On 2025-03-07 19:33:53 +0100 (+0100), Simon Josefsson wrote: [...]
The recent AMD Microcode vulnerability is a good case-study on the dangers of permitting non-free code to run on your CPU:

https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking

There is no way for me as a user to audit that the Debian installer images are not including vulnerable microcode, since source code for the firmware is not available.
[...]

Note that there's similarly no way for you as a user to audit the microcode that shipped with your processor, and without Debian supplying microcode updates it would be on you to track security announcements from the hardware vendor and update it yourself with the same inscrutable blobs (or not update it, I guess that's also a choice).
In theory, the work required to check that microcode updates supplied through nonfree-firmware match official vendor checksums would be roughly the same as if you fetched them from the hardware vendor to install manually yourself.
-- Jeremy Stanley