You are not logged in.
Hi guys,
I used to never really use microcode updates. However, recently I was exposed to some kind of low level rootkit like malware on my UEFI bios or within the Intel NIC PXE like system.
see:
https://platypusattack.com/
An attacker can use intel rapl to potentially find encryption keys and other secrets. I noticed this when intel_rapl kernel module was not able to be disabled and other conditions where they were trying to maintain persistance. It could effect every linux OS on intel platform post Sandybridge with SGX enclaves built in.
So from now on, I will be utilizing microcode updates to protect myself going forward from these kinds of attacks where SGX instructions are present. I thought I should share with others so they can evaluate their choice in keeping their microcode up to date depending on their hardware and the presence of intel SGX enclaves instructions.
Last edited by czeekaj (2024-03-15 16:49:55)
Offline
Hello:
... will be utilizing microcode updates to protect myself ...
As far as I know, it is enough to keep your system up to date.
In the last nine years, have seen intel-microcode packages updated once every blue moon, probably because my box runs on a legacy (EOL 03/2013) Intel Yorkfield (Core™2 Quad Q9550) processor.
The intel-microcode package is/has been there as part of the installation/upgrades from the start:
~$ apt list | grep installed | grep -i microcode
--- snip ---
intel-microcode/oldoldstable-security,now 3.20231114.1~deb10u1 amd64 [installed]
~$
And then there is what you can see here.
Microcode for Intel and amd64 CPUs all the way from up Jesse down to Ceres.
So any time a microcode package gets upgraded, it is made available for you in the Devuan repositories.
You would have to take intentional steps to keep your system apt from actually downloading and installing it.
I may be missing something in your particular case, but in my opinion, keeping your system up-to-date is not an option to consider.
It is something you do.
Best,
A.
Last edited by Altoid (2024-03-15 18:44:19)
Offline
yeah on a Q9550 I could see you just leave the old microcode packages. It's not something you update often! But I was deliberately removing it, depends on the hardware honestly. some UEFI systems have quite a few features that may expose the user to more attack vectors than other systems. It all depends I am sure. I'm sure there are realtek micro controllers that play much nicer than others for instance.
Offline
I don't know about others, but my old machine works fine even without the microcode...
Offline
of course. I have been using an old x200 thinkpad with 0 microcode just fine there is that whole memory sinkhole thing because the APIC register can move I believe you can partially disable it though? My laptop ever a dell e6410 I installed the oldest bios available and it doesn't include microcode either. I just advise what I read skylake and onwards SGX is present and continues to be a thing on todays Xeon processors. So microcode helps mitigate issues.
Most people recommend it, as CPUs come with baked in microcode anyway. My concern is when loading microcode can flip some CPU registers.
Last edited by czeekaj (2024-03-16 16:26:48)
Offline
On my computers, I forget what it is that does not work with microcode installed, alsa line-out|hdmi I think.
Shady.
Offline