Rizwan Qureshi has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/27369 )

Change subject: soc/intel/basecode: Add support for updating ucode loaded via FIT ......................................................................

Patch Set 33:

(2 comments)

Patch Set 33:

(1 comment)

The more I'm thinking about this the more I realize that I don't understand the purpose of this update mechanism.

For being able to perform the update, you already need a RO MCU that works good enough to get you to ramstage. At this point, you can already apply additional MCUs from any RW partition. So what kind of issue would have to be fixed by an update that makes use of this mechanism?

In other words, what problem can this new update mechanism fix, that current mechanisms can't? And is it worth the added complexity and accompanying security degradation (more code is always more error- prone)?

Microcode patch contains patch for Punit as well, and that has to be applied prior to reset. Hence the effort to load the updated microcode via FIT.

https://review.coreboot.org/#/c/27369/30//COMMIT_MSG Commit Message:

https://review.coreboot.org/#/c/27369/30//COMMIT_MSG@10 PS30, Line 10: them

microcode updates.

Done

https://review.coreboot.org/#/c/27369/30//COMMIT_MSG@22 PS30, Line 22: I

Added an option to cbfs tool to do that. […]

Done