Processors
Processors (Intel® Core™, Intel® Xeon®, etc); processor utilities and programs (Intel® Processor Identification Utility, Intel® Extreme Tuning Utility, Intel® Easy Streaming Wizard, etc.)
Announcements
This community is designed for sharing of public information. Please do not share Intel or third-party confidential information here.
12349 Discussions

Does an OS patch apply permanent update to processor against Zombieload and associated flaws?

sygibson
Beginner
1,156 Views

Hello - I'm not entirely sure how the microcode update process for an Intel processor works. My question is essentially:

 

  • I boot a machine in to an OS with a patched/updated Microcode update for the Zombieload attacks
  • then; if I reboot the machine in to another OS , is the Microcode update now "permanenly" updated to the Processor(s)

 

I'm not sure if the OS has to boot and load the patched kernel "all the time" for the update to be effective.

 

The reason I ask - I have a provisioning automation tool that boots the machine in to an in-memory live boot management OS (based on CentOS 7.6 linux) via PXE. If that management OS is running the patched version of the Kernel kernel-3.10.0-957.12.2.el7.x86_64, when I subsequently reboot the machine in to its installed operating system (which may or may not contain a directly patched update), is the system fully patched at this point.

 

Currently, the Linux Kernel release hasn't "rolled downhill" from RHEL to the CentOS team, but I expect that should happen soon.

 

Thank you.

~~shane

 

 

0 Kudos
3 Replies
n_scott_pearson
Super User Retired Employee
198 Views

No, nothing is stored permanently. The microcode is updated on each BIOS POST (if contained within the BIOS) and/or each boot cycle (if microcode load is supported by the O/S).

...S

sygibson
Beginner
198 Views

Got it - makes sense. Does Intel have any released tooling to update the microcode directly via Linux based environment - as opposed to in-kernel ?

 

I have been digging around to find the answer to that on the Intel site, but have not been able to determine a clean path that isn't dependent on the OS microcode update mechanism.

 

Thank you for the fast reply.

~~shane

 

n_scott_pearson
Super User Retired Employee
198 Views

No - and that's on purpose; you want the microcode update applied before any malicious code has an opportunity to run. The best place for this to happen is in the BIOS, as this has best chance of ensuring that no malicious code has this opportunity. As we know, however, the scumbag OEMs and ODMs refused to keep updating the BIOS for new microcode (they simply don't care about security; yet people continue to buy their products; I don't get it). The next best (but still not optimal, IMHO) place to do this is within the O/S Kernel, so that it is done as early as possible in the O/S initialization process. Linux has had this capability for a few years. Intel and Microsoft added support to Windows 10 just last year (after the scum pushed back on the microcode updates for Spectre).

...S

Reply