Free Software Policy with Semi-Firm Firmware

Kyle Rankin

https://kylerank.in/talks/misc/semifirm_firmware.html

Semi-Introduction

• I'm no firmware expert
• At best, a semi-developer for firmware
• This isn't a technical talk
• This is a policy talk
• I did make hardware running free software and open firmware
• Challenging to make it all free
• Open hardware depends on free firmware
• Current open hardware policy out of date.

This Talk

• What is Firmware?
• Firmware Isn't Firm
• Firmware Isn't (Usually) Free
• Repects Your Freedom Certification
• RYF Proprietary Exceptions
• Making an modern RYF device
• Firmware Policy Improvements.

What is Firmware?

• Hardware: physical chips, electronics, etc
• Software: instructions the CPU executes
• Firmware: sits between hardware and software
• Traditionally instructions flashed onto chips
• Write-once, read-only afterwards
• Provide interface between OS (drivers) and hardware
• BIOS, video cards, network cards, sound cards, hard drives.

Firmware Isn't Firm

• More like tofu: firm, semi-firm, soft
• Firm: write-once
• Semi-Firm: field-upgradable with hardware flasher
• Soft: OS-upgradable with software flasher
• Some load run-time instructions/configs at initialization
• Sometimes OS provides initialization-time instructions/config
• Even CPU gets microcode updates
• One semi-distinction from software, is which chip executes code.

Why Firmware Isn't Firm

• Firmware has bugs
• Field upgrades enable bug fixes, new features
• Hardware has bugs
• Firmware sometimes fixes hardware in the field
• How Intel responded to Meltdown/Spectre
• Also allows firmware to be replaced.

Firmware Isn't (Usually) Free

• Most firmware is proprietary
• More hidden than software, less focus in FOSS
• Pain mostly felt in FOSS world
• More focus recently for few reasons:
• 100% free OS available
• Interest in open hardware (RISC-V et al)
• Firmware attacks growing concern
• Coreboot and EC firmware recent FOSS examples
• Even then, there are blobs.

Respects Your Freedom Certification

• RYF is FSF's certification for open hardware
• Currently one of few criteria concerning FOSS and firmware
• Most certified products network adapters
• Also older modified Thinkpads, 3D printers
• Generally older hardware, because of modern firmware
• Requires *all* product software be free software
• Also cannot steer user toward non-free software
• RYF allows (some) proprietary firmware!

Respects Your Freedom Certification

Firmware Exception

However, there is one exception for secondary embedded processors. The exception applies to software delivered inside auxiliary and low-level processors and FPGAs, within which software installation is not intended after the user obtains the product. This can include, for instance, microcode inside a processor, firmware built into an I/O device, or the gate pattern of an FPGA. The software in such secondary processors does not count as product software.

Respects Your Freedom Certification

Firmware Exception Exception

• Exception makes explicit exception for BIOS
• "The BIOS of a PC runs on the CPU, not on a separate secondary processor, so this exception does not apply to the BIOS."
• Essential distinction is whether CPU or secondary processor runs firmware
• Also whether user must install software
• Rules out modern Intel platforms w/ ME, modern peripherals.

Making a Modern RYF Device

• Making a modern RYF-compliant computer is difficult
• Software side is (relatively) easy
• Firmware is the sticking point
• Two real-life examples:
• Librem 14 laptop
• Librem 5 phone.

Making a Modern RYF Device

Librem 14 Overview

• Reference 10th Gen Intel laptop
• Video/Eth/WiFi cards use FOSS drivers
• Runs 100% Free Software OS (PureOS)
• Coreboot BIOS, FOSS "LibremEC" EC firmware
• Doesn't qualify for RYF.

Making a Modern RYF Device

Librem 14 Blobs

• Following coreboot blobs disqualify it:
• Intel FSP (initializes RAM and PCIe, SATA, etc)
• Intel Management Engine
• CPU microcode (probably?)
• In future: WiFi blob jail.

Making a Modern RYF Device

Blob Jail

• Atheros WiFi only blob-free option
• Older WiFi specs, getting harder to find
• WiFi patent-encumbered, expensive to make brand new card
• Backup plan: Intel WiFi + init blobs in "blob jail" in boot firmware
• Boot firmware validates blob, passes to kernel at boot
• OS can be 100% FOSS
• CPU doesn't "execute" blob, only copies file to hardware.

Making a Modern RYF Device

Librem 5 Overview

• In-house ARM-based Linux smartphone
• Designed from start to comply with RYF
• Runs same PureOS as laptop
• Modem, WiFi/BT on M.2 cards
• Hardware chosen for optimum FOSS support
• Required much kernel work, ongoing to mainline
• Some firmware "blobs" are FOSS
• Has closed blobs, but designed in RYF-compliant way.

Making a Modern RYF Device

Librem 5 Blobs

• Touchscreen, WWAN: "soft" firmware, no init blob
• Others require run-time loading
• Load blobs from ROM storage outside of CPU
• USB-C chip, DDR training, DP
• New SparkLAN WiFi needs blob jail
• None "taint" user.

Firmware Policy Improvements

• Need policy to reflect current state of hardware
• Current policy:
• Non-CPU copy blob from ROM? OK
• CPU copy blob from flash storage? Maybe OK?
• CPU copy blob from disk? Not OK?
• CPU execute blob from disk? Not OK
• ROM-copy hoops require extra chips, flash software to update
• Distinction w/o difference
• Run-time blob init unlikely to change
• Need exception when blob copied not executed
• Exception for CPU security microcode updates
• Ideally sliding scale/levels instead of binary.

Conclusion

• With software free, firmware in spotlight
• Firmware isn't firm, more like tofu
• "Soft" firmware allows open replacement
• Many people trying to do the right thing
• Hardware is hard, open hardware is harder
• Need updated policy guidance
• Allow incremental process toward 100% free.

Thank You

Additional Resources

• This talk: https://kylerank.in/talks/misc/semifirm_firmware.html
• RYF cert criteria: https://ryf.fsf.org/about/criteria
• Purism firmware projects: https://source.puri.sm/firmware