Those blobs, if backdoored, could have massive security implications.
Also those blobs are often targeted at specific kernel versions, so in 2 years when the upstream vendors stop releasing updated blobs, it is no longer possible to upgrade the kernel, making it very very hard to keep last gen devices secure.
This exact problem is why I was forced to admit there is no secure path to use Android today, and a big reason why I gave up on smartphones entirely.
AMD and Intel both have their share of proprietary blobs, in their "open source" packages, including microcode. Where do you see a secure path, for any computing, especially high performance?
> Where do you see a secure path, for any computing, especially high performance?
I believe POWER9 is the only modern option that doesn't use blobs? Of course that doesn't remove the possibility of hardware backdoors (nothing does, except maybe an electron microscope and a lot of free time), but that's a higher bar.
I do in fact have a Power9 workstation next to my desk, though sadly not in use as the biggest security wins for my workflow come from QubesOS which cannot run on Power9, yet.
People rightly disapprove of the AMD and Intel blobs and do what they can to disable or remove them, but at least those have stable interfaces that don't decay when there is a new kernel version. Basically every x86_64 processor ever made can run the latest version of the Linux kernel. Would that it were for Qualcomm.
Intel microcode is signed so you can't run open source microcode even if you were able to create it, and the microcode is encrypted so you can't reverse engineer it anyway.
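To show concretely what is and is not readable in such a blob, here is an added example (not from this thread) that decodes the cleartext 48-byte Intel microcode update header and checks its dword checksum; the update body, which the CPU verifies against Intel's signature, stays opaque bytes. The sample update is constructed here (the revision, date and body are made up), and a passing checksum only means the file is intact, not that it is authentic.

```python
import struct
from datetime import date

# 48-byte Intel microcode update header, little-endian, followed by the update body.
HEADER = struct.Struct("<IIIIIIIII12s")
HEADER_SIZE = HEADER.size  # 48

def checksum_ok(update: bytes) -> bool:
    """All 32-bit words of the update (header + body) must sum to 0 mod 2^32."""
    words = struct.unpack(f"<{len(update) // 4}I", update)
    return sum(words) & 0xFFFFFFFF == 0

def parse_header(blob: bytes) -> dict:
    """Decode the cleartext header fields; everything after the header is opaque."""
    (hdr_ver, rev, bcd_date, sig, checksum, loader_rev,
     platform_id, data_size, total_size, _reserved) = HEADER.unpack_from(blob, 0)
    # Legacy encoding: a zero data size means 2000 bytes of data, 2048 bytes total.
    if data_size == 0:
        data_size, total_size = 2000, 2048
    d = f"{bcd_date:08x}"  # date is packed as BCD mmddyyyy
    return {
        "header_version": hdr_ver,
        "revision": rev,
        "date": date(int(d[4:]), int(d[:2]), int(d[2:4])).isoformat(),
        "cpu_signature": sig,      # CPUID family/model/stepping the update targets
        "platform_id": platform_id,  # bitmask of platform IDs the update applies to
        "data_size": data_size,
        "total_size": total_size,
        "checksum_ok": checksum_ok(blob[:total_size]),
    }

def build_sample(revision: int, body: bytes) -> bytes:
    """Constructed sample update (not a real Intel release) with a valid checksum."""
    total = HEADER_SIZE + len(body)
    hdr = HEADER.pack(1, revision, 0x01152024, 0x000906EA, 0, 1, 0x02,
                      len(body), total, b"\0" * 12)
    blob = hdr + body
    s = sum(struct.unpack(f"<{total // 4}I", blob)) & 0xFFFFFFFF
    return blob[:16] + struct.pack("<I", (-s) & 0xFFFFFFFF) + blob[20:]

def tampered(update: bytes, offset: int) -> bytes:
    """Flip one byte of the update, as a corrupted download or edit would."""
    b = bytearray(update)
    b[offset] ^= 0xFF
    return bytes(b)

# Constructed sample: 2000 zero bytes stand in for the encrypted update body.
SAMPLE = build_sample(0xF0, bytes(2000))
```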
On long obsolete AMD K8 CPUs, there was some work on reverse engineering the microcode back in 2017:
Not sure if the Broadcom GbE NICs they use require firmware. It would seem odd to me that they'd go so far as to include an open FPGA[0] for board management and system bringup to avoid closed firmware blobs, only to then rely on a network interface with a firmware requirement.
> Also those blobs are often targeted at specific kernel versions, so in 2 years when the upstream vendors stop releasing updated blobs, it is no longer possible to upgrade the kernel, making it very very hard to keep last gen devices secure.
Is this true for the blobs in the Snapdragon 8 Gen 3 Mobile Platform?
Isn't it true that even if the firmware was open, as long as the hardware is closed it could still be backdoored and doing things you don't want it to? Where do you draw the line?
Because Purism cheated and just moved the blobs into a chip that you can't update and made it go through a separate processor[1]. FSF-endorsement is meaningless. This is worse than having a loadable blob from a kernel.
You can't update the firmware at all and you are still running it.
Librem 5 has very dated hardware that barely runs. It has only Cortex A53 cores @ 1.5 GHz that were released in 2012. You will see it even lag in Purism's videos.
Modern Android phones have better OS, hardware security, battery life and will be useful for longer and cheaper.
Librem 5 now costs 1000 USD, the same price that Google Pixel 8 Pro costs which also has guaranteed 7 years of OS support. Will you want to use Librem 5 in 7 years?
Also let's not forget how Purism took forever to ship the devices and was declining refunds from people that didn't even get sent the device and waited way over a year.
Oh and there are Android phones that can run on mainline kernels.
Yes: Librem 5 is a full desktop, with my full control, "Thinkpad T400 in mobile". It will always run the latest Linux and all desktop apps. I can use it as a full desktop connected to keyboard/screen. On the other hand, Android is not a general-purpose computer; it only runs what Google allows you to run.
You should try SXMo if you want to see how smoothly Librem 5 and even Pinephone can work if the software is optimized.
> You can't update the firmware at all and you are still running it.
Is there even theoretically an attack vector here?
Yes, Purism has been having problems with refunds. It doesn't affect security or freedom of their devices. Don't buy from them if you will want a refund.
They don't have spare parts in the online shop, but people on the forum were able to buy them or repair the devices by contacting Purism directly. AFAIK in case of a larger demand, Purism promised to provide spare parts more explicitly.
It is the closest we have to a freedom respecting device. The baseband processor is still a closed blob but it is a lot better than pretty much everything else out there. Maybe Pinephone eventually will get there as well.