Date: Thu, 14 Jun 2007 15:51:46 -0700
From: Bart Smaalders <bart.smaalders at sun.com>
Subject: PSARC/2007/349 Intel Microcode Update Support

Extracting from the proposal:

A new command ucodeadm(1M) is introduced to report processor
microcode revision, install microcode files on a target system,
and update microcode on a live system.

    # ucodeadm -h
    usage:
        ucodeadm -v
            Shows running microcode version.

        ucodeadm -u microcode-text-file
            Updates microcode to the latest matching version found in
            microcode-text-file.

        ucodeadm -i [-R path] microcode-text-file
            Installs microcode on the file system to be used
            during subsequent boot.

ucodeadm will be installed in /usr/sbin/. Text for ucodeadm
man page is attached as ucodeadm.man.txt.

The -v option can be performed by a non-privileged user.
The -i option requires privilege to write to the destination.
The -u option requires privilege secpolicy_ucode_update(),
which is currently PRIV_ALL. The privilege checking will be
performed by the driver. Users with the "Maintenance and Repair"
profile will be allowed to execute "/usr/sbin/ucodeadm -u" to
update microcode.

What privilege does the -i subcommand require? How does it compare to
the secpolicy_ucode_update() privilege required for the -u subcommand?
Presumably, the two subcommands require identical privilege, but it's
best to be explicit.
-- Glenn