Ariadne Conill, creator of the Audacious music player, initiator of the IRCv3 protocol effort and leader of the Alpine Linux security team, has criticized the Free Software Foundation's policy on proprietary firmware and microcode, as well as the rules of its "Respect Your Freedom" (RYF) initiative, which certifies devices as meeting requirements for user privacy and freedom. According to Ariadne, the Foundation's policy leaves users stuck with obsolete hardware, encourages manufacturers seeking certification to complicate their hardware architecture, does nothing to promote the development of free replacements for proprietary firmware, and hinders the use of proper security practices.
The problem stems from the fact that the "Respect Your Freedom" certificate can only be granted to a device on which all supplied software is free, including firmware loaded by the main CPU. At the same time, firmware running on secondary embedded processors may remain proprietary, provided it is not intended to be updated once the device is in the consumer's hands. For example, the device must ship with a free BIOS, but the microcode loaded into the CPU, the firmware of I/O devices and the FPGA configuration of internal interconnects may all remain closed.
This creates a situation in which, if proprietary firmware is loaded by the operating system during initialization, the hardware cannot obtain the Foundation's certificate, whereas if the same firmware serving the same purpose is loaded from a separate chip, the device can be certified. This approach is considered flawed: in the first case the firmware is in plain sight, the user controls its loading, knows it is there, can subject it to an independent security audit and, should a free equivalent appear, can easily replace it. In the second case the firmware is a black box that is hard to inspect and whose very presence the user may not suspect, wrongly believing that all software on the device is under their control.