Hacker News
How to liberate a Chromebook (ar.al)
150 points by octosphere on March 30, 2019 | 122 comments



Or just follow Google's instructions if you want the same outcome without the invective: https://www.chromium.org/a/chromium.org/dev/chromium-os/deve....


Having followed these instructions before, they're not quite suitable for making a Chromebook run an alternative operating system for the average user. A developer, sure. But every time you boot up the computer, you hear an annoying beep and have to wait ten seconds, during which you're a few keystrokes away from wiping the machine and restoring it to a pristine copy of Chrome OS.

The reasons for this design are documented: https://www.chromium.org/chromium-os/chromiumos-design-docs/...

(Of note, the newer Chromebooks no longer require a physical hardware switch or jumper to be toggled. The hardware folks said this was expensive, so newer devices let you enter developer mode by holding the correct keys on boot.)

For now, if you truly want to give a Chromebook running another OS to someone, you have to replace the EEPROM: https://www.chromium.org/chromium-os/chromiumos-design-docs/... https://www.chromium.org/chromium-os/chromiumos-design-docs/...


> An attacker with physical possession of the device over an extended period. The attacker has access to tools including a soldering iron.

Yeah, if that is the vulnerability scenario they see necessary to "protect" me against, it's pretty clear I'm not the owner of the machine. I think the anger is warranted.

More broadly, I find the distinction between "normal users" and "developers" in that article pretty telling. I guess the goal isn't anymore to make everyone Computer-Literate enough to run anything else than Chrome OS.


You misread the document. You're quoting from the vulnerabilities section, which lists scenarios that Chromebooks either do or do not protect against ("We cannot prevent this attack").


> I guess the goal isn't anymore to make everyone Computer-Literate

Good. Even by the standards of comic book villainy, that was an insane idea.


You don’t have to replace the EEPROM. You can just open the case and briefly disconnect the battery to disable write protect, and then flash whatever you like.


Ctrl+D skips that boot screen and beep, so at least it's less annoying.

Much more of a problem for me personally is that I've spent several hours trying to follow the guides to recompile the kernel I already have, so I can try to modify it, and it comes out grossly wrong and unbootable. It's doing a very bad job of handling open source.


Agreed. OP is one angry human being.


Are we really so far gone that expressing a strong opinion with a little hyperbole is interpreted as "anger"?

The adjective I'd use to describe OP's writing is "resolute". And in these days when surveillance and other corporate monsters continually bathe us in soft nudging to acquiesce to their agendas, it is a stance that's quite necessary.


But it's totally misplaced emotion. The whole design goal of a chromebook is to constantly push signed OTA updates. They give you a hardware switch to turn off the signature checks. His comment that a hardware key you'd certainly lose is better than a jumper is pretty weak.

If you don't like them, fine, but this just comes off as nerd rage in an attempt at saying "I am very smart."


Really? The whole design goal? The design goal that Google's massive marketing department made up, or the design goal that was actually used in creating Chromebooks? And really, with what is common knowledge about Google, why would you ever trust them at face value?


Google's marketing department doesn't give a flying f*k whether you install another os on your chromebook. Use it however you like, with their blessing and even their assistance to the degree that they can help.

Your "common knowledge" notwithstanding, I can tell you with 100% certainty that the os protection features in chromeos devices are about security. More specifically, it's about creating a device that Google can use themselves for extremely high-security use cases.

You can trust it, or not, doesn't matter. But for Google, the modern Chromebook is the only desktop environment where they can be absolutely sure that all the software and all the hardware are clean. Turns out that other companies like this capability as well, so it's a general product feature.

But if all you want is some cheap hardware where you can flash the bios and run Windows Vista, then you just go ahead and be you. That's fine.


Unfortunately the Arbiter of Emotion was not there to correct his frustration during the unlocking.

The Chromebook's model is obviously consistent with Google's fleshed out security model. But this model is at odds with Free users, and there isn't one straightforward way to reconcile the two, but rather various ones that will each attract their own criticism.

Individuals don't have the luxury of massaging their opinions with a PR department, and conflict (with the corporate narrative) draws attention to rough points. People aren't going to express things perfectly - one can either work to be tolerant of varying personalities and colorful overstating, or retreat to the safe space of sanitized corporate press releases.

Ask yourself what is your motivation to shit on him with classical bullying ("nerd rage"). Some casual ranting about security models while tediously reflashing a BIOS is not an attempt to say "I am very smart".


Or they could have made their point without the rant and increased their chances of being taken seriously. As it stands, it’s not clear that the author understands why the things he’s annoyed about exist.


It's amazing how these tone policing responses are coupled with patronizing endorsements of Google's security model...

