Discussion:
[Arm-netbook] closed-source BootROM and RYF certification
Parobalth
2016-11-01 22:09:30 UTC
My original message went to moderation queue because it exceeded the
allowed file size. So I am forwarding my message without the pdf
attachment to the list.

----- Forwarded message from Parobalth <***@gmail.com> -----

Date: Sat, 29 Oct 2016 20:13:10 +0200
From: Parobalth <***@gmail.com>
To: arm-***@lists.phcomp.co.uk
Subject: closed-source BootROM and RYF certification
User-Agent: Mutt/1.5.23 (2014-03-12)

At the forum of NextThing Chip is a thread about Chip and a
possible RYF certification. I wrote there that I think that is unlikely
to happen and linked to https://www.crowdsupply.com/eoma68/micro-desktop/updates/fsf-ryf-background.
Then someone else mentioned that a closed-source BootROM is used for Chip.
Another guy with username "eaterjolly" wrote about this BootROM: "The same type of SOC is
used for the EOMA crowd project which is vying for ryf-endorsement quite
openly [...]"

You can find the forum thread here:
https://bbs.nextthing.co/t/ntc-thoughts-on-ryf-endorsement/4490

Because they use Discourse to power their forum, which relies heavily on
JavaScript, I also attach a PDF version of the forum post.

I wonder if the mentioned statements are correct and how it relates to
the RYF certification of the EOMA68-A20 Libre Tea card.

kind regards
Paro



----- End forwarded message -----

_______________________________________________
arm-netbook mailing list arm-***@lists.phcomp.co.uk
http://lists.phcomp.co.uk/mailman/listinfo/arm-netbook
Send large attachments to arm-***@files.phco
Luke Kenneth Casson Leighton
2016-11-02 03:12:31 UTC
Post by Parobalth
> My original message went to moderation queue because it exceeded the
> allowed file size. So I am forwarding my message without the pdf
> attachment to the list.

yep. there's a deliberate 40k limit so that people don't try to use
alain's mail system as a file server!

Post by Parobalth
> At the forum of NextThing Chip is a thread about Chip and a
> possible RYF certification. I wrote there that I think that is unlikely
> to happen and linked to
> https://www.crowdsupply.com/eoma68/micro-desktop/updates/fsf-ryf-background.
> Then someone else mentioned that a closed-source BootROM is used for Chip.

because it's a ROM it's fine. it's not modifiable, it's directly
readable and thus may be audited. now, if it was Boot *EEPROM* and
required a secret key to write to it, and that secret key was not
available, *then* that would be a problem.

the response about TI, Freescale etc. doing exactly the same thing is
perfectly correct. BootROMs are normal and are acceptable under RYF
rules.

it's when that bootloader *requires* firmware that is proprietary (or
requires secret key signing), *that's* when the problems start and RYF
Certification may not be obtained.

Post by Parobalth
> I wonder if the mentioned statements are correct and how it relates to
> the RYF certification of the EOMA68-A20 Libre Tea card.

looks fine to me... up until the point where you notice that the CHIP
has an on-board SD-based WIFI module where the firmware source is *NOT
AVAILABLE*. now, with that in mind, i can predict how this will go.
the FSF will go something like, "we look at this from the perspective
of end-users being quotes tempted quotes to install proprietary
firmware or software. if you ship this hardware with an on-board WIFI
module where the *ONLY* option is to install proprietary firmware,
people will be "too tempted" to operate it without WIFI, particularly
given the extremely low price, here. therefore, sorry, we cannot
grant you RYF Certification. if you create an SBC without WIFI
actually on-board, or with WIFI that has full source, come back to
us".

now i know for a fact that there simply aren't any SD-based WIFI
modules anywhere in the world for which there is source code
available.... so they're screwed, unfortunately. they'll need to
provide a variant which doesn't have on-board SD-based WIFI (at all).

for the rest of the processor, we know that they've demanded (due to
community pressure but also due to the fact that they're a USA-based
Corporation, where Copyright law actually matters) that allwinner
provide an entirely copyright-legal set of sources as a *binding
condition* of the purchase of the actual R8 SoCs.

3D MALI... can be left out.... (as we learned from EOMA68-A20
Certification Application)

CEDRUS.... can be installed... that's fine...

the risk is that they have allwinner try to pull the wool over
NextThingCo's eyes on boot0, boot1, and stuffing things like libdram.a
and libhdmi.a and libnand.a into the kernel source (in direct
violation of the agreement made at the Managerial level). allwinner's
engineers *STILL* believe that they have some sort of quotes
proprietary secret advantage quotes by following the incredibly stupid
and copyright-illegal practice established over five years ago by
tom's old manager, such that even when they've been told by their
managers and by the Vice President, "respect copyright law" they STILL
can't let go of their mindset, which i've witnessed is heavily
entrenched at the engineer level.

l.

Parobalth
2016-11-03 18:55:33 UTC
Thanks a lot for your long and insightful reply.
I am also glad to read that the current prototypes seem to work fine and that
your last update on crowdsupply.com "Observations from Zhuhai" was
rather positive.

kind regards
Paro