Intel Posts Updated Microcode Files For Linux

  • #11
    Originally posted by garegin View Post
    The microcode updates in software are the same as microcode updates through BIOS, right?
    Also, does Windows get them through software?
    TL;DR: microcode updates are non-persistent; no, they're not the same, but they can provide the same protection.

    Literally, the BIOS is software, but no, they are not the same, because the timing is different. If you are booting from the network, then if the microcode updates are in the boot firmware you will be protected before interacting with the network.

    Also, if the microcode is in firmware, then you are protected even if you boot an OS image that lacks the firmware update.

    In Linux, microcode updates are loaded by the kernel early in the boot process, in the initrd, long before networking is started, unless you are booting from the network.

    In Windows, I assume it is also loaded very early so it can amend errata that could prevent the kernel from correctly booting... that would be a design goal.


    Last edited by linuxgeex; 10 January 2018, 11:07 AM.



    • #12
      The question is: does Windows get microcode updates?



      • #13
        Intel should have to post on each processor specification page and document what ailments the processor is affected by and how to mitigate them. At the moment, none of Intel's information even states what issues are inherent within their own products. So far it has just been PR and white papers.

        No different from car manufacturers having to list their defects / recalls.



        • #14
          Originally posted by entropy View Post

          On top, the state of the whole case is *extremely* confusing for me.
          • Which products will get microcode updates addressing Meltdown.
          • How effective are those and what are they targeting?
            • This might differ significantly between CPU microarchitectures/families/steppings
          • Which kernels get fixes and how effective are they?
          E.g. if you have RHEL/CentOS{6,7} systems, you might be in trouble.

          RHEL7 is based on a heavily patched 3.10.x kernel, while RHEL6 is 2.6.32.
          According to this source

          All (K)PTI patches floating around for kernels older than 4.14 are *different* - in the sense that they are based on much older KAISER patches which come with a load of issues.

          Is there any official (or even unofficial) statement by Red Hat/CentOS available on that matter?

          There are 3 different vulnerabilities: Meltdown, Spectre variant 1 and Spectre variant 2. They are all related, but they are distinct, separate bugs.

          Meltdown only works on Intel processors. It cannot be fixed via microcode. Instead there have been patches for Linux, Windows and macOS to work around the bug. In Linux the patch is KPTI, and it is the patch that has the worst performance impact on some workloads. With the patch the bug is still there, but the kernel stays out of reach so the bug cannot be used to read kernel data. Meltdown is by far the most severe bug; it is trivial to exploit and has serious consequences. Without the patches, any application can read anything in the kernel, including secret keys.

          Spectre v1 and v2 work on Intel, ARM and AMD processors. They are much harder to exploit, but they are also much harder to work around. There are patches for gcc and the kernel to mitigate these issues. These microcode updates appear to help mitigate the risk of Spectre v1 and v2, but do not help at all for Meltdown.



          • #15
            Off-topic:
            I installed the testing "intel-ucode" Arch package.
            I still don't see the new microcode take effect on boot, even though Intel's link says it applies to this hardware. Any ideas?
            Hardware = Core i3-2330M



            • #16
              Originally posted by sarfarazahmad View Post
              Off-topic:
              I installed the testing "intel-ucode" Arch package.
              I still don't see the new microcode take effect on boot, even though Intel's link says it applies to this hardware. Any ideas?
              Hardware = Core i3-2330M
              Did you try force reloading the microcode via sysfs?
              Michael Larabel
              https://www.michaellarabel.com/



              • #17
                Originally posted by Michael View Post

                Did you try force reloading the microcode via sysfs?
                That's an intriguing idea. Though I just rebooted the box. Intel's notes say that it does contain the microcode update for that hardware. But it looks like it doesn't. I don't think it contains updated microcodes for all the CPUs listed in there.


                Here:
                Code:
                 # bsdtar -Oxf /boot/intel-ucode.img | iucode_tool -tb -ls0x206a7 -
                 microcode bundle 1: (stdin)
                 selected microcodes:
                   001/136: sig 0x000206a7, pf_mask 0x12, 2013-06-12, rev 0x0029, size 10240
                Code:
                 # bsdtar -Oxf /boot/intel-ucode.img | iucode_tool -tb -l --date-after=2017-11-17 -
                 selected microcodes:
                   001: sig 0x000306c3, pf mask 0x32, 2017-11-20, rev 0x0023, size 23552
                   002: sig 0x000306e4, pf mask 0xed, 2017-12-01, rev 0x042a, size 15360
                   003: sig 0x00040651, pf mask 0x72, 2017-11-20, rev 0x0021, size 22528
                   004: sig 0x00040661, pf mask 0x32, 2017-11-20, rev 0x0018, size 25600
                   005: sig 0x00050654, pf mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
                   006: sig 0x00050662, pf mask 0x10, 2017-12-16, rev 0x0014, size 31744
                   007: sig 0x00050663, pf mask 0x10, 2017-12-16, rev 0x7000011, size 22528
                   008: sig 0x000706a1, pf mask 0x01, 2017-12-26, rev 0x0022, size 73728
                   009: sig 0x000806e9, pf mask 0xc0, 2018-01-04, rev 0x0080, size 98304
                   010: sig 0x000806ea, pf mask 0xc0, 2018-01-04, rev 0x0080, size 98304
                   011: sig 0x000906e9, pf mask 0x2a, 2018-01-04, rev 0x0080, size 98304
                   012: sig 0x000906ea, pf mask 0x22, 2018-01-04, rev 0x0080, size 97280
                   013: sig 0x000906eb, pf mask 0x02, 2018-01-04, rev 0x0080, size 98304
                Is there a better way to post command outputs here?
                Last edited by sarfarazahmad; 10 January 2018, 02:55 PM.

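An added check, written for this thread and not code from the post above or from the intel-ucode package, that does what sarfarazahmad did by hand: it derives the CPUID signature iucode_tool prints from /proc/cpuinfo, looks that signature up in an iucode_tool listing, and compares the bundle's revision with the revision already running. The sample cpuinfo and listing are constructed from the Core i3-2330M values posted above; the function names are my own.

```shell
# Added example (not from the thread): does /boot/intel-ucode.img carry a
# newer revision for the running CPU than the one /proc/cpuinfo already shows?
# Needs only sh, awk, sed and an "iucode_tool -l" listing as shown in the post.

# CPUID signature as iucode_tool prints it, from the decimal "cpu family",
# "model" and "stepping" fields of /proc/cpuinfo. Bit layout: [27:20] extended
# family, [19:16] extended model, [11:8] family, [7:4] model, [3:0] stepping.
cpuid_sig() {
    fam=$1 mod=$2 step=$3
    if [ "$fam" -ge 15 ]; then ext_fam=$((fam - 15)); fam=15; else ext_fam=0; fi
    printf '0x%08x' $(( (ext_fam << 20) | ((mod >> 4) << 16) | (fam << 8) | ((mod & 15) << 4) | step ))
}

# Highest revision listed for signature $2 in an "iucode_tool -l" listing
# file $1 (decimal). Prints 0 when the bundle has nothing for that CPU.
bundle_rev() {
    best=0
    for r in $(sed -n "s/.*sig $2, pf[_ ]mask 0x[0-9a-f]*, [0-9-]*, rev \(0x[0-9a-f]*\).*/\1/p" "$1"); do
        if [ $((r)) -gt "$best" ]; then best=$((r)); fi
    done
    printf '%d' "$best"
}

# Value of field $2 (e.g. "microcode") for the first processor in cpuinfo file $1.
cpuinfo_field() {
    awk -F': ' -v k="$2" '$1 ~ "^" k "[ \t]*$" { print $2; exit }' "$1"
}

# Verdict for cpuinfo file $1 against listing file $2:
# "update-available", "already-current" or "not-in-bundle".
ucode_status() {
    sig=$(cpuid_sig "$(cpuinfo_field "$1" 'cpu family')" "$(cpuinfo_field "$1" model)" "$(cpuinfo_field "$1" stepping)")
    running=$(( $(cpuinfo_field "$1" microcode) ))
    have=$(bundle_rev "$2" "$sig")
    if [ "$have" -eq 0 ]; then echo not-in-bundle
    elif [ "$have" -gt "$running" ]; then echo update-available
    else echo already-current; fi
}

# Constructed sample data mirroring the Core i3-2330M case in the thread.
SAMPLE_CPUINFO=$(mktemp); SAMPLE_LISTING=$(mktemp)
printf 'cpu family\t: 6\nmodel\t\t: 42\nmodel name\t: Intel(R) Core(TM) i3-2330M\nstepping\t: 7\nmicrocode\t: 0x29\n' > "$SAMPLE_CPUINFO"
printf '  001/136: sig 0x000206a7, pf_mask 0x12, 2013-06-12, rev 0x0029, size 10240\n' > "$SAMPLE_LISTING"

ucode_status "$SAMPLE_CPUINFO" "$SAMPLE_LISTING"   # prints already-current
```

On a live box, save the listing first (bsdtar -Oxf /boot/intel-ucode.img | iucode_tool -tb -l - > listing.txt) and run ucode_status /proc/cpuinfo listing.txt; "already-current" for a 2013 revision is exactly the situation the post above describes.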


                • #18
                  Interesting, I already had the microcode update on Dec 31st with the
                  XPS 13 9350 1.6.1 BIOS on my laptop.



                  • #19
                    Originally posted by fguerraz View Post
                    Interesting, I already had the microcode update on Dec 31st with the
                    XPS 13 9350 1.6.1 BIOS on my laptop.
                    Same CPU ? Core i3-2330M ?



                    • #20
                      Originally posted by garegin View Post
                      The question is: does Windows get microcode updates?
                      Yeah, they do. I can't speak for this vulnerability specifically, but Windows updates also deliver microcode updates. If the vendors send them stuff, they can deliver it with WUpdate.
