Welcome to Friendica.Eskimo.Com

Home of Censorship Free Hosting

E-mail, Web Hosting, Linux Shell Accounts terminal or full remote desktops.

captainkangaroo via Linux

6 months ago

captainkangaroo
6 months ago

Intel Linux Patch Would Report Outdated CPU Microcode As A Security Vulnerability

A patch posted on Thursday by one of Intel's long-time Linux kernel engineers would begin treating outdated Intel CPU microcode as a security vulnerability that would be reported to user-space via the existing sysfs vulnerabilities reporting.

^{www.phoronix.com}

in reply to captainkangaroo

Nanook

in reply to captainkangaroo 6 months ago

Microcode would not be a concern with that particular CPU.

Linux reshared this.

in reply to captainkangaroo

ryannathans

in reply to captainkangaroo 6 months ago

How does it know if the microcode is outdated?

in reply to ryannathans

@ryannathans @captainkangaroo I'm going to make the wild assumption that the kernel will have a table of the current microcode versions at the time of it's release, but I doubt that
will get updated except by kernel upgrades.

Linux reshared this.

in reply to Nanook

Strit

in reply to Nanook 6 months ago

There's probably an efivar that reads the current microcode version.

in reply to Nanook

DaPorkchop_

in reply to Nanook 6 months ago

Debian-based distros (and probably most othera as well) actually have a package called "intel-microcode" which gets updated fairly regularly.

in reply to DaPorkchop_

Nanook

in reply to DaPorkchop_ 6 months ago

@DaPorkchop_ Oddly, if you build your own kernel and remove the system provided one, the package gets automatically removed as well which is weird, because it is really still needed regardless.

Linux reshared this.

in reply to Nanook

ryannathans

in reply to Nanook 6 months ago

If that's the case, why wouldn't they put the microcode in the kernel?

in reply to ryannathans

Nanook

in reply to ryannathans 6 months ago

@ryannathans Why bloat the kernel with the microcode for every intel processor that might need it (and there is a similar thing for AMD) when you don't have that specific processor? It does make more sense for it to be a separate, especially on memory constrained systems. I mean if you've got 256GB of RAM probably not a big deal but if you've got 256MB a big deal.

Linux reshared this.

in reply to Nanook

ryannathans

in reply to Nanook 6 months ago

The kernel compilation is already configurable between megabytes and gigabyte+

Distros pick their featureset

This entry was edited (6 months ago)

Unknown parent

Cousin Mose

Unknown parent 6 months ago

I mean, it’s still good to know if you’re vulnerable right (for sake of discussion)?

This entry was edited (6 months ago)

Unknown parent

Nanook

Unknown parent 6 months ago

@GolfNovemberUniform @captainkangaroo Yes and Linux includes software to do this.

Linux reshared this.

Unknown parent

IrritableOcelot

Unknown parent 6 months ago

The article does specify that it would report if the newest version of the firmware for the CPU family is not installed, so it doesn't seem like this is that particular kind of BS.

Unknown parent

stuner

Unknown parent 6 months ago

It sounds like the criterion is "is newer microcode available". So it doesn't look like a marketing strategy to sell new CPUs.

in reply to captainkangaroo

ouch

in reply to captainkangaroo 6 months ago

The Linux kernel would maintain a list of the latest Intel microcode versions for each CPU family, which is based on the data from the Intel microcode GitHub repository. In turn this list would need to be kept updated with new Linux kernel releases and as Intel pushes out new CPU microcode files.

Sounds like that would be outdated for everyone without a rolling distro.

in reply to ouch

Atemu

in reply to ouch 6 months ago

Stable distros can and will backport security fixes. Good ones that is.

in reply to ouch

AndrewZabar

in reply to ouch 6 months ago

Yeah, methinks this will be one of those alerts pretty much everyone will be like "yeah, yeah, I know" and click to silence those notifications.

in reply to ouch

trolololol

in reply to ouch 6 months ago

Sounds like a user space application, there's no place for this in the kernel. So would you need to upgrade kennel and reboot to update the list? Nonsense.

This entry was edited (6 months ago)