Coreboot Blocked from Recent Thinkpads by Intel Boot Guard

First it was &quot;secure boot&quot;, now it&#x27;s &quot;boot guard&quot;? It seems that the PC, which was once a <i>very</i> open platform (IBM published schematics and the source code of the BIOS up to the PC&#x2F;AT), is gradually becoming another locked-down walled-garden ecosystem.<p>The worst part is that the masses are going to think these anti-user measures are <i>helping</i> them, &quot;because security&quot;. They&#x27;ll see only the &quot;prevents hackers&quot; part being advertised and agree wholeheartedly, or even if they realise that it means they won&#x27;t be able to choose the firmware they run, they&#x27;ll shrug it off as &quot;I&#x27;m basically never going to do that, so why should it matter to me?&quot; The majority have spoken for security over freedom, and lead us down this path, where eventually almost no one will own the computers they use, or be allowed to do anything with them (including write software) except as permitted by the organisations that control them.<p>This is really, <i>really</i> scary. It&#x27;s quite reminiscent of the dystopia in Stallman&#x27;s &quot;The Right to Read&quot;:<p><a href="https://www.gnu.org/philosophy/right-to-read.html" rel="nofollow">https:&#x2F;&#x2F;www.gnu.org&#x2F;philosophy&#x2F;right-to-read.html</a><p>It won&#x27;t be easy to turn the situation around, but if anything I believe it will have to start with education - to reverse the brainwashing that companies and governments have propagated, and show people the power they can have when they control their computing devices. It is particularly hard when the majority are barely computer-literate, and there is vested interest in keeping them that way.<p>I don&#x27;t think the situation has gotten to the point where it&#x27;s necessary to stockpile older and freer computers, but that could be an option in the future. However, I&#x27;m certainly not going to be replacing my Thinkpad X60 with anything else for as long as possible.<p>I think this famous quote really needs to be made more aware of among those preparing to fight against the war on general-purpose computing: &quot;Those who give up freedom for security deserve neither.&quot;

Lenovo Broadwell devices are attempting to dig themselves out of the hole caused by Haswell trackpads. Probably not a good time to cripple them.<p>How would Lenovo react if Broadwell devices began receiving many service calls under warranty? Presumably the lock could be changed by a motherboard replacement.<p>Related article, <a href="http://www.pcworld.com/article/2883903/how-intel-and-pc-makers-prevent-you-from-modifying-your-pcs-firmware.html" rel="nofollow">http:&#x2F;&#x2F;www.pcworld.com&#x2F;article&#x2F;2883903&#x2F;how-intel-and-pc-make...</a>, <i>&quot;.. New thinkpad&#x27;s can&#x27;t be used anymore for coreboot. Especially the U and Y Intel CPU Series. They come with Intel Boot Guard and you are won&#x27;t be able to boot anything which is unsigned and not approved by OEM. This means the OEM are fusing SHA256 public key hashes into the southbridge.<p>... to their credit, Intel does allow PC manufacturers to configure the hardware in a different way. The real way to get that open hardware seems to be to build it from scratch and make the right decisions along the way, as Purism is trying to do. If you want this sort of open hardware, be prepared to vote with your wallet.&quot;</i><p>Purism: <a href="https://www.crowdsupply.com/purism/librem-laptop" rel="nofollow">https:&#x2F;&#x2F;www.crowdsupply.com&#x2F;purism&#x2F;librem-laptop</a>

That&#x27;s why I always emphasize that TPM (UEFI&#x2F;SecureBoot&#x2F;Boot Guard etc.) are not the right way for open source systems (Linux etc.).<p>The Linux community should stop to fiddle with locked-down boot systems. They actually should boycott locked-down systems and only support hardware vendors who officially support Linux. Many of them are presented at LinuxGizmos. I believe that such hardware vendors are much more open to the demands of the Opensource Community than vendors who produce locked-down systems.<p><a href="http://linuxgizmos.com" rel="nofollow">http:&#x2F;&#x2F;linuxgizmos.com</a>

I have no problem with a cryptographically verified boot process, so long as I control the key or verification step.<p>Unfortunately, Intel stripped this freedom from CPU owners by allowing OEMs to lock down the boot process in a manner that cannot be bypassed. Soon Coreboot will be all but dead for machines with Intel processors -- other than Chromebooks which ship with Coreboot. Owners will have to accept the bios that vendors give us.<p>The UEFI legacy boot option also seems to be on its way out, so I expect there will be fewer OS choices in our future too.

I recently purchase a Dell Inspiron Laptop which gave me a nightmare to install Windows 7 on it.<p>The &quot;secure Boot&quot; isn&#x27;t to secure the boot against rootkit, but secure from &quot;unauthorized&quot; or &quot;unsupported&quot; install your favorite operate system. In this case, I cannot install windows 7 on my brand new laptop.<p>I still remember the SIM card lock from carriers years ago, so if i am the vigilant, I am going to ask users to pay upfront to unlock &quot;Secure Lock&quot; so that they can install another operate system.

Original mailing list thread: <a href="http://www.coreboot.org/pipermail/coreboot/2015-February/thread.html#79207" rel="nofollow">http:&#x2F;&#x2F;www.coreboot.org&#x2F;pipermail&#x2F;coreboot&#x2F;2015-February&#x2F;thr...</a><p>Scary times indeed.

Ladies and gentleman lenovo.

When this came up on Phoronix, I suggested a jumper to disable it.