by TomV1971 3082 days ago
That was a very long time ago.

Microcode can be loaded by the BIOS.

2 comments

Most of the microcode nowadays is loaded by the OS (not BIOS).
Today I learned something.

Doesn't that open a huge attack surface? This code would run super-privileged, wouldn't it?

CPUs will only accept uploads of microcode if they can verify the digital signature, of which the private keys are only known to the CPU manufacturer (i.e. Intel or AMD). Probably it will also only allow upgrades, not downgrades, on a running system. So the only "attack" you can perform if you've gained root is to patch CPU security vulnerabilities by upgrading to a newer valid microcode, and then also only until the next reboot.
Can also be loaded at boot time by the kernel, etc.
Or even after boot time, I think -- you shut down one CPU at a time to load it.
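
A defender-side check that follows from the comments above, added here as an example and not part of the thread: because an OS-loaded microcode update lasts only until the next reboot and CPUs can be updated one at a time, an audit can compare the revision each logical CPU reports against an expected baseline. The `microcode` field of Linux `/proc/cpuinfo` on x86 is real; the sample text and the `BASELINE` value are constructed assumptions.

```python
import re

# Constructed sample in the layout of Linux /proc/cpuinfo on x86 (not real output).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
microcode\t: 0xf0

processor\t: 1
vendor_id\t: GenuineIntel
microcode\t: 0xf0

processor\t: 2
vendor_id\t: GenuineIntel
microcode\t: 0xea
"""

BASELINE = 0xF0  # hypothetical minimum revision an operator expects for this CPU model


def microcode_revisions(cpuinfo_text):
    """Return {logical_cpu: revision} parsed from /proc/cpuinfo-style text."""
    revisions = {}
    for block in re.split(r"\n\s*\n", cpuinfo_text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields and "microcode" in fields:
            revisions[int(fields["processor"])] = int(fields["microcode"], 16)
    return revisions


def audit(revisions, baseline):
    """Flag CPUs below the baseline and report whether revisions differ across CPUs."""
    stale = sorted(cpu for cpu, rev in revisions.items() if rev < baseline)
    return {"stale_cpus": stale, "mixed": len(set(revisions.values())) > 1}


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as handle:
            live = microcode_revisions(handle.read())
    except OSError:
        live = {}
    revisions = live or microcode_revisions(SAMPLE_CPUINFO)  # fall back to the sample
    print({cpu: hex(rev) for cpu, rev in revisions.items()})
    print(audit(revisions, BASELINE))
```

Running the audit after each boot shows whether the OS loader actually reapplied the update or the system came up on the older revision shipped in firmware.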