Re: Intel Microcode updates
On Mon, 10 Jun 2019, Russell Coker wrote:
> model name : Intel(R) Core(TM)2 Quad CPU Q9505 @ 2.83GHz
>
> On a system with the above CPU running Debian/Testing I get the following
> results from the spectre-meltdown-checker script. Is this a bug in the
> intel-microcode package that the latest version isn't packaged? There is
> no newer version of intel-microcode in Unstable.

Intel upstream decided to not distribute it, for whatever reason. The Core2 will not get any fixes for MDS either (nor will Nehalem and Westmere).

It is easy enough to source that microcode update if you look for it, and you can just drop it on /usr/share/misc/intel-microcode.bin with intel-microcode installed, and update the initramfs. It will pick the extra microcode up.

-- 
Henrique Holschuh
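The check spectre-meltdown-checker printed for the Q9505 ("ucode 0xa0b ... latest version is 0xa0e ... cpuid 0x1067a") can be reproduced from /proc/cpuinfo alone, which is handy for confirming that a microcode file dropped in by hand, as Henrique describes, was actually applied after the reboot. The script below is an added example, not code from the thread, from the intel-microcode package or from spectre-meltdown-checker. It assumes the /proc/cpuinfo field names Linux prints on x86 ("cpu family", "model", "stepping", "microcode"); the sample cpuinfo text and the 0xa0e "latest" revision are constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Rebuilds the "latest known microcode"
# check spectre-meltdown-checker printed for the Q9505, using only the fields
# /proc/cpuinfo exposes, so a hand-installed update can be verified after reboot.

# Constructed /proc/cpuinfo excerpt mirroring the values quoted in the thread
# (family 6, model 0x17 = 23, stepping 0xa = 10, ucode 0xa0b). Assumed here;
# on a real machine pass "$(cat /proc/cpuinfo)" instead. Real files use tabs
# before the colon; the parser below accepts spaces or tabs.
SAMPLE_CPUINFO='processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 23
model name      : Intel(R) Core(TM)2 Quad CPU    Q9505  @ 2.83GHz
stepping        : 10
microcode       : 0xa0b
'

# cpuinfo_field NAME  (cpuinfo text on stdin)
# Prints the value of the first "NAME : value" line. The key is compared
# exactly so that "model" does not also match "model name".
cpuinfo_field() {
    awk -F: -v key="$1" '
        {
            k = $1; sub(/[ \t]+$/, "", k)
            if (k == key) { v = $2; sub(/^[ \t]+/, "", v); print v; exit }
        }'
}

# cpuid_signature FAMILY MODEL STEPPING  (decimal, as /proc/cpuinfo prints them)
# Rebuilds the CPUID(1).EAX signature that microcode files and the checker key
# on (0x1067a for the Q9505). /proc/cpuinfo shows the *displayed* family and
# model, so the extended family/model fields have to be split back out.
cpuid_signature() {
    fam=$1; mod=$2; step=$3
    ext_fam=0; ext_mod=0
    if [ "$fam" -ge 15 ]; then ext_fam=$((fam - 15)); fam=15; fi
    if [ "$fam" -eq 6 ] || [ "$fam" -eq 15 ]; then ext_mod=$((mod >> 4)); mod=$((mod & 15)); fi
    printf '0x%x\n' $(( (ext_fam << 20) | (ext_mod << 16) | (fam << 8) | (mod << 4) | step ))
}

# microcode_status CPUINFO_TEXT LATEST_REV
# Prints "<signature> <running-rev> <latest-rev> UP-TO-DATE|OUTDATED".
# LATEST_REV is whatever your reference gives for that signature (the checker's
# MCExtractor DB said 0xa0e for 0x1067a); revisions are compared numerically,
# so "0xa0b" and "2571" mean the same thing.
microcode_status() {
    info=$1; latest=$2
    fam=$(printf '%s' "$info" | cpuinfo_field "cpu family")
    mod=$(printf '%s' "$info" | cpuinfo_field "model")
    step=$(printf '%s' "$info" | cpuinfo_field "stepping")
    running=$(printf '%s' "$info" | cpuinfo_field "microcode")
    sig=$(cpuid_signature "$fam" "$mod" "$step")
    if [ $((running)) -ge $((latest)) ]; then state=UP-TO-DATE; else state=OUTDATED; fi
    printf '%s %s %s %s\n' "$sig" "$running" "$latest" "$state"
}

# Henrique's procedure from the thread, for the record (as root, then reboot;
# with intel-microcode installed, the initramfs hook picks the extra file up):
#   cp /path/to/update.bin /usr/share/misc/intel-microcode.bin
#   update-initramfs -u
# Re-run this check after the reboot: the "microcode" field should have moved.

microcode_status "$SAMPLE_CPUINFO" 0xa0e    # → 0x1067a 0xa0b 0xa0e OUTDATED
```

The comparison is numeric rather than a string match on purpose: microcode revisions are just integers, and a box that received a newer revision than your reference DB knows about should not be reported as outdated. Note that this only tells you which revision is loaded, not what it fixes; for a CPU Intel has stopped updating, as here, the running revision can be the latest available and still mitigate nothing.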
Re: Intel Microcode updates
On Mon, Jun 10, 2019 at 07:46:47PM +0200, Davide Prina wrote:
> On 10/06/19 13:16, Michael Stone wrote:
>> Your CPU is not supported by Intel, so you either accept the risk or buy
>> a new one.
>
> you have another choice: disable SMP &c. and all mitigations from Linux

That's not correct, but will set your performance back 20 years.

> * you will get only mitigation and not bug correction. Mitigation == the
> attack is harder, but it can be done successfully. I don't have

That is also not correct.

> * your CPU runs slower because of these mitigations (I have read that for
> some tasks you can have 50% or less performance),

That depends on the CPU, some see significant impacts, others see none or were never vulnerable to some of these issues. There's enough misinformation about this class of attacks without spreading more...

> * new hardware bugs and variants of previous bugs are found constantly, so
> we need a new CPU class designed for security. I have read that some people
> want to create a new CPU under a free license, I think that is the only
> solution that we can trust

For those who want to use a computer now, that's not particularly helpful.
Re: Intel Microcode updates
On 10/06/19 13:16, Michael Stone wrote:
> On Mon, Jun 10, 2019 at 02:01:25PM +1000, Russell Coker wrote:
>> I just discovered the spectre-meltdown-checker package
>>
>> model name : Intel(R) Core(TM)2 Quad CPU Q9505 @ 2.83GHz
>
> Your CPU is not supported by Intel, so you either accept the risk or buy a
> new one.

you have another choice: disable SMP &c. and all mitigations from Linux

> (Note that the latest version of the microcode is from 2015--long before
> any of these speculative execution vulnerabilities were mitigated.)
>
> Yours is a yorkfield:
> https://www.theregister.co.uk/2018/04/04/intel_spectre_microcode_updates/

The Intel(R) Core(TM)2 Quad CPU was already on sale on many sites when the spectre/meltdown hardware bug was discovered, and probably you can buy it also now. It is a shame that Intel does not give microcode updates for these CPUs and others.

For me, buying a new CPU does not give you protection against possible hardware bugs because:

* you will get only mitigation and not bug correction. Mitigation == the attack is harder, but it can be done successfully. I haven't read of any new CPU that was designed against this bug... probably because it needs 5-10 years to have these CPUs on the market

* your CPU runs slower because of these mitigations (I have read that for some tasks you can have 50% or less performance); also some software has been modified (== made slower) for these bugs: compiler, browser, ... and, in theory, these mitigations in compilation can be propagated to all the software you are running (== slowing all your software)

* each CPU has a lot of undocumented instructions, each of which can be a potential new attack target. There are tools that let you find some of these, but after that, understanding how to use or abuse them is another story

* firmware also is nearly always an obscure piece of code, always bigger than the previous one, and back doors can be present in it (recently back doors have been found in the firmware of some cellphones sold in Germany)

* new hardware bugs and variants of previous bugs are found constantly, so we need a new CPU class designed for security. I have read that some people want to create a new CPU under a free license, I think that is the only solution that we can trust

* ...

Ciao
Davide
Re: Intel Microcode updates
On Mon, Jun 10, 2019 at 02:01:25PM +1000, Russell Coker wrote:
> I just discovered the spectre-meltdown-checker package (thanks Sylvestre
> for packaging this).
>
> model name : Intel(R) Core(TM)2 Quad CPU Q9505 @ 2.83GHz
>
> On a system with the above CPU running Debian/Testing I get the following
> results from the spectre-meltdown-checker script. Is this a bug in the
> intel-microcode package that the latest version isn't packaged? There is
> no newer version of intel-microcode in Unstable.
>
> # spectre-meltdown-checker |grep CPU.mic
> * Hardware support (CPU microcode) for mitigation techniques
>   * CPU microcode is known to cause stability problems: NO (model 0x17 family 0x6 stepping 0xa ucode 0xa0b cpuid 0x1067a)
>   * CPU microcode is the latest known available version: NO (latest version is 0xa0e dated 2015/07/29 according to builtin MCExtractor DB v111 - 2019/05/18)
> IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it
> * CPU microcode mitigates the vulnerability: NO
> STATUS: VULNERABLE (an up-to-date CPU microcode is needed to mitigate this vulnerability)
> * CPU microcode mitigates the vulnerability: N/A

Your CPU is not supported by Intel, so you either accept the risk or buy a new one. (Note that the latest version of the microcode is from 2015--long before any of these speculative execution vulnerabilities were mitigated.)

Yours is a yorkfield:
https://www.theregister.co.uk/2018/04/04/intel_spectre_microcode_updates/