Thor Lancelot Simon <tls@rek.tjls.com> writes:
> Um, because it's almost impossible to do it securely any other way?

uh...  so, install them early on in the boot sequence.

if you're truly scared of that:

* you should be more scared of the other possibilities for
  insecurity ("hey, i just replaced all of /bin!"), or

* if you've taken the appropriate steps to lock those things
  down (i.e., chflags etc.) then you know and can do the identical set
  of operations for microcode loaders and files.


cgd