Purism on Spectre and Meltdown and the microcode update

10 replies [Latest content]
ivanB1975
Joined: 08/29/2017

We all know about the recently discovered security issues related to modern x86 CPUs.
As a free software community we can use the most recent kernel to mitigate the Meltdown attacks.
For the Spectre ones instead, we are deep in the #####.
We cannot apply microcode updates on our systems, because on principle microcode is proprietary software.
I read in an older post a war of extremism between those who completely exclude the use of microcode updates (see libreboot) and those who instead say that since microcode is already running in the system, updates should be used when absolutely necessary, like for example now.

I agree with the latter since in my view the Spectre exploit is a fact and I want to mitigate this problem. But I cannot because the distro blocks the microcode updates. In the old post this behavior was compared to proprietary software that imposes something on the user.
I am still free to find a way to apply the microcode, but this is a hack. Not everybody can do that.
In the same old post some people risked being banned for promoting the use of proprietary software (the microcode).
I am not trying to create a flame war or so, but to make people think and find solutions.

Coming to Purism, this post: https://puri.sm/posts/meltdown-spectre-and-the-future-of-secure-hardware/ to my eyes appears quite reasonable. Maybe because I am a reasonable person and I don't like wars of religion. I would like to have a nice discussion about these topics.
It is interesting that reasonable discussions come from a company that is so demonized here.

How do you think we can solve this problem (the microcode update)? Do you think that using a librebooted laptop makes you immune to Spectre attacks?
I am curious to hear different opinions and maybe possible solutions.
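The first post contrasts mitigations a new kernel can provide on its own (Meltdown) with those that need a microcode update (parts of the Spectre v2 defences). The script below is an added example written for this page; it is not code from the thread, from Trisquel or from Purism. It parses the per-issue files Linux 4.15 and later expose under /sys/devices/system/cpu/vulnerabilities/ together with the microcode revision and feature flags in /proc/cpuinfo, and reports which active mitigations are kernel-only (PTI, retpolines, pointer sanitization, RSB filling) and which rely on microcode-provided MSRs (IBRS/IBPB/STIBP/SSBD). The sysfs and cpuinfo texts embedded in it are constructed for offline runs, and the flag names in MICROCODE_FLAGS are the ones recent kernels print for Intel parts, which is an assumption here (other vendors and older kernels use different names).

```python
"""Report which Meltdown/Spectre mitigations are active and whether they rely
on microcode.  Added example for this page, not code from the thread, Trisquel
or Purism.  Sample inputs below are constructed; MICROCODE_FLAGS is an assumed
set of Intel flag names as printed by recent kernels."""
import os
import re

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Keywords as they appear in the kernel's sysfs strings, split by where the
# mitigation comes from.
KERNEL_ONLY = ("PTI", "retpoline", "pointer sanitization", "RSB filling")
NEEDS_MICROCODE = ("IBRS", "IBPB", "STIBP", "SSBD")
MICROCODE_FLAGS = {"spec_ctrl", "ibrs", "ibpb", "stibp", "ssbd"}  # assumption

# Constructed sysfs content: a patched kernel on a CPU without new microcode.
SAMPLE_VULNS_OLD = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}
# Constructed content for the same kernel after a microcode update.
SAMPLE_VULNS_NEW = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, "
                  "IBRS_FW, STIBP: disabled, RSB filling\n",
}
# Constructed /proc/cpuinfo excerpts (one CPU, abbreviated flag list).
SAMPLE_CPUINFO_OLD = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: constructed sample CPU
microcode\t: 0x1c
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pti
"""
SAMPLE_CPUINFO_NEW = SAMPLE_CPUINFO_OLD.replace("0x1c", "0x24").replace(
    "cmov pti", "cmov pti spec_ctrl ibpb ibrs stibp ssbd")


def parse_vulnerabilities(entries):
    """Map {sysfs file name: file content} to a verdict per issue."""
    verdicts = {}
    for name, line in entries.items():
        line = line.strip()
        if line == "Not affected":
            state = "not affected"
        elif line.startswith("Mitigation:"):
            state = "mitigated"
        elif line.startswith("Vulnerable"):
            state = "vulnerable"
        else:
            state = "unknown"
        body = line.split(":", 1)[1] if ":" in line else line
        parts = [p.strip() for p in re.split(r"[,;]", body)]
        kernel_only = [k for k in KERNEL_ONLY
                       if re.search(r"\b" + re.escape(k.lower()), body.lower())]
        # "STIBP: disabled" is listed but not in effect, so it does not count.
        microcode = [k for k in NEEDS_MICROCODE
                     if any(p.startswith(k) and "disabled" not in p for p in parts)]
        verdicts[name] = {"state": state, "text": line,
                          "kernel_only": kernel_only, "needs_microcode": microcode}
    return verdicts


def parse_cpuinfo(text):
    """Return (microcode revision of CPU 0 as int or None, set of feature flags)."""
    revision, flags = None, set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "microcode" and revision is None:
            revision = int(value, 16)
        elif key == "flags" and not flags:
            flags = set(value.split())
    return revision, flags


def assess(verdicts, flags):
    """Produce one finding per issue plus one line about microcode support."""
    findings = []
    for name in sorted(verdicts):
        v = verdicts[name]
        if v["state"] == "vulnerable":
            findings.append(f"{name}: VULNERABLE ({v['text']})")
        elif v["state"] == "mitigated":
            how = ", ".join(v["kernel_only"] + v["needs_microcode"]) or "unspecified"
            findings.append(f"{name}: mitigated by {how}")
        else:
            findings.append(f"{name}: {v['state']}")
    present = sorted(flags & MICROCODE_FLAGS)
    findings.append("microcode exposes " + " ".join(present) if present else
                    "no spec_ctrl/IBRS/IBPB flags: only kernel-side mitigations are possible")
    return findings


def summarize(entries, cpuinfo_text):
    revision, flags = parse_cpuinfo(cpuinfo_text)
    return {"microcode_revision": revision,
            "microcode_assisted": bool(flags & MICROCODE_FLAGS),
            "findings": assess(parse_vulnerabilities(entries), flags)}


def read_host():
    """Read the live sysfs and /proc files (Linux only)."""
    entries = {}
    if os.path.isdir(VULN_DIR):
        for name in sorted(os.listdir(VULN_DIR)):
            with open(os.path.join(VULN_DIR, name)) as fh:
                entries[name] = fh.read()
    with open("/proc/cpuinfo") as fh:
        return entries, fh.read()


if __name__ == "__main__":
    cases = [("constructed, old microcode", SAMPLE_VULNS_OLD, SAMPLE_CPUINFO_OLD),
             ("constructed, new microcode", SAMPLE_VULNS_NEW, SAMPLE_CPUINFO_NEW)]
    if os.path.exists("/proc/cpuinfo"):
        cases.append(("this host",) + read_host())
    for label, entries, cpuinfo in cases:
        s = summarize(entries, cpuinfo)
        print(f"== {label} (microcode rev {s['microcode_revision']:#x})")
        for line in s["findings"]:
            print("  " + line)
```

On a host that has the kernel mitigations but no microcode update, the output for spectre_v2 names only the retpoline, and the last line states that the spec_ctrl family of flags is absent; after a microcode load the same kernel additionally reports IBPB and IBRS_FW and the flags appear. That difference is exactly what a distribution that ships no microcode package leaves on the table.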

ivanB1975
Joined: 08/29/2017

Yep, I agree, but this is for a possible future; in the meantime, should we not try to mitigate the problem for our actual hardware now?

ivanB1975
Joined: 08/29/2017

I wonder if running an OS in a virtual machine is safer.

Magic Banana
Joined: 07/24/2010

For Meltdown, it is not. In particular, the memory of other virtual machines can be read.

ivanB1975
Joined: 08/29/2017

Thanks :)

Magic Banana
Joined: 07/24/2010

But I cannot because the distro blocks the microcode updates.

How is Trisquel "blocking" updates? That would be DRM! I believe you confuse "not proposing" with "blocking": no Trisquel developer is working to prevent you from installing something on your system.

ivanB1975
Joined: 08/29/2017

Blocks meaning it doesn't provide any package to facilitate the update. Using distro packages is the preferred way to do the update, while the manual update is not.
I tried the manual one and also using packages from Ubuntu, unsuccessfully.

onpon4
Joined: 05/30/2012

Trisquel would have its GNU FSDG status rightly revoked if it provided proprietary software.

ivanB1975
Joined: 08/29/2017

Yep, I know, but I am thinking that for this particular case a different strategy should be adopted.
Because taking such a strict position can be sustained only by ditching the actual CPUs in toto. It is clear that this is not possible at the moment, so some sort of compromise should be used.
Many people are pretty upset (see Linus T. on some public mailing lists) and this could be the right moment for alternatives to emerge. But it will require a lot of time.

chaosmonk
Joined: 07/07/2017

I've decided not to send what I just wrote because I've already fanned enough PureFlames in this forum. Instead I'll just say that I completely agree with you, and that I would like to share this thumbnail from a video called "Why you should support the Librem 5 phone", as I believe it is meme-worthy.

purelinux.png

chaosmonk
Joined: 07/07/2017

Example usage: Someone shares a screenshot of their i3-gapped solarized desktop on /r/unixporn.

"Impressive. But do you run PURE LINUX?"

purelinux.png