Your message dated Thu, 21 Nov 2024 15:56:26 +0000
with message-id <e1te9xe-00fw4k...@fasolo.debian.org>
and subject line Bug#1081675: fixed in vboot-utils 0~R106-15054.B+dfsg-0.1
has caused the Debian Bug report #1081675,
regarding vboot-utils: The vboot source code contain nonfree software in tests/futility/data.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1081675: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081675
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: vboot-utils
Version: 0~R106-15054.B-1
Severity: serious
Tags: upstream
Justification: 1. DFSG-freeness
X-Debbugs-Cc: gnu...@cyberdimension.org

Dear Maintainer,

The vboot source code has nonfree software in tests/futility/data.

If I take bios_link_mp.bin for instance, it's an image meant to be flashed
on the boot flash (on the first Chromebook Pixel).

So if I do ifdtool -x bios_link_mp.bin it extracts the Management Engine
partition, which is in flashregion_2_intel_me.bin, which is not empty:
 
$ ifdtool -x bios_link_mp.bin
File bios_link_mp.bin is 8388608 bytes
  Flash Region 0 (Flash Descriptor): 00000000 - 00000fff
  Flash Region 1 (BIOS): 00200000 - 007fffff
  Flash Region 2 (Intel ME): 00001000 - 001fffff
  Flash Region 3 (GbE): 00fff000 - 00000fff (unused)
  Flash Region 4 (Platform Data): 00fff000 - 00000fff (unused)

The Management Engine firmware is then in flashregion_2_intel_me.bin

We can go further with the Coreboot source code to verify that it contains
nonfree code:
$ git clone https://git.review.coreboot.org/p/coreboot.git
$ sudo apt install python3-minimal
$ python3 coreboot/util/me_cleaner/me_cleaner.py -c flashregion_2_intel_me.bin
ME/TXE image detected
Found FPT header at 0x10
Found 15 partition(s)
Found FTPR header: FTPR partition spans from 0x93000 to 0x108000
ME/TXE firmware version 8.0.20.1513
Public key match: Intel ME, firmware versions 7.x.x.x, 8.x.x.x
Checking the FTPR RSA signature... VALID

So here we see that the signature is valid, so it contains nonfree code signed 
by Intel.

ifdtool also extracts flashregion_1_bios.bin, and that kind of image should
also have nonfree binaries like microcode updates, MRC / FSP binaries, etc.
inside the "BIOS" partition, though I'm unsure how to verify that easily as
I'm more used to more recent Coreboot images compatible with cbfstool (here
it uses fmap).

Though we can at least verify that it contains nonfree microcode quite easily:
$ git clone https://review.coreboot.org/p/bios_extract.git
$ sudo apt install guix
$ guix shell python2 -- python2 ./bios_extract/microcode_extract.py flashregion_1_bios.bin
[...]

And we then see nonfree microcode:
$ ls mcode_upd_0050*
mcode_upd_005004F8.bin  mcode_upd_005048F8.bin  mcode_upd_005090F8.bin  mcode_upd_0050D0F8.bin
mcode_upd_005028F8.bin  mcode_upd_00506CF8.bin  mcode_upd_0050A8F8.bin

There are more files than just bios_link_mp.bin in this directory; there are
even kernel images which lack complete and corresponding source code and that
may or may not contain nonfree firmwares.

One option here could be to just remove all the files in that directory
regardless of the vboot version. This way if upstream keeps adding more files,
they will also not be shipped.

Now just removing the test files might break compilation as the Makefile uses
these files, but it might be possible to just disable the tests using files
that contain code by patching the Makefile.

Also note that I didn't report the bug to upstream (maybe I should have) as
they don't have the same policy as Debian. Google may already have the right
to redistribute these images (I've no idea what kind of agreement they have
with the providers of nonfree software like Intel) as they already
redistributed them inside the Chromebooks themselves, and if they didn't have
the right to redistribute them through some other means, they might not have
added it in the first place in their source code repository. Though it's also
possible that it's also a bug upstream but we have no way to know without
bugreporting first.

I also started bugreporting that bug inside other distributions like Trisquel
which is a downstream of Debian. Since these utilities are widespread maybe we
need to coordinate with all the distributions that have policies that require
not to ship nonfree software in certain repositories. Guix is also affected
(I didn't bugreport yet), Fedora might be affected as well, etc.

I'm also not sure if other distros that don't have rules like the DFSG, FSDG,
etc. would be interested or not as I'm unsure if they have the right to
redistribute these binaries or not (it might depend on the jurisdiction they
operate in) or if they would even care.

-- System Information:
Debian Release: 12.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-23-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages vboot-utils depends on:
ii  flashrom            1.3.0-2.1
ii  libc6               2.36-9+deb12u8
ii  libssl3             3.0.14-1~deb12u2
ii  vboot-kernel-utils  0~R106-15054.B-1

Versions of packages vboot-utils recommends:
ii  cgpt            0~R106-15054.B-1
ii  coreboot-utils  4.15~dfsg-3

vboot-utils suggests no packages.

-- no debconf information

--- End Message ---
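
The region check from the report above, as an added example that is not part of the bug report and is not ifdtool's or me_cleaner's own code: it reads the Intel flash descriptor region table and tests whether the Intel ME region is populated, which is the kind of check a packager could run over a test-data directory. It assumes a version 1 descriptor (12-bit base and limit fields, matching the "unused" regions in the listing); the function names and the sample image are constructed for illustration.

```python
import struct

FD_SIGNATURE = bytes.fromhex("5aa5f00f")   # 0x0FF0A55A stored little-endian
REGION_NAMES = ["Flash Descriptor", "BIOS", "Intel ME", "GbE", "Platform Data"]


def parse_regions(image: bytes):
    """Return [(name, base, limit, used)] for a v1 flash descriptor, else None.

    The signature is searched at 4-byte alignment within the first 4 KiB.
    """
    sig = next((o for o in range(0, min(len(image), 0x1000) - 8, 4)
                if image[o:o + 4] == FD_SIGNATURE), None)
    if sig is None:
        return None
    flmap0, = struct.unpack_from("<I", image, sig + 4)
    frba = ((flmap0 >> 16) & 0xFF) << 4       # Flash Region Base Address
    if frba + 4 * len(REGION_NAMES) > len(image):
        return None                           # truncated or bogus descriptor
    regions = []
    for i, name in enumerate(REGION_NAMES):
        flreg, = struct.unpack_from("<I", image, frba + 4 * i)
        base = (flreg & 0xFFF) << 12          # assumption: v1, 4 KiB units
        limit = (((flreg >> 16) & 0xFFF) << 12) | 0xFFF
        regions.append((name, base, limit, limit >= base))
    return regions


def has_me_firmware(image: bytes) -> bool:
    """True if the Intel ME region is in use and holds an $FPT table at +0x10."""
    regions = parse_regions(image)
    if not regions:
        return False
    _, base, limit, used = regions[2]
    return used and limit < len(image) and image[base + 0x10:base + 0x14] == b"$FPT"


def make_sample() -> bytes:
    """Constructed 8 MiB image with the region layout shown in the report."""
    img = bytearray(b"\xff" * 0x800000)
    img[0x10:0x14] = FD_SIGNATURE
    struct.pack_into("<I", img, 0x14, 0x04 << 16)           # FRBA = 0x40
    struct.pack_into("<5I", img, 0x40, 0x00000000, 0x07FF0200,
                     0x01FF0001, 0x00000FFF, 0x00000FFF)
    img[0x1010:0x1014] = b"$FPT"                            # marker only, no firmware
    return bytes(img)


if __name__ == "__main__":
    for name, base, limit, used in parse_regions(make_sample()):
        print(f"{name}: {base:08x} - {limit:08x}" + ("" if used else " (unused)"))
    print("ME firmware present:", has_me_firmware(make_sample()))
```
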
--- Begin Message ---
Source: vboot-utils
Source-Version: 0~R106-15054.B+dfsg-0.1
Done: Bastian Germann <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
vboot-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1081...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Germann <b...@debian.org> (supplier of updated vboot-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 21 Nov 2024 13:20:44 +0100
Source: vboot-utils
Architecture: source
Version: 0~R106-15054.B+dfsg-0.1
Distribution: unstable
Urgency: medium
Maintainer: Sophie Brun <sop...@offensive-security.com>
Changed-By: Bastian Germann <b...@debian.org>
Closes: 1081675 1084077
Changes:
 vboot-utils (0~R106-15054.B+dfsg-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload
   * Exclude non-free files (Closes: #1081675)
   * Upgrade to llvm-toolchain 19 (Closes: #1084077)

--- End Message ---
