Gábor Boskovits <boskovits@gmail.com> writes:

> The second thing that comes to my mind is to have a free tool to perform
> the microcode update, so that we can inspect, that nothing else on the
> system gets modified.

FWIW there is a tool that does this in Guix already: "iucode-tool".

Here is the latest microcode from Intel:

https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File

Unfortunately it does not contain any updates for my two Sandy Bridge
systems.  So while this discussion is very interesting (and important),
there doesn't seem to be any remediation for systems older than 3-4
years, leaving pretty much all Libreboot systems in the dirt.