Bug 1005585

Summary:	Intel: microcode security-update
Product:	[Fedora] Fedora	Reporter:	Harald Reindl <h.reindl>
Component:	microcode_ctl	Assignee:	Anton Arapov <anton>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	18	CC:	anton, jonathan, nobody
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	microcode_ctl-2.0-5.fc18	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-10-10 01:13:22 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Harald Reindl 2013-09-08 18:58:48 UTC

please update the fedora-packages - thank you!

Date: Tue, 3 Sep 2013 09:05:29 -0300
http://lists.debian.org/debian-user/2013/09/msg00126.html

Intel has released a microcode update that fixes at least one severe fault
on every desktop and mobile Intel Core i* and server Intel Xeon system
processor models since (and including) the 1st generation Core-i3/i5/i7 and
Xeon 3500/5500.

Updated microcode packages are available for Debian unstable, Debian
testing, Debian "wheezy-backports", and Debian "stable-proposed-updates".

Comment 1 Harald Reindl 2013-09-08 19:53:18 UTC

besides the above this new package replacing the service does *not* work
in the past you needed only to replace /usr/lib/firmware/microcode.dat and restart the service, now calling "intel-microcode2ucode" shows the update *but* it is not used at reboot nor applied at runtime

for now i took the src.rpm, replace the microcode-traball from intel with the new one and the same name and rebuilt the packge with rpmbuild and voila after boot it is applied

holy hell that *can not* be the way to go for an ordinary user who cares and does not want until someone is so gently and update the package itself

[    3.095769] microcode: CPU0 sig=0x306a9, pf=0x2, revision=0x12
[    3.140811] microcode: CPU0 sig=0x306a9, pf=0x2, revision=0x12
[    3.141384] microcode: CPU0 updated to revision 0x19, date = 2013-06-13
[    3.141474] microcode: CPU1 sig=0x306a9, pf=0x2, revision=0x12
[    3.141589] microcode: CPU1 sig=0x306a9, pf=0x2, revision=0x12
[    3.141918] microcode: CPU1 updated to revision 0x19, date = 2013-06-13
[    3.141994] microcode: CPU2 sig=0x306a9, pf=0x2, revision=0x12
[    3.142087] microcode: CPU2 sig=0x306a9, pf=0x2, revision=0x12
[    3.142407] microcode: CPU2 updated to revision 0x19, date = 2013-06-13
[    3.142483] microcode: CPU3 sig=0x306a9, pf=0x2, revision=0x12
[    3.142613] microcode: CPU3 sig=0x306a9, pf=0x2, revision=0x12
[    3.142930] microcode: CPU3 updated to revision 0x19, date = 2013-06-13
[    3.143003] microcode: CPU4 sig=0x306a9, pf=0x2, revision=0x12
[    3.143085] microcode: CPU4 sig=0x306a9, pf=0x2, revision=0x12
[    3.143403] microcode: CPU4 updated to revision 0x19, date = 2013-06-13
[    3.143476] microcode: CPU5 sig=0x306a9, pf=0x2, revision=0x12
[    3.143591] microcode: CPU5 sig=0x306a9, pf=0x2, revision=0x12
[    3.143921] microcode: CPU5 updated to revision 0x19, date = 2013-06-13
[    3.143994] microcode: CPU6 sig=0x306a9, pf=0x2, revision=0x12
[    3.144081] microcode: CPU6 sig=0x306a9, pf=0x2, revision=0x12
[    3.144397] microcode: CPU6 updated to revision 0x19, date = 2013-06-13
[    3.144478] microcode: CPU7 sig=0x306a9, pf=0x2, revision=0x12
[    3.144593] microcode: CPU7 sig=0x306a9, pf=0x2, revision=0x12
[    3.144921] microcode: CPU7 updated to revision 0x19, date = 2013-06-13

Comment 2 Anton Arapov 2013-09-09 09:16:16 UTC

Harald,

Yeah, Fedora 19 was updated with this microcode almost a month ago, and I didn't push the same update for Fedora 18. Will do in a few.

You don't need a user-space helper(nor system service) to load the Intel's microcode anymore. Linux kernel /catches/ the microcode itself from the /lib/firmware directory.

If you want to update it yourself, use "intel-microcode2ucode" utility to translate the microcode.dat file into ucode data, and put this data to /lib/firmware/intel-ucode directory. reboot.

Anton

Comment 3 Fedora Update System 2013-09-09 09:21:57 UTC

microcode_ctl-2.0-4.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/microcode_ctl-2.0-4.fc18

Comment 4 Harald Reindl 2013-09-09 09:24:11 UTC

> use "intel-microcode2ucode" utility to translate the microcode.dat file

how?
this tool does not have any help option nor a manpage

calling "intel-microcode2ucode" gives a output i would expect with the new file at /usr/lib/firmware/microcode.dat and honestly normally i would expect that at the same time it get installed

BTW: 
i do not see any improvement in the new microcode_ctl given that
a) it is does not what a enduser expects
b) it needs a reboot to load the new microcode

in the past you simply refreshed /usr/lib/firmware/microcode.dat and restarted the no longer existing microcode_ctl service *without* reboot

Comment 5 Anton Arapov 2013-09-09 10:26:13 UTC

Harald, I agree, it is not straightforward and you are welcome to write a help for the tool.

Once you refresh the data in /lib/firmware/intel-ucode/, you can do:
# modprobe -r microcode
# modprobe microcode
this way you will get an updated microcode applied without reboot.

Note, that very soon microcode_ctl will not exist at all. We are just waiting for the Intel to integrate their bits into "linux-firmware" package. (AMD already did this)

Note 2: You may have even newer microcode from 20130906, you may want it if you run Haswell CPU. Find it here: https://fedorahosted.org/microcode_ctl, both tarballs v1.23 and v2.1-2 has it inside.

hope this help,
and cheers,
Anton

Comment 6 Harald Reindl 2013-09-09 10:35:24 UTC

Sandy Bridge / Ivy Bridge

the package i downloaded yesterday applies 2013-06-12 on the SamdyBridge and so i guess it looks what CPU needs what microcode, confirmed also for the koji package

Sep 09 12:17:35 Updated: 2:microcode_ctl-2.0-4.fc18.x86_64

Comment 7 Harald Reindl 2013-09-09 10:38:00 UTC

> Once you refresh the data in /lib/firmware/intel-ucode/, you can do:
> # modprobe -r microcode
> # modprobe microcode
> this way you will get an updated microcode applied without reboot

calling intel-microcode2ucode does *not* refresh /lib/firmware/intel-ucode/ even with a recent /usr/lib/firmware/microcode.dat and IMHO *that* is a bug because i have no idea how to refresh /lib/firmware/intel-ucode/ at all

that this goes into linux-firmware is nice but i doubt that the linux-firmware package is always recent and in case of CPU bugs i for mysself does not want to wait

Comment 8 Anton Arapov 2013-09-09 10:41:54 UTC

(In reply to Harald Reindl from comment #6)
> Sandy Bridge / Ivy Bridge
> 
> the package i downloaded yesterday applies 2013-06-12 on the SamdyBridge and
> so i guess it looks what CPU needs what microcode, confirmed also for the
> koji package
> 
> Sep 09 12:17:35 Updated: 2:microcode_ctl-2.0-4.fc18.x86_64

Yes, correct,
...
[    3.141589] microcode: CPU1 sig=0x306a9, pf=0x2, revision=0x12
[    3.141918] microcode: CPU1 updated to revision 0x19, date = 2013-06-13
...
from your dmesg you see that CPU was updated from rev. 0x12 to 0x19(dated 2013-06-13). If newer(20130808+) microcode update does not update *this* CPU it just means that *this* CPU is not vulnerable and doesn't require an update.

Anton.

Comment 9 Anton Arapov 2013-09-09 10:49:31 UTC

(In reply to Harald Reindl from comment #7)
> > Once you refresh the data in /lib/firmware/intel-ucode/, you can do:
> > # modprobe -r microcode
> > # modprobe microcode
> > this way you will get an updated microcode applied without reboot
> 
> calling intel-microcode2ucode does *not* refresh /lib/firmware/intel-ucode/
> even with a recent /usr/lib/firmware/microcode.dat and IMHO *that* is a bug
> because i have no idea how to refresh /lib/firmware/intel-ucode/ at all
> 
> that this goes into linux-firmware is nice but i doubt that the
> linux-firmware package is always recent and in case of CPU bugs i for
> mysself does not want to wait

Yes, it doesn't, it just saves the parsed microcode.dat into intel-ucode directory to the same location where "intel-microcode2ucode" was executed.

We expect, only tech-savvy person will go manual way and it will not make him a problem, others - will do 'yum update'.


If you want to do it manually:

Put the microcode.dat to /tmp/ucode, and:
[anton@bandura ~]$ cd /tmp/ucode/
[anton@bandura ucode]$ ls
microcode.dat
[anton@bandura ucode]$ intel-microcode2ucode microcode.dat 
microcode.dat: 576512(563k) bytes, 144128 integers

intel-ucode/0f-00-0a
signature: 0xf0a
flags:     0x02
revision:  0x15
date:      2002-08-21
size:      2048

[...snip...]

intel-ucode/06-1e-04
signature: 0x106e4
flags:     0x09
revision:  0x03
date:      2013-07-01
size:      6144

[anton@bandura ucode]$ ls -l
total 1696
drwxr-x--- 2 anton anton    1540 Sep  9 12:44 intel-ucode
-rw-r--r-- 1 anton anton 1734491 Sep  6 08:21 microcode.dat

[anton@bandura ucode]$ mv intel-ucode/ /lib/firmware/

And either reboot or reload microcode kernel module to apply the microcode.

Comment 10 Fedora Update System 2013-09-09 10:51:09 UTC

microcode_ctl-2.0-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/microcode_ctl-2.0-5.fc18

Comment 11 Fedora Update System 2013-09-09 23:50:44 UTC

Package microcode_ctl-2.0-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing microcode_ctl-2.0-5.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16186/microcode_ctl-2.0-5.fc18
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2013-10-10 01:13:22 UTC

microcode_ctl-2.0-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.