The importance of firmware updates is often underestimated. Most people do not even think about it, nor how essential free and open source software firmware would be to fix bugs and guarantee privacy. On Intel platforms there is the closed source/proprietary Intel ME which is a security issue as of many vulnerabilities. And lately the Meltdown/Spectre security issues affected almost all CPU’s and required firmware updates as well to fix issues via the microcode.
Open systems are very rare and most vendors try to hide the possibility of free and open source firmware plus software from potential customers. The very few exceptions are the following ones:
- Raptor Computing – Talos II and Blackbird provide together with the OpenPower CPU’s an almost fully open source firmware https://raptorcs.com/content/base/products.html
- Notebook + Mini-PC
- Purism (social purpose company) – Librem 13, 15 and Librem Mini are provided with a disabled Intel Management Engine (ME), coreboot, hardware kill switches, Linux-libre https://puri.sm/products
- Purism (social purpose company) – Librem 5 will be the first almost fully open mobile phone based with hardware kill switches for the cell modem and Linux-libre https://puri.sm/products/librem-5
Firmware is today everywhere, in every single device (more details are documented at https://libreboot.org/faq.html#what-other-firmware-exists-outside-of-libreboot). Examples:
- RAM (DDR4)
- USB controller
As firmware’s are everywhere and as almost always the sources are closed they are a very critical component and the only option to a user is to at least keep them updated so that the commonly known security holes are closed. The issue with proprietary firmware is that there is no option for the device owner to verify that there are no back-doors or if somebody provided/re-flashed a malicious firmware.
The free and open source software community is often not able to provide alternative solutions as firmware’s are extremely hard to replace without any documentation. Read more about the importance of free and open source software firmware here https://jxself.org/free-firmware.shtml.
Gladly there are great projects that do address these issues like:
- UEFI Bios replacements
- Coreboot and LibreCore (previously LibreBoot) => If coreboot is not available for the platform (as in most cases), LinuxBoot would be the only option without needing the help of a vendor.
- LinuxBoot (NERF)
- Heads project https://trmm.net/Heads
- OpenBMC (https://github.com/openbmc, https://www.openbmc.org) creates a firmware for a BMC chip that can remotely manage (start, reset) and monitor (temperatur, fans, hardware events) a complete server, it basically is a second Linux OS that runs even if the main OS is turned off or is not available.
- fwupd to update firmware in all devices even closed source ones if supported by the vendor, example are new notebooks of Dell where you can update the UEFI or some input devices.
- Purism and system76 are selling the Librem notebooks with coreboot preinstalled and they even remove Intel ME (and by this disabling the second CPU). Dell offers as well some devices with the Intel ME disabled.
Fwupd (license LGPL) can be installed on all computers as it allows you to update certain devices where the Vendor provided proprietary firmware automatically on Linux. A complete list of vendors supporting the LVFS can be found here https://fwupd.org/lvfs/vendorlist
In Arch Linux you can install fwupd with the following command:
pacman -Sy fwupd fwupdate
The following commands can be used to update the database, see the connected devices and to update them:
fwupdmgr get-devices fwupdmgr refresh fwupdmgr get-updates
ME_Cleaner (license GPLv3,https://github.com/corna/me_cleaner) is a tool to completely remove the Intel ME. On Arch Linux you can install the ME_Cleaner for Intel machines from AUR:
There are some guides how to work with ME_Cleaner, but depending from the system this can be quite experimental.
Flashrom (license GPLv2, https://www.flashrom.org) is a tool to flash, read and extract a BIOS, UEFI or Coreboot. For supported hardware, read https://www.flashrom.org/Supported_hardware. Flashrom gets support to flash Radeon GPU’s up until Polaris (https://www.phoronix.com/scan.php?page=news_item&px=Coreboot-Flashrom-Polaris)
- PSPtool (for AMD), PSP trace and avatar2 (details https://media.ccc.de/v/thms-38-dissecting-the-amd-platform-security-processor#t=1750)
UEFI Secure Boot
The UEFI secure Boot is usually a proprietary, closed blob and it limits which systems are allowed to boot (Linux systems must be signed by Microsoft) and it will limit as well which drivers are loaded. More details about UEFI secure boot can be found in the article https://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot.
