Processors
Intel® Processors, Tools, and Utilities
14536 Discussions

Does an OS patch apply permanent update to processor against Zombieload and associated flaws?

sygibson
Beginner
‎05-15-2019 01:03 AM
2,110 Views

Hello - I'm not entirely sure how the microcode update process for an Intel processor works. My question is essentially:

 

  • I boot a machine in to an OS with a patched/updated Microcode update for the Zombieload attacks
  • then; if I reboot the machine in to another OS , is the Microcode update now "permanenly" updated to the Processor(s)

 

I'm not sure if the OS has to boot and load the patched kernel "all the time" for the update to be effective.

 

The reason I ask - I have a provisioning automation tool that boots the machine in to an in-memory live boot management OS (based on CentOS 7.6 linux) via PXE. If that management OS is running the patched version of the Kernel kernel-3.10.0-957.12.2.el7.x86_64, when I subsequently reboot the machine in to its installed operating system (which may or may not contain a directly patched update), is the system fully patched at this point.

 

Currently, the Linux Kernel release hasn't "rolled downhill" from RHEL to the CentOS team, but I expect that should happen soon.

 

Thank you.

~~shane

 

 

0 Kudos

Link Copied

3 Replies
n_scott_pearson
Super User
‎05-15-2019 01:22 AM
1,152 Views

No, nothing is stored permanently. The microcode is updated on each BIOS POST (if contained within the BIOS) and/or each boot cycle (if microcode load is supported by the O/S).

...S

0 Kudos
Copy link
sygibson
Beginner
‎05-15-2019 01:25 AM
1,152 Views
In response to n_scott_pearson

Got it - makes sense. Does Intel have any released tooling to update the microcode directly via Linux based environment - as opposed to in-kernel ?

 

I have been digging around to find the answer to that on the Intel site, but have not been able to determine a clean path that isn't dependent on the OS microcode update mechanism.

 

Thank you for the fast reply.

~~shane

 

In response to n_scott_pearson
0 Kudos
Copy link
n_scott_pearson
Super User
‎05-15-2019 01:46 AM
1,152 Views

No - and that's on purpose; you want the microcode update applied before any malicious code has an opportunity to run. The best place for this to happen is in the BIOS, as this has best chance of ensuring that no malicious code has this opportunity. As we know, however, the scumbag OEMs and ODMs refused to keep updating the BIOS for new microcode (they simply don't care about security; yet people continue to buy their products; I don't get it). The next best (but still not optimal, IMHO) place to do this is within the O/S Kernel, so that it is done as early as possible in the O/S initialization process. Linux has had this capability for a few years. Intel and Microsoft added support to Windows 10 just last year (after the scum pushed back on the microcode updates for Spectre).

...S

0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.