Installing microcode to protect against Spectre/Meltdown

Post by panorain » Sat Jan 20, 2018 12:54 am

Hi all, I have a desktop computer that is running Linux Mint Qiana 17 64 bit with the Mate desktop installed.

My CPU is listed here with the output of the command

inxi -C
<---the C is supposed to be CAPS but it doesn't show up that way.

CPU: Dual core Intel Core2 Duo E6550 (-MCP-) cache: 4096 KB
clock speeds: max: 2333 MHz 1: 2333 MHz 2: 2333 MHz

I have gone to this website ---> https://downloadcenter.intel.com/downlo ... duct=30783
I have verified that the Microcode download is valid for my CPU.
I have located and downloaded the file labelled -----> microcode-20180108.tgz
I have created a directory within /etc called /etc/firmware
I have unzipped the microcode-20180108.tgz file and copied it into the /etc/firmware directory.
Please see pastebin attached via this link -----> https://pastebin.com/XYpdQPTr

I believe I have done all the above correctly so that the updated microcode will activate upon a reboot. The issue I have is how do I know it has worked? I previously when installing this operating system was able to update my BIOS within the BIOS itself I believe but it has been some time so I forget the exact steps I previously used. Your help would be appreciated.

Thanks for your time.
Linux Mint 17 Qiana
Linux Mint 18 Serena
Ubuntu 10.04
Always =updatedb=
GNU LINUX

Post by michael louwe » Sat Jan 20, 2018 2:20 am

@ panorain, .......
panorain wrote:...
.
Please refer to ... viewtopic.php?f=58&t=260764&start=320

The Intel microcode 20180108 update does not apply to your Core2Duo processor which is more than 5 years old. You should wait for Intel to release new microcode updates.
... Similarly, LM users are still waiting for Canonical-Ubuntu to release kernel updates for the Spectre 1 & 2 vulnerabilities, and LM 32bit users are also waiting for the kernel update to patch the Meltdown vulnerability.

Post by panorain » Sat Jan 20, 2018 3:10 am

How can the updates not apply to my CPU because my CPU is listed on the Intel website as being available for microcode update?

I do not understand that.

https://downloadcenter.intel.com/downlo ... duct=30783

dmesg | grep microcode
[ 1.407247] microcode: CPU0 sig=0x6fb, pf=0x1, revision=0xba
[ 1.407256] microcode: CPU1 sig=0x6fb, pf=0x1, revision=0xba
[ 1.407299] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba

Here is the output of the tool provided at the Github website via this link --> https://www.ghacks.net/2018/01/11/check ... erability/

paul@Paul-Lenovo-m57p ~/Desktop/spectre-meltdown-checker-master $ sudo sh spectre-meltdown-checker.sh
[sudo] password for paul:
Spectre and Meltdown mitigation detection tool v0.31

Checking for vulnerabilities against running kernel Linux 4.4.0-98-generic #121~14.04.1-Ubuntu SMP Wed Oct 11 11:54:55 UTC 2017 x86_64
CPU is Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 32 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: NO
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
paul@Paul-Lenovo-m57p ~/Desktop/spectre-meltdown-checker-master $

Please note that an Intel microcode update appears in Synaptic on my pc listed as --> intel-microcode <-- also another file as --> iucode-tool <--. Should I not install either of them?





Thanks for your help.
Last edited by panorain on Sat Jan 20, 2018 5:55 pm, edited 1 time in total.

Post by michael louwe » Sat Jan 20, 2018 5:17 am

@ panorain, .......
panorain wrote:...
.
The Terminal output means your CPU's microcode has not been updated, ie it is still using the microcode stored in BIOS firmware at date-of-purchase. If the Intel microcode has been updated for the Spectre 2 vulnerability, the Terminal output will display a date later than 31 Oct 2017.

Since the Intel microcode 20180108 update does not apply to your processor, you should not install it from Synaptic Package Manager. To check whether it applies or not, click on the Intel microcode 20180108 and click Changelogs at Synaptic. The Changelogs will list the applicable processors that can be updated, which are not more than 5 years old, ie 3rd-gen Ivy Town(= Xeon) and 4th-gen Haswell or newer(= Core i3, i5 and i7 only). 3rd-gen Ivy Bridge, 2nd-gen Sandy Bridge or older are not covered by the microcode update.

Intel microcode updates are listed for nearly all Intel processors but they usually only apply to a subset of processors, especially the newer ones. It is the users' responsibility to check whether the microcode update applies to their processor.

For more information, please read my above link from page 11 to 17.

Post by Pjotr » Sat Jan 20, 2018 5:37 am

If your CPU isn't older than 10 years, it's still worthwhile to install the microcode package. Because Intel has promised to roll out microcode which is patched against Meltdown, for most CPU's up to 10 years old. In the coming months.

Which means: even if the microcode for your CPU isn't in the current Meltdown patches, for example because it's older than five years (but not older than 10 years), you should still install the microcode package. Because then you'll be notified automatically when updated microcode packages arrive, which might contain the redeeming patch for your CPU.
Tip: 10 things to do after installing Linux Mint 19 Tara
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Post by michael louwe » Sat Jan 20, 2018 6:11 am

@ Pjotr, .......
Pjotr wrote:If your CPU isn't older than 10 years, it's still worthwhile to install the microcode package. Because Intel has promised to roll out microcode which is patched against Meltdown, for most CPU's up to 10 years old. In the coming months.
That's not true. The Intel microcode 20180108 update only patches for the Spectre 2(CVE-2017-5715) vulnerability, ie the IBRS and IBPB features which have to work in conjunction with OS kernel updates.
... Meltdown is solely patched by the OS kernel updates, ie the KPTI feature.

Post by Sir Charles » Sat Jan 20, 2018 6:15 am

Checking for vulnerabilities against running kernel Linux 4.4.0-98-generic
I don't think the kernel you are currently running is patched for Meltdown.
You should be running 4.4.0-109 to have the patch.
I suppose that's one of the ironies of life, doing the wrong thing at the right moment -C.C.

Post by Pjotr » Sat Jan 20, 2018 6:25 am

michael louwe wrote:@ Pjotr, .......
Pjotr wrote:If your CPU isn't older than 10 years, it's still worthwhile to install the microcode package. Because Intel has promised to roll out microcode which is patched against Meltdown, for most CPU's up to 10 years old. In the coming months.
That's not true. The Intel microcode 20180108 update only patches for the Spectre 2(CVE-2017-5715) vulnerability, ie the IBRS and IBPB features which have to work in conjunction with OS kernel updates.
... Meltdown is solely patched by the OS kernel updates, ie the KPTI feature.
Correct; I wrote Meltdown as a loose denominator for the entire current hardcoded security mess. So for Meltdown in my previous message, read "Spectre / Meltdown / Spectre + Meltdown". :wink:

My point is valid: everyone with an Intel CPU that's less than 10 years old, should install the intel-microcode package. Even if it currently doesn't contain a "Spectre / Meltdown / Spectre + Meltdown" fix for his CPU.
Last edited by Pjotr on Sat Jan 20, 2018 7:57 am, edited 1 time in total.

Post by thx-1138 » Sat Jan 20, 2018 6:58 am

michael louwe wrote:...the Terminal output will display a date later than 31 Oct 2017
Michael, have a look here...
Ie. it appears to me that the earliest date for 'secured' microcodes most likely is 2017-11-16. Previously, I had instead assumed that it should display as a date a minimum of 2017-06-01 (since that was the date of the private disclosure - although obviously it's not that they would run to fix those the very same day)...

Post by michael louwe » Sat Jan 20, 2018 8:09 am

@ Pjotr, .......
Pjotr wrote:My point is valid: everyone with an Intel CPU that's less than 10 years old, should install the intel-microcode package. Even if it currently doesn't contain a "Spectre / Meltdown / Spectre + Meltdown" fix for his CPU.
.
I don't think so. I think Linux users who have Intel processors that are more than 5 years old should wait for Intel to release the applicable microcode update, ie there is no need for them to install the non-applicable microcode 20180108 update. Also, microcode updates can bork computers = Linux users should be wary of microcode and kernel updates, even if the updates are applicable, ie wait a while until the dust has settled.

Should panorain also install all previously released Intel microcode updates listed for his/her Core2Duo processor, ie microcode 20090330 to 20171117 which are available for install at ...
....https://downloadcenter.intel.com/downlo ... roduct=873 .?

Post by michael louwe » Sat Jan 20, 2018 8:14 am

@ thx-1138, .......
thx-1138 wrote:...
.
Yes, I got the rough cut-off point for the Intel microcode 20180108 update from reports of those who have applicable processors and applied the update.

Post by Flemur » Sat Jan 20, 2018 1:02 pm

My CPU was also listed:
1 - Their instructions didn't work.**
2 - If I hacked them into working - I think I did*** - nothing happened, and the dmesg 'microcode' output was unchanged.

**
Write microcode.dat to the file, e.g.
[sudo] dd if=microcode.dat of=/dev/cpu/microcode bs=1M
Weird errors from trying to do that (invalid parameter), and although it existed, it was "not a file" at one point...?

*** After "mv microcode microcode.save" of the "not a file", the rest of the instructions...well, they didn't seem to do anything, but also didn't give any error messages.

Edit:

$ pwd
/dev/cpu
$ ls -l microcode
crw------- 1 root root 10, 184 Jan 20 07:46 microcode
$ sudo cat microcode
cat: microcode: Invalid argument
$ sudo vi microcode
...."microcode" is not a file
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
Mint 18.3 Xfce/fluxbox/pulse-less
Xubuntu 17.10/fluxbox/pulse-less

Post by panorain » Sat Jan 20, 2018 5:44 pm

I really appreciate all your help and responses.

The changelog is somewhat confusing to me on the intel-microcode package I have located and installed in Synaptic Package Manager.

I will uninstall the intel-microcode package on Computer 1 as suggested by michael louwe .

Computer 1:
paul@Paul-Lenovo-m57p ~ $ inxi -S
System: Host: Paul-Lenovo-m57p Kernel: 4.4.0-98-generic x86_64 (64 bit)
Desktop: MATE 1.8.1 Distro: Linux Mint 17 Qiana

paul@Paul-Lenovo-m57p ~ $ inxi -C
CPU: Dual core Intel Core2 Duo E6550 (-MCP-) cache: 4096 KB
clock speeds: max: 2333 MHz 1: 2000 MHz 2: 2000 MHz

paul@Paul-Lenovo-m57p ~ $ dmesg | grep microcode
[ 1.411262] microcode: CPU0 sig=0x6fb, pf=0x1, revision=0xba
[ 1.411272] microcode: CPU1 sig=0x6fb, pf=0x1, revision=0xba
[ 1.411310] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba

Computer 2:
paul@paul-Compaq-nc6400 ~ $ inxi -S
System: Host: paul-Compaq-nc6400 Kernel: 4.4.0-109-generic i686 (32 bit)
Desktop: MATE 1.16.2 Distro: Linux Mint 18.1 Serena

paul@paul-Compaq-nc6400 ~ $ inxi -C
CPU: Dual core Intel T2400 (-MCP-) cache: 2048 KB
clock speeds: max: 1833 MHz 1: 1833 MHz 2: 1833 MHz

paul@paul-Compaq-nc6400 ~ $ dmesg | grep microcode
[ 2.945260] microcode: CPU0 sig=0x6e8, pf=0x20, revision=0x39
[ 2.945270] microcode: CPU1 sig=0x6e8, pf=0x20, revision=0x39
[ 2.945353] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba



Does this all mean that my computers with the old CPUs such as I have will never be patched with microcode from Intel for Spectre 1 and 2? I believe both computers' CPUs are older than 10 years. Since I am now understanding that the Meltdown situation is patched via a kernel update to --> 4.4.0-109-generic <--- which I was able to easily update with update manager on Computer 2 since it's operating Mint 18.1 Serena.

Spectre Vulnerability Check ----> located here http://xlab.tencent.com/special/spectre ... check.html reports negative on both computers.

The Spectre/Meltdown checker found here ----> https://github.com/speed47/spectre-meltdown-checker
reports slightly better on Computer 2 due to the kernel upgrade to 4.4.0-109-generic I think. Stating CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: YES
> STATUS: NOT VULNERABLE (744 opcodes found, which is >= 70, heuristic to be improved when official patches become available)

Otherwise all other output/element of the scan are listed as vulnerable.

1. Question please What are your suggestions I do with Computer 1 which is operating Mint 17 Qiana? I would prefer to not just be told I need to update the operating system and that's my only option if at all possible. That would not help with the microcode issue either.

2. Question please How would I more easily be able to tell what age or whatnot my CPU is; would that be available by entering into BIOS and getting the date there?

3. Question please I believe the intel-microcode package displayed in Synaptic Package Manager on Computer 2 was installed by default should I leave it installed then on Computer 2 ? Whereas I uninstall the intel-microcode package I installed on Computer 1.

Thank you all for your time and help.

Post by thx-1138 » Sat Jan 20, 2018 9:22 pm

panorain wrote:1. Question please What are your suggestions I do with Computer 1 which is operating Mint 17 Qiana? I would prefer to not just be told I need to update the operating system and that's my only option if at all possible. That would not help with the microcode issue either.

2. Question please How would I more easily be able to tell what age or whatnot my CPU is; would that be available by entering into BIOS and getting the date there?

3. Question please I believe the intel-microcode package displayed in Synaptic Package Manager on Computer 2 was installed by default should I leave it installed then on Computer 2 ? Whereas I uninstall the intel-microcode package I installed on Computer 1.

Thank you all for your time and help.
Does this all mean that my computers with the old CPUs such as I have will never be patched with microcode from Intel for Spectre 1 and 2? I believe both computers' CPUs are older than 10 years.
...Paul, the microcode loaded in your Lenovo is from 2010-10-03, and in your Compaq from 2005-11-15.
Theoretically, ie. according to Intel's statements so far, they will gradually patch more older processors as time passes by - however, there is no guarantee whatsoever that they will ever release updates for any of those two. The Lenovo one, being 'only' 7-8 years old, probably has more chances than the Compaq to receive such - probably...now what they will decide to 'fix' eventually...your guess would be as good as anyone else's. Meaning that yes, more than likely, quite a few of older systems will remain unpatched from Intel - and their main mitigation would be an updated kernel.

You can see the BIOS date via inxi that you already used above, eg. inxi -Fxz or inxi -M...dmidecode could be used as well. Seeing that the Lenovo one is currently on 4.4.0-98, I'd recommend updating to a patched kernel (eg. 4.4.0-109 & later).

Post by panorain » Sat Jan 20, 2018 11:50 pm

@thx-1138 Thank you very much for your response and noting to me the 4.4.0-109-generic can be easily found within Update Manager [which I missed]. Please respond if you have time sometime. :o

I have to say again I appreciate all the persons on these forums a lot for the time they have given me helping noobers like me.

I was able to enter the following command on my Lenovo:

inxi -M


paul@Paul-Lenovo-m57p ~ $ inxi -M
Machine: System: LENOVO product: 9088A83 v: ThinkCentre M57p
Mobo: LENOVO model: LENOVO Bios: LENOVO v: 2RKT64BUS date: 01/08/2014

Please notice the date issued above as being: 01/08/2014 and not 2010-10-03. Would that make some sense when I recall correctly that I have updated the BIOS on the Lenovo computer prior or during the beginning of installation of Linux Mint 17 Qiana some time ago and if I recall correctly via floppy diskette heh. Will that give the Lenovo PC more 'time' until classified as being 10 years old by Intel? [granted the date format varies from your response]. Or are the dates of manufacture hard coded or whatnot into the CPU during production and BIOS has nothing to do with the [claimed 10 year old issue]?

@thx-1138 Thank you for pointing me to the --> viewtopic.php?f=90&t=261343 <-- I missed the option of ability 4.4.0-109-generic

Now onto the Compaq:

inxi -M
Machine: System: Hewlett-Packard product: HP Compaq nc6400 (RC454AW#ABA) v: F.0B
Mobo: Hewlett-Packard model: 30AD v: KBC Version 56.34
Bios: Hewlett-Packard v: 68YCU Ver. F.0B date: 09/05/2007

<------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------->
So instead of making note/listing date differences once again as I have done at the above portion of the post.....

1. If it was only so easy as verifying CPU and downloading microcode Version: 20180108 then creating an /etc/firmware folder such as suggested here ----> https://downloadcenter.intel.com/downlo ... duct=30783

2. Then unzipping then copying folder to uh /etc/firmware and ugh rebooting ugh yeah. Ugh yeeeah.

Thank you again for everyone's help and time.

Post by thx-1138 » Sun Jan 21, 2018 1:03 am

Paul:
1) ...Core Duo CPU E6550 appears it was released back in late 2007 (had to look that up online): that's the main reference point / date. In regards to the BIOS version reported on your Lenovo: I'm actually somewhat surprised that Lenovo provided an update for it in 2014 considering it's a much older system... Still, the kernel doesn't 'lie': if it says it loaded microcode from October 2010, then that's what the newest available microcode contained in the BIOS update is.

2) ...you don't have to go through the hassle of manually extracting / copy / pasting etc. from Intel's site: you can alternatively either use Synaptic / Update Manager / Driver Manager (by far the recommended way), or alternatively, you could grab directly the '20180108' .deb file meant for your operating system from Launchpad (Trusty for 17.x, Xenial for 18.x). Note however that as Michael said it does NOT contain fixes for Core Duo yet - ie. you won't see a direct difference after installing it.

3) ...in regards to whether you should install it or not, maybe have a look at this thread here (& maybe also here). Then you can weigh the pros & cons, and decide what to do & when (because no matter how objective I might try being, there's no way I can avoid having my own bias: as those bugs require a multi-layered approach, there's no 'one size fits them all' that is guaranteed to work problem-free in each & every case).

To cut a long story short: if there's one thing that should absolutely never ever be neglected, is having the kernel (& the browsers that you use) properly updated & in a timely manner...

Post by panorain » Sun Jan 21, 2018 3:26 am

@thx-1138 --> thank you once again .

Question 1 . How can I 'see / tell' the --> kernel loaded microcode is from 10 / 2010' on the Lenovo ? Please excuse my misunderstanding . Please respond . That is my underlying issue is with the 'microcode version' that is / has been installed .

Question 2 . Why when I enter the following command on the Compaq --> sudo dmesg | grep isolation <-- nothing is reported via bash terminal ? We / I can already see that the kernel has been updated to 4.4.0-109-generic


thx-1138 wrote: To cut a long story short: if there's one thing that should absolutely never ever be neglected, is having the kernel (& the browsers that you use) properly updated & in a timely manner...
Would there be a possibility of being able to open a post on why this Intel microcode has not been addressed and is now such an issue regardless of if I am just aware of this?

Off topic: Why would a company such as Cyrix not be able to compete with this issue of [Intel Microcode] if the company still was?

Off topic: The only way I think / concern these exploits can activate is if a network / user(')s 'installs' software to provide buffer-stack overflow affecting CPU to cause some random reboot or diminish su / sudo / root permissions.

Off topic: How serious is this really for an average person with a few grand a month moving out of a home office I mean persons have dealt with a breach with big card companies late this past year. I mean is this going to be an ongoing thing?

Thank you once again for your time and help I do appreciate it.

Post by smurphos » Sun Jan 21, 2018 3:48 am

michael louwe wrote:@ Pjotr, .......
Pjotr wrote:My point is valid: everyone with an Intel CPU that's less than 10 years old, should install the intel-microcode package. Even if it currently doesn't contain a "Spectre / Meltdown / Spectre + Meltdown" fix for his CPU.
.
I don't think so. I think Linux users who have Intel processors that are more than 5 years old should wait for Intel to release the applicable microcode update, ie there is no need for them to install the non-applicable microcode 20180108 update. Also, microcode updates can bork computers = Linux users should be wary of microcode and kernel updates, even if the updates are applicable, ie wait a while until the dust has settled.

Should panorain also install all previously released Intel microcode updates listed for his/her Core2Duo processor, ie microcode 20090330 to 20171117 which are available for install at ...
....https://downloadcenter.intel.com/downlo ... roduct=873 .?
Michael - the Microcode packages from the repos are cumulative - i.e. 3.20180108 contains all current Microcodes not just the new and updated ones highlighted in the changelog.

So a user with an older machine will get the most up to date microcode available for their processor whether they install 3.20180108 package or the predecessor 3.20170707. They may as well stay up to date...

Post by thx-1138 » Sun Jan 21, 2018 4:01 am

1)
paul@Paul-Lenovo-m57p ~ $ dmesg | grep microcode
[ 1.411262] microcode: CPU0 sig=0x6fb, pf=0x1, revision=0xba
[ 1.411272] microcode: CPU1 sig=0x6fb, pf=0x1, revision=0xba
By checking for the signature (6FB) in the convenient table here...
When microcode is manually loaded from the installed package, it returns something like:
[ 0.000000] microcode: microcode updated early to revision 0xc2, date = 2017-11-16
2)
Why when I enter the following command on the Compaq --> sudo dmesg | grep isolation <-- nothing is reported via bash terminal ? We / I can already see that the kernel has been updated to 4.4.0-109-generic
No idea - have you rebooted into it? I don't use / have any 32-bit systems around to verify such I'm afraid.
Maybe someone else can fill this gap?
Note that there are various ways to check it, but note that not all of them will be applicable to all kernel versions necessarily. Eg. on current upstream 4.15-rc8, the recommended method for x86-64 appears to be this one. But such certainly doesn't exist on Ubuntu kernel variants until now.
Last edited by thx-1138 on Sun Jan 21, 2018 4:35 am, edited 5 times in total.
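
The signature and revision check discussed in the post above, as an added example that is not part of the thread: it decodes the `sig=` value from the `dmesg | grep microcode` lines into family, model and stepping, derives the matching file name under /lib/firmware/intel-ucode/, and reports whether an "updated early" line was logged. The second sample log, including its sig=0x506e3 line, is constructed for illustration.

```shell
#!/bin/sh
# Added example: read "microcode:" lines from dmesg, decode the CPU signature,
# and report whether an update was logged. All sample logs are embedded.

# Lines posted in this thread for the Core2 Duo E6550 (no update applied).
LENOVO_LOG='[ 1.411262] microcode: CPU0 sig=0x6fb, pf=0x1, revision=0xba
[ 1.411272] microcode: CPU1 sig=0x6fb, pf=0x1, revision=0xba'

# Constructed sample: the "updated early" line quoted in the thread, paired
# with a made-up per-CPU line so the extended-model case is exercised.
UPDATED_LOG='[ 0.000000] microcode: microcode updated early to revision 0xc2, date = 2017-11-16
[ 1.102345] microcode: CPU0 sig=0x506e3, pf=0x2, revision=0xc2'

# decode_sig 0xNNN -> "family model stepping" in decimal.
# CPUID signature layout: stepping bits 0-3, model 4-7, family 8-11,
# extended model 16-19, extended family 20-27.
decode_sig() {
    sig=$(( $1 ))
    stepping=$(( sig & 15 ))
    model=$(( (sig >> 4) & 15 ))
    family=$(( (sig >> 8) & 15 ))
    # Extended model counts for family 6 and 15; extended family only for 15.
    if [ "$family" -eq 6 ] || [ "$family" -eq 15 ]; then
        model=$(( (((sig >> 16) & 15) << 4) | model ))
    fi
    if [ "$family" -eq 15 ]; then
        family=$(( family + ((sig >> 20) & 255) ))
    fi
    echo "$family $model $stepping"
}

# ucode_file 0xNNN -> family-model-stepping in two-digit hex, the naming used
# for the per-CPU files under /lib/firmware/intel-ucode/.
ucode_file() {
    set -- $(decode_sig "$1")
    printf '%02x-%02x-%02x\n' "$1" "$2" "$3"
}

# microcode_report: dmesg text on stdin -> one line per CPU plus a verdict.
microcode_report() {
    log=$(cat)
    # Last "updated early" line, reduced to "<revision> <date>".
    early=$(printf '%s\n' "$log" | sed -n \
        's/.*microcode updated early to revision \(0x[0-9a-fA-F]*\), date = \([0-9-]*\).*/\1 \2/p' \
        | tail -n 1)
    # Per-CPU lines, reduced to "<cpu> <sig> <revision>".
    printf '%s\n' "$log" | sed -n \
        's/.*microcode: \(CPU[0-9]*\) sig=\(0x[0-9a-fA-F]*\), pf=0x[0-9a-fA-F]*, revision=\(0x[0-9a-fA-F]*\).*/\1 \2 \3/p' \
    | while read -r cpu sig rev; do
        echo "$cpu sig=$sig file=$(ucode_file "$sig") revision=$rev"
    done
    if [ -n "$early" ]; then
        echo "early update: revision ${early% *} dated ${early#* }"
    else
        echo "early update: none logged"
    fi
}

# Demo on the embedded samples.
printf '%s\n' "$LENOVO_LOG" | microcode_report
printf '%s\n' "$UPDATED_LOG" | microcode_report
```

On a live system, run `dmesg | microcode_report` before and after the reboot and compare the `revision=` values; an unchanged revision with no update line means no newer microcode was loaded for that signature.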

Post by michael louwe » Sun Jan 21, 2018 4:02 am

@ panorain, .......
panorain wrote:...
.
BIOS firmware updates for CPUs apply to Windows and MacOS, while Linux may use CPU microcode software updates.
… If the BIOS firmware for your computer’s CPU has been updated through Windows, you do not need to apply the similar Linux microcode software update.

Wrt Meltdown & Spectre, the BIOS firmware and microcode software updates for CPUs are to patch for Spectre 2 only(= CVE-2017-5715), for both 32bit and 64bit systems.

Wrt the Spectre 2 vulnerability, Intel has announced that they are beginning to only patch CPUs that are not more than 5 years old, ie 3rd-gen Ivy Town(= Xeon) and 4th-gen Haswell or newer, ie with the microcode 20180108 update.
… Intel microcode updates for 3rd-gen Ivy Bridge or older will be released by Intel later.

Meltdown can be patched by OS kernel updates only, ie the KPTI feature.

Spectre 1 is patched by OS kernel updates(= binary compatibility) or apps/programs, eg browsers.

Spectre 2 is patched by OS kernel updates(= the IBRS and IBPB features) and CPU BIOS firmware or microcode software updates. The OS and CPU updates work together or in conjunction, ie both have to be installed before mitigation against Spectre 2 is effected.

On 4 Jan 2018, M$ have issued Windows kernel updates for Meltdown, Spectre 1 and Spectre 2. But M$’s Meltdown patch does not yet cover 32bit Windows, ie only covers 64bit Windows. The Windows kernel updates for Spectre 1 and Spectre 2 apply to both 32bit and 64bit systems.

As of today, Canonical-Ubuntu have only issued Meltdown kernel updates for 64bit Linux, ie not yet for 32bit systems. Ubuntu have yet to release kernel updates for Spectre 1 and Spectre 2, ie the updates are still in testing.
... Most browsers have been patched for Spectre 1 for both 32bit and 64bit systems.

For LM 17.x, microcode updates will appear only in Synaptic PM and kernel updates will appear only in >Update Manager >View >Linux kernels.
For LM 18.x, microcode updates will appear in Driver Manager and/or Update Manager(= as Level 5 updates) and kernel updates will appear in Update Manager as Level 5 updates.