We get it. Google's (and Apple's, Intel's, etc) contemporary security model is to work to retain control over the device for themselves, taking end users under their wing to provide them security. For a non-technical person with no technical family, obtaining a device with this security model from Best Buy is likely the pinnacle of what can be done.

But this is not the only device security model. And the idea of a manufacturer working against the owner of a device is abhorrent to the perspective of Freedom. Weighing Google's specific design decisions within their model is not terribly important if one is repudiating the entire model. I personally think a better synthesis could be found between the two models, but that was obviously not the point of the original post!

I'm not personally a huge fan of blog posts / youtube / etc that just reiterate and editorialize information that is easily found elsewhere. But I do recognize that this is how many people learn - both the viewers and the authors. By picking on this post for not having the details fleshed out and stated in an impartial manner, all you're really doing is putting a veil of faux impartiality over shouting down the culture of Freeing computing devices.


> We get it. Google's (and Apple's, Intel's, etc) contemporary security model is to work to retain control over the device for themselves

This is exactly what you and likely the author of the post don't get. Google's security model is vastly different from Apple's or Intel's or anyone else's. In particular, the google security model is the only one of these which still ensures the ability for a user to take full control of the device (to the extent possible in current times). And they have gone through a lot of effort to do so. The easy way out is to do what every other manufacturer on the planet does.


Their security model is the exact same one - trust us and we'll maintain your security. The difference is better described as Google deliberately adding an opt-out to the devices.

That's definitely appreciated and is nicer than not doing so. But it isn't a real model of hardware protections that would serve a Free device, nor does it allow for agility or nuance around that trust relationship with Google.

Which is why the experience of taking ownership of your device turns into a violent one - because you basically have to repudiate the OEM's built-in system in favor of a completely different Free road. Which is why it's much easier to do with a fresh device, rather than after you've grown accustomed to it.


> But it isn't a real model of hardware protections that would serve a Free device

What is your proposed mechanism to ensure a verified chain of boot that the vendor intends for the majority of its customers while simultaneously allowing a user to do whatever they please? The current solution is about the only one you can do at a technical level. Note that the convenience (or lack thereof) is a separate minor thing that is not so relevant. You really need to understand the verified boot design in chromebooks to appreciate the nuance, as you put it.

> you basically have to repudiate the OEM's built-in system in favor of a completely different Free road

You are not repudiating anything. You are using a feature that the OEM explicitly added at significant cost to please someone like you. Buy any other machine, and tell me how much freedom you get.


Even though a TPM has to be tamper proof hardware, it does not have to be beholden to the single party of the manufacturer. I'd start by removing any burned in (loaded-once) asymmetric keys from the trust root. I'd pop an explicit serial header on the motherboard to communicate with the TPM in a user-friendly manner.

Any signing key could then be loaded into the TPM by holding the machine in a specific wiping mode for say a few days, essentially making the ultimate trust root "long term possession of the machine".

The actual signing key that is loaded needs to be percolated up through the UI so the user can verify whom they're actually trusting. But this doesn't actually need to be done every single boot, but really only when the machine is setup for a new user.

The banal criticism is that doing so would be work that doesn't directly benefit Google. Well you asked, and that's inherent in any constructive solution.

> You are using a feature that the OEM explicitly added at significant cost to please someone like you. Buy any other machine, and tell me how much freedom you get.

Erm okay you're taking this back to a hostile direction. Take any pre-DRM PC from 1985-2010, where the CPU simply trusts its memory. That's the longstanding basic model that Google simply added an escape hatch to revert to. I've said that it is appreciated, but don't act like it was somehow onerous.


> making the ultimate trust root "long term possession of the machine"

You probably don't want someone who steals your laptop to get access to your secrets after a few days. Also, how would you know your "brand new" laptop wasn't interdicted by a hostile party while it was "having problems clearing at customs"?

It is clear to me that your threat-model and Google's (they dogfood ChromeOS hardware extensively) are divergent. Chromebooks are not for everyone, and that's OK.


> You probably don't want someone who steals your laptop to get access to your secrets after a few days

Obviously. I was describing the signature chain management. The encryption key management would be as it is.

> how would you know your "brand new" laptop wasn't interdicted by a hostile party while it was "having problems clearing at customs"?

>> The actual signing key that is loaded needs to be percolated up through the UI so the user can verify whom they're actually trusting

> It is clear to me that your threat-model and Google's (they dogfood ChromeOS hardware extensively) are divergent. Chromebooks are not for everyone, and that's OK.

Here we go again with the condescending simplistic conclusions...


As the other comment said, the emotion is mostly misplaced. Quite a lot of effort has gone in to making chromebooks work the way they do. The documentation or the low level code may not be perfect from the standpoint of alternate OSes, but chromebooks are literally the most open laptops you can buy (barring a few niche products at the moment like purism's).


