{{Header}}
{{title|title=
Open Source Hardware
}}
{{#seo:
|description=Establishing Hardware Trust, Open-source Hardware Alternatives
|image=Opensourcehardware.png
}}
{{boot_firmware}}
[[File:Opensourcehardware.png|200px|thumb]]
{{intro|
Establishing Hardware Trust, Open-source Hardware Alternatives
}}
= Introduction =
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = This chapter contains general security advice and is unspecific to {{project_name_long}}. Readers interested in this topic should undertake significant research before purchasing any open-source hardware. It is also recommended to learn more about [https://www.gnu.org/philosophy/free-hardware-designs.en.html free hardware designs].
}}
= Hardware Trust in Modern Computing =
Security researcher and Qubes founder, Joanna Rutkowska, has noted that modern computing and networking security relies upon a critical foundation - trusted hardware and firmware domains. Even high-security operating systems have a security upper bound, since that is defined by the trustworthiness of hardware components that are ideally placed to compromise the entire system if bugs or backdoors are present: [
https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
]
... for years we have been, similarly, assuming the underlying hardware, together with all the firmware that runs on it, such as the BIOS/UEFI and the SMM, GPU/NIC/SATA/HDD/EC firmware, etc., is all... trusted.
But isn’t that a rational assumption, after all?
Well, not quite: today we know it is rather unwise to assume all hardware and firmware is trusted. Various research from the last ten years, as discussed below, has provided enough evidence for that, in the author’s opinion. We should thus revisit this assumption. And given what’s at stake, the sooner we do this, the better.
Rutkowska has concluded the following hardware components and mechanisms are all vulnerable to exploitation and often flawed in their implementation, making them easy to "backdoor":
* x86 boot security (BIOS implementation).
* Vt-d (CPU-enforced sandboxing of networking).
* Graphics cards (GPUs) and sub-systems.
* USB controllers.
* Disk controllers (SATA etc.).
* Embedded controllers (for keyboard operation, battery charging etc.).
* Audio cards.
* Peripheral devices.
* Intel Management Engine (ME) and AMD Security Processor (embedded microcontrollers).
* Built-in speakers, microphones and cameras.
This is particularly true for privileged, out-of-band hardware components like Intel ME's AMT which can read or write any of the host computer's memory, without any constraints - the perfect, undetectable rootkiting infrastructure. [
AMD-based x86 platforms have analogous hardware mechanisms to Intel, so they are not theoretically safer.
]
= Open Source BIOS and Firmware Security Impact =
Quote {{project_name_short}} developer Patrick Schleizer [
A login requirement was enabled by Qubes forum after this was posted. (Not specifically because of this forum thread but because of the sub forum in which it resides.
Link: https://forum.qubes-os.org/t/intel-vs-arm-vs-power-vs-risc-v-architecture-freedom-perspective/14172/11
]:
{{quotation
|quote=Hardware is solidified software.
}}
{{quotation
|quote=Attempts on getting BIOS, Intel ME, AMD PSP are awesome, an important step but all just scratching the surface. The following video elaborates on that.
Disclaimer: I didn’t look much into RISC-V. This isn’t an endorsement / non-endorsement of RISC-V. That video isn’t much of a RISC-V promotion. The video is chosen as an example because it nicely elaborates on the extremely difficulty of having hardware that is secure, reasonable certain free of backdoors, Open Hardware, and whatnot.
{{VideoLink
|videoid=zXwy65d_tu8
|text=Wednesday 11 00am Keynote Address Impedance Matching Expectations Between RISC V and the Open Har
}}
}}
{{quotation
|quote=Freedom? Security? The hardware is proprietary. In simplified terms, there is no meaningful distinction between hardware and security from a freedom and security perspective. Maybe the term “hardware acceleration” easily illustrates that. Hardware in a sense is solidified software. Hardware is for a large part just a different representation of software. What’s software? One level to look at it, it’s just zero’s and one’s on some storage medium. What hardware does is has concepts how to process incoming data / electricity burnt, solidified into silicon.
You need a complex program to write a complex blueprint which then creates other complex files which then are used by complex machines which then create the actual hardware. At each step, a backdoor could be introduced.
}}
See also this presentation {{VideoLink
|videoid=Hzb37RyagCQ
|text=36C3 - Open Source is Insufficient to Solve Trust Problems in Hardware
}} by Andrew "bunnie" Huang or {{VideoLink
|videoid=RqQhWitJ1As
|text=BlueHat IL 2019 - Andrew "bunnie" Huang - Supply Chain Security: "If I were a Nation State...”
