
Debian ucode update for CVE-2017-5715 (Spectre) #33563

Closed


@andir andir commented Jan 7, 2018

Motivation for this change

Debian, Red Hat, SUSE etc. seem to have already got a pre-release (or acquired the files early) of the Intel ucode patches related to Spectre (CVE-2017-5715).

This PR adds a package intelMicrocodeDebian which uses the Debian source tarball, builds the firmware images and provides them in the same way as intelMicrocode. The new package can be used as a drop-in replacement of intelMicrocode.

Additionally a new configuration switch (hardware.cpu.intel.microcodePackage) has been added to provide users a simple way to select the desired firmware package.

I did rebuild my system using this package and so far it seems to be fine.

Changes that are contained within the Debian firmware package are:

  * Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367)
    New upstream microcodes to partially address CVE-2017-5715
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
      sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
      sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
      sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
  * Implements IBRS and IBPB support via new MSR (Spectre variant 2
    mitigation, indirect branches).  Support is exposed through cpuid(7).EDX.
  * LFENCE terminates all previous instructions (Spectre variant 2
    mitigation, conditional branches).

(The full log can be seen at http://metadata.ftp-master.debian.org/changelogs/non-free/i/intel-microcode/intel-microcode_3.20171215.1_changelog)

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

This package provides the intel microcode updates from debian.
Mic92 commented Jan 7, 2018

Should we set the debian version as default?

andir commented Jan 7, 2018

It would (currently) make sense. For changing the default I'd rather have a few more people test this out.

'';
};
microcodePackage = mkOption {
default = pkgs.micrcodeIntel;
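Review bot: `pkgs.micrcodeIntel` in the `default` of `microcodePackage` is a typo for `pkgs.microcodeIntel`; as written the default points at an attribute that does not exist, so evaluation fails for every configuration that leaves the option at its default instead of explicitly selecting the Debian package. Change it to `default = pkgs.microcodeIntel;`.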
Member

typo:

-        default = pkgs.micrcodeIntel; 
+        default = pkgs.microcodeIntel; 

@andir andir Jan 7, 2018

fixed


globin commented Jan 7, 2018

ping @fpletz

@fpletz fpletz self-assigned this Jan 7, 2018
@fpletz fpletz left a comment

Thanks! I've also refactored the microcode modules so that microcode updates can also be applied at runtime instead of requiring reboots, our only method so far being via initrd. Integrating the patched files from Red Hat proved more difficult than anticipated, so this approach makes more sense.

I'll merge after integrating with my changes and a few tests.


pbogdan commented Jan 9, 2018

FYI Intel published microcode updates yesterday - https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=122139 However, I don't see how to view any sort of changelog of what's included in the update...


andir commented Jan 10, 2018

Thank you @pbogdan!

The changelog is within the released tarball. In this specific release they have included the changelog from the previous version. In the mentioned release the changelog looks like this:

Intel Processor Microcode Package for Linux
20180108 Release

-- Updates upon 20171117 release --
IVT C0          (06-3e-04:ed) 428->42a
SKL-U/Y D0      (06-4e-03:c0) ba->c2
BDW-U/Y E/F     (06-3d-04:c0) 25->28
HSW-ULT Cx/Dx   (06-45-01:72) 20->21
Crystalwell Cx  (06-46-01:32) 17->18
BDW-H E/G       (06-47-01:22) 17->1b
HSX-EX E0       (06-3f-04:80) 0f->10
SKL-H/S R0      (06-5e-03:36) ba->c2
HSW Cx/Dx       (06-3c-03:32) 22->23
HSX C0          (06-3f-02:6f) 3a->3b
BDX-DE V0/V1    (06-56-02:10) 0f->14
BDX-DE V2       (06-56-03:10) 700000d->7000011
KBL-U/Y H0      (06-8e-09:c0) 62->80
KBL Y0 / CFL D0 (06-8e-0a:c0) 70->80
KBL-H/S B0      (06-9e-09:2a) 5e->80
CFL U0          (06-9e-0a:22) 70->80
CFL B0          (06-9e-0b:02) 72->80
SKX H0          (06-55-04:b7) 2000035->200003c
GLK B0          (06-7a-01:01) 1e->22

I'll provide an updated PR. We can close this PR.
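The two tables quoted in this thread identify a microcode image by CPUID signature (family/model/stepping packed into CPUID.1:EAX), platform mask and revision, while `/proc/cpuinfo` reports family, model and stepping in decimal and the loaded revision in the `microcode` field. The following script, an added example that is not part of this PR nor Debian's or Intel's tooling, rebuilds the signature from `/proc/cpuinfo`, parses either table format above (the Debian changelog lines from the PR description and the Intel 20180108 release notes), and reports per core whether the running revision is at or above the listed one. The `/proc/cpuinfo` text embedded below is constructed for the example, including a deliberately mismatched second core so both outcomes are exercised; the platform ID (pf_mask) is assumed not to be checked, since `/proc/cpuinfo` does not expose it.

```python
"""Compare the running Intel microcode revision against a microcode release table.

Added example, not code from the nixpkgs PR, Debian or Intel.  Understands the
Debian changelog format ("sig 0x..., pf_mask 0x..., <date>, rev 0x..., size N")
and the Intel release-notes format ("NAME  (ff-mm-ss:pf) old->new").
Assumption: the platform mask (MSR 0x17 bits 52:50) is not verified because
/proc/cpuinfo does not expose it; a matching signature whose platform is not
in pf_mask would still not receive the update.
"""
import os
import re

DEBIAN_RE = re.compile(
    r"sig 0x([0-9a-f]+), pf_mask 0x([0-9a-f]+), [\d-]+, rev 0x([0-9a-f]+)", re.I)
INTEL_RE = re.compile(
    r"\(([0-9a-f]{2})-([0-9a-f]{2})-([0-9a-f]{2}):([0-9a-f]+)\)\s+([0-9a-f]+)->([0-9a-f]+)", re.I)

# Subsets of the two tables quoted in the thread.
DEBIAN_NOTES = """\
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
"""
INTEL_NOTES = """\
IVT C0          (06-3e-04:ed) 428->42a
BDX-DE V2       (06-56-03:10) 700000d->7000011
KBL-U/Y H0      (06-8e-09:c0) 62->80
SKX H0          (06-55-04:b7) 2000035->200003c
"""

# Constructed /proc/cpuinfo excerpt (not captured from a real machine).  Core 1
# deliberately reports a newer revision than core 0 so both statuses appear.
CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 142
stepping\t: 9
microcode\t: 0x62

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 142
stepping\t: 9
microcode\t: 0x80
"""


def signature(display_family, display_model, stepping):
    """Rebuild CPUID.1:EAX (the 'sig' column) from the display family/model/
    stepping that /proc/cpuinfo prints.  Bit layout: stepping[3:0] model[7:4]
    family[11:8] ext_model[19:16] ext_family[27:20].  The extended model is
    only meaningful for families 6 and 0xF, the extended family only for 0xF."""
    if display_family >= 0xF:
        family, ext_family = 0xF, display_family - 0xF
    else:
        family, ext_family = display_family, 0
    if display_family in (0x6, 0xF):
        model, ext_model = display_model & 0xF, display_model >> 4
    else:
        model, ext_model = display_model & 0xF, 0
    return (ext_family << 20) | (ext_model << 16) | (family << 8) | (model << 4) | (stepping & 0xF)


def parse_release_notes(text):
    """Return {signature: (pf_mask, new_revision)} from either table format."""
    table = {}
    for line in text.splitlines():
        m = DEBIAN_RE.search(line)
        if m:
            table[int(m.group(1), 16)] = (int(m.group(2), 16), int(m.group(3), 16))
            continue
        m = INTEL_RE.search(line)
        if m:
            fam, model, stepping = (int(m.group(i), 16) for i in (1, 2, 3))
            table[signature(fam, model, stepping)] = (int(m.group(4), 16), int(m.group(6), 16))
    return table


def parse_cpuinfo(text):
    """Return [(processor, signature, running_revision)] for every core block."""
    cores = []
    for block in text.strip().split("\n\n"):
        fields = dict((k.strip(), v.strip()) for k, v in
                      (ln.split(":", 1) for ln in block.splitlines() if ":" in ln))
        if "cpu family" not in fields:
            continue
        sig = signature(int(fields["cpu family"]), int(fields["model"]), int(fields["stepping"]))
        cores.append((int(fields["processor"]), sig, int(fields["microcode"], 16)))
    return cores


def check(cpuinfo_text, notes_text):
    """Per core: 'current' (running >= listed), 'stale' (older) or 'not-listed'."""
    table = parse_release_notes(notes_text)
    results = []
    for proc, sig, rev in parse_cpuinfo(cpuinfo_text):
        if sig not in table:
            results.append((proc, "not-listed"))
        else:
            results.append((proc, "current" if rev >= table[sig][1] else "stale"))
    return results


if __name__ == "__main__":
    # On a real Linux host read the live file; otherwise fall back to the sample.
    text = open("/proc/cpuinfo").read() if os.path.exists("/proc/cpuinfo") else CPUINFO
    for proc, status in check(text, INTEL_NOTES):
        print("cpu%d: %s" % (proc, status))
```

Run it on the host whose microcode you just rebuilt; a `stale` core after the initrd update means the image for that signature was not applied (wrong platform mask, or the update file not being picked up), and `not-listed` means the release contains nothing for that CPU at all, which is the more common reason a Spectre checker still reports missing IBRS/IBPB support.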

ghost commented Jan 20, 2018

@andir According to spectre-meltdown-checker --no-sysfs output, to actually protect the user, the microcode update alone is not enough; IBRS patches for the kernel are also required, but these have not been mainlined yet, right?


andir commented Jan 20, 2018 via email

7 participants