256 lines
11 KiB
Markdown
256 lines
11 KiB
Markdown
---
|
|
title: Other coreboot distributions
|
|
x-toc-enable: true
|
|
...
|
|
|
|
Introduction
|
|
============
|
|
|
|
Canoeboot is a *coreboot distribution* or *coreboot distro*, in the same way
|
|
that Debian is a *Linux distro*. Its purpose is to provide free/opensource boot
|
|
firmware, replacing proprietary BIOS/UEFI firmware, and it
|
|
supports [many machines](docs/install/#which-systems-are-supported-by-canoeboot).
|
|
|
|
It is a coreboot distro precisely because of its [design](docs/maintain/).
|
|
Canoeboot's build system automatically downloads, patches and builds all the
|
|
various upstream sources such as coreboot, GRUB, SeaBIOS, U-Boot and so on.
|
|
This automation is used to provide [binary releases](download.md), which the
|
|
user can [easily install](docs/install/). Coreboot is notoriously difficult
|
|
to configure and install, for most people, and you need a high degree of
|
|
technical skill to use it; distros like Canoeboot bridge this gap, making
|
|
coreboot accessible to non-technical users.
|
|
|
|
Coreboot is highly flexible for many configurations. It is quite possible build
|
|
to [your own coreboot image](https://doc.coreboot.org/getting_started/index.html)
|
|
but most non-technical users should probably use a coreboot distro.
|
|
|
|
It's thanks to the various coreboot distros that many people use coreboot today;
|
|
without them, many otherwise non-technical users might not use coreboot at all.
|
|
|
|
Why list other distros?
|
|
-----------------------
|
|
|
|
Over the years, several other coreboot distros have come and gone. It has been
|
|
decided that this page will be written, to document some of them. Not every
|
|
distro is listed; only those of high quality, or otherwise of interest, will
|
|
be listed. Quality over quantity.
|
|
|
|
Canoeboot tries to support as much hardware as possible, and focuses on providing
|
|
the easiest possible experience for non-technical users; it's also
|
|
highly [configurable](docs/maintain/) for power users.
|
|
Several other projects exist that target different kinds of users, and support
|
|
different types of hardware; for example, Canoeboot mostly doesn't target
|
|
Chromebooks, except for a few.
|
|
|
|
Canoeboot's main priority is to provide users with free/opensource boot
|
|
firmware, to help more users achieve a higher level
|
|
of [software freedom](https://writefreesoftware.org/learn).
|
|
|
|
Well, Canoeboot is great but it may be that Canoeeboot isn't for
|
|
you; these other projects may support features and mainboards that Canoeboot
|
|
doesn't, that you may find preferable.
|
|
|
|
We in the Canoeboot project greatly admire and respect the other distros, and
|
|
will gladly work with them.
|
|
|
|
Without further ado,
|
|
|
|
List of coreboot distros
|
|
========================
|
|
|
|
In alphabetical order:
|
|
|
|
Chultrabook
|
|
-----------
|
|
|
|
Website: <https://docs.chrultrabook.com/>
|
|
|
|
Git repositories: <https://github.com/chrultrabook>
|
|
|
|
Provides a tailored EDK2(UEFI) payload on supported *Chromebooks*. You can use
|
|
this to replace ChromeOS with a regular Linux distro or BSD system - even
|
|
Windows - if you wish.
|
|
|
|
The benefit of using *Chultrabook* is that it provides up to date EDK2, unlike
|
|
proprietary vendors who often provide old, CVE-ridden versions of EDK2 forks
|
|
such as InsydeH2O.
|
|
|
|
With Chultrabook's guidance, you can have a completely up to date UEFI firmware
|
|
on your machine, and get good use out of your Chromebook for many more years,
|
|
with regular security updates.
|
|
|
|
One of Chultrabook's maintainers, Elly, did this talk at 37C3 conference,
|
|
demonstrating Chultrabook:
|
|
<https://www.youtube.com/watch?v=7HFIQi835wY> - and also did this more general
|
|
talk about coreboot at 38C3: <https://www.youtube.com/watch?v=LD9tOcf4OkA>. It's
|
|
very good reference material if you want to know more about coreboot, and
|
|
coreboot distros more generally.
