Debian testing/unstable also allows Realtek firmware
I installed hard disks containing pre-installed, blobless Debian into my newly obtained ThinkPad that came with a Realtek 8188CE. I was so surprised (again) that it was also operational, as it was in Trisquel 10.
It seems that I have to investigate the kernel. Maybe a Linux-libre kernel could prevent such extremely-dangerous firmware from being loaded? (I had to physically remove it again.)
echo "options rtl8192ce use_dev_fw=0" | sudo tee -a /etc/modprobe.d/prevent-firmware.conf
^ I'd imagine one could try something like this to try to disable it on the software end.
"rtl8192ce (supported devices)
Supports PCI-E devices based on the RTL8188CE and RTL8192CE chips."
https://wiki.debian.org/rtl819x#Drivers
Afterwards, try rebooting or reloading the module to see if it works.
Would you suggest replacing those mysteriously-working-nonfree-firmware NICs with AR9380 or AR9382 ones? Or alternatively with a libre usb adapter?
I guess that would not solve the mystery, but at least mitigate the security risks you are mentioning.
I'd love to do so, if there were no white-list restrictions. It's temporarily not supported by coreboot yet.
Update: After a recent update, Debian testing/unstable no longer loads the firmware. That's good.
I see. I thought coreboot would allow users to bypass these restrictions, but maybe I am confusing it with libreboot.
If the problem has now been solved on Debian testing, there is some hope that the solution will propagate. Did you check if it is also solved with Trisquel 10?
EDIT: I might have a better question: how could we check it, without ever having to plug in the incriminated hardware? This is a recurring problem, and it is not created by new hardware but by older hardware that is not properly identified as problematic. I have no idea of the actual threat but surely any nonfree stuff should be disposed of appropriately when any alternative solution is available.
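One way to approach the check asked about above without attaching the device, as an added example that is not from any poster in this thread: list the firmware files a driver module declares with `modinfo -F firmware` and look for each one in the kernel loader's default search directories. The function names are hypothetical, and the search order and the `.xz`/`.zst` suffixes are assumed to match the kernel's defaults.

```shell
# Added example: report which firmware files a kernel module declares and
# whether each one is present on disk, with no device attached.

# Default firmware search directories for kernel release $1 under the
# filesystem root $2 (empty for the running system, or a mounted image).
fw_dirs() {
    rel=$1; root=${2:-}
    printf '%s\n' "$root/lib/firmware/updates/$rel" "$root/lib/firmware/updates" \
                  "$root/lib/firmware/$rel" "$root/lib/firmware"
}

# Read firmware names on stdin, one per line, as `modinfo -F firmware`
# prints them. Print "present <path>" or "absent <name>" for each.
check_fw() {
    rel=$1; root=${2:-}
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        found=
        for dir in $(fw_dirs "$rel" "$root"); do
            # Newer kernels also accept compressed firmware files.
            for ext in "" .xz .zst; do
                if [ -e "$dir/$name$ext" ]; then
                    found="$dir/$name$ext"
                    break 2
                fi
            done
        done
        if [ -n "$found" ]; then
            echo "present $found"
        else
            echo "absent $name"
        fi
    done
}

# Audit one module against the running kernel, e.g.: audit_module rtl8192ce
audit_module() {
    modinfo -F firmware "$1" | check_fw "$(uname -r)" "${2:-}"
}
```

An `absent` line only shows that the kernel's loader has no file to hand to the driver; it says nothing about code already stored on the card itself.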
Update: I asked a community member to help remove the white list. Therefore I could install Atheros and throw away the Realtek.
Someone already modified the SPI flash of the computer, therefore the UEFI image couldn't be trusted. Implementing coreboot is the next step.
Trisquel's kernel is a deblobbed version of Ubuntu's kernel. I don't think Ubuntu's kernel is derived from Debian, because it has proprietary blobs.
> I don't think Ubuntu's kernel is derived from Debian, because it has proprietary blobs.
Indeed. Unless Canonical finds it funny to reblob a deblobbed kernel.
Many Debian-based non-free distributions re-introduce blobs to their kernels, not just Ubuntu.
Ubuntu does not do that:
Although, being based on Debian, it needs to build a Debian package for the kernel:
https://wiki.ubuntu.com/Kernel/FAQ/UbuntuDelta#Ubuntu_Packaging_Patches