Mga5 32

(multi-test; microcode, kernel & broadcom wifi)

# urpmi kernel-desktop-4.4.110-1.mga5 kernel-desktop-devel-4.4.110-1.mga5 kernel-desktop-latest kernel-desktop-devel-latest kernel-userspace-headers microcode

installing 

kernel-desktop-latest-4.4.110-1.mga5.i586.rpm 
kernel-userspace-headers-4.4.110-1.mga5.i586.rpm 
kernel-desktop-devel-4.4.110-1.mga5-1-1.mga5.i586.rpm 
microcode-0.20171215-1.mga5.nonfree.noarch.rpm 
kernel-desktop-devel-latest-4.4.110-1.mga5.i586.rpm 
kernel-desktop-4.4.110-1.mga5-1-1.mga5.i586.rpm from /var/cache/urpmi/rpms

Preparing...

      1/6: microcode             
      2/6: kernel-userspace-headers
      3/6: kernel-desktop-4.4.110-1.mga5
      4/6: kernel-desktop-devel-4.4.110-1.mga5
      5/6: kernel-desktop-devel-latest
      6/6: kernel-desktop-latest 
      1/4: removing kernel-desktop-devel-latest-4.4.105-1.mga5.i586
      2/4: removing microcode-0.20170707-1.mga5.nonfree.noarch
      3/4: removing kernel-userspace-headers-4.4.105-1.mga5.i586
      4/4: removing kernel-desktop-latest-4.4.105-1.mga5.i586
                                 

broadcom-wl (6.30.223.271-5.mga5.nonfree): Installing module.
...................
...........
Cannot find a boot loader installed. Only taking care of initrd
Creating: target|kernel|dracut args|basicmodules 
You should restart your computer for kernel-desktop-4.4.110-1.mga5

reboot to working desktop. wifi working -ok

Whiteboard: MGA5TOO => MGA5TOO|| Mga5-32-ok|
CC: (none) => westel

Mga5-x86_64 (Celeron M 530)

(multi-test; microcode, kernel, broadcom-wl)

 
# urpmi microcode kernel-desktop-latest kernel-desktop-devel-latest kernel-userspace-headers 

To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing (distrib5)")
  kernel-desktop-4.4.110-1.mga5  1            1.mga5        x86_64  
  kernel-desktop-devel-4.4.110-> 1            1.mga5        x86_64  
  kernel-desktop-devel-latest    4.4.110      1.mga5        x86_64  
  kernel-desktop-latest          4.4.110      1.mga5        x86_64  
  kernel-userspace-headers       4.4.110      1.mga5        x86_64  
(medium "Nonfree Updates Testing (distrib15)")
  microcode                      0.20171215   1.mga5.nonfr> noarch  
88MB of additional disk space will be used.
59MB of packages will be retrieved.
Proceed with the installation of the 6 packages? (Y/n) y

installing kernel-desktop-4.4.110-1.mga5-1-1.mga5.x86_64.rpm kernel-desktop-devel-latest-4.4.110-1.mga5.x86_64.rpm kernel-desktop-devel-4.4.110-1.mga5-1-1.mga5.x86_64.rpm microcode-0.20171215-1.mga5.nonfree.noarch.rpm kernel-desktop-latest-4.4.110-1.mga5.x86_64.rpm kernel-userspace-headers-4.4.110-1.mga5.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...  

1/6: kernel-desktop-devel-4.4.110-1.mga5
      2/6: kernel-desktop-4.4.110-1.mga5
      3/6: kernel-desktop-latest
      4/6: kernel-desktop-devel-latest
      5/6: kernel-userspace-headers
      6/6: microcode   
      1/4: removing kernel-userspace-headers-4.4.105-1.mga5.x86_64 
      2/4: removing kernel-desktop-latest-4.4.105-1.mga5.x86_64
      3/4: removing microcode-0.20170707-1.mga5.nonfree.noarch
      4/4: removing kernel-desktop-devel-latest-4.4.105-1.mga5.x86_64
      
broadcom-wl (6.30.223.271-5.mga5.nonfree): Installing module.
......................
..........
Cannot find a boot loader installed. Only taking care of initrd
Creating: target|kernel|dracut args|basicmodules 
You should restart your computer for kernel-desktop-4.4.110-1.mga5

reboot to working desktop and wifi -ok

Whiteboard: MGA5TOO|| Mga5-32-ok| => MGA5TOO|| Mga5-32-ok, Mga5-64-ok

Mga5_64 on old intel machine (ThinkPad SL510)

