Ariadne Conill 🐰Jun 16, 2024
AMD is the only x86 CPU vendor I will remotely bother with at this point, but folks shouldn't use x86 anyway if they can avoid it: https://www.theverge.com/2024/6/14/24178751/intel-raptor-lake-crash-fix-etvb-not-yet
Intel says it still doesn’t have the true fix for its crashing i9 desktop chips

Despite what you might have seen earlier today, Intel says it doesn’t have a final fix for its 13th and 14th Gen Intel Core i9 “Raptor Lake” and “Raptor Lake S” chips just yet.

The Verge
Show threadAriadne Conill 🐰Jun 16, 2024
and for the love of all things, apply CPU microcode updates on your machines, *especially* with x86, where basically *zero* x86 cores have been taped out in the past 20 years that did not immediately need bugfixing in microcode
Show threadKATastrophEJun 16, 2024
@ariadne and then you have the gnu libre people who remove any microcode blobs, even though there is one running on there cpu anyway... might as well update it to get security fixes
Show threadJulius Schwartzenberg - ЮліусJun 17, 2024

@kate @ariadne if you're only running free software and you have all the sources, the security fixes are not that relevant given one really does curation of all the software they end up running :)

Security fixes would be relevant if you do end up running untrusted code (for instance in a JavaScript sandbox). But then you're letting non-free software in without curation.

I would say the main reason for the microcode updates would be to solve bugs, stability issues for this group.

Show threadKATastrophEJun 17, 2024
@jschwart @ariadne but all open-source software is basically untrusted code, or do you really read through all the billions of lines of code that run on your machine? you might have a feeling of security, but i think it's wrong to think you automatically have security if you only run open-source software (see the xz exploits)
Show threadJulius Schwartzenberg - ЮліусJun 17, 2024
@kate @ariadne I agree with that, but if you consider attack scenarios for a situation where the malicious program would be in something like xz, being part of your system software, then a patched CPU vulnerability would not really save you.
Show threadKATastrophEJun 17, 2024
@jschwart @ariadne that's the point, updating microcode won't hurt you and only close potential security holes. literally no downsides updating something that runs on your cpu already
Show threadJulius Schwartzenberg - ЮліусJun 17, 2024

@kate @ariadne generally yes, if you take a known blob that's already out there for years and known to fix particular issues, then I see no issues.

But some systems make it a habit of blindly fetching and applying each microcode blob that's made available. Such a habit where new blobs are regularly introduced into a system without going through any kind of scrutiny first is not something that should happen for granted I think.
I would feel more comfortable with some control over that.

Show threadKATastrophE
@jschwart @ariadne but you can't really inspect microcode blobs, no? at least i never heard that anyone makes the effort to analyze them and e.g. check what change when a particular bug is fixed
Jun 17, 2024 at 11:48amWeb
Show threadJulius Schwartzenberg - ЮліусJun 17, 2024

@kate @ariadne exactly, this is too difficult or they might even be encrypted. One could analyze them by looking at their behavior, but essentially we don't know what's really happening. Maybe new bugs or performance regressions come along.

While a particular group of attack scenarios may be addressed by an update, if those scenarios are not applicable, there are reasons to stick with a particular version that's already been around for some time over continuously updating.