I’ve been working on my FreeBSD setup for Purism’s Librem 13 laptop ever since receiving it back in April. I’m relatively pleased with the way things have progressed, and most of the critical issues have been addressed. However, the setup still has a way to go in my opinion before it gets to the point of being the “ideal” setup.
Three of the four critical issues I identified back in April have been addressed:
- Matt Macy’s i915 graphics patch works well on the Librem 13, and I personally made sure that the suspend/resume support works. The patch is very stable on the Librem, and I’ve only had one kernel panic the entire time testing it.
- The HDMI output Just Works™ with the i915 driver. Even better, it works for both X11 and console modes.
- Full support for the Atheros 9462 card has been merged in. I’ve had some occasional issues, but it works for the most part.
- The vesa weirdness is obviated by i915 support, but it was resolved by using the scfb driver.
While not Librem-specific, I have been working primarily on GELI support for EFI. This is also part of a larger set of tamper-resilience features I have planned to implement for FreeBSD.
Additional Configuration Notes
I’ve played around with the configuration a bit since April, and discovered a few things in the process:
- The mouse is frozen after suspend. The way to un-stick it is to restart moused (for some reason, this doesn’t work when done in rc.resume), then move your finger on the pad while pressing the Fn+F1 (mouse lock) keys until it un-sticks.
- PulseAudio works fine, but the default settings end up sending output to the HDMI port even if nothing is plugged in. Simply change the default sink, and it should work fine. Sound without PulseAudio also works fine, as I previously reported.
I have plans to do more work on this port, especially with my Librem 15 hopefully arriving soon. I hope to eventually turn this platform into a fully-supported FreeBSD laptop.
There are still a number of items to be addressed, of course. Some of these are issues, and some are longer-term work I’ve planned.
Sporadic Boot Hang
The only real “issue” at this point is a boot-hang that manifests sporadically, causing boots to hang for several minutes before having a kernel panic. Fortunately, the machine tends not to experience this problem after rebooting from such a kernel panic. Thus, it’s an annoying problem, but not a show-stopper.
After observing this phenomenon many times, I suspect it to be a bug in either the AML execution engine or the AML itself that causes AML execution to go into an infinite recursion before crashing from a stack overflow. After this happens, the hardware seems to be in an indeterminate state and causes a kernel panic later on. Resume also sometimes causes the machine to freeze, and I suspect this to be the root cause of that as well.
This ought to be fairly straightforward to hunt down; the only confounding factor is the fact that it is sporadic, and tends to only happen after the machine has been shut down for a time.
All the important devices are supported. Support is missing for some minor things, though:
- Synaptics support is not present, due to no support for the BYD touchpad beyond the regular PS/2 mouse driver. I am currently starting an effort to port Purism’s work on the Linux PS/2 driver to FreeBSD.
- I also plan to look into support for things like screen brightness adjustment, either bringing over support from the Linux drivers or working out the configs to make the brightness keys work if the driver support is already there.
- A few of the hotkeys work (the mouse lock and the screen blank); others don’t. Currently non-functional hotkeys include the volume keys, the brightness keys, the Bluetooth and wireless keys, the suspend key, and the video output key. This probably involves writing an ACPI extras driver similar to acpi_ibm and company.
My longer-term plans mostly revolve around security, integrity, and tamper-resilience. Some are related to the hardware platform, while others are general FreeBSD features.
FreeBSD Tamper Resilience
My GELI EFI work was the first step in a series of projects I have planned regarding tamper-resilience features at the OS level for FreeBSD. I’ve hinted at this, and will write a full post on my plans, but here is a sketch of the process:
- Full-Disk Encryption for EFI (done): This was addressed by my GELI EFI work.
- Secure Boot and Loading: Provide support in EFI boot1/loader and the kernel for signed images. Wire it in with EFI Secure Boot architecture.
- Secure Hibernate: Implement the ability to suspend to disk and resume in a secure fashion. This is the coup de grâce, as it means the machine’s data is fully encrypted when powered off or suspended.
I am currently looking at building a new, better crypto library, as the current crypto framework is in need of some cleanup.
CoreBoot and TianoCore
Once my Librem 15 arrives and I have two machines to work with, I plan to replace the proprietary BIOS image with CoreBoot and an open-source EFI implementation (likely TianoCore). In addition to the obvious benefits in terms of openness and control over my own hardware, this affords certain possibilities like baking extra EFI filesystem drivers into the firmware, allowing me to get rid of the unencrypted FAT-formatted EFI system partition.
It also might be possible to boot straight into FreeBSD and avoid the EFI stuff altogether (this is possible with Linux, and leads to super-fast boots).
Disabling Intel ME
I have a good document on disabling the Intel Management Engine altogether. This is the one goal that Purism was unable to realize for their Librem laptops (which is fine in my opinion; the push for open hardware is a process, and Purism’s success was a major step forward in that process).
The final stroke in all this is to try and set up a method to disable the ME completely. While this is obviously platform-specific, it would represent a major victory for the forces of openness.
The Librem platform represents the best chance I’ve ever seen of creating the “perfect” FreeBSD setup. It’s going to take some work to get to the laptop I’ve always wanted, of course, but stay tuned and hopefully we’ll get there eventually.