*Second:* I'm not willing to accept that CPU/MMU microcode can be
changed just by some OS/SW updates *without* any physical and local
intervention, or with *a secret "ONE WAY"* password/ticket
*coming directly from the manufacturer*. Otherwise "very bad
hackers" are able to change the critical CPU/MMU microcode to
prepare some "spyglass situation|attacks", which NO upper-layer
"security SW or OS" can ever detect.
*This is a very bad situation (even if this has existed for many years).*
You appear to have the impression that microcode updates are completely
unsigned code that anyone can modify. You might find this an interesting
read:
http://inertiawar.com/microcode/
It explains how microcode updates work in general, and specifically how
they work on Intel chips. You cannot simply perform arbitrary microcode
updates on a system, and microcode updates will only load if they are
newer than the one already applied, so you cannot just load an older,
insecure version of microcode if an update has already been applied by
either the BIOS or the kernel. Microcode updates only increase security;
they could only decrease it if Intel released a microcode update that
introduced a weakness and signed it. At the point where you don't
trust your vendor on that level anymore, you might as well give up on any
sort of proprietary hardware that needs any sort of binary blobs, which
some decide to do.
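The reply above describes the software-side checks that gate an Intel microcode update. The script below is an added example, not code from the thread or from the linked article: it decodes the public Intel microcode update header (the 48-byte layout documented in the Intel SDM), verifies the 32-bit checksum over the whole blob, and applies the "only if newer than the running revision" rule and the CPU-signature/platform-ID match that a Linux-style loader performs before handing the update to the processor. The RSA signature over the encrypted body is verified by the CPU itself and cannot be reproduced here; the sample blob, its revision 0x2e, the CPU signature 0x406f1 and the platform bit are constructed values, and the extended signature table some updates carry is not handled.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Intel microcode update header: nine little-endian dwords plus 12 reserved bytes.
HEADER_FMT = "<IIIIIIIII12s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 48 bytes


@dataclass
class McHeader:
    hdr_version: int    # must be 1
    revision: int       # update revision, compared against the CPU's running one
    date: int           # BCD date packed as 0xMMDDYYYY
    signature: int      # CPUID(1).EAX of the target processor
    checksum: int       # chosen so the dword sum over total_bytes is zero
    loader_rev: int     # must be 1
    proc_flags: int     # bitmask of platform IDs this update is valid for
    data_size: int      # 0 means 2000
    total_size: int     # 0 means 2048

    @property
    def data_bytes(self) -> int:
        return self.data_size or 2000

    @property
    def total_bytes(self) -> int:
        return self.total_size or 2048

    def date_str(self) -> str:
        mm, dd, yyyy = self.date >> 24, (self.date >> 16) & 0xFF, self.date & 0xFFFF
        return f"{yyyy:04x}-{mm:02x}-{dd:02x}"


def parse_header(blob: bytes) -> McHeader:
    """Decode and sanity-check the header; raises ValueError on malformed input."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("blob shorter than a microcode header")
    h = McHeader(*struct.unpack_from(HEADER_FMT, blob, 0)[:9])
    if h.hdr_version != 1 or h.loader_rev != 1:
        raise ValueError("unsupported header/loader revision")
    if h.total_bytes % 4 or h.total_bytes < HEADER_SIZE + h.data_bytes:
        raise ValueError("inconsistent size fields")
    if len(blob) < h.total_bytes:
        raise ValueError("blob truncated")
    return h


def checksum_ok(blob: bytes, h: McHeader) -> bool:
    """All dwords over total_bytes must sum to zero modulo 2**32."""
    words = struct.unpack_from(f"<{h.total_bytes // 4}I", blob, 0)
    return sum(words) & 0xFFFFFFFF == 0


def would_load(blob: bytes, cpu_sig: int, cpu_pf: int, cpu_rev: int) -> Tuple[bool, str]:
    """Mirror the checks a Linux-style loader does before handing the update to the CPU.

    cpu_pf is the platform-ID bit (1 << IA32_PLATFORM_ID[52:50]). The cryptographic
    signature inside the body is checked by the CPU, not here.
    """
    h = parse_header(blob)
    if not checksum_ok(blob, h):
        return False, "checksum mismatch (corrupted or tampered blob)"
    if h.signature != cpu_sig or not (h.proc_flags & cpu_pf):
        return False, "update is not for this CPU signature/platform"
    if h.revision <= cpu_rev:
        return False, f"revision 0x{h.revision:x} is not newer than running 0x{cpu_rev:x}"
    return True, f"would apply revision 0x{h.revision:x} dated {h.date_str()}"


def make_blob(revision: int, signature: int, proc_flags: int, date: int, body: bytes) -> bytes:
    """Build a CONSTRUCTED update blob with a valid checksum (demonstration only;
    it carries no real, signed microcode and a CPU would reject it)."""
    body = body + b"\0" * (-len(body) % 4)
    total = HEADER_SIZE + len(body)

    def header(checksum: int) -> bytes:
        return struct.pack(HEADER_FMT, 1, revision, date, signature, checksum,
                           1, proc_flags, len(body), total, b"\0" * 12)

    partial = sum(struct.unpack(f"<{total // 4}I", header(0) + body)) & 0xFFFFFFFF
    return header((-partial) & 0xFFFFFFFF) + body


def current_revision_linux() -> Optional[int]:
    """Read the running microcode revision from /proc/cpuinfo, if available."""
    try:
        with open("/proc/cpuinfo") as f:
            for line in f:
                if line.startswith("microcode"):
                    return int(line.split(":")[1].strip(), 16)
    except OSError:
        pass
    return None


if __name__ == "__main__":
    # Constructed sample: hypothetical revision 0x2e for signature 0x406f1, platform bit 1.
    sample = make_blob(0x2E, 0x406F1, 1 << 1, 0x01152018, bytes(range(64)))
    for running in (0x2D, 0x2E, 0x2F):
        print(hex(running), would_load(sample, 0x406F1, 1 << 1, running))
    tampered = bytearray(sample)
    tampered[60] ^= 0x01
    print("tampered:", would_load(bytes(tampered), 0x406F1, 1 << 1, 0x2D))
```

Feeding the same blob to `would_load` with a running revision of 0x2d, 0x2e and 0x2f shows the ordering rule from the reply: only the first case is accepted. Flipping a single bit in the body trips the checksum, but passing these checks says nothing about authenticity; that decision is made inside the CPU when the signed body is loaded.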
*INFO:*
It looks like HPE has realized this *serious security threat* and developed
a special iLO chip that helps to solve this real problem.
*see:*
http://www.zdnet.de/88300819/schutz-vor-firmware-attacken-hpe-sichert-proliant-server-ab/?_ga=2.128992076.1543857168.1515237773-947033226.1515237773&inf_by=5a50b18d671db879058b47d8
👍
*I hope other HW manufacturers *(DELL, IBM, CISCO, Oracle, etc.) *also
have/provide some solution for this problem asap.*
The link you have provided shows that HPE wants to make sure its
firmware, i.e. UEFI and components, is secured. They do not talk about
preventing microcode updates, which I don't think this provides, as those
are CPU features directly. I'm not sure if those can be disabled by the
chipset/mainboard, as it's basically just a special instruction sent to
the CPU (pretty sure they can't be prevented by that).