My First Fully Free Laptop: a Chromium Book

  • Last Update:2015-01-02
  • Version:en
  • Language:001

I have been using Free Software for almost 20 years and it is only on Friday, 12th December 2014 that I could realize my dream: work on an affordable and powerful laptop that provides acceptable privacy and which manufacturer gives me the freedom to modify or share any of its software components.

One Sentence Howto

I purchased a 250 EUR Toshiba CB30 Chromebook in a shop in Paris, recompiled a stable release of Chromium OS on a VIFIB VM, installed Chromium OS image to the latop, modified /etc/hosts to point every google web site that trie to track me to 127.0.0.1, logged as guest in Chromium OS user interface and I can now develop through an encrypted SlapOS chroot on a high performance USB 3.0 key installed by crouton.

Existing Approaches

Before we proceed to a step by step explanation, let us review here what are the existing approaches for a developer to work an on "Fully Free Laptop".

Leemote

The reference approach is to use the FSF funded gNewSense (http://www.gnewsense.org/) GNU/Linux distribution on Lemote laptop (https://en.wikipedia.org/wiki/Lemote). FSF actually published a version of gNewSense designed specifically for Lemote Yeeloong (http://www.gnewsense.org/Main/Download) and Lemote officially supports a pure "Free Software" approach. Also, Lemote hardware is not powerful, its price is high and it is hard to find. It is thus unlikely that such an approach will reach any time soon mass adoption.

Rockchip

Another approach is to purchase a device designed for Android based on a Rockchip reasonably powerful System-on-Chip. Lenovo A10 is an example of such laptop (http://www.cnx-software.com/2013/10/27/lenovo-a10-android-laptop-is-powered-by-rockchip-rk3188/). Rikomagic provides similar device in desktop PC format (http://www.rikomagic.co.uk/linux_mini_pcs.html). It is then possible to use about any of the tools of the Android Open Source Project (AOSP) alone or in combination with Linuxium (https://sites.google.com/site/ianwmorrison/) to install all kinds of open source operating systems derived from GNU/Linux or Android.This approach could apply in the future to other Android hardware, as long as an equivalent of Linuxiume exists. 

RaspberryPi Laptop

For educational purpose, one can build a laptop based on RaspberryPi hardware. See for example 2012 PC World article (http://www.pcworld.com/article/2023218/turn-your-raspberry-pi-into-a-tiny-linux-laptop.html). However, this approach is even further away from mass adoption than Lemote approach.

GNU/Linux on Windows PC

For open source developers, the most common way to work on a somehow Free PC is to purchase a Windows PC with a proprietary BIOS and replace Windows with GNU/Linux. Some PC manufacturers try to provide the option to deliver PCs without Windows or to refund Windows (see here for a list http://bons-constructeurs-ordinateurs.info/). But in most cases, developers prefer to chose a PC based on the kind of keyboard and screen that they like, even if this contributes to increasing official sales statistics of Windows operating system and does not help demonstrating the existence of a significant market for GNU/Linux. 

Step by Step

Here are now the steps I followed to build my own Chromium OS laptop with acceptable privacy.

Purchase Chromebook in a shop 

I purchased by Chromebook (a Toshiba CB30) by going to Grosbill in the center of Paris after making sure that they had some inventory (http://www.grosbill.com/4-toshiba_cb30_b_102_-622045-ordinateurs-ultra_portable). I tend to prefer purchasing my laptop in anonymous ways and at a physical outlets so that chances of getting a bugged hardware are reduced (see http://www.engadget.com/2014/05/16/nsa-bugged-cisco-routers/). I selected the CB30 with 2GB RAM and 16 GB SSD because I like its bigger screen and bigger keyboard. I actually also own an Acer 720P with more RAM (4GB) and bigger (32 GB) which is very nice but I prefer the CB30 for daily work.

Setup a VM

I then used ViFiB (http://www.vifib.com) to get an SSD based virtual machine with 4GB RAM, 4 cores and 100 GD disk space. ViFiB is a distributed mesh cloud operator that hosts its servers outside datacenters for higher resiliency and privacy.I installed a Debian distribution (version 7.7) by publishing its ISO image with qemu over NBD protocol (ViFiB does not provide default images but anyone can boot a VM through NBD over IPv6).

Build ChromiumOS

Next, I built ChromiumOS. My favourites sources of information for the build process are:

  • the Acer C720 information page because it provides a more complete overview of what can be done with a typical chromebook - http://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices/acer-c720-chromebook
  • the Toshiba CB30 information page because I use a CB30 - http://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices/toshiba-cb30-chromebook
  • the Quick Start guide - http://www.chromium.org/chromium-os/quick-start-guide
  • the Chromium OS developer guide - http://www.chromium.org/chromium-os/developer-guide
  • the Chromium OS device page to access all other device information - http://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices
  • the list of branches of Chromium OS - https://chromium.googlesource.com/chromiumos/manifest.git/+refs 

I prefer nowadays to follow the Quick Start guide approach, with a small change.

Here is the full list of instructions to build your Chromium OS:

# Install git and some base requirements (once)
sudo aptitude install git-core gitk git-gui subversion curl
# Make sudo more permissive (once, not always required, try first without)
cd /tmp
cat > ./sudo_editor <<EOF
#!/bin/sh
echo Defaults \!tty_tickets > \$1          # Entering your password in one shell affects all shells 
echo Defaults timestamp_timeout=180 >> \$1 # Time between re-requesting your password, in minutes
EOF
chmod +x ./sudo_editor 
sudo EDITOR=./sudo_editor visudo -f /etc/sudoers.d/relax_requirements
# Go to home directory (once)
cd ~
# Download depot tools (once)
git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
# Add depot tools to path
export PATH=`pwd`/depot_tools:"$PATH"
# Make directory for branch "r40" of Chromium OS
mkdir r40
# Download files for branch "release-R40-6457.B" (latest stable branch as of today)
repo init -u https://chromium.googlesource.com/chromiumos/manifest.git -b release-R40-6457.B
repo sync
# Set the traget to build ("leon" in case of Toshiba CB30)
export BOARD=leon
# Build packages 
cros_sdk -- ./build_packages --board=${BOARD}
# Add a bit of privacy by extending /etc/hosts
wget http://www.nexedi.com/NXD-Host.File.Chinamode/Base_download -o hosts.chinamode
cat hosts.chinamode | sudo tee -a chroot/build/${BOARD}/etc/hosts
# Build image
cros_sdk -- ./build_image --board=${BOARD}
# Create an empty 2GB image
qemu-img create -f raw leon.img 2G
# And write to it
cros flash file://~/r40/leon.img src/build/image/leon/latest

I have now built an image of Chromium OS that I can download from the VM and flash on any USB key or SD card using dd.

Setting the Chromebook in developer mode

I should now set my Chromebook to developer mode. Each device uses a different combination of key strokes for this. On Toshiba CB30, hitting at the same time the power button, escape and the "refresh" button brings to a dialog that asks whether the Chromebook should enter developer mode. Read the documentation of your device to know which key strokes bring to developer mode (http://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices)

Preparing for USB installation

In order to get ready to boot on USB, I get a shell by either via VT2 (Ctrl+Alt+F2) and logging in as root or by logging in as a user (or guest mode), starting a "crosh" shell with Ctrl+Alt+t, and typing "shell". 

Now run

sudo crossystem dev_boot_usb=1

This will enable USB booting on your chromebook. Then:

sudo reboot

to reboot.

Booting the USB image

I then plugged a USB stick or SD card in and on the scary "OS Verification is OFF" screen hit Ctrl+u to boot from external media. If needed, I try a couple of times, wait one minute and try again Ctrl+u

If it still does not go well, I switch back to normal mode and back to developer mode (incl. enabling USB boot). This sometimes makes USB boot work when it does not work the first time.

If it still does not go well, I reset the chromebook with the factory image and switch it again to developer mode (see https://support.google.com/chromebook/answer/6002417 to learn how to create a factory image).

At this stage, either the USB image is wrong or the Chromebook should boot on Chromium OS.

Test guest mode

When the login appears, I do not try to use any google account. In general, refrain from logging into any site that is not trustable in terms of privacy. The idea at this stage is to make sure that my Chromebook does not get tainted by accessing Google sites.

