
intel-microcode (CPU security updates) in Debian Live



[Sorry to not post this on salsa; I haven't an account there yet.]

Regarding this comment:

    https://salsa.debian.org/live-team/live-build/-/merge_requests/301#note_389659

I confirm this is still busted as at
rsync://mirror.internode.on.net/debian-cd/current-live/amd64/iso-hybrid/debian-live-12.0.0-amd64-standard.iso

I can see amd64-microcode & intel-microcode in live/filesystem.packages, but
not in live/initrd.img.  Therefore while running Debian Live, most
systems don't have security updates applied to the CPU microcode.

The fix is to put these in place BEFORE the last time update-initramfs runs:

    /etc/default/intel-microcode:

        IUCODE_TOOL_INITRAMFS=yes
        IUCODE_TOOL_SCANCPUS=no

    /etc/default/amd64-microcode:

        AMD64UCODE_INITRAMFS=yes

Preseeding a debconf option would probably be simpler, but
neither package supports that.

If you do this before those packages are installed,
you need force-confold in dpkg.cfg.d, due to
https://bugs.debian.org/981004

To verify this worked you can lsinitramfs | grep /microcode/ and check
that there's both AMD and Intel files there.
I know of no sensible way to check if SCANCPUS=no worked;
the Intel firmware blob is the same size either way,
it just has slightly more entropy if it includes security updates for
ALL Intel CPUs.  You'd have to build it with and without SCANCPUS=no,
then confirm the file sizes aren't equal.

You can also sometimes infer it is working from dmesg after booting
Debian Live on real hardware:

    BEFORE
    ------
    kernel: [Firmware Bug]: TSC_DEADLINE disabled due to Errata;
            please update microcode to version: 0x22 (or later)

    AFTER
    -----
    microcode: microcode updated early to revision 0x24, date = 2018-01-21

I've been running the above workaround for 5 years:

    https://github.com/cyberitsolutions/bootstrap2020/blob/main/debian-11-main.py#L353-L360

I'd prepare an equivalent for live-build, but
I can't get my head around live-build :-)


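The workaround described in the message above, as an added shell example that is not part of the original post, of bootstrap2020, or of live-build: it writes the two /etc/default files and a force-confold snippet into a chroot directory before the final update-initramfs run, then checks an lsinitramfs listing for both vendors' blobs. The chroot path (CHROOT, defaulting to a temporary directory), the dpkg.cfg.d file name, and the initramfs paths kernel/x86/microcode/GenuineIntel.bin and kernel/x86/microcode/AuthenticAMD.bin are assumptions; the listing fed to the check at the bottom is constructed to mimic a fixed initrd.img.

```shell
#!/bin/sh
# Added example (not from the original post or from live-build):
# stage the microcode-in-initramfs settings in a chroot before the
# final update-initramfs run, then check an lsinitramfs listing.
set -eu

# Write the three files into the chroot at $1.  The dpkg.cfg.d file
# name is an assumption; dpkg reads every file in that directory.
write_microcode_config() {
    root="$1"
    mkdir -p "$root/etc/default" "$root/etc/dpkg/dpkg.cfg.d"

    # Intel: include the blob in the initramfs, and do not trim it to
    # the CPUs of the build host (a live image boots anywhere).
    cat > "$root/etc/default/intel-microcode" <<'EOF'
IUCODE_TOOL_INITRAMFS=yes
IUCODE_TOOL_SCANCPUS=no
EOF

    cat > "$root/etc/default/amd64-microcode" <<'EOF'
AMD64UCODE_INITRAMFS=yes
EOF

    # If the files above are written before the packages are installed,
    # dpkg must keep them instead of the packages' shipped conffiles
    # (see https://bugs.debian.org/981004).
    printf 'force-confold\n' > "$root/etc/dpkg/dpkg.cfg.d/zz-microcode-confold"
}

# Read an lsinitramfs listing on stdin and succeed only if both vendors'
# microcode blobs are present.  The paths are an assumption about where
# the initramfs hooks place the blobs.
check_microcode_listing() {
    intel=0
    amd=0
    while IFS= read -r path; do
        case "$path" in
            */microcode/GenuineIntel.bin) intel=1 ;;
            */microcode/AuthenticAMD.bin) amd=1 ;;
        esac
    done
    if [ "$intel" -eq 1 ] && [ "$amd" -eq 1 ]; then
        return 0
    fi
    return 1
}

# Stand-alone run: stage the config into $CHROOT (default: a temp dir)
# and check a constructed listing that mimics a fixed initrd.img.
# Against a real image: lsinitramfs live/initrd.img | check_microcode_listing
CHROOT="${CHROOT:-$(mktemp -d)}"
write_microcode_config "$CHROOT"
printf '%s\n' \
    kernel/x86/microcode/AuthenticAMD.bin \
    kernel/x86/microcode/GenuineIntel.bin \
    | check_microcode_listing \
    && echo "both microcode blobs present" \
    || echo "microcode missing from initramfs"
```

Run it with CHROOT pointing at the live-build chroot before the last update-initramfs, then pipe the real `lsinitramfs live/initrd.img` output into check_microcode_listing on the finished image; the check only tells you both blobs are present, not whether SCANCPUS=no took effect.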