On Tue, 14 Feb 2017 19:43:48 +0100
David Craven <da...@craven.ch> wrote:

> Hi Denis,
Hi,

> 
> > With that we can still use WiFi by ignoring the intel wifi card and
> > using an USB wifi card instead.  
> 
> [Thunderbolt] poses a much larger security issue,
> that I would not actually gain anything from replacing my wifi card.
> And besides these obvious and visible firmwares I have no clue what
> other non-free firmware is running on my laptop.
While security is important, it's far from being the only reason that
makes free software important.
When security and freedom conflicts, I usually prefer freedom.

That said, if you care about free software only for the security and
privacy benefits:
- With Respect Your Freedom(RYF) certified computer, firmware freedom
  matters a lot.
- Not considering non-free firmware as an issue and having most FSDG
  distribution users run them would make freeing firmwares appear way
  less important.
  Most GNU/Linux users aren't even aware of hardware related freedom
  issues, because it just works. According to many of them the ATI GPU
  can be used with fully free software, and some even think that
  everything in their distribution is free software.
  This doesn't help promoting the importance of having free firmwares,
  and way less developers would want to work on their replacement.
  More broadly, users that need the hardware to work would not care
  anymore about free firmwares anymore either.
  To successfully convince Atheros to liberate the firmware of the
  ath9k_htc compatible chips, thinkpenguin probalby needed a valid
  buisness case, which probably was selling USB WiFi dongles to users
  that desperately wanted WiFi to work with free software.

> While obviously you understand hardware and the hardware you are
> using, most people do not. And I think we need to make sure that
> people that don't - I consider myself being one of those people - can
> do the *best* with what we have and have the information available to
> us to make informed decisions.
I think that not using non-free firmwares is the best decision for all
users collectively. If more users and developers were taking that
decisions, we would not have the issue we have here:
- You have hardware that doesn't work because it requires non-free
  firmwares.
- Many non-free firmwares aren't being replaced because there is not
  enough interest in replacing them, because many GNU/Linux
  distributions still ship non-free firmwares and it works for their
  developers and/or users.

The more interest in free software replacement, the more probability
there is to have them replaced with free software.

> I bought my dell xps developer edition before I had any involvement
> with a GNU project, and I bought it because dell was actually
> providing at least some kind of linux support. I currently can't
> afford to buy a new laptop even if the one you are using is much more
> free.
You may be able to find cheap or gratis laptops supported by the
libreboot project but it will require you to spend time for that, with
no guarantee of success.
As for how cheap it can get, I bought a Lenovo
Thinkpad X60 for about 50E. The downside is that, at that time, I was
lucky to find it that cheap, and that its CPU is single core. Since I
bought it to use it for coreboot/libreboot development/testing only, I
didn't need a fast CPU.

> Besides I have the dream of building a replacement mainboard
> with a RISCV SoC for it. But that is still beyond my capabilities :)
> FYI: This dream mainboard would also feature a software defined radio
> [0] instead of a wifi card - another interesting free hardware
> project, although the sources have not been released yet.
RISCV is probably not yet ready to be used as a laptop SOC. However
there are some microcontrollers projects with that architecture:
- https://www.crowdsupply.com/onchip/open-v
- https://www.crowdsupply.com/sifive/hifive1

As a side note, if you think that microcontrollers are not very
useful, think again because, since you have some interest in security
and probably privacy as well:
- Microcontrollers can have critical security functions, as it is the
  case in this computer: https://www.crowdsupply.com/design-shift/orwl
  They can also be used for password external management.
- We probably have the Hardware description language source for it
  under a free software license.

> Another thing I found very frustrating was a conversation that I had
> on IRC. It went like this:
> 
> Can guixsd run on a RPiv2?
> 
> Yes, sure. You'll need to use vanilla linux and add some firmware,
> I'll show you how to do it.
> 
> No thank you. I don't want to use binary blobs. I'll just use another
> distro until guixsd works without binary blobs.
> 
> I expect that everyone recognizes the irony in that.
I don't. I don't see any issue with the above assuming that non-free
firmwares are the only difference between the "other distro" and the
free software distribution.

Missleading users into thinking that they run 100% free software
everywhere is not a good idea:
- As a user, If I run Trisquel or Parabola, I assume that everything
  that this distribution ships is free software.
- As a user, I don't want to have to review each package for
  proprietary software, this is the role of the distribution.
- As a user knowing how hardware works, I however know that Trisquel or
  Parabola are not the only software running on my computer:
  - Coreboot/Libreboot runs without any blobs
  - The proprietary Embedded controller firmware runs.
  - The HDD firmware runs.
  - Some other firmware that I'm not aware of might run on some chips.
    It also depends on which laptop and peripherals I use:
    - If I use an X60 Tablet, it might have some touchscreen controller
firmware.
    - If I use an external mouse, it might have a firmware too.

> > While this is really great and that each new free firmware is a
> > great achievement  
> 
> I agree.
It would be sad not to continue freeing firmwares. Especially if more
and more functionality and trust is being put in them.

> > When taking security seriously, the fact that a non-free firmware is
> > running in peripherals that can have access to the main system's RAM
> > has to be taken into account.
> >
> > However I don't have a clear idea on whether it has to be dealt with
> > within free software policies or not, and how much it is in the
> > scope of free software.
> >
> > I don't think we, as the free software community, can ignore it as
> > it means that some non-free code can take control of your
> > computer...  
> 
> Yes with buggy thunderbolt controllers this is becoming a real
> problem.
Yes it is, however there are mitigations in some cases:
- It might be possible to have them disabled, there might also be some
  other workarounds.
- Thunderbolt tend to be present on recent hardware, and some of that
  recent hardware also have an IOMMU that can protect the RAM from DMA
  attacks. Note that not all recent computers supports it, see
  https://www.qubes-os.org/hcl/ for more details.
- If you take firewire, and the firewire_ohci module, you have the
  following module parameter:
  > remote_dma:Enable unfiltered remote DMA (default = N) (bool)
  I didn't research yet how it works to understand what it exactly
  means, but some hardware, in some conditions, can mitigate such
  issues.

> I wasn't aware that there was so much documentation available about
> mobile devices. How do you know all that stuff? :)
- I learned most/all that knowledge by working on Replicant and
  researching myself the various freedom privacy and security issues.
- You can however take a huge shortcut and instead read the following:
  http://www.replicant.us/freedom-privacy-security-issues.php

I think that documentation is really important and in many cases as
much important as the sofware itself.

> [0] https://xtrx.io/
You forgott to add a [0] in the mail text that points to this reference.

Denis.

Reply via email to