|
How to load new Intel microcode
This thread started on the Latest Kernel release thread. https://www.linuxquestions.org/quest...14#post5802714 at post 505 and continues through post 518. To avoid duplication of helpful comments please read that thread at least for the posts listed.
NOTE this only address the microcode loading issue and not the full mitigation for Meltdown or Spectre threat. It is for the purpose of helping me understand how to load my older Intel Pentium D 820 processor on a no-longer support emachine t5224. The platform is a full install of Slackware 64 14.2 with multilib and FVWM as primary WM. iucode_tool version 2.2 is loaded from Slackbuilds.org. The man page is a great and required read to understand the tool. This tool was loaded to discover processors signature in hopes of seeing if Intel had new microcode to overcome the Meltdown and Spectre threats. This lead to a coversation about how Intels instructions for loading the 20171117 microcode, which does NOT have the newest microcode to address Meltdown or Spectre, but was important to read and understand what is offered, can be used to load microcode. The installation is using LVM/LUKS and therefore requires an initrd. The initrd is re-created with each new kernel upgrade. Kernel installs are updated to either Pat's latest official release or kernel.org latest release every 2 months, which ever comes first. Currently the platform is on 4.4.106 with 4.4.88 (Pat's latest official release) as the backup kernel. The iucode_tool man page indicates that much has changed with microcode loading as of Linux kernel 4.4. The driver is now always loaded due to suspend and resume. Updating microcode earlier is safer and can should only be done at boot. It requires an uncompressed intramfs image in /kernel/x86/microcode/GenuineIntel.bin and must be the first initramfs called early initramfs. Read the man page of iucode_tool for Linux Notes section to get all the requirements. What I need help understanding is how the iucode_tool inter works with the Intel Linux-microcode file. I suspect that I have to unpack the file. Then use the intel_microcode SBo package https://slackbuilds.org/repository/1...tel-microcode/ to build a microcode from the /intel-ucode tar directory. This third tool now will "2) write the microcodes to an early initramfs archive: /boot/intel-ucode.cpio" which then has to be PRE-pended to the initrd. So as Darth Vader indicated in the in the other thread a way to do that with: Quote:
Will this actually then override the obsolete microcode on the CPU or only that part which is causing threats. Until I try it I quess I won't know if it causes any other microcode changes that affect other parts of the system, like the HDD, Ethernet or the USB onboard reader to stop functioning. So this weekend I'll give it a try. OH-- how to make a backup? I would think my backbup initrd for 4.4.88 should be ok since it won't load new microcode. Right? |
intel-microcode (20171117) from slackbuilds.org puts the microcode to /boot/intel-ucode.cpio. If you use generic kernel + initrd, rename /etc/mkinitrd.conf.sample to /etc/mkinitrd.conf and uncomment line with MICROCODE_ARCH="/boot/intel-ucode.cpio". Then running mkinitrd will automatically include the microcode to the initrd. (This was added as a patch in 14.2, Jun 29 2017.)
You can make a backup lilo entry with the old initrd. (Or, if you don't use initrd, add ' initrd=/boot/intel-ucode.cpio' in lilo.conf to load the microcode directly instead of the real initrd.) Try Code:
grep microcode /proc/cpuinfoThis will not do anything to your ethernet firmware etc. |
I just usually do this:
Code:
# install iucode_tool, install/update intel-microcode packages from SBo, thenThen proceed to use the generated initrd as usual on your preferred bootloader. In my case, I automate this in /usr/libexec/slackpkg/functions.d/z-lookkernel.sh for kernel upgrades. |
A quick rundown... I posted this some time ago in another thread, I believe, but cannot find it now.
