From: Hans de Goede
Subject: Re: Updating cypress/brcm firmware in linux-firmware for CVE-2019-15126
To: chi-hsien.lin@cypress.com, Christopher Rumpf, Chung-Hsien Hsu
Cc: linux-firmware@kernel.org, Linux Kernel Mailing List
Date: Wed, 11 Mar 2020 17:34:02 +0100

Hi,

On 3/5/20 4:50 AM, Chi-Hsien Lin wrote:
> (+Chris)
>
> On 03/04/2020 7:45, Hans de Goede wrote:
>> Hi,
>>
>> On 2/26/20 11:16 PM, Hans de Goede wrote:
>>> Hello Cypress people,
>>>
>>> Can we please get updated firmware for
>>> brcm/brcmfmac4356-pcie.bin and brcm/brcmfmac4356-sdio.bin
>>> fixing CVE-2019-15126 as well as for any other affected
>>> models (the 4356 is explicitly named in the CVE description)?
>>>
>>> The current Cypress firmware files in linux-firmware are
>>> quite old, e.g. for brcm/brcmfmac4356-pcie.bin linux-firmware has:
>>> version 7.35.180.176 dated 2017-10-23, way before the CVE
>>>
>>> Whereas https://community.cypress.com/docs/DOC-19000 /
>>> cypress-fmac-v4.14.77-2020_0115.zip has:
>>> version 7.35.180.197 which presumably contains a fix (no changelog)
>>
>> Ping?
>>
>> The very old age of the firmware files in linux-firmware is really
>> UNACCEPTABLE and very irresponsible from a security POV. Please
>> fix this very soon.
>>
>> If you do not reply to this email I see no choice but to switch
>> the firmwares in linux-firmware over to the ones from the SDK which
>> you do regularly update, e.g. those from:
>> https://community.cypress.com/docs/DOC-19000
>>
>> Yes those are under an older, slightly different version of the Cypress
>> license, which is less than ideal, but that license is still acceptable
>> for linux-firmware (*) and since you are not providing any updates to
>> the special builds you have been doing for linux-firmware you are
>> really leaving us no option other than switching to the SDK version
>> of the firmwares.
>
> Hans,
> Chris owns the Cypress firmware upstream strategy and will explain our going-forward strategy to you.

Ping? It has been a week and we have not heard anything from Chris about this yet?

Regards,

Hans