[kuhsaft]

Ah. I see. So the blobs are loaded into the separate microprocessors. Either way, it's the same as pretty much any modern phone, where the modem (and other secondary processors) are running some proprietary firmware and is communicating with the OS processor.

I don't see how it's different from running a free open-source ASOP OS. On the mainstream Android devices, the wireless hardware is also isolated and communication is done via IOMMU.

There's some debate as to whether using the USB stack for communication to the modem in the Librem 5 is less secure than IOMMU as well.

[seba_dos1]

Pretty much any modern phone is also full of blobs that run on the main CPU to ensure basic functionality, with only a handful of exceptions. Just consider how many features stop working or get severely degraded on various phones when you use a clean AOSP build on them (provided that you can do it at all in the first place). Android's driver infrastructure effectively encourages non-free blobs in "vendor" partitions, and many things are purposely moved from the GPLv2 kernel to the userspace so they don't have to be copylefted. If you want to run a non-Android OS on these devices you either have to fill the gaps yourself or use these blobs through compatibility layers.

> at that point you still are trusting external communication to those devices with their proprietary blobs

Just as you do with any kind of peripheral, whether it implements what it's doing purely in hardware or with an embedded microcontroller.

> There's some debate as to whether the USB stack for communication to the modem is less secure than IOMMU as well.

You can have "some debate" on absolutely anything, but that doesn't yet mean it makes any sense. You have communication protocols on top of IOMMUs as well which are subject to exactly the same security considerations as potential exploits in the USB stack, so whatever debate you're referring to is unlikely to be held in good faith. I wonder why you mention it unprompted, as it's fairly off-topic here.

[kuhsaft]

> Just consider how many features stop working or get severely degraded on various phones when you use a clean AOSP build on them.

That's mainly because of device trees. The firmware also isn't distributed via separate flash storage on the device, but I don't consider that making a difference. It's still proprietary firmware running on proprietary hardware. On Qualcomm-based Pixel devices, cellular, WiFi, Bluetooth, and GNSS are all isolated and sandboxed.

> It's also interesting that you mention it unprompted, as it's fairly off-topic here

A primary reason people complain about proprietary blobs is security. People claim that the Librem 5 is more open and secure, but it still uses the same proprietary modules as a Pixel running GrapheneOS. Does Librem 5 have signature checks for the firmware and a tamper-proof bootloader to load the firmware and OS, or can someone sell you a compromised Librem 5?

Is it more free, open, and secure than a Pixel running Android? Because, the only difference I'm seeing is how the firmware is stored and Google Play Services. And with GrapheneOS, only how the firmware is stored. Everything else points to a more insecure system with Librem 5.

[seba_dos1]

> That's mainly because of device trees.

Huh? The device tree is the one thing trivially recoverable from the blob. I'm talking about drivers, the same kind as when you install, let's say, the non-free Nvidia driver on a PC. They run as part of the OS and handle various stuff, most commonly comms like VoLTE/VoWiFi, but often also camera ISPs, GPUs, fingerprint readers etc.

> are all isolated and sandboxed

So isolated that you can break them by repartitioning your eMMC/UFS.

> A primary reason people complain about proprietary blobs is security.

The primary reason I care about blobs is freedom and practical aspects that come out of it. Dealing with blobs is always a PITA and severely limits what you can do with the hardware. The peripherals would be nice to have freed, but it's the main CPU and storage that is supposed to be my (the user's) domain and only mine. My Librem 5 came with a GNU/Linux distro on it, but if I wanted to port, say, FreeBSD to it there's all I need to be able to it. I can't do that with an AOSP device fed with blobs from the "vendor" image, at least not without spending years on reverse engineering.

The Librem 5 is one of the handful phones out there that make it this easy. It is also the only one I'm aware about that's still being sold where you have the hardware ECAD and MCAD designs available - and not just to look at, but published on a free license. I think it has earned its bragging rights when it comes to freedom and openness.

> can someone sell you a compromised Librem 5?

Of course, just like any other PC. You want to reflash it before use, obviously.

The SoC supports High Assurance Boot, you can burn your key into its efuses and have it only ever accept software that's cryptographically signed by you.

[kuhsaft]

I see. So it is better in the sense that the drivers are open-source. Though the drivers in Android/GrapheneOS are not open-source, I believe the drivers are also isolated from full kernel-level access.

But it still brings the point that you can't make a phone without proprietary chips and firmware from the mobile industry giants.

> You want to reflash it before use, obviously.

