lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <59718ea7-efab-4975-a4e8-89c1d114a2e5@citrix.com>
Date: Fri, 8 Nov 2024 23:36:46 +0000
From: Andrew Cooper <andrew.cooper3@...rix.com>
To: dave.hansen@...ux.intel.com
Cc: bp@...en8.de, linux-kernel@...r.kernel.org, tglx@...utronix.de,
 x86@...nel.org
Subject: Re: [RFC][PATCH] x86/cpu/bugs: Consider having old Intel microcode to
 be a vulnerability

> You can't practically run old microcode and consider a system secure
> these days.  So, let's call old microcode what it is: a vulnerability.

The list becomes stale 4 times a year, so you need to identify when it's
out of date, and whatever that something is has to be strong enough to
cause distros to backport too.  Perhaps a date in the header, so you can
at least report "status vulnerable, metadata out of date".

Also, you want to identify EOL CPUs.  Just because they're on the most
recent published ucode doesn't mean they're not vulnerable.

Under some hypervisors, you get fed the revision 0x7fffffff.  Others
might tell you the truth, or it may be the truth from when you booted.
For this, probably best to say "consult your hypervisor".

Failure to publish information, or not publishing fixes for in-support
parts should be considered a vulnerability.  (*ahem*, AMD)

Or you could just simplify the whole path to "yes".  It's true, even if
people don't know.

I really want to like this, but it's a giant can of worms, with as many
political challenges as technical.

~Andrew

P.S. I do like that you've labelled debug microcode as vulnerable.  It's
just software in a different form factor, and we know how buggy software
generally is.
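The reporting behaviour this reply argues for, as an added example in C that is neither the RFC patch nor Andrew Cooper's code: a classifier over a small revision table that carries its own publication date, so the result can say "vulnerable, metadata out of date" rather than silently trusting a stale list; EOL parts are flagged even when they run the newest published revision; 0x7fffffff (the value the thread names) is treated as the hypervisor sentinel; and, as an assumption not stated on the page, a revision with bit 31 set is treated as a debug build. The table entries, revision numbers, dates and the 120-day staleness window are constructed for the example, and the /proc/cpuinfo text is a constructed snippet, not a capture.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sentinel some hypervisors report instead of the real revision (from the thread). */
#define UCODE_REV_HYPERVISOR   0x7fffffffu
/* Assumption for this example: bit 31 set marks debug/pre-production microcode. */
#define UCODE_REV_DEBUG_BIT    0x80000000u
/* The list goes stale about four times a year; a table older than this is reported as such. */
#define UCODE_TABLE_STALE_DAYS 120

enum ucode_status {
    UCODE_OK,               /* on the latest published revision */
    UCODE_VULNERABLE,       /* older than the latest published revision */
    UCODE_DEBUG,            /* debug/pre-production microcode */
    UCODE_EOL,              /* vendor no longer ships fixes for this part */
    UCODE_ASK_HYPERVISOR,   /* revision is the virtualization sentinel */
    UCODE_UNKNOWN_CPU,      /* no table entry: default to "yes" */
};

struct ucode_entry {
    uint8_t  family, model, stepping;
    uint32_t latest_rev;    /* newest revision the table knows about */
    bool     eol;           /* part is end-of-life */
};

struct ucode_table {
    int published_day;      /* publication date, days since 1970-01-01 */
    const struct ucode_entry *entries;
    size_t n;
};

struct ucode_verdict {
    enum ucode_status status;
    bool metadata_stale;    /* reported alongside the status, never hidden by it */
};

static bool ucode_table_is_stale(const struct ucode_table *t, int today_day)
{
    return today_day - t->published_day > UCODE_TABLE_STALE_DAYS;
}

static const struct ucode_entry *
ucode_lookup(const struct ucode_table *t, uint8_t fam, uint8_t model, uint8_t step)
{
    for (size_t i = 0; i < t->n; i++) {
        const struct ucode_entry *e = &t->entries[i];
        if (e->family == fam && e->model == model && e->stepping == step)
            return e;
    }
    return NULL;
}

struct ucode_verdict ucode_classify(const struct ucode_table *t, uint8_t fam,
                                    uint8_t model, uint8_t step, uint32_t rev,
                                    int today_day)
{
    struct ucode_verdict v = { UCODE_UNKNOWN_CPU, ucode_table_is_stale(t, today_day) };

    /* Checks that do not depend on the table come first. */
    if (rev == UCODE_REV_HYPERVISOR) { v.status = UCODE_ASK_HYPERVISOR; return v; }
    if (rev & UCODE_REV_DEBUG_BIT)   { v.status = UCODE_DEBUG;          return v; }

    const struct ucode_entry *e = ucode_lookup(t, fam, model, step);
    if (!e)
        return v;                   /* unknown part: assume vulnerable */
    if (e->eol)
        v.status = UCODE_EOL;       /* newest revision still does not help */
    else if (rev < e->latest_rev)
        v.status = UCODE_VULNERABLE;
    else
        v.status = UCODE_OK;
    return v;
}

/* Pull the "microcode : 0x..." field out of /proc/cpuinfo text. */
bool ucode_parse_cpuinfo(const char *cpuinfo, uint32_t *rev)
{
    const char *p = strstr(cpuinfo, "microcode");
    if (!p || !(p = strchr(p, ':')))
        return false;
    char *end;
    unsigned long val = strtoul(p + 1, &end, 0);   /* base 0 accepts the 0x prefix */
    if (end == p + 1 || val > UINT32_MAX)
        return false;
    *rev = (uint32_t)val;
    return true;
}

static const char *ucode_status_str(enum ucode_status s)
{
    switch (s) {
    case UCODE_OK:             return "Not affected";
    case UCODE_VULNERABLE:     return "Vulnerable";
    case UCODE_DEBUG:          return "Vulnerable: debug microcode";
    case UCODE_EOL:            return "Vulnerable: CPU is end-of-life";
    case UCODE_ASK_HYPERVISOR: return "Unknown: consult your hypervisor";
    case UCODE_UNKNOWN_CPU:    return "Vulnerable: CPU not in table";
    }
    return "Unknown";
}

/* One sysfs-style line: status plus the staleness qualifier the reply asks for. */
int ucode_report(struct ucode_verdict v, char *buf, size_t len)
{
    return snprintf(buf, len, "%s%s", ucode_status_str(v.status),
                    v.metadata_stale ? ", metadata out of date" : "");
}

/* Constructed table: family/model/stepping and revisions are illustrative only. */
static const struct ucode_entry sample_entries[] = {
    { 6, 0x8e, 0xa, 0x00f6, false },   /* in support */
    { 6, 0x3c, 0x3, 0x0028, true  },   /* marked end-of-life */
};
const struct ucode_table sample_table = { 20000, sample_entries, 2 };  /* day 20000 is roughly Oct 2024 */

/* Constructed /proc/cpuinfo excerpt, not a capture. */
const char sample_cpuinfo[] =
    "vendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 142\n"
    "stepping\t: 10\nmicrocode\t: 0xf0\n";

int main(void)
{
    uint32_t rev;
    char buf[96];
    if (!ucode_parse_cpuinfo(sample_cpuinfo, &rev))
        return 1;
    ucode_report(ucode_classify(&sample_table, 6, 0x8e, 0xa, rev, 20050), buf, sizeof buf);
    printf("old_microcode: %s\n", buf);
    return 0;
}
```

The order of the checks is the point: the sentinel and debug tests run before any table lookup so a hypervisor guest or a debug build is never misreported as "not affected" just because the table happens to match, and the staleness flag is computed unconditionally so it survives whatever status is returned.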
