guix-devel

Re: Meltdown / Spectre


From: Pjotr Prins
Subject: Re: Meltdown / Spectre
Date: Mon, 15 Jan 2018 09:07:45 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

On Wed, Jan 10, 2018 at 03:04:44PM +0100, Gábor Boskovits wrote:
>    I don't believe that making a microcode update available makes
>    the situation worse. An earlier version is a non-free component
>    of the system anyway.  I believe that it might well be worth
>    providing the possibility to update it.  I think it would be
>    beneficial if we got a signed blob for that, because you
>    implicitly trust, for example, Intel by buying their CPU, so a blob
>    signed by them could also be trusted.  The second thing that
>    comes to my mind is to have a free tool to perform the microcode
>    update, so that we can inspect that nothing else on the system
>    gets modified.  I'm not very much into the microcode update
>    stuff, but I think that, given the two assumptions I mentioned,
>    it would be safe to provide these updates without compromising
>    freedom and security more than what the current situation is.

I agree with you. The fact that we run untrusted hardware hardly gets
improved if we can't fix it ;). GNU Guix, however, by virtue of being
a GNU project is hampered by its free software credentials. We have to
do what people expect from free software.

The only way around this is to provide tooling outside GNU Guix.
Fortunately that is not too hard since microcode is independent
of the rest of the tooling. We could create a channel for this,
something to discuss at FOSDEM. Channels provide a workaround for
purely free software - one reason some of us are reluctant to
introduce them. You can see microcode patches coming for other
hardware too.

Pj.
-- 


