[Bug 1862938] Re: Enable late loading of microcode by default
Timo Aaltonen
tjaalton at ubuntu.com
Fri Feb 14 09:33:27 UTC 2020
Hello Dimitri, or anyone else affected,
Accepted intel-microcode into eoan-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/intel-microcode/3.20191115.1ubuntu0.19.10.3
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us in getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-eoan to verification-done-eoan. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-eoan. In either case, without details of your
testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: intel-microcode (Ubuntu Eoan)
Status: New => Fix Committed
** Tags added: verification-needed verification-needed-eoan
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to intel-microcode in Ubuntu.
https://bugs.launchpad.net/bugs/1862938
Title:
Enable late loading of microcode by default
Status in intel-microcode package in Ubuntu:
Fix Committed
Status in intel-microcode source package in Xenial:
New
Status in intel-microcode source package in Bionic:
New
Status in intel-microcode source package in Eoan:
Fix Committed
Status in intel-microcode source package in Focal:
Fix Committed
Bug description:
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
* Normally Intel microcode is applied "early" for an uncompressed
prepended initramfs archive. However, on systems booting without an
initrd, or a misbuilt one, microcode might not get applied. In that
case, we need to attempt loading microcode late, which may give users
security protection against CPU vulnerabilities which they might
otherwise be lacking. In an ideal world, everyone would apply their
BIOS/OEM updates with microcode updates in a timely fashion and then
we wouldn't need to update CPU microcode from userspace at all.
[Test Case]
* Install updated package
* Reboot
* Observe early application of microcode
$ journalctl -b | grep microcode
Feb 12 12:02:48 ottawa kernel: microcode: microcode updated early to revision 0xd6, date = 2019-10-03
* Remove /usr/share/initramfs-tools/hooks/intel_microcode to prevent correct generation of early microcode updates
* Rebuild initrd with update-initramfs -u
* Reboot
* Observe in dmesg that late loading of microcode is performed
$ journalctl -b | grep microcode
Feb 12 12:32:54 ottawa kernel: TAA: Vulnerable: Clear CPU buffers attempted, no microcode
Feb 12 12:32:54 ottawa kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
Feb 12 12:32:54 ottawa kernel: microcode: sig=0x506e3, pf=0x20, revision=0xc6
Feb 12 12:32:54 ottawa kernel: microcode: Microcode Update Driver: v2.2.
Feb 12 12:32:57 ottawa kernel: microcode: updated to revision 0xd6, date = 2019-10-03
Feb 12 12:32:57 ottawa kernel: x86/CPU: CPU features have changed after loading microcode, but might not take effect.
Feb 12 12:32:57 ottawa kernel: microcode: Reload completed, microcode revision: 0xd6
(Note the lack of "early" in above messages)
[Regression Potential]
* Application of microcode is a risky operation, especially if the
cores are busy. Hence we prefer BIOS updates & early microcode
updates, and those will remain the place. The late loading of
microcode is really here for the cases where the previous two update
strategies have failed. For example, from time to time, certain
microcode updates are pulled or get blacklisted from late loading.
[Other Info]
* The majority of our users on bare-metal machines boot correctly with early microcode updates.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1862938/+subscriptions
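
The check from the [Test Case] section, as an added example that is not part of the original bug report or of the intel-microcode package: a shell function that reads kernel log lines and reports whether microcode was applied early or late, at which revision, and how many "Vulnerable: ... no microcode" lines the kernel logged. The function names and the output format are assumptions; the sample lines are copied from the test case above.

```shell
#!/bin/sh
# Usage on a live system: journalctl -k -b | microcode_load_mode
# Prints "<mode> <revision> <warnings>" where mode is early, late or none,
# revision is the value from the most recent update message ("-" if none),
# and warnings counts "Vulnerable: ... no microcode" lines.
microcode_load_mode() {
    awk '
        # Return the hex revision that follows "to revision " on a line.
        function rev_of(line,   i, rest) {
            i = index(line, "to revision ")
            if (i == 0) return "-"
            rest = substr(line, i + length("to revision "))
            sub(/[^0-9a-fA-Fx].*/, "", rest)
            return rest
        }
        # Early load: applied before the rest of the kernel came up.
        /microcode: microcode updated early to revision / {
            mode = "early"; rev = rev_of($0)
        }
        # Late load: same message without the word "early".
        /microcode: updated to revision / {
            mode = "late"; rev = rev_of($0)
        }
        # Mitigation status lines logged while no suitable microcode was loaded.
        /Vulnerable: .*no microcode/ { warn++ }
        END {
            if (mode == "") { mode = "none"; rev = "-" }
            printf "%s %s %d\n", mode, rev, warn + 0
        }
    '
}

# Sample input: the early-load boot from the test case.
sample_early() {
    cat <<'EOF'
Feb 12 12:02:48 ottawa kernel: microcode: microcode updated early to revision 0xd6, date = 2019-10-03
EOF
}

# Sample input: the late-load boot from the test case.
sample_late() {
    cat <<'EOF'
Feb 12 12:32:54 ottawa kernel: TAA: Vulnerable: Clear CPU buffers attempted, no microcode
Feb 12 12:32:54 ottawa kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
Feb 12 12:32:54 ottawa kernel: microcode: sig=0x506e3, pf=0x20, revision=0xc6
Feb 12 12:32:57 ottawa kernel: microcode: updated to revision 0xd6, date = 2019-10-03
Feb 12 12:32:57 ottawa kernel: microcode: Reload completed, microcode revision: 0xd6
EOF
}
```

A result of "none" means no update message was logged for that boot, so the CPU is still at the revision the firmware left it with.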