Apr 12, 2022, 10:25 by insurgo@riseup.net:
On 4/12/22 10:17, Nico Huber wrote:
Hello Insurgo,
On 12.04.22 16:01, Insurgo Technologies Libres / Open Technologies wrote:
On April 12, 2022 8:55:56 AM UTC, Arthur Heymans <arthur@aheymans.xyz> wrote:
Would it make sense to backport your fix to old releases and bump those release numbers to a .1 on the end?
Some see releases as mere synchronization tags & nice PR. Some releases are also branches in gerrit but there are none affected by this (latest is 4.12 and it was introduced in 4.13).
As you may know, coreboot distributions (talking of Heads specifically here) take release tarballs and apply patches on top of them where needed.
In the present case, Heads currently depends on coreboot 4.11, 4.13 and 4.15 for its supported boards. I quickly attempted to backport the relevant patches to the 4.13 tarball release, unsuccessfully.
Have you checked if the SMM module loader v2 was used in your 4.13 builds? AIUI, it was optional and only enabled on user request.
Thanks Nico for that pointer. Community maintained Heads boards are mostly based on coreboot 4.13 as of now:
# CONFIG_X86_SMM_LOADER_VERSION2 is not set
was hidden in the savedefconfig format stored in the Heads repository for boards that depend on coreboot 4.13.
Expanding the saved configuration confirms that the optional SMM loader v2 is not used, so those boards are not considered vulnerable per the reported vulnerability.
I would highly doubt other coreboot based distributions would have activated this explicitly, but it will depend on the new defaults pushed by upstream coreboot releases. Let's see.
4.15 and 4.16 removed that optional configuration setting (default configuration) and seem to have switched to SMM2 by default.
None of the coreboot 4.14, 4.15 or 4.16 release notes explicitly mention the change to SMM2, whereas the 4.13 release notes announce it. Not sure users are following coreboot discussions, but I hope coreboot distribution maintainers are.
Consequently, from my understanding, all downstream coreboot based distributions, and their users, may stay vulnerable until 4.17 is released if no new 4.15.1 and 4.16.1 releases are made.
I definitely agree that it would be a good thing to create the release branches for 4.14, 4.15, and 4.16 and port at least these security changes, then do a .1 release with those updates, and remove the original tarballs from our download page.
Even if this isn't needed for a particular project like Heads, I think it's our responsibility to go back and fix security issues like this.
I'll see what I can do to make this happen.
Martin
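The savedefconfig point raised in the thread (a `# CONFIG_X86_SMM_LOADER_VERSION2 is not set` line being easy to miss, and an absent line meaning the release's default applies) can be checked mechanically. The following is an added example, not code from the thread, from coreboot or from Heads: it parses a Kconfig-style file and classifies the symbol as explicitly enabled, explicitly disabled, or unspecified, and it deliberately does not guess the default for an unspecified symbol, since that depends on the coreboot release. The sample configs and board symbols are constructed.

```python
import re
from typing import Dict, Optional

# Constructed sample inputs (not taken from the thread): a savedefconfig with the
# symbol explicitly unset, a full .config with it enabled, and a savedefconfig
# that omits the symbol entirely, as happens when it holds its default value.
SAVEDEFCONFIG_UNSET = """\
CONFIG_VENDOR_EXAMPLE=y
CONFIG_BOARD_EXAMPLE_LAPTOP=y
# CONFIG_X86_SMM_LOADER_VERSION2 is not set
CONFIG_PAYLOAD_LINUX=y
"""
FULL_CONFIG_ENABLED = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_X86_SMM_LOADER_VERSION2=y
CONFIG_CBFS_SIZE=0x800000
CONFIG_MAINBOARD_DIR="example/laptop"
"""
SAVEDEFCONFIG_OMITTED = """\
CONFIG_VENDOR_EXAMPLE=y
CONFIG_BOARD_EXAMPLE_LAPTOP=y
"""

_SET = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_kconfig(text: str) -> Dict[str, Optional[str]]:
    """Map each symbol to its value; an explicit '# ... is not set' maps to None.
    Symbols that never appear are simply absent from the result."""
    symbols: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET.match(line):
            symbols[m.group(1)] = m.group(2).strip('"')
        elif m := _UNSET.match(line):
            symbols[m.group(1)] = None
        # any other line is a plain comment or blank and carries no value
    return symbols


def option_state(text: str, symbol: str = "CONFIG_X86_SMM_LOADER_VERSION2") -> str:
    """Return 'enabled', 'disabled', or 'unspecified' for one symbol.
    'unspecified' in a savedefconfig means the release default applies and the
    file must be expanded into a full .config before drawing a conclusion."""
    symbols = parse_kconfig(text)
    if symbol not in symbols:
        return "unspecified"
    return "disabled" if symbols[symbol] is None else "enabled"
```

Per the thread, "unspecified" resolves differently by release: in 4.13 the loader was opt-in, while 4.15 and 4.16 dropped the option and use SMM2 by default, so only an expanded configuration for the exact release settles it.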