Apr 12, 2022, 10:25 by insu...@riseup.net:

> On 4/12/22 10:17, Nico Huber wrote:
>
>> Hello Insurgo,
>>
>> On 12.04.22 16:01, Insurgo Technologies Libres / Open Technologies wrote:
>>
>>> On April 12, 2022 8:55:56 AM UTC, Arthur Heymans <art...@aheymans.xyz>
>>> wrote:
>>>
>>>>> Would it make sense to backport your fix to old releases and bump
>>>>> those release numbers to a .1 on the end?
>>>>>
>>>> Some see releases as mere synchronization tags & nice PR.
>>>> Some releases are also branches in gerrit but there are none affected by
>>>> this (latest is 4.12 and it was introduced in 4.13).
>>>>
>>> As you may know, coreboot distributions (talking of Heads specifically
>>> here) take release tarballs and apply patches where needed on top of them.
>>>
>>> In the present case, Heads currently depends on coreboot 4.11, 4.13 and
>>> 4.15 for its supported boards. I quickly attempted to backport the relevant
>>> patches to the 4.13 tarball release, unsuccessfully.
>>>
>> have you checked if the SMM module loader v2 was used in your 4.13
>> builds? AIUI, it was optional and only enabled on user request.
>>
>
> Thanks Nico for that pointer. Community maintained Heads boards are mostly
> based on coreboot 4.13 as of now:
>
>> # CONFIG_X86_SMM_LOADER_VERSION2 is not set
>>
>
> was hidden in the savedefconfig format stored under Heads repositories for
> the boards depending on coreboot 4.13.
>
> Expanding the saved configuration confirms non-usage of the optional SMM2
> loader, and Heads is therefore not considered vulnerable per the reported
> vulnerability.
>
> I would highly doubt other coreboot based distributions would have activated
> this explicitly, but it will depend on the new defaults pushed by coreboot
> in upstream releases. Let's see.
>
> 4.15 and 4.16 removed that optional configuration setting (default
> configuration) and seem to have switched to SMM2 by default.
>
> Neither the coreboot 4.14, 4.15 nor 4.16 release notes explicitly noted the
> change to SMM2, whereas 4.13 announces the change. Not sure users are following
> coreboot discussions, but I hope coreboot distribution maintainers are.
>
> Consequently, all downstream coreboot based distributions, and their users,
> may stay vulnerable if no new 4.15.1 / 4.16.1 releases are made, from my
> understanding, until 4.17 is released.
>

I definitely agree that it would be a good thing to create the release branches for 4.14, 4.15, and 4.16 and port at least these security changes, then do a .1 release with those updates, and remove the original tarballs from our download page.

Even if this isn't needed for a particular project like Heads, I think it's our responsibility to go back and fix security issues like this. I'll see what I can do to make this happen.

Martin

_______________________________________________
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-le...@coreboot.org