}}.
A CPU is not just a dumb piece of hardware that can do basic calculations at high speed. Modern CPU from Intel / AMD have many "software alike" features built-in. To name a few of a plethora of examples:
* [https://en.m.wikipedia.org/wiki/Hardware_acceleration hardware acceleration]
* Hardware accelerated AES encryption, the [https://en.wikipedia.org/wiki/AES_instruction_set AES instruction set]. Historically AES encryption was implemented as software. Nowadays implementations of AES are implemented as hardware.
* [https://en.wikipedia.org/wiki/Hardware_virtualization Hardware virtualization] such as [https://en.wikipedia.org/wiki/X86_virtualization#Intel-VT-x Intel VT-x] or [https://en.wikipedia.org/wiki/X86_virtualization#AMD_virtualization_(AMD-V) AMD-V] are complex CPU instructions directly built into the CPU.
* [https://en.wikipedia.org/wiki/RDRAND RDRAND], quote Wikipedia "is an instruction for returning random numbers from an Intel on-chip hardware random number generator which has been seeded by an on-chip entropy source."
* [https://en.m.wikipedia.org/wiki/VHDL VHDL] (VHSIC Hardware Description Language) is a hardware description language.
* [https://en.wikipedia.org/wiki/EFuse EFuse] to allow for the dynamic real-time reprogramming of chips.
* [https://en.wikipedia.org/wiki/Spectre_(security_vulnerability) Spectre (security vulnerability)], quote Wikipedia "Spectre is one of the two original transient execution CPU vulnerabilities (the other being Meltdown), which involve microarchitectural side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation.[1][2][3] On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers."
See also these blog posts by Joanna Rutkowska, security researcher and founder of Qubes OS:
* [https://theinvisiblethings.blogspot.com/2009/03/trusting-hardware.html Trusting Hardware]
* [https://blog.invisiblethings.org/2009/06/01/more-thoughts-on-cpu-backdoors.html More Thoughts on CPU backdoors]
As well as these:
* {{VideoLink
|videoid=KrksBdWcZgQ&t=40s
|text=Breaking the x86 Instruction Set
}}
* [https://www.tomshardware.com/pc-components/cpus/30-year-old-pentium-fdiv-bug-tracked-down-in-the-silicon-ken-shirriff-takes-the-microscope-to-intels-first-ever-recall Tom's Hardware: 30-year-old Pentium FDIV bug tracked down in the silicon — Ken Shirriff takes the microscope to Intel's first-ever recall]
** The blog post by the author [https://www.righto.com/2024/11/antenna-diodes-in-pentium-processor.html Antenna diodes in the Pentium processor] manages to pinpoint a software bug from the physical world.
For a video showing that hardware based encryption (in a different context) can be vulnerable, see this computer chaos club (CCC) talk {{VideoLink
|videoid=C5hLTk5MyGU
|text=35C3 - Self-encrypting deception
}}.
{{quotation|
|quote=From my personal perspective, in terms of threats customers already need to trust AMD with manufacturing something as complex as a CPU without introducing bugs (let alone backdoors). "Cleaning" one small piece of this complex system (i.e. the PSP's firmware) would be a drop in the ocean.
|context=Security researcher [https://www.user.tu-berlin.de/cwerling/ Christian Werling] in [https://github.com/PSPReverse/PSPTool/issues/54 Question, regarding psp]
}}
Can modern hardware be audited? For the most part, no. Security researchers can investigate and sometimes discover hardware security vulnerabilities such as Spectre and Meltdown. Occasionally, a significant vulnerability is uncovered, akin to finding a needle in a haystack. However, it is generally not feasible to audit the entirety of modern hardware comprehensively.
{{quotation
|quote=it is a completely opaque construction. We absolutely no way to examine what's inside.
|context=Joanna Rutkowska, security researcher and founder of Qubes OS, at timestamp 7:40, [https://www.youtube.com/watch?v=rcwngbUrZNg Joanna Rutkowska: Towards (reasonably) trustworthy x86 laptops]
}}
Can one hardware producer audit another? No.
{{quotation
|quote=Some people believe that processor backdoors do not exist in reality, because if they did, the competing CPU makers would be able to find them in each others' products, and later would likely cause a "leak" to the public about such backdoors (think: Black PR). Here people make an assumption that AMD or Intel is technically capable of reversing each others processors, which seems to be a natural consequence of them being able to produce them.
