Coreboot vs Libreboot
Updated: May 15, 2019
If there was to be a battle of Coreboot vs Libreboot, for the title of best free and secure BIOS, who would win? Well, the answer is surprising….Nobody. While there are subtle differences between the two, each come with their own benefits and applications. I’ll use my time here to explain why Intel's management engine is important for you to know and understand, briefly describe the alternative to this, and analyze Coreboot vs Libreboot and why you should consider switching
My system is totally secure….or wait... is it?
So you’ve been careful and meticulously monitoring your computer behavior as to minimize any security threat . Never had your identity stolen or out of curiosity opened one of those ransomware emails. Determined not be one of those people that has had their wallets emptied or other precious information taken from you. Well my friend, you’ve been blissfully unaware of a huge threat that has been under most people's noses for some time now.
Let me introduce you to Intel’s sneaky program called Management Engine
Once upon a time there was this big,bad, scary thing called Intel Management Engine (ME) that totally undermined a computers security and consequently, your freedom. Little is known about it still but the best explanation of it comes from Igor Skochinsky who gave an insightful talk at REcon 2014 [https://www.youtube.com/watch?v=4kCICUPc9_8\] about the depths of Intel's ME.
What Intel’s Management Engine does
The Intel ME has a few specific functions, These functions include Active Management Technology, with the ability for remote administration, provisioning, and repair, as well as functioning as a KVM. The System Defense function is the lowest-level firewall available on an Intel machine. IDE Redirection and Serial-Over-LAN allows a computer to boot over a remote drive or fix an infected OS, and the Identity Protection has an embedded one-time password for two-factor authentication. There are also functions for an ‘anti-theft’ function that disables a PC if it fails to check in to a server at some predetermined interval or if a ‘poison pill’ was delivered through the network. This anti-theft function can kill a computer, or notify the disk encryption to erase a drive’s encryption keys. With a trusted processor connected directly to the memory, network, and BIOS of a computer, the ME could be like a supercharged rootkit in the wrong hands
Do not fear the Intel ME
Luckily for us, there is an alternative to Intel’s Management Engine. Let me introduce you to Coreboot and Libreboot. These programs are aimed at replacing the proprietary firmware (bios, Intels ME) that is found in most modern computers. This allows us to totally rid our systems from the proprietary and insecure firmware that is most likely still on your system.
The biggest and sometimes most disappointing realization of Coreboot is that it is not available on all systems. The most popular systems that tend to get Coreboot are the Lenovo Thinkpad series, more specifically, the x201, the x220, the x230. But it is not limited to these, to see a full list of supported chipsets and devices simply go here [https://coreboot.org/status/board-status.html] . With Coreboot some additional work must be done to rid our systems of Intel’s ME but the process is fairly straightforward. More information on Coreboot can be found here [https://www.coreboot.org/FAQ] Installation requires compiling it for each motherboard and chipset. Not all ram and wifi cards work with Coreboot, so some research is recommended
Libreboot is an upstream of Coreboot. As with Coreboot, it is only available on a limited number of systems. The most common systems are: Lenovo Thinkpad x60, x200,x200s, t400,t400s,t500,and w500. For a complete list see here [https://libreboot.org/docs/hardware/]. With Libreboot, no additional work is needed to rid your system of Intel’s ME. More information can be found here [www.libreboot.org] . Unlike Coreboot, installation does not require compilation. Not all ram and wifi cards work with Libreboot, so some research is recommended.
How do I get totally a totally free, secure, non-proprietary bios?
Simply download the libreboot rom (system specific) or coreboot(you must compile coreboot for each system) and flash it onto your system. This process varies from system to system and may require an external flasher. Or check out my products page for pre-flashed systems that come with a Linux Distro and are ready to use out of the box. For additional information, I'll be putting a step-by-step tutorial on how to flash your system
Do I need a Libreboot or Coreboot?
After outlining some of the dangers that Intel’s ME poses and the free alternative to this menace, the choice should not be hard to make, especially if your priority is security and freedom. If you do not know how to flash your system, documentation can be found on my website and various other sources. If you do not feel like you want to take on the challenge of flashing your system and can’t wait to feel the amazing feel of freedom, please see my products page.