1 |
On Sat, Mar 7, 2020 at 11:26 AM Ivan T. Ivanov <iivanov.xz@×××××.com> wrote: |
2 |
> |
3 |
> Quoting Rich Freeman (2020-03-06 23:13:55) |
4 |
> > |
5 |
> > The patched firmware executes before any software you boot, assuming |
6 |
> > your device was patched before the hacker got his hands on it. |
7 |
> > |
8 |
> |
9 |
> Well, they say that vulnerability is inside ROM code [1], which |
10 |
> is executed before any firmware. And because this is ROM it could |
11 |
> not be patched. |
12 |
> |
13 |
|
14 |
The root vulnerability is indeed in ROM. The firmware patches |
15 |
partially mitigate the vulnerability. |
16 |
|
17 |
Without a firmware patch the CPU is vulnerable to both hardware and |
18 |
software attacks. |
19 |
|
20 |
With the firmware patch the CPU is still vulnerable to |
21 |
hardware/physical attacks, but is apparently no longer vulnerable to |
22 |
software attacks. |
23 |
|
24 |
Obviously both attack vectors matter depending on your use case, but |
25 |
software attacks are obviously far more widely applicable. If you |
26 |
don't patch your firmware then even a server which is completely |
27 |
protected physically is still vulnerable. Even if you don't intend to |
28 |
use these features in your CPU, a hacker who manages to get into your |
29 |
server could use the vulnerability to implant a rootkit that is |
30 |
protected by the CPU from detection by the OS. |
31 |
|
32 |
So, even though a firmware update doesn't entirely close the |
33 |
vulnerability, it is still important to deploy. |
34 |
|
35 |
Note that while in this case it is apparently not possible to fix the |
36 |
problem with firmware, there are known CPU hardware problems that can |
37 |
be fixed via software. It really depends on the nature of the |
38 |
problem. In this case we're talking about a TPM where a threat model |
39 |
is an attacker with physical access that is trying to play games with |
40 |
the busses/etc, and as such it is important that it initialize using |
41 |
code in ROM that is known-good. |
42 |
|
43 |
-- |
44 |
Rich |