Which firmware in common laptops

Paul Boddie paul at boddie.org.uk
Mon Mar 2 16:10:57 UTC 2015


On Monday 2. March 2015 15.58.59 Paul van der Vlis wrote:
> On 02-03-15 at 14:58, Paul Boddie wrote:
> > On Monday 2. March 2015 14.26.02 Paul van der Vlis wrote:
> >> I am most interested in the devices that have replaceable firmware.
> >> Because somebody could do bad things with it, like they did with the
> >> firmware of hard disks.
> > 
> > I think there definitely needs to be more discussion around firmware
> > which can or cannot be upgraded, particularly since a lot of people seem
> > to disagree with the FSF's position on this.
> 
> For me there is not so much difference between uploading closed-firmware
> by the OS and having a flashrom with closed-firmware feeding such a
> controller with closed-firmware. (But closed-firmware should not be
> distributed with an open source OS.)
> 
> When it's about firmware on a non-flashable ROM, I have the same
> conclusion as the FSF.
> 
> I would like to have open hardware/firmware, but that's not easy to
> realize. For me closed firmware is not the biggest problem, but I would
> like to make a sha256sum of it for security.

There are certainly plenty of considerations: whether it is closed or open to 
begin with, whether it can change, how it can change, who can change it, and 
who actually can make meaningful changes (whether it's open or closed, again). 
If you trust the manufacturer even if the firmware is closed, but don't trust 
further modifications (from whatever source), being able to verify that the 
firmware remains unchanged is also critical.

> > From one perspective, making the firmware
> > immutable is a bad thing for people who want to fix or improve it,
> > ultimately consigning hardware to waste if it turns out to be critically
> > flawed, but from another perspective, if only the manufacturer is in a
> > position to upgrade the firmware, then they are exercising rights that
> > they deny to the hardware's owners.
> 
> Correct. But realize that maybe not only the manufacturer can do it. The
> code could be stolen, confiscated, extorted, or "part of a deal". China
> now wants source code before buying hardware.

In the end, the poor end-user is last in the queue, and potentially many other 
parties have their opportunities to deny the end-user various freedoms. I can 
understand the FSF's position, certainly, although it also raises the issue of 
whether the firmware is guaranteed to be immutable, say, if it is provided in 
flash memory whose contents are supposedly protected.

> > It's understandable to say that if there's a choice between only some
> > people having the right to upgrade firmware and nobody being able to do
> > it, then the latter prevents one group of people from having power over
> > the other, potentially. However, there's always the argument that such
> > power can be exercised by merely getting the firmware "right first time"
> > (for whatever purpose) and then relinquishing the right to upgrade in
> > order to satisfy the FSF criteria.
> > 
> > Sorry to drag things off topic, although I'll gladly point out Novena [1]
> > for anyone not already aware of it as a useful reference for such
> > matters.
> > 
> > Paul
> > 
> > [1] http://www.kosagi.com/w/index.php?title=Novena_Main_Page
> 
> This is really interesting hardware. Maybe I will order it, is there
> more information available? I would like to read a "critical article".

Well, there's a crowd-funding campaign that got financed three times over [2], 
and the developers have a proven track record and have been very transparent 
about their operations, meaning that there's been a lot to learn from just 
following what they are doing.

Paul

P.S. I haven't ordered a Novena, so this isn't an endorsement by any means.

[2] https://www.crowdsupply.com/kosagi/novena-open-laptop
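
The hashing idea raised in this thread (taking a sha256sum of firmware so that later changes can be detected), as an added example that is not part of the original message. The directory layout, the `.bin` file names and the function names are hypothetical, and the images are assumed to have been read out to files already.

```shell
#!/bin/sh
# Added example: baseline and re-check SHA-256 digests of firmware dumps.
# Assumes each image was already read out to DIR/*.bin; names are hypothetical.
# The digest only covers what the read-out returned.

# fw_baseline DIR MANIFEST: record "digest  name" for every image in DIR.
fw_baseline() {
    ( cd "$1" && sha256sum -- *.bin ) > "$2"
}

# fw_verify DIR MANIFEST: one status line per image; returns 1 on any drift.
fw_verify() {
    dir=$1; manifest=$2; rc=0
    while read -r want name; do
        name=${name#\*}                      # binary-mode marker, if present
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; rc=1
        elif [ "$(sha256sum < "$dir/$name" | cut -d' ' -f1)" = "$want" ]; then
            echo "OK $name"
        else
            echo "CHANGED $name"; rc=1
        fi
    done < "$manifest"
    # An image that appeared after the baseline is drift too.
    for f in "$dir"/*.bin; do
        [ -e "$f" ] || continue
        n=${f##*/}
        cut -c67- "$manifest" | grep -qxF -- "$n" || { echo "NEW $n"; rc=1; }
    done
    return "$rc"
}

# Constructed demo: three fake images, then one altered, one removed, one added.
fw_demo() {
    d=$(mktemp -d); m=$(mktemp)
    printf 'EC-1.0'   > "$d/ec.bin"
    printf 'BIOS-2.3' > "$d/bios.bin"
    printf 'WIFI-7'   > "$d/wifi.bin"
    fw_baseline "$d" "$m"
    printf 'BIOS-2.3x' > "$d/bios.bin"       # simulated modification
    rm "$d/wifi.bin"
    printf 'HDD-9'    > "$d/hdd.bin"
    fw_verify "$d" "$m" || true
    rm -rf "$d" "$m"
}

fw_demo
```

The manifest should be kept somewhere the machine being checked cannot rewrite, since a baseline stored beside the images can be replaced along with them.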


