On 3/9/22 03:20, Borislav Petkov wrote:
> AFAICT, you want to hook into microcode_check() which runs after the
> microcode update and do your EUPDATESVN there...

There's a little bit in the cover letter that _implies_ why EUPDATESVN
isn't called during the actual microcode update:

> This series implements the infrastructure needed to track and tear
> down bare-metal enclaves and then run EUPDATESVN. This is expected
> to be triggered by administrators via sysfs at some convenient time
> after a microcode update, probably by the microcode update tooling
> itself.

This allows the (non-destructive) ucode update and the destructive
EUPDATESVN procedure to happen at different times.

If we just want to make the ucode update itself call EUPDATESVN via
microcode_check(), that makes the ucode update itself destructive to
SGX enclaves. That's not the end of the world, but this series is
going to some amount of trouble (including new ABI) to avoid it.

Perhaps we need to hear more about why this is so much of an issue.