Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-06-09 Thread Matt B
Hi,

My deepest apologies if this doesn't show up in the right spot, despite
editing the subject. I'm a dummy and I'm switching off digest mode right
now.

I'm no expert on microcode but I'll share my personal stance which I think
is pretty reasonable and practical. As the saying goes, the best way to ask
a question on the Internet is to give the wrong answer. :)

For some context, see:
https://lwn.net/Articles/744818/

My understanding of microcode, both from what I've read and what I've
studied is that it is or is more analogous to the contents of one or more
state tables, for state machinery in the CPU, and most useful for handling
complicated functionality (like a multi-word copy). (the actual details are
probably a hugely proprietary secret)

It seems to me that most people hear the 'code' part of 'microcode' and
assume it's a huge compiled binary blob running on a general-purpose
processor, and can do just about anything an attacker could possibly want.
I wrote this sentence, then realized that everyone knows that's what
the IME is for. ;D

Do I expect you could introduce a very subtle security vulnerability with
it? Absolutely. The spectre microcode patches effectively do the reverse of
that.

Do I worry about that too much? Not really. My reasoning is that it would
be equivalent to introducing it in the in-silicon architecture of the CPU,
and that's already something we *assume* Intel/AMD/etc don't (or shouldn't,
for practical/legal/moral reasons) do. We can talk about silicon poisoning
later over (preferably alcoholic) beverages.

Do I think that this has any bearing on whether you should install
microcode patches? Not really, no. Microcode patches are (typically)
created to fix some specific errata. You could make some argument that they
also provide the opportunity to introduce/remove some vulnerability, since
they can't really be inspected that well (or at all), but I refer you to #2.

Since they typically exist to fix some (sometimes serious) errata I install
them as a matter of "best security practice" like I do for innumerable
software updates.

Note that all of the above is purely from a practical stability/security
perspective. Proprietary IP (code and otherwise) permeating everything we
use at a deep level is also a huge moral issue (or so I am repeatedly told
:D), it's just that I tend to focus on the practical aspects/implications.

That said, even if you have stronger free-software moral fortitude than me
[1], I can't fathom why you wouldn't install a microcode patch. You're free
to abstain, but I would *mostly* equate running a CPU with unpatched
microcode with running one that's patched. I say mostly, because I consider
the patching to be small potatoes, especially compared with, say, not
infecting your friends with a virus that exploits a significant errata. (I
won't say more on this though, since I've probably already just ensured a
"lively" ethics debate. I just want the option to load the damn things.)

Don't get me wrong, for both moral and practical reasons I would love more
than anything to be using a 100% open computer. But I would have to not
ignore hardware in that, especially if we count microcode. I don't think we
can expect Intel/AMD/etc to release the complete design of *any* CPU since
at least the Z80, and that still may not do anyone any good if they're the
only ones making them. I think the best we can look forward to on that
front right now is RISC-V hitting silicon from a variety of
manufacturers. I recently saw their dev board running youtube videos, so
that looks promising.

[1] I will, on occasion, use N-F software *Gasp!* that's convenient *Gasp!*
and from sources I sufficiently trust in contexts where that trust is
sufficient.

Sincerely,
-Matt

On Thu, May 24, 2018 at 6:00 AM,  wrote:

> Message: 8
> Date: Wed, 23 May 2018 22:37:47 +0100
> From: Andrew Luke Nesbit 
> To: coreboot@coreboot.org
> Subject: Re: [coreboot] When does AMD release the fam15 spectre
> microcode updates?
> Message-ID: 
> Content-Type: text/plain; charset=utf-8
>
> On 23/05/2018 20:55, ron minnich wrote:
> >
> >
> > On Wed, May 23, 2018 at 12:54 PM Rudolf Marek  > <mailto:r.ma...@assembler.cz>> wrote:
> >
> > Hi all,
> >
> > Dne 22.5.2018 v 07:03 taii...@gmx.com <mailto:taii...@gmx.com>
> > napsal(a):
> >
> >
> > > don't they have those in this update? Would it be possible to
> > easily add
> > > the support flags without microcode for those who use libreboot?
> >
> > So libreboot guys don't want any fixes for a CPU?
> >
> >
> > I've been wondering about this. IIRC the original motivation for the
> > libreboot fork was microcode.?
> > Is microcode still out of bounds for libreboot?
>
> I don't know if the original motivation still appl

Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-05-28 Thread Ivan Ivanov
Maybe it just AMD's microcode versioning got messed up and this is
indeed the latest microcode despite its lower number, but the only
way to check it - is to test both microcodes for their degree of
vulnerability to the Spectres. It does not make much sense to release
an outdated microcode, assuming it's not an accidental mistake by AMD
- so I hope that AMD guy would notice your messages