EDIT: IMPORTANT: You must install iucode_tool from SBo, and immediately after you install that, install intel-microcode. If you do not first do this, then /boot/intel-ucode.cpio will not be present, and the following directions do not work. Here is what my mkinitrd.conf looks like with the intel microcode in use: Code:
#Code:
image = /boot/vmlinuz-genericCode:
mkinitrd -F -c && lilo -vTo check if everything is working, a reboot is necessary, and then: Code:
root@localhost:~# grep microcode /var/log/dmesg This is my processor: Code:
root@localhost:~# lscpu | grep "Model name" |
Quote:
To clarify you are referring to mkinitrd-1.4.10_x86_64-1_slack14.2 was patched, or at least that is where I found the patch in the changelog. It appears from ls /var/log/packages, that I did install that update. So next is to read the man page. I'm not clear why you qualified this for "generic kernel", wouldn't it work with any kernel referenced in the .conf file? Also what is the effect if using the mkinitrd_command_generator.sh? From reading the shell script still I think it use mkinitrd to generate the output, but I want to verify that it isn't going to bypass the /boot/intel-cpio if one is also using a mkinitrd.conf with that setting set? Quote:
Quote:
Thanks for the hints to make this easier going forward. |
Look, if you concatenate several initrds, the kernel is smart enough to find out every one and load them.
/boot/intel-ucode.cpio is just an initrd which contains these Intel firmware. So, you concatenate it to your own initrd, then on final, the kernel will find them properly. |
Quote:
Quote:
Quote:
Quote:
Here are my current microcode results. Code:
root@Hicrest1:~# lscpu | grep "Model name"Ultimately my understanding is that both microcode and kernel code need to be upgraded to resolve both the Meltdown and maybe Spectre threats. SO I'm waiting on the kernel correction for 4.4 line and will probably have to wait for the microcode too, if Intel even goes back to my older CPU. For now simply working to get this all work out and understood. Which is exactly what all the responses are helping me do. Thanks everyone, I keep learning and learning. More suggestions or corrections to my understanding are appreciated. |
Quote:
Quote:
Code:
# cat /boot/intel-ucode.cpio /boot/initrd-kernelxxxxx.gz > /boot/initrd.gz |
From the lilo POV, that /boot/initrd.gz file is just an initrd (it have no clue about content), which it will map to kernel, when it is properly specified.
Right this concatenated file which contains the both initrd, you should specify to lilo. And yes, the kernel will find and load first the firmware one. BTW, SYSLINUX is smarter than LILO, on this aspect, because you can specify multiple initrd files. ;) PS. And please forgive my English, I am not native speaker. |
@kjhambrick
Thanks again for your comments and example output in the Latest Kernel thread. Can you tell me which method of microcode updating you used and if you are using an initrd or not, per my question in #518? You examples of how dmesg will display the updated code are very helpful in your #517 post on the other thread. I hope to use the latest kernel 4.4.110, which implements some Kaiser solutions, along with the latest 20171117 microcode and now I'll know what to pull from dmesg and what result to check to verify the task completed correctly. |
Quote:
Quote:
I use the iucode_tool and the /boot/intel-ucode.cpio initrd file. So that I don't bork things when I install a new kernel, I wrote a little wrapper script to write a script that invokes Alien Bob's /usr/share/mkinitrd/mkinitrd_command_generator.sh and then prepends the /boot/intel-ucode.cpio initrd file into the resulting initrd for the Generic Kernel. The script and a typical session is below my .sig if you want it ( the script is .do-mkinitrd_command_generator.sh ). When all is said and done, I end up with two initrd files, one for Generic Kernel without the intel-ucode.cpio file and one with the intel-ucode file. Note that I 'defanged' the install step -- .do-mkinitrd_command_generator.sh prints the cp command but does not execute it. I always cut-n-paste the cp command after I look at the output ... Note that the OutDir Varb should be edited for your tastes and system, Anyhow ... Don't forget to edit /etc/lilo.conf ( or elilo or grub ) after installing the new initrd file in /boot/ ! These are the stanzas for the 4.4.110 Generic and Huge Kernels along with a reminder for me. Code:
#However it does need one to load the intel microcode. HTH. -- kjh I name my some of my scripts with a leading dot so that I can clean the directory with an `rm *` but not touch the scripts and configs. .do-mkinitrd_command_generator.sh is one such script because I configured it to write the new initrd files in the `dirname $0` directory. This is .do-mkinitrd_command_generator.sh Code:
#!/bin/shMy newest kernel is 4.4.110.kjh ... Here is a session. Code:
cd /root/tmp/update-logs/initrd1. a Generic initrd that does not include the intel-ucode.cpio file 2. an initrd that includes the intel-ucode.cpio file and the Generic initrd ( #1 ) The generated script ( do-mkinitrd-4.4.110.kjh.sh ) is below ... Continuing ... run the generated script ... Code:
# sh do-mkinitrd-4.4.110.kjh.shDon't forget to install your initrd files before you run lilo ! this is the generated script that actually makes the two initrd files: Code:
#Code:
# ls -la |
I just want to clarify (or correct) an impression that I have. If one sets up a mkinitrd.conf file which has an entry for MICROCODE_ARCH, I'm assuming that the output of mkinitrd -F will be what is to be specified in the lilo initrd entry (say for a standard Slackware 'generic' kernel).
