Gentoo Archives: gentoo-user

From: Rich Freeman <rich0@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] New Intel vulnerability?
Date: Fri, 06 Mar 2020 13:48:21
Message-Id: CAGfcS_kGyPxutFLLftCXVTbd1mJwxcYkCAGwJa9WOv4Qvov1zg@mail.gmail.com
In Reply to: [gentoo-user] New Intel vulnerability? by Michael
1 On Fri, Mar 6, 2020 at 3:50 AM Michael <confabulate@××××××××.com> wrote:
2 >
3 > I have lost count with the naming scheme of Intel's embedded spyware to know
4 > if this is yet another vulnerability, or something to convince me to throw
5 > away the last Intel powered box still in my possession (mind you its >10yr
6 > old):
7 >
8 > https://arstechnica.com/information-technology/2020/03/5-years-of-intel-cpus-and-chipsets-have-a-concerning-flaw-thats-unfixable/
9
10 The article is actually pretty well-written. I haven't studied the
11 issue in any depth but here are my impressions:
12
13 1. You need a firmware update to prevent software vulnerabilities.
14 2. Even with a firmware update you are vulnerable to somebody with
15 physical access to your device.
16
17 The whole issue centers around TPM essentially. This potentially
18 impacts you if you don't care about TPM, but it impacts you more if
19 you do care about TPM.
20
21 If you don't use TPM (probably many on this list), then your main
22 concern should just be with getting your firmware patched (#1 above).
23 Otherwise you could be vulnerable to rootkits that hijack the TPM on
24 your machine and use it to spy on you in hard-to-detect ways. Based
25 on the article a firmware patch should block the ability for software
26 to get into your TPM and mess with it. Then you're basically safe.
27 If you aren't using TPM you're already vulnerable to somebody with
28 physical access to your device, so there is no real change in the
29 threat model for you.
30
31 Now let's get to those who use TPM or the other impacted trusted
32 services. You use these if:
33 1. You rely on secure boot (with any OS - Linux does support this
34 though I imagine it is rare for Gentoo users to use it).
35 2. You rely on TPM-backed full disk encryption. This includes
36 Bitlocker and most commercial solutions. This doesn't include LUKS.
37 If your disk is unreadable if you remove it from the computer, but you
38 don't need any password to boot it, then you're probably using
39 TPM-backed encryption.
40 3. You are Netflix/etc and are relying on remote attestation or any
41 of the technologies RMS would term "treacherous computing."
42 4. You are a corporate owner of computers and are relying on the same
43 technologies in #3 but to actually protect your own hardware. Or
44 maybe if you're the only person in the world using Trusted GRUB.
45
46 If you fall into this camp you need to still update your firmware to
47 address the non-TPM-user and to avoid making it trivial for software
48 to steal your keys/etc. However, you need to be aware that you are no
49 longer secure against physical theft of your device. Somebody who
50 steals your laptop with passwordless encryption might be able to break
51 the encryption on your device. They would need to steal the entire
52 laptop though - if you throw out a hard drive nobody will be able to
53 recover it from the trash. If you're Netflix I'm not sure why you're
54 even bothering with this stuff because all your content is already
55 available in full quality on torrent sites, but I guess you can lose
56 even more sleep over it if you want to. If you're using secure boot
57 then somebody with physical access might be able to change the
58 authorization settings and let another OS boot. If you're a
59 corporation with sensitive data you probably have the biggest impact,
60 because you're distributing laptops to people who lose them and who
61 don't have a ton of security hygiene to begin with.
62
63 The only people who probably will consider replacing hardware are
64 corporate users. Most on this list are going to be fine with a
65 firmware update as you're probably not using the TPM features.
66 Indeed, even getting those working on Linux is a PITA - I'm not aware
67 of any distro that has TPM-backed encryption out of the box. Windows
68 has this in the pro edition (Bitlocker) and it is probably fairly
69 popular.
70
71 If you use LUKS-based encryption you are going to be secure with
72 patched firmware as long as nobody installs a keylogger on your
73 device. That will be easier with the vulnerability, though somebody
74 could just hack the keyboard hardware anyway and LUKS wouldn't protect
75 you against that. TPM has pros and cons compared to LUKS in general.
76 If you don't patch your firmware then it is possible a rootkit might
77 get in there and steal your keys at boot time.
78
79 If somebody has more to add from researching this more I'm all ears.
80 Now I need to check if my windows tablet with Bitlocker is vulnerable.
81 This also shows the downside to TPM encryption - it is convenient but
82 if somebody steals a laptop and just keeps it stored away they could
83 always use a vulnerability like this to break in sometime in the
84 future. It is probably still worth using as a minimum because it does
85 protect against hard drive loss, and it works if your TPM isn't
86 vulnerable.
87
88 --
89 Rich

Replies

Subject Author
Re: [gentoo-user] New Intel vulnerability? Michael <confabulate@××××××××.com>
Re: [gentoo-user] New Intel vulnerability? Wols Lists <antlists@××××××××××××.uk>