intel / Intel-Linux-Processor-Microcode-Data-Files


Microcode does not protect against CVE-2020-0543 on i5-6200U #38

Closed sreyan32 closed 3 years ago

sreyan32 commented 3 years ago

I am running Fedora 32:

NAME=Fedora
VERSION="32 (Workstation Edition)"
ID=fedora
VERSION_ID=32
VERSION_CODENAME=""
PLATFORM_ID="platform:f32"
PRETTY_NAME="Fedora 32 (Workstation Edition)"
ANSI_COLOR="0;34"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:32"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f32/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=32
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=32
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Workstation Edition"
VARIANT_ID=workstation

Kernel Info: 5.6.19-300.fc32.x86_64 #1 SMP Wed Jun 17 16:10:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The latest microcode update does not protect against SRBDS or CVE-2020-0543 on i5-6200U.

I have tested via meltdown.ovh script.

Though the Fedora team has confirmed the exploit is mitigated via the update: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5OUM24ZC43G4IDT3JUCIHJTSDXJSK6Y//

My CPU info is as follows:

processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 78
model name  : Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
stepping    : 3
microcode   : 0xd6
cpu MHz     : 2342.107
cache size  : 3072 KB
physical id : 0
siblings    : 4
core id     : 0
cpu cores   : 2
apicid      : 0
initial apicid  : 0
fpu     : yes
fpu_exception   : yes
cpuid level : 22
wp      : yes
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d
bugs        : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit srbds
bogomips    : 4800.00
clflush size    : 64
cache_alignment : 64
address sizes   : 39 bits physical, 48 bits virtual
power management:

processor   : 1
vendor_id   : GenuineIntel
cpu family  : 6
model       : 78
model name  : Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
stepping    : 3
microcode   : 0xd6
cpu MHz     : 2516.160
cache size  : 3072 KB
physical id : 0
siblings    : 4
core id     : 1
cpu cores   : 2
apicid      : 2
initial apicid  : 2
fpu     : yes
fpu_exception   : yes
cpuid level : 22
wp      : yes
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d
bugs        : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit srbds
bogomips    : 4800.00
clflush size    : 64
cache_alignment : 64
address sizes   : 39 bits physical, 48 bits virtual
power management:

processor   : 2
vendor_id   : GenuineIntel
cpu family  : 6
model       : 78
model name  : Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
stepping    : 3
microcode   : 0xd6
cpu MHz     : 2507.150
cache size  : 3072 KB
physical id : 0
siblings    : 4
core id     : 0
cpu cores   : 2
apicid      : 1
initial apicid  : 1
fpu     : yes
fpu_exception   : yes
cpuid level : 22
wp      : yes
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d
bugs        : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit srbds
bogomips    : 4800.00
clflush size    : 64
cache_alignment : 64
address sizes   : 39 bits physical, 48 bits virtual
power management:

processor   : 3
vendor_id   : GenuineIntel
cpu family  : 6
model       : 78
model name  : Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
stepping    : 3
microcode   : 0xd6
cpu MHz     : 2438.839
cache size  : 3072 KB
physical id : 0
siblings    : 4
core id     : 1
cpu cores   : 2
apicid      : 3
initial apicid  : 3
fpu     : yes
fpu_exception   : yes
cpuid level : 22
wp      : yes
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp md_clear flush_l1d
bugs        : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit srbds
bogomips    : 4800.00
clflush size    : 64
cache_alignment : 64
address sizes   : 39 bits physical, 48 bits virtual
power management:

esyr-rh commented 3 years ago

On Sun, Jul 26, 2020 at 09:04:33AM -0700, Sreyan Chakravarty wrote:

> The latest microcode update does not protect against SRBDS or CVE-2020-0543 on i5-6200U.

> microcode : 0xd6

The microcode update has been reverted to the previously available revision due to stability issues[1]. See also [2].

[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/36

sreyan32 commented 3 years ago

> On Sun, Jul 26, 2020 at 09:04:33AM -0700, Sreyan Chakravarty wrote:
>
> > The latest microcode update does not protect against SRBDS or CVE-2020-0543 on i5-6200U.
> >
> > microcode : 0xd6
>
> The microcode update has been reverted to the previously available revision due to stability issues[1]. See also [2].
>
> [1] #31 (comment)
> [2] #36

So is my system still vulnerable to SRBDS ?

If so any approx time line when this will be fixed ?

esyr-rh commented 3 years ago

On Mon, Jul 27, 2020 at 05:40:27AM -0700, Sreyan Chakravarty wrote:

> > On Sun, Jul 26, 2020 at 09:04:33AM -0700, Sreyan Chakravarty wrote:
> >
> > > The latest microcode update does not protect against SRBDS or CVE-2020-0543 on i5-6200U.
> > >
> > > microcode : 0xd6
> >
> > The microcode update has been reverted to the previously available revision due to stability issues[1]. See also [2].
> >
> > [1] #31 (comment)
> > [2] #36
>
> So is my system still vulnerable to SRBDS ?

You can try out microcode-20200609-release-based package[1] and see if it works for you (or use a system-firmware-provided microcode update; per [2], the issue is confirmed only for OS-based updates).

[1] https://koji.fedoraproject.org/koji/buildinfo?buildID=1522890
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826

heitbaum commented 3 years ago

Do we have an update on a fixed version of Skylake microcode?

sreyan32 commented 3 years ago

Nothing yet

On Fri, 6 Nov 2020, 4:54 pm heitbaum, notifications@github.com wrote:

> Do we have an update on a fixed version of Skylake microcode?


esyr-rh commented 3 years ago

06-4e-03 microcode is updated to revision 0xe2 (that contains SRBDS mitigations) with microcode-20201110 release.

heitbaum commented 3 years ago

Tested. So far so good. — Intel(R) Core(TM) i5-6260U —

[ 0.000000] microcode: microcode updated early to revision 0xe2, date = 2020-07-14
[ 0.000000] Linux version 5.9.7 (rudi@10ad6d490609) (x86_64-libreelec-linux-gnu-gcc-10.2.0 (GCC) 10.2.0, GNU ld (GNU Binutils) 2.34) #1 SMP Wed Nov 11 10:04:38 UTC 2020
[ 0.222354] SRBDS: Mitigation: Microcode
[ 0.226459] smpboot: CPU0: Intel(R) Core(TM) i5-6260U CPU @ 1.80GHz (family: 0x6, model: 0x4e, stepping: 0x3)
[ 1.589680] microcode: sig=0x406e3, pf=0x40, revision=0xe2
[ 1.589838] microcode: Microcode Update Driver: v2.2.
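The check this thread performs by hand (loaded microcode revision versus the kernel's SRBDS status line) can be scripted. The following is an added example, not code from the thread or from Intel's repository; the function names are hypothetical, the sample cpuinfo text and the "Vulnerable: No microcode" status are constructed, and 0xe2 is the revision the thread gives for 06-4e-03.

```shell
# Added example, not from the thread: cross-check the loaded microcode
# revision against the kernel's SRBDS status for CVE-2020-0543.

# Distinct "microcode" revisions in /proc/cpuinfo-style text on stdin.
# More than one output line means the logical CPUs disagree.
microcode_revs() {
    awk '$1 == "microcode" { print $NF }' | sort -u
}

# Accept only 0x-prefixed hex, so the value is safe inside $(( )).
is_hex() {
    case ${1#0x} in
        "$1" | '' | *[!0-9a-fA-F]*) return 1 ;;
    esac
}

# srbds_verdict CPUINFO_TEXT KERNEL_STATUS MIN_REV
# Prints one line; returns 0 = mitigated, 1 = vulnerable, 2 = unknown.
srbds_verdict() {
    revs=$(printf '%s\n' "$1" | microcode_revs)
    [ -n "$revs" ] || { echo "unknown: no microcode field"; return 2; }
    for r in $revs "$3"; do
        is_hex "$r" || { echo "unknown: bad revision '$r'"; return 2; }
    done
    for r in $revs; do
        if [ "$(($r))" -lt "$(($3))" ]; then
            echo "vulnerable: microcode $r is older than $3"; return 1
        fi
    done
    case $2 in
        "Mitigation: "* | "Not affected") echo "mitigated: $2 (microcode $r)" ;;
        *) echo "vulnerable: kernel reports '$2'"; return 1 ;;
    esac
}

# Constructed sample input built from values quoted in this thread.
BEFORE_CPUINFO='processor   : 0
microcode   : 0xd6
processor   : 1
microcode   : 0xd6'
AFTER_CPUINFO='processor   : 0
microcode   : 0xe2
processor   : 1
microcode   : 0xe2'
MIN_REV=0xe2  # revision the thread names as carrying the fix for 06-4e-03

srbds_verdict "$BEFORE_CPUINFO" "Vulnerable: No microcode" "$MIN_REV" || true
srbds_verdict "$AFTER_CPUINFO" "Mitigation: Microcode" "$MIN_REV"
```

On a live system, pass `"$(cat /proc/cpuinfo)"` and the contents of `/sys/devices/system/cpu/vulnerabilities/srbds` as the first two arguments; that sysfs file is present only on kernels that include SRBDS reporting.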

sreyan32 commented 3 years ago

Has it been pushed to the repository yet?

Will I get it with dnf upgrade?

On Wed, 11 Nov 2020, 6:04 pm heitbaum, notifications@github.com wrote:

> Tested. So far so good. — Intel(R) Core(TM) i5-6260U —
>
> [ 0.000000] microcode: microcode updated early to revision 0xe2, date = 2020-07-14
> [ 0.000000] Linux version 5.9.7 (rudi@10ad6d490609) (x86_64-libreelec-linux-gnu-gcc-10.2.0 (GCC) 10.2.0, GNU ld (GNU Binutils) 2.34) #1 SMP Wed Nov 11 10:04:38 UTC 2020
> [ 0.222354] SRBDS: Mitigation: Microcode
> [ 0.226459] smpboot: CPU0: Intel(R) Core(TM) i5-6260U CPU @ 1.80GHz (family: 0x6, model: 0x4e, stepping: 0x3)
> [ 1.589680] microcode: sig=0x406e3, pf=0x40, revision=0xe2
> [ 1.589838] microcode: Microcode Update Driver: v2.2.


antoniogi commented 3 years ago

https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20201110

esyr-rh commented 3 years ago

On Wed, Nov 11, 2020 at 08:58:07AM -0800, Sreyan Chakravarty wrote:

> Has it been pushed to the repository yet?

https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20201110

> Will I get it with dnf upgrade?

One can follow[1][2][3] for the update status in Fedora.

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2020-79bd31e5d9
[2] https://bodhi.fedoraproject.org/updates/FEDORA-2020-bc0c5f2527
[3] https://bodhi.fedoraproject.org/updates/FEDORA-2020-14fda1bf85