I don't think I fully agree with such an assumption though. Just the fact that you are capable of designing and producing a CPU, doesn't mean you can also reverse engineer it. Just the fact that Adobe can write a few hundred megabyte application, doesn't mean they are automatically capable of also reverse engineering similar applications of that size. Even if we assumed that it is technically feasible to use some electron microscope to scan and map all the electronic elements from the processor, there is still a problem of interpreting of how all those hundreds of millions of transistors actually work.
|context=Joanna Rutkowska, security researcher and founder of Qubes OS, [https://blog.invisiblethings.org/2009/06/01/more-thoughts-on-cpu-backdoors.html More Thoughts on CPU backdoors]
}}
See also:
* https://danluu.com/cpu-backdoors/
* https://redmine.replicant.us/projects/replicant/wiki/SamsungGalaxyBackdoor
* https://www.youtube.com/watch?v=_eSAF_qT_FY
* https://i.blackhat.com/us-18/Thu-August-9/us-18-Domas-God-Mode-Unlocked-Hardware-Backdoors-In-x86-CPUs-wp.pdf
* https://www.cl.cam.ac.uk/~sps32/ches2012-backdoor.pdf
* https://www.cl.cam.ac.uk/~sps32/sec_news.html
related:
* {{VideoLink
|videoid=36myc8wQhLo
|text=USENIX ATC '21/OSDI '21 Joint Keynote Address-It's Time for Operating Systems to Rediscover Hardware
}}
* {{VideoLink
|videoid=vaGZapAGvwM
|text=I built my own computer. by hand.
}}
= Requirements for Trustworthy Hardware =
'''1.''' Open Source Blueprints
'''2.''' Blueprints Auditing
'''3.''' Fabrication Auditing
{{quotation
|quote=Unfortunately there is nothing that could stop a processor vendor to provide its customers with a different blueprints than those that are used to actually "burn" the processors. So, the additional requirement would be needed that they also allow to audit their manufacturing process.
|context=Joanna Rutkowska, security researcher and founder of Qubes OS, [https://theinvisiblethings.blogspot.com/2009/03/trusting-hardware.html Trusting Hardware]
}}
{{quotation
|quote=
Some people believe that processor backdoors do not exist in reality, because if they did, the competing CPU makers would be able to find them in each others' products, and later would likely cause a "leak" to the public about such backdoors (think: Black PR). Here people make an assumption that AMD or Intel is technically capable of reversing each others processors, which seems to be a natural consequence of them being able to produce them.
I don't think I fully agree with such an assumption though. Just the fact that you are capable of designing and producing a CPU, doesn't mean you can also reverse engineer it. Just the fact that Adobe can write a few hundred megabyte application, doesn't mean they are automatically capable of also reverse engineering similar applications of that size. Even if we assumed that it is technically feasible to use some electron microscope to scan and map all the electronic elements from the processor, there is still a problem of interpreting of how all those hundreds of millions of transistors actually work.
|context=Joanna Rutkowska, security researcher and founder of Qubes OS, [https://blog.invisiblethings.org/2009/06/01/more-thoughts-on-cpu-backdoors.html More Thoughts on CPU backdoors]
}}
For a deeper understanding of how modern processors are produced and function, it is recommended to watch videos on the subject. These videos provide insightful information on the complexities and intricacies involved in processor production.
* {{VideoLink
|videoid=2kJDTzFtUr4
|text=How ASML, TSMC And Intel Dominate The Chip Market | CNBC Marathon
}}
* {{VideoLink
|videoid=GU87SH5e0eI
|text=Secretive Giant TSMC’s $100 Billion Plan To Fix The Chip Shortage
}}
* {{VideoLink
|videoid=cNN_tTXABUA
|text=How a CPU Works
}}
A processor producer may not have the capability to audit their own processors. CPUs are produced using lithography, with the producer of lithography equipment (ASML) relying on components from various vendors. This results in a complex, not publicly documented supply chain. No single company possesses all the knowledge or machinery required. In a chain of complex machines used to build other complex machines, a backdoor could be introduced at any stage of the fabrication process.
Processors are "burnt" in layers, and once these layers are established, they cannot be reversed without destroying the processor. Current technology for non-destructive disassembly of modern processors does not exist. Even the [https://en.wikipedia.org/wiki/I386 Intel I386 (80386)], with "only" 275,000 transistors and released in 1985, cannot be disassembled, audited, reassembled, or modified. Modern CPUs, like the Intel i7, are much more complex and can contain over 1 billion transistors.
'''4.''' Secure shipping.
