A different threat model
A different threat model
Posted Mar 3, 2026 15:50 UTC (Tue) by tux3 (subscriber, #101245)Parent article: Garrett: To update blobs or not to update blobs
But often my threat model is the opposite, on modern hardware it's like the *user* is the threat in the threat model!
It's not that I expect a state-sponsored attacker to burn a CPU-level backdoor to root my home devices, where I don't have any valuable $WORK stuff or that I'm hiding evil plans to [redacted] the [redacted]. But I still don't like not being the owner of the firmware I run. I don't trust closed firmware not to be a buggy mess in general, alleged backdoors or not.
When my AMD CPU has a vuln that allows a local attacker to load unsigned microcode, I want it patched on my servers, and I absolutely want it unpatched on my homes devices, because maybe I will get to be the threat in the threat model and run my own code on the CPU I bought, someday. If the BIOS has a flaw that lets me patch it with unsigned code, that's wonderful. Maybe someday I will be able to patch open firmware.
I won't upgrade my Sony headphone's firmware, because the airoha vuln might finally let me patch the voices and customize the unused button to stop it auto-connecting to the wrong device every time it boots.
I won't upgrade my console's firmware. Maybe someday someone finds a glitch and I can have my music player, and my ebook reader, and all my little homebrews that I like.
I wish I could glitch my Android phone to bypass verified boot. But that one I update, à contrecœur .
I trust the hardware vendors to not burn expensive backdoors on me, but I don't trust their firmware to do things that are in my best interest, or increasingly that let me run code at all without hardware attestation getting in the way.
Patch your servers. Break your home devices.