From: Alex Murray <alex.murray@canonical.com>
To: Dave Hansen <dave.hansen@intel.com>, dave.hansen@linux.intel.com
Cc: bp@alien8.de, linux-kernel@vger.kernel.org, tglx@linutronix.de,
x86@kernel.org
Subject: Re: [RFC][PATCH] x86/cpu/bugs: Consider having old Intel microcode to be a vulnerability
Date: Thu, 14 Nov 2024 10:28:22 +1030 [thread overview]
Message-ID: <87h68avg81.fsf@canonical.com> (raw)
In-Reply-To: <7fc07eff-b4a1-4f8d-a9de-dba057d5c9c6@intel.com>
On Wed, 2024-11-13 at 08:00:26 -0800, Dave Hansen wrote:
> While I applaud your trust in my employer, I don't see quite as bright
> of a line between security and functional problems.
>
> Here's the bottom line: I agree that setting a taint flag for old
> microcode seems like a good idea. But I also think that there's enough
> of a "vulnerability" (security or otherwise) to justify placing
> "old_microcode" alongside the CPU security vulnerabilities that have
> known exploits.
>
> I'm lazy and don't want to read and filter the microcode changelogs. I
> also don't want to have to trust my colleagues to precisely agree on
> where that line is between a security and functional problem.
>
The only other data point then to mention is that all the major distros
(Debian[1], Ubuntu[2] and Fedora[3]) are still only shipping the previous
security update release (20240910) in their stable releases - *not* the
more recent release with the functional updates in 20241029 - in which
case anyone running a current stable release would then show as being
"vulnerable". I can't speak for the other distros, but for Ubuntu we
generally only ship things which are called out as specific security
fixes in our security updates *and* we generally prioritise security
updates over bug fixes (which these 'functional' updates appear be
rather than fixing actual exploitable security issues).
> So I'm leaning toward setting:
>
> TAINT_CPU_OUT_OF_SPEC
> plus
> X86_BUG_OLD_MICROCODE
>
> and calling it a day.
Does this mean you are thinking of dropping the userspace entry in the
cpu vulnerablities sysfs tree? If so then I am not so concerned, since
my primary concern is having something which looks scary to
users/sysadmins ("your CPU has an unpatched vulnerablity") which they
can't do anything about since their distribution has a different
definition of what counts as a security update compared to the upstream
kernel maintainers. If the sysfs entry is dropped then this is not so
visible to end-users and hence there is less panic.
[1] https://packages.debian.org/search?keywords=intel-microcode
[2] https://launchpad.net/ubuntu/+source/intel-microcode
[3] https://packages.fedoraproject.org/pkgs/microcode_ctl/microcode_ctl/fedora-41.html
next prev parent reply other threads:[~2024-11-13 23:58 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-07 17:06 [RFC][PATCH] x86/cpu/bugs: Consider having old Intel microcode to be a vulnerability Dave Hansen
2024-11-07 19:51 ` kernel test robot
2024-11-07 20:43 ` kernel test robot
2024-11-08 23:36 ` Andrew Cooper
2024-11-12 17:15 ` Dave Hansen
2024-11-12 6:37 ` Alex Murray
2024-11-12 15:51 ` Dave Hansen
2024-11-13 3:29 ` Alex Murray
2024-11-13 16:00 ` Dave Hansen
2024-11-13 23:58 ` Alex Murray [this message]
2024-11-14 0:37 ` Dave Hansen
2024-11-18 8:35 ` Alex Murray
2024-11-13 9:28 ` Nikolay Borisov
2024-11-14 2:09 ` Andrew Cooper
2024-11-18 20:02 ` Dave Hansen
2024-11-19 17:45 ` Pawan Gupta
2024-11-19 18:49 ` Dave Hansen
2024-11-19 19:31 ` Pawan Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87h68avg81.fsf@canonical.com \
--to=alex.murray@canonical.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.