EmbeddedRelated.com
Forums

Open-source secure bootloader and fight against cloners

Started by Igor1024 2 years ago2 replieslatest reply 2 years ago170 views

Hi everyone,
I would like to share with you the project my friend and I are working on and would like to get feedback from the best in the field.

We spent some time on the open-source project with a secure bootloader with the idea of helping small companies in the fight against cloners. We have seen cases where cool ideas have been copied and the next level of innovation was destroyed because of a leak of resources to keep pushing innovation.

The whole ecosystem is here https://github.com/IMProject and the bootloader is here https://github.com/IMProject/IMBootloader. We also have a WEB page where a new version of the bootloader and firmware can be uploaded.

So what is your opinion on the topic? is something like this needed? any story to share with us? what should we do next?

Thanks a lot in advance!


[ - ]
Reply by Steve_WheelerOctober 18, 2022

Being retired now, I'm not in need of it. As I never worked with downloadable firmware, I don't know how appropriate or effective your approach is. However, I do believe that something of the sort is likely valuable.

Back in the 1980s, I was working for a small manufacturer of SBCs, doing software development and customer support. At the time, we had a product line of four different SBCs based on the 8088 and 80188 processor, and a few peripheral boards to go with them: floppy interfaces, bubble memory, I/O expansion, that sort of thing. We were advertising ourselves as an engineering department for companies too small to have one of their own, with the idea that our SBCs and peripherals would be used by us or our customers to prototype what our customers wanted to build. Once it was working, if their expected volume was high enough, we could design a cost-reduced custom board for them. If not, we'd continue to provide SBCs and any of our peripheral boards they needed. We expected that support for those systems would be going to our customers, who would ask for our help when the problem appeared related to our boards or software, and not their product itself.

At some point, we started getting technical support calls for one of our SBCs from people who weren't in our customer list, but who were using our SBC directly, not as part of a system from one of our customers. Eventually, we discovered that the owner of the board house that was manufacturing our PCBs was so taken with that board that he was producing more than we ordered, duplicating our EPROMs and the manuals we had written, selling them himself, and directing his customers to us for technical support.

I don't remember exactly how our boss resolved it with the board house owner, but lawyers were involved. I can say from experience that there are people who will find protection for their IP valuable, because there are people who have little or no problem appropriating the efforts of others.

Our boss, with subsequent boards, contemplated various protection schemes to prevent people from duplicating our boards, most of which provided no actual protection, so they were never used. Two that were used were using programmable logic for memory mapping or bus interfacing and not providing the equations to customers, and putting minor errors and omissions into the schematics included in our hardware manuals. It wasn't until many years later, when he was no longer with the company, that we had a customer run into problems because of the erroneous schematics, which probably says something about how necessary that "protection" was.

Anyway, that's my story.

[ - ]
Reply by DKWatsonOctober 18, 2022

Hey,

I don't know how directly related it is, but it does dovetail somewhat with the (recent) new patent laws (U.S.). Previously a design could be put forward for patent. I think in 2019 this was changed where a patent would only be granted for a working prototype. This of course stifles entrepreneurship as you can have an open source community working collectively on a design only to get it 95% complete and have it stolen, prototyped, patented and lost. Personally I remove some of my projects from Github for that very reason. Gone are the days when we could send a copy via registered mail to verify date and author. How many great ideas are now being shelved because the lonely basement tinkerer doesn't have the financial capacity to get a prototype out quick enough or to get a working model into competitive production before I.P. is claimed/stolen by others?