[root@Mga5_64bit marja]# rpm -qa --last | grep microcode
microcode-0.20171215-1.mga5.nonfree.noarch    Sun 07 Jan 2018 06:23:50 CET
microcode_ctl-2.1-4.mga5.x86_64               Mon 27 Jul 2015 14:22:43 CEST
[root@Mga5_64bit marja]#

[root@Mga5_64bit marja]# journalctl -b | grep microcode
Jan 07 08:06:18 Mga5_64bit kernel: microcode: CPU0 microcode updated early to revision 0xa0b, date = 2010-09-28
Jan 07 08:06:18 Mga5_64bit kernel: microcode: CPU1 microcode updated early to revision 0xa0b, date = 2010-09-28
Jan 07 08:06:18 Mga5_64bit kernel: microcode: CPU0 sig=0x1067a, pf=0x80, revision=0xa0b
Jan 07 08:06:18 Mga5_64bit kernel: microcode: CPU1 sig=0x1067a, pf=0x80, revision=0xa0b
Jan 07 08:06:18 Mga5_64bit kernel: microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
[root@Mga5_64bit marja]# 

@ Thomas

The description of microcode says:

> The microcode update is volatile and needs to be uploaded on each system
> boot. I.e. it doesn't reflash your cpu permanently.
> Reboot and it reverts back to the old microcode.

I can't tell from the journal lines that new microcode was indeed uploaded during boot. The revision date looks rather old!!

CC: (none) => marja11, tmb

On mga5-64

$ uname -r
4.4.105-desktop-1.mga5

$ grep name /proc/cpuinfo | sort -u
model name      : Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz

Before updating:

$ grep 'microcode' /proc/cpuinfo
microcode       : 0xba

$ dmesg | grep microcode
[    0.000000] microcode: CPU0 microcode updated early to revision 0xba, date = 2017-04-09

Package installed cleanly:

- microcode-0.20171215-1.mga5.nonfree.noarch

as root, executed dracut -f and rebooted:

$ grep 'microcode' /proc/cpuinfo
microcode       : 0xba

$ dmesg | grep microcode
[    0.000000] microcode: CPU0 microcode updated early to revision 0xba, date = 2017-04-09

Which seem to be identical to the results before updating. 
Is there some way to confirm that the new microcode is being used?

CC: (none) => jim

(In reply to Marja van Waes from comment #3)


> [root@Mga5_64bit marja]# journalctl -b | grep microcode
> Jan 07 08:06:18 Mga5_64bit kernel: microcode: CPU0 microcode updated early


> @ Thomas
> 
> The description of microcode says:
> 
> > The microcode update is volatile and needs to be uploaded on each system
> > boot. I.e. it doesn't reflash your cpu permanently.
> > Reboot and it reverts back to the old microcode.
> 
> I can't tell from the journal lines that new microcode was indeed uploaded
> during boot. The revision date looks rather old!!

It updated to what was available, hence the "microcode updated early"

I dont know for wich ones Intel intend to release updated firmware for..

hence the "There might be need for a update for additional fixes.." in initial comment

(In reply to Thomas Backlund from comment #5)
> (In reply to Marja van Waes from comment #3)
> 
> 
> It updated to what was available, hence the "microcode updated early"
> 
> I dont know for wich ones Intel intend to release updated firmware for..
> 

Then the result that I reported in comment#4 means simply that there was no new microcode for my CPU confirming that this update is OK for mga5-64

Yeah, we are still waiting for confirmation / official release from Intel about this..

And I see SuSe has an firmware update for Zen platform citing CVE-2017-5715, even if AMD says not vulnerable... so this forced early release before the embargo date on Jan 8th has messed all up...

