
Google and fwupd sitting in a tree


I’ve been told by several sources (but not by Google directly, heh) that from Christmas onwards the “Designed for ChromeBook” sticker requires hardware vendors to use fwupd rather than random non-free binaries. This does make a lot of sense for Google, as all the firmware flash tools I’ve seen the source for are often decades old, contain layer-on-layers of abstractions, have dubious input sanitisation and are quite horrible to use. Many are setuid, which doesn’t make me sleep well at night, and I suspect the security team at Google also. Most vendor binaries are built for the specific ODM hardware device, and all of them but one don’t use any kind of source control or formal review process.

The requirement from Google has caused mild panic among silicon suppliers and ODMs, as they’re having to actually interact with an open source upstream project and a slightly grumpy maintainer that wants to know lots of details about hardware that doesn’t implement one of the dozens of existing protocols that fwupd supports. These are companies that have never had to deal with working with “outside” people to develop software, and it probably comes as quite a shock to the system. To avoid repeating myself these are my basic rules when adding support for a device with a custom protocol in fwupd:

I can give you advice on how to write the plugin if you give me the specifications without signing an NDA, and/or the existing code under an LGPLv2+ license. From experience, we’ll probably not end up using any of your old code in fwupd but the error defines and function names might be similar, and I don’t want anyone to get “tainted” from looking at non-free code, so it’s safest all round if we have some reference code marked with the right license that actually compiles on Fedora 31. Yes, I know asking the legal team about releasing previously-nonfree code with a GPLish licence is difficult.

Matthew Garrett (Google): Extending proprietary PC...

  • Matthew Garrett: Extending proprietary PC embedded controller firmware

    I'm still playing with my X210, a device that just keeps coming up with new ways to teach me things. I'm now running Coreboot full time, so the majority of the runtime platform firmware is free software. Unfortunately, the firmware that's running on the embedded controller (a separate chip that's awake even when the rest of the system is asleep and which handles stuff like fan control, battery charging, transitioning into different power states and so on) is proprietary and the manufacturer of the chip won't release data sheets for it. This was disappointing, because the stock EC firmware is kind of annoying (there's no hysteresis on the fan control, so it hits a threshold, speeds up, drops below the threshold, turns off, and repeats every few seconds - also, a bunch of the Thinkpad hotkeys don't do anything) and it would be nice to be able to improve it.

    A few months ago someone posted a bunch of fixes, a Ghidra project and a kernel patch that lets you overwrite the EC's code at runtime for purposes of experimentation. This seemed promising. Some amount of playing later and I'd produced a patch that generated keyboard scancodes for all the missing hotkeys, and I could then use udev to map those scancodes to the keycodes that the thinkpad_acpi driver would generate. I finally had a hotkey to tell me how much battery I had left.

    But something else included in that post was a list of the GPIO mappings on the EC. A whole bunch of hardware on the board is connected to the EC in ways that allow it to control them, including things like disabling the backlight or switching the wifi card to airplane mode. Unfortunately the ACPI spec doesn't cover how to control GPIO lines attached to the embedded controller - the only real way we have to communicate is via a set of registers that the EC firmware interprets and does stuff with.

More by Michael Larabel

  • Google To Require "Designed For Chromebook" Devices Support Fwupd Firmware Updates

    Hughes shared the anecdote about the Fwupd requirement in this blog post while out of frustration also outlining how device manufacturers should work with him in Fwupd support for their products. That includes either specification or code access under a compatible license and without NDAs, the need for hardware access, understanding of device versioning, and other requirements.

Growing the fwupd ecosystem

  • Growing the fwupd ecosystem

    Yesterday I wrote a blog about what hardware vendors need to provide so I can write them a fwupd plugin. A few people contacted me telling me that I should make it more generic, as I shouldn’t be the central point of failure in this whole ecosystem. The sensible thing, of course, is growing the “community” instead, and building up a set of (paid) consultants that can help the OEMs and ODMs, only getting me involved to review pull requests or for general advice. This would certainly reduce my current feeling of working at 100% and trying to avoid burnout.

    As a first step, I’ve created an official page that will list any consulting companies that I feel are suitable to recommend for help with fwupd and the LVFS. The hardware vendors would love to throw money at this stuff, so they don’t have to care about upstream project release schedules and dealing with a grumpy maintainer like me. I’ve pinged the usual awesome people like Igalia, and hopefully more companies will be added to this list during the next few days.


More in Tux Machines

Android Document Scanning and Developer-Focused TV Box

  • The 15 Best Document Scanner Apps for Android Devices in 2020

    It doesn’t matter whether you are an Office job holder, a businessman, or a student; you will face a situation where scanning some papers or documents seems to be essential. But finding a scanner is tough in many places nowadays. You can deal with such a problem if you have installed any document scanner apps on your Android device. In PlayStore, some scanner apps can turn your mobile phone into a tiny scanner. So, just by installing a useful document scanner App, you can scan notes and documents anytime, anywhere.

  • Google ADT-3 is a Developer-Focused TV Box for Android TV on Android 10

    Back in 2014, Google killed Google TV and announced Android TV, and as a result, introduced ADT-1, the first developer kit specifically designed for Android TV.

Improving the security model of the LVFS

There are lots of layers of security in the LVFS and fwupd design, including restricted account modes, 2FA, and server side AppStream namespaces. The most powerful one is the so-called vendor-id that the vendors cannot assign themselves, and is assigned by me when creating the vendor account on the LVFS. The way this works is that all firmware from the vendor is tagged with a vendor-id string like USB:0x056A which in this case matches the USB consortium vendor assigned ID. Client side, the vendor-id from the signed metadata is checked against the physical device and the firmware is updated only if the ID matches. This ensures that malicious or careless users on the LVFS can never ship firmware updates for other vendors’ hardware. About 90% of the vendors on the LVFS are locked down with this mechanism. Some vendors have to have IDs that they don’t actually own, a good example here is for a DFU device like the 8bitdo controllers. In runtime mode they use the USB-assigned 8bitdo VID, but in bootloader mode they use a generic VID which is assigned to the chip supplier as they are using the reference bootloader. This is obviously fine, and both vendor IDs are assigned to 8bitdo on the LVFS for this reason. Another example is where Lenovo is responsible for updating Lenovo-specific NVMe firmware, but where the NVMe vendor isn’t always Lenovo’s PCI ID.
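
The client-side vendor-id check described above, sketched as an added example; this is a simplified model and not code from fwupd or the LVFS. The function names, the idea that a device reports a list of IDs, and the `USB:0xAAAA` / `USB:0xBBBB` values are assumptions made for illustration; only `USB:0x056A` comes from the text.

```python
import re

# Simplified model of the vendor-id gate; hypothetical names, not fwupd's API.
_VENDOR_ID_RE = re.compile(r"^([A-Z]+):0x([0-9A-Fa-f]{4})$")


def normalize_vendor_id(raw):
    """Return a canonical 'BUS:0xABCD' string, or raise ValueError."""
    m = _VENDOR_ID_RE.match(raw.strip())
    if m is None:
        raise ValueError(f"malformed vendor-id: {raw!r}")
    bus, vid = m.groups()
    return f"{bus}:0x{vid.upper()}"


def may_update(device_vendor_ids, metadata_vendor_ids, metadata_signature_ok):
    """Allow an update only if signed metadata names an ID the device reports."""
    if not metadata_signature_ok:
        return False  # vendor-ids from unsigned metadata prove nothing
    try:
        allowed = {normalize_vendor_id(v) for v in metadata_vendor_ids}
        present = {normalize_vendor_id(v) for v in device_vendor_ids}
    except ValueError:
        return False  # fail closed on anything that does not parse
    # An empty 'allowed' set also ends up here and is refused.
    return bool(allowed & present)


# Constructed sample data. A vendor locked to one ID (value from the text):
SINGLE_ID_FW = ["USB:0x056A"]
# A DFU-style vendor holding two IDs: its own runtime VID and the chip
# supplier's bootloader VID (both values are constructed placeholders).
DFU_VENDOR_FW = ["USB:0xAAAA", "USB:0xBBBB"]

if __name__ == "__main__":
    # Device in bootloader mode reports the chip supplier's VID.
    print(may_update(["USB:0xBBBB"], DFU_VENDOR_FW, True))
    # Same device, but firmware uploaded by a different vendor account.
    print(may_update(["USB:0xBBBB"], SINGLE_ID_FW, True))
```

The second call is the case the mechanism exists for: firmware tagged with one vendor's ID is refused on hardware that reports another's.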

Programming: Vim, Qt Shader and Python

  • Vim Text Editor for Beginners Part 1 - Introduction

    In my newly refreshed Vim series, you'll learn all the things you'll need to know in order to use this text editor in your daily workflow. In this first video, we'll get Vim installed and take an initial look.

  • Vim Text Editor for Beginners Part 2 - Combining Files

    In my newly refreshed Vim series, you'll learn all the things you'll need to know in order to use this text editor in your daily workflow.

  • Qt Shader Tools Looks To Become Official Qt6 Module

    The currently-experimental Qt Shader Tools allows for graphics/compute shader conditioning and is used by the in-development Qt graphics abstraction layer for supporting Vulkan / Metal / Direct3D / OpenGL APIs. Qt Shader Tools offers various shader features in preparing them for consumption by different graphics APIs. Qt Shader Tools is currently used ahead of time for QtGUI with Qt 5.14+. But for Qt 6.0, Qt Shader Tools is going through the appropriate steps for becoming a formal Qt 6 module for compiling and translating shaders between interfaces.

  • Python Positional-only parameters

    I have downloaded Python 3.8 and started to play around with those latest python functions. In this article, we will look at the Positional-only parameter syntax which is a function parameter syntax / to indicate that some function parameters must be specified positionally and cannot be used as keyword arguments which means after the / syntax we may specify a value for each parameter within that function.

  • For Loop in Python Explained With Practical Examples

    If you are just getting started to learn Python, you must be in search of something to explore for loop in Python. Of course, our list of free python resources should help you learn about it quickly. In either case, we shall help you learn more about the ‘for‘ loop in python using a couple of important examples.

Games: Pygame, The Long Dark, DXVK and Shovel Knight

  • Enable your Python game player to run forward and backward

    In previous entries in this series about creating video games in Python 3 using the Pygame module, you designed your level-design layout, but some portion of your level probably extended past your viewable screen. The ubiquitous solution to that problem in platformer games is, as the term "side-scroller" suggests, scrolling. The key to scrolling is to make the platforms around the player sprite move when the player sprite gets close to the edge of the screen. This provides the illusion that the screen is a "camera" panning across the game world. This scrolling trick requires two dead zones at either edge of the screen, at which point your avatar stands still while the world scrolls by.

  • Survival Mode in The Long Dark just got a lot bigger with the ERRANT PILGRIM update

    As promised, Hinterland Studio have released a huge update to the Survival Mode side of The Long Dark named ERRANT PILGRIM. It brings in a whole new region to explore, Bleak Inlet. Once a home to a thriving industrial Cannery, seismic activity cut-off Bleak Inlet from the rest of the Great Bear mainland. Exploring is not for the faint of heart, being Timberwolf territory but the treasures contained in the industrial complex may just be enough to warrant the journey.

  • DXVK Reportedly Going Into "Maintenance Mode" Due To State Of Code-Base

    While DXVK tends to be much-loved by Linux gamers for allowing more Direct3D 10/11 Windows games to run nicely on Linux with Wine or Proton (Steam Play) thanks to its fairly complete translation of D3D10/D3D11 API calls to Vulkan, it looks like Philip Rebohle is at least contemplating shifting it just into maintenance-mode. The DXVK lead developer recently commented that DXVK is "entering maintenance mode" and he doesn't want to make any significant changes or additions to the code.

  • Shovel Knight: King of Cards and Shovel Knight Showdown are out, completing the series

    Starting off with a successful Kickstarter crowdfunding campaign back in 2013 and growing into a massive multi-part 8-bit inspired world, Shovel Knight: Treasure Trove is now finally finished. Note: Keys provided by GOG.com to us. Originally having a goal of $75,000 and a Linux/macOS stretch goal at $130,000 it proved to be popular ending on $311,491. It's taken six years for Yacht Club Games to get here starting with Shovel of Hope, followed by Plague of Shadows in 2015, Specter of Torment in 2017, and now King of Cards and Shovel Knight Showdown in 2019.