Author Topic: Intel CPUs Massive Security Flaw issue  (Read 6258 times)

Offline kejianshi
Re: Intel CPUs Massive Security Flaw issue
« Reply #90 on: January 13, 2018, 10:31:58 am »
So are you saying pfSense hardware isn't a security product?

Offline Ryu945
Re: Intel CPUs Massive Security Flaw issue
« Reply #91 on: January 13, 2018, 10:41:45 am »
Quote from: kejianshi
So are you saying pfSense hardware isn't a security product?

I am saying that standard hardware likely has some vulnerability in it somewhere.  Here is an example of a company that advertises a cell phone for which they custom-made the hardware to try to remove these vulnerabilities.  That is their claim at least.

https://www.silentcircle.com/about-us/
« Last Edit: January 14, 2018, 10:22:32 am by Ryu945 »

Offline kejianshi
Re: Intel CPUs Massive Security Flaw issue
« Reply #92 on: January 13, 2018, 01:23:47 pm »
I would say those companies are actually similar to pfSense in that they use readily available consumer-grade hardware and run a tightly secured OS and software.

I think any processors that are immune to Spectre are immune accidentally.  I really don't think anyone purposely made a CPU to be immune to these attacks, but they will soon be doing it for sure.

Offline robi
Re: Intel CPUs Massive Security Flaw issue
« Reply #93 on: January 13, 2018, 02:14:09 pm »
I'd love to see some general-purpose tool to edit BIOS files and update microcode inside them. Something that would know most BIOS formats, open the BIN file, advise which binary microcode file to choose, and compile a new image from it.
Because most manufacturers won't care to release BIOS updates for motherboards older than 1-2 years.

pfSense would also want to have a nice GUI somewhere to allow us to browse for a microcode pack we can download from Intel etc. and apply it at each boot at runtime. And write in the logs whether the runtime update was successful or not.

Offline w0w
Re: Intel CPUs Massive Security Flaw issue
« Reply #94 on: January 15, 2018, 12:54:26 pm »
Do not update microcode now, wait.
Withdrawn Broadwell & Haswell CPU Microcode Update:  Intel provides the CPU microcode updates required to address Variant 2, which manufacturers like Lenovo then incorporate into their UEFI firmware. Intel has notified manufacturers of quality issues in the initial Broadwell and Haswell microcode updates with instructions to no longer distribute the affected microcode. As such, Lenovo has withdrawn previously issued UEFI firmware containing the affected Broadwell and Haswell CPU microcode. We will issue revised UEFI firmware updates as soon as possible following Intel’s release of revised Broadwell and Haswell CPU microcode. Servers affected by this issue are noted, below, as “Earlier update X withdrawn due to a microcode quality issue.”

Quote from: robi
I'd love to see some general-purpose tool to edit BIOS files and update microcode inside them. Something that would know most BIOS formats, open the BIN file, advise which binary microcode file to choose, and compile a new image from it.
Because most manufacturers won't care to release BIOS updates for motherboards older than 1-2 years.

pfSense would also want to have a nice GUI somewhere to allow us to browse for a microcode pack we can download from Intel etc. and apply it at each boot at runtime. And write in the logs whether the runtime update was successful or not.

It is not so simple. Every BIOS is copyrighted by AWARD, AMI and whoever else... Phoenix  ;D. So you just can't edit it without buying a proper license, and most manufacturers also use security checks. For example, I just cannot flash an edited BIOS onto an Asus motherboard with standard methods — only with the BIOS flashback function or hardware tools. There are also some special BIOSes like the ones HP uses for their enterprise-grade hardware.
Even a not-so-universal BIOS modding tool like UBU has had a copyright problem with AMI.