Bug 643794 - <sys-firmware/intel-microcode-20180108: Add additional microcodes
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A4 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2017-5715
Reported: 2018-01-07 16:17 UTC by Oliver Freyermuth
Modified: 2018-08-08 19:11 UTC

See Also:
Package list:
sys-firmware/intel-microcode-20180108
Runtime testing required: ---
stable-bot: sanity-check+


Description Oliver Freyermuth 2018-01-07 16:17:42 UTC
According to:
https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre
the =sys-firmware/intel-microcode-20171117_p20171215 package should contain updated microcode for Haswell, updating to 0x23. 

However, after installing:

$ iucode_tool -S -l /lib/firmware/intel-ucode/*
selected microcodes:
  049/001: sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528

which is still rev. 0x22 and not 0x23. 
I observe the same when actually loading the microcode early:
[    0.000000] microcode: microcode updated early to revision 0x22, date = 2017-01-27

Is the wiki wrong (i.e. 0x23 has not been released yet - will it be a future update), or is the package missing some updates?
Comment 1 Oliver Freyermuth 2018-01-07 16:25:58 UTC
Fetching intel-microcode-3.20171215.1 from Debian sid, extracting it and running iucode-tool reveals:

selected microcodes:
  024/001: sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552

So it appears that =sys-firmware/intel-microcode-20171117_p20171215 is missing the necessary microcode blob updates, but they have in fact been released.
Comment 2 Oliver Freyermuth 2018-01-07 17:29:59 UTC
Doing a short survey, I found:

Gentoo: 0x22
Debian sid: 0x23 ( https://packages.debian.org/sid/intel-microcode )
CentOS 7: 0x22 ( http://mirror.centos.org/centos/7.4.1708/updates/x86_64/Packages/microcode_ctl-2.1-22.2.el7.x86_64.rpm )
Ubuntu bionic: 0x22 ( https://packages.ubuntu.com/de/bionic/amd64/intel-microcode/download )

So it seems only Debian has received those updated microcodes as of yet (and maybe RHEL and other commercial distros). 

Debian also mentions that in their changelog:
http://metadata.ftp-master.debian.org/changelogs/non-free/i/intel-microcode/intel-microcode_3.20171215.1_changelog

Apparently, this is not officially out yet:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886367
Comment 3 Larry the Git Cow gentoo-dev 2018-01-07 20:48:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe65cc7bc14f41f05bb9c41f7318f280a1a31b5e

commit fe65cc7bc14f41f05bb9c41f7318f280a1a31b5e
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-07 20:48:05 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-07 20:48:23 +0000

    sys-firmware/intel-microcode: Bump to add additional microcode updates
    
    Added:
    (06-3c-03): 0x0022 -> 0x0023
    (06-3d-04): 0x0025 -> 0x0028
    (06-45-01): 0x0020 -> 0x0021
    (06-4e-03): 0x00ba -> 0x00c2
    (06-5c-09): 0x002c -> 0x002e
    (06-8e-09): 0x0062 -> 0x007c
    (06-9e-09): 0x005e -> 0x007c
    
    Bug: https://bugs.gentoo.org/643794
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 sys-firmware/intel-microcode/Manifest              |  1 +
 .../intel-microcode-20171117_p20171215-r1.ebuild   | 39 ++++++++++++++++++++++
 2 files changed, 40 insertions(+)
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-01-07 20:51:11 UTC
@ Arches,

please test and mark stable: =sys-firmware/intel-microcode-20171117_p20171215-r1
Comment 5 Agostino Sarubbo gentoo-dev 2018-01-07 21:41:43 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2018-01-07 21:42:08 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Thomas Deutschmann gentoo-dev Security 2018-01-10 00:48:56 UTC
Bumped to =sys-firmware/intel-microcode-20180108 and stabilized.

Do not cleanup yet.
Comment 8 spargeltarzan 2018-01-10 12:39:33 UTC
I upgraded intel-microcode to 20180108 and face the issues as commented above, my microcodes are still from 2017-11-16

[    0.000000] microcode: microcode updated early to revision 0xc2, date = 2017-11-16
[    0.539634] microcode: sig=0x406e3, pf=0x80, revision=0xc2
[    0.539758] microcode: Microcode Update Driver: v2.2.

All files from /lib64/firmware/intel-ucode/* are from 2018-01-10, I used iucode_tool to create the .cpio in /boot/ and the early_ucode.cpio is also as of today.

Is it still a bug in 20180108? Or are we doing something wrong?
Comment 9 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2018-01-10 23:23:32 UTC
(In reply to spargeltarzan from comment #8)
> I upgraded intel-microcode to 20180108 and face the issues as commented
> above, my microcodes are still from 2017-11-16
> 
> [    0.000000] microcode: microcode updated early to revision 0xc2, date =
> 2017-11-16
> [    0.539634] microcode: sig=0x406e3, pf=0x80, revision=0xc2
> [    0.539758] microcode: Microcode Update Driver: v2.2.
> 
> All files from /lib64/firmware/intel-ucode/* are from 2018-01-10, I used
> iucode_tool to create the .cpio in /boot/ and the early_ucode.cpio is also
> as of today.
> 
> Is it still a bug in 20180108? Or are we doing something wrong?
No, you're confusing the date stamps.

For your CPU, 20171117 release had:
sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
The 20180108 release had:
sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328


Here's a comparison of the microcodes shipped in 20171117.ebuild vs 20180108.ebuild:
- sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
+ sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
- sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
+ sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
- sig 0x000306e4, pf_mask 0xed, 2014-05-29, rev 0x0428, size 13312
+ sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
- sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
+ sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
- sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
+ sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
- sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
+ sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
- sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
+ sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
- sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
+ sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
- sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
+ sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
- sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
+ sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
- sig 0x00050662, pf_mask 0x10, 2015-12-12, rev 0x000f, size 28672
+ sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
- sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x700000d, size 20480
+ sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
- sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
+ sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
- sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
+ sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
- sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
+ sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
- sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
+ sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
- sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
+ sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
- sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
+ sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
- sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
+ sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
Comment 10 Harris Landgarten 2018-01-13 22:40:46 UTC
this is from cat /proc/cpuinfo:

processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 44
model name	: Intel(R) Core(TM) i7 CPU         970  @ 3.20GHz
stepping	: 2
microcode	: 0x1a
cpu MHz		: 3193.000
cache size	: 12288 KB
physical id	: 0
siblings	: 12
core id		: 0
cpu cores	: 6
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 11
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 popcnt aes lahf_lm pti tpr_shadow vnmi flexpriority ept vpid dtherm ida arat
bugs		: cpu_insecure
bogomips	: 6400.56
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual

Intel shows the latest microcode supports this cpu on its Download page

When I run:
# iucode_tool -S --write-earlyfw=/boot/early_ucode.cpio /lib/firmware/intel-ucode/*
iucode_tool: system has processor(s) with signature 0x000206c2
iucode_tool: No valid microcodes were selected, nothing to do...
Comment 11 Thomas Deutschmann gentoo-dev Security 2018-01-13 23:48:41 UTC
Your processor is using microcodes from 2013-06-17.

The latest available microcode for your processor is rev 0x1d from 2015-08-04 (no Spectre update yet). However, as you have noticed, microcodes for your processor are currently not part of Intel's latest official tarball.

As said in another bug, 644100, Intel sometimes drops microcodes for no reason.

We will really have to index previous releases and maintain our own tarball.
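
The checks discussed in comments 8 to 11, as an added example that is not part of the bug thread or of any Gentoo or Intel tooling: it matches a CPU against `iucode_tool -l` output by signature and platform flag, compares revisions rather than dates, and derives the signature and file name from the `/proc/cpuinfo` fields. The function names and the `pf` value used for comment 10's CPU are assumptions; the sample listing lines are copied from comment 9.

```python
import re

# Constructed sample: three `iucode_tool -l` lines copied from the
# 20180108 side of the comparison in comment 9.
LISTING = """\
sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
"""
ENTRY = re.compile(r"sig (0x[0-9a-f]+), pf_mask (0x[0-9a-f]+), "
                   r"(\d{4}-\d{2}-\d{2}), rev (0x[0-9a-f]+)")

def cpuid_signature(family, model, stepping):
    """CPUID signature from the decimal /proc/cpuinfo fields."""
    base_family, ext_family = min(family, 0xF), max(family - 0xF, 0)
    return (ext_family << 20 | (model >> 4) << 16 | base_family << 8
            | (model & 0xF) << 4 | stepping)

def ucode_filename(family, model, stepping):
    """File name under /lib/firmware/intel-ucode/, e.g. 06-3c-03."""
    return f"{family:02x}-{model:02x}-{stepping:02x}"

def parse_listing(text):
    """Return [(sig, pf_mask, date, rev), ...] from iucode_tool -l output."""
    return [(int(m[1], 16), int(m[2], 16), m[3], int(m[4], 16))
            for m in ENTRY.finditer(text)]

def check(sig, pf, running_rev, listing=LISTING):
    """Compare the running revision with the newest applicable blob.

    A blob applies when its signature equals the CPU's and the CPU's
    platform flag intersects pf_mask (or both are zero). The decision
    uses revisions only; the date is reported for information.
    """
    hits = [(rev, date) for s, mask, date, rev in parse_listing(listing)
            if s == sig and ((pf & mask) or (pf == 0 and mask == 0))]
    if not hits:
        return ("not-in-package", None, None)
    rev, date = max(hits)
    status = "current" if running_rev >= rev else "outdated"
    return (status, rev, date)

if __name__ == "__main__":
    # Comment 8: dmesg shows sig=0x406e3, pf=0x80, revision=0xc2.
    print(check(0x406E3, 0x80, 0xC2))
    # Comment 10: family 6, model 44, stepping 2; pf 0x01 is an assumed value.
    print(check(cpuid_signature(6, 44, 2), 0x01, 0x1A))
```

On a real system, `sig`, `pf` and the running revision come from the kernel's `microcode: sig=..., pf=..., revision=...` line, and the listing from `iucode_tool -l /lib/firmware/intel-ucode/*`.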
Comment 12 Thomas Deutschmann gentoo-dev Security 2018-08-08 19:11:15 UTC
GLSA Vote: No!

There's no point in issuing a GLSA here as it heavily depends on the processor you are using. I.e. there are still a lot of processors which haven't received a microcode update yet and we are already talking about Spectre NG :>

All done, closing.