On Wed, 24 Jan 2018, David Woodhouse wrote:
> I'm kind of tempted to turn it into a whitelist just by adding 1 to the
> microcode revision in each table entry. Sure, that N+1 might be another
> microcode build that also has issues but never saw the light of day...

Watch out for the (AFAIK) still not properly documented where it should be (i.e. the microcode chapter of the Intel SDM) weirdness in Skylake+ microcode revision.

Actually, this is related to SGX, so anything that has SGX. When it has SGX inside, Intel will release microcode only with even revision numbers, but the processor may report it as odd (and will do so by subtracting 1, so microcode 0xb0 is the same as microcode 0xaf) when the update is loaded by the processor itself from FIT (as opposed to being loaded by WRMSR from BIOS/UEFI/OS).

So, you could see N-1 from within Linux if we did not update the microcode, and fail to trigger a whitelist (or mistrigger a blacklist).

-- 
Henrique Holschuh
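The matching pitfall described above, as an added illustration that is neither Henrique's code nor the kernel's actual table code: a table lookup that first normalizes an odd reported revision on an SGX-capable part back to the even revision Intel shipped (0xaf is treated as 0xb0), so a FIT-loaded update neither slips past a blacklist nor fails a whitelist. The table entries, the `has_sgx` flag and the helper names are constructed placeholders for the example, not real kernel identifiers or real affected revisions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed placeholder table: model, stepping and the microcode revision
 * an entry refers to. The values are illustrative, not a real blacklist. */
struct sku_microcode {
    uint8_t  model;
    uint8_t  stepping;
    uint32_t microcode;
};

static const struct sku_microcode example_table[] = {
    { 0x4e, 0x03, 0x000000c2 }, /* hypothetical entry */
    { 0x5e, 0x03, 0x000000c2 }, /* hypothetical entry */
};

/*
 * Hypothetical helper. On SGX parts Intel only ships even revisions, but a
 * FIT-loaded update is reported as revision-1. If the CPU has SGX and the
 * reported revision is odd, map it back to the even number it really is.
 * Without SGX an odd revision is taken at face value.
 */
static uint32_t normalize_ucode_rev(uint32_t reported_rev, bool has_sgx)
{
    if (has_sgx && (reported_rev & 1u))
        return reported_rev + 1;
    return reported_rev;
}

/* Hypothetical lookup: does the normalized revision match a table entry
 * for this model/stepping? */
static bool ucode_in_table(uint8_t model, uint8_t stepping,
                           uint32_t reported_rev, bool has_sgx)
{
    uint32_t rev = normalize_ucode_rev(reported_rev, has_sgx);
    size_t i;

    for (i = 0; i < sizeof(example_table) / sizeof(example_table[0]); i++) {
        const struct sku_microcode *e = &example_table[i];

        if (e->model == model && e->stepping == stepping &&
            e->microcode == rev)
            return true;
    }
    return false;
}

int main(void)
{
    /* Constructed sample: same SKU, revision reported as 0xc1 after a FIT
     * load on an SGX part, and as 0xc2 after a WRMSR load. */
    printf("0xc2 via WRMSR, SGX: %s\n",
           ucode_in_table(0x4e, 0x03, 0xc2, true) ? "match" : "no match");
    printf("0xc1 via FIT,   SGX: %s\n",
           ucode_in_table(0x4e, 0x03, 0xc1, true) ? "match" : "no match");
    printf("0xc1,        no SGX: %s\n",
           ucode_in_table(0x4e, 0x03, 0xc1, false) ? "match" : "no match");
    return 0;
}
```

The `has_sgx` guard matters: on a part without SGX an odd revision is a genuine, distinct revision, so the +1 adjustment would wrongly merge two different microcode builds.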