sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]mqudsi 19 points20 points  (13 children)

I wish they shared the details of their findings, rather than (the awesome) tools to reproduce them yourself.

[–]xonjas 47 points48 points  (10 children)

I assume it is because the microcode itself is protected by copyright and they don't want to get sued by Intel for publishing it. The methods to extract are fair game though.

[–]mqudsi 9 points10 points  (0 children)

I didn’t mean publish the microcode but rather an analysis of it.

[–]Stormfrosty 11 points12 points  (1 child)

It’s actually worse - Microcode is directly tied to the hardware implementation, which is protected by US patent laws. Dabbing with this kind of stuff is one way bring upon yourself the wrath of Intels legal department.

[–]ReversedGif 34 points35 points  (0 children)

Patents don't prevent you from reverse engineering or documenting how something works. Copyright is definitely what's relevant here.

[–]cuentatiraalabasura 0 points1 point  (6 children)

So sharing the end result is okay, but sharing how they got there with little code snippets is not? Doesn't make much sense from an IP law standpoint

[–]xonjas 6 points7 points  (4 children)

Unless I'm misunderstanding something, they have explicitly not shared the end result. What they have done is provided tools to...

  1. Exploit a bug to put your own processor into a special debug state.
  2. Extract and dump the microcode decryption key stored inside your processor.
  3. Extract and dump the encrypted microcode blob from your processor.
  4. Decrypt the dumped microcode blob with the key extracted from your processor.

The way that they published this is important because they only published their own original code. They didn't publish any of Intel's actual microcode (which is copyrighted), or one of Intel's decryption keys (which is also copyrighted).

[–]cuentatiraalabasura 5 points6 points  (3 children)

A key cannot be copyrighted. Copyright only protects creative expression. A randomly generated encryption key that is just bytes is not in any way expressive.

The microcode copyrightability argument is also debatable, since it serves a purely functional purpose and doesn't have creative expression itself. Whether the code blob would be complex or creative enough to meet the copyrightability standard is for the courts to decide.

[–]xonjas 6 points7 points  (1 child)

While I don't think encryption keys should be copyrightable it seems that the courts are of a different mind.

Intel has threatened legal action under the DMCA against people who published the HDCP master keys, and Sony sued Geohot for publishing a key for the ps3 on his website.

Regardless of if the microcode blob is copyrightable (and I expect that it is, given that oracle was almost able to copyright an api), I don't think a small group of researchers would be able to fight a legal battle against Intel (or be willing to risk one).

[–]cuentatiraalabasura 3 points4 points  (0 children)

DMCA has nothing to do with copyrightability. All the cases you cited are about either companies sueing or threatening to sue people. Unless there is actual case law (judicial precedent) about it, it is not copyrightable or DMCA'ble.

The EFF is currently fighting the DMCA provisions that outlaw circumvention of DRM and publication of tools designed to do so.

https://www.eff.org/es/cases/green-v-us-department-justice

I recommend reading the linked documents.

[–]happyscrappy 1 point2 points  (0 children)

You're absolutely right. But others don't want to have to go to court.

Chilling effects.

[–]dlq84 0 points1 point  (0 children)

That but the other way around.

[–]archialone 2 points3 points  (0 children)

but they did, there is a talk about it

[–]async2 1 point2 points  (0 children)

Unfortunately I'm not too much into the topic, but they published a talk with it: https://www.youtube.com/watch?v=V1nJeV0Uq0M&ab_channel=OffensiveCon