From: Alex Murray <alex.murray@canonical.com>
To: Dave Hansen <dave.hansen@intel.com>, dave.hansen@linux.intel.com
Cc: bp@alien8.de, linux-kernel@vger.kernel.org, tglx@linutronix.de,
x86@kernel.org
Subject: Re: [RFC][PATCH] x86/cpu/bugs: Consider having old Intel microcode to be a vulnerability
Date: Thu, 14 Nov 2024 10:28:22 +1030 [thread overview]
Message-ID: <87h68avg81.fsf@canonical.com> (raw)
In-Reply-To: <7fc07eff-b4a1-4f8d-a9de-dba057d5c9c6@intel.com>
On Wed, 2024-11-13 at 08:00:26 -0800, Dave Hansen wrote:
> While I applaud your trust in my employer, I don't see quite as bright
> of a line between security and functional problems.
>
> Here's the bottom line: I agree that setting a taint flag for old
> microcode seems like a good idea. But I also think that there's enough
> of a "vulnerability" (security or otherwise) to justify placing
> "old_microcode" alongside the CPU security vulnerabilities that have
> known exploits.
>
> I'm lazy and don't want to read and filter the microcode changelogs. I
> also don't want to have to trust my colleagues to precisely agree on
> where that line is between a security and functional problem.
>
The only other data point then to mention is that all the major distros
(Debian[1], Ubuntu[2] and Fedora[3]) are still only shipping the previous
security update release (20240910) in their stable releases - *not* the
more recent release with the functional updates in 20241029 - in which
case anyone running a current stable release would then show as being
"vulnerable". I can't speak for the other distros, but for Ubuntu we
generally only ship things which are called out as specific security
fixes in our security updates *and* we generally prioritise security
updates over bug fixes (which these 'functional' updates appear be
rather than fixing actual exploitable security issues).
> So I'm leaning toward setting:
>
> TAINT_CPU_OUT_OF_SPEC
> plus
> X86_BUG_OLD_MICROCODE
>
> and calling it a day.
Does this mean you are thinking of dropping the userspace entry in the
cpu vulnerablities sysfs tree? If so then I am not so concerned, since
my primary concern is having something which looks scary to
users/sysadmins ("your CPU has an unpatched vulnerablity") which they
can't do anything about since their distribution has a different
definition of what counts as a security update compared to the upstream
kernel maintainers. If the sysfs entry is dropped then this is not so
visible to end-users and hence there is less panic.
[1] https://packages.debian.org/search?keywords=intel-microcode
[2] https://launchpad.net/ubuntu/+source/intel-microcode
[3] https://packages.fedoraproject.org/pkgs/microcode_ctl/microcode_ctl/fedora-41.html
next prev parent reply other threads:[~2024-11-13 23:58 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-07 17:06 [RFC][PATCH] x86/cpu/bugs: Consider having old Intel microcode to be a vulnerability Dave Hansen
2024-11-08 23:36 ` Andrew Cooper
2024-11-12 17:15 ` Dave Hansen
2024-11-12 6:37 ` Alex Murray
2024-11-12 15:51 ` Dave Hansen
2024-11-13 3:29 ` Alex Murray
2024-11-13 16:00 ` Dave Hansen
2024-11-13 23:58 ` Alex Murray [this message]
2024-11-14 0:37 ` Dave Hansen
2024-11-18 8:35 ` Alex Murray
2024-11-13 9:28 ` Nikolay Borisov
2024-11-14 2:09 ` Andrew Cooper
2024-11-18 20:02 ` Dave Hansen
2024-11-19 17:45 ` Pawan Gupta
2024-11-19 18:49 ` Dave Hansen
2024-11-19 19:31 ` Pawan Gupta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87h68avg81.fsf@canonical.com \
--to=alex.murray@canonical.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox