[Bug 1700373] Re: intel-microcode is out of date, version 20170707 fixes errata on 6th and 7th generation platforms

Dmitrii Shcherbakov 1700373 at bugs.launchpad.net
Sun Jul 23 13:37:33 UTC 2017


Tested on 17.04 with a 4.13-rc1 kernel + a pinned microcode package from
artful:

➜  linux git:(5771a8c08880) ✗ apt policy intel-microcode
intel-microcode:
  Installed: 3.20170707.1
  Candidate: 3.20170707.1
  Version table:
 *** 3.20170707.1 500
        500 http://ru.archive.ubuntu.com/ubuntu artful/restricted amd64 Packages
        100 /var/lib/dpkg/status
     3.20170511.1~ubuntu17.04.0 990
        990 http://archive.ubuntu.com/ubuntu zesty-updates/restricted amd64 Packages
     3.20161104.1 990
        990 http://archive.ubuntu.com/ubuntu zesty/restricted amd64 Packages

➜  ~ uname -r
4.13.0-rc1

➜  ~ lscpu 
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                4
On-line CPU(s) list:   0-3
Thread(s) per core:    1
Core(s) per socket:    4
Socket(s):             1
NUMA node(s):          1
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 158
Model name:            Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
Stepping:              9
CPU MHz:               2800.000
CPU max MHz:           3800,0000
CPU min MHz:           800,0000
BogoMIPS:              5616.00
Virtualization:        VT-x
L1d cache:             32K
L1i cache:             32K
L2 cache:              256K
L3 cache:              6144K
NUMA node0 CPU(s):     0-3
Flags:                 fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp


➜  ~ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x5e, date = 2017-04-06
[    2.621961] microcode: sig=0x906e9, pf=0x20, revision=0x5e
[    2.622083] microcode: Microcode Update Driver: v2.2.


My system definitely does not have 0x5e by default; the previous microcode version was 0x48:

[    2.561730] microcode: sig=0x906e9, pf=0x20, revision=0x48
[    2.561811] microcode: Microcode Update Driver: v2.2.


The microcode update also resulted in the absence of a 'Firmware Bug' message due to TSC_DEADLINE APIC mode usage:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bd9240a18edfbfa72e957fc2ba831cf1f13ea073

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/kernel/apic/apic.c?id=c6e9f42bbeecbc10cd4fbcca474b5859aba1de67#n386


Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to intel-microcode in Ubuntu.
https://bugs.launchpad.net/bugs/1700373

Title:
  intel-microcode is out of date, version 20170707 fixes errata on 6th
  and 7th generation platforms

Status in intel-microcode package in Ubuntu:
  Fix Released
Status in intel-microcode source package in Trusty:
  Won't Fix
Status in intel-microcode source package in Xenial:
  Confirmed
Status in intel-microcode source package in Yakkety:
  Confirmed
Status in intel-microcode source package in Zesty:
  Confirmed
Status in intel-microcode source package in Artful:
  Fix Released

Bug description:
  [Impact]

  * A security fix has been made available as part of intel-microcode
  * It is advisable to apply it
  * Thus an SRU of the latest intel-microcode is desirable for all stable releases

  [Test Case]

  * Upgrade intel-microcode package, if it is already installed / one is
  running on Intel CPUs

  * Reboot and verify no adverse results, and/or that microcode for your
  CPU was loaded as expected.

  [Test case reporting]
  * Please paste the output of:

  dpkg-query -W intel-microcode
  grep -E 'model|stepping' /proc/cpuinfo | sort -u
  journalctl -k | grep microcode

  [Regression Potential]
  Microcode updates are proprietary blobs, and can cause any number of new errors and regressions. Microcode bugs have been reported before; therefore longer-than-usual phasing and monitoring of intel-microcode bugs should be done with extra care.

  [Other]
  caml discussion describing a test case to reproduce the crash.
  https://caml.inria.fr/mantis/view.php?id=7452

  * I did not backport the full debian/changelog, as some of the changes
  were omitted for SRU purposes, and I don't like the idea of modifying
  the changelog of others.

  * I did not backport the change below, but I feel as though the SRU team should evaluate including it. I left it out due to the "change as little as possible" guidance from the SRU team. Additionally, we have already been shipping the microcode version that included this change for a long time. More information here:
  https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00030&languageid=en-fr

  '''
  # 0x206c2: Intel Westmere B1 (Xeon 3600, 5600, Core i7 2nd gen).
  #
  # When Intel released a fix for Intel SA-00030, they issued a MCU that
  # bumps the minimum acceptable version of the Intel TXT ACMs in the
  # TPM persistent storage.  This permanently blacklists the vulnerable
  # ACMs *even on older microcode* in order to make it somewhat harder
  # to work around the security fix through a BIOS downgrade attack.
  #
  # It is possible that such a microcode update, when performed by the
  # operating system, could successfully trigger the TPM persistent
  # storage update Intel intended to happen during firmware boot: we
  # simply don't know enough to rule it out.  Should that happen, Intel
  # TXT will be permanently disabled.  This could easily interact very
  # badly with the firmware, rendering the system unbootable.  If *that*
  # happens, it would likely require either a TPM module replacement
  # (rendering sealed data useless) or a direct flash of a new BIOS with
  # updated ACMs, to repair.
  #
  # Blacklist updates for signature 0x206c2 as a safety net.
  IUC_EXCLUDE += -s !0x206c2
  '''

  * I versioned the packages 3.20170511.1~ubuntu<release> as I feel this
  more appropriately reflects the contents of each package rather than
  simply incrementing the ubuntu version number.

  =========================================================================

  [Original bug report]

  NB: I am *not* directly affected by this bug.

  Henrique emailed a warning to Debian devel today [1] on a potentially
  serious issue with (sky|kaby)lake processors. Excerpt:

  "This warning advisory is relevant for users of systems with the Intel
  processors code-named "Skylake" and "Kaby Lake".  These are: the 6th and
  7th generation Intel Core processors (desktop, embedded, mobile and
  HEDT), their related server processors (such as Xeon v5 and Xeon v6), as
  well as select Intel Pentium processor models.

  TL;DR: unfixed Skylake and Kaby Lake processors could, in some
  situations, dangerously misbehave when hyper-threading is enabled.
  Disable hyper-threading immediately in BIOS/UEFI to work around the
  problem.  Read this advisory for instructions about an Intel-provided
  fix."

  It is probably a good idea to:
  (1) issue a warning to our users about this;
  (2) update intel-microcode on all our supported releases

  I leave the discussion on whether this can have security implications
  to others.

  [1] https://lists.debian.org/debian-devel/2017/06/msg00308.html

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: intel-microcode 3.20161104.1
  ProcVersionSignature: Ubuntu 4.10.0-24.28-generic 4.10.15
  Uname: Linux 4.10.0-24-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  CurrentDesktop: Unity:Unity7
  Date: Sun Jun 25 10:14:19 2017
  InstallationDate: Installed on 2017-05-26 (30 days ago)
  InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
  SourcePackage: intel-microcode
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1700373/+subscriptions
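As an added example (not part of the bug report, the comment above, or the Ubuntu package), the following Python script automates the verification the [Test Case] and [Test case reporting] sections ask for, and the revision comparison done by hand in the comment above: it parses /proc/cpuinfo and the kernel's "microcode:" log lines, rebuilds the CPUID.1 signature from the family/model/stepping values the kernel displays, confirms it matches the signature the microcode driver reports (model 158 stepping 9 of family 6 encodes to the 0x906e9 seen in dmesg), and checks the running revision against a minimum. The sample inputs are constructed from the values quoted on this page; the function names, the minimum-revision argument and the assumed threshold 0x5e are illustrative, and the signature reconstruction leaves the CPUID processor-type bits at zero, as they are in the log above.

```python
import re

# Constructed sample inputs, modelled on the outputs this bug's test case asks
# reporters to paste (values taken from the comment above).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 158
model name\t: Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
stepping\t: 9
"""

SAMPLE_DMESG_BEFORE = """\
[    2.561730] microcode: sig=0x906e9, pf=0x20, revision=0x48
[    2.561811] microcode: Microcode Update Driver: v2.2.
"""

SAMPLE_DMESG_AFTER = """\
[    0.000000] microcode: microcode updated early to revision 0x5e, date = 2017-04-06
[    2.621961] microcode: sig=0x906e9, pf=0x20, revision=0x5e
[    2.622083] microcode: Microcode Update Driver: v2.2.
"""

CPUINFO_RE = re.compile(r"^(cpu family|model|stepping)\s*:\s*(\d+)\s*$", re.M)
SIG_RE = re.compile(r"microcode: sig=(0x[0-9a-f]+), pf=(0x[0-9a-f]+), revision=(0x[0-9a-f]+)")
EARLY_RE = re.compile(r"microcode updated early to revision (0x[0-9a-f]+)")


def cpuid_signature(family, model, stepping):
    """Rebuild the CPUID.1:EAX processor signature from the display values
    /proc/cpuinfo shows. Linux prints the extended family/model already
    folded in (family 6, model 158), whereas the microcode driver logs the
    raw EAX (0x906e9), so the two must be converted before comparing.
    Processor-type bits 13:12 are left at zero, matching the log above."""
    if family >= 0xF:
        ext_family, base_family = family - 0xF, 0xF
    else:
        ext_family, base_family = 0, family
    # The extended model field is only consulted for family 6 and 15.
    if base_family in (0x6, 0xF):
        ext_model, base_model = model >> 4, model & 0xF
    else:
        ext_model, base_model = 0, model
    return (ext_family << 20) | (ext_model << 16) | (base_family << 8) \
        | (base_model << 4) | stepping


def parse_cpuinfo(text):
    """Return (family, model, stepping) for the first CPU in /proc/cpuinfo text.
    The anchored regex deliberately skips the 'model name' line, which the
    bug's "grep -E 'model|stepping'" one-liner also picks up."""
    fields = {}
    for key, value in CPUINFO_RE.findall(text):
        fields.setdefault(key, int(value))
    return fields["cpu family"], fields["model"], fields["stepping"]


def parse_microcode_log(text):
    """Extract what the microcode driver logged: the signature it matched,
    the platform-id mask, the running revision, and the revision the early
    (initramfs) loader applied, if it ran at all."""
    sig = SIG_RE.search(text)
    if sig is None:
        raise ValueError("no 'microcode: sig=' line found")
    early = EARLY_RE.search(text)
    return {
        "sig": int(sig.group(1), 16),
        "pf": int(sig.group(2), 16),
        "revision": int(sig.group(3), 16),
        "early_revision": int(early.group(1), 16) if early else None,
    }


def check_microcode(cpuinfo_text, dmesg_text, minimum_revision):
    """Cross-check the outputs the test case asks for: the CPU's signature
    must match the one the driver reports, and the loaded revision must be
    at least minimum_revision (an assumed threshold, e.g. the revision the
    updated package is expected to carry for this CPU)."""
    family, model, stepping = parse_cpuinfo(cpuinfo_text)
    log = parse_microcode_log(dmesg_text)
    expected_sig = cpuid_signature(family, model, stepping)
    return {
        "expected_sig": expected_sig,
        "signature_matches": expected_sig == log["sig"],
        "revision": log["revision"],
        "early_loaded": log["early_revision"] is not None,
        "up_to_date": log["revision"] >= minimum_revision,
    }


if __name__ == "__main__":
    # On a real system, feed in open("/proc/cpuinfo").read() and the output
    # of "journalctl -k | grep microcode" instead of the constructed samples.
    for label, log in (("before", SAMPLE_DMESG_BEFORE), ("after", SAMPLE_DMESG_AFTER)):
        result = check_microcode(SAMPLE_CPUINFO, log, 0x5e)
        print(label, {k: (hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
                      for k, v in result.items()})
```

Run against the "before" log the check reports revision 0x48 with no early load and flags the CPU as not up to date; against the "after" log it reports 0x5e, loaded early from the initramfs, and up to date. A signature mismatch between /proc/cpuinfo and the driver's line would indicate the log came from a different machine or a different CPU model than the one being reported on.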



More information about the foundations-bugs mailing list