On 4/12/22 10:17, Nico Huber wrote:
Hello Insurgo,
On 12.04.22 16:01, Insurgo Technologies Libres / Open Technologies wrote:
On April 12, 2022 8:55:56 AM UTC, Arthur Heymans
<art...@aheymans.xyz> wrote:
Would it make sense to backport your fix to old releases and bump
those release numbers to a .1 on the end?
Some see releases as mere synchronization tags & nice PR.
Some releases are also branches in gerrit but there are none affected by
this (latest is 4.12 and it was introduced in 4.13).
As you may know, coreboot distributions (talking of Heads
specifically here), take releases tarballs and apply patches where
needed on top of it.
In the present case, Heads currently depends on coreboot 4.11, 4.13
and 4.15 for its supported boards. I quickly attempted to backport
the relevant patches to 4.13 tarball release, unsuccessfully.
have you checked if the SMM module loader v2 was used in your 4.13
builds? AIUI, it was optional and only enabled on user request.
Thanks Nico for that pointer. Community maintained Heads boards are
mostly based on coreboot 4.13 as of now:
# CONFIG_X86_SMM_LOADER_VERSION2 is not set
was hidden in the savedefconfig format stored under Heads repositories
for coreboot 4.13 depending boards.
Expending the saved configuration confirms non-usage of SMM2 optional
loader and is therefore not considered vulnerable per reported
vulnerability.
I would highly doubt other coreboot based distributions would have
activated this explicitly, but will depend of the new coreboot pushed
defaults from upstream releases. Let's see.
4.15 and 4.16 removed that optional configuration setting (default
configuration) and seemed to have switched to SMM2 by default.
Neither coreboot 4.14, 4.15 or 4.16 releases notes explicitly noted the
change to SMM2, where 4.13 announces the change. Not sure users are
following coreboot discussions, but I hope coreboot distribution
maintainers are.
Consequently, all downstream coreboot based distributions, and their
users, may stay vulnerable if no new 4.15.1 4.16.1 are released from my
understanding until 4.17 is released.
A quick exploration of other coreboot distributions I am aware of:
- Skulls uses coreboot master git at time of release (1.0.4 is based on
74d2218cc7 as of december 2021, configs are also saved in savedefconfig
and are expected as well, consequently).
https://github.com/merge/skulls/releases/tag/1.0.4
- Not so familiar with osboot build system. They store configs in
expended full format. Sampled config for x220 was updated last month and
seems to be based on coreboot 4.14+ 9probably 4.16), which is deemed to
be vulnerable as well.
https://notabug.org/osboot/osbmk/src/master/resources/coreboot/x220_8mb
- Not so familiar with libreboot recent buildsystem either. A sampled
configuration for x200 shows coreboot config being last updated 4 months
ago, making it depend on coreboot 4.14+ which is not showing 4.13
optional SMM2 loader, which also seem to default to SMM2. Hence all
their boards (outside of kgpe-d16, kcma-d8 etc depending on older 4.11)
being vulnerable as well:
https://notabug.org/libreboot/lbmk/src/master/resources/coreboot/x200_8mb/config/libgfxinit_corebootfb
As per my precedent e-mail, I believe all coreboot based distributions
(maintainers and their project users) would be grateful to have releases
backporting this patchset (4.14? 4.15, 4.16) to properly support their
coreboot users. Then being able to do a point release as well without
all of them having to point to a random commit, happening in between
coreboot releases/maintainers or trying to manually cherry-pick relevant
commits and have patches deployed (if their build systems permit that)
to have point releases.
Nico
Thierry
_______________________________________________
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-le...@coreboot.org