Any laptop that allows dual boot is more open than a chromebook. And that's a Really big number


That's "missing forest for the trees". Most laptops ship with rubbish AMI bios and bootguard enabled making them objectively less open. Chromebooks let you do whatever you want, although google does not do a lot of heavy lifting for you. There are apparently some plans in the works by google for making things like dual booting more convenient, but nothing official yet.


Chromebooks can be dual booted. So are they open enough for you?


I'm in agreement with you, and it's refreshing to see that view expressed on this site. The guy shouldn't have to go so far to do what he wants with hardware that he purchased. We have come so far away from the old concept of ownership and have for so long dealt with lackluster consumer protection that this simple concept is a radical one to some.

It seems to me that there's a bit of a blind spot here on ycombinator, specifically for tech companies and developers that is, in assuming they are working in good faith.

I guess it's that most people here work in tech or with said folks so I get why; it's just the way ycombinator swings.


Chromebooks would go down as one of those tragedies that were too ahead of their time because people have just stopped reading or doing any of their own research.

> I guess it's that most people here work in tech or with said folks so I get why; it's just the way ycombinator swings.

There is HN bias, but in this case it's the reverse bias, specifically because most folks DO NOT work in this sort of tech.


The language one uses when writing, while not perfectly accurate, is a good indicator of how one carries themselves in real conversation with strangers. Repeated usage of phrases like "Google Spy Device" isn't indicative of someone who's assertive or "resolute", it's indicative of someone who is being emotional. If you're a regular here and part of the author's target audience, you know how awful Google is with regards to the user privacy sphere. You don't want to hear someone whinge about it every some-odd lines of a tutorial.


Or "Google Spy Device" is simply an amateur attempt at reframing a paradigm. Those fall flat most of the time, but trying them out is still necessary to separate one's own and hopefully everyone's perspective from default Google.

I personally appreciated "A Chromebook is an inexpensive data milking device and you are the cow". Rather than throwing everything at the wall and hoping something would stick, OP would have certainly benefited from some editing. But the bulk still shouldn't have been hard to read past.

There is editorializing in every communique. IMHO the protests here say more about being acclimated to a culture of milquetoast-positivity corporatespeak than anything else.


> Or "Google Spy Device" is simply an amateur attempt at reframing a paradigm.

That would require effort on the author's part. This is the equivalent of that guy who goes "gNu pLus LiNuX ;D" whenever someone simply says/mentions Linux as part of a larger conversation topic because they have nothing to contribute.

> But the bulk still shouldn't have been hard to read past.

It is difficult because the author has two simultaneous discussions going on: their actual work with the Chromebook and their banal google privacy comments which are intertwined with the actual interesting content.

> IMHO the protests here say more about being acclimated to a culture of milquetoast-positivity corporatespeak than anything else.

I clicked the link to read an article on getting ChromeOS off of a Chromebook. I didn't click the link to have to scrape aside the same wannabe revolutionary feel-good drivel that's been propagated on every common and tech-focused news site just to get at the content. If anything, the author writing the equivalent of "ha ha doodoo head google sheeple FITE DA POWA" and the volume of people defending it speaks volumes about what constitutes privacy advocacy in HackerNews comments.


Unless the OP truly believes that Chromebooks are "Google Spy Devices". I don't understand what is emotional about that phrase.


It is on the other hand in some sense expressing hostility towards fellow humans for "don't be evil" Google to make this so hard to do. If they were more honest in that saying it would indeed be simpler, and that is probably why the author is disappointed.


In this case it feels really disingenuous. The Chromebook design goals are different than his wants. It's really nothing to get upset about.


Why should we not get upset about design goals we dislike?


Not every design is for you.


And not every design is to the benefit of the consumers it's targeted at - surely we should voice those concerns.


Chromebooks are arguably the most secure consumer devices out there. This security is very much by design, has been there from day one and is of tremendous benefit to its target users.


Why is it so popular to conflate security with lack of user control? Making Chromebooks tamper-evident is perfectly sufficient for security.


…which is pretty much what they do? You flash your alternative OS on it and the Chromebook tells you that it can’t verify what it’s booting.


Unless you happen to press space or enter, in which case it wipes the device. That's a rather important detail.


Space then enter, and only during a little time window during the boot sequence: it's not easy to hit accidentally. Oh, and it warns you that you are reenabling OS verification for each step.


What an important clarification, I never hit those keys in that pattern, and neither does my cat! Glad I won't have to give my Chromebook a screwdriver enema again!


It is significantly easier to accidentally hit either of two keys than hit those two keys seconds apart in the right order. So I’d call that a pretty important clarification.

