
Intel Linux Patch Would Report Outdated CPU Microcode As A Security Vulnerability



A patch posted on Thursday by one of Intel's long-time Linux kernel engineers would begin treating outdated Intel CPU microcode as a security vulnerability that would be reported to user-space via the existing sysfs vulnerabilities reporting.

Intel engineer Dave Hansen sent out the "request for comments" patch that would have old Intel microcode reported as a vulnerability for the system. Hansen explained in the patch cover letter [1]:

"You can't practically run old microcode and consider a system secure these days. So, let's call old microcode what it is: a vulnerability. Expose that vulnerability in a place that folks can find it:

/sys/devices/system/cpu/vulnerabilities/old_microcode

This is obviously imperfect. But it means that a single file can be maintained with a single list of microcode versions and there is no need to track which version fixed a given bug."

The Linux kernel would maintain a list of the latest Intel microcode versions for each CPU family, which is based on the data from the Intel microcode GitHub repository. In turn this list would need to be kept updated with new Linux kernel releases and as Intel pushes out new CPU microcode files.

This patch does not prevent Linux users from running outdated Intel CPU microcode or anything along those lines. It's simply about reporting a new X86_BUG_OLD_MICROCODE flag if the CPU microcode for the booted processor is known to be an outdated version. The proposed /sys/devices/system/cpu/vulnerabilities/old_microcode interface will read "Vulnerable" if the microcode is outdated.
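One way a monitoring script could consume this interface, written as an added example that is not part of the patch or of the original article. The function names are hypothetical, and the "Not affected" state is an assumption borrowed from the wording of the other files in the same sysfs directory.

```shell
#!/bin/sh
# Added example, not code from the patch or the kernel tree.
SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# State of the proposed old_microcode entry in directory $1:
#   unsupported  - file absent (kernel without the proposed patch)
#   vulnerable   - file reads "Vulnerable", as the article describes
#   ok           - file reads "Not affected" (assumption: same wording as
#                  the other files in this directory; the page does not say)
#   other:<text> - anything else, passed through for a human to read
old_microcode_status() {
    f="${1:-$SYSFS_VULN_DIR}/old_microcode"
    if [ ! -r "$f" ]; then
        echo unsupported
        return 0
    fi
    state=
    IFS= read -r state < "$f" || true   # tolerate a missing trailing newline
    case "$state" in
        Vulnerable*)     echo vulnerable ;;
        "Not affected"*) echo ok ;;
        *)               echo "other:$state" ;;
    esac
}

# Names of all entries in directory $1 whose state begins with "Vulnerable",
# one per line; prints nothing when no entry is in that state.
vulnerable_entries() {
    for f in "${1:-$SYSFS_VULN_DIR}"/*; do
        [ -f "$f" ] || continue         # also skips an unmatched glob
        state=
        IFS= read -r state < "$f" || true
        case "$state" in
            Vulnerable*) echo "${f##*/}" ;;
        esac
    done
}

# Demo on a constructed directory (sample strings, not captured output).
demo=$(mktemp -d)
printf 'Vulnerable\n' > "$demo/old_microcode"
printf 'Mitigation: Retpolines\n' > "$demo/spectre_v2"
echo "constructed: old_microcode=$(old_microcode_status "$demo")"
vulnerable_entries "$demo"
rm -rf "$demo"

# The same checks against the running kernel.
echo "live: old_microcode=$(old_microcode_status)"
vulnerable_entries
```

Treating `unsupported` separately from `ok` matters for fleet reporting: a kernel without the patch has no opinion on the microcode revision, so the absence of the file is not evidence that the microcode is current.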

This addition seems straightforward and logical given that new CPU microcode updates are required either for fixing security issues outright or in tandem with updated kernel code for enabling new mitigations. But at the same time it's surprising this reporting wasn't added years ago, though perhaps it is now an acknowledgment that this is going to be a never-ending game. We'll see if it gets picked up by the mainline Linux kernel and whether it ends up being adapted for AMD CPU microcode reporting.



[1] https://lore.kernel.org/lkml/20241107170630.2A92B8D3@davehans-spike.ostc.intel.com/


