[Bug 2130658] Re: hashed microcode updates

Luci Stanescu 2130658 at bugs.launchpad.net
Tue Jan 13 11:14:58 UTC 2026 

The possible downsides to bundling the microcode with the kernel are:
- For users, inability to downgrade microcode without also downgrading the kernel.
- For Ubuntu Security Team, inability to release microcode updates outside the kernel release cycle. This had been curtailed by the AMD SHA-checking patch, but some flexibility still remains. Microcode updates are released well in advance of any communication of what they fix, so their SHAs could be included in kernel releases, without the corresponding microcode updates.
- Creating an inconsistency with the intel-microcode package, which does not have these limitations.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to amd64-microcode in Ubuntu.
https://bugs.launchpad.net/bugs/2130658

Title:
  hashed microcode updates

Status in amd64-microcode package in Ubuntu:
  New
Status in dracut package in Ubuntu:
  New
Status in initramfs-tools package in Ubuntu:
  New
Status in linux package in Ubuntu:
  New

Bug description:
  Apologies that this isn't better -- I've been putting this off for too
  long as it is, and doing a poor job seems like it's better than
  waiting until I can do a good job.

  AMD has some problems with microcode updates -- the signature
  verification is not right. (Google put together a microcode update to
  recreate the xkcd random comic.)

  The AMD kernel developers have pushed a mitigation to the Linux kernel
  that hardcodes a single SHA256 hash of the latest microcode update.
  When userspace tries to patch the microcode, the kernel driver will
  compare the proposed new microcode and if it matches, then it is
  loaded. If it doesn't match, then it is not loaded.

  This is simple and easy. I'm afraid it isn't responsive to how we
  deliver updates to our users:

  - the kernel is delivered on its own timeframe; our updates even more so, perhaps over the course of months
  - the amd64-microcode package is delivered on its own timeframe; our updates can be timed with more precision than the kernel updates, but it would be nice to follow AMD closely without stress.

  If we deliver a new kernel with an updated hash from upstream before
  we have delivered the microcode, users will probably be reverted to
  running the factory firmware.

  If we deliver a new microcode package before we have delivered an
  updated kernel, users will probably be reverted to running the factory
  firmware.

  Running the factory firmware might be a performance, safety, security,
  or feature regression vs the user's immediately previous boot. Users
  might not even notice anything anything is wrong.

  I don't pretend to have the best possible solution, so treat this idea
  as something to be improved:

  We should amend our systems to be more flexible in which microcodes we
  will load, to allow loading any of the previous N microcode packages
  that we have shipped.

  We should amend our microcode packages to allow installing multiple
  versions and manage the multiple versions similarly to the Linux
  kernel "keep most recent three" sort of behavior.

  We should amend our kernel to expose in the filesystem, even when not
  running, which microcodes it can load.

  We should amend our initramfs generators to include the newest
  microcode that a kernel can load, for each initramfs that we generate.

  
  Ideally, we would collaborate with Debian on this issue. Probably Debian's situation is better than ours, since they have significantly fewer kernels to wrangle, over fewer supported releases, but I suspect their users would also benefit from some de-coupling.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/amd64-microcode/+bug/2130658/+subscriptions

More information about the foundations-bugs mailing list