intel / Intel-Linux-Processor-Microcode-Data-Files


A newer microcode for 0x00020655 #20

Closed morfikov closed 3 years ago

morfikov commented 4 years ago

According to iucode_tool, my machine's CPU needs the following microcodes:

# iucode_tool -S -l /lib/firmware/intel-ucode/*
iucode_tool: system has processor(s) with signature 0x00020655
...
microcode bundle 17: /lib/firmware/intel-ucode/06-25-02
microcode bundle 18: /lib/firmware/intel-ucode/06-25-05
...
selected microcodes:
  017/001: sig 0x00020652, pf_mask 0x12, 2018-05-08, rev 0x0011, size 9216
  018/001: sig 0x00020655, pf_mask 0x92, 2018-04-23, rev 0x0007, size 4096

As you can see, the microcodes are pretty old, and I have the newest intel-microcode package installed in my Debian system:

# dpkg -l | grep intel-microcode
ii  intel-microcode  3.20191112.1  amd64 Processor microcode firmware for Intel CPUs

According to spectre-meltdown-checker, this CPU is vulnerable to some CVEs due to the old microcode (it says "Your kernel supports mitigation, but your CPU microcode also needs to be updated to mitigate the vulnerability").

Will the processor ever get newer microcode or will it be bugged forever?

esyr-rh commented 4 years ago

Only Sandy Bridge and newer have received MDS-related microcode updates (06-25-05 is Clarkdale, a variant of Westmere). See also issue #2.

morfikov commented 4 years ago

So FreeBSD can deal with the MDS bugs using the hw.mds_disable sysctl option -- I don't have this switch in my system (Linux kernel 5.3.11-amd64). Are there any kernel patches I could apply to fix this issue?

esyr-rh commented 4 years ago

Linux includes only the VERW/VMWERV-based mitigation (which relies on an updated microcode being available), and it can be enabled with the "mds=full,nosmt" kernel command-line parameter.
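An added example, not code from this thread or from Intel's repository, tying together the two points above: how the signature 0x00020655 maps to the intel-ucode file 06-25-05 that iucode_tool selected, how old the selected revisions are relative to the MDS microcode release, and what the kernel reports in /sys/devices/system/cpu/vulnerabilities/mds when mds=full,nosmt is set but the microcode lacks MD_CLEAR. The iucode_tool lines and the sysfs line are constructed from the thread; the 2019-01-01 age cutoff is a heuristic assumption of this example (Intel's MD_CLEAR microcode was published in the 2019-05-14 release), not something the thread or Intel states.

```python
"""Added example (not part of this issue thread or of Intel's repository).
(1) Decode a CPUID signature into intel-ucode's FF-MM-SS file name.
(2) Parse iucode_tool's 'selected microcodes' lines and flag revisions too
    old to be the MD_CLEAR update.
(3) Decode the kernel's MDS status line from sysfs.
All inputs below are constructed samples; nothing reads the live system."""
import re
from datetime import date

# Heuristic assumption of this example: the MD_CLEAR microcode shipped in
# Intel's 2019-05-14 release, so a revision built in 2018 cannot be it.
MD_CLEAR_CUTOFF = date(2019, 1, 1)


def sig_to_ucode_name(sig: int) -> str:
    """Map a CPUID(1).EAX signature to intel-ucode's family-model-stepping
    file name. Extended model bits count only for family 6 and 15, extended
    family bits only for family 15 (the same rules /proc/cpuinfo applies)."""
    stepping = sig & 0xF
    model = (sig >> 4) & 0xF
    family = (sig >> 8) & 0xF
    if family == 0xF:
        family += (sig >> 20) & 0xFF
    if family in (0x6, 0xF):
        model |= ((sig >> 16) & 0xF) << 4
    return f"{family:02x}-{model:02x}-{stepping:02x}"


SELECTED_RE = re.compile(
    r"sig 0x([0-9a-fA-F]+), pf_mask 0x([0-9a-fA-F]+), "
    r"(\d{4}-\d{2}-\d{2}), rev 0x([0-9a-fA-F]+)")


def parse_selected(text: str) -> list:
    """Parse the 'selected microcodes' lines printed by `iucode_tool -S -l`."""
    entries = []
    for m in SELECTED_RE.finditer(text):
        entries.append({
            "sig": int(m.group(1), 16),
            "pf_mask": int(m.group(2), 16),
            "date": date.fromisoformat(m.group(3)),
            "rev": int(m.group(4), 16),
        })
    return entries


def too_old_for_md_clear(entry: dict) -> bool:
    """True when the newest revision in the bundle predates the cutoff, i.e.
    the bundle holds no MD_CLEAR-capable update for this signature."""
    return entry["date"] < MD_CLEAR_CUTOFF


def parse_mds_status(line: str) -> dict:
    """Decode the sysfs 'mds' string (wording from arch/x86/kernel/cpu/bugs.c):
      'Not affected'
      'Vulnerable; SMT ...'                                   (mds=off)
      'Mitigation: Clear CPU buffers; SMT ...'                (VERW + microcode)
      'Vulnerable: Clear CPU buffers attempted, no microcode; SMT ...'
    The last form is what mds=full,nosmt yields on a CPU without MD_CLEAR
    microcode: the kernel issues VERW anyway, but nothing gets flushed."""
    line = line.strip()
    if line == "Not affected":
        return {"affected": False, "mitigated": True,
                "microcode_missing": False, "smt": None}
    head, _, smt = line.partition(";")
    return {
        "affected": True,
        "mitigated": head.startswith("Mitigation:"),
        "microcode_missing": "no microcode" in head,
        "smt": smt.strip() or None,   # e.g. 'SMT disabled', 'SMT vulnerable'
    }


# Constructed sample: the two 'selected microcodes' lines from the report.
SAMPLE_IUCODE = """\
selected microcodes:
  017/001: sig 0x00020652, pf_mask 0x12, 2018-05-08, rev 0x0011, size 9216
  018/001: sig 0x00020655, pf_mask 0x92, 2018-04-23, rev 0x0007, size 4096
"""

# Constructed sample of sysfs output after booting with mds=full,nosmt on a
# CPU whose microcode lacks MD_CLEAR.
SAMPLE_MDS = "Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled\n"


def report(iucode_text: str = SAMPLE_IUCODE, mds_line: str = SAMPLE_MDS) -> list:
    """One line per selected microcode, then the decoded MDS status."""
    lines = []
    for e in parse_selected(iucode_text):
        name = sig_to_ucode_name(e["sig"])
        tag = "too old for MD_CLEAR" if too_old_for_md_clear(e) else "2019 or later"
        lines.append(f"{name}: rev 0x{e['rev']:04x} dated {e['date']} ({tag})")
    st = parse_mds_status(mds_line)
    lines.append(f"mds: mitigated={st['mitigated']} "
                 f"microcode_missing={st['microcode_missing']} {st['smt']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On a real machine, feed `report()` the output of `iucode_tool -S -l /lib/firmware/intel-ucode/*` and the contents of /sys/devices/system/cpu/vulnerabilities/mds; the "no microcode" flag is the quick way to confirm that mds=full,nosmt has nothing to work with on this CPU.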

morfikov commented 4 years ago

So I still have the same question -- will the microcode be updated or not, since this CPU is vulnerable.

hmh commented 4 years ago

@morfikov: Intel's official documentation (any of the recent microcode revision guidance documents will do) seems to have your answer. Not that you will like it (I didn't like it either).

kevinff commented 2 years ago

Old issue but if people come here:

In fact, it's very difficult to find any documentation, as recent PDFs show no info for certain families, because they were shown as discontinued in old PDFs which have (intentionally?) been moved or deleted (check the links in the CVEs).

In fact, in 2018/2019 Intel gave up on dozens of models, and all of them are therefore vulnerable to CVE-2018-12126, CVE-2018-12130, CVE-2018-12127 and CVE-2019-11091.

And probably others, and future new ones, all of them without any kind of workaround.

This should actually be a scandal that millions of servers around the world are vulnerable, but it seems everybody is very quiet about it. I think everybody should tell them what Linus told Nvidia. So * from deep in my heart.