Author: Martin Steigerwald Date: To: dng Subject: Re: [DNG] Google abandons UEFI in Chromebooks
Adam Borowski - 31.10.17, 12:41: > On Tue, Oct 31, 2017 at 11:48:35AM +0100, Martin Steigerwald wrote:
> > Arnt Gulbrandsen - 30.10.17, 12:25:
> > > Martin Steigerwald writes:
> > > > I wonder about ARM64 as an alternative? But they have some
> > > > Trustzone crap if I remember correctly.
> > >
> > > ARM64 is fine from a performance viewpoint. The mobile phone vendors
> > > have
> > > spent a decade optimising ARM SOCs for performance on small batteries. I
> > > haven't found laptops with ≥8GB RAM so far though.
> > >
> > > Personally I consider the Trustzone well-justified and good. It makes it
> > > easy to provide security regimes that rely on an unchangeable past and
> > > already-closed windows of opportunity.
> >
> > I don´t know much about Trustzone. Do you have any links to a good
> > explaination of it (preferable from a non-vendor source)?
>
> There's nothing inherently evil in TrustZone, although it can (and often is)
> used for evil. Think of it as a hypervisor: unlike IME, it's a privilege
> level of the main processor and executes regular ARM code. There are two
> "worlds": secure and normal.
Thanks Adam and Arnt for explaination.
I agree that such a feature if done like in
> The ROM code executes (at least partially) in the secure world, and may or
> may not let the bootloader replace it with your own code (typically you
> compile ATF, with or without modifications, instead of writing everything
> from scratch). On free machines like Pine64 or Pinebook, you can do this.
> On most others, you can't, with obvious freedom consequences. Insert the
> usual lecture about hardware you don't truly own.?
can be useful.
As my next music playback machine I may even use such a Pine64. As anything
from ThinkPad X240 and upwards appears to be "protected" by Intel Boot Guard
Verified Boot crap, instead of just offering the Measured Boot feature for
those who want it. Or I go with a ThinkPad X230 where it appears that Intel ME
cleaner can do its work. May still be better the Pine64 appears to be a tad
bit limited especially by memory, although for music playback it would be
enough if expanded with a large MicroSD card. And it would have the advantage
that I would not have to mess with removing crap as it does not appear to have
crap inside. And cheaper too.
Other alternative may be a Chromebook if I can rid it easily enough of Chrome
OS and install my distro of choice on it.