Old 05-18-2019, 11:28 AM   #1
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,315
Blog Entries: 15

How to set up early load of Intel firmware


I've just downloaded an updated version of my CPU firmware that is supposed to deal with the ZombieLoad exploit. I've installed it in LFS using the instructions given in BLFS. Basically you put it in a cpio archive and set this to be your initrd.

I now want to do the same in Slackware. But my Slackware installation already has an initrd that I made to go with the generic kernel. The BLFS book says you can specify two initrds if you put the uncompressed one with the kernel firmware first, but they are talking about GRUB and I don't know if the same applies in lilo/elilo. Can I do this in elilo.conf? Or should I put the kernel/x86/microcode tree which contains the firmware into the initrd tree and remake initrd.gz?
 
Old 05-18-2019, 11:56 AM   #2
Petri Kaukasoina
Member
 
Registered: Mar 2007
Posts: 615

man mkinitrd...
Code:
       -P microcode_archive
              This  option  specifies  a  cpio  archive   containing   updated
              microcode  for your CPU.  CPU manufacturers occasionally release
              such updates to fix bugs in the microcode currently embedded  in
              the  CPU.  The microcode archive will be prepended to the output
              initrd, where the kernel will find it for early patching:

                -P /boot/intel-ucode.cpio
 
1 members found this post helpful.
Old 05-18-2019, 12:14 PM   #3
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,315

Original Poster
Blog Entries: 15

Perfect! Thanks a lot.
 
Old 05-18-2019, 01:13 PM   #4
Lysander666
Senior Member
 
Registered: Apr 2017
Location: The Underearth
Distribution: Ubuntu, Debian, Slackware
Posts: 2,146
Blog Entries: 6

I found a Slackbuild for this here:

https://slackbuilds.org/repository/1...tel-microcode/

For my own reference, would installing this be sufficient [and its depend?]
 
Old 05-18-2019, 02:18 PM   #5
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,315

Original Poster
Blog Entries: 15

Interesting but the build has another dependency (iucode_tool). It's simpler just to copy over and use the cpio file I already have. Especially as the mkinitrd script has a specific option for doing that. Just one of the nice friendly little touches I've noticed in Slackware since I started using it. Everything seems to be crafted to give you smooth working.
 
1 members found this post helpful.
Old 05-18-2019, 02:20 PM   #6
Chuck56
Member
 
Registered: Dec 2006
Location: Colorado, USA
Distribution: Slackware
Posts: 727

Quote:
Originally Posted by Lysander666 View Post
I found a Slackbuild for this here:

https://slackbuilds.org/repository/1...tel-microcode/

For my own reference, would installing this be sufficient [and its depend?]
It would be a good start but it wouldn't finish the job. Before you make the changes check /var/log/dmesg (1st line best indicator).

BEFORE:
Code:
root@XXXX:/var/log# grep microcode dmesg
[    0.000000] microcode: microcode updated early to revision 0x2b, date = 2018-03-22
[    0.277311] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
[    3.943957] microcode: sig=0x306d4, pf=0x40, revision=0x2b
[    3.944093] microcode: Microcode Update Driver: v2.2.
If you use an initrd, create a new initrd with the "-P /boot/intel-ucode.cpio" option.

If you use lilo then reboot and check dmesg again.

If you use EFI then copy the new initrd over to the EFI partition before reboot and check dmesg again.

If you use grub, oh well, not my jam but you get the idea what needs to be done.

AFTER:
Code:
root@XXXX:/var/log# grep microcode dmesg
[    0.000000] microcode: microcode updated early to revision 0x2d, date = 2019-03-07
[    3.951274] microcode: sig=0x306d4, pf=0x40, revision=0x2d
[    3.951425] microcode: Microcode Update Driver: v2.2.
Enjoy!
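
An added example, not part of the post above: a shell helper that condenses the dmesg check described there into one summary line and an exit status. The function names `ucode_report`, `ucode_ok` and `sample_before` are hypothetical, and the embedded sample is the BEFORE output quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): summarise microcode state from dmesg text.
# Usage: ucode_report /var/log/dmesg      or      dmesg | ucode_report

ucode_report() {
    awk '
    # Early loader: "microcode: microcode updated early to revision 0x2d, date = ..."
    /microcode updated early to revision/ {
        early = $0; sub(/.*revision /, "", early); sub(/,.*/, "", early)
    }
    # Driver banner: "microcode: sig=0x306d4, pf=0x40, revision=0x2b"
    /microcode: .*sig=.*revision=/ {
        running = $0; sub(/.*revision=/, "", running)
    }
    # Kernel MDS verdict; the "no microcode" suffix means MD_CLEAR is missing.
    /MDS: Vulnerable/ { mds = "vulnerable" }
    /MDS: Mitigation/ { mds = "mitigated" }
    END {
        if (early == "")   early = "none"
        if (running == "") running = "unknown"
        if (mds == "")     mds = "unreported"
        printf "early=%s running=%s mds=%s\n", early, running, mds
    }' "$@"
}

# Exit status 0 only if an early update was applied and MDS is not flagged.
ucode_ok() {
    case "$(ucode_report "$@")" in
        early=none*|*mds=vulnerable) return 1 ;;
        *) return 0 ;;
    esac
}

# Sample input: the BEFORE lines quoted in the post above.
sample_before() {
    cat <<'EOF'
[    0.000000] microcode: microcode updated early to revision 0x2b, date = 2018-03-22
[    0.277311] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
[    3.943957] microcode: sig=0x306d4, pf=0x40, revision=0x2b
[    3.944093] microcode: Microcode Update Driver: v2.2.
EOF
}

sample_before | ucode_report
```

Feed it the full dmesg rather than `grep microcode` output, because the kernel's "MDS: Mitigation" line does not contain the word "microcode" and would otherwise show up as `mds=unreported`.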
 
Old 05-18-2019, 03:53 PM   #7
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,633

Quote:
Originally Posted by Lysander666 View Post
I found a Slackbuild for this here:

https://slackbuilds.org/repository/1...tel-microcode/

For my own reference, would installing this be sufficient [and its depend?]
Just installing it will create /boot/intel-ucode.cpio, and I just reported here that it doesn't always work (depends on CPU):
https://www.linuxquestions.org/quest...ml#post5995482

Even if I don't use initrd (at all) in my lilo configuration, as per Petri Kaukasoina's advice, I had to add initrd=/boot/intel-ucode.cpio on its own in /etc/lilo.conf and update lilo (run lilo).
Reported the success here:
https://www.linuxquestions.org/quest...ml#post5996246

Obviously, if you already use initrd, then you need to merge your initrd image with the intel-ucode.cpio
 
1 members found this post helpful.
Old 05-19-2019, 11:11 AM   #8
Lysander666
Senior Member
 
Registered: Apr 2017
Location: The Underearth
Distribution: Ubuntu, Debian, Slackware
Posts: 2,146
Blog Entries: 6

I wish I could add another 'solved' to this but it appears to have worked on my Skylake.

This was the situation before:

Code:
root@lysultra-vi:/var/log# grep microcode dmesg
[    0.040219] [Firmware Bug]: TSC_DEADLINE disabled due to Errata; please update microcode to version: 0xb2 (or later)
[    0.258168] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
[    4.346184] microcode: sig=0x406e3, pf=0x80, revision=0x9e
[    4.346426] microcode: Microcode Update Driver: v2.2.

This is it now:

Code:
root@lysultra-vi:/var/log# grep microcode dmesg
[    0.000000] microcode: microcode updated early to revision 0xcc, date = 2019-04-01
[    4.346985] microcode: sig=0x406e3, pf=0x80, revision=0xcc
[    4.347211] microcode: Microcode Update Driver: v2.2.

and for the first time I have mitigation on spec_store_bypass:

Code:
lysander@lysultra-vi:~$ gawk '{ print FILENAME ":\t" $0 }' /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/l1tf:	Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/mds:	Mitigation: Clear CPU buffers; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:	Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:	Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:	Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:	Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
This was using a combination of the microcode Slackbuild and [mostly] Chuck's simple advice.

Last edited by Lysander666; 05-19-2019 at 11:15 AM.
 
Old 05-20-2019, 05:18 AM   #9
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,315

Original Poster
Blog Entries: 15

So I decided to update the kernel before I went any further. The one in patches (4.4.172) is an earlier series but LTS, so paradoxically it is more recent. It's the first time I have installed a kernel in Slackware, and I was intrigued to see that the doinst.sh script only made a few useful symbolic links and did not actually change the boot process. I think I can see the philosophical rationale for that: changing the boot is hazardous, so should not be done behind the sysadmin's back.

I made the new initrd and got it right the second time (!). Now, I'm running the new kernel and I piped the intel firmware into /sys/devices to see what would happen. It seems to work OK.
Code:
[ 1728.000678] microcode: CPU0 sig=0x30678, pf=0x4, revision=0x811
[ 1728.003107] microcode: CPU0 updated to revision 0x838, date = 2019-04-22
[ 1728.003370] microcode: CPU1 sig=0x30678, pf=0x4, revision=0x811
[ 1728.005450] microcode: CPU1 updated to revision 0x838, date = 2019-04-22
[ 1728.005661] microcode: CPU2 sig=0x30678, pf=0x4, revision=0x811
[ 1728.008503] microcode: CPU2 updated to revision 0x838, date = 2019-04-22
[ 1728.008993] microcode: CPU3 sig=0x30678, pf=0x4, revision=0x811
[ 1728.011868] microcode: CPU3 updated to revision 0x838, date = 2019-04-22
Code:
 cat /sys/devices/system/cpu/vulnerabilities/*
Not affected
Mitigation: PTI
Not affected
Mitigation: __user pointer sanitization
Mitigation: Full generic retpoline
So now I'm going to make yet another initrd image with the -P option to load that stuff at boot.

Last edited by hazel; 05-20-2019 at 05:20 AM.
 
Old 05-20-2019, 05:35 AM   #10
Lysander666
Senior Member
 
Registered: Apr 2017
Location: The Underearth
Distribution: Ubuntu, Debian, Slackware
Posts: 2,146
Blog Entries: 6

You may not get full mitigation on 14.2 since the last stable, as you know, is 4.4.172 which was released in late Jan. Pat needs to at least release 4.4.180 for stable which has the necessary patches for ZombieLoad.

Mind you, I don't know which CPU you're running. It looks like an older one so maybe you're affected by ZL anyway?

Last edited by Lysander666; 05-20-2019 at 05:38 AM.
 
Old 05-20-2019, 05:40 AM   #11
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,315

Original Poster
Blog Entries: 15

Apparently it's a Bay Trail Pentium JS209. But bear in mind that I know damn-all about hardware. The point is that I'm not getting any report of vulnerabilities.
 
Old 05-20-2019, 06:42 AM   #12
Lysander666
Senior Member
 
Registered: Apr 2017
Location: The Underearth
Distribution: Ubuntu, Debian, Slackware
Posts: 2,146
Blog Entries: 6

You can also run this script, it's a lot more thorough:

https://github.com/speed47/spectre-meltdown-checker

Quote:
Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad vulnerability/mitigation checker for Linux & BSD
 
Old 05-20-2019, 07:30 AM   #13
hazel
LQ Guru
 
Registered: Mar 2016
Location: Harrow, UK
Distribution: LFS, AntiX, Slackware
Posts: 5,315

Original Poster
Blog Entries: 15

Here's a summary of what I got.
Code:
CVE-2017-5753 Spectre 1: Mitigated, not vulnerable
CVE-2017-7515 Spectre 2: Mitigated, not vulnerable but should enable IBBP
CVE-2017-5754 Meltdown: Mitigated, not vulnerable
CVE-2018-3640 Variant 3A: Vulnerable. More up-to-date firmware required.
CVE-2018-12126 Fallout: Vulnerable. Microcode supports mitigation but kernel does not.
CVE-2018-12130 Zombieload: Vulnerable. Microcode supports mitigation but kernel does not.
CVE-2018-12127 RIDL: Vulnerable. Microcode supports mitigation but kernel does not.
CVE-2019-11091 RIDL: Vulnerable. Microcode supports mitigation but kernel does not.
Looks like that new kernel isn't good enough. Is there a later one in current? I'll go check. Now I've installed one, it should be easy to do another.

Just checked: current has 4.19.44.

btw What is IBBP? I can't find it on duckduckgo.

Last edited by hazel; 05-20-2019 at 09:53 AM. Reason: Added postscript
 
Old 05-20-2019, 01:17 PM   #14
abga
Senior Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware
Posts: 1,633

Quote:
Originally Posted by hazel View Post

btw What is IBBP? I can't find it on duckduckgo.
Looks like a typo, should be IBPB - Indirect Branch Prediction Barrier
https://access.redhat.com/articles/3...rriers-ibpb-10
https://lwn.net/Articles/764209/
 
1 members found this post helpful.
Old 05-21-2019, 03:06 AM   #15
FlinchX
Member
 
Registered: Nov 2017
Distribution: Slackware Linux
Posts: 571

Quote:
Originally Posted by Chuck56 View Post
If you use an initrd, create a new initrd with the "-P /boot/intel-ucode.cpio" option.
The legacy approach works as well:

Code:
cp /boot/initrd.gz /tmp
cat /boot/intel-ucode.cpio /tmp/initrd.gz > /boot/initrd.gz
 
2 members found this post helpful.
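
An added example, not part of the thread: a check that an initrd image really begins with an uncompressed microcode cpio, plus a prepend helper that refuses to stack a second archive, covering both the `mkinitrd -P` route and the `cat` route above. The function names are hypothetical; the path `kernel/x86/microcode/GenuineIntel.bin` is the name the kernel's early loader looks for on Intel CPUs and is not stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify and build an initrd with an
# early-load microcode archive in front.
# Usage: has_early_ucode /boot/initrd.gz && echo "microcode archive present"

# Path the kernel's early loader searches for inside the leading cpio (Intel).
UCODE_PATH='kernel/x86/microcode/GenuineIntel.bin'

# Returns 0 if IMAGE begins with a "newc" cpio header (ASCII magic 070701)
# and the microcode path is readable in the clear. A plain gzip initrd fails
# both tests: it starts with bytes 1f 8b and its file names are compressed.
has_early_ucode() {
    [ "$(head -c 6 "$1" 2>/dev/null | tr -d '\000')" = "070701" ] &&
        grep -a -q "$UCODE_PATH" "$1"
}

# prepend_ucode UCODE_CPIO INITRD OUT
# Writes UCODE_CPIO followed by INITRD to OUT. Never writes over its input,
# and refuses an INITRD that already carries a microcode archive.
prepend_ucode() {
    if ! has_early_ucode "$1"; then
        echo "not an early-load microcode cpio: $1" >&2
        return 2
    fi
    if has_early_ucode "$2"; then
        echo "already has early microcode: $2" >&2
        return 1
    fi
    if [ "$2" = "$3" ]; then
        echo "output must differ from input initrd" >&2
        return 3
    fi
    cat "$1" "$2" > "$3"
}
```

Running `has_early_ucode` on the image the bootloader actually reads (including the copy on the EFI partition) catches the case where a later initrd rebuild without `-P` silently drops the microcode.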
  

