coreboot - Free up your firmware!
Firmware is the layer between the software and the hardware of your computer. coreboot is an open source firmware. So coreboot replaces your BIOS/UEFI but focuses on boot speed, security and flexibility. It is 100% designed to boot your OS as rapidly as possible but does not compromise on security. Remember that the BIOS from your computer manufacturer can and most likely has a backdoor pre-installed, So get rid of that BIOS and go coreboot!
Having laid that out, let's dig deeper.
Your firmware is usually provided as a closed source pre-installed layer within your computer but it is a black-box and most likely allows backdoors. Now think of your computer vendor (example Samsung who sells your data to make some extra bucks as explained in our EXPOSED! series) or of the government or just any one of their friendly neighborhood big brother agencies...you get the picture! Basically, BIOS is so 1984!
The over-riding benefits of the system are really best described by coreboot themselves as per their official website:
coreboot comes with a minimal Trusted Computing Base which reduces the general attack surface. It also supports a secure boot process called VBOOT2. It’s written in MISRA-C standard and provides other languages like Ada for formal verification of special properties. Also the use of platform features like IOMMU, flash protections and deactivated SMM mode increases the security as well.
coreboot engineers have worked on many safety critical software projects. The architecture of coreboot is designed to have an unbrickable update process. Updating firmware should be no more dangerous than installing your favorite app on your mobile phone.
coreboot is designed to boot quickly. For desktops and laptop machines, it can frequently boot to the start of the operating system in under a second. For servers, it can cut minutes off of the boot time. Some vendors have demonstrated a decrease in boot time by more than 70% when compared to the OEM BIOS.
The good news is that if you run Linux you can easily install coreboot, however, please make sure you have supported (and supporting) hardware.
sudo apt-get install -y bison build-essential curl flex git gnat libncurses5-dev m4 zlib1g-dev qemu
once you have done that clone coreboot into the working directory
git clone https://review.coreboot.org/coreboot
having cloned the repo into the directory, build the coreboot toolchain
This can take a while... read a book, have a coffee, do what you need to do.
NOTE: I am not sure if you can do the same thing using MacOS and brew, but you should by now if you have been following me whilst talking you through the switch to Linux! For Windows to use coreboot you can probably do this over on VM when you run a Linux version on it. But then again, if you are on Windows, I could suggest that since you already share your data openly there is no need to protect your BIOS anyway.
Once you've build the toolchain you can configure coreboot to run with QEMU.
make nconfig (easier to navigate, uses ncurses)
now check if coreboot is configured for the build on QEMU
You should see and choose an Emulation board the QEMU x86 i440fx. Leave the rest as is. Hit
ESC twice to go back to the menu.
SeaBIOS what supposed to be selected already as default. Navigate to
Secendary Payload and hit
Enter. Then select Load coreinfo as a secondary payload, with your space bar. This entry should be marked now.
ESC multicle times to exit the menuconfig. Select
save when you exit.
after this type
this should build coreboot now
Now let's build coreboot in QEMU
qemu-system-x86_64 -bios build/coreboot.rom -serial stdio
You should now see coreboot running within QEMU
In the last step coreinfo will be loaded by SeaBIOS and you're done.
I hope that helps you in getting a safer BIOS and actually being in even more control of your computer.
Purism and System76 have coreboot pre-installed and there are also some community builds available.
Which brings us to next week's review. I recently got myself a little Lemur Pro from System76 and would like to talk about it. How great it is, how it feels, some issues I would like to address and what I did to it and what I installed to make it the beast I wanted.
Stay safe, stay secure!
The Privacy Advocate