How are Intel/Amd Microcode Issues Delivered? Is it possible to block them?
Answers to your questions, one by one:
How are the microcode update files published?
- They are simple, rather small, files, published by the processor makers.
How are they loaded into the CPU?
- Your processor comes with an initial version, that it boots up with.
- Your processor has a sequence of instructions to initiate a microcode upload.
- The BIOS/UEFI of your system may have a newer version, that it will load into the processor before your boot-loader gets control.
- The operating system may have an even newer version. If so, it will load it into the processor during system start.
How are new versions normally transferred into your computer:
- If the BIOS gets updated by you, it could contain a newer version.
- Your operating system may be setup for receiving microcode update through system update. (All current ones can)
- If somebody nice from Intel gives you the encryption key for their microcode, you could encrypt/sign a modified version, place it on your hard-drive, and load it with some instructions.
- If somebody else can run processes on your system with System/root rights (e.g. Virus, Trojan), they can even do it for/to you.
How could somebody apply such an update without me knowing?
- These days, BIOS/UEFI implementations are entire operating systems in themselves, with all modern features, networking, usb, graphics, ... support.
- Most network cards runs an entire, independent Operating System too. Aside from bugs, which you can bet there are, these firmwares all have (partly) documented remote communication protocols.
- Somebody exploiting a bug in your NIC, or using the magic_key/protocol, could send a correctly signed microcode update to your CPU.
How feasible is this type of attack?
- For somebody with authority over the key-holders: Very easy.
- For the savvy neighbor kid: impossible
Yes, it's absolutely possible to shun them. And there's no kind of enforcing. Nor any particular way you shouldn't be able to rollback.
Updates either come with newer BIOS, or OS loads them. In the latter case, we can assume either you are on Linux or on Windows.
In the first situation, they get loaded from linux-firmware/intel-ucode, in the second they come via normal Windows Update. And as such you can install/uninstall them at will.
If you are really paranoid, delete any instance of mcupdate_AuthenticAMD.dll
and mcupdate_GenuineIntel.dll
you find on your system.