A poster on lkml mentioned that Debian have new Intel firmware. The package is intel-microcode_3.20171215.1.tar.xz from https://packages.debian.org/sid/intel-microcode : reading this, it includes old firmware releases from Intel which are no longer on its site (e.g. for very old machines, but they might still be running) as well as the current release, PLUS a supplemental release which has not yet arrived at the Intel download site. This is labelled as CVE-2017-5715, which is one of the Spectre variants (the PTI fixes address Meltdown).
So, there is a question of trust to consider. You might prefer to wait until Intel officially releases this firmware.

To process this, iucode_tool is needed : https://gitlab.com/iucode-tool/iucode-tool/ and for the download https://gitlab.com/iucode-tool/releases/tree/latest

This is just CMMI (although the developer recommends --sbindir=/usr/bin).

With that installed, 'make' creates intel-microcode.bin and intel-microcode-64.bin which is a smaller version for x86_64 and X32 processors. (X32 is NOT i686, it's a 64-bit CPU with the extra registers, but building for 32-bit userspace).

But that is just a 'data' file and I had no idea how to use it. Fortunately, Gentoo also use iucode_tool and their wiki shows:

    iucode_tool -S --write-earlyfw=/boot/early_ucode.cpio /lib/firmware/intel-ucode/*

I'm already set for early loading, and -S interrogates the current machine to find its processor, so I tried that against intel-microcode-64.bin and succeeded in getting a cpio. I then moved that to /boot (keeping my existing microcode.img, after the problems on my Skylake), and changed the initrd only for the current PTI kernel (just in case).

Before this, my firmware was version 0x22. After booting, I'm on version 0x23 so the process was successful.

The SBU is now slower, but no comments on the overall effect until I've built a new system!

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather boots with stiletto heels for such a barefaced truth. - Unseen Academicals
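As an added illustration (not part of the original post, and not iucode_tool's own code): a Python example that lists the updates inside a 'data' file such as intel-microcode-64.bin and checks each one's checksum, following the microcode update header layout documented in Intel's SDM. It ignores extended signature tables; the sample updates, the signature 0x00012345 and the helper names are constructed for the example.

```python
import struct

HEADER = struct.Struct("<9I12x")   # 48-byte update header, little-endian
DEFAULT_DATA_SIZE = 2000           # applies when the data_size field is 0

def parse_updates(blob):
    """Walk concatenated microcode updates; return one dict per update."""
    updates, off = [], 0
    while off + HEADER.size <= len(blob):
        (hdr_ver, rev, date, sig, _cksum, _loader, pf_mask,
         data_size, total_size) = HEADER.unpack_from(blob, off)
        if hdr_ver != 1:
            raise ValueError(f"unknown header version at offset {off}")
        data_size = data_size or DEFAULT_DATA_SIZE
        total_size = total_size or data_size + HEADER.size
        if (data_size % 4 or total_size < data_size + HEADER.size
                or off + total_size > len(blob)):
            raise ValueError(f"malformed or truncated update at offset {off}")
        covered = blob[off:off + HEADER.size + data_size]
        dwords = struct.unpack(f"<{len(covered) // 4}I", covered)
        updates.append({
            "signature": sig, "pf_mask": pf_mask, "revision": rev,
            # date is BCD, laid out as mmddyyyy
            "date": f"{date & 0xFFFF:04x}-{date >> 24:02x}-{(date >> 16) & 0xFF:02x}",
            # header + data must sum to zero modulo 2**32
            "checksum_ok": (sum(dwords) & 0xFFFFFFFF) == 0,
        })
        off += total_size
    return updates

def make_sample(rev, sig, date, data_size=32):
    """Build a constructed (not real) update with a valid checksum."""
    fields = [1, rev, date, sig, 0, 1, 0x02, data_size, HEADER.size + data_size]
    body = bytes(range(data_size))
    raw = HEADER.pack(*fields) + body
    total = sum(struct.unpack(f"<{len(raw) // 4}I", raw))
    fields[4] = -total & 0xFFFFFFFF
    return HEADER.pack(*fields) + body

if __name__ == "__main__":
    # Constructed input: two updates for a made-up CPU signature.
    blob = (make_sample(0x22, 0x00012345, 0x01012017)
            + make_sample(0x23, 0x00012345, 0x11172017))
    for u in parse_updates(blob):
        print(f"sig 0x{u['signature']:08x} pf 0x{u['pf_mask']:02x} "
              f"rev 0x{u['revision']:x} {u['date']} checksum_ok={u['checksum_ok']}")
```

A passing checksum only shows the file is not corrupted; it is a plain sum, not a signature, so it says nothing about who produced the file.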
