LinuxQuestions.org > Slackware > How to load new Intel microcode
(https://www.linuxquestions.org/questions/slackware-14/how-to-load-new-intel-microcode-4175621053/)

bamunds 01-08-2018 10:28 AM

@Kjhambrick, I ran across your summer 2017 thread, which has examples of how to upgrade microcode and the resulting patch that allows an easy upgrade. Linking here for more insight and examples for those looking to update their microcode. Also thanks to phenexia2003 for the patch that adds a flag to mkinitrd, which simplifies this. https://www.linuxquestions.org/quest...rs-4175608636/

It would be really great to see a docs.slackware.com article on "How to Update Intel Microcode" which captures all these ideas and suggestions, but written by a senior Slackware member who really understands the different options and can describe the different paths for those using LTS kernels.

PS I read Greg K-H's Meltdown article last night and it appears that Meltdown and Spectre are only going to be addressed on LTS kernels 4.4, 4.9, 4.14; although 4.15 is not yet LTS, it is being worked on for Meltdown.

keefaz 01-08-2018 11:33 AM

Using the Debian archive, I quickly created an initrd with a simple procedure:
Code:

cd intel-microcode-3.20171215.1
mkdir tmp
# my processor is i5-4570, signature 0x306c3
# -K writes the selected microcode under tmp/ as a file named by family-model-stepping
iucode_tool -Ktmp tmp supplementary-ucode-CVE-2017-5715.d/s000306C3_m00000032_r00000023.fw
cd tmp
# bundle that single file (06-3c-03) into an early-load cpio and put it on the EFI partition
iucode_tool --write-earlyfw=intel-ucode.cpio 06-3c-03
cp intel-ucode.cpio /boot/efi/EFI/Slackware/

Then I edited elilo.conf, added the initrd line and rebooted;
now the microcode is updated to version 0x23:
Code:

[    0.000000] microcode: CPU0 microcode updated early to revision 0x23, date = 2017-11-20
...
...

But it seems the processor is still vulnerable to Spectre; using the C program floating around, I get:
Code:

Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfec80... Success: 0x54='T' score=2
Reading at malicious_x = 0xffffffffffdfec81... Success: 0x68='h' score=2
Reading at malicious_x = 0xffffffffffdfec82... Success: 0x65='e' score=2
...
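An added example (not from the thread or from iucode_tool itself) showing where the two identifiers in the procedure above come from and how to check the result after the reboot: the signature in the microcode file name (s000306C3) and the family-model-stepping name (06-3c-03) are both derived from the family, model and stepping values that /proc/cpuinfo reports, and the "microcode: CPU0 microcode updated early to revision 0x23" dmesg line can be compared against the revision encoded in the file name (_r00000023). The function names, the cpuinfo and dmesg sample text (constructed here to match an i5-4570) and the assumption of a family below 15 (no extended-family field) are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: map family/model/stepping from
# /proc/cpuinfo to the Intel signature used in microcode file names and to
# the family-model-stepping name iucode_tool writes, then confirm from dmesg
# that the kernel loaded the revision that was packaged.

# Intel CPUID signature layout (family < 15 assumed, so extended family is 0):
#   bits 19:16 extended model, 11:8 family, 7:4 low model nibble, 3:0 stepping.
ucode_signature() {   # args: family model stepping, decimal as in /proc/cpuinfo
    fam=$1; model=$2; step=$3
    sig=$(( ((model >> 4) << 16) | (fam << 8) | ((model & 15) << 4) | step ))
    printf '0x%x\n' "$sig"
}

# "ff-mm-ss" form: two hex digits each for family, model and stepping.
ucode_selector() {
    printf '%02x-%02x-%02x\n' "$1" "$2" "$3"
}

# Extract family, model and stepping of the first CPU from cpuinfo text on stdin.
cpuinfo_fms() {
    awk -F'[[:space:]]*:[[:space:]]*' '
        $1 == "cpu family" && f == "" { f = $2 }
        $1 == "model"      && m == "" { m = $2 }
        $1 == "stepping"   && s == "" { s = $2 }
        END { print f, m, s }'
}

# Revision encoded in a Debian-style microcode file name: _r00000023.fw -> 0x23
ucode_file_revision() {
    rev=$(printf '%s\n' "$1" | sed -n 's/.*_r\([0-9A-Fa-f]*\)\.fw$/\1/p')
    [ -n "$rev" ] || return 1
    printf '0x%x\n' "$(( 0x$rev ))"
}

# Revision the kernel reports for CPU0 in dmesg text on stdin (empty if none).
dmesg_loaded_revision() {
    sed -n 's/.*microcode: CPU0 microcode updated early to revision \(0x[0-9a-fA-F]*\),.*/\1/p' | head -n 1
}

# Succeed only if the revision in the packaged file name is the one dmesg shows.
verify_loaded() {   # args: microcode file name, dmesg text
    want=$(ucode_file_revision "$1") || return 2
    got=$(printf '%s\n' "$2" | dmesg_loaded_revision)
    [ -n "$got" ] || return 3
    [ "$(( $want ))" -eq "$(( $got ))" ]
}

# Constructed sample input modelled on an i5-4570 (the real file uses tabs; either works).
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 60
model name : Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz
stepping : 3
microcode : 0x23'

# Constructed dmesg excerpt in the format the kernel prints after an early update.
SAMPLE_DMESG='[    0.000000] microcode: CPU0 microcode updated early to revision 0x23, date = 2017-11-20
[    0.123456] microcode: Microcode Update Driver: v2.2.'

set -- $(printf '%s\n' "$SAMPLE_CPUINFO" | cpuinfo_fms)
echo "signature: $(ucode_signature "$@")"      # 0x306c3
echo "selector:  $(ucode_selector "$@")"       # 06-3c-03
if verify_loaded s000306C3_m00000032_r00000023.fw "$SAMPLE_DMESG"; then
    echo "loaded revision matches the packaged file"
else
    echo "loaded revision differs from the packaged file"
fi
```

On a live system the same functions can be fed `cpuinfo_fms < /proc/cpuinfo` and `verify_loaded FILE "$(dmesg)"`; a mismatch usually means the cpio was built for a different signature or the bootloader did not pass it as the first initrd.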


BratPit 01-08-2018 12:31 PM

Try this tool

https://raw.githubusercontent.com/sp...own-checker.sh

Your microcode only does Mitigation 1 from CVE-2017-5715.
The rest is open.


Quote:

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: UNKNOWN (couldn't find your kernel image in /boot, if you used netboot, this is normal)
> STATUS: UNKNOWN

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: UNKNOWN (couldn't find your kernel image)
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
I do not know why it does not see my /boot/vmlinuz in the variant 1 check?

keefaz 01-08-2018 01:36 PM

Quote:

Originally Posted by BratPit (Post 5803696)
Try this tool

https://raw.githubusercontent.com/sp...own-checker.sh

Your microcode only does Mitigation 1 from CVE-2017-5715.
The rest is open.

I do not know why it does not see my /boot/vmlinuz in the variant 1 check?

Thanks, after a slight modification in the script, I got:
Code:

Spectre and Meltdown mitigation detection tool v0.16

Checking vulnerabilities against Linux 4.4.110 #1 SMP Fri Jan 5 22:17:16 CET 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 53 opcodes found, should be >= 70)
> STATUS:  VULNERABLE

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*  Hardware (CPU microcode) support for mitigation:  YES
*  Kernel support for IBRS:  NO
*  IBRS enabled for Kernel space:  NO
*  IBRS enabled for User space:  NO
* Mitigation 2
*  Kernel compiled with retpoline option:  NO
*  Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

Script modification (added XXX to the temp file template name):
Code:

--- spectre-meltdown-checker.sh    2018-01-08 20:18:36.836828923 +0100
+++ spectre-meltdown-checker.new.sh    2018-01-08 20:27:48.534863440 +0100
@@ -64,7 +64,7 @@
 {
    [ -n "$1" ] || return 1
    # Prepare temp files:
-    vmlinuxtmp="$(mktemp /tmp/vmlinux-XXX)"
+    vmlinuxtmp="$(mktemp /tmp/vmlinux-XXXXXX)"
 
    # Initial attempt for uncompressed images or objects:
    if check_vmlinux "$1"; then
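Review bot: the `+` line still ignores mktemp's exit status; if mktemp fails, `vmlinuxtmp` is empty and the rest of the function works on an empty path, so guard the assignment: `vmlinuxtmp="$(mktemp /tmp/vmlinux-XXXXXX)" || return 1`. The move to six X's is the right fix: mkstemp(3) requires at least six trailing X's and mktemp(1) implementations differ in how few they accept, so the three-X template only works on some systems, which is the likely reason the original script could not find the kernel image here. Consider `mktemp -t vmlinux-XXXXXX` as well, so that TMPDIR is honoured instead of hard-coding /tmp.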


Emerson 01-08-2018 01:44 PM

Why not build the microcode into kernel? Simple, works for me. Or this would not be the Slackware way? Just curious.

BratPit 01-08-2018 01:48 PM

Quote:

Originally Posted by keefaz (Post 5803719)
Thanks, after a slight modification in the script, I got:
Code:

Which does not change the fact that this mitigation microcode does not prevent the Spectre PoC :(

kjhambrick 01-08-2018 01:57 PM

Quote:

Originally Posted by bamunds (Post 5803649)
@Kjhambrick, I ran across your summer 2017 thread, which has examples of how to upgrade microcode and the resulting patch that allows an easy upgrade. Linking here for more insight and examples for those looking to update their microcode. Also thanks to phenexia2003 for the patch that adds a flag to mkinitrd, which simplifies this. https://www.linuxquestions.org/quest...rs-4175608636/

It would be really great to see a docs.slackware.com article on "How to Update Intel Microcode" which captures all these ideas and suggestions, but written by a senior Slackware member who really understands the different options and can describe the different paths for those using LTS kernels.

PS I read Greg K-H's Meltdown article last night and it appears that Meltdown and Spectre are only going to be addressed on LTS kernels 4.4, 4.9, 4.14; although 4.15 is not yet LTS, it is being worked on for Meltdown.

Yikes !

Not only am I old and set in my ways, but I am old and forgetful too !

I honestly forgot all about that thread.

Thanks for bringing it up ... it was a good one :)

-- kjh

Darth Vader 01-08-2018 01:59 PM

Quote:

Originally Posted by Emerson (Post 5803724)
Why not build the microcode into kernel? Simple, works for me. Or this would not be the Slackware way? Just curious.

Because not all people use the overpriced Intellicrap?

bassmadrigal 01-08-2018 02:24 PM

Quote:

Originally Posted by bamunds (Post 5803649)
although 4.15 is not yet LTS it is being worked on for Meltdown.

4.15 won't be an LTS kernel. It will become the latest stable, but that will be supplanted by 4.16 and then 4.17 and on. Non-LTS kernels are usually only supported for around 3 months before they EOL them and expect users to move to the next stable kernel.

LTS kernels are specifically selected to have a longer than normal life of updates -- now up to six years of updates, but only 4.4 and 4.14 will have that 6 years. 4.9 was stuck with the old LTS policy of updates for 2 years. We don't know what kernels will be LTS kernels until it is announced by a kernel developer, usually Greg Kroah-Hartman.

I'm actually kinda surprised that 4.1 isn't getting the updates (or maybe it is and I'm just not aware of it), because it won't be EOL until May 2018. Other than that, 4.4, 4.9, 4.14, and 4.15 are the only kernels maintained by kernel developers. All other kernel versions have been EOLed and probably won't see official updates for these vulnerabilities.

kjhambrick 01-08-2018 02:33 PM

Quote:

Originally Posted by bassmadrigal (Post 5803750)

<<snip>> ...

I'm actually kinda surprised that 4.1 isn't getting the updates (or maybe it is and I'm just not aware of it), because it won't be EOL until May 2018. Other than that, 4.4, 4.9, 4.14, and 4.15 are the only kernels maintained by kernel developers. All other kernel versions have been EOLed and probably won't see official updates for these vulnerabilities.

bassmadrigal --

The 4.1 Kernel is maintained by Sasha Levin and maybe there is more foundation code to back-port into 4.1 than 4.4, etc ???

Just guessing ...

-- kjh

From the 4.1.48 ChangeLog:

Code:

commit 0199619b21f7320482e8a2db14cf8bc974a7766a
Author: Sasha Levin <alexander.levin@verizon.com>
Date:  Tue Dec 12 10:21:44 2017 -0500

    Linux 4.1.48
   
    Signed-off-by: Sasha Levin <alexander.levin@verizon.com>


Emerson 01-08-2018 02:37 PM

Quote:

Originally Posted by Darth Vader (Post 5803736)
Because not all people use the overpriced Intellicrap?

So you build only AMD microcode into kernel?

Darth Vader 01-08-2018 02:51 PM

Quote:

Originally Posted by Emerson (Post 5803757)
So you build only AMD microcode into kernel?

Neither. The AMD microcodes could be loaded well from a running system.

abga 01-08-2018 03:02 PM

Wouldn't it be neat to have all this knowledge packed in AlienBoB's Live Slackware image? Obviously, approved from "above". It'll help a lot of people and will definitely make Slackware more popular. Just a thought.

bamunds 01-08-2018 03:33 PM

@keefaz I've tried to use that script and the first test is always failing with "couldn't find your kernel image in /boot,..".
My kernel responds to uname -r as '4.4.106-ba'. I saw where you suggested modifying line 113 of the script, but I've tried that, and actually gone to a full 10 X's, and it still doesn't recognize the kernel. The /boot/vmlinuz is a symlink to the vmlinuz-custom-4.4.106 image on my machine. Any suggestions? Thanks

bamunds 01-08-2018 03:36 PM

Quote:

Originally Posted by abga (Post 5803771)
Wouldn't it be neat to have all this knowledge packed in AlienBoB's Live Slackware image? Obviously, approved from "above". It'll help a lot of people and will definitely make Slackware more popular. Just a thought.

Actually it would be great to have this on the docs.slackware.com page as "How to upgrade Intel microcode". Then future questions on LQ could be referenced to that article. I know @AlienBob also has a blog and he too has some nice write-ups but I believe this subject to be outside just the LiveSlak interest group.

Since the intent of this thread was to guide me on how to properly upgrade Intel microcode, please move issues of the latest kernel to that thread and issues of how to address Meltdown or Spectre to the Slackware security thread. Sorry about hijacking my own thread with the earlier "PS about LTS support for Meltdown and Spectre", ouch. Maybe the test script suggestion could also be moved there, please!

