On Wed, Oct 25, 2017 at 6:44 AM, Jarkko Sakkinen <jarkko.sakki...@linux.intel.com> wrote: > I'm implementing a fix for CVE-2017-15361 that simply blacklists > vulnerable FW versions. I think this is the only responsible action from > my side that I can do.
I'm not sure this is ideal - do Infineon have any Linux tooling for performing firmware updates, and if so will that continue working if the device is blacklisted? It's also a poor user experience to have systems using TPM-backed disk encryption keys suddenly rendered unbootable, and making it as easy as possible for people to do an upgrade and then re-seal secrets with new keys feels like the correct approach.
