Insurgo Privacy Beast X230 - Still Available?

NLnet is a Dutch non-profit that was previously an ISP. It is a European Non-Profit.

Canada is a completely different country. Can you explain how much funding you have received and from where please.

What funding have you received from “Canada” and from which NPO, or Academic institution, or government institution?

1 Like

I already said NLnet @xian_hufeng. NLnet requires plan proposition, concours, first round selection and then acceptation. MoU agreement on tasks, open source planned deliverables, and payout is on proof of work. Delay between application and acceptation takes months. Payout upon delivered proof of work requires evaluation, inspection and acceptation. This also can take months between time work began and is finished, and some more once proof of work is provided, accepted and payment is sent and received.

I provided links with thorough information and named NLnet already. NLnet accepts some foreign grant applications if outcome helps EU one way or the other. I was lucky to receive their funding for three rounds up to now, but the overhead is still present and not negligible even if they do an amazing job reducing frictions to bare minimum.
The problem for most niche open source projects, in my opinion, is to get understanding from users/community that the work accomplished is not necessarily properly funded and requires from the maintainer to sometimes do way too many sacrifices for their users. I’m now obeying open source laws: no work outside of maintenance is done without issues being tracked, planning on deliverables and feature freeze and enticing other contributors to fix their own itches, otherwise pay for the features they desire. That’s how it should work.

Profit is needed to reinvest, have employees etc, otherwise I want to be employed as well to not have that burden on my sole shoulders. I fast paced development of Heads between 2018-2022 from PrivacyBeast sales, continued research and development with NLnet funding up to 2024, and now contribute/maintain to Heads as much as I can from free time by lack of stable income channels/employment until there is an employment offer for me to continue my work under a proper organization. Until then, I continue my work the best I can to maintain Heads and welcome consultation services for additional feature requests otherwise fixing bugs reported over GitHub.

Laptops sold by Nitrokey / Novacustom with coreboot+Heads give me a small portion of the subscription fee for maintenance of Heads.

Purism contributed back in code in a really significant and periodic manner in the past. Git history should answer your questions on past contributors, frequency and even number of lines of code changed across the years. This is what open source means.

Official vendors of Heads: Heads Vendors and Resellers | Heads - Wiki

Donations, as pointed per QR code of each laptop booting upstream Heads: Insurgo Initiative - Open Collective

3 Likes

@shantyspruce your recommendations have value.

They should be searched under GitHub and commented open issues and/or have code review upon PR.

Interestingly, most of the things you point here have either issues or proof of concept code in PR for people to test and review. Even under kvm/qemu without needing additional hardware.

2 Likes

How much funding are you getting and how many people are working on this.

The original concept is a cyber security startup with open source boot firmware which is verifiable at each stage of the boot, and can be signed with GPG key for specific user.

The part with the read only fuses is still confusing. How can you tell if Coreboot/Libreboot .rom files are not maliciously modified.

Heads can return boot .rom file hash for comparison on Heads website?

How much funding did you get, how many employees, how much revenue, how much net income?

1 Like

@xian_hufeng will you click provided links? NLnet provides maximum grants of 50000E. People involved in each of those projects are named, links provided to proof of work. As you can see if you click those links, you will fast understand that none of those projects actually paid me a lot in proportion, because other’s work were needed prior of mine doing my part upon their work, which I needed and why I applied for grant because Insurgo needed it (it went to whonix, qubesos and 3mdeb, not me even though I applied for grant: for others!) Lots of management, following up, testing etc. prior of being merged there.

I don’t understand your repetitive questions. If you’re asking me how much money I received for those projects, I will simply say not enough to rely on it and pay more than rent. Not talking about buying a house or a car here. I had hopes that with time and proper energy investment, my efforts would pay off to live from my research and development work. Time tells I should work under employment and getting grant money for research, and be paid by employment for Maintainership. But not wear all the hats at once.

2 Likes

How many people in this project and who is the CEO?

How many months of delay?

Why did you choose Canada as head office?

So 50,000 EUR x 3 rounds = E150,000 total? How many years spent on this project? How many employees, how much in annual salary?

Where is head office located? What are annual expenses?

I see $30,000 raised from crowd sourcing also.

