According to: https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre the =sys-firmware/intel-microcode-20171117_p20171215 package should contain updated microcode for Haswell, updating to 0x23.
However, after installing:
    $ iucode_tool -S -l /lib/firmware/intel-ucode/*
    selected microcodes:
    049/001: sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
which is still rev. 0x22 and not 0x23. I observe the same when actually loading the microcode early:
    [ 0.000000] microcode: microcode updated early to revision 0x22, date = 2017-01-27
Is the wiki wrong (i.e. 0x23 has not been released yet - will it be a future update), or is the package missing some updates?
Fetching intel-microcode-3.20171215.1 from Debian sid, extracting it and running iucode-tool reveals:
    selected microcodes:
    024/001: sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
So it appears that =sys-firmware/intel-microcode-20171117_p20171215 is missing the necessary microcode blob updates, but they have in fact been released.
Doing a short survey, I found:
    Gentoo: 0x22
    Debian sid: 0x23 ( https://packages.debian.org/sid/intel-microcode )
    CentOS 7: 0x22 ( http://mirror.centos.org/centos/7.4.1708/updates/x86_64/Packages/microcode_ctl-2.1-22.2.el7.x86_64.rpm )
    Ubuntu bionic: 0x22 ( https://packages.ubuntu.com/de/bionic/amd64/intel-microcode/download )
So it seems only Debian has received those updated microcodes as of yet (and maybe RHEL and other commercial distros). Debian also mentions that in their changelog: http://metadata.ftp-master.debian.org/changelogs/non-free/i/intel-microcode/intel-microcode_3.20171215.1_changelog
Apparently, this is not officially out yet: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe65cc7bc14f41f05bb9c41f7318f280a1a31b5e
commit fe65cc7bc14f41f05bb9c41f7318f280a1a31b5e
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-07 20:48:05 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-07 20:48:23 +0000
    sys-firmware/intel-microcode: Bump to add additional microcode updates
    Added:
    (06-3c-03): 0x0022 -> 0x0023
    (06-3d-04): 0x0025 -> 0x0028
    (06-45-01): 0x0020 -> 0x0021
    (06-4e-03): 0x00ba -> 0x00c2
    (06-5c-09): 0x002c -> 0x002e
    (06-8e-09): 0x0062 -> 0x007c
    (06-9e-09): 0x005e -> 0x007c
    Bug: https://bugs.gentoo.org/643794
    Package-Manager: Portage-2.3.19, Repoman-2.3.6
 sys-firmware/intel-microcode/Manifest | 1 +
 .../intel-microcode-20171117_p20171215-r1.ebuild | 39 ++++++++++++++++++++++
 2 files changed, 40 insertions(+)
@ Arches, please test and mark stable: =sys-firmware/intel-microcode-20171117_p20171215-r1
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Bumped to =sys-firmware/intel-microcode-20180108 and stabilized. Do not cleanup yet.
I upgraded intel-microcode to 20180108 and face the issues as commented above, my microcodes are still from 2017-11-16
    [ 0.000000] microcode: microcode updated early to revision 0xc2, date = 2017-11-16
    [ 0.539634] microcode: sig=0x406e3, pf=0x80, revision=0xc2
    [ 0.539758] microcode: Microcode Update Driver: v2.2.
All files from /lib64/firmware/intel-ucode/* are from 2018-01-10, I used iucode_tool to create the .cpio in /boot/ and the early_ucode.cpio is also as of today.
Is it still a bug in 20180108? Or are we doing something wrong?
(In reply to spargeltarzan from comment #8)
> I upgraded intel-microcode to 20180108 and face the issues as commented
> above, my microcodes are still from 2017-11-16
>
> [ 0.000000] microcode: microcode updated early to revision 0xc2, date =
> 2017-11-16
> [ 0.539634] microcode: sig=0x406e3, pf=0x80, revision=0xc2
> [ 0.539758] microcode: Microcode Update Driver: v2.2.
>
> All files from /lib64/firmware/intel-ucode/* are from 2018-01-10, I used
> iucode_tool to create the .cpio in /boot/ and the early_ucode.cpio is also
> as of today.
>
> Is it still a bug in 20180108? Or are we doing something wrong?
No, you're confusing the date stamps.
For your CPU, 20171117 release had:
    sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
The 20180108 release had:
    sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
Here's a comparison of the microcodes shipped in 20171117.ebuild vs 20180108.ebuild:
- sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
+ sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
- sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
+ sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
- sig 0x000306e4, pf_mask 0xed, 2014-05-29, rev 0x0428, size 13312
+ sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
- sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
+ sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
- sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
+ sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
- sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
+ sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
- sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
+ sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
- sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
+ sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
- sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
+ sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
- sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
+ sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
- sig 0x00050662, pf_mask 0x10, 2015-12-12, rev 0x000f, size 28672
+ sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
- sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x700000d, size 20480
+ sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
- sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
+ sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
- sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
+ sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
- sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
+ sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
- sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
+ sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
- sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
+ sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
- sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
+ sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
- sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
+ sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
this is from cat /proc/cpuinfo:
    processor : 0
    vendor_id : GenuineIntel
    cpu family : 6
    model : 44
    model name : Intel(R) Core(TM) i7 CPU 970 @ 3.20GHz
    stepping : 2
    microcode : 0x1a
    cpu MHz : 3193.000
    cache size : 12288 KB
    physical id : 0
    siblings : 12
    core id : 0
    cpu cores : 6
    apicid : 0
    initial apicid : 0
    fpu : yes
    fpu_exception : yes
    cpuid level : 11
    wp : yes
    flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 popcnt aes lahf_lm pti tpr_shadow vnmi flexpriority ept vpid dtherm ida arat
    bugs : cpu_insecure
    bogomips : 6400.56
    clflush size : 64
    cache_alignment : 64
    address sizes : 36 bits physical, 48 bits virtual
Intel shows the latest microcode supports this cpu on its Download page
When I run:
    # iucode_tool -S --write-earlyfw=/boot/early_ucode.cpio /lib/firmware/intel-ucode/*
    iucode_tool: system has processor(s) with signature 0x000206c2
    iucode_tool: No valid microcodes were selected, nothing to do...
Your processor is using microcodes from 2013-06-17. The latest available microcode for your processor is rev 0x1d from 2015-08-04 (no Spectre update yet). However, as you have noticed, microcodes for your processor are currently not part of Intel's latest official tarball. As said in another bug 644100, Intel sometimes drops microcodes for no reason. We will really have to index previous releases and maintain our own tarball.
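Added example (not part of the thread and not code from iucode_tool or Gentoo): a small checker for the two situations discussed above, the date-stamp confusion and the CPU whose signature is missing from the bundle. It compares the running revision from the kernel log with the best applicable entry of an `iucode_tool -l` listing; the function names are hypothetical, the listing and log lines are copied from the thread, and the pf values marked as constructed are assumptions.

```python
import re

# Output of `iucode_tool -l` for the 20180108 bundle (three entries copied from the thread).
LISTING = """\
sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
"""
# Kernel log line copied from the thread.
DMESG = "[ 0.539634] microcode: sig=0x406e3, pf=0x80, revision=0xc2"

ENTRY = re.compile(r"sig (0x[0-9a-f]+), pf_mask (0x[0-9a-f]+), "
                   r"(\d{4}-\d{2}-\d{2}), rev (0x[0-9a-f]+)")
CPU = re.compile(r"microcode: sig=(0x[0-9a-f]+), pf=(0x[0-9a-f]+), "
                 r"revision=(0x[0-9a-f]+)")

def parse_listing(text):
    """Return one dict per microcode entry in an iucode_tool listing."""
    return [{"sig": int(s, 16), "pf_mask": int(p, 16), "date": d, "rev": int(r, 16)}
            for s, p, d, r in ENTRY.findall(text)]

def parse_cpu(line):
    """Return (sig, pf, running_rev) from the kernel's microcode log line."""
    m = CPU.search(line)
    if m is None:
        raise ValueError("not a 'microcode: sig=..., pf=..., revision=...' line")
    return tuple(int(v, 16) for v in m.groups())

def check(sig, pf, running_rev, entries):
    """Compare the running revision with the best applicable bundle entry.

    An entry applies when the signature is equal and the CPU's platform
    flag bit is set in the entry's pf_mask. The microcode date and the
    mtime of the files on disk play no part in the decision.
    """
    applicable = [e for e in entries if e["sig"] == sig and e["pf_mask"] & pf]
    if not applicable:
        return "not-in-bundle", None
    best = max(applicable, key=lambda e: e["rev"])
    status = "current" if running_rev >= best["rev"] else "outdated"
    return status, best

if __name__ == "__main__":
    entries = parse_listing(LISTING)
    print(check(*parse_cpu(DMESG), entries))    # the 0x406e3 CPU from the thread
    print(check(0x306c3, 0x02, 0x22, entries))  # pf=0x02 is a constructed value
    print(check(0x206c2, 0x01, 0x1a, entries))  # pf=0x01 is a constructed value
```

On a live system the listing would come from `iucode_tool -l /lib/firmware/intel-ucode/*` and the log line from `dmesg`.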
GLSA Vote: No! There's no point in issuing a GLSA here as it heavily depends on the processor you are using. I.e. there are still a lot of processors which haven't received a microcode update yet and we are already talking about Spectre NG :>
All done, closing.