
microcode updates and spectre variant 2

Koji contains linux-firmware-20171215-82.git2451bb22.fc27 which
contains intel-ucode from 20171117. But I don't know if this firmware
contains the microcode required to completely secure from Spectre
variant 2.

https://access.redhat.com/articles/3311301
"This vulnerability requires both updated microcode and kernel patches"

Intel has released microcode 20180108, but there are no builds in koji
yet for this version so I manually applied them from
https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File

and also updated the initramfs with dracut -f so the change is
persistent. This does change the microcode on my laptop compared to
the Fedora supplied microcode.

Intel doesn't provide very good release notes about what the microcode
is doing. Someone asked about this on a message board regarding the
2018 release, and the response is merely "we're looking into it".

https://communities.intel.com/message/518872#518872

Comments

Re: microcode updates and spectre variant 2

By Randy Barlow at 01/15/2018 - 11:00

On 01/12/2018 03:31 PM, Chris Murphy wrote:
I'm quite surprised that my PIII is getting a microcode update. It's 18
years old!

Re: microcode updates and spectre variant 2

By Petr Pisar at 01/16/2018 - 05:30

On 2018-01-15, Randy Barlow < ... at fedoraproject dot org> wrote:
Check the date baked into the microcode and reported by the kernel.
In my case, Linux started to report:

$ dmesg |grep microcode
[ 0.000000] microcode: microcode updated early to revision 0xa0b, date = 2010-09-28
[ 1.462370] microcode: sig=0x1067a, pf=0x10, revision=0xa0b
[ 1.466454] microcode: Microcode Update Driver: v2.2.

I doubt Intel fixed the Spectre bug seven years ago.

-- Petr

Re: microcode updates and spectre variant 2

By Justin M. Forbes at 01/15/2018 - 11:07

On Mon, Jan 15, 2018 at 9:00 AM, Randy Barlow
< ... at fedoraproject dot org> wrote:
Justin

Re: microcode updates and spectre variant 2

By Michael Cronenworth at 01/15/2018 - 11:04

On 01/15/2018 09:00 AM, Randy Barlow wrote:
On the flip side: One of my systems has an i3-3225 (Ivy Bridge) that has not
received an update.

Re: microcode updates and spectre variant 2

By Justin M. Forbes at 01/15/2018 - 11:09

On Mon, Jan 15, 2018 at 9:04 AM, Michael Cronenworth < ... at cchtml dot com> wrote:

Re: microcode updates and spectre variant 2

By Tomasz Torcz at 01/12/2018 - 17:00

On Fri, Jan 12, 2018 at 01:31:25PM -0700, Chris Murphy wrote:
Uhm, there are:
https://koji.fedoraproject.org/koji/packageinfo?packageID=644

* Tue Jan 09 2018 Anton Arapov < ... at redhat dot com> 2:2.1-20
- Update to upstream 2.1-15. 20180108

Intel µcode is traditionally shipped in microcode_ctl.

Re: microcode updates and spectre variant 2

By Josh Boyer at 01/12/2018 - 17:00

On Fri, Jan 12, 2018 at 3:31 PM, Chris Murphy < ... at colorremedies dot com> wrote:
Intel CPU microcode is not provided by the linux-firmware package. It
is shipped in the microcode_ctl package.

Did you actually find intel-ucode in linux-firmware or were you just
assuming that is where it was coming from? I'm asking to make sure it
was a misunderstanding because others might make the same mistake.

https://bodhi.fedoraproject.org/updates/FEDORA-2018-7e17849364

josh

Re: microcode updates and spectre variant 2

By Chris Murphy at 01/12/2018 - 17:28

On Fri, Jan 12, 2018 at 2:00 PM, Josh Boyer < ... at fedoraproject dot org> wrote:
Huh. So I have updates-testing enabled but I have
microcode_ctl-2.1-19.fc27 still. And microcode_ctl-2.1-20.fc27 is
stable.

I have no idea why I thought it was in linux-firmware.

Re: microcode updates and spectre variant 2

By Chris Murphy at 01/15/2018 - 13:58

On Fri, Jan 12, 2018 at 2:28 PM, Chris Murphy < ... at colorremedies dot com> wrote:
This showed up in today's batch of updates in GNOME Software, but I
did not get a notification for it. In fact I haven't received a
notification for software updates in probably two weeks. I'd like to
think this particular microcode update would be tagged as an urgent
update.

If microcode is updated, but the initramfs isn't regenerated, does the
newer microcode get loaded later in the boot process once available?
Or does it have to be in the initramfs?

Re: microcode updates and spectre variant 2

By Josh Boyer at 01/16/2018 - 07:54

On Mon, Jan 15, 2018 at 12:58 PM, Chris Murphy < ... at colorremedies dot com> wrote:
I can't remember if systemd does this now by default or not. The best
option is to regen the initramfs.

josh

Re: microcode updates and spectre variant 2

By Zbigniew Jędrzejewski-Szmek at 01/16/2018 - 16:36

On Tue, Jan 16, 2018 at 06:54:36AM -0500, Josh Boyer wrote:
systemd does not regenerate the initramfs, and never did. I think this is
only done automatically upon kernel upgrade.

Zbyszek

Re: microcode updates and spectre variant 2

By Josh Boyer at 01/16/2018 - 16:42

On Tue, Jan 16, 2018 at 3:36 PM, Zbigniew Jędrzejewski-Szmek
< ... at in dot waw.pl> wrote:
Sorry, I was unclear. I meant I don't know if systemd has a service
to reload microcode later during the boot.

josh

Re: microcode updates and spectre variant 2

By Zbigniew Jędrzejewski-Szmek at 01/16/2018 - 17:06

On Tue, Jan 16, 2018 at 03:42:42PM -0500, Josh Boyer wrote:
Oh, afaik it has to be loaded very early. early-microcode cpio image is
generated and used when the kernel is starting. I don't think we can
load microcode later.

Zbyszek

Re: microcode updates and spectre variant 2

By Josh Boyer at 01/16/2018 - 22:48

On Tue, Jan 16, 2018 at 4:06 PM, Zbigniew Jędrzejewski-Szmek
< ... at in dot waw.pl> wrote:
I got irritated at myself for not remembering, so I looked at the code.

There is a mechanism in the kernel to support loading microcode later
in the boot. It can be done through
/sys/devices/system/cpu/microcode/reload. However, nothing in Fedora
leverages this and it is really dependent on the class of problem and
how the microcode fixes it.

All that to say, rebuild the initramfs. It's the safest way to fix
ucode issues.

josh

Re: microcode updates and spectre variant 2

By Chris Murphy at 01/20/2018 - 16:03

$ grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline

All of my machines show this same information. My understanding is
spectre variant 2 requires both microcode and kernel patches, but
variant 1 (CVE-2017-5753) requires only kernel patches. Why is a
vulnerability still shown here?

kernel-4.14.14-300.fc27.x86_64
microcode_ctl-2.1-20.fc27.x86_64

dnf info microcode_ctl then points to https://pagure.io/microcode_ctl
where I find the note that this version contains:
Intel CPU microcode update. 20180108

Excerpt from /proc/cpuinfo
model name : Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz
microcode : 0xc2
bugs : cpu_meltdown spectre_v1 spectre_v2

The microcode was 0xbe before the microcode update.

Chris Murphy
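Petr's dmesg date check and Chris's sysfs listing above are the three places an admin reads microcode state from; this added script (not code from the thread or from Fedora) parses them and reports whether the running revision came from the early initramfs load. The sample inputs are constructed for this example, and revision 0xc2 with its date are stand-in values, not real data.

```shell
#!/bin/sh
# Added example (not from the thread): parse the three sources the posts
# above read microcode status from: dmesg, /proc/cpuinfo and the sysfs
# vulnerabilities directory. Sample inputs below are constructed for this
# example (revision 0xc2 and the date are stand-ins, not real values).
SAMPLE_VULN='meltdown:Mitigation: PTI
spectre_v1:Vulnerable
spectre_v2:Mitigation: Full generic retpoline'
SAMPLE_CPUINFO='model name : Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz
microcode : 0xc2
bugs : cpu_meltdown spectre_v1 spectre_v2'
SAMPLE_DMESG='[ 0.000000] microcode: microcode updated early to revision 0xc2, date = 2017-11-17
[ 1.462370] microcode: Microcode Update Driver: v2.2.'

# Entries still reported as "Vulnerable"; input is the "path:status" form
# that `grep . /sys/devices/system/cpu/vulnerabilities/*` prints.
unmitigated() {
    awk -F: '$2 ~ /^Vulnerable/ { sub(/.*\//, "", $1); print $1 }'
}
# Revision the CPU reports in /proc/cpuinfo (first CPU only).
cpuinfo_microcode() {
    awk -F': *' '$1 ~ /^microcode/ { print $2; exit }'
}
# Revision and build date the kernel loaded early from the initramfs
# (Petr's dmesg check); empty if no early load happened.
early_revision() {
    sed -n 's/.*updated early to revision \(0x[0-9a-f]*\).*/\1/p' | head -n 1
}
early_date() {
    sed -n 's/.*updated early to revision .* date = \([0-9-]*\).*/\1/p' | head -n 1
}
# Verdict: did the running revision come from the early load, which is
# what regenerating the initramfs (the thread's advice) ensures?
microcode_verdict() {   # $1 = cpuinfo text, $2 = dmesg text
    cur=$(printf '%s\n' "$1" | cpuinfo_microcode)
    early=$(printf '%s\n' "$2" | early_revision)
    if [ -z "$early" ]; then
        echo "no-early-load:$cur"       # initramfs carried no microcode for this CPU
    elif [ "$early" = "$cur" ]; then
        echo "early-load-ok:$cur:$(printf '%s\n' "$2" | early_date)"
    else
        echo "late-load:$early->$cur"   # a later reload changed the revision
    fi
}

# Demonstration on the constructed samples; for a live box feed it
# `grep . /sys/devices/system/cpu/vulnerabilities/*`, /proc/cpuinfo and dmesg.
printf '%s\n' "$SAMPLE_VULN" | unmitigated
microcode_verdict "$SAMPLE_CPUINFO" "$SAMPLE_DMESG"
```

A "late-load" verdict means the revision in the CPU differs from the one the kernel loaded from the initramfs, which is the stale-initramfs situation Josh describes above.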

Re: microcode updates and spectre variant 2

By Chris Murphy at 01/24/2018 - 14:13

Intel has pulled the 20180108 microcode due to some CPUs crashing
(uncommanded reboots are a crash), and they have reverted latest
recommended to 20171117. And they appear to be recommending no longer
deploying the 20180108 microcode, but I can't tell if they are
directing this to firmware oems or OS deployment.

https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/
https://downloadcenter.intel.com/download/27337/Linux-Processor-Microcode-Data-File?v=t

Re: microcode updates and spectre variant 2

By Justin M. Forbes at 01/24/2018 - 18:59

On Wed, Jan 24, 2018 at 12:13 PM, Chris Murphy < ... at colorremedies dot com> wrote:
Justin