I am a great fan of open-source software and have been for over a decade now. Recently I've been asking myself a few questions, regarding the state of FOSS and how much of it we truly get to rely on in our everyday lives. Note that this post will be a bit long, and might require a good understanding of hardware and firmware in general (I'm not above average at this chapter myself).

Many of us choose to install and use open software for various activities: Some of us have a FOSS operating system (Linux instead of Windows), others just use free alternatives to commercial software for their work (LibreOffice instead of Microsoft Office), some gamers prefer free games over commercial alternatives (Xonotic instead of Team Fortress), and the list goes on. I'm among those who take comfort in the idea of going full FOSS, which I have since I permanently made the switch to openSUSE Linux. While for me it's an ideological thing too since I feel that I'm supporting something free that was created by others like me, I also take comfort in knowing that I'm always using trusted software: When the source code and compiled binary are both in a trusted repository that anyone can check, you know it's far more unlikely that someone would sneak in programs that spy on you or attempt to control your machine... things that Windows 10 or Apple's OS are notorious for doing.

Recently however, I've become more aware of something that doesn't stand out right away: You can't truly go full open-source... at least not very easily. While you can install a FOSS operating system like Linux, you're still using a computer that has a proprietary BIOS coded by the manufacturer. The BIOS is just the tip of the iceberg: Various other components have proprietary firmware which cannot be changed. This is most obvious with video cards, who rely on a binary blob for the video driver to work with... however the issue exists for every component at the end of the day, including motherboard chips and the network card and the hard drive and the monitor on your desk.

To this day this hasn't been something people had to give much thought to: The firmware is only responsible for providing an API for other drivers to work with, you almost never need to modify and update such a thing, usually it's easy to forget it even exists to begin with. But with computing power increasing, firmwares are becoming an increasing concern... especially among the surveillance and online censorship scandals society has found itself in during the past year. There will come a day when the BIOS will be capable of secretly sending whole files from your machine to an external server, effectively stealing files off your drive or logging pressed keys (which can reconstruct messages you type or your passwords). Censorship in the name of safety from random dangers has also been forced on us, and there may come a day when network card manufacturers could be required to include content blacklists directly in the firmware of network cards. In the very distant future, video cards may even come with firmware that can detect copyright in images using an external database, effectively blacking out your screen if something forbidden pops up! We need to have an alternative ready before those kinds of disasters can start happening.

Amid such concerns, I've grown interested in how much open-source hardware and firmware we have access to right now, to protect ourselves from hidden software or applications being forced on us by devices themselves. I want to imagine a world where every motherboard and video card and hard drive has FOSS alternatives on the market shelves, meaning they come unlocked software wise and anyone can code a firmware for them... including the ability to install and update your own firmware of choice after you take your device home and plug it into your computer. Unfortunately this idea faces at least three major issues I'm aware of:

1. Most computer hardware manufacturers create their products with intent for their software to not be modified, making that difficult both by design and by law. It's easy to see why this happens: The production of motherboards or video cards or LCD monitors is an industrial scale business, which requires large costly factories and employees that must be paid well... it's not something you can do at home, or that a few people can create a Kickstarter campaign for.
2. Updating the firmware on a device is very difficult. I am a casual programmer, and even I wouldn't have any idea how I could possibly take my webcam or drawing tablet and replace the software embedded into it! Is this even physically possible through the USB cable, granted the firmware is most likely mounted on a read-only chip? Further more, components the computer rely on to run are hard to update while the computer is running, however the computer must run to do the update thus creating a paradox... imagine taking down your chipset to update it for instance, it would be the equivalent of plucking out your RAM while the computer is powered on and processing data!
3. Updating the firmware on a device is extremely risky. One little mistake and your device will be bricked, which basically means you'll have to throw it away and get a new one. This happens because the firmware you're updating is often also the firmware used to make the device communicate with the computer: If that is erased or corrupted, you have no way to connect the device again in order to get a new firmware installed.

For this ideal world to be possible, a few changes would need to be made. For point 1, we'd need corporations willing to produce FOSS hardware without seeking any control over the software we put on them... I believe there have been attempts in the past, this is definitely not impossible. For points 2 and 3, the device would need to have two different chips and essentially two firmwares: One that handles only connectivity (allows you to read and write to the chip) and said chip which contains the actual firmware (operates the functionality of the device)... this way the device can always be repaired if you brick the firmware, as you're not affecting the area which writes to the medium where the firmware is stored. The computer itself would have to allow booting into a special mode, which basically shuts down usage of all connected devices (including its own chipset) so that the firmware can be updated safely... in realtime this would almost never be possible as you'd need to suspend access to the CPU / video card / hard drive which would instantly crash the system.

I wish to know to what extent this has been done so far: Are there any open-source motherboards (including the BIOS) and video cards and other components, which are available in shops now or any of us can order online from across the world? If not then I'm wondering if this might ever happen: Could we live to have affordable computers and laptops and smartphones that are fully FOSS, meaning we can put our own firmware into any component without requiring advanced technical knowledge or there being a risk of breaking it?

tl;dr

It is much worse than you think. Even most CPUs have an undocumented co-processor (see e.g. https://en.wikipedia.org/wiki/Intel_Management_Engine) and the BIOS became UEFI which runs in part on the management engine and can access your files and can connect to the net and can send files and you'll never know.

<edit> My eight years old mainboard hosts two BIOSes (see my signature). If I had got some glitch when updating the BIOS (which I did) the manufacturer made sure I could have restored the original condition... </edit>

3 members found this post helpful.

