Nonfree test data found in vboot-utils source code

Hi,

During my work on GNU Boot I found nonfree software in vboot source code.

Since Trisquel also redistributes the vboot source code as the source code that corresponds to the vboot-utils packages, it also accidentally redistributes nonfree software.

Here's how to reproduce the issue:

$ lsb_release -a

No LSB modules are available.

Distributor ID: Trisquel

Description: Trisquel GNU/Linux Aramo (11.0.1)

Release: 11.0.1

Codename: aramo

$ apt source vboot-utils

$ ls vboot-utils-0~R99-14469.B/tests/futility/data/

bios_link_mp.bin EC_RW.bin kern_preamble.bin ro_vpd.bin zinger.pem

bios_mario_mp.bin fw_gbb.bin minimuffin.pem sample.vbprik2 zinger.signed

bios_peppy_mp.bin fw_vblock.bin minimuffin.signed sample.vbpubk2 zinger.unsigned

bios_zgb_mp.bin hammer_dev.bin minimuffin.unsigned short_junk.bin

dingdong.pem hoho.pem random_noise.bin vmlinuz-amd64.bin

dingdong.signed hoho.signed README vmlinuz-arm.bin

dingdong.unsigned hoho.unsigned rec_kernel_part.bin zinger_mp_image.bin

Here we can see many nonfree software. Here bios_mario_mp.bin is a nonfree BIOS. I also managed to extract the nonfree Intel microcode from it with Guix's python2 and bios_extract in a different version of vboot[1]. This directory also contains images of chromebook boot firmwares, which usually contains nonfree software like intel MRC or FSP binaries.

Trisquel 10 also has vboot-utils but I didn't check if the revision used has these tests or not.

I've also verified on Debian that Debian Bookworm is affected but I need to look into how to bugreport in Debian as well. Also many other distributions are affected but we need to start reporting the bug somewhere. I'm also unsure if at this point we need to communicate more broadly instead of contacting each distributions individually.

In GNU Boot, removing the affected directory didn't have any impact on the build.

Also while looking for GNU Boot, I didn't find the test file being used inside the Makefile nor Android.mk so maybe it's as simple as removing that directory.

Also over time vboot seems to add more and more files inside that directory, so removing an individual files might not be the best option.

References:

[1]https://savannah.gnu.org/bugs/?66137

[2]https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081675

edit1: fix code syntax edit1: try again to fix code syntax

Edited Sep 13, 2024 by Luis Guzmán

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information