Thanks for the well thought out post @Dlonk, I appreciate your perspective. I’d like to share my own perspective about why the firmware jail is about providing the best options available today to all users, not catering to the needs of those with insider access.
This, in my opinion, is where the “game” starts. Linking the definition of “software” exclusively to where the program is stored doesn’t make sense any more.
I think the intent is clear - if the proprietary firmware is perfect, so that we never need to care whether it’s a program executed by a processor or a bunch of NAND gates with the same effect, then it doesn’t count as software.
Maybe that’s true for some things, like a mouse. The mouse probably has firmware that knows how to read the optical sensor, infer movements from the image observed, and report those movements over USB. The mouse firmware shouldn’t count as software. But again, the fact that it’s stored in ROM is at most only part of this determination.
I don’t think these things have been true for wireless hardware for some time now, regardless of where we store the firmware. Wi-Fi devices perform complex tasks and are exposed to data potentially controlled by an attacker.
Remote code execution vulnerabilities have affected Wi-Fi device firmware, allowing code execution on the card itself. Wi-Fi firmware has bugs (just take a look at the history of linux-firmware for firmware updates, though unfortunately most of the updates give minimal details).
And back to the mouse - if your mouse is wireless, then suddenly it is exposed to attacker controlled data and may be exploitable. You do have to care about its firmware now, it should count as software, even though it is burned into a flash ROM chip. (This is technically about the receiver, but the mouse is of course part of this system too.)
I’m not necessarily saying that Wi-Fi cards with firmware provided by the OS should count as RYF. I am saying that Wi-Fi cards with firmware burned into a ROM are worse in today’s environment. Calling them better is harmful.
The best situation of course would be cards with free firmware, there’s an entirely different discussion about why that doesn’t exist today. But without that option, we offer the best we can - put the blob somewhere you can see, inspect, and control, and offer no Wi-Fi as an option when possible if that meets your needs or you prefer a different card. If we keep pushing the limit in every way we can, we will make progress toward the ultimate goal.