UEFI Firmware Update
This section is to just name a few examples how hardware companies deal with firmware updates:
- Dell: UEFI updates are provided even for older systems. Exe file could be placed on /boot/EFI and system could be upgraded without the need to a USB drive. UEFI firmware updates provide a SHA256 checksum hash sum to verify the file before flashing. Some newer systems offer fwupd support. Dell sells some systems with Linux. Dell sell some systems with Intel ME disabled as an option.
- HP: UEFI updates provide no checksum. Some devices require Windows to do the update at least when using an older UEFI. HP provides no fwupd support, sells no Linux machines and doesn’t warn customers about Intel ME.
- ASRock: No checksum for firmware download, no fwupd support, Linux aware
- Asus: No checksum for firmware download, no fwupd support, Linux aware
- MSI: No checksum for firmware, no fwupd support, no Linux support
- Mainboards: No warning about Intel ME.
Closed source microcode updates are provided by the most Linux distributions for AMD and Intel automatically. Linux can show you the security mitigations that are in place for your CPU due to hardware and firmware bugs with these commands:
grep bugs /proc/cpuinfo | sort -u #
lscpu | grep "Vulnerability"
IBM offers with the OpenPOWER an open CPU and is the best option if you really care about free and open source software, user privacy and security. Raptor created an open platform (Mainboard, RAM, …) for it. For details read https://raptorcs.com/TALOSII. The source code is available here https://git.raptorcs.com/git. OpenPOWER platform is quite competitive and priced as other AMD and Intel workstation, but it is fully open compared to x86.
The firmware in AMD CPU’s is closed and they use a PSP (a so called Platform Security Processor) since Family 16H+ systems (started in 2013). The PSP itself is a separate ARM processor with TPM and DRM. The PSP has access to the total RAM and to the hardware. One advantage of the AMD PSP is that it theoretically allows encryption of the RAM and per virtual machine, practically you still need to trust the closed firmware. At least AMD did officially confirm that they consider supporting coreboot again, read https://www.golem.de/news/freie-firmware-amd-prueft-coreboot-support-fuer-ryzen-1703-126524.html. But the libreboot project is more negative about AMD, read the call to release sources https://libreboot.org/amd-libre.html and https://libreboot.org/faq.html#amd.
In the latest AMD AGESA updates it seems like it might be possible to disable AMD PSP, but the Mainboard vendor need to expose this option, read https://www.phoronix.com/scan.php?page=news_item&px=AMD-PSP-Disable-Option or https://www.reddit.com/r/linux/comments/7i7nni/amd_listened_to_us_and_added_a_psp_disable_option. Actual status might be for some board like Gigabytes need a modded bios, ASRock exposes the new option, no info on Asus, Biostar and MSI.
The PSP firmware is delivered with the UEFI bios update and stored inside of the bios chip. Ryzen does load more firmware then EPYC.
Intel is using Intel ME (Intel Management Engine) since 2006, it is completely closed. The Intel ME is a separate ARC processor and since Skylake a x86 Intel Quark (P54C.), it is running Minix as a OS. It is there for remote management and TPM and DRM. The Intel ME has access to the total RAM and to the hardware like the network module.
For more details regarding the vulnerabilities of the Intel ME read https://www.phoronix.com/scan.php?page=news_item&px=Intel-ME-Linux-Vuln-Checker. Example of a Intel ME security issue https://www.intel.com/content/www/us/en/support/articles/000025619/software.html.
