coreboot - Free up your firmware!

Firmware is the layer between the software and the hardware of your computer. coreboot is an open source firmware. So coreboot replaces your BIOS/UEFI but focuses on boot speed, security and flexibility. It is 100% designed to boot your OS as rapidly as possible but does not compromise on security. Remember that the BIOS from your computer manufacturer can and most likely has a backdoor pre-installed, So get rid of that BIOS and go coreboot!

Having laid that out, let's dig deeper.

Your firmware is usually provided as a closed source pre-installed layer within your computer but it is a black-box and most likely allows backdoors. Now think of your computer vendor (example Samsung who sells your data to make some extra bucks as explained in our EXPOSED! series) or of the government or just any one of their friendly neighborhood big brother agencies...you get the picture! Basically, BIOS is so 1984!

The over-riding benefits of the system are really best described by coreboot themselves as per their official website:

Security

coreboot comes with a minimal Trusted Computing Base which reduces the general attack surface. It also supports a secure boot process called VBOOT2. It’s written in MISRA-C standard and provides other languages like Ada for formal verification of special properties. Also the use of platform features like IOMMU, flash protections and deactivated SMM mode increases the security as well.

Safety

coreboot engineers have worked on many safety critical software projects. The architecture of coreboot is designed to have an unbrickable update process. Updating firmware should be no more dangerous than installing your favorite app on your mobile phone.

Performance

coreboot is designed to boot quickly. For desktops and laptop machines, it can frequently boot to the start of the operating system in under a second. For servers, it can cut minutes off of the boot time. Some vendors have demonstrated a decrease in boot time by more than 70% when compared to the OEM BIOS.

The good news is that if you run Linux you can easily install coreboot, however, please make sure you have supported (and supporting) hardware.

https://coreboot.org/status/board-status.html

sudo apt-get install -y bison build-essential curl flex git gnat libncurses5-dev m4 zlib1g-dev qemu

once you have done that clone coreboot into the working directory

git clone https://review.coreboot.org/coreboot

having cloned the repo into the directory, build the coreboot toolchain

make crossgcc-i386

This can take a while... read a book, have a coffee, do what you need to do.

NOTE: I am not sure if you can do the same thing using MacOS and brew, but you should by now if you have been following me whilst talking you through the switch to Linux! For Windows to use coreboot you can probably do this over on VM when you run a Linux version on it. But then again, if you are on Windows, I could suggest that since you already share your data openly there is no need to protect your BIOS anyway.

Once you've build the toolchain you can configure coreboot to run with QEMU.

make menuconfig

or

make nconfig (easier to navigate, uses ncurses)

now check if coreboot is configured for the build on QEMU

You should see and choose an Emulation board the QEMU x86 i440fx. Leave the rest as is. Hit ESC twice to go back to the menu.

Navigate to payload. Select SeaBIOS what supposed to be selected already as default. Navigate to Secendary Payload and hit Enter. Then select Load coreinfo as a secondary payload, with your space bar. This entry should be marked now.

Now hit ESC multicle times to exit the menuconfig. Select save when you exit.

after this type

make

this should build coreboot now

Now let's build coreboot in QEMU

qemu-system-x86_64 -bios build/coreboot.rom -serial stdio

You should now see coreboot running within QEMU

In the last step coreinfo will be loaded by SeaBIOS and you're done.

I hope that helps you in getting a safer BIOS and actually being in even more control of your computer.

Purism and System76 have coreboot pre-installed and there are also some community builds available.

https://www.coreboot.org/users.html

Which brings us to next week's review. I recently got myself a little Lemur Pro from System76 and would like to talk about it. How great it is, how it feels, some issues I would like to address and what I did to it and what I installed to make it the beast I wanted.

Stay safe, stay secure!

The Privacy Advocate