FSF increases focus on firmware

The Free Software Foundation has updated their list of Campaigns, which includes mention of reversing firmware, and a blob-free version of Coreboot:

[…]
Reverse engineering projects.
We haven’t analyzed these in detail yet, but more broadly free drivers and free firmware (the goals of nearly all of the listed projects) have all four of our characteristics. Reverse engineering is one way to obtain free drivers and firmware, but the ideal is for manufacturers to publish full specifications and ship free drivers and free firmware, and this is what users should demand. We may want to reframe this page around free drivers, firmware, and hardware designs, noting priority reverse engineering tasks, but also encouraging users to make requests to vendors. The page also lists Replicant, a free version of Android. Phone operating systems were one of the most popular suggestions and merit their own entry (see potential additions below).

[…]
Coreboot.
A free BIOS has at least the universal and frontier characteristics. Several people suggested adding “and Libreboot,” the project to ship a version of Coreboot with no blobs, pushing further in the frontier direction. We intend to take this suggestion. We are also discussing whether to move this listing to the reframed page about free drivers, firmware, and hardware designs mentioned above.
[…]
Free software drivers for network routers.
The text of this listing concerns mesh networking, which may be too narrow to satisfy our criteria. In general free drivers for network routers probably meet the universal and frontier criteria, but it may make sense to fold this listing into a listing/page concerning free drivers and firmware for a large category of hardware (see reverse engineering above).
[…]

https://www.fsf.org/campaigns/priority-projects/changelog
https://media.libreplanet.org/u/libreplanet/m/the-state-of-free-revising-the-high-priority-projects-list/
https://www.fsf.org/blogs/community/a-preliminary-analysis-of-high-priority-projects-feedback

 

FSF RYF hardware cert program update

For a while now, the Free Software Foundation has had its RYF (Respects Your Freedom) hardware certification program. Companies send samples of their product to the FSF for testing. If it passes muster, the company is able to use the FSF RYF certification mark. The FSF presumes that people need not fully understand technology, and can instead trust the FSF and this certification mark, and know that this research has been done for them. This year, they’ve certified 6 new devices, half of which are legacy retrofitted hardware and half of which are new devices:

“The RYF certification program is one of the most important parts of the FSF’s work — and one of the most promising and successful parts. Since announcing our first RYF-certified product in October 2012 (the LulzBot AO-100 3D printer), we have certified a total of eighteen different hardware devices sold by five different companies. In 2015 alone we awarded RYF certification to six new devices:

* 3 laptops: Libreboot X200 and T400 from Minifree, and the Taurinus X200 from Libiquity.
* 2 3D-printers: The LulzBot TAZ 5 and the LulzBot Mini by Aleph Objects.
* 1 wireless router: The Free Software Wireless-N Mini Router (TPE-R1100) sold by ThinkPenguin.”

https://www.fsf.org/blogs/licensing/hardware-we-certified-in-2015-to-respect-your-freedom
https://www.fsf.org/ryf
https://www.fsf.org/resources/hw/endorsement/criteria
https://my.fsf.org/donate/?pk_campaign=2015-appeal&pk_kwd=ryf
https://my.fsf.org/join?pk_campaign=2015-appeal&pk_kwd=ryf

Bluntly, I really don’t understand why the FSF isn’t doing more to push crowdfunding of their “Free Hardware”, or even mentioning their Free Hardware concept in the RYF hardware program, or giving presentations at Embedded Linux Conference and elsewhere to discuss this with OEMs, and not helping any of the open architecture designs (GPL’ed OpenRISC, BSD LowRISC/RISC-V, etc.), or mentioning available and up-and-coming devices (e.g., Inverse Path’s USB Armory, Olimex’s OSH ARM64 laptop, some of the new devices that can run Libreboot w/o blobs, etc.). I was hoping for more when RMS blessed CrowdSupply.com as a funding source for GPL hardware… It looks like the best we can hope for is the above RYF Donate button. 😦

Replicant on mobile device security

The Replicant project is a Free Software-specific fork of Android, which focuses on users’ freedoms, and privacy/security. They try to get Android running without any firmware- or OS-level “blobs”, which gives them technical perspectives that most don’t have. They have a document which gives a decent introduction to mobile device security, including hardware, firmware, OS, and app issues, as well as the security issues of mobile baseband chips. The advice is focused on someone using Replicant, but the app advice is applicable to most Android users.

More Information:

http://www.replicant.us/freedom-privacy-security-issues.php

RMS on Free Hardware from LibrePlanet 2015

The Free Software Foundation has released some of the videos from LibrePlanet 2015. The presentation from RMS is described as:

Free software, free hardware, and other things by Richard Stallman, founder of the Free Software Foundation. Richard gives his take on some major issues facing the world of free software and explains how the free software philosophy extends to hardware.

It is a 45-minute video: the first 23 minutes are the presentation, and the remainder is Q&A. The video is here:
https://media.libreplanet.org/u/libreplanet/m/richard-stallman-free-software-free-hardware/

I have a few questions of my own, from watching it:

At the beginning, he mentions that remote attestation of TPM doesn’t work, without any details on why he thinks that. I don’t understand what he’s talking about; there are multiple TNC implementations, as well as non-TNC equivalent solutions that use TPM for network attestation. Linux-based Chrome OS, StrongSwan for Linux, Linux-IMA or OpenAttestation (OAT), for example.
If someone has more background on his perspective that remote attestation of TPM doesn’t work, please speak up. Heck, even the UEFI firmware on most modern systems has TNC support. IMO, it would have been more interesting to hear a discussion about new TPM 2.0 features, as well as TrustZone on ARM, and how that impacts various Free Software/Firmware/Hardware movements.
https://github.com/OpenAttestation/OpenAttestation/wiki
https://wiki.strongswan.org/projects/strongswan/wiki/TrustedNetworkConnect
http://linux-ima.sourceforge.net/

Later, he talks about the “Free Hardware” term, which AFAICT isn’t that well-defined, and recommends using GPLv3 for hardware, and doesn’t mention the OSHWA license, except to say that the alternatives offer no value. I am not sure that the existing OSHWA has the same opinion as RMS with his “Free Hardware” perspective; see the March-April thread on the OSHWA list. IMO, Free Hardware -vs- Open Hardware needs some clarification. I guess, like with software, we’ll have the Open camps and the Free camp, with FSF as the Free owner and OSHWA instead of OSI for the Open camps, in addition to the Closed camps. However, unlike ISVs, I’ve never met an OEM or IHV that likes the GPL, so any Free Hardware will likely have to be community-funded, like Novena; I hope the FSF plans community-funded Free Hardware in the coming months.
https://www.fsf.org/bulletin/2012/fall/a-bit-about-free-hardware
http://www.wired.com/2015/03/need-free-digital-hardware-designs/
http://www.wired.com/2015/03/richard-stallman-how-to-make-hardware-designs-free/
http://lists.oshwa.org/pipermail/discuss/2015-March/thread.html
https://www.crowdsupply.com/kosagi/novena