[Ksummit-discuss] [TECH TOPIC] Firmware signing

James Bottomley James.Bottomley at HansenPartnership.com
Wed Jul 29 16:38:08 UTC 2015


On Wed, 2015-07-29 at 16:35 +0100, David Woodhouse wrote:
> On Wed, 2015-07-29 at 08:00 -0700, James Bottomley wrote:
> > 
> > 
> > Really, no, there aren't.  Firmware is an operating system independent
> > blob which runs on a separate processor without modification for
> > Windows, Linux, Solaris or any other OS.  As such, there's no way it can
> > be considered a derived work of (or even based on) the Linux Kernel.
> > This...
> 
> I don't ever think anyone would claim that the firmware is a derived
> work of the Linux kernel. Or that it is based on the Linux kernel.

OK, got that.

> That's a straw man. But it's also not really necessary for the point
> you were making, which might as well start here:
> 
> > ...it falls under the aggregation terms of clause 2 of the GPL:
> >         
> >         In addition, mere aggregation of another work not based on the
> >         Program with the Program (or with a work based on the Program)
> >         on a volume of a storage or distribution medium does not bring
> >         the other work under the scope of this License.
> > 
> > So it definitely doesn't have to be distributed under GPL and can be
> > aggregated with GPL components like Linux.
> 
> I understand that opinion. But the whole 'mere aggregation on a volume
> of a storage or distribution medium' thing is fairly ambiguous, and
> there is plenty of scope for interpretation.

No, it's not, you missed quoting the part that defines it.  It
specifically applies to aggregates of additional components which are
*not* based on the work.  The exact legal test for applying this
paragraph to a component is "not based on the work".

> Certainly it seems intended to cover at *least* the case of things like
> the old "shareware CDs", allowing GPL'd software to be included on
> those as well as non-GPL'd software. Those are collective works, and
> without the exception *would* have been prohibited by the GPL. (Again,
> just in terms of what you are permitted to do with the GPL'd thing,
> without ever making the bizarre claim that the non-GPL'd parts are in
> any way derivative of or based on the GPL'd parts.)
> 
> 
> It's possible to interpret that same clause as negating the *entirety*
> of the paragraphs that precede it — permitting *any* combination of GPL
> and non-GPL works as long as you call it 'aggregation' — and ignoring
> the ill-defined word 'mere' that precedes it, and the context 'on a
> volume of a storage or distribution medium' that follows.

No, the GPL relies on a specific copyright mechanism to apply to an
aggregated work, see below.

> One could then argue that even linking a proprietary piece of native
> code into a GPL'd work and calling it directly is permitted — it's
> still merely aggregation. Obviously, that doesn't seem like a
> *reasonable* interpretation, as it would clearly make the licence
> inconsistent with itself. So I wouldn't bet on a court backing that
> interpretation — but then again, courts have done stupider things.

No you can't.  Whether the aggregate paragraph I quoted applies is very
specific in legal terms.  It only applies to the combination of the work
with something which is not a derivative of the work.

> Then there's a whole spectrum of other possibilities, between the
> minimal 'allow GPL'd stuff to appear on shareware CDs' to the excessive
> 'allow anything as long as you call it aggregation' interpretations
> that I have outlined.

Well aggregate has a very specific legal meaning:

        AGGREGATE: A collection of particular persons or items, formed
        into one body

the mere act of aggregation does not constitute making a derivative
work.  We have to make other additional legal arguments if we want to
claim the aggregation is also a derivative.

> Your viewpoint, while a valid opinion, falls closer to the latter end
> of that spectrum than mine does.
> 
> The fact remains that there is scope for reasonable people to disagree,
> that *none* of us are right until it's tested, and there *is* a reason
> for cautious people to err on the side of caution.

No, the paragraph is clear and has a well defined legal test: Unless you
can opine that the component you're aggregating is *also* based on the
work, the clause I quoted applies and the aggregation is allowed without
the component having to be under GPL.

> You make a point about Linux-specific firmware being a 'greyer area',
> which is true precisely *because* of the ambiguity here. That, along
> with many other factors, would affect a court's perception of whether
> the two parts are indeed 'merely aggregated on a volume of a
> storage or distribution medium', or whether they are tied together as a
> coherent 'whole which is based in part on the [kernel]'. 
> 
> 
> I'm not going to tell you that your opinion on the 'mere aggregation on
> a volume of a storage or distribution medium' thing is wrong, although
> I happen to disagree with it.
> 
> But I *am* telling you that you are wrong to claim that there is *no*
> risk. And that Greg is similarly wrong to make his absolute 'not true
> at all' claim.

Really, no, the GPL is very carefully written to follow the tenets of
copyright law and specifically and deliberately never defines what
constitutes a derivative work because it relies on case law to do that.
This means the copyleft capture applies only to something which in legal
terms is a derivative of the work.  An aggregate may or may not be a
derivative work, but the mere act of aggregation does not create a
derivative (and there is definite case law on this), you have to apply
additional arguments to determine if an aggregate is also a derived
work.  You already agreed that most firmware is not a derived work of
the kernel, ipso facto, it's an aggregate which is not based on the work
and thus falls under the clause I quoted.  That's why this clause
exactly says "aggregation of another work not based on the Program".

Binary modules may fall under the GPL because there's an untested legal
argument based on more than mere aggregation that they are derived works
of the kernel.  Unless you can make some argument for why a piece of
firmware is a derived work of the kernel, the aggregation paragraph
applies because it passes the "not based on the work" test and thus it
does not fall under the GPL.

James