On Sat, 29 Jul 2023 at 06:54, Paul Menzel <pmen...@molgen.mpg.de> wrote:
>
> Dear GRUB folks,
>
>
> On x86 microcode updates often are recommended to be applied to fix
> bugs. Just recently new microcode updates were published for AMD Zen 2
> processors to fix “Zenbleed” [1].
>
> Currently, these updates are shipped and applied by the firmware, and –
> mainly due to the proprietary and closed source x86 firmware ecosystem
> is slow to ship these updates and firmware updates are cumbersome to
> apply in this ecosystem – the operating systems like the Linux kernel
> [2] (but I believe also Microsoft Windows) also support to apply these
> updates.
>
> Should boot loaders be able to apply these updates, so these can be
> applied on systems for operating systems without such a feature?
>

Most distributions already do this via early-initrd. For example, on all Ubuntu systems, if you unpack the initramfs with the `unmkinitramfs` command you will notice early1 and early2 uncompressed initrd portions that contain Intel and AMD microcode. These are loaded and applied by the kernel early on, before unpacking the rest of the initrd or initialising the system.

Specifically for Zenbleed, the Ubuntu Security team has shipped the amd64-microcode package at CRD time, which is automatically installed by all systems and thus a reboot has already applied those.

This is a standard mechanism that is already implemented by all distributions (i.e. Ubuntu, Ubuntu Core, Fedora, etc). If your distribution/device doesn't install and doesn't generate an early initrd, please implement that. Reference implementations are available in initramfs-tools (Debian/Ubuntu), core-initrd (Ubuntu Core), dracut, and likely many others.

It is a nice property to bundle this in the initrd, as sometimes there are microcode regressions, thus booting an old kernel ABI, with an old initrd, with an old microcode is desirable.

>
> Kind regards,
>
> Paul
>
>
> [1]: https://lock.cmpxchg8b.com/zenbleed.html
> [2]: https://docs.kernel.org/arch/x86/microcode.html
>

--
okurrr,

Dimitri

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
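
Added example, not part of the original message or of any distribution's tooling: a check that an initrd image actually carries the early microcode segments described in the reply. It walks the leading uncompressed cpio (newc) archives and reports which vendor blobs sit under the paths named in the kernel documentation at [2]; the helper names and the sample image are constructed for illustration.

```python
NEWC_MAGICS = (b"070701", b"070702")  # cpio "newc", without and with checksum
UCODE_PATHS = {  # where the kernel's early loader looks, per the kernel doc in [2]
    "kernel/x86/microcode/AuthenticAMD.bin": "AMD",
    "kernel/x86/microcode/GenuineIntel.bin": "Intel",
}

def early_entries(image: bytes):
    """Yield (name, size) for files in the leading uncompressed cpio segments."""
    off = base = 0
    def pad4(pos):  # newc pads name and data to 4 bytes, counted per segment
        return base + ((pos - base + 3) & ~3)
    while image[off:off + 6] in NEWC_MAGICS:
        if len(image) < off + 110:
            raise ValueError("truncated cpio header")
        filesize = int(image[off + 54:off + 62], 16)   # 7th of 13 hex fields
        namesize = int(image[off + 94:off + 102], 16)  # 12th field, counts the NUL
        name = image[off + 110:off + 109 + namesize].decode("utf-8", "replace")
        off = pad4(pad4(off + 110 + namesize) + filesize)
        if name == "TRAILER!!!":  # end of one segment: skip padding, try the next
            while off < len(image) and image[off] == 0:
                off += 1
            base = off
        else:
            yield name, filesize

def bundled_microcode(image: bytes):
    """Vendors whose microcode blob is present and non-empty in the early cpio."""
    return sorted({UCODE_PATHS[n] for n, size in early_entries(image)
                   if n in UCODE_PATHS and size > 0})

def newc_record(name: str, data: bytes = b"") -> bytes:
    """Build one newc record; used only to construct the sample below."""
    n = name.encode() + b"\0"
    fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0]
    rec = b"070701" + b"".join(b"%08X" % f for f in fields) + n
    rec += b"\0" * (-len(rec) % 4) + data
    return rec + b"\0" * (-len(rec) % 4)

def cpio_segment(name: str, data: bytes) -> bytes:
    seg = newc_record(name, data) + newc_record("TRAILER!!!")
    return seg + b"\0" * (-len(seg) % 512)

# Constructed sample: two early segments, then the start of a zstd-compressed initrd.
SAMPLE = (cpio_segment("kernel/x86/microcode/AuthenticAMD.bin", b"\xAA" * 10)
          + cpio_segment("kernel/x86/microcode/GenuineIntel.bin", b"\xBB" * 7)
          + b"\x28\xb5\x2f\xfd" + b"constructed-main-initrd")

if __name__ == "__main__":
    print(bundled_microcode(SAMPLE))
```

An empty result for a real image means the kernel's early loader would find nothing to apply from that initrd, which is worth flagging on a host that is expected to pick up a microcode fix at reboot.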