I am sure that the latest Devuan 2.0 Linux kernels contain the patches to counteract these processor flaws. However, I keep reading that these also require new Microcode to be installed.
Does Devuan do this in the "initrd.img-4.9.0-7-amd64" file processed by GRUB at boot time? I looked inside this cpio.gz compressed file system, but couldn't see any references to microcode. I also couldn't see anything in the sysvinit or openrc init scripts that are related to microcode.
Is there a way to see what microcode is present in a running kernel from the Devuan command line? The only message from "dmesg" that refers to microcode is something like
microcode: sig=0x206a7, pf=0x10, revision=0x25
Now that new Spectre-like bugs are being published, what are the mechanisms in Devuan for keeping us safe?
thanks, jacksprat
Offline
Proprietary blobs will usually live in the "non-free" repository. Assuming you have that and "contrib" enabled then you should be able to install Intel microcode (and reboot).
But more Intel flaws just in: https://www.theregister.co.uk/2018/08/1 … ault_bugs/
And you can probably expect more...
Offline
thanks: I used Synaptic to select all repos, but the only "non-free" ones were marked "cdrom:[devuan_ascii...]" and would not be selected. The only package that looked appropriate was firmware-linux-free, which was already installed.
Offline
The package you want is called intel-microcode and is in non-free.
apt policy intel-microcode
intel-microcode:
Installiert: 3.20180703.2~bpo9+1
Installationskandidat: 3.20180703.2~bpo9+1
Versionstabelle:
*** 3.20180703.2~bpo9+1 100
100 http://de.deb.devuan.org/merged ascii-backports/non-free amd64 Packages
100 /var/lib/dpkg/status
3.20180425.1~deb9u1 500
500 http://de.deb.devuan.org/merged ascii/non-free amd64 Packages
Offline
thanks. I am struggling to get access to these packages. My /etc/apt/sources.list file now contains:
deb http://gb.deb.devuan.org/merged/ ascii main
deb-src http://gb.deb.devuan.org/merged/ ascii main
deb http://gb.deb.devuan.org/merged/ ascii/non-free main
deb-src http://gb.deb.devuan.org/merged/ ascii/non-free main
deb http://gb.deb.devuan.org/merged/ ascii-backports/non-free main
deb-src http://gb.deb.devuan.org/merged/ ascii-backports/non-free main
deb http://gb.deb.devuan.org/merged/ ascii-security main
deb-src http://gb.deb.devuan.org/merged/ ascii-security main
deb http://gb.deb.devuan.org/merged/ ascii-updates main
deb-src http://gb.deb.devuan.org/merged/ ascii-updates main
Yet when I try
apt-get install intel-microcode
I get nothing. Also
apt policy intel-microcode
says that it is unable to find the package. I must be doing something wrong, but can't see it [at the limit of my experience here].
Offline
Did you do an...
apt-get update
...after adding non-free?
I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.
Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned.
Offline
deb http://gb.deb.devuan.org/merged/ ascii main
deb-src http://gb.deb.devuan.org/merged/ ascii main
deb http://gb.deb.devuan.org/merged/ ascii/non-free main
deb-src http://gb.deb.devuan.org/merged/ ascii/non-free main
deb http://gb.deb.devuan.org/merged/ ascii-backports/non-free main
deb-src http://gb.deb.devuan.org/merged/ ascii-backports/non-free main
deb http://gb.deb.devuan.org/merged/ ascii-security main
deb-src http://gb.deb.devuan.org/merged/ ascii-security main
deb http://gb.deb.devuan.org/merged/ ascii-updates main
deb-src http://gb.deb.devuan.org/merged/ ascii-updates main
Looks like I see a couple of issues with your sources.list also.
1. It appears that you have the two top lines listed twice...once with ascii main...then listed again with ascii/non-free main
2. I believe that you have extra / marks where they aren't needed. Perhaps try making this your sources.list, then try again? Remember to apt-get update if you change your sources.list.
deb http://gb.deb.devuan.org/merged/ ascii main non-free
deb-src http://gb.deb.devuan.org/merged/ ascii main non-free
deb http://gb.deb.devuan.org/merged/ ascii-backports main non-free
deb-src http://gb.deb.devuan.org/merged/ ascii-backports main non-free
deb http://gb.deb.devuan.org/merged/ ascii-security main
deb-src http://gb.deb.devuan.org/merged/ ascii-security main
deb http://gb.deb.devuan.org/merged/ ascii-updates main
deb-src http://gb.deb.devuan.org/merged/ ascii-updates main
Also, you can comment out the deb-src lines...unless you need them for building things from source.
Here is my sources.list for comparison...
deb http://deb.devuan.org/merged/ ascii main non-free contrib
#deb-src http://deb.devuan.org/merged/ ascii main non-free contrib
deb http://deb.devuan.org/merged/ ascii-security main contrib non-free
#deb-src http://deb.devuan.org/merged/ ascii-security main contrib non-free
deb http://deb.devuan.org/merged/ ascii-updates main contrib non-free
#deb-src http://deb.devuan.org/merged/ ascii-updates main contrib non-free
deb http://deb.devuan.org/merged/ ascii-backports main contrib non-free
#deb-src http://deb.devuan.org/merged/ ascii-backports main contrib non-free
Last edited by MiyoLinux (2018-08-16 23:50:29)
Offline
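Added example, not part of any post in this thread: a small lint for the sources.list mistake discussed above, where a component such as non-free is appended to the suite ("ascii/non-free main") instead of being listed after it ("ascii main non-free"). The function names lint_sources and has_component are hypothetical, and only the classic one-line "deb ..." format is handled.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Lints one-line APT source entries for the mistake discussed above.

# Report entries such as "deb URL ascii/non-free main", where a component
# name was appended to the suite instead of listed after it.
lint_sources() {
    awk '
        $1 != "deb" && $1 != "deb-src" { next }   # skips comments and blanks
        {
            i = 2                                  # field holding the URI
            if ($i ~ /^\[/) {                      # skip "[options]"
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            suite = $(i + 1)
            n = split(suite, part, "/")
            last = part[n]
            # "stretch/updates" style suites are legitimate; only flag
            # a trailing path element that is really a component name.
            if (n > 1 && (last == "main" || last == "contrib" || last == "non-free"))
                printf "%d: suite \"%s\" embeds component \"%s\"\n", NR, suite, last
        }' "$1"
}

# Succeed if an active "deb" entry lists component $2 after its suite.
has_component() {
    awk -v want="$2" '
        $1 == "deb" {
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            for (j = i + 2; j <= NF; j++) if ($j == want) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Check the live file when run with --check.
if [ "${1:-}" = "--check" ]; then
    lint_sources /etc/apt/sources.list
    has_component /etc/apt/sources.list non-free ||
        echo "non-free is not enabled; intel-microcode will not be found"
fi
```

Run it as `sh script.sh --check` before `apt-get update`; a clean result means the non-free packages index will actually be fetched.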
You will also need the contrib repository.
Offline
I also tried:
apt-get update >/tmp/zzzz
and get error messages on stderr:
W: The repository 'http://gb.deb.devuan.org/merged ascii/non-free Release' does not have a Release file.
W: The repository 'http://gb.deb.devuan.org/merged ascii-backports/non-free Release' does not have a Release file.
E: Failed to fetch http://gb.deb.devuan.org/merged/dists/a … ce/Sources 404 Not Found [IP: 31.220.0.151 80]
E: Failed to fetch http://gb.deb.devuan.org/merged/dists/a … ce/Sources 404 Not Found [IP: 31.220.0.151 80]
E: Some index files failed to download. They have been ignored, or old ones used instead.
which I do not understand, but maybe they mean something to someone.
Offline
thanks, and sorry: I was not reading carefully. When I cut and paste your sources.list file, and do apt-get update, then I can install intel-microcode! /lib/firmware/intel-ucode now exists, and I have to assume that the Linux kernel finds this during boot [but I don't know how to interrogate the running kernel to prove this]. Is it safe to also install amd-microcode, or do they interfere? Anyway, thanks for getting me this far.
Offline
As explained above, you need to fix your sources.list.
This is wrong:
deb http://gb.deb.devuan.org/merged/ ascii/non-free main
This is right:
deb http://gb.deb.devuan.org/merged/ ascii main contrib non-free
Make similar changes in the other lines and update the cache again.
Edit: Ah, you posted while I was typing.
The microcode will be inserted into the initrd when you install the package. I think you can have both the amd and intel packages installed, but only the one for your processor will be in the initrd.
Offline
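Added example, not part of any post in this thread: one way to answer the question of how to interrogate the running kernel, and to check whether the initrd carries microcode. It assumes the package's initramfs hook prepends the microcode as a separate uncompressed cpio archive in front of the compressed initrd (the usual early-load layout); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): confirm which microcode the running
# kernel uses and whether the initrd carries an early-load microcode archive.
# Function names are hypothetical.

# Revision the kernel reports, e.g. "0x25" (first CPU entry only).
ucode_revision() {
    awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Same value from a dmesg line like the one quoted in the thread (stdin).
ucode_revision_from_dmesg() {
    sed -n '/microcode:/s/.*revision=\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Succeed if revision $1 is numerically lower than revision $2.
ucode_older_than() {
    [ "$(($1))" -lt "$(($2))" ]
}

# Assumption: early microcode sits in an *uncompressed* cpio archive placed
# before the gzip part, so unpacking only the gzip part does not show it.
# Its path appears in clear text near the start of the file.
initrd_has_early_ucode() {
    head -c 4096 "$1" | LC_ALL=C grep -aq 'kernel/x86/microcode'
}

# Live report; run the script with --live on the machine being checked.
if [ "${1:-}" = "--live" ]; then
    echo "running revision: $(ucode_revision)"
    initrd="/boot/initrd.img-$(uname -r)"
    if initrd_has_early_ucode "$initrd"; then
        echo "$initrd: early microcode archive present"
    else
        echo "$initrd: no early microcode archive found"
    fi
    # Kernel-side mitigation status, one file per known issue.
    grep -r . /sys/devices/system/cpu/vulnerabilities/ 2>/dev/null
fi
```

Compare the revision before and after installing the package and rebooting; if it is unchanged, the package may simply contain nothing newer for that CPU signature.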
Just for information, I ran the spectre-meltdown-checker.sh script in speed47's GitHub repo, and it says that the hardware [microcode] does nothing to help with these Intel bugs. I have version 0x25 and latest known version is 0x2e. So the only protection comes from the kernel mitigations. Feel old..
Offline
As I recall, "Spectre" variant 1 is not mitigated via microcode updates. Only "Meltdown" and "Spectre" variant 2 are fixable this way.
You also have "TLBleed" and "Foreshadow" to worry about...
If you have doubts, get and build a new kernel from kernel.org.
Offline
In reality if you want to get rid of this Intel mess, we all would need new hardware. The microcode and fixes on software level won't cut it.
Now we can all see why we should buy 100 % open hardware.
Offline
Open hardware is too far in the future for me. I had hoped that older AMD processors would be less of a rat's nest than Intel ones, but even the latest Ryzen2 processors are heavily invested in speculative execution. Arm stands a better chance, but even they dabble in attackable speculative execution and are not immune. What a mess..
Last edited by jacksprat (2018-08-17 19:58:53)
Offline
The only really effective counter to Spectre is not to allow any untrustworthy code to run on your system. Or assume that any code running on it can read (but not update) everything in memory on it. There is no CPU on the market now where you can guarantee there is no exploitable side channel that would leak memory contents.
Chris
Offline