Intel engineer Dave Hansen sent out a "request for comments" patch that would have old Intel microcode reported as a system vulnerability. Hansen explained in the patch cover letter (Thu, 07 Nov 2024):
"You can't practically run old microcode and consider a system secure these days. So, let's call old microcode what it is: a vulnerability. Expose that vulnerability in a place that folks can find it:
/sys/devices/system/cpu/vulnerabilities/old_microcode
This is obviously imperfect. But it means that a single file can be maintained with a single list of microcode versions and there is no need to track which version fixed a given bug."
The Linux kernel would maintain a list of the latest Intel microcode versions for each CPU family, which is based on the data from the Intel microcode GitHub repository. In turn this list would need to be kept updated with new Linux kernel releases and as Intel pushes out new CPU microcode files.
This patch does not prevent Linux users from running outdated Intel CPU microcode or anything along those lines. It simply reports a new X86_BUG_OLD_MICROCODE flag if the microcode on the booted processor is known to be an outdated version. The proposed /sys/devices/system/cpu/vulnerabilities/old_microcode interface will read "Vulnerable" when the microcode is outdated.
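As an added example (not code from the kernel patch or from Intel), the following Python script emulates in user space the check the patch describes: it parses `/proc/cpuinfo`-style text, looks up each CPU's (family, model, stepping) signature in a table of latest-known microcode revisions, and reports "Vulnerable" when the running revision is lower. The revision table, the sample cpuinfo text, and the "Not affected" / "Unknown" strings for the non-vulnerable cases are all constructed assumptions for this example; the real kernel list would be derived from Intel's microcode repository as the article says.

```python
"""Emulate the proposed old_microcode vulnerability check in user space.

Added example, not part of the kernel patch. The lookup table and sample
/proc/cpuinfo text below are constructed for illustration only.
"""
import sys

# Constructed table: (family, model, stepping) -> latest known microcode
# revision. These values are hypothetical, NOT real Intel data.
LATEST_MICROCODE = {
    (6, 0x8E, 0xA): 0xF6,        # hypothetical entry
    (6, 0x55, 0x7): 0x5003605,   # hypothetical entry
}


def parse_cpuinfo(text):
    """Parse /proc/cpuinfo text into one dict per logical CPU block."""
    cpus, cur = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends a CPU block
            if cur:
                cpus.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        cpus.append(cur)
    return cpus


def signature(cpu):
    """CPU signature used as the lookup key, as decimal fields in cpuinfo."""
    return (int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))


def microcode_revision(cpu):
    """The running revision, shown in cpuinfo as a hex string like 0xf0."""
    return int(cpu["microcode"], 16)


def is_old_microcode(cpu, table=LATEST_MICROCODE):
    """True if the CPU runs a revision older than the latest known one,
    False if it is current, None if the vendor or signature is not in the table."""
    if cpu.get("vendor_id") != "GenuineIntel":   # the flag is Intel-specific
        return None
    latest = table.get(signature(cpu))
    if latest is None:
        return None
    return microcode_revision(cpu) < latest


def old_microcode_status(text, table=LATEST_MICROCODE):
    """Mirror what the proposed sysfs file would report for the whole system.
    "Vulnerable" matches the patch; the other two strings are assumptions."""
    results = [is_old_microcode(c, table) for c in parse_cpuinfo(text)]
    if any(r is True for r in results):
        return "Vulnerable"
    if all(r is None for r in results):
        return "Unknown"
    return "Not affected"


# Constructed sample: two logical CPUs on an outdated hypothetical revision.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 142
model name\t: (constructed sample)
stepping\t: 10
microcode\t: 0xf0

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 142
model name\t: (constructed sample)
stepping\t: 10
microcode\t: 0xf0
"""

if __name__ == "__main__":
    # Pass --live to read the real /proc/cpuinfo (still against the toy table).
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        with open("/proc/cpuinfo") as f:
            text = f.read()
    else:
        text = SAMPLE_CPUINFO
    print(old_microcode_status(text))
```

Run without arguments it evaluates the embedded sample and prints "Vulnerable", since revision 0xf0 is below the table's 0xf6 for that signature; `--live` applies the same logic to the host, but only the hypothetical table entries can match, which is exactly why the article notes the kernel's list must track Intel's releases.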