
microcodeIntel: 20180312 -> 20180807 and iucode-tool: init at 2.3.1 #45101

Merged: 2 commits, Aug 17, 2018

Conversation

peterhoeg (Member)

Motivation for this change

Instead of using our vendored version of the microcode processing tool, use iucode-tool.

I can confirm that at least on one machine, the microcode as processed by this PR is successfully applied.

Cc: @fpletz @wkennington

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@GrahamcOfBorg

Success on x86_64-linux

Attempted: microcodeIntel

Partial log:

no Makefile, doing nothing
installing
iucode_tool: Writing selected microcodes to: kernel/x86/microcode/GenuineIntel.bin
3413 blocks
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/dy3r3khdc34naac5hybaq0j0hlcs91b7-microcode-intel-20180807
strip is /nix/store/gpc2wld1s0c6qzx9326cwn1wcx29xzsj-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/dy3r3khdc34naac5hybaq0j0hlcs91b7-microcode-intel-20180807
checking for references to /build in /nix/store/dy3r3khdc34naac5hybaq0j0hlcs91b7-microcode-intel-20180807...
/nix/store/dy3r3khdc34naac5hybaq0j0hlcs91b7-microcode-intel-20180807

@GrahamcOfBorg

Failure on aarch64-linux

Attempted: microcodeIntel

Partial log:

iucode_tool.c:33:10: fatal error: cpuid.h: No such file or directory
 #include <cpuid.h>
          ^~~~~~~~~
compilation terminated.
make[1]: *** [Makefile:451: iucode_tool.o] Error 1
make[1]: Leaving directory '/build/source'
make: *** [Makefile:330: all] Error 2
builder for '/nix/store/62jkkw824qhngbyk0jqra11jxl3agrwm-iucode-tool-2.3.1.drv' failed with exit code 2
cannot build derivation '/nix/store/6la51dhpaj4wsq6g79v97r0ayjp88kjg-microcode-intel-20180807.drv': 1 dependencies couldn't be built
error: build of '/nix/store/6la51dhpaj4wsq6g79v97r0ayjp88kjg-microcode-intel-20180807.drv' failed

mkdir -p $out kernel/x86/microcode
mv microcode.bin kernel/x86/microcode/GenuineIntel.bin
iucode_tool -w kernel/x86/microcode/GenuineIntel.bin intel-ucode{,-with-caveats}/
Member

What is intel-ucode-with-caveats?

Member Author

Arch Linux includes it (it's a relatively new addition to the microcode distribution) but the problem is that in order to safely apply them, various kernel patches must be in place. I don't know if they are, so I ripped it out again.
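As an added example (not part of this PR or of iucode-tool), here is a Python walker over the concatenated bundle that the `iucode_tool -w` step above writes to kernel/x86/microcode/GenuineIntel.bin: it parses each 48-byte Intel update header, checks the header+data checksum the kernel loader also enforces, and lists signature, platform flags, revision and date, which is how a practitioner confirms a deployed bundle actually carries the revisions it claims. The bundle bytes are constructed inside the block; the header layout is Intel's documented one, and `make_update` is a test helper, not real microcode.

```python
"""Walk a concatenated Intel microcode bundle (the layout iucode_tool -w writes
to kernel/x86/microcode/GenuineIntel.bin) and verify each update's checksum."""
import struct

# 48-byte update header: hdrver, rev, date, sig, cksum, ldrver, pf, datasize, totalsize, reserved[12]
HDR = struct.Struct("<IIIIIIIII12s")
DEFAULT_DATA_SIZE = 2000    # legacy updates store datasize == 0 and carry 2000 data bytes
DEFAULT_TOTAL_SIZE = 2048   # ... and span exactly 2048 bytes in total


def dword_sum(blob: bytes) -> int:
    """Sum of all little-endian 32-bit words mod 2^32; a valid update sums to 0."""
    return sum(struct.unpack("<%dI" % (len(blob) // 4), blob)) & 0xFFFFFFFF


def parse_bundle(bundle: bytes):
    """Yield one record per update, flagging any whose header+data dwords do not sum to zero."""
    off = 0
    while off + HDR.size <= len(bundle):
        hdrver, rev, date, sig, _cksum, _ldrver, pf, datasize, totalsize, _ = HDR.unpack_from(bundle, off)
        if hdrver != 1:
            raise ValueError("unknown header version %d at offset %d" % (hdrver, off))
        data = datasize or DEFAULT_DATA_SIZE
        total = totalsize if datasize else DEFAULT_TOTAL_SIZE
        update = bundle[off:off + total]
        if len(update) != total or HDR.size + data > total or data % 4:
            raise ValueError("truncated or inconsistent update at offset %d" % off)
        yield {
            "offset": off, "signature": sig, "platform_flags": pf, "revision": rev,
            # date is BCD-encoded as 0xMMDDYYYY
            "date": "%04x-%02x-%02x" % (date & 0xFFFF, date >> 24, (date >> 16) & 0xFF),
            # checksum covers header + data; an extended signature table, if present, has its own
            "checksum_ok": dword_sum(update[:HDR.size + data]) == 0,
        }
        off += total


def make_update(sig: int, pf: int, rev: int, date: int, payload: bytes = b"\0" * 16) -> bytes:
    """CONSTRUCTED test update (not real microcode): header + payload, with the checksum
    field patched so the whole update sums to zero, exactly as a valid update must."""
    fields = [1, rev, date, sig, 0, 1, pf, len(payload), HDR.size + len(payload), b"\0" * 12]
    fields[4] = (-dword_sum(HDR.pack(*fields) + payload)) & 0xFFFFFFFF
    return HDR.pack(*fields) + payload


# Constructed two-update bundle standing in for GenuineIntel.bin; all values are made up.
SAMPLE_BUNDLE = make_update(0x00010203, 0x01, 0x10, 0x08072018) + make_update(0x00040506, 0x80, 0x2A, 0x05152018)

if __name__ == "__main__":
    for u in parse_bundle(SAMPLE_BUNDLE):
        print("sig=%08x pf=%02x rev=%#x date=%s checksum_ok=%s"
              % (u["signature"], u["platform_flags"], u["revision"], u["date"], u["checksum_ok"]))
```

Run it against a real bundle by replacing `SAMPLE_BUNDLE` with the bytes of GenuineIntel.bin; a `checksum_ok` of False means the kernel will refuse that update, so the file was corrupted in packaging or transit.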

homepage = https://gitlab.com/iucode-tool/iucode-tool;
license = licenses.gpl2;
maintainers = with maintainers; [ peterhoeg ];
platforms = platforms.linux;
Member

Can you restrict platforms to x86? The tool uses cpuid which is processor specific.

Member Author

Done

@GrahamcOfBorg

Success on x86_64-linux

Attempted: microcodeIntel

Partial log:

/nix/store/dy3r3khdc34naac5hybaq0j0hlcs91b7-microcode-intel-20180807

@GrahamcOfBorg

No attempt on aarch64-linux

The following builds were skipped because they don't evaluate on aarch64-linux: microcodeIntel

Partial log:

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowUnsupportedSystem = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowUnsupportedSystem = true; }
to ~/.config/nixpkgs/config.nix.



nativeBuildInputs = [ autoreconfHook ];

enableParallalBuilding = true;
Member

Typo.

Member Author

Thanks

@GrahamcOfBorg

No attempt on aarch64-linux

The following builds were skipped because they don't evaluate on aarch64-linux: microcodeIntel

Partial log:

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowUnsupportedSystem = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowUnsupportedSystem = true; }
to ~/.config/nixpkgs/config.nix.


@GrahamcOfBorg

Success on x86_64-linux

Attempted: microcodeIntel

Partial log:

no Makefile, doing nothing
installing
iucode_tool: Writing selected microcodes to: kernel/x86/microcode/GenuineIntel.bin
3357 blocks
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/0l3vil8q0jfmiqc9sdc9bwcqa5p46x0x-microcode-intel-20180807
strip is /nix/store/gpc2wld1s0c6qzx9326cwn1wcx29xzsj-binutils-2.30/bin/strip
patching script interpreter paths in /nix/store/0l3vil8q0jfmiqc9sdc9bwcqa5p46x0x-microcode-intel-20180807
checking for references to /build in /nix/store/0l3vil8q0jfmiqc9sdc9bwcqa5p46x0x-microcode-intel-20180807...
/nix/store/0l3vil8q0jfmiqc9sdc9bwcqa5p46x0x-microcode-intel-20180807

@peterhoeg peterhoeg merged commit 5d18f66 into NixOS:master Aug 17, 2018
@peterhoeg peterhoeg deleted the u/ucode branch August 17, 2018 03:37
@peterhoeg peterhoeg restored the u/ucode branch August 17, 2018 13:28
@Moredread (Contributor)

I think we should backport this to 18.03, as it contains microcode level fixes for some of the Spectre and Meltdown vulnerabilities.

@andir (Member) commented Sep 3, 2018

@Moredread good idea. I am working on it.

@andir andir mentioned this pull request Sep 3, 2018
@peterhoeg peterhoeg deleted the u/ucode branch September 4, 2018 01:31

6 participants