> Glad I won't have to give my Chromebook a screwdriver enema again!

If you’re willing to do that, you can disable this key sequence.


Those are the two largest keys on most keyboards. The space bar is also located along the edge closest to the user, making it the easiest key to hit. Having the two largest targets on a keyboard being the special combination for a factory reset is awful. That's a coercion to foul your system. I hit space and enter quite often, but I don't wipe my OS often... Why convolute those operations? Because it's designed to push you back to Google's domain.


It's not a little time window - the screen remains until you press Ctrl+D.


Not for me, it boots into Chrome OS after a little bit (it does make a pair of really loud, annoying beeps in the process).


I actually find Google's position more disingenuous and more arrogant. If a customer purchased some hardware they will have uses its creators did not intend or foresee. To take active measures to impede them or make it more difficult is aggression, and confusion about what it means to sell a product.


The active measures are to block unwanted changes by a virus or whatever, protecting naive users from takeover. They explicitly tell you how to take this off if you want. Other companies don't do that. It's missing the whole point of chrome os to complain that it takes 5 minutes to overcome the cryptographically signed os that protects most users from harm.


I disagree. It is this same confusion, and I use that word intentionally, that makes people think user serviceability and safety from malware are mutually exclusive.

Edit: let me elaborate on what I think is the reason. They are selling the hardware at a loss or close to it. When you put Linux on there you eat their revenue. Instead of being honest about this, they dress it up in a bunch of phony security talk. They don't want people reselling them as useful Linux workstations.


It's possible they are selling the hardware at a loss but my experience is the opposite case. If you compare specs of laptops generally a chromebook laptop seems to cost more than a windows laptop of similar capabilities. I think the reason chromebooks cost more not less is because they sell fewer of them. You can buy a cheaper low end windows laptop and install any old os, usually.


I don’t agree; Google shouldn’t have made it hard to do this—they should have made it impossible. (And making it merely hard just adds inconvenience while failing at their design goals.)

The point of the Chromebook’s security approach (with the developer mode beep + notification, etc.) is to have a “Trusted Computing Base”, in the original, non-dystopian meaning of the phrase: you’re supposed to be able to tell, as a regular user, just by looking at/booting up a Chromebook, that it’s running Google-signed firmware/software.

A Trusted Computing Base is precisely for the case where you do trust some particular third-party to be your IT admin (because, for example, they’re your school or employer, or—more likely—a subcontractor of one of those that MDM is being delegated to.) In such cases, you want to know that your device is in exactly the state that that party wants it to be in, and that no other party has been able to modify it.

Google aren’t trying to make it impossible for you to use your Chromebook for whatever you want; that’s just a side-effect. Their goal is to make it impossible for someone who intercepts your Chromebook in shipment to install a rootkit on it, in a way where the device still appears to be (and act like) a Chromebook, with no sign that there’s anything wrong.

Yes, Google is the IT admin of the device. Someone’s gotta be; in a Trusted Computing Base scenario, you remove the possibility of handing the thing off to a repair shop (because what is a repair shop—from the TCB perspective—but another attacker?)

Essentially, a Chromebook has the same goal as a high-security lock: nobody should be able to pick it. Not even a locksmith. Not even the locksmith you hired because you lost your keys to the lock you own. Just like with encryption, you can’t leave a backdoor that only works for people with good intentions. You have to leave no backdoor at all—only a “front door.” In the case of a high-security lock, the “front door” is ordering new keys from the manufacturer, supplying your proof of purchase of the lock. In the case of a Chromebook, the “front door” is the signed update system, which allows one party (in this case the manufacturer, but in TCB Windows/macOS PCs this is your enterprise MDM admin) to manage everything. And also spy, if they want. But the two things are one and the same, really. The manufacturer of your high-security lock could break into your building, too. That’s why you pick a lock manufacturer you trust.

Sadly, as the author proves, it’s not impossible to install a rootkit (in this case, a Linux distribution, but it could just as well be a keylogger-injected version of ChromeOS) onto a Chromebook, in a way that’d be invisible to the end-user (unless the end-user X-rays their devices upon receipt and uses ML to compare them to a standard blueprint, ala the brouhaha around spy chips surface-mounted onto the bus of Supermicro servers.)


User control is not opposed to security - all your concerns are addressed by making the devices tamper-evident. Making them tamper-proof only benefits Google. As for

> you’re supposed to be able to tell, as a regular user, just by looking at/booting up a Chromebook, that it’s running Google-signed firmware/software.

Google did do that. But they went a step further - making it extremely easy to accidentally wipe your device and reset it to factory-defaults: https://www.chromium.org/chromium-os/chromiumos-design-docs/...


Not really, you have to open a ChromeOS to replace the firmware, but it's easy to do, and then you can manipulate it however you like.

I personally find this useful, I've got two ChromeOS devices running other OSes, and I like the minimalist hardware. Frankly, I also get enjoyment out of using things in ways not totally intended.


Yes, and that was the solution to an incentive design problem.

If you make it easy to persistently use a rooted device, then regular users would use rooted devices for regular tasks. (Because there are advantages of doing so, like side-loading native apps.)

If regular users use rooted devices, some people’s only experience of a device would be of a rooted device.

If some people’s only experience of a device is of a rooted device, then they’ll have no idea what an actually tampered device looks like, because every device they’ve seen is “tampered.”

This is exactly the state of Android, as it happens. Tons of people use Android in its developer mode; and so people don’t take a security mindset toward using a rooted phone.

The solution to this is to use technical mechanisms to achieve social effects (a.k.a. “incentive design” — the type of thing that tax credits are.) By making it irritating and risky to use developer mode in a persistent way, people won’t do it for anything other than tasks that truly require using developer mode for what it’s for (that’s “using the device as a debug build target”, by the way, not “writing code on the device.”)

Thus, nobody uses Chromebooks in developer mode.

Thus, the average person’s experience of seeing a Chromebook in use is, 99.9% of the time, of a non-rooted Chromebook.

Thus, the boot beep is surprising, and will scare the average user off of using the device.

Adding a switch in the OS that disables this, would be akin to having a switch in your OS (on a device MDM-managed by someone else, including the certificate store) that disables web browsers from doing any certificate checking. You could flip it; but so could viruses, and so could the NSA half-way through the laptop’s delivery process. Why would you want that switch to exist?

——

What people with complaints like yours really want, I think, is not to disable the TCB. You want to be able to be in control of the TCB. You want something that’s like a Chromebook, but where the MDM controller is an enterprise (e.g. you individually, if you’re clever enough) rather than Google.

Well, I mean, first: that’s what a regular PC with Secure Boot is.

But if the particulars of Chromebooks appeal to you (and I suppose they could appeal to somebody): the cheap hardware, the keyboard layout, the sandboxing, etc. Then what you might want is a variant Chromebook.

Such a device would have to look different than a regular Chromebook, somehow, to show regular users that it’s not for them. Sort of like how developer units of game console hardware are clearly not the same as production units. But if that were done, I think it’d be okay for those units to have a user-controllable TCB.


> If some people’s only experience of a device is of a rooted device, then they’ll have no idea what an actually tampered device looks like, because every device they’ve seen is “tampered.”

This is false. All but the most technically inept user will understand "WARNING! YOUR COMPUTER IS NOT RUNNING GOOGLE CHROME OS/HAS BEEN ALTERED FROM FACTORY DEFAULTS!" shown at boot time. Which is what Chromebooks do. All that's needed to make it into a usable device is to get rid of "Press space to wipe your device."

> Tons of people use Android in its developer mode; and so people don’t take a security mindset toward using a rooted phone.

Android security is catastrophic on factory settings already, so how you managed to blame the tiny proportion of users that root their phones to get rid of vendor bloatware for it is beyond me.


> All but the most technically inept user will understand "WARNING! YOUR COMPUTER IS NOT RUNNING GOOGLE CHROME OS/HAS BEEN ALTERED FROM FACTORY DEFAULTS!" shown at boot time.

No. Not if half† the Chromebooks people own emit that message.

Users do not read. I know, it's hard to believe, but a large portion of average (not "most technically inept", average) users have never read a warning message on a screen in their lives. They see a warning message—and then they ask an authority figure what it means. They then classify whatever technobabble response they get into two executive-summary categories: either the warning means they should stop and wait for assistance; or the warning means nothing, and they should confirm whatever it's asking them to confirm and go on as per usual. After that, every time they see a prompt that looks like the one they asked about, they'll remember which of the two categories they surmised it to fall into, and that's what they'll do. Even if it's a prompt with different text. It looks the same—it gets the same treatment.

The next time you see a non-IT person using Windows and they get a UAC prompt, observe what they do. Ask them why it came up, and why they reacted the way they did. They won't know. All they'll know is that someone once told them it's fine to ignore those and click Accept.

If the ChromeOS boot screen is as common as Windows UAC, then it fails at its mission. That is why it makes it easy to un-root the device: because, if you have a boot screen that can "trick" average users into un-rooting a Chromebook, then you can't trust the average user around your rooted Chromebook to not accidentally wipe it, so you can't ever give the average user a rooted Chromebook as some kind of cheap kiosk (i.e. exactly what the author of the article was trying to do.)