I hope we get clarification/updates soon-ish

Intel lists:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

    Intel® Core™ i3 processor (45nm and 32nm)
    Intel® Core™ i5 processor (45nm and 32nm)
    Intel® Core™ i7 processor (45nm and 32nm)
    Intel® Core™ M processor family (45nm and 32nm)
    2nd generation Intel® Core™ processors
    3rd generation Intel® Core™ processors
    4th generation Intel® Core™ processors
    5th generation Intel® Core™ processors
    6th generation Intel® Core™ processors
    7th generation Intel® Core™ processors
    8th generation Intel® Core™ processors
    Intel® Core™ X-series Processor Family for Intel® X99 platforms
    Intel® Core™ X-series Processor Family for Intel® X299 platforms
    Intel® Xeon® processor 3400 series
    Intel® Xeon® processor 3600 series
    Intel® Xeon® processor 5500 series
    Intel® Xeon® processor 5600 series
    Intel® Xeon® processor 6500 series
    Intel® Xeon® processor 7500 series
    Intel® Xeon® Processor E3 Family
    Intel® Xeon® Processor E3 v2 Family
    Intel® Xeon® Processor E3 v3 Family
    Intel® Xeon® Processor E3 v4 Family
    Intel® Xeon® Processor E3 v5 Family
    Intel® Xeon® Processor E3 v6 Family
    Intel® Xeon® Processor E5 Family
    Intel® Xeon® Processor E5 v2 Family
    Intel® Xeon® Processor E5 v3 Family
    Intel® Xeon® Processor E5 v4 Family
    Intel® Xeon® Processor E7 Family
    Intel® Xeon® Processor E7 v2 Family
    Intel® Xeon® Processor E7 v3 Family
    Intel® Xeon® Processor E7 v4 Family
    Intel® Xeon® Processor Scalable Family
    Intel® Xeon Phi™ Processor 3200, 5200, 7200 Series
    Intel® Atom™ Processor C Series
    Intel® Atom™ Processor E Series
    Intel® Atom™ Processor A Series
    Intel® Atom™ Processor x3 Series
    Intel® Atom™ Processor Z Series
    Intel® Celeron® Processor J Series
    Intel® Celeron® Processor N Series
    Intel® Pentium® Processor J Series
    Intel® Pentium® Processor N Series

So unless They revise that list, the older Intel are either not vulnerable, or Intel will ignore them...
Come to think of it... I dont remember what/if older systems even support runtime microcode updating

(In reply to Thomas Backlund from comment #7)
> Yeah, we are still waiting for confirmation / official release from Intel
> about this..
> 
> And I see SuSe has an firmware update for Zen platform citing CVE-2017-5715,
> even if AMD says not vulnerable... so this forced early release before the
> embargo date on Jan 8th has messed all up...
> 


Ah, 5715 is according to amd:
Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.

but they still released updated firmware anyway, so new microcode package will be needed to update this.. I have alredy tested/confirmed it loads on Ryzen and ThreadRipper without issues so far...

Intel Reference:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

Amd reference:
http://www.amd.com/en/corporate/speculative-execution

Google project Zero:
https://googleprojectzero.blogspot.fi/2018/01/reading-privileged-memory-with-side.html

Red Hat released an updated dracut for RHEL7 that looked like it was intended to make sure that the microcode was loaded at the right stage of the boot process.  Do we need to do anything like that?

We already do early firmware loading, but I see they added a fix for fam22, but not fam23 that is Zen...

Will look on it and test here... 

thanks for pointing it out

Do we have to update the kernel-firmware package too?  RedHat update a linux-firmware package (I'm not sure if that's the same thing).

microcode_ctl:
https://access.redhat.com/errata/RHSA-2018:0012

dracut:
https://access.redhat.com/errata/RHBA-2018:0042

linux-firmware:
https://access.redhat.com/errata/RHSA-2018:0014

(In reply to David Walser from comment #14)
> Do we have to update the kernel-firmware package too?  RedHat update a
> linux-firmware package (I'm not sure if that's the same thing).
> 
> microcode_ctl:
> https://access.redhat.com/errata/RHSA-2018:0012
> 
> dracut:
> https://access.redhat.com/errata/RHBA-2018:0042
> 
> linux-firmware:
> https://access.redhat.com/errata/RHSA-2018:0014

Nope, they just have a split packaging...

inntel cpu microcode in microcode_ctl, and cpu microcode in linux-firmware

Don't forget to add dracut-038-21.2.mga5 to the advisory.

