On Friday, April 27, 2018 at 7:18:37 AM UTC-4, mstv...@gmail.com wrote:
> Is a second-hand CPU safe?
> Is second-hand RAM safe?

Are second-hand keyboards safe? Second-hand mouses? Second-hand SSDs? Second-hand optical-drives? Second-hand power-management chips? Second-hand displays? Is any component safe if it was out of your sight for more than 30 minutes? There's no winning in this thought experiment. cf "On trusting trust."

But yeah, CPUs: from what I understand, Intel microcode updates are not persistent across power cycles. This is why, though an OS can push updates for the current session, it is "more permanent" to deploy the microcode updates in the BIOS/firmware (esp. in a multi-boot system or in a system where the OS lags in microcode update support).

Anyway, when you get your used machine, reflash the BIOS using the manufacturer's most recent release or reflash it with coreboot if that's your thing. Same with any devices that have firmware update support (SSDs, etc.).

Also fun side note: many contemporary SED/HW-FDE SSDs will not allow firmware updates if a) the updates aren't signed by the manufacturer's keys and/or b) the drive is security configured (ATA password, TCG OPAL), even though unlocked. a) is good (or as good as the manufacturer is about securing their signing keys anyway); b) means you have to temporarily de-configure security before updating the firmware (less good... but I like the trade-off of knowing the drive will reject firmware updates unless I go out of my way to perform a security operation that is unusual).

B
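An added example, not part of the original post: a check of whether the microcode a Linux machine is running was pushed by the OS for this session or was already in place from firmware, which is the distinction the reply draws. The sample `/proc/cpuinfo` text and kernel log line are constructed, the log wording is an assumption that varies by kernel version, and the function names are hypothetical.

```python
import re

# Constructed sample input (not from a real machine): two logical CPUs.
SAMPLE_CPUINFO = (
    "processor\t: 0\nmodel name\t: Example CPU\nmicrocode\t: 0xc6\n\n"
    "processor\t: 1\nmodel name\t: Example CPU\nmicrocode\t: 0xc6\n"
)
# Constructed kernel log line; the exact wording is an assumption.
SAMPLE_DMESG = (
    "[    0.000000] microcode: microcode updated early to "
    "revision 0xc6, date = 2018-04-17\n"
)

def microcode_revisions(cpuinfo):
    """Map each logical CPU number to the microcode revision it reports."""
    revs, cpu = {}, None
    for line in cpuinfo.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "processor":
            cpu = int(value)
        elif key == "microcode" and cpu is not None:
            revs[cpu] = int(value, 16)
    return revs

def os_loaded_revision(dmesg):
    """Return the revision the kernel says it loaded this boot, or None."""
    m = re.search(r"microcode updated early to revision (0x[0-9a-fA-F]+)", dmesg)
    return int(m.group(1), 16) if m else None

def assess(cpuinfo, dmesg):
    """Classify where the running microcode revision came from."""
    revs = set(microcode_revisions(cpuinfo).values())
    if not revs:
        return "unknown: no microcode field found"
    if len(revs) > 1:
        return "mixed: logical CPUs report different revisions"
    if os_loaded_revision(dmesg) is not None:
        # The OS patched the CPU this boot, so the firmware carries an older
        # revision, and any other OS booted on this machine would run that.
        return "os-loaded: update is not in firmware and lasts only this session"
    return "no-os-update: revision came from firmware or the CPU as shipped"

if __name__ == "__main__":
    print(assess(SAMPLE_CPUINFO, SAMPLE_DMESG))
```

On a real system, pass the contents of `/proc/cpuinfo` and the kernel log instead of the samples; an `os-loaded` result on a second-hand machine is the cue to flash the manufacturer's latest firmware so the update no longer depends on the OS.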