And so rooted Chromebooks "in the wild" are rare—rare enough that if any user ever sees that boot screen, it'll be a new error that no authority figure ever told them "the trick" to bypassing and getting on with their day. New enough that they'll either "fall for" the prompt and un-root the device; or they'll call someone over to ask what the prompt "means."

----

† Sure, far less than half of Android devices are rooted. But consider the demographic difference. Every human being has a potential reason to own an Android device. Right now, very few average human beings have a reason to own their own Chromebook. (Be assigned a Chromebook by an enterprise MDM system, sure. But own their own? Quite rare.)

Ignoring the enterprise users, and taking the small slice of people who own their own Chromebook as the base population, any random niche use that requires rooting the Chromebook, if it got popular enough, could blow that population out of the water. If rooted Chromebooks turned out to be, say, good for running TAILS, or game emulators, or any other stupid thing you can think of, suddenly half the Chromebooks "in the wild" that a non-enterprise user ever sees would be doing that, and so would be rooted. They'd all beep and show the warning. And, like UAC, it'd be just another one of those things you ignore.


This person is confused about the security intentions of the device.

Google tells you how to install alternate OSes on there. It doesn't have easily upgradable storage in part because that makes them cheaper, but some have had upgradable storage. My chromeos Asus desktop brick like device has upgraded memory and storage. Look at Mac laptops for serious anti upgrade efforts.

Part of the restrictions are to prevent viruses or other rootkit like takeover of the machine.


I don't know about you but I find it maddening that you have to take apart the laptop and risk damaging the hardware simply to install another OS, and I'd feel just as frustrated as the author if I had to deal with that.


You don't have to open the case to go to developer mode.

If you want debug features without opening the case, there is https://www.chromium.org/chromium-os/ccd


Things like these are why I never bothered looking into getting a Chromebook... developer mode? debug features? The article you linked is even more confusing... Why can't people just stick a bootable USB in the laptop and install whatever OS they desire?


> Erase all personal data on the "stateful partition" (i.e., user accounts and settings - no worries, though, since all data is in the cloud!).


Those don’t tell you how to flash the BIOS though.


Not on that page directly, but it links right to another page detailing how to flash the BIOS. (The other page has a section titled almost exactly like that.)


The link you refer to is not so easy to identify, and the linked-to page is missing some critical information. Specifically, it says:

"You'll have to locate the Write Protect jumper and enable it."

But it gives you absolutely no clue where the write-protect jumper is, or how to find it. For this critical step, you are on your own.

It's pretty clear that Google really doesn't want people doing this. (Not that I blame them. But still, the OP page does add quite a bit of value IMHO.)


The jumpers are device specific. You'll have to look up where the vendor put it.


The tone of this article is off-putting to the point of being unreadable, and I'd say I'm more privacy conscious than the average technologist...


> The tone of this article is off-putting to the point of being unreadable

Now who's exaggerating? I'm largely in the middle of privacy vs convenience but I can get through the information just fine.


I recently got a 2017 Google Pixelbook to replace a Razer Stealth 2017 that I unsuccessfully tried to replace a 2017 MBP with.

Similar to OP (little less emotion maybe), I flashed coreboot[0][1] on it and installed Ubuntu[2] (display brightness, audio doesn’t work so I have a USB-C audio adapter) - couldn’t be happier: keyboard is excellent, it’s light, it was relatively inexpensive (for low end i7, 512GB, 16GB RAM), it’s silent (no fans), display is 3:2 aspect ratio (I think) and it’s not 4k, hardware feels nice and solid. Other than the audio issue, Ubuntu runs solid on it after some tinkering. If you’re willing to tinker with it a bit - Google totally nailed it on this![3]

[0] https://www.coreboot.org
[1] https://mrchromebox.tech
[2] https://www.reddit.com/r/elementaryos/comments/9vu3hm/juno_o...
[3] https://www.google.com/chromebook/device/google-pixelbook/


Try the GalliumOS kbd file for media keys support:

https://github.com/optio50/ChromeBook-Keyboard-xkb/blob/mast...


Says the guy sending the output of a curl into the laptop's firmware.


I cannot stop laughing at this comment.


That's where I stopped reading the article...


To echo some of the other comments - this looks like a useful guide but the attitude is atrocious. You only need to make your anti-google complaint once and then move on.


The suggested coreboot distribution (johnlewis') is not maintained any more. You should use Mr. Chromebox's builds or build from source. (https://doc.coreboot.org/distributions.html)


I've updated the firmware on every ChromeOS device I've owned and installed Linux. It's fun!!! But I've also restored some of them to factory condition and given them away to friends or family who find it challenging to apply regular security updates. It sounds like the author gave someone a broken Chromebook instead of giving her the freedom to decide how she wants to use it.


