Sign In
Close
The state of open-source hardware by Mircea
I am a great fan of open-source software and have been for over a decade now. Recently I've been asking myself a few questions, regarding the state of FOSS and how much of it we truly get to rely on in our everyday lives. Note that this post will be a bit long, and might require a good understanding of hardware and firmware in general (I'm not above average at this chapter myself).
Many of us choose to install and use open software for various activities: Some of us have a FOSS operating system (Linux instead of Windows), others just use free alternatives to commercial software for their work (LibreOffice instead of Microsoft Office), some gamers prefer free games over commercial alternatives (Xonotic instead of Team Fortress), and the list goes on. I'm among those who take comfort in the idea of going full FOSS, which I have since I permanently made the switch to openSUSE Linux. While for me it's an ideological thing too since I feel that I'm supporting something free that was created by others like me, I also take comfort in knowing that I'm always using trusted software: When the source code and compiled binary are both in a trusted repository that anyone can check, you know it's far more unlikely that someone would sneak in programs that spy on you or attempt to control your machine... things that Windows 10 or Apple's OS are notorious for doing.
Recently however, I've become more aware of something that doesn't stand out right away: You can't truly go full open-source... at least not very easily. While you can install a FOSS operating system like Linux, you're still using a computer that has a proprietary BIOS coded by the manufacturer. The BIOS is just the tip of the iceberg: Various other components have proprietary firmware which cannot be changed. This is most obvious with video cards, who rely on a binary blob for the video driver to work with... however the issue exists for every component at the end of the day, including motherboard chips and the network card and the hard drive and the monitor on your desk.
To this day this hasn't been something people had to give much thought to: The firmware is only responsible for providing an API for other drivers to work with, you almost never need to modify and update such a thing, usually it's easy to forget it even exists to begin with. But with computing power increasing, firmwares are becoming an increasing concern... especially among the surveillance and online censorship scandals society has found itself in during the past year. There will come a day when the BIOS will be capable of secretly sending whole files from your machine to an external server, effectively stealing files off your drive or logging pressed keys (which can reconstruct messages you type or your passwords). Censorship in the name of safety from random dangers has also been forced on us, and there may come a day when network card manufacturers could be required to include content blacklists directly in the firmware of network cards. In the very distant future, video cards may even come with firmware that can detect copyright in images using an external database, effectively blacking out your screen if something forbidden pops up! We need to have an alternative ready before those kinds of disasters can start happening.
Amid such concerns, I've grown interested in how much open-source hardware and firmware we have access to right now, to protect ourselves from hidden software or applications being forced on us by devices themselves. I want to imagine a world where every motherboard and video card and hard drive has FOSS alternatives on the market shelves, meaning they come unlocked software wise and anyone can code a firmware for them... including the ability to install and update your own firmware of choice after you take your device home and plug it into your computer. Unfortunately this idea faces at least three major issues I'm aware of:
- Most computer hardware manufacturers create their products with intent for their software to not be modified, making that difficult both by design and by law. It's easy to see why this happens: The production of motherboards or video cards or LCD monitors is an industrial scale business, which requires large costly factories and employees that must be paid well... it's not something you can do at home, or that a few people can create a Kickstarter campaign for.
- Updating the firmware on a device is very difficult. I am a casual programmer, and even I wouldn't have any idea how I could possibly take my webcam or drawing tablet and replace the software embedded into it! Is this even physically possible through the USB cable, granted the firmware is most likely mounted on a read-only chip? Further more, components the computer rely on to run are hard to update while the computer is running, however the computer must run to do the update thus creating a paradox... imagine taking down your chipset to update it for instance, it would be the equivalent of plucking out your RAM while the computer is powered on and processing data!
- Updating the firmware on a device is extremely risky. One little mistake and your device will be bricked, which basically means you'll have to throw it away and get a new one. This happens because the firmware you're updating is often also the firmware used to make the device communicate with the computer: If that is erased or corrupted, you have no way to connect the device again in order to get a new firmware installed.
For this ideal world to be possible, a few changes would need to be made. For point 1, we'd need corporations willing to produce FOSS hardware without seeking any control over the software we put on them... I believe there have been attempts in the past, this is definitely not impossible. For points 2 and 3, the device would need to have two different chips and essentially two firmwares: One that handles only connectivity (allows you to read and write to the chip) and said chip which contains the actual firmware (operates the functionality of the device)... this way the device can always be repaired if you brick the firmware, as you're not affecting the area which writes to the medium where the firmware is stored. The computer itself would have to allow booting into a special mode, which basically shuts down usage of all connected devices (including its own chipset) so that the firmware can be updated safely... in realtime this would almost never be possible as you'd need to suspend access to the CPU / video card / hard drive which would instantly crash the system.
