Re: Meltdown / Spectre

[Chris Marusich <cmmarusich@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 2665 bytes --]

Alex Vong <alexvong1995@gmail.com> writes:

> Hello,
>
> I hope this is on topic. Recently, 2 critical vulnerabilities (see
> https://meltdownattack.com/) affecting virtually all intel cpus are
> discovered. I am running libreboot x200 (see
> https://www.fsf.org/ryf). What should I do right now to patch my laptop?
>
> Cheers,
> Alex

According to the user named _4of7 in the #libreboot channel of the
Freenode IRC network, the email list development@libreboot.org is down.
So the Libreboot maintainers have probably not seen this email thread.

According to _4of7, currently the best way to contact the Libreboot
maintainers is IRC.  It would probably be best to ask there.  If you get
a response, please don't forget to update us here on this thread!

When I asked in #freenode today, _4of7 responded as follows:

  <_4of7> There's not much we can do from the Libreboot side, but there are
  <_4of7> mitigations on kernel side... since it's exploitable from javascript
  <_4of7> you could also e.g. not run JavaScript. specing on #libreboot IRC had
  <_4of7> the idea to run Firefox without the JIT enabled - we both tried to
  <_4of7> compile the latest ESR however, with --disable-ion, and it segfaulted.
  <_4of7> I tried to build ff 45esr instead, but that build failed.

I'm not sure who _4of7 is, so I don't know if they speak for the
Libreboot project.

Mark H Weaver <mhw@netris.org> writes:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Katherine Cox-Buday <cox.katherine.e@gmail.com> writes:
>>
>>> Chris Marusich <cmmarusich@gmail.com> writes:
>>>
>>>> Leo Famulari <leo@famulari.name> writes:
>>>
>>>> I wonder: how easy will it be to install those firmware/microcode
>>>> updates if you are using GuixSD? In particular, I'm curious about the
>>>> case of the Lenovo x200 with libreboot, since that's what I use
>>>> personally.
>>>
>>> I am also interested -- more from a philisophical perspective -- how
>>> GuixSD and GNU squares with these kinds of security updates.
>>
>> In my opinion, CPU microcode falls under "non-functional data", as
>> expressly permitted by the GNU FSDG.
>
> I strongly disagree.  CPU microcode is absolutely functional data.
> It determines how the CPU functions.

Does the GNU Project have a policy regarding this sort of thing?  I
wasn't able to find any articles on gnu.org that discuss it.

If no such policy exists, then should this topic be discussed somewhere
like gnu-system-discuss@gnu.org?  I don't know where discussions like
this normally take place within the GNU project.  It's definitely a
discussion worth having, though.

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]