[Bug 1883016] [NEW] revert tmpfiles.d loading of microcode
Dimitri John Ledkov
1883016 at bugs.launchpad.net
Wed Jun 10 20:57:48 UTC 2020
*** This bug is a security vulnerability ***
Public security bug reported:
[Impact]
revert tmpfiles.d loading of microcode
Sometimes, despite intensive testing, bad microcode can be shipped.
When bad microcode is shipped and it is attempted to be loaded at
package configuration time, system will end up in inconsistent state.
Specifically apt transaction is aborted, new microcode is unpacked on
disk but dpkg database is in inconsistent state.
Thus whilst it was meant to be a canary, it wasn't a good one. Also it
applies on initrd-less boot, initrd-full boot, early initrd and package
upgrades. Which is not the right design here.
Ideally, installing microcode update would generate a one time boot
option to try new microcode, if successful commit booting with it.
Otherwise fallback to previous version of the microcode. None of that is
solvable with tmpfiles however.
The most recent example is the Skylake regression on 0x000406e3 systems
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1882890
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1883002
[Test Case]
* downgrade to old intel-microcode package
* reboot
* upgrade to new intel-microcode package
* observe that uncoordinated microcode update is not attempted at package configuration time
[Regression Potential]
* This is a revert
[Other Info]
* microcode try, commit or revert would be nice to implement.
** Affects: intel-microcode (Ubuntu)
Importance: Undecided
Status: In Progress
** Affects: intel-microcode (Ubuntu Eoan)
Importance: Undecided
Status: In Progress
** Affects: intel-microcode (Ubuntu Focal)
Importance: Undecided
Status: In Progress
** Affects: intel-microcode (Ubuntu Groovy)
Importance: Undecided
Status: In Progress
** Also affects: intel-microcode (Ubuntu Eoan)
Importance: Undecided
Status: New
** Also affects: intel-microcode (Ubuntu Groovy)
Importance: Undecided
Status: New
** Also affects: intel-microcode (Ubuntu Focal)
Importance: Undecided
Status: New
** Changed in: intel-microcode (Ubuntu Groovy)
Status: New => In Progress
** Changed in: intel-microcode (Ubuntu Focal)
Status: New => In Progress
** Changed in: intel-microcode (Ubuntu Eoan)
Status: New => In Progress
** Information type changed from Public to Public Security
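
The final "observe" step of the [Test Case] above, as an added example that is not part of the bug report or of the intel-microcode package: it compares the running microcode revision in two /proc/cpuinfo snapshots taken without a reboot in between. It assumes the per-CPU "microcode" field that x86 Linux exposes in /proc/cpuinfo; the function names and the revision values are made up for illustration.

```shell
#!/bin/sh
# Added example: detect a run-time microcode load across a package upgrade.

# Print the distinct microcode revisions found in a cpuinfo-format file.
ucode_revs() {
    awk -F: '$1 ~ /^microcode[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }' "$1" | sort -u
}

# Succeed if the revision set differs between two snapshots taken
# without a reboot in between, i.e. microcode was loaded at run time.
late_load_detected() {
    before=$(ucode_revs "$1")
    after=$(ucode_revs "$2")
    [ -n "$before" ] && [ -n "$after" ] && [ "$before" != "$after" ]
}

# Succeed if the CPUs in one snapshot report more than one revision
# (an update that reached only some cores).
mixed_revisions() {
    [ "$(ucode_revs "$1" | wc -l)" -gt 1 ]
}

# Constructed snapshots (hypothetical revision values, not from the bug).
# On a test machine: cp /proc/cpuinfo before; upgrade the package;
# cp /proc/cpuinfo after; then compare the two files.
SAMPLES=$(mktemp -d)
printf 'processor\t: 0\nmicrocode\t: 0xaa\nprocessor\t: 1\nmicrocode\t: 0xaa\n' > "$SAMPLES/before"
printf 'processor\t: 0\nmicrocode\t: 0xaa\nprocessor\t: 1\nmicrocode\t: 0xaa\n' > "$SAMPLES/after_ok"
printf 'processor\t: 0\nmicrocode\t: 0xbb\nprocessor\t: 1\nmicrocode\t: 0xaa\n' > "$SAMPLES/after_bad"

for snap in after_ok after_bad; do
    if late_load_detected "$SAMPLES/before" "$SAMPLES/$snap"; then
        echo "$snap: FAIL, microcode changed without a reboot"
    else
        echo "$snap: PASS, running microcode unchanged"
    fi
    if mixed_revisions "$SAMPLES/$snap"; then
        echo "$snap: WARNING, CPUs report different revisions"
    fi
done
```
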