Reproducibility and microcode updates
Dan Shearer
dan at shearer.org
Tue Jun 22 13:08:48 UTC 2021
On Tue, Jun 22, 2021 at 04:33:00PM +0200, Bernhard M. Wiedemann wrote:
> On 22/06/2021 12.50, Dan Shearer wrote:
> > https://travisdowns.github.io/blog/2021/06/17/rip-zero-opt.html . We
> > capture as much as we can about the build/test environment, but of
> > course not the microcode version :-)
>
> It says it ran on Ubuntu and that has
> https://packages.ubuntu.com/search?suite=default§ion=all&arch=any&keywords=intel-microcode&searchon=names
>
> On openSUSE, the package is called ucode-intel.
>
> So you just need to keep track of what packages are installed in which
> version and that is a smart thing to do anyway.
> The part you miss is which microcode version is running at that point
> and that you could get from
> cat /sys/devices/system/cpu/cpu*/microcode/version
That's useful, thanks!
> I also remember a bug when [...]
In brief, this is where we know that the Trusting Trust paper [1]
remains valid, despite David Wheeler's technique [2]. Because even if we
can build our toolchain from scratch we have no idea about the microcode
or higher-level firmware than the microcode.
Even merely building a toolchain from scratch is a pretty
specialist/obssesive job. I know tcc will build an old version of gcc
(4.7.x , before gcc moved to C++) because I've done it, but I soon got
lost going deeper down. Then I discovered that the bootstrappable
project was doing this, and also mes [3]. So I presume these good folk
will eventually keep recursing down to the firmware, then the microcode,
and finally up the keyboard cable to their own fingernails.
Dan
[1] http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
[2] http://www.dwheeler.com/trusting-trust/dissertation/html/wheeler-trusting-trust-ddc.html
[3] https://gitlab.com/janneke/mes
More information about the rb-general
mailing list