So more like ~$240,000 CAD in total for a cyber security startup receiving both non-profit, crowd sourced and net income from sale of Insurgo X230.

You haven’t divulged net income from sale of your product.

Financial math is opaque to say the least. Try to get that right first.

1 Like

Insurgo does not operate anymore. I’m tlaurion, maintainer and main developer of Heads. There is no CEO. There is the open source project, and then users of this project and partnerships through Dasharo subscriptions for firmware support through coreboot+heads releases. 3mdeb develops and maintains coreboot port, coreboot upstream maintains coreboot and I maintain Heads.

Dasharo coreboot+heads has tested releases. OEM sponsors development of additionally needed features needed for their deployment and their user use cases.

There is Pureboot fork from Purism which is their coreboot fork + upstream Heads + rebranding and configurations specific for Librems and shipped with their laptops. Lots of collaboration happened with Purism over the years back and forth.

There is no big corp behind Heads. Heads is a collaborative project since 2016, is a linuxboot implementation improved by collaborators’ contributions over the years.

You could be one of those users, then one of its collaborators, contributors, sponsors or donors today.

2 Likes

“Open source project” can you explain what this term really means?

Purism is a US corporation with a code base that is “upstream” meaning Heads receives “downstream” code updates right?

Dasharo is a Polish headquartered corporation that maintains a coreboot port, coreboot “upstream” and coreboot for different motherboards and CPU architectures.

Tlaurion maintains the Heads codebase.

How many lines of code are we talking about here? How many people?

Purism and 3mdeb are corporations with employees and their own funding and corporate structures?

The Open source project, what does this really mean? Released under MIT license? Apache License?

The Insurgo Project is a hybrid open and closed source project in reality, because BOTH closed and open source hardware, firmware/microcode, software are present.

The objective is to have a completely open source firmware, microcode, Hypervisor (Xen-QubesOS), Browser security (Whonix), which is verifiable and measured from boot.

You have a HYBRID open/closed source project with funding from

→ Sales
→ Crowd sourcing
→ Subscriptions
→ Government grants (Non-Profit)

You have raised in or around $240,000 CAD, not including sales income.

This project needs more financial clarity, although I support the concept and the desired goal of having completely open source and transparent computing which is secure and verifiable down to the CPU microcode, firmware hypervisor/OS, application level.

The question remains. Who are the financial and technical beneficiaries of the Insurgo, Heads projects? Who benefits from this work?

Who created Coreboot and Libreboot? Are they still maintaining the codebase?

How are they themselves funded?

How much net income is Purism, 3mdeb earning off the Insurgo/Heads “open source” project?

To me it looks like the EU (via NLnet, Netherlands) is the main beneficiary of this work, along with Purism (USA), 3mdeb (Poland).

How much revenue has been generated by these projects? How many employees? How much in salaries? Head offices USA, Poland right?

Thierry you should be able to maintain your website and inventory.

You should make another grant application if that’s not the case, or hire somebody to do the application for you.

This project is technically complex and also needs support staff.

You should setup and disclose a royalty % from Purism and 3mdeb for revenues they are making to properly fund your website, technical support, engineering time.

USA and Poland are pilfering Canadian time and expertise in this relationship.

1 Like

@xian_hufeng in Accessible Security project, part of this funding paid for initial steps of coreboot port of Talos II. That was the goal of having real open compute. That project took years to propel, support under Heads, with most of Insurgo profits being reinjected in that port cost, paying employees of Insurgo startup growing.

There was kgpe-d16, which has had its losses as well and now 8 years later gets back attention. Timing is everything. I seemed to miss that important fact.

Producing hardware is out of reach unless you are already ODM. Clevo being one of them.

Coreboot ports are either developed after hardware is released and sold (which also means you have to buy lots of a platform to not have bootguard fused at factory) to then develop coreboot and then make Heads work on it and abstracting hardware.

The problem is having real open hardware. Yes.

As links can show, Accessible Security had no money flow directed at me. Authenticated Heads money flow went at me for the reproducible parts (nix R&D to produce and reuse nix based docker image with all needed there to build dev debug), and the workflow to have qemu/kvm dev cycle support in completely virtualized environment. Outside of that, not much went my way but to partners that were filed to do the work. I cannot disclose those numbers publicly. As for donations, it’s Opencollective and you can follow the money yourself. I try to get money through this channel exactly for these transparency reasons.

