The officially official Devuan Forum!


#1 2019-07-13 01:02:21

Micronaut
Member
Registered: 2019-07-04
Posts: 201  

CPU microcode blacklisted by nvidia drivers

While researching the mysterious nvidia non-specific boot error message, I found something else annoying. The nvidia drivers install a blacklist that prevents microcode from being loaded for Intel CPUs! The file is named "intel-microcode-blacklist.conf" and it has a line that simply says "blacklist microcode" -- meaning it will block ALL microcode, I guess. Why? This is now very important with the meltdown/spectre issues. Granted, most cloud servers aren't going to be using nvidia video cards, so it's not an issue for them, but I am concerned that this might cause problems on a desktop with up-to-date kernels. Are there checks for the state of the CPU before the new security fixes are used? Or do they just assume that your Intel CPU is using the microcode that changes threading behavior?

Last edited by Micronaut (2019-07-13 01:31:51)

Offline

#2 2019-07-13 08:09:46

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: CPU microcode blacklisted by nvidia drivers

Micronaut wrote:

The file is named "intel-microcode-blacklist.conf" and it has a line that simply says "blacklist microcode" -- meaning it will block ALL microcode, I guess.

No, the µcode is baked into the initramfs so it is still applied. Read the blacklist file to find out why it is there.

The kernel reports the vulnerability status for the various Meltdown/Spectre exploits:

E485:~$ grep -R . /sys/devices/system/cpu/vulnerabilities/
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD retpoline, IBPB: conditional, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
E485:~$

But your output will be more worrying than mine because of your unfortunate choice of CPU manufacturer big_smile


Brianna Ghey — Rest In Power

Offline

#3 2019-07-13 21:22:47

Micronaut
Member
Registered: 2019-07-04
Posts: 201  

Re: CPU microcode blacklisted by nvidia drivers

As I said, it's got one active line. And a comment that says it's not safe to allow microcode. Here is the full content:

# The microcode module attempts to apply a microcode update when
# it autoloads.  This is not always safe, so we block it by default.
blacklist microcode

Offline

#4 2019-07-14 12:41:42

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: CPU microcode blacklisted by nvidia drivers

Micronaut wrote:

a comment that says it's not safe to allow microcode

No, it says that it's not safe to allow an attempted update when the microcode module autoloads.

Is your system vulnerable to Spectre/Meltdown? Check the /sys values reported by the kernel.


Brianna Ghey — Rest In Power

Offline

#5 2019-07-14 20:20:32

Micronaut
Member
Registered: 2019-07-04
Posts: 201  

Re: CPU microcode blacklisted by nvidia drivers

Yes, I have a very old CPU but I'm sure it has at least some vulnerabilities. There was a paper published back in the 90s describing the potential security problems with speculative execution. Apparently Intel ignored it. But the worst vulnerabilities are probably in the latest generations due to the increasing use of speculative execution and other tricks to get all that performance. It will be interesting to see what happens with their new generation of CPUs after this problem became public.

grep -R . /sys/devices/system/cpu/vulnerabilities/
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: EPT disabled
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI

Gory details on the CPU itself:

cat /proc/cpuinfo

processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 15
model name	: Intel(R) Core(TM)2 Quad CPU    Q6600  @ 2.40GHz
stepping	: 11
microcode	: 0xba
cpu MHz		: 1800.000
cache size	: 4096 KB
physical id	: 0
siblings	: 4
core id		: 0
cpu cores	: 4
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm lahf_lm kaiser tpr_shadow vnmi flexpriority dtherm
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds
bogomips	: 5394.85
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

processor	: 1
vendor_id	: GenuineIntel
cpu family	: 6
model		: 15
model name	: Intel(R) Core(TM)2 Quad CPU    Q6600  @ 2.40GHz
stepping	: 11
microcode	: 0xba
cpu MHz		: 1800.000
cache size	: 4096 KB
physical id	: 0
siblings	: 4
core id		: 2
cpu cores	: 4
apicid		: 2
initial apicid	: 2
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm lahf_lm kaiser tpr_shadow vnmi flexpriority dtherm
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds
bogomips	: 5394.85
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

processor	: 2
vendor_id	: GenuineIntel
cpu family	: 6
model		: 15
model name	: Intel(R) Core(TM)2 Quad CPU    Q6600  @ 2.40GHz
stepping	: 11
microcode	: 0xba
cpu MHz		: 1800.000
cache size	: 4096 KB
physical id	: 0
siblings	: 4
core id		: 1
cpu cores	: 4
apicid		: 1
initial apicid	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm lahf_lm kaiser tpr_shadow vnmi flexpriority dtherm
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds
bogomips	: 5394.85
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

processor	: 3
vendor_id	: GenuineIntel
cpu family	: 6
model		: 15
model name	: Intel(R) Core(TM)2 Quad CPU    Q6600  @ 2.40GHz
stepping	: 11
microcode	: 0xba
cpu MHz		: 1800.000
cache size	: 4096 KB
physical id	: 0
siblings	: 4
core id		: 3
cpu cores	: 4
apicid		: 3
initial apicid	: 3
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good nopl aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm lahf_lm kaiser tpr_shadow vnmi flexpriority dtherm
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds
bogomips	: 5394.85
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

Offline
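An added example, not part of the thread and not from Devuan or the nvidia package: one POSIX shell script that does the three checks discussed in posts #2 to #5 (read the kernel's /sys/devices/system/cpu/vulnerabilities/ report and flag entries that are still "Vulnerable" or waiting on microcode, read the microcode revision and "bugs" line from /proc/cpuinfo, and look for a modprobe file that blacklists the microcode module). Function and tag names are mine; the paths default to the live locations but can be pointed at copied files.

```shell
#!/bin/sh
# Added example (not from the thread): one script for the three checks
# discussed above. Paths are parameters so the functions can also run
# against copied files; the defaults are the live system locations.

# Print one line per file in the sysfs vulnerabilities directory and
# return the number of entries whose status starts with "Vulnerable".
# A status mentioning "no microcode" (the mds line in post #5) is the
# case where a missing microcode update leaves a mitigation incomplete.
audit_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case "$status" in
            *"no microcode"*) tag="FAIL(no ucode)"; bad=$((bad + 1)) ;;
            Vulnerable*)      tag="FAIL";           bad=$((bad + 1)) ;;
            Mitigation*)      tag="ok" ;;
            "Not affected")   tag="n/a" ;;
            *)                tag="??" ;;
        esac
        printf '%-15s %-18s %s\n' "$tag" "$(basename "$f")" "$status"
    done
    return "$bad"
}

# Microcode revision of the first processor in a cpuinfo file.
microcode_rev() {
    awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Succeed if BUG (e.g. mds) is named in the cpuinfo "bugs" line.
cpu_has_bug() {
    grep -m1 '^bugs' "${2:-/proc/cpuinfo}" | grep -qw "$1"
}

# Succeed if any modprobe .conf in DIR blacklists the microcode module,
# which is what the nvidia package's intel-microcode-blacklist.conf does.
microcode_module_blacklisted() {
    grep -qs '^[[:space:]]*blacklist[[:space:]][[:space:]]*microcode[[:space:]]*$' \
        "${1:-/etc/modprobe.d}"/*.conf
}

# Stand-alone use: sh audit.sh --live  (non-zero exit = open items)
if [ "${1:-}" = "--live" ]; then
    audit_vulns; echo "microcode: $(microcode_rev)"
    microcode_module_blacklisted && echo "note: microcode module is blacklisted"
fi
```

A blacklisted module only matters if the initramfs does not already carry the update, so the sysfs report, not the blacklist file, is the thing to act on.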

#6 2019-07-14 20:47:14

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: CPU microcode blacklisted by nvidia drivers

Intel are only issuing fixes for certain CPUs, I don't think yours is covered. They really are a bunch of incompetent twats.

https://www.intel.com/content/dam/www/p … idance.pdf


Brianna Ghey — Rest In Power

Offline

#7 2019-07-14 21:38:52

Dutch_Master
Member
Registered: 2018-05-31
Posts: 275  

Re: CPU microcode blacklisted by nvidia drivers

I wonder how an AMD Ryzen-9 proc would fare wink

And I reckon now they're out (launched last week), the Ryzen-3 series will become dirt cheap. And TTBOMK (to the best of my knowledge) AMD doesn't suffer from Intel's security holes in their proc's.

Offline

#8 2019-07-14 22:08:06

Micronaut
Member
Registered: 2019-07-04
Posts: 201  

Re: CPU microcode blacklisted by nvidia drivers

From what I have been reading on Slashdot, they have far fewer vulnerabilities than Intel, but not none. Broadly, they tend to have a few of the "Spectre" problems, but nothing in the "Meltdown" category, which is mostly an Intel-specific problem. Quite a bit is riding on how secure this next generation of Intel processors turns out to be.

Offline

#9 2019-07-15 20:04:08

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: CPU microcode blacklisted by nvidia drivers

Dutch_Master wrote:

I wonder how an AMD Ryzen-9 proc would fare

My posted output is from a Ryzen 5 2500u. It doesn't suffer the MDS, L1TF or Meltdown vulnerabilities.


Brianna Ghey — Rest In Power

Offline
