On 4/12/22 10:17, Nico Huber wrote:
Hello Insurgo,
On 12.04.22 16:01, Insurgo Technologies Libres / Open Technologies wrote:
On April 12, 2022 8:55:56 AM UTC, Arthur Heymans arthur@aheymans.xyz wrote:
Would it make sense to backport your fix to old releases and bump those release numbers to a .1 on the end?
Some see releases as mere synchronization tags & nice PR. Some releases are also branches in gerrit but there are none affected by this (latest is 4.12 and it was introduced in 4.13).
As you may know, coreboot distributions (talking of Heads specifically here) take release tarballs and apply patches where needed on top of them.
In the present case, Heads currently depends on coreboot 4.11, 4.13 and 4.15 for its supported boards. I quickly attempted to backport the relevant patches to the 4.13 tarball release, unsuccessfully.
Have you checked if the SMM module loader v2 was used in your 4.13 builds? AIUI, it was optional and only enabled on user request.
Thanks Nico for that pointer. Community maintained Heads boards are mostly based on coreboot 4.13 as of now:
# CONFIG_X86_SMM_LOADER_VERSION2 is not set
was hidden in the savedefconfig format stored under Heads repositories for coreboot 4.13 depending boards.
Expanding the saved configuration confirms non-usage of the optional SMM2 loader, and it is therefore not considered vulnerable per the reported vulnerability.
I would highly doubt other coreboot based distributions would have activated this explicitly, but it will depend on the new coreboot defaults pushed from upstream releases. Let's see.
4.15 and 4.16 removed that optional configuration setting (default configuration) and seem to have switched to SMM2 by default.
Neither the coreboot 4.14, 4.15 nor 4.16 release notes explicitly noted the change to SMM2, where 4.13 announces the change. Not sure users are following coreboot discussions, but I hope coreboot distribution maintainers are.
Consequently, all downstream coreboot based distributions, and their users, may stay vulnerable if no new 4.15.1 and 4.16.1 are released, from my understanding, until 4.17 is released.
A quick exploration of other coreboot distributions I am aware of:
- Skulls uses coreboot master git at time of release (1.0.4 is based on 74d2218cc7 as of December 2021, configs are also saved in savedefconfig and are expected as well, consequently). https://github.com/merge/skulls/releases/tag/1.0.4
- Not so familiar with the osboot build system. They store configs in expanded full format. The sampled config for x220 was updated last month and seems to be based on coreboot 4.14+ (probably 4.16), which is deemed to be vulnerable as well. https://notabug.org/osboot/osbmk/src/master/resources/coreboot/x220_8mb
- Not so familiar with libreboot's recent build system either. A sampled configuration for x200 shows the coreboot config being last updated 4 months ago, making it depend on coreboot 4.14+, which is not showing the 4.13 optional SMM2 loader and which also seems to default to SMM2. Hence all their boards (outside of kgpe-d16, kcma-d8 etc. depending on older 4.11) being vulnerable as well: https://notabug.org/libreboot/lbmk/src/master/resources/coreboot/x200_8mb/co...
As per my previous e-mail, I believe all coreboot based distributions (maintainers and their project users) would be grateful to have releases backporting this patchset (4.14? 4.15, 4.16) to properly support their coreboot users. They would then be able to do a point release as well, without all of them having to point to a random commit happening in between coreboot releases, or maintainers trying to manually cherry-pick relevant commits and have patches deployed (if their build systems permit that) to have point releases.
Nico
Thierry
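
The check discussed in this thread can be scripted. The following is an added example, not part of the original e-mails and not code from coreboot or Heads: it reports how a config file records `CONFIG_X86_SMM_LOADER_VERSION2` and keeps "absent" separate from "not set", since a savedefconfig file omits values that match the default. The function names, result strings and sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify how a coreboot config file records the SMM loader v2 option.
SYM=CONFIG_X86_SMM_LOADER_VERSION2

# Print enabled | disabled | absent for the Kconfig-style file in $1.
smm_loader_v2_state() {
    if grep -q "^${SYM}=y\$" "$1"; then
        echo enabled
    elif grep -q "^# ${SYM} is not set\$" "$1"; then
        echo disabled
    else
        echo absent
    fi
}

# $1 = format the caller knows the file is in ("defconfig" or "full"), $2 = file.
# An absent symbol means different things in the two formats:
#   defconfig: the value equals the tree's default, so expand the config first
#   full:      the tree does not offer the option, so the release default applies
audit_config() {
    state=$(smm_loader_v2_state "$2")
    case "$state:$1" in
        enabled:*)        echo "v2-selected" ;;
        disabled:*)       echo "v2-not-selected" ;;
        absent:defconfig) echo "unknown-expand-first" ;;
        absent:full)      echo "option-not-in-tree" ;;
        *)                echo "bad-format-argument"; return 2 ;;
    esac
}

# Constructed sample inputs (not taken from any real board configuration).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_VENDOR_LENOVO=y' 'CONFIG_BOARD_LENOVO_X230=y' > "$d/saved"
    printf '%s\n' 'CONFIG_VENDOR_LENOVO=y' "# ${SYM} is not set" > "$d/expanded"
    printf '%s\n' 'CONFIG_VENDOR_LENOVO=y' 'CONFIG_HAVE_SMI_HANDLER=y' > "$d/newer"
    audit_config defconfig "$d/saved"      # unknown-expand-first
    audit_config full "$d/expanded"        # v2-not-selected
    audit_config full "$d/newer"           # option-not-in-tree
    rm -rf "$d"
}
demo
```

An "unknown-expand-first" result is the case described in the thread for the 4.13 boards: the answer only becomes visible after the saved configuration is expanded against the matching coreboot tree.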