Discussion: Intel microcode update
Rinaldi J. Montessi
2018-01-13 13:49:50 UTC
Recently downloaded the Slackbuilds tools for building and installing
the latest Intel microcode update (January 2018). iucode_tool and
intel-microcode.

Question is, should I go ahead and install this update or wait for the
package to be provided in an official update? Or none of the above?
Not sure of the risks involved in fiddling with microcode.

Rinaldi
--
Bipolar, adj.:
Refers to someone who has homes in Nome, Alaska, and Buffalo,
New York
King Beowulf
2018-01-14 20:57:45 UTC
Post by Rinaldi J. Montessi
Recently downloaded the Slackbuilds tools for building and installing
the latest Intel microcode update (January 2018). iucode_tool and
intel-microcode.
Question is, should I go ahead and install this update or wait for the
package to be provided in an official update? Or none of the above? Not
sure of the risks involved in fiddling with microcode.
Rinaldi
For motherboards that are now "legacy" - my x99 last UEFI/BIOS update was
in 2016 - your only recourse is to load new microcode on boot along with
a patched kernel. Doing one or the other is only half the fun. If
possible, it's best to load microcode as early as possible before the
kernel actually loads, as any exploit needs to be already in memory to
take advantage of the CPU hardware bugs.

[rant]

I'm not going to stress over Spectre and Meltdown, as it's not directly
exploitable remotely, and wait for Slackware 15. I have my email client
set to text only, and the browser set up with NoScript and Adblock.
That will take care of any drive-by javascript, etc. I don't download
random binaries. Anything else will require the "hacker" to enter my
home, sit at my desk, and log into my computer. This issue is of serious
concern, yes, but I am no longer surprised at the depths of stupidity our
species achieves in the quest for profit (greed) and convenience
(sloth).

My advice? DON'T PANIC. Take the same online precautions that you should
have been doing since...forever. Learn to love plain text (USENET FTW!).
Lose the online fetish. Use a phone as a phone and not as an
entertainment device because you get bored standing in line for 5 minutes
or walking down the street. Go to a brick and mortar store and use cash
more often. Go to the physical bank.

See also,
https://www.anandtech.com/show/12214/understanding-meltdown-and-spectre

[/rant]
Eef Hartman
2018-01-23 13:20:23 UTC
Post by Rinaldi J. Montessi
Question is, should I go ahead and install this update or wait for the
package to be provided in an official update? Or none of the above?
Not sure of the risks involved in fiddling with microcode.
It certainly depends on the exact model of CPU you've got. Some of the
microcode updates have recently been retracted again, see e.g.:
https://www.cnet.com/news/intel-stops-some-chip-patches-unexpected-reboot-meltdown-spectre/
so people with Haswell or Broadwell (or newer) processors should wait
for the next release of firmware updates.
Jerry Peters
2018-01-23 21:10:41 UTC
Post by Eef Hartman
Post by Rinaldi J. Montessi
Question is, should I go ahead and install this update or wait for the
package to be provided in an official update? Or none of the above?
Not sure of the risks involved in fiddling with microcode.
It certainly depends on the exact model of CPU you've got. Some of the
https://www.cnet.com/news/intel-stops-some-chip-patches-unexpected-reboot-meltdown-spectre/
so people with Haswell or Broadwell (or newer) processors should wait
for the next release of firmware updates.
I updated the firmware about a week or so ago, so far no problems on
a Xeon and a core-2 duo. Also using fairly recent stable kernels with
the pti patches.
Eef Hartman
2018-01-24 02:51:37 UTC
Post by Jerry Peters
a Xeon and a core-2 duo.
As I said, it depends on the exact model of CPU, there are lots of
different "Xeon"s or "Core 2 Duo"s around, although most are older
than the Haswell (etc) one this specific article is about.

E.g. my CPU is a Core 2 Duo E7600, which is a Wolfdale-3M processor
(like all of the E7xxx ones, the E8xxx series are Wolfdales with
6 MB cache).
The Xeon 3100 server series also use the Wolfdale chip, while the Xeon
L3014 and E3113 processors are Wolfdale-CL ones (identical to the
"normal" Wolfdale, but with a different LGA771 socket).

For the Core 2 line, see this page:
https://en.wikipedia.org/wiki/Intel_Core_2
while for the Xeon this page will give you an idea:
https://en.wikipedia.org/wiki/Xeon

The "rebooting problem" seems to start at the Sandy Bridge and Ivy
Bridge chips, for Xeon that is the E3-1xxx ones and later.
Eef Hartman
2018-02-04 11:52:02 UTC
Post by Jerry Peters
I updated the firmware about a week or so ago, so far no problems on
a Xeon and a core-2 duo. Also using fairly recent stable kernels with
the pti patches.
New developments: Pat (in slackware current) already upgraded to
kernel 4.14.17 today, so that's THREE kernel updates in less than
three weeks.
No newer firmware, though, it still is the 20180118 one.
And there's a btrfs-progs update too: v4.15
Jerry Peters
2018-02-04 21:20:07 UTC
Post by Eef Hartman
Post by Jerry Peters
I updated the firmware about a week or so ago, so far no problems on
a Xeon and a core-2 duo. Also using fairly recent stable kernels with
the pti patches.
New developments: Pat (in slackware current) already upgraded to
kernel 4.14.17 today, so that's THREE kernel updates in less than
three weeks.
No newer firmware, though, it still is the 20180118 one.
And there's a btrfs-progs update too: v4.15
I'm on a custom 4.14.15 kernel on all machines now, will probably
switch to 4.15.1 in a few days.

Intel's removed the 2018 firmware leaving the November 2017 firmware
as current. In my case, only the TS140 with a Xeon had any new
firmware in the 2018 release and it's still running fine with it.

For Spectre mitigation a new (very new) version of gcc is necessary
to compile the kernel.
Sylvain Robitaille
2018-02-05 17:09:24 UTC
For Spectre mitigation a new (very new) version of gcc is necessary
to compile the kernel.
I'd be interested in a pointer (or a few) to further information
regarding that. I was under the impression that the page-table
isolation patch by itself was reasonable mitigation.
--
----------------------------------------------------------------------
Sylvain Robitaille ***@encs.concordia.ca

Systems analyst / AITS Concordia University
Faculty of Engineering and Computer Science Montreal, Quebec, Canada
----------------------------------------------------------------------
Jerry Peters
2018-02-05 21:18:59 UTC
Post by Sylvain Robitaille
For Spectre mitigation a new (very new) version of gcc is necessary
to compile the kernel.
I'd be interested in a pointer (or a few) to further information
regarding that. I was under the impression that the page-table
isolation patch by itself was reasonable mitigation.
No, kpti mitigates Meltdown, Spectre has to do with branch
prediction/mis-prediction as an information leak.

The kernel fixes for Spectre only fix asm code, the latest gcc
includes some features that allow the kernel to fix c code also.

LWN is probably your best source. I've been keeping up with the LKM
threads on the subject.
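The distinction Jerry draws above (PTI covers Meltdown; Spectre v2 needs retpolines, and a kernel built with a gcc that lacks retpoline support only gets the hand-written asm ones) is visible on a running 4.14.x/4.15 kernel in the status files under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not code from the thread or from Slackware; it classifies those status strings and builds a constructed sample directory so it runs offline. The sample values are assumed ones modelled on the kernel's wording for a PTI-enabled kernel compiled without a retpoline-capable gcc; set VULN_DIR to the real sysfs path to check a live system.

```shell
#!/bin/sh
# Added example (not from the thread). Reads the per-vulnerability status
# files that 4.14.x/4.15 kernels expose under
# /sys/devices/system/cpu/vulnerabilities and classifies them.

# Classify one status string as printed by the kernel.
# Prints: not_affected, mitigated, partial, vulnerable or unknown.
classify_status() {
    case "$1" in
        "Not affected")          echo not_affected ;;
        Mitigation:*)            echo mitigated ;;
        # "Minimal ... ASM retpoline": CONFIG_RETPOLINE=y but the compiler
        # could not protect C code, so the kernel still reports Vulnerable.
        "Vulnerable: Minimal"*)  echo partial ;;
        Vulnerable*)             echo vulnerable ;;
        *)                       echo unknown ;;
    esac
}

# Print "name class (raw status)" for every file in a vulnerabilities dir.
report_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s %s (%s)\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
}

# Return 0 only when both meltdown (PTI) and spectre_v2 (retpoline/IBRS)
# report a full mitigation.
both_mitigated() {
    [ "$(classify_status "$(cat "$1/meltdown")")" = mitigated ] &&
    [ "$(classify_status "$(cat "$1/spectre_v2")")" = mitigated ]
}

# Constructed sample: PTI on, but the kernel was built by a gcc without
# retpoline support, so only the asm retpolines are present (assumed strings).
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Default to the sample so the script runs offline; override on a live box:
#   VULN_DIR=/sys/devices/system/cpu/vulnerabilities sh check_mitigations.sh
VULN_DIR=${VULN_DIR:-$(make_sample_dir)}
report_dir "$VULN_DIR"
if both_mitigated "$VULN_DIR"; then
    echo "meltdown and spectre_v2 fully mitigated"
else
    echo "NOT fully mitigated: check PTI (kpti) and the gcc used for CONFIG_RETPOLINE"
fi
```

The "partial" class is the case the thread is about: the kernel config says retpoline, but without a new enough gcc the C code is still unprotected and the kernel keeps reporting the CPU as vulnerable.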
Sylvain Robitaille
2018-02-06 15:29:54 UTC
Post by Jerry Peters
No, kpti mitigates Meltdown, Spectre has to do with branch
prediction/mis-prediction as an information leak.
Hrmmm ... true ...
Post by Jerry Peters
The kernel fixes for Spectre only fix asm code, the latest gcc
includes some features that allow the kernel to fix c code also.
Thanks for that. I'll keep an eye on it ...
--
----------------------------------------------------------------------
Sylvain Robitaille ***@encs.concordia.ca

Systems analyst / AITS Concordia University
Faculty of Engineering and Computer Science Montreal, Quebec, Canada
----------------------------------------------------------------------
Eef Hartman
2018-02-08 09:42:53 UTC
Post by Eef Hartman
New developments: Pat (in slackware current) already upgraded to
kernel 4.14.17 today, so that's THREE kernel updates in less than
three weeks.
And now on kernel.org there's a 4.14.18 update (and a 4.15.2 one)
_with_ newer firmware (firmware-20180201_2aa2ac2), so anyone trying to
keep up-to-date is working against a swiftly moving target.

BTW: Pat did update the 4.4 kernel and the gcc suite for Slackware
14.2, there we're now at 4.4.115, with full RETPOLINE options.
Eef Hartman
2018-02-09 09:36:27 UTC
Post by Eef Hartman
And now on kernel.org there's a 4.14.18 update (and a 4.15.2 one)
Now also 4.14.18 in slackware-current, so in just a month (since Jan 9)
-current went from 4.14.12 to .18 (and 4.14.11 was less than a week
earlier). So that's 8 kernel upgrades already this year!

Ars Ivci
2018-01-24 12:32:34 UTC
On Sat, 13 Jan 2018 07:49:50 -0600
Post by Rinaldi J. Montessi
Recently downloaded the Slackbuilds tools for building and installing
the latest Intel microcode update (January 2018). iucode_tool and
intel-microcode.
Question is, should I go ahead and install this update or wait for
the package to be provided in an official update? Or none of the
above? Not sure of the risks involved in fiddling with microcode.
Rinaldi
This seems like an exhaustive list:
https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/6/

As far as I can see through the dust and smoke, you should upgrade asap
anything running in the cloud. For PCs and such, I'd wait as the whole
patch and re-patch thing looks more like a trial and error process.

peace,
--
Ars Ivci
root
2018-01-24 13:00:33 UTC
Post by Ars Ivci
https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/6/
My cpu is a Skylake i7-6700K which is not on the above list,
but there are other Skylake i7-67xxYY processors. Just how
specific is the problem?
Eef Hartman
2018-01-24 13:14:16 UTC
Post by root
My cpu is a Skylake i7-6700K which is not on the above list,
but there are other Skylake i7-67xxYY processors. Just how
specific is the problem?
In a blog post, Intel VP Navin Shenoy said firmware-updated PCs
with Ivy Bridge, Sandy Bridge, Skylake, and even Intel's most
recent Kaby Lake processors are all affected.
The patches can also impact performance, with Intel saying that data
center tests simulating a stock exchange interaction and online
transaction showed a 4 percent slowdown. Other testing of various
server workloads showed a slowdown of as much as 25 percent.
(this will be much less on desktops, they normally don't run that
heavy a load).

So it might be wise when your machine is heavily firewalled NOT to
install the firmware updates yet.
Of course that will leave you open to attacks, but for almost all of
those attacks they DO need access to your machine first (through
JavaScript or remote access - like a local web server).
But
Post by root
The Meltdown and Spectre security flaws affect nearly every
computing device made in the past two decades.
So when your machine is from THIS century (and a Skylake processor
most certainly is) it IS vulnerable to these attacks.
Ars Ivci
2018-01-24 13:16:27 UTC
On Wed, 24 Jan 2018 13:00:33 +0000 (UTC)
Post by root
Post by Ars Ivci
https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/6/
My cpu is a Skylake i7-6700K which is not on the above list,
but there are other Skylake i7-67xxYY processors. Just how
specific is the problem?
The list is for CPUs that are affected by all variants of the bug(s), I
believe. Intel released some benchmark tests for i7-6700k (last column):
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Blog-Benchmark-Table.pdf

Apparently 6700k is affected but how and to what extent I do not know.
This whole thing is like voodoo to me.

peace,
--
Ars Ivci
root
2018-01-24 15:47:14 UTC
Post by root
Post by Ars Ivci
https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/6/
My cpu is a Skylake i7-6700K which is not on the above list,
but there are other Skylake i7-67xxYY processors. Just how
specific is the problem?
I found the 6700K on a different list:
https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/5/
noel
2018-01-25 22:51:05 UTC
Post by Ars Ivci
As far as I can see through the dust and smoke, you should upgrade asap
anything running in the cloud. For PCs and such, I'd wait as the whole
patch and re-patch thing looks more like a trial and error process.
peace,
RedHat has pulled the kernel microcode changes and reverted the patches
they issued last weekend, the patches are bricking more systems than
protecting..

Though technically they are doing their job, hard to fuck over a machine
which won't boot up :)
John McCue
2018-01-26 01:01:45 UTC
<snip>
Post by noel
RedHat has pulled the kernel microcode changes and reverted the patches
they issued last weekend, the patches are bricking more systems than
protecting..
Though technically they are doing their job, hard to fuck over a machine
which won't boot up :)
Is the microcode really bricking the machine ?
Interesting, I only heard the microcode was
causing reboots or hangs. The machine could
then be powered back on.

John
Chris Vine
2018-01-27 01:30:35 UTC
On Fri, 26 Jan 2018 01:01:45 -0000 (UTC)
Post by John McCue
<snip>
Post by noel
RedHat has pulled the kernel microcode changes and reverted the
patches they issued last weekend, the patches are bricking more
systems than protecting..
Though technically they are doing their job, hard to fuck over a
machine which won't boot up :)
Is the microcode really bricking the machine ?
Interesting, I only heard the microcode was
causing reboots or hangs. The machine could
then be powered back on.
No it doesn't brick the machine. The microcode updates via the linux
kernel are transitory and need to be applied on each boot.
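Two points in this thread call for the same check: Eef's "it depends on the exact model of CPU" and Chris's note that a kernel-loaded microcode update is transitory, so what is loaded right now has to be re-verified after every reboot. The script below is an added example, not code from the thread, iucode_tool or Slackware. It reads the cpu family, model, stepping and microcode fields from /proc/cpuinfo-format text, encodes them as the CPUID signature that Intel's microcode release notes list parts by (e.g. 506E3 for a Skylake i7-6700K), and checks the loaded revision against a wanted one. The two-CPU sample it builds is constructed, and the 0xba revision in it is a placeholder, not a statement about any real release; set CPUINFO=/proc/cpuinfo to inspect a live system.

```shell
#!/bin/sh
# Added example (not from the thread). Derive the CPUID signature and the
# currently loaded microcode revision from /proc/cpuinfo-style text.

# cpuinfo_field FILE FIELD : print the first value of FIELD ("cpu family", ...)
cpuinfo_field() {
    sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# cpuid_signature FAMILY MODEL STEPPING : encode as CPUID(1).EAX, e.g. 0x000506e3.
# Layout: stepping[3:0] model[7:4] family[11:8] ext_model[19:16] ext_family[27:20];
# /proc/cpuinfo already shows the combined (display) family and model.
cpuid_signature() {
    fam=$1 mod=$2 step=$3
    if [ "$fam" -ge 15 ]; then
        ext_fam=$((fam - 15)); fam_field=15
    else
        ext_fam=0; fam_field=$fam
    fi
    ext_mod=$((mod >> 4)); mod_field=$((mod & 15))
    printf '0x%08x\n' \
        $(( (ext_fam << 20) | (ext_mod << 16) | (fam_field << 8) | (mod_field << 4) | step ))
}

# microcode_report FILE : print "<signature> <loaded revision>".
microcode_report() {
    f=$1
    sig=$(cpuid_signature "$(cpuinfo_field "$f" 'cpu family')" \
                          "$(cpuinfo_field "$f" model)" \
                          "$(cpuinfo_field "$f" stepping)")
    printf '%s %s\n' "$sig" "$(cpuinfo_field "$f" microcode)"
}

# microcode_at_least FILE WANT : exit 0 if every CPU reports one and the same
# revision and it is >= WANT (hex, as listed in a release note), else 1.
# A mix of revisions means the update reached only some cores.
microcode_at_least() {
    f=$1 want=$2
    revs=$(sed -n 's/^microcode[[:space:]]*:[[:space:]]*//p' "$f" | sort -u)
    n=$(printf '%s\n' "$revs" | wc -l)
    [ $((n)) -eq 1 ] || return 1
    [ $((revs)) -ge $((want)) ]
}

# Constructed sample: two logical CPUs of an i7-6700K (family 6, model 94,
# stepping 3); the 0xba revision is a placeholder value.
make_sample_cpuinfo() {
    f=$(mktemp)
    for cpu in 0 1; do
        printf 'processor\t: %s\nvendor_id\t: GenuineIntel\ncpu family\t: 6\nmodel\t\t: 94\nmodel name\t: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz\nstepping\t: 3\nmicrocode\t: 0xba\n\n' "$cpu"
    done > "$f"
    echo "$f"
}

# Default to the sample so this runs offline; on a live system:
#   CPUINFO=/proc/cpuinfo WANT_REV=0x<revision from the release note> sh ucode_check.sh
CPUINFO=${CPUINFO:-$(make_sample_cpuinfo)}
WANT_REV=${WANT_REV:-0xba}
echo "signature and loaded microcode: $(microcode_report "$CPUINFO")"
if microcode_at_least "$CPUINFO" "$WANT_REV"; then
    echo "loaded revision is at least $WANT_REV on all CPUs"
else
    echo "revision below $WANT_REV or inconsistent across CPUs: re-check after every boot"
fi
```

Run it once before and once after installing the intel-microcode package and rebooting: the signature tells you which entry in the release notes applies to your exact part, and a revision that goes back down after a reboot means the early-load initrd was not picked up.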
Jerry Peters
2018-01-27 21:18:20 UTC
Post by noel
Post by Ars Ivci
As far as I can see through the dust and smoke, you should upgrade asap
anything running in the cloud. For PCs and such, I'd wait as the whole
patch and re-patch thing looks more like a trial and error process.
peace,
RedHat has pulled the kernel microcode changes and reverted the patches
they issued last weekend, the patches are bricking more systems than
protecting..
Though technically they are doing their job, hard to fuck over a machine
which won't boot up :)
I was just at the Intel ucode site -- they've pulled the 2018 release,
latest is IIRC 2017-11.

The 2018 ucode adds some new instructions for managing the branch
prediction cache but due to the fact that Intel keeps finding more
ucode problems, the latest kernel patches won't use the new
instructions. So if using the new instructions causes the problems
then they shouldn't be a problem.
noel
2018-01-29 00:13:01 UTC
Post by Jerry Peters
Post by noel
Post by Ars Ivci
As far as I can see through the dust and smoke, you should upgrade
asap anything running in the cloud. For PCs and such, I'd wait as the
whole patch and re-patch thing looks more like a trial and error
process.
peace,
RedHat has pulled the kernel microcode changes and reverted the patches
they issued last weekend, the patches are bricking more systems than
protecting..
Though technically they are doing their job, hard to fuck over a
machine which won't boot up :)
I was just at the Intel ucode site -- they've pulled the 2018 release,
latest is IIRC 2017-11.
The 2018 ucode adds some new instructions for managing the branch
prediction cache but due to the fact that Intel keeps finding more ucode
problems, the latest kernel patches won't use the new instructions. So
if using the new instructions causes the problems then they shouldn't be
a problem.
Spectre Variant 2 patch is the problem, RH, Dell, HP, and as of the
weekend Microsoft
(https://www.bleepingcomputer.com/news/microsoft/microsoft-issues-windows-out-of-band-update-that-disables-spectre-mitigations/)
have reverted