Speaking of dracut advisories, here's Fedora's:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GAKRHN53H5G3JOY7AVSBTQIHZFWJW53O/

the kernels will enforce the new dracut, so I'll add it there

According to this:
https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/

Intel is only focusing on firmwares for cpus released in the last five years ...

so there will probably be more microcode updates later on...

But testing M5/64 anyway: microcode-0.20171215-2.mga5.nonfree

System: real EFI box with AMD processor, AMD/ATI/Radeon graphics.
I have been running with this update a few days, no perceivable problmes. As it stands, it is OK for me.

Yeah, when the kernels are ok, wee will push whatever microcode we have so far...

Fixing fallouts of this will take months/years depending on what is found...

For what it is worth the microcode has been installed on several partitions here spread over four machines and the two releases, mga5 and mga6.  No obvious problems in the last two days.

CC: (none) => tarazed25

So Intel finally released their first official microcode batch:

-- Updated platform --
IVT C0          (06-3e-04:ed) 428->42a
SKL-U/Y D0      (06-4e-03:c0) ba->c2
BDW-U/Y E/F     (06-3d-04:c0) 25->28
HSW-ULT Cx/Dx   (06-45-01:72) 20->21
Crystalwell Cx  (06-46-01:32) 17->18
BDW-H E/G       (06-47-01:22) 17->1b
HSX-EX E0       (06-3f-04:80) 0f->10
SKL-H/S R0      (06-5e-03:36) ba->c2
HSW Cx/Dx       (06-3c-03:32) 22->23
HSX C0          (06-3f-02:6f) 3a->3b
BDX-DE V0/V1    (06-56-02:10) 0f->14
BDX-DE V2       (06-56-03:10) 700000d->7000011
KBL-U/Y H0      (06-8e-09:c0) 62->80
KBL Y0 / CFL D0 (06-8e-0a:c0) 70->80
KBL-H/S B0      (06-9e-09:2a) 5e->80

-- New Platforms --
CFL U0 (06-9e-0a:22) 80
CFL B0 (06-9e-0b:2) 80
SKX H0 (06-55-04:b7) 200003c
GLK B0 (06-7a-01:1) 22
APL Bx (06-5c-09:3) 2c

So that is: Haswell, Broadwell, Skylake, KabyLake, Coffee Lake, Gemini Lake, Apollo Lake, Crystal Well and IVT ...

The older ones will have to wait longer..


and the new (s)rpm are now:

microcode-0.20180108-1.mga5/6.nonfree

Whiteboard: MGA5TOO|| Mga5-32-ok, Mga5-64-ok => MGA5TOO

works on Intel i7-7500U, Amd Ryzen and ThreadRipper

System:    Host: markab Kernel: 4.14.10-tmb-desktop-1.mga6 x86_64
CPU:       Quad core Intel Core i7-5700HQ (-HT-MCP-)

Everything working normally after update and reboot.

$ rpm -qa | grep microcode
microcode_ctl-2.1-7.mga6
microcode-0.20180108-1.mga6.nonfree
$ su
# journalctl -b | grep microcode
Jan 10 18:57:40 markab kernel: microcode: microcode updated early to revision 0x17, date = 2017-01-27
Jan 10 18:57:40 markab kernel: microcode: sig=0x40671, pf=0x20, revision=0x17
Jan 10 18:57:40 markab kernel: microcode: Microcode Update Driver: v2.2.

Thanks Marja.

Not sure what to make of that - guess it has not "taken".
Shall try the kernel update next and check again.

