Announcement

Collapse
No announcement yet.

Intel Releases New "20220809" CPU Microcode For Latest Security Vulnerability

Collapse
X
Collapse
 
  • Page of 2
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 2 template Next
  • #1

    Intel Releases New "20220809" CPU Microcode For Latest Security Vulnerability

    Phoronix: Intel Releases New "20220809" CPU Microcode For Latest Security Vulnerability

    As part of today's "Patch Tuesday", Intel has made a new round of security vulnerabilities public -- including a new processor advisory that affects their latest Xeon Scalable and Core wares resulting in new CPU microcode being required...

    Intel Releases New "20220809" CPU Microcode For Latest Security Vulnerability - Phoronix
    https://www.phoronix.com/news/Intel-20220809-Microcode
    Phoronix, Linux Hardware Reviews, Linux hardware benchmarks, Linux server benchmarks, Linux benchmarking, Desktop Linux, Linux performance, Open Source graphics, Linux How To, Ubuntu benchmarks, Ubuntu hardware, Phoronix Test Suite
    Tags: None
  • #2
    A write-up on what this CPU microcode fixes: https://arstechnica.com/information-...for-sgx-users/
    • Likes 4

    Comment

    • #3
      Originally posted by birdie View Post
      A write-up on what this CPU microcode fixes: https://arstechnica.com/information-...for-sgx-users/
      From that article:
      stale data may be exposed by an attacker who controls the OS and can read from the legacy xAPIC
      Is it just me, or does it seem like we're being "protected" from a lot of stuff that requires a black-hat to physically control our systems, in which case we are screwed regardless?

      Or maybe I'm reading this article wrong. I'm, of course, no expert on SGX enclaves.

      Comment

      • #4
        Originally posted by andyprough View Post

        From that article:


        Is it just me, or does it seem like we're being "protected" from a lot of stuff that requires a black-hat to physically control our systems, in which case we are screwed regardless?

        Or maybe I'm reading this article wrong. I'm, of course, no expert on SGX enclaves.
        SGX on your PC doesn't protect you, it protects the media industry's DRM. The black-hat in front of the computer messing with this thing would be you. You don't need this microcode update, they need it.

        SGX is also a probable backdoor into your computer, it has network access and is fully independent of the OS. A computer inside a computer.
        • Likes 7

        Comment

        • #5
          Originally posted by andyprough View Post

          From that article:


          Is it just me, or does it seem like we're being "protected" from a lot of stuff that requires a black-hat to physically control our systems, in which case we are screwed regardless?

          Or maybe I'm reading this article wrong. I'm, of course, no expert on SGX enclaves.
          Physical control is not relevant here, this is a different threat model. Normally, data in SGX enclaves is protected even against a malicious os; the present attack undermines this guarantee. If you don't use SGX (you probably don't), then this time you don't need to care at all. The microcode updata is likely not going to slow down anything for you either.
          • Likes 4

          Comment

          • #6
            Bleh. I just updated everything. Not being constructive here unfortunately...

            But I'm getting ever more frustrated by all these sidechannel holes in CPUs.
            Intel might just have more holes than the actual swiss cheese.
            • Likes 2

            Comment

            • #7
              Originally posted by jntesteves View Post

              SGX on your PC doesn't protect you, it protects the media industry's DRM. The black-hat in front of the computer messing with this thing would be you. You don't need this microcode update, they need it.

              SGX is also a probable backdoor into your computer, it has network access and is fully independent of the OS. A computer inside a computer.
              Yeah, what you are saying does ring true. So we are being given microcode "security updates" to protect our computers from our own selves. How tragic.
              • Likes 1

              Comment

              • #8
                Originally posted by andyprough View Post

                Yeah, what you are saying does ring true. So we are being given microcode "security updates" to protect our computers from our own selves. How tragic.
                This is an incomplete understanding since SGX usage isn't limited to DRM. SGX is used by a lot of security sensitive software including the Signal messenger, so vulnerabilities here can and do real world harm and should be fixed.
                • Likes 4

                Comment

                • #9
                  Originally posted by RahulSundaram View Post

                  This is an incomplete understanding since SGX usage isn't limited to DRM. SGX is used by a lot of security sensitive software including the Signal messenger, so vulnerabilities here can and do real world harm and should be fixed.
                  Yes. To be clear here, SGX can be used for protection in scenarios where the operating system and/or computer owner is not trusted. This, as already mentioned, includes DRM and Signal, but also things like remote attestation (for corporate IT, cloud computing or similar).
                  • Likes 2

                  Comment

                  • #10
                    Originally posted by jntesteves View Post

                    SGX on your PC doesn't protect you, it protects the media industry's DRM. The black-hat in front of the computer messing with this thing would be you. You don't need this microcode update, they need it.

                    SGX is also a probable backdoor into your computer, it has network access and is fully independent of the OS. A computer inside a computer.
                    You're thinking of Intel ME. SGX is nothing more than APIs for an enclave that can run code while knowing it's not in a VM and isn't modified. As said above, Signal uses it for encryption purposes.

                    Unfortunately, running trusted code of any kind on an untrusted system is very complicated and full of edge cases.
                    • Likes 1

                    Comment

                    Previous 1 2 template Next
                    Working...
                    X