= Open-source Hardware Alternatives =
People who are motivated to avoid proprietary hardware solutions are in a bind. There are few options available that are truly "free" (as in freedom), affordable, and which provide suitable processing power to run "secure" operating systems like [[Qubes|{{q_project_name_long}}]], because specific hardware requirements like VT-d and VT-x are necessary for compatibility with future software releases.
Open-source hardware is also not perfectly secure since it is not "stateless". Meeting this standard requires there be no persistent storage at all. [
https://www.wired.com/2015/03/richard-stallman-how-to-make-hardware-designs-free/
] [
https://www.wired.com/2015/03/need-free-digital-hardware-designs/
]
== ARM-based Platforms ==
ARM architecture dominates smartphone and tablet markets, providing a good level of performance. However, an open-source "ARM processor" is non-existent, because only the specifications and other intellectual property (IP) are released to manufacturers under specific licenses. This leads to NVIDIA, Samsung and others combining the ARM IP with their own, leading to the actual, customized processors called System-on-Chips (SoCs). [
https://lowrisc.org/about/
] [
https://en.wikipedia.org/wiki/OpenPOWER_Foundation
] [Primarily the Power8 chip technology, but previous designs will also be available for licensing.
] The initiative will also include open-source software, firmware, the KVM hypervisor, and a little-endian Linux operating system. [
Firmware to boot Linux was released in 2014.
] OpenPOWER code can be found on [https://github.com/open-power GitHub].
News:
* [https://www.devever.net/~hl/omi In the future, even your RAM will have firmware; and the subject of POWER10 blobs 2]
* https://forums.whonix.org/t/free-bios-hardware-that-support-all-your-needs/6411/13
= Hardware Purchase Considerations =
Check [https://ryf.fsf.org/ this list] from the FSF, as they are certified "RYF" (Respects Your Freedom hardware product certification).
The Free Software Foundation (FSF) makes a number of relevant recommendations: [
https://www.fsf.org/resources/hw
]
* Find devices which support fully free distributions of GNU/Linux.
* Purchase hardware:
** From manufacturers who support GNU/Linux.
** Which supports coreboot/libreboot as a proprietary BIOS replacement.
** Without the need for proprietary drivers or firmware; see [https://h-node.org/ h-node.org].
* Check the [https://ryf.fsf.org/about/criteria/ FSF criteria] for hardware certification requirements.
* If looking for a single-board computer (SBC), check the [https://www.fsf.org/resources/hw/single-board-computers list] of available (flawed) hardware. [
None of these options are completely free in their design.
]
* Check the list of [https://coreboot.org/status/board-status.html motherboards] that are compatible with coreboot. [
Some motherboards still require proprietary CPU microcode.
]
A list of suppliers selling or providing [https://libreboot.org/ Libreboot] pre-installed on laptops, desktops, servers and motherboards can be found [https://minifree.org/ here]. Readers interested in purchasing hardware with Coreboot pre-installed can start their search [https://www.coreboot.org/users.html here].
= Open Hardware Alternatives =
== RISC-V ==
Based on the preceding information and links, those seeking an open-source solution need to make a compromise. Since an Open Source LowRISC processor based on the RISC-V ISA -- which can support a fully-fledged operating system -- does not yet exist, [
The [https://lowrisc.org/docs/current-release-faq/ LowRISC FAQ] notes the rough processor speed that is expected:
]
The clock rate achieved will depend on the technology node and particular process selected. As a rough guide we would expect ~0.5-1GHz at 40nm and ~1.0-1.5GHz at 28nm.
some open source
some not
Not yet compatible with Qubes OS. (October 2024)
RISC-V isn't that far behind...
https://deepcomputing.io/product/dc-roma-risc-v-laptop-ii/
https://youtube.com/watch?v=3mhd98AGNXQ
Performance is being shown in the video. It's usable.
== single-board computers - SBCs ==
the closest thing available is [https://www.fsf.org/resources/hw/single-board-computers single-board computers (SBCs)], which are delivered as one circuit board that are powerful enough to run a real operating system.
These systems generally contain a SoC with an ARM processor, with options like
* [https://spectrum.ieee.org/novena-a-laptop-with-no-secrets Novena] ([https://www.crowdsupply.com/sutajio-kosagi/novena/updates/novena-five-year-anniversary EOL (end of life)]), and
* [https://eu.mouser.com/new/pandaboardorg/pandaboardES/ PandaBoardES] falling into this category.
However, they still have a number of closed-source binary blobs and the FSF also notes "severe flaws" in these products due to proprietary design concerns.