I wish to know to what extent this has been done so far: Are there any open-source motherboards (including the BIOS) and video cards and other components, which are available in shops now or any of us can order online from across the world? If not then I'm wondering if this might ever happen: Could we live to have affordable computers and laptops and smartphones that are fully FOSS, meaning we can put our own firmware into any component without requiring advanced technical knowledge or there being a risk of breaking it?
Journal Information
- Views:
- 190
- Comments:
- 1
- Favorites:
- 0
- Rating:
- General
Link
9df90f5f
I know that there's coreboot, which looks like it only replaces the BIOS (/UEFI). Its fork-like thing, Libreboot (as far as I can tell from a few minutes of looking around, Coreboot takes a "running some proprietary software is better than not running at all" approach, while Libreboot takes the stricter alternative), has on its website a list of problems with proprietary components of processors themselves. I'm not going to rewrite it all here, but, to summarize, modern Intel and AMD processors have small systems within the chip that run proprietary software and have the potential to do scary things (in particular, connect to the network by themselves, which theoretically gives it the ability to update itself this way, though I don't see any mention of this ever actually happening, from a quick reading). Intel's apparently trying to use theirs in order to do media DRM, which seems sort of concerning to me in terms of "have control over your own computer" (though I've never heard of this outside this webpage, so this evidently isn't amazingly widespread). It looks like unless you want to only use processors from 2012 or earlier, you would have to buy a computer running on ARM or similar (e.g. the in my opinion extremely expensive Talos II) to avoid this.
But even if you replace the BIOS and processor, you still have all the other stuff that you talked about in this journal. I recall that the NSA apparently developed some way to hide their spyware within hard drive firmware, for instance. I think that the problem with this is economic; there is (relatively) little demand for hardware with free firmware, and a lot of it (for example, video cards) seems to be made by a small handful of companies who spend millions or billions of dollars developing a chip or architecture or that sort of thing and then let other companies use it in their products (though I am not at all familiar with this process, and there is a chance that my understanding of how it works could have some fundamental flaw), so there's not enough money to do all the "R&D" to make a custom video card, for example, it seems to me. And then you have all the different components that would need to have this done to them, which makes it even worse. So, it would be very hard, I think, to replace every single proprietary component.
You might be able to do this by some restricted interface. For hard drives, for exmaple, we might take the (as I understand it, created as an abstraction by the OS) view that they're just collections of blocks, where you can read from and write to a block, and that's it. But then (even ignoring that I think there are all sorts of e.g. error-recovery features that make a hard drive practical) you can't do things like SMART (a way to get information on the health of the hard drive; for example, I think one of the SMART features that some hard drives support is a counter of the total number of times it's gone into physical freefall and taken precautions against the head coming into contact with the platter, though I've just recently learned about SMART, so I'm not too familiar with its capabilities). I think that there's an unavoidable tradeoff between a low attack surface/space for proprietary stuff to squeexe through and functionality.
I'm fine with something as simple, say, a microwave oven that uses proprietary software, because it's straightforward (you put a time in, put a power in, press the start button, it runs the microwave and spins your food around while counting down, and then stops, and other simple tasks) and giving access would be more trouble than it's worth. (Unless it's one of those appliances that lets you post to Twitter and do other things, though I've never seen one of those outside of a store, so I don't think they've caught on much.) My microwave won't become part of a botnet, and no one will use it to spy on me. Likewise, I suppose that, under strict conditions--no backdoor waiting to be activated, no security flaws (of course, an impossible task), I would accept a hard drive or something with proprietary firmware, as long as the firmware just controlled the internals of the hard drive and nothing else. (It is possible that if someone is very interested in hard drives and wants to mess around with them, they'd oppose this; can't you apply this same argument to computers, they'd say? Just run Windows and never connect it to a network (no backdoor) and you're good to go? That may discount what I'm saying here.) But I don't think that this could make much of a profit, I don't know if it would be practical to do if money wasn't an issue, and I don't think that it's strictly possible, anyhow.
And even then, it's still possible for hardware manufacturers to embed backdoors or DRM or accidental flaws into hardware itself, not even firmware (e.g. those recent 2 problems with Intel processors, the names of which I can't remember now). So, I think that, unless you have your own laboratory to examine the chips, there's some level of trust that goes into using anything you didn't build yourself out of transistors and wire. That being said, though, it would be nice to see more free firmware and similar.
I wrote this while tired and without too much review, so if you find a sentence that doesn't seem to make sense, don't spend too much time scrutinizing it, lest I be responsible for taking your time away from something more useful :)