While operating Insurgo, problem was scaling up while continuing research and development. Most of the income went into paying for coreboot port of Talos_2 in the dream of having real open compute one day with Qubesos support. We succeeded coreboot +heads support. But cost of acquisition of hardware just went up, not down as expected. Raptor was supposed to speed up port of Xen, which stalled.
Prices of acquisition of platform went up, not down. Nobody owns a talos II and those who do are happy with openpower “open source” firmware. Interest from community never happened. Coreboot port offering was never offered by raptor. Bleh.

Qubesos support can only happen with strong user base justifying another arch to be supported and maintained. So going back to Intel and Amd x86 support for now. Risc-V improves but not yet ready to support qubesos use case nor justify time of research and development for Xen and whole packaging and new arch support. Same for Arm. Stalled for now.

I did my part doing PoC, support platforms that were good candidates. Pushed for kgpe-d16, moved profits from me to Power9/talos_2. Contributions/sponsoring drive the platform enablement under Heads. But yet again, those platforms need to be supported by coreboot to be ported. Otherwise linuxboot needs work to support UEFI based hardware (blobs, microcode, bootguard, enabled ME, sinit, ACM, FSP, etc) on which most dxe can be removed to be replaced with Linux payload. Needs R&D but we are there, I think, outside of idealism: harm reduction on newer platforms.

Everything is possible with proper collaboration toward a common goal. But I got tired and a bit burned out of sufficient returns of investment in time, code, support and energy.

You can contact me privately if you want to continue this discussion.

The end of this thread should be: the x230 is now 13 years old. The PrivacyBeast is not sold since end of 2022. Nitrokey continues to sell the x230, Nitrokey and other vendors sell Heads on newer laptops with coreboot flashed without Bootguard being fused at ODM manufacturing time. Waiting on the world to change.

But open for tighter collaboration if you are a serious employer. Linuxboot could change the world. It is used everywhere hyperscalers on top of UEFI (Google, ByteDance, Netflix, Azure etc) with secret sauce made in house to dxecleaner and hundreds of hours removing unnecessary bloated hardware instead of working toward completely free platforms where OCP leads the way for them (hyperscalers). If we want open compute to be democratized, we need to work tighter. That’s all I’m saying.

Insurgo won’t sell hardware. I’m happy others do that part. I’ve done it, know how much work is needed there up to support users directly. There is still need to simplify things further, which funding/sponsoring would resolve.

I’m just unsure b2c will get enough funding to resolve the ecosystem problems anymore. Unless proven otherwise.

4 Likes

What makes Nitrokey able to stay in business? How are they financed?

There are already RISC-V boards, look at Milk-V, and Deep Computing, both Hong Kong companies.

Nitrokey is Germany based, how are they funded?

POWER is too expensive to consumer anyways. For academic, corp only.

Intel/AMD, with neutered IntelME/PSP and RISC-V.

How to tell if hardware is unfused?

Why is Purism, 3mdeb and Nitrokey so special?

Thierry please seek funding sources here:

Not very happy with the amount of time money into Insurgo and then the project just caves, kind of scammy.

Can’t get Canadian grants? Corporate partners?

2 Likes

Make a Youtube channel for Insurgo video tutorials and see what it makes.

Try something like that.

State project goals clearly.

Provide video tutorials in both languages for the x230 Insurgo.

Describe Heads project and goals and make video tutorials.

This will generate revenue.

1 Like

Insurgo was org created by me to sell the PrivacyBeast, in the goal of proving QubesOS deserved second hand, reasonably trustworthy hardware to be sold with QubesOS preinstalled. At that time, there was no QubesOS being preinstalled and if it was prior, was not secure (LUKS key backup, intervention possible without tampering detection, etc).

Nitrokey was already selling their Nitrokey Pro, Purism changed Heads attestation with HOTP using their Librem key fork made in USA (hotp_verification project), and them sharing the same firmware for their usb dongle fork made them able to use Heads forks of their own selling their dongles. Insurgo required dongles sold by those two companies, where Insurgo didn’t make any of those dongles themselves. Both Nitrokey and Purism sell other things which hardware they make in house. My learning is that if you do not make hardware yourself, there are limitations you face sourcing, supply chain and refurbishing issues are a thing, and the amount of work needed to fulfill this on top of support, shipping and handling imports exports requires logistics OEM grow at being better. Being a startup requires fast learning which conflicts with research and development if you have too many hats is what I meant.