Ivan

2018-05-27 13:17 GMT+03:00 Mike Banon :
> Hi Rudolf,
>
> Please could you try contacting this AMD person again, regarding the
> problems with this recent microcode update? Because it looks like he
> noticed your messages since he at least tried to fix, but haven't
> noticed mine for some reason (regarding the lack of updated 16h
> microcode; why only 15h and 17h are being updated while 16h is
> forgotten - I could not understand, and this is relevant since there
> are some coreboot-supporting 16h boards)
>
> Best regards,
> Mike Banon
>
> On Sat, May 26, 2018 at 7:13 PM, Rudolf Marek  wrote:
>> Hi again,
>>
>> Dne 23.5.2018 v 21:52 Rudolf Marek napsal(a):
>>> For some reason this firmware update deletes microcode for Trinity CPUs, I
>>> tried to contact the person who committed this without any luck. As I have
>>> previously written the github page has even newer microcode.
>>
>> This was fixed, however the old (same) microcode was provided again.
>>
>> Thanks
>> Rudolf
>>
>>
>>
>>
>> --
>> coreboot mailing list: coreboot@coreboot.org
>> https://mail.coreboot.org/mailman/listinfo/coreboot
>



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-05-27 Thread Mike Banon
Hi Rudolf,

Please could you try contacting this AMD person again, regarding the
problems with this recent microcode update? Because it looks like he
noticed your messages since he at least tried to fix, but haven't
noticed mine for some reason (regarding the lack of updated 16h
microcode; why only 15h and 17h are being updated while 16h is
forgotten - I could not understand, and this is relevant since there
are some coreboot-supporting 16h boards)

Best regards,
Mike Banon

On Sat, May 26, 2018 at 7:13 PM, Rudolf Marek  wrote:
> Hi again,
>
> Dne 23.5.2018 v 21:52 Rudolf Marek napsal(a):
>> For some reason this firmware update deletes microcode for Trinity CPUs, I
>> tried to contact the person who committed this without any luck. As I have
>> previously written the github page has even newer microcode.
>
> This was fixed, however the old (same) microcode was provided again.
>
> Thanks
> Rudolf
>
>
>
>



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-05-26 Thread Rudolf Marek
Hi again,

Dne 23.5.2018 v 21:52 Rudolf Marek napsal(a):
> For some reason this firmware update deletes microcode for Trinity CPUs, I
> tried to contact the person who committed this without any luck. As I have
> previously written the github page has even newer microcode.

This was fixed, however the old (same) microcode was provided again.

Thanks
Rudolf

 




Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-05-23 Thread Alberto Bursi


On 22/05/2018 07:03, taii...@gmx.com wrote:
> AMD has at long last coughed up the stuff to the linux-firmware people
>
> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/diff/amd-ucode/microcode_amd_fam15h.bin?id=77101513943ef198e2050667c87abf19e6cbb1d8
>
> The fam15h microcode update adds IBPB
>
>    * Indirect Branch Prediction Barrier (IBPB)
>      * PRED_CMD MSR is available:  YES
>      * CPU indicates IBPB capability:  YES  (IBPB_SUPPORT feature bit)
>
> The question is what about the other stuff? IBRS, STIBP? This is
> confusing due to zero documentation on these updates from amd...Why
> don't they have those in this update? Would it be possible to easily add
> the support flags without microcode for those who use libreboot?
>

What do you mean with "add the support flags without microcode"?

A CPU either supports some instructions (like IBPB) because it actually 
does (i.e. the microcode tells it how to do that), or it does not.

I don't know if you can fake enable these support flags, but I don't 
think it is a good idea at all, at best it would just be a lie, at worst 
it could cause issues (crashing?) if the kernel calls an instruction 
that isn't available (I don't know how that is handled).

-Alberto

Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-05-23 Thread Andrew Luke Nesbit
On 23/05/2018 20:55, ron minnich wrote:
> 
> 
> On Wed, May 23, 2018 at 12:54 PM Rudolf Marek  > wrote:
> 
> Hi all,
> 
> Dne 22.5.2018 v 07:03 taii...@gmx.com 
> napsal(a):
> 
> 
> > don't they have those in this update? Would it be possible to
> easily add
> > the support flags without microcode for those who use libreboot?
> 
> So libreboot guys don't want any fixes for a CPU?
> 
> 
> I've been wondering about this. IIRC the original motivation for the
> libreboot fork was microcode. 
> Is microcode still out of bounds for libreboot?

I don't know if the original motivation still applies.  This is an
important discussion to have.

I've pinged the folks in #libreboot and #vikings on Freenode to alert
them to this discussion.  There are probably other relevant channels
I've missed.

Hopefully somebody with a wider and deeper understanding of the issue
than I have is reading this list.  Hopefully they will chime in and
provide a more authoritative answer.  If not I will keep pestering them
because I don't want to see this unresolved, but I would like to help
out however I can and learn whatever is needed to make a positive
contribution.

Andrew
-- 
OpenPGP key: EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9


Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-05-23 Thread ron minnich
On Wed, May 23, 2018 at 12:54 PM Rudolf Marek  wrote:

> Hi all,
>
> Dne 22.5.2018 v 07:03 taii...@gmx.com napsal(a):
>
>
> > don't they have those in this update? Would it be possible to easily add
> > the support flags without microcode for those who use libreboot?
>
> So libreboot guys don't want any fixes for a CPU?
>
>
I've been wondering about this. IIRC the original motivation for the
libreboot fork was microcode.
Is microcode still out of bounds for libreboot?

Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-05-23 Thread Rudolf Marek
Hi all,

Dne 22.5.2018 v 07:03 taii...@gmx.com napsal(a):
> AMD has at long last coughed up the stuff to the linux-firmware people
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/diff/amd-ucode/microcode_amd_fam15h.bin?id=77101513943ef198e2050667c87abf19e6cbb1d8
> 
> The fam15h microcode update adds IBPB
> 
>   * Indirect Branch Prediction Barrier (IBPB)
>     * PRED_CMD MSR is available:  YES
>     * CPU indicates IBPB capability:  YES  (IBPB_SUPPORT feature bit)

For some reason this firmware update deletes microcode for Trinity CPUs, I
tried to contact the person who committed this without any luck. As I have
previously written the github page has even newer microcode.

> The question is what about the other stuff? IBRS, STIBP? This is
> confusing due to zero documentation on these updates from amd...Why

Not true, check:
https://developer.amd.com/resources/speculative-execution/

You only need IBPB + retpoline in kernel + RSB clear on CPL switch.

> don't they have those in this update? Would it be possible to easily add
> the support flags without microcode for those who use libreboot?

So libreboot guys don't want any fixes for a CPU?

> Would it still be a good idea to add the lfence msr as rmarek mentioned?

You could, but OS will do that for you (at least Linux). Moreover the Variant 4
can be mitigated on fam15h by switching off some chicken bits in the CFG_LS, see above.

I think I have seen some commit in Linux to do that.

Thanks
Rudolf



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-05-23 Thread taii...@gmx.com
AMD has at long last coughed up the stuff to the linux-firmware people

https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/diff/amd-ucode/microcode_amd_fam15h.bin?id=77101513943ef198e2050667c87abf19e6cbb1d8

The fam15h microcode update adds IBPB

  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES
    * CPU indicates IBPB capability:  YES  (IBPB_SUPPORT feature bit)

The question is what about the other stuff? IBRS, STIBP? This is
confusing due to zero documentation on these updates from amd...Why
don't they have those in this update? Would it be possible to easily add
the support flags without microcode for those who use libreboot?

Would it still be a good idea to add the lfence msr as rmarek mentioned?

As this is all above my pay-grade I would very much appreciate one of
the experts to chime in.



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-05-23 Thread taii...@gmx.com
My lord yet another one.
https://www.phoronix.com/scan.php?page=news_item=Spectre-V3-V4-Vulnerabilities
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3b78ce4a34b761c7fe13520de822984019ff1a8f
Now we also seem to need something called SSBD (Speculative Store Bypass
Disable) of which I can't find much information on, does anyone know if
fam15h will receive it? and if the microcode update 0x06000852 I have
posted is the latest one currently in the wild? It only has one of
the mitigations whilst AMD's
"Architecture_Guidelines_Update_Indirect_Branch_Control.pdf" seems to
indicate that there are microcode with all three (and now 4) mitigations.

Where can one obtain the microcode with all 4 for fam15h?



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-04-25 Thread Ivan Ivanov
If I understood all this correctly, the updated microcodes should be
forcing the CPU to do these MSR writes (or the low level action which
stands behind them) by default. So that, when you got this updated
microcode on your CPU, it's already fixed and no further operations are
necessary!

At the moment both me and Mike have sent many letters to AMD (example
provided below, you could use its parts as well). Have not received
any good reply yet (only one reply, with a stupid link to spectre v2
description page and without any files attached) - but we are trying
hard and hope to eventually reach a smart person at AMD who could help
us...

By the way, these microcodes from platomav github page - are from
February/March, and I believe they do not contain a spectre v2 fix. So
we hope to either eventually get these microcodes from AMD, or to
somehow extract them from a super bloated Win10 update, or to try to
extract them from the updated BIOSes of other companies when they come
out

===
1) go to amd support page and open a ticket form
2) set company as "coreboot" or "coreboot BIOS"

Subject: Updated microcode for coreboot BIOS devs

We, the coreboot BIOS developers, have not received any microcode
updates from AMD (aimed towards patching the spectre v2
vulnerability). AMD sent these updated microcode binaries to many
motherboard and BIOS development companies, but forgot to send these
files to us at coreboot! Could you please provide a standalone
download of your updated microcode binaries, to make it possible for
us to include them to our coreboot BIOS running on AMD platforms? We
will appreciate if you will share these updated microcode binaries
with us - maybe together with SHA-256 or SHA-512 hashes of these files
or GnuPG signatures to ensure the security of transaction.

Best regards,
Ivan Ivanov, coreboot BIOS firmware engineer

P.S. Although, ideally these new updated microcodes should be
committed to kernel/git/firmware/linux-firmware.git repository -->
directory called "amd-ucode". Currently it contains the following files:
microcode_amd.bin, microcode_amd.bin.asc, microcode_amd_fam15h.