Tivoization

There is a paradoxical class of firmware, for which the source code is free software, because it carries a free software license, but specific hardware, for which these programs are designed, renders any binaries produced from that source code nonfree in practice. That is because that hardware requires the binary to be signed by the hardware manufacturer, either in order to run at all, or in order to make use of crucial hardware facilities, effectively forbidding users to run modified versions. We call these programs tivoized blobs.

While it is still physically possible to replace the released binary on the hardware that enforces signatures, it is useless to do so, since the hardware would refuse to run the modified version, or to do some special job such as decoding the DRM. Therefore, the freedom #1 (one of the four essential freedoms) is missing, and that binary is not free, even though the source code may carry a free software license. Indirectly, tivoization affects the other freedoms (to use and to distribute modified versions), because any modification of the firmware by yourself will result in broken hardware. The binary may qualify as open source, because the term “open source” is defined in terms of how the source is treated.

The publisher or the manufacturer may advertize this forced signature check as a “feature.” Here is their argument: your computer won't boot (or will lack important features) if the hardware detects corrupted firmware, so tivoization protects you and your data. But we should wonder: whom does it protect, and from whom? Who is the owner of this lock? Who decides what is good or bad software for our own computing? If it is not us, then this computer is not loyal.

The tivoization is a not a security feature, it is a trap for our freedoms. It prevents users from upgrading their own hardware or firmware, and it suggests a false sense of security by giving the control of their computer only to some “trusted” firmware provider, compelling users to take the provider's word for their safety.

The firmware that drives the hardware at the lowest level also has the most control over it. It often contains back doors and vulnerabilities which only the “trusted” provider (trusted by the hardware) is allowed to fix.

Preventing unsigned or self-signed versions of the firmware to be run is a way for the manufacturer and publisher to keep the control over your computing, even more than if the source code itself were proprietary! It only serves the purpose of the publisher or manufacturer, and has no benefit to the software user or the hardware owner. On the other hand, supposing some models of hardware will run modified versions, there is no advantage for you in using the manufacturer's signed version instead of a self-signed variant.

Among the most important additions in the GNU General Public License version 3, in 2007, was to prohibit taking a GPLv3-covered program and distributing it under tivoization, because it denies users the freedom, in practice, to modify the program and then use the modified version.

As stated by the GNU Free System Distribution Guidelines, operating systems which provide such firmware are not free, whether the upstream source code is free or not.