Re: [RFC][PATCH] x86/cpu/bugs: Consider having old Intel microcode to be a vulnerability

From: Dave Hansen
Date: Tue Nov 12 2024 - 12:18:30 EST


On 11/8/24 15:36, Andrew Cooper wrote:
>> You can't practically run old microcode and consider a system secure
>> these days. So, let's call old microcode what it is: a vulnerability.
>
> The list becomes stale 4 times a year, so you need to identify when it's
> out of date, and whatever that something is has to be strong enough to
> cause distros to backport too.  Perhaps a date in the header, so you can
> at least report "status vulnerable, metadata out of date".

I don't want to get too fancy about this. I'm assuming that mainline
and the stable kernels will be regularly fed new metadata. The only way
to have out-of-date metadata should be by running an out-of-date kernel
in which case you have bigger problems on your hands.

> Also, you want to identify EOL CPUs.  Just because they're on the most
> recent published ucode doesn't mean they're not vulnerable.

That's a good idea too. But I think it deserves a separate discussion
and separate patch.

> Under some hypervisors, you get fed the revision 0x7fffffff.  Others
> might tell you the truth, or it may be the truth from when you booted. 
> For this, probably best to say "consult your hypervisor".

Good point. We should probably just say "unknown" when running as a
guest, or just not have the sysfs file at all.

> Failure to publish information, or not publishing fixes for in-support
> parts should be considered a vulnerability.  (*ahem*, AMD)
>
> Or you could just simplify the whole path to "yes".  It's true, even if
> people don't know.

This series answers the question:

Has the vendor published a newer OS-loadable microcode than you
are running right now?

It doesn't seek to answer the question:

Is the microcode that you are running right now vulnerable to
anything (that the kernel knows about)?

I think the first question is quite answerable in a pretty factual way.
The second question is much hardware. It's worth answering for sure ...
with another patch. :)