Embedded Open Modular Architecture/EOMA68/Considerations

From eLinux.org

External Factors, Considerations and Influences

On the face of it, creating an EOMA68 compliant device should be quite simple (deceptively so): make some hardware, slap some software on it, sell it, forget it. That's how it's done with standard products, so the same should apply to EOMA68 compliant devices, right?

WRONG.

The reason is very simple: The lifecycle of EOMA68 Cards and Housings does not end with their sale by the Retailer.

There are in fact a huge number of factors that need to be taken into consideration, ranging from possible patents, hardware interoperability, software interoperability, patent trolls, DRM, Tivoisation, repair procedures, diagnostics procedures, third party peripherals, components sourcing, NDAs, documentation, source code availability, used, recycled or repurposed card and housing mis-selling and mis-labelling, and much more. Incredibly, all of these factors and many more could, if not dealt with, lead to end-users throwing EOMA68-compliant devices away in disgust (or fear!) where we now know from investigations of "recyclers" that the products may actually end up back in circulation (even if they are mis-labelled).

This part of the Specification therefore covers as many issues as possible (not specifically related to Hardware design or to Software: these are covered by separate pages) that could have some adverse effect on EOMA68 in some way, either through bringing the reputation of EOMA68 into disrepute, or by causing unanticipated incompatibility: the list really is too long to enumerate, so we do the best that we can.

Precedence

It is very important to the understanding of EOMA68 that the order of precedence of the factors which need to be considered is clear.

  1. SAFETY. The absolute top priority is Safety of end-users (and any other people who may come into contact with EOMA68 Cards and Housings, including but not limited to factory-workers, transportation workers, retail store staff and many more)
  2. SIMPLICITY FOR END-USERS. As opposed to "over-simplification of the software, or the hardware, for the convenience of the Manufacturer or Retailer"
  3. FREEDOM. As defined by the FSF, being the "Four Freedoms", but applied not just to software but also to PCB designs, Casework designs, ASIC designs.
  4. CONVENIENCE. This is deliberately placed a long way down the list: convenience does not come at the cost of safety, security, freedom or anything else.

Specialist Tools, Equipment and Software

From the example and lesson of the Vehicle Industry and the "On-board Diagnostics" equipment fiasco which has been ongoing for decades, specialist tools, equipment and software for the purposes of installing firmware, managing Cards, operating the device, or any components utilised anywhere in Cards or Housings, or even just for opening up casework, are simply not permitted, including after the Cards or Housings are distributed.

The lesson of the OBD scenario is particularly relevant from several perspectives:

  1. Firstly, the hardware protocol had to be reverse-engineered in order for people to interoperate with it
  2. Secondly, once hardware-level interoperability had been achieved, it was discovered that the data format is not self-describing and there is no provision for ascertaining the available features (unlike COM, which has "Interface self-describing Capabilities" as a fundamental and integral part of its design). So although there was a core format that appeared to be common across a wide range of manufactured vehicles, various manufacturers had added proprietary "extensions" without declaring or publishing the same, on a per-vehicle and even "per-vehicle-firmware-upgrade" basis.
  3. Thirdly, the connectors utilised varied drastically from vehicle to vehicle. The author of this standard was shocked to have been shown (over 15 years ago), by one small independent garage, an ENTIRE SUITCASE stuffed with adapter cables. Early efforts to standardise the connectors actually resulted in the complete opposite, as Manufacturers resorted to DELIBERATELY putting custom connectors (in violation of common sense) as a desperate last-ditch effort to use the well-known utterly flawed practice of "security by obscurity".
  4. Fourthly, the proprietary software available which vaguely keeps up-to-date with the thousands of vehicles ever manufactured (and their associated firmware updates) was ultra-expensive, ran on the oldest, most out-of-date computing equipment known to man, and was itself DRM-locked such that the only way for a garage to utilise it without paying the exorbitant ongoing license fees just to use it for older vehicles was to remove the legacy PC's BIOS backup battery, so as to reset the clock back to a date preceding the "expiration" date associated with the proprietary software's badly-designed DRM.
  5. Fifthly, several court cases against reverse-engineers have been initiated over the years. There are also several efforts by groups such as the EFF and others to pursue changes to the law in various countries, all with a view to ensuring that drivers and garages have a "Right to Repair" their own legitimately and wholly-owned vehicles without fear of retribution or harm or damage to their vehicle. The primary (but not sole) purpose of these court proceedings is to compel Vehicle Manufacturers to provide full and complete documentation of the custom data formats and custom communications protocols, removing their designation as "proprietary" and "trade secret".
  6. Sixthly, despite numerous "attempts" by various Vehicle Manufacturers to "fix" problems, vehicles to this day remain vulnerable to hacking attempts via their OBD Interface (including some that could cause death or injury, such as engaging a single brake disk on only one wheel when a vehicle is travelling at over 70mph).
  7. Seventhly, rather than acknowledge these problems and deal with them, some of the manufacturers incredibly seek to SUE the Security Researchers who act in a responsible and ethical manner after bringing the vulnerabilities to the attention of the manufacturer!

This unbelievably ridiculous situation is one which simply may not be tolerated in regard to EOMA68, because all of the above interferes with the tagline "Just Plug It In: It Will Work" as well as simply flat-out scaring people silly, such that they would want absolutely nothing to do with EOMA68 if it suffered from any of the above insane problems!

There is a simple way to ensure that this practice does not affect EOMA68 compliant hardware: not only will Certification not be granted if specialist tools, software or equipment are required to use, diagnose, repair, operate or initialise EOMA68 compliant hardware, but if any party endeavours to "change the rules of the game" after first distribution, Certification will be automatically revoked for all and any hardware that critically relies on or depends on the same. This is regardless of whether it is a third party that endeavours to seek patent royalties, forces NDAs, claims copyright or trademark infringement, enables or activates DRM, or deactivates services (online or otherwise) on which DRM measures critically rely (please note that this includes 3G / 4G / LTE or other wireless services, particularly those that are "locked" to a particular vendor).

Thus it becomes in the best interests of Manufacturers to put pressure on such third parties (should the situation arise) to very quickly resolve the situation (or to ensure that the situation never arises, by not making a design critically dependent on one exclusive technology). Note that "paying up" does NOT constitute "resolution". Certification is still guaranteed to be revoked under these circumstances, as the threat is still present. An example of "Resolving the situation" would be "buying up the third party's patent, Trademark or Copyright claim" followed by "issuing a clear and royalty-free license". Challenging the patent or requesting a review would also constitute "Resolving the situation" (as long as there does not also exist the possibility of (or an actual) Court Order requiring that products be impounded, held or otherwise prevented and prohibited from distribution, sale or use).

About the only possible exception here is for FPGA-based EOMA68 Cards (or Cards or Housings which require or utilise FPGAs). Given that FPGAs typically require proprietary software, it is a reasonable expectation that they continue to be programmable for the duration of their operational lifespan. However, even here: if the proprietary software suddenly becomes unavailable (or stops working due to OS incompatibility, or due to bugs), Certification of any product utilising FPGAs that are critically dependent on that software will be revoked, even if the product is otherwise still functional and operational. The reason for this is that any third party may, at any time, wish to re-program the on-board FPGA, and would, at that time, discover that this is simply no longer possible. It really is therefore in the best interests of anyone considering utilising FPGAs to ensure that the tools and toolchain required to program them are entirely "Libre".

DRM and Tivoisation

For purely practical reasons related to the anticipated lifespan of EOMA68, neither DRM nor Tivoisation is permitted in either EOMA68 Housings or Cards. The reason for this is very straightforward: the tagline over the anticipated decade lifespan of the standard is "Just plug it in: it will work". So there is anticipated to be a huge range of decade-old all the way up to modern Housings that are expected to interoperate without hassle with a decade-old all the way up to modern EOMA68 Cards.

Any application of DRM in the Housings automatically interferes with that tagline, and would thus bring the EOMA68 Standard into disrepute. To avoid this occurrence, DRM is simply not permitted. Or... it is permitted... but only if (just as in the GPLv3) the DRM key is published (under an in-perpetuity, irrevocable and royalty-free unencumbered license). Imagine if there is a DRM-locked peripheral in a Housing that only worked with a certain third party Manufacturer's Computer Card. How on earth would the tagline "Just Plug It In: It Will Work" be a guaranteed promise when another manufacturer's EOMA68 Card does not work with that DRM-locked Housing?

Tivoisation (the practice of DRM-locking the software including but not limited to the bootloader so that it can never be replaced or upgraded) is also not permitted. End-users will also have certain expectations that older Cards will continue to function in newer Housings well beyond the manufacturer's anticipated lifespan (of their own company, even, let alone of the Card). So as to ensure that the projected eco-conscious benefits of EOMA68 actually materialise, end-users must be able to upgrade and replace the bootloader and the full OS on their own legitimately-purchased hardware (at their own expense). A third party manufacturer cannot be expected to assist end-users with the process of ensuring that their legitimately-purchased Card continues to function in another third party's (more modern) Housings, but neither should they be permitted to prevent end-users from ensuring that their Card continues to function.

Given that some Cards may be FPGA Cards, and given that some may be "Pass-through" Cards, it is simply too complex and too costly to implement DRM or Tivoisation. Passthrough Cards would require arbitrary OSes to have drivers written, because Pass-through Cards (which would typically have a USB port and/or HDMI or other video output) may be plugged into tablets (with any OS), smartphones (with any OS), laptops (with any OS), desktops (with any OS) - any device with a USB port or an HDMI port with such a massive list of OSes that it becomes utterly impractical to consider writing DRM-locked proprietary drivers to support such an overwhelming array of devices and OSes. Therefore, for purely logical and practical reasons, DRM and Tivoisation are simply prohibited.

Exception to DRM and Tivoisation

There is one and only one exception, under very specific circumstances: Virtualisation. If there is a CPU in the Card, and the CPU is capable of "Hardware Virtualisation" - the capability to run one or more OSes as "guests" under a "Host" OS - those "Guest" OSes are permitted to run DRM and Tivoisation, as long as it is entirely software-isolated within the "Virtualised Container" that in absolutely no way affects the end-user's ability to replace the "Host" OS at their own discretion, and does not affect the end-user's ability to use any of the hardware features of Cards or Housings.

A good test of compliance with this Exception would be: if the "Virtualised OS" is not running (or the Host OS entirely replaced), do all of the features of the Card still function (with the exception of those provided exclusively by the "Virtualised OS") and does it still function in all available EOMA68 Housings? If the answer is "no" to this question, the Card is not compliant with the EOMA68 Specification.

An example therefore of a non-compliant Card would be one whose Virtualised OS sends proprietary (DRM-related) messages to a peripheral (a screen or storage device) that is an integral part of a Housing, such that, without those messages, the screen or storage device is either inoperable or operates with reduced capability (this practice is well-known to be implemented in portable USB-based DVD-RW drives). Thus in this example, if the operation of the Housing's built-in peripheral requires the Virtualised OS to be running, that is non-compliance with the EOMA68 specification.

It's worth noting that through Virtualisation, entire proprietary OSes may best be deployed. Given that proprietary OSes are extremely unlikely to be able to keep drivers up-to-date over decades-long periods with the huge projected range of future Housings, Virtualisation is about their only sensible deployment option. The "Host" OS (most likely GNU/Linux-based) would be responsible for helping normalise the interaction with the outside world to a limited subset of "abstracted hardware drivers" (for Networking, screen, keyboard etc) providing soft-emulation that maps down to real-world hardware. QEMU, VMWare, L4KA and XEN all have this well-known capability: some even provide optimised hardware-acceleration as well, making the "Virtualisation" route less burdensome for the proprietary OS vendor.