'cannot be part of an effective prevention measure' [LWN.net]

'cannot be part of an effective prevention measure'

Posted Jan 18, 2006 0:54 UTC (Wed) by xoddam (subscriber, #2322)
In reply to: Misunderstanding of embedded system designers by karim
Parent article: GPLv3: a first look

That use case would be compatible with this draft of the GPLv3, yes.
Thankyou for pointing out the loophole; the final licence may close it.

Supposing some OS kernel is licensed under a GPLv3 which retains this
loophole and used in a system such as you describe -- the GPLv3 kernel is
constrained not to be part of an 'effective prevention measure', meaning
that it is explicitly permitted to use the kernel (modified or not) as a
tool to reverse-engineer the DRM-enabled firmware, devices and
applications.

An OS kernel is fairly well positioned to do this job. I think DRM
device developers would be best advised not to use a GPLv3 kernel.

(Log in to post comments)

'cannot be part of an effective prevention measure'

Posted Jan 18, 2006 16:23 UTC (Wed) by karim (subscriber, #114) [Link]

FWIW, you'd be amazed what can be done by a piece of
hardware. So a scenario where the hardware has a latch
that can only be set once until hard-reset or power
down is very possible. Whether you can get the OS to
boot or not, and regardless of what that OS tries to
do, that hardware won't change state ... that's one
thing that's nice about hardware, you actually get to
control what software can and cannot do ...

Karim

'cannot be part of an effective prevention measure'

Posted Jan 20, 2006 3:24 UTC (Fri) by xoddam (subscriber, #2322) [Link]

> Whether you can get the OS to boot or not, and regardless
> of what that OS tries to do, that hardware won't change state ...

So I fisrt boot the unmodified, signed kernel to which I have the source
(six months behind the current free version) and have the hardware fully
enabled. Now I use some kernel exploit (reported and promptly fixed some
time in the last six months) to kexec an updated kernel, configured as I
please. Voilà! I 0wn my own box.

'cannot be part of an effective prevention measure'

Posted Jan 20, 2006 3:48 UTC (Fri) by karim (subscriber, #114) [Link]

Ah ... yes ... thanks for bitting ... At last someone steps
up to the challenge ;D

It's worthy to note that the problem you allude to is
something a designer of such a system would absolutely need
to catter for even today. IOW, this is not an unknown issue.

Think no glibc ... think selinux ...

Not that it's easy to get it right. The hacks we've seen on
some consoles are based on similar ideas ...

Karim

'cannot be part of an effective prevention measure'

Posted Jan 20, 2006 8:04 UTC (Fri) by xoddam (subscriber, #2322) [Link]

"the problem you allude to"

There's a problem? I'm not alluding to a problem, I'm working out how to
exercise my rights under the GPL :-)

I understand that if I receive a box with a differently-licenced
operating system then such exploits may violate the DMCA and its
equivalents in countries (such as my own) which have free-trade
agreements with the USA. The purpose of the DRM clause in the draft
GPLv3 is to ensure that GPL software is not used to take away the rights
of its users to use the software as they please.

Given that there is no GPLv3-licenced kernel, and that if there ever is
one it is not likely to be used inside such restricted devices,
*somebody* has to break bad laws and put up a spirited defence to them in
court or a time will come when they are considered normal and therefore
proper.