On 5/20/19 12:02 PM, Mike Banon wrote:
> Huge thanks to Martin Roth, finally we got permission from AMD to merge the new microcode patches - and Martin has just merged them! ;-) So things became slightly easier and luckily now you could disregard some microcode-related parts of my last message. And we need to walk the same path for the AtomBIOS ROMs - should be successful there as well, although perhaps it would take another year or so :P
That is good news about the patches. However, it will require the inclusion of AtomBIOS to be usable in most cases, including my own.
Thanks for going over the patch+blob options. It does appear we are now stuck on just the AtomBIOS verification, assuming the AMD microcode patches make it into coreboot 4.10. Unfortunately, system firmware is now being targeted via remote attacks and I'm not sure how many different AMD APU systems I'd have to scan to be reasonably sure I don't have an exploited copy. If I use a copy from gerrit or github, then I'm relying strictly on https security; this is true whether or not hashes are posted since they are not good assurance unless they are signed.
If there is any appeal you can make to AMD about AtomBIOS, I think it could be of great benefit for anyone looking to AMD and coreboot as more secure alternatives (and not just for older CPUs).