# 2024-04-03 - coreboot Leadership Meeting Minutes
## Attendees

David Hendricks, Werner Zeh, Felix Held, Felix Singer, Jay Talbott, Jon Murphy, Jonathon Hall, Julius Werner, Martin Roth, Matt DeVillier, Maximilian Brune, Nicholas Chin, Philip Molloy, Mina Asante, Nico Huber, Linus Lackner.
## Announcements & Events

* OCP Regional Summit: Lisbon, Portugal on April 24–25, 2024 [https://www.opencompute.org/summit/regional-summit]
* FOSSY conference: August 1-4 2024 in Portland, Oregon, USA [https://sfconservancy.org/fossy/]
  * **[Community track proposals](https://sfconservancy.org/fossy/community-tracks) are open until April 18, 2024**
* COSCUP - Taipei, Taiwan on 2024/08/03 ~ 2024/08/04 [https://coscup.org/2024/en/landing]
* OSFC will be in Bochum Germany - September 3-5, 2024 [https://www.osfc.io/]
  * **[Call for participation](https://talks.osfc.io/osfc-2024/cfp) is open until May 31st, 2024**
* OCP Global Summit: San Jose, California on October 15–17, 2024 [https://www.opencompute.org/summit/global-summit]
## Open Action Items

* 2024-03-20
  * [Open] Martin: Add a note to the gerrit guidelines to email the leadership.
* 2024-03-06
  * [Open] Martin: To update documentation on gerrit contributing guidelines.
    * https://doc.coreboot.org/contributing/index.html
* 2024-01-10
  * [Open] Werner: Push patch based on https://ticket.coreboot.org/issues/522
    * Nico: https://review.coreboot.org/q/topic:enforce_region_api
  * [Open] Daniel: Look at how we want to localize (non console) strings for coreboot. Long term project.
## Minutes
### [Martin] Handle GOP drivers

* How do we intend to handle GOP driver init going forward? Do we know what graphics card manufacturers are planning? (When) will we lose legacy option ROM support on external graphics cards? Currently the option ROM is specified by the PCI specification, so maybe we don’t need to worry. I’m thinking we could look at something modular, like yabel or x86emu currently do for the legacy option ROMs.
  * Graphics card manufacturers often support both UEFI and legacy option ROM init. They may get rid of legacy option ROMs at some point...
  * coreboot may need to implement a wrapper for a few calls needed.
  * Martin has a list of what needs to be supported for the AMD GOP driver.
### [Martin] [CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094) liblzma build compromise

* The liblzma vulnerability did not impact coreboot source, but it did affect our build server images. Something similar could be done to coreboot to introduce some sort of vulnerability into the codebase. What do we need to do to help protect the coreboot codebase against similar attacks?
  * Isolate test targets in makefiles from normal builds?
  * Move all binaries out of the coreboot tree?
    * Relocating binaries probably won't help.
  * Julius: liblzma had a few issues that helped obfuscate the problem, such as using autoconf and automake that generate unreadable Makefiles.
  * Get rid of release tarballs?
    * [https://coreboot.org/downloads.html]
    * The vulnerability was injected into the release tarballs. coreboot has reproducible builds, so is there a purpose for having tarballs?
    * Werner: Having the source tarballs is useful in his case.
      * Corporate release processes make it difficult to point at a source code repo. Much easier to just point at a release tarball with everything needed.
    * Tarballs themselves are not reproducible. This can depend on things like the version of `tar` installed.
      * [reproducible-builds.org] has some suggestions on how to fix this.
### [Martin] Gitiles is still disabled

* It was disabled since a web crawler was hitting it with a lot of requests, causing a lot of traffic and CPU utilization, and ultimately DOS'ing Gerrit.
* What do we want to do until it’s re-enabled?
  * Should we just re-enable it now, blocking user-agents for known web-crawlers and see how things go?
  * Main advantage is that you click on a hash in Gerrit and it brings you to the source code.
  * We can't block IP addresses, but we can block user-agents.
  * FelixS has volunteered to work on this.
### [Werner] [https://review.coreboot.org/c/coreboot/+/69159]

* TPM patch was merged that breaks timeless builds somehow. .text and another section end up overlapping other sections.
  * This might need a recent patch to increase bootblock size.
    * [https://review.coreboot.org/c/coreboot/+/80348] <-- only applies to AMD right now.
* Why was this not caught by Jenkins?
  * It depends on the configuration, and only breaks if TPM is enabled.
# Next meeting

* April 17, 2024.
* [coreboot Calendar](https://coreboot.org/calendar.html).
# Notice

* Decisions shown here are not necessarily final, and are based on the current information available. If there are questions or comments about decisions made, or additional information to present, please put it on the leadership meeting agenda and show up if possible to discuss it. Of course items may also be discussed on the mailing list, but as it's difficult to interpret tone over email, controversial topics frequently do not have good progress in those discussions. For particularly difficult issues, it may be best to try to schedule another meeting.
# coreboot leadership meeting minutes [2024-04-03](https://docs.google.com/document/d/1NRXqXcLBp5pFkHiJbrLdv3Spqh1Hu086HYkKrgKj...).