
"Technically, Intel ME is still operational on this laptop. However, malicious features such as Intel AMT are removed using me_cleaner. For all intents and purposes, this laptop is very similar freedom-wise to a Libreboot laptop, but it is absolutely true that a Libreboot system is superior in terms of software freedom. However, if you’re willing to slightly compromise (neutered Intel ME, after running me_cleaner, is fairly benign and does barely anything), these laptops offer a huge performance improvement over Libreboot thinkpads.

Minifree runs me_cleaner which modifies the Intel ME up to the point where it is only active during the boot process, but otherwise disabled during normal operation. Only basic hardware initialization is still performed, but otherwise the Intel ME becomes benign from a security perspective, providing only basic power management. Coreboot is handling the vast majority of the hardware initialization and is 100% Free Software on this laptop.

Proprietary features such as AMT are no longer present or accessible after me_cleaner is used. The me_cleaner program removes all networking from the Intel ME, thus removing any security risks associated with Intel ME."



This is about Libre X230 laptop, whereas, e.g., their Libreboot T400 does not have any ME at all and is endorsed by the FSF as "Respects Your Freedom".


Yeah, there's something a bit ironic about a store with the tagline "GNU+Linux laptops with Libreboot preinstalled" putting a laptop without Libreboot at the front. I understand why, but at the same time, it feels ever so slightly disingenuous, since you can install coreboot/run me_cleaner on a pretty wide range of computers (e.g. Purism's laptops), while Libreboot can only run on a handful of late 2000s laptops.


Coreboot is actually 100% free software on Intel Sandy Bridge and Ivy Bridge laptops, such as the X230.

The Intel ME still performs minor power management functions and minimal init functions via the BUP (BringUp) module.

For all intents and purposes, osboot-preinstalled X230 is 99% as free as a Libreboot system, and I would argue that it is equally secure.

However, the Libreboot X200 is also sold on the website, and Libreboot is fully endorsed by the Free Software Foundation.


Unless new progress has been made that I'm not aware of, you need at least another blob besides the ME firmware (me.bin) to build a full coreboot image on the X230: there's the "Intel flash descriptor" (ifd.bin). I'm not sure if that contains executable code or if it can be generated similarly to the gbe.bin (ethernet controller config).


Yeah, but that's not software. It's configuration data, in a binary format that's well-documented. There is also a tool for managing it in coreboot, called ifdtool.

There is also the GbE NVM (non-volatile memory) region, which configures the onboard ethernet chipset.

These configure the hardware, and the format is fully documented by datasheets.


Thanks for the explanation. Do you know if it would be possible to fully create an ifd.bin knowing the specs of the mainboard? Basically the opposite of `ifdtool --dump`. I'm surprised because it seems to contain some pretty secretive options like the HAP bit.


Yeah it's possible to know the format by reading the Intel datasheets (sandybridge/ivybridge ones). Certain parts are "reserved" but have been reverse engineered like you see in ifdtool.

In Libreboot there is a tool that I wrote called ich9gen, which can entirely generate ICH9 ifd+gbe from scratch. This does not exist yet for Sandy/Ivy I think, but yes, there is that --dump option in ifdtool.

By the way:

bincfg is a nice tool in coreboot, and you can write a spec file for that, based on the Intel datasheet, to generate gbe/ifd images. I actually have this on my todo list, as I've been studying it. The datasheets are very confusing, especially for the GbE NVM region, making it look like it's not even documented, but it is, poorly.
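As an added example (not code from this thread, nor from coreboot, Libreboot or me_cleaner): a small reader in the spirit of `ifdtool --dump` that locates the descriptor, lists the five regions and reports the two ME-disable soft straps. The offsets it uses (signature at 0x10, FLMAP0/FLMAP1 at 0x14/0x18, FLREG0..4 at FRBA, PCHSTRP0 bit 16 as the HAP bit on ME 11+, PCHSTRP10 bit 7 as AltMeDisable on Sandy/Ivy Bridge) are how me_cleaner and ifdtool interpret the format and are assumptions to check against the PCH datasheet; the descriptor it parses is constructed inline, not dumped from a real board.

```python
import struct

IFD_SIGNATURE = 0x0FF0A55A  # descriptor marker, little-endian bytes 5A A5 F0 0F
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "Platform Data")


def parse_ifd(image: bytes) -> dict:
    """Return the region map and the two ME-disable straps me_cleaner toggles."""
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", image, 0x14)
    frba = (flmap0 >> 12) & 0xFF0   # flash region base address (FLREG0..4 live here)
    fpsba = (flmap1 >> 12) & 0xFF0  # PCH soft-strap base address
    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * idx)
        base = (flreg & 0x1FFF) << 12
        limit = ((flreg >> 4) & 0x1FFF000) | 0xFFF
        regions[name] = None if base > limit else (base, limit)  # base > limit: unused
    (pchstrp0,) = struct.unpack_from("<I", image, fpsba)
    (pchstrp10,) = struct.unpack_from("<I", image, fpsba + 0x28)
    return {
        "regions": regions,
        "hap_bit": bool(pchstrp0 & (1 << 16)),        # HAP strap, ME 11+ platforms
        "alt_me_disable": bool(pchstrp10 & (1 << 7)),  # AltMeDisable, ME <= 10 (Sandy/Ivy)
    }


def build_sample_descriptor(me_disabled: bool) -> bytes:
    """Constructed 4 KiB descriptor for the demo; not dumped from any real board."""
    img = bytearray(0x1000)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, 0x04 << 16)  # FLMAP0: FRBA = 0x40
    struct.pack_into("<I", img, 0x18, 0x10 << 16)  # FLMAP1: FPSBA = 0x100
    # descriptor, BIOS, ME, GbE, PDR (0x00000FFF marks an unused region)
    for idx, flreg in enumerate((0x00000000, 0x07FF0500, 0x04FF0003, 0x00020001, 0x00000FFF)):
        struct.pack_into("<I", img, 0x40 + 4 * idx, flreg)
    if me_disabled:
        struct.pack_into("<I", img, 0x100 + 0x28, 1 << 7)  # PCHSTRP10 bit 7, as me_cleaner sets it
    return bytes(img)


if __name__ == "__main__":
    info = parse_ifd(build_sample_descriptor(me_disabled=True))
    for name, span in info["regions"].items():
        print(f"{name:14} {'unused' if span is None else '0x%06x-0x%06x' % span}")
    print("AltMeDisable:", info["alt_me_disable"], " HAP:", info["hap_bit"])
```

Pointed at a descriptor read back from the chip, the same function is a quick way to confirm that the disable strap me_cleaner wrote is actually present in what got flashed.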


> I actually have this on my todo list, as I've been studying it. The datasheets are very confusing, especially for the GbE NVM region, making it look like it's not even documented, but it is, poorly.

That's very good news. I thank you for all the work you've done on this.


What's "disingenuous" about completely explaining the compromise being made, and what you get in return for that compromise?


It's not false advertising, there are no lies or outright deception. However, it feels disingenuous to me because there are lots of laptops out there that can either have coreboot flashed or you can run me_cleaner on, possibly laptops that people already own.

The store's branding overall and presentation leans hard on being 100% totally free, and once you deviate from that "absolutely totally free of proprietary" status your market options open up dramatically.

This is still a valuable service to some people. I didn't mean to come off so negative, but I also feel people who read the page wouldn't realize they have other market options that are "just as free" as the X230. The benefit of buying from this storefront is supporting Libreboot development and Leah Rowe.


However, those other companies that advertise neutered ME are shipping newer Intel platforms where actual x86 hardware initialization is handled by binary blobs (e.g. Intel FSP).

Sandybridge and Ivybridge platforms (e.g. X220/X230) in coreboot are all free software for the x86 part, and that's the majority of it. It's only the ME that isn't. With me_cleaner used, it's very close to Libreboot.

X230 used to be worse in coreboot; for instance, it previously had non-free raminit. Nowadays, it's all GPL code.


Indeed, perhaps they should divide their store into two sections: devices really respecting freedom, and devices with compromises.


The body not matching the headline is always a bit annoying. Think of all of those cable advertisements with an asterisk next to the primary claim.



