Microcode update howto
ozsouth

Joined: 01 Jan 2010
Posts: 608
Location: S.E Australia

PostPosted: Mon 10 Jun 2019, 21:39    Post subject:  Microcode update howto  

Microcode - early loading of latest microcode - vital security. (64 bit works; I don't have 32 bit bootloader to test).

There has been much talk about this vital security update with little 'howto'. I finally got it to work. I got Fatdog's .cpio update (see link below) & put in same folder as initrd.gz (in examples below, is /EFI/boot/puppy). Is for syslinux or grub boot & must edit initrd line. Use at own risk.

For SYSLINUX, have a comma (no spaces) between the 2 entries. For GRUB one space only.

Syslinux example:

initrd puppy/microcode-update-20190514a.cpio,puppy/initrd.gz


Grub example:

initrd /EFI/boot/puppy/microcode-update-20190514a.cpio /EFI/boot/puppy/initrd.gz

NOTE: if you have multiple puppies to boot, put .cpio file in a folder (i.e. micd) & reference that for all.

Get file here: http://distro.ibiblio.org/fatdog/kernels/800/microcode-update-20190514a.cpio

Last edited by ozsouth on Thu 21 Nov 2019, 02:40; edited 2 times in total
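
Added example, not part of the post and not Fatdog's code: a check that a file is usable as the first entry on the initrd line. It relies on the kernel's documented early-loading layout (an uncompressed cpio holding kernel/x86/microcode/GenuineIntel.bin or AuthenticAMD.bin), which the post does not spell out; the function name check_early_ucode is made up for this example.

```shell
#!/bin/sh
# Added example: sanity-check a microcode archive before putting it first on
# the initrd line. The early loader expects an uncompressed "newc" cpio that
# contains kernel/x86/microcode/GenuineIntel.bin (Intel) or AuthenticAMD.bin.

check_early_ucode() {  # $1 = candidate .cpio file
    f=$1
    [ -s "$f" ] || { echo "missing-or-empty"; return 1; }

    # A gzip header (1f 8b) means the archive was compressed like initrd.gz;
    # the microcode part of the combined initrd must stay uncompressed.
    magic2=$(head -c 2 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$magic2" != "1f8b" ] || { echo "compressed"; return 1; }

    # newc archives start with ASCII 070701 (070702 is the checksummed variant).
    magic6=$(head -c 6 "$f" | tr -d '\000')
    case $magic6 in
        070701|070702) ;;
        *) echo "not-newc-cpio"; return 1 ;;
    esac

    # Member names are stored as plain text in an uncompressed archive.
    if grep -aq 'kernel/x86/microcode/GenuineIntel\.bin' "$f"; then
        echo "ok intel"
    elif grep -aq 'kernel/x86/microcode/AuthenticAMD\.bin' "$f"; then
        echo "ok amd"
    else
        echo "wrong-layout"; return 1
    fi
}

# Usage: sh check.sh /EFI/boot/puppy/microcode-update-20190514a.cpio
if [ $# -gt 0 ]; then
    check_early_ucode "$1"
fi
```

A "wrong-layout" result means the file is a cpio archive but does not carry the member path the early loader searches for, for example a plain archive of the intel-ucode directory.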
peebee


Joined: 21 Sep 2008
Posts: 4099
Location: Worcestershire, UK

PostPosted: Tue 11 Jun 2019, 03:49    Post subject:  

Thanks ozsouth........

Would it work if the /lib/firmware/intel-ucode directory
from
http://ftp.uk.debian.org/debian/pool/non-free/i/intel-microcode/intel-microcode_3.20190514.1_i386.deb
was present in the fdrv? or is this too late in the boot sequence?

Cheers
peebee

_________________
LxPup = Puppy + LXDE
Main version used daily: LxPupSc; Assembler of UPups, ScPup & ScPup64, LxPup, LxPupSc & LxPupSc64
ozsouth

Joined: 01 Jan 2010
Posts: 608
Location: S.E Australia

PostPosted: Tue 11 Jun 2019, 05:04    Post subject:  

Peebee - This seems to be a late-install .deb, so I booted upupbb 18.05 & installed it, made a small save file & rebooted (twice). No effect.
Here's some info I found about late installs:

To update the intel-ucode package to the system, one needs to:
1. Ensure the existence of /sys/devices/system/cpu/microcode/reload
2. Copy intel-ucode directory to /lib/firmware, overwrite the files in /lib/firmware/intel-ucode/
3. Write the reload interface to 1 to reload the microcode files, e.g. echo 1 > /sys/devices/system/cpu/microcode/reload

Both 32bit pups I tried (slacko-6.3.0 the other) failed at step 1. We need jamesbond to help us.

EDIT: Downloaded iucode-tool .deb, installed in upupbb, made a .cpio file from your intel-ucode. Didn't work.
A hybrid x86_64 kernel in upupbb with fatdog's .cpio above works.
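
Added example, not part of the post or of the source it quotes: the three late-load steps as one script, with the step 1 check and a before/after revision comparison. ROOT is an assumption added so the script can be dry-run against a scratch directory; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: late microcode load with the checks spelled out.
# ROOT is an assumed prefix for dry runs; leave it empty on a real system.
ROOT=${ROOT:-}

ucode_rev() {  # first "microcode : 0x..." value in /proc/cpuinfo
    awk -F': *' '/^microcode/ { print $2; exit }' "$ROOT/proc/cpuinfo"
}

late_load() {  # $1 = unpacked intel-ucode directory
    src=$1
    reload="$ROOT/sys/devices/system/cpu/microcode/reload"
    fw="$ROOT/lib/firmware/intel-ucode"

    # Step 1: without this file the running kernel offers no late loading.
    [ -e "$reload" ] || { echo "no-reload-interface"; return 1; }
    [ -d "$src" ] || { echo "no-source-dir"; return 1; }

    before=$(ucode_rev)
    # Step 2: overwrite the firmware files the kernel will read.
    mkdir -p "$fw" && cp -f "$src"/* "$fw"/ || { echo "copy-failed"; return 1; }
    # Step 3: ask the kernel to re-read them (needs root on a real system).
    echo 1 > "$reload" || { echo "reload-failed"; return 1; }

    after=$(ucode_rev)
    if [ "$before" = "$after" ]; then
        echo "unchanged $after"
    else
        echo "updated $before -> $after"
    fi
}

# Real use, as root:   late_load /path/to/intel-ucode
```

"no-reload-interface" corresponds to failing at step 1, and "unchanged" to a reload that applied no newer revision.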
peebee


Joined: 21 Sep 2008
Posts: 4099
Location: Worcestershire, UK

PostPosted: Tue 11 Jun 2019, 13:01    Post subject:  

Using the altered initrd command....

On my Celeron based laptop I got indications in dmesg and using PupSysInfo that microcode had been updated and vulnerability mitigation had changed.

However on my Xeon based desktop it indicated that microcode was not found - presumably because it isn't currently in the .cpio file for these cpu's.

Celeron:
# dmesg | grep microcode
microcode: microcode updated early to revision 0x838, date = 2019-04-22

spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
changes to:
spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling

_________________
LxPup = Puppy + LXDE
Main version used daily: LxPupSc; Assembler of UPups, ScPup & ScPup64, LxPup, LxPupSc & LxPupSc64
peebee


Joined: 21 Sep 2008
Posts: 4099
Location: Worcestershire, UK

PostPosted: Wed 12 Jun 2019, 05:04    Post subject:  

This is the list of updated cpu's

https://support.microsoft.com/en-us/help/4465065/kb4465065-intel-microcode-updates

My desktop Xeon cpu is not listed...... :(

CPU(s): 2 Quad core Intel Xeon E5450s

# dmesg | grep microcode
MDS: Vulnerable: Clear CPU buffers attempted, no microcode
microcode: sig=0x1067a, pf=0x40, revision=0xa0b

_________________
LxPup = Puppy + LXDE
Main version used daily: LxPupSc; Assembler of UPups, ScPup & ScPup64, LxPup, LxPupSc & LxPupSc64
ozsouth

Joined: 01 Jan 2010
Posts: 608
Location: S.E Australia

PostPosted: Wed 12 Jun 2019, 09:18    Post subject:  

Thanks for the list Peebee. My 9yo i3-2310M & 3yo celeron n3060 make the list. Interestingly, another family member's 6yo Celeron 1000M isn't on the list, but the spec-melt check is all green. In case people think new AMDs are the answer, I got a cheap AMD e2-9000e (was $100 off for a day) - checker all green, but not much faster than my celeron n3060 & had radeon2 video & shutdown issues with 4.19 & 5.x kernels (fatdogs 4.18.12 kernel works well). Also had to compile rtl8821ce wireless driver - getting good source code reminded me of broadcom issues.
peebee


Joined: 21 Sep 2008
Posts: 4099
Location: Worcestershire, UK

PostPosted: Thu 13 Jun 2019, 04:24    Post subject:  

Interestingly..........??

the 32-bit .deb has 124 data files

whereas

the 64-bit .deb has just 74.....

This seems to be the repo for the data files which can be watched for updates:

https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/tree/master/intel-ucode

_________________
LxPup = Puppy + LXDE
Main version used daily: LxPupSc; Assembler of UPups, ScPup & ScPup64, LxPup, LxPupSc & LxPupSc64
Marv


Joined: 04 May 2005
Posts: 1216
Location: SW Wisconsin

PostPosted: Sun 16 Jun 2019, 19:14    Post subject:  

peebee wrote:
Using the altered initrd command....

On my Celeron based laptop I got indications in dmesg and using PupSysInfo that microcode had been updated and vulnerability mitigation had changed.

However on my Xeon based desktop it indicated that microcode was not found - presumably because it isn't currently in the .cpio file for these cpu's.

Celeron:
# dmesg | grep microcode
microcode: microcode updated early to revision 0x838, date = 2019-04-22

spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
changes to:
spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling

Tested early loading on my second generation i5 laptop (Sandy Bridge, i5-2520M) using the .cpio file and instructions above in the current LxPupSc and LxPupSc64, both running Kernel Release 5.1.8-lxpup64.

Grub4Dos install, the relevant menu entry line for LxPupSc64 as an example:
initrd /LxPupSc64b/microcode-update-20190514a.cpio /LxPupSc64b/initrd.gz

In both pups, dmesg shows:
# dmesg | grep microcode
microcode: microcode updated early to revision 0x2f, date = 2019-02-17

and mitigation changes from:
l1tf:Mitigation: PTE Inversion
mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
meltdown:Mitigation: PTI
spec_store_bypass:Vulnerable
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
to:
l1tf:Mitigation: PTE Inversion
mds:Mitigation: Clear CPU buffers; SMT vulnerable
meltdown:Mitigation: PTI
spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

I've had no success with late loading on the above hardware and pups. Checking dmesg there, the update occurs but must be too late. Mitigation is unchanged. Thus this is a step forward for me.

Thanks all,

_________________
Pups currently in kennel :D Older LxPupSc and X-slacko-4.4 for my users; LxPupSc, LxPupSc64 and upupee for me. All good pups indeed, and all running savefiles for look'n'feel only. Browsers, etc. solely from SFS.
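
Added example, not part of the post: a comparison of two "name:status" snapshots like the before/after lists above, reporting which entries changed and which still admit exposure. The function names and the snapshot command in the comment are assumptions of this example; the sample lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: diff two "name:status" snapshots of CPU vulnerability state.
# On a live system a snapshot can be taken with:
#   (cd /sys/devices/system/cpu/vulnerabilities && grep . *) > before.txt

mitigation_changes() {  # $1 = before snapshot, $2 = after snapshot
    awk '
        { i = index($0, ":"); name = substr($0, 1, i - 1); st = substr($0, i + 1) }
        NR == FNR       { old[name] = st; next }
        !(name in old)  { print "NEW " name ": " st; next }
        old[name] != st { print "CHANGED " name ": " old[name] " => " st }
    ' "$1" "$2"
}

# Entries that still admit exposure, including partial ones such as
# "Mitigation: ...; SMT vulnerable".
still_exposed() {  # $1 = snapshot
    awk 'tolower($0) ~ /vulnerable/ { print substr($0, 1, index($0, ":") - 1) }' "$1"
}

# Demo on the before/after lines quoted in the post.
tmp=$(mktemp -d)
cat > "$tmp/before" <<'EOF'
l1tf:Mitigation: PTE Inversion
mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
meltdown:Mitigation: PTI
spec_store_bypass:Vulnerable
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
EOF
cat > "$tmp/after" <<'EOF'
l1tf:Mitigation: PTE Inversion
mds:Mitigation: Clear CPU buffers; SMT vulnerable
meltdown:Mitigation: PTI
spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
EOF
mitigation_changes "$tmp/before" "$tmp/after"
echo "still exposed after update: $(still_exposed "$tmp/after" | tr '\n' ' ')"
```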
ozsouth

Joined: 01 Jan 2010
Posts: 608
Location: S.E Australia

PostPosted: Sun 16 Jun 2019, 19:58    Post subject:  

Marv - I found that only one instance of the .cpio file is allowed.
Make a microcode folder (mine is micd) at the same level as your LxPupSc64b, put the .cpio file there only, & change your initrd line to:
/micd/microcode-update-20190514a.cpio /LxPupSc64b/initrd.gz & reboot. Ditto any other Pups using the same bootloader.
If that fails, try using a comma between entries, no spaces. (I used grub2 & syslinux in my tests).
Marv


Joined: 04 May 2005
Posts: 1216
Location: SW Wisconsin

PostPosted: Sun 16 Jun 2019, 21:15    Post subject:  

ozsouth wrote:
Marv - I found that only one instance of the .cpio file works.
Make a microcode folder (mine is micd) at the same level as your LxPupSc64b, put the .cpio file there only, & change your initrd line to:
/micd/microcode-update-20190514a.cpio /LxPupScb/initrd.gz & reboot. Ditto any other Pups using the same bootloader.
If that fails, try using a comma between entries, no spaces. (I used grub2 & syslinux in my tests).

Thanks, that's kind of the next step. I'd like to get it working for upupdd but for now the stock kernel for that isn't configured to do early loading so I'm going to fiddle with that first. I share SFS and profiles with all the pups in the kennel so I definitely see the advantage of that approach both from a space and maintenance standpoint.

Update: Did a kernel swap into upupdd for now. Early loading and mitigation working there now and the shared microcode folder is working correctly on all 3 pups. I'll play more later with that kernel.

Monday June 17 update: All above also holds for peebee's 5.1.11 kernel.

_________________
Pups currently in kennel :D Older LxPupSc and X-slacko-4.4 for my users; LxPupSc, LxPupSc64 and upupee for me. All good pups indeed, and all running savefiles for look'n'feel only. Browsers, etc. solely from SFS.
peebee


Joined: 21 Sep 2008
Posts: 4099
Location: Worcestershire, UK

PostPosted: Thu 19 Sep 2019, 14:09    Post subject:  

New release:

https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20190918

_________________
LxPup = Puppy + LXDE
Main version used daily: LxPupSc; Assembler of UPups, ScPup & ScPup64, LxPup, LxPupSc & LxPupSc64
ozsouth

Joined: 01 Jan 2010
Posts: 608
Location: S.E Australia

PostPosted: Thu 19 Sep 2019, 21:26    Post subject:  

I've made a 64bit .cpio 18-Sep-2019 microcode update file. Attempts to make 32bit file failed (64bit x86_64 kernel works if 64bit cpu).
http://s000.tinyupload.com/?file_id=00803872803831092183
peebee


Joined: 21 Sep 2008
Posts: 4099
Location: Worcestershire, UK

PostPosted: Wed 13 Nov 2019, 03:01    Post subject:  

New release:

microcode-20191112 release

The following files have changed in microcode-20191112 since microcode-20190918:
New Platforms
Processor Model | Stepping | Family Code | Model Number | Stepping Id | Platform Id | Old Version | New Version | Products
AVN | B0/C0 | 6 | 4d | 8 | 01 | - | 0000012D | Atom C2xxx
CML-U62 | A0 | 6 | a6 | 0 | 80 | - | 000000c6 | Core Gen10 Mobile
CNL-U | D0 | 6 | 66 | 3 | 80 | - | 0000002a | Core Gen8 Mobile
SKX-SP | B1 | 6 | 55 | 3 | 97 | - | 01000151 | Xeon Scalable
GKL | B0 | 6 | 7a | 1 | 01 | - | 00000032 | Pentium J5005/N5000, Celeron J4005/J4105/N4000/N4100
GKL-R | R0 | 6 | 7a | 8 | 01 | - | 00000016 | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
ICL U/Y | D1 | 6 | 7e | 5 | 80 | - | 00000046 | Core Gen10 Mobile

Updated Platforms
Processor Model | Stepping | Family Code | Model Number | Stepping Id | Platform Id | Old Version | New Version | Products
SKL U/Y | D0 | 6 | 4e | 3 | c0 | 000000cc | 000000d4 | Core Gen6 Mobile
SKX-SP | H0/M0/U0 | 6 | 55 | 4 | b7 | 02000064 | 00000065 | Xeon Scalable
SKX-D | M1 | 6 | 55 | 4 | b7 | 02000064 | 00000065 | Xeon D-21xx
CLX-SP | B0 | 6 | 55 | 6 | bf | 0400002b | 0400002c | Xeon Scalable Gen2
CLX-SP | B1 | 6 | 55 | 7 | bf | 0500002b | 0500002c | Xeon Scalable Gen2
SKL H/S/E3 | R0/N0 | 6 | 5e | 3 | 36 | 000000cc | 000000d4 | Core Gen6
AML-Y22 | H0 | 6 | 8e | 9 | 10 | 000000b4 | 000000c6 | Core Gen8 Mobile
KBL-U/Y | H0 | 6 | 8e | 9 | c0 | 000000b4 | 000000c6 | Core Gen7 Mobile
CFL-U43e | D0 | 6 | 8e | a | c0 | 000000b4 | 000000c6 | Core Gen8 Mobile
WHL-U | W0 | 6 | 8e | b | d0 | 000000b8 | 000000c6 | Core Gen8 Mobile
AML-Y | V0 | 6 | 8e | c | 94 | 000000b8 | 000000c6 | Core Gen10 Mobile
CML-U42 | V0 | 6 | 8e | c | 94 | 000000b8 | 000000c6 | Core Gen10 Mobile
WHL-U | V0 | 6 | 8e | c | 94 | 000000b8 | 000000c6 | Core Gen8 Mobile
KBL-G/X | H0 | 6 | 9e | 9 | 2a | 000000b4 | 000000c6 | Core Gen7/Gen8
KBL-H/S/E3 | B0 | 6 | 9e | 9 | 2a | 000000b4 | 000000c6 | Core Gen7; Xeon E3 v6
CFL-H/S/E3 | U0 | 6 | 9e | a | 22 | 000000b4 | 000000c6 | Core Gen8 Desktop, Mobile, Xeon E
CFL-S | B0 | 6 | 9e | b | 02 | 000000b4 | 000000c6 | Core Gen8
CFL-H | R0 | 6 | 9e | d | 22 | 000000b8 | 000000c6 | Core Gen9 Mobile

For updated Specification Update documents, please visit Intel Resource & Design Center.

_________________
LxPup = Puppy + LXDE
Main version used daily: LxPupSc; Assembler of UPups, ScPup & ScPup64, LxPup, LxPupSc & LxPupSc64
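
Added example, not part of the posts and not Intel's tooling: how the "microcode: sig=..., pf=..., revision=..." line that dmesg prints (see the Xeon post earlier in the thread) relates to a row of the release table. It assumes the usual CPUID decoding of sig into family-model-stepping (also the file naming in intel-ucode/) and that pf is a single bit tested against the row's Platform Id mask; the function names are made up, and the second dmesg line is a constructed sample.

```shell
#!/bin/sh
# Added example: match a dmesg microcode line against one release-table row
# (Family Code, Model Number, Stepping Id, Platform Id, New Version).

field() {  # $1 = dmesg line, $2 = key; prints the 0x... value
    printf '%s\n' "$1" | sed -n "s/.*$2=\(0x[0-9a-fA-F]*\).*/\1/p"
}

# CPUID signature -> family-model-stepping, the naming used in intel-ucode/.
sig_to_fms() {
    sig=$(( $1 ))
    stepping=$(( sig & 0xf ))
    model=$(( (sig >> 4) & 0xf ))
    family=$(( (sig >> 8) & 0xf ))
    # Extended model/family bits only apply to family 6 and 15.
    if [ "$family" -eq 6 ] || [ "$family" -eq 15 ]; then
        model=$(( (((sig >> 16) & 0xf) << 4) | model ))
    fi
    if [ "$family" -eq 15 ]; then
        family=$(( family + ((sig >> 20) & 0xff) ))
    fi
    printf '%02x-%02x-%02x\n' "$family" "$model" "$stepping"
}

row_applies() {  # $1 = dmesg line, then row columns: F M S platform-mask new-version
    sig=$(field "$1" sig); pf=$(field "$1" pf); rev=$(field "$1" revision)
    [ -n "$sig" ] && [ -n "$pf" ] && [ -n "$rev" ] || { echo "bad-line"; return 1; }
    want=$(printf '%02x-%02x-%02x' "0x$2" "0x$3" "0x$4")
    [ "$(sig_to_fms "$sig")" = "$want" ] || { echo "no-match"; return 0; }
    # pf is a single bit; Platform Id in the table is a mask of accepted bits.
    [ $(( $pf & 0x$5 )) -ne 0 ] || { echo "no-match"; return 0; }
    if [ $(( $rev )) -lt $(( 0x$6 )) ]; then echo "update"; else echo "current"; fi
}

xeon='microcode: sig=0x1067a, pf=0x40, revision=0xa0b'  # line from the thread
kbl='microcode: sig=0x806e9, pf=0x80, revision=0xb4'    # constructed sample
sig_to_fms "$(field "$xeon" sig)"         # 06-17-0a
row_applies "$xeon" 6 8e 9 c0 000000c6    # KBL-U/Y row: no-match
row_applies "$kbl"  6 8e 9 c0 000000c6    # KBL-U/Y row: update
row_applies "$kbl"  6 8e 9 10 000000c6    # AML-Y22 row: no-match (platform bit)
```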
ozsouth

Joined: 01 Jan 2010
Posts: 608
Location: S.E Australia

PostPosted: Wed 13 Nov 2019, 04:25    Post subject:  

I've made a 64bit .cpio 12-Nov-2019 microcode update file. Have had no success making 32bit files (64bit x86_64 kernel works if 64bit cpu).
** Superseded - see 2 posts down **

Last edited by ozsouth on Thu 14 Nov 2019, 03:15; edited 1 time in total
peebee


Joined: 21 Sep 2008
Posts: 4099
Location: Worcestershire, UK

PostPosted: Thu 14 Nov 2019, 02:55    Post subject:  

microcode-20191113 release

Processor Model | Stepping | Family Code | Model Number | Stepping Id | Platform Id | Old Version | New Version | Products
CFL-S | P0 | 6 | 9e | c | 22 | 000000a4 | 000000c6 | Core Gen9 Desktop

NOTE: This microcode was previously incorrectly listed as both CFL-S (Desktop) and CFL-H (Mobile) and was removed from the 20191112 release. This processor is now correctly listed as CFL-S (Desktop) only.

_________________
LxPup = Puppy + LXDE
Main version used daily: LxPupSc; Assembler of UPups, ScPup & ScPup64, LxPup, LxPupSc & LxPupSc64