Re: [RFC][PATCH] x86/cpu/bugs: Consider having old Intel microcode to be a vulnerability
From: Alex Murray
Date: Tue Nov 12 2024 - 01:37:56 EST
>
> == Microcode Revision Discussion ==
>
> The microcode versions in the table were generated from the Intel
> microcode git repo:
>
> 29f82f7429c ("microcode-20241029 Release")
This upstream microcode release only contained an update for a
functional issue[1] - not any fixes for security issues. So it would not
really be correct to say a machine running the previous microcode
revision is vulnerable. As such, should the table of microcode revisions
only be generated from the upstream microcode releases that contain
fixes for security issues?
ie.
> +{ .flags = X86_CPU_ID_FLAG_ENTRY_VALID, .vendor = X86_VENDOR_INTEL, .family = 0x6, .model = 0xb7, .steppings = 0x0002, .driver_data = 0x12b }
should ideally be:
> +{ .flags = X86_CPU_ID_FLAG_ENTRY_VALID, .vendor = X86_VENDOR_INTEL, .family = 0x6, .model = 0xb7, .steppings = 0x0002, .driver_data = 0x129 }
to correspond with the previous microcode release that contained actual
security fixes.
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241029