Did the Intel microcode update 20180108 fix Spectre?


#1

Before the update the journal says:

kernel: microcode: microcode updated early to revision 0xba, date = 2017-04-09

After the upgrade it says:

kernel: microcode: microcode updated early to revision 0xc2, date = 2017-11-16

Isn't that too old? There is a version from 2018-01-08 on the Intel web page:

https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File


[Stable Update] 2018-01-12 - Kernels, Microcodes, Nvidia, Firefox, Boost, Cleanup


#2

No; Microcode updates are usually tested for many months.


#3

No; Microcode updates are usually tested for many months.

But how can it then prevent “issues with Spectre and Meltdown”? I thought Spectre and Meltdown were only detected in 2018.


#4

Now you can check your systems with smc:

sudo pacman -U https://mirror.netzspielplatz.de/manjaro/packages/pool/overlay/spectre-meltdown-checker-0.28-1-any.pkg.tar.xz

Example output:


phil@manjaro ~ $ sudo spectre-meltdown-checker
Spectre and Meltdown mitigation detection tool v0.28

Checking for vulnerabilities against running kernel Linux 4.14.13-1-MANJARO #1 SMP PREEMPT Wed Jan 10 21:11:43 UTC 2018 x86_64
CPU is AMD Ryzen 7 1700 Eight-Core Processor

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 21 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer

#5

No, that’s when it was publicly disclosed.


#6

Please follow the separate thread. It has been known to manufacturers since June 2017!


#7

Another curiosity:
I upgraded my laptop and my PC. The laptop has a Core i5-6200U, the PC has a Core i7-7700K.

The i5 reports: microcode updated early to revision 0xc2, date = 2017-11-16
The i7 reports: microcode updated early to revision 0x80, date = 2018-01-04
So much for long testing cycles :wink:

I tested spectre-meltdown-checker. Both the i5 and the i7 give the same output. After the upgrade both processors are still VULNERABLE to both Spectre variants.

Is that correct? Only meltdown is fixed for Intel CPUs?

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 21 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

What does the Intel microcode update do?


#8

Meltdown is “fixed” by a kernel patch.

Spectre requires a microcode update which needs to be created, tested, and deployed for each CPU family/series. Not all CPUs have updates yet.

This (and more) is covered in the other thread.
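Added example, not from the thread and not part of the spectre-meltdown-checker script: the split described above (Meltdown handled by the kernel's PTI patch, Spectre v2 needing microcode plus a kernel that uses it) can be read straight off the running system from /sys/devices/system/cpu/vulnerabilities/, one file per issue. That interface arrived in kernel 4.15 and in the 4.14 stable series from 4.14.14, so it is assumed here that the kernel is newer than the 4.14.13 build shown in this thread; on an older kernel the files are missing and are reported as "unknown", not as mitigated. The directory is a parameter so the functions can be exercised against constructed status files, which the fixture writer creates in the shape the kernel prints.

```shell
#!/bin/sh
# Added example (not from the thread or from spectre-meltdown-checker):
# read the kernel's own mitigation status for Meltdown and both Spectre
# variants from sysfs. Assumes a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities/ (4.15+, or 4.14.14+ in the
# stable series); where the files are missing the status is "unknown".

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# vuln_state DIR NAME -> the kernel's status string for one issue, or
# "unknown" when the file does not exist.
vuln_state() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo unknown
    fi
}

# is_mitigated DIR NAME -> exit 0 when mitigated or not affected,
# 1 when the kernel says "Vulnerable" (even if it lists a partial measure
# after the colon, e.g. a retpoline built without a retpoline-aware
# compiler), 2 when the status cannot be determined.
is_mitigated() {
    case "$(vuln_state "$1" "$2")" in
        "Not affected"*|Mitigation*) return 0 ;;
        Vulnerable*)                 return 1 ;;
        *)                           return 2 ;;
    esac
}

# report DIR -> one line per issue; exit 0 only when all three are mitigated.
report() {
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        printf '%-11s %s\n' "$name:" "$(vuln_state "$1" "$name")"
        if is_mitigated "$1" "$name"; then :; else rc=1; fi
    done
    return "$rc"
}

# make_fixture DIR -> constructed status files shaped like an Intel box with
# PTI active but no IBRS-aware kernel and no retpoline, i.e. the situation
# described in this thread. Sample data, not captured output.
make_fixture() {
    mkdir -p "$1"
    echo "Mitigation: PTI"                           > "$1/meltdown"
    echo "Vulnerable"                                > "$1/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$1/spectre_v2"
}

main() {
    if [ -d "$VULN_DIR" ]; then
        dir=$VULN_DIR
    else
        dir=$(mktemp -d)      # no sysfs interface on this kernel: show the fixture
        make_fixture "$dir"
        echo "(kernel has no $VULN_DIR; using constructed sample in $dir)"
    fi
    if report "$dir"; then
        echo "all three issues mitigated (or CPU not affected)"
    else
        echo "at least one issue still vulnerable or undetermined"
    fi
}

main "$@"
```

Only the prefix of each status string is examined: the kernel writes "Vulnerable: ..." when a measure is compiled in but not effective, and that must not be read as a mitigation.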


#9

Most probably, as Meltdown was the first to be fixed across a wide range of Linux systems. Spectre is harder to fix. Most likely newer CPUs might fix that. Your current CPU might be mitigated, but never fixed.


#10

fyi (inside this thread but buried):


#11

I have checked the microcode on Skylake (i7-6700K):

dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0xc2, date = 2017-11-16
[    0.479757] microcode: sig=0x506e3, pf=0x2, revision=0xc2
[    0.479966] microcode: Microcode Update Driver: v2.2.

sudo pacman -Qs intel-ucode

local/intel-ucode 20180108-1
    Microcode update files for Intel CPUs

Waiting for the next step.


#12

Before and after the update, the same output:

[lucy@DEMOON ~]$ dmesg | grep microcode
[    0.000000] [Firmware Bug]: TSC_DEADLINE disabled due to Errata; please update microcode to version: 0xb000020 (or later)
[    9.061373] microcode: sig=0x406f1, pf=0x1, revision=0xb00001c
[    9.061519] microcode: Microcode Update Driver: v2.2.
[   11.366728] microcode: late loading on model 79 is disabled.

on a Xeon E5 2630 v4

Mine is blacklisted:

 ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late loading.
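Added example, not from the thread: the two dmesg lines in this post carry everything needed to see why the package did nothing here. Decoding the CPUID signature the kernel prints (sig=0x406f1) gives family 6, model 79, stepping 1, which is the "model 79" in the late-loading message, and the same three numbers name the blob Intel ships for this CPU inside its tarball, intel-ucode/06-4f-01 (the package's FF-MM-SS file naming). Comparing the loaded revision 0xb00001c with the 0xb000020 demanded by the TSC_DEADLINE errata message confirms the newer microcode was not applied. The sample line is copied from this post; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): decode the CPUID signature that the
# kernel prints in "microcode: sig=0x..., pf=0x..., revision=0x..." into
# family/model/stepping, derive the matching file name inside Intel's
# microcode tarball (intel-ucode/FF-MM-SS, hex), and compare revisions
# numerically. Function names are this example's own.

# sig_to_fms SIG -> "family model stepping" in decimal, using the CPUID
# leaf 1 EAX layout: extended model is prepended only for families 6 and
# 0xF, extended family is added only for family 0xF.
sig_to_fms() {
    sig=$(( $1 ))
    stepping=$(( sig & 0xf ))
    model=$(( (sig >> 4) & 0xf ))
    family=$(( (sig >> 8) & 0xf ))
    ext_model=$(( (sig >> 16) & 0xf ))
    ext_family=$(( (sig >> 20) & 0xff ))
    if [ "$family" -eq 6 ] || [ "$family" -eq 15 ]; then
        model=$(( (ext_model << 4) | model ))
    fi
    if [ "$family" -eq 15 ]; then
        family=$(( family + ext_family ))
    fi
    echo "$family $model $stepping"
}

# ucode_file SIG -> path of the blob for this CPU inside Intel's tarball,
# e.g. 0x506e3 (the Skylake in the post above) -> intel-ucode/06-5e-03
ucode_file() {
    set -- $(sig_to_fms "$1")
    printf 'intel-ucode/%02x-%02x-%02x\n' "$1" "$2" "$3"
}

# rev_ge CURRENT REQUIRED -> exit 0 when the loaded revision is at least
# the required one. Revisions are compared as numbers, not strings:
# 0xc2 > 0xba, and 0xb00001c < 0xb000020.
rev_ge() {
    [ $(( $1 )) -ge $(( $2 )) ]
}

# parse_sig_line LINE -> "sig pf revision" from the kernel's sig= line
parse_sig_line() {
    line=$1
    sig=${line#*sig=};        sig=${sig%%,*}
    pf=${line#*pf=};          pf=${pf%%,*}
    rev=${line#*revision=};   rev=${rev%%[!0-9a-fA-Fx]*}
    echo "$sig $pf $rev"
}

# Sample input copied from the dmesg output in this post (Xeon E5-2630 v4).
SAMPLE_SIG_LINE='[    9.061373] microcode: sig=0x406f1, pf=0x1, revision=0xb00001c'
SAMPLE_REQUIRED_REV=0xb000020   # from the TSC_DEADLINE "[Firmware Bug]" line

main() {
    set -- $(parse_sig_line "$SAMPLE_SIG_LINE")
    echo "signature $1 -> family/model/stepping: $(sig_to_fms "$1")"
    echo "blob in the Intel tarball: $(ucode_file "$1")"
    if rev_ge "$3" "$SAMPLE_REQUIRED_REV"; then
        echo "revision $3 meets the errata requirement ($SAMPLE_REQUIRED_REV)"
    else
        echo "revision $3 is below $SAMPLE_REQUIRED_REV: the newer microcode was not applied"
    fi
}

main "$@"
```

Once the file name is known, `iucode_tool -l /lib/firmware/intel-ucode/06-4f-01` (assuming the iucode-tool package is installed; the Arch/Manjaro intel-ucode package unpacks the blobs under /lib/firmware/intel-ucode/) lists the revision the installed package actually carries for that CPU, which is the number to set against the revision dmesg reports.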

#13

Similar to smc:


#14

Hi guys, I updated today and rebooted my system. No problem with the update.

About ‘Spectre’ and ‘Meltdown’ vulnerabilities, today I ran the script taken from here and this is the outcome:

  1. My system information:
[saverio@manjaro-linux Scaricati]$ screenfetch

 ██████████████████  ████████     saverio@manjaro-linux
 ██████████████████  ████████     OS: Manjaro 17.1.1 Hakoila
 ██████████████████  ████████     Kernel: x86_64 Linux 4.14.13-1-MANJARO
 ██████████████████  ████████     Uptime: 7m
 ████████            ████████     Packages: 1344
 ████████  ████████  ████████     Shell: bash 4.4.12
 ████████  ████████  ████████     Resolution: 1920x1080
 ████████  ████████  ████████     DE: KDE 5.41.0 / Plasma 5.11.5
 ████████  ████████  ████████     WM: KWin
 ████████  ████████  ████████     WM Theme: Breath
 ████████  ████████  ████████     GTK Theme: Breath [GTK2/3]
 ████████  ████████  ████████     Icon Theme: maia
 ████████  ████████  ████████     Font: Noto Sans Regular
 ████████  ████████  ████████     CPU: Intel Core i7 960 @ 8x 3.201GHz [37.5°C]
                                  GPU: GeForce GTX 970
                                  RAM: 1343MiB / 12002MiB
[saverio@manjaro-linux Scaricati]$ 
[saverio@manjaro-linux Scaricati]$ 
[saverio@manjaro-linux Scaricati]$ uname -a
Linux manjaro-linux 4.14.13-1-MANJARO #1 SMP PREEMPT Wed Jan 10 21:11:43 UTC 2018 x86_64 GNU/Linux
[saverio@manjaro-linux Scaricati]$ 
  2. Script outcome:
[saverio@manjaro-linux ~]$ su -
Password:
[root@manjaro-linux Scaricati]# 
[root@manjaro-linux Scaricati]# ./spectre-meltdown-checker.sh 
Spectre and Meltdown mitigation detection tool v0.28

Checking for vulnerabilities against running kernel Linux 4.14.13-1-MANJARO #1 SMP PREEMPT Wed Jan 10 21:11:43 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7 CPU 960 @ 3.20GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 21 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
[root@manjaro-linux Scaricati]#

is this normal after the update?


#15

Yes, it’s perfectly normal. There are going to be months of new tweaks and patches for the Spectre issues. It can’t be mitigated overnight :slight_smile:


#16

Same here with Intel, is it normal… (?!?) :nauseated_face:


#17

[ 0.000000] microcode: microcode updated early to revision 0x28, date = 2017-11-17
Is KPTI still needed after this update?
If yes, then what has this microcode fixed?
If the Spectre variants, then what does Spectre have to do with Intel’s Meltdown microcode update?


#18

Please read this thread for all the details: