Matthias Urlichs <matth...@urlichs.de> writes:

> On 08.03.25 15:36, Simon Josefsson wrote:
>> One difference is that you could choose to trust their hardware (CPUs)
>> but don't trust their software (non-free firmware).
>
> True. But so, again, what's the material difference between "the
> firmware is baked into the hardware and cannot be changed" vs. "the
> firmware can be updated"?
>
> Answer: there isn't one. They're both software, except that the vendor
> can choose to fix bugs on the latter.

One plausible argument is that if the vendor is capable of resolving bugs in writable firmware, it also suggests that a targeted attack is considerably easier than with hardware, which can presumably be trusted to remain identical, unless one is a significant target. However, for the majority of typical users, having the most recent microcode/firmware is likely a significant advantage for security, even if it is some non-free binary blob (usually not even using the user-facing ISA that the user can understand).