On 6/23/19 12:00 PM, Stefan Reinauer via coreboot wrote: Thanks for the info. Didn't know that. Now, one has to wonder how many skilled developers actually do read and understand their code. IIRC Leah Rowe paid someone $90.000 for adding some code to LibreBoot. I'm mentioning this because it leads to the assumption that boot coding must be a pretty difficult task.

On 24.06.19 17:17, ron minnich wrote: You are saying this as if it would be magically better if it were open source. It's not legible code at all. Without a rewrite of its cherries, we would still have no idea about it. Its integration into coreboot is open source, btw. And even supposed to be reviewed. But it looks like hell. Parts of it never made any sense and most of the rest is copy- paste degraded. So much for reviewed code. I bet the integration of FSP-S has already outgrown the amount of code of an FSP-S rewrite. Oh, and I'm rather sure FSP is optional. If it weren't, selling coreboot products with it would seem like a GPL violation, at least to me. Well, I experience this very differently. Reviews aside, I spent most of my time with bug fixing. And most of the bugs I encounter are either due to unnecessary software complexity or because somebody ignored the little documentation that exists. Those aren't boot-coding problems. Nico

On 6/24/19 10:17 PM, ron minnich wrote: Here's the source. Leah Rove writes that she "paid 90,000 USD to Raptor Engineering to port the ASUS KGPE-D16 and KCMA-D8 to Libreboot". https://libreboot.org/news/leah-fundraiser.html

On Mon, 24 Jun 2019 08:17:14 -0700 ron minnich <rminnich(a)gmail.com> wrote: Not only that. For people that don't run any nonfree code somewhere else, the main thing to worry in that context should rather be all the nonfree software that is used during boot (FSP, Management Engine OS, PSP, SMU, etc), or at the lowest levels, and the CPU microcode. On the hardware supported by Libreboot, it's possible to get rid of most of the issues as they make sure that what they ship is fully free software. However, even with Libreboot, some very minor issues, compared to the rest, still need to be solved: - The Management Engine has a ROM that might still do unknown things once the computer is booted. For the computers with a GM45 chipset. - The Thinkpads have nonfree code on the embedded controller, this could be abused as a keylogger or could inject commands. This looks less a concern as it would need to be triggered in some way. - All x86 computers have a microcode, and so it may contain a similar backdoor than the one shown in the "Reverse Engineering x86 Processor Microcode". The microcode updates may also contain a backdoor so that won't solve the issue either. The ARM laptops supported by Libreboot are not affected. The supported AMD computers could also be not affected if/when their microcode are fully understood and that there are free software microcode patches to fix the most problematic issues. There is also some minor packaging work to be done on ARM, for instance there is no tor-browser release for ARM GNU/Linux yet, but I heard that some people are working on that. However for people that also run other nonfree software, including JavaScript in web pages, there is way too much things to care about to make sure that this software cannot somehow gain more privileges. This could still be improved by whitelisting some known free JavaScript programs (LibreJS does some of that), and/or making the websites work without Javascript. This could be worked on in the popular free and open source software web frameworks, and in the programs that block Javascript (like noscript, libreJs, etc). There is probably a long way to go for that, even if some minor improvements could have major usability improvements at the beginning. Denis.

Julius, good point. You're right. I was about to talk to the author and ask if he would mind some help. I'd like to see this code get in. On Mon, Jun 24, 2019 at 5:28 PM Julius Werner <jwerner(a)chromium.org> wrote: > > > We're reviewing the STM code, of course. > > While we're on the topic, can someone please ask the NSA to honor our > coding style? ;) I don't want to get involved because it's really not > my area, but it looks pretty terrible at the moment (full of camelCase > and ALL_CAPS identifiers, C99 comments, typedefs to non-coreboot > types, commented-out code, incorrect or missing license headers, > #pragma pack() instead of __packed, etc.). If they just want to > copy&paste wholesale UEFI files to coreboot, they should dump them in > vendorcode instead.

On 23.06.19 12:04, Hubert Ruch wrote: roughly 80 days of work for board bringup w/ such a complex and badly documented hw platform doesn't seem unusual. ARM is *much* easier here. --mtx -- Enrico Weigelt, metux IT consult Free software and Linux embedded engineering info(a)metux.net -- +49-151-27565287