On Fri, Mar 6, 2020 at 3:50 AM Michael <confabul...@kintzios.com> wrote:
>
> I have lost count with the naming scheme of Intel's embedded spyware to know
> if this is yet another vulnerability, or something to convince me to throw
> away the last Intel-powered box still in my possession (mind you it's >10yr
> old):
>
> https://arstechnica.com/information-technology/2020/03/5-years-of-intel-cpus-and-chipsets-have-a-concerning-flaw-thats-unfixable/

The article is actually pretty well-written.  I haven't studied the
issue in any depth but here are my impressions:

1.  You need a firmware update to prevent software vulnerabilities.
2.  Even with a firmware update you are vulnerable to somebody with
physical access to your device.

The whole issue centers around TPM essentially.  This potentially
impacts you if you don't care about TPM, but it impacts you more if
you do care about TPM.

If you don't use TPM (probably many on this list), then your main
concern should just be with getting your firmware patched (#1 above).
Otherwise you could be vulnerable to rootkits that hijack the TPM on
your machine and use it to spy on you in hard-to-detect ways.  Based
on the article a firmware patch should block the ability for software
to get into your TPM and mess with it.  Then you're basically safe.
If you aren't using TPM you're already vulnerable to somebody with
physical access to your device, so there is no real change in the
threat model for you.

Now let's get to those who use TPM or the other impacted trusted
services.  You use these if:
1.  You rely on secure boot (with any OS - Linux does support this
though I imagine it is rare for Gentoo users to use it).
2.  You rely on TPM-backed full disk encryption.  This includes
BitLocker and most commercial solutions.  This doesn't include LUKS.
If your disk is unreadable if you remove it from the computer, but you
don't need any password to boot it, then you're probably using
TPM-backed encryption.
3.  You are Netflix/etc and are relying on remote attestation or any
of the technologies RMS would term "treacherous computing."
4.  You are a corporate owner of computers and are relying on the same
technologies in #3 but to actually protect your own hardware.  Or
maybe if you're the only person in the world using Trusted GRUB.

If you fall into this camp you need to still update your firmware to
address the non-TPM-user and to avoid making it trivial for software
to steal your keys/etc.  However, you need to be aware that you are no
longer secure against physical theft of your device.  Somebody who
steals your laptop with passwordless encryption might be able to break
the encryption on your device.  They would need to steal the entire
laptop though - if you throw out a hard drive nobody will be able to
recover it from the trash.  If you're Netflix I'm not sure why you're
even bothering with this stuff because all your content is already
available in full quality on torrent sites, but I guess you can lose
even more sleep over it if you want to.  If you're using secure boot
then somebody with physical access might be able to change the
authorization settings and let another OS boot.  If you're a
corporation with sensitive data you probably have the biggest impact,
because you're distributing laptops to people who lose them and who
don't have a ton of security hygiene to begin with.

The only people who probably will consider replacing hardware are
corporate users.  Most on this list are going to be fine with a
firmware update as you're probably not using the TPM features.
Indeed, even getting those working on Linux is a PITA - I'm not aware
of any distro that has TPM-backed encryption out of the box.  Windows
has this in the Pro edition (BitLocker) and it is probably fairly
popular.

If you use LUKS-based encryption you are going to be secure with
patched firmware as long as nobody installs a keylogger on your
device.  That will be easier with the vulnerability, though somebody
could just hack the keyboard hardware anyway and LUKS wouldn't protect
you against that.  TPM has pros and cons compared to LUKS in general.
If you don't patch your firmware then it is possible a rootkit might
get in there and steal your keys at boot time.

If somebody has more to add from researching this more I'm all ears.
Now I need to check if my Windows tablet with BitLocker is vulnerable.
This also shows the downside to TPM encryption - it is convenient but
if somebody steals a laptop and just keeps it stored away they could
always use a vulnerability like this to break in sometime in the
future.  It is probably still worth using as a minimum because it does
protect against hard drive loss, and it works if your TPM isn't
vulnerable.

-- 
Rich
