Don't Use Libreboot (Coreboot Distro)

Neptunian, Kitmonk

12.08.2025


Quick Note: This is a post on Libreboot yet it will cover parts on the Intel Management Engine and it also applies to Leah Rowe’s Canoeboot. Also the title was inspired by Soatok’s Don’t Use Session (Signal Fork). Give it a read.

Introduction

Let’s talk about Libreboot. Now, you might’ve heard of it. Maybe like this, or like this, or perhaps like this, or maybe even this. Either way, we’re assuming you’ve heard of it. If you haven’t: think of Libreboot as a FOS-firmware that replaces the traditional proprietary blobs present in some firmware. Libreboot is not a fork of Coreboot, rather, it can be thought of as a distribution of Coreboot which differs in that it removes all proprietary blobs rather than just some (excluding certain blobs). Because these proprietary blobs are often needed for support, Libreboot typically only works on older laptop models. Now that you know what Libreboot is, we want to present our criticisms. Libreboot, as we see it, has been held in this position of a “golden goose,” removing Intel ME (or AMD PSP) blobs which some people consider as the removal of an ultimate backdoor. (It has other features such as Coreboot’s fallback systems, a fully-automated build system, but those will be mentioned later.) Despite this status, Libreboot is archaic in its nature, having its mitigations counteracted by legacy threat modelling and lockrot.

Libreboot’s Purpose and Caveats

Libreboot exists to give people free and open source firmware alike to Coreboot with build automation, making it optimal for end-users rather than just developers as they put it. With that, it brings Coreboot’s purpose of mostly blob-free booting. However, Libreboot carries with itself additional caveats. Libreboot is entirely blob free and restricts its ability to be flashed to boards which require blobs. It’s why you typically hear Libreboot being talked about in the context of older laptops, primarily Thinkpads (T480, X220, etc). Which, this makes a lot of sense when you consider Coreboot’s design philosophy. Coreboot relies on technical knowledge that Libreboot doesn’t. Libreboot also leans towards using GRUB as a payload rather than Coreboot’s varied choices. These design choices force Libreboot to only work on certain devices as mentioned previously, typically ones without firmware such as Intel ME or AMD PSP in cases where they are integral to the system (i.e. where they cannot be removed.) This applies to graphics too, disallowing for certain graphics initialization that includes proprietary blobs. These restrictions also disallow for modern features such as certain TPM technology and speculative exploit mitigations.

In this sense, we lose a lot of what has been built for safety over what is primarily a philosophical effort rather than a practical one. Consider Moxie Marlinspike’s speech, “The Ecosystem is Changing.” One of his main points is that the ecosystem is a moving target. With that comes the issue of Libreboot being contrarian to the idea of an ecosystem being able to move within its design philosophy. Of course, he was speaking about instant messengers in the speech, but the point arguably applies just as deeply here. Security, especially hardware security, will always be moving. Attempting to solidify yourself in a conservative position regarding low-level operations like this is an incredible lapse in judgement. And the issue here is that it sets an untrue and arguably dangerous precedent about FOSS, being that it will be “stuck in the past” as it is with IPv4, SMTP, XMPP, IRC, DNS, and others. The only place it differs in here is that Libreboot is a centralized effort, yet is semi-willingly conservative. I say semi-willingly because they’re forced by both their philosophy (of their control) and the environment their philosophy exists in (out of their control). With this, their purpose begins to track over itself, decaying security whilst having such as its secondary priority.

Practicality

Now about that golden goose status… We should actually discuss whether or not Libreboot actually works in terms of mitigating threats. Now, one of Libreboot’s claims to fame is its ability to neuter the Intel ME. Despite this, it does not prevent the same kinds of attacks done by leveraging the ME. Take, for example, the Evil Maid Attack. Despite popular FUD, the IME requires immense physical access to exploit, being akin to an EMA (we will discuss this soon.) With Libreboot, you only get a bit of hardening. On that very page, it recognizes that a lot of these modifications may brick the system and even tells you to expect it (note that bricking here can be reversed with an external SPI programmer.) The mitigations only prevent software-based flashing, not SPI flashing which certain parts of modern security firmware. With physical access and trivial amounts of time alone with your device, you are arguably safer with an IME/PSP device than you are a Librebooted one. This is because things like BootGuard provide SPI defenses which Libreboot simply can’t. Aside from this being the case, Libreboot sort of admits that they’re not meant to be purely practical, which is something I’ll clarify at the end of this post.

Aside from this, if you accept certain end-user caveats, Libreboot is a good project. I recommend trying to install Libreboot or Coreboot if you have the time and money. It’s a good project to understand firmware and alike. Libreboot also, admittedly, has very few security holes. It’s quite well audited and Leah Rowe impressed me.

IME, PSP

To preface, I am in no way defending the implementation of either of these technologies. This was a stupid and careless effort by Intel and AMD and I really dislike it. Fuck the both of them. With that said…

Let’s actually talk about these two things because I see a lot of FUD about what they can and can’t do. Firstly, I’ve seen the main claim that it’s some NSA RCE into your device with trivial effort. This is laughably wrong.

Firstly, the main vulnerability which really brought traction to the IME was Silent Bob is Silent, a vulnerability which required a system to have Intel AMT enabled and configured in “admin” or “enterprise” mode (perhaps in corporate settings this could easily be the case) with consumer devices without AMT being listed as not vulnerable. The issue with calling this a remote hole in the way most do is that you’d need to be on the same network as the affected. This might be dangerous for the corporate world but so long as you have proper firewalls in place it’ll be fine. For the PSP, there was a locally authenticated attacker issue which is far harder to perform than one on a Librebooted platform. With this said, I feel like it is not unreasonable to establish that physical or badly configured LAN access is required (SA-00112, SA-00086, CVE-2017-5705…5712, etc etc).

Now, to the FUD. Claiming that the IME is 100% an NSA remote hole into your machine is obtuse at best. Claiming it is constantly spying on you to record your private moments and ship those off is even worse. You’d think over the nearly two decades of its existence the groups reverse-engineering it (puri.sm, System76, etc) would’ve discovered traces that it was actively or at some point making malicious requests. Or perhaps someone with a fancy firewall catching those requests in their logs. The idea that Intel’s careful placement of their backdoor somehow evaded all of this is dubious at the very best. The idea that the NSA is constantly using it like some revamped version of XKeyscore is even worse. Perhaps the worst problem of considering an archaic threat model concerning things like the IME or PSP is that it ignores actual threats which we currently face. We minimize those threats to cater to something which has a substance composed of mostly FUD. Am I saying that the NSA can’t exploit either of these? No. Am I saying that it’s stupid to claim doing such is trivial? Yes.

What Is Libreboot?

Philosophy. At least that’s how I see it. Libreboot is a movement which is primarily philosophy concerning free software, specifically, FOS-firmware. I disagree that it provides much practical advantage, rather, it provides ideological advantage (meaning that you must accept the axioms of the ideology for it to provide any advantage.) Aside from that, the jury is out.


Back home Back to blog
?