It's official: Intel to only patch past 5 yrs chips ;-(

For discussions about security.
belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#1 Post by belham2 »

Straight out of the Sodom & Gomorrah's Santa Clara mouths, Intel has made it official:

".....Intel today announced that the firmware updates and software patches that are being released for its CPUs render Intel-based computer systems "immune" to both the Spectre and Meltdown exploits that were widely publicized this....

.....Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems -- including personal computers and servers -- that render those systems immune from both exploits (referred to as "Spectre" and "Meltdown") reported by Google Project Zero. Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates....

Intel says updates have been issued for the majority of Intel processor products introduced within the past five years, and by the end of next week, more than 90 percent of processor products from the last five years will be patched....

...As always, Intel advises it's also worth avoiding suspicious programs, websites, and links.
"

Love, love, absolutely love that last line :lol:


As I mentioned early last week & others have hinted at too, this just confirms my deep suspicion that Intel (and others) are giddy over this Spectre & Meltdown dustup. They are going to force a massive whale load of private citizens' & corporate servers & desktop PCs around the world, many of which run Intel chips that are older than 5 yrs, to upgrade to a new chip & hardware system. Hardware mftrs, from the looks of Dell's, HP's and Asus' statements the past few days, are overjoyed too.


Ahhhh, when given lemons, in Santa Clara, they make the most wunderbar lemonade :roll:

Sailor Enceladus
Posts: 1543
Joined: Mon 22 Feb 2016, 19:43

#2 Post by Sailor Enceladus »

I found the slowness of disk writes when compiling using kernel 3.16.53 (released January 9th) in Slacko 6.9.9.9 a torturing unbearable experience on my Intel Pentium M laptop, so I reverted back to 3.16.51. Is this the kaiser/kpti patch at work? :twisted:

Might see if the newest 4.4 release handles it better in Puduan later...

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#3 Post by bark_bark_bark »

The age of your CPU is irrelevant if the company that makes the motherboard doesn't provide firmware updates anyways.
....

anikin
Posts: 994
Joined: Thu 10 May 2012, 06:16

Re: It's official: Intel to only patch past 5 yrs chips ;-(

#4 Post by anikin »

belham2 wrote:Straight out of the Sodom & Gomorrah's Santa Clara mouths, Intel has made it official:

".....Intel today announced that the firmware updates and software patches that are being released for its CPUs render Intel-based computer systems "immune" to both the Spectre and Meltdown exploits that were widely publicized this....

.....Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems -- including personal computers and servers -- that render those systems immune from both exploits (referred to as "Spectre" and "Meltdown") reported by Google Project Zero. Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates....

Intel says updates have been issued for the majority of Intel processor products introduced within the past five years, and by the end of next week, more than 90 percent of processor products from the last five years will be patched....

...As always, Intel advises it's also worth avoiding suspicious programs, websites, and links.
"

Love, love, absolutely love that last line :lol:


As I mentioned early last week & others have hinted at too, this just confirms my deep suspicion that Intel (and others) are giddy over this Spectre & Meltdown dustup. They are going to force a massive whale load of private citizens' & corporate servers & desktop PCs around the world, many of which run Intel chips that are older than 5 yrs, to upgrade to a new chip & hardware system. Hardware mftrs, from the looks of Dell's, HP's and Asus' statements the past few days, are overjoyed too.


Ahhhh, when given lemons, in Santa Clara, they make the most wunderbar lemonade :roll:

The reality is a little bit different. If I understand the CEO of Intel correctly, eventually, most if not all their processors will be covered.

An Open Letter from Brian Krzanich, CEO of Intel Corporation, to Technology Industry Leaders
1. Customer-First Urgency: By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.
https://newsroom.intel.com/news-release ... rst-pledge

Facts about The New Security Research Findings and Intel® Products
https://www.intel.com/content/www/us/en ... ducts.html

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Re: It's official: Intel to only patch past 5 yrs chips ;-(

#5 Post by belham2 »

anikin wrote:
belham2 wrote:Straight out of the Sodom & Gomorrah's Santa Clara mouths, Intel has made it official:

".....Intel today announced that the firmware updates and software patches that are being released for its CPUs render Intel-based computer systems "immune" to both the Spectre and Meltdown exploits that were widely publicized this....

.....Intel has developed and is rapidly issuing updates for all types of Intel-based computer systems -- including personal computers and servers -- that render those systems immune from both exploits (referred to as "Spectre" and "Meltdown") reported by Google Project Zero. Intel and its partners have made significant progress in deploying updates as both software patches and firmware updates....

Intel says updates have been issued for the majority of Intel processor products introduced within the past five years, and by the end of next week, more than 90 percent of processor products from the last five years will be patched....

...As always, Intel advises it's also worth avoiding suspicious programs, websites, and links.
"

Love, love, absolutely love that last line :lol:


As I mentioned early last week & others have hinted at too, this just confirms my deep suspicion that Intel (and others) are giddy over this Spectre & Meltdown dustup. They are going to force a massive whale load of private citizens' & corporate servers & desktop PCs around the world, many of which run Intel chips that are older than 5 yrs, to upgrade to a new chip & hardware system. Hardware mftrs, from the looks of Dell's, HP's and Asus' statements the past few days, are overjoyed too.


Ahhhh, when given lemons, in Santa Clara, they make the most wunderbar lemonade :roll:

The reality is a little bit different. If I understand the CEO of Intel correctly, eventually, most if not all their processors will be covered.

An Open Letter from Brian Krzanich, CEO of Intel Corporation, to Technology Industry Leaders
1. Customer-First Urgency: By Jan. 15, we will have issued updates for at least 90 percent of Intel CPUs introduced in the past five years, with updates for the remainder of these CPUs available by the end of January. We will then focus on issuing updates for older products as prioritized by our customers.
https://newsroom.intel.com/news-release ... rst-pledge

Facts about The New Security Research Findings and Intel® Products
https://www.intel.com/content/www/us/en ... ducts.html

No, it is only processors from the past 5 years. You're trying to read between the lines, and employ wishful thinking. Their CEO and various heads came blatantly out (verbally) the other day and said "Only past 5 years". When asked about anything before that, they said "NO". Same is now occurring for hardware manufacturers.


Customers he was referring to are not you and me, not retail. It's the huge commercial companies and vendors servicing them. Would be nice, but they nixed that yesterday.

Keisha
Posts: 469
Joined: Tue 18 Nov 2014, 05:43

#6 Post by Keisha »

The title of this thread, "It's official: Intel to only patch past 5 yrs chips ;-(" is mistaken, since Intel does seem to be making a good-faith effort to supply the necessary microcode to defend against Spectre, for processors older than five years. The Intel microcode update page (https://downloadcenter.intel.com/downlo ... -Data-File), published yesterday January 11 2018, includes a long scrollable list of all the processors the latest update (20180108) applies to. The list appears to include every CPU Intel has ever made during the last 19 years, all the way back to vintage-1999 Pentium 3 and Celeron processors with 100 MHz front side bus.
“A wise man can learn more from a foolish question than a fool can learn from a wise answer.” --Bruce Lee

Marv
Posts: 1264
Joined: Wed 04 May 2005, 13:47
Location: SW Wisconsin

#7 Post by Marv »

Keisha wrote:The title of this thread, "It's official: Intel to only patch past 5 yrs chips ;-(" is mistaken, since Intel does seem to be making a good-faith effort to supply the necessary microcode to defend against Spectre, for processors older than five years. The Intel microcode update page (https://downloadcenter.intel.com/downlo ... -Data-File), published yesterday January 11 2018, includes a long scrollable list of all the processors the latest update (20180108) applies to. The list appears to include every CPU Intel has ever made during the last 19 years, all the way back to vintage-1999 Pentium 3 and Celeron processors with 100 MHz front side bus.
Watching and waiting, not with a lot of hope. I have three classes of Intel CPUs older than 5 yrs that are all vulnerable and in that 'covered' list but the relevant microcode for none of them is in the 20180108 update. We'll see. I do have a kernel running on all of my pups that has the kpti patches in and working and ucode load capability in and working (from Fatdog64-721) so I can test any future releases quickly.
Pups currently in kennel :D Older LxPupSc and X-slacko-4.4 for my users; LxPupSc, LxPupSc64 and upupEF for me. All good pups indeed, and all running savefiles for look'n'feel only. Browsers, etc. solely from SFS.

ozsouth
Posts: 858
Joined: Fri 01 Jan 2010, 22:08
Location: S.E Australia

#8 Post by ozsouth »

My 5-8 yr old CPUs are on the list, but Slacko 64 does not appear to be able to use the microcode (CONFIG_MICROCODE not enabled in kernels). Tahr 64 6.0.6 has it as a module, also with OLD enabled, so I ran modprobe microcode, then tried to install via dd instruction. Had to delete /dev/cpu/microcode first.
Must re-run on each bootup. Package manager only has iucode-tool, which wouldn't install.

EDIT: Test via pkg in this forum's Security section says VULNERABLE = NOT WORKING. Back to mitigation.
Last edited by ozsouth on Sat 13 Jan 2018, 02:36, edited 2 times in total.

Keisha
Posts: 469
Joined: Tue 18 Nov 2014, 05:43

#9 Post by Keisha »

Marv wrote:...I have three classes of intel CPUs older than 5 yrs that are all vulnerable and in that 'covered' list but the relevant microcode for none of them is in the 20180108 update...
Ah...so it's a list of CPUs which Intel *promises* it can fix some of now and the rest Real Soon with microcode,...and the microcode for the ones it doesn't cover, such as yours, is still vaporware!

Not encouraging, when you consider that Intel has actually had since last June, six or seven months now, to work on devising the needed microcode.

Keisha
Posts: 469
Joined: Tue 18 Nov 2014, 05:43

#10 Post by Keisha »

(***edited: I should've studied the readme that comes with the source to iucode-tool before I tried fixing this.***)

I've deleted my wild guesses and rants which were formerly here.

A few links and useful code snippets:

Download the iucode-tool source:

Code:

git clone https://gitlab.com/iucode-tool/iucode-tool.git

To check versions of after-boot application of Intel microcode:

Code:

iucode_tool -tb -lS /lib/firmware/intel-ucode/*

The Intel microcode updates as of Jan. 12 2018:
https://downloadcenter.intel.com/downlo ... -Data-File
The spectre-meltdown-checker.sh script:
https://www.ghacks.net/2018/01/11/check ... erability/
Ubuntu kernel updates against Spectre and Meltdown:
https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown, https://usn.ubuntu.com/usn/usn-3524-1/
Last edited by Keisha on Sat 13 Jan 2018, 19:24, edited 2 times in total.

Keisha
Posts: 469
Joined: Tue 18 Nov 2014, 05:43

#11 Post by Keisha »

(deleted by poster)
Last edited by Keisha on Sat 13 Jan 2018, 19:23, edited 1 time in total.

Keisha
Posts: 469
Joined: Tue 18 Nov 2014, 05:43

#12 Post by Keisha »

Uh...wait a minute...in Fedora, microcode is loaded during the initramfs...

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#13 Post by jamesbond »

The best source of information is straight from the horse's mouth: https://www.kernel.org/doc/Documentatio ... rocode.txt.

For the record, Fatdog64 721 uses early microcode loading. The kernel actually supports both. The early microcode data is in Fatdog's initrd under /kernel directory, which comes from Intel's website, processed according to the link given above.

The iucode-tool that Keisha referred to earlier is useful to check if there is an update to the CPU where that tool is running on, and if yes, the last updated date of that update.
Here's output from my system:

Code:

# ./iucode_tool -v -S -l /tmp/x/microcode.dat
...
selected microcodes:
  001/142: sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
./iucode_tool: selected 1 microcode(s), 1 signature(s)

This output matches my "dmesg" output:

Code:

[    0.000000] microcode: microcode updated early to revision 0x21, date = 2017-11-20

Now the bigger question is this: what does the microcode update fix, actually? :twisted:
Fatdog64 forum links: Latest version (http://murga-linux.com/puppy/viewtopic.php?t=117546) | Contributed packages (https://cutt.ly/ke8sn5H) | ISO builder (https://cutt.ly/se8scrb)
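
The comparison made by hand in post #13 (the revision iucode_tool selects versus the revision in dmesg), together with the case from post #7 where the bundle holds nothing for the CPU, can be scripted. This is an added example, not code from any poster or from the iucode-tool project; the function names are hypothetical, and the sample inputs are the two output lines quoted in post #13 plus one constructed older dmesg line.

```shell
#!/bin/sh
# Added example (not from the thread or the iucode-tool project).
# Function names are hypothetical; sample inputs are the lines quoted in post #13.

# Highest "rev" among the entries iucode_tool lists under "selected microcodes",
# printed in decimal. Prints nothing if the bundle has no entry for this CPU.
selected_rev() {
    printf '%s\n' "$1" |
        sed -n 's/.*sig 0x[0-9a-fA-F]*,.*rev 0x\([0-9a-fA-F]*\),.*/\1/p' |
        while read -r hex; do printf '%d\n' "0x$hex"; done |
        sort -n | tail -n 1
}

# Revision the kernel reports in its "microcode:" log lines, in decimal.
# Assumption: the line contains "revision 0x.." or "revision=0x..".
running_rev() {
    hex=$(printf '%s\n' "$1" |
        sed -n 's/.*microcode.*revision[ =]0x\([0-9a-fA-F]*\).*/\1/p' | tail -n 1)
    if [ -n "$hex" ]; then printf '%d\n' "0x$hex"; fi
}

# Classify the machine: $1 = iucode_tool listing, $2 = dmesg microcode lines.
microcode_status() {
    avail=$(selected_rev "$1")
    running=$(running_rev "$2")
    if [ -z "$avail" ]; then echo "no-update-in-bundle"
    elif [ -z "$running" ]; then echo "running-revision-unknown"
    elif [ "$running" -ge "$avail" ]; then echo "up-to-date"
    else echo "update-pending"
    fi
}

SAMPLE_LISTING='selected microcodes:
  001/142: sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528'
SAMPLE_DMESG='[    0.000000] microcode: microcode updated early to revision 0x21, date = 2017-11-20'
# Constructed line: an older revision still loaded.
OLD_DMESG='[    0.000000] microcode: microcode updated early to revision 0x1c, date = 2015-08-03'

echo "thread sample: $(microcode_status "$SAMPLE_LISTING" "$SAMPLE_DMESG")"
echo "older running: $(microcode_status "$SAMPLE_LISTING" "$OLD_DMESG")"
echo "not in bundle: $(microcode_status 'selected microcodes:' "$SAMPLE_DMESG")"
```

On a live system the two arguments would be the output of the iucode_tool command shown in post #13 and the microcode lines from dmesg.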
