Looking At The New "Critical" Security Firmware Update Hitting Systems - Delivers New Intel Microcode
Earlier this week the Linux Vendor Firmware Service (LVFS) began surging with activity as vendors uploaded many new system firmware files for what appears to be a "high severity upcoming security issue" that remains undisclosed. The issue hasn't been made public yet, but after poking around, the common thread is that these updates deliver new Intel CPU microcode.
After that earlier article, Red Hat's Richard Hughes, the lead LVFS/fwupd developer, commented that they shipped more than 156,000 firmware updates to end users in a single day. The day after, they were still at around twice their usual volume. For hardware with LVFS firmware update support it's been a busy week, but that covers only a small portion of the hardware out there.
As a summary, *yesterday* we shipped over 156,000 firmware updates to end users. Today it's less than yesterday, but still x2 normal.
— Richard Hughes (@hughsient) January 19, 2022
No formal announcement has yet been made about this security issue, but with a Dell XPS 13 9380 on hand, one of the many systems that has seen firmware updates in recent days, I decided to run some comparisons. The XPS 13 9380 firmware page notes that its new v00.1.17.0 release is indeed to "address security vulnerabilities" but offers no other public information. I compared the prior v00.1.16.1 update from November with this new v00.1.17.0 release on the same 9380 laptop.
After upgrading the system firmware, the most obvious difference is a new Intel CPU microcode revision for the Core i7-8565U "Whiskey Lake" processor in use. The CPU microcode was previously at revision 0xea, but this brand new system firmware now loads revision 0xec.
Meanwhile Intel's Linux processor microcode GitHub repository of all their released binaries continues to list 0xea as the most recent microcode version available for Whiskey Lake (WHL-U). Thus it would appear that this new security vulnerability is indeed related to Intel CPUs, given the new 0xec microcode being shipped. (Intel's security center meanwhile has no new listings since November aside from an Apache Log4j entry.)
But Whiskey Lake is several generations old... Among the flurry of system firmware updates this week was also one for the Dell XPS 9310, a latest-generation Tiger Lake notebook. With that also on hand, I did a similar test there... The XPS 9310 firmware update pushed out last week likewise notes that it addresses "security vulnerabilities". Going from the prior release (v3.3) to the new firmware (v3.4) also means bumping the Intel CPU microcode on the Core i7 Tiger Lake.
The Tiger Lake microcode on the 9310 with the transition to this security firmware update went from 0x88 to 0x9a. The Intel Linux CPU microcode repository meanwhile lists 0x88 as the latest available.
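Checking which microcode revision the kernel actually loaded is the quickest way to confirm a firmware update like these took effect. The script below is an added example, not code from the article or from Dell/Intel: it parses the `microcode` field the kernel prints in /proc/cpuinfo (the same value is also exposed at /sys/devices/system/cpu/cpu0/microcode/version) and compares it against an expected minimum revision. The /proc/cpuinfo excerpt is constructed so the script runs offline; the 0xea and 0xec revisions are the Whiskey Lake values reported above, and on a live system you would pass /proc/cpuinfo instead of the temporary file.

```shell
#!/bin/sh
# Added example: verify the running Intel microcode revision after a
# system firmware update.  Not part of the original article.

# Constructed /proc/cpuinfo excerpt modelled on a Whiskey Lake i7-8565U
# still running the older 0xea microcode (sample data, not captured output).
SAMPLE_CPUINFO='processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 142
model name      : Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz
stepping        : 12
microcode       : 0xea
processor       : 1
microcode       : 0xea
'

# microcode_revision FILE
#   Print the microcode revision (e.g. 0xea) of the first CPU listed in a
#   /proc/cpuinfo-formatted file.  Every core normally reports the same value.
microcode_revision() {
    awk -F': *' '/^microcode/ { print $2; exit }' "$1"
}

# revision_at_least CURRENT EXPECTED
#   Succeed when CURRENT >= EXPECTED, comparing the hex revisions numerically
#   rather than as strings (so 0x9a < 0xea is handled correctly).
revision_at_least() {
    [ "$(( $1 ))" -ge "$(( $2 ))" ]
}

# check_cpuinfo FILE EXPECTED
#   Report whether the loaded microcode meets the expected minimum revision.
#   Returns 0 when up to date, 1 when the system still runs older microcode.
check_cpuinfo() {
    rev=$(microcode_revision "$1")
    if [ -z "$rev" ]; then
        echo "error: no microcode field found in $1"
        return 1
    fi
    if revision_at_least "$rev" "$2"; then
        echo "ok: running microcode $rev (expected >= $2)"
        return 0
    fi
    echo "outdated: running microcode $rev (expected >= $2)"
    return 1
}

# Stand-alone run against the constructed sample: expects the post-update
# revision 0xec, so the sample's 0xea is reported as outdated.
tmp=$(mktemp)
printf '%s' "$SAMPLE_CPUINFO" > "$tmp"
check_cpuinfo "$tmp" 0xec || true
rm -f "$tmp"
```

On a real machine, `check_cpuinfo /proc/cpuinfo 0xec` after rebooting into the new firmware is the confirmation step; if the revision has not moved, the firmware image may not have included new microcode for that CPU stepping, or the kernel's early microcode loader may have applied a different (possibly newer) blob from the distribution's intel-microcode package, which is worth checking in `dmesg | grep microcode`.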
So this flurry of system firmware updates over the past week does seem to point to shipping new Intel CPU microcode, plus whatever other changes may be included as part of the update, which is unknown due to the incomplete change-logs and binary-only firmware files. In any event these firmware updates span at least several generations of Intel CPUs and carry newer microcode than what is otherwise publicly available. These system firmware updates via the Linux Vendor Firmware Service have been marked as "critical".
Good news? Whatever security issue(s) are being addressed, they don't seem to have much of an impact on performance, at least from my very initial testing on both the Whiskey Lake and Tiger Lake hardware... With no details available, I just ran some of the usual benchmarks that have in the past been impaired by other CPU security mitigations, along with other common workloads. At least in the limited selection of tests so far, I am not seeing any measurable difference between the system firmware / microcode versions. Once the security details become public and microcode updates are available for desktop CPUs (rather than the Dell XPS units, which can be quick to throttle under intense load), it will be easier to make definitive statements about performance... But as of writing, whatever the new security issue is, it doesn't seem to have any broad performance impact.
Also, this isn't any Linux-specific vulnerability. Dell, for example, has also posted new Windows firmware binaries for the same systems around the same dates, likewise marked as "urgent" updates.
Presumably more information will come to light on February's Patch Tuesday unless it ends up being an out-of-band disclosure. Stay tuned and be sure to run fwupdmgr update if your system supports firmware updates via LVFS... or, if you are on Microsoft Windows, use your preferred means of updating system firmware.