|Summary:||<sys-firmware/intel-microcode-20171117_p20171215: Microcode updates to report both branch prediction control via CPUID|
|Product:||Gentoo Security||Reporter:||GLSAMaker/CVETool Bot <glsamaker>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||major||CC:||base-system, bugs.gentoo.org, ct, ecyoung, gentoo, krinpaus, Ma3oxuct, pacho, peter.volkov, rzubaly, tb, z23|
|Runtime testing required:||---|
|Bug Depends on:|
Description GLSAMaker/CVETool Bot 2018-01-04 16:18:13 UTC
Comment 1 Thomas Deutschmann 2018-01-04 16:23:07 UTC
The CPU microcode for Intel Haswell-X, Skylake-X and Broadwell-X chipsets was updated to report both branch prediction control via CPUID flag and ability to control branch prediction via an MSR register. Required for kernel mitigation against CVE-2017-5715 (bug 643342).
Comment 2 Larry the Git Cow 2018-01-04 16:25:02 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e6ea9dcb23142a268cef722793a408071677d6b1 commit e6ea9dcb23142a268cef722793a408071677d6b1 Author: Thomas Deutschmann <firstname.lastname@example.org> AuthorDate: 2018-01-04 16:24:38 +0000 Commit: Thomas Deutschmann <email@example.com> CommitDate: 2018-01-04 16:24:55 +0000 sys-firmware/intel-microcode: Rev bump for CVE-2017-5715 mitigation The CPU microcode for Intel Haswell-X, Skylake-X and Broadwell-X chipsets was updated to report both branch prediction control via CPUID flag and ability to control branch prediction via an MSR register. Required for kernel mitigation against CVE-2017-5715. Bug: https://bugs.gentoo.org/643430 Package-Manager: Portage-2.3.19, Repoman-2.3.6 sys-firmware/intel-microcode/Manifest | 1 + .../intel-microcode-20171117_p20171215.ebuild | 39 ++++++++++++++++++++++ 2 files changed, 40 insertions(+)}
Comment 3 Thomas Deutschmann 2018-01-04 16:26:44 UTC
@ Arches, please test and mark stable: =sys-firmware/intel-microcode-20171117_p20171215
Comment 4 Hanno Böck 2018-01-05 19:29:46 UTC
The updated ebuild removes the option to have a microcode.dat file which can be loaded with microcode-ctl. I was unable to figure out how I'm supposed to load that. Can we have some einfo what people should do instead? Also I wonder if it's wise to do such a change combined with a security update.
Comment 5 Carter Young 2018-01-05 21:17:25 UTC
(In reply to Hanno Boeck from comment #4) > The updated ebuild removes the option to have a microcode.dat file which can > be loaded with microcode-ctl. > > I was unable to figure out how I'm supposed to load that. Can we have some > einfo what people should do instead? > > Also I wonder if it's wise to do such a change combined with a security > update. See the relevant section of: https://wiki.gentoo.org/wiki/Intel_microcode Use Section 5, to embed the firmware into the kernel and note the introductory NOTE
Comment 6 Thomas Deutschmann 2018-01-05 21:30:50 UTC
(In reply to Hanno Boeck from comment #4) > The updated ebuild removes the option to have a microcode.dat file which can > be loaded with microcode-ctl. > > I was unable to figure out how I'm supposed to load that. Can we have some > einfo what people should do instead? > > Also I wonder if it's wise to do such a change combined with a security > update. microcode-ctl is deprecated and doesn't work for recent processors (that's why we already removed the runscript). We will p.mask soon. Using kernel's CPU microcode loading support is the recommended way (some systems with outdated firmware may even require loading before initramfs/kernel). Because Intel didn't provide us with an updated *.dat file we were forced to remove this option with this update to make sure ucodes are getting used. Otherwise you would keep using *.dat file and won't see the updated ucodes.
Comment 7 Thomas Deutschmann 2018-01-06 05:25:31 UTC
Comment 8 Agostino Sarubbo 2018-01-06 17:54:05 UTC
amd64 stable. Maintainer(s), please cleanup. Security, please vote.
Comment 9 Oliver Freyermuth 2018-01-07 16:32:22 UTC
Sorry for commenting here, but this package does not seem to actually contain all microcode updates (see 643794 ). In short, after installing =sys-firmware/intel-microcode-20171117_p20171215 $ iucode_tool -l /lib/firmware/intel-ucode/* | grep 306c3 049/001: sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528 Running the same on the extracted intel-microcode package from Debian: 024/001: sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552 According to https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre 0x0023 is needed on 0x000306c3 . I've opened 643794 on this, but likely it affects other CPUs, too.
Comment 10 Thomas Deutschmann 2018-01-07 19:33:05 UTC
Yes, this was only the microcode update for -X series because when we published no other microcode was available and we didn't want to hold back the one we received. Expect multiple rev bumps in the next days/weeks.
Comment 11 Leith Bade 2018-01-10 05:26:20 UTC
The official files are now up on the Intel website at https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?v=t
Comment 12 Thomas Deutschmann 2018-08-08 19:12:26 UTC
GLSA Vote: No! There's no point in issuing a GLSA here as it heavily depends on the processor your are using. I.e. there are still a lot of processors which don't have received a microcode update yet and we are already talking about Spectre NG :> All done, closing.