Comments upon comments ignorant of the realities of the privacy laws governing this domain and the implications on firmware, driver and OS security support. “Just install Linux on it” is a completely unworkable solution. As some have pointed out, the places where this is done have a much thicker IT departments staffed with higher grade professionals to make it work. The thing to be mad here about is the shit support from vendors across the stack. If I had to guess, the worst offenders are probably the SoC vendors who typically ship firmware and driver updates as is the tradition.
I mean, even if just installing a different OS were an option, you’d need to install and setup that OS on a few hundred computers or more. I used to work for a place that would essentially do the enterprise enrollment in bulk before shipping off the computers to schools. I could only setup a bit under 100 over an 8 hour workday, assuming no major issues (like captchas on the login step, or the wifi going out). Keep in mind that we also had specialized little microcontroller* USBs specifically for doing all the enrollment keypresses, and enough of those for someone to setup multiple computers at once.
I am actually curious as to how you would make a locked down managed linux OS akin to ChromeOS. Maybe there would be a way to do something like that that’s also faster to setup, but idk.
That’s exactly the problem. The standard GNU/Linux distro isn’t suitable to allow carrying the responsibility that an innumerable number of users with physical access won’t be able to pwn those machines. Machines that are used by others too. You absolutely can make an OS like that out of Debian or Ubuntu, or what have you. Google has - Chrome OS - but it’ll take a significant development effort. You’d have to basically redo at least some of the work they’ve done. And let’s say you did all of that. Then you end up deploying it on an ARM-based fleet. And there’s a wild vulnerability in the WiFi firmware blob, and the SoC vendor no longer supports it. Every student has root and we’re back to the original problem. 👨🚀🔫
And that’s why instead of getting hardware from a vendor and hoping for the best, you might want to get it in writing that they’ll support their crap till a date. Then you stamp that as the EOL date for that laptop and you present it as part of the spec to whoever might want to buy this laptop. There’s no escaping this problem unless there are no proprietary blobs on the system, which is unlikely for ARM, or you have a solid development team and you’re large enough to have a source sharing contract with the vendor that lets your team fix the vulnerabilities and support the hardware for as long as you like. It’s probably much easier to achieve on x86.
Yeah, bulk imaging computers is really only limited to how many you can hook up to the network. I used to have to image hundreds of computers a day at times, and really the longest part was walking around and restarting them all so they’d PXE boot. The actual process maybe took 2 hours since all the computers were on 100Mb/s connections.
I converted one of these Chromebooks to Linux as a test project and the results were, not good.
To start, they have a bootloader lock screw under the motherboard, so you have to take the entire laptop apart to load anything but unsupported ChromeOS.
Then you have to use a Google tool, can’t remember the specific one, to swap the bootloader. That might be possible to automate but I didn’t look into it because…
… The hardware sucks. We’re talking like 4GB of storage on a lot of these Chromebooks. The driver support is all over the place, and there are issues everywhere even on “supported” distros.
With the vast amount of junk Chromebooks out there, I’m sure community hospice support will get better, but it’s never going to be an easy bulk conversion because of how common the bootloader locks are.
Comments upon comments ignorant of the realities of the privacy laws governing this domain and the implications on firmware, driver and OS security support. “Just install Linux on it” is a completely unworkable solution. As some have pointed out, the places where this is done have a much thicker IT departments staffed with higher grade professionals to make it work. The thing to be mad here about is the shit support from vendors across the stack. If I had to guess, the worst offenders are probably the SoC vendors who typically ship firmware and driver updates as is the tradition.
I mean, even if just installing a different OS were an option, you’d need to install and setup that OS on a few hundred computers or more. I used to work for a place that would essentially do the enterprise enrollment in bulk before shipping off the computers to schools. I could only setup a bit under 100 over an 8 hour workday, assuming no major issues (like captchas on the login step, or the wifi going out). Keep in mind that we also had specialized little microcontroller* USBs specifically for doing all the enrollment keypresses, and enough of those for someone to setup multiple computers at once.
I am actually curious as to how you would make a locked down managed linux OS akin to ChromeOS. Maybe there would be a way to do something like that that’s also faster to setup, but idk.
*centipedes are the name for the ones we used.
That’s exactly the problem. The standard GNU/Linux distro isn’t suitable to allow carrying the responsibility that an innumerable number of users with physical access won’t be able to pwn those machines. Machines that are used by others too. You absolutely can make an OS like that out of Debian or Ubuntu, or what have you. Google has - Chrome OS - but it’ll take a significant development effort. You’d have to basically redo at least some of the work they’ve done. And let’s say you did all of that. Then you end up deploying it on an ARM-based fleet. And there’s a wild vulnerability in the WiFi firmware blob, and the SoC vendor no longer supports it. Every student has root and we’re back to the original problem. 👨🚀🔫
And that’s why instead of getting hardware from a vendor and hoping for the best, you might want to get it in writing that they’ll support their crap till a date. Then you stamp that as the EOL date for that laptop and you present it as part of the spec to whoever might want to buy this laptop. There’s no escaping this problem unless there are no proprietary blobs on the system, which is unlikely for ARM, or you have a solid development team and you’re large enough to have a source sharing contract with the vendor that lets your team fix the vulnerabilities and support the hardware for as long as you like. It’s probably much easier to achieve on x86.
Thank you for sharing your experience along with that link.
Because Linus Torvalds stupidly refused to change the Linux license to GPL3.
What difference would the kernel licence make in this context?
Yeah, bulk imaging computers is really only limited to how many you can hook up to the network. I used to have to image hundreds of computers a day at times, and really the longest part was walking around and restarting them all so they’d PXE boot. The actual process maybe took 2 hours since all the computers were on 100Mb/s connections.
I converted one of these Chromebooks to Linux as a test project and the results were, not good.
To start, they have a bootloader lock screw under the motherboard, so you have to take the entire laptop apart to load anything but unsupported ChromeOS.
Then you have to use a Google tool, can’t remember the specific one, to swap the bootloader. That might be possible to automate but I didn’t look into it because…
… The hardware sucks. We’re talking like 4GB of storage on a lot of these Chromebooks. The driver support is all over the place, and there are issues everywhere even on “supported” distros.
With the vast amount of junk Chromebooks out there, I’m sure community hospice support will get better, but it’s never going to be an easy bulk conversion because of how common the bootloader locks are.