<![CDATA[Dev1 Galaxy Forum / Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?id=2312 Fri, 24 Aug 2018 15:52:39 +0000 FluxBB <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11485#p11485 The only really effective counter to Spectre is not to allow any untrustworthy code to run on your system. Or assume that any code running on it can read (but not update) everything in memory on it. There is no CPU on the market now where you can guarantee there is no exploitable side channel that would leak memory contents.

Chris

]]> Fri, 24 Aug 2018 15:52:39 +0000 http://dev1galaxy.org/viewtopic.php?pid=11485#p11485 <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11381#p11381 Open hardware is too far in the future for me.  I had hoped that older AMD processors would be less of a rats nest than Intel ones, but even the latest Ryzen2 processors are heavily invested in speculative execution. Arm stand a better chance, but even they dabble in attackable speculative execution and are not immune. What a mess..

]]> Fri, 17 Aug 2018 19:52:35 +0000 http://dev1galaxy.org/viewtopic.php?pid=11381#p11381 <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11373#p11373 In reality if you want to get rid of this Intel mess, we all would need new hardware. The microcode and fixes on software level won't cut it.
Now we can all see why we should buy 100 % open hardware.

]]> Fri, 17 Aug 2018 17:02:46 +0000 http://dev1galaxy.org/viewtopic.php?pid=11373#p11373 <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11363#p11363 As I recall, "Spectre" variant 1 is not mitigated via microcode updates.  Only "Meltdown" and "Spectre" variant 2 are fixable this way.

You also have "TLBleed" and "Foreshadow" to worry about...

If you have doubts, get and build a new kernel from kernel.org.

]]> Fri, 17 Aug 2018 14:04:54 +0000 http://dev1galaxy.org/viewtopic.php?pid=11363#p11363 <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11361#p11361 Just for information, I ran the  spectre-meltdown-checker.sh script in speed47's github repo, and it says that the hardware [microcode] does nothing to help with these intel bugs. I have version 0x25 and latest known version is 0x2e.  So the only protection comes from the kernel mitigations.  Feel old..

]]> Fri, 17 Aug 2018 11:55:35 +0000 http://dev1galaxy.org/viewtopic.php?pid=11361#p11361 <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11360#p11360 As explained above, you need to fix your sources.list.

This is wrong:

deb http://gb.deb.devuan.org/merged/ ascii/non-free main

This is right:

deb http://gb.deb.devuan.org/merged/ ascii main contrib non-free

Make similar changes in the other lines and update the cache again.

Edit: Ah, you posted while I was typing.

The microcode will be inserted into the initrd when you install the package. I think you can have both the amd and intel packages installed, but only the one for your processor will be in the initrd.

]]> Fri, 17 Aug 2018 11:30:44 +0000 http://dev1galaxy.org/viewtopic.php?pid=11360#p11360 <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11359#p11359 thanks, and sorry:  I was not reading carefully.  When I cut and paste your sources.list file, and do apt-get update, then I can install intel-microcode!  /lib/firmware/intel-ucode now exists. and I have to assume that the linux kernel finds this during boot [but I don't know how to interrogate the running kernel to prove this]. Is it safe to also install amd-microcode, or do they interfere?,  Anyway, thanks for getting me this far.

]]> Fri, 17 Aug 2018 11:28:11 +0000 http://dev1galaxy.org/viewtopic.php?pid=11359#p11359 <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11357#p11357 I also tried:

  apt-get update >/tmp/zzzz

and get error messages on stderr:

W: The repository 'http://gb.deb.devuan.org/merged ascii/non-free Release' does not have a Release file.
W: The repository 'http://gb.deb.devuan.org/merged ascii-backports/non-free Release' does not have a Release file.
E: Failed to fetch http://gb.deb.devuan.org/merged/dists/a … ce/Sources  404  Not Found [IP: 31.220.0.151 80]
E: Failed to fetch http://gb.deb.devuan.org/merged/dists/a … ce/Sources  404  Not Found [IP: 31.220.0.151 80]
E: Some index files failed to download. They have been ignored, or old ones used instead.

which I do not understand, but maybe they mean something to someone.

]]> Fri, 17 Aug 2018 10:25:56 +0000 http://dev1galaxy.org/viewtopic.php?pid=11357#p11357 <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11356#p11356 You will also need the contrib repository.

]]> Fri, 17 Aug 2018 07:58:00 +0000 http://dev1galaxy.org/viewtopic.php?pid=11356#p11356 <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11353#p11353 jacksprat wrote:

deb http://gb.deb.devuan.org/merged/ ascii main
deb-src http://gb.deb.devuan.org/merged/ ascii main

deb http://gb.deb.devuan.org/merged/ ascii/non-free main
deb-src http://gb.deb.devuan.org/merged/ ascii/non-free main

deb http://gb.deb.devuan.org/merged/ ascii-backports/non-free main
deb-src http://gb.deb.devuan.org/merged/ ascii-backports/non-free main

deb http://gb.deb.devuan.org/merged/ ascii-security main
deb-src http://gb.deb.devuan.org/merged/ ascii-security main

deb http://gb.deb.devuan.org/merged/ ascii-updates main
deb-src http://gb.deb.devuan.org/merged/ ascii-updates main

Looks like I see a couple of issues with your sources.list also.

