Microcode with at least preparation and partial fixes for Meltdown and Spectre.
Advisory will follow.
There might be need for an update for additional fixes... but please start testing...
SRPM: microcode-0.20171215-1.mga5/6.nonfree.src.rpm
RPM: microcode-0.20171215-1.mga5.nonfree.noarch.rpm
Whiteboard: (none) => MGA5TOO
Blocks: (none) => 22331, 22332, 22333, 22334, 22335, 22336
Mga5 32 (multi-test; microcode, kernel & broadcom wifi)
# urpmi kernel-desktop-4.4.110-1.mga5 kernel-desktop-devel-4.4.110-1.mga5 kernel-desktop-latest kernel-desktop-devel-latest kernel-userspace-headers microcode
installing
kernel-desktop-latest-4.4.110-1.mga5.i586.rpm
kernel-userspace-headers-4.4.110-1.mga5.i586.rpm
kernel-desktop-devel-4.4.110-1.mga5-1-1.mga5.i586.rpm
microcode-0.20171215-1.mga5.nonfree.noarch.rpm
kernel-desktop-devel-latest-4.4.110-1.mga5.i586.rpm
kernel-desktop-4.4.110-1.mga5-1-1.mga5.i586.rpm
from /var/cache/urpmi/rpms
Preparing...
1/6: microcode
2/6: kernel-userspace-headers
3/6: kernel-desktop-4.4.110-1.mga5
4/6: kernel-desktop-devel-4.4.110-1.mga5
5/6: kernel-desktop-devel-latest
6/6: kernel-desktop-latest
1/4: removing kernel-desktop-devel-latest-4.4.105-1.mga5.i586
2/4: removing microcode-0.20170707-1.mga5.nonfree.noarch
3/4: removing kernel-userspace-headers-4.4.105-1.mga5.i586
4/4: removing kernel-desktop-latest-4.4.105-1.mga5.i586
broadcom-wl (6.30.223.271-5.mga5.nonfree): Installing module.
...................
...........
Cannot find a boot loader installed. Only taking care of initrd
Creating: target|kernel|dracut args|basicmodules
You should restart your computer for kernel-desktop-4.4.110-1.mga5
reboot to working desktop. wifi working -ok
Whiteboard: MGA5TOO => MGA5TOO|| Mga5-32-ok|
CC: (none) => westel
Mga5-x86_64 (Celeron M 530) (multi-test; microcode, kernel, broadcom-wl)
# urpmi microcode kernel-desktop-latest kernel-desktop-devel-latest kernel-userspace-headers
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Updates Testing (distrib5)")
kernel-desktop-4.4.110-1.mga5 1 1.mga5 x86_64
kernel-desktop-devel-4.4.110-> 1 1.mga5 x86_64
kernel-desktop-devel-latest 4.4.110 1.mga5 x86_64
kernel-desktop-latest 4.4.110 1.mga5 x86_64
kernel-userspace-headers 4.4.110 1.mga5 x86_64
(medium "Nonfree Updates Testing (distrib15)")
microcode 0.20171215 1.mga5.nonfr> noarch
88MB of additional disk space will be used.
59MB of packages will be retrieved.
Proceed with the installation of the 6 packages? (Y/n) y
installing
kernel-desktop-4.4.110-1.mga5-1-1.mga5.x86_64.rpm
kernel-desktop-devel-latest-4.4.110-1.mga5.x86_64.rpm
kernel-desktop-devel-4.4.110-1.mga5-1-1.mga5.x86_64.rpm
microcode-0.20171215-1.mga5.nonfree.noarch.rpm
kernel-desktop-latest-4.4.110-1.mga5.x86_64.rpm
kernel-userspace-headers-4.4.110-1.mga5.x86_64.rpm
from /var/cache/urpmi/rpms
Preparing...
1/6: kernel-desktop-devel-4.4.110-1.mga5
2/6: kernel-desktop-4.4.110-1.mga5
3/6: kernel-desktop-latest
4/6: kernel-desktop-devel-latest
5/6: kernel-userspace-headers
6/6: microcode
1/4: removing kernel-userspace-headers-4.4.105-1.mga5.x86_64
2/4: removing kernel-desktop-latest-4.4.105-1.mga5.x86_64
3/4: removing microcode-0.20170707-1.mga5.nonfree.noarch
4/4: removing kernel-desktop-devel-latest-4.4.105-1.mga5.x86_64
broadcom-wl (6.30.223.271-5.mga5.nonfree): Installing module.
......................
..........
Cannot find a boot loader installed. Only taking care of initrd
Creating: target|kernel|dracut args|basicmodules
You should restart your computer for kernel-desktop-4.4.110-1.mga5
reboot to working desktop and wifi -ok
Whiteboard: MGA5TOO|| Mga5-32-ok| => MGA5TOO|| Mga5-32-ok, Mga5-64-ok
Mga5_64 on old intel machine (ThinkPad SL510)
[root@Mga5_64bit marja]# rpm -qa --last | grep microcode
microcode-0.20171215-1.mga5.nonfree.noarch Sun 07 Jan 2018 06:23:50 CET
microcode_ctl-2.1-4.mga5.x86_64 Mon 27 Jul 2015 14:22:43 CEST
[root@Mga5_64bit marja]#
[root@Mga5_64bit marja]# journalctl -b | grep microcode
Jan 07 08:06:18 Mga5_64bit kernel: microcode: CPU0 microcode updated early to revision 0xa0b, date = 2010-09-28
Jan 07 08:06:18 Mga5_64bit kernel: microcode: CPU1 microcode updated early to revision 0xa0b, date = 2010-09-28
Jan 07 08:06:18 Mga5_64bit kernel: microcode: CPU0 sig=0x1067a, pf=0x80, revision=0xa0b
Jan 07 08:06:18 Mga5_64bit kernel: microcode: CPU1 sig=0x1067a, pf=0x80, revision=0xa0b
Jan 07 08:06:18 Mga5_64bit kernel: microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
[root@Mga5_64bit marja]#
@ Thomas
The description of microcode says:
> The microcode update is volatile and needs to be uploaded on each system
> boot. I.e. it doesn't reflash your cpu permanently.
> Reboot and it reverts back to the old microcode.
I can't tell from the journal lines that new microcode was indeed uploaded during boot. The revision date looks rather old!!
CC: (none) => marja11, tmb
On mga5-64
$ uname -r
4.4.105-desktop-1.mga5
$ grep name /proc/cpuinfo | sort -u
model name : Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
Before updating:
$ grep 'microcode' /proc/cpuinfo
microcode : 0xba
$ dmesg | grep microcode
[ 0.000000] microcode: CPU0 microcode updated early to revision 0xba, date = 2017-04-09
Package installed cleanly:
- microcode-0.20171215-1.mga5.nonfree.noarch
as root, executed dracut -f and rebooted:
$ grep 'microcode' /proc/cpuinfo
microcode : 0xba
$ dmesg | grep microcode
[ 0.000000] microcode: CPU0 microcode updated early to revision 0xba, date = 2017-04-09
Which seem to be identical to the results before updating.
Is there some way to confirm that the new microcode is being used?
CC: (none) => jim
(In reply to Marja van Waes from comment #3)
> [root@Mga5_64bit marja]# journalctl -b | grep microcode
> Jan 07 08:06:18 Mga5_64bit kernel: microcode: CPU0 microcode updated early
> @ Thomas
>
> The description of microcode says:
>
> > The microcode update is volatile and needs to be uploaded on each system
> > boot. I.e. it doesn't reflash your cpu permanently.
> > Reboot and it reverts back to the old microcode.
>
> I can't tell from the journal lines that new microcode was indeed uploaded
> during boot. The revision date looks rather old!!
It updated to what was available, hence the "microcode updated early"
I don't know for which ones Intel intend to release updated firmware for.. hence the "There might be need for an update for additional fixes.." in initial comment
(In reply to Thomas Backlund from comment #5)
> (In reply to Marja van Waes from comment #3)
>
> It updated to what was available, hence the "microcode updated early"
>
> I don't know for which ones Intel intend to release updated firmware for..
>
Then the result that I reported in comment#4 means simply that there was no new microcode for my CPU
confirming that this update is OK for mga5-64
Yeah, we are still waiting for confirmation / official release from Intel about this.. And I see SuSe has a firmware update for Zen platform citing CVE-2017-5715, even if AMD says not vulnerable... so this forced early release before the embargo date on Jan 8th has messed all up... I hope we get clarification/updates soon-ish
Intel lists:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Intel® Core™ i3 processor (45nm and 32nm)
Intel® Core™ i5 processor (45nm and 32nm)
Intel® Core™ i7 processor (45nm and 32nm)
Intel® Core™ M processor family (45nm and 32nm)
2nd generation Intel® Core™ processors
3rd generation Intel® Core™ processors
4th generation Intel® Core™ processors
5th generation Intel® Core™ processors
6th generation Intel® Core™ processors
7th generation Intel® Core™ processors
8th generation Intel® Core™ processors
Intel® Core™ X-series Processor Family for Intel® X99 platforms
Intel® Core™ X-series Processor Family for Intel® X299 platforms
Intel® Xeon® processor 3400 series
Intel® Xeon® processor 3600 series
Intel® Xeon® processor 5500 series
Intel® Xeon® processor 5600 series
Intel® Xeon® processor 6500 series
Intel® Xeon® processor 7500 series
Intel® Xeon® Processor E3 Family
Intel® Xeon® Processor E3 v2 Family
Intel® Xeon® Processor E3 v3 Family
Intel® Xeon® Processor E3 v4 Family
Intel® Xeon® Processor E3 v5 Family
Intel® Xeon® Processor E3 v6 Family
Intel® Xeon® Processor E5 Family
Intel® Xeon® Processor E5 v2 Family
Intel® Xeon® Processor E5 v3 Family
Intel® Xeon® Processor E5 v4 Family
Intel® Xeon® Processor E7 Family
Intel® Xeon® Processor E7 v2 Family
Intel® Xeon® Processor E7 v3 Family
Intel® Xeon® Processor E7 v4 Family
Intel® Xeon® Processor Scalable Family
Intel® Xeon Phi™ Processor 3200, 5200, 7200 Series
Intel® Atom™ Processor C Series
Intel® Atom™ Processor E Series
Intel® Atom™ Processor A Series
Intel® Atom™ Processor x3 Series
Intel® Atom™ Processor Z Series
Intel® Celeron® Processor J Series
Intel® Celeron® Processor N Series
Intel® Pentium® Processor J Series
Intel® Pentium® Processor N Series
So unless they revise that list, the older Intel are either not vulnerable, or Intel will ignore them... Come to think of it... I don't remember what/if older systems even support runtime microcode updating
(In reply to Thomas Backlund from comment #7)
> Yeah, we are still waiting for confirmation / official release from Intel
> about this..
>
> And I see SuSe has a firmware update for Zen platform citing CVE-2017-5715,
> even if AMD says not vulnerable... so this forced early release before the
> embargo date on Jan 8th has messed all up...
>
Ah, 5715 is according to amd:
Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.
but they still released updated firmware anyway, so new microcode package will be needed to update this..
I have already tested/confirmed it loads on Ryzen and ThreadRipper without issues so far...
Intel Reference: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Amd reference: http://www.amd.com/en/corporate/speculative-execution
Google project Zero: https://googleprojectzero.blogspot.fi/2018/01/reading-privileged-memory-with-side.html
Red Hat released an updated dracut for RHEL7 that looked like it was intended to make sure that the microcode was loaded at the right stage of the boot process. Do we need to do anything like that?
We already do early firmware loading, but I see they added a fix for fam22, but not fam23 that is Zen... Will look on it and test here... thanks for pointing it out
Do we have to update the kernel-firmware package too? RedHat updated a linux-firmware package (I'm not sure if that's the same thing).
microcode_ctl: https://access.redhat.com/errata/RHSA-2018:0012
dracut: https://access.redhat.com/errata/RHBA-2018:0042
linux-firmware: https://access.redhat.com/errata/RHSA-2018:0014
(In reply to David Walser from comment #14)
> Do we have to update the kernel-firmware package too? RedHat updated a
> linux-firmware package (I'm not sure if that's the same thing).
>
> microcode_ctl:
> https://access.redhat.com/errata/RHSA-2018:0012
>
> dracut:
> https://access.redhat.com/errata/RHBA-2018:0042
>
> linux-firmware:
> https://access.redhat.com/errata/RHSA-2018:0014
Nope, they just have a split packaging... intel cpu microcode in microcode_ctl, and cpu microcode in linux-firmware
Don't forget to add dracut-038-21.2.mga5 to the advisory. Speaking of dracut advisories, here's Fedora's: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GAKRHN53H5G3JOY7AVSBTQIHZFWJW53O/
the kernels will enforce the new dracut, so I'll add it there
According to this: https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/ Intel is only focusing on firmwares for cpus released in the last five years ... so there will probably be more microcode updates later on...
But testing M5/64 anyway: microcode-0.20171215-2.mga5.nonfree
System: real EFI box with AMD processor, AMD/ATI/Radeon graphics.
I have been running with this update a few days, no perceivable problems. As it stands, it is OK for me.
Yeah, when the kernels are ok, we will push whatever microcode we have so far... Fixing fallouts of this will take months/years depending on what is found...
For what it is worth the microcode has been installed on several partitions here spread over four machines and the two releases, mga5 and mga6. No obvious problems in the last two days.
CC: (none) => tarazed25
So Intel finally released their first official microcode batch:
-- Updated platform --
IVT C0 (06-3e-04:ed) 428->42a
SKL-U/Y D0 (06-4e-03:c0) ba->c2
BDW-U/Y E/F (06-3d-04:c0) 25->28
HSW-ULT Cx/Dx (06-45-01:72) 20->21
Crystalwell Cx (06-46-01:32) 17->18
BDW-H E/G (06-47-01:22) 17->1b
HSX-EX E0 (06-3f-04:80) 0f->10
SKL-H/S R0 (06-5e-03:36) ba->c2
HSW Cx/Dx (06-3c-03:32) 22->23
HSX C0 (06-3f-02:6f) 3a->3b
BDX-DE V0/V1 (06-56-02:10) 0f->14
BDX-DE V2 (06-56-03:10) 700000d->7000011
KBL-U/Y H0 (06-8e-09:c0) 62->80
KBL Y0 / CFL D0 (06-8e-0a:c0) 70->80
KBL-H/S B0 (06-9e-09:2a) 5e->80
-- New Platforms --
CFL U0 (06-9e-0a:22) 80
CFL B0 (06-9e-0b:2) 80
SKX H0 (06-55-04:b7) 200003c
GLK B0 (06-7a-01:1) 22
APL Bx (06-5c-09:3) 2c
So that is: Haswell, Broadwell, Skylake, KabyLake, Coffee Lake, Gemini Lake, Apollo Lake, Crystal Well and IVT ...
The older ones will have to wait longer..
and the new (s)rpm are now: microcode-0.20180108-1.mga5/6.nonfree
Whiteboard: MGA5TOO|| Mga5-32-ok, Mga5-64-ok => MGA5TOO
works on Intel i7-7500U, Amd Ryzen and ThreadRipper
System: Host: markab Kernel: 4.14.10-tmb-desktop-1.mga6 x86_64
CPU: Quad core Intel Core i7-5700HQ (-HT-MCP-)
Everything working normally after update and reboot.
$ rpm -qa | grep microcode
microcode_ctl-2.1-7.mga6
microcode-0.20180108-1.mga6.nonfree
$ su
# journalctl -b | grep microcode
Jan 10 18:57:40 markab kernel: microcode: microcode updated early to revision 0x17, date = 2017-01-27
Jan 10 18:57:40 markab kernel: microcode: sig=0x40671, pf=0x20, revision=0x17
Jan 10 18:57:40 markab kernel: microcode: Microcode Update Driver: v2.2.
Thanks Marja. Not sure what to make of that - guess it has not "taken". Shall try the kernel update next and check again.
Intel Core i7-5700HQ
After the update to kernel-desktop-4.14.13
$ grep microcode /proc/cpuinfo | uniq
microcode : 0x1b
# journalctl -b | grep microcode
Jan 10 23:20:44 markab kernel: microcode: microcode updated early to revision 0x1b, date = 2017-11-17
Jan 10 23:20:44 markab kernel: microcode: sig=0x40671, pf=0x20, revision=0x1b
Jan 10 23:20:44 markab kernel: microcode: Microcode Update Driver: v2.2.
on mga5-64
$ grep name /proc/cpuinfo | sort -u
model name : Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
Before updating:
$ dmesg | grep microcode
[ 0.000000] microcode: CPU0 microcode updated early to revision 0xba, date = 2017-04-09
...
[ 0.488953] microcode: CPU0 sig=0x506e3, pf=0x2, revision=0xba
...
[ 0.489378] microcode: Microcode Update Driver: v2.01
package installed:
- microcode-0.20180108-1.mga5.nonfree.noarch
after updating kernel etc:
$ dmesg | grep microcode
[ 0.000000] microcode: CPU0 microcode updated early to revision 0xc2, date = 2017-11-16
...
[ 0.490640] microcode: CPU0 sig=0x506e3, pf=0x2, revision=0xc2
...
[ 0.491113] microcode: Microcode Update Driver: v2.01
looks OK for mga5-64
Installed and tested with issues. After one day of normal usage, no regressions were noticed.
The CPU on this system seems to be using an older microcode version, dated 2010-09-28.
$ cat /proc/cpuinfo | egrep 'name|microcode' | sort -u
microcode : 0xa0b
model name : Intel(R) Core(TM)2 Quad CPU Q9400 @ 2.66GHz
$ uname -a
Linux marte 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ journalctl -b | grep -io microcode.*
microcode: microcode updated early to revision 0xa0b, date = 2010-09-28
microcode: sig=0x1067a, pf=0x10, revision=0xa0b
microcode: Microcode Update Driver: v2.2.
CC: (none) => mageia
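Added example, not part of the bug report or of Mageia's tooling: one way to answer the question raised earlier in this thread (how to confirm that new microcode is in use) is to decode the `sig=` value from the kernel log into the family-model-stepping form of the release-note list quoted above and compare the running revision with the listed one. The function names are hypothetical, only a subset of the quoted entries is embedded, and treating the hex value after the colon as a mask tested against the kernel's `pf=` value is an assumption.

```shell
# Added example; not code from the bug report or from Mageia's packaging.
# Subset of the release-note entries quoted in this thread:
# family-model-stepping:mask  old-revision  new-revision
NOTES='06-3e-04:ed 428 42a
06-4e-03:c0 ba c2
06-3c-03:32 22 23
06-47-01:22 17 1b
06-5e-03:36 ba c2
06-8e-09:c0 62 80'

# Decode the CPUID signature the kernel prints as sig=0x... into the
# family-model-stepping form used in the release notes.
sig_to_fms() {
    sig=$(( $1 ))
    stepping=$(( sig & 0xf ))
    model=$(( (sig >> 4) & 0xf ))
    family=$(( (sig >> 8) & 0xf ))
    # The extended model field applies to base families 6 and 15.
    if [ "$family" -eq 6 ] || [ "$family" -eq 15 ]; then
        model=$(( (((sig >> 16) & 0xf) << 4) | model ))
    fi
    if [ "$family" -eq 15 ]; then
        family=$(( family + ((sig >> 20) & 0xff) ))
    fi
    printf '%02x-%02x-%02x\n' "$family" "$model" "$stepping"
}

# Print the revision the notes list for this sig/pf pair, or nothing.
# Assumption: the hex value after ':' is a mask tested against pf.
expected_rev() {
    fms=$(sig_to_fms "$1")
    pf=$(( $2 ))
    printf '%s\n' "$NOTES" | while read -r entry _old new; do
        [ "${entry%%:*}" = "$fms" ] || continue
        mask=$(( 0x${entry##*:} ))
        if [ $(( mask & pf )) -ne 0 ]; then echo "0x$new"; fi
    done
}

# Read kernel log text on stdin and classify the running revision.
check_log() {
    line=$(grep -o 'sig=0x[0-9a-f]*, pf=0x[0-9a-f]*, revision=0x[0-9a-f]*' | head -n 1)
    [ -n "$line" ] || { echo "no-microcode-line"; return 1; }
    sig=${line#sig=}; sig=${sig%%,*}
    pf=${line#*pf=}; pf=${pf%%,*}
    rev=${line##*revision=}
    fms=$(sig_to_fms "$sig")
    want=$(expected_rev "$sig" "$pf")
    if [ -z "$want" ]; then
        echo "not-listed $fms running=$rev"
    elif [ $(( $rev )) -ge $(( $want )) ]; then
        echo "current $fms running=$rev"
    else
        echo "stale $fms running=$rev expected=$want"
    fi
}

# Constructed demo line reusing values reported in this thread:
printf '%s\n' 'microcode: CPU0 sig=0x506e3, pf=0x2, revision=0xba' | check_log
```

On a live system the same check is `dmesg | check_log`; a `not-listed` result means the embedded list has no entry for that CPU, not that the CPU is unaffected.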
MGA5-32 on Dell Latitude D600 Xfce microcode_ctl was already installed by kernel test, added microcode-0.20180108-1 and did then a cold reboot. No problems seen.
CC: (none) => herman.viaene
(In reply to PC LX from comment #27) Intel hasn't updated all the microcode files yet. They 'started' with the younger CPUs (last 5 years) first and it is unclear what CPUs will receive updates at all. That said, there is a new update package microcode-20180108.tgz available from Intel which adds a number of microcode updates not present in Mageia. Unless Spectre is not considered a 'problem' on Mageia Systems, it would be advisable to update to the latest microcode and kernels. Best, Herbert
CC: (none) => herbert
(In reply to Herbert Poetzl from comment #29)
> (In reply to PC LX from comment #27)
>
> Intel hasn't updated all the microcode files yet.
> They 'started' with the younger CPUs (last 5 years) first and it is unclear
> what CPUs will receive updates at all.
>
> That said, there is a new update package microcode-20180108.tgz available
> from Intel which adds a number of microcode updates not present in Mageia.
>
> Unless Spectre is not considered a 'problem' on Mageia Systems, it would be
> advisable to update to the latest microcode and kernels.
>
We know... as pointed out in comment 22, it's the 20180108 set of microcodes we will flush out at this point
Advisory, added to svn:
type: security
subject: Updated microcode packages fix security vulnerabilities
CVE:
 - CVE 2017-5715
 - CVE 2017-5753
 - CVE-2017-5754
src:
  5:
   nonfree:
     - microcode-0.20180108-1.mga5.nonfree
  6:
   nonfree:
     - microcode-0.20180108-1.mga6.nonfree
description: |
  This update provides microcode fixes and mitigations for Spectre
  (CVE 2017-5715) for many Intel CPUs produced in the last 5 years.
  So far the Intel microcode updates are for several processors from the
  Haswell, Broadwell, Skylake, Kaby Lake, Coffee Lake, Gemini Lake,
  Apollo Lake, Crystal Well and IVT platforms
  We also have added the latest known microcode for Amd family 17 (Zen)
  processors.
  We will provide more microcode updates when they are made available by
  Intel and Amd.
  We also suggest that you check if there is updated BIOS and EFI firmwares
  from your hardware vendor.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=22337
 - https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
 - https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=52214
 - http://www.amd.com/en/corporate/speculative-execution
 - https://meltdownattack.com/
 - https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
Keywords: (none) => advisory
MGA6-64 on Lenovo B50 Plasma microcode_ctl was already installed by kernel test, added microcode-0.20180108-1 and did then a cold reboot. No problems seen.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO => MGA5TOO, MGA6-64-OK, MGA6-32-OK, MGA5-64-OK, MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0079.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED