[Assist] [assist] Shepherd, firmware and intel-ucode

Denis 'GNUtoo' Carikli GNUtoo at cyberdimension.org
Mon May 27 14:01:11 GMT 2019


On Sun, 26 May 2019 18:53:57 -0600
Javier <je-vv at e.email> wrote:

> Also, it seems Parabola doesn't include the intel-ucode package,
> which is loaded into the HW as an initrd in Arch.  I see the
> iucode-tool though.  How does Parabola deal with intel ucode
> upgrades (amd ones as well for that matter)?  I'm afraid several
> security issues are closed through ucode upgrades, so it's important
> to keep them up to date I'd guess.
Security is always relative to a threat model.

For instance, for most smartphone manufacturers, having the device
users able to replace the bootloader is a security issue. For me
and many people in the free software movement, not being able to replace
that code is a freedom, privacy and security issue.

Here, since it's common for proprietary software to include more
malware-features (surveillance, restrictions, etc.) in later
revisions, and since the Intel microcode is nonfree and encrypted[1],
using nonfree microcode carries additional risk.

If you manage not to run any nonfree software and you are not
forced to run any program you don't want on a given computer, the bugs
related to speculative execution stop being an issue[2].

> Finally, for FW in general, currently on Arch I don't bother about
> installing specific FW for the most part.  Depending on the system I
> use, the only particular packages I've installed on Arch:
> 
> nouveau-fw
I don't know what's inside but many GPUs that are supported by Nouveau
have a free software firmware that is shipped directly by the Linux
kernel.

> linux-firmware
We have some firmware files in linux-libre-firmware too, but only the
ones that are free software.

As several drivers require a proprietary firmware to work (because no
one has replaced them yet with free software), some hardware may not work.

The most common issues are the WiFi card not working and/or the GPU
driver not working.

For ATI/AMD GPUs, this can easily be fixed, by modifying linux-libre to
make the driver still load, and testing the change for your specific
GPU. It won't give 3D acceleration but it still enables you to use many
features like multi-display, native display resolutions, etc.

> Not sure if there are global FW packages in Parabola that would avoid
> discovering the hard way what FW is missing to get some HW working.
You could test it on a livecd. You could also test Trisquel as it also
uses linux-libre (but it uses an older version, so for instance some
ATI GPUs might only work in newer versions).

> Also, it came to my attention that for some wireless drivers [1], one
> needs to get the FW from the linux kernel, is there a way to get an
> unofficial package with the FW instead, to also keep the FW up to
> date, and not get with a stale outdated FW?
This is not the way to go with Parabola and most of the distributions
that are validated by the FSF.

As some hardware doesn't work without nonfree software, most of the
distributions will simply not support that hardware to ensure that the
software remains fully free.

The way that users deal with this is usually to do the opposite:
instead of trying to make the hardware work by using nonfree software,
they typically choose hardware that works with their distribution.

For instance to get working WiFi they typically either:
- buy a computer that already works with fully free software like the
  ones listed on the FSF website: fsf.org/ryf
- assemble a similar computer themselves. The process is documented in
  the Libreboot documentation[3].
- are lucky and the computer they currently have works fine with fully
  free distributions. Unlike the two solutions above, this doesn't mean
  that the computer is fully free, as the boot software (BIOS/UEFI) is
  not necessarily free in this case.
- add an external WiFi card when it's a laptop (as much boot software
  (BIOS/UEFI) refuses to boot if you have removed or changed the internal
  WiFi card).
- change the internal WiFi card (in the case of a laptop where the
  BIOS/UEFI doesn't have such restrictions, or in the case of desktop
  computers).

> I'd like to understand what implications there are by migrating, and
> these are like big topics for me.
- You get a fully free software distribution. As nonfree software is
  malware[5] most of the time, you have way better guarantees for your
  freedom, privacy and security.
  While everything is not perfect, as software has bugs, including
  sometimes freedom issues that are found and fixed, we have at least a
  fighting chance to make the software really respect users' freedom,
  and most of the time it does.
- Some hardware may not work. It's best to try a livecd of Trisquel or
  Parabola and try to test as much hardware as possible with that. You
  could also install it alongside Arch and use a dual-boot system until
  you're confident enough to do the migration.

The issues that are typically found in nonfree applications are also
found elsewhere if the software is nonfree. 

For instance if the WiFi firmware is nonfree nobody can fix the bugs
but the company that owns the copyright on that firmware.

And that company's interests might not be to fix the issues that are
important to you, or to the community of users in general, but instead
to make as much money as possible.

This means that security issues like the WPA group key issue might
remain unfixed, that features cannot be added to the driver due to
the inability to change the firmware, etc.

In contrast, the ath9k driver, which doesn't require a nonfree
firmware, is one of the drivers that gets the most work to improve the
WiFi stack. The ath9k_htc driver and compatible firmware also
get fixes and improvements.

> BTW, I'd like to avoid migrating to openRC if my plan is to migrate
> to Shepherd, to avoid going through 2 learning curves.  If the
> suggestion is to wait until Shepherd moves to the Pcr repo, then I
> might migrate only until then, but is there a way to find out (news
> subscription or similar) other than monitoring where the package is?
GuixSD[4] is a fully free GNU/Linux distribution that already has GNU
Shepherd. As it is also fully free, all the comments above about
hardware support also apply to it.

References:
-----------
[1]https://en.wikipedia.org/wiki/Intel_Microcode#Microcode_update_format
[2]https://jxself.org/afraid.shtml
[3]https://libreboot.org/
[4]https://www.gnu.org/software/guix/
[5]https://www.gnu.org/proprietary/proprietary.html

Denis.
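The mail above leaves "discovering the hard way what FW is missing" to a livecd test. As an added example, not from the original mail nor from Parabola's or linux-libre's tooling, the script below gives the same answer from the command line: it asks each loaded kernel module (via modinfo, from kmod) which firmware files it declares with MODULE_FIRMWARE(), then reports which of those are absent from the firmware directory. It assumes a /sys/module tree and defaults the firmware directory to /lib/firmware; the FWDIR variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original mail or of Parabola's tooling:
# list the firmware files the currently loaded kernel modules ask for,
# and report which of those are absent from the firmware directory.
# Assumes modinfo(8) from kmod and a /sys/module tree.  The firmware
# directory defaults to /lib/firmware; override it with FWDIR=... in
# the environment (FWDIR is this example's own knob, not a kernel one).

# Print "module firmware-file" for every firmware file the named modules
# declare through MODULE_FIRMWARE(); modules declaring none print nothing.
firmware_requested_by() {
    for mod in "$@"; do
        modinfo -F firmware "$mod" 2>/dev/null | while read -r fw; do
            if [ -n "$fw" ]; then
                printf '%s %s\n' "$mod" "$fw"
            fi
        done
    done
}

# Read "module firmware-file" pairs on stdin and print only those whose
# file is missing from the directory given as $1.  The kernel's firmware
# loader also accepts .xz and .zst compressed blobs, so those count as
# present.
missing_firmware() {
    fwdir=$1
    while read -r mod fw; do
        if [ ! -e "$fwdir/$fw" ] && [ ! -e "$fwdir/$fw.xz" ] \
           && [ ! -e "$fwdir/$fw.zst" ]; then
            printf '%s %s\n' "$mod" "$fw"
        fi
    done
}

# Names of the modules currently loaded, one per line.
loaded_modules() {
    ls /sys/module 2>/dev/null
}

# Report, when run on a real system: loaded modules that want firmware
# which is not installed.  On a fully free distribution these are the
# drivers likely to fail or lose features, unless linux-libre-firmware
# carries a free replacement for the blob.
if command -v modinfo >/dev/null 2>&1 && [ -d /sys/module ]; then
    firmware_requested_by $(loaded_modules) \
        | missing_firmware "${FWDIR:-/lib/firmware}"
fi
```

Two ways to use it: on the current Arch install, run `firmware_requested_by $(loaded_modules)` alone to get the full list of blobs the hardware actually uses, and compare that list against what linux-libre-firmware ships; on the Trisquel or Parabola livecd, the missing-firmware report directly names the drivers (typically the WiFi card or GPU, as the mail says) that will not get their blob.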