1*4e2c7197SDave Hansen.. SPDX-License-Identifier: GPL-2.0 2*4e2c7197SDave Hansen 3*4e2c7197SDave Hansen============= 4*4e2c7197SDave HansenOld Microcode 5*4e2c7197SDave Hansen============= 6*4e2c7197SDave Hansen 7*4e2c7197SDave HansenThe kernel keeps a table of released microcode. Systems that had 8*4e2c7197SDave Hansenmicrocode older than this at boot will say "Vulnerable". This means 9*4e2c7197SDave Hansenthat the system was vulnerable to some known CPU issue. It could be 10*4e2c7197SDave Hansensecurity or functional, the kernel does not know or care. 11*4e2c7197SDave Hansen 12*4e2c7197SDave HansenYou should update the CPU microcode to mitigate any exposure. This is 13*4e2c7197SDave Hansenusually accomplished by updating the files in 14*4e2c7197SDave Hansen/lib/firmware/intel-ucode/ via normal distribution updates. Intel also 15*4e2c7197SDave Hansendistributes these files in a github repo: 16*4e2c7197SDave Hansen 17*4e2c7197SDave Hansen https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git 18*4e2c7197SDave Hansen 19*4e2c7197SDave HansenJust like all the other hardware vulnerabilities, exposure is 20*4e2c7197SDave Hansendetermined at boot. Runtime microcode updates do not change the status 21*4e2c7197SDave Hansenof this vulnerability. 22