From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
To: Vagrant Cascadian
Cc: help-guix@gnu.org
Subject: Re: Guix on the MNT Reform
Date: Thu, 9 Sep 2021 16:10:46 +0200
Message-ID: <20210909161046.7f1b13ca@primarylaptop.localdomain>
In-Reply-To: <87czpjqak9.fsf@yucca>
On Wed, 08 Sep 2021 09:47:02 -0700
Vagrant Cascadian wrote:

> On 2021-09-08, Christine Lemmer-Webber wrote:
> > Denis 'GNUtoo' Carikli writes:
> >> Here this i.MX8 issue also affects the Librem5 for instance, and
> >> probably several other devices as well. And the neat thing about
> >> the Librem 5 is that, as I understand it, the modem and the
> >> WiFi cards are removable.
> >
> > I am guessing the Pinephone has a similar issue (or more) though
> > I'm not sure.
>
> The Pinephone doesn't have that specific issue, as it's a different
> CPU (Allwinner A64), the same used on the pine64+ and pinebook, which
> are supported in Guix's u-boot. I vaguely recall those boards having
> similar types of issues early on requiring some binary blobs, but it
> was fixed in u-boot upstream with a free implementation!

WiFi:
-----
For any FSDG compliant distribution, the issue with the Pinephone will
be the WiFi: the WiFi driver requires a nonfree firmware.
There might be a way around that though: there are various Realtek
drivers that are released as GPL with the binary firmware as hex arrays
inside the drivers, in files with GPL headers. And I even managed to
find someone at an event (CCC Camp) that did a little bit of reverse
engineering on one of such binary firmwares.

Since we have GPL headers, we should be legally safe here and almost
everything should be permitted, including decompilation, automatic
reconstruction of corresponding source code, etc.

However the firmware architecture (8051) is less well supported by some
of the tools like retdec for instance, but we still have tools like
radare2, or sdcc that support it. And we probably even have several
emulators for that architecture as well.

Modem:
------
There is also another issue that affects several smartphones like the
Librem5, the GTA04 (if I recall well), and the Pinephone, but it's not
directly related to FSDG distributions: the modem is connected through
USB. It also affects some laptops with (potentially builtin) USB modems.

While it's orders of magnitude better than most phones that have shared
memory[2], we still need to protect against the modem being potentially
malicious. To do that we might need to enable usbguard or similar
things and disable usb in u-boot for instance, to be sure that the modem
can't become a keyboard.

On some devices it might be really easy for an attacker to make the
modem become a keyboard as in some cases the modem is really a
smartphone on a chip[3], and so it has some mix of Android and GNU/Linux
running on one of its processors (and probably nonfree modem firmwares /
OS running on the other processors). So on the GNU/Linux side of the
modem you can probably reconfigure the USB peripheral to also be a
keyboard. And it might not be that hard for attackers to find
vulnerabilities in the modem cellular stack and escalate to the
GNU/Linux part of the modem[4].
Once there, the attacker wouldn't be able to reconfigure the modem as a
keyboard and run commands with 'Alt+F2 + curl | sh' if usbguard blocks
the USB reconfiguration of the modem.

And while that kind of risk might not affect everybody, I think it would
still be a good idea to address them as sometimes compromise of
smartphones can lead to people being killed by repressive political
regimes[5]. And it would be a bad thing if these people wouldn't be able
to use free software because of security reasons. And here GNU/Linux has
probably way more potential to achieve that than Android in the long run
due to its architecture and code quality.

References:
-----------
[1] https://libreplanet.org/wiki/Group:Hardware/research/WiFi/Realtek
[2] https://redmine.replicant.us/projects/replicant/wiki/ModemIsolationResearch
[3] https://osmocom.org/projects/quectel-modems/wiki/Pine64_Pinephone
[4] https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20video%20and%20slides/DEF%20CON%2027%20Conference%20-%20Xiling%20Gong%20-%20Exploiting%20Qualcomm%20WLAN%20and%20Modem%20Over%20The%20Air.mp4
[5] Typically smartphones and computers of dissidents living abroad are
targeted in order to find out who they work with in the repressive
country in order to kill / torture / imprison these people.

Denis.
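As an added illustration of the usbguard approach Denis describes (this is an example policy, not part of his mail or of any project), a rules file that admits a USB-attached modem only while it presents no keyboard-class interface. The USB ID 2c7c:0125 is assumed to be the PinePhone's Quectel EG25-G, and the port names are placeholders; both should be taken from `usbguard list-devices` on the actual unit.

```conf
# /etc/usbguard/rules.conf -- example policy for a USB-attached cellular modem.
# Rules are evaluated top to bottom and the first match wins; a device that
# matches no rule gets ImplicitPolicyTarget from usbguard-daemon.conf, which
# this policy assumes is set to "block".
#
# Interface types are class:subclass:protocol in hex, "*" is a wildcard:
#   03:*:*   HID (keyboards, mice, any device that can type)
#   08:*:*   mass storage
#   02:*:*   CDC control (ACM/ECM/NCM), 0a:*:* CDC data
#   ff:ff:ff vendor-specific (AT/QMI/DIAG ports on most cellular modems)

# 1. Reject any composite device that exposes a HID interface next to a
#    modem-style interface, whatever vendor/product ID it reports.  "reject"
#    de-authorizes and removes the device, and because this rule precedes the
#    modem's allow rule, a modem that re-enumerates with an extra keyboard
#    interface is never allowed.
reject with-interface all-of { 03:*:* ff:*:* }
reject with-interface all-of { 03:*:* 02:*:* }

# 2. Allow the modem by its USB ID (assumed: 2c7c:0125, the Quectel EG25-G in
#    the PinePhone) only while it presents no HID, storage or video interface.
#    A firmware that turns the modem into a bare keyboard keeps the ID but
#    gains 03:*:*, fails "none-of", and falls through to the implicit block.
allow id 2c7c:0125 with-interface none-of { 03:*:* 08:*:* 0e:*:* }

# 3. Accept a keyboard only on the user-facing external port, never on the
#    internal port the modem hangs off.  "usb1-1" is a placeholder: read the
#    real "via-port" value from `usbguard list-devices`, and adjust the
#    interface set to what your keyboard actually exposes.
allow via-port "usb1-1" with-interface equals { 03:01:01 }
```

usbguard only governs devices seen by the running kernel; the u-boot stage Denis mentions needs its own USB setting.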