> But if you have a way to pop the machine into redstate you can exfiltrate the secret key and actually sign microcode changes that will be accepted as legit.
No. The article mentions that the key required to decrypt microcode updates can be extracted. http://inertiawar.com/microcode/ indicates that the encrypted microcode image is also signed, and being able to decrypt the image doesn't mean you can also generate an appropriate signature.
No. The article mentions that the key required to decrypt microcode updates can be extracted. http://inertiawar.com/microcode/ indicates that the encrypted microcode image is also signed, and being able to decrypt the image doesn't mean you can also generate an appropriate signature.