Open Source Bios - Is it worth it?

Should I install LibreBoot or CoreBoot? Is it stable? Is it safe?


yes

What do you want to get out of it?

if your machine supports libreboot (big if) then the only downside to using it over coreboot is that it might be an older version and might require some manual workarounds

otherwise libreboot is literally just coreboot deblobbed with some independent fixes but mostly focuses on making the install process painless

>trannyboot

What if freedom wasn't a concern? Will there still be a benefit to flashing it?

I just want to become a 1337 h@x0®.

>choosing your functional, non-political technology based on the producer's irrelevant individual persuasion

>libreboot
not sure if i'd rather run bios coded by a tranny with serious issues and causing drama every week or the stock chink bios on my thinkpad

LibreBoot only applies to certain thinkpads with core duo or less.
You may not have a choice

>risking to brick your device for freedom
Not worth imo

>irrelevant individual persuasion

It would be irrelevant if the freak didn't go out of its way to ram the shit down everyone's throat.

>REEEEEEE STALLMAN ISN'T RESPECTING THE FREEDOM OF XIR. I KNOSSOS WHAT XIR WILL DO, XIR WILL GO ON AN AUTISIC RANT THAT ALIENATES EVERYONE

If you have the tools to flash libreboot you have the tools to restore the original bios

Wrong, you can flash it from the OS on some laptops

If you're autistic enough to have an x60, then you have a BBB or a Rpi

shit, you're right

Or even just a $2 ch341a flasher from China.

Full full disk encryption, if you flash the grub payload you don't need an unencrypted /boot on your disk. Faster boot times too.

It'll allow you to install non-whitelisted but supported devices if your machine has such a thing.

A-M-DDEEEEEE

>flashing with a Chinese botnet

I seriously hope you don't do this.

AMD has its own version of AMT/ME.

Do you have a Thinkpad X200, T60, T400 or such? With an Intel GPU?

If so, Libreboot.
If not, Coreboot.

You can re-flash it from software after installation since it removes the write-protection.

then use coreboot, libreboot is literally coreboot but with no nonfree blobs and no microcode, changes that come to libreboot first eventually make it to coreboot (or sometimes libreboot changes make it to coreboot first while the libre changes require additional developer time, especially in the case where libreboot devs pay to port boards to coreboot/libreboot)

this shouldn't be that difficult to grasp

work is being done to try and make some more recent thinkpads libreboot compatible but as always projects like libreboot (and/or gnu) do not compromise at all so they may not ever be fully endorsed by libreboot

if you want to do this on your own machine you can run me_cleaner for a 99% free machine with only a *tiny* portion of intel's management engine remaining, purism are selling laptops with this ran at a huge markup - me_cleaner isn't quite within the gnu (or by extension libreboot) guidelines but for 99% of people that might consider using libreboot it's good enough

>It would be irrelevant if the freak didn't go out of its way to ram the shit down everyone's throat.

and this had any impact on you using libreboot/coreboot how exactly?

if you're flashing from within libreboot/coreboot or flashing on the laptops that support flashing libreboot/coreboot in software from stock bios then you risk soft booting but in 100% of cases you can flash externally using bbb/rpi/literally any linux based spi flasher and """recover""" the machine to a working state (if you don't back up the stock bios you lose it for good, they're tied to the hardware in some way)

yeah but most laptops have a stock bios for this, it shouldn't be considered a selling point

THAT'S WHY I POSTED THE PREVIOUS PICTURE TO SHOW MY ANGER
HERE IS ANOTHER PICTURE

THEY SHOULD OPEN IT SINCE THEY'RE RELEASING ACTUAL ENTERPRISE CPUS ANYWAY
REGULAR CUSTOMERS DON'T NEED IT

As of last year, the dedicated GPU laptops are compatible. Libreboot just disables the dedicated GPU and uses integrated.

