See:

https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html
Right now there are four known but (reasonably) benign microcodes from a non-AMD source. However, there is a tool to sign arbitrary microcode.

In Xen, we've provided a stopgap mitigation to perform extra checks on microcode load on affected CPU families. This is a SHA2 digest check against hashes with believed-good provenance. This is staging only for now, in case it is overly disruptive.

This will not protect against an already-compromised platform, but it will prevent an uncompromised system becoming compromised via Xen's microcode loading capabilities.

On affected systems, the only complete fix is a firmware update. This is a very firmly recommended course of action.

Sincerely,

~Andrew, on behalf of the Xen Security Team.
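The digest check described in the message above, as an added Python sketch (not Xen's code and not part of the original message): a blob is loaded only if its SHA-256 digest matches the one recorded for its patch ID, so a blob with an altered body or an unlisted ID is refused even if the CPU would accept its signature. The patch ID offset, the `affected` flag, the choice to refuse unlisted IDs, and all sample blobs are assumptions constructed for illustration.

```python
import hashlib
import struct

# Assumption for this sketch: the patch ID is a little-endian u32 at byte
# offset 4 of the blob. Real container parsing is out of scope here.
PATCH_ID_OFFSET = 4


def patch_id(blob: bytes) -> int:
    """Extract the (assumed) patch ID field, or raise ValueError if truncated."""
    if len(blob) < PATCH_ID_OFFSET + 4:
        raise ValueError("blob too short to contain a patch ID")
    return struct.unpack_from("<I", blob, PATCH_ID_OFFSET)[0]


def build_allowlist(known_good: list[bytes]) -> dict[int, bytes]:
    """Map patch ID -> SHA-256 digest for blobs of believed-good provenance."""
    return {patch_id(b): hashlib.sha256(b).digest() for b in known_good}


def check_patch(blob: bytes, allowlist: dict[int, bytes], affected: bool = True):
    """Return (allowed, reason). Fails closed on affected CPU families."""
    if not affected:
        return True, "family not affected, digest check skipped"
    try:
        pid = patch_id(blob)
    except ValueError as exc:
        return False, str(exc)
    expected = allowlist.get(pid)
    if expected is None:
        return False, f"patch {pid:#010x} has no known-good digest"
    if hashlib.sha256(blob).digest() != expected:
        return False, f"patch {pid:#010x} digest mismatch"
    return True, f"patch {pid:#010x} matches known-good digest"


# Constructed sample data: 8-byte fake header (date code, patch ID) + payload.
GOOD = struct.pack("<II", 0x20240101, 0x0A0011FF) + b"\x11" * 32
TAMPERED = GOOD[:-1] + b"\x12"  # same patch ID, altered body
UNKNOWN = struct.pack("<II", 0x20240101, 0x0A0011FE) + b"\x11" * 32
ALLOWLIST = build_allowlist([GOOD])

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("tampered", TAMPERED),
                       ("unknown", UNKNOWN), ("truncated", GOOD[:6])]:
        print(name, check_patch(blob, ALLOWLIST))
```

As the message notes, a check of this kind only gates the loader path; it says nothing about microcode already applied before the hypervisor runs.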