Might be interesting for a few folks here?
---------- Forwarded message ---------
From: Richard Hughes <hughsient@gmail.com>
Date: Tue, 25 Jan 2022 at 12:20
Subject: [Lvfs-announce] LVFS Community Meeting: Alternate Branches
To: lvfs-announce@lists.linuxfoundation.org
Hi all,
We normally only allow the silicon vendor, the ODM or the OEM to upload firmware for hardware, and only if that entity has legal permission to upload the file to the LVFS. The security model for fwupd relies on standardised registries like USB and PCI, along with immutable DMI information to ensure that only the correct vendors can ship firmware for their own hardware, and nothing else.
This strict rule breaks down where the OEM responsible for the hardware considers the device end-of-life and so will no longer receive updates (even for critical security issues). There may also be a situation where there exists an alternate (not provided by the vendor) free software re-implementation of the proprietary firmware, which may be desired for licensing reasons.
In these situations we can now allow another legal entity to also upload firmware for the hardware, but with a few restrictions:
* The end user must manually and explicitly opt-in to the new firmware stream, perhaps using fwupdmgr switch-branch, with a suitable warning that there is no vendor support available and that the hardware warranty is now invalid. This means that the alternate firmware must set the device branch appropriately without any additional configuration.
* The alternate firmware must not ship with any code, binaries or generated assets from the original hardware vendor (perhaps also including trademarks) unless written permission is provided in writing by the original hardware vendor.
Some real world examples might be providing an Open Source BCM57xx GPL firmware for Broadcom network hardware, or providing a coreboot system firmware for a long-EOLed Lenovo X220 ThinkPad. In this instance, the LVFS may be the legal entity distributing the firmware, which is actually provided by a trusted contributor who has permissions to upload and hardware to test the update. In other cases another legal entity (like coreboot itself) or an individual trusted contributor may be considered the distributor.
In all cases the specifics should be discussed with the LVFS maintainers, as should any concerns by licensors or existing distributors.
I've decided to make this functionality the topic of the first LVFS Community Meeting which is happening this Friday at 1700 GMT. See https://github.com/fwupd/fwupd/wiki/LVFS-Community-Meeting-2022-01-28 for instructions. If you would like me to add you to the Google calendar invite please let me know. If you're not comfortable joining the Community Meeting I'm happy to get private feedback via email too.
Richard

_______________________________________________
LVFS-announce mailing list
LVFS-announce@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lvfs-announce