Francis Rowe (info@gluglug.org.uk) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/7058
-gerrit
commit cb882f1bb75aa2ccc5fa62284eacf5ee59029348 Author: Francis Rowe info@gluglug.org.uk Date: Mon Oct 13 00:14:53 2014 +0100
NOTFORMERGE: ec/lenovo/h8: permanently enable wifi/trackpoint/touchpad, disable bluetooth/wwan
Wifi is enabled by default: most users will want wifi. Intel wifi chipsets might be a security risk due to non-free firmware (these chipsets have DMA access) and could leak data over a side-channel. Switching to a non-intel wifi chipset (without firmware, or with free firmware) is recommended.
Disable wwan. These chipsets have non-free firmware in them and direct memory access. Disable bluetooth (potential security risk).
Enable trackpoint and touchpad. There is no reason to disable these.
Change-Id: Ic76ab9ab9c865f30312378e18af58bece6c3260a Signed-off-by: Francis Rowe info@gluglug.org.uk --- src/ec/lenovo/h8/h8.c | 22 ++++++++++++---------- src/ec/lenovo/pmh7/pmh7.c | 11 ++++------- 2 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/src/ec/lenovo/h8/h8.c b/src/ec/lenovo/h8/h8.c
index 79ef3cd..dd6f73c 100644
--- a/src/ec/lenovo/h8/h8.c
+++ b/src/ec/lenovo/h8/h8.c
@@ -245,9 +245,11 @@ static void h8_enable(device_t dev)
ec_write(H8_FAN_CONTROL, H8_FAN_CONTROL_AUTO);
- if (get_option(&val, "wlan") != CB_SUCCESS)
- val = 1;
- h8_wlan_enable(val);
+ // Permanently enable wifi
+ // Intel wifi could be a security risk because it uses firmware. Wlan chip has DMA
+ // and could leak data over a side-channel. Using another manufacturer is recommended.
+ // see http://libreboot.org/docs/index.html#recommended_wifi
+ h8_wlan_enable(1);
h8_trackpoint_enable(1);
h8_usb_power_enable(1);
@@ -255,14 +257,14 @@ static void h8_enable(device_t dev)
if (get_option(&val, "volume") == CB_SUCCESS)
ec_write(H8_VOLUME_CONTROL, val);
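Review bot: Hard-coding `h8_wlan_enable(1)` in the first h8.c hunk removes the `get_option(&val, "wlan")` lookup even though its fallback was already 1, so the only behavioural change is that a user who set the option to keep the radio off is now ignored. The new comment itself describes the card as a DMA-capable device running non-free firmware, so dropping the firmware-level off switch works against the stated goal. I would keep `if (get_option(&val, "wlan") != CB_SUCCESS) val = 1;` followed by `h8_wlan_enable(val);` and carry the rationale in a comment above it. The same applies to the touchpad and trackpoint calls in the last pmh7.c hunk, whose fallbacks were also already 1. h8_enable's body starts and ends outside the hunk.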
- if (get_option(&val, "bluetooth") != CB_SUCCESS)
- val = 1;
- h8_bluetooth_enable(val);
-
- if (get_option(&val, "wwan") != CB_SUCCESS)
- val = 1;
+ // Permanently disable bluetooth (potential remote security risk)
+ h8_bluetooth_enable(0);
- h8_wwan_enable(val);
+ // Permanently disable wwan
+ // These wwan chips have firmware in them - they have to. It's a small OS that handles communication
+ // with a telecoms provider. The issue is that this could allow remote access to the machine,
+ // and the cards have direct memory access. It could potentially leak data.
+ h8_wwan_enable(0);
if (conf->has_uwb) {
if (get_option(&val, "uwb") != CB_SUCCESS)
diff --git a/src/ec/lenovo/pmh7/pmh7.c b/src/ec/lenovo/pmh7/pmh7.c
index cb0e27b..38ca77a 100644
--- a/src/ec/lenovo/pmh7/pmh7.c
+++ b/src/ec/lenovo/pmh7/pmh7.c
@@ -106,7 +106,6 @@ static void enable_dev(device_t dev)
{
struct ec_lenovo_pmh7_config *conf = dev->chip_info;
struct resource *resource;
- u8 val;
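Review bot: "Permanently disable" in the bluetooth and wwan comments promises more than the visible code shows: `h8_bluetooth_enable(0)` and `h8_wwan_enable(0)` run once during h8_enable, and if those helpers only set an EC control bit (their bodies are not in this hunk) the OS may be able to turn the radios back on at runtime. I would word the comments as a boot-time default, for example `/* Off at boot only; verify whether the OS can re-enable this radio through the EC */`, so that nobody treats this as a DMA isolation boundary. Any "bluetooth" or "wwan" option a board still exposes is now silently ignored; keeping the lookup with a fail-closed fallback, `if (get_option(&val, "wwan") != CB_SUCCESS) val = 0;`, gives the same default without that surprise. The uwb radio in the trailing context still goes through get_option, which looks inconsistent with the policy applied here; that block continues outside the hunk.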
resource = new_resource(dev, EC_LENOVO_PMH7_INDEX);
resource->flags = IORESOURCE_IO | IORESOURCE_FIXED;
@@ -118,13 +117,11 @@ static void enable_dev(device_t dev)
pmh7_backlight_enable(conf->backlight_enable);
pmh7_dock_event_enable(conf->dock_event_enable);
- if (get_option(&val, "touchpad") != CB_SUCCESS)
- val = 1;
- pmh7_touchpad_enable(val);
+ // Permanently enable touchpad
+ pmh7_touchpad_enable(1);
- if (get_option(&val, "trackpoint") != CB_SUCCESS)
- val = 1;
- pmh7_trackpoint_enable(val);
+ // Permanently enable trackpoint
+ pmh7_trackpoint_enable(1);
}
struct chip_operations ec_lenovo_pmh7_ops = {