linux-firmware.lore.kernel.org archive mirror
* pull request: liquidio: remove lio_23xx_vsw.bin
@ 2023-02-25  0:27 Derek Chickles
  2023-02-27 14:12 ` Josh Boyer
  0 siblings, 1 reply; 4+ messages in thread
From: Derek Chickles @ 2023-02-25  0:27 UTC (permalink / raw)
  To: linux-firmware; +Cc: Satananda Burla

Hi,

We would like to remove one firmware binary from this repository per our security team's concerns (Cavium was acquired by Marvell).

Thanks,
Derek
--
The following changes since commit 83f1d7781300b52785c062a8285da59042c0d1ff:

  Merge branch 'ath10k-20230215' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/linux-firmware (2023-02-15 14:27:03 -0500)

are available in the git repository at:


  https://github.com/dchickles/linux-firmware.git liquidio-20230222

for you to fetch changes up to c6008409440f18da7109e20a3f8db0c6c0a0586b:

  liquidio: remove lio_23xx_vsw.bin (2023-02-22 18:48:26 -0800)

----------------------------------------------------------------
Chickles, Derek (1):
      liquidio: remove lio_23xx_vsw.bin

 LICENCE.cavium_liquidio   | 361 ------------------------------------------------------------------------------------------------
 WHENCE                    |   3 -
 liquidio/lio_23xx_vsw.bin | Bin 20434408 -> 0 bytes
 3 files changed, 364 deletions(-)
 delete mode 100644 liquidio/lio_23xx_vsw.bin
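
Review bot: LICENCE.cavium_liquidio loses 361 lines in the diffstat but is not listed under "delete mode", so only part of the licence file goes away; the request should state that the removed section applies solely to liquidio/lio_23xx_vsw.bin and that any other firmware under that licence remains covered. The cover letter should also give the reason for the removal instead of only "our security team's concerns", so the change can be judged without opening the commit.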


* Re: pull request: liquidio: remove lio_23xx_vsw.bin
  2023-02-25  0:27 pull request: liquidio: remove lio_23xx_vsw.bin Derek Chickles
@ 2023-02-27 14:12 ` Josh Boyer
  2023-02-27 17:12   ` [EXT] " Derek Chickles
  0 siblings, 1 reply; 4+ messages in thread
From: Josh Boyer @ 2023-02-27 14:12 UTC (permalink / raw)
  To: Derek Chickles; +Cc: linux-firmware, Satananda Burla

On Fri, Feb 24, 2023 at 7:27 PM Derek Chickles <dchickles@marvell.com> wrote:
>
> Hi,
>
> We would like to remove one firmware binary from this repository per our security team's concerns (Cavium was acquired by Marvell).

What security concerns would those be?  Where would users of these
devices get firmware from?

> Thanks,
> Derek
> --
> The following changes since commit 83f1d7781300b52785c062a8285da59042c0d1ff:
>
>   Merge branch 'ath10k-20230215' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/linux-firmware (2023-02-15 14:27:03 -0500)
>
> are available in the git repository at:
>
>
>   https://github.com/dchickles/linux-firmware.git liquidio-20230222
>
> for you to fetch changes up to c6008409440f18da7109e20a3f8db0c6c0a0586b:
>
>   liquidio: remove lio_23xx_vsw.bin (2023-02-22 18:48:26 -0800)
>
> ----------------------------------------------------------------
> Chickles, Derek (1):
>       liquidio: remove lio_23xx_vsw.bin
>
>  LICENCE.cavium_liquidio   | 361 ------------------------------------------------------------------------------------------------

There are multiple liquidio firmware files under this license.  You
can't remove it just because you want to remove only one firmware.

josh

>  WHENCE                    |   3 -
>  liquidio/lio_23xx_vsw.bin | Bin 20434408 -> 0 bytes
>  3 files changed, 364 deletions(-)
>  delete mode 100644 liquidio/lio_23xx_vsw.bin


* RE: [EXT] Re: pull request: liquidio: remove lio_23xx_vsw.bin
  2023-02-27 14:12 ` Josh Boyer
@ 2023-02-27 17:12   ` Derek Chickles
  2023-02-27 17:34     ` Josh Boyer
  0 siblings, 1 reply; 4+ messages in thread
From: Derek Chickles @ 2023-02-27 17:12 UTC (permalink / raw)
  To: Josh Boyer; +Cc: linux-firmware, Satananda Burla

> From: Josh Boyer <jwboyer@kernel.org>
> Sent: Monday, February 27, 2023 7:42 PM
> To: Derek Chickles <dchickles@marvell.com>
> Cc: linux-firmware@kernel.org; Satananda Burla <sburla@marvell.com>
> Subject: [EXT] Re: pull request: liquidio: remove lio_23xx_vsw.bin
> > 
> ----------------------------------------------------------------------
> On Fri, Feb 24, 2023 at 7:27 PM Derek Chickles <dchickles@marvell.com>
> wrote:
> >
> > Hi,
> >
> > We would like to remove one firmware binary from this repository per our security team's concerns (Cavium was acquired by Marvell).
> 
> What security concerns would those be?  Where would users of these
> devices get firmware from?

Hi,

Thanks for the comments.

Per the commit text, this firmware was originally just a proof-of-concept
and not released to customers, but it had a default password that is hackable.
Commit text below for reference:

  Removing lio_23xx_vsw.bin which has a security vulnerability.
  This binary was published originally as a proof-of-concept and is
  not installed in any production devices and should not be used. In
  addition, the aforementioned LiquidIO devices are end of service.

The full security advisory can be found here:
 https://www.marvell.com/content/dam/marvell/en/public-collateral/server-processors/marvell-security-advisory-liquid-io2.pdf

> 
> > Thanks,
> > Derek
> > --
> > The following changes since commit 83f1d7781300b52785c062a8285da59042c0d1ff:
> >
> >   Merge branch 'ath10k-20230215' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/linux-firmware (2023-02-15 14:27:03 -0500)
> >
> > are available in the git repository at:
> >
> >
> >   https://github.com/dchickles/linux-firmware.git liquidio-20230222
> >
> > for you to fetch changes up to c6008409440f18da7109e20a3f8db0c6c0a0586b:
> >
> >   liquidio: remove lio_23xx_vsw.bin (2023-02-22 18:48:26 -0800)
> >
> > ----------------------------------------------------------------
> > Chickles, Derek (1):
> >       liquidio: remove lio_23xx_vsw.bin
> >
> >  LICENCE.cavium_liquidio   | 361 ------------------------------------------------------------------------------------------------
> 
> There are multiple liquidio firmware files under this license.  You can't
> remove it just because you want to remove only one firmware.
> 

If you look closely at the License file the section deleted was referring to
the lio_vsw_23xx.bin file specifically. Since this file is being removed the
License section is also being removed.

Regards,
Derek

> josh
> 
> >  WHENCE                    |   3 -
> >  liquidio/lio_23xx_vsw.bin | Bin 20434408 -> 0 bytes
> >  3 files changed, 364 deletions(-)
> >  delete mode 100644 liquidio/lio_23xx_vsw.bin


* Re: [EXT] Re: pull request: liquidio: remove lio_23xx_vsw.bin
  2023-02-27 17:12   ` [EXT] " Derek Chickles
@ 2023-02-27 17:34     ` Josh Boyer
  0 siblings, 0 replies; 4+ messages in thread
From: Josh Boyer @ 2023-02-27 17:34 UTC (permalink / raw)
  To: Derek Chickles; +Cc: linux-firmware, Satananda Burla

On Mon, Feb 27, 2023 at 12:12 PM Derek Chickles <dchickles@marvell.com> wrote:
>
> > From: Josh Boyer <jwboyer@kernel.org>
> > Sent: Monday, February 27, 2023 7:42 PM
> > To: Derek Chickles <dchickles@marvell.com>
> > Cc: linux-firmware@kernel.org; Satananda Burla <sburla@marvell.com>
> > Subject: [EXT] Re: pull request: liquidio: remove lio_23xx_vsw.bin
> > >
> > ----------------------------------------------------------------------
> > On Fri, Feb 24, 2023 at 7:27 PM Derek Chickles <dchickles@marvell.com>
> > wrote:
> > >
> > > Hi,
> > >
> > > We would like to remove one firmware binary from this repository per our security team's concerns (Cavium was acquired by Marvell).
> >
> > What security concerns would those be?  Where would users of these
> > devices get firmware from?
>
> Hi,
>
> Thanks for the comments.
>
> Per the commit text, this firmware was originally just a proof-of-concept
> and not released to customers, but it had a default password that is hackable.
> Commit text below for reference:

My apologies, Derek.  I started looking at this, got distracted, and
then did not remember that I had not looked at the actual commit in
the pull request.  You've provided perfectly clear and sufficient
detail.

>   Removing lio_23xx_vsw.bin which has a security vulnerability.
>   This binary was published originally as a proof-of-concept and is
>   not installed in any production devices and should not be used. In
>   addition, the aforementioned LiquidIO devices are end of service.
>
> The full security advisory can be found here:
>  https://www.marvell.com/content/dam/marvell/en/public-collateral/server-processors/marvell-security-advisory-liquid-io2.pdf

Thank you for this link.

Pulled and pushed out.

josh

> > > Thanks,
> > > Derek
> > > --
> > > The following changes since commit 83f1d7781300b52785c062a8285da59042c0d1ff:
> > >
> > >   Merge branch 'ath10k-20230215' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/linux-firmware (2023-02-15 14:27:03 -0500)
> > >
> > > are available in the git repository at:
> > >
> > >
> > >   https://github.com/dchickles/linux-firmware.git liquidio-20230222
> > >
> > > for you to fetch changes up to c6008409440f18da7109e20a3f8db0c6c0a0586b:
> > >
> > >   liquidio: remove lio_23xx_vsw.bin (2023-02-22 18:48:26 -0800)
> > >
> > > ----------------------------------------------------------------
> > > Chickles, Derek (1):
> > >       liquidio: remove lio_23xx_vsw.bin
> > >
> > >  LICENCE.cavium_liquidio   | 361 ------------------------------------------------------------------------------------------------
> >
> > There are multiple liquidio firmware files under this license.  You can't
> > remove it just because you want to remove only one firmware.
> >
>
> If you look closely at the License file the section deleted was referring to
> the lio_vsw_23xx.bin file specifically. Since this file is being removed the
> License section is also being removed.
>
> Regards,
> Derek
>
> > josh
> >
> > >  WHENCE                    |   3 -
> > >  liquidio/lio_23xx_vsw.bin | Bin 20434408 -> 0 bytes
> > >  3 files changed, 364 deletions(-)
> > >  delete mode 100644 liquidio/lio_23xx_vsw.bin

