[Bug 1700373] Re: intel-microcode is out of date, version 20170707 fixes errata on 6th and 7th generation platforms

Launchpad Bug Tracker 1700373 at bugs.launchpad.net
Thu Jan 11 18:58:13 UTC 2018


This bug was fixed in the package intel-microcode -
3.20180108.0~ubuntu14.04.2

---------------
intel-microcode (3.20180108.0~ubuntu14.04.2) trusty-security; urgency=medium

  * Sync package to xenial's latest update
  * New upstream microcode datafile 20180108
    + New Microcodes:
      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
      sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
      sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
    + Updated Microcodes:
      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
      sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
      sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
      sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
      sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
      sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
      sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
      sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
      sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
  * source: remove unneeded intel-ucode/ directory
  * source: remove superseded upstream data file: 20170707

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Tue, 09 Jan 2018 13:28:52 -0500

** Changed in: intel-microcode (Ubuntu Trusty)
       Status: Won't Fix => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to intel-microcode in Ubuntu.
https://bugs.launchpad.net/bugs/1700373

Title:
  intel-microcode is out of date, version 20170707 fixes errata on 6th
  and 7th generation platforms

Status in intel-microcode package in Ubuntu:
  Fix Released
Status in intel-microcode source package in Trusty:
  Fix Released
Status in intel-microcode source package in Xenial:
  Fix Released
Status in intel-microcode source package in Yakkety:
  Won't Fix
Status in intel-microcode source package in Zesty:
  Fix Released
Status in intel-microcode source package in Artful:
  Fix Released

Bug description:
  [Impact]

  * A security fix has been made available as part of intel-microcode
  * It is advisable to apply it
  * Thus an SRU of the latest intel-microcode is desirable for all stable releases

  [Test Case]

  * Upgrade intel-microcode package, if it is already installed / one is
  running on Intel CPUs

  * Reboot and verify no adverse results, and/or that microcode for your
  cpu was loaded as expected.

  * Ocaml crash reproducer

  Download report.tar.gz from https://caml.inria.fr/mantis/view.php?id=7452 and place in your schroot scratch directory.
  $ mk-sbuild artful --arch=amd64
  $ schroot -c artful -u root
  // Artful was chosen as it contains the required versions of Ocaml for the reproducer.
  $ apt install ocaml opam ocaml-findlib m4
  $ opam init
  $ opam install extprot
  $ eval `opam config env`
  $ while ocamlfind opt -c -g -bin-annot -ccopt -g -ccopt -O2 -ccopt -Wextra -ccopt '-Wstrict-overflow=5' -thread -w +a-4-40..42-44-45-48-58 -w -27-32 -package extprot test.ml -o test.cmx; do echo "ok"; done

  [Test case reporting]
  * Please paste the output of:

  dpkg-query -W intel-microcode
  grep -E 'model|stepping' /proc/cpuinfo | sort -u
  journalctl -k | grep microcode
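
The three reporting commands above give a tester the package version, the CPU's family/model/stepping and the kernel's microcode messages, but leave it to the reader to relate them to the "sig ... rev ..." lines in the changelog. The script below is an added example (not part of the bug report or of the intel-microcode package) that does that correlation: it converts the /proc/cpuinfo fields into the CPUID signature the changelog uses, looks the signature up in the 20180108 list quoted above, and compares the revision the kernel reports as loaded with the revision the datafile ships. The cpuinfo and journal text it runs on is constructed sample input; the kernel line format is assumed to be the "updated to revision 0x..., date = ..." form shown in that sample.

```shell
#!/bin/sh
# Added example: correlate /proc/cpuinfo and journalctl -k output with the
# microcode list in the intel-microcode 20180108 changelog.  Sample input
# below is constructed; the sig/rev table is copied from the changelog.

# "sig rev" pairs from the changelog (new and updated microcodes).
UCODE_20180108="
0x000506c9 0x002c
0x000706a1 0x0022
0x000906ea 0x0080
0x000906eb 0x0080
0x000306c3 0x0023
0x000306d4 0x0028
0x000306e4 0x042a
0x000306f2 0x003b
0x000306f4 0x0010
0x00040651 0x0021
0x00040661 0x0018
0x00040671 0x001b
0x000406e3 0x00c2
0x00050654 0x200003c
0x00050662 0x0014
0x00050663 0x7000011
0x000506e3 0x00c2
0x000806e9 0x0080
0x000806ea 0x0080
0x000906e9 0x0080
"

# cpuid_sig FAMILY MODEL STEPPING (decimal, as /proc/cpuinfo prints them)
# prints the signature as 0x%08x, laid out like CPUID leaf 1 EAX:
# ext family bits 27:20, ext model 19:16, family 11:8, model 7:4, stepping 3:0.
cpuid_sig() {
    family=$1 model=$2 stepping=$3
    if [ "$family" -ge 15 ]; then
        ext_family=$(( $family - 15 )); base_family=15
    else
        ext_family=0; base_family=$family
    fi
    ext_model=$(( ($model >> 4) & 15 ))
    base_model=$(( $model & 15 ))
    sig=$(( ($ext_family << 20) | ($ext_model << 16) | ($base_family << 8) | ($base_model << 4) | $stepping ))
    printf '0x%08x\n' "$sig"
}

# sig_from_cpuinfo: reads /proc/cpuinfo text on stdin and prints the
# signature of the first processor block (all cores report the same one).
sig_from_cpuinfo() {
    family='' model='' stepping=''
    while IFS= read -r line; do
        val=${line#*: }
        case $line in
            "cpu family"*) family=$val ;;
            "model name"*) ;;              # must not be taken for "model"
            model*)        model=$val ;;
            stepping*)     stepping=$val ;;
        esac
        if [ -n "$family" ] && [ -n "$model" ] && [ -n "$stepping" ]; then
            break
        fi
    done
    cpuid_sig "$family" "$model" "$stepping"
}

# shipped_rev SIG: prints the revision the 20180108 datafile carries for
# SIG, or nothing if the datafile has no microcode for that signature.
shipped_rev() {
    printf '%s\n' "$UCODE_20180108" | while read -r sig rev; do
        if [ "$sig" = "$1" ]; then printf '%s\n' "$rev"; fi
    done
}

# loaded_rev: reads `journalctl -k` output on stdin and prints the revision
# from the last "... to revision 0x..., date = ..." microcode line.
loaded_rev() {
    rev=''
    while IFS= read -r line; do
        case $line in
            *"microcode: "*"to revision "*)
                rest=${line#*to revision }
                rev=${rest%%,*} ;;
        esac
    done
    printf '%s\n' "$rev"
}

# ucode_status SIG LOADED_REV: up-to-date | stale | not-in-datafile |
# no-kernel-report.  Revisions compare numerically, so 0xc2 equals 0x00c2.
ucode_status() {
    want=$(shipped_rev "$1")
    if [ -z "$want" ]; then
        echo not-in-datafile
    elif [ -z "$2" ]; then
        echo no-kernel-report
    elif [ $(( $2 )) -ge $(( $want )) ]; then
        echo up-to-date
    else
        echo stale
    fi
}

# Constructed sample: a family 6 / model 78 / stepping 3 CPU (sig 0x000406e3)
# on which the kernel reported loading revision 0xc2.
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 78
model name	: Intel(R) Core(TM) CPU (constructed sample)
stepping	: 3
microcode	: 0xc2'
SAMPLE_JOURNAL='Jan 11 18:58:13 host kernel: microcode: updated to revision 0xc2, date = 2017-11-16
Jan 11 18:58:13 host kernel: microcode: Microcode Update Driver: v2.2.'

# check_sample: runs the whole chain on the constructed input and prints
# "<sig> <loaded rev> <status>".  On a live system use instead:
#   sig=$(sig_from_cpuinfo </proc/cpuinfo); loaded=$(journalctl -k | loaded_rev)
check_sample() {
    sig=$(printf '%s\n' "$SAMPLE_CPUINFO" | sig_from_cpuinfo)
    loaded=$(printf '%s\n' "$SAMPLE_JOURNAL" | loaded_rev)
    printf '%s %s %s\n' "$sig" "$loaded" "$(ucode_status "$sig" "$loaded")"
}

check_sample
```

A "not-in-datafile" result is itself useful to report: it means the update cannot have changed anything for that CPU, so a regression seen after installing it is unlikely to be caused by the microcode itself; "stale" after a reboot usually means the firmware or an early-boot path is still providing an older revision and the package's initramfs hook deserves a look.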

  [Regression Potential]
  Microcode are proprietary blobs, and can cause any number of new errors and regressions. Microcode bugs have been reported before, therefore longer than usual phasing and monitoring of intel-microcode bugs should be done with extra care.

  Additional notes from ~racb, wearing an ~ubuntu-sru hat:

  SRU verification needs to take care to consider CPUs actually tested.
  We should have a representative sample of CPUs tested in SRU
  verification reports before considering release to the updates
  pockets.

  Given the potential severity of regressions, we should keep this in
  the proposed pockets for longer than the usual minimum ageing period.
  Let's have users opt-in to this update first, and only recommend it
  once we have confidence that a reasonable number (and representative CPU
  sample) of opted-in users have not hit any problems.

  Testers: please mark verification-done-* only after you consider that
  the above additional requirements have been met.

  [Other]
  caml discussion describing test case to reproduce the crash.
  https://caml.inria.fr/mantis/view.php?id=7452

  * I did not backport the full debian/changelog, as some of the changes
  were omitted for SRU purposes, and I don't like the idea of modifying
  the changelog of others.

  * I did not backport the change below, but I feel as though the SRU team should evaluate including it. I left it out due to the change-as-little-as-possible guidance from the SRU team. Additionally, we have already been shipping the microcode version that included this change for a long time. More information here:
  https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00030&languageid=en-fr

  '''
  # 0x206c2: Intel Westmere B1 (Xeon 3600, 5600, Core i7 2nd gen).
  #
  # When Intel released a fix for Intel SA-00030, they issued a MCU that
  # bumps the minimum acceptable version of the Intel TXT ACMs in the
  # TPM persistent storage.  This permanently blacklists the vulnerable
  # ACMs *even on older microcode* in order to make it somewhat harder
  # to work around the security fix through a BIOS downgrade attack.
  #
  # It is possible that such a microcode update, when performed by the
  # operating system, could successfully trigger the TPM persistent
  # storage update Intel intended to happen during firmware boot: we
  # simply don't know enough to rule it out.  Should that happen, Intel
  # TXT will be permanently disabled.  This could easily interact very
  # badly with the firmware, rendering the system unbootable.  If *that*
  # happens, it would likely require either a TPM module replacement
  # (rendering sealed data useless) or a direct flash of a new BIOS with
  # updated ACMs, to repair.
  #
  # Blacklist updates for signature 0x206c2 as a safety net.
  IUC_EXCLUDE += -s !0x206c2
  '''

  * I versioned the packages 3.20170511.1~ubuntu<release> as I feel this
  more appropriately reflects the contents of each package rather than
  simply incrementing the ubuntu version number.

  =========================================================================

  [Original bug report]

  NB: I am *not* directly affected by this bug.

  Henrique emailed a warning to Debian devel today [1] on a potentially
  serious issue with (sky|kaby)lake processors. Excerpt:

  "This warning advisory is relevant for users of systems with the Intel
  processors code-named "Skylake" and "Kaby Lake".  These are: the 6th and
  7th generation Intel Core processors (desktop, embedded, mobile and
  HEDT), their related server processors (such as Xeon v5 and Xeon v6), as
  well as select Intel Pentium processor models.

  TL;DR: unfixed Skylake and Kaby Lake processors could, in some
  situations, dangerously misbehave when hyper-threading is enabled.
  Disable hyper-threading immediately in BIOS/UEFI to work around the
  problem.  Read this advisory for instructions about an Intel-provided
  fix."

  It is probably a good idea to:
  (1) issue a warning to our users about this;
  (2) update intel-microcode on all our supported releases

  I leave the discussion on whether this can have security implications
  to others.

  [1] https://lists.debian.org/debian-devel/2017/06/msg00308.html

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: intel-microcode 3.20161104.1
  ProcVersionSignature: Ubuntu 4.10.0-24.28-generic 4.10.15
  Uname: Linux 4.10.0-24-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  CurrentDesktop: Unity:Unity7
  Date: Sun Jun 25 10:14:19 2017
  InstallationDate: Installed on 2017-05-26 (30 days ago)
  InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
  SourcePackage: intel-microcode
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1700373/+subscriptions
