On 3/7/25 12:42, Soren Stoutner wrote:
> On Friday, March 7, 2025 11:33:53 AM MST Simon Josefsson wrote:
> > pan...@disroot.org writes:
> > > I urge Debian to rethink its decision to officially include non-free
> > > firmware and correct the social contract. Instead of making non-free
> > > firmware the default, Debian should ensure that users consciously
> > > choose to install it while being made aware of the implications.
> >
> > I agree and would personally come back to use Debian on some of my
> > laptops if there was a supported way to install Debian from official
> > installer images that did not promote non-free software by including
> > firmware on them.
> >
> > The recent AMD Microcode vulnerability is a good case study on the
> > dangers of permitting non-free code to run on your CPU:
> >
> > https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking
> >
> > There is no way for me as a user to audit that the Debian installer
> > images are not including vulnerable microcode, since source code for the
> > firmware is not available.
FTR there is a kernel patch that was introduced specifically because of this vulnerability.
https://git.kernel.org/torvalds/c/50cef76d5cb0e199cda19f026842560f6eedc4f7

The kernel patch separately verifies the sha256 of the microcode attempting to be loaded on an affected processor (both early and late) and rejects modified microcode.
If you are concerned with malware having tampered with the microcode before the kernel is loaded, there is a TPM2 PCR event log that the firmware records. You can validate that the TPM2 PCR event log and the TPM2 PCR values match to ensure that you can trust it.
This is one of the checks that 'fwupdmgr security' will run and report if they don't match.
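The event-log check described above, as an added illustration (not code from this thread, the kernel, or fwupd): a constructed SHA-256 TPM2 event log is replayed with the PCR extend rule and compared against the PCR values the TPM reports, so a log that was edited after the firmware measured a different microcode blob shows up as a PCR0 mismatch. Event labels and measured blobs are invented; real logs use the TCG2 binary format.

```python
import hashlib
from dataclasses import dataclass

PCR_COUNT, DIGEST_LEN = 24, 32  # SHA-256 PCR bank

@dataclass(frozen=True)
class Event:
    pcr: int        # PCR index the firmware extended
    digest: bytes   # SHA-256 digest recorded in the log entry
    label: str      # constructed description, not a real TCG event type

def measure(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(old: bytes, digest: bytes) -> bytes:
    # TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || digest)
    return hashlib.sha256(old + digest).digest()

def replay_event_log(events):
    """Recompute every PCR from the log alone; all PCRs start as 32 zero bytes."""
    pcrs = {i: bytes(DIGEST_LEN) for i in range(PCR_COUNT)}
    for ev in events:
        if not 0 <= ev.pcr < PCR_COUNT or len(ev.digest) != DIGEST_LEN:
            raise ValueError(f"malformed event: {ev.label}")
        pcrs[ev.pcr] = extend(pcrs[ev.pcr], ev.digest)
    return pcrs

def verify_pcrs(events, reported):
    """PCR indices whose replayed value differs from what the TPM reports."""
    replayed = replay_event_log(events)
    return sorted(i for i, v in reported.items() if replayed[i] != v)

# Constructed sample log for a hypothetical platform (not real measurements)
CLEAN_LOG = [
    Event(0, measure(b"firmware-volume"), "platform firmware blob"),
    Event(0, measure(b"microcode-patch-rev-A"), "CPU microcode blob"),
    Event(2, measure(b"option-rom"), "option ROM"),
    Event(4, measure(b"boot-manager"), "boot manager"),
]
# Scenario: the firmware really extended a different microcode blob into PCR0,
# and the log was then edited to show the clean entry. The TPM's PCR0 cannot
# be rewound, so replaying the presented log no longer matches the TPM.
_REAL_LOG = [CLEAN_LOG[0], Event(0, measure(b"microcode-patch-modified"),
                                  "CPU microcode blob")] + CLEAN_LOG[2:]
PCRS_REPORTED_BY_TPM = replay_event_log(_REAL_LOG)

print("intact  :", verify_pcrs(CLEAN_LOG, replay_event_log(CLEAN_LOG)))  # []
print("doctored:", verify_pcrs(CLEAN_LOG, PCRS_REPORTED_BY_TPM))         # [0]
```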