LinuxQuestions.org
Old 03-01-2018, 05:54 PM   #106
Loomx
Member
 
Registered: Sep 2012
Distribution: Slackware
Posts: 62

Rep: Reputation: Disabled

Quote:
Thankfully, with the possible exception of Skylake, Intel microcode updates are not required.
This.

After seeing how Intel have responded to recent events, I feel reassured by the fact that the mitigations can be at the software level, rather than having to rely on opaque microcode updates by Intel.
 
Old 03-02-2018, 05:02 PM   #107
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 702

Rep: Reputation: 389Reputation: 389Reputation: 389Reputation: 389
Speaking of Skylake, Intel has started to deploy the microcode update for the 6th Generation Skylake Processors through their trusted partner Microsoft:
https://support.microsoft.com/en-us/...rocode-updates
https://www.catalog.update.microsoft...px?q=KB4090007

According to this article in German (the only one more detailed I could find ATM), the microcode update is the same as it was in the Linux Microcode Update file that Intel pulled back on the 22nd of January 2018. It is written in the article that Intel only rechecked the microcode and didn't modify it:
https://www.heise.de/security/meldun...e-3985133.html
 
Old 03-14-2018, 01:22 AM   #108
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current (servers) / Ubuntu (workstations)
Posts: 52

Rep: Reputation: 13
What should I choose?
1. UEFI update from motherboard manufacturer (when it comes);
or
2. Linux processor microcode update from Intel
https://downloadcenter.intel.com/download/27591?v=t
 
Old 03-14-2018, 03:48 AM   #109
phenixia2003
Member
 
Registered: May 2006
Location: France
Distribution: Slackware
Posts: 821

Rep: Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678Reputation: 678
Hello,

Just noticed that latest intel microcode (20180312) includes an update for my "old" Xeon e3-1230 v2 (ivy-bridge) :

Code:
$ iucode_tool --scan-system --list ./microcode.dat 
iucode_tool: system has processor(s) with signature 0x000306a9
microcode bundle 1: ./microcode.dat
selected microcodes:
  001/138: sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
--
SeB
 
Old 03-14-2018, 03:54 AM   #110
55020
Senior Member
 
Registered: Sep 2009
Location: Yorks. W.R. 167397
Distribution: Slackware
Posts: 1,283
Blog Entries: 4

Rep: Reputation: Disabled
teoberi, it's not important.
You can install both.
But if you have a recent kernel, you don't need any microcode update.
The fixes already in the kernel are better and they don't use the microcode stuff.
 
Old 03-14-2018, 04:51 AM   #111
GazL
Senior Member
 
Registered: May 2008
Posts: 4,754
Blog Entries: 14

Rep: Reputation: Disabled
Quote:
Originally Posted by 55020 View Post
But if you have a recent kernel, you don't need any microcode update.
The fixes already in the kernel are better and they don't use the microcode stuff.
Recent kernels do retpolines, but I thought there were some edge cases with Skylake that required the IBPB/IBRS features to be fully protected: https://lwn.net/Articles/743019/

But most of this stuff is way over my head so it's possible I missed or misunderstood something somewhere along the way.


To be honest, I'm starting to wonder whether it's worth turning off the mitigations for performance reasons since I'm not in the habit of running untrusted code anyway and outside of proof of concepts I've not seen any mention of real-world exploitation of these vulnerabilities. The only reason I haven't done so already is concerns about javascript in the browser (I disable it as a general rule, but some sites just won't work without it).
 
Old 03-14-2018, 09:40 AM   #112
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 14.2 + Multilib
Posts: 1,425

Rep: Reputation: 830Reputation: 830Reputation: 830Reputation: 830Reputation: 830Reputation: 830Reputation: 830
All --

I am with GazL on these issues ... dazed and confuzed

Is the Intel® Management Engine Critical Firmware Update (Intel-SA-00086) mitigated in the Kernel ?

My understanding of that particular bug is that it affects the Intel Management Engine which is 'below' the OS in the stack and it requires a BIOS update from your MoBo Vendor ?

Or is the IME Mitigation Code included in the recent kernel-firmware Packages ?

This is a link to the Intel-SA-00086 Detection Tool Page.

Thanks !

-- kjh

These are the results of running the tool on my Work Laptop:

Code:
# ./intel_sa00086.py

INTEL-SA-00086 Detection Tool
Copyright(C) 2017-2018, Intel Corporation, All rights reserved.

Application Version: 1.1.169.0
Scan date: 2018-03-14 13:53:42 GMT

*** Host Computer Information ***
Name: kjhlt6
Manufacturer: Notebook
Model: P7xxDM(-G)
Processor Name: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz
OS Version: Slackware  14.2  (4.4.121.kjh)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 11.0.0.1168
SVN: 1

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is vulnerable.
Explanation:
The detected version of the Intel(R) Management Engine firmware
  is considered vulnerable for INTEL-SA-00086.
  Contact your system manufacturer for support and remediation of this system.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
  Intel Security Advisory Intel-SA-00086 at the following link:
  https://www.intel.com/sa-00086-support
 
Old 03-14-2018, 01:40 PM   #113
mralk3
Senior Member
 
Registered: May 2015
Location: Utah, USA
Distribution: Slackware 14.2 || Slackware-current && CentOS
Posts: 1,237

Rep: Reputation: 605Reputation: 605Reputation: 605Reputation: 605Reputation: 605Reputation: 605
This tool might give you a better understanding of what is vulnerable on your system regarding spectre and meltdown.

spectre-meltdown-checker

My system isn't vulnerable in either tool:

Code:
$ uname -pr
4.14.26 Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz

Last edited by mralk3; 03-14-2018 at 01:42 PM.
 
Old 03-14-2018, 06:46 PM   #114
Daedra
Senior Member
 
Registered: Dec 2005
Location: Springfield, MO
Distribution: Slackware64-14.2
Posts: 1,534

Rep: Reputation: 369Reputation: 369Reputation: 369Reputation: 369
Loaded the new microcode for my x99 / Haswell-E CPU last night, but looks like Asrock rolled out new bios updates with the microcode today, so I was able to ditch the microcode initrd and just updated to the new bios. If I am reading the spectre-meltdown-checker correctly it looks like I am not-vulnerable across the board?

Code:
Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 4.4.118 #1 SMP Sun Feb 25 14:18:45 CST 2018 x86_64
CPU is Intel(R) Core(TM) i7-5930K CPU @ 3.50GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 63 stepping 2 ucode 0x3c)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)
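
The "Mitigated according to the /sys interface" lines in the output above come from the kernel's own status files, which can be read directly. This is an added example, not part of the post and not spectre-meltdown-checker's code; the function names and the sample directory are constructed, and the three status strings are the ones visible in the output above.

```shell
#!/bin/sh
# Kernel-provided status files (present on kernels that carry the mitigations).
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# mitigation_report [DIR]
# Prints one "<variant>: <status>" line per file and returns non-zero if any
# entry is missing (kernel too old to report) or is not "Not affected" /
# "Mitigation: ...".
mitigation_report() {
    dir=${1:-$VULN_DIR_DEFAULT}; rc=0
    for f in spectre_v1 spectre_v2 meltdown; do
        if [ -r "$dir/$f" ]; then
            status=$(cat "$dir/$f")
        else
            status="unknown (no sysfs entry)"
        fi
        case $status in
            "Not affected"|Mitigation:*) ;;
            *) rc=1 ;;
        esac
        printf '%s: %s\n' "$f" "$status"
    done
    return $rc
}

# spectre_v2_uses_retpoline [DIR]
# True when variant 2 is covered by retpolines rather than IBRS, which is
# the case the Skylake discussion earlier in the thread is about.
spectre_v2_uses_retpoline() {
    grep -qi 'retpoline' "${1:-$VULN_DIR_DEFAULT}/spectre_v2" 2>/dev/null
}

# make_sample_dir: constructed stand-in for the sysfs directory so the
# functions can be exercised on any machine.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    echo 'Mitigation: __user pointer sanitization' > "$d/spectre_v1"
    echo 'Mitigation: Full generic retpoline'      > "$d/spectre_v2"
    echo 'Mitigation: PTI'                         > "$d/meltdown"
    echo "$d"
}

demo=$(make_sample_dir) && mitigation_report "$demo"
rm -rf "$demo"
```

Call `mitigation_report` with no argument to read the live system instead of the constructed directory.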
 
Old 03-15-2018, 02:26 AM   #115
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current (servers) / Ubuntu (workstations)
Posts: 52

Rep: Reputation: 13
I read this morning:
https://access.redhat.com/articles/3311301

In the section "Architectural Defaults" appears
Quote:
Intel Defaults:

pti=1 ibrs=0 retp=1 ibpb=1-> fix variant#1 #2 #3 for pre-Skylake cpus
pti=1 ibrs=1 retp=0 ibpb=1-> fix variant#1 #2 #3 for Skylake cpus

pti=1 retp=1 ibrs=0 ibpb=0 -> fix variant#1 #3 (for older Intel systems with no microcode update available)

A kernel patch is coming!
https://patchwork.kernel.org/patch/10279661/

Last edited by teoberi; 03-15-2018 at 02:48 AM. Reason: Complete answer
 
Old 03-15-2018, 06:52 AM   #116
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current (servers) / Ubuntu (workstations)
Posts: 52

Rep: Reputation: 13
It's already in the last kernel (4.14.27).
 
1 members found this post helpful.
Old 03-15-2018, 07:37 AM   #117
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 702

Rep: Reputation: 389Reputation: 389Reputation: 389Reputation: 389
Quote:
Originally Posted by kjhambrick View Post
All --

I am with GazL on these issues ... dazed and confuzed

Is the Intel® Management Engine Critical Firmware Update (Intel-SA-00086) mitigated in the Kernel ?

My understanding of that particular bug is that it affects the Intel Management Engine which is 'below' the OS in the stack and it requires a BIOS update from your MoBo Vendor ?

Or is the IME Mitigation Code included in the recent kernel-firmware Packages ?

This is a link to the Intel-SA-00086 Detection Tool Page.

Thanks !

-- kjh
AFAIK the Intel AMT (ME) update operations are not supported under Linux (Slackware) and its firmware can only be updated either through the vendor's BIOS releases, for older systems/architectures or, more recently, through the vendor's Windows "chipset firmware" updates.
It has got even worse, since you can get these vendors' "firmware" updates only under Windows 10 - I have a laptop that came with Win7 and on the support site I only get an Intel AMT patch (firmware update) that was designed/is working only under Win10.

Check this for references and some useful links:
https://www.linuxquestions.org/quest...00/page48.html
This looks to be a useful HowTo for updating the firmware (haven't tested it yet):
https://www.flamingspork.com/blog/20...ndows-install/
Some info on the HW & firmware:
https://en.wikipedia.org/wiki/Intel_...ngine#Hardware
 
1 members found this post helpful.
Old 03-15-2018, 07:47 AM   #118
AlleyTrotter
Member
 
Registered: Jun 2002
Location: Coal Township PA
Distribution: Slackware64-14.2 (4.18.15) UEFI enabled
Posts: 500

Rep: Reputation: 171Reputation: 171
For any interested
This update in BLFS_SVN this morning
Quote:
Changelog Entries:

March 15th, 2018

[ken] - Update intel microcode to 20180312 (spectre v2 mitigation for SandyBridge and later). Please note that for some models, particularly Skylake, currently-available kernels may disregard the mitigation because of issues with the previous (now withdrawn) version. That will hopefully be fixed in a few days, but will then require a kernel upgrade. Fixes #10300.
Released by Beyond Linux from Scratch changelog.
john
 
1 members found this post helpful.
Old 03-15-2018, 10:08 AM   #119
bamunds
Member
 
Registered: Sep 2013
Location: Mounds View MN
Distribution: Slackware64-14.2 Multilib
Posts: 544

Original Poster
Rep: Reputation: 146Reputation: 146
SO I'm checking it now. According to the search function on Intel.com there is an update for my Smithfield xof47 processor. I'll report back after I have it loaded and testing for a while.

https://downloadcenter.intel.com/dow...?product=27512

For Intel® Pentium® D Processor 820 (2M Cache, 2.80 GHz, 800 MHz FSB)
Linux* Processor Microcode Data File
Version: 20180312 (Latest) Date: 3/12/2018
 
1 members found this post helpful.
Old 03-15-2018, 10:28 AM   #120
Skaendo
Member
 
Registered: Dec 2014
Location: West Texas, USA
Distribution: Slackware64-14.2
Posts: 753

Rep: Reputation: Disabled
Quote:
Originally Posted by bamunds View Post
SO I'm checking it now. According to the search function on Intel.com there is an update for my Smithfield xof47 processor. I'll report back after I have it loaded and testing for a while.

https://downloadcenter.intel.com/dow...?product=27512

For Intel® Pentium® D Processor 820 (2M Cache, 2.80 GHz, 800 MHz FSB)
Linux* Processor Microcode Data File
Version: 20180312 (Latest) Date: 3/12/2018
Not to say that there is not an update for your specific processor, but the Intel microcode download lists virtually every processor that they have ever made. Just because your processor is listed does not mean that there is a microcode update for your specific processor.

Just for example, I have many Intel processors and they are all listed in there and there are microcode updates for them but the microcode update for my processors are quite old and haven't been updated recently.

The only way to know if your specific processor has had a microcode update is to
Code:
dmesg -t |grep -i microcode
like kjhambrick says in the next post and check the date.

I highly doubt that the Pentium D 820's have gotten an update since the previous release.

Last edited by Skaendo; 03-15-2018 at 10:55 AM.
 
1 members found this post helpful.
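
The point made in post #120, checked against the `iucode_tool --list` line format shown in post #109: an added example (not part of any post and not iucode_tool's own code) that reports whether a bundle holds a revision newer than the loaded one for a given CPU signature. The function name and the sample listing are constructed; only the first entry's sig, pf_mask, date, rev and size come from the thread.

```shell
#!/bin/sh
# Constructed sample listing. Entry 001 uses the values from post #109;
# entries 002 and 003 are made up for illustration.
SAMPLE_LISTING='selected microcodes:
  001/003: sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
  002/003: sig 0x000306a9, pf_mask 0x12, 2015-02-26, rev 0x001c, size 12288
  003/003: sig 0x00012345, pf_mask 0x9d, 2005-04-21, rev 0x0003, size 2048'

# bundle_status LISTING CPU_SIG LOADED_REV
# Prints one of:
#   no-entry                 bundle has nothing for this signature
#   not-newer <rev>          listed, but nothing newer than what is loaded
#   newer <rev> <date>       bundle carries a newer revision
# On a real system CPU_SIG is what `iucode_tool --scan-system` reports and
# LOADED_REV is the "microcode" field of /proc/cpuinfo.
bundle_status() {
    want=$(( $2 )); loaded=$(( $3 )); best=-1; best_rev=; best_date=
    # Reduce each listing line to "<sig> <rev> <date>".
    parsed=$(printf '%s\n' "$1" | sed -n \
      's/.*sig \(0x[0-9a-fA-F]*\), pf_mask 0x[0-9a-fA-F]*, \([0-9-]*\), rev \(0x[0-9a-fA-F]*\),.*/\1 \3 \2/p')
    while read -r sig rev date; do
        [ -n "$sig" ] || continue
        [ $(( $sig )) -eq "$want" ] || continue      # numeric compare of hex
        if [ $(( $rev )) -gt "$best" ]; then
            best=$(( $rev )); best_rev=$rev; best_date=$date
        fi
    done <<EOF
$parsed
EOF
    if [ "$best" -lt 0 ]; then
        echo "no-entry"
    elif [ "$best" -gt "$loaded" ]; then
        echo "newer $best_rev $best_date"
    else
        echo "not-newer $best_rev"
    fi
}

# Demo: a CPU with signature 0x000306a9 currently running revision 0x1c.
bundle_status "$SAMPLE_LISTING" 0x000306a9 0x1c
```

The `not-newer` result covers a processor that appears in the bundle but has not received a new revision.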
  

