Re: Reconsidering Debian’s Inclusion of Non-Free Firmware - A Call for Discussion
Matthias Urlichs <matthias@urlichs.de> writes:
> On 08.03.25 15:36, Simon Josefsson wrote:
>> One difference is that you could choose to trust their hardware (CPUs)
>> but don't trust their software (non-free firmware).
>
> True. But so, again, what's the material difference between "the
> firmware is baked into the hardware and cannot be changed" vs. "the
> firmware can be updated"?
>
> Answer: there isn't one. They're both software, except that the vendor
> can choose to fix bugs on the latter.
One plausible argument is that if the vendor is capable of resolving
bugs in writable firmware, it also suggests that a targeted attack is
considerably easier than with hardware, which can presumably be trusted
to remain identical, unless one is a significant target.
However, for the majority of typical users, having the most recent
microcode/firmware is likely a significant advantage for security, even
if it is some non-free binary blob (usually not even using the
user-facing ISA that the user can understand).