gnuboot-patches

Re: HDCP blob still present


From: Denis 'GNUtoo' Carikli
Subject: Re: HDCP blob still present
Date: Sun, 3 Nov 2024 03:06:38 +0100

Hi again,

On Thu, 31 Oct 2024 20:10:45 +0000
Leah Rowe via Gnuboot-patches <gnuboot-patches@gnu.org> wrote:

> I've done some further auditing of GNU Boot, as a matter of courtesy
> and friendship:
Thanks.

> fam15h trees:
> 
> src/vendorcode/intel/fsp1_0/baytrail/absf/minnowmax_1gb.absf
> src/vendorcode/intel/fsp1_0/baytrail/absf/minnowmax_2gb.absf

I've looked a bit and here the license header looks like a nonfree
license, so we should remove it. The good news is that they seem gone
upstream since November 2019. We have them only in these tarballs:
> $ find -name minnowmax_1gb.absf
> ./gnuboot-0.1-rc3-1_src/coreboot/fam15h_rdimm/src/vendorcode/intel/fsp1_0/baytrail/absf/minnowmax_1gb.absf
> ./gnuboot-0.1-rc3-1_src/coreboot/fam15h_udimm/src/vendorcode/intel/fsp1_0/baytrail/absf/minnowmax_1gb.absf
> ./gnuboot-0.1-rc2-1_src/coreboot/fam15h_rdimm/src/vendorcode/intel/fsp1_0/baytrail/absf/minnowmax_1gb.absf
> ./gnuboot-0.1-rc2-1_src/coreboot/fam15h_udimm/src/vendorcode/intel/fsp1_0/baytrail/absf/minnowmax_1gb.absf

> src/vendorcode/amd/agesa/f12/Proc/GNB/Nb/Family/LN/F12NbSmuFirmware.h
We have more than one SMU firmware here:
> $ find -iname "*SmuFirmware*"
> ./gnuboot-0.1-rc3-1_src/coreboot/fam15h_rdimm/src/vendorcode/amd/agesa/f12/Proc/GNB/Nb/Family/LN/F12NbSmuFirmware.h
> ./gnuboot-0.1-rc3-1_src/coreboot/fam15h_udimm/src/vendorcode/amd/agesa/f12/Proc/GNB/Nb/Family/LN/F12NbSmuFirmware.h
> ./gnuboot-0.1-rc2-1_src/coreboot/fam15h_rdimm/src/vendorcode/amd/agesa/f12/Proc/GNB/Nb/Family/LN/F12NbSmuFirmware.h
> ./gnuboot-0.1-rc2-1_src/coreboot/fam15h_udimm/src/vendorcode/amd/agesa/f12/Proc/GNB/Nb/Family/LN/F12NbSmuFirmware.h
> ./gnuboot-0.1-rc1-2_src/coreboot/fam15h_rdimm/src/vendorcode/amd/agesa/f12/Proc/GNB/Nb/Family/LN/F12NbSmuFirmware.h
> ./gnuboot-0.1-rc1-2_src/coreboot/fam15h_udimm/src/vendorcode/amd/agesa/f12/Proc/GNB/Nb/Family/LN/F12NbSmuFirmware.h

The issue here is the lack of corresponding source code, so we should
remove them. The firmware is for a lm32 CPU core that is involved in
power management in FAM12H (and probably more recent too) AMD CPUs. There
was some project to replace them but I'm unsure of its status.

The good news is that they are gone upstream as well.

> 3rdparty/vboot/tests/preamble_tests/data/dummy_bootloader.bin
> 3rdparty/vboot/tests/devkeys/firmware_bmpfv.bin
Do these contain nonfree code? Some of the examples in vboot are
genuine binaries constructed by hand while others (like the
Chromebook firmware images) do contain nonfree code, probably the
Management Engine firmware, the MRC for sure. I've confirmed that by
extracting it.

The dummy_bootloader.bin and firmware_bmpfv.bin entropy doesn't look
random, yet they don't really disassemble to x86 or ARM either.

We have them too in all the upstream source releases:
> $ find -name dummy_bootloader.bin -o -name firmware_bmpfv.bin
> ./gnuboot-0.1-rc3-1_src/coreboot/default/3rdparty/vboot/tests/devkeys-pkc/firmware_bmpfv.bin
> ./gnuboot-0.1-rc3-1_src/coreboot/default/3rdparty/vboot/tests/preamble_tests/data/dummy_bootloader.bin
> ./gnuboot-0.1-rc3-1_src/coreboot/default/3rdparty/vboot/tests/devkeys/firmware_bmpfv.bin
> ./gnuboot-0.1-rc3-1_src/coreboot/fam15h_rdimm/3rdparty/vboot/tests/devkeys-pkc/firmware_bmpfv.bin
> ./gnuboot-0.1-rc3-1_src/coreboot/fam15h_rdimm/3rdparty/vboot/tests/preamble_tests/data/dummy_bootloader.bin
> ./gnuboot-0.1-rc3-1_src/coreboot/fam15h_rdimm/3rdparty/vboot/tests/devkeys/firmware_bmpfv.bin
> ./gnuboot-0.1-rc3-1_src/coreboot/fam15h_udimm/3rdparty/vboot/tests/devkeys-pkc/firmware_bmpfv.bin
> ./gnuboot-0.1-rc3-1_src/coreboot/fam15h_udimm/3rdparty/vboot/tests/preamble_tests/data/dummy_bootloader.bin
> ./gnuboot-0.1-rc3-1_src/coreboot/fam15h_udimm/3rdparty/vboot/tests/devkeys/firmware_bmpfv.bin
> ./gnuboot-0.1-rc2-1_src/coreboot/default/3rdparty/vboot/tests/devkeys-pkc/firmware_bmpfv.bin
> ./gnuboot-0.1-rc2-1_src/coreboot/default/3rdparty/vboot/tests/preamble_tests/data/dummy_bootloader.bin
> ./gnuboot-0.1-rc2-1_src/coreboot/default/3rdparty/vboot/tests/devkeys/firmware_bmpfv.bin
> ./gnuboot-0.1-rc2-1_src/coreboot/fam15h_rdimm/3rdparty/vboot/tests/devkeys-pkc/firmware_bmpfv.bin
> ./gnuboot-0.1-rc2-1_src/coreboot/fam15h_rdimm/3rdparty/vboot/tests/preamble_tests/data/dummy_bootloader.bin
> ./gnuboot-0.1-rc2-1_src/coreboot/fam15h_rdimm/3rdparty/vboot/tests/devkeys/firmware_bmpfv.bin
> ./gnuboot-0.1-rc2-1_src/coreboot/fam15h_udimm/3rdparty/vboot/tests/devkeys-pkc/firmware_bmpfv.bin
> ./gnuboot-0.1-rc2-1_src/coreboot/fam15h_udimm/3rdparty/vboot/tests/preamble_tests/data/dummy_bootloader.bin
> ./gnuboot-0.1-rc2-1_src/coreboot/fam15h_udimm/3rdparty/vboot/tests/devkeys/firmware_bmpfv.bin
> ./gnuboot-0.1-rc1-2_src/coreboot/default/3rdparty/vboot/tests/devkeys-pkc/firmware_bmpfv.bin
> ./gnuboot-0.1-rc1-2_src/coreboot/default/3rdparty/vboot/tests/preamble_tests/data/dummy_bootloader.bin
> ./gnuboot-0.1-rc1-2_src/coreboot/default/3rdparty/vboot/tests/devkeys/firmware_bmpfv.bin
> ./gnuboot-0.1-rc1-2_src/coreboot/fam15h_rdimm/3rdparty/vboot/tests/devkeys-pkc/firmware_bmpfv.bin
> ./gnuboot-0.1-rc1-2_src/coreboot/fam15h_rdimm/3rdparty/vboot/tests/preamble_tests/data/dummy_bootloader.bin
> ./gnuboot-0.1-rc1-2_src/coreboot/fam15h_rdimm/3rdparty/vboot/tests/devkeys/firmware_bmpfv.bin
> ./gnuboot-0.1-rc1-2_src/coreboot/fam15h_udimm/3rdparty/vboot/tests/devkeys-pkc/firmware_bmpfv.bin
> ./gnuboot-0.1-rc1-2_src/coreboot/fam15h_udimm/3rdparty/vboot/tests/preamble_tests/data/dummy_bootloader.bin
> ./gnuboot-0.1-rc1-2_src/coreboot/fam15h_udimm/3rdparty/vboot/tests/devkeys/firmware_bmpfv.bin

> 3rdparty/vboot/tests/futility/data_fmap.bin
Do you know what it contains?

At least I found this file here:
> $ find -name data_fmap.bin
> ./gnuboot-0.1-rc3-1_src/coreboot/default/3rdparty/vboot/tests/futility/data_fmap.bin
> ./gnuboot-0.1-rc3-1_src/coreboot/fam15h_rdimm/3rdparty/vboot/tests/futility/data_fmap.bin
> ./gnuboot-0.1-rc3-1_src/coreboot/fam15h_udimm/3rdparty/vboot/tests/futility/data_fmap.bin
> ./gnuboot-0.1-rc2-1_src/coreboot/default/3rdparty/vboot/tests/futility/data_fmap.bin
> ./gnuboot-0.1-rc2-1_src/coreboot/fam15h_rdimm/3rdparty/vboot/tests/futility/data_fmap.bin
> ./gnuboot-0.1-rc2-1_src/coreboot/fam15h_udimm/3rdparty/vboot/tests/futility/data_fmap.bin
> ./gnuboot-0.1-rc1-2_src/coreboot/default/3rdparty/vboot/tests/futility/data_fmap.bin
> ./gnuboot-0.1-rc1-2_src/coreboot/fam15h_rdimm/3rdparty/vboot/tests/futility/data_fmap.bin
> ./gnuboot-0.1-rc1-2_src/coreboot/fam15h_udimm/3rdparty/vboot/tests/futility/data_fmap.bin

Did you also contact vboot about these (data_fmap.bin,
dummy_bootloader.bin, firmware_bmpfv.bin) or do you prefer if I take
care of it (I'm already in discussion with upstream for that through
the Coreboot mailing list)[1]?

> All of the above binary blobs are still present in GNU Boot 0.1 RC3, 
> even the "corrected" tarballs recently re-uploaded in October 2024 
> (initial 0.1 RC3 was in December 2023, with more blobs than the
> above).
I then assume that you read the related news. About the nonfree
software found in vboot, we need to contact many distributions and we
didn't have the time to contact Canoeboot yet (it's still in the TODO
list in our bug report system). Do you need me to open a bug or did you
take care of it already?

The good news is that there seems to be some progress upstream but it
will likely be slow.

> So, this makes for the 3rd revision. I believe that the GNU Boot
> project will have to make yet a third revision to its 0.1 RC3 release
> tarballs.
Indeed.

> There are likely still more blobs present in GNU Boot, as I've also
> been finding these in Canoeboot and fixing the issue there, as part
> of a wider audit that I've been doing.
Thanks for doing that work and notifying us as well.

References:
-----------
[1]https://mail.coreboot.org/hyperkitty/list/coreboot@coreboot.org/thread/6JI7KTJ3QVK6Q5BLNWREX2IBVZP7GCLP/

Denis.
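The triage described in the reply above (locate candidate files by name, then look at their entropy and whether they disassemble to anything) can be scripted so it is repeatable across every tarball revision. The following is an added example, not code from GNU Boot, Canoeboot, vboot or this thread. The suffix list, the name fragments, the entropy thresholds and the C-header heuristic are assumptions chosen for illustration, and the sample tree it builds on a dry run is constructed data, not the real files named in the thread.

```python
"""Heuristic blob triage for a source tree (added example, not GNU Boot tooling).

Walks a tree, picks files that look like opaque binaries or C headers that
embed a byte array, and reports Shannon entropy so a reviewer can separate:
  - compressed/encrypted/random data (entropy close to 8 bits per byte),
  - structured machine code or firmware images (roughly 4-7.5 bits),
  - text or mostly-zero padding (low entropy).
Entropy never proves a file is nonfree; it only says where to look next.
"""
import math
import os
import sys
import tempfile
from collections import Counter
from pathlib import Path

# Assumed patterns, seeded from the file names discussed in the thread.
SUSPECT_SUFFIXES = {".bin", ".absf", ".rom", ".fw", ".elf"}
SUSPECT_NAME_FRAGMENTS = ("smufirmware", "bootloader", "bmpfv", "fmap")

# Constructed stand-in for a C header that carries a blob as a byte array.
HEADER_SAMPLE = (b"static const unsigned char fw[] = {\n"
                 + b", ".join(b"0x%02x" % (i % 256) for i in range(300))
                 + b"\n};\n")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_binary(data: bytes) -> bool:
    """True if the first 4 KiB contains NUL or too few printable bytes."""
    sample = data[:4096]
    if not sample:
        return False
    if b"\x00" in sample:
        return True
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) < 0.85


def embedded_hex_array(data: bytes) -> bool:
    """Text file whose tokens are mostly 0x.. literals (blob in a header)."""
    if looks_binary(data):
        return False
    tokens = data.replace(b",", b" ").split()
    if len(tokens) < 64:
        return False
    hexlits = sum(1 for t in tokens if t.lower().startswith(b"0x"))
    return hexlits / len(tokens) >= 0.4


def classify(data: bytes) -> str:
    """Coarse bucket; the numeric thresholds are assumptions, not standards."""
    if not looks_binary(data):
        return "embedded-array" if embedded_hex_array(data) else "text"
    h = shannon_entropy(data)
    if h >= 7.5:
        return "high-entropy"   # compressed, encrypted or random
    if h >= 4.0:
        return "structured"     # typical of code or firmware images
    return "low-entropy"        # padding, tables, sparse data


def name_is_suspect(path: Path) -> bool:
    lower = path.name.lower()
    return (path.suffix.lower() in SUSPECT_SUFFIXES
            or any(frag in lower for frag in SUSPECT_NAME_FRAGMENTS))


def scan_tree(root) -> list:
    """Return [(relative posix path, size, entropy, bucket)] for suspect files."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        data = path.read_bytes()
        if not (name_is_suspect(path) or looks_binary(data)
                or embedded_hex_array(data)):
            continue
        findings.append((path.relative_to(root).as_posix(), len(data),
                         round(shannon_entropy(data), 2), classify(data)))
    return findings


def build_demo_tree() -> Path:
    """Constructed sample tree (not real GNU Boot files) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="blobscan-"))
    (root / "src").mkdir()
    (root / "src" / "README").write_bytes(b"Plain text, nothing to see.\n" * 20)
    (root / "src" / "padding.bin").write_bytes(b"\x00" * 1024)
    (root / "src" / "random.bin").write_bytes(os.urandom(4096))
    (root / "src" / "table.rom").write_bytes(bytes(range(64)) * 16)
    (root / "src" / "F12NbSmuFirmware.h").write_bytes(HEADER_SAMPLE)
    return root


if __name__ == "__main__":
    # Usage: python blobscan.py [path-to-unpacked-tarball]
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_tree()
    for rel, size, h, bucket in scan_tree(target):
        print(f"{bucket:15} {h:5.2f} {size:8d} {rel}")
```

Run it over each unpacked `gnuboot-*_src` directory and diff the reports between revisions; a "structured" or "embedded-array" hit with no matching source in the tree is the case the thread is concerned with, while a "high-entropy" hit is more often a compressed or signed image that still needs a provenance check rather than proof of anything by itself.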


