Hello - I'm not entirely sure how the microcode update process for an Intel processor works. My question is essentially:
I'm not sure if the OS has to boot and load the patched kernel "all the time" for the update to be effective.
The reason I ask - I have a provisioning automation tool that boots the machine into an in-memory live-boot management OS (based on CentOS 7.6 Linux) via PXE. If that management OS is running the patched version of the kernel, kernel-3.10.0-957.12.2.el7.x86_64, when I subsequently reboot the machine into its installed operating system (which may or may not contain a directly patched update), is the system fully patched at this point?
Currently, the Linux Kernel release hasn't "rolled downhill" from RHEL to the CentOS team, but I expect that should happen soon.
No, nothing is stored permanently. The microcode is updated on each BIOS POST (if contained within the BIOS) and/or each boot cycle (if microcode load is supported by the O/S).
Got it - makes sense. Does Intel have any released tooling to update the microcode directly via a Linux-based environment, as opposed to in-kernel?
I have been digging around to find the answer to that on the Intel site, but have not been able to determine a clean path that isn't dependent on the OS microcode update mechanism.
Thank you for the fast reply.
No - and that's on purpose; you want the microcode update applied before any malicious code has an opportunity to run. The best place for this to happen is in the BIOS, as this has the best chance of ensuring that no malicious code has this opportunity. As we know, however, the scumbag OEMs and ODMs refused to keep updating the BIOS for new microcode (they simply don't care about security; yet people continue to buy their products; I don't get it). The next best (but still not optimal, IMHO) place to do this is within the O/S kernel, so that it is done as early as possible in the O/S initialization process. Linux has had this capability for a few years. Intel and Microsoft added support to Windows 10 just last year (after the scum pushed back on the microcode updates for Spectre).
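The two answers above make one practical point: the microcode update lives in the CPU only until the next reset, so the check has to be made in the operating system that is actually running, not in the PXE management OS that ran earlier. The script below is an added example, not code from the original thread or from Intel. It reports the revision each core exposes in /proc/cpuinfo, flags cores that disagree, compares the revision against a minimum you pass in, and looks in kernel-log text for the line the Linux loader prints when it applies an update during boot. The cpuinfo and dmesg text embedded in it are constructed samples; the revision 0xd4 and the log line format are assumptions for illustration, not real Intel data for any particular CPU.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks what microcode revision
# the CPU reports right now and whether the kernel applied an update during
# this boot. The update is only held in the CPU until power-off or reset, so
# run this in the installed OS, not in the PXE management OS.
# SAMPLE_CPUINFO and SAMPLE_DMESG are constructed test data; the revision
# value 0xd4 and the log line wording are assumptions, not real Intel data.

SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
microcode : 0xd4
processor : 1
vendor_id : GenuineIntel
microcode : 0xd4'

SAMPLE_DMESG='[    0.000000] microcode: microcode updated early to revision 0xd4, date = 2019-01-05
[    1.234567] microcode: Microcode Update Driver: v2.2.'

# Print the distinct "microcode" values found in /proc/cpuinfo-style text on
# stdin. A healthy system prints exactly one line; two or more means the cores
# disagree (for example a late load that only reached some of them).
ucode_revs() {
    awk -F'[[:space:]]*:[[:space:]]*' '$1 == "microcode" { print $2 }' | sort -u
}

# Exit 0 if every core reports the same revision, 1 otherwise.
ucode_consistent() {
    [ "$(ucode_revs | wc -l | tr -d ' ')" -eq 1 ]
}

# Exit 0 if the revision in the cpuinfo text on stdin is >= $1 (hex, e.g. 0xd4).
# Intel revision numbers only increase, so "at least" is the right comparison.
ucode_at_least() {
    have=$(ucode_revs | head -n 1)
    [ -n "$have" ] || return 1
    [ $(( $have )) -ge $(( $1 )) ]
}

# Exit 0 if kernel-log text on stdin shows a microcode update applied this
# boot, by the early (initramfs) or late loader. Because nothing persists,
# this line is expected on every single boot of a patched machine.
ucode_loaded_this_boot() {
    grep -Eq 'microcode: .*updated (early )?to revision 0x[0-9a-f]+'
}

# Self-check on the constructed sample, then the live system if readable.
printf '%s\n' "$SAMPLE_CPUINFO" | ucode_revs
if [ -r /proc/cpuinfo ]; then
    ucode_consistent < /proc/cpuinfo || echo "WARNING: cores report different microcode revisions"
fi
```

On a real host run `ucode_revs < /proc/cpuinfo` and `dmesg | ucode_loaded_this_boot` after booting into the installed OS; if the second check fails there, the revision the management OS loaded is gone and the installed OS is running whatever the BIOS supplied. On CentOS 7 the Intel blobs come from the microcode_ctl package rather than the kernel package, and they are prepended to the initramfs for early loading, so both the kernel and that package need to be current in the installed system.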