1.  It appears that you have the two top lines listed twice...once with ascii main...then listed again with ascii/non-free main

2. I believe that you have extra / marks where they aren't needed. Perhaps try making this your sources.list, then try again? Remember to apt-get update if you change your sources.list.  

deb http://gb.deb.devuan.org/merged/ ascii main non-free
deb-src http://gb.deb.devuan.org/merged/ ascii main non-free

deb http://gb.deb.devuan.org/merged/ ascii-backports main non-free
deb-src http://gb.deb.devuan.org/merged/ ascii-backports main non-free

deb http://gb.deb.devuan.org/merged/ ascii-security main 
deb-src http://gb.deb.devuan.org/merged/ ascii-security main

deb http://gb.deb.devuan.org/merged/ ascii-updates main 
deb-src http://gb.deb.devuan.org/merged/ ascii-updates main

Also, you can comment out the deb-src lines...unless you need them for building things from source.

Here is my sources.list for comparison...

deb http://deb.devuan.org/merged/ ascii main non-free contrib
#deb-src http://deb.devuan.org/merged/ ascii main non-free contrib

deb http://deb.devuan.org/merged/ ascii-security main contrib non-free
#deb-src http://deb.devuan.org/merged/ ascii-security main contrib non-free

deb http://deb.devuan.org/merged/ ascii-updates main contrib non-free
#deb-src http://deb.devuan.org/merged/ ascii-updates main contrib non-free

deb http://deb.devuan.org/merged/ ascii-backports main contrib non-free
#deb-src http://deb.devuan.org/merged/ ascii-backports main contrib non-free
]]> Thu, 16 Aug 2018 23:47:50 +0000 http://dev1galaxy.org/viewtopic.php?pid=11353#p11353 <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11352#p11352 Did you do an...

apt-get update

...after adding non-free?

]]> Thu, 16 Aug 2018 23:24:59 +0000 http://dev1galaxy.org/viewtopic.php?pid=11352#p11352 <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11351#p11351 thanks.  I am struggling to get access to these packages.  My /etc/apt/sources.list file now contains:

deb http://gb.deb.devuan.org/merged/ ascii main
deb-src http://gb.deb.devuan.org/merged/ ascii main

deb http://gb.deb.devuan.org/merged/ ascii/non-free main
deb-src http://gb.deb.devuan.org/merged/ ascii/non-free main

deb http://gb.deb.devuan.org/merged/ ascii-backports/non-free main
deb-src http://gb.deb.devuan.org/merged/ ascii-backports/non-free main

deb http://gb.deb.devuan.org/merged/ ascii-security main
deb-src http://gb.deb.devuan.org/merged/ ascii-security main

deb http://gb.deb.devuan.org/merged/ ascii-updates main
deb-src http://gb.deb.devuan.org/merged/ ascii-updates main

Yet when I try

   apt-get install intel-microcode

I get nothing. Also

  apt policy intel-microcode

says that it is unable to find the package.  I must be doing something wrong, but can't see it [at the limit of my experience here].

]]> Thu, 16 Aug 2018 23:02:58 +0000 http://dev1galaxy.org/viewtopic.php?pid=11351#p11351 <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11350#p11350 The package you want is called intel-microcode and is in non-free. 

apt policy intel-microcode
intel-microcode:
  Installiert:           3.20180703.2~bpo9+1
  Installationskandidat: 3.20180703.2~bpo9+1
  Versionstabelle:
 *** 3.20180703.2~bpo9+1 100
        100 http://de.deb.devuan.org/merged ascii-backports/non-free amd64 Packages
        100 /var/lib/dpkg/status
     3.20180425.1~deb9u1 500
        500 http://de.deb.devuan.org/merged ascii/non-free amd64 Packages
]]> Thu, 16 Aug 2018 21:08:51 +0000 http://dev1galaxy.org/viewtopic.php?pid=11350#p11350 <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11339#p11339 thanks:  I used Synaptic to select all repos, but the only "non-free" ones were marked "cdrom:[devuan_ascii...]" and would not be selected.  The only package that looked appropriate was firmware-linux-free, which was already installed.

]]> Thu, 16 Aug 2018 10:46:28 +0000 http://dev1galaxy.org/viewtopic.php?pid=11339#p11339 <![CDATA[Re: Microcode to fight Spectre and Meltdown cpu flaws]]> http://dev1galaxy.org/viewtopic.php?pid=11338#p11338 Proprietary blobs will usually live in the "non-free" repository.  Assuming you have that and "contrib" enabled then you should be able to install Intel microcode (and reboot).

But more Intel flaws just in: https://www.theregister.co.uk/2018/08/1 … ault_bugs/

And you can probably expect more...

]]> Thu, 16 Aug 2018 08:47:16 +0000 http://dev1galaxy.org/viewtopic.php?pid=11338#p11338