So you think you found a hardware issue: from misunderstandings to CVEs

Main Track

Writing correct firmware requires understanding hardware at the lowest possible level. More often than the average programmer, firmware authors discover fundamental problems with the hardware that must be reported to the manufacturer. Even at the best of times, getting these issues resolved can be tedious and frustrating for everyone involved. In the worst cases, communication between reporter and manufacturer breaks down, resulting in denial that a problem exists, obfuscation, and a poor resolution or none at all.

The difficulties in reporting hardware issues stem from many of the same cultural problems as traditional proprietary firmware. Just as with open firmware, the industry needs a better path forward for hardware issues.

This talk will focus on some of Oxide Computer's experiences finding and reporting hardware issues to manufacturers during the course of building our products. We've found several at this point and show no signs of stopping. Special attention will be given to security issues and why reporting to hardware companies may differ from reporting to software companies.

This may seem like a topic outside the themes of open firmware. Yet many of the pain points in reporting issues to hardware manufacturers stem from poorly understood hardware and the assumption that the reference code is "good enough". Open firmware relies on freely available, accurate documentation from hardware vendors in order to write independent implementations. Bug reporting is fundamental to showing vendors the value of open documentation and open reporting over hiding issues behind proprietary blobs.

There will be some discussion of the public disclosure process. Oxide's experience has been that hardware vendors tend to keep things private and ask for more time to get fixes to big customers first. The talk will go over some of the trade-offs involved in acquiescing to such a request from a hardware vendor.