I take things from point A to point B

  • 42 Posts
  • 9 Comments
Joined 1 year ago
Cake day: June 17th, 2023

  • There are two main aspects to coreboot in my opinion that differentiate it from other firmware ecosystems:

    The first is a strong push towards having a single code base for lots of boards (and, these days, architectures). Historically, most firmware is built in a model I like to call “copy&adapt”: The producer of a device picks the closest reference code (probably a board support package), adapts it to work with their device, builds the binary and puts it on the device, then moves to the next device.

    Maintenance is hard in such a setup: If you find a bug in common code you’ll have to backport the fix to all these copies of the source code, hope it doesn’t break anything else, and build all these different trees. Building a 5 year old coreboot tree on a modern OS is quite the exercise, but many firmware projects are near impossible to build under such circumstances.

    With coreboot, we encourage developers to push their changes to the common tree. We maintain it there, but we also expect the device owner (either the original developer or some interested user) to help with that, at least with testing but more ideally with code contributions to keep it up to current standards of the surrounding code. A somewhat maintained board is typically brought up to latest standards in less than a day if a new build is required, and that means that everybody has an easy time to do a new build when necessary.

    The second aspect is our separation of responsibilities: Where BIOS mandates the OS-facing APIs and not much else (with lots of deviation in how that standard is implemented), UEFI (and other projects like u-boot) tends to go the other extreme: with UEFI you buy into everything from build system, boot drivers, OS APIs and user interface. If you need something that only provides 10% of UEFI you’ll be having a hard time.

    With coreboot we split responsibilities between 2 parts: coreboot does the hardware initialization (and comes with its build system for the coreboot part, and drivers, but barely any OS APIs and no user interface). The payload is responsible for providing interfaces to the OS and user (and we can use Tianocore to provide a UEFI experience on top of coreboot’s initialization, or seabios, grub2, u-boot, Linux, or any program you build for the purpose of running as payload).

    The interface between coreboot and the payload is pretty minimal: the payload’s entry point is well-defined, and there’s a data table in memory that describes certain system properties. In particular the interface defines no code to call into (including: no drivers), which we found complicates things and paints the firmware architecture into a corner.

    To help payload developers, coreboot also provides libpayload, a set of minimal libraries implementing libc, ncurses and various other things we found useful, plus standard drivers. It’s up to each coreboot user/vendor if they want to use that or rather go for whatever else they want.

    credit: [deleted] user on Reddit.
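
An added example (not part of the comment above, and not coreboot's or libpayload's own code): how a payload might walk the in-memory data table the comment describes, treating it purely as data and bounds-checking every size field before trusting it. The `lb_header`/`lb_record` layouts and tag values follow coreboot's `coreboot_tables.h`; `cb_count_tag` and `cb_sample` are hypothetical names, the sample table is constructed, and checksum verification is left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Layouts follow coreboot's coreboot_tables.h (fields are host-endian). */
struct lb_header {
    uint8_t  signature[4];              /* "LBIO" */
    uint32_t header_bytes, header_checksum;
    uint32_t table_bytes, table_checksum, table_entries;
};
struct lb_record { uint32_t tag, size; };  /* size includes this 8-byte header */

/* Count records carrying `tag`; -1 if the table is malformed.
 * The table is pure data: nothing here calls back into firmware. */
int cb_count_tag(const uint8_t *buf, size_t len, uint32_t tag)
{
    struct lb_header h;
    if (len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (memcmp(h.signature, "LBIO", 4) != 0) return -1;
    if (h.header_bytes < sizeof h || h.header_bytes > len) return -1;
    if (h.table_bytes > len - h.header_bytes) return -1;

    const uint8_t *p = buf + h.header_bytes;
    size_t left = h.table_bytes;
    int found = 0;
    for (uint32_t i = 0; i < h.table_entries; i++) {
        struct lb_record r;
        if (left < sizeof r) return -1;            /* truncated record header */
        memcpy(&r, p, sizeof r);
        if (r.size < sizeof r || r.size > left) return -1;  /* would loop or overrun */
        if (r.tag == tag) found++;
        p += r.size;
        left -= r.size;
    }
    return found;
}

/* Constructed sample: LB_TAG_MEMORY (0x0001, 28 bytes) then LB_TAG_VERSION
 * (0x0004) whose size field is caller-chosen so bad sizes can be tried. */
size_t cb_sample(uint8_t *out, uint32_t second_size)
{
    struct lb_header h = { {'L','B','I','O'}, sizeof(struct lb_header), 0, 44, 0, 2 };
    struct lb_record mem = { 0x0001, 28 }, ver = { 0x0004, second_size };
    memset(out, 0, sizeof h + 44);
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, &mem, sizeof mem);
    memcpy(out + sizeof h + 28, &ver, sizeof ver);
    return sizeof h + 44;
}
```

Because a record's `size` field alone decides where the next record starts, a zero or oversized value is rejected rather than followed.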













  • As a side note about BIOS

    Framework’s official stance on Coreboot:

    “As this keeps popping up even after multiple responses, let this be the “official” response so we can put this to bed, at least for now.

    It is not that Framework “does not care” about Coreboot, it is that we have a very long list of priorities for a very small team (we are less than 50 globally and have existed for less than 3 years) and while being able to support Coreboot would be fantastic, it is just not a priority for Framework right now given the sheer number of initiatives that we have to launch now and in the immediate future. We pivot from one NPI (New Product Introduction) to the next, back to back, and have since our first product launch. Our firmware/BIOS team is small and is supplemented by an outside 3rd Party partner. The consistent, “well, just hire more people then” is unfortunate as those in the know understand that’s not how it works, especially for a small, private company trying to exist in a very mature market segment. While tech in general is shrinking, layoffs are in the news constantly, and global economies are getting hit hard, we’re still here, releasing new products, and working hard to support everything we’ve already launched.

    If and when we decide to add Coreboot to the docket of active projects, we’ll let the Community know, but if you want Framework to continue to exist, and you believe in our mission, we’ll have to continue to ask for your patience. If not having Coreboot is a blocker for you, personally, to join the Framework Family, we do hope that we can earn your business in the future.”

    https://community.frame.work/t/responded-coreboot-on-the-framework-laptop/791/239




  • If you’re already on a Linux-based operating system, and you gotta run a real instance of Windows for some reason, your safest bet from both a security and privacy standpoint is to run it in a virtual machine (I like VirtualBox, personally, but VMware, or whatever else will do the job fine also) and firewall the hell out of it. In a virtual machine, you can totally lock it down as much or as little as you need for the task at hand, and ain’t a damned thing Windows itself can really do about it, and as an added bonus, it saves you from the required reboots of dual-booting. It’s confined to a “safe space” (until you start enabling network stuff and opening ports to it). You’re in control.

    edit: or QEMU/KVM (with virt-manager)