>hardware remote management features in consumer hardware
>encrypted firmware that you can't replace
really makes you wonder

I'm sure Intel and AMD spent millions of dollars developing and installing their remote management tools just because it was a fun thing to do. Nothing to see, go back to sleep.

If you can, but good luck finding hardware that it supports.

>I'm sure Intel and AMD spent millions of dollars developing and installing their remote management tools just because it was a fun thing to do.

it was a business/server orientated feature from the start to further provide the ability to remotely automate common tasks outside of the operating system (changing bios features/flashing bios firmware) as well as to provide some slightly tangible security benefits (secureboot precursor/tpm stuff) that eventually saw some use in marking it as a premium feature to mobile (read: laptop/tablet) users who you know, might want to remotely shut down/lock out their pc when it's stolen, but nice strawman, nobody is implying they developed it for fun or with no inherent use case

Such use cases aren't used by the vast majority of people who buy computers. There's no reason for them to include this malware in all their processors, especially when they refuse to allow users to disable it.

There is no reason not to use libreboot.
It is more secure than the regular bios.
It is faster than the regular bios.
I have yet to have problems with it.
It allows you to install with /boot/ encrypted.
It allows you to require any kernel to be GPG signed.
It's free as in freedumbs.

How to install libreboot on T400, I have raspberry pi if it is needed for flashing

>There's no reason for them to include this malware in all their processors

I agree

>especially when they refuse to allow users to disable it.

to be fair, the way to 'disable' it is to not buy a computer/laptop/motherboard chipset with the vpro or other amt interfaces, that way every chip is still going to have the management engine but it should be isolated from the os in a meaningful way - the recent exploit was with the management engine interface after all

There's no effective way to disable it besides Libreboot and the recent work around. After a decade of widespread use, Intel finally admitted this year that ME is vulnerable to hackers. Of course, there's really no way to fix the vulnerability from Intel's side because even it doesn't have the source code for all of ME.

>It is more secure than the regular bios.
How so?

>It is faster than the regular bios.
Boot times never bothered me.


>It allows you to install with /boot/ encrypted.
That's pretty nice but usually it's everything else except boot that needs encrypted and Grub already allows that right?

>It allows you to require any kernel to be GPG signed
If you're going to put some kernel piece in your OS then you should already know exactly what and from where you are putting it. Signatures are pointless here.

libreboot.org/docs/install/t400_external.html

You can do it through software on some thinkpads but the t400 needs external flashing with a BeagleBone Black, although I think a Raspberry Pi would work as well.

Doesn't ME need OS support to access the HDD? And even if they can access it without it, how are they going to get the data out of there? They still need support from the OS.

>How so?
You know what is in it because you can look at the source code. Old thinkpad bios hasn't been audited for a while and probably has backdoors in it anyway.

>Boot times never bothered me.
Me neither. I just listed that because some people like a 2 second boot up.

>That's pretty nice but usually it's everything else except boot that needs encrypted and Grub already allows that right?
It allows you to install with everything on your hard drive encrypted. Grub.cfg is stored on the flash chip.

>If you're going to put some kernel piece in your OS then you should already know exactly what and from where you are putting it. Signatures are pointless here.
I think it's more so that attackers couldn't boot live USBs and mess with you.

ME has direct memory access and network access. It can rip out your encryption keys and send them to an attacker without you ever knowing. It can also turn your computer on and copy your entire hard drive without you lifting a finger.

It was designed as a way to keep corporate employees in check and it's turned into a gaping security hole.

>probably has backdoors in it anyway.

But it would still need OS support to do anything meaningful.

>I think it's more so that attackers couldn't boot live USBs and mess with you.

So it assumes someone has physical access to your PC. I see, most people worry only about remote access.

How does it connect to my router?
Intel introduced the new EAS instruction, that way they can know when someone is encrypting something, ofc you could just compile your encryption software without using the EAS instruction (how we've been doing until now), that way your encryption won't stand out like a sore thumb.