Intel Core i7-5700HQ

After the update to kernel-desktop-4.14.13

$ grep microcode /proc/cpuinfo | uniq
microcode	: 0x1b
# journalctl -b | grep microcode
Jan 10 23:20:44 markab kernel: microcode: microcode updated early to revision 0x1b, date = 2017-11-17
Jan 10 23:20:44 markab kernel: microcode: sig=0x40671, pf=0x20, revision=0x1b
Jan 10 23:20:44 markab kernel: microcode: Microcode Update Driver: v2.2.

on mga5-64

$ grep name /proc/cpuinfo | sort -u
model name      : Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz

Before updating:
$ dmesg | grep microcode
[    0.000000] microcode: CPU0 microcode updated early to revision 0xba, date = 2017-04-09
...
[    0.488953] microcode: CPU0 sig=0x506e3, pf=0x2, revision=0xba
...
[    0.489378] microcode: Microcode Update Driver: v2.01 

package installed:
- microcode-0.20180108-1.mga5.nonfree.noarch

after updating kernel etc:

$ dmesg | grep microcode
[    0.000000] microcode: CPU0 microcode updated early to revision 0xc2, date = 2017-11-16
...
[    0.490640] microcode: CPU0 sig=0x506e3, pf=0x2, revision=0xc2
...
[    0.491113] microcode: Microcode Update Driver: v2.01 

looks OK for mga5-64

Installed and tested with issues.

After one day of normal usage, no regressions were noticed.

The CPU on this system seems to be using an older microcode version, dated 2010-09-28.

$ cat /proc/cpuinfo  | egrep 'name|microcode' | sort -u
microcode       : 0xa0b
model name      : Intel(R) Core(TM)2 Quad CPU    Q9400  @ 2.66GHz
$ uname -a
Linux marte 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ journalctl -b | grep -io microcode.*
microcode: microcode updated early to revision 0xa0b, date = 2010-09-28
microcode: sig=0x1067a, pf=0x10, revision=0xa0b
microcode: Microcode Update Driver: v2.2.

CC: (none) => mageia

MGA5-32 on Dell Latitude D600 Xfce
microcode_ctl was already installed by kernel test, added microcode-0.20180108-1 and did then a cold reboot.
No problems seen.

CC: (none) => herman.viaene

(In reply to PC LX from comment #27)

Intel hasn't updated all the microcode files yet.
They 'started' with the younger CPUs (last 5 years) first and it is unclear what CPUs will receive updates at all.

That said, there is a new update package microcode-20180108.tgz available from Intel which adds a number of microcode updates not present in Mageia.

Unless Spectre is not considered a 'problem' on Mageia Systems, it would be advisable to update to the latest microcode and kernels.

Best,
Herbert

CC: (none) => herbert

(In reply to Herbert Poetzl from comment #29)
> (In reply to PC LX from comment #27)
> 
> Intel hasn't updated all the microcode files yet.
> They 'started' with the younger CPUs (last 5 years) first and it is unclear
> what CPUs will receive updates at all.
> 
> That said, there is a new update package microcode-20180108.tgz available
> from Intel which adds a number of microcode updates not present in Mageia.
> 
> Unless Spectre is not considered a 'problem' on Mageia Systems, it would be
> advisable to update to the latest microcode and kernels.
> 

We know... as pointed out in comment 22, its the 20180108 set of microcodes we will flush out at this point

Advisory, added to svn:

type: security
subject: Updated microcode packages fix security vulnerabilities
CVE:
 - CVE 2017-5715
 - CVE 2017-5753
 - CVE-2017-5754
src:
  5:
   nonfree:
     - microcode-0.20180108-1.mga5.nonfree
  6:
   nonfree:
     - microcode-0.20180108-1.mga6.nonfree
description: |
  This update provides microcode fixes and mitigations for Spectre
  (CVE 2017-5715) for many Intel CPUs produced in the last 5 years.

  So far the Intel microcode updates are for several processors from the
  Haswell, Broadwell, Skylake, Kaby Lake, Coffee Lake, Gemini Lake, 
  Apollo Lake, Crystal Well and IVT platforms

  We also have added the latest known microcode for Amd family 17 (Zen)
  processors.

  We will provide more microcode updates when they are made available
  by Intel and Amd.
  
  We also suggest that you check if there is updated  BIOS and EFI
  firmwares from your hardware vendor.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=22337
 - https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
 - https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=52214
 - http://www.amd.com/en/corporate/speculative-execution
 - https://meltdownattack.com/
 - https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html

Keywords: (none) => advisory

MGA6-64 on Lenovo B50 Plasma
microcode_ctl was already installed by kernel test, added microcode-0.20180108-1 and did then a cold reboot.
No problems seen.

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0079.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED