Are CPU microcode updates always ignored by Hypervisors?

linux kvm-virtualization

Yes, hypervisors (the ones which aren't unusually broken, at least) will always refuse microcode update access from guests (VMs). Any microcode updates must be delivered either by the hypervisor itself, or by system firmware/boot-loader.

The reason for this is the most obvious: security. A microcode update can change visible details of the ISA (instruction set architecture), and disturb the whole system, up to and including crashing other VMs that were not prepared for the ISA changes, etc (refer to the Intel TSX microcode fix that removed the Intel TSX-NI instructions for an example).

Also, there are microcode-update-level attacks, and those, when successful, will bring down the entire system. Thus, one VM could crash the hypervisor and all other VMs. Refer to the Inertiawar paper on Intel microcode updates for an example.

Also, an hypervisor might expose to the guest a different, sometimes synthesized CPU model, than the one it is really running at. The guest has no business trying to update the microcode of such a CPU.

Microcode updates are, therefore, an attack surface all hypervisors worth something will close down.

Related

Allow internet access for ec2 instances with private IP addresses inside a public subnet?
Cannot start sshd service: Failed to start openssh.service: Unit not found
What is the unit of a "page" in /proc/<pid>/statm
HAProxy - Add response header based on request host
Private address space IP found in X-Forwarded-For
get a list of instances on ec2 without termination protection?
How to do proper VPS timekeeping?
Error: XFS filesystem is not valid as a default fs type
Cloudflare and .DE domain
Google Cloud Instance hostname (Compute Engine)
Cygwin Windows < Linux rsync - connection unexpectedly closed
The math of waiting to be sitted