Kernel Deblobing

From Gentoo Wiki

From Wikipedia: A binary blob is a closed-source binary-only piece of software without publicly available source code. Since 1996, the Linux kernel has included an increasing number of binary blobs to handle devices with closed-source firmware only (and among these devices, those without technical documentation which would authorize free firmware development for them). Proprietary software always introduces freedom, security, or privacy concerns.

Deblobing is the operation which removes binary blobs from source code to get a completely blob-free kernel. This is done with two shell scripts written by Brian Brazil, Jeff Moe, and Alexandre Oliva, named deblob-check and deblob-<version>, where <version> represents the kernel revision. A third script, deblob-main, which is for Linux tarballs, is not used here. See the scripts' README for information about them.

Those scripts are provided by the Free Software Foundation Latin America (FSFLA) for each kernel revision. FSFLA mainly provides the Linux-libre distribution.

Once deblobed, the kernel is compiled as usual. Deblobing the kernel obviously means that devices that exclusively support proprietary firmware cannot be used. Generally this includes all new Intel wireless cards. Nvidia graphics cards will only work with the nouveau open source driver.

See below for how to get a list of removed blobs without compiling the kernel.

Deblobing rt-sources

For sys-kernel/rt-sources, set the USE flag deblob in /etc/portage/make.conf; the sources will be automatically deblobed after being emerged.

Deblobing gentoo-sources (or any other sources)

Starting with kernel version 4.14, the whole firmware tree has been dropped. So, for new kernel versions, deblobbing is no longer necessary.

The deblob USE flag no longer deblobs sys-kernel/gentoo-sources; this must be done manually.

linux-4.4.26-gentoo is used in the following example.

Emerging sources

When using the default ACCEPT_LICENSE="-* @FREE", first accept the linux-firmware license needed for Gentoo sources.

root #echo 'sys-kernel/gentoo-sources linux-firmware' >> /etc/portage/package.license

/etc/portage/package.license may be a directory; in this case issue, for example:

root #echo 'sys-kernel/gentoo-sources linux-firmware' > /etc/portage/package.license/gentoo-sources

Then emerge Gentoo sources:

root #emerge --ask sys-kernel/gentoo-sources

Then set the /usr/src/linux symlink to the emerged sources if the symlink USE flag is not set for Gentoo sources.

First get the list of available sources:

root #eselect kernel list
[1] linux-4.1.37-gentoo *
[2] linux-4.4.26-gentoo

… then choose the right ones:

root #eselect kernel set linux-4.4.26-gentoo

Then change directory to /usr/src/linux:

root #cd /usr/src/linux

Downloading deblob scripts

The scripts are on the Linux-libre server. First define some variables to shorten the commands that follow:

  • version contains the sources version and is the only one that needs adapting; a minor version number is not mandatory;
  • main is generated and contains version without the minor revision where there is one, 4.4 for 4.4.26;
    (If there is a release candidate string, 4.5-rc7 for example, enter main by hand; there is usually no rc string with gentoo-sources.)
  • url contains the download URL.

Making the vars:

root #version=4.4.26
root #if [ "$(echo "$version" | tr -cd '.' | wc -c)" -eq 2 ]; then main="${version%.*}"; else main="$version"; fi


root #wget $url$version-gnu/deblob-$main
root #wget $url$version-gnu/deblob-$main.sign
root #wget $url$version-gnu/deblob-check
root #wget $url$version-gnu/deblob-check.sign

Make the scripts executable by root only:

root #chmod 744 deblob-$main deblob-check

Verifying signatures

First import or update the Linux-libre server key from the keyserver configured for gpg:

root #gpg --recv-keys BCB7CF877E7D47A7

Then verify the signatures:

root #gpg --verify deblob-$main.sign deblob-$main
root #gpg --verify deblob-check.sign deblob-check

For each verification this warning is usual, because the server's key was imported but not trusted:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

The important output is Good signature for each script.
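
As an added example (not part of the wiki page or of the Linux-libre scripts), the check above can be scripted against gpg's --status-fd output, so that a script only passes when its signature was made by the key ID imported above; a "Good signature" from any other key in the keyring is rejected. The script name verify-deblob.sh, the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page: decide on gpg's machine-readable
# status lines instead of reading "Good signature" by eye.
EXPECTED_KEYID=BCB7CF877E7D47A7   # long key ID given on this page

# check_status KEYID: reads `gpg --status-fd` output on stdin. Succeeds only
# if a VALIDSIG line carries a signing-key or primary-key fingerprint ending
# in KEYID and no failure status is present (expired/revoked count as failure).
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            n = length(want); w = toupper(want)
            if (n && (toupper(substr($3, length($3) - n + 1)) == w ||
                      toupper(substr($NF, length($NF) - n + 1)) == w)) ok = 1
        }
        END { exit !(ok && !bad) }'
}

# verify_script FILE: checks FILE against FILE.sign (the page's naming).
verify_script() {
    gpg --batch --status-fd 1 --verify "$1.sign" "$1" 2>/dev/null |
        check_status "$EXPECTED_KEYID"
}

# Constructed status output (fingerprints are placeholders, not real keys).
FPR_OK=000000000000000000000000$EXPECTED_KEYID
FPR_OTHER=1111111111111111111111111111111111111111
sample_expected() {   # good signature from the expected key, key untrusted
    printf '%s\n' "[GNUPG:] GOODSIG $EXPECTED_KEYID Constructed Signer" \
        "[GNUPG:] VALIDSIG $FPR_OK 2016-10-22 1477094400 0 4 0 1 8 00 $FPR_OK" \
        "[GNUPG:] TRUST_UNDEFINED 0 pgp"
}
sample_other_key() {  # also a "Good signature", but from a different key
    printf '%s\n' "[GNUPG:] GOODSIG 1111111111111111 Someone Else" \
        "[GNUPG:] VALIDSIG $FPR_OTHER 2016-10-22 1477094400 0 4 0 1 8 00 $FPR_OTHER"
}
sample_bad() {        # file or signature was altered
    printf '%s\n' "[GNUPG:] BADSIG $EXPECTED_KEYID Constructed Signer"
}

# Usage (hypothetical script name): sh verify-deblob.sh deblob-4.4 deblob-check
for f in "$@"; do
    verify_script "$f" || { echo "REFUSING $f: signature check failed" >&2; exit 1; }
    echo "OK $f"
done
```

TRUST_UNDEFINED is the status-line counterpart of the "not certified with a trusted signature" warning and does not cause a rejection here; only the signing key's identity and the absence of a failure status are checked.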

Python version

Deblob scripts use the Python 3.8 interpreter. Emerge it:

root #emerge --ask --noreplace --oneshot dev-lang/python:3.8

Deblob command

Deblobing can now be started (remember the main var):

root #PYTHON="python3.8" ./deblob-$main

During the operation, which may be long, all deblobing information is displayed. After kernel compilation, the -gnu suffix will be appended to its name, 4.4.26-gentoo-gnu in this example.

List of removed blobs

To get the list of removed blobs with their kernel symbol names, redirect the deblob command output to a file:

root #PYTHON="python3.8" ./deblob-$main > /path/to/file/deblob-$version.log

As kernel sources can be re-emerged after being deblobed, this is a convenient way, without kernel compilation, to investigate whether the targeted hardware should work without binary blobs.

External resources