{{quotation
|quote=
The Pandaboard has another serious flaw: a WiFi and Bluetooth chip that can't work without nonfree software. The workaround is to get an external USB device for these functions, if you want them. See the documentation of your board for information about using these USB devices with it.
|context=[https://www.fsf.org/resources/hw/single-board-computers single-board computers (SBCs)]
}}
Running tier 1 Linux distributions is often difficult or impossible. See [[Dev/boot#ARM|Dev/boot wiki page chapter ARM]].
== Security-Focused Hardware Vendors ==
There isn't a well defined definition of the "Security-Focused Hardware Vendors" term yet. Potential criteria:
* Intel ME disabled using HAP method
* Freedom Software based firmware
* blob free (no non-freedom firmware required and no non-freedom device drivers required)
* open hardware design
Some hardware producers seek to remove as many proprietary blobs as possible, for example by using the Freedom Software coreboot in place of the standard closed source BIOS or EFI implementation.
* in no particular order
* no recommendation by Kicksecure yet
* the user must carefully review each vendor and device on its own
* this list cannot guarantee that all devices are free from Intel ME and come with Open Source firmware such as coreboot
* https://system76.com/
* https://puri.sm/
* https://shop.nitrokey.com
* https://novacustom.com
* https://se.starlabs.systems
* https://insurgo.ca
* https://www.tuxedocomputers.com
** https://www.tuxedocomputers.com/en/Infos/News/TUXEDO-disables-Intels-Management-Engine.tuxedo
** https://www.tuxedocomputers.com/en/Infos/Help-Support/Frequently-asked-questions/Coreboot-on-TUXEDO-Computers-devices.tuxedo
** https://docs.dasharo.com/variants/tuxedo_ibs15/releases/
* https://3mdeb.com/open-source-hardware/
* https://shop.vikings.net/
* https://www.thinkpenguin.com/
* https://tehnoetic.com/
* https://minifree.org/
** Does not mention HAP (High Assurance Platform) Intel ME disablement method.
TODO: Unfortunately, this solution is expensive and still relies on an Intel processor. Despite the claims that ME is "neutralized", the ME still poses potential security threats to the user as highlighted in Rutkowska's research.
https://www.theregister.com/2015/12/31/rutkowska_talks_on_intel_x86_security_issues/
== OpenPOWER ==
* Worthy mention: [https://www.raptorcs.com/ Raptor Computing Systems] have built their processors based on IBM OpenPOWER technology.
** OpenPOWER is not fully open-source. The instruction set architecture is source-available and allows one to freely produce POWER-compliant processors, and it is allowable to implement extensions to the architecture, however implementing remixes of the ISA is not permitted. See https://openpower.foundation/blog/final-draft-of-the-power-isa-eula-released/. Note that this is only the license for the ISA, it does not cover individual chip designs. Those may be kept proprietary or made open as each designer sees fit.
** Examples of source-available POWER CPU cores may be seen at https://git.openpower.foundation/cores.
** Available user guides [
For example, see the [https://wiki.raptorcs.com/w/images/e/e3/T2P9D01_users_guide_version_1_0.pdf T2P9D01 Mainboard document].
] appear to at least partially meet [https://en.wikipedia.org/wiki/Open-source_hardware opensource hardware principles]. [
This requires: ]... that information about the hardware is easily discerned so that others can make it – coupling it closely to the maker movement. Hardware design (i.e. mechanical drawings, schematics, bills of material, PCB layout data, HDL source code and integrated circuit layout data), in addition to the software that drives the hardware, are all released under free/libre terms.
** Unfortunately it is not compatible with Qubes OS, but it will run Linux. It is possible to run the [https://wiki.raptorcs.com/wiki/Whonix {{project_name_short}} KVM version as it is documented in the Raptor Computing Systems Wiki], but this is [[unsupported]] by {{project_name_short}} developers. For further information, see footnotes. [
https://www.fsf.org/blogs/licensing/support-the-talos-ii-a-candidate-for-respects-your-freedom-certification-by-pre-ordering-by-september-15
] [
https://twitter.com/Whonix/status/1190634591045865472
]
== Future ==
In the coming years when open-source processors and hardware designs further mature and the necessary functionality is provided for virtualization, reasonable and fairly-priced alternatives to proprietary architectures will start to emerge.
= Firmware Considerations =
[https://en.wikipedia.org/wiki/Open-source_hardware Open-source hardware] is not affected by the non-freedom firmware updates issue described in the previous chapter. Such hardware might be more trustworthy, but open-source firmware can be just as insecure as a proprietary one. Fortunately, open-source firmware increases the chances of actually making it secure, with options like coreboot appearing to be a promising solution.