On Tue, 14 Feb 2017 19:43:48 +0100 David Craven <da...@craven.ch> wrote:
> Hi Denis, Hi, > > > With that we can still use WiFi by ignoring the intel wifi card and > > using an USB wifi card instead. > > [Thunderbolt] poses a much larger security issue, > that I would not actually gain anything from replacing my wifi card. > And besides these obvious and visible firmwares I have no clue what > other non-free firmware is running on my laptop. While security is important, it's far from being the only reason that makes free software important. When security and freedom conflicts, I usually prefer freedom. That said, if you care about free software only for the security and privacy benefits: - With Respect Your Freedom(RYF) certified computer, firmware freedom matters a lot. - Not considering non-free firmware as an issue and having most FSDG distribution users run them would make freeing firmwares appear way less important. Most GNU/Linux users aren't even aware of hardware related freedom issues, because it just works. According to many of them the ATI GPU can be used with fully free software, and some even think that everything in their distribution is free software. This doesn't help promoting the importance of having free firmwares, and way less developers would want to work on their replacement. More broadly, users that need the hardware to work would not care anymore about free firmwares anymore either. To successfully convince Atheros to liberate the firmware of the ath9k_htc compatible chips, thinkpenguin probalby needed a valid buisness case, which probably was selling USB WiFi dongles to users that desperately wanted WiFi to work with free software. > While obviously you understand hardware and the hardware you are > using, most people do not. And I think we need to make sure that > people that don't - I consider myself being one of those people - can > do the *best* with what we have and have the information available to > us to make informed decisions. I think that not using non-free firmwares is the best decision for all users collectively. If more users and developers were taking that decisions, we would not have the issue we have here: - You have hardware that doesn't work because it requires non-free firmwares. - Many non-free firmwares aren't being replaced because there is not enough interest in replacing them, because many GNU/Linux distributions still ship non-free firmwares and it works for their developers and/or users. The more interest in free software replacement, the more probability there is to have them replaced with free software. > I bought my dell xps developer edition before I had any involvement > with a GNU project, and I bought it because dell was actually > providing at least some kind of linux support. I currently can't > afford to buy a new laptop even if the one you are using is much more > free. You may be able to find cheap or gratis laptops supported by the libreboot project but it will require you to spend time for that, with no guarantee of success. As for how cheap it can get, I bought a Lenovo Thinkpad X60 for about 50E. The downside is that, at that time, I was lucky to find it that cheap, and that its CPU is single core. Since I bought it to use it for coreboot/libreboot development/testing only, I didn't need a fast CPU. > Besides I have the dream of building a replacement mainboard > with a RISCV SoC for it. But that is still beyond my capabilities :) > FYI: This dream mainboard would also feature a software defined radio > [0] instead of a wifi card - another interesting free hardware > project, although the sources have not been released yet. RISCV is probably not yet ready to be used as a laptop SOC. However there are some microcontrollers projects with that architecture: - https://www.crowdsupply.com/onchip/open-v - https://www.crowdsupply.com/sifive/hifive1 As a side note, if you think that microcontrollers are not very useful, think again because, since you have some interest in security and probably privacy as well: - Microcontrollers can have critical security functions, as it is the case in this computer: https://www.crowdsupply.com/design-shift/orwl They can also be used for password external management. - We probably have the Hardware description language source for it under a free software license. > Another thing I found very frustrating was a conversation that I had > on IRC. It went like this: > > Can guixsd run on a RPiv2? > > Yes, sure. You'll need to use vanilla linux and add some firmware, > I'll show you how to do it. > > No thank you. I don't want to use binary blobs. I'll just use another > distro until guixsd works without binary blobs. > > I expect that everyone recognizes the irony in that. I don't. I don't see any issue with the above assuming that non-free firmwares are the only difference between the "other distro" and the free software distribution. Missleading users into thinking that they run 100% free software everywhere is not a good idea: - As a user, If I run Trisquel or Parabola, I assume that everything that this distribution ships is free software. - As a user, I don't want to have to review each package for proprietary software, this is the role of the distribution. - As a user knowing how hardware works, I however know that Trisquel or Parabola are not the only software running on my computer: - Coreboot/Libreboot runs without any blobs - The proprietary Embedded controller firmware runs. - The HDD firmware runs. - Some other firmware that I'm not aware of might run on some chips. It also depends on which laptop and peripherals I use: - If I use an X60 Tablet, it might have some touchscreen controller firmware. - If I use an external mouse, it might have a firmware too. > > While this is really great and that each new free firmware is a > > great achievement > > I agree. It would be sad not to continue freeing firmwares. Especially if more and more functionality and trust is being put in them. > > When taking security seriously, the fact that a non-free firmware is > > running in peripherals that can have access to the main system's RAM > > has to be taken into account. > > > > However I don't have a clear idea on whether it has to be dealt with > > within free software policies or not, and how much it is in the > > scope of free software. > > > > I don't think we, as the free software community, can ignore it as > > it means that some non-free code can take control of your > > computer... > > Yes with buggy thunderbolt controllers this is becoming a real > problem. Yes it is, however there are mitigations in some cases: - It might be possible to have them disabled, there might also be some other workarounds. - Thunderbolt tend to be present on recent hardware, and some of that recent hardware also have an IOMMU that can protect the RAM from DMA attacks. Note that not all recent computers supports it, see https://www.qubes-os.org/hcl/ for more details. - If you take firewire, and the firewire_ohci module, you have the following module parameter: > remote_dma:Enable unfiltered remote DMA (default = N) (bool) I didn't research yet how it works to understand what it exactly means, but some hardware, in some conditions, can mitigate such issues. > I wasn't aware that there was so much documentation available about > mobile devices. How do you know all that stuff? :) - I learned most/all that knowledge by working on Replicant and researching myself the various freedom privacy and security issues. - You can however take a huge shortcut and instead read the following: http://www.replicant.us/freedom-privacy-security-issues.php I think that documentation is really important and in many cases as much important as the sofware itself. > [0] https://xtrx.io/ You forgott to add a [0] in the mail text that points to this reference. Denis.