Yeah, I hope he asked her what she wanted before forcing her to use that…


To clarify, "How to liberate an Intel Chromebook in ten easy steps." Older ARM Chromebooks are doomed to a life of a corporate surveillance endpoint unless you are willing to put in a huge amount of effort.


I can't tell if "if remove all /eight/ screws" is meant as a "look how few we used back then" or as a "look how many screws that is!" comment. It's eight screws. Even my ancient Dell Inspiron has more than that...?


The very next sentence answers your question of why /eight/ is emphasized:

> Four of the screws are hidden under the pads for the feet...


How is that an answer? So does every other laptop I've ever owned that has "feet" pads rather than shaped bits of chassis. That's like going "and then I had to REMOVE the outlet part from the wall socket box so I could switch live and ground!" as if that's somehow crazy unexpected.


Maybe because some have never had the pleasure of taking apart modern equipment and might consider resorting to force, without the knowledge of those four other screws?

I consider it a helpful reminder to count to verify I have gotten them all.


I don't understand your objection. It's standard practice to include notes like this in directions for hardware disassembly.

For example, take a look at the ThinkPad Yoga 460 Hardware Maintenance Manual:

https://download.lenovo.com/pccbbs/mobiles_pdf/p40_yoga14_mt...

Go to "1020 Base cover assembly" on page 71 (page number at the bottom of the page, not the PDF page number). Note how it instructs you to remove the three caps (feet) to reveal those screws.


The word could be emphasised to make sure the reader pays attention to the fact that it's "eight" and not some other number, if four of the screws are not immediately obvious.


Why is he running Chromium, then, after all that? Or am I misidentifying the browser in the final screen shot?


It's probably Chromium. GalliumOS defaults to Chromium with some fixes to make it more Chromebook like.


Perhaps because unlike Chrome, Chromium actually _is_ open source.


It would be nice if there were a link to purchase the right jumper. I'd rather spend 50 cents, and permanently enable write access, than mess around with the screwdriver.


Permanent write access to the chip that houses your BIOS? Do you want an unremovable virus? Because this is how you get an unremovable virus. You want to unlock that chip only for exactly as long as you are going to knowingly change its data yourself, and then lock it right back up.


Cheers. I hadn't thought about that. I just saw the photo, and it doesn't look like a pleasant way to work. Screwdriver breaking something off, ESD, etc.


Jam some aluminum foil in the hole and seal with epoxy? It's a 6 year old Chromebook, so the financial risk is pretty low :)


That is true. I didn't realize it was six years old.


How you enable write access varies by model. For mine you simply remove a screw. That said, I'm not sure you'd want to enable it permanently. That sounds dangerous.


>Pry open the lid by sticking a small flat-head screwdriver in and gently moving it all around the edges.

Instead of a screwdriver, which can easily damage the casing, breaking a washing line pin in half gives you a sturdy plastic object of the right size for the job that won't scratch stuff.


I did something similar with my Chromebook. I flashed the BIOS and installed Arch + Sway + GalliumOS patches. It's been a pretty stellar experience so far.


Hmm.

I appreciate the sentiment behind the author's desire to do this. But I'm wondering:

- Did it void a warranty if it was still valid, and the tampering with the case had damaged some hardware that the end user can't fix on her own?

- Does the user require knowledge of GalliumOS, and understand that updates may need to be pulled manually?

- Can common college programs in her major be run on GalliumOS and on the hardware defined by Chromebooks (low-end)? Can she run SSH to Linux or VNC for Windows w/o difficulty?

I agree having one corporation say to the poor and the young and the otherwise disenfranchised that a corporate, locked-down operating system is good for you is not a great idea. It trades your freedom for convenience, and no matter how appealing that may be for both parties (the end user for cheapness and ease of use, and the corporation for not having to deal with the insanity and unworkability of some users), it's not a good tradeoff in the long run for anybody, including the corporation that discovers too late that hiring the same sheep it raised is bad.

But I don't think this is the right way to go about it. Shrieking the principles of Stallman from a hill just makes you look like an old crazy person. I personally didn't get to love Linux until I had a MacBook Pro, a UNIX fork that works pretty nicely on a laptop, and moved slowly into Linux until I prefer the CLI over GUIs for many things now. At every stage of my transition, everything worked, and worked best for me, and I understood why I needed to move further. Doing something like this and encountering issues solved by ChromeOS may create a negative impression of Linux in a young mind, which is the exact opposite of what you want to do.

As an alternative way forward, I installed Ubuntu on my parents' laptop after Windows 10 kept freezing up on them. Yes, it has binary blobs and a corporation runs it and whatnot, but it works and it's still Linux.

