On Fri, Jul 25, 2014 at 4:54 PM, jwsmobile <jws at jwsss.com> wrote:
> There is no reason to speculate about the microcode. Once you compromise
> the BIOS there is no reason to worry about microcode. You can pretty much do
> anything with a number of mechanisms at that point.
It's possible and not even terribly difficult to detect an altered
BIOS, if you have an image or even just a cryptographic hash of the
correct BIOS image. There are tricks that a BIOS could do to attempt
to conceal its presence, like an OS rootkit, but there is no way to do
it without any detectable effects. It's also possible to install a
non-vendor BIOS, which would render any back doors in the
vendor-supplied BIOS useless.
If the processor microcode has a back door, either built into the chip
or installed as an update at runtime, that's far harder to detect,
because there's no documented mechanism (and probably no undocumented
mechanism) for reading back the microcode or microcode patch.
While it appears based on the Snowden leaks that the NSA already has
the ability to install BIOSes with back doors, it is unknown whether
they have similar capability with microcode. The cost to develop that
ability would be very high, but the potential benefit to them is
absolutely huge, so I wouldn't be quick to write it off.
> However, back to the patch, I am pretty sure there is no remaining mechanism
> for putting in any patches anymore in any production part.
If you're referring to Intel x86 parts, you are incorrect. The
mechanism is there, and it is routinely used. BIOSes contain a
microcode update which is installed at power-up, and Windows will
install newer ones. Even Linux has support for installing the
microcode updates. Here's an Intel web page with a list of Intel
processors supporting microcode updates, and a downloadable file
containing the updates as of October 2012:
https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=21925&a…
> I don't know that AMD does any patching,
They have in all their x86 parts since the K8 (their first 64-bit x86
microarchitecture, introduced in 2003), and they currently distribute
microcode updates for the K10 (2007) and newer:
http://www.amd64.org/microcode.html
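The two checks described in the reply above, as an added example that is not code from either poster: comparing a BIOS flash dump against a known-good digest (and locating the first byte that differs), and reading the microcode revision each CPU reports so it can be compared with the revision the vendor's current update carries. The BIOS image, its digest, the /proc/cpuinfo excerpt and the expected-revision table are all constructed sample data, not real vendor values. The revision itself is what Linux prints as the "microcode" field (the value in IA32_BIOS_SIGN_ID, MSR 0x8B); as the reply notes, the patch body cannot be read back, so this only tells you which revision is loaded, not what it does.

```python
"""Added example: BIOS image verification and microcode revision check.
All sample data below is constructed for illustration."""
import hashlib
import re

# ---- (1) BIOS image check --------------------------------------------------
# Stand-in for a 4 KiB flash dump.  A real dump should come from an external
# SPI programmer where possible, so a modified BIOS cannot lie about its own
# contents when read through the running system.
KNOWN_GOOD_IMAGE = bytes(range(256)) * 16
KNOWN_GOOD_SHA256 = hashlib.sha256(KNOWN_GOOD_IMAGE).hexdigest()


def bios_matches(image: bytes, expected_sha256: str) -> bool:
    """True if the dump hashes to the recorded known-good digest."""
    return hashlib.sha256(image).hexdigest() == expected_sha256.lower()


def first_difference(image: bytes, reference: bytes):
    """Offset of the first byte where the dump departs from the reference,
    or None if they are identical.  Helps localise a modification."""
    n = min(len(image), len(reference))
    for i in range(n):
        if image[i] != reference[i]:
            return i
    return None if len(image) == len(reference) else n


# ---- (2) microcode revision check -----------------------------------------
# Constructed /proc/cpuinfo excerpt for two logical CPUs.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 60
stepping\t: 3
microcode\t: 0x1c

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 60
stepping\t: 3
microcode\t: 0x1c
"""

# Constructed table: lowest acceptable revision per (family, model, stepping).
# In practice, fill it from the revisions in the vendor's current release.
EXPECTED_MIN_REVISION = {(6, 0x3c, 3): 0x1c}

_FIELD = re.compile(r"^([^:\t]+?)\s*:\s*(.*)$")


def parse_cpuinfo(text: str):
    """Split /proc/cpuinfo-style text into one dict per logical CPU."""
    cpus, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                cpus.append(cur)
                cur = {}
            continue
        m = _FIELD.match(line)
        if m:
            cur[m.group(1).strip()] = m.group(2).strip()
    if cur:
        cpus.append(cur)
    return cpus


def check_microcode(cpus, expected=EXPECTED_MIN_REVISION):
    """Return findings as strings; an empty list means every CPU reports an
    acceptable revision and all CPUs agree with each other."""
    findings, revs = [], set()
    for cpu in cpus:
        sig = (int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
        rev = int(cpu["microcode"], 16)
        revs.add(rev)
        want = expected.get(sig)
        if want is None:
            findings.append(f"cpu {cpu['processor']}: no expected revision for {sig}")
        elif rev < want:
            findings.append(f"cpu {cpu['processor']}: revision {rev:#x} older than expected {want:#x}")
    if len(revs) > 1:
        findings.append(f"cpus report differing revisions: {sorted(map(hex, revs))}")
    return findings


if __name__ == "__main__":
    tampered = bytearray(KNOWN_GOOD_IMAGE)
    tampered[0x200] ^= 0xFF  # simulate a single modified byte
    print("known-good image matches:", bios_matches(KNOWN_GOOD_IMAGE, KNOWN_GOOD_SHA256))
    print("tampered image matches:", bios_matches(bytes(tampered), KNOWN_GOOD_SHA256),
          "first difference at", hex(first_difference(bytes(tampered), KNOWN_GOOD_IMAGE)))
    print("microcode findings:", check_microcode(parse_cpuinfo(SAMPLE_CPUINFO)))
```

On a live Linux system the second half would read the real /proc/cpuinfo instead of SAMPLE_CPUINFO; the first half needs a dump taken by a tool such as flashrom or an external programmer, and the digest must have been recorded from a copy you trust.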