lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <001092d4-8431-488b-a98d-3aa5d4ecb692@intel.com>
Date: Tue, 12 Nov 2024 09:15:05 -0800
From: Dave Hansen <dave.hansen@...el.com>
To: Andrew Cooper <andrew.cooper3@...rix.com>, dave.hansen@...ux.intel.com
Cc: bp@...en8.de, linux-kernel@...r.kernel.org, tglx@...utronix.de,
 x86@...nel.org
Subject: Re: [RFC][PATCH] x86/cpu/bugs: Consider having old Intel microcode to
 be a vulnerability

On 11/8/24 15:36, Andrew Cooper wrote:
>> You can't practically run old microcode and consider a system secure
>> these days.  So, let's call old microcode what it is: a vulnerability.
> 
> The list becomes stale 4 times a year, so you need to identify when it's
> out of date, and whatever that something is has to be strong enough to
> cause distros to backport too.  Perhaps a date in the header, so you can
> at least report "status vulnerable, metadata out of date".

I don't want to get too fancy about this.  I'm assuming that mainline
and the stable kernels will be regularly fed new metadata.  The only way
to have out-of-date metadata should be by running an out-of-date kernel
in which case you have bigger problems on your hands.

> Also, you want to identify EOL CPUs.  Just because they're on the most
> recent published ucode doesn't mean they're not vulnerable.

That's a good idea too.  But I think it deserves a separate discussion
and separate patch.

> Under some hypervisors, you get fed the revision 0x7fffffff.  Others
> might tell you the truth, or it may be the truth from when you booted. 
> For this, probably best to say "consult your hypervisor".

Good point.  We should probably just say "unknown" when running as a
guest, or just not have the sysfs file at all.

> Failure to publish information, or not publishing fixes for in-support
> parts should be considered a vulnerability.  (*ahem*, AMD)
> 
> Or you could just simplify the whole path to "yes".  It's true, even if
> people don't know.

This series answers the question:

	Has the vendor published a newer OS-loadable microcode than you
	are running right now?

It doesn't seek to answer the question:

	Is the microcode that you are running right now vulnerable to
	anything (that the kernel knows about)?

I think the first question is quite answerable in a pretty factual way.
The second question is much hardware.  It's worth answering for sure ...
with another patch. :)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