The officially official Devuan Forum!

#1 2018-08-15 19:28:52

jacksprat
Member
Registered: 2017-11-10
Posts: 7  

Microcode to fight Spectre and Meltdown cpu flaws

I am sure that the latest Devuan 2.0 Linux kernels contain the patches to counteract these processor flaws.  However, I keep reading that these also require new Microcode to be installed. 

Does Devuan do this in the "initrd.img-4.9.0-7-amd64" file processed by GRUB at boot time? I looked inside this cpio.gz compressed file system, but couldn't see any references to microcode.  I also couldn't see anything in the sysvinit or openrc init scripts that are related to microcode.

Is there a way to see what microcode is present in a running kernel from the Devuan command line?  The only message from "dmesg" that refers to microcode is something like

  microcode:  sig=0x206a7, pf=0x10, revision=0x25

Now that new Spectre-like bugs are being published, what are the mechanisms in Devuan for keeping us safe?

thanks, jacksprat

#2 2018-08-16 08:47:16

cynwulf
Member
Registered: 2017-10-09
Posts: 181  

Re: Microcode to fight Spectre and Meltdown cpu flaws

Proprietary blobs will usually live in the "non-free" repository.  Assuming you have that and "contrib" enabled then you should be able to install Intel microcode (and reboot).

But more Intel flaws just in: https://www.theregister.co.uk/2018/08/1 … ault_bugs/

And you can probably expect more...

#3 2018-08-16 10:46:28

jacksprat
Member
Registered: 2017-11-10
Posts: 7  

Re: Microcode to fight Spectre and Meltdown cpu flaws

thanks:  I used Synaptic to select all repos, but the only "non-free" ones were marked "cdrom:[devuan_ascii...]" and would not be selected.  The only package that looked appropriate was firmware-linux-free, which was already installed.

#4 2018-08-16 21:08:51

ivanovnegro
Member
Registered: 2018-05-15
Posts: 57  

Re: Microcode to fight Spectre and Meltdown cpu flaws

The package you want is called intel-microcode and is in non-free.

apt policy intel-microcode
intel-microcode:
  Installiert:           3.20180703.2~bpo9+1
  Installationskandidat: 3.20180703.2~bpo9+1
  Versionstabelle:
 *** 3.20180703.2~bpo9+1 100
        100 http://de.deb.devuan.org/merged ascii-backports/non-free amd64 Packages
        100 /var/lib/dpkg/status
     3.20180425.1~deb9u1 500
        500 http://de.deb.devuan.org/merged ascii/non-free amd64 Packages

#5 2018-08-16 23:02:58

jacksprat
Member
Registered: 2017-11-10
Posts: 7  

Re: Microcode to fight Spectre and Meltdown cpu flaws

thanks.  I am struggling to get access to these packages.  My /etc/apt/sources.list file now contains:

deb http://gb.deb.devuan.org/merged/ ascii main
deb-src http://gb.deb.devuan.org/merged/ ascii main

deb http://gb.deb.devuan.org/merged/ ascii/non-free main
deb-src http://gb.deb.devuan.org/merged/ ascii/non-free main

deb http://gb.deb.devuan.org/merged/ ascii-backports/non-free main
deb-src http://gb.deb.devuan.org/merged/ ascii-backports/non-free main

deb http://gb.deb.devuan.org/merged/ ascii-security main
deb-src http://gb.deb.devuan.org/merged/ ascii-security main

deb http://gb.deb.devuan.org/merged/ ascii-updates main
deb-src http://gb.deb.devuan.org/merged/ ascii-updates main

Yet when I try

   apt-get install intel-microcode

I get nothing. Also

  apt policy intel-microcode

says that it is unable to find the package.  I must be doing something wrong, but can't see it [at the limit of my experience here].

#6 2018-08-16 23:24:59

MiyoLinux
Member
Registered: 2016-12-05
Posts: 741  

Re: Microcode to fight Spectre and Meltdown cpu flaws

Did you do an...

apt-get update

...after adding non-free?


I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.

Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned.

#7 2018-08-16 23:47:50

MiyoLinux
Member
Registered: 2016-12-05
Posts: 741  

Re: Microcode to fight Spectre and Meltdown cpu flaws

jacksprat wrote:

deb http://gb.deb.devuan.org/merged/ ascii main
deb-src http://gb.deb.devuan.org/merged/ ascii main

deb http://gb.deb.devuan.org/merged/ ascii/non-free main
deb-src http://gb.deb.devuan.org/merged/ ascii/non-free main

deb http://gb.deb.devuan.org/merged/ ascii-backports/non-free main
deb-src http://gb.deb.devuan.org/merged/ ascii-backports/non-free main

deb http://gb.deb.devuan.org/merged/ ascii-security main
deb-src http://gb.deb.devuan.org/merged/ ascii-security main

deb http://gb.deb.devuan.org/merged/ ascii-updates main
deb-src http://gb.deb.devuan.org/merged/ ascii-updates main

Looks like I see a couple of issues with your sources.list also.

1.  It appears that you have the two top lines listed twice...once with ascii main...then listed again with ascii/non-free main

2. I believe that you have extra / marks where they aren't needed. Perhaps try making this your sources.list, then try again? Remember to apt-get update if you change your sources.list. 

deb http://gb.deb.devuan.org/merged/ ascii main non-free
deb-src http://gb.deb.devuan.org/merged/ ascii main non-free

deb http://gb.deb.devuan.org/merged/ ascii-backports main non-free
deb-src http://gb.deb.devuan.org/merged/ ascii-backports main non-free

deb http://gb.deb.devuan.org/merged/ ascii-security main 
deb-src http://gb.deb.devuan.org/merged/ ascii-security main

deb http://gb.deb.devuan.org/merged/ ascii-updates main 
deb-src http://gb.deb.devuan.org/merged/ ascii-updates main

Also, you can comment out the deb-src lines...unless you need them for building things from source.

Here is my sources.list for comparison...

deb http://deb.devuan.org/merged/ ascii main non-free contrib
#deb-src http://deb.devuan.org/merged/ ascii main non-free contrib

deb http://deb.devuan.org/merged/ ascii-security main contrib non-free
#deb-src http://deb.devuan.org/merged/ ascii-security main contrib non-free

deb http://deb.devuan.org/merged/ ascii-updates main contrib non-free
#deb-src http://deb.devuan.org/merged/ ascii-updates main contrib non-free

deb http://deb.devuan.org/merged/ ascii-backports main contrib non-free
#deb-src http://deb.devuan.org/merged/ ascii-backports main contrib non-free

Last edited by MiyoLinux (2018-08-16 23:50:29)


#8 2018-08-17 07:58:00

cynwulf
Member
Registered: 2017-10-09
Posts: 181  

Re: Microcode to fight Spectre and Meltdown cpu flaws

You will also need the contrib repository.

#9 2018-08-17 10:25:56

jacksprat
Member
Registered: 2017-11-10
Posts: 7  

Re: Microcode to fight Spectre and Meltdown cpu flaws

I also tried:

  apt-get update >/tmp/zzzz

and get error messages on stderr:

W: The repository 'http://gb.deb.devuan.org/merged ascii/non-free Release' does not have a Release file.
W: The repository 'http://gb.deb.devuan.org/merged ascii-backports/non-free Release' does not have a Release file.
E: Failed to fetch http://gb.deb.devuan.org/merged/dists/a … ce/Sources  404  Not Found [IP: 31.220.0.151 80]
E: Failed to fetch http://gb.deb.devuan.org/merged/dists/a … ce/Sources  404  Not Found [IP: 31.220.0.151 80]
E: Some index files failed to download. They have been ignored, or old ones used instead.

which I do not understand, but maybe they mean something to someone.

#10 2018-08-17 11:28:11

jacksprat
Member
Registered: 2017-11-10
Posts: 7  

Re: Microcode to fight Spectre and Meltdown cpu flaws

Thanks, and sorry: I was not reading carefully. When I cut and paste your sources.list file, and do apt-get update, then I can install intel-microcode! /lib/firmware/intel-ucode now exists, and I have to assume that the Linux kernel finds this during boot [but I don't know how to interrogate the running kernel to prove this]. Is it safe to also install amd-microcode, or do they interfere? Anyway, thanks for getting me this far.

#11 2018-08-17 11:30:44

fsmithred
Administrator
Registered: 2016-11-25
Posts: 912  

Re: Microcode to fight Spectre and Meltdown cpu flaws

As explained above, you need to fix your sources.list.

This is wrong:

deb http://gb.deb.devuan.org/merged/ ascii/non-free main

This is right:

deb http://gb.deb.devuan.org/merged/ ascii main contrib non-free

Make similar changes in the other lines and update the cache again.

Edit: Ah, you posted while I was typing.

The microcode will be inserted into the initrd when you install the package. I think you can have both the amd and intel packages installed, but only the one for your processor will be in the initrd.
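
The sources.list mistake corrected in this thread can be caught mechanically. The shell sketch below is an added example, not code from any poster or from Devuan; the function names are made up here, and the sample lines are taken from post #5 plus one constructed commented-out entry.

```shell
#!/bin/sh
# Added example: lint one-line apt source entries.
# Entry layout: TYPE URI SUITE COMPONENT [COMPONENT...]

# Print active entries, prefixed by line number, with [options] and
# bracketed cdrom labels stripped so that the fields split cleanly.
active_entries() {
    sed 's/\[[^]]*\]//g' "$1" | awk '$1 == "deb" || $1 == "deb-src" { print NR, $0 }'
}

# Flag suites such as "ascii/non-free", where a component name was glued
# onto the suite. Prints one finding per line; returns 1 if any were found.
lint_sources() {
    active_entries "$1" | awk '
        {
            n = split($4, part, "/")
            last = part[n]
            if (n > 1 && (last == "main" || last == "contrib" || last == "non-free")) {
                suite = substr($4, 1, length($4) - length(last) - 1)
                printf "line %d: suite \"%s\" should be \"%s\" with \"%s\" listed as a component\n", $1, $4, suite, last
                bad = 1
            }
        }
        END { exit bad + 0 }'
}

# Succeeds if any active binary ("deb") entry lists the given component.
has_component() {
    active_entries "$1" | awk -v want="$2" '
        $2 == "deb" { for (i = 5; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }'
}

# Sample input: lines from post #5, plus one constructed commented-out entry.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
deb http://gb.deb.devuan.org/merged/ ascii main
deb http://gb.deb.devuan.org/merged/ ascii/non-free main
deb http://gb.deb.devuan.org/merged/ ascii-backports/non-free main
#deb-src http://gb.deb.devuan.org/merged/ ascii-security main
EOF

lint_sources "$SAMPLE" || echo "fix the lines above, then run apt-get update"
has_component "$SAMPLE" non-free || echo "non-free is not enabled as a component"
```

Although the string "non-free" appears in the sample file, it never appears in a component position, which is why the package could not be found.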

#12 2018-08-17 11:55:35

jacksprat
Member
Registered: 2017-11-10
Posts: 7  

Re: Microcode to fight Spectre and Meltdown cpu flaws

Just for information, I ran the spectre-meltdown-checker.sh script in speed47's GitHub repo, and it says that the hardware [microcode] does nothing to help with these Intel bugs. I have version 0x25 and latest known version is 0x2e. So the only protection comes from the kernel mitigations. Feel old..
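
On the question of how to see which microcode revision is loaded: the script below is an added example, not part of any post, and its function names are hypothetical. It reads the revision from a kernel log line like the one in post #1 or from /proc/cpuinfo, compares it with the 0x2e figure reported in post #12, and prints the kernel's mitigation status from /sys/devices/system/cpu/vulnerabilities where the kernel exposes that directory.

```shell
#!/bin/sh
# Added example: report the loaded microcode revision and mitigation status.

# Revision from /proc/cpuinfo-style text ("microcode : 0x25"); first CPU only.
cpuinfo_revision() {
    awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Revision from a kernel log line such as the one quoted in post #1.
dmesg_revision() {
    printf '%s\n' "$1" |
        sed -n 's/.*microcode:.*revision=\(0x[0-9a-fA-F]*\).*/\1/p'
}

# Succeeds when the first revision is numerically lower than the second.
is_older() {
    [ "$(($1))" -lt "$(($2))" ]
}

# One line per file in the kernel's vulnerabilities directory, if present.
mitigation_report() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ ! -d "$dir" ]; then
        echo "no vulnerabilities directory at $dir"
        return 0
    fi
    for f in "$dir"/*; do
        if [ -f "$f" ]; then
            printf '%s: %s\n' "${f##*/}" "$(cat "$f")"
        fi
    done
}

LOG_LINE='microcode: sig=0x206a7, pf=0x10, revision=0x25'  # from post #1
LATEST=0x2e                                                # from post #12
running=$(dmesg_revision "$LOG_LINE")
if is_older "$running" "$LATEST"; then
    echo "loaded microcode $running is older than $LATEST"
fi

# Live values, where the running system provides them.
if [ -r /proc/cpuinfo ]; then
    echo "this machine: microcode $(cpuinfo_revision)"
fi
mitigation_report
```

Comparing the revision before and after installing the package and rebooting shows whether the early-boot update was actually applied.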

#13 2018-08-17 14:04:54

cynwulf
Member
Registered: 2017-10-09
Posts: 181  

Re: Microcode to fight Spectre and Meltdown cpu flaws

As I recall, "Spectre" variant 1 is not mitigated via microcode updates.  Only "Meltdown" and "Spectre" variant 2 are fixable this way.

You also have "TLBleed" and "Foreshadow" to worry about...

If you have doubts, get and build a new kernel from kernel.org.

#14 2018-08-17 17:02:46

ivanovnegro
Member
Registered: 2018-05-15
Posts: 57  

Re: Microcode to fight Spectre and Meltdown cpu flaws

In reality if you want to get rid of this Intel mess, we all would need new hardware. The microcode and fixes on software level won't cut it.
Now we can all see why we should buy 100 % open hardware.

#15 2018-08-17 19:52:35

jacksprat
Member
Registered: 2017-11-10
Posts: 7  

Re: Microcode to fight Spectre and Meltdown cpu flaws

Open hardware is too far in the future for me. I had hoped that older AMD processors would be less of a rat's nest than Intel ones, but even the latest Ryzen2 processors are heavily invested in speculative execution. Arm stand a better chance, but even they dabble in attackable speculative execution and are not immune. What a mess..

Last edited by jacksprat (2018-08-17 19:58:53)

#16 2018-08-24 15:52:39

chris2be8
Member
Registered: 2018-08-11
Posts: 29  

Re: Microcode to fight Spectre and Meltdown cpu flaws

The only really effective counter to Spectre is not to allow any untrustworthy code to run on your system. Or assume that any code running on it can read (but not update) everything in memory on it. There is no CPU on the market now where you can guarantee there is no exploitable side channel that would leak memory contents.

Chris
