Linux Plumbers Conference 2017: audio archives uploaded

Quoting the Phoronix post:
talks range from Linux power management and energy awareness to developments around kernel live patching, NUMA, the state of UEFI support, NVMe, DRM/KMS, and other areas of the Linux kernel.

more on ME Cleaner

I did a brief post on ME Cleaner, found in an article pointed out to me by a reader (i.e., I missed it). Phoronix has a story on ME Cleaner, including a pointer to its hardware/firmware-compatibility page, which I also missed:


Coreboot adds U-Boot as a Payload

Michael Larabel of Phoronix reports that Coreboot now supports U-Boot as another payload option:

Coreboot users have generally relied upon the SeaBIOS or TianoCore payloads for booting up into a Linux distribution, but now a U-Boot payload is supported as another option. Intel-based Chromebooks have long been using U-Boot as a payload for Coreboot while now all of that support is going upstream. A commit today adds U-Boot as a possible payload for x86 systems when configured via the new Kconfig options. The commit by Google’s Martin Roth explains, “Graphics worked in U-Boot correctly by initializing the VBIOS and setting up a console mode. Tested in QEMU and on Minnowboard Max.”

FreeBSD 10.3.beta2’s UEFI changes

Excerpting Phoronix:

Over the past week were some fixes/improvements around FreeBSD’s UEFI support, “The UEFI ZFS loader has been updated to support the latest ZFS Boot Environment (BE) loader menu features” and “The UEFI boot loader received several improvements: /boot/config and /boot.config files now are adhered to, multi device boot support works and command line argument parsing has been added.”

NVIDIA Nouveau Secure Boot

Quoting Michael of Phoronix:

NVIDIA Publishes Nouveau Patches For Secure Boot, Unified Firmware Loading

NVIDIA has released new patches today for helping the open-source Nouveau driver step towards properly supporting the GeForce GTX 900 “Maxwell” graphics cards as well as better supporting Tegra. The first patch series sent out today was authored by NVIDIA’s Alexandre Courbot and provides unified firmware loading functions. He explained, “This patchset centralizes the firmware-loading procedure to one set of functions instead of having each engine load its firmware as it pleases. This helps ensure that all firmware comes from the same place, namely nvidia/chip/. This changes where the firmware is fetched from for falcon/xtensa/bios, but these locations never seemed to have been official anyway. Also for most (all?) chips supported by Nouveau there is corresponding internal firmware, so disruption should be minimal/non-existent. If this assumption is wrong, feel free to drop patches 3-5. At the very least, firmware officially provided by NVIDIA should be looked up using the new functions for consistency.”[…]

Phoronix news

Earlier, I used to post stories I found on Phoronix. But these days that means too many posts; I can’t keep up with Phoronix, so I’m assuming if you care about Linux-based firmware security, you’re also reading Phoronix for their excellent news. For example, here are a few of the recent stories:

Michael makes better use of tags than I do as well:


Linux firmware update

As pointed out on Phoronix, there’s a new blog post by Peter Jones of Red Hat on the status of firmware updates on Linux.

Phoronix has been covering this much better than I have:

fwupd and Linux Vendor Firmware Service

I haven’t been covering LVFS and fwupd much. Luckily, Michael Larabel of Phoronix has been doing a good job. Richard Hughes has built a Firmware Update for GNOME-based Linux systems. Excerpting from some of Richard’s posts, including his asking for help getting word out to vendors to support it:

fwupd is a simple daemon to allow session software to update device firmware on your local machine. It’s designed for desktops, but this project is also usable on phones, tablets and on headless servers. You can either use a GUI software manager like GNOME Software to view and apply updates, the command-line tool or the system D-Bus interface directly.

I’ve spent the last couple of months talking with various Red Hat partners and other OpenHardware vendors that produce firmware updates. These include most of the laptop vendors that you know and love, along with a few more companies making very specialized hardware. We’ve now got a process, fwupd, that is capable of taking the packaged update and applying it to the hardware using various forms of upload mechanism. We’ve got a specification, AppStream, which is used to describe the updates and provide metadata for what firmware updates are available to be installed. What we were missing was to “close the circle” and provide a web service for small and medium size vendors to use to upload new firmware and make it available to Linux users. Microsoft already provides such a thing for vendors to use, and it’s part of the Microsoft Update service. From the vendors I’ve talked to, the majority don’t want to run any tools on their firmware to generate metadata. Most of them don’t even want to commit to hosting the metadata or firmware files in the same place forever, and with a couple of exceptions actually like the Microsoft Update model. I’ve created a simple web service that’s being called Linux Vendor Firmware Service (perhaps not the final name). You can see the site in action here, although it’s not terribly useful or exciting if you’re not a hardware vendor. If you are a vendor that produces firmware and want an access key for the beta site, please let me know. All firmware uploaded will be transferred to the final site, although I’m still waiting to hear back from Red Hat legal about a longer version of the redistribution agreement.

Over the last couple of months I’ve been emailing various tech companies trying to get hold of the right people to implement this. So far the reaction from companies has been enthusiastic and apathetic in equal measures. I’ve had a few vendors testing the process, but I can’t share those names just yet as most companies have been testing with unreleased hardware. This is where you come in. On your Linux computer right now, think about what hardware you own that works in Linux that you know has user-flashable firmware? What about your BIOS, your mouse, or your USB3 hub? Your network card, your RAID card, or your video card? Things I want you to do:

* Find the vendor on the internet, and either raise a support case or send an email. Try and find a technical contact, not just some sales or marketing person
* Tell the vendor that you would like firmware updates when using Linux, and that you’re not able to update the firmware booting to Windows or OS-X
* Tell the vendor that you’re more likely to buy from them again if firmware updates work on Linux
* Inform the vendor about the LVFS project:

At all times I need you to be polite and courteous, after all we’re asking the vendor to spend time (money) on doing something extra for a small fraction of their userbase. Ignoring one email from me is easy, but getting tens or hundreds of support tickets about the same issue is a great way to get an issue escalated up to the people that can actually make changes. So please, spend 15 minutes opening a support ticket or sending an email to a vendor now.

If you know of any vendors, please try to help Richard out with his above request. I hope Richard has contacts at the USB and UEFI trade groups, to directly get word out to their member-vendors.

LibreTrend: new Linux OEM

As reported by Phoronix today, LibreTrend has partnered with Ubuntu Mate to ship systems with Ubuntu Mate pre-installed. LibreTrend is a relatively new Linux OEM; they apparently launched last year in Portugal. LibreTrend joins the ranks of ThinkPenguin, System76, Purism, Novena, and a few others, OEMs that are selling Linux-based systems. Quoting the press release with Ubuntu Mate:

LibreTrend are the designer and manufacturer of the LibreBox, a computer geared towards providing a complete “out of the box” Linux experience, with a heavy focus on hardware compatibility. All the hardware in the LibreBox is Free Software friendly and 100% supported by “blobless” Linux drivers.

The hardware behind this first LibreBox is based on the Intel 1037U Dual Core CPU. I’m not sure what firmware the LibreBox uses. I presume stock BIOS, not coreboot or UEFI.

Again, I don’t know what LibreTrend is doing with their firmware. Most Linux OEMs are merely taking commodity hardware made for Windows PCs, with stock BIOS, many blobs, fairly insecure compared to UEFI. (Novena is an exception, they’ve crowdsourced new Open Hardware development, and don’t use BIOS. Purism may also be exceptional, but I’ve yet to see specifics of what firmware they’re using.) Most other Linux OEMs are not exceptional w/r/t firmware, and could be improved by using Intel FSP and coreboot, something that Sage Engineering, an open source BIOS vendor, does. That’d be more Open Source firmware (mostly Free Software-based) and fewer blobs than the default BIOS, which their Linux user audience would presumably prefer. Or they could ship a UEFI and get the additional security that Secure Boot brings to the OS; to help with their Linux user audience further, they could remove the Microsoft certs, something they could do as an OEM, or if they worked with their BIOS vendor. Intel and SuSE showed how to have a Microsoft key-free Linux system back at IDF 2013, yet AFAIK no OEM is selling hardware like this to the Linux community. Most Linux OEMs need to improve the firmware of their products.

I’m happy to see LibreTrend selling hardware with Free Software pre-installed, focusing on blobs at the Linux driver level. I hope they start building Open Hardware and use something beyond COTS BIOS, in future models, and also focus on blobs at the firmware level.

coreboot gets Rockchip ‘Veyron Shark’ support

As reported today by Michael Larabel at Phoronix, coreboot recently got support for the Rockchip ‘Veyron Shark’ ARM SoC, used for Chromebook/Chromebox, with code from Google and Rockchip.

To quote Phoronix:

“Julius Werner of Google’s Chromium team added the Veyron Shark mainboard into Coreboot Git. Shark in turn is based off a copy of the Coreboot code for Veyron Speedy. Some of the code comes from Google while the rest is from Rockchip Inc. Rockchip’s latest chip series is the RK33xx that is based on an octa-core Cortex-A53 design with a GPU supporting OpenGL ES 3.1 and capable of HDMI 2.0 and 4Kx2K @ 60 FPS H.264/H.265 real-time video playback.”

Neither Rockchip nor coreboot considered this newsworthy; there was no press release. I’m grateful that Phoronix has such an efficient news gathering system, especially for tracking new features in coreboot.

Two Linux firmware articles

1) Linux Vendor Firmware Service launches

In a Phoronix article today, Michael Larabel reports that the new Linux Vendor Firmware Service (LVFS) has been announced.

“This site provides a place for hardware vendors to submit packaged firmware updates, typically .cab files. This fire-and-forget service allows vendors to submit firmware updates without generating and hosting AppStream metadata themselves.”

2) Intel on Linux firmware updates

Brian Richardson posted a blog yesterday, with information on Linux fwupdate, UEFI Capsule (firmware updates), UEFI 2.5 ESRT, and the Fedora firmware update mechanism.

Raspberry Pi firmware revised to use Linux 4.0

As reported by Michael Larabel in Phoronix, the Raspberry Pi firmware has been changed; it now uses the Linux 4.0 kernel.

As Michael says, “For this low-cost ARM single board computers, the newer kernel is beneficial for new features, file-system improvements, and new device support like when it comes to USB peripherals and adapters.”

Google Auron support added to Coreboot

As reported yesterday by Michael Larabel at Phoronix, coreboot recently got support for the Intel-based Google Broadwell ‘Auron’ board. To quote Phoronix:

“Support for Auron has been added in Coreboot Git. Auron is the Google Broadwell Reference Motherboard, which in turn is based on Google’s Peppy. More Broadwell designs are emerging and soon this latest-generation Intel processor will finally be out for desktops. The Google Auron is their reference board for this latest micro-architecture.”

UEFI 2.5 ESRT in Linux 4.2

One new feature in UEFI 2.5 is the ESRT (EFI System Resource Table). As reported in Phoronix, ESRT support has been added to the Linux kernel, and it appears that it’ll be in Linux 4.2. Quoting Peter Jones’ ESRT patch to sysfs on the linux-efi list, describing ESRT:

“The EFI System Resource Table (ESRT) provides a read-only catalog of system components for which the system accepts firmware upgrades via UEFI’s “Capsule Update” feature.  This module allows userland utilities to evaluate what firmware updates can be applied to this system, and potentially arrange for those updates to occur. The ESRT is described as part of the UEFI specification, in version 2.5 which should be available from in early 2015.  If you’re a member of the UEFI Forum, information about its addition to the standard is available as UEFI Mantis 1090. For some hardware platforms, additional restrictions may be found at , and additional documentation may be found at .”

Peter’s patch adds sysfs files for the EFI System Resource Table (ESRT) under /sys/firmware/efi/esrt and for each EFI System Resource Entry under entries/ as a subdir. See the UEFI 2.5 specification for more details on ESRT.
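
The kind of userland inventory this sysfs layout enables, as an added example (not code from the patch or from fwupd): it reads each entry directory and flags entries whose last capsule update attempt failed or whose version is inconsistent. The attribute file names are those of the kernel's ESRT sysfs ABI; the sample tree, its GUIDs and the helper names are constructed so the code runs without EFI hardware.

```python
import os
import tempfile

ATTRS = ("fw_class", "fw_type", "fw_version", "lowest_supported_fw_version",
         "last_attempt_version", "last_attempt_status")
FW_TYPES = {0: "unknown", 1: "system", 2: "device", 3: "uefi-driver"}

def read_esrt(root="/sys/firmware/efi/esrt"):
    """Return one dict per entry; fw_class is a GUID, other attributes are integers."""
    entries_dir = os.path.join(root, "entries")
    if not os.path.isdir(entries_dir):
        return []  # legacy BIOS boot, or the firmware publishes no ESRT
    records = []
    for name in sorted(os.listdir(entries_dir)):
        rec = {"entry": name}
        for attr in ATTRS:  # on a real system these files are readable by root only
            with open(os.path.join(entries_dir, name, attr)) as fh:
                text = fh.read().strip()
            rec[attr] = text.lower() if attr == "fw_class" else int(text)
        rec["type_name"] = FW_TYPES.get(rec["fw_type"], "reserved")
        records.append(rec)
    return records

def findings(records):
    """Flag entries a firmware inventory should surface for follow-up."""
    notes = []
    for r in records:
        if r["last_attempt_status"] != 0:  # 0 means the last attempt succeeded
            notes.append((r["entry"], "last capsule update attempt failed"))
        if r["fw_version"] < r["lowest_supported_fw_version"]:
            notes.append((r["entry"], "version below lowest supported"))
    return notes

def make_sample_tree():
    """Write a constructed (not captured) two-entry ESRT tree to a temp dir."""
    root = tempfile.mkdtemp(prefix="esrt-sample-")
    sample = {  # values follow the order of ATTRS; GUIDs are made up
        "entry0": ("11111111-2222-3333-4444-555555555555", 1, 65539, 65536, 65539, 0),
        "entry1": ("AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE", 2, 7, 5, 8, 1),
    }
    for name, values in sample.items():
        entry_dir = os.path.join(root, "entries", name)
        os.makedirs(entry_dir)
        for attr, value in zip(ATTRS, values):
            with open(os.path.join(entry_dir, attr), "w") as fh:
                fh.write(f"{value}\n")
    return root

if __name__ == "__main__":
    print(findings(read_esrt(make_sample_tree())))
```

On a UEFI machine, call `read_esrt()` with no argument as root to inventory the real table.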