The state of open-source hardware
I am a great fan of open-source software and have been for over a decade now. Recently I've been asking myself a few questions, regarding the state of FOSS and how much of it we truly get to rely on in our everyday lives. Note that this post will be a bit long, and might require a good understanding of hardware and firmware in general (I'm not above average at this chapter myself).
Many of us choose to install and use open software for various activities: Some of us have a FOSS operating system (Linux instead of Windows), others just use free alternatives to commercial software for their work (LibreOffice instead of Microsoft Office), some gamers prefer free games over commercial alternatives (Xonotic instead of Team Fortress), and the list goes on. I'm among those who take comfort in the idea of going full FOSS, which I have since I permanently made the switch to openSUSE Linux. While for me it's an ideological thing too since I feel that I'm supporting something free that was created by others like me, I also take comfort in knowing that I'm always using trusted software: When the source code and compiled binary are both in a trusted repository that anyone can check, you know it's far more unlikely that someone would sneak in programs that spy on you or attempt to control your machine... things that Windows 10 or Apple's OS are notorious for doing. Recently however, I've become more aware of something that doesn't stand out right away: You can't truly go full open-source... at least not very easily. While you can install a FOSS operating system like Linux, you're still using a computer that has a proprietary BIOS coded by the manufacturer. The BIOS is just the tip of the iceberg: Various other components have proprietary firmware which cannot be changed. This is most obvious with video cards, who rely on a binary blob for the video driver to work with... however the issue exists for every component at the end of the day, including motherboard chips and the network card and the hard drive and the monitor on your desk. To this day this hasn't been something people had to give much thought to: The firmware is only responsible for providing an API for other drivers to work with, you almost never need to modify and update such a thing, usually it's easy to forget it even exists to begin with. But with computing power increasing, firmwares are becoming an increasing concern... especially among the surveillance and online censorship scandals society has found itself in during the past year. There will come a day when the BIOS will be capable of secretly sending whole files from your machine to an external server, effectively stealing files off your drive or logging pressed keys (which can reconstruct messages you type or your passwords). Censorship in the name of safety from random dangers has also been forced on us, and there may come a day when network card manufacturers could be required to include content blacklists directly in the firmware of network cards. In the very distant future, video cards may even come with firmware that can detect copyright in images using an external database, effectively blacking out your screen if something forbidden pops up! We need to have an alternative ready before those kinds of disasters can start happening. Amid such concerns, I've grown interested in how much open-source hardware and firmware we have access to right now, to protect ourselves from hidden software or applications being forced on us by devices themselves. I want to imagine a world where every motherboard and video card and hard drive has FOSS alternatives on the market shelves, meaning they come unlocked software wise and anyone can code a firmware for them... including the ability to install and update your own firmware of choice after you take your device home and plug it into your computer. Unfortunately this idea faces at least three major issues I'm aware of:
For this ideal world to be possible, a few changes would need to be made. For point 1, we'd need corporations willing to produce FOSS hardware without seeking any control over the software we put on them... I believe there have been attempts in the past, this is definitely not impossible. For points 2 and 3, the device would need to have two different chips and essentially two firmwares: One that handles only connectivity (allows you to read and write to the chip) and said chip which contains the actual firmware (operates the functionality of the device)... this way the device can always be repaired if you brick the firmware, as you're not affecting the area which writes to the medium where the firmware is stored. The computer itself would have to allow booting into a special mode, which basically shuts down usage of all connected devices (including its own chipset) so that the firmware can be updated safely... in realtime this would almost never be possible as you'd need to suspend access to the CPU / video card / hard drive which would instantly crash the system. I wish to know to what extent this has been done so far: Are there any open-source motherboards (including the BIOS) and video cards and other components, which are available in shops now or any of us can order online from across the world? If not then I'm wondering if this might ever happen: Could we live to have affordable computers and laptops and smartphones that are fully FOSS, meaning we can put our own firmware into any component without requiring advanced technical knowledge or there being a risk of breaking it? |
tl;dr ;)
It is much worse than you think. Even most CPUs have an undocumented co-processor (see e.g. https://en.wikipedia.org/wiki/Intel_Management_Engine) and the BIOS became UEFI which runs in part on the management engine and can access your files and can connect to the net and can send files and you'll never know. <edit> My eight years old mainboard hosts two BIOSes (see my signature). If I had got some glitch when updating the BIOS (which I did) the manufacturer made sure I could have restored the original condition... </edit> |
You might be interested in these guys:
https://puri.sm/products/ https://olimex.wordpress.com/2017/02...p-is-complete/ https://www.pine64.org/?page_id=3707 https://www.kosagi.com/w/index.php?t...vena_Main_Page I'm sure there are more - you just have to root around. |
You may like to lookup "coreboot" and "libreboot" for computers with a free software bios/uefi replacement
|
Quote:
I wonder if Dell iDRAC is also implemented in the ME. Although the idea is great (you can remotely start a powered off host) you can only disclose all functions if you buy the license. About $800 on a server you just purchased. By keeping ME implementations secret and obfuscated the door is wide open for hacks, hijacking and other abuse. Had they made this great technology fully open, everyone could have benefit. jlinkels |
I vaguely seem to remember that there are real exploits targeting the ME. Can't find the reference right now. If you read German:
https://www.heise.de/newsticker/meld...s-3940637.html https://www.heise.de/newsticker/meld...k-3928301.html There is more... |
Computers are regarded as disposable by manufacturers, if we had truly open hardware, not many people would buy another computer. This would make each computer much more expensive, as the manufacturers want to make money on their investment on equipment.
