Intel Is Bringing A Feature Upgrade To Linux That Will Make Windows Users Jealous

One of the comments from the article:

Almost verbatim what I was thinking, especially with Intel's track record the last four years with the multitude of hardware vulnerabilities.
I had the same exact thought. I get the benefit but the downside is huge. When your PC is in operation I believe CMOS is in a read-only state. To make it so that it can be written to while you're using it gives me severe heartburn.
 
Dells have had this for a few years now and it works fine. The BIOS updates come down with Windows Update and are applied during reboot.
 
Dells have had this for a few years now and it works fine. The BIOS updates come down with Windows Update and are applied during reboot.
The scary part:
"Under the PFRUT driver set, the update is handled entirely by the operating system, without restarting the computer."

Unless I'm reading that wrong, they are saying you'll be able to apply a BIOS while the computer is running.
 
The scary part:
"Under the PFRUT driver set, the update is handled entirely by the operating system, without restarting the computer."

Unless I'm reading that wrong, they are saying you'll be able to apply a BIOS while the computer is running.
Oh, in OS?! Missed that part, yeah that could be scary...
 
You can also do this with IPMI (or SSM) on Supermicro stuff without rebooting on any OS, and IIRC there is also a command line loader for Linux?
 
Well, for my personal builds, I always update my bios inside the bios, from a flash drive. Flashing from within an OS is a crapshoot and something I will not do, unless it is the only way to do it. (HP and Dell, I am looking at you.)
 
Doesn't a BIOS update usually set the settings back to default? Sounds like it could be a problem for some users, their BIOS settings suddenly changing.
 
Doesn't a BIOS update usually set the settings back to default? Sounds like it could be a problem for some users, their BIOS settings suddenly changing.
Sometimes, sometimes not. I always reset anyways. After my last update on my sig system it even told me that my saved profiles were no longer compatible.
 
Seems to make sense for servers and things where 24/24 has value; I do not imagine it will be enabled and used by PC users (for a while).
 
Nice! A 24/7/365 always on security hole to save a single 20 second reboot for a task that happens maybe once a year! WTG INTEL!!
Yeah, not jealous at all here. Some things need to stay outside of the OS. Linux's "kitchen sink" approach is going to bite back hard some day.
 
HP servers are the same way.
Did not know that but kinda figured there'd be others doing it, at least in enterprise or business class stuff. I've only dealt with the Dell stuff recently. Their way does seem safer than what this is proposing, I think; I guess either could end up being exploited somehow someday...
 
Did not know that but kinda figured there'd be others doing it, at least in enterprise or business class stuff. I've only dealt with the Dell stuff recently. Their way does seem safer than what this is proposing, I think; I guess either could end up being exploited somehow someday...
I've dealt with a bunch of Dell and HP servers over the course of my very long career in IT.
 
2022 will be the year of Linux! ... checks list ... needs one less reboot per year!
 
This is actually going to be really good for my day job. While we have tons of redundancy and capacity to manage the (currently needed) reboots, it'll still be nice to be able to hot update BIOS/UEFI.

I couldn't care less on home desktop. That really isn't the target here, either, though I'm sure it'll end up there.
 
I regularly reboot and shut down my Windows computer, so no, not making me jealous to have to do it for a BIOS update. I also imagine the vast majority of Windows users have never even considered doing a BIOS update.

Gotta make those outrageous headlines for the clicks I suppose.
 
Malware can be applied whether the UEFI update is applied on boot or while the system is running, that's the problem with UEFI in general. Furthermore, this is only for servers at this stage, not desktop Linux.
 
I regularly reboot and shut down my Windows computer, so no, not making me jealous to have to do it for a BIOS update. I also imagine the vast majority of Windows users have never even considered doing a BIOS update.

Gotta make those outrageous headlines for the clicks I suppose.
I am going to see if this is available for my VMware systems. Those take their sweet time rebooting, upwards of 45 min in some cases, and the process of initiating a failover so the secondary host takes over causes its own set of interruptions, so the ability to do firmware updates to those with no reboots required would be a nice thing. It seems that one controller or another needs one of those and a reboot every other week, so this is a monthly occurrence for me.
 
More hardware and software complexity to solve a non-existent problem.
At an enterprise level it can exist; how do you flash the BIOS of 100's of remote laptops?

I know depending on what level of management you have over those devices you can find tools from the OEMs to do it, but for many you cannot, so it is all done via SCCM and via Windows with a reboot completing the actual upgrade.
 
First, this is a server-only feature and is very useful. Servers are expected to have zero downtime AND also be secure. With this you can apply the latest security updates immediately without affecting your business.

Or if you're an administrator, you could do the update yourself remotely (or automate it) on hundreds or thousands of machines depending on your use case. This is huge.
 
First, this is a server-only feature and is very useful. Servers are expected to have zero downtime AND also be secure. With this you can apply the latest security updates immediately without affecting your business.

Or if you're an administrator, you could do the update yourself remotely (or automate it) on hundreds or thousands of machines depending on your use case. This is huge.
There is always something else that will need a restart and patches are applied in bulk during maintenance windows so it’s not like a single update is going to change something. It’s an interesting feature but not one that solves any real world problem while introducing another attack vector.
 
There is always something else that will need a restart and patches are applied in bulk during maintenance windows so it’s not like a single update is going to change something. It’s an interesting feature but not one that solves any real world problem while introducing another attack vector.
It absolutely solves a problem for my company. And not a trivial one, considering the 10's of thousands of servers we have out there. We've already automated pretty much all other updates and made them non-impactful, so not having to reboot for this is really good for us. Please don't assume you know what's best for everyone, or how meaningful stuff like this is for truly massive scale places.
 
It absolutely solves a problem for my company. And not a trivial one, considering the 10's of thousands of servers we have out there. We've already automated pretty much all other updates and made them non-impactful, so not having to reboot for this is really good for us. Please don't assume you know what's best for everyone, or how meaningful stuff like this is for truly massive scale places.
As someone who worked for OEMs in the enterprise space, and now works for a major SI in the same space - doing this without the same change control window you'd normally have for a reboot anyway is probably not a good idea. That would terrify me. At least for the first few years.

Way better a planned reboot than an unplanned "that crashed... and didn't come back."
 
As someone who worked for OEMs in the enterprise space, and now works for a major SI in the same space - doing this without the same change control window you'd normally have for a reboot anyway is probably not a good idea. That would terrify me. At least for the first few years.

Way better a planned reboot than an unplanned "that crashed... and didn't come back."
It's always during planned maintenance windows, and as I previously said, we have redundancy and capacity already baked in for reboots and failures. But now we'll be able to do things quicker and more often (though, honestly, how often do new BIOS/UEFI come out? Maybe quarterly?). We can lose 3-4 racks in any row without anyone even noticing - we don't even page out for that small of a failure, currently :)
 
There is always something else that will need a restart and patches are applied in bulk during maintenance windows so it’s not like a single update is going to change something. It’s an interesting feature but not one that solves any real world problem while introducing another attack vector.
With live kernel update and live BIOS update... most reasons you NEED to reboot are covered. While you may still have to restart specific software... and in many cases perhaps a reboot makes sense anyway. This however is a good solution for a handful of large specific single purpose machines where 30 min maintenance means downtime during in-use hours, or having someone working in the middle of the night. lol
 
Also, people may be looking at this from a Windows perspective. On Linux you rarely, if ever, actually need to reboot. I upgraded from Ubuntu 20.04 to 21.10 (the next major release, like going from Windows 10 to Windows 11) and I didn't even need to reboot my system.
 
This feature doesn't entirely eliminate the need to reboot to complete a firmware update, where the term update is used to include the activation of said firmware. The article is misleading. It will allow the update of "certain pieces of the platform firmware" at runtime, but it's not clear (to me) what those pieces are going to be. I'd assume more details will be available with the upcoming release of Sapphire Rapids.

Kernel support for PFRUT is available right now. The patches apply to any recent kernel and are enabled by CONFIG_ACPI_PFRUT, but will of course require hardware and vendor support to become useful.
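A defender-side inventory check for the kernel support described above, added here as an example and not code from the thread or the kernel project: it parses a kernel config for CONFIG_ACPI_PFRUT and looks for the PFRUT update device node, whose name (/dev/acpi_pfr_update0) is an assumption taken from the kernel's pfrut admin documentation.

```shell
#!/bin/sh
# Added example: report whether a host exposes the PFRUT runtime firmware
# update path. CONFIG_ACPI_PFRUT is the kernel option named in the thread;
# the device node name /dev/acpi_pfr_update0 is an assumption taken from the
# kernel's pfrut admin documentation, adjust it if your kernel differs.

# Print y, m, n or absent for CONFIG_ACPI_PFRUT in the given config file.
pfrut_config_state() {
    cfg="$1"
    [ -r "$cfg" ] || { echo absent; return 0; }
    line=$(grep -E '^(# )?CONFIG_ACPI_PFRUT( is not set|=[ym])$' "$cfg" | head -n 1) || true
    case "$line" in
        CONFIG_ACPI_PFRUT=y) echo y ;;
        CONFIG_ACPI_PFRUT=m) echo m ;;
        "# CONFIG_ACPI_PFRUT is not set") echo n ;;
        *) echo absent ;;
    esac
}

# Return 0 when the PFRUT update character device exists on this host.
pfrut_device_present() {
    [ -c "${1:-/dev/acpi_pfr_update0}" ]
}

# Summarise the live host: config state of the running kernel plus device node.
pfrut_host_report() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp)
        zcat /proc/config.gz > "$tmp"
        state=$(pfrut_config_state "$tmp")
        rm -f "$tmp"
    else
        state=$(pfrut_config_state "/boot/config-$(uname -r)")
    fi
    if pfrut_device_present; then dev=present; else dev=missing; fi
    echo "CONFIG_ACPI_PFRUT=$state device=$dev"
}

# Constructed sample config (not captured from a real machine) for a dry run.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_ACPI=y
CONFIG_ACPI_PFRUT=m
# CONFIG_ACPI_APEI is not set
EOF
echo "sample config: CONFIG_ACPI_PFRUT=$(pfrut_config_state "$SAMPLE_CFG")"
pfrut_host_report
```

A result of y or m together with a present device node means the runtime update interface the thread is debating is reachable from the OS on that host.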
 
From what I understand it's already in the UEFI spec and might already be available in hardware but maybe I misunderstood the article.
 
Like the malware argument, it doesn't matter if you have a failed flash while running or a failed flash while booting...Either way, that machine ain't booting again until the flash issue is resolved.

All you need to do is plan the reboot at the same time you normally perform planned maintenance. Better yet, don't reboot.
 
Dells have had this for a few years now and it works fine. The BIOS updates come down with Windows Update and are applied during reboot.
This is how my aunt's laptop became a brick when it was doing a BIOS update that failed. BIOS updates aren't something you do while using the laptop, and if the user doesn't know it's happening then it could brick the device. Funny enough, I put Linux Mint on her laptop to prevent this and then made it look like Windows. She had no idea.
 
From what I understand it's already in the UEFI spec and might already be available in hardware but maybe I misunderstood the article.
The EFI/UEFI spec has changed a lot since Intel first launched it with their Itanium systems back in the 90’s. Lots of different versions of it and lots of different implementations, so it’s vendor specific on what parts of it they implemented, and I’m pretty sure this one is optional. It’s probably available in their server class hardware for the last generation or two, but consumer parts I would be shocked to find it there. It’s too big a security hole to place there; in server environments it would be a non-issue: any bad actor who has the ability to run an executable with root credentials and has enough info about your environment to tailor fit a BIOS module for your servers has you dead to rights. But in the consumer market they could just target the top 5 selling laptop/desktop models from the top 5 OEMs and score most of them with the standard phishing methods already in use.
 