Bill Allombert <ballo...@debian.org> writes:

> Le Fri, Mar 07, 2025 at 07:33:53PM +0100, Simon Josefsson a écrit :
>> pan...@disroot.org writes:
>> 
>> > I urge Debian to rethink its decision to officially include non-free
>> > firmware and correct the social contract. Instead of making non-free
>> > firmware the default, Debian should ensure that users consciously
>> > choose to install it while being made aware of the implications.
>> 
>> I agree and would personally come back to use Debian on some of my
>> laptops if there was a supported way to install Debian from official
>> installer images that did not promote non-free software by including
>> firmware on them.
>> 
>> The recent AMD Microcode vulnerability is a good case-study on the
>> dangers of permitting non-free code to run on your CPU:
>> 
>> https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking
>
> Do not fall for the marketing. What was broken was the DRM which
> forbids you to fix the firmware on your own CPU. This is no more a
> vulnerability than letting you boot your own OS.

My point was that there is no reasonable way to gain confidence about
security properties of any piece of non-free microcode.  Everyone can
now produce AMD microcode that corrupts your machine in advanced ways
that evade detection, but we don't know if such malicious corruption is
included in the official microcode.  Having source code for the
microcode would help gain confidence in it, and is the reasonable
request.  If the request is denied, I would consider the vendor not
trustworthy and look into options.

This is a similar vulnerability to installing a non-free operating
system like Windows.  You essentially have to trust the vendor to
provide you with software, which you have no good way of auditing and
ultimately end up in their control.  It wouldn't be a big problem if
software were free of vulnerabilities and never needed updates, but just
like Windows has had bugs, microcode has bugs.

https://www.gnu.org/philosophy/free-software-even-more-important.html

/Simon
