I just noticed a possible problem with the 6.6.x series of kernels under F39.

In short, since 6.6.x CONFIG_MICROCODE_INTEL is now hidden under CONFIG_EXPERT, which is not selected by default in Fedora kernels. This means that the early_microcode loop in dracut never succeeds and therefore all initramfs(es) are now generated without any microcode inside, thus creating a security issue as no remediations eventually available are applied.

In my case hardinfo complained that I was vulnerable to the "gather data sampling" vulnerability.

I patched my dracut as indicated in https://groups.google.com/g/linux.debian.bugs.dist/c/5LP38VmSNFw and actually my dmesg went from:

    Nov 12 12:03:11 fedora kernel: GDS: Vulnerable: No microcode
    Nov 12 12:03:11 fedora kernel: microcode: Microcode Update Driver: v2.2.

to:

    Nov 12 14:28:10 fedora kernel: microcode: updated early: 0x7e -> 0xac, date = 2023-02-27
    Nov 12 14:28:10 fedora kernel: microcode: Microcode Update Driver: v2.2.

Maybe this can be considered a regression?

My dracut is:

    [14:55:25] fcomolli@fedora ~ $ rpm -q dracut
    dracut-059-15.fc39.x86_64
    [14:55:28] fcomolli@fedora ~ $

and my kernel is:

    [14:55:46] fcomolli@fedora ~ $ uname -a
    Linux fedora 6.6.0-360.vanilla.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 30 05:03:23 UTC 2023 x86_64 GNU/Linux
    [14:56:07] fcomolli@fedora ~ $

Thanks for looking.
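An added example, not part of the original report: a shell check that classifies a boot's kernel log by the same messages quoted above, so an administrator can tell whether early microcode was applied. The function names and verdict strings are assumptions made for this sketch; the sample input is constructed from the two dmesg excerpts in the report.

```shell
#!/bin/sh
# Added example (not from the report): classify the microcode state from
# kernel log text. Typical use: journalctl -k -b | classify_microcode_log

# Constructed samples: the before/after dmesg lines quoted in the report.
BEFORE='Nov 12 12:03:11 fedora kernel: GDS: Vulnerable: No microcode
Nov 12 12:03:11 fedora kernel: microcode: Microcode Update Driver: v2.2.'
AFTER='Nov 12 14:28:10 fedora kernel: microcode: updated early: 0x7e -> 0xac, date = 2023-02-27
Nov 12 14:28:10 fedora kernel: microcode: Microcode Update Driver: v2.2.'

# Reads kernel log lines on stdin and prints one verdict line
# (verdict strings are hypothetical labels chosen for this example).
classify_microcode_log() {
    awk '
        /microcode: updated early: / {
            early = 1
            # Pick the revisions on either side of the "->" token.
            for (i = 2; i < NF; i++)
                if ($i == "->") { from = $(i - 1); to = $(i + 1) }
            sub(/,$/, "", to)          # "0xac," -> "0xac"
        }
        /GDS: Vulnerable: No microcode/      { gds = 1 }
        /microcode: Microcode Update Driver/ { driver = 1 }
        END {
            if (early)       printf "early-update %s %s\n", from, to
            else if (gds)    print "no-early-update gds-vulnerable"
            else if (driver) print "no-early-update"
            else             print "unknown"
        }'
}

# GDS verdict as the running kernel reports it through sysfs; the optional
# argument overrides the path, and "unavailable" means the file is absent.
gds_sysfs_state() {
    f=${1:-/sys/devices/system/cpu/vulnerabilities/gather_data_sampling}
    if [ -r "$f" ]; then cat "$f"; else echo "unavailable"; fi
}

printf 'before: %s\n' "$(printf '%s\n' "$BEFORE" | classify_microcode_log)"
printf 'after:  %s\n' "$(printf '%s\n' "$AFTER" | classify_microcode_log)"
printf 'sysfs:  %s\n' "$(gds_sysfs_state)"
```

A "no-early-update" verdict after regenerating the initramfs is the signal to look at whether dracut included the microcode at all.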
Forwarded by mail: https://lore.kernel.org/kernel-janitors/c67bd324-cec0-4fe4-b3b1-fc1d1e4f2967@leemhuis.info/
FWIW, Linus said that this doesn't need fixing on the kernel side: https://lore.kernel.org/kernel-janitors/CAHk-=wiV+NM+jLKbSj_Ej9RaXpu4akWV03G_wXyTSHZhArq1tg@mail.gmail.com/