Intel-microcode update ?

ronsmeyer
Level 1
Posts: 42
Joined: Thu Aug 13, 2015 5:28 pm

Intel-microcode update ?

Post by ronsmeyer »

So if I install this Intel-microcode update that is in update manager today, is my computer going to start running like a turtle?
NoahsArk
Level 1
Posts: 42
Joined: Tue Mar 07, 2017 7:11 pm
Location: North West England

Re: Intel-microcode update ?

Post by NoahsArk »

I installed it a couple of hours ago using the Update Manager and it seems fine or rather I can't tell any difference.

Running i7-4700

At first it didn't want to install so I rebooted and tried it again and it worked.

Information Here.

https://downloadcenter.intel.com/downlo ... roduct=873

:D
Linux - Il est interdit d' interdire
Pepi
Level 6
Posts: 1024
Joined: Wed Nov 18, 2009 7:47 pm

Re: Intel-microcode update ?

Post by Pepi »

I've seen no difference on my two computers
michael louwe
Level 10
Posts: 3295
Joined: Sun Sep 11, 2016 11:18 pm

Re: Intel-microcode update ?

Post by michael louwe »

@ ronsmeyer, .......
ronsmeyer wrote:So if I install this Intel-microcode update that is in update manager today, is my computer going to start running like a turtle?
.
To fully mitigate against Spectre 2 (CVE-2017-5715), both the OS and CPU have to be patched. AFAIK, Ubuntu and Ubuntu-based distros have not been patched. Windows has been patched. Red Hat Ent and Suse Ent have been patched. Please run the Linux Vulnerability Detection tool.

Performance hit depends on the workload. Heavy multi-tasking will be significantly affected.

Bear in mind that the Intel microcode update only applies to 3rd-gen Haswell processors (= 2012) or newer.
catweazel
Level 19
Posts: 9884
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: Intel-microcode update ?

Post by catweazel »

michael louwe wrote:Please run the Linux Vulnerability Detection tool.
The what?
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
Faust
Level 5
Posts: 500
Joined: Thu Jul 14, 2016 3:40 am

Re: Intel-microcode update ?

Post by Faust »

catweazel wrote:
michael louwe wrote:Please run the Linux Vulnerability Detection tool.
The what?
It does actually exist.
But it was so interesting that I couldn't even be bothered to bookmark it ..... :)
.... it's somewhere on Intel's site, IIRC.

These types of tool seem to be becoming more popular with the tools who work at Intel.
There was one a few months back to detect if IME (or Minix, or whatever was running on a system)
" And so it goes " - Kurt Vonnegut
The modern reality and the satirical parody are rapidly converging .
michael louwe
Level 10
Posts: 3295
Joined: Sun Sep 11, 2016 11:18 pm

Re: Intel-microcode update ?

Post by michael louwe »

@ Faust, .......
Faust wrote:...
.
No, I was referring to the Linux Meltdown & Spectre Vulnerability Detection tool which is also available at ... https://www.ghacks.net/2018/01/11/check ... erability/ (original source is from github).
Pepi
Level 6
Posts: 1024
Joined: Wed Nov 18, 2009 7:47 pm

Re: Intel-microcode update ?

Post by Pepi »

michael louwe
Level 10
Posts: 3295
Joined: Sun Sep 11, 2016 11:18 pm

Re: Intel-microcode update ?

Post by michael louwe »

Just to clarify;

the Intel ME or AMT or vPro Vulnerability Detection tool from intel.com is different from the Linux Meltdown & Spectre Vulnerability Detection tool from github. There is also a Windows Meltdown & Spectre Vulnerability Detection tool.
Sir Charles
Level 7
Posts: 1895
Joined: Thu Jan 04, 2018 1:00 pm

Re: Intel-microcode update ?

Post by Sir Charles »

michael louwe wrote:Just to clarify;

the Intel ME or AMT or vPro Vulnerability Detection tool from intel.com is different from the Linux Meltdown & Spectre Vulnerability Detection tool from github. There is also a Windows Meltdown & Spectre Vulnerability Detection tool.
I did update the microcode from the Update Manager. Would you advise on running the tool from github?
I suppose that's one of the ironies of life, doing the wrong thing at the right moment -C.C.
michael louwe
Level 10
Posts: 3295
Joined: Sun Sep 11, 2016 11:18 pm

Re: Intel-microcode update ?

Post by michael louwe »

@ Marziano, .......
Marziano wrote:...
.
I ran it from the ghacks.net link by just entering the commands in Terminal.
Sir Charles
Level 7
Posts: 1895
Joined: Thu Jan 04, 2018 1:00 pm

Re: Intel-microcode update ?

Post by Sir Charles »

Thanks michael louwe!
I suppose that's one of the ironies of life, doing the wrong thing at the right moment -C.C.
grizzler
Level 5
Posts: 652
Joined: Wed Jun 15, 2011 5:19 pm
Location: The Hague, NL

Re: Intel-microcode update ?

Post by grizzler »

michael louwe wrote:Bear in mind that the Intel microcode update only applies to 3rd-gen Haswell processors(= 2012) or newer.
Just for the record, Haswell is fourth generation and from 2013. As far as I'm aware, there are no microcode updates yet for third generation (Ivy Bridge) or older.
curtvaughan
Level 3
Posts: 163
Joined: Sun Dec 21, 2014 5:54 pm
Location: Austin, Tx

Re: Intel-microcode update ?

Post by curtvaughan »

michael louwe wrote:Just to clarify;

the Intel ME or AMT or vPro Vulnerability Detection tool from intel.com is different from the Linux Meltdown & Spectre Vulnerability Detection tool from github. There is also a Windows Meltdown & Spectre Vulnerability Detection tool.
Indeed they are different. I first ran the tool from github, which reported my system as vulnerable. I then ran the Intel Vulnerability Detection tool, and it pronounced the system as okay. Here's the session (running LMDE 2):

Code:

curt@lmde2-linux /tmp $ cd /tmp/
curt@lmde2-linux /tmp $ ls
mintUpdate  pulse-PKdhtXMmr18n  spectre-meltdown-checker.sh  ssh-MY58Jdbzn7O9
curt@lmde2-linux /tmp $ sudo sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29

Checking for vulnerabilities against running kernel Linux 3.16.0-5-amd64 #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) x86_64
CPU is Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
curt@lmde2-linux /tmp $ cd
curt@lmde2-linux ~ $ pwd
/home/curt
curt@lmde2-linux ~ $ cd Programming
curt@lmde2-linux ~/Programming $ ls
C  intel-diagnostic  keepassx-2.0.3
curt@lmde2-linux ~/Programming $ cd intel-diagnostic/
curt@lmde2-linux ~/Programming/intel-diagnostic $ ls
common     intel_sa00086.py      SA-00086-lmde2-linux-2018-01-13-17-25-27.log
documents  mei                   SA-00086-lmde2-linux-2018-01-13-17-25-28.xml
fmt        SA00086_Linux.tar.gz
curt@lmde2-linux ~/Programming/intel-diagnostic $ sudo ./intel_sa00086.py 
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.152
Scan date: 2018-01-13 17:29:37 GMT

*** Host Computer Information ***
Name: lmde2-linux
Manufacturer: Dell Inc.
Model: Inspiron 5547
Processor Name: Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz
OS Version: LinuxMint 2 betsy (3.16.0-5-amd64)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 9.5.30.1808
SVN: 0

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
  Intel Security Advisory Intel-SA-00086 at the following link:
  https://www.intel.com/sa-00086-support

curt@lmde2-linux ~/Programming/intel-diagnostic $

Dell has not yet supplied a BIOS patch for this laptop. Here is the kernel info:

Code:

curt@lmde2-linux ~ $ inxi -S
System:    Host: lmde2-linux Kernel: 3.16.0-5-amd64 x86_64 (64 bit) 
           Desktop: MATE 1.18.0  Distro: LinuxMint 2 betsy 
curt@lmde2-linux ~ $ 

I have a Dell XPS13 for which Dell HAS supplied a BIOS update for this issue, and I've also applied kernel patches for its three systems: Ubuntu 16.04, Linux Mint 18.3 Cinnamon, and Antergos (Arch based). I plan to run both of these diagnostics on that laptop to compare results. This is rather a mess!
Move from rim to hub: know the wheel.

curtvaughan
Level 3
Posts: 163
Joined: Sun Dec 21, 2014 5:54 pm
Location: Austin, Tx

Re: Intel-microcode update ?

Post by curtvaughan »

Finally, test results from the Dell XPS13 laptop - the excerpts are illuminating. First, the Intel vulnerability test:

Code:

curt@curt-linux-mint ~ $ inxi -S
System:    Host: curt-linux-mint Kernel: 4.10.0-42-generic x86_64 (64 bit)
           Desktop: Cinnamon 3.6.7  Distro: Linux Mint 18.3 Sylvia
curt@curt-linux-mint ~ $ inxi -C
CPU:       Dual core Intel Core i7-7500U (-HT-MCP-) cache: 4096 KB 
           clock speeds: max: 3500 MHz 1: 799 MHz 2: 895 MHz 3: 799 MHz
           4: 815 MHz
curt@curt-linux-mint ~ $ cd Downloads
curt@curt-linux-mint ~/Downloads $ ls
Anaconda2-5.0.1-Linux-x86_64 (1).sh  intel-flaw-diag
curt@curt-linux-mint ~/Downloads $ cd intel-flaw-diag/
curt@curt-linux-mint ~/Downloads/intel-flaw-diag $ ls
common
documents
fmt
intel_sa00086.py
mei
SA-00086-curt-linux-mint-2018-01-13-16-50-02.log
SA-00086-curt-linux-mint-2018-01-13-16-50-02.xml
SA-00086-curt-XPS-13-9360-2018-01-13-16-36-52.log
SA-00086-curt-XPS-13-9360-2018-01-13-16-36-52.xml
SA-00086-curt-XPS-13-9360-2018-01-13-16-38-06.log
SA-00086-curt-XPS-13-9360-2018-01-13-16-38-06.xml
curt@curt-linux-mint ~/Downloads/intel-flaw-diag $ sudo ./intel_sa00086.py 
[sudo] password for curt: 
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved

Application Version: 1.0.0.152
Scan date: 2018-01-13 18:56:56 GMT

*** Host Computer Information ***
Name: curt-linux-mint
Manufacturer: Dell Inc.
Model: XPS 13 9360
Processor Name: Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz
OS Version: LinuxMint 18.3 sylvia (4.10.0-42-generic)

*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 11.8.50.3426
SVN: 3

*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable. It has already been patched.

For more information refer to the INTEL-SA-00086 Detection Tool Guide or the
  Intel Security Advisory Intel-SA-00086 at the following link:
  https://www.intel.com/sa-00086-support

curt@curt-linux-mint ~/Downloads/intel-flaw-diag $

Second, the github test:

Code:

curt@curt-linux-mint ~ $ cd /tmp
curt@curt-linux-mint /tmp $ wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
--2018-01-13 13:02:50--  https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.48.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.48.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32196 (31K) [text/plain]
Saving to: ‘spectre-meltdown-checker.sh’

spectre-meltdown-ch 100%[===================>]  31.44K  --.-KB/s    in 0.05s   

2018-01-13 13:02:50 (671 KB/s) - ‘spectre-meltdown-checker.sh’ saved [32196/32196]

curt@curt-linux-mint /tmp $ ls
config-err-2e2H46
mintUpdate
spectre-meltdown-checker.sh
ssh-Y25LPboWnzx3
systemd-private-9b52828e928e4e7795c2eecece23119b-colord.service-zTNVWR
systemd-private-9b52828e928e4e7795c2eecece23119b-rtkit-daemon.service-spdtdx
curt@curt-linux-mint /tmp $ sudo sh spectre-meltdown-checker.sh 
[sudo] password for curt: 
Spectre and Meltdown mitigation detection tool v0.29

Checking for vulnerabilities against running kernel Linux 4.10.0-42-generic #46~16.04.1-Ubuntu SMP Mon Dec 4 15:57:59 UTC 2017 x86_64
CPU is Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 31 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
curt@curt-linux-mint /tmp $

This machine, to which I applied the latest Dell BIOS patch two days ago, is said to be vulnerable on all three tests with the github script. Still not out of the woods with this stuff.
Move from rim to hub: know the wheel.

Dave B
Level 4
Posts: 391
Joined: Thu Jan 08, 2015 10:49 pm
Location: UK

Re: Intel-microcode update ?

Post by Dave B »

grizzler wrote:...As far as I'm aware, there are no microcode updates yet for third generation (Ivy Bridge) or older.
Yesterday, installed microcode on both Sandy Bridge and Ivy Bridge PCs. :)
michael louwe
Level 10
Posts: 3295
Joined: Sun Sep 11, 2016 11:18 pm

Re: Intel-microcode update ?

Post by michael louwe »

@ curtvaughan, .......
curtvaughan wrote:kernel 4.10.0-42...
.
The output for the Linux tool is correct.

Your Dell XPS 13's kernel 4.10.42 does not have the Meltdown/kpti patch (Variant 3; CVE-2017-5754). Kernel 4.13.26 has that patch.

The mitigation for the Spectre 2 vulnerability (Variant 2; CVE-2017-5715) requires both the kernel AND microcode/BIOS-firmware patches. There is as yet no kernel patch for Spectre 2 from Ubuntu, i.e. the ibrs and ibpb features. Windows has.
... Your Intel 7th-gen Kaby Lake processor has been patched for Spectre 2 through the BIOS firmware update. Your computer will also need the kernel to be patched, in order to be not vulnerable to Spectre 2.

The mitigation for Spectre 1 (CVE-2017-5753) requires both kernel AND app/program (e.g. browsers) patches. There is as yet no kernel patch for Spectre 1 from Ubuntu, i.e. the binary compiler feature. Windows has. Most browsers have been patched. There is an online Browser Spectre Vulnerability Detection tool from Tencent.
.
.
P.S. - For Windows, patching the CPU usually requires BIOS firmware updates. Intel/AMD send the updates to the OEMs like Apple, Dell and Lenovo, who in turn supply BIOS firmware updates for Windows (at the OEM website) and macOS.
... For Linux, Intel/AMD supply microcode updates at their website. From there, Linux distros then send the update to their users. Microcode updates are OS or software updates, i.e. not BIOS firmware updates. If the computer has received the latest BIOS firmware update through Windows, it does not need the Linux microcode update, e.g. for a dual-boot system. ... https://wiki.debian.org/Microcode
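
Added example, not part of any post in this thread and not code from the checker project: a POSIX shell/awk filter that reduces the spectre-meltdown-checker v0.29 output pasted above to one line per CVE and names which piece (microcode, kernel, PTI) the tool reports as absent. The function names and the `missing=` labels are made up for illustration, and the sample input is abridged from the XPS 13 session posted earlier.

```shell
# Added example: one-line-per-CVE summary of spectre-meltdown-checker v0.29
# output. Assumes plain text without colour escapes, as pasted in the thread.
# summarize_checker, sample_xps13 and the missing= labels are illustrative.

summarize_checker() {
    awk '
    /^CVE-/ { cve = $1; mc = ibrs = pti = "-"; next }
    /Hardware \(CPU microcode\) support/ { mc   = $NF }
    /Kernel support for IBRS/            { ibrs = $NF }
    /PTI enabled and active/             { pti  = $NF }
    /^> STATUS:/ {
        s = $0
        sub(/^> STATUS: */, "", s)   # drop the prefix
        sub(/ *\(.*$/, "", s)        # drop the parenthesised reason
        gsub(/ /, "_", s)            # NOT VULNERABLE -> NOT_VULNERABLE
        gap = "-"
        if (s == "VULNERABLE") {
            if (mc != "-") {
                # Variant 2, IBRS route: needs microcode AND kernel support
                if (mc != "YES" && ibrs != "YES") gap = "microcode+kernel"
                else if (mc != "YES")             gap = "microcode"
                else if (ibrs != "YES")           gap = "kernel"
                else                              gap = "ibrs-not-enabled"
            } else if (pti != "-") gap = "kernel-pti"
            else gap = "kernel"      # v0.29 LFENCE heuristic for Variant 1
        }
        print cve, s, "missing=" gap
    }'
}

# Abridged from the XPS 13 session posted in the thread.
sample_xps13() {
    cat <<'EOF'
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 31 opcodes found, should be >= 70)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
*   Hardware (CPU microcode) support for mitigation:  YES
*   Kernel support for IBRS:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* PTI enabled and active:  NO
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)
EOF
}

sample_xps13 | summarize_checker
```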