Intel Linux Patch Would Report Outdated CPU Microcode As A Security Vulnerability

Written by Michael Larabel in Intel on 7 November 2024 at 08:39 PM EST. 17 Comments
A patch posted on Thursday by one of Intel's long-time Linux kernel engineers would begin treating outdated Intel CPU microcode as a security vulnerability that would be reported to user-space via the existing sysfs vulnerabilities reporting.

Intel engineer Dave Hansen sent out the "request for comments" patch that would have old Intel microcode be reported as a vulnerability for the system. Hansen explained with the patch cover letter:
"You can't practically run old microcode and consider a system secure these days. So, let's call old microcode what it is: a vulnerability. Expose that vulnerability in a place that folks can find it:

/sys/devices/system/cpu/vulnerabilities/old_microcode

This is obviously imperfect. But it means that a single file can be maintained with a single list of microcode versions and there is no need to track which version fixed a given bug."

The Linux kernel would maintain a list of the latest Intel microcode versions for each CPU family, which is based on the data from the Intel microcode GitHub repository. In turn this list would need to be kept updated with new Linux kernel releases and as Intel pushes out new CPU microcode files.

Old Intel microcode patch reporting


This patch does not prevent Linux users from running outdated Intel CPU microcode or anything along those lines. It simply sets a new X86_BUG_OLD_MICROCODE flag if the microcode loaded on the booted processor is known to be an outdated version. The proposed /sys/devices/system/cpu/vulnerabilities/old_microcode interface will then report "Vulnerable" if the microcode is outdated.
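As an added illustration (not code from the Phoronix article or from Hansen's patch), here is a user-space approximation of the proposed check in Python: it parses the family/model/stepping/microcode fields from /proc/cpuinfo text and compares the running revision against a per-model table of latest known revisions. The table values and the sample cpuinfo text are constructed placeholders, and the "Not affected"/"Unknown" strings are this example's own choices; the kernel patch's real list would come from the Intel microcode repository.

```python
# Key: (family, model, stepping) -> latest known microcode revision.
# CONSTRUCTED placeholder values; a real table would be generated from
# the Intel microcode repository, as the kernel patch proposes.
LATEST_MICROCODE = {
    (6, 0x8E, 0xC): 0xF8,
    (6, 0x55, 0x7): 0x5003605,
}

def parse_cpuinfo(text):
    """One dict per 'processor' block, with only the fields the check needs."""
    cpus = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "cpu family" not in fields:
            continue  # not an x86 processor block; skip it
        cpus.append({
            "family": int(fields["cpu family"]),
            "model": int(fields["model"]),
            "stepping": int(fields["stepping"]),
            "microcode": int(fields["microcode"], 16),  # kernel prints hex
        })
    return cpus

def old_microcode_status(cpu, table=LATEST_MICROCODE):
    """Mimic the proposed sysfs file: "Vulnerable" when the running revision
    is below the latest known one. "Not affected" and "Unknown" are this
    example's own choices for the other cases, not the patch's wording."""
    latest = table.get((cpu["family"], cpu["model"], cpu["stepping"]))
    if latest is None:
        return "Unknown"
    return "Vulnerable" if cpu["microcode"] < latest else "Not affected"

# Constructed /proc/cpuinfo excerpt (not captured from a real host).
SAMPLE_CPUINFO = """\
processor\t: 0
cpu family\t: 6
model\t\t: 142
stepping\t: 12
microcode\t: 0xf0

processor\t: 1
cpu family\t: 6
model\t\t: 85
stepping\t: 7
microcode\t: 0x5003605
"""
```

Run `old_microcode_status()` over `parse_cpuinfo(open("/proc/cpuinfo").read())` on a real host to get the same per-CPU verdict, provided the table is populated with real revisions.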

This addition seems straightforward and logical given that new CPU microcode updates are required either to fix security issues outright or in tandem with updated kernel code to enable new mitigations. At the same time it's surprising this reporting wasn't added years ago - though perhaps it is now an acknowledgement that this is going to be a never-ending game. We'll see if it gets picked up by the mainline Linux kernel, and whether it ends up being adapted for AMD CPU microcode reporting as well.