P.S. The ARM processor is much cheaper than Intel/AMD, & I believe it is our future for commodity computing. |
Thank you for the info! I understand that so far, the only company working on open hardware explicitly are Purism with their Librem phones and laptops... was hoping there are more, but they are a very good start none the less. I looked into CoreBoot / LibreBoot a while ago too... they seem interesting for sure, though I hear it only works on specific motherboard models so I'll have to see when I consider buying a new one. Management engines like IME (Intel Management Engine) sound pretty scary to me generally speaking, however they would get the task of offering a firmware updater done... can they themselves be updated and replaced however?
|
Quote:
|
Quote:
|
Quote:
The Open Source Hardware Association might also be worth contacting at https://www.oshwa.org/ |
The first question I would ask is "what do you mean by a "computer?"
This isn't all that silly with (for instance) self-driving cars just around the corner; these are essentially "computers" by your definition since they have firmware, bios, and so forth (although my desktop doesn't have wheels). I would certainly want some assurances that the vehicle (remember, many of them - like our phones - now have a microphone and more than one camera) was not monitoring me and/or my passengers, where we went, how long we stayed there, and so forth. Open Source would be great for that. On the other hand, I'm not really sure I would want to get anywhere near the vehicle that had "open" bios alterations by someone other than the manufacturer regardless of their skill level; there are just too many gotchas in something as complex as I imagine these vehicles to be. And the idea that a car manufacturer would ever open up enough of their proprietary competitive secrets to make such mods safe seems pretty unlikely. Then again, who would have imagined an open source word processor much less operating system in 1978, so who knows... My own view is that we would be better off with legislation forcing manufacturers who spy or otherwise infringe to turn over control of their entire company to Richard Stallman or perhaps someone he designates :) But those who would sponsor such legislation rely on those same manufacturers for their campaign funds. I applaud your intentions to force discussions of these things that you perceive (rightly) as problems, but it is a far more universal concern than our own piddly little universe of computers and operating systems. |
https://opencores.org/
https://www.openbios.info/Welcome_to_OpenBIOS https://www.openbsd.org/ It doesn't all fit together yet. http://forth.org/cores.html or http://forth.org I like the forth language because you can do some serious programming direct on the hardware without layers of obfuscation, easiest language to port to new hardware. Not sure if you want open or trustworthy. I would feel if a manufacturer was trustworthy they would be open with hardware, firmware and software. unfortunately the world doesn't work like that and that's after I've taken my meds ;) |
Quote:
AMD does it already. They drew level with Intel years ago. ARM might(!) be different in as much as they just sell intellectual property (i.e. designs) and the customers decide whether they want some ME or not. Form that perspective you can trust no big manufacturer at all. |
Very interesting discussion. But you need to remember that the Linux community falls into (at least) two parts. On the one hand, you have people who are fascinated by hardware and know quite a lot about it. These are the sort of people who regularly update their bioses and may be beginning to investigate coreboot. On the other hand, you have a large number of people like me who moved to Linux basically because they didn't like Windows.
We were looking for a system which was secure against malware, stable against crashes, easy to understand and ran well on our existing hardware without requiring us constantly to upgrade. Free software for us was just the icing on the cake. I love the philosophy. I love the community spirit that it engenders. But I wouldn't be able to cope with a system that required me to manage my own firmware and I think a lot of other people wouldn't either. Do you really want a system that is only usable by hackers? |
Actually I think we need free hardware bitterly (free not as free beer). When you look at the possibilities of creating mischief on user's systems via the hardware route one gets really worried -- considerung the types of humans and political systems on this planet, and I don't exempt my country from this, far from it.
No, open hardware is just one more aspect to learn and I think in the end it is not harder than the software side, we are just not used to it (yet). <edit> P.S.: I love to learn ;). </edit> |
Isn't the arduino a free board?
|
Quote:
|
Quote:
> https://en.opensuse.org/Free_and_Open_Source_Software More on libre GNU/Linux distributions: https://www.gnu.org/distros/free-distros.en.html I see other people more or less already updated you on the state of libre hardware so I will merely add some links. There is a fully libre high end workstation and server platform available (based on IBM's open source POWER architecture). It's very expensive but I think it's totally worth it. https://www.raptorcs.com/ There are ~10 years old fully libre business notebooks from the ThinkPad series. It is still easy to buy refurbished versions of them. They have new and modern screens (Full HD), keyboards, RAM and HDD. The processor is always the Core 2 Duo, since it was one of the last models, if not the last, not to include IME. Here are two of many sites that sell them: https://minifree.org/ https://tehnoetic.com/ Note that the second site has some non-fully libre products, even thou all of them come close. The pi-top is a raspberry pi based notebook. Two things must be taken into account: They are not very powerful, think of them as a very cheap computer; The raspberry Pi requires proprietary initialization code. You might want to replace it by a Banana Pi or Orange Pi. https://pi-top.com/products/pi-top/ On general guide lines. The Free Software Foundation keeps a list of freedom respecting hardware: https://www.fsf.org/resources/hw/end...s-your-freedom Some people think FSF's constraints are rather severe (I don't). The OpenBSD project strives for safety but not for freedom. When is doubt is always useful to check their supported hardware list. |
All times are GMT -5. The time now is 09:13 AM. |