Puppy Linux Discussion Forum
The time now is Mon 17 Jun 2019, 00:37
All times are UTC - 4
Microcode update howto
ozsouth

Joined: 01 Jan 2010
Posts: 517
Location: S.E Australia

PostPosted: Mon 10 Jun 2019, 21:39    Post subject:  Microcode update howto  

Microcode - early loading of latest microcode - vital security. (64 bit works; I don't have 32 bit bootloader to test).

There has been much talk about this vital security update with little 'howto'. I finally got it to work. I got Fatdog's .cpio update (see link below) & put in same folder as initrd.gz (in examples below, is /EFI/boot/puppy). Is for syslinux or grub boot & must edit initrd line. Use at own risk.

For SYSLINUX, have a comma (no spaces) between the 2 entries. For GRUB one space only.

Syslinux example:

initrd puppy/microcode-update-20190514a.cpio,puppy/initrd.gz


Grub example:

initrd /EFI/boot/puppy/microcode-update-20190514a.cpio /EFI/boot/puppy/initrd.gz

NOTE: if you have multiple puppies to boot, put .cpio file in a folder (i.e. micd) & reference that for all.

Get file here: http://distro.ibiblio.org/fatdog/kernels/800/microcode-update-20190514a.cpio
peebee


Joined: 21 Sep 2008
Posts: 3884
Location: Worcestershire, UK

PostPosted: Tue 11 Jun 2019, 03:49    Post subject:  

Thanks ozsouth........

Would it work if the /lib/firmware/intel-ucode directory
from
http://ftp.uk.debian.org/debian/pool/non-free/i/intel-microcode/intel-microcode_3.20190514.1_i386.deb
was present in the fdrv? or is this too late in the boot sequence?

Cheers
peebee

_________________
LxPup = Puppy + LXDE
Main version used daily: LxPupSc; Assembler of UPup, ScPup & ScPup64, LxPup, LxPupSc and LxPupSc64
ozsouth

Joined: 01 Jan 2010
Posts: 517
Location: S.E Australia

PostPosted: Tue 11 Jun 2019, 05:04    Post subject:  

Peebee - This seems to be a late-install .deb, so I booted upupbb 18.05 & installed it, made a small save file & rebooted (twice). No effect.
Here's some info I found about late installs:

To update the intel-ucode package to the system, one need:
1. Ensure the existence of /sys/devices/system/cpu/microcode/reload
2. Copy intel-ucode directory to /lib/firmware, overwrite the files in /lib/firmware/intel-ucode/
3. Write the reload interface to 1 to reload the microcode files, e.g. echo 1 > /sys/devices/system/cpu/microcode/reload

Both 32bit pups I tried (slacko-6.3.0 the other) failed at step 1. We need jamesbond to help us.

EDIT: Downloaded iucode-tool .deb, installed in upupbb, made a .cpio file from your intel-ucode. Didn't work.
A hybrid x86_64 kernel in upupbb with fatdog's .cpio above works.
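The three late-loading steps quoted in the post above, written as a guarded script that also reports whether the running revision actually changed. This is an added example, not code from the thread or from the quoted instructions; the function names and the `SYSFS_RELOAD`, `FW_DIR` and `CPUINFO` overrides are assumptions made so the logic can be tried against scratch files.

```shell
#!/bin/sh
# Added example: guarded late microcode reload (needs root on real hardware).
# The three variables are overridable so the logic can be tried on scratch files.
SYSFS_RELOAD=${SYSFS_RELOAD:-/sys/devices/system/cpu/microcode/reload}
FW_DIR=${FW_DIR:-/lib/firmware/intel-ucode}
CPUINFO=${CPUINFO:-/proc/cpuinfo}

# Revision the first CPU is running, e.g. 0xa0b (x86 "microcode" field).
ucode_rev() {
    awk -F': *' '/^microcode/ { print $2; exit }' "$CPUINFO"
}

# $1 = unpacked intel-ucode directory holding the new files.
# Returns 2 when step 1 fails (no reload interface), 3 on a bad source
# directory, 4 when the copy or the reload write fails.
late_reload() {
    if [ ! -e "$SYSFS_RELOAD" ]; then
        echo "step 1 failed: $SYSFS_RELOAD does not exist" >&2
        return 2
    fi
    if [ ! -d "$1" ]; then
        echo "source directory $1 not found" >&2
        return 3
    fi
    before=$(ucode_rev)
    mkdir -p "$FW_DIR" || return 4
    cp -f "$1"/* "$FW_DIR"/ || return 4      # step 2: overwrite the files
    echo 1 > "$SYSFS_RELOAD" || return 4     # step 3: trigger the reload
    after=$(ucode_rev)
    if [ "$before" = "$after" ]; then
        echo "unchanged: still at $after"
    else
        echo "updated: $before -> $after"
    fi
}

# Usage: sh late-reload.sh /path/to/intel-ucode
if [ "$#" -eq 1 ]; then
    late_reload "$1"
fi
```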
peebee


Joined: 21 Sep 2008
Posts: 3884
Location: Worcestershire, UK

PostPosted: Tue 11 Jun 2019, 13:01    Post subject:  

Using the altered initrd command....

On my Celeron based laptop I got indications in dmesg and using PupSysInfo that microcode had been updated and vulnerability mitigation had changed.

However on my Xeon based desktop it indicated that microcode was not found - presumably because it isn't currently in the .cpio file for these cpu's.

Celeron:
# dmesg | grep microcode
microcode: microcode updated early to revision 0x838, date = 2019-04-22

spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
changes to:
spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling

_________________
LxPup = Puppy + LXDE
Main version used daily: LxPupSc; Assembler of UPup, ScPup & ScPup64, LxPup, LxPupSc and LxPupSc64
peebee


Joined: 21 Sep 2008
Posts: 3884
Location: Worcestershire, UK

PostPosted: Wed 12 Jun 2019, 05:04    Post subject:  

This is the list of updated cpu's

https://support.microsoft.com/en-us/help/4465065/kb4465065-intel-microcode-updates

My desktop Xeon cpu is not listed...... :(

CPU(s): 2 Quad core Intel Xeon E5450s

# dmesg | grep microcode
MDS: Vulnerable: Clear CPU buffers attempted, no microcode
microcode: sig=0x1067a, pf=0x40, revision=0xa0b

_________________
LxPup = Puppy + LXDE
Main version used daily: LxPupSc; Assembler of UPup, ScPup & ScPup64, LxPup, LxPupSc and LxPupSc64
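Files in an intel-ucode directory are named after the CPU's family, model and stepping in hex, so the `sig=` value in the dmesg line above identifies which file a given CPU needs. The script below is an added example, not from the thread; it decodes a signature using the standard CPUID field layout and checks a directory for the matching file, and its function names are made up for illustration.

```shell
#!/bin/sh
# Added example: map a CPUID signature to its intel-ucode file name.

# $1 = signature as printed by the kernel, e.g. 0x1067a.
# Prints family-model-stepping, two hex digits each, e.g. 06-17-0a.
ucode_name() {
    s=$(( $1 ))
    stepping=$(( s & 0xf ))
    model=$(( (s >> 4) & 0xf ))
    family=$(( (s >> 8) & 0xf ))
    ext_model=$(( (s >> 16) & 0xf ))
    ext_family=$(( (s >> 20) & 0xff ))
    # Extended model counts only when the base family is 6 or 15.
    if [ "$family" -eq 6 ] || [ "$family" -eq 15 ]; then
        model=$(( (ext_model << 4) + model ))
    fi
    # Extended family counts only when the base family is 15.
    if [ "$family" -eq 15 ]; then
        family=$(( family + ext_family ))
    fi
    printf '%02x-%02x-%02x\n' "$family" "$model" "$stepping"
}

# Read dmesg text on stdin; print the first "sig=" value found.
sig_from_dmesg() {
    sed -n 's/.*microcode: sig=\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# $1 = intel-ucode directory, $2 = signature. True if a file for that CPU exists.
has_ucode() {
    [ -f "$1/$(ucode_name "$2")" ]
}

# Usage: sh ucode-check.sh /lib/firmware/intel-ucode
if [ "$#" -eq 1 ]; then
    cpu_sig=$(dmesg | sig_from_dmesg)
    [ -n "$cpu_sig" ] || { echo "no sig= line in dmesg" >&2; exit 1; }
    if has_ucode "$1" "$cpu_sig"; then
        echo "$cpu_sig: found $1/$(ucode_name "$cpu_sig")"
    else
        echo "$cpu_sig: no $(ucode_name "$cpu_sig") in $1"
    fi
fi
```

A matching file name only shows that a file exists for that CPU; whether it is newer than the running revision still has to be read from dmesg after loading it.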
ozsouth

Joined: 01 Jan 2010
Posts: 517
Location: S.E Australia

PostPosted: Wed 12 Jun 2019, 09:18    Post subject:  

Thanks for the list Peebee. My 9yo i3-2310M & 3yo celeron n3060 make the list. Interestingly, another family member's 6yo Celeron 1000M isn't on the list, but the spec-melt check is all green. In case people think new AMDs are the answer, I got a cheap AMD e2-9000e (was $100 off for a day) - checker all green, but not much faster than my celeron n3060 & had radeon2 video & shutdown issues with 4.19 & 5.x kernels (fatdogs 4.18.12 kernel works well). Also had to compile rtl8821ce wireless driver - getting good source code reminded me of broadcom issues.
peebee


Joined: 21 Sep 2008
Posts: 3884
Location: Worcestershire, UK

PostPosted: Thu 13 Jun 2019, 04:24    Post subject:  

Interestingly..........??

the 32-bit .deb has 124 data files

whereas

the 64-bit .deb has just 74.....

This seems to be the repo for the data files which can be watched for updates:

https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/tree/master/intel-ucode

_________________
LxPup = Puppy + LXDE
Main version used daily: LxPupSc; Assembler of UPup, ScPup & ScPup64, LxPup, LxPupSc and LxPupSc64
Marv


Joined: 04 May 2005
Posts: 1167
Location: SW Wisconsin

PostPosted: Yesterday, at 19:14    Post subject:  

peebee wrote:
Using the altered initrd command....

On my Celeron based laptop I got indications in dmesg and using PupSysInfo that microcode had been updated and vulnerability mitigation had changed.

However on my Xeon based desktop it indicated that microcode was not found - presumably because it isn't currently in the .cpio file for these cpu's.

Celeron:
# dmesg | grep microcode
microcode: microcode updated early to revision 0x838, date = 2019-04-22

spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
changes to:
spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling

Tested early loading on my second generation i5 laptop (Sandy Bridge, i5-2520M) using the .cpio file and instructions above in the current LxPupSc and LxPupSc64, both running Kernel Release 5.1.8-lxpup64.

Grub4Dos install, the relevant menu entry line for LxPupSc64 as an example:
initrd /LxPupSc64b/microcode-update-20190514a.cpio /LxPupSc64b/initrd.gz

In both pups, dmesg shows:
# dmesg | grep microcode
microcode: microcode updated early to revision 0x2f, date = 2019-02-17

and mitigation changes from:
l1tf:Mitigation: PTE Inversion
mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
meltdown:Mitigation: PTI
spec_store_bypass:Vulnerable
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
to:
l1tf:Mitigation: PTE Inversion
mds:Mitigation: Clear CPU buffers; SMT vulnerable
meltdown:Mitigation: PTI
spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling

I've had no success with late loading on the above hardware and pups. Checking dmesg there, the update occurs but must be too late. Mitigation is unchanged. Thus this is a step forward for me.

Thanks all,

_________________
Pups currently in kennel :D LxPupSc and X-slacko-4.4 for my users; LxPupSc, LxPupSc64, LxPupBionic and upupdd for me. All good pups indeed, and all running savefiles for look'n'feel only. Browsers, etc. solely from SFS.
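The before/after comparison in the post above can be scripted: save the kernel's vulnerability report before changing the initrd line, save it again after rebooting, and print only what changed. This is an added example, not from the thread; the function names and the `VULN_DIR` override are assumptions, and the script reads the standard sysfs vulnerabilities directory.

```shell
#!/bin/sh
# Added example: record and compare the kernel's vulnerability report
# around a microcode change. VULN_DIR is overridable for testing.
VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# One "name:status" line per entry, the layout quoted in the post above.
snapshot() {
    for f in "$VULN_DIR"/*; do
        if [ -f "$f" ]; then
            printf '%s:%s\n' "${f##*/}" "$(cat "$f")"
        fi
    done
}

# $1 = snapshot taken before, $2 = snapshot taken after.
# Prints only the entries whose status text differs (new entries included).
mitigation_diff() {
    awk '
        { name = $0; sub(/:.*/, "", name); status = $0; sub(/^[^:]*:/, "", status) }
        NR == FNR { before[name] = status; next }
        before[name] != status { printf "%s: %s => %s\n", name, before[name], status }
    ' "$1" "$2"
}

# Number of entries in snapshot $1 still reported as Vulnerable.
still_vulnerable() {
    awk -F: '$2 ~ /^Vulnerable/ { n++ } END { print n + 0 }' "$1"
}

# Read dmesg text on stdin; print the revision of an early update, if any.
early_rev() {
    sed -n 's/.*microcode updated early to revision \(0x[0-9a-f]*\).*/\1/p' | head -n 1
}

# Usage: sh mitigations.sh snapshot > before.txt   (reboot, then again > after.txt)
#        sh mitigations.sh diff before.txt after.txt
#        sh mitigations.sh early
case "${1:-}" in
    snapshot) snapshot ;;
    diff)     mitigation_diff "$2" "$3" ;;
    early)    dmesg | early_rev ;;
esac
```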
ozsouth

Joined: 01 Jan 2010
Posts: 517
Location: S.E Australia

PostPosted: Yesterday, at 19:58    Post subject:  

Marv - I found that only one instance of the .cpio file is allowed.
Make a microcode folder (mine is micd) at the same level as your LxPupSc64b, put the .cpio file there only, & change your initrd line to:
/micd/microcode-update-20190514a.cpio /LxPupSc64b/initrd.gz & reboot. Ditto any other Pups using the same bootloader.
If that fails, try using a comma between entries, no spaces. (I used grub2 & syslinux in my tests).
Marv


Joined: 04 May 2005
Posts: 1167
Location: SW Wisconsin

PostPosted: Yesterday, at 21:15    Post subject:  

ozsouth wrote:
Marv - I found that only one instance of the .cpio file works.
Make a microcode folder (mine is micd) at the same level as your LxPupSc64b, put the .cpio file there only, & change your initrd line to:
/micd/microcode-update-20190514a.cpio /LxPupScb/initrd.gz & reboot. Ditto any other Pups using the same bootloader.
If that fails, try using a comma between entries, no spaces. (I used grub2 & syslinux in my tests).

Thanks, that's kind of the next step. I'd like to get it working for upupdd but for now the stock kernel for that isn't configured to do early loading so I'm going to fiddle with that first. I share SFS and profiles with all the pups in the kennel so I definitely see the advantage of that approach both from a space and maintenance standpoint.

Update: Did a kernel swap into upupdd for now. Early loading and mitigation working there now and the shared microcode folder is working correctly on all 3 pups. I'll play more later with that kernel.

_________________
Pups currently in kennel :D LxPupSc and X-slacko-4.4 for my users; LxPupSc, LxPupSc64, LxPupBionic and upupdd for me. All good pups indeed, and all running savefiles for look'n'feel only. Browsers, etc. solely from SFS.