Bug 218136

Summary: Possible regression in Intel microcode handling
Product: Other
Reporter: Fabio Comolli (fabio.comolli)
Component: Configuration
Assignee: other_configuration (other_configuration)
Status: NEW
Severity: normal
CC: fedora, regressions, sam
Priority: P3
Hardware: Intel
OS: Linux
Kernel Version:
Subsystem:
Regression: Yes
Bisected commit-id:

Description Fabio Comolli 2023-11-12 14:34:09 UTC
I just noticed a possible problem with the 6.6.x series of kernels under F39. In short, since 6.6.x CONFIG_MICROCODE_INTEL is now hidden under CONFIG_EXPERT, which is not selected by default in Fedora kernels.

This means that the early_microcode loop in dracut never succeeds and therefore all initramfs(es) are now generated without any microcode inside, thus creating a security issue as no remediations eventually available are applied. In my case hardinfo complained that I was vulnerable to the "gather data sampling" vulnerability.

I patched my dracut as indicated in https://groups.google.com/g/linux.debian.bugs.dist/c/5LP38VmSNFw and actually my dmesg went from:

Nov 12 12:03:11 fedora kernel: GDS: Vulnerable: No microcode
Nov 12 12:03:11 fedora kernel: microcode: Microcode Update Driver: v2.2.

to:

Nov 12 14:28:10 fedora kernel: microcode: updated early: 0x7e -> 0xac, date = 2023-02-27
Nov 12 14:28:10 fedora kernel: microcode: Microcode Update Driver: v2.2.

Maybe this can be considered a regression? My dracut is:

[14:55:25] fcomolli@fedora ~ $ rpm -q dracut
dracut-059-15.fc39.x86_64
[14:55:28] fcomolli@fedora ~ $

and my kernel is:

[14:55:46] fcomolli@fedora ~ $ uname -a
Linux fedora 6.6.0-360.vanilla.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 30 05:03:23 UTC 2023 x86_64 GNU/Linux
[14:56:07] fcomolli@fedora ~ $

Thanks for looking.
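
A check for the condition described in the report above, as an added example that is not part of the original bug report or of dracut: it classifies a kernel config file and a saved kernel log the way the description does. The function names and state labels are hypothetical, and the log strings matched are assumed to have the format quoted in the report.

```shell
#!/bin/sh
# Added example; function names and state labels are hypothetical.

# Classify a kernel config file (e.g. /boot/config-<release>) by its
# microcode symbols.
microcode_config_state() {
    cfg=$1
    if grep -q '^CONFIG_MICROCODE_INTEL=y$' "$cfg"; then
        echo intel-symbol      # vendor symbol present
    elif grep -q '^CONFIG_MICROCODE=y$' "$cfg"; then
        echo generic-only      # loader built in, vendor symbol absent
    else
        echo disabled
    fi
}

# Classify a saved kernel log (dmesg or journalctl -k output) by what
# it reports about microcode at boot.
microcode_boot_state() {
    log=$1
    if grep -q 'microcode: updated early' "$log"; then
        echo updated-early
    elif grep -q 'Vulnerable: No microcode' "$log"; then
        echo missing
    else
        echo unknown
    fi
}

# Print both states on one line; return 1 when the log shows a
# mitigation reporting that no microcode was loaded.
audit_microcode() {
    cfg_state=$(microcode_config_state "$1")
    boot_state=$(microcode_boot_state "$2")
    echo "config=$cfg_state boot=$boot_state"
    if [ "$boot_state" = missing ] && [ "$cfg_state" = generic-only ]; then
        echo "hint: initramfs may have been built without early microcode" >&2
    fi
    [ "$boot_state" != missing ]
}

# With two arguments, audit real files, for example:
#   journalctl -k -b > kernel.log
#   sh check.sh "/boot/config-$(uname -r)" kernel.log
if [ "$#" -eq 2 ]; then audit_microcode "$1" "$2"; fi
```
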

Comment 1 The Linux kernel's regression tracker (Thorsten Leemhuis) 2023-11-12 15:28:06 UTC
Forwarded by mail:
https://lore.kernel.org/kernel-janitors/c67bd324-cec0-4fe4-b3b1-fc1d1e4f2967@leemhuis.info/

Comment 2 The Linux kernel's regression tracker (Thorsten Leemhuis) 2023-11-23 04:25:56 UTC
FWIW, Linus said that this doesn't need fixing on the kernel side: https://lore.kernel.org/kernel-janitors/CAHk-=wiV+NM+jLKbSj_Ej9RaXpu4akWV03G_wXyTSHZhArq1tg@mail.gmail.com/