Date: Mon, 18 Jun 2007 09:54:40 -0700
From: Sherry Moore <sherry.moore at sun.com>
Subject: Re: 2007/349 [Intel Microcode Update Support]
> The -i option requires privilege to write to the destination.
>
> The -u option requires privilege secpolicy_ucode_update(),
> which is currently PRIV_ALL. The privilege checking will be
> performed by the driver. Users with the "Maintenance and Repair"
> profile will be allowed to execute "/usr/sbin/ucodeadm -u" to
> update microcode.
>
> What privilege does the -i subcommand require? How does it
> compare to the secpolicy_ucode_update() privilege required for
> the -u subcommand? Presumably, the two subcommands require
> identical privilege, but it's best to be explicit.
Actually, I meant to say:
The -i option requires write permission to the destination.
It does not require secpolicy_ucode_update() privilege.
Does that create a way for a user with privilege less than
secpolicy_ucode_update() to arrange to update microcode by writing it
to the location from which it will be read on a subsequent boot and
then rebooting?
-- Glenn