Hi,
As part of my work on GNU Boot, I found nonfree software in vboot[1] in tests/futility/data. The same binaries also probably have free software with missing corresponding source code but I didn't take the time to confirm that yet.
We'll take bios_link_mp.bin as an example. As many people know, is used in the first Chromebook pixel, and it's easy to extract things like the Management Engine firmware (with ifdtool -x) and to verify it with me_cleaner (though I'm unsure how to print which partitions it has and print that they are verified). It's also possible to extract things like the MRC binary as well with cbfstool (with cbfstool layout and then using the BOOT_STUB region of fmap).
Several distributions ended up using vboot source code to make some vboot-utils packages. It includes distributions like Debian, Fedora, Guix, Trisquel, etc. So these distributions ended up redistributing the mrc.bin for instance when they published the source version of the vboot-utils package.
Since all these distributions have repositories where redistributing nonfree software is forbidden, they automatically have a bug to solve here so I started bug reporting to them.
The distributions could also workaround and somehow remove the binaries from the source they publish but this then brings a question of maintenance over time, so this is what bring me here.
Questions on vboot: ------------------- Who is the vboot upstream, is it Coreboot or is it Google? Who should we discuss with when trying to understand if it's possible to find a solution.
Does anyone redistributing the vboot source code also has the right to distribute the binaries as-is (including things like Intel Microcode)? Since they come with no licenses there is also nothing that forbids reverse engineering, right?
Would it be possible to somehow remove or move the binaries somewhere else like in a separate git repository and make them optional in the tests? Or should we create free binaries somehow? Though I fear that the later somehow defeat the intent of the tests.
References: ----------- [1]https://review.coreboot.org/vboot.git
Denis.