Debian ucode update for CVE-2017-5715 (Spectre) #33563
This package provides the intel microcode updates from debian.
Should we set the debian version as default?
It would (currently) make sense. For changing the default I'd rather have a few more people test this out.
''; | ||
}; | ||
microcodePackage = mkOption { | ||
default = pkgs.micrcodeIntel; |
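Review bot: the last line of this hunk, `default = pkgs.micrcodeIntel;`, misspells the package attribute; the fix posted later in this thread uses `pkgs.microcodeIntel`, the existing package the option is meant to fall back to. Because the misspelled name is the option's default, evaluation of the module fails for every configuration that does not set `microcodePackage` explicitly, so the typo breaks the default path rather than the opt-in one. Correct the attribute and add `type = types.package;` to the option so a wrong value is rejected at evaluation time.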
typo:
- default = pkgs.micrcodeIntel;
+ default = pkgs.microcodeIntel;
fixed
ping @fpletz
Thanks! I've also refactored the microcode modules so that microcode updates can also be applied at runtime instead of requiring reboots, which was our only method so far (via initrd). Integrating the patched files from Red Hat proved more difficult than anticipated, so this approach makes more sense.
I'll merge after integrating with my changes and a few tests.
FYI Intel published microcode updates yesterday - https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=122139 However I don't see how to view any sort of a change log on what's included in the update though...
Thank you @pbogdan! The changelog is within the released tarball. In this specific release they have included the changelog from the previous version. In the mentioned release the changelog looks like this:
I'll provide an updated PR. We can close this PR.
@andir According to
Not to my knowledge. I am travelling for a week so I am a bit out of the loop.
On Jan 20, 2018 1:01 PM, "gnidorah" wrote:
@andir According to spectre-meltdown-checker --no-sysfs output, to actually protect users, a microcode update is not enough; IBRS patches for the kernel are also required, but these have not been mainlined yet, right?
Motivation for this change
Debian, Red Hat, SUSE etc. seem to have already gotten a pre-release (or acquired the files early) of the Intel ucode patches related to Spectre (CVE-2017-5715).
This PR adds a package intelMicrocodeDebian which uses the Debian source tarball, builds the firmware images and provides them in the same way as intelMicrocode. The new package can be used as a drop-in replacement of intelMicrocode. Additionally, a new configuration switch (hardware.cpu.intel.microcodePackage) has been added to provide users a simple way to select the desired firmware package. I did rebuild my system using this package and so far it seems to be fine.
Changes that are contained within the Debian firmware package are:
(The full log can be seen at http://metadata.ftp-master.debian.org/changelogs/non-free/i/intel-microcode/intel-microcode_3.20171215.1_changelog)
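To make the configuration switch described above concrete, here is an added example NixOS module (not the PR's own code) that defines `hardware.cpu.intel.microcodePackage` and wires the selected package into the early initrd. The option and package names (`microcodePackage`, `pkgs.microcodeIntel`, `pkgs.intelMicrocodeDebian`) are taken from this PR; `hardware.cpu.intel.updateMicrocode` and the `boot.initrd.prepend` wiring mirror the existing NixOS Intel microcode module, and the example assumes the chosen package ships its early-load cpio image as `intel-ucode.img` in its output root, which the PR says the Debian package does in the same way as intelMicrocode.

```nix
# Added example module, not code from the PR. Assumed: the selected package
# provides intel-ucode.img at its root, like pkgs.microcodeIntel does.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.hardware.cpu.intel;
in
{
  options.hardware.cpu.intel = {
    updateMicrocode = mkOption {
      type = types.bool;
      default = false;
      description = "Whether to load updated CPU microcode for Intel processors at boot.";
    };

    microcodePackage = mkOption {
      # types.package makes a misspelled attribute (the `micrcodeIntel` typo
      # caught in review) fail at evaluation time instead of at boot.
      type = types.package;
      default = pkgs.microcodeIntel;
      defaultText = "pkgs.microcodeIntel";
      description = ''
        Package providing the early-load Intel microcode image. Set this to
        pkgs.intelMicrocodeDebian to use the Debian-sourced firmware carrying
        the Spectre (CVE-2017-5715) microcode updates.
      '';
    };
  };

  config = mkIf cfg.updateMicrocode {
    # The microcode cpio archive must be the first archive in the initrd so
    # the kernel's early loader applies it before any other code runs on the
    # affected CPU. Prepending leaves the regular initrd untouched, and the
    # path is derived from the option, so swapping packages needs no other
    # change.
    boot.initrd.prepend = [ "${cfg.microcodePackage}/intel-ucode.img" ];
  };
}
```

A user opts into the Debian package from configuration.nix with `hardware.cpu.intel.updateMicrocode = true;` and `hardware.cpu.intel.microcodePackage = pkgs.intelMicrocodeDebian;`; omitting the second line keeps the stock microcodeIntel default. As the thread notes, the microcode alone does not mitigate CVE-2017-5715: the kernel must also carry the patches that use the new IBRS controls, so this option is only one half of the fix and should be verified together with the kernel side.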