My dad got a virus from downloading a YouTube video somehow, and I could fix it because I could reinstall chrome using 'apt', and taught him how to use 'youtube-dl' instead (open terminal, paste, enter key). I don't think he cares that it's Linux, but I do think he is happy it works and I can fix it when it goes wrong.

You never want to do the right thing by going against the laws of power, because that's how you end up as cannon fodder and a footnote in a moldy AP compsci textbook somewhere.


If you’re willing to go halfway and live with the verification screen (which doesn’t require opening up the computer), I wrote up a guide for dual booting: https://saagarjha.com/blog/2019/03/13/dual-booting-chrome-os.... But back to the article, the author seems to fundamentally misunderstand the reasons for the warning screens. They are there to alert you if your system has been compromised; if you’re looking for the ability to verify what you’re booting it’s either that or iOS where you can’t install anything else at all. I think I vastly prefer the former option.


Those are not the only two options available. They could also allow you to provide your own signing keys, and then verify that whatever it is you're trying to boot is signed with those.


That’s a valid option but I haven’t seen any consumer hardware implement this properly. The issue seems to be that the ability to change signing keys makes it possible to change them without the end user noticing. Unless Google had a service that could deterministically burn your keys into the hardware at manufacture time instead of their own I can’t see this working: can you think of anything else?


I don't see why it can't work if the only way to change them is through a special UI at boot (the security of which can itself be protected with hardware-assisted measures).


Because then other people can change the key without you knowing?


This is trivially avoided by adding a setup password. Additionally, the system could display a hash of the keystore at boot - AIUI, Purism has worked on something like that.


This doesn't help ordinary users who aren't going to check the hash at boot.


OK, so we're talking about users who have unlocked the system themselves and enrolled a user key onto it, but aren't going to notice if it changes unexpectedly? Suuure.


No, you also have to include users who would like to run "stock" Chrome OS and continue trusting Google's keys. How do you protect them?


How can they change it, unless they have direct physical access to your machine, and password to edit the key?


Direct physical access isn’t that huge of a barrier. An ordinary user isn’t going to set a password anyways, putting themselves at risk, and even someone who is willing to use a password could have their device compromised before they receive it and have had a chance to set their own password.


If I have direct physical access to your laptop, I can just put a hardware keylogger or rootkit in it. I don't see how any form of secure boot would be of much relevance in that scenario.


I have an i5 Chromebox I got at I/O a number of years ago, and I was considering doing something like this to make it useful. For the moment I haven't put in the effort to tackle it yet.


Does GalliumOS auto-update, including security updates for all packages?


It's Ubuntu-based, but they use their own kernel. So you rely on their kernel builds, which is not ideal. If your device is one that works well with the upstream kernel, you should just use a regular distro (or switch your GalliumOS kernel to track the regular Ubuntu kernel).


GalliumOS is no longer under development; see r/galliumos for more info. Ubuntu 18.04 works great; see my other link in this for how to enable media keys.


It seems like they are still active, although not quite as much. The stickied post on that sub says so at least. The main draw for GalliumOS is support for odd devices for which upstream support is lacking. That's kind of why it exists, and I don't think things have changed materially for a lot of these old devices. Going forward, things should be a bit better since ChromeOS itself tracks LTS kernel releases now, and I think they also plan to do kernel upgrades over the life of a device.


I'm on an older Toshiba Chromebook 2 and have been running Gallium for a while. I did some distro hopping recently and found that Manjaro, Ubuntu, and some others work almost perfectly out of the box. Bring in the Gallium keyboard layout and it's great.

The work the Gallium team did was necessary, and it's definitely paid off. It's nice to see things open up over the past few months.


I wonder if the person he gave the laptop to appreciated that he installed GalliumOS. I bet Annie can figure her way around Chrome OS, not sure about Gallium.


Not all Chromebooks have a write-protect jumper like this. The HP Chromebooks have a write-protect screw. Rather than jumping terminals, you remove the screw.


Who is Annie? I hate when people write like this. Despite this, it's a great technical piece.


I'm curious what are the 2GB RAM and the Celeron 867 good for in 2019. Apart from text editing.


"Screwdrivers for Freedom" - A sentiment I can get behind...


utter bollox


But why? Buy a cheap laptop, reinstall Windows (acquire Enterprise LTSC), profit. I rarely give the tech industry money.


I think you just made your own case for why to do this? Your solution costs money, this guy's solution costs however much a few inches of clear tape costs. Between the two "I rarely give the tech industry money" kind of suggests you are on board with repurposing old tech rather than just buying something new?


I'd buy one of these, if they would support Linux properly:

https://liliputing.com/2018/07/handheld-pc-face-off-gpd-pock...



