# 2024-04-03 - coreboot Leadership Meeting Minutes

## Attendees
David Hendricks, Werner Zeh, Felix Held, Felix Singer, Jay Talbott, Jon Murphy, Jonathon Hall, Julius Werner, Martin Roth, Matt DeVillier, Maximilian Brune, Nicholas Chin, Philip Molloy, Mina Asante, Nico Huber, Linus Lackner.



## Announcements & Events
  * OCP Regional Summit: Lisbon, Portugal on April 24–25, 2024 [https://www.opencompute.org/summit/regional-summit]

  * FOSSY conference: August 1-4 2024 in Portland, Oregon, USA [https://sfconservancy.org/fossy/]
    * **[Community track proposals](https://sfconservancy.org/fossy/community-tracks) are open until April 18, 2024**

  * COSCUP - Taipei, Taiwan on 2024/08/03 ~ 2024/08/04 [https://coscup.org/2024/en/landing]

  * OSFC will be in Bochum Germany - September 3-5, 2024 [https://www.osfc.io/]
    * **[Call for participation](https://talks.osfc.io/osfc-2024/cfp) is open until May 31st, 2024**

  * OCP Global Summit: San Jose, California on October 15–17, 2024 [https://www.opencompute.org/summit/global-summit]



## Open Action Items
  * 2024-03-20
    * [Open] Martin: Add a note to the gerrit guidelines to email the leadership.
  * 2024-03-06
    * [Open] Martin: To update documentation on gerrit contributing guidelines.
      * https://doc.coreboot.org/contributing/index.html
  * 2024-01-10
    * [Open] Werner: Push patch based on https://ticket.coreboot.org/issues/522
      * Nico: https://review.coreboot.org/q/topic:enforce_region_api
    * [Open] Daniel: Look at how we want to localize (non console) strings for coreboot. Long term project.




## Minutes

### [Martin] Handle GOP drivers
  * How do we intend to handle GOP driver init going forward? Do we know what graphics card manufacturers are planning? (when) will we lose legacy option rom support on external graphics cards? Currently the option rom is specified by the PCI specification, so maybe we don’t need to worry.
    I’m thinking we could look at something modular, like yabel or x86emu currently do for the legacy option roms.
    * Graphics card manufacturers often support both UEFI and legacy option ROM init. They may get rid of legacy option ROMs at some point...
    * coreboot may need to implement a wrapper for a few calls needed.
    * Martin has a list of what needs to be supported for the AMD GOP driver.


### [Martin] [CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094) liblzma build compromise
  * The liblzma vulnerability did not impact coreboot source, but it did affect our build server images. Something similar could be done to coreboot to introduce some sort of vulnerability into the codebase.
    What do we need to do to help protect the coreboot codebase against similar attacks?
    * Isolate test targets in makefiles from normal builds?
    * Move all binaries out of the coreboot tree?
      * Relocating binaries probably won't help.
    * Julius: liblzma had a few issues that helped obfuscate the problem, such as using autoconf and automake that generate unreadable Makefiles.
    * Get rid of release tarballs?
      * [https://coreboot.org/downloads.html]
      * The vulnerability was injected into the release tarballs. coreboot has reproducible builds, so is there a purpose for having tarballs?
      * Werner: Having the source tarballs is useful in his case.
        * Corporate release processes make it difficult to point at a source code repo. Much easier to just point at a release tarball with everything needed.
      * Tarballs themselves are not reproducible. This can depend on things like the version of `tar` installed.
        * [reproducible-builds.org] has some suggestions on how to fix this.
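
The tarball point above, as an added example (not coreboot's release tooling and not part of the minutes): the GNU tar and gzip options that reproducible-builds.org documents for deterministic archives, compared against a plain `tar -czf`. The tree, file names and epoch value are constructed, and GNU tar 1.28 or later is assumed.

```shell
#!/bin/sh
# Added example, not coreboot's release script. Assumes GNU tar >= 1.28.
# All paths, file contents and the epoch value are constructed.

# repro_tarball SRC_DIR OUT EPOCH: output depends only on names and contents.
repro_tarball() {
    # LC_ALL=C + --sort=name : fixed member order instead of readdir() order
    # --mtime                : every member gets the same timestamp
    # --owner/--group        : the builder's uid/gid and names are not recorded
    # --mode                 : the builder's umask does not leak into the archive
    # gzip -n                : no file name or timestamp in the gzip header
    LC_ALL=C tar --sort=name --format=gnu \
        --mtime="@$3" --owner=0 --group=0 --numeric-owner \
        --mode='go=rX,u+rw,a-s' \
        -C "$(dirname "$1")" -cf "$2.tar" "$(basename "$1")" &&
        gzip -n < "$2.tar" > "$2" && rm -f "$2.tar"
}

# naive_tarball SRC_DIR OUT: plain tar, records whatever is on the builder's disk.
naive_tarball() {
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

digest() { sha256sum < "$1" | cut -d' ' -f1; }

# compare_builds MODE: archive the same tree from two "checkouts" that differ
# only in file timestamps and creation order; print "same" or "different".
compare_builds() {
    w=$(mktemp -d) || return 1
    mkdir -p "$w/a/proj/src" "$w/b/proj/src"
    printf 'int main(void) { return 0; }\n' > "$w/a/proj/src/main.c"
    printf 'all:\n' > "$w/a/proj/Makefile"
    printf 'all:\n' > "$w/b/proj/Makefile"
    printf 'int main(void) { return 0; }\n' > "$w/b/proj/src/main.c"
    touch -t 200101010000 "$w/b/proj/Makefile" "$w/b/proj/src/main.c"
    if [ "$1" = repro ]; then
        repro_tarball "$w/a/proj" "$w/a.tgz" 1712102400
        repro_tarball "$w/b/proj" "$w/b.tgz" 1712102400
    else
        naive_tarball "$w/a/proj" "$w/a.tgz"
        naive_tarball "$w/b/proj" "$w/b.tgz"
    fi
    if [ "$(digest "$w/a.tgz")" = "$(digest "$w/b.tgz")" ]; then r=same
    else r=different; fi
    rm -rf "$w"
    echo "$r"
}

compare_builds naive
compare_builds repro
```

With archives built this way, anyone can regenerate the tarball from the tagged tree and compare its digest against the published one.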

### [Martin] Gitiles is still disabled
  * It was disabled since a web crawler was hitting it with a lot of requests, causing a lot of traffic and CPU utilization, and ultimately DOS'ing Gerrit.
    * What do we want to do until it’s re-enabled?
    * Should we just re-enable it now, blocking user-agents for known web-crawlers and see how things go?
      * Main advantage is that you click on a hash in Gerrit and it brings you to the source code.
      * We can't block IP addresses, but we can block user-agents.
        * FelixS has volunteered to work on this.

### [Werner] [https://review.coreboot.org/c/coreboot/+/69159]
  * TPM patch was merged that breaks timeless builds somehow. .text and another section end up overlapping other sections.
    * This might need a recent patch to increase bootblock size.
      * [https://review.coreboot.org/c/coreboot/+/80348] <-- only applies to AMD right now.
    * Why was this not caught by Jenkins?
      * It depends on the configuration, and only breaks if TPM is enabled.




# Next meeting
  * April 17, 2024.
   * [coreboot Calendar](https://coreboot.org/calendar.html).



# Notice
  * Decisions shown here are not necessarily final, and are based
    on the current information available. If there are questions or comments
    about decisions made, or additional information to present, please put
    it on the leadership meeting agenda and show up if possible to discuss it.
    Of course items may also be discussed on the mailing list, but as it's
    difficult to interpret tone over email, controversial topics frequently
    do not have good progress in those discussions. For particularly
    difficult issues, it may be best to try to schedule another meeting.



# coreboot leadership meeting minutes
     
[2024-04-03](https://docs.google.com/document/d/1NRXqXcLBp5pFkHiJbrLdv3Spqh1Hu086HYkKrgKjeDQ/edit?pl=1).