ANNOUNCEMENT: Intel processor microcode security update
THIS ANNOUNCEMENT IS ONLY RELEVANT TO SYSTEMS THAT HAVE INTEL
MICROPROCESSORS.
Intel has released a microcode update that fixes at least one severe fault
on every desktop and mobile Intel Core i* and server Intel Xeon system
processor models since (and including) the 1st generation Core-i3/i5/i7 and
Xeon 3500/5500.
Updated microcode packages are available for Debian unstable, Debian
testing, Debian "wheezy-backports", and Debian "stable-proposed-updates".
== What is a processor microcode update? ==
Microcode is a control sequence/program that implements several internal
functions of the system processor (CPU).
A microcode update can fix many classes of processor defects. The Linux
kernel can send a microcode update to the processor when one is supplied by
the operating system (Debian).
The microcode update has to be applied every time the processor is reset or
powered off: it doesn't "stick". Therefore, Debian has to install this
microcode update to the initramfs, so as to apply it every time the computer
boots.
Note: the microcode update is applied immediately when you install the
packages, you do not need to reboot. Howerver, we need to install the
update to the initramfs so that the update will not be _lost_ when you
reboot or power off the computer.
== Installing the Intel microcode update packages ==
Please install the "iucode-tool" package (from contrib) and the
"intel-microcode" package (from non-free).
http://packages.debian.org/search?keywords=iucode-tool
http://packages.debian.org/search?keywords=intel-microcode
This will be enough for Debian testing and Debian unstable users, but see
below about multiple kernels.
DEBIAN STABLE USERS NEED TO GET THE UPDATE FROM "PROPOSED-UPDATES" OR
FROM "BACKPORTS", SEE BELOW FOR STABLE UPDATE INSTRUCTIONS.
You must also update the initramfs so that the processor microcode will be
updated after a reboot/power off. The packages will try to do it
automatically for the running kernel and that should be enough for most
users.
However, if you use several different kernels, please update all the
initramfs images running "update-initramfs -k all -u" as root.
== Installing updated packages for Debian Stable ==
The updated intel-microcode package will be automatically available to all
Debian Stable users (that enabled "contrib" and "non-free" packages) only
after the next Debian Stable point release, which might happen in a couple
weeks.
However, Debian Stable users can receive the updates scheduled for the next
Stable point release early, and that includes this intel-microcode update.
The preferred way to get early stable updates is to configure the package
management system to use the "stable-proposed-updates" distribution.
To enable the "stable-proposed-updates", please read about it here:
http://www.debian.org/releases/proposed-updates.html
https://wiki.debian.org/StableProposedUpdates
Alternatively, you can install the packages manually. To get the updated
packages directly, please install the current "intel-microcode" and
"iucode-tool" packages normally, then download and install the updated
"intel-microcode" package directly:
apt-get install iucode-tool intel-microcode
For 64-bit installs, download:
http://http.debian.net/pool/non-free/i/intel-microcode_1.20130808.0+deb7u1_amd64.deb
For 32-bit installs, download:
http://http.debian.net/pool/non-free/i/intel-microcode_1.20130808.0+deb7u1_i386.deb
use "dpkg -i" to install the correct .deb file. You need to be root.
== Installing the update through backported packages (Linux 3.10+) ==
If you use Debian wheezy/stable *and* also a custom Linux kernel 3.10 or
later, please use the backported packages for enhanced functionality. You
*must* make sure to enable CONFIG_MICROCODE_EARLY and
CONFIG_MICROCODE_INTEL_EARLY "CONFIG_MICROCODE_EARLY" when you build the
Linux kernel.
How to enable the backports repository in Debian Wheezy:
http://backports.debian.org/Instructions/
To update/install iucode-tool from backports:
apt-get update
apt-get install -t wheezy-backports iucode-tool intel-microcode amd64-microcode
Updated backports of "amd64-microcode" were also provided to avoid bad
interactions with intel-microcode. The up-to-date amd64-microcode package
will be inactive in a system with an Intel processor, and it is very small.
== What do we know about this specific Intel microcode update (20130808)? ==
Intel doesn't publish to the general public much data about microcode
updates, therefore we only have very spotty information about update
20130808, gathered from several sources:
1. It fixes a critical erratum, classified by Intel as a security issue,
that affects any server running 32-bit VMs in PAE mode.
Erratum AAK167/BT248: "If a logical processor has EPT (Extended Page
Tables) enabled, is using 32-bit PAE paging, and accesses the
virtual-APIC page then a complex sequence of internal processor
micro-architectural events may cause an incorrect address translation or
machine check on either logical processor. This erratum may result in
unexpected faults, an uncorrectable TLB error logged in
IA32_MCI_STATUS.MCACOD bits [15:0], a guest or hypervisor crash, or
other unpredictable system behavior"
2. It might fix other errata. For example, it might fix erratum
AAK170/BT246: The upper 32 bits of CR3 may be incorrectly used with 32-bit
paging.
3. It recently came to my attention that this microcode update might forbid
unsupported (by Intel) overclocking on 4th gen Core "K" processors installed
on motherboards that lack a Z-series chipset.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Reply to: