Gigabyte is refusing to provide GPL source code for BMC firmware


hmartin

Hi, like many of you I have purchased some Gigabyte motherboards that were featured here (MJ11-EC1, MC12-LE0).

The BMC on these motherboards runs Linux:
Code:
$ binwalk 126121.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
163848        0x28008         CRC32 polynomial table, little endian
213604        0x34264         CRC32 polynomial table, little endian
393216        0x60000         JFFS2 filesystem, little endian
5636096       0x560000        CramFS filesystem, little endian, size: 40951808, version 2, sorted_dirs, CRC 0x417607BC, edition 0, 27801 blocks, 6575 files
46596160      0x2C70040       uImage header, header size: 64 bytes, header CRC: 0x596F847A, created: 2024-03-12 06:08:06, image size: 2792592 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0xC9C2F025, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.14.17-ami"
46596224      0x2C70080       Linux kernel ARM boot executable zImage (little-endian)
46613079      0x2C74257       gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
49479680      0x2F30000       JFFS2 filesystem, little endian
50003968      0x2FB0000       CramFS filesystem, little endian, size: 5963776, version 2, sorted_dirs, CRC 0xBCBB0E63, edition 0, 1566 blocks, 131 files
I consider it due diligence to request GPL source code from vendors, especially in light of recent disclosures that BMC firmwares from several major vendors such as Intel and Lenovo did not incorporate security fixes in lighttpd:

So I requested the source code for the BMC firmware from Gigabyte eSupport in January 2024.

When they did not follow up for several months, I asked them again in May 2024 and received this response:
Dear halmartin,

Sorry for the wait, as internally discussed, we are sorry the GPL source code cannot be provided on this platform. Please consult your product sales for the related request.

If any further help is needed, please provide us with the invoice so that we can check accordingly.

== Original 2/7/2024 ==
Regards, GIGABYTE
I do not work for a company with a business relationship with Gigabyte, but I know people here do.

Would someone with an ear inside Gigabyte mind telling them how foolish (and license infringing) the above response is?

Otherwise I'm going to start the long and painful journey of contacting copyright holders and going the FSF/SFC legal route because I'm so extremely tired of vendors ignoring their open-source license obligations in the year of our RCE, 2024.

@Patrick it would be so, so amazing if for future hardware reviews, you made it a point to ask the vendor where customers/users can obtain the GPL source code. It's a small question to ask but will make a big difference if vendors realize that customers are expecting them to provide it.

Everyone is pearl clutching about supply chain attacks but the brutal truth is that no one is checking their supply chain. This is even harder to do when vendors willfully violate open source licenses and refuse to provide the source code.
 
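As an added example (not part of the original post), the Python sketch below turns the binwalk scan quoted above into a region map: each signature that declares a size becomes a region with a computed end offset, later hits that fall inside it are recorded as nested, and the uImage header yields the kernel name and build time. The function names are illustrative.

```python
import re
# binwalk signature rows copied from the post above
SCAN = '''\
163848        0x28008         CRC32 polynomial table, little endian
213604        0x34264         CRC32 polynomial table, little endian
393216        0x60000         JFFS2 filesystem, little endian
5636096       0x560000        CramFS filesystem, little endian, size: 40951808, version 2, sorted_dirs, CRC 0x417607BC, edition 0, 27801 blocks, 6575 files
46596160      0x2C70040       uImage header, header size: 64 bytes, header CRC: 0x596F847A, created: 2024-03-12 06:08:06, image size: 2792592 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0xC9C2F025, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.14.17-ami"
46596224      0x2C70080       Linux kernel ARM boot executable zImage (little-endian)
46613079      0x2C74257       gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
49479680      0x2F30000       JFFS2 filesystem, little endian
50003968      0x2FB0000       CramFS filesystem, little endian, size: 5963776, version 2, sorted_dirs, CRC 0xBCBB0E63, edition 0, 1566 blocks, 131 files
'''
ROW = re.compile(r"^(\d+)\s+0x[0-9A-Fa-f]+\s+(.+)$")

def declared_length(desc):
    """Bytes a signature claims to cover, or None when binwalk reports no size."""
    if desc.startswith("uImage header"):
        hdr = re.search(r"header size: (\d+)", desc)
        img = re.search(r"image size: (\d+)", desc)
        return int(hdr[1]) + int(img[1]) if hdr and img else None
    m = re.search(r", size: (\d+)", desc)
    return int(m[1]) if m else None

def layout(scan):
    """Group signatures into top-level regions; hits inside a sized region become children."""
    regions = []
    for line in scan.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # table header, separator or blank line
        offset, desc = int(m[1]), m[2]
        parent = regions[-1] if regions else None
        if parent and parent["end"] is not None and offset < parent["end"]:
            parent["children"].append((offset, desc.split(",")[0]))
            continue
        length = declared_length(desc)
        end = offset + length if length is not None else None
        regions.append({"offset": offset, "kind": desc.split(",")[0], "end": end,
                        "children": [], "desc": desc})
    return regions

def kernel_images(regions):
    """(offset, build time, image name) for every uImage-wrapped kernel in the layout."""
    pat = re.compile(r'created: ([\d-]+ [\d:]+),.*image name: "([^"]+)"')
    return [(r["offset"], m[1], m[2]) for r in regions if (m := pat.search(r["desc"]))]

for r in layout(SCAN):
    print(hex(r["offset"]), r["kind"], "end:", r["end"], "nested:", r["children"])
```

The zImage and gzip hits land inside the uImage region, so they are one kernel image rather than three separate artifacts.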

RolloZ170

base source code is GPL and available, but the special customized AMI code for gigabyte boards should not be provided though.
with a little reverse engineering you can get all you need.
Code:
# Created and Signed by MDS : 646f19b135c0645708b0a1c87f5602d5
#
# Automatically generated SPX Project Configurations: Don't edit
# SPX version: 4.0
# Fri, 28 Jul 2023 11:27:35 +0800
#

# Basic Configuration
CONFIG_SPX_Bootloader_Pristine_ex-6.3.0.0.0=YES
CONFIG_SPX_Bootloader_amiext_ex-6.23.0.0.0=YES
CONFIG_SPX_Bootloader_arch_arm_ex-6.1.0.0.0=YES
CONFIG_SPX_Bootloader_basesoc_ast_ex-6.7.0.0.0=YES
CONFIG_SPX_Bootloader_platform_ast2500evb_ex-6.8.0.0.0=YES
CONFIG_SPX_Bootloader_soc_ast2500_ex-6.2.0.0.0=YES
CONFIG_SPX_Busybox_ex-6.11.0.0.0=YES
CONFIG_SPX_Busybox_Fixes_ex-6.8.0.0.0=YES
CONFIG_SPX_Busybox_Pristine_ex-6.1.0.0.0=YES
CONFIG_SPX_Busybox_oem_ex-6.2.0.0.0=YES
CONFIG_SPX_Kernel_Pristine_ex-6.1.0.0.0=YES
CONFIG_SPX_Kernel_amiext_ex-6.58.0.0.0=YES
CONFIG_SPX_Kernel_arch_arm_ex-6.1.0.0.0=YES
CONFIG_SPX_Kernel_basesoc_ast_ex-6.17.0.0.0=YES
CONFIG_SPX_Kernel_initramfs_ex-6.1.0.0.0=YES
CONFIG_SPX_Kernel_oem_ast2500evb_ex-6.2.0.0.0=YES
CONFIG_SPX_Kernel_platform_ast2500evb_ex-6.1.0.0.0=YES
CONFIG_SPX_Kernel_soc_ast2500_ex-6.5.0.0.0=YES
CONFIG_SPX_PackagesVersion-6.8.0.0.0=YES
CONFIG_SPX_RebuildFirstLoader-6.1.0.0.0=YES
CONFIG_SPX_buildtools-6.1.0.0.0=YES
CONFIG_SPX_defaulthost-6.1.0.0.0=YES
CONFIG_SPX_glibc_jessietargetoverride-6.1.0.0.0=YES
CONFIG_SPX_libcjson-6.0.0.0.0=YES
CONFIG_SPX_libgcrypt20_jessietargetoverride-6.1.0.0.0=YES
CONFIG_SPX_libjson_jessietargetoverride-6.1.0.0.0=YES
CONFIG_SPX_librtlog-6.1.0.0.0=YES
CONFIG_SPX_libstorelib-6.5.1.0.0=YES
CONFIG_SPX_libstorelibIR-6.5.1.0.0=YES
CONFIG_SPX_libtasn1_6_jessietargetoverride-6.0.0.0.0=YES
CONFIG_SPX_libupnp_jessietargetoverride-6.7.0.0.0=YES
CONFIG_SPX_lldpd_jessietargetoverride-6.0.0.0.0=YES
CONFIG_SPX_mountallapp-6.4.0.0.0=YES
CONFIG_SPX_netsnmp_jessietargetoverride-6.1.0.0.0=YES
CONFIG_SPX_ntp_jessietargetoverride-6.2.0.0.0=YES
CONFIG_SPX_openssh_jessietargetoverride-6.5.0.0.0=YES
CONFIG_SPX_openssl_jessietargetoverride-6.6.0.0.0=YES
CONFIG_SPX_pcre3_jessietargetoverride-6.0.0.0.0=YES
CONFIG_SPX_rndisinf-6.2.0.0.0=YES
CONFIG_SPX_rules-6.5.0.0.0=YES
CONFIG_SPX_stunnel_jessietargetoverride-6.1.0.0.0=YES
CONFIG_SPX_sys_defaultcfg-6.1.0.0.0=YES
CONFIG_SPX_sys_ip6tables-6.2.0.0.0=YES
CONFIG_SPX_sys_iptables-6.2.0.0.0=YES
CONFIG_SPX_sys_ipv6-6.1.0.0.0=YES            #USER_SELECTED
CONFIG_SPX_sys_libcpp-6.1.0.0.0=YES
CONFIG_SPX_sys_libcurl3-6.0.0.0.0=YES
CONFIG_SPX_sys_libjpeg-6.1.0.0.0=YES
CONFIG_SPX_sys_lua-6.3.0.0.0=YES
CONFIG_SPX_sys_lua_libs-6.2.0.0.0=YES
CONFIG_SPX_sys_mount_cifs-6.0.0.0.0=YES
CONFIG_SPX_sys_ntpcfg-6.2.0.0.0=YES            #USER_SELECTED
CONFIG_SPX_sys_parted-6.2.0.0.0=YES
CONFIG_SPX_sys_radius-6.1.0.0.0=YES
CONFIG_SPX_sys_redis-6.26.0.0.0=YES
CONFIG_SPX_sys_rsyslog_gnutls_jessie-6.0.0.0.0=YES
CONFIG_SPX_sys_ssh-6.6.0.0.0=YES
CONFIG_SPX_sys_timezone-6.2.0.0.0=YES
CONFIG_SPX_telnet_busybox_configuration-6.1.0.0.0=YES
CONFIG_SPX_@ARCH_ARM-6.4.0.0.0=YES
CONFIG_SPX_@BASESOC_AST-6.1.0.0.0=YES
CONFIG_SPX_sys_ldap-6.2.0.0.0=YES
CONFIG_SPX_sys_base_ex-6.22.0.0.0=YES
CONFIG_SPX_Bootloader_oem_ast2500evb_ex-6.1.0.0.0=YES
CONFIG_SPX_Bootloader_ex-6.10.0.0.0=YES
CONFIG_SPX_crosscc_jessie-6.2.0.0.0=YES
CONFIG_SPX_defshell-6.2.0.0.0=YES
CONFIG_SPX_sys_noudev-6.1.0.0.0=YES            #USER_SELECTED
CONFIG_SPX_@OEM_AMI-6.4.0.0.0=YES            #USER_SELECTED
CONFIG_SPX_@PLATFORM_WolfPass-6.4.0.0.0=YES            #USER_SELECTED
CONFIG_SPX_@SOC_AST2500-6.7.0.0.0=YES
CONFIG_SPX_target_jessie-6.3.0.0.0=YES
CONFIG_SPX_Kernel_ex-6.8.0.0.0=YES
CONFIG_SPX_Kernel_modules_ex-6.8.0.0.0=YES
CONFIG_SPX_FEATURE_GLOBAL_^ARM^_ENDIAN_LITTLE=YES
CONFIG_SPX_FEATURE_GLOBAL_^AST^_FAILSAFE_WATCHDOG=2

# WolfPass  Configuration
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_FLASH_TYPE_SPI=YES
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_FLASH_START=0x20000000
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_FLASH_SIZE=0x8000000
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_ERASE_BLOCK_SIZE=0x10000
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_FLASH_BANKS=2
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_USED_FLASH_START=0x20000000
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_USED_FLASH_SIZE=0x3F00000
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_UBOOT_MONITOR_SIZE=0x40000
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_UBOOT_ENV_START=0x20040000
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_UBOOT_ENV_SIZE=0x10000
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_MEMORY_START=0x80000000
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_MEMORY_SIZE=0x1DE00000
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_MEMORY_ECC_ENABLE=YES            #USER_SELECTED
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_NIC_COUNT=2
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_UBOOT_ENABLE_I2C_BUS=3
CONFIG_SPX_FEATURE_^WolfPass^_LAN_AND_DRAM_TEST_CMD=YES            #USER_SELECTED
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_SD_SLOT_COUNT=0
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_EMMC_FLASH_COUNT=0

# AST2500 Configuration
more to follow after this.......
 
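As an added example (not part of the original post), the Python sketch below reads package lines from the SPX configuration quoted above and groups the ones that correspond to copyleft upstream projects, which is the list a source request would name. The prefix-to-project table, the licence identifiers and the reading of `amiext`, `oem` and `Fixes` as vendor changes are assumptions made for illustration; the revision numbers are the SPX package revisions from the file, not upstream versions.

```python
import re
from collections import defaultdict
# Subset of the SPX project configuration quoted in the post above.
CONFIG = """\
CONFIG_SPX_Bootloader_Pristine_ex-6.3.0.0.0=YES
CONFIG_SPX_Bootloader_amiext_ex-6.23.0.0.0=YES
CONFIG_SPX_Busybox_Fixes_ex-6.8.0.0.0=YES
CONFIG_SPX_Busybox_Pristine_ex-6.1.0.0.0=YES
CONFIG_SPX_Busybox_oem_ex-6.2.0.0.0=YES
CONFIG_SPX_Kernel_Pristine_ex-6.1.0.0.0=YES
CONFIG_SPX_Kernel_amiext_ex-6.58.0.0.0=YES
CONFIG_SPX_glibc_jessietargetoverride-6.1.0.0.0=YES
CONFIG_SPX_openssh_jessietargetoverride-6.5.0.0.0=YES
CONFIG_SPX_stunnel_jessietargetoverride-6.1.0.0.0=YES
CONFIG_SPX_sys_iptables-6.2.0.0.0=YES
CONFIG_SPX_sys_ipv6-6.1.0.0.0=YES            #USER_SELECTED
CONFIG_SPX_FEATURE_GLOBAL_^WolfPass^_FLASH_BANKS=2
"""

# Assumption: name prefix -> upstream project and its usual licence (verify per shipped version).
COPYLEFT = [
    (r"bootloader", "U-Boot", "GPL-2.0-or-later"),
    (r"kernel", "Linux", "GPL-2.0-only"),
    (r"busybox", "BusyBox", "GPL-2.0-only"),
    (r"glibc", "glibc", "LGPL-2.1-or-later"),
    (r"stunnel", "stunnel", "GPL-2.0-or-later"),
    (r"sys_ip6?tables", "iptables", "GPL-2.0-or-later"),
]
PKG = re.compile(r"^CONFIG_SPX_(?P<name>[^=\s]+)-(?P<rev>\d+(?:\.\d+)+)=YES\b")
# Assumption: these name parts mark vendor changes layered on the pristine upstream tree.
MODIFIED = re.compile(r"_(amiext|oem|fixes)(_|$)", re.I)

def source_request(config):
    """Map enabled SPX packages to copyleft upstream projects worth naming in a source request."""
    wanted = defaultdict(lambda: {"licence": None, "packages": [], "modified": False})
    for line in config.splitlines():
        m = PKG.match(line.strip())
        if not m:
            continue  # comments and CONFIG_SPX_FEATURE_* settings carry no package
        name = m["name"]
        for prefix, project, licence in COPYLEFT:
            if re.match(prefix, name, re.I):
                entry = wanted[project]
                entry["licence"] = licence
                entry["packages"].append(f"{name}-{m['rev']}")
                entry["modified"] |= bool(MODIFIED.search(name))
    return dict(wanted)

for project, info in source_request(CONFIG).items():
    print(project, info)
```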

hmartin

base source code is GPL and available
Have a link to that?

special customized code for gigabyte boards should not be provided though.
If Gigabyte are modifying GPL code for their motherboards, then yes they need to provide that. Their feelings on the proprietary nature of said modifications are moot. Proprietary kernel modules or libraries are of course outside the scope of this request.
 

hmartin

linux google yourself. special MegaRAC BMC code is from AMI.
LMGTFY is not a valid response to a GPL request. You've linked to the AMI product page of MegaRAC, which contains no source code corresponding to what Gigabyte is using in their BMC.

you have to ask AMI.
I'm afraid I, and the GPL license, have to disagree with you here. Whether Gigabyte got their GPL licensed BMC source code from AMI or Bob's Burgers, it doesn't matter. The device manufacturer has an obligation to provide GPL source code for GPL licensed software they're shipping in their product. I am not an AMI customer, I am a Gigabyte customer.

You don't go to Google to request the GPL source code for a Samsung phone. I find it hard to take your replies in good-faith, you have added nothing to the discussion at hand.
 

RolloZ170

is not a valid response to a GPL request. You've linked to the AMI product page of MegaRAC, which contains no source code corresponding to what Gigabyte is using in their BMC.
AMI BMC contains some open source(linux)
you can only get sourcecode of the GPL parts inside.
You don't go to Google to request the GPL source code for a Samsung phone.
what if it's not GPL?
you are expecting all firmware to be GPL?
 

RolloZ170

The device manufacturer has an obligation to provide GPL source code for GPL licensed software they're shipping in their product. I am not an AMI customer, I am a Gigabyte customer.
was a misunderstanding:
you can get the sourcecode of the (complete functional) BMC only from the licensor AMI (NDA), it's not GPL.
all other GPL parts inside the firmware are publicly available.
 

hmartin

all other GPL parts inside the firmware are publicly available.
No, they are not. Linking to vendor marketing fluff and telling me to go ask AMI are not relevant or helpful.

My OP stands, Gigabyte are using GPL licensed software in their BMC and are refusing to provide it upon request:
Also, you must do one of these things:

  • a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
  • b) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
  • c) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
  • d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.
This is a violation of the GPL and if Gigabyte do not change their stance I will be pursuing other means to compel them to provide it.
 

mtg

No, they are not. Linking to vendor marketing fluff and telling me to go ask AMI are not relevant or helpful.

My OP stands, Gigabyte are using GPL licensed software in their BMC and are refusing to provide it upon request:


This is a violation of the GPL and if Gigabyte do not change their stance I will be pursuing other means to compel them to provide it.
I agree, this is a GPL Violation. You may be able to get legal involved by guessing the email (legal@gigabyte?), or asking the support rep to contact legal.

Gigabyte must provide the source as they are the ones distributing it.

I was successful using this technique for Phase One, a camera company that uses Linux in their cameras. I politely asked the support person to check with legal and got a dump of their source the next week. It was mostly the base Xilinx Zynq Linux package, but still, they need to provide it, not tell me to go ask Xilinx/AMD.

FSF recently updated their FAQ, it’s their belief anyone can sue a company under GPL.
 

BlueFox

Best of luck. You personally have little recourse to pursue legal action against them since you're not a party to the contract.
 

BlueFox

So, there has yet to be an outcome in favour of the plaintiffs, which means no precedent has been set. The OP is not even in the jurisdiction where the case is being heard anyway.
 

RolloZ170

if we get the source code we can't know if it is the correct one used. they never provide the complete code or we get src.code of windows 10 soon?
best way is rev.engineering.
 

i386

I would argue that the bmc stuff runs on top of linux/doesn't derive from the linux kernel and hence doesn't fall under the gnu gpl v2 license...
 

hmartin

if we get the source code we can't know if it is the correct one used. they never provide the complete code or we get src.
If they do not provide the complete or correct source code, they're in violation of the software license. If they don't want to voluntarily provide it, they can be legally compelled to (see: SFC vs Vizio). License compliance is not rocket science (despite numerous people's attempts in this thread to portray it as such).

I would argue that the bmc stuff runs on top of linux/doesn't derive from the linux kernel and hence doesn't fall under the gnu gpl v2 license...
If you distribute binary software derived from GPL source code, you have an obligation to provide the source code upon request whether you've made modifications or not:
You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.
 

BlueFox

As mentioned previously, SFC v. Vizio has not concluded after 3 years in the court system, so, no, currently, Vizio has not been compelled to do anything. The outcome of it may set a precedent, but only in the jurisdiction where it is being heard, the US. A court case on the other side of the Atlantic will have no bearing on Europe and precedent is a common law concept, not civil law anyway.

Either way, you will find that it will be very difficult to compel them into compliance. Companies know how difficult enforcement is, so, they have little incentive to do so.
 

RolloZ170

If they do not provide the complete or correct source code, they're in violation of the software license.
i said you can't know.
currently they use AMI BMC firmware which includes some GPL code. Gigabyte can't provide complete source of FW, but maybe code of Lighttpd.
if they provide src. of the BMC they get in bug problems with AMI.