
Re: ANNOUNCEMENT: Intel processor microcode security update



at bottom :-

On 9/7/13, Henrique de Moraes Holschuh <hmh@debian.org> wrote:
> On Sat, 07 Sep 2013, shirish शिरीष wrote:
>> Would installing the intel processor microcode package and the
>> icu-tools have any benefit to me ?
>>
>>  cpuid -1 | grep 'Intel Pentium'
>>       family          = Intel Pentium Pro/II/III/Celeron/Core/Core
>> 2/Atom, AMD Athlon/Duron, Cyrix M2, VIA C3 (6)
>>    (synth) = Intel Pentium Dual-Core Processor E5000/E6000 (Wolfdale R0),
>> 45nm
>
> Probably yes.
>
>> The CPU is around 7 yrs. old hence curious if this will improve the CPU or
>> not ?
>
> I feel the easiest way to know this is to actually install the packages and
> check whether the kernel reports it updated microcode or not in
> /var/log/kern.log.
>
> Here's an example:
>
> 	grep 'microcode.*update' /var/log/kern.log
>
> 	kernel: microcode: CPU0 updated to revision 0xab, date = ZZZZ-ZZ-ZZ
>
> If you want to verify it manually, you need to know the numeric signature
> of the processor, and search for it on the microcode package changelog.
>
> You can install the iucode-tool package, and ask iucode-tool to check the
> processor signature:
>
> *as root*:
> modprobe cpuid
> apt-get install iucode-tool
> /usr/sbin/iucode-tool --scan-system
>
> Then, you look for that signature in the tables at:
> http://ftp-master.metadata.debian.org/changelogs/non-free/i/intel-microcode/unstable_changelog
>
> and if you find it there, it is very possible that there is a microcode
> update for your processor (there's the pf mask detail, but if you want to
> know more about that, please read iucode-tool's README documentation and
> manpage).  It is also possible that your BIOS already has the latest
> version of the microcode for your processor.
>
> --
>   "One disk to rule them all, One disk to find them. One disk to bring
>   them all and in the darkness grind them. In the Land of Redmond
>   where the shadows lie." -- The Silicon Valley Tarot
>   Henrique Holschuh

Thanx. That worked.

See :-

root@debian:/home/shirish# modprobe cpuid
root@debian:/home/shirish# aptitude install iucode-tool -y
The following NEW packages will be installed:
  intel-microcode{a} iucode-tool
0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 371 kB of archives. After unpacking 484 kB will be used.
Get: 1 http://debian.ec.as6453.net/debian/ testing/contrib iucode-tool amd64 1.0-1 [31.0 kB]
Get: 2 http://debian.ec.as6453.net/debian/ testing/non-free intel-microcode amd64 2.20130808.1 [340 kB]
Fetched 371 kB in 51s (7,162 B/s)
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
Selecting previously unselected package iucode-tool.
(Reading database ... 294220 files and directories currently installed.)
Unpacking iucode-tool (from .../iucode-tool_1.0-1_amd64.deb) ...
Selecting previously unselected package intel-microcode.
Unpacking intel-microcode (from .../intel-microcode_2.20130808.1_amd64.deb) ...
Processing triggers for man-db ...
Setting up iucode-tool (1.0-1) ...
Setting up intel-microcode (2.20130808.1) ...
Updating microcode on all online processors...
update-initramfs: deferring update (trigger activated)
Processing triggers for initramfs-tools ...
update-initramfs: Generating /boot/initrd.img-3.10-2-amd64

root@debian:/home/shirish# grep 'microcode.*update' /var/log/kern.log
Sep  7 20:00:35 debian kernel: [ 2735.191011] microcode: CPU0 updated to revision 0xa0b, date = 2010-09-28
Sep  7 20:00:35 debian kernel: [ 2735.195814] microcode: CPU1 updated to revision 0xa0b, date = 2010-09-28

So some changes were done.

root@debian:/home/shirish# /usr/sbin/iucode-tool --scan-system
/usr/sbin/iucode-tool: system has processor(s) with signature 0x0001067a

Just read the manpage and it seems these microcode updates just became
available after kernel 3.9.

From the manpage of iucode-tool :-

Linux Notes
       The cpuid kernel driver is required for the --scan-system
functionality to work.

       Early initramfs support for microcode updates is available
since Linux v3.9.  Kernels without early initramfs support will just
make the microcode file available to the initramfs environment at
/kernel/x86/microcode/GenuineIntel.bin.

I also tried :-

# /usr/sbin/iucode-tool --scan-system -vvv
/usr/sbin/iucode-tool: trying to get CPUID information from /dev/cpu/0/cpuid
/usr/sbin/iucode-tool: system has processor(s) with signature 0x0001067a
/usr/sbin/iucode-tool: trying to get CPUID information from /dev/cpu/1/cpuid
/usr/sbin/iucode-tool: checked the signature of 2 processor(s)

but couldn't get the pf mask thing.

I did figure out this however :-

$ sudo iucode_tool -L /lib/firmware/intel-ucode/06-17-0a
microcode bundle 1: /lib/firmware/intel-ucode/06-17-0a
  01/001: sig 0x0001067a, pf mask 0xa0, 2010-09-28, rev 0x0a0b, size 8192
  01/002: sig 0x0001067a, pf mask 0x11, 2010-09-28, rev 0x0a0b, size 8192
  01/003: sig 0x0001067a, pf mask 0x44, 2010-09-28, rev 0x0a0b, size 8192

I also read the README.gz and realized it's kinda pointless till Intel
starts distributing some sort of errata and changelog information
about what the updates contain. For all we know it could be one of the
NSA backdoors ( just don't have any info.)

I'm still reading the documentation but if somebody finds how to get
the info. about pf mask bit please share the same with me.

Thank you Henrique for packaging and sharing the package as whatever I
have shared is upstream issues and nothing to do with your packaging
efforts.
-- 
          Regards,
          Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
065C 6D79 A68C E7EA 52B3  8D70 950D 53FB 729A 8B17
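
Added example, not part of the original message and not code from iucode-tool: it decodes the signature 0x0001067a into the 06-17-0a file name seen above and picks the listing entry whose pf mask covers a given CPU. It assumes the CPU's pf bit is 1 << platform ID (bits 52:50 of the IA32_PLATFORM_ID MSR, which the Linux microcode driver reports as processor_flags in sysfs); the platform ID used in the demo is constructed, and extended signature tables are ignored.

```python
import re

# Listing lines copied from the `iucode_tool -L` output in the message above.
LISTING = """\
  01/001: sig 0x0001067a, pf mask 0xa0, 2010-09-28, rev 0x0a0b, size 8192
  01/002: sig 0x0001067a, pf mask 0x11, 2010-09-28, rev 0x0a0b, size 8192
  01/003: sig 0x0001067a, pf mask 0x44, 2010-09-28, rev 0x0a0b, size 8192
"""

ENTRY_RE = re.compile(
    r"(?P<id>\d+/\d+): sig (?P<sig>0x[0-9a-f]+), pf mask (?P<pf>0x[0-9a-f]+), "
    r"(?P<date>\d{4}-\d{2}-\d{2}), rev (?P<rev>0x[0-9a-f]+)")


def ucode_filename(sig):
    """Map a CPUID signature to the family-model-stepping firmware file name."""
    base_family = (sig >> 8) & 0xF
    # Extended family is added only when the base family field is 0xF.
    family = base_family + ((sig >> 20) & 0xFF if base_family == 0xF else 0)
    model = (sig >> 4) & 0xF
    if base_family in (0x6, 0xF):
        # Extended model forms the high nibble for families 6 and 0xF only.
        model |= ((sig >> 16) & 0xF) << 4
    return "%02x-%02x-%02x" % (family, model, sig & 0xF)


def parse_listing(text):
    """Return one dict per microcode entry in an `iucode_tool -L` listing."""
    return [{"id": m["id"], "sig": int(m["sig"], 16),
             "pf_mask": int(m["pf"], 16), "rev": int(m["rev"], 16),
             "date": m["date"]}
            for m in ENTRY_RE.finditer(text)]


def applicable(entries, sig, platform_id):
    """Entries whose signature matches and whose pf mask has this CPU's bit."""
    cpu_pf = 1 << platform_id  # one bit per platform ID 0..7
    return [e for e in entries if e["sig"] == sig and e["pf_mask"] & cpu_pf]


if __name__ == "__main__":
    sig = 0x0001067A      # reported by --scan-system in the message above
    platform_id = 0       # constructed value; the real one is per machine
    for e in applicable(parse_listing(LISTING), sig, platform_id):
        print(ucode_filename(sig), e["id"], hex(e["rev"]), e["date"])
```
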

