NVIDIA Publishes Nouveau Patches For Secure Boot, Unified Firmware Loading

Written by Michael Larabel in NVIDIA on 18 January 2016 at 09:00 AM EST.
NVIDIA has released new patches today to help the open-source Nouveau driver step towards properly supporting the GeForce GTX 900 "Maxwell" graphics cards as well as better supporting Tegra.

The first patch series sent out today was authored by NVIDIA's Alexandre Courbot and provides unified firmware loading functions. He explained, "This patchset centralizes the firmware-loading procedure to one set of functions instead of having each engine load its firmware as it pleases. This helps ensure that all firmware comes from the same place, namely nvidia/chip/. This changes where the firmware is fetched from for falcon/xtensa/bios, but these locations never seemed to have been official anyway. Also for most (all?) chips supported by Nouveau there is corresponding internal firmware, so disruption should be minimal/non-existent. If this assumption is wrong, feel free to drop patches 3-5. At the very least, firmware officially provided by NVIDIA should be looked up using the new functions for consistency."

That patch series was followed by a second patch series also from Courbot. This second patch series is the latest for secure boot for dGPU and Tegra. This adds secure boot support to Nouveau, which is needed for when NVIDIA is finally able to release their signed firmware image files for the GeForce GTX 900 series. With Maxwell, NVIDIA began requiring signed firmware and that's led the Nouveau developers to call the new GPUs very open-source unfriendly. These patches also work with the signed firmware images of the Tegra X1 based Pixel C and SHIELD TV, which in turn can also be used on the Jetson TX1.

NVIDIA hasn't yet said when they will finally ship the signed firmware images for the GTX 900 series, which is a requirement in order to finally allow open-source hardware acceleration on these newer GPUs that have now been out for more than one year. However, with all of this code now in place, everything will hopefully be squared away as soon as the firmware ships. All this time the Nouveau developers have been just waiting on NVIDIA to be able to provide these signed binary blobs.

This secure boot code isn't to be confused with UEFI SecureBoot. Of the NVIDIA secure boot, it's explained in one of the patches as:
On GM20x and later GPUs, firmware for some essential falcons (notably FECS) must be authenticated by a NVIDIA-produced signature and loaded by a high-secure falcon in order to access certain registers, in a process known as Secure Boot.

Secure Boot requires the building of a binary blob containing the firmwares and signatures of the falcons to be loaded. This blob is then given to a high-secure falcon running a signed loader firmware that copies the blob into a write-protected region, checks that the signatures are valid, and finally loads the verified firmware into the managed falcons and switches them to a privileged mode.

Hopefully these signed firmware blobs will arrive prior to NVIDIA shipping Pascal GPUs so that Maxwell owners can finally take advantage of the open-source Nouveau driver, if they wish to part ways with the high-performance proprietary NVIDIA Linux driver. The next opportunity for these Nouveau DRM patches published today to be mainlined will be the Linux 4.6 kernel.
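
The copy, verify, then load ordering described in the quoted patch text can be modelled in a few lines. This is an added illustration, not code from the Nouveau patches: the blob layout, the `secure_load` and `build_blob` names, and the use of HMAC-SHA256 with a constructed key in place of the NVIDIA signature are all assumptions, since the page does not describe the real format or scheme.

```python
import hashlib
import hmac
import struct

# Assumption: HMAC-SHA256 with a constructed key stands in for the NVIDIA
# signature; the page does not describe the real scheme or blob layout.
VENDOR_KEY = b"constructed-demo-key"
SIG_LEN = 32

def sign(firmware: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, firmware, hashlib.sha256).digest()

def build_blob(firmwares: dict) -> bytearray:
    """Driver side: pack each falcon's firmware and signature into one blob.
    Hypothetical layout: u32 count, then u16 name_len, u32 fw_len, name, fw, sig."""
    blob = bytearray(struct.pack("<I", len(firmwares)))
    for name, (fw, sig) in firmwares.items():
        raw = name.encode()
        blob += struct.pack("<HI", len(raw), len(fw)) + raw + fw + sig
    return blob

def secure_load(shared: bytearray, after_copy=None) -> dict:
    """Model of the high-secure loader: copy, verify every record, then load."""
    protected = bytes(shared)      # step 1: copy into a region the host cannot write
    if after_copy:                 # hook modelling host writes to its own buffer
        after_copy(shared)
    (count,) = struct.unpack_from("<I", protected, 0)
    off, verified = 4, {}
    for _ in range(count):         # step 2: check signatures on the protected copy
        name_len, fw_len = struct.unpack_from("<HI", protected, off)
        fw_at = off + 6 + name_len
        end = fw_at + fw_len + SIG_LEN
        if end > len(protected):
            raise ValueError("truncated blob")
        name = protected[off + 6:fw_at].decode()
        fw, sig = protected[fw_at:end - SIG_LEN], protected[end - SIG_LEN:end]
        if not hmac.compare_digest(sig, sign(fw)):
            raise ValueError(f"bad signature for {name}")
        verified[name], off = fw, end
    # step 3: only a fully verified blob is loaded and switched to privileged mode
    return {n: {"firmware": f, "privileged": True} for n, f in verified.items()}

if __name__ == "__main__":
    fw = b"constructed FECS firmware bytes"   # constructed sample input
    print(secure_load(build_blob({"fecs": (fw, sign(fw))})))
```

Because verification runs on the protected copy, changes the host makes to its own buffer after handoff cannot alter what is checked or loaded, and a single bad signature prevents any falcon from being switched to privileged mode.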