Openess Score seem to be broken for Dasharo (coreboot+SeaBIOS) for PC Engines v24.05.00.01 #917
Comments
pietrushnic
added this to the Dasharo (coreboot+SeaBIOS) for PC Engines v24.08.00.01 milestone
|
Ohh.. Found couple of bugs and fixed them: Dasharo/Openness-Score#10 There were some uncaught cases because of it. Seems the real ratio is 33.1 of open-source to 66.9% closed-source |
|
@miczyg1 I have no idea why. Can you explain to me why Dasharo (coreboot+UEFI) v0.9.0 has a higher Openness Score? At least it would be comparable. Maybe that is because of binary size, and we essentially benefit from a bigger binary size, which seems weird. |
|
Probably comes down to binary size, SeaBIOS is 53KiB, UEFIPayload is almost 2M |
|
We should consider modifying the Openness Score to promote empty space. A smaller codebase means a smaller TCB, which means potentially fewer places where bugs can occur, lower maintenance costs, etc. Otherwise, we end up in a situation like here, where firmware with 2M UEFI code as payload has theoretically better statistics than something with a minimal footprint. Another improvement we need is to have a summary table, on the Supported Hardware page, where we compare various code bases and can show the real footprint openness of the given solution. |
Most likely because of the payload. UEFI Paylaod is ~2MB of open-source code and we compare raw open-source to closed-source ratio. Obviously coreobot+UEFI will have more open-source code thus more openness. The tool does the pure maths. It neither lies nor will return results based on feelings.
It is what it is. It is also not a good situation where you have a minimalistic implementation, but the blobs are overwhelming the open-source code by a few times. Say, 200KB of coreboot native code plus 1MB of FSP (and let's not forget a couple MBs of ME FW). What Openness Score should actually say about it? How one can otherwise represent the open-source percentage? I'm open to suggestions @pietrushnic
The diagrams have a visual representation of empty space and how much % it takes in the image. |
I think TCB is good direction.
Yes, but the architecture of information focuses on the openness of the code deployed, not on the size. When we have many scores published, we can say something about various releases and builds. So essentially, two requests:
|
OK, how do we measure/calculate TCB in the context of firmware images?
I don't quite understand it. So code can be more open or less open? How does that help in calculations? Either the source is open or closed, period. Anything other than that is just delusion.
Well, you could compare how many closed-source bytes you have removed to achieve the same goal (i.e. booting) vs proprietary firmware. That would be rather liberation percentage, not openness percentage. But I think it is still worth to give it a try (I think initially we wanted to have a comparison mode for this utility). Of course, that only makes sense if you have a proprietary firmware for given platform (which is not the case for apus).
That calls for some database which would serve such comparison tables or a service to which one can upload the output of Openness Score utility to feed it. Request is valid, but creating such service/database is rather out of scope of this utility at first glance. |
That is a good question, and it should be executed in code. Still, since we have no way to effectively and in a scalable way explore, scan, and report which paths are executed, we have to assume that potentially all code inside binary can be executed and belongs to TCB. We can say we already measured that because it is the size of the code components in firmware.
More or less code can be open; this is what the openness score measures in relation to the whole image size.
Where are you going with this? Probably, I didn't express myself correctly. You wrote,
This is a very good idea.
Yes, but for apu, we have multiple firmware flavors between which we could compare.
We already have such a "database," which is called docs.dasharo.com. All published open score docs could be parsed to get results and put in the table to compare. |
Please note that data files and bits are already excluded/separated from the code bits.
The utility calculates the code size in both categories, open-source and closed-source. There is no more or less open code. It is either closed or open componentwise. So it is focused around the size, despite what you say:
I meant to "how division into more or less open code helps?". To me there is no division in more or less open. Either opened or closed. I wasn't referring to empty space. I'm open to suggestions how we can emphasize empty space.
Results would not be that meaningful since both flavours are partially open-source. One would simply get a different empty space and open-source code ratios.
Why would we write a parser for content that we generate from a more structured data in a programming language? That's a waste of resources to parse MD. It would be better to feed Openness Score utility with all those binares and export the data in some CSV for further processing, rather than write a parser just to extract the data and gather it in one place... It's like going to Rome via China. |
|
This "libération score" is exactly what the FSF freedom ladder would be looking for to promote FOSS firmware alternatives that they try to bring up front of RYF. That would be really helpful. |
|
IMO comparing binary sizes to determine openness is always going to be unfavorable towards the open components:
|
I admit I used the wrong words. You are right. There is either open or closed source code. There is a gray area where code is open for some and not open for others, e.g., FSP, but it is irrelevant for Openness Score. It was a mistake that should not distract us from achieving a conclusion about what should be improved.
I'm afraid I have to disagree with that. When you go to the report, you see graphs which are expressed in %. On top of the report you have: The architecture of information, which our culture perceives, is that things are read from left to right and from top to bottom. It is expected that the information on top will be the most important. Sayin that the information architecture in the report focuses on %, relative value to size. It is not the size itself because you may have two of the same graphs based on different sizes, and you would not know that unless you dive deeper into the report. Even if you do so, you still need help understanding what you compare to. What does So, my point is that we must align information architecture in the report with what is essential. How to do that is a good question; I have already made some proposals.
Great that we agree on.
In numbers, yes, but depending on how you present that, code space has a big difference. If you show % of the flash occupied by open and closed sources side by side, it may be meaningful to some users. Let's not fall into the false consensus effect.
It is excellent you already know a better solution. It sound much better then your previous comment:
Initially, you describe the need for a database; if we consider CSV a database you had in mind, I have nothing against it. My point was that this feature needs no additional infrastructure, as you said, and is not that complex. |
Are there any next steps we would like to take on that? I wonder if we should lobby anything regarding that. Please note there are competing solutions like LVFS HIS. |
It is true, but why not turn that into an advantage? A smaller footprint means a better solution. The comparison is valid if we compress the open part and ME is also compressed. We cannot avoid errors while evaluating the impact of a compressed binary blob. Still, it is better to make that comparison and provide a note about that instead of not providing any information. OTOH, your point is valid because our goal should not be to optimize for the amount of open-source code but to minimize the amount of closed-source code. Open-source code here is just a tool that helps to achieve that. This may lead to the further conclusion that cutting binary blobs and eliminating parts of them is good. Still, I doubt you can distribute modified binaries (maybe we could optimize FSP for size). Still, in adjusting it, we should provide only tools and validate outcomes instead of distributing modified versions of binary blobs. So, the conclusion leans toward liberation, but what in the case of already liberated releases? We should have measures of TCB size, which could be expressed as the amount of free space to some extent and, of course, should be presented in the comparison table. Are there better ideas? |
But that's still based on size of the open and closed code itself. Same metric but expressed in different aspect/view.
Everything is bytes.
I would also say to watch out and not expose too much information, to keep the reports readable and contain only important information. Wherever possible, I would like to stick to strict calculations.
CSV would be trivial from the utility perspective. CSV may be later imported by something more complex and easily converted to a format/database/structure that is more suitable for querying/searching/summarizing/comparing etc. At least that's what I had in mind when proposing a CSV output. |
That's correct. The blobs will only increase in size, while minimalistic implementations such as coreboot are not growing in size significantly.
I could argue a little bit with that.
I would say coreboot doesn't include code that you would never use on a given platform, but includes code that you can potentially use.
Yes it does, but detecting it is not trivial. I would like to avoid parsing ME IFWI header if possible... For UEFI I already extract this from the report generated by UEFIExtract/UEFITool, because UEFITool parses the ME FW structures.
Accounting for compression would cause irregular results when calculating the %. Displaying more bytes of code than binary size would also be confusing. Also determining blobs compression methods sounds unfeasible, given that each blob may have custom/different compression algorithm. The utility also checks if all files have been classified and if the sum of classified files/regions sums up to the total binary size. For these reasons I have kept the original, compressed sizes. |
I am curious to know how it matters to the user. If looking at those numbers, users need to learn how extensive the considered code base was; it doesn't matter (1% of 10MB vs. 1% of 100MB - you still see 1%, but the conclusion is entirely different). We have to change that to something that would express the value of open-source firmware better.
It should be mentioned in the report wherever we provide a number.
Everything depends on the threat model, but we are treated as advisors here (the same thing is true for fwupd HSI and FSF RYF). Pure numbers only help if one knows how to interpret them. Our job is to assist in interpretation; we have enough experience, data, and knowledge to do that.
I will work on an improved version of this report when the time comes.
I don't think there's a need for that. |
|
I rbi k the value shows best when comparing against stock bios for each of the firmware of each platform. Historical comparison shows eg:
OptiPlex. Talos. There would be interesting historical analysis to be done with raw data of all those stock vs open firmware, with again changes happening for old boards like haswell with NRI when merged and replacing Mrc blob wiry native ram init. My point here is that the scores alone without comparing to stock shows empty space where there would be blobs there otherwise. Just like platforms running linuxboot would be interesting to compare versus their stock uefi alternatives prior of stripping and dxe replaced by linuxboot. |
Openness Score for pcengines_apu2_seabios_v24.05.00.01.rom
Open-source code percentage: 13.1%
Closed-source code percentage: 86.9%
FMAP regions
CBFS COREBOOT
The text was updated successfully, but these errors were encountered: