LinuxQuestions.org


mlpa 06-01-2018 01:25 PM

Spectre & Meltdown - Intel Microcode
 
Dear all,

We all know about the Spectre & Meltdown issues.
I used an online tool to check if my system was secure.
As expected, it claimed that I needed a new version of Intel microcode.
Around that time, this SlackBuild appeared.

My question is: with the latest update to Slackware64 14.2 (with a new version of firmware), is my system secured? Or should I keep the Intel microcode from SlackBuilds?

Does Slackware even ship any Intel firmware?

GazL 06-02-2018 06:03 AM

No, the intel microcode is not part of linux-firmware. You still need to add it separately.

kjhambrick 06-02-2018 06:27 AM

mlpa --

EDIT: Oops, too slow ... GazL beat me to the Answer :)

Answer: The intel-microcode is only available as an SBo SlackBuild.

Maybe more than you need to know follows. :)

There are a few threads and quite a few posts here on LQ about the iucode_tool + intel-microcode SlackBuilds.

In a nutshell, the intel-microcode is not included in Slackware 14.2 -- you'll have to install the SlackBuilds.

And then if you want to invoke 'early microcode loading' you'll need an initrd file with the intel ucode.

In a nutshell:

Code:

  1. Download the iucode_tool and intel-microcode SBo Packages.
  2. Read the README Files
  3. Read the Threads here on LQ
  4. Read the README Files again :)
  5. Build and installpkg iucode_tool
  6. Build and installpkg intel-microcode
  7. Create (an) additional initrd file(s) for the Kernel(s) in /etc/lilo.conf
  8. Run lilo
  9. Reboot

If you invoke the SlackBuilds and run installpkg in the order above, then your new intel-microcode-20180312-noarch-1_SBo.tgz Package will include /boot/intel-ucode.cpio

The /boot/intel-ucode.cpio file can be used as an initrd for the Slackware HUGE Kernels ( as you probably know, a HUGE Kernel does not normally need an initrd file ).

If you run a GENERIC with an initrd file, then the /boot/intel-ucode.cpio file can be PREPENDED to a copy of your existing initrd.

Once you've got your new initrd, adjust /etc/lilo.conf accordingly and run lilo and reboot.

One note: the intel-microcode.SlackBuild is one revision behind Intel's latest release.

And Intel changed the Packaging in their latest release so that the existing intel-microcode.SlackBuild does not work out-of-the-box.

In practical terms, very few users need the very latest version because it is mostly a bug fix for a couple specific Processors:
Code:

== 20180425 Release ==
-- Updates upon 20180312 release --
Processor             Identifier     Version       Products
Model        Stepping F-MO-S/PI      Old->New
---- updated platforms ------------------------------------
GLK          B0       6-7a-1/01 0000001e->00000022 Pentium Silver N/J5xxx, Celeron N/J4xxx
---- removed platforms ------------------------------------
BDX-ML       B/M/R0   6-4f-1/ef 0b000021           Xeon E5/E7 v4; Core i7-69xx/68xx

-- Special release with caveats --
BDX-ML       B/M/R0   6-4f-1/ef           0b00002c Xeon E5/E7 v4; Core i7-69xx/68xx

If this affects you and yours, I posted a modified intel-microcode.SlackBuild here on LQ to handle Intel's new packaging.

Finally, this may sound daunting, but due to all the excellent work upstream and among our very own SBo developers, it is really pretty simple to pull off, and once your CPU is 'fixed' you probably won't need to do it ever again ( other than to include the /boot/intel-ucode.cpio file in your initrd ).

HTH.

-- kjh

Note: After booting, you can see whether you've got the intel microcode like so:
Code:

# dmesg -t |grep microcode

microcode: CPU0 microcode updated early to revision 0xc2, date = 2017-11-16
microcode: CPU1 microcode updated early to revision 0xc2, date = 2017-11-16
microcode: CPU2 microcode updated early to revision 0xc2, date = 2017-11-16
microcode: CPU3 microcode updated early to revision 0xc2, date = 2017-11-16
microcode: CPU0 sig=0x506e3, pf=0x2, revision=0xc2
microcode: CPU1 sig=0x506e3, pf=0x2, revision=0xc2
microcode: CPU2 sig=0x506e3, pf=0x2, revision=0xc2
microcode: CPU3 sig=0x506e3, pf=0x2, revision=0xc2
microcode: CPU4 sig=0x506e3, pf=0x2, revision=0xc2
microcode: CPU5 sig=0x506e3, pf=0x2, revision=0xc2
microcode: CPU6 sig=0x506e3, pf=0x2, revision=0xc2
microcode: CPU7 sig=0x506e3, pf=0x2, revision=0xc2
microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba


brobr 06-03-2018 01:22 PM

Konrad, is the microcode needed for all processors or for only a particular sub-set? I am asking because at the time this stuff happened I checked and thought that my newish i7-7700 did not fit the bill. But I might be wrong...

Skaendo 06-03-2018 02:14 PM

Quote:

Originally Posted by brobr (Post 5862996)
Konrad, is the microcode needed for all processors or for only a particular sub-set? I am asking because at the time this stuff happened I checked and thought that my newish i7-7700 did not fit the bill. But I might be wrong...

Most Intel CPUs have microcode updates. It's probably a good idea to check which version you are running, then build and load the new microcode and compare. You will likely see a difference in the revision.

Edit:
Kaby Lakes do have microcode updates.

abga 06-03-2018 02:28 PM

i7-7700* looks to be Kaby Lake H/S/X/G and mitigated according to the latest (couldn't find any newer revision) "Microcode Update Guidance" (page 11):
https://newsroom.intel.com/wp-conten...e-guidance.pdf

There might be a possibility to check if the microcode tarball contains microcode for your CPU by first identifying your CPU details according to the "== About Processor Signature, Family, Model, Stepping and Platform ID ==" section from the Detailed Description and then looking for a match in the intel-ucode/list file from within the archive:
https://downloadcenter.intel.com/dow...code-Data-File
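
The lookup described in the post above can be scripted. This is an added example, not part of the original post or of the intel-microcode package: it turns the sig= value from the kernel's microcode messages into the family-model-stepping file name used under intel-ucode/, then walks the update headers in that file for the revision whose processor-flags mask covers the pf= value. It goes beyond the post by reading the binary files rather than the list file; the function names are this example's own, and the header offsets assume the microcode update header layout documented in the Intel SDM.

```shell
#!/bin/sh
# Map a CPUID signature (sig=0x... in the kernel's "microcode:" messages) to
# the family-model-stepping file name the kernel looks up under intel-ucode/.
sig_to_ucode_name() {
    sig=$(( $1 ))
    stepping=$(( sig & 0xf ))
    model=$(( (sig >> 4) & 0xf ))
    family=$(( (sig >> 8) & 0xf ))
    # Extended model bits count for families 6 and 15, extended family for 15.
    if [ "$family" -eq 6 ] || [ "$family" -eq 15 ]; then
        model=$(( (((sig >> 16) & 0xf) << 4) | model ))
    fi
    if [ "$family" -eq 15 ]; then
        family=$(( family + ((sig >> 20) & 0xff) ))
    fi
    printf '%02x-%02x-%02x\n' "$family" "$model" "$stepping"
}

# Print the little-endian 32-bit field at byte offset $2 of file $1 as 0x%08x.
le32_at() {
    set -- $(od -An -tx1 -j"$2" -N4 "$1")
    [ $# -eq 4 ] || return 1
    printf '0x%s%s%s%s\n' "$4" "$3" "$2" "$1"
}

# ucode_lookup SIG PF DIR: print the revision of the update in DIR that covers
# signature SIG and platform flags PF (both as shown by dmesg).
# Returns 1 if no file exists for SIG, 2 if no update in it matches PF.
# Assumed header offsets: 4 = revision, 24 = processor flags, 32 = total size.
ucode_lookup() {
    file=$3/$(sig_to_ucode_name "$1")
    [ -f "$file" ] || return 1
    size=$(( $(wc -c < "$file") ))
    off=0
    # A file may hold several updates back to back, one per platform mask.
    while [ "$off" -lt "$size" ]; do
        rev=$(le32_at "$file" $(( off + 4 ))) || return 1
        mask=$(le32_at "$file" $(( off + 24 ))) || return 1
        total=$(le32_at "$file" $(( off + 32 ))) || return 1
        if [ $(( $2 & $mask )) -ne 0 ]; then
            echo "$rev"
            return 0
        fi
        [ $(( $total )) -gt 0 ] || total=2048   # a total size of 0 means 2048 bytes
        off=$(( off + $total ))
    done
    return 2
}

# The two signatures quoted in this thread. On a real system, follow with e.g.
#   ucode_lookup 0x906e9 0x20 /lib/firmware/intel-ucode
for s in 0x506e3 0x906e9; do
    printf '%s -> %s\n' "$s" "$(sig_to_ucode_name "$s")"
done
```

Compare the printed revision with the revision= value in dmesg: a higher value in the file means an update is available for that CPU.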

brobr 06-03-2018 02:34 PM

Hi Skaendo and abga; you beat me to it ;-) My processor is Kaby Lake and it is listed in the list at the bottom of abga's second link: /Linux-Processor-Microcode-Data-File

So I better get that implemented....

Thanks,

rob

Skaendo 06-03-2018 02:43 PM

I don't think that the newest microcode works with the SlackBuild on SBo.

See this post for a fix: https://www.linuxquestions.org/quest...ml#post5851373

brobr 06-03-2018 02:53 PM

Thanks, Skaendo, I followed Konrad's advice, searched the forum and found his SlackBuilds at that link.... At least I know I am on the right track to use the up-to-date stuff ;-)

abga 06-03-2018 03:04 PM

Quote:

Originally Posted by brobr (Post 5863058)
At least I know I am on the right track to use the up-to-date stuff ;-)

Keep the notes/tools available because soon you'll need to do the update again just in order to stay "up-to-date" ;)
https://www.linuxquestions.org/quest...ml#post5857751
Subvariant 3a (CVE-2018-3640)
Variant 4 (CVE-2018-3639)

brobr 06-03-2018 04:12 PM

Well, that was fun, my revision 'reversed' (:
Code:


bash-4.4# less /var/log/messages | grep -i microcode
..
May 25 00:11:02 knotsUL kernel: [    5.085009] microcode: sig=0x906e9, pf=0x20, revision=0x48
May 29 12:00:46 knotsUL kernel: [    5.071634] microcode: Microcode Update Driver: v2.2.
Jun  1 16:24:31 knotsUL kernel: [    5.086205] microcode: sig=0x906e9, pf=0x20, revision=0x48
Jun  1 16:24:31 knotsUL kernel: [    5.087017] microcode: Microcode Update Driver: v2.2.
Jun  3 21:45:43 knotsUL kernel: [    0.000000] microcode: microcode updated early to revision 0x84, date = 2018-01-21
Jun  3 21:45:43 knotsUL kernel: [    5.085772] microcode: sig=0x906e9, pf=0x20, revision=0x84
Jun  3 21:45:43 knotsUL kernel: [    5.086558] microcode: Microcode Update Driver: v2.2.

bash-4.4$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: __user pointer sanitization
bash-4.4$ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full generic retpoline, IBPB, IBRS_FW

Thanks all for the pointers that made this work.

PS there is a nice option in /etc/mkinitrd.conf to get the intel-ucode.cpio (or intel-ucode-mycpu.cpio) automatically included in the initrd.gz.
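
The post-reboot checks shown in kjhambrick's note and in the post above, as an added example that is not part of either post: it reads kernel log lines on stdin, lists the microcode revisions seen over time, confirms that the last boot's revision is the one an "updated early" message announced, and lists any sysfs vulnerability entries still reported as "Vulnerable". The sample log is constructed in the format of the lines quoted in this thread, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample in the format of the log lines quoted in this thread.
SAMPLE_LOG='Jun  1 16:24:31 host kernel: [    5.086205] microcode: sig=0x906e9, pf=0x20, revision=0x48
Jun  1 16:24:31 host kernel: [    5.087017] microcode: Microcode Update Driver: v2.2.
Jun  3 21:45:43 host kernel: [    0.000000] microcode: microcode updated early to revision 0x84, date = 2018-01-21
Jun  3 21:45:43 host kernel: [    5.085772] microcode: sig=0x906e9, pf=0x20, revision=0x84
Jun  3 21:45:43 host kernel: [    5.086558] microcode: Microcode Update Driver: v2.2.'

# Print the distinct revisions reported by "sig=" lines, in order of appearance.
ucode_history() {
    awk '
    /microcode:/ && /sig=0x/ && match($0, /revision=0x[0-9a-fA-F]+/) {
        rev = substr($0, RSTART + 9, RLENGTH - 9)
        if (rev != last) { out = out (out == "" ? "" : " ") rev; last = rev }
    }
    END { print out }'
}

# Succeed only if, in the last boot found in the log, the running revision is
# the one an "updated early" message announced during that same boot.
# The "Microcode Update Driver" line is used as the end-of-boot marker.
ucode_early_ok() {
    awk '
    function close_boot() {
        if (cur != "") ok = (cur == early)
        early = ""; cur = ""
    }
    /microcode:/ && match($0, /updated early to revision 0x[0-9a-fA-F]+/) {
        early = substr($0, RSTART + 26, RLENGTH - 26)
    }
    /microcode:/ && /sig=0x/ && match($0, /revision=0x[0-9a-fA-F]+/) {
        cur = substr($0, RSTART + 9, RLENGTH - 9)
    }
    /Microcode Update Driver/ { close_boot() }
    END { close_boot(); exit !ok }'
}

# Print the name of every sysfs entry the kernel still reports as "Vulnerable".
vuln_unmitigated() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        case $(cat "$f") in
            Vulnerable*) basename "$f" ;;
        esac
    done
}

printf 'revisions seen: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | ucode_history)"
if printf '%s\n' "$SAMPLE_LOG" | ucode_early_ok; then
    echo "last boot: early microcode update applied"
else
    echo "last boot: no early microcode update"
fi
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    vuln_unmitigated
fi
```

On a live system, feed it `dmesg -t` or `grep -i microcode /var/log/messages` instead of the sample.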

GazL 06-20-2018 06:28 AM

Still little information, but sounds like there's something in the wind again:
https://www.theregister.co.uk/2018/0...yperthreading/

Petri Kaukasoina 07-16-2018 06:15 AM

Latest microcode-20180703 https://downloadcenter.intel.com/dow...le?product=873

ponce 07-16-2018 07:20 AM

Quote:

Originally Posted by Petri Kaukasoina (Post 5879695)

I'm using it here with some modifications to SBo's SlackBuild
Code:

diff -Naur intel-microcode.orig/LICENSE intel-microcode/LICENSE
--- intel-microcode.orig/LICENSE        1970-01-01 01:00:00.000000000 +0100
+++ intel-microcode/LICENSE        2018-07-11 16:34:19.572948000 +0200
@@ -0,0 +1,123 @@
+INTEL SOFTWARE LICENSE AGREEMENT
+
+IMPORTANT - READ BEFORE COPYING, INSTALLING OR USING.
+Do not use or load this software and any associated materials (collectively,
+the "Software") until you have carefully read the following terms and
+conditions. By loading or using the Software, you agree to the terms of this
+Agreement. If you do not wish to so agree, do not install or use the Software.
+
+LICENSES: Please Note:
+- If you are a network administrator, the "Site License" below shall
+apply to you.
+- If you are an end user, the "Single User License" shall apply to you.
+- If you are an original equipment manufacturer (OEM), the "OEM License"
+shall apply to you.
+
+SITE LICENSE. You may copy the Software onto your organization's computers
+for your organization's use, and you may make a reasonable number of
+back-up copies of the Software, subject to these conditions:
+
+1. This Software is licensed for use only in conjunction with Intel
+component products. Use of the Software in conjunction with non-Intel
+component products is not licensed hereunder.
+2. You may not copy, modify, rent, sell, distribute or transfer any part
+of the Software except as provided in this Agreement, and you agree to
+prevent unauthorized copying of the Software.
+3. You may not reverse engineer, decompile, or disassemble the Software.
+4. You may not sublicense or permit simultaneous use of the Software by
+more than one user.
+5. The Software may include portions offered on terms in addition to those
+set out here, as set out in a license accompanying those portions.
+
+SINGLE USER LICENSE. You may copy the Software onto a single computer for
+your personal, noncommercial use, and you may make one back-up copy of the
+Software, subject to these conditions:
+
+1. This Software is licensed for use only in conjunction with Intel
+component products. Use of the Software in conjunction with non-Intel
+component products is not licensed hereunder.
+2. You may not copy, modify, rent, sell, distribute or transfer any part
+of the Software except as provided in this Agreement, and you agree to
+prevent unauthorized copying of the Software.
+3. You may not reverse engineer, decompile, or disassemble the Software.
+4. You may not sublicense or permit simultaneous use of the Software by
+more than one user.
+5. The Software may include portions offered on terms in addition to those
+set out here, as set out in a license accompanying those portions.
+
+OEM LICENSE: You may reproduce and distribute the Software only as an
+integral part of or incorporated in Your product or as a standalone
+Software maintenance update for existing end users of Your products,
+excluding any other standalone products, subject to these conditions:
+
+1. This Software is licensed for use only in conjunction with Intel
+component products. Use of the Software in conjunction with non-Intel
+component products is not licensed hereunder.
+2. You may not copy, modify, rent, sell, distribute or transfer any part
+of the Software except as provided in this Agreement, and you agree to
+prevent unauthorized copying of the Software.
+3. You may not reverse engineer, decompile, or disassemble the Software.
+4. You may only distribute the Software to your customers pursuant to a
+written license agreement. Such license agreement may be a "break-the-
+seal" license agreement. At a minimum such license shall safeguard
+Intel's ownership rights to the Software.
+5. The Software may include portions offered on terms in addition to those
+set out here, as set out in a license accompanying those portions.
+
+NO OTHER RIGHTS. No rights or licenses are granted by Intel to You, expressly
+or by implication, with respect to any proprietary information or patent,
+copyright, mask work, trademark, trade secret, or other intellectual property
+right owned or controlled by Intel, except as expressly provided in this
+Agreement.
+
+OWNERSHIP OF SOFTWARE AND COPYRIGHTS. Title to all copies of the Software
+remains with Intel or its suppliers. The Software is copyrighted and
+protected by the laws of the United States and other countries, and
+international treaty provisions. You may not remove any copyright notices
+from the Software. Intel may make changes to the Software, or to items
+referenced therein, at any time without notice, but is not obligated to
+support or update the Software. Except as otherwise expressly provided, Intel
+grants no express or implied right under Intel patents, copyrights,
+trademarks, or other intellectual property rights. You may transfer the
+Software only if the recipient agrees to be fully bound by these terms and if
+you retain no copies of the Software.
+
+LIMITED MEDIA WARRANTY. If the Software has been delivered by Intel on
+physical media, Intel warrants the media to be free from material physical
+defects for a period of ninety days after delivery by Intel. If such a defect
+is found, return the media to Intel for replacement or alternate delivery of
+the Software as Intel may select.
+
+EXCLUSION OF OTHER WARRANTIES. EXCEPT AS PROVIDED ABOVE, THE SOFTWARE IS
+PROVIDED "AS IS" WITHOUT ANY EXPRESS OR IMPLIED WARRANTY OF ANY KIND
+INCLUDING WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT, OR FITNESS FOR A
+PARTICULAR PURPOSE. Intel does not warrant or assume responsibility for the
+accuracy or completeness of any information, text, graphics, links or other
+items contained within the Software.
+
+LIMITATION OF LIABILITY. IN NO EVENT SHALL INTEL OR ITS SUPPLIERS BE LIABLE
+FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOST PROFITS,
+BUSINESS INTERRUPTION, OR LOST INFORMATION) ARISING OUT OF THE USE OF OR
+INABILITY TO USE THE SOFTWARE, EVEN IF INTEL HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS PROHIBIT EXCLUSION OR
+LIMITATION OF LIABILITY FOR IMPLIED WARRANTIES OR CONSEQUENTIAL OR INCIDENTAL
+DAMAGES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU. YOU MAY ALSO HAVE
+OTHER LEGAL RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION.
+
+TERMINATION OF THIS AGREEMENT. Intel may terminate this Agreement at any time
+if you violate its terms. Upon termination, you will immediately destroy the
+Software or return all copies of the Software to Intel.
+
+APPLICABLE LAWS. Claims arising under this Agreement shall be governed by the
+laws of California, excluding its principles of conflict of laws and the
+United Nations Convention on Contracts for the Sale of Goods. You may not
+export the Software in violation of applicable export laws and regulations.
+Intel is not obligated under any other agreements unless they are in writing
+and signed by an authorized representative of Intel.
+
+GOVERNMENT RESTRICTED RIGHTS. The Software is provided with "RESTRICTED
+RIGHTS." Use, duplication, or disclosure by the Government is subject to
+restrictions as set forth in FAR52.227-14 and DFAR252.227-7013 et seq. or its
+successor. Use of the Software by the Government constitutes acknowledgment
+of Intel's proprietary rights therein. Contractor or Manufacturer is Intel
+2200 Mission College Blvd., Santa Clara, CA 95052.
diff -Naur intel-microcode.orig/README intel-microcode/README
--- intel-microcode.orig/README        2018-07-14 18:55:23.824948000 +0200
+++ intel-microcode/README        2018-07-11 16:44:33.383948000 +0200
@@ -9,12 +9,7 @@
 
 This SlackBuild repackages the official Intel microcode archive.
 
-The "microcode.dat" file is placed under /lib/firmware/microcode.dat and can be
-later uploaded using microcode_ctl utility (available from SlackBuilds.org).
-This approach (microcode.dat + microcode_ctl) is kept for compatibility reasons
-and should be avoided whenever possible. * Use the solution described below. *
-
-If the iucode_tool (available from SlackBuilds.org) is installed on the system,
+With the iucode_tool (available from SlackBuilds.org) installed on the system,
 this SlackBuild will:
 
 1) write the microcodes with the file names as expected by the Linux kernel
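Review bot: The reworded sentence "With the iucode_tool ... installed on the system" still reads as a condition the user may or may not meet, while the SlackBuild in this same patch now calls iucode_tool and bsdcpio unconditionally. State both as build requirements in the README, and say that /lib/firmware/microcode.dat is no longer shipped so that anyone still loading it through microcode_ctl knows to switch.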
diff -Naur intel-microcode.orig/intel-microcode.SlackBuild intel-microcode/intel-microcode.SlackBuild
--- intel-microcode.orig/intel-microcode.SlackBuild        2018-07-14 18:55:23.825948000 +0200
+++ intel-microcode/intel-microcode.SlackBuild        2018-07-11 16:44:55.451948000 +0200
@@ -24,7 +24,7 @@
 
 PRGNAM=intel-microcode
 SRCNAM=microcode
-VERSION=${VERSION:-20180312}
+VERSION=${VERSION:-20180703}
 BUILD=${BUILD:-1}
 TAG=${TAG:-_SBo}
 ARCH=noarch
@@ -44,22 +44,17 @@
 mkdir $SRCNAM-$VERSION
 tar xvf $CWD/$SRCNAM-$VERSION.tgz -C $SRCNAM-$VERSION
 cd $SRCNAM-$VERSION
-chown root:root microcode.dat
-chmod 0644      microcode.dat
 
-mkdir -p $PKG/lib/firmware
-cp -a microcode.dat $PKG/lib/firmware
-
-if [ -x /usr/sbin/iucode_tool ]; then
-  mkdir -p $PKG/lib/firmware/intel-ucode
-  /usr/sbin/iucode_tool -v --list-all -K$PKG/lib/firmware/intel-ucode microcode.dat
-  mkdir -p $PKG/boot
-  /usr/sbin/iucode_tool -v --write-earlyfw=$PKG/boot/intel-ucode.cpio microcode.dat
-fi
+rm -f intel-ucode{,-with-caveats}/list
+mkdir -p kernel/x86/microcode $PKG/lib/firmware
+iucode_tool -w kernel/x86/microcode/GenuineIntel.bin intel-ucode{,-with-caveats}/
+echo kernel/x86/microcode/GenuineIntel.bin | bsdcpio -o -H newc -R 0:0 > intel-ucode.cpio
+cp -R intel-ucode intel-ucode-with-caveats $PKG/lib/firmware/
+install -D -m0644 intel-ucode.cpio $PKG/boot/intel-ucode.cpio
 
 mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
 cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
-cat releasenote > $PKG/usr/doc/$PRGNAM-$VERSION/RELEASE_NOTE
+cp releasenote $CWD/LICENSE $PKG/usr/doc/$PRGNAM-$VERSION/
 
 mkdir -p $PKG/install
 cat $CWD/slack-desc > $PKG/install/slack-desc
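Review bot: The iucode_tool line passes intel-ucode{,-with-caveats}/ and so folds the with-caveats directory into GenuineIntel.bin, which means the early-load /boot/intel-ucode.cpio applies updates that Intel ships separately as a release with caveats, with no opt-in from the user. Build the default cpio from intel-ucode/ only and put the caveats directory behind a build-time variable. The old "[ -x /usr/sbin/iucode_tool ]" guard is also gone and bsdcpio is a new unchecked dependency; unless the script aborts on error, a failed iucode_tool run leaves bsdcpio packing a file that does not exist, so test for both tools up front or keep --write-earlyfw, which the previous version used to write the cpio directly.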
diff -Naur intel-microcode.orig/intel-microcode.info intel-microcode/intel-microcode.info
--- intel-microcode.orig/intel-microcode.info        2018-07-14 18:55:23.825948000 +0200
+++ intel-microcode/intel-microcode.info        2018-07-16 14:18:10.666948000 +0200
@@ -1,10 +1,10 @@
 PRGNAM="intel-microcode"
-VERSION="20180312"
+VERSION="20180703"
 HOMEPAGE="https://downloadcenter.intel.com/"
-DOWNLOAD="https://downloadmirror.intel.com/27591/eng/microcode-20180312.tgz"
-MD5SUM="be315cd99a7ca392a2f917ceacbe14f2"
+DOWNLOAD="https://downloadmirror.intel.com/27945/eng/microcode-20180703.tgz"
+MD5SUM="873f2bdd7c0edf317f416f54fee74b42"
 DOWNLOAD_x86_64=""
 MD5SUM_x86_64=""
-REQUIRES=""
+REQUIRES="iucode_tool"
 MAINTAINER="Andrzej Telszewski"
 EMAIL="atelszewski@gmail.com"
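Review bot: MD5SUM is the only integrity check recorded for microcode-20180703.tgz, and MD5 is not collision-resistant. The .info format fixes that field, so also record a SHA-256 of the tarball you built from (for example in the README) so that others can confirm they fetched the same archive. MAINTAINER and EMAIL still name the original maintainer; mark the files as a local modification if they are passed on outside this thread.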


kjhambrick 07-16-2018 07:39 AM

Very Nice ponce !

I am going to try it out when 4.4.141 is released.

-- kjh

