[Lvfs-announce] LVFS Community Meeting: Alternate Branches

Richard Hughes hughsient at gmail.com
Tue Jan 25 11:20:29 UTC 2022


Hi all,

We normally only allow the silicon vendor, the ODM or the OEM to
upload firmware for hardware, and only if that entity has legal
permission to upload the file to the LVFS. The security model for
fwupd relies on standardised registries like USB and PCI, along with
immutable DMI information to ensure that only the correct vendors can
ship firmware for their own hardware, and nothing else.

This strict rule breaks down where the OEM responsible for the
hardware considers the device end-of-life and so the device will no
longer receive updates (even for critical security issues). There may also be
a situation where there exists an alternate (not provided by the
vendor) free software re-implementation of the proprietary firmware,
which may be desired for licensing reasons.

In these situations we can now allow another legal entity to also
upload firmware for the hardware, but with a few restrictions:

* The end user must manually and explicitly opt-in to the new firmware
stream, perhaps using fwupdmgr switch-branch, with a suitable warning
that there is no vendor support available and that the hardware
warranty is now invalid. This means that the alternate firmware must
set the device branch appropriately without any additional
configuration.

* The alternate firmware must not ship with any code, binaries or
generated assets from the original hardware vendor (perhaps also
including trademarks) unless written permission is provided
by the original hardware vendor.

Some real world examples might be providing an Open Source BCM57xx GPL
firmware for Broadcom network hardware, or providing a coreboot system
firmware for a long-EOLed Lenovo X220 ThinkPad. In this instance, the
LVFS may be the legal entity distributing the firmware, which is
actually provided by a trusted contributor who has permissions to
upload and hardware to test the update. In other cases another legal
entity (like coreboot itself) or an individual trusted contributor may
be considered the distributor.

In all cases the specifics should be discussed with the LVFS
maintainers, as should any concerns by licensors or existing
distributors.

I've decided to make this functionality the topic of the first LVFS
Community Meeting which is happening this Friday at 1700 GMT. See
https://github.com/fwupd/fwupd/wiki/LVFS-Community-Meeting-2022-01-28
for instructions. If you would like me to add you to the Google
calendar invite please let me know. If you're not comfortable joining
the Community Meeting I'm happy to get private feedback via email too.

Richard

