[csirac2]

> Are you saying the manufacturers will come up with some way of locking down their radio firmware that still permits something like OpenWRT to be installed on a router (or Linux on a laptop, for that matter)? Why would they bother when they could just lock the device down completely?

Yes. In the actual regs (which nobody seems to read), they suggest a list ("including but not limited to") a number of mechanisms by which manufacturers may choose to control the portion of their radio software that would impact the validity on their RF testing/validation/compliance results. One of them is signed firmware blobs: to me, that's the easiest, cheapest non-invasive method for WiFi module makers that won't create a huge compliance burden on the host device manufacturer. You go from having to load an unsigned firmware blob anyway, to a signed one. Which is a huge step in the right direction for firmware security anyway. As for modules which don't have blobs but do have the means to create non-compliant emissions just through the driver: it doesn't seem like much of a stretch that they could run new region-locked revs of their modules, or at least move those previously adjustable RF parameters/behaviours over to a signed image in a $0.10 SPI EEPROM chip.

All of this isn't just a PITA for users, it's a PITA for the device manufactures as well.

Particularly for laptop manufacturers. They could save $5 locking down the entire laptop, something they've never been able to do even when they try, or they could spend the extra $5 and get the module that's got a stand-alone certification and only requires them to submit a reference to the module's own FCC approval and some demonstration that the gain of the antennas in their product are in-spec.

[pdonis]

> One of them is signed firmware blobs

I'm not sure I understand what you're describing here. Suppose I have a router and I want to run OpenWRT on it. Are you saying that the router will have basically two "firmwares" in it? One that controls the radio chip only, and is signed, and has some kind of defined driver interface; and another that controls the rest of the device, and has a driver that talks to the signed blob, so as long as OpenWRT has that driver, I'm good?

Or suppose I have a laptop and I want to load Linux on it. Are you saying the wifi chip inside the laptop will have a signed firmware blob that controls the radio, and has a Linux driver interface, so I can load Linux on the laptop and talk to the chip?

Assuming the above is correct, how different is it from the way these devices are designed now?

[csirac2]

FCC is talking about the radio firmware blobs which drive the radio MCU/DSP chip. That is where you have the capability to drive the device out-of-spec. Not (necessarily) the Linux environment it is being driven from. This is a discrete, separate part to the main ARM or x86 CPU running Linux (though some SoCs are blurring those lines).

We already use firmware blobs on WiFi chips. It's why OpenWRT and friends are locked into old kernel versions for some routers: they don't have the source to the WiFi radio blob and can't recompile or reverse-engineer to make it work on newer kernels with different ABI. It's why we have a /lib/firmware directory for certain drivers in Linux: the device doesn't bother with flash memory, you have to load its firmware onto the device every power cycle into the DSP chip's memory.

So for many devices currently in existence, separate radio firmware is already how things are architected.

Some devices are flashed though, and don't require the host computer to load its own firmware, which is why I discussed a smaller EEPROM that would store signed config locking down the RF parameters and other aspects affecting certification.

Basically separate radio and OS firmware are how mobile phones currently work. That's why you see separate baseband versions from your OS version info in "about this phone": these new rules for SDR devices (separate to U-NII discussion here) will actually require a whole new FCC approval for each radio firmware change.

EDIT: And we haven't properly distinguished FCC approval process differences between modular WiFi transmitters (Eg. miniPCI-e cards) used in laptops and more expensive routers, which can self-contain and solve these issues by themselves without requiring the host device to care about U-NII security measures at all, versus cheaper/integrated products that may be crappy enough to require security measures in the main host device firmware in order to guarantee the radio firmware integrity to the FCC's satisfaction.

[pdonis]

Thanks, this is very helpful information.

> for many devices currently in existence, separate radio firmware is already how things are architected

This makes me feel better about things like laptops and routers (at least the more expensive ones), but this...

> cheaper/integrated products that may be crappy enough to require security measures in the main host device firmware in order to guarantee the radio firmware integrity to the FCC's satisfaction.

...makes me wonder about the future, since the trend for pretty much every category of device is towards "cheaper/integrated products". You mention that some SoCs blur the lines already.

> these new rules for SDR devices (separate to U-NII discussion here) will actually require a whole new FCC approval for each radio firmware change.

To make sure I understand, this would be an incentive for mobile phone manufacturers (for example) to continue to have separate radio firmware, even if they move to cheaper SoC designs, correct? Since otherwise (if there were only one firmware blob that contained both the OS and the radio controls), they would have to get FCC approval every time they wanted to push an OS update.

[csirac2]

> ...makes me wonder about the future, since the trend for pretty much every category of device is towards "cheaper/integrated products". You mention that some SoCs blur the lines already.

Yes, that's a legitimate concern, but there's a small consolation that this is a problem only for existing SoC architectures doing 5GHz. The new regs don't rule out new SoC architectures which would implement the enforced separation in silicon somehow. Although you're still stuck not having access to modular transmitter rules but that was the case already.

> To make sure I understand, this would be an incentive for mobile phone manufacturers (for example) to continue to have separate radio firmware, even if they move to cheaper SoC designs, correct?

Indeed, although I have oversimplified somewhat - some basebands do run on the same CPU as the OS, but something resembling a secure hypervisor (with secured boot, among other things) is used to enforce isolation between the baseband and OS (see OKL4).

[csirac2]

FWIW there's a recap in Ars with a response from the FCC.

http://arstechnica.com/information-technology/2015/09/fcc-op...