Can Intel microcode updates be rolled back?

Let's say I apply (or have applied for me by an automatic update process) a microcode update which fixes, for example, a hyperthreading bug on my Skylake chip.

Are such updates irreversible, or can I later switch back to an earlier microcode?


Solution 1:

The microcode update itself can always be rolled back since it is not persistent, although if that update is being made from firmware (i.e. UEFI/BIOS) you might need to flash a modified firmware to do it:

On newer Intel platforms, microcode updates may forbid hot-downgrades for security reasons (there are three microcode version fields: revision, "SVN" and "VCN", the latter two being unofficial names since they're undocumented. You are not supposed to hot-downgrade the VCN or SVN (refer to [1]), due to security and/or stability reasons). This means you'd need to modify the microcode in the firmware image to be able to downgrade. Note that the operating system kernel by itself already refuses to downgrade microcode revisions, so you'd have to work around it anyway.

Also, a few microcode updates [which, so far, have never been distributed to the general public, only to firmware OEMs, e.g. the Intel Westmere 0x206c2 microcode updates] have persistent side-effects, e.g. by changing data that gets stored in the platform TPM. These persistent side-effects exist for security reasons, to avoid "downgrade attacks" on Intel TXT and/or Intel SGX. In this case, the microcode update can be rolled back easily, but it may leave persistent side-effects in the system that forbid rolling back other firmware components (SINIT ACM for Intel TXT, for example) -- if you do roll these firmware components back, the processor will disable Intel TXT at ANY microcode revision until you upgrade the firmware component again.

[1] https://github.com/platomav/MCExtractor/wiki/Intel-Microcode-Extra-Undocumented-Header

Solution 2:

It depends on how the microcode update is applied. The microcode is patched every time the system boots, either by the motherboard firmware or the OS, so it depends on how easy or difficult it is to roll back those updates.

If the update is coming from the firmware, it should be as easy as "updating" to the older version, assuming it doesn't make any checks and complain that you're going to an older version. If the microcode is coming from Linux, it should be as easy as using your package manager to install an older version.[1] If it's coming from Windows, it may be easy or difficult, because you can easily remove updates with Control Panel, but it won't let you remove updates that "affect important operating system files."


[1] In fact, in Linux Mint (and probably others), you can easily disable the microcode updates altogether in the settings. It actually is off by default because it's proprietary code, and Linux Mint wants the default configuration to be open-source only.
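Both answers turn on the same two facts: a microcode update is a blob with a revision number in its header, and the Linux loader compares that revision against the one already running and refuses anything that is not strictly newer. The script below is an added example for this thread, not code from either answer, from Intel or from the Linux kernel. It parses the publicly documented 48-byte Intel update header, verifies the whole-update checksum, reads the running revision out of `/proc/cpuinfo`-style text, and reproduces the "never downgrade" decision. The header layout is the documented one; the extended-signature table is left out for brevity, and every blob, date and revision in the sample data is constructed (the 0x206c2 signature is the Westmere one the first answer mentions).

```python
"""Parse the 48-byte Intel microcode update header, verify its checksum and
mirror the Linux loader's "never load an older revision" decision.

Example code added for this thread; not from either answer, Intel or the
kernel. Header layout follows Intel's public documentation; the blobs built
below are constructed test data (zero payload, made-up dates and revisions)."""
import re
import struct
from dataclasses import dataclass

HEADER_FMT = "<IIIIIIIII12s"               # nine dwords + 12 reserved bytes
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 48
DEFAULT_DATA_SIZE = 2000                   # data_size == 0 means 2000 bytes
DEFAULT_TOTAL_SIZE = 2048                  # total_size == 0 means 2048 bytes


@dataclass
class MicrocodeHeader:
    header_version: int
    revision: int
    date: int                  # BCD mmddyyyy
    processor_signature: int   # CPUID(1).EAX of the target CPU
    checksum: int
    loader_revision: int
    processor_flags: int       # bit i set => valid for platform ID i
    data_size: int
    total_size: int

    @property
    def date_str(self) -> str:
        d = self.date
        return f"{(d >> 24) & 0xff:02x}/{(d >> 16) & 0xff:02x}/{d & 0xffff:04x}"

    @property
    def sizes(self) -> tuple:
        return (self.data_size or DEFAULT_DATA_SIZE,
                self.total_size or DEFAULT_TOTAL_SIZE)


def parse_header(blob: bytes) -> MicrocodeHeader:
    if len(blob) < HEADER_SIZE:
        raise ValueError("blob shorter than the 48-byte header")
    hdr = MicrocodeHeader(*struct.unpack_from(HEADER_FMT, blob, 0)[:9])
    if hdr.header_version != 1 or hdr.loader_revision != 1:
        raise ValueError("unknown header or loader revision")
    return hdr


def checksum_ok(blob: bytes) -> bool:
    """All 32-bit words of the update (total_size bytes) must sum to 0 mod 2^32."""
    _, total = parse_header(blob).sizes
    if total % 4 or len(blob) < total:
        return False
    words = struct.unpack_from(f"<{total // 4}I", blob, 0)
    return (sum(words) & 0xFFFFFFFF) == 0


def kernel_would_load(current_rev: int, cpu_sig: int, cpu_pf: int,
                      blob: bytes) -> tuple:
    """Loader gate: intact checksum, matching CPU, strictly newer revision.
    Extended-signature tables are omitted for brevity."""
    hdr = parse_header(blob)
    if not checksum_ok(blob):
        return False, "checksum mismatch"
    if hdr.processor_signature != cpu_sig:
        return False, "processor signature does not match"
    if not (hdr.processor_flags & cpu_pf):
        return False, "platform flags do not match"
    if hdr.revision <= current_rev:
        return False, (f"revision 0x{hdr.revision:x} is not newer than running "
                       f"0x{current_rev:x}; downgrade refused")
    return True, f"revision 0x{hdr.revision:x} would be applied"


def running_revision(cpuinfo_text: str) -> int:
    """Pull the 'microcode' field of the first CPU out of /proc/cpuinfo text."""
    m = re.search(r"^microcode\s*:\s*(0x[0-9a-fA-F]+)", cpuinfo_text, re.M)
    if not m:
        raise ValueError("no microcode field found")
    return int(m.group(1), 16)


def build_test_blob(revision: int, date: int, signature: int,
                    flags: int = 0x1) -> bytes:
    """Constructed blob: zero payload, correct checksum (test data only)."""
    data = b"\0" * DEFAULT_DATA_SIZE
    total = HEADER_SIZE + len(data)
    fields = [1, revision, date, signature, 0, 1, flags, len(data), total, b"\0" * 12]
    body = struct.pack(HEADER_FMT, *fields) + data
    fields[4] = (-sum(struct.unpack(f"<{total // 4}I", body))) & 0xFFFFFFFF
    return struct.pack(HEADER_FMT, *fields) + data


# Constructed sample data: signature from the first answer, rest made up.
CPU_SIG = 0x000206C2
OLD_BLOB = build_test_blob(0x10, 0x01152010, CPU_SIG)
NEW_BLOB = build_test_blob(0x14, 0x07312017, CPU_SIG)
SAMPLE_CPUINFO = "processor\t: 0\nvendor_id\t: GenuineIntel\nmicrocode\t: 0x12\n"

if __name__ == "__main__":
    cur = running_revision(SAMPLE_CPUINFO)
    for name, blob in (("old", OLD_BLOB), ("new", NEW_BLOB)):
        h = parse_header(blob)
        print(name, hex(h.revision), h.date_str, kernel_would_load(cur, CPU_SIG, 0x1, blob))
```

Run against a real file from a distribution's intel-ucode package, `parse_header` tells you which revision the package would feed the loader, and `kernel_would_load` shows why installing an older package on Linux, as the second answer suggests, only takes effect at the next cold boot: once a newer revision is running, the in-kernel comparison rejects the older blob until the CPU comes up fresh.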