Updated to the latest Intel microcode, but still vulnerable to one variant.
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Updated to the latest Intel microcode, but still vulnerable to one variant.
Hi, I'm running Slackware 14.2. I've upgraded my kernel to 4.4.144, updated the SBo package for `intel-ucode` to the latest version, regenerated my initrd with MICROCODE_ARCH="/boot/intel-ucode.cpio", and updated my ELILO conf. But it seems I am still vulnerable to `spec_store_bypass`? What am I missing?
Hi, I'm running Slackware 14.2. I've upgraded my kernel to 4.4.144, updated the SBo package for `intel-ucode` to the latest version, regenerated my initrd with MICROCODE_ARCH="/boot/intel-ucode.cpio", and updated my ELILO conf. But it seems I am still vulnerable to `spec_store_bypass`? What am I missing?
Additionally, your CPU microcode doesn't look updated. According to (page 10): https://www.intel.com/content/dam/ww...e-guidance.pdf
Your CPU (IvyBridge Core(TM) i5-3210M) microcode revision should be on:
revision=0x20 and not on revision=0x1f
Try applying this patch for the latest microcode update package from Intel ( Version: 20180703 (Latest) Date: 7/3/2018 ): https://www.linuxquestions.org/quest...4/#post5879706
Even if the latest microcode revision is 0x20 in Intel's Microcode Update Guide, there's still a chance it didn't make it in the published microcode package, but only distributed to the OEM partners.
I'm also in the same boat with my laptop. I updated the microcode on my workstation and laptop today; my workstation has a Xeon E5-1650v2, and my laptop has a Core i5 4250U. I updated my workstation using the Slackbuild and rebuilt my initrd, rebooted and it updates the microcode correctly. On my laptop now, I perform the same steps to update it as I did my workstation, however the microcode never updates beyond 0x23, where Intel lists it should be on 24 now. I checked the dmesg, and on my laptop it never lists anything about the microcode updating as it does on my workstation.
I did notice in the releasenotes for the microcode, it only lists a few processor families, and nothing about Haswell. Is this the reason why my laptop isn't using 0x24. Also, if that's the case, is it normal for it to not be listing that it's using an updated microcode in dmesg, or should it still be saying something?
I did notice in the releasenotes for the microcode, it only lists a few processor families, and nothing about Haswell. Is this the reason why my laptop isn't using 0x24. Also, if that's the case, is it normal for it to not be listing that it's using an updated microcode in dmesg, or should it still be saying something?
I own a DELL i3 Haswell ULT laptop and yesterday DELL releasde a new BIOS for it, flashed it and now I finally have the microcode 0x24 on it. https://www.intel.com/content/dam/ww...e-guidance.pdf
Page 9 Haswell U - New Production MCU Rev 0x24
By using the latest Intel microcode package - Version: 20180703 (Latest) Date: 7/3/2018 I was still on 0x23:
kernel: [ 3.679031] microcode: CPU0 sig=0x40651, pf=0x40, revision=0x23
kernel: [ 3.679173] microcode: CPU1 sig=0x40651, pf=0x40, revision=0x23
Intel is sending the latest microcode updates to its OEM partners first and only after that releasing the updated downloadable package.
That microcode guide they're publishing is good for orientation/expectation only, the release notes that come with the microcode downloadable package are the ones that actually matter.
Additionally, your CPU microcode doesn't look updated. According to (page 10): https://www.intel.com/content/dam/ww...e-guidance.pdf
Your CPU (IvyBridge Core(TM) i5-3210M) microcode revision should be on:
revision=0x20 and not on revision=0x1f
Try applying this patch for the latest microcode update package from Intel ( Version: 20180703 (Latest) Date: 7/3/2018 ): https://www.linuxquestions.org/quest...4/#post5879706
Even if the latest microcode revision is 0x20 in Intel's Microcode Update Guide, there's still a chance it didn't make it in the published microcode package, but only distributed to the OEM partners.
Adding:
Code:
spec_store_bypass_disable=on
was what I was missing. Adding this to Grub (and I'm sure LILO) finally made the spectre script happy for the last variant. My machines are now NOT vulnerable for any of the vulnerabilities.
#!/bin/sh
gawk '
BEGIN {
Fmt = "%-20s %s\n"
}
# main
{
N = split( FILENAME, A, "/" ) # Array A for a poor-mans basename
M = $0 # M is the "mitigation"
gsub( /:/, " = ", M )
printf( Fmt, A[N] ":", M )
}' /sys/devices/system/cpu/vulnerabilities/*
Last edited by kjhambrick; 08-08-2018 at 02:10 PM.
I don't know why I only could find that suse article in the first place and not the more detailed RedHat one: https://access.redhat.com/security/vulnerabilities/ssbd
- Overview Tab - the technical details
- Resolve Tab - go down the page until you reach the Mitigation section
As I understand it, you'll need both microcode update and kernel patch to fully mitigate CVE-2018-3639 and the more appropriate option should be: spec_store_bypass_disable=auto
I run a Lynnfield Xeon x3450 released in 2009. The new microcode-20180807 finally has a Lynnfield ucode 0xa update. The previous ucode was 0x7. The SlackBuild for intel-microcode was used (editing the version in the SlackBuild file) without any problem to install microcode-20180807.
For Lynnfield users, it appears that ucode 0xa adds CPU features for "Speculative Execution Side Channel Mitigations":
* SSBD, Speculative Store Bypass Disable
* IBRS, Indirect Branch Restricted Speculation
* IBPB, Indirect Branch Prediction Barrier
* STIBP, Single Thread Indirect Branch Predictors
I run the latest 4.4.146 kernel on slackware64-14.2. As a result, I have all of the current mitigations (cat /sys/devices/system/cpu/vulnerabilities/*):
meltdown: Mitigation: PTI
spec_store_bypass: Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v1: Mitigation: __user pointer sanitization
spectre_v2: Mitigation: Full generic retpoline, IBPB, IBRS_FW
Looks good. Now, I'll have to see the performance hit, and see if my system is still stable!
On my machines, I did not need to append spec_store_bypass_disable=auto to my lilo.conf (nor my elilo.conf). I think "auto" is the default. Once I updated my machines to the latest intel microcode (and the latest kernels), the spec_store_bypass mitigation shows as being "Speculative Store Bypass disabled via prctl and seccomp." No need to append anything in lilo.conf (or elilo.conf).
On my machines, I did not need to append spec_store_bypass_disable=auto to my lilo.conf (nor my elilo.conf). I think "auto" is the default. Once I updated my machines to the latest intel microcode (and the latest kernels), the spec_store_bypass mitigation shows as being "Speculative Store Bypass disabled via prctl and seccomp." No need to append anything in lilo.conf (or elilo.conf).
Best,
Lumpy
I am waiting to see if this is the case on my Fedora machine. Eagerly awaiting the latest microcode update.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.