|
|
|
|
Elly also did this interview with Brodie Robertson, about coreboot, and
|
|
explains the concept of a coreboot distro in more detail in one part of
|
|
the interview:
|
|
<https://www.youtube.com/watch?v=4Am_1MzJ6ZA>
|
|
|
|
Dasharo
|
|
-------
|
|
|
|
Website: <https://docs.dasharo.com/>
|
|
|
|
Git repositories: <https://github.com/dasharo>
|
|
|
|
Supports many machines, with a choice of EDK2(UEFI) or Heads(Linuxboot)
|
|
payload in the flash. Some older machines may provide a SeaBIOS payload
|
|
instead. A lot of work that goes into the upstream coreboot project came
|
|
from the Dasharo developers.
|
|
|
|
Dasharo provides their own fork of coreboot, with a specific tree *per board*.
|
|
Several coreboot ports (e.g. MSI Z690-A PRO) were implemented directly by
|
|
the Dasharo project, and later upstreamed into the regular coreboot project.
|
|
|
|
Dasharo has a special emphasis on commercial application, providing tailored
|
|
coreboot images for each supported mainboard, with an emphasis on stability.
|
|
|
|
Heads
|
|
-----
|
|
|
|
Website: <https://osresearch.net/>
|
|
|
|
Git repositories: <https://github.com/linuxboot/heads>
|
|
|
|
Heads provides a LinuxBoot payload using U-Root, and has many advanced features
|
|
such as TPM-based MeasuredBoot. With combined use of a FIDO key, you can easily
|
|
and more reliably determine whether you boot firmware has been tampered with.
|
|
|
|
The Linux-based payload in flash uses kexec to boot another Linux kernel. It
|
|
provides an easy to use boot menu, highly configurable and supports many
|
|
Linux distros easily.
|
|
|
|
If you're the sort of person who needs full disk encryption and you have a
|
|
focus on security, Heads is for you. Perfect for use with something like Qubes.
|
|
|
|
Another focus of the heads project is on *reproducible builds*. Its build
|
|
system bootstraps a toolchain that then compiles everything else, including
|
|
the coreboot crossgcc toolchain. The purpose of this is to provide matching
|
|
ROM hashes on every build; for this purpose, it also auto-downloads vendor
|
|
files such as Intel ME at build time, instead of requiring you to dump from
|
|
the original boot firmware.
|
|
|
|
Libreboot
|
|
---------
|
|
|
|
Website: <https://libreboot.org/>
|
|
|
|
Git repositories: <https://libreboot.org/git.html>
|
|
|
|
Libreboot was the *first* coreboot distro ever, starting in December 2013.
|
|
|
|
Canoeboot is a *special fork* of Libreboot; both Canoeboot and Libreboot are
|
|
maintained in parallel by the same developer, Leah Rowe. Canoeboot supports
|
|
far less hardware than Libreboot, but provides a *pure* free software coreboot
|
|
distribution, due to its [blob extermination policy](news/policy.md). As
|
|
a result of Canoeboot's policy, it currently only supports very old hardware.
|
|
|
|
It otherwise has the exact same design as Libreboot, and is kept in relative
|
|
sync [at all times](about.html), often doing releases side by side on the same
|
|
days as Libreboot.
|
|
|
|
*Libreboot* supports more hardware than Canoeboot, due to its more
|
|
pragmatic [Binary Blob Reduction Policy](https://libreboot.org/news/policy.html)
|
|
adopted on 17 November 2022; Canoeboot is a continuation of Libreboot from prior
|
|
to this, since Libreboot initially used the same dogmatic policy as Canoeboot.
|
|
A small minority of users demanded it post-November 2022, so Canoeboot was born.
|
|
|
|
If you're an absolute Free Software fanatic, Canoeboot is for you. Otherwise,
|
|
if you want to use much newer hardware, Libreboot is a worthy choice. Since
|
|
Canoeboot only supports much older hardware, and uses Libreboot's *old* policy,
|
|
you could consider Canoeboot to be *legacy Libreboot*. Libreboot adopted the
|
|
Binary Blob Reduction Policy in November 2022, as part of a general desire to
|
|
support more - and newer - hardware.
