Open and secure computing

Latest update: Nov 2018

Introduction

When you think about computers, two levels always coexist: hardware and software. All software runs on top of hardware. Open and free software might well be better (refer to the comparison between open and closed source), and free and open-source solutions exist for both levels.

Pinetree

To minimize security risks, you should examine your whole chain of computing. Figure 1 provides a short overview of the hardware and software to look for if you are keen on following the "libre" philosophy.

Figure: pinetree of open computing

A brief explanation: hardware / firmware

At the very bottom, your computer runs a basic BIOS/UEFI that has been implemented by your OEM (original equipment manufacturer). This piece of software is called firmware, and it controls the specific hardware parts your computer consists of.

This BIOS (Basic Input/Output System) is proprietary firmware located on a special ROM chip. It runs after you switch your computer on. If you are interested in using free software, you should think about replacing that firmware first. Unfortunately, that is almost impossible for most of the mainboards out there, because the source code of this firmware is never available to anybody except the manufacturer itself. As a replacement you could use an implementation called "Coreboot" or "Libreboot". Some parts of your hardware simply won't function without small portions of proprietary code. Because of those limitations, only very few mainboards can run without any proprietary code at all, which is what Libreboot aims for.

Coreboot sacrifices some liberty, as it includes a minimal amount of proprietary code to make the bare minimum work. Because of this inclusion, more mainboards are supported and work with Coreboot. If Libreboot limits you too much (and yes, very little hardware really works with it), then you should give Coreboot a shot. In the end, the configuration tool that Coreboot uses lets you build a custom Coreboot image that includes only the parts you have selected.

A brief explanation: software / operating system

If you succeed in running your hardware without a proprietary BIOS/UEFI, you should consider using a free operating system as well, since you can't be sure what your operating system does if its source code is closed.

What is BIOS?

This is the Basic Input/Output System. It is (often) proprietary firmware located on a special ROM chip. It runs after you switch your computer on.

BIOS settings are saved in the CMOS chip on your mainboard.

The BIOS offers configuration options for memory, drives, clock speed, virtualization, power management, security, health services and boot order (amongst others).

What is UEFI?

UEFI stands for Unified Extensible Firmware Initiative. It is pretty much the same as a BIOS, just with a graphical interface instead of a text-based one, additional Ethernet support and some other extensions. It is also often proprietary firmware located on a special ROM chip (system on a chip) and runs after you switch your computer on.
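
To examine the firmware layer of your own chain on a running Linux system, the following script reports whether the machine was started through UEFI and which firmware vendor it announces. It is an added example, not part of the original page; the function names are hypothetical, and it assumes that Coreboot-based firmware announces itself as "coreboot" in the DMI vendor field.

```shell
#!/bin/sh
# Added example: inspect the firmware layer from a running Linux system.
# ROOT is normally empty (the real /sys); a constructed tree can be passed for testing.

read_dmi() {  # read_dmi ROOT FIELD -> field value, or "unknown" if absent/unreadable
    f="$1/sys/class/dmi/id/$2"
    if [ -r "$f" ]; then
        v=$(cat "$f")
        [ -n "$v" ] && { printf '%s' "$v"; return 0; }
    fi
    printf 'unknown'
}

boot_mode() {  # boot_mode ROOT -> "UEFI" or "BIOS/non-UEFI"
    # The kernel exposes /sys/firmware/efi only when it was started through UEFI.
    if [ -d "$1/sys/firmware/efi" ]; then
        printf 'UEFI'
    else
        printf 'BIOS/non-UEFI'
    fi
}

firmware_origin() {  # firmware_origin ROOT -> "coreboot" | "vendor" | "unknown"
    # Assumption: Coreboot-based builds put "coreboot" in the DMI BIOS vendor field.
    vendor=$(read_dmi "$1" bios_vendor)
    case $(printf '%s' "$vendor" | tr '[:upper:]' '[:lower:]') in
        unknown)    printf 'unknown' ;;
        *coreboot*) printf 'coreboot' ;;
        *)          printf 'vendor' ;;
    esac
}

firmware_report() {  # print a short summary of the firmware layer
    root="${1:-}"
    printf 'boot mode : %s\n' "$(boot_mode "$root")"
    printf 'vendor    : %s\n' "$(read_dmi "$root" bios_vendor)"
    printf 'version   : %s\n' "$(read_dmi "$root" bios_version)"
    printf 'date      : %s\n' "$(read_dmi "$root" bios_date)"
    printf 'origin    : %s\n' "$(firmware_origin "$root")"
}

firmware_report "${1:-}"
```

An origin of "vendor" means the OEM firmware described above is still in place; the version and date fields show how old that firmware image is.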