Article published by: Leah Rowe
Date of publication: 10 July 2023
The exact changes that created this Censored Libreboot release can be found here:
There is an entire version of the Libreboot site, made specifically for this release: https://censored.libreboot.org/
Libreboot provides boot firmware for supported x86/ARM machines, starting a bootloader that then loads your operating system. It replaces proprietary BIOS/UEFI firmware on x86 machines, and provides an improved configuration on ARM-based chromebooks supported (U-Boot bootloader, instead of Google’s depthcharge bootloader). On x86 machines, the GRUB and SeaBIOS coreboot payloads are officially supported, provided in varying configurations per machine. It provides an automated build system for the configuration and installation of coreboot ROM images, making coreboot easier to use for non-technical people. You can find the list of supported hardware in Libreboot documentation.
Libreboot’s main benefit is higher boot speed, better security and more customisation options compared to most proprietary firmware. As a libre software project, the code can be audited, and coreboot does regularly audit code. The other main benefit is freedom to study, adapt and share the code, a freedom denied by most boot firmware, but not Libreboot! Booting Linux/BSD is also well supported.
Libreboot previously complied with GNU FSDG policy, banning (removing) all binary blobs from coreboot. Coreboot requires binary blobs on a lot of boards, though it does provide something very close to full freedom on a lot of them, so the old Libreboot policy resulted in very weak hardware support.
Libreboot, in regular releases, adopted a more pragmatic Binary Blob Reduction Policy in November 2022, with the aim of providing support for a lot more hardware (the goal is to support everything coreboot supports), while reducing the impact (in terms of security and reliability) that certain binary blobs have; for example, it automatically uses
me_cleaner during build time, to disable Intel ME after bringup, on newer Intel platforms that require Intel ME.
This new release, Censored Libreboot c20230710, released today 10 July 2023, is a special spin-off of Libreboot based on the 20230625 release, provided as a proof of concept; it shows what state the Libreboot project would likely be in, if it never adopted the new Binary Blob Reduction Policy. A lot of mainboards and documentation has been removed (censored), in this version, hence the name: Censored Libreboot. More information available here: https://censored.libreboot.org/censorship.html
You can find out about the current status of binary blobs, on the Freedom Status page. It describes how Libreboot policy is implemented, in great detail.
There are going to be two changelogs written in this page: one in reference to the recent Libreboot 20230625 release, showing what was removed (censored).
Then, after that, a separate changelog will be provided in this article, in reference to the Libreboot 20220710 release, while ignoring any changes since then that do not comply with the old Libreboot policy, which you can read here. In other words, this will be the censored changelog.
This release announcement is mirrored on the Censored Libreboot website, but heavily censored to reflect only the latter changelog, written as though Libreboot never changed its policies; in other words, it’s a view into a parallel universe, another reality. You can read that censored announcement here:
This release was build-tested on Debian Sid, as of 9 July 2023. Your mileage may vary, with other distros. Refer to Libreboot documentation.
FUN FACT: This includes building of ASUS KFSN4-DRE, KCMA-D8 and KGPE-D16 boards, which were re-added based on coreboot
4.11_branch. ROM images are provided for these boards, in this Libreboot release. The toolchain in this coreboot version would not build on modern Linux, so I spent time patching it. I want to use coreboot
4.11_branch to study code differences between the D8 and D16 boards, which are mostly otherwise identical code-wise, so that I can port KCMA-D8 to Dasharo, and then use that for D8/D16 in Libreboot. Dasharo is based on a much newer coreboot version, with many new fixes/features.
I won’t be adding this release’s D8/D16/DRE support to the
master branch of Libreboot, because coreboot
4.11_branch is horribly out of date; I will add these boards there, after I’ve integrated the Dasharo version of coreboot.
NOTE: this page lists code changes in Censored Libreboot. For website and documentation changes, please read the following document: https://censored.libreboot.org/censorship.html
You can actually view the changes yourself, in great detail, by looking at these special branches of
lbmk.git (build system) and
lbwww.git (Libreboot website files, markdown):
I’ve implemented this Censored Libreboot release, in these special branches. These changes are not (and will not be) merged in the
These mainboards are not supported in Censored Libreboot, and have been removed (regular Libreboot does support them):
All of the above mainboards have fully libre, zero-blob initialisation code available in coreboot, and that code is used by Libreboot. However, the flash is divided into regions (partitions), namely: IFD(config), GBE(config), ME(Intel ME firmware), BIOS(coreboot firmware).
The Ifd/GbE regions are not software, and their format is well-documented. Libreboot even includes utilities that can re-configure them!
The ME is configured via
me_cleaner, automatically by Libreboot’s build system, in such a way that the Intel ME initialises itself, and then does nothing. In other words, it is disabled. More information about all of this is explained in the Freedom Status page.
Here is an overview of the code changes in lbmk:
deblob-checkscript. (yes, it works on other code bases, besides Linux). This means that most mainboards no longer compile, in coreboot, and many u-boot targets no longer compile.
build/boot/roms: These scripts build ROM images. For zero-blob boards, in other words boards that do not require binary blobs, regular Libreboot inserts CPU microcode by default, but copies each ROM to produce a corresponding, parallel zero-blobs version without CPU microcode. This censored version of Libreboot modifies the script in the following way: since the coreboot and uboot download scripts remove blobs anyway, including CPU microcode, the default compiled ROMs exclude microcode. Therefore, this version simply removes that logic, because it’s not needed.
blobutil: Anything pertaining to blobutil has been removed. This includes
ME7 Update Parserand the like. It is not needed, in this version of Libreboot. Directories such as
resources/blobs/(containing code and config data) has been removed. In regular Libreboot, there are certain required binary blobs that we cannot legally distribute on certain mainboards, so
blobutilauto-downloads them from the vendor while compiling ROM images, then it processes them (if needed) and inserts them; the scripts that produce release archives will delete these blobs, for the release, and those same scripts can be re-run on release ROMs, to re-insert binary blobs. It is completely automated, removing any need for manual intervention by the user, thus saving hours of time in some cases. Blobutil snaps them up like that and everything Just Works. It does this for many different types of blobs, including: Intel ME, Intel MRC, HP KBC1126 EC firmware, VGA ROMs - you just run 1 command on 1 ROM (or an entire collection of ROMs) and it does it, automatically detecting what is needed for the given ROM image, per mainboard definition. Very easy to use. This highly innovative technology does not exist in Censored Libreboot.
blobutil, during the build process or post-release. This includes: Intel ME firmware, Intel MRC firmware, HP KBC1126 EC firmware and VGA option ROM for Nvidia GPU variant of Dell Latitude E6400.
lbmk: Code that executes
blobutilhas been removed.
build/release/src: correspondingly deleted files are no longer copied by these scripts (they are the scripts that generate tar archives for Libreboot releases, after everything is compiled). The
romsscript no longer bothers to scrub non-redistributable inserted binary blobs from certain ROM images, because 1) those corresponding mainboards are no longer supported anyway and 2) the logic for downloading/inserting those blobs no longer exists. So there’s nothing to do.
It’s not actually a lot of code that was removed. The actual diff that did this is very large, because it also removed the coreboot configs for the removed boards, and those configs are very large. The diff is about 40,000 deleted lines. Fourty thousand.
Libreboot 20220710 was the last regular Libreboot release to comply with the old Binary Blob Extermination Policy adhering to GNU FSDG ideology. Between then and now, there have been these releases of Libreboot that follow the new Binary Blob Reduction Policy: 20221214, 20230319, 20230413, 20230423 and 20230625.
However, the purpose of Censored Libreboot is to provide a glimpse of what Libreboot would be like, had it kept the old policy. The website for Censored Libreboot has its own version of this release announcement, with only this censored version of the changelog present. You can view that here:
The following changelogs cherry-pick only the old-policy-compliant changes from the above listed Libreboot release announcements:
These laptops would have been compatible with Libreboot, under the old policy, and they were added in recent regular releases of Libreboot:
This is not intended to be an exhaustive list. It is a high-level overview. For more details, you should always check the log in
All of these changes are present in regular Libreboot releases, but these are the changes from regular Libreboot that would have complied with the old Libreboot policy:
cros: Disable coreboot-related BL31 features. This fixes poweroff on gru chromebooks. Patch courtesy of Alper Nebi Yasak.
u-boot: Increase EFI variable buffer size. This fixes an error where Debian’s signed shim allocates too many EFI variables to fit in the space provided, breaking the boot process in Debian. Patch courtesy Alper Nebi Yasak
util/spkmodem-recv: New utility, forked from GNU’s implementation, then re-written to use OpenBSD style(9) programming style instead of the originally used GNU programming style, and it is uses OpenBSD
pledge()when compiled on OpenBSD. Generally much cleaner coding style, with better error handling than the original GNU version (it is forked from coreboot, who forked it from GNU GRUB, with few changes made). This is a receiving client for spkmodem, which is a method coreboot provides to get a serial console via pulses on the PC speaker.
extra.shdirectly from given coreboot tree. Unused by any boards, but could allow expanding upon patching capabilities in lbmk for specific mainboards, e.g. apply coreboot gerrit patches in a specific order that is not easy to otherwise guarantee in more generalised logic of the Libreboot build system.
util/e6400-flash-unlock: New utility, that disables flashing protections on Dell’s own BIOS firmware, for Dell Latitude E6400. This enables Libreboot installation without disassembling the machine (external flashing equipment is not required). Courtesy Nicholas Chin.
cbutils: New concept, which implements: build coreboot utilities like cbfstool and include the binaries in a directory inside lbmk, to be re-used. Previously, they would be compiled in-place within the coreboot build system, often re-compiled needlessly, and the checks for whether a given util are needed were very ad-hoc: now these checks are much more robust. Very centralised approach, per coreboot tree, rather than selectively compiling specific coreboot utilities, and makes the build system logic in Libreboot much cleaner.
gru_kevinchromebooks, U-Boot is used instead of Google’s own depthcharge bootloader. It has been heavily modified to avoid certain initialisation that is replaced by coreboot, in such a way that U-Boot is mainly used as a bootloader providing UEFI for compliant Linux distros and BSDs. Courtesy Alper Nebi Yasak.
sh(though, many dependencies still use GNU extensions, such as GNU Make, so this portability is not directly useful yet, but a stepping stone. Libreboot eventually wants to be buildable on non-GNU, non-Linux systems, e.g. BSD systems)
nvmutil- can randomise the MAC address on Intel GbE NICs, for systems that use an Intel Flash Descriptor
grub.cfgfiles on the HDD/SSD.
The number of changes are vast, too big to be readable on a release announcement. Again, I say: check log in
All of the following are believed to boot, but if you have any issues, please contact the Libreboot project. They are:
You can find this release on the downloads page. At the time of this announcement, some of the rsync mirrors may not have it yet, so please check another one if your favourite one doesn’t have it.
This censored version is in the directory named
censored, on Librbeoot rsync and https mirrors. For example:
tl;dr yes, I made this special release of Libreboot specifically so that I could crap all over it. Any project that tries (whether or not they succeed) to replicate the old Libreboot project (as illustrated by this special release of Libreboot) are doing themselves, and their users, a major disservice by providing completely inferior firmware, and mostly on very outdated hardware that normal people don’t want to use.
Ideological purity is all well and good, but you have to meet people where they’re at. If someone approaches you with hardware that can have certain proprietary code replaced (thus increasing software freedoms), they should be accomodated, and Libreboot’s mission is to do exactly that. We believe passionately in free software, and we want everyone to use it!
Coreboot is one of humanity’s greatest achievements. It should be respected, not shunned. All coreboot ports are valid, and Libreboot will eventually assimilate all of them.
Markdown file for this page: https://libreboot.org/news/censored-libreboot20230710.md
This HTML page was generated by the untitled static site generator.