[opensuse-buildservice] Packaging UHD firmware binaries (source available under GPL)
Hi all,

I wanted to ask if it is OK to package precompiled binary firmware images (for USRP devices and so on), whose source code is available under GPL? I don't want to go into the hassle of cross-compiling the firmware as that would require an immense amount of work to get that right...

The firmware I'm talking about is available here: https://github.com/EttusResearch/UHD-Mirror/tree/release_003_005_001/firmwar...

So I guess that should be ok?

Best regards,
J Brauchle
On 10/04/13 06:02, Joschi Brauchle wrote:
> Hi all,
> I wanted to ask if it is OK to package precompiled binary firmware images (for USRP devices and so on), whose source code is available under GPL?

Precompiled when sources are available? hrmm.. it is not ideal but I see that it requires a toolchain we don't have around.. I say go for it.. ;)

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
On Wed, Apr 10, 2013 at 5:56 PM, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
> On 10/04/13 06:02, Joschi Brauchle wrote:
> > Hi all,
> > I wanted to ask if it is OK to package precompiled binary firmware images (for USRP devices and so on), whose source code is available under GPL?
>
> Precompiled when sources are available? hrmm.. it is not ideal but I see that it requires a toolchain we don't have around..
> I say go for it.. ;)

A nightmare for the security team though.
Ok, thanks for pointing that out! I completely understand that such a procedure is not desirable.

The only other way I could think of is using a "pullin" package (like fetchmsttfonts) that uses a downloading script to fetch the binary firmware.

On 04/11/2013 12:58 AM, Claudio Freire wrote:
> On Wed, Apr 10, 2013 at 5:56 PM, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
> > On 10/04/13 06:02, Joschi Brauchle wrote:
> > > Hi all,
> > > I wanted to ask if it is OK to package precompiled binary firmware images (for USRP devices and so on), whose source code is available under GPL?
> >
> > Precompiled when sources are available? hrmm.. it is not ideal but I see that it requires a toolchain we don't have around..
> > I say go for it.. ;)
>
> A nightmare for the security team though.

--
Dipl.-Ing. Joschi Brauchle, M.S.
Institute for Communications Engineering (LNT)
Technische Universitaet Muenchen (TUM)
80290 Munich, Germany
Tel (work): +49 89 289-23474
Fax (work): +49 89 289-23490
E-mail: joschi.brauchle@tum.de
Web: http://www.lnt.ei.tum.de/
On 11.04.13, Claudio Freire <klaussfreire@gmail.com> wrote:
> A nightmare for the security team though.

This firmware is run on the Cypress FX2 USB/FPGA bridge and the FPGA softcore. It is just uploaded to the USRP, and has no access to the host memory (USB can not issue DMA from the device side). I do not see any security issues here.

Regards,
Stefan

--
Stefan Brüns / Bergstraße 21 / 52062 Aachen
phone: +49 241 53809034 mobile: +49 151 50412019
On Thu, Apr 11, 2013 at 7:29 AM, "Stefan Brüns" <Stefan.Bruens@rwth-aachen.de> wrote:
> On 11.04.13, Claudio Freire <klaussfreire@gmail.com> wrote:
> > A nightmare for the security team though.
>
> This firmware is run on the Cypress FX2 USB/FPGA bridge and the FPGA softcore. It is just uploaded to the USRP, and has no access to the host memory (USB can not issue DMA from the device side). I do not see any security issues here.

The security team would have to make sure the binaries in those packages are indeed restricted to that usage. And they would have to understand pretty well what that device's capabilities are to be able to judge risk levels.

That's the nightmare.
On Thu, Apr 11, 2013 at 11:55:52AM -0300, Claudio Freire wrote:
> On Thu, Apr 11, 2013 at 7:29 AM, "Stefan Brüns" <Stefan.Bruens@rwth-aachen.de> wrote:
> > On 11.04.13, Claudio Freire <klaussfreire@gmail.com> wrote:
> > > A nightmare for the security team though.
> >
> > This firmware is run on the Cypress FX2 USB/FPGA bridge and the FPGA softcore. It is just uploaded to the USRP, and has no access to the host memory (USB can not issue DMA from the device side). I do not see any security issues here.
>
> The security team would have to make sure the binaries in those packages are indeed restricted to that usage. And they would have to understand pretty well what that device's capabilities are to be able to judge risk levels. That's the nightmare.

How is this different from kernel-firmware?

Regards,
Martin
On Thu, Apr 11, 2013 at 2:02 PM, Martin Koegler <martin.koegler@chello.at> wrote:
> On Thu, Apr 11, 2013 at 11:55:52AM -0300, Claudio Freire wrote:
> > On Thu, Apr 11, 2013 at 7:29 AM, "Stefan Brüns" <Stefan.Bruens@rwth-aachen.de> wrote:
> > > On 11.04.13, Claudio Freire <klaussfreire@gmail.com> wrote:
> > > > A nightmare for the security team though.
> > >
> > > This firmware is run on the Cypress FX2 USB/FPGA bridge and the FPGA softcore. It is just uploaded to the USRP, and has no access to the host memory (USB can not issue DMA from the device side). I do not see any security issues here.
> >
> > The security team would have to make sure the binaries in those packages are indeed restricted to that usage. And they would have to understand pretty well what that device's capabilities are to be able to judge risk levels. That's the nightmare.
>
> How is this different from kernel-firmware?

I guess it's not. I don't know how the review process for kernel firmware is, I've never submitted it, but it must be quite extensive and laborious.

Just pointing it out. When there are no sources, you have no choice. When there are sources, you do. Even if building the toolchain will probably be hard, it might be easier than going through such a laborious review process every time a submission is needed. Building the toolchain is a one-time task, whereas reviewing the binary is not.

If it's impossible because it includes proprietary tools... well... no choice either.
participants (5)
- "Stefan Brüns"
- Claudio Freire
- Cristian Rodríguez
- Joschi Brauchle
- Martin Koegler