sygibson
Beginner

Does an OS patch apply permanent update to processor against Zombieload and associated flaws?

Hello - I'm not entirely sure how the microcode update process for an Intel processor works. My question is essentially:

  • I boot a machine into an OS with a patched/updated microcode update for the Zombieload attacks
  • then, if I reboot the machine into another OS, is the microcode update now "permanently" updated to the processor(s)?

I'm not sure if the OS has to boot and load the patched kernel "all the time" for the update to be effective.

The reason I ask - I have a provisioning automation tool that boots the machine into an in-memory live boot management OS (based on CentOS 7.6 Linux) via PXE. If that management OS is running the patched version of the kernel, kernel-3.10.0-957.12.2.el7.x86_64, when I subsequently reboot the machine into its installed operating system (which may or may not contain a directly patched update), is the system fully patched at this point?

Currently, the Linux kernel release hasn't "rolled downhill" from RHEL to the CentOS team, but I expect that should happen soon.

 

Thank you.

~~shane

3 Replies
n_scott_pearson
Super User Retired Employee

No, nothing is stored permanently. The microcode is updated on each BIOS POST (if contained within the BIOS) and/or each boot cycle (if microcode load is supported by the O/S).

...S

sygibson
Beginner

Got it - makes sense. Does Intel have any released tooling to update the microcode directly via a Linux-based environment, as opposed to in-kernel?

I have been digging around to find the answer to that on the Intel site, but have not been able to determine a clean path that isn't dependent on the OS microcode update mechanism.


Thank you for the fast reply.

~~shane


n_scott_pearson
Super User Retired Employee

No - and that's on purpose; you want the microcode update applied before any malicious code has an opportunity to run. The best place for this to happen is in the BIOS, as this has the best chance of ensuring that no malicious code has this opportunity. As we know, however, the scumbag OEMs and ODMs refused to keep updating the BIOS for new microcode (they simply don't care about security; yet people continue to buy their products; I don't get it). The next best (but still not optimal, IMHO) place to do this is within the O/S kernel, so that it is done as early as possible in the O/S initialization process. Linux has had this capability for a few years. Intel and Microsoft added support to Windows 10 just last year (after the scum pushed back on the microcode updates for Spectre).

...S

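Because, as the replies above explain, the microcode update lives only in the running CPU and is re-applied on every boot (by the BIOS and/or by the kernel), the practical check is to ask the OS that is actually running whether *this* boot applied it. The following shell script is an added example, not code from this thread, from Intel, or from Red Hat/CentOS: it reads the microcode revision from /proc/cpuinfo, classifies the kernel's microcode log line from dmesg as an early (initramfs) or late load, and interprets the kernel's MDS status file under /sys/devices/system/cpu/vulnerabilities. The sample inputs embedded in it are constructed; the dmesg message texts it matches are the ones printed by 3.x/4.x kernels (including the el7 kernel named in the question) and newer kernels word them differently, so treat the revision and the sysfs line as the authoritative signals.

```shell
#!/bin/sh
# Added example (not from the Intel Community thread above): confirm on the
# Linux system that is actually running that the MDS/ZombieLoad microcode
# was applied on this boot. Nothing persists in the CPU, so the check has
# to be repeated in every OS the machine boots into (e.g. the installed OS,
# not only the PXE-booted management OS).

# Print the microcode revision of the first logical CPU from /proc/cpuinfo
# formatted text on stdin (the "microcode" field is reported per CPU).
microcode_rev() {
    awk -F': *' '/^microcode/ { print $2; exit }'
}

# Classify how the kernel loaded microcode, from dmesg text on stdin:
#   early - applied from the initramfs before user space ran (preferred)
#   late  - applied later by the microcode driver (e.g. a manual reload)
#   none  - no matching message; on kernels newer than 4.x the wording
#           differs, so "none" means "unknown", not "no update"
microcode_load_stage() {
    log=$(cat)
    case "$log" in
        *"microcode updated early to revision"*) echo early ;;
        *"microcode: updated to revision"*)      echo late ;;
        *)                                       echo none ;;
    esac
}

# Interpret /sys/devices/system/cpu/vulnerabilities/mds (its one line on stdin).
# "no microcode" means the kernel's mitigation code is present but the CPU
# still lacks the MD_CLEAR microcode, so the system is NOT protected.
mds_state() {
    line=$(cat)
    case "$line" in
        *"no microcode"*) echo needs-microcode ;;
        "Not affected"*)  echo not-affected ;;
        "Mitigation:"*)   echo mitigated ;;
        *)                echo vulnerable ;;
    esac
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
microcode : 0xb4
processor : 1
vendor_id : GenuineIntel
microcode : 0xb4'
SAMPLE_DMESG_EARLY='[    0.000000] microcode: microcode updated early to revision 0xb4, date = 2019-04-01
[    0.123456] microcode: sig=0x506e3, pf=0x2, revision=0xb4'
SAMPLE_MDS_OK='Mitigation: Clear CPU buffers; SMT vulnerable'
SAMPLE_MDS_NO_UCODE='Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable'

# Report for the live system; harmless where the files are absent.
report_live() {
    [ -r /proc/cpuinfo ] || { echo "no /proc/cpuinfo on this system"; return 0; }
    echo "microcode revision: $(microcode_rev < /proc/cpuinfo)"
    echo "load stage:         $( (dmesg 2>/dev/null || true) | microcode_load_stage)"
    if [ -r /sys/devices/system/cpu/vulnerabilities/mds ]; then
        echo "mds status:         $(mds_state < /sys/devices/system/cpu/vulnerabilities/mds)"
    else
        echo "mds status:         kernel does not report it (no sysfs mds file)"
    fi
}

if [ "${1:-}" = "--live" ]; then
    report_live
else
    printf '%s\n' "$SAMPLE_CPUINFO"      | microcode_rev         # 0xb4
    printf '%s\n' "$SAMPLE_DMESG_EARLY"  | microcode_load_stage  # early
    printf '%s\n' "$SAMPLE_MDS_OK"       | mds_state             # mitigated
    printf '%s\n' "$SAMPLE_MDS_NO_UCODE" | mds_state             # needs-microcode
fi
```

Run it as `sh check-microcode.sh --live` inside the installed OS after the reboot, not only inside the management OS. The state the question worries about shows up as `needs-microcode`: the kernel has the MDS mitigation code but no BIOS and no initramfs supplied the microcode on this boot, so the patched management OS boot earlier made no difference. An `early` load stage with a revision matching what the microcode package ships is the outcome the replies describe as the best an OS can do.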