On 01/11/2018 05:05 AM, Nico Huber wrote: I forgot to include my usual suffix mentioning that blobs are required for video (and power management) I believe it is still much better than the C2D laptops in terms of security despite the video blob as it has an IOMMU [1] and no ME/PSP. [1] with the high end quad core CPU option I was and still am under the impression that fixing both issue classes requires microcode updates, can you link to a better explanation?

This assumes security was a concern in the first place, which is not what I see where I live/work. On 01/11/2018 11:27 PM, Timothy Pearson wrote:

Hi Nico, I've had a small discussion with bridgman from AMD (at Phoronix forums) and he told me that VBIOS needed by G505S - aka "gfx init for AMD" - - is "effectively open source" - a byte code which is possible to parse with [AtomDis] open source interpreter Only problem is that the last update of AtomDis was at 2011 - so, while it should be able to parse 100% of G505S integrated / discrete GPUs AtomBIOSes (because these GPUs were developed before 2011 if I am correct) maybe AtomDis couldn't parse everything for the modern AMD GPUs Me: " @bridgman why you don't just open source the complete source code of VBIOS, to let the open source community improve it and fix some bugs? With the help of flashrom open source project, anyone is able to reflash their VBIOS through In-System-Programming. We just don't have the original source code of VBIOS, and the creation of open source VBIOS from scratch is like reinventing the wheel - a huge wheel, which is way too much for unpaid work Just share the complete source code of VBIOS and let the open source community fix the bugs for you for free! A win-win solution. Why not do it? For the bystanders like me, it gives an impression that either 1) VBIOS source code is a horrible quality, too ashamed to release it to public 2) VBIOS contains some hidden backdoors, hence the need for secrecy 3) AMD is not that friendly to open source community, if instead of sharing what you already got, you want the people to start reinventing the wheel and waste countless of unpaid work hours on it " brigman: " It is effectively open source. The data tables are all documented in atombios.h. They are just data structures. The command table parameters are all documented in atombios.h (also just data structures). The command tables are all written in byte code to begin with. The source to the interpreter is open source so you can dump command tables and see exactly what they are doing. You can even write your own command tables in byte code or edit exiting ones if you wanted to. Those are the only things the driver uses from the vbios. The whole point of the data and command tables is to encapsulate board specific configuration details on the actual board itself so that the driver doesn't need explicit knowledge about every board configuration out there. To summarize: 1. We use an interpreter in VBIOS in order to (a) fit a lot of functionality into a small ROM, (b) give us a degree of CPU independence. My understanding is that this is pretty common practice; either way it's not likely to change unless OEMs buying AMD chips are willing to spend more $$ on the ROM for our hardware than for competitors hardware AND we are willing to go back to having different BIOS code for each of the different CPUs our chips are used with. 2. As agd5f said, the VBIOS source code is bytecode similar to what you get out of the disassembler, although the disassembler output is formatted more neatly. It's not like there is a single master copy of VBIOS source written in C that could be "opened once" - every HW vendor tweaks their BIOS images before production and AFAIK those changes are not ours to publish. Relatively more of the changes are in data tables than in command tables but both get changed and so we need to use both in the driver if we want driver functionality to correctly match the HW config. There are literally thousands of different HW subsystems, each with their own VBIOS image and hence each with their own slightly different source code... and the associated HW differences DO generally need to be considered when the driver runs. 3. A couple of people have started projects to replace VBIOS with a fully open solution, but my impression is that they all run into the same issues: - initial implementation is straightforward but ongoing maintenance is a big and boring effort nobody wants to own - you lose CPU independence unless you are willing to maintain AND TEST a lot more different VBIOS builds - without an interpreter the resulting implementation won't fit in the on-card ROM unless you cut back functionality We make enough information for an open source BIOS replacement available as part of the open source driver effort (data table & command table headers, bytecode interpreter, open source drivers using the tables) although I don't think we support VBIOS re-flashing in general. It is easy to get the same result by over-riding tables in the driver code, however, and I believe there is an existing quirk mechanism. 4. Over time I think you will see a trend away from using AtomBIOS calls simply because ROM size limits the amount of complexity that can be supported in ROM-resident tables while HW complexity is continuing to grow as quickly as ever. My understanding is that DAL/DC makes somewhat less use of AtomBIOS calls but it also replaces a relatively painless sharing model (drivers for all OSes/platforms make the same AtomBIOS calls for the fiddly HW-specific bits) with a much-harder-to-sell sharing model (drivers for all OSes/platforms share native driver code for the fiddly HW-specific bits). I understand that this seems unnecessary (and maybe even counter-productive) if you believe that modesetting is trivial, but I don't know how to reconcile your views on modesetting with the views of developers working on the code at different vendors. Once we figure out how to close that gap the rest of the discussion should become easier. " Best regards, Mike Banon On Thu, Jan 11, 2018 at 1:05 PM, Nico Huber <nico.h(a)gmx.de> wrote:

Am 14.03.2018 22:46 schrieb David Hobach: I have. I have the relevant patchset up for review: https://review.coreboot.org/#/c/blobs/+/23315/ and currently always apply it on top of my coreboot build (for the Thinkpad X230 in my case; has then revision "1f" and verified functionality using https://github.com/speed47/spectre-meltdown-checker or similar tools) martin

https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-up… -- Merlin Büge

On 03/20/2018 04:17 AM, Martin Kepplinger wrote: There are some of the last released high end xeon/core 771/775 CPU's getting updates in the future too.

On 20.03.2018 22:25, Taiidan(a)gmx.com wrote: It's probably easier for you if you load the microcode update from your OS. You obviously have no idea what you are talking about. AFAIK, nobody who has the right to submit to the blobs repository has commented yet on newer microcode updates or was asked personally if this is acceptable. You might have noticed that microcode updates are not public domain but licensed. You still didn't get what Spectre is about, did you? It's just one of many side-channel attacks that are possible when you run untrusted code on your machine. These updates just help with one instance of a much bigger problem and won't magically make your computer (and the software you run) secure. Have a look at [1] or uMatrix. These are much better mitigations, IMHO. But if you are really security concerned you already know that anyway. Nico [1] https://noscript.net/

On 21.03.2018 00:03, Taiidan(a)gmx.com wrote: You. You seem to rate the convenience to have a binary in the blobs repository higher than possible redistribution issues. Though, we might have a simple misunderstanding here. I now realized that you were trying to cherry-pick that commit into a different re- pository. This thread is about a change to the blobs repository which is independent of the coreboot source repository and has different rules. Anyway, I wasn't telling not to fix it, I was just offended by the way you want to fix it and your arrogance. You can mitigate Spectre in many ways. These microcode updates are just part of one way. And putting them into coreboot is just one way to apply them. And having them in the blobs repository is just for convenience. Yet, you claimed the lat- ter must happen. The files are explicitly distributed by Intel for Linux distributors, we are not a Linux distributor. And, FWIW, Intel hasn't ever contributed to our blobs repository. You are already free to add any microcode update to coreboot you want. And we kind of ask people by prompting during coreboot configuration. Not every license is an EULA btw. Yep, but they were submitted a long time ago. And that stopped at some point. I don't know yet if due to licensing issues or just because it's more convenient for Google to maintain their own, hidden blobs repo. So does Rowhammer, any caching related side-channel attacks, hyper- threading related side-channel attacks, I don't know maybe more. These attacks exist and are possible, some may be more complicated than Spectre but most of all: They are not as popular as Spectre. Sorry, easily? Even a Spectre attack isn't that easy. It depends a lot on the code around your VM (no matter the microcode updates in ques- tion). You can make it secure against Spectre even without these micro- code updates. Good analogy, you are right. No matter how careful you are, you may get powned at some point. But what you suggest doesn't seem much better, trigger all mines you can spot all day with a gas mask on that only protects you against one kind of mines that hasn't been spotted yet in the wild. Nico