<![CDATA[Dev1 Galaxy Forum / CPU microcode blacklisted by nvidia drivers]]> http://dev1galaxy.org/viewtopic.php?id=2955 Mon, 15 Jul 2019 20:04:08 +0000 FluxBB <![CDATA[Re: CPU microcode blacklisted by nvidia drivers]]> http://dev1galaxy.org/viewtopic.php?pid=17093#p17093 Dutch_Master wrote:

I wonder how an AMD Ryzen-9 proc would fare

My posted output is from a Ryzen 5 2500u. It doesn't suffer the MDS, L1TF or Meltdown vulnerabilities.

]]> Mon, 15 Jul 2019 20:04:08 +0000 http://dev1galaxy.org/viewtopic.php?pid=17093#p17093 <![CDATA[Re: CPU microcode blacklisted by nvidia drivers]]> http://dev1galaxy.org/viewtopic.php?pid=17071#p17071 From what I have been reading on Slashdot, they have far fewer vulnerabilities than Intel, but not none. Broadly, they tend to have a few of the "Spectre" problems, but nothing in the "Meltdown" category, which is mostly an Intel-specific problem. Quite a bit is riding on how secure this next generation of Intel processors turns out to be.

]]> Sun, 14 Jul 2019 22:08:06 +0000 http://dev1galaxy.org/viewtopic.php?pid=17071#p17071 <![CDATA[Re: CPU microcode blacklisted by nvidia drivers]]> http://dev1galaxy.org/viewtopic.php?pid=17070#p17070 I wonder how an AMD Ryzen-9 proc would fare wink

And I reckon now they're out (launched last week), the Ryzen-3 series will become dirt cheap. And TTBOMK (to the best of my knowledge) AMD doesn't suffer from Intel's security holes in their proc's.

]]> Sun, 14 Jul 2019 21:38:52 +0000 http://dev1galaxy.org/viewtopic.php?pid=17070#p17070 <![CDATA[Re: CPU microcode blacklisted by nvidia drivers]]> http://dev1galaxy.org/viewtopic.php?pid=17069#p17069 Intel are only issuing fixes for certain CPUs, I don't think yours is covered. They really are a bunch of incompetent twats.

https://www.intel.com/content/dam/www/p … idance.pdf

]]> Sun, 14 Jul 2019 20:47:14 +0000 http://dev1galaxy.org/viewtopic.php?pid=17069#p17069 <![CDATA[Re: CPU microcode blacklisted by nvidia drivers]]> http://dev1galaxy.org/viewtopic.php?pid=17066#p17066 Yes, I have a very old CPU but I'm sure it has at least some vulnerabilities. There was a paper published back in the 90s describing the potential security problems with speculative execution. Apparently Intel ignored it. But the worst vulnerabilities are probably in the latest generations due to the increasing use of speculative execution and other tricks to get all that performance. It will be interesting to see what happens with their new generation of CPUs after this problem became public.

grep -R . /sys/devices/system/cpu/vulnerabilities/
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: EPT disabled
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI

Gory details on the CPU itself:

cat /proc/cpuinfo

processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 15
model name	: Intel(R) Core(TM)2 Quad CPU    Q6600  @ 2.40GHz
stepping	: 11
microcode	: 0xba
cpu MHz		: 1800.000
cache size	: 4096 KB
physical id	: 0
siblings	: 4
core id		: 0
cpu cores	: 4
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm lahf_lm kaiser tpr_shadow vnmi flexpriority dtherm
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds
bogomips	: 5394.85
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

processor	: 1
vendor_id	: GenuineIntel
cpu family	: 6
model		: 15
model name	: Intel(R) Core(TM)2 Quad CPU    Q6600  @ 2.40GHz
stepping	: 11
microcode	: 0xba
cpu MHz		: 1800.000
cache size	: 4096 KB
physical id	: 0
siblings	: 4
core id		: 2
cpu cores	: 4
apicid		: 2
initial apicid	: 2
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm lahf_lm kaiser tpr_shadow vnmi flexpriority dtherm
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds
bogomips	: 5394.85
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

processor	: 2
vendor_id	: GenuineIntel
cpu family	: 6
model		: 15
model name	: Intel(R) Core(TM)2 Quad CPU    Q6600  @ 2.40GHz
stepping	: 11
microcode	: 0xba
cpu MHz		: 1800.000
cache size	: 4096 KB
physical id	: 0
siblings	: 4
core id		: 1
cpu cores	: 4
apicid		: 1
initial apicid	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm lahf_lm kaiser tpr_shadow vnmi flexpriority dtherm
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds
bogomips	: 5394.85
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

processor	: 3
vendor_id	: GenuineIntel
cpu family	: 6
model		: 15
model name	: Intel(R) Core(TM)2 Quad CPU    Q6600  @ 2.40GHz
stepping	: 11
microcode	: 0xba
cpu MHz		: 1800.000
cache size	: 4096 KB
physical id	: 0
siblings	: 4
core id		: 3
cpu cores	: 4
apicid		: 3
initial apicid	: 3
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm lahf_lm kaiser tpr_shadow vnmi flexpriority dtherm
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds
bogomips	: 5394.85
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:
]]> Sun, 14 Jul 2019 20:20:32 +0000 http://dev1galaxy.org/viewtopic.php?pid=17066#p17066 <![CDATA[Re: CPU microcode blacklisted by nvidia drivers]]> http://dev1galaxy.org/viewtopic.php?pid=17052#p17052 Micronaut wrote:

a comment that says it's not safe to allow microcode

No, it says that it's not safe to allow an attempted update when the microcode module autoloads.

Is your system vulnerable to Spectre/Meltdown? Check the /sys values reported by the kernel.

]]> Sun, 14 Jul 2019 12:41:42 +0000 http://dev1galaxy.org/viewtopic.php?pid=17052#p17052 <![CDATA[Re: CPU microcode blacklisted by nvidia drivers]]> http://dev1galaxy.org/viewtopic.php?pid=17031#p17031 As I said, it's got one active line. And a comment that says it's not safe to allow microcode. Here is the full content:

# The microcode module attempts to apply a microcode update when
# it autoloads.  This is not always safe, so we block it by default.
blacklist microcode
]]> Sat, 13 Jul 2019 21:22:47 +0000 http://dev1galaxy.org/viewtopic.php?pid=17031#p17031 <![CDATA[Re: CPU microcode blacklisted by nvidia drivers]]> http://dev1galaxy.org/viewtopic.php?pid=17007#p17007 Micronaut wrote:

The file is named "intel-microcode-blacklist.conf" and it has a line that simply says "blacklist microcode" -- meaning it will block ALL microcode, I guess.

No, the µcode is baked into the initramfs so it is still applied. Read the blacklist file to find out why it is there.

The kernel reports the vulnerability status for the various Meltdown/Spectre exploits:

E485:~$ grep -R . /sys/devices/system/cpu/vulnerabilities/
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD retpoline, IBPB: conditional, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
E485:~$

But your output will be more worrying than mine because of your unfortunate choice of CPU manufacturer big_smile

]]> Sat, 13 Jul 2019 08:09:46 +0000 http://dev1galaxy.org/viewtopic.php?pid=17007#p17007 <![CDATA[CPU microcode blacklisted by nvidia drivers]]> http://dev1galaxy.org/viewtopic.php?pid=16996#p16996 While researching the mysterious nvidia non-specific boot error message, I found something else annoying. The nvidia drivers install a blacklist that prevents microcode from being loaded for Intel CPUs! The file is named "intel-microcode-blacklist.conf" and it has a line that simply says "blacklist microcode" -- meaning it will block ALL microcode, I guess. Why? This is now very important with the meltdown/spectre issues. Granted, most cloud servers aren't going to be using nvidia video cards, so it's not an issue for them, but I am concerned that this might cause problems on a desktop with up-to-date kernels. Are there checks for the state of the CPU before the new security fixes are used? Or do they just assume that your Intel CPU is using the microcode that changes threading behavior?

]]> Sat, 13 Jul 2019 01:02:21 +0000 http://dev1galaxy.org/viewtopic.php?pid=16996#p16996