Libreboot on an X60, Part I: the Setup
Recently I wrote a review for the Linux Journal Web site on the Purism Librem 15 laptop. The goal of this laptop is to provide a piece of modern hardware that can run 100% free software not just for the OS, but also all device drivers and firmware up to and including the BIOS. At the time I'm writing this, the last major sticking point along those lines for the project is the Intel Management Engine: a proprietary piece of firmware that is required to boot up modern systems. In that review, I wrote the following:
It turns out it's rather difficult to have a fully free software laptop. Even if you can pick hardware that can use free software drivers, there's still that pesky BIOS. While coreboot and libreboot are great free software BIOS implementations, to get it on many laptops requires hardware BIOS chip flashing with pomona clips—the kind of thing I wasn't ready to brick a laptop to try. Like other privacy advocates, I turned to the old ThinkPad X60 laptop series. While it's old, underpowered and has a low-res screen by today's standards, the keyboard is great and more important, you could flash its BIOS with coreboot or libreboot from within Linux itself—no hardware hacking required. So that's what I did.
Although the Purism 15 laptop seems to be a viable choice for those who want a free software laptop, at the time of this writing, the crowdfunding campaign is still in process, and even after it completes, it will take some time until they ship. Plus, a new laptop like that doesn't come cheap, and many people who may want a laptop that runs 100% free software may not have $1,600+ to spend on it. I've been able to find used ThinkPad X60 laptops on auction sites as cheap as $30, so if you are willing to live with some of the limitations of hardware that old, it is an inexpensive route to a decent machine that runs only free software.
The first time I attempted to flash an X60 with coreboot, it was one of the more difficult things I'd done with Linux to the point that I wasn't ever planning on writing it up in Linux Journal. More recently, I tried again, only this time with Libreboot—a coreboot BIOS distribution that has all of the proprietary software removed. The process was greatly simplified and automated to the point where I feel relatively comfortable recommending others try it (with a few caveats I'll explain later).
In my next couple articles, I'm going to walk through the journey that brought me to the X60 running Libreboot that I'm using to type this column. In this first part, I discuss the setup, including what Libreboot is, what hardware it currently supports and some of the risks around flashing your BIOS. If I haven't scared you off by the end of this article, in future articles, I'll cover how to download Libreboot and verify its integrity, how to flash the BIOS itself in detail with sample script output and how to modify the default GRUB bootloader. If you can't wait until next month, a lot of my process is based on the excellent guide provided at https://github.com/bibanon/Coreboot-ThinkPads/wiki/ThinkPad-X60.
Free as in BIOS
To understand Libreboot, it helps to understand coreboot first. Coreboot is an open-source BIOS replacement. With coreboot, you can replace a proprietary BIOS with open-source software on supported hardware with a minimal amount of proprietary firmware included to support things like video hardware in the BIOS or the Intel Management Engine on newer hardware. Coreboot doesn't currently support all hardware out there, although the list continues to grow, and you might be surprised to know that Chromebooks ship with coreboot by default. To install coreboot on much of the supported hardware, you must use external hardware including a connector like an 8-pin Pomona clip to reflash the BIOS chip. That's pretty intense for a lot of people, but fortunately, some hardware including the X60, X60s, X60 tablet and T60 can be flashed completely in software.
When I first attempted to flash an X60 with coreboot a few months ago, the process involved disassembling the laptop to inspect the underside of the motherboard with a magnifying glass so I could determine which of two BIOS chip types I had. I used that information to hand-patch the flashrom software with custom code and compiled a special version just to unlock my BIOS. Then I downloaded, configured and compiled a custom coreboot BIOS image for my laptop and went through a two-phase flash. In the end, I got it working; however, I needed to strip out and include the proprietary video firmware from my proprietary BIOS to get any video at boot time—useful when you want to select between hard drive and USB boot.
Libreboot is a custom distribution of coreboot that removes all proprietary software from the BIOS. Instead of proprietary BIOS boot selector, for instance, Libreboot boots straight into its own GRUB menu that you can use to load your own underlying OS. In addition, Libreboot has automated a lot of the difficult processes around installing coreboot and provides custom scripts and pre-build ROMs for its officially supported hardware.
But, why would you want a free software BIOS? For those who fully support the Free Software Foundation and the principles of free software, you don't need any further justification. Although I have traditionally taken a more pragmatic approach to the free vs. open-source software debate, I've recently been more motivated to seek out free software whenever I can find it as I explain in my Librem 15 review:
In the past, I didn't care all that much if I had to use a binary blob to get a wireless card or video card working as long as it worked, and I definitely never cared that my BIOS was proprietary software.
Then the Snowden leaks happened. The sheer depth and breadth of the loss of privacy motivated me to step up my game in terms of overall security and focus on privacy. In the past it would seem rather paranoid to think that there might be some sort of NSA-sanctioned spyware in a binary blob, firmware, or the BIOS. After the Snowden leaks and the subsequent disclosures about the ANT catalog, these things stopped seeming so far-fetched. I found myself leaning more toward the Stallman camp. One of the only ways to be truly sure that you don't have a backdoor on your system is to be able to see the source code for all of it from the browser plugins to the kernel drivers all the way to the BIOS.
Due to the fact that Libreboot avoids any proprietary firmware in the BIOS, its hardware support is somewhat limited. Among other reasons, this is due to the fact that modern Intel hardware requires the proprietary Intel Management Engine firmware even to boot. Although you may be able to get Libreboot to work on other hardware, at this point, only a few laptops are listed on its hardware compatibility list as officially supported:
Lenovo ThinkPad X60/X60s
Lenovo ThinkPad X60 Tablet
Lenovo ThinkPad T60
You may find one major thing in common with all the laptops on this list: they are old. In most cases, we are talking about 32-bit Intel Core Duo processors or 64-bit Core 2 Duos in some cases (and the T60's CPU can be replaced with a 64-bit CPU apparently). That said, the X60 is a decent piece of hardware with a solid keyboard and decent battery life, even if the CPU is slow and the screen resolution is low by today's standards.
Even on this list of supported hardware there are some exceptions. Although all X60s are supported, only T60s that use Intel GPUs are supported, and those with ATI GPUs are not. The Libreboot hardware compatibility page has more information to help you figure out what's supported and what isn't. The page also lists recommended Wi-Fi chipsets that are known to work well with Libreboot and Linux in general, as they don't require any proprietary binary blobs to function.
If it doesn't already go without saying, reflashing the BIOS on your laptop with custom software is risky! Although I've had success so far flashing a couple different X60s, I did temporarily brick one laptop when I got fancy and tried an initial flash with one of my own custom ROMs instead of one provided by Libreboot. For the most part, the process is straightforward and automated, but as you'll see in my follow-up article that describes each step, many of the automated scripts call other software that output some pretty scary warnings and errors during the process that you are supposed to ignore.
There are two primary ways you can brick your laptop during the process. First, you could have a bad flash during the initial bootstrapping flash phase. If that happens but you were using one of the Libreboot-supplied ROMs, all you should have to do is shut off the machine, unplug the CMOS battery for a few seconds, reconnect it and power on your machine to get back to the original BIOS.
If you flash during the initial bootstrapping phase with a custom ROM like I tried one time, lose power during the process, attempt this on incompatible hardware or otherwise encounter a worst-case scenario, you could end up with a completely unbootable machine. Because you can't boot back to your OS, you can't attempt to reflash, so you are stuck with a bricked laptop unless you buy hardware that can flash your BIOS chip, such as a BusPirate or a Raspberry Pi running custom software. That said, if you have that hardware, wire it properly and you remembered to back up your original BIOS first, you should be able to restore your laptop to normal.
Although so far I've been successful when I've stuck strictly to the directions, there is still a possibility you will brick your laptop, so if you are particularly attached to your laptop and can't risk it being out of service while you acquire hardware flashing tools, you may want to reconsider going down this road. Again, you can get used X60s relatively cheap on-line if you shop around, so if you are concerned, you may want to try this first with a sacrificial machine.
Well, if I haven't scared you off yet, I hope you check out my next column in this series where I jump right into step-by-step instructions on how to flash an X60 with Libreboot. Although the process isn't quite as simple as updating a traditional proprietary BIOS and requires a number of unusual steps, most of the hard work already has been done for you, and in the end you'll have a trusted machine without any proprietary firmware.
Kyle Rankin is VP of engineering operations at Final, Inc., the author of many books including Linux Hardening in Hostile Networks, DevOps Troubleshooting and The Official Ubuntu Server Book, and a columnist for Linux Journal. Follow him @kylerankin
|Graph Any Data with Cacti!||Apr 27, 2017|
|Be Kind, Buffer!||Apr 26, 2017|
|Preparing Data for Machine Learning||Apr 25, 2017|
|openHAB||Apr 24, 2017|
|Omesh Tickoo and Ravi Iyer's Making Sense of Sensors (Apress)||Apr 21, 2017|
|Low Power Wireless: 6LoWPAN, IEEE802.15.4 and the Raspberry Pi||Apr 20, 2017|
- Graph Any Data with Cacti!
- Teradici's Cloud Access Platform: "Plug & Play" Cloud for the Enterprise
- The Weather Outside Is Frightful (Or Is It?)
- Simple Server Hardening
- Understanding Firewalld in Multi-Zone Configurations
- Preparing Data for Machine Learning
- Server Technology's HDOT Alt-Phase Switched POPS PDU
- IGEL Universal Desktop Converter
- Gordon H. Williams' Making Things Smart (Maker Media, Inc.)