Then Nitrokey started selling the x230 and then the t430 also certifying with Qubesos (a couple of months after PrivacyBeast was released: see qubesos blog posts for timeline). Insurgo was enforcing an OEM to user re-ownership, which changed the status quo, getting me at Platform security 2018 and propelled me to do all things I’ve done up to today and I’m grateful for that. Nitrokey continued selling refurbished platforms with Heads fork since open source (GPL see licence in project). And added more to their offer over the years. I didn’t see myself compete with them. Decided to focus on R&D and Heads, which the ecosystem depends on.

Novacustom/Nitrokey/Purism sell hardware and support, 3mdeb some hardware but is mostly established into being coreboot developer firm, across other specialized consultation services linked to platform enablement. Purism also develops and maintains coreboot for their platforms.

There was/is collaboration between all of us as said previously. This is not competition anymore, everyone trying to do what they do best in the goal of doing things the most open, secure and usable as possible with available resources.

2 Likes

Which hardware you need to make yourself? Can you list? Need clarity on this point. What hardware are you actually needing?

1 Like

I’m saying if you do not make the hardware, profit margins are low. This is ODM realms, OEM integrate and resells ODM. This is where we lack alternatives today in my opinion. I’m aware of the risc-V platforms, while same reasoning applies. There is a long road ahead before those arch run QubesOS, follow Xen developments and convince users to switch. This will stay niche until proven otherwise.

2 Likes

So Canada needs semiconductor fab? Motherboard fab? you are saying this?

Has no domestic semiconductor, motherboard supply chain?

Can’t source PCBs in Canada. Can’t source CPU/CPU/ROM chips.

Can’t get in Canada?

Need machine?

1 Like

I’m in no position to comment more on semiconductor monopoly and concentration of powers. Looking at progression of risc-V is my current hopes, OpenSIL is changing things a bit outside of psp and microcode.

I just don’t pretend I will alone change what I wanted to change with Openpower (Talos 2) with openpower having lost a lot of feathers and no future current offering from Raptor letting us hope for new emergence of semiconductor that can be inspected with a return to no blobs policy. I don’t pretend I’ll change that. My role is to integrate on top of hardware we have that is not fused anymore. I can only dream things will change, since I have no trust in opacity of current AI hyperscalers with the insights I have on how things are shady out there to get proper performance, caching and personalized answers and accumulation of knowledge happening on the user, targeted ads etc.

I have hope in self hosted services on the rise if people can buy ram still. And keeping an eye on risc-V for blobless platforms. Outside of that, I’m a spectator looking for next platforms I can put my trust in, or take a posture of harm reduction on hardware produced for us, on which I think we don’t have a strong enough voice.

2 Likes

So what is Canada missing to have semiconductor and PCB sovereignty?

Needs to build fabs? PCB manufacturing plants?

Comment away, don’t be shy.

1 Like

I think there is a fundamental that is not enough exposed.

On intel laptops. To get non-fused bootguard (requirements for open source firmware) you need to have money to buy a lot of platforms so ODM does an exception to not fuse at last manufacturing step.

This is what gives us Chromebooks, Novacustom laptops and other laptops we can tinker on. If fused, OEM has keys to sign firmware that your hardware will boot. Can leak such keys. And stop providing firmware, or decide rhythm of releases of such firmware. In other words, fusing bootguard gives the owner of the keys the power over your firmware, and reduces your freedoms if you decide someone else to be the owner of said signing keys. That is the security model that is predominant today. And the forever problem of who owns the key, if not you. And all security concerns that happen, one way, or the other.

That is all for today. Most of those questions already answered in this forum itself, others on GitHub and other scattered places I can’t stop myself responding which is counter productive.

2 Likes

How many you need to buy for unfused boot guard?

Buying from Lenovo?

1 Like

I’m no ODM nor OEM. I only sold second hands laptops myself with all the refurbishing work that it means.

Maybe if you ask at the right place, you will get that intel. I don’t. And I don’t think you will get those people to publicly answer such intel either.

1 Like