For example, if there are entries OUTPUT_IMAGE="/boot/initrd.gz" and MICROCODE_ARCH="/boot/intel-ucode.cpio" I'm assuming that conceptually cat /boot/intel-ucode.cpio {an internal form of initrd.gz} > /boot/initrd.gz Well, (slight embarrassment); I actually decided to read the mkinitrd script, and my impressions is correct. But I figured I'd post this here in case anyone else was unclear about it. |
@kjhambrick, thank you for the great write-up and examples. I wasn't aware the huge kernel didn't need an initrd. I'm studying your script to see where I need to change it to allow me to use it every couple of months with the latest 4.4.x kernel, rather than with Pat's latest official release. I like the idea of scripts! Although I'm not a programmer I seem to be able to read and understand the logic of them, although the variables sometimes confuse me. Is there a reason you haven't used a mkinitrd.conf for some of the variables? Darth Vader suggested modifying that file to assure the intel-ucode.cpio is actually included in the initrd, which makes sense. I'll be working on this more tomorrow. Again thanks. Cheers
|
Quote:
The HUGE Kernel does not need an initrd UNLESS you need to load the intel-ucode.cpio file or maybe some module that Pat did not compile into HUGE ... I used to run HUGE because I was lazy ( no need for an initrd ) and because I was old and set in my ways :) But since the Intel ME Bug and now that I need to load intel-ucode.cpio, I no longer run HUGE, I've gone GENERIC. Quote:
Sometimes I clean them up a little and add variables or flags but quite often they're just the working sequence of commands in a text file. I like scripts in these cases so I don't forget steps or mis-type a command ... Quote:
But the scripts work for me and being old and set in my ways, I'll keep doing it the way I do it until it breaks :) :) HTH -- kjh |
Quote:
Recompile with this options /change to your firmware module name/ Quote:
Quote:
I do not know if this option is in 4.4 kernel but in 4.9 is and work. |
@Kjhambrick, I ran across your summer 2017 thread which has examples of how-to upgrade microcode and the patch resulting to allow an easy upgrade. Linking here for more insight and examples for those looking to update their microcode. Also thanks to phenexia2003 for the patch that allows a flag to mkinitrd which simplifies this. https://www.linuxquestions.org/quest...rs-4175608636/
It would be really great to see a docs.slackware.com article on "How to Update Intel Microcode" which captures all these ideas and suggestions but written by a senior Slackware member who really understands the different options and can describe the different paths for those using LTS kernels. PS I read Greg K-H's Meltdown article last night and it appears that Meltdown and Spectre are only going to be addressed only on LTS kernels 4.4, 4.9, 4.14, although 4.15 is not yet LTS it is being worked on for Meltdown. |
Using debian archive, I created quickly initrd with simple procedure:
Code:
cd intel-microcode-3.20171215.1now microcode is updated to 0x23 version Code:
[ 0.000000] microcode: CPU0 microcode updated early to revision 0x23, date = 2017-11-20Code:
Reading 40 bytes: |
Try this tool
https://raw.githubusercontent.com/sp...own-checker.sh Your microcode only does Mitigation 1 from CVE-2017-5715. The rest is open. Quote:
|
Quote:
Code:
Spectre and Meltdown mitigation detection tool v0.16Code:
--- spectre-meltdown-checker.sh 2018-01-08 20:18:36.836828923 +0100 |
Why not build the microcode into kernel? Simple, works for me. Or this would not be the Slackware way? Just curious.