|
|
|
|
Libreboot also [includes CPU microcode updates
|
|
by default](news/policy.md#more-detailed-insight-about-microcode), on any given
|
|
x86 machine that both Canoeboot and Libreboot support; these updates improve
|
|
system stability and fix security issues. It is for *this* reason that all users
|
|
are in fact advised to use *Libreboot*, not Canoeboot. Canoeboot is meant only
|
|
as a proof of concept, and/or for purists who absolutely wish to have the purest
|
|
free software experience possible, regardless of these facts.
|
|
|
|
MrChromeBox
|
|
-----------
|
|
|
|
Website: <https://docs.mrchromebox.tech/>
|
|
|
|
Git repositories: <https://github.com/MrChromebox/>
|
|
|
|
Provides a tailored EDK2(UEFI) payload on supported *Chromebooks*. You can use
|
|
this to replace ChromeOS with a regular Linux distro or BSD system - even
|
|
Windows - if you wish.
|
|
|
|
The benefit of using *MrChromebox* is that it provides up to date EDK2, unlike
|
|
proprietary vendors who often provide old, CVE-ridden versions of EDK2 forks
|
|
such as InsydeH2O.
|
|
|
|
With MrChromebox's guidance, you can have a completely up to date UEFI firmware
|
|
on your machine, and get good use out of your Chromebook for many more years,
|
|
with regular security updates.
|
|
|
|
Ownerboot
|
|
---------
|
|
|
|
Git repository: <https://codeberg.org/amjoseph/ownerboot>
|
|
|
|
Ownerboot is an interesting one; it uses the Nix package manager to compile
|
|
coreboot images, with a Linux-based payload on supported x86 and ARM64
|
|
devices. Similar conceptually to Heads, but with a *much* cleaner build system
|
|
design.
|
|
|
|
It comes with the LVM2 and cryptsetup sources included in builds by default, so
|
|
it can easily be used to create a fully encrypted system, much like Canoeboot's
|
|
own [hardened GRUB](docs/gnulinux/grub_hardening.md) setup.
|
|
|
|
Since it uses Nix, reproducible builds are quite feasible and this is one of
|
|
the project's primary goals. Interestingly enough, it also supports both the
|
|
gru kevin chromebook and the ASUS KGPE-D16 boards, which Canoeboot supports but
|
|
Canoeboot uses U-Boot and a combination of SeaBIOS/GRUB, respectively, on these
|
|
boards.
|
|
|
|
Ownerboot's build system can also cross compile everything, so it's quite
|
|
portable across various host CPUs. It also extends coreboot's normal/fallback
|
|
payload scheme. See: <https://codeberg.org/amjoseph/ownerboot/src/branch/master/doc/fallback.md>
|
|
|
|
All of this combined makes for a highly configurable boot setup, and the Linux
|
|
payload in flash (using kexec to boot another kernel) is highly flexible,
|
|
offering many opportunities for security hardening (like Heads).
|
|
|
|
Skulls
|
|
------
|
|
|
|
Git repositories: <https://github.com/merge/skulls>
|
|
|
|
Skulls provides simple coreboot images with SeaBIOS payload, on a handful of
|
|
Thinkpads. Libreboot *also* provides similar SeaBIOS configurations, on all
|
|
of the same machines, but Libreboot's design does mean that there are a few
|
|
additional steps for installation.
|
|
|
|
If you just want the simplest, most barebones setup, Skulls is a great choice.
|
|
|
|
Libreboot *also* provides U-Boot and GRUB, and has other ambitions. Libreboot
|
|
aims to provide ease of use while also providing great power and flexibility.
|
|
So Libreboot is aimed specifically at power users, while also trying to
|
|
accomodate non-technical users; Skulls largely targets the latter.
|
|
|
|
System76 Open Firmware
|
|
----------------------
|
|
|
|
Git repository: <https://github.com/system76/firmware-open>
|
|
|
|
Other repositories e.g. EC firmware: <https://github.com/system76>
|
|
|
|
System76 provides their own special coreboot fork, that they tailor for
|
|
specific machines that they sell; they also provide free EC firmware. Jeremy
|
|
Soller of System76 maintains this firmware, and the work is regularly
|
|
upstreamed into the regular coreboot project.
|
|
|
|
System76 provides the coreboot firmware, along with EDK2 UEFI payload. It can
|
|
boot Linux distros, BSD systems and even Windows perfectly.
|