| Summary: | dracut always disable early microcode on kernels 6.6+ | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, fri, ghibomgx, mageia, marja11, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.qubes-os.org/news/2023/12/15/qsb-098/ https://github.com/dracutdevs/dracut/commit/6c80408c8644a0add1907b0593eb83f90d6247b1 | ||
| Whiteboard: | MGA9-64-OK MGA9-32-OK | ||
| Source RPM: | dracut-057-4.mga9.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 32786, 32792 | ||
|
Description
Nicolas Salguero
2024-01-30 14:46:15 CET
Nicolas Salguero
2024-01-30 14:46:56 CET
Whiteboard:
(none) =>
MGA9TOO
Suggested advisory:
========================

The updated package fixes enabling early microcode on kernels 6.6+.

References:
https://www.qubes-os.org/news/2023/12/15/qsb-098/
https://github.com/dracutdevs/dracut/commit/6c80408c8644a0add1907b0593eb83f90d6247b1
========================

Updated package in core/updates_testing:
========================
dracut-057-4.1.mga9

from SRPM:
dracut-057-4.1.mga9.src.rpm
Assignee:
bugsquad =>
qa-bugs
Apparently on update the microcode package is installed "before" the newer dracut, so the error message is hit. I think we should add a "Requires: dracut >= 057-4.1" to the SPEC file, so that newer dracut is installed before microcode.
CC:
(none) =>
ghibomgx
Nicolas Salguero
2024-01-30 18:35:29 CET
Depends on:
32786 =>
(none)
Marja Van Waes
2024-01-30 20:32:45 CET
Blocks:
(none) =>
32792
BTW, as further info for improvement, it seems we're not including the latest AMD microcode. The command "cat /proc/cpuinfo | grep -m1 microcode" shows we are using version 0xa50000d, while the latest version available (at least for some fam19h) seems to be 0xa50000f. There is a thread here, https://lkml.org/lkml/2023/2/28/791, which might be useful, that states that the latest AMD microcode is available at: https://github.com/platomav/CPUMicrocodes
Marja Van Waes
2024-01-30 21:34:40 CET
URL:
(none) =>
https://www.qubes-os.org/news/2023/12/15/qsb-098/ https://github.com/dracutdevs/dracut/commit/6c80408c8644a0add1907b0593eb83f90d6247b1
Marja Van Waes
2024-01-30 21:49:34 CET
Keywords:
(none) =>
advisory
PC LX
2024-01-30 23:40:31 CET
CC:
(none) =>
mageia
(In reply to Giuseppe Ghibò from comment #2)
> Apparently on update the microcode package is installed "before" the newer
> dracut, so the error message is hit. I think we should add a "Requires:
> dracut >= 057-4.1" to the SPEC file, so that newer dracut is installed
> before microcode.

I think that requirement should be in the SPEC files of the packages kernel and kernel-linus, updating the current requirement which is "dracut >= 046-2", because, even with the previous version of the package microcode, the early microcode does not work with kernels 6.6+.

MGA9-64 Plasma, i5-7500, Quadro K620 graphics (using nvidia-current), kernel-desktop 6.6.14-1 currently installed.

The first reference in comment 1 only mentions AMD systems in its list of affected systems. However, checking the journal on this system before the update indicates it is also affected. It was listed as vulnerable, with no microcode loaded.

I updated dracut with qarepo and rebooted, but that is not enough to correct the problem on its own - dracut must be run. But, after updating the microcode from bug 32528, I get this in the journal:

# journalctl -b | grep microcode
Feb 02 12:36:31 localhost kernel: microcode: updated early: 0x84 -> 0xf4, date = 2023-02-23
Feb 02 12:36:31 localhost kernel: microcode: Microcode Update Driver: v2.2.

So it works. Giving this an OK, and validating.
CC:
(none) =>
andrewsfarm, sysadmin-bugs
Tested in real hardware mageia 9 i586

Update to this first and then update to testing microcode

journalctl -xb | grep microcode
feb 02 13:39:04 cefiro kernel: microcode: updated early: 0xa3 -> 0xa4, date = 2010-10-02
feb 02 13:39:04 cefiro kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
feb 02 13:39:04 cefiro kernel: microcode: Microcode Update Driver: v2.2.
Whiteboard:
MGA9-64-OK =>
MGA9-64-OK MGA9-32-OK
Dell Precision M6300: new dracut and microcode OK
(No adverse effect but I think this CPU is too old for microcode)
$ journalctl -xb | grep microcode
jan 30 13:57:11 M6300.tribun kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
jan 30 13:57:11 M6300.tribun kernel: microcode: Microcode Update Driver: v2.2.
$ inxi -C
CPU:
Info: dual core model: Intel Core2 Duo T7500 bits: 64 type: MCP cache:
L2: 4 MiB
Speed (MHz): avg: 999 min/max: 800/2201 cores: 1: 798 2: 1200
Asus Aspire 7: new dracut and microcode OK
$ journalctl -xb | grep microcode
feb 02 18:45:00 aspire7-kajsa kernel: microcode: updated early: 0x5e -> 0xf4, date = 2023-02-23
feb 02 18:45:00 aspire7-kajsa kernel: microcode: Microcode Update Driver: v2.2.
$ inxi -C
CPU:
Info: quad core model: Intel Core i5-7300HQ bits: 64 type: MCP cache:
L2: 1024 KiB
Speed (MHz): avg: 800 min/max: 800/3500 cores: 1: 800 2: 800 3: 800 4: 800
$ uname -a
Linux aspire7-kajsa 6.6.14-desktop-2.mga9 #1 SMP PREEMPT_DYNAMIC Tue Jan 30 15:48:16 UTC 2024 x86_64 GNU/Linux
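
The journal checks the testers run in this thread can be scripted. The following is an added example, not part of the bug report or of dracut: a POSIX shell function (the name `microcode_status` and its status labels are assumptions) that classifies kernel log lines, including the case from the i586 report where an early update is applied but the kernel still reports a mitigation as having no microcode. The sample inputs are the journal lines quoted in the reports in this thread.

```sh
#!/bin/sh
# Added example: classify kernel microcode messages from one boot.
# microcode_status and its output labels are hypothetical names.
# Reads log lines on stdin and prints one status line.
microcode_status() {
    awk '
        # e.g. "microcode: updated early: 0x84 -> 0xf4, date = 2023-02-23"
        /microcode: updated early: / {
            rest = $0
            sub(/.*updated early: /, "", rest)
            split(rest, f, "[ ,]+")   # old, "->", new, "date", "=", YYYY-MM-DD
            old_rev = f[1]; new_rev = f[3]; rev_date = f[6]
            early = 1
        }
        # e.g. "MDS: Vulnerable: Clear CPU buffers attempted, no microcode"
        /Vulnerable.*no microcode/ { missing = 1 }
        END {
            if (early) {
                label = missing ? "early-update-mitigation-missing" : "early-update"
                print label, old_rev, new_rev, rev_date
            } else {
                print (missing ? "no-early-update-mitigation-missing" : "no-early-update")
            }
        }
    '
}

# Sample inputs: journal lines quoted in the reports in this thread.
sample_x86_64() { cat <<'EOF'
Feb 02 12:36:31 localhost kernel: microcode: updated early: 0x84 -> 0xf4, date = 2023-02-23
Feb 02 12:36:31 localhost kernel: microcode: Microcode Update Driver: v2.2.
EOF
}
sample_i586() { cat <<'EOF'
feb 02 13:39:04 cefiro kernel: microcode: updated early: 0xa3 -> 0xa4, date = 2010-10-02
feb 02 13:39:04 cefiro kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
feb 02 13:39:04 cefiro kernel: microcode: Microcode Update Driver: v2.2.
EOF
}
sample_core2() { cat <<'EOF'
jan 30 13:57:11 M6300.tribun kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
jan 30 13:57:11 M6300.tribun kernel: microcode: Microcode Update Driver: v2.2.
EOF
}

for s in sample_x86_64 sample_i586 sample_core2; do
    printf '%s: %s\n' "$s" "$("$s" | microcode_status)"
done
```

On a live system, feed it the current boot's kernel messages with `journalctl -k -b | microcode_status`. A `no-early-update` result only means that no early update was logged for that boot.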
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0025.html
Status:
ASSIGNED =>
RESOLVED |