A patch posted on Thursday by one of Intel’s long-time Linux kernel engineers would begin treating outdated Intel CPU microcode as a security vulnerability that would be reported to user-space via the existing sysfs vulnerabilities reporting.
Intel engineer Dave Hansen sent out the “request for comments” patch that would have old Intel microcode be reported as a vulnerability for the system. Hansen explained with the patch cover letter:
“You can’t practically run old microcode and consider a system secure these days. So, let’s call old microcode what it is: a vulnerability. Expose that vulnerability in a place that folks can find it:
/sys/devices/system/cpu/vulnerabilities/old_microcode
This is obviously imperfect. But it means that a single file can be maintained with a single list of microcode versions and there is no need to track which version fixed a given bug.”
The Linux kernel would maintain a list of the latest Intel microcode versions for each CPU family, which is based on the data from the Intel microcode GitHub repository. In turn this list would need to be kept updated with new Linux kernel releases and as Intel pushes out new CPU microcode files.
This patch does not prevent Linux users from running outdated Intel CPU microcode or anything along those lines. It’s simply about setting a new X86_BUG_OLD_MICROCODE flag if the microcode loaded on the booted processor is known to be an outdated version. The proposed /sys/devices/system/cpu/vulnerabilities/old_microcode interface would then read “Vulnerable” when the microcode is outdated.
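As an added example (not code from the patch or the kernel), the following Python script shows the same kind of check from user-space: it prefers the kernel's own verdict from the proposed sysfs file when that file exists, and otherwise parses /proc/cpuinfo and compares each logical CPU's loaded microcode revision against a minimum-revision table keyed by family/model/stepping. The table contents, the sample /proc/cpuinfo text and the exact lookup key are constructed placeholders for the demonstration; the real list is the one the patch would carry, derived from Intel's microcode repository, and "Not affected" / "Unknown" are assumed to follow the usual vocabulary of the sysfs vulnerabilities files.

```python
# Added example: user-space check for outdated Intel microcode, mirroring the
# idea of the proposed old_microcode sysfs entry. Not part of the kernel patch.

SYSFS_PATH = "/sys/devices/system/cpu/vulnerabilities/old_microcode"

# Constructed sample of /proc/cpuinfo (only the fields this check needs).
# CPU 0 runs an older revision than CPU 1 to show the worst-case aggregation.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 142
stepping\t: 10
microcode\t: 0x20

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 142
stepping\t: 10
microcode\t: 0x30
"""

# Placeholder table: (family, model, stepping) -> minimum acceptable microcode
# revision. These numbers are made up for the demo; a real deployment would
# take them from the kernel's list / Intel's microcode repository.
LATEST_MICROCODE = {
    (6, 142, 10): 0x30,
    (6, 158, 13): 0x10,
}


def read_sysfs_status(path=SYSFS_PATH):
    """Return the kernel's own verdict if a kernel with the patch is running, else None."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict of fields per logical CPU."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line separates processors
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def microcode_status(cpu, table=LATEST_MICROCODE):
    """Classify one CPU as 'Vulnerable', 'Not affected' or 'Unknown'."""
    if cpu.get("vendor_id") != "GenuineIntel":
        return "Unknown"              # the patch covers Intel only
    sig = (int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
    running = int(cpu["microcode"], 16)   # /proc/cpuinfo prints the revision in hex
    latest = table.get(sig)
    if latest is None:
        return "Unknown"              # no entry for this part: cannot judge
    return "Vulnerable" if running < latest else "Not affected"


def check_system(text=SAMPLE_CPUINFO, table=LATEST_MICROCODE):
    """Report the worst status across all logical CPUs: one stale core is enough."""
    statuses = {microcode_status(c, table) for c in parse_cpuinfo(text)}
    for worst in ("Vulnerable", "Unknown", "Not affected"):
        if worst in statuses:
            return worst
    return "Unknown"


if __name__ == "__main__":
    verdict = read_sysfs_status()
    if verdict is None:               # fall back to our own comparison
        with open("/proc/cpuinfo") as f:
            verdict = check_system(f.read())
    print("old_microcode:", verdict)
```

The per-CPU loop matters in practice: on a system where a late microcode load only reached some cores, or with mixed steppings, a single "latest" number for the box would hide the stale core, so the script reports the worst status it finds.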
This addition seems straightforward and logical given that new CPU microcode updates are required either for fixing security issues outright or in tandem with updated kernel code for enabling new mitigations. But at the same time it’s surprising this reporting wasn’t added years ago – though perhaps it is an acknowledgement that this is going to be a never-ending game. We’ll see if it gets picked up by the mainline Linux kernel as well as if it ends up being adapted for AMD CPU microcode reporting.