In late 2024 Intel introduced a flag into the kernel that highlights that a system might be running with outdated microcode, therefore making it potentially vulnerable.
I recently noticed that in my dmesg something like this would pop up:
...
Dec 12 07:42:27 rockstorw kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-6.18.0-lp156.16.ga1b61b5-default root=LABEL=ROOT nomodeset plymouth.enable=0 rd.kiwi.oem.maxdisk=5000G
Dec 12 07:42:27 rockstorw kernel: x86/CPU: Running old microcode
Dec 12 07:42:27 rockstorw kernel: BIOS-provided physical RAM map:
Dec 12 07:42:27 rockstorw kernel: BIOS-e820: [mem 0x0000000000000000-0x0000000000057fff] usable
...
You notice here that I am using the kernel backport setup, so you might not see this message under normal circumstances (yet).
As my system is quite old and does not receive any new BIOS updates (well, it hasn’t been for around 4 years), no new BIOS-driven microcode updates have been released.
I double-checked using:
cat /sys/class/dmi/id/bios_version
and compared it to the latest available BIOS downloads, just to be sure.
Note: If running Rockstor using Tumbleweed, that's not a problem because it seems there is an official package available to have kernel-based microcode updates:
ucode-intel
However, for Leap 15.x (and, as of the creation date of this post, also Leap 16.x) no official package is available. There are a few community packages, and after doing a high-level investigation, those seem legit. I considered it a small/non-existent risk (but you, dear reader, might feel otherwise), so after backing up my Rockstor configuration as well as refreshing my data backups, I installed one of the community packages using the command line:
zypper addrepo https://download.opensuse.org/repositories/home:Sauerland/15.6/home:Sauerland.repo
zypper refresh
zypper install ucode-intel
It does not seem to require a reboot. However, in order to see whether the error message disappears, I initiated one anyway. The resulting dmesg output shows the warning message disappeared.
...
Dec 12 08:27:31 rockstorw kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-6.18.0-lp156.16.ga1b61b5-default root=LABEL=ROOT nomodeset plymouth.enable=0 rd.kiwi.oem.maxdisk=5000G
Dec 12 08:27:31 rockstorw kernel: BIOS-provided physical RAM map:
Dec 12 08:27:31 rockstorw kernel: BIOS-e820: [mem 0x0000000000000000-0x0000000000057fff] usable
...
Note: while I understand that AMD does not have a similar flag highlighting outdated microcode, if you determine that you want/need that updated as well (because the BIOS is not being updated by the manufacturer anymore), there is similarly the official Tumbleweed package, as well as community packages for AMD microcode updates:
ucode-amd
Again, you will need to decide whether a community package is too high of a risk compared to the potential additional protection before installing it from one of those sources.
At the same time, if your Rockstor instance is not exposed to the public network, your attack surface for any exploits based on vulnerable microcode might also not be worth worrying about …
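The before/after comparison of the kernel log described above can be scripted. The following is an added example, not part of the original post: it reports per boot whether the "Running old microcode" warning was logged, with the function names being hypothetical and the sample log constructed from the lines quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post).
# Input: syslog-style kernel log lines on stdin, as shown in the post
# (assumption: the same format that `journalctl -k` prints by default).

# Print one line per boot: "<boot start timestamp> <old|ok>".
# A new boot starts at the "kernel: Command line:" line.
ucode_boot_report() {
    awk '
        function emit() { if (boot != "") print boot, (old ? "old" : "ok") }
        / kernel: Command line:/ {
            emit(); boot = $1 " " $2 " " $3; old = 0
        }
        / kernel: x86\/CPU: Running old microcode/ {
            # Warning seen before any boot marker: still attribute it.
            if (boot == "") boot = $1 " " $2 " " $3
            old = 1
        }
        END { emit() }
    '
}

# Exit 0 only if the most recent boot in the input logged no warning.
# Empty input (no boot found) counts as "not clean".
latest_boot_clean() {
    [ "$(ucode_boot_report | tail -n 1 | awk '{print $NF}')" = "ok" ]
}

# Constructed sample: the two boots quoted in the post, command line shortened.
SAMPLE_LOG='Dec 12 07:42:27 rockstorw kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-6.18.0-lp156.16.ga1b61b5-default root=LABEL=ROOT
Dec 12 07:42:27 rockstorw kernel: x86/CPU: Running old microcode
Dec 12 07:42:27 rockstorw kernel: BIOS-provided physical RAM map:
Dec 12 08:27:31 rockstorw kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-6.18.0-lp156.16.ga1b61b5-default root=LABEL=ROOT
Dec 12 08:27:31 rockstorw kernel: BIOS-provided physical RAM map:'

printf '%s\n' "$SAMPLE_LOG" | ucode_boot_report
```

On a live system the same functions can be fed from the journal, for example `journalctl -k -b | latest_boot_clean` for the current boot.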