Debian testing/unstable also allows Realtek firmware

9 respostas [Última entrada]
nadebula.1984
Desconectado
Joined: 05/01/2018

I installed hard disks containing pre-installed, blobless Debian into my newly obtained ThinkPad that came with a Realtek 8188CE. I was so surprised (again) that it was also operational, as was in Trisquel 10.

It seems that I have to investigate the kernel. Maybe a Linux-libre kernel could prevent such extremely-dangerous firmware from being loaded? (I had to physically remove it again.)

gaseousness
Desconectado
Joined: 08/25/2020

echo "options rtl8192ce use_dev_fw=0" | sudo tee -a /etc/modprobe.d/prevent-firmware.conf

^ I'd imagine one could try to something like this to try to disable it on the software end.

"rtl8192ce (supported devices)

Supports PCI-E devices based on the RTL8188CE and RTL8192CE chips."
https://wiki.debian.org/rtl819x#Drivers

Aftwards, try rebooting or reloading the module to see if it works

lanun
Desconectado
Joined: 04/01/2021

Would you suggest replacing those mysteriously-working-nonfree-firmware NICs with AR9380 or AR9382 ones? Or alternatively with a libre usb adapter?

I guess that would not solve the mystery, but at least mitigate the security risks you are mentioning.

nadebula.1984
Desconectado
Joined: 05/01/2018

I'd love to do so, if there were no white-list restrictions. It's temporarily not supported by coreboot yet.

Update: After a recent update, Debian testing/unstable no longer loads the firmware. That's good.

lanun
Desconectado
Joined: 04/01/2021

I see. I thought coreboot would allow users to bypass these restrictions, but maybe I am confusing with libreboot.

If the problem has now been solved on Debian testing, there is some hope that the solution will propagate. Did you check if it is also solved with Trisquel 10?

EDIT: I might have a better question: how could we check it, without ever having to plug in the incriminated hardware? This is a recurring problem, and it is not created by new hardware but by older hardware that are not properly identified as problematic. I have no idea of the actual threat but surely any nonfree stuff should be disposed of appropriately when any alternative solution is available.

nadebula.1984
Desconectado
Joined: 05/01/2018

Update: I asked community member to help remove the white list. Therefore I could install Atheros and throw away the Realtek.

Someone already modified the SPI flash of the computer, therefore the UEFI image couldn't be trusted. Implementing coreboot is the next step.

Legimet
Desconectado
Joined: 12/10/2013

Trisquel's kernel is a deblobbed version of Ubuntu's kernel. I don't think Ubuntu's kernel is derived from Debian, because it has proprietary blobs.

lanun
Desconectado
Joined: 04/01/2021

> I don't think Ubuntu's kernel is derived from Debian, because it has proprietary blobs.

Indeed. Unless Canonical finds it funny to reblob a deblobbed kernel.

nadebula.1984
Desconectado
Joined: 05/01/2018

Many Debian-based non-free distributions re-introduce blobs to its kernel, not just Ubuntu.

lanun
Desconectado
Joined: 04/01/2021