This is why I now only use the guest mode of ChromiumOS. This mode requires no login, has no bookmarks and no browsing history. When the user quits, all data is washed out (except data stored on external media). It is a nice solution to erase one's traces frequently.

I try a couple sites, I try HTML5 videos (webm or theora, not mp4 nor flash).

If the test is successful, I go to the next step.

Flash ChromiumOS

I open a shell using the same procedure as previously. Then I type:

/usr/sbin/chromeos-install

After saying yes to the question, I can reboot a fully open source Chromium OS book.These days, I can do the whole process in less than 10 minutes once the image has been built.

Developing

I use crouton (https://github.com/dnschneid/crouton) to create an encrypted USB key (USB 3.0, high performance) with a Debian distribution chroot. Crouton is a tool that simplifies the installation of a GNU/Linux distribution in parallel to Chromium OS. It can be very useful for example to support legacy software using a light desktop environment such as XFCE. It is also useful to run a set of services in parallel to Chromium OS. It could even possibly be used to recompile Chromium OS on a Chromebook (I tried to do it but did not succeed yet). 

I like very much crouton's native encryption and the nice scripts that help sharing the Chromium OS files with the chroot environment. Files that have been downloaded with Chromium OS can be opened in XFCE with Libreoffice quite easily. This pleasant integration helped me a lot during the transition from a traditional desktop to a pure Web based desktop. 

I also use this chroot environment to install re6st (resilient IPv6 access) and SlapOS (distributed mesh clould). With re6st, I get a bunch of global IPv6 addresses on my Chromebook. This is useful for peer-to-peer comunication within our company, or to use a Chromebook as a personal server. With SlapOS, I get a full Platform as a Service (PaaS) running locally on my Chromebook. Even offline, I can do Web based development thanks to SlapOS's Web Runner application.

I also used SlapOS on a Chromebook to demonstrate how SlapOS cloud could run a small web server inside an airplane between Paris and Tokyo (https://groups.google.com/forum/#!topic/mozilla.dev.decentralization/9R_oWxvfBmY) and provide connectivity to it to the world. If you can connect to the web site http://jal046.erp5.cn/, you are actually connecting to my chromebook.

Better Privacy

The kind of privacy I am looking for, is a desktop environment that can not be used too easily by another party or by a viruses to steal all my passwords or certificates and possibly access all data of our company. Chromium OS in guest mode seems to be a good start since it erases all traces of the user after... every crash of the Chromium browser (about once a week, which pretty reliable compared to the same Chromium on my Ubuntu 14.10 laptop). Still, I need to use some tools that are not available in Chromium OS or even on a GNU/Linux distribution.

Smartphone

I thus split my IT in two parts: smartphone (dirty) and customized chromebook (clean). I use my smartphone as a "normal" person in order - hopefully - not to create too many signs that will attract attention and then intrusion. Everything in my smartphone is considered as a source of intrusion: social networks, chat, email, telecommunication data channel, etc. Even the mobile versions of our corporate applications are considered as dirty since the  telecommunication data channel or SS7 network of a smartphone is an easy source of intrusion that can bypass the smartphone operating system. Our corporate applications are thus designed to include some access limitation since there is no way to eliminate traces in a smartphone.

/etc/hosts

Our approach for privacy is to first deactivate Web sites such as Google since they try to "save" user passwords that we use to log into other sites. Google also has the ability to keep a browsing history of the user either through access to the Chromium browser internals or indirectly through advertising.

A first list of such web sites is being built under the name "China GFW Emulation". It will be further extended in the future to include similar sites in China (ex. Baidu) and other countries. This step is achieved by adding one line to the normal build process:

# Build packages 
cros_sdk -- ./build_packages --board=${BOARD}
# Add a bit of privacy by extending /etc/hosts
wget http://www.nexedi.com/NXD-Host.File.Chinamode/Base_download -o hosts.chinamode
cat hosts.chinamode | sudo tee -a chroot/build/${BOARD}/etc/hosts
# Build image
cros_sdk -- ./build_image --board=${BOARD}

Roadmap

The next steps for better privacy include:

  • configuring another default search engine (duckduckgo)
  • configure different default page (officejs.com
  • making sure that our image is not unique (amiunique.org)
  • create an online build system (based on SlapOS)
  • adding re6stnet network connectivity
  • add self signed X509 master certificate
  • add ability to include extensions
  • add support for JIO persistent storage on encrypted USB key 
  • add another browser as option

I would also like to include some extra features:

Last, I would be even happier if all BLOBs could be removed. Most GNU/Linux distributions include BLOBs as part of the Linux kernel. Chromium OS is neither worse nor better from this point of view. The Intel based wifi driver relies on .ucode BLOB files located in /lib/firmware. The coreboot fork that is used on Intel device includes at least 2 BLOBs provided by Intel. Both are required to bootstrap the system. Even though this situation is not perfect in terms of software freedom, I find it still better than using a fully proprietary BIOS that I can not change or debug. 

Conclusion

If you sincerely wants to support open source, then you should purchase chromebooks rather than laptops with proprietary BIOS and proprietary OS. Chromebooks are the only device that gets close enough to a Free laptop - such as Lemote Yeelong -  and that are mass distributed worldwide. They contribute to the decrease of Windows sales statistics And for "friends and family", Chromebooks and Google Drive are just as awfully intrusive as anything else for privacy (iCloud, OneDrive, Baidu, etc.) but they are at least cheaper and will take you less time for to support. This will give you more time in the end to write Free Software that can eventually outperform Google Drive, iCloud, OneDrive, Baidu, etc. It will also force you to learn browser based Javascript programming, which is a good thing to boost the audience of Free Software beyond its current narrow circle of backend server engineers.

Privacy is a long term utopia that can be approached in a company by simplifying the client side of IT (individuals) and by improving the monitoring of the server side (shared). If the client side contains little or no data, it can be washed out every month. If the simplest intrusion points are eliminated (currently the google "password save" feature, the shared bookmarks and the history), then Chromium OS can be a good base to start this the quest for full privacy. Due to proliferation of government intrusion tools in criminal organisations and because of its centralized corporate nature, Google is actually facing more security challenges than anybody else. This leads Google corporation to care seriously about the security of Chromium browser and share some of the concerns that Free Software users have in terms of Cloud security. 

For privacy, it is also essential to maintain an anonymous way to purchase hardware: cash and carry. Sadly, in some countries (ex. France), mass distribution of Chromebooks has ceased while in others (ex. Japan), it just started. Let us hope that someone will create a distribution channel with physical outlets in countries where it still does not or no longer exist.

Notes

FSFE has a couple of nice articles on the same topic: 

It is really nice that FSFE acknowledges through such articles that Chromebooks are among the closest device to a Free laptop. FSFE demonstrates its ability to differentiate Google cloud services (awfully proprietary) from Chromium OS device (beautifully open compared to other mass distribution device). 

I also wrote an article about the good things to learn from Chromium OS and how they help understanding modern Web. If you believe that using vi (or emacs, or nano) on a laptop with a proprietary BIOS and Flash or Skype support makes you a real Free Software developer, then this article is for you. 

Contact

  • Photo Rafael Monnerat
  • Logo Nexedi
  • Rafael Monnerat
  • rafael (at) nexedi (dot) com
  • 2
  • Photo Jean-Paul Smets
  • Jean-Paul Smets
  • jp (at) nexedi (dot) com
  • Jean-Paul Smets is the founder and CEO of Nexedi. After graduating in mathematics and computer science at ENS (Paris), he started his career as a civil servant at the French Ministry of Economy. He then left government to start a small company called “Nexedi” where he developed his first Free Software, an Enterprise Resource Planning (ERP) designed to manage the production of swimsuits in the not-so-warm but friendly north of France. ERP5 was born. In parallel, he led with Hartmut Pilch (FFII) the successful campaign to protect software innovation against the dangers of software patents. The campaign eventually succeeeded by rallying more than 100.000 supporters and thousands of CEOs of European software companies (both open source and proprietary). The Proposed directive on the patentability of computer-implemented inventions was rejected on 6 July 2005 by the European Parliament by an overwhelming majority of 648 to 14 votes, showing how small companies can together in Europe defeat the powerful lobbying of large corporations. Since then, he has helped Nexedi to grow either organically or by investing in new ventures led by bright entrepreneurs.