[Code-Crunchers] Fwd: Re: [funsec] Description of the Intel CPU bugs
Gadi Evron
ge at linuxbox.org
Thu Jun 28 10:58:30 CDT 2007
----- Forwarded message from Valdis.Kletnieks at vt.edu -----
To: Larry Seltzer <Larry at larryseltzer.com>
Subject: Re: [funsec] Description of the Intel CPU bugs
From: Valdis.Kletnieks at vt.edu
Date: Thu, 28 Jun 2007 11:45:31 -0400
Cc: funsec at linuxbox.org
On Thu, 28 Jun 2007 11:08:08 EDT, Larry Seltzer said:
> Does this mean that microcode in these CPUs is actually
> field-upgradable? I wonder if Joanna Rutkowska knows about this.
Yes, it's designed as field-upgradable and loadable into the CPU for
the current power-on cycle (in other words, it evaporates at power-off).
Most sane BIOS include an "upload current microcode from ROM into CPU as
part of POST". If your BIOS hasn't been upgraded, you can upload it during
boot (as the Microsoft patch presumably does, and the Linux microcode_ctl
utility does - http://www.urbanmyth.org/microcode/ ).
Yes, flashing your own microcode into the CPU would be the ultimate pwn-the-box,
except (a) you'd still have to arrange for it to get re-flashed at power-on,
and (b) the format is incredibly undocumented, and dependent on the exact
internal design, down to processor family and probably stepping (the current
microcode update from Intel covers 125, yes 125, different CPUs). So unless
you have docs for what bit 57 of a format-7 microcode control word for a T6500
processor does, you will almost certainly just lock the damned thing up and
require a power cycle... ;)
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
----- End forwarded message -----
--
"beepbeep it, i leave work, stop reading sec lists and im still hearing
gadi"
- HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 2007.
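
Added example, not part of the forwarded message and not code from microcode_ctl: because a loaded microcode update only lasts for the current power-on cycle, it is worth checking after each boot which revision every logical CPU actually reports. The sketch parses the `microcode` field that Linux exposes in /proc/cpuinfo on x86. The sample text, its revision values and the `minimum` policy table are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in the layout of x86 Linux /proc/cpuinfo (values are made up).
SAMPLE_CPUINFO = """\
processor : 0
cpu family : 6
model : 15
stepping : 6
microcode : 0xc6

processor : 1
cpu family : 6
model : 15
stepping : 6
microcode : 0xc7
"""

def parse_cpuinfo(text):  # returns one dict of fields per logical CPU
    cpus = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus

def audit_microcode(text, minimum=None):
    """minimum: {(family, model, stepping): lowest acceptable revision}, a hypothetical policy."""
    findings, revs = [], defaultdict(dict)
    for cpu in parse_cpuinfo(text):
        sig = tuple(int(cpu.get(k, -1)) for k in ("cpu family", "model", "stepping"))
        if "microcode" not in cpu:  # kernel reported no revision for this CPU
            findings.append(("no-revision", cpu["processor"], sig))
            continue
        revs[sig][cpu["processor"]] = int(cpu["microcode"], 16)
    for sig, by_cpu in revs.items():
        if len(set(by_cpu.values())) > 1:  # same CPU signature, different loaded revisions
            findings.append(("mixed", sig, dict(by_cpu)))
        floor = (minimum or {}).get(sig)
        for cpu_id, rev in by_cpu.items():
            if floor is not None and rev < floor:
                findings.append(("below-minimum", cpu_id, hex(rev)))
    return findings

if __name__ == "__main__":
    print(audit_microcode(SAMPLE_CPUINFO, {(6, 15, 6): 0xC7}))
```

On a real host, pass the contents of /proc/cpuinfo instead of the sample and key the `minimum` table by the family, model and stepping of the CPUs you run.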