Re: [PATCH v5 0/9] Support microcode updates affecting SGX

[Borislav Petkov <bp@alien8.de>]

On Tue, May 24, 2022 at 09:15:00PM +0200, Thomas Gleixner wrote:
> Cathy,
> 
> On Fri, May 20 2022 at 18:38, Cathy Zhang wrote:

Btw, this mail has this here too:

> Historically, microcode updates are applied by the BIOS or early in
> boot. In recent years, several trends have made these old approaches
> less palatable.

Actually, late loading is the old method. Early came after it.

> > First, the cadence of microcode updates has increased to deliver
> > security mitigations. Second, the value of those updates has increased,
> > meaning that any delay in applying them is unacceptable. Third, users
> > have become accustomed to approaches like hot patching their kernels
> > and have a growing aversion to reboots in general.

I had missed that argument: so how do those users update their kernels?
Livepatching? I don't think you can replace a whole live kernel - that
would be magic. Unless you kexec but then you can early load microcode
too.

So if you reboot your kernel because you've installed a new one, you can
just as well update microcode.

So sorry but I'm not buying this argument.

For cloud vendors who cannot reboot because they've promised their users
ponies, that's their problem. They might have a somewhat ok-ish argument.

But not for normal users - they can just as well reboot their machines
and do kernel updates together with microcode.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette