From: Leah Rowe
Subject: Re: What do Meltdown and Spectre mean for libreboot x200 user?
Date: Fri, 19 Jan 2018 14:29:36 +0000
To: Andy Wingo
Cc: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

On 19/01/18 14:26, Leah Rowe wrote:
> Hi Andy,
>
> On 15/01/18 13:25, Andy Wingo wrote:
>> Greets,
>
>> On Mon 15 Jan 2018 12:32, Leah Rowe writes:
>
>>> The implications [of Meltdown/Spectre] at firmware level are
>>> non-existent (for instance, these attacks can't, to my
>>> knowledge, be used to actually run/modify malicious code, just
>>> read memory, so it's not as if some evil site could install
>>> malicious boot firmware in your system).
>
>> I agree that it's unlikely that a site could install boot
>> firmware, but AFAIU it's not out of the realm of possibility.
>> The vector I see would be using Meltdown/Spectre to read
>> authentication/capability tokens which could be used to gain
>> access, either via some other RCE vuln or possibly via remote
>> access. Maybe evil code could find an SSH private key in a
>> mapped page, for example, which the evil server could use to SSH
>> directly to your machine. But I admit that it's a bit far-fetched
>> :)
>
> If the attack is used in order to gain access to GPG keys, it could
> be used to impersonate you. If it is used in order to read private
> SSH keys, then it could be used to log onto your servers for
> instance, and install malicious firmware.
>
> Of course, this can be mitigated by write-protecting. Libreboot
> systems support this, for the most part, though write protection
> of boot flash is not enabled by default, for ease-of-use reasons.
>
> It is not far-fetched at all. I highly recommend that you take care
> as to what code runs on your system, especially with things like
> web browsers. If you give someone SSH into a system (e.g. shared
> server) but they don't need code execution (e.g. the SSH daemon is
> there for them to have SCP access), make sure noexec is set on
> their directory's mountpoint. Things like that.

Do you use Google? Do you use Twitter? What about your bank? Government
website? Anything that serves you JavaScript is a potential threat.

Even if an organisation is benevolent, who is to say that they don't get
compromised at one point and start being used as a vessel for attack at
some point?

--
Leah Rowe
Libreboot developer and project founder.

Use free software. Free as in freedom.
https://www.gnu.org/philosophy/free-sw.html

Use a free BIOS - https://libreboot.org/
Use a free operating system, GNU+Linux.

Support computer user freedom
https://fsf.org/ - https://gnu.org/

Minifree Ltd, trading as Ministry of Freedom | Registered in England,
No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK |
Web: https://minifree.org/
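
The noexec check recommended in the message above, as an added example that is not part of the original e-mail or of the Libreboot project: the script finds the mount that covers a directory and reports whether that mount carries noexec. The mount table, the /home/scpuser path and the function names are constructed for illustration; paths are assumed to be absolute, free of symlinks and without spaces.

```bash
#!/usr/bin/env bash
# Added example: is the filesystem holding a directory mounted noexec?

# Constructed sample in /proc/mounts format; the paths are hypothetical.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev 0 0
/dev/sda3 /home/scpuser ext4 rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# mount_options_for DIR [MOUNTS_TEXT]
# Prints "<mountpoint> <options>" for the mount that covers DIR: the longest
# mount point that equals DIR or is a parent of it. Reads /proc/mounts when
# no mount table text is passed.
mount_options_for() {
    local dir="${1%/}" mounts="${2:-$(cat /proc/mounts)}"
    [ -n "$dir" ] || dir="/"
    printf '%s\n' "$mounts" | awk -v d="$dir" '
        {
            mp = $2
            # Match "/", an exact hit, or a prefix ending at a path
            # separator, so that /home does not match /homework.
            if (mp == "/" || d == mp || index(d, mp "/") == 1) {
                # ">=" lets a later mount on the same point shadow an earlier one.
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
            }
        }
        END { if (best != "") print best, opts }'
}

# is_noexec DIR [MOUNTS_TEXT]: succeeds only if the covering mount has noexec.
is_noexec() {
    local opts
    opts="$(mount_options_for "$@" | awk '{print $2}')"
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Directories given as arguments are checked against the live mount table.
for d in "$@"; do
    if is_noexec "$d"; then
        echo "OK      $d (noexec)"
    else
        echo "WARNING $d is on a mount that allows execution"
    fi
done
```

Run it with the upload directories of SCP-only accounts as arguments; a WARNING line means the directory inherits an executable mount from a parent such as /home.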