Concerns about the security risk of Chinese chips

Continuing the discussion from Comparing specs of upcoming Linux phones:

Allwinner is a shady company in my opinion, since it continues to violate the GPL after years of complaints by the community. I really wish that someone would take the company to court.

However, this particular issue only affected the Allwinner H3, A83T and H8 processors that were running Allwinner’s Linux 3.4 kernel (not the mainline kernel). Since the PinePhone is using the Allwinner a64 and most of its ports are using Linux 5.7, it isn’t affected. At this point, the PinePhone basically runs mainline Linux, except for HDMI Audio. (I don’t think any of the PP ports are using hardware video encoding, which isn’t supported by the free drivers.)

I think it is hypocritical to harp on about how bad the Chinese government is for inserting spy chips in Supermicro servers used by Apple and Amazon, without acknowledging that there is more credible evidence from the Snowden leaks that the US, German and French governments have inserted spy chips in ICT equipment.

For citizens of the 5-eyes countries and Japan that have participated in the NSA spying program, the spying by their own governments is a greater threat to their privacy than the spying of the Chinese government. The Snowden documents showed that the NSA had agreements to get access to the servers of Microsoft, Google, Yahoo!, Facebook, Dropbox and Apple. Google and Apple claim that they no longer have such agreements and are now encrypting their content to prevent the NSA from gaining unlawful access, but reports say that the mass surveillance of the NSA continues in an altered form.

As for the chip companies themselves, I don’t think it is a good idea to say a company is bad just because it is Chinese. It is best to look at the policies at the particular chip companies, since I don’t think their nationality has much to do with it. Rockchip and PINE64 are Chinese companies that are pretty good in my opinion, but Huawei/HiSilicon and Allwinner are more questionable. I also think that American companies Apple and Qualcomm have done some morally questionable things.

Here is how I rank the makers of mobile SoC’s in terms of their respect for free software and openness in general (with headquarters in parentheses):

  1. NXP (Eindhoven, Netherlands and Austin, Texas, USA)
    The Motorola->Freescale operations had a long history of being more open and Linux friendly which continues today in the Austin facilities. The mobile kernel, μClinux, started with porting Linux to Motorola’s DragonBall processors in 1998. The i.MX 6 and 8M can run on 100% free software (except the DDR timing trainer code during bootup); its developers contribute directly to the mainline Linux drivers for its chips; allows the public to view its documentation without an NDA (although registration with a company email is required to download the Reference Manuals and Application Notes); has a public forum to ask questions; promises 10 or 15 years of production of its SoC’s.
  2. Rockchip (Fuzhou, Fujian, China)
    Used to not be very open, but working with Google on Chromebooks caused it to start publishing the source code for its Linux kernels. In 2016, the company created a Github account and wiki. In 2017, Rockchip started publishing its FOSS drivers and documentation for its chips at its http://opensource.rock-chips website. All its documentation is publicly downloadable and the RK3399 can now run on 100% free software, although it’s still experimental.
  3. Broadcom (San Jose, California, USA)
    The only mobile SoC manufacturer which has released free/open source drivers for its GPU (VideoCore). Requires proprietary blobs to boot its chips (which is a problem for the Raspberry Pi). Requires an NDA to view its documentation.
  4. Qualcomm (San Diego, California, USA)
    Shares its kernel source code on CodeAurora, which makes it easier for the community to create free/open source drivers for mainline Linux. Its Snapdragon SoC’s eventually get mainline Linux support although it usually takes about 3 years after being released. Accessing its documentation requires signing an NDA and Qualcomm shares no public information about its Adreno GPUs. Freedreno drivers can run its Adreno GPUs, but proprietary blobs are required to use the WiFi, Bluetooth, cellular modem and GNSS in the Snapdragon.
  5. Amlogic (Santa Clara, California, USA)
    Shares its code and some documentation at openlinux.amlogic.com, but much of the content on the site hasn’t been updated since 2016, aside from the source code for its kernel releases. Much of its technical documentation isn’t publicly available and some code access requires signing a Service Level Agreement (SLA). On the other hand, Amlogic has paid developers at LibreBay to add mainline Linux support for some of its processors, including the Mali GPUs.
  6. Samsung (Seocho District, Seoul, South Korea)
    Requires signing an NDA to get its documentation. Some of its Exynos chips now have mainline Linux support and many of the recent Galaxy models with Exynos are getting LineageOS ports. The free Lima driver can be used with its Mali GPUs, but Exynos requires proprietary blobs to use its WiFi, Bluetooth, cellular modem and GNSS.
  7. Allwinner (Zhuhai, Guangdong, China)
    Allwinner has been violating the GPL for years by not releasing the source code for its kernels. It used to answer questions and give documentation to the community, which is why its older A64 processor has excellent support in mainline Linux, but it stopped answering questions, which is why the A80 and later processors don’t have good mainline Linux support. Its A64 can run on 100% free software (although no support for hardware video encoding).
  8. MediaTek (Hsinchu, Taiwan)
    None of its SoC’s get mainline Linux support. It took steps in 2014 to start working with the FOSS community, and we had a few phone models that even got CyanogenMod ports, but that only happened for a brief window of time, and then MediaTek stopped publicly releasing the kernel source code. Because it only sells its chips to device makers (and not to the general public), it technically is only required to share its changes to the Linux kernel with the device makers under the GPL 2.0, so the device makers and not MediaTek are the ones violating the GPL.
  9. UNISOC (Shanghai, China)
    There is no mainline Linux support for the UNISOC SCxxxx and Tiger SoC’s and all their documentation requires signing an NDA. UNISOC is owned by the Chinese state.
  10. Apple (Cupertino, California, USA)
    Has a policy of locking the bootloaders of its devices, so the user can’t change the operating system, and forcing the user to jailbreak its devices to do simple things like change the ring tone or install software which isn’t found in the Apple Store. Because Apple only produces its A-series processors for internal use, there are no hardware partners that get the documentation, so little chance of it ever leaking. When Apple forked KHTML to create WebKit, the GPL license forced it to remain as FLOSS, but Apple does deserve some credit for not privatizing the BSD command line tools underneath OS X, which it has released as Darwin, and for supporting the development of LLVM and Clang and for creating Swift as a FOSS programming language. However, Apple’s goal in developing these tools has been to eliminate the use of GPL software such as GCC. Apple actively cooperated with the NSA for a while, but after being embarrassed by the Snowden revelations, it now resists governmental surveillance.
  11. Huawei/HiSilicon (Shenzhen, Guangdong, China)
    Like Apple, Huawei locks the bootloaders of all its devices and there is no way to gain root access for most of its devices except to pay for expensive proprietary cracks. Nobody but Huawei gets documentation for its HiSilicon Kirin processors. Unlike Apple which maintains and contributes to some FOSS projects, Huawei appears to have an active aversion to FOSS, although it is hard to know what is inside its Harmony OS. Huawei is not state-owned like UNISOC, but it has a history of ties with the Chinese military, and it is a facilitator of surveillance by the Chinese government.
19 Likes

A very comprehensive response. :+1:

1 Like

If you’re paranoid, you could run armshaker. It is a tool which systematically tests registers to uncover, if they exist, a processor’s hidden instructions by monitoring the executions for anomalies on Armv8-A.

BTW if someone gets their hands on a Dogwood or early Evergreen, I would be interested in the results.

The guy behind that tool made it for his master thesis but didn’t find any weird stuff in the CPUs he tested, only bugs in QEMU/Linux.

5 Likes

Re/ the subject: I have more concerns about the security risk of chips not made in China, but in US or Germany, for example.

1 Like

That seems totally logical… NOT!

1 Like

Logical or NOT?

I feel like this same discussion has come up multiple times on the forum. That said, thanks @amosbatto for the comprehensive overview of chip companies’ openness and FOSS-friendliness.

1 Like

I have more concerns about the security risk of chips made [ ] in US

US has a track record in this domain, e.g. Cisco network equipment …

NOT. Distrust individual companies. When you paint an entire country you do an injustice to the people who have nothing to do with the corruption of one or more companies.

2 Likes

Shouldn’t you say this to the original poster?

Did I somehow not? Or do you think because I replied to you, it only applies to you?

Consider it implied.

while in the Matrix don’t look at the lady in red or …

Interesting overview, thanks. I agree with NXP being on top here. I’m slightly surprised to see Rockchip as #2, in the past I haven’t had the idea they were very committed to open source, especially getting things into the upstream kernel, but happy to see it seems to have improved with newer chips.

Where would you rank Marvell Armada?

Working with Google on Chromebooks caused Rockchip to start publishing its kernel source code in 2016, and Rockchip has gotten progressively better since then. As far as I know, Rockchip doesn’t actively commit to mainline Linux, but it does provide its source code, which the community can use to get support in mainline Linux.

Probably just below Qualcomm. Marvell Armada publishes all the documentation for public download, which is fantastic. However, I can’t find any evidence that Amlogic has continued to publish the source code for its Linux kernels after 4.14 at https://github.com/MarvellEmbeddedProcessors/
Maybe the company moved to a new platform, but I can’t find it.
At any rate, up to Linux 4.14, its processors had pretty good mainline Linux support:
https://elinux.org/Marvell_EBU:Mainline_Linux

3 Likes