[Arm-netbook] closed-source BootROM and RYF certification

Luke Kenneth Casson Leighton lkcl at lkcl.net
Wed Nov 2 03:12:31 GMT 2016


On 11/1/16, Parobalth <parobalth at gmail.com> wrote:
> My original message went to moderation queue because it exceeded the
> allowed file size. So I am forwarding my message without the pdf
> attachment to the list.

 yep.  there's a deliberate 40k limit so that people don't try to use
alain's mail system as a file server!

> At the forum of NextThing Chip is a thread about Chip and a
> possible RYF certification. I wrote there that I think that is unlikely
> to happen and linked to
> https://www.crowdsupply.com/eoma68/micro-desktop/updates/fsf-ryf-background.
> Then someone else mentioned that a closed-source BootROM is used for Chip.

 because it's a ROM it's fine.  it's not modifiable, it's directly
readable and thus may be audited.  now, if it was Boot *EEPROM* and
required a secret key to write to it, and that secret key was not
available, *then* that would be a problem.

 the response about TI, Freescale etc. doing exactly the same thing is
perfectly correct.  BootROMs are normal and are acceptable under RYF
rules.

 it's when that bootloader *requires* firmware that is proprietary (or
requires secret key signing), *that's* when the problems start and RYF
Certification may not be obtained.

> I wonder if the mentioned statements are correct and how it relates to
> the RYF certification of the EOMA68-A20 Libre Tea card.

 looks fine to me... up until the point where you notice that the CHIP
has an on-board SD-based WIFI module where the firmware source is *NOT
AVAILABLE*.  now, with that in mind, i can predict how this will go.
the FSF will go something like, "we look at this from the perspective
of end-users being quotes tempted quotes to install proprietary
firmware or software.  if you ship this hardware with an on-board WIFI
module where the *ONLY* option is to install proprietary firmware,
people will be "too tempted" to operate it without WIFI, particularly
given the extremely low price, here.  therefore, sorry, we cannot
grant you RYF Certification.  if you create an SBC without WIFI
actually on-board, or with WIFI that has full source, come back to
us".

 now i know for a fact that there simply aren't any SD-based WIFI
modules anywhere in the world for which there is source code
available.... so they're screwed, unfortunately.  they'll need to
provide a variant which doesn't have on-board SD-based WIFI (at all).

 for the rest of the processor, we know that they've demanded (due to
community pressure but also due to the fact that they're a USA-based
Corporation, where Copyright law actually matters) that allwinner
provide an entirely copyright-legal set of sources as a *binding
condition* of the purchase of the actual R8 SoCs.

 3D MALI... can be left out.... (as we learned from EOMA68-A20
Certification Application)

 CEDRUS.... can be installed... that's fine...

 the risk is that they have allwinner try to pull the wool over
NextThingCo's eyes on boot0, boot1, and stuffing things like libdram.a
and libhdmi.a and libnand.a into the kernel source (in direct
violation of the agreement made at the Managerial level).  allwinner's
engineers *STILL* believe that they have some sort of quotes
proprietary secret advantage quotes by following the incredibly stupid
and copyright-illegal practice established over five years ago by
tom's old manager, such that even when they've been told by their
managers and by the Vice President, "respect copyright law" they STILL
can't let go of their mindset, which i've witnessed is heavily
entrenched at the engineer level.

l.


