[Ksummit-discuss] [TECH TOPIC] Firmware signing

James Bottomley James.Bottomley at HansenPartnership.com
Wed Jul 29 15:00:00 UTC 2015


On Wed, 2015-07-29 at 10:37 +0100, David Woodhouse wrote:
> On Tue, 2015-07-28 at 14:38 -0700, Greg KH wrote:
> > On Tue, Jul 28, 2015 at 11:54:28AM -0700, josh at joshtriplett.org wrote:
> > > > So in that case, what's the advantage of separating the firmware from
> > > > the driver?  If we can't update it without updating the driver, we could
> > > > just build it in and save a huge amount of hassle.
> > > 
> > > Licensing, which is a large part of why we have request_firmware to
> > > begin with.  Let's not make distribution kernel maintainers' lives more
> > > difficult than they already are.
> > 
> > Not true at all, please talk with some lawyers about this.
> > 
> > Or, to be clear, the lawyers I have discussed this with have no issues
> > at all with it.  Yours might differ. 
> 
> Lawyers will mostly argue anything their client wants them to.
> 
> So that isn't data; it's barely even a relevant anecdote. It certainly
> doesn't merit a blanket statement like 'not true at all'.
> 
> If anything, your anecdote tells us more about the desires of those who
> were *paying* the lawyers in question, than it does about the matter at
> hand.
> 
> Hell, *I* can find a doctor who will assert that vaccines cause autism,
> if you want one¹. 

That's not even an opinion, it's wrong on the facts.  You can always
find a crackpot willing to argue by misrepresenting the facts, but it's
not what a reasonable person (or company) should base their decisions on
and not what we should do ... unless you want to open the door to say
re-doing our geo location libraries to take into account the views of
the flat-earth society?

> Something like this is not *truly* settled until/unless there is a
> court ruling — and then only in that jurisdiction, and until/unless
> it's appealed/overruled.
> 
> So yes, I'm sure there are lawyers who will turn up in court and argue
> whatever it is that they need to argue to make that case — that a
> kernel bzImage *isn't* a "work based on the [Linux kernel]", or that a
> binary-only firmware image therein, which cannot be automatically
> extracted or separated because it is static data within one of the C
> files of a GPL'd driver, somehow *is* nevertheless "being distributed
> as a separate work".
> 
> But there are other lawyers and expert witnesses who will respond to
> those arguments with a resounding WTF.
> 
> Nobody gets to say "not true at all" before it's actually come to
> court.
> 
> In the meantime, there are genuine licensing reasons why a risk-averse
> company might elect *not* to build non-GPL firmware *into* a Linux
> kernel image. Because they might not want to end up being summoned to
> that court room, and might not want to have to pay that lawyer to make
> that argument.

Really, no, there aren't.  Firmware is an operating system independent
blob which runs on a separate processor without modification for
Windows, Linux, Solaris or any other OS.  As such, there's no way it can
be considered a derived work of (or even based on) the Linux Kernel.
Thus it falls under the aggregation terms of clause 2 of the GPL:
        
        In addition, mere aggregation of another work not based on the
        Program with the Program (or with a work based on the Program)
        on a volume of a storage or distribution medium does not bring
        the other work under the scope of this License.

So it definitely doesn't have to be distributed under GPL and can be
aggregated with GPL components like Linux.

You're not out of the woods with this, though: the licence of the
firmware must permit arbitrary redistribution (and we've seen some that
don't), so it still has to be released under a freely redistributable
licence.  And, obviously, there's a greyer area for Linux Specific
firmware, but the above applies in the general case.

Distributions, like Debian, which have a definition for what they
consider to be "free software" may obviously conclude that binary blobs
don't satisfy that definition and therefore must be confined to the
non-free part of the distribution.  We can certainly continue to ship
firmware separately as a courtesy for Debian to prevent the hardship of
having to banish the whole kernel to non-free, but it's not because
there's any shadow of a doubt about the legality of aggregating Linux
independent firmware with the Linux Kernel.

James
