GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Leah Rowe is not a Rowebot (libreleah@mas.to)'s status on Monday, 21-Aug-2023 21:23:57 JST

    This customer is getting FreeBSD. Libreboot T440p laptop, with stable release FreeBSD 13.2 and Xfce. Everything configured.

    Yeah and the first thing I do is install Vim when configuring a system, FreeBSD included!

    My company: https://minifree.org/

    I sell laptops with Libreboot pre-installed, which replaces proprietary BIOS/UEFI firmware. Libreboot offers greater security and faster boot speeds, plus many more features. I'm the lead developer and founder of Libreboot; sales fund the project.

    In conversation Monday, 21-Aug-2023 21:23:57 JST from mas.to permalink

    Attachments

    1. Send-in service: libreboot/coreboot installation and refurbishing service (av.minifree.org)
       from Leah Rowe

    2. https://media.mas.to/masto-public/media_attachments/files/110/927/488/627/193/446/original/a064cb3357cb4c2f.jpeg

    3. https://media.mas.to/masto-public/media_attachments/files/110/927/488/945/111/469/original/112ccfd2ad208b41.jpeg

    4. https://media.mas.to/masto-public/media_attachments/files/110/927/489/269/190/199/original/3ce622a3dca66ea2.jpeg

    5. https://media.mas.to/masto-public/media_attachments/files/110/927/489/660/005/746/original/e23a70410a94e06d.jpeg
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Monday, 21-Aug-2023 21:23:56 JST
      in reply to
      @libreleah Vi Vim Vi, the editor of the devil - I install GNU nano first and then get around to compiling GNU emacs later.

      >I sell laptops with Libreboot pre-installed, which replaces proprietary BIOS/UEFI firmware
      Aside from the fact that I cannot say that such replacement BIOS is libre, as such replacement BIOS contains proprietary software.

      It's a damn shame that the t440p is a tyrant laptop that refuses to boot without signed, proprietary software - it's painful to get so close to freedom, but be cursed to never reach it.

      "Free"BSD is proprietary software as well unfortunately.

      --
      Sent from my KGPE-D16 system, with all software provided by me being free software.
      In conversation Monday, 21-Aug-2023 21:23:56 JST permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Monday, 21-Aug-2023 21:44:02 JST
      in reply to
      • :niggy:
      @niggy >you'll never get a system without proprietary software unfortunately
      Challenge accepted (people kept telling rms that GNU would never be a 100% free software OS, but he did it).

      >every component has it
      It depends on the component. Some components don't have a microprocessor and some have only hardware in ROM - of course the amount of hardware that runs proprietary software keeps increasing.

      >even a basic SSD has a proprietary arm processor running a whole proprietary real-time operating system inside it
      I'm well aware, but as long as such SSD doesn't implement digital handcuffs on the software, it's possible to replace such software with GNU/SSD Control - but the priority of that is pretty low on my list.
      In conversation Monday, 21-Aug-2023 21:44:02 JST permalink
    • :niggy: (niggy@poa.st)'s status on Monday, 21-Aug-2023 21:44:03 JST
      in reply to
      • 翠星石
      @Suiseiseki @libreleah you'll never get a system without proprietary software unfortunately, every component has it. even a basic SSD has a proprietary arm processor running a whole proprietary real-time operating system inside it
      In conversation Monday, 21-Aug-2023 21:44:03 JST permalink
    • :niggy: (niggy@poa.st)'s status on Monday, 21-Aug-2023 22:10:35 JST
      in reply to
      • 翠星石
      @Suiseiseki you actually could run custom firmware on old SSDs, caused security issues so you can't anymore
      only way for a complete free-software platform would be completely free hardware. actually a cool idea, doubt well ever see it though. there's so much protected corporate IP that goes into every component, most with no open hardware alternatives
      In conversation Monday, 21-Aug-2023 22:10:35 JST permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Monday, 21-Aug-2023 22:10:35 JST
      in reply to
      • Zero :zt_think: :artix:
      • :niggy:
      @zero Infidels like you shall burn in GNU/Hell.

      rms always makes sure to give credit for what Linus has actually done, but Linus refuses to give credit to GNU for what GNU has done.

      @niggy >caused security issues so you can't anymore
      Yes, the "security" issue of the user having the freedom to install software.

      >only way for a complete free-software platform would be completely free hardware
      Hardware is inherently proprietary, but it doesn't matter all too much if you have proprietary NAND gates if those NAND gates are only being interfaced with free software.

      The iCE40 line is a line of proprietary FPGAs that can be programmed with only free software to load up free hardware designs, but we really need much faster FPGAs of the sort before such are useful for implementing a non-toy version of GNU/SoC.

      >there's so much protected corporate IP
      Imaginary property is corporate propaganda that should be avoided if you want to have a useful discussion on soft cores and the trade secrets, copyrights and patents that apply: https://www.gnu.org/philosophy/not-ipr.html
      In conversation Monday, 21-Aug-2023 22:10:35 JST permalink

      Attachments

      1. Did You Say “Intellectual Property”? It's a Seductive Mirage - GNU Project - Free Software Foundation (www.gnu.org)
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Monday, 21-Aug-2023 22:13:53 JST
      in reply to
      • Zero :zt_think: :artix:
      @zero I believe you are deflecting something.

      It seems that you might have an attraction to prepubescent children - if so, please don't act on that attraction and please get help from someone who's willing to help you if needed.
      In conversation Monday, 21-Aug-2023 22:13:53 JST permalink
    • Zero :zt_think: :artix: (zero@strelizia.net)'s status on Monday, 21-Aug-2023 22:13:54 JST
      in reply to
      • 翠星石
      • :niggy:
      @Suiseiseki @niggy not reading your pedophile rant kill yourself
      In conversation Monday, 21-Aug-2023 22:13:54 JST permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Monday, 21-Aug-2023 22:22:10 JST
      in reply to
      • :niggy:
      @niggy >because it lacks modern uefi security features
      The thing is, if you want to achieve security, the only way to actually achieve that would be to install an actually libre version of libreboot, set grub to only boot kernels signed with a gpg key and then write protect the SPI flash chip (or get such burned into a ROM chip if you want to be sure).

      On the newer, ultra proprietary boards, despite all the signing schemes they use, it seems that there's always somewhere to install malware in a way that bypasses the signature check - while you're looking pretty good if you have a motherboard where the only significant storage is the SPI flash chip and that's write protected.

      grub gpg boot is much better than secure boot really.
      In conversation Monday, 21-Aug-2023 22:22:10 JST permalink
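The GRUB GPG signing setup described in the post above, as an added example that is not from the thread or from any of its participants: a small POSIX shell helper that produces a detached GPG signature for every boot artifact and checks that nothing GRUB will load is left unsigned. The operational detail the post leaves out is that once `check_signatures=enforce` is set, GRUB refuses to load any file (kernel, initramfs, grub.cfg, modules, fonts) without a valid `<file>.sig`, so a single forgotten signature turns into an unbootable machine; the pre-flight check below catches that before the flash chip is write-protected. The directory layout, the key id and keeping the signing key on a separate machine are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout: the files GRUB will
# load live under one directory (here "$1", e.g. /boot), and the signing key
# lives on a separate machine that never boots with these artifacts.
#
# GRUB side (see grub-mkstandalone(1) / grub-mkimage(1)):
#   gpg --export <KEYID> > pubkey.gpg
#   grub-mkstandalone --pubkey=pubkey.gpg ...      # embeds the public key
# and in grub.cfg, before anything else is loaded:
#   set check_signatures=enforce
#   export check_signatures
# From then on every file GRUB reads must have a sibling <file>.sig made by
# a key in the embedded keyring.

# Print every regular file under $1 that has no sibling .sig (the .sig files
# themselves are skipped). Output is sorted so it is stable for review.
missing_signatures() {
    find "$1" -type f ! -name '*.sig' -print | LC_ALL=C sort |
    while IFS= read -r f; do
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# Succeed only when nothing under $1 is unsigned. Run this as the last step
# before write-protecting the flash: an unsigned file here means a failed boot.
signatures_complete() {
    [ -z "$(missing_signatures "$1")" ]
}

# Detached-sign every still-unsigned file under $1 with key $2 (gpg required on
# the signing machine). Existing signatures are left alone, so this is safe to
# re-run after a kernel update: only the new artifacts get signed.
sign_tree() {
    missing_signatures "$1" | while IFS= read -r f; do
        gpg --batch --yes --default-key "$2" --detach-sign --output "$f.sig" "$f"
    done
}

# Usage (on the signing machine, KEYID is a placeholder):
#   sign_tree /mnt/target-boot KEYID && signatures_complete /mnt/target-boot \
#       && echo "ok to flash" || { echo "unsigned files:"; missing_signatures /mnt/target-boot; }
```

`sign_tree` deliberately signs only what `missing_signatures` reports, so re-signing after an update touches just the changed files and you can diff the list against the update you intended to make; an unexpected entry there is worth a look before it is signed.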
    • :niggy: (niggy@poa.st)'s status on Monday, 21-Aug-2023 22:22:11 JST
      in reply to
      @libreleah that doesn't "offer greater security", libreboot can only even run on that old hardware because it lacks modern uefi security features. freebsd also lacks modern os security features like secure boot and kernel code integrity (eg linux kernel lockdown)
      In conversation Monday, 21-Aug-2023 22:22:11 JST permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Monday, 21-Aug-2023 22:26:12 JST
      in reply to
      • :niggy:
      @niggy I've read about a case where someone ported just Linux onto a HDD and watched as it panic()'d on boot (as it seems he forgot to port GNU as well).

      Users do have a use of free SSD software, it's just that manufacturers have done their best to prevent it and implementations haven't yet been written - it's unacceptable to trample over such freedom merely because free SSD software hasn't been completed yet.

      It's entirely possible to implement an SSD software signing scheme where the user is able to set their own keys, but manufacturers don't do that for a reason.


      For an adversary to infect an SSD, they have to gain root access first and you're really long gone by then.
      In conversation Monday, 21-Aug-2023 22:26:12 JST permalink
    • :niggy: (niggy@poa.st)'s status on Monday, 21-Aug-2023 22:26:13 JST
      in reply to
      • Zero :zt_think: :artix:
      • 翠星石
      @Suiseiseki @zero

      Yes, the “security” issue of the user having the freedom to install software

      don’t know a single user ever actually did that on their SSD controller, TAO did though

      that’s the issue. demanding “freedom” actual users have no use for, and only adversaries do

      In conversation Monday, 21-Aug-2023 22:26:13 JST permalink

      Attachments


      1. https://i.poastcdn.org/ee8149bbafe62f6e1f94b98b7ba1898c7a05e598fbb921a195f336bb2da684f0.jpg
    • :niggy: (niggy@poa.st)'s status on Monday, 21-Aug-2023 22:41:42 JST
      in reply to
      • 翠星石
      @Suiseiseki read-only SPI flash can't get security updates
      grub verifying a kernel doesn't matter when there's nothing verifying grub, that's the point of secure boot
      if you're secure-boot signing your own bootloader, the signing key is on the machine, which defeats the point
      the entire chain of trust falls apart when it doesn't start from secure digitally-signed firmware, which avoiding is the entire point of libreboot
      In conversation Monday, 21-Aug-2023 22:41:42 JST permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Monday, 21-Aug-2023 22:41:42 JST
      in reply to
      • :niggy:
      @niggy >read-only SPI flash can't get security updates
      So dyke out the old ROM chip and solder in an updated ROM chip?

      >grub verifying a kernel doesn't matter when there's nothing verifying grub
      You verified grub and burned it into a ROM chip - the impossibility of changing that ROM chip from software verifies grub pretty hard.

      >that's the point of secure boot
      The problem with secure boot is that it assumes the proprietary UEFI is verified, when really I haven't come across a single proprietary UEFI that has been properly verified - even though you should NEVER trust a proprietary UEFI.

      >if you're secure-boot signing your own bootloader, the signing key is on the machine, which defeats the point
      You can have the signing key on a different machine with a slight inconvenience - it's probably better to have the key on another computer of yours, rather than relying on the utter clowns that all OEMs are, who probably have the signing key on a windows computer (the NSA probably has direct access to all signing keys for every single OEM for this reason and how on earth are you meant to tell the difference between the manufacturer's signed proprietary malware and the NSA's signed proprietary malware when both verify just fine?).

      >the entire chain of trust falls apart when it doesn't start from secure digitally-signed firmware,
      A single piece of proprietary software makes all chains of trust crumble.
      In conversation Monday, 21-Aug-2023 22:41:42 JST permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Monday, 21-Aug-2023 22:46:52 JST
      in reply to
      • 翠星石
      • :niggy:
      @niggy I can't believe it took me this long to figure it out.

      I am 100% confident that all UEFI signing schemes are 100% compromised by the NSA and/or other intelligence agencies, as bypassing Intel boot guard or secure boot etc is as easy as paying such companies a few million for the signing keys to get them to hand them over, or cracking into the relevant computers and extracting the keys (only mildly difficult for the NSA to pull off).

      I would suggest relying on free software signing schemes with keys that you control, over proprietary software signing schemes with keys controlled by the NSA and ?? other parties.
      In conversation Monday, 21-Aug-2023 22:46:52 JST permalink
    • :niggy: (niggy@poa.st)'s status on Monday, 21-Aug-2023 23:02:04 JST
      in reply to
      • 翠星石
      @Suiseiseki can you show me this setup of yours friend with the custom motherboard and grub rom chip you resolder every few weeks for updates?
      sounds interesting, all I've seen is OP running a decade old laptop to avoid basic security features
      In conversation Monday, 21-Aug-2023 23:02:04 JST permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Monday, 21-Aug-2023 23:02:04 JST
      in reply to
      • :niggy:
      @niggy I could go that far, but I really just settle for a 100% free software BIOS with a SPI flash chip that can't be written without root access and no proprietary software runs as root either, as I doubt the glowers have dedicated resources to getting me...yet.

      "Secure boot" is not a basic security feature, as it gives a false sense of security, as it's extremely trivial to bypass, as clowns have signed every proprietary binary under the sun under the root UEFI certificates.

      Although there are revocation lists for known buggy binaries, those revocation lists are extremely rarely ever implemented.

      Really, the only way to achieve a similar level of security to Grub gpg signing is to disable all the default UEFI root certificates and load up your own keys.
      In conversation Monday, 21-Aug-2023 23:02:04 JST permalink
    • :niggy: (niggy@poa.st)'s status on Monday, 21-Aug-2023 23:44:26 JST
      in reply to
      • 翠星石
      @Suiseiseki these security features do work friend, they make our lives very difficult. it's hard to get a malicious UEFI binary signed, it's a significant barrier to the vast majority of attackers. If I went online now and tried I couldn't do it
      In conversation Monday, 21-Aug-2023 23:44:26 JST permalink
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Monday, 21-Aug-2023 23:44:26 JST
      in reply to
      • :niggy:
      @niggy >these security features do work friend, they make our lives very difficult.
      Yes, the whole idea is to make it so that computers serve them and not you.

      For now it's possible to disable secure boot and upload your own keys, but such features will eventually be removed, for "security".

      >it's hard to get a malicious UEFI binary signed, it's a significant barrier to the vast majority of attackers.
      The thing is, plenty of malicious and non-malicious shim binaries are signed.

      It seems like a significant barrier as it's not easy to get x binary signed yourself, but if you think harder, all you really need to do is grab one of the many shim binaries available, upload that and then have the shim load your software.

      There is a version of GNU Grub signed for UEFI with a "vulnerability" where it can be used to load whatever software (a feature really) and you really just need to load that up to boot whatever kernel you want (such binary has been added to the UEFI blacklist, but I'm not sure of any UEFI implementations that actually uses a regularly updated blacklist).

      GNU/Linux previously couldn't be installed on windows ARM tablets, as m$ requires that "secure boot" can't be disabled on ARM tablets (for "security"), but eventually someone happened to get a shim binary signed and finally GNU/Linux could be booted on such tablets.

      Eventually m$ will ensure that "secure boot" implementations only boot windows and have a constant internet connection so blacklisted binaries can be added immediately (i.e. when someone finds a bug in the windows boot process that allows jumping to booting GNU/Linux instead, m$ can release a new version that doesn't have that feature and blacklist booting of the old version).

      If you went online and tried now with the right technique, you could indeed do it.


      "Secure boot" is only intended to restrict the user, although some parts of the plan are to be implemented later - therefore no real security benefit can be realized from such proprietary signing schemes - only a false sense of security, which is far worse than not having security, but knowing that you don't have it.
      In conversation Monday, 21-Aug-2023 23:44:26 JST permalink

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.