Open l00k opened 2 years ago
Intel-SA-528 protections are not runtime loadable, hence not included here.
You need a full firmware update from your OEM to mitigate the security issue.
@andyhhp thank you for the fast answer. I understand, but I was using ucodes from this repository to build a modified BIOS and flash it 2-3 months before the official BIOS release. Any chance to get it? I really need it because SGX now fails while performing remote attestation.
Either Intel managed to change them to be runtime loadable, or a subset of such updates are supposed to be runtime loadable. The latest release (20220207) has fixes for INTEL-SA-00528...
It is also possible that the full fix requires a firmware update, and early-loading is a partial fix. It would be nice to get either a confirmation that "the new set of updates fully addresses INTEL-SA-00528" from Intel, or a confirmation that one should still pester the hardware vendor to get a proper firmware update to get the full fix, because the O.S. microcode update cannot fix the whole issue.
The mitigation for INTEL-SA-00528 must be loaded at BIOS (at FIT) to be effective. @l00k Those MCUs are now available with the release earlier this week.
Thanks for the info. I have already extracted it from one of the official releases. I understand that for future updates the MCU will not be saved in this repo?
I'm not aware of any changes being planned for this repo, at this point. Where did you hear that future updates wouldn't be here?
Maybe I expressed it wrongly. I asked about future MCU updates (non-runtime loadable) - will they be included here? The one which I mentioned in the first post was not included here.
We generally won't move non-runtime loadable MCUs if there isn't a good reason to. If we are updating many MCUs, then we do try to update everything to the latest publicly available MCU. In this case, for the three INTEL-SA-00528 affected products, we chose not to publish those since there was no value for OS loading and we didn't want to trigger Linux distros to do unnecessary work. I understand that you were taking the MCUs and "stitching" them into your BIOS and there was value in doing that. Let me see if we can find a way to handle this.
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html I don't see updated ucodes which mitigate this issue. Is the database up to date?