Coreboot VS Libreboot :: Which is better for Qubes OS ?
Marek Jenkins
Is one better than the other for Qubes OS ?
Marek Jenkins
Or will it work out-of-the-box ? I don't have the hardware / knowledege to flash BIOS chips.
Holger Levsen
> What is the difference between Coreboot and Libreboot ?
software added instead). So if you happen to have hardware which needs
those blobs, you won't be happy with Libreboot.
--
cheers,
Holger
Marek Jenkins
Hi Holger,
so from my understanding, "blobs" is a synonym for proprietary code, right ?
I mean if it doesn't really matter for security I can live with those blobs inside Coreboot.
I don't need extreme security on that level, I guess :D Just a decently secure system that respects privacy.
But Qubes will work better with Coreboot correct or why is it recommended here ?
Holger Levsen
> so from my understanding, "blobs" is a synonym for proprietary code, right ?
source code.
> I mean if it doesn't really matter for security I can live with those blobs inside Coreboot.
but if you have hardware which either works with a blob, or doesnt work
without it, you might want to choose the blob.
> But Qubes will work better with Coreboot correct or why is it recommended here ?
hardware than coreboot.
--
cheers,
Holger
Tai...@gmx.com
> What is the difference between Coreboot and Libreboot ?
Coreboot is sterile and corporate (as evidenced by not only the quiet
acceptance of boards with closed source init but the removal of older
open source boards from the tree, most people in the project and on the
list work for intel/google/etc so any questioning of this is always shot
down)
Libreboot is like an anarchist punk scene complete with a jerk in charge
(ex: the FSF related drama) - although she has done quite a bit for the
free hardware movement (75K+ for the KGPE-D16 and KCMA-D8 board ports,
both entirely libre and RYF certified) and has finally paid her debt for
the KCMA-D8 port so I respect her a little bit.
> Is one better than the other for Qubes OS ?
that supports v4.0) you're getting the same thing as libreboot if you
don't include the microcode update (note: microcode update needed in
either OS or firmware for 43xx CPU's due to a very bad exploit which
doesn't effect the slightly less fast 42xx CPU's)
All the libreboot boards work without the binaries contrary to what
holger said, you aren't going to boot up and find out there isn't any
video or w/e - leah laid out a lot of cash to ensure that.
I use coreboot.
Tai...@gmx.com
> Also, will you need to flash the BIOS manually for Coreboot/Libreboot to work ?
sure you orient it properly according to the diagrams) and a CH341A usb
flasher, it is very easy to do.
Marek Jenkins
Okay I see!
Thanks a lot for taking the time to explain, really appreciate it.
I think Coreboot is an interesting topic, but to be honest, it seems quite complex.
I don't really compile code myself and have no idea which settings + payload I need to pick to compile the ROM for flashing. And flashing also requires some skill + equipment.
Additionally, I read some people have issues with Qubes + SeaBios. Maybe I postpone the whole thing to a later day when I have more time to learn something new :)
Also, because I don't really think I need that level of security that protects someone to tamper with my BIOS :D I just didn't like the idea of having a "backdoor" in my system (Intel ME, AMT, vPro), thats how I learned about Coreboot.
So the final question:
If I choose an older mainboard from AMD for example, which doesn't have all those bad technologies built-in, I am still much more secure than the average guy with a new Intel CPU, right ?
Have a nice weekend!
Tai...@gmx.com
> If I choose an older mainboard from AMD for example, which doesn't have all those bad technologies built-in, I am still much more secure than the average guy with a new Intel CPU, right ?
For instance a H8SCM can be had for $30 (socket C32 like the KCMA-D8),
with a 4386 and that you'd be playing new games in a VM with no ME/PSP.
Marek Jenkins
> Philosophy, that's it.
>
> Coreboot is sterile and corporate (as evidenced by not only the quiet
> acceptance of boards with closed source init but the removal of older
> open source boards from the tree, most people in the project and on the
> list work for intel/google/etc so any questioning of this is always shot
> down)
Thanks for that info. From what I found, Librecore also seems to a fork of Coreboot, they only remove all the blobs. But my main concern are Intel AMT/ME/vPro - so in other words any remote access / backdoor, so I guess I could live with Coreboot.
I am going for the KGPE-D16 and it seems they really have put in a lot of effort to support it. Also Raptor Engineering seems to do a lot to make KGPE-D16 and coreboot work.
I planned to go for a 62xx or 63xx CPU, but probably for a 62xx, because I read the 63xx series has a lot of issues with coreboot/libreboot and needs firmware / "microcode" updates to work properly - like you mentioned as well.
Do you know if not only the KCMA-D8 but also the KGPE-D16 is also fully supported ? Should be, right ?
> Libreboot is like an anarchist punk scene complete with a jerk in charge
> (ex: the FSF related drama) - although she has done quite a bit for the
> free hardware movement (75K+ for the KGPE-D16 and KCMA-D8 board ports,
> both entirely libre and RYF certified) and has finally paid her debt for
> the KCMA-D8 port so I respect her a little bit.
> >
> > Is one better than the other for Qubes OS ?
> If you compile coreboot for say the KCMA-D8 (libre board I recommend
> that supports v4.0) you're getting the same thing as libreboot if you
> don't include the microcode update (note: microcode update needed in
> either OS or firmware for 43xx CPU's due to a very bad exploit which
> doesn't effect the slightly less fast 42xx CPU's)
>
> All the libreboot boards work without the binaries contrary to what
> holger said, you aren't going to boot up and find out there isn't any
> video or w/e - leah laid out a lot of cash to ensure that.
>
> I use coreboot.
Thanks for your help!
I just told Holger I probably would postpone the installation of Coreboot, because I have issues with compiling the ROM.
I know that I won't have problems with flashing the BIOS chip myself - my main problem is getting the settings right in the Coreboot config console (i am using "$ make nconfig" to compile).
But I am overwhelmed by all the settings. E.g. which payload (Seabios, GRUB2,etc) to use and which other settings for the KGPE-D16 ?
So if that would be solved, I might definitely consider to use Coreboot in the near future.
Marek Jenkins
Okay good to know!
I remember you advised to get the mainboard in new condition and everything else used. Is that more for security/privacy reasons or just to ensure to buy a functional mainboard that hasn't been degraded by years of 24/7 use ?
Because right now, I am sitting on the fence, wether I should really buy the mainboard new.
Sometimes I see used mainboards with almost 50% discount, so buying a used one would make quite a difference.
Tai...@gmx.com
On 11/04/2017 09:12 PM, 'Marek Jenkins' via qubes-users wrote:
>>> What is the difference between Coreboot and Libreboot ?
>> Philosophy, that's it.
>>
>> Coreboot is sterile and corporate (as evidenced by not only the quiet
>> acceptance of boards with closed source init but the removal of older
>> open source boards from the tree, most people in the project and on the
>> list work for intel/google/etc so any questioning of this is always shot
>> down)
> Thanks for that info. From what I found, Librecore also seems to a fork of Coreboot, they only remove all the blobs. But my main concern are Intel AMT/ME/vPro - so in other words any remote access / backdoor, so I guess I could live with Coreboot.
supported by libreboot.
>
> I planned to go for a 62xx or 63xx CPU, but probably for a 62xx, because I read the 63xx series has a lot of issues with coreboot/libreboot and needs firmware / "microcode" updates to work properly - like you mentioned as well.
use coreboot for those but it will do it automatically by default.
>
> I just told Holger I probably would postpone the installation of Coreboot, because I have issues with compiling the ROM.
default config.
>
> But I am overwhelmed by all the settings. E.g. which payload (Seabios, GRUB2,etc) to use and which other settings for the KGPE-D16 ?
anything the default settings are fine.
Marek Jenkins
> use coreboot for those but it will do it automatically by default.
Is that only the case with Coreboot BIOS or also with the stock BIOS ?
> > I just told Holger I probably would postpone the installation of Coreboot, because I have issues with compiling the ROM.
> As long as you have the prerequisites installed it should work with the
> default config.
> > I know that I won't have problems with flashing the BIOS chip myself - my main problem is getting the settings right in the Coreboot config console (i am using "$ make nconfig" to compile).
> >
> > But I am overwhelmed by all the settings. E.g. which payload (Seabios, GRUB2,etc) to use and which other settings for the KGPE-D16 ?
> SeaBIOS for beginners, other then that you don't need to mess with
> anything the default settings are fine.
> > So if that would be solved, I might definitely consider to use Coreboot in the near future.
> >
Hi, I just saw you pretty much answered all questions I had regarding Coreboot and its setup for KGPE-D16. I didn't see you already posted here at the time of writing my reply in the other thread. So in other words, you don't really need to go into great detail again in the other thread - I think I am good !
Maybe I get back to you in case I want to add any security features (AEM) to Coreboot. But for now, I will start to test it with basic settings.
Tai...@gmx.com
>> 63xx/43xx is fine as long as you include a microcode update, you need to
>> use coreboot for those but it will do it automatically by default.
> Is that only the case with Coreboot BIOS or also with the stock BIOS ?
revision)
>> As long as you have the prerequisites installed it should work with the
>> default config.
>>> I know that I won't have problems with flashing the BIOS chip myself - my main problem is getting the settings right in the Coreboot config console (i am using "$ make nconfig" to compile).
>>>
>>> But I am overwhelmed by all the settings. E.g. which payload (Seabios, GRUB2,etc) to use and which other settings for the KGPE-D16 ?
>> SeaBIOS for beginners, other then that you don't need to mess with
>> anything the default settings are fine.
>>> So if that would be solved, I might definitely consider to use Coreboot in the near future.
>>>
> Hi, I just saw you pretty much answered all questions I had regarding Coreboot and its setup for KGPE-D16. I didn't see you already posted here at the time of writing my reply in the other thread. So in other words, you don't really need to go into great detail again in the other thread - I think I am good !
>
> Maybe I get back to you in case I want to add any security features (AEM) to Coreboot.
TPM module.