Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
gkbrk 8 days ago

> You can physically do it with a microcode update.

It's also anti-consumer that CPU vendors don't let customers who own the CPU perform whatever updates they want because they don't give out signing keys.

charcircuit 8 days ago | parent [-]

If malware could install microcode it could break the security of the system. There is more consumer benefit than harm by locking it down to trusted updates.

EvanAnderson 8 days ago | parent | next [-]

The security model could allow the end user to install keys for the root of trust for the CPU, much like how UEFI Secure Boot allows you to install your own keys. That CPUs don't have this functionality may not be purposefully anti-consumer (and just laziness), but the net effect is anti-consumer.

As it stands, besides preventing the user from making modifications to CPU functionality, the user is also forced to "trust" updates that might be created for specific anti-consumer purposes (say, compelled by government security services).

cesarb 8 days ago | parent [-]

> As it stands, besides preventing the user from making modifications to CPU functionality, the user is also forced to "trust" updates that might be created for specific anti-consumer purposes (say, compelled by government security services).

That would be less of an issue if the updates were auditable (that is, security researchers could read and study them), even if users weren't able to modify them. Unfortunately, other than some early CPU designs, AFAIK microcode updates are always encrypted. I suspect that their reason is to protect "trade secrets" on details of their CPU design.

g-b-r 8 days ago | parent | prev [-]

Trusted, sure