|
Quote:
|
Quote:
Not only am I old and set in my ways, but I am old and forgetful too ! I honestly forgot all about that thread. Thanks for bringing it up ... it was a good one :) -- kjh |
Quote:
|
Quote:
LTS kernels are specifically selected to have a longer than normal life of updates -- now up to six years of updates, but only 4.4 and 4.14 will have that 6 years. 4.9 was stuck with the old LTS policy of updates for 2 years. We don't know what kernels will be LTS kernels until it is announced by a kernel developer, usually Greg Kroah-Hartman. I'm actually kinda surprised that 4.1 isn't getting the updates (or maybe it is and I'm just not aware of it), because it won't be EOL until May 2018. Other than that, 4.4, 4.9, 4.14, and 4.15 are the only maintained kernels by kernel developers. All other kernels versions have been EOLed and probably won't see official updates for these vulnerabilities. |
Quote:
The 4.1 Kernel is maintained by Sasha Levin and maybe there is more foundation code to back-port into 4.1 than 4.4, etc ??? Just guessing ... -- kjh From the 4.1.48 ChangeLog: Code:
commit 0199619b21f7320482e8a2db14cf8bc974a7766a |
Quote:
|
Quote:
|
Wouldn't it be neat to have all this knowledge packed in AlienBoB's Live Slackware image? Obviously, approved from "above". It'll help a lot of people and will definitely make Slackware more popular. Just a tough.
|
@keefaz I've tried to use that script and the first test is always failing as "couldn't find your kernel image in /boot,.."
My kernel responds to uname -r as '4.4.106-ba'. I saw where you suggested modifying line 113 of the script, but I've tried that and actually gone to a full 10 X's and it still doesn't recognize the kernel. The /boot/vmlinuz is a symlink to vmlinuz-custom-4.4.106 image on my machine. Any suggestions? Thanks |
Quote:
Since the intent of this article was to guide me on how to properly upgrade Intel microcode, please move issues of latest kernel to that thread and issues of how to address Meltdown or Spectre to the Slackware security thread. Sorry about hi-jacking my own thread with the earlyier "PS about LTS support for Meltdown and Spectre" ouch. Maybe the test script suggestion could also be moved there please! |
Quote:
Code:
Code:
[ -e /boot/vmlinuz-linux ] && img=/boot/vmlinuz-linux |
Quote:
|
Quote:
|
Hmm, Intel's latest microcode available is dated 20180108. Pulled it from their download site earlier linked in this thread. I then modified the intel-microcode.SlackBuild to reference the new file and executed the SlackBuild. That placed a new intel-ucode.cpio in /boot and built a package which was then installed. Then issued
Code:
#cat /boot/intel-ucode.cpio /boot/initrd-custom-4.4.110.gz > /boot/initrd-custom-4.4.110_ucode.gzAppears nothing new is loading at this time. Expected to see results with microcode date of 01/08/2018. The Intel releasenote mention resetting the reload, which the intel-microcode slackbuild does NOT mentioin. Did I miss a step? Or will results only appear if new microcode is actually changed? Trouble shooting advice appreciated. Cheers |
official Intel microcode update: https://downloadcenter.intel.com/dow...e-20180108.tgz
|
Thanks for the head's up bamunds and nobodino
I've built and installed 2018-01-08 but I'm still building 4.4.111 so I'll boot it later. This is my current running intel-ucode version from 2017-11-17: Code:
# dmesg -t |grep -m1 microcodeMy new kernel is ready to install so here we go ... will report back. EDIT: Back on the air with 4.4.111 + intel-microcode 2018-01-08 and the NVIDIA-Linux-x86_64-384.98.run blob. My intel-ucode revision is now: Code:
# dmesg -t |grep -m1 microcode Code:
# cat releasenote |
Quote:
|
Quote:
I wonder what your CPU Family, Model, Stepping is ? And is there a new file for that set of CPU Parameters in /lib/firmware/intel-ucode/ which was installed with your modified intel-microcode.SlackBuild ? This is the file for my CPU ( i7 6700K ): Code:
