On 05/01/2017 10:38 AM, Jean-Philippe Ouellet wrote:
> *Sigh*... Yep. We were right to be concerned (of course). And now we
> have something other than our tin foil hats to point at too:
>
> https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/
>
> I want my RISC-V laptop already!

I don't know if it helps things, but I recently disabled the CONFIG_INTEL_MEI, CONFIG_INTEL_MEI_ME, and CONFIG_INTEL_MEI_TXE kernel options in my kernel branches as soon as I was made aware of their existence. My hope is that the ME hardware can't be exploited using those methods if they don't exist in the kernel in the first place; that someone would have to find another way. But again, I have no idea if that's useful or not.

For what it's worth, my systems still boot and run properly, but the newest machine I have access to is of the Sandy Bridge era; I have no idea if newer machines actually need those options baked into the kernel in order to run. Can anyone advise?

https://github.com/rtiangha/qubes-linux-kernel

Also, if anyone has any other ideas on kernel options to disable for various security concerns (ME related or not), let me know. For the moment, I've implemented almost all of the KSPP's recommended settings that are applicable to a certain kernel branch, except for the ones about loadable modules, since I don't know how it affects u2mfn or any other user-compiled kernel modules a Qubes user may want to install. I haven't encountered any issues on my machines (or at least, any that I've noticed), but those could use more testing as well:

https://github.com/rtiangha/qubes-linux-kernel
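
A check for the three options named in the message above, as an added example that is not part of the original post or of the linked repository: it reads a kernel config file and counts how many of CONFIG_INTEL_MEI, CONFIG_INTEL_MEI_ME and CONFIG_INTEL_MEI_TXE are built in or modular. The function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the state of the Intel MEI driver options in a kernel
# config file (a build tree's .config, or e.g. /boot/config-$(uname -r)).
# Function names and sample data below are hypothetical, not from the thread.

MEI_OPTIONS="CONFIG_INTEL_MEI CONFIG_INTEL_MEI_ME CONFIG_INTEL_MEI_TXE"

# option_state FILE OPTION -> prints y, m, or n
# (n covers both "# OPTION is not set" and an option that is absent).
option_state() {
    # Anchor on "OPTION=" so CONFIG_INTEL_MEI does not match CONFIG_INTEL_MEI_ME.
    # If the option appears more than once, the last assignment is reported.
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# mei_enabled_count FILE -> prints how many MEI options are y or m;
# the per-option detail goes to stderr.
mei_enabled_count() {
    count=0
    for opt in $MEI_OPTIONS; do
        state=$(option_state "$1" "$opt")
        echo "$opt=$state" >&2
        [ "$state" = n ] || count=$((count + 1))
    done
    echo "$count"
}

# Constructed sample configs (not taken from any real kernel build).
make_sample_configs() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/stock.config" <<'EOF'
CONFIG_INTEL_MEI=m
CONFIG_INTEL_MEI_ME=m
# CONFIG_INTEL_MEI_TXE is not set
EOF
    cat > "$SAMPLE_DIR/stripped.config" <<'EOF'
# CONFIG_INTEL_MEI is not set
CONFIG_INTEL_IDLE=y
EOF
}

# Usage: sh check_mei.sh /path/to/config
if [ -n "${1:-}" ]; then mei_enabled_count "$1"; fi
```

A count of 0 only confirms that the MEI host-interface drivers are absent from that kernel build.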