[RESPONDED] Coreboot on the Framework Laptop

Would it be possible for Framework to make a BIOS update that removes the Boot Guard keys? Or lets us replace them. In a way it would ensure that a typical user won’t have them replaced, but it would let us remove/replace them so we can port coreboot to it.

2 Likes

Some fresh news about AMD’s recent contribution to coreboot:

4 Likes

Sweet, exactly the SoC the AMD version is getting.

4 Likes

I read all three got bricked and sent back. FW offered new boards or were in the process of offering new ones (probably need to get some unprogrammed mainboards soldered, which is a slightly different production).

I read your two comments, and although I’m a big fan of getting coreboot, especially in the long run, I don’t think FW has an easy position to get coreboot made. They did send 3 laptops out, hopefully ready to ship more if serious devs want to, but I don’t think many “normal” consumers have a need for it.

If the AMD board gets it first, me sad, especially because I wished my 12th gen got coreboot sometime soon. But I won’t be upgrading in a few years. Also, what BIOS version to keep on supporting? How many RMAs get back that end up being a wrongly flashed BIOS update? They are careful enough and sure enough about the few things they do release. I’m not sure if this is even about money or the “lack of will”.

Who is gonna spend so many hours on testing and making coreboot run well? And how many customers want coreboot? And all of a sudden they might come with coreboot :smiley: It depends if the dev is vocal about it and willingly public. Else, we only get FW news and coreboot mailing lists/news.

1 Like

Wow, I’m definitely excited now! Can’t wait for next week!

As Phoronix mentioned in his last post, there is a photo with both EPYC and Ryzen processors sitting next to each other… Let’s hope the coreboot support gets extended to Ryzen processors too.

9 Likes

At least, would it be possible to use me_cleaner? From my understanding someone can flash a BIOS ROM that was cleaned and it should boot without issues. Is that possible on a Framework? I plan to play around with it if nobody has tried it.

2 Likes

@prepaidpyramid I’m going to go with no. You could potentially set the HAP bit although I’m not sure how to do that.

Reddit thread that confirms the above

2 Likes

@GhostLegion I think there are some more active forks that have done it on 12th gen, but I would have to do more research about it.

1 Like

@prepaidpyramid I have seen/heard of the ME being disabled on recent platforms. This was likely by utilizing the HAP bit. I have seen/heard nothing about recent neutering of the ME, which is the removal of most or all of the code.

But there are a few laptop manufacturers that have claimed they did it using neutralization, so that is what I’m interested in.

@prepaidpyramid Who? I think you should double check the language used. I just checked 3 boutique manufacturers that I know of and none of them said neutered and only one mentioned disabling (StarLabs, Tuxedo Computers, System76).

@GhostLegion Last year StarLabs was mentioning quite a lot how they didn’t just disable it, but they also had it neutralized.

@prepaidpyramid I am pretty sure that StarLabs does not “neutralize” the Intel ME, as there is currently not a single reliable way to do this. ME cleaner does not work on 12th gen. The Intel Management Engine - Star Labs

Currently the only known available way to work on the Intel ME with modern CPUs is the HAP bit. However, the only thing it does is to “kindly ask” the ME to turn itself off. There is actually ZERO verification from real analysis on what it really does.

And it is necessary to be aware that turning off ME will result in a number of issues. It is well known that turning off ME will break the S3 sleep, which will cause high battery drain in laptops.

It is simply impossible for modern CPUs not to come with some standalone modules. Just pick your poison: Intel ME listening on your network port, or AMD PSP, which is still a black box and integrates with another black box, Microsoft Pluton?

2 Likes

I believe that particular functionality requires vPro and an Intel network card. I have neither.

1 Like

It needs vPro for it to do something useful for the owner. It still has access to a lot of stuff it really should not without it; it’s just not useful to the user.

I’m not contesting the ME is mostly useless to most people but I don’t think the ME can access network traffic without the above conditions.

1 Like

It cannot do so for you; it may still be able to do it against you. It has pretty much unrestricted access to the PCIe bus, memory and most of the other internal connections.

No, it can’t. I’m going off of what I read from a Purism employee with knowledge of such things. I’ll link to the source once I find it.

Edit: I can’t find it.

There are very few people even at Intel that know what it actually can do; that is kind of the problem. Funny black box with obfuscated encrypted firmware that is connected to way too much stuff. It probably doesn’t, but it could access non-Intel networks if somebody wanted it to. It has the connections to it; it (probably) just doesn’t have the drivers for it.

For now it likely can’t but it could. The really bad part is, it is really hard to know.

I don’t doubt that. He probably still doesn’t know what it actually can and can’t do though. But that’s like most of the problem with the ME. Most of what it does is probably even useful, but being a spooky black box makes it a pain.

2 Likes