# ls -la /lib/firmware/intel-ucode/`./.get-my-cpu-f-m-s.sh`The script is below my sig. This is the output for my CPU: Code:
# ./.get-my-cpu-f-m-s.sh-- kjh This is .get-my-cpu-f-m-s.sh ... it lives in my intel-microcode SlackBuild Directory: Not much to it and my `gawk` programming style annoys purists, the fanciest thing it does is print the /proc/cpuinfo Family, Model, Stepping data as Hex. Code:
!/bin/sh |
Quote:
Code:
dmesg | grep microcodePosted before reading kjhambrick reply :) |
Quote:
|
Quote:
For example this is the output when I applied the latest Intel microcode (20180108): Code:
% sudo dmesg | grep microcode |
Quote:
Does not work at all for me. The output listed Code:
[root@darkstar:~] # dd if=microcode.dat of=/dev/cpu/microcode bs=1MDoes work for me, but it reverts after reboot. The output listed Code:
[root@darkstar:~] # dmesg | grep microcodeCode:
append="vt.default_utf8=1" |
PROBLEMCHYLD --
I posted the releasenote only to show which processors were updated. I suppose you can make things work following Intel's generic instructions ... However, for Slackware users, Alexander Verbovetsky ( iucode_tool ) and Andrzej Telszewski ( intel_microcode ) have made it easy-peasy ! Download these two SlackBuilds from SBo: 1. System/iucode_tool 2. System/intel-microcode Read the README Files ! Then build and install them in this order: 1. iucode_tool 2. intel-microcode At this point you'll have a /boot/intel-ucode.cpio initrd file, something like this: Code:
# ls -la /boot/intel-ucode.cpioI am not exactly sure what you're doing in the first stanza of your lilo.conf ( your default ), but the 2nd entry looks familiar. And to be safe, rather than replace you existing initrd file and lilo stanza, I would hedge my bets and make a new initrd for the one in your 2nd stanza: Code:
# cat /boot/intel-ucode.cpio /boot/initrd_4.14.12-smp.gz > /boot/initrd_4.14.12-smp-ucode.gzCode:
image=/boot/vmlinuz-generic-smp-4.14.12-smpThat outta do it ! HTH. -- kjh |
The simplest way to append the microcode to an initrd is to use the /etc/mkinitrd.conf. My previous post, (post #4 of this thread) simplifies the process by far. I think that this method should be the recommended way to apply the microcode to a initrd because its the simplest and most fool proof method for newbies and advanced users alike. However, I do realize everyone has their own way of doing things but something is getting lost in translation. Remember, K.I.S.S. principle.
Using the 'cat' command isn't necessary to do any of this. Pat and team simplified the process for us with the mkinitrd.conf. A wrapper script for mkinitrd_command_generator.sh isn't necessary either if you use the mkinitrd.conf. |
Quote:
iucode_tool has to be installed from sbo / Slackbuilds Then, infos from /proc/cpuinfo will give you the correct microcode filename (see awk code above) Once you know the correct microcode file, the easiest way to make the ramfs image is: Code:
iucode_tool --write-earlyfw=/boot/intel-ucode.cpio /path/to/microcode_fileCode:
cd /bootEdit: Wow posted too late again :/ |
Quote:
I set all this up before phenexia submitted the mkinitrd -P arg patch https://www.linuxquestions.org/quest...6/#post5727883 and before it was released for Slackware 14.2. And then I wasn't aware of the /etc/mkinitrd.conf file. It's time for me to retire the old scripts I wrote and get with the program ( or at least keep them to myself :) ). Thanks ! -- kjh |
Quote:
I would also like to point out that SBo has pushed an update out for this week early which includes the latest intel microcode: https://git.slackbuilds.org/slackbui...74064919242c48 |
Quote:
Code:
[root@darkstar:~] # ls -la /boot/intel-ucode.cpio |
Quote:
What do you see if you type the following command ? Code:
# ls -lartd /var/log/packages/{iucode_tool,intel-microcode}*Here's mine: Code:
# ls -lartd /var/log/packages/{iucode_tool,intel-microcode}* |
Quote:
The relevant part in the intel-microcode SlackBuild is: Code:
mkdir -p $PKG/lib/firmware |
| All times are GMT -5. The time now is 10:09 AM. |