Reproducibility and microcode updates

Dan Shearer dan at
Tue Jun 22 13:08:48 UTC 2021

On Tue, Jun 22, 2021 at 04:33:00PM +0200, Bernhard M. Wiedemann wrote:

> On 22/06/2021 12.50, Dan Shearer wrote:
> > . We
> > capture as much as we can about the build/test environment, but of
> > course not the microcode version :-)
> It says it ran on Ubuntu and that has
> On openSUSE, the package is called ucode-intel.
> So you just need to keep track of what packages are installed in which
> version and that is a smart thing to do anyway.
> The part you miss is which microcode version is running at that point
> and that you could get from
> cat /sys/devices/system/cpu/cpu*/microcode/version

That's useful, thanks!

> I also remember a bug when [...] 

In brief, this is where we know that the Trusting Trust paper [1]
remains valid, despite David Wheeler's technique [2]. Because even if we
can build our toolchain from scratch we have no idea about the microcode
or higher-level firmware than the microcode. 

Even merely building a toolchain from scratch is a pretty
specialist/obssesive job. I know tcc will build an old version of gcc
(4.7.x , before gcc moved to C++) because I've done it, but I soon got
lost going deeper down. Then I discovered that the bootstrappable
project was doing this, and also mes [3]. So I presume these good folk
will eventually keep recursing down to the firmware, then the microcode,
and finally up the keyboard cable to their own fingernails.



More information about the rb-general mailing list