You might be interested in these guys:

https://puri.sm/products/

https://olimex.wordpress.com/2017/02...p-is-complete/

https://www.pine64.org/?page_id=3707

https://www.kosagi.com/w/index.php?t...vena_Main_Page

I'm sure there are more - you just have to root around.

2 members found this post helpful.

You may like to lookup "coreboot" and "libreboot" for computers with a free software bios/uefi replacement

2 members found this post helpful.

From a pure technical point of view it is of course elegant to have a management engine available when the main processor is off or asleep. But as so often, the billion-dollar enterprises abuse clean technical development, just thinking they might benefit if they keep the implementations secret and obfuscated. Recently I saw a horror story on youtube about the ME making sure only the charger of the manufacturer itself was connected to a laptop. If it is a different charger your laptop won't charge. The fake reason for this is that the manufacturer then can guarantee that the best performance for the battery is achieved. Sure, but laptops are typically used for traveling and power supplies (and the cords) tend to break at the least convenient moment.

I wonder if Dell iDRAC is also implemented in the ME. Although the idea is great (you can remotely start a powered off host) you can only disclose all functions if you buy the license. About $800 on a server you just purchased.

By keeping ME implementations secret and obfuscated the door is wide open for hacks, hijacking and other abuse. Had they made this great technology fully open, everyone could have benefit.

jlinkels

2 members found this post helpful.

I vaguely seem to remember that there are real exploits targeting the ME. Can't find the reference right now. If you read German:

https://www.heise.de/newsticker/meld...s-3940637.html
https://www.heise.de/newsticker/meld...k-3928301.html

There is more...

Computers are regarded as disposable by manufacturers, if we had truly open hardware, not many people would buy another computer. This would make each computer much more expensive, as the manufacturers want to make money on their investment on equipment.

P.S. The ARM processor is much cheaper than Intel/AMD, & I believe it is our future for commodity computing.

Thank you for the info! I understand that so far, the only company working on open hardware explicitly are Purism with their Librem phones and laptops... was hoping there are more, but they are a very good start none the less. I looked into CoreBoot / LibreBoot a while ago too... they seem interesting for sure, though I hear it only works on specific motherboard models so I'll have to see when I consider buying a new one. Management engines like IME (Intel Management Engine) sound pretty scary to me generally speaking, however they would get the task of offering a firmware updater done... can they themselves be updated and replaced however?

No. As mentioned in post #5 it is too much closed to allow benign modifications. For malign vectors just search the web, these things were very much in focus lately.

Thanks. I will definitely want to avoid buying any motherboard with IME then. My main concern is what will happen when one day, all Intel boards will have it and AMD starts doing the same? I believe we need to support a group willing to produce modern FOSS motherboards and video cards... sounds like something to poke Purism about.

Have a read here for info and contacts: https://en.wikipedia.org/wiki/Open-source_hardware and https://en.wikipedia.org/wiki/Open-s...uting_hardware

The Open Source Hardware Association might also be worth contacting at https://www.oshwa.org/

1 members found this post helpful.

The first question I would ask is "what do you mean by a "computer?"

This isn't all that silly with (for instance) self-driving cars just around the corner; these are essentially "computers" by your definition since they have firmware, bios, and so forth (although my desktop doesn't have wheels).

I would certainly want some assurances that the vehicle (remember, many of them - like our phones - now have a microphone and more than one camera) was not monitoring me and/or my passengers, where we went, how long we stayed there, and so forth. Open Source would be great for that. On the other hand, I'm not really sure I would want to get anywhere near the vehicle that had "open" bios alterations by someone other than the manufacturer regardless of their skill level; there are just too many gotchas in something as complex as I imagine these vehicles to be. And the idea that a car manufacturer would ever open up enough of their proprietary competitive secrets to make such mods safe seems pretty unlikely.

Then again, who would have imagined an open source word processor much less operating system in 1978, so who knows...

My own view is that we would be better off with legislation forcing manufacturers who spy or otherwise infringe to turn over control of their entire company to Richard Stallman or perhaps someone he designates But those who would sponsor such legislation rely on those same manufacturers for their campaign funds.

I applaud your intentions to force discussions of these things that you perceive (rightly) as problems, but it is a far more universal concern than our own piddly little universe of computers and operating systems.

https://opencores.org/
https://www.openbios.info/Welcome_to_OpenBIOS
https://www.openbsd.org/
It doesn't all fit together yet.

http://forth.org/cores.html or http://forth.org
I like the forth language because you can do some serious programming direct on the hardware without layers of obfuscation,
easiest language to port to new hardware.

Not sure if you want open or trustworthy.
I would feel if a manufacturer was trustworthy they would be open with hardware, firmware and software.
unfortunately the world doesn't work like that
and that's after I've taken my meds

AMD does it already. They drew level with Intel years ago. ARM might(!) be different in as much as they just sell intellectual property (i.e. designs) and the customers decide whether they want some ME or not. Form that perspective you can trust no big manufacturer at all.

Very interesting discussion. But you need to remember that the Linux community falls into (at least) two parts. On the one hand, you have people who are fascinated by hardware and know quite a lot about it. These are the sort of people who regularly update their bioses and may be beginning to investigate coreboot. On the other hand, you have a large number of people like me who moved to Linux basically because they didn't like Windows.

We were looking for a system which was secure against malware, stable against crashes, easy to understand and ran well on our existing hardware without requiring us constantly to upgrade. Free software for us was just the icing on the cake. I love the philosophy. I love the community spirit that it engenders. But I wouldn't be able to cope with a system that required me to manage my own firmware and I think a lot of other people wouldn't either. Do you really want a system that is only usable by hackers?