There is a great talk about the 2 1/2 OS (UEFI on X86 CPU, SMM 16bit on X86 CPU, Intel ME on seperate CPU) that run on Intel systems: https://www.youtube.com/embed/iffTJ1vPCSo?wmode=transparent
Purism replaced in their Librem notebooks UEFI with coreboot and they additionally disabled the Intel ME to avoid back-doors and security flaws.
Dell is offering some laptops with Intel ME disabled, if available there is a option during customizing your new device called “Intel vPro — ME Inoperable, Custom Order”.
System76 is disabling the Intel ME on their notebooks by default. If you own one already then you will get automatically an update via their Ubuntu repository to disable it. But it needs to be criticized that System76 promotes Nvidia hardware with 100% proprietary firm- and software from a company that is hostile to Open Source, read https://www.phoronix.com/scan.php?page=news_item&px=NVIDIA-Contributions-2010s-Kern.
Arm depends often as well from unfree firmware. But as there are so many difference between vendors it is almost impossible to know which technology is in use and what is a non-free firmware blob. But most of the devices require a lot of firmware blobs. The worst thing about ARM is that it is a big mess in regards to firmware’s, drivers and and hardware capabilities. Compared to x86 it lacks a lot in regard to standardization.
ARM and Cell Modems
Worst case scenario are ARM devices combined with cell modem CPU’s, mostly used in mobile/smart phones or tablets. Besides all of the issues with the ARM platform they have a completely separate cell modem with its own CPU, hardware access and software. As the users carries the devices like a phone always with him, these devices are even more dangerous than the Intel ME. Even if you use Android on a ARM device without google services, the mobile network carrier can connect with the cell modem, request data, turn on the microphone, locate the phone and do suspicious activities that nobody can monitor. All this works even if the phone is turned off, the cell modem can work separately from the OS as long as the battery is connected (in most new mobiles you cannot remove the battery anymore). This cell modem sends regularly the IMEI and phone hardware id. As the cell modem answers all the cell towers the location is leaked as well.
Librem is developing the Librem 5 smartphone based on the iMX8 platform. They will provide kill switches to disable the microphone, camera and most importantly to disconnect and disable the cell modem.
Once there was an effort to implement a open source firmware for ATI graphic cards, which was later on locked down with some help of some member even from the open source community. For more details read https://www.phoronix.com/forums/forum/linux-graphics-x-org-drivers/open-source-amd-linux/885967-radv-a-community-open-source-effort-to-get-vulkan-working-on-radeon?p=886371#post886371.
Requires for the display controller and power management a firmware blob since Skylake/Boxtron, read https://www.phoronix.com/scan.php?page=news_item&px=Intel-SKL-BXT-Firmware-Blobs
For details regarding the SSD firmwares read https://wiki.archlinux.org/index.php/Solid_State_Drives#Firmware.
Western Digital will use instead of the proprietary ARM processors the open source RISC-V cores, read https://www.phoronix.com/scan.php?page=news_item&px=Western-Digital-SweRV. WD released the source of the 32bit RISC-V CPU here https://github.com/westerndigitalcorporation/swerv_eh1.
Coreboot (old name LinuxBIOS) is the main project. All ChromeBooks from Google use coreboot, it can be replaced with a normal coreboot build. LibreBoot (https://libreboot.org) removes all proprietary blobs for hardware, as such it is limited even more to very specific hardware, but as too many non technical discussions, LibreCore has been created (http://librecore.info).
Coreboot will provide for Linux a frame buffer device to reduce boot time by avoiding that Linux has to initiate a full graphic driver additionally to Coreboot, read https://www.phoronix.com/scan.php?page=news_item&px=New-Coreboot-FB-Linux-Driver.
LinuxBoot (https://www.linuxboot.org) is a new approach of the Linux Foundation to replace at least some parts of the UEFI/BIOS with a Linux boot process, they call it Linux as firmware, in parts it is originating from the Google NERF project. For more details read https://www.phoronix.com/scan.php?page=news_item&px=LinuxBoot-Announced.