I think that is non-obvious to the majority of users buying a phone.

> The SoC supports High Assurance Boot, you can burn your key into its efuses and have it only ever accept software that's cryptographically signed by you.

An important consideration for consumers is that their data is secure if they lose their phone. Without a secure boot process by default, that's a hard sell for the common masses.

[seba_dos1]

The real question is whether it affects me as a user. The RF spectrum used by cellular networks is highly regulated, so I wouldn't be able to use it freely either way. The PC keyboard I type on right now most likely has some kind of microcontroller running some code in it, but it's of little consequence to me whether it's free or not. I do care about what runs on *my* system though, as that has tangible implications, and I care about it the same way whether it's my laptop or my phone.

> that is non-obvious to the majority of users

Yes, and the consequences of that can be seen in TFA - locking things down due to ill-defined security concerns. Why not go a bit further - the most secure device is the one you can't use to do anything at all.

On a side note, app attestation is already unironically getting us there - you have to either accept that you have no control over "your" device or not be able to use it to interface with the world. For me, any platform that allows applications to attest the environment they run in is insecure by design, as it can be exploited against me.

> An important consideration for consumers is that their data is secure if they lose their phone

Well, it's a good thing that PureOS is LUKS-encrypted by default then. It even has a smartcard reader, so key storage can be decoupled from the phone's hardware.

[handedness]

> Why not go a bit further - the most secure device is the one you can't use to do anything at all.

That's not far off a reasonable criticism of Purism's security model, that a device so wholly compromised it requires one to activate all physical kill switches to disable the hardware in order to so much as safely enter one's device PIN (per Purism's own site content), that it's no longer useful.

Everyone has to make their own trade-offs, but for me that's a model so questionable that its utility value rapidly approaches zero.

[kuhsaft]

>> An important consideration for consumers is that their data is secure if they lose their phone

> Well, it's a good thing that PureOS is LUKS-encrypted by default then.

My bad, I meant leave their phone unattended. Wherein someone can compromise the device from boot, so that when unlocked, the device is fully compromised.

[handedness]

> You can have "some debate" on absolutely anything, but that doesn't yet mean it makes any sense.

Sure, but from the fact that anything can be debated it does not follow that any given debate is nonsensical, which is kind of what you did there.

> ...whatever debate you're referring to is unlikely to be held in good faith.

I don't know which is odder, that assertion, or the notion that two completely different security models can't be debated in good faith because they're effectively identical, because of hand-wavy reasons like, "You have communication protocols on top of IOMMUs as well which are subject to exactly the same security considerations as potential exploits in the USB stack..."

Certainly there's some kind of argument to be made that the Librem 5 is relevant to this post as its adherents see it as a viable alternative to iOS and/or Android-based devices. I disagree, but everyone's willing to make different compromises and that's fair.

I only mention that because a contingent of voices as high in volume as they are few in number endlessly shoehorning the Librem 5 into numerous threads no matter how much of a non-sequitur it takes, has me suddenly paying more attention these days to what's coming from the Purism camp. The more I do the more disingenuous the rhetoric seems.

It may just be a coincidence, but for a project with such a fraught history and tarnished reputation, it doesn't do anything to increase my trust in it.

[fsflover]

> no matter how much of a non-sequitur it takes

I explained in the other comment why I thing that GNU/Linux phones are relevant, where I posted. You can discuss my arguments, but you can't just dismiss them all with a single general wording like this.

> a project with such a fraught history and tarnished reputation

Another unsubstantiated attack on a free software project from the GrapheneOS crowd, with no links or argumentation.

[kuhsaft]

> I only mention that because a contingent of voices as high in volume as they are few in number endlessly shoehorning the Librem 5 into numerous threads no matter how much of a non-sequitur it takes, has me suddenly paying more attention these days to what's coming from the Purism camp. The more I do the more disingenuous the rhetoric seems.

It seems to be mainly fsflover. You can search “Librem 5” messages in HN and it’s flooded with messages by them.

https://hn.algolia.com/?dateEnd=1777075200&dateRange=custom&...

https://hn-wrapped.kadoa.com/fsflover

[fsflover]

At least I don't reply to every comment about GrapheneOS with "it's not as free as Librem 5 and you have to pay Google, and you have to rely on blobs running on the main CPU" etc. This is exactly what the GrapheneOS crowd is doing with my comments.

[seba_dos1]

I have to admit that I had a kind of knee-jerk reaction there, as this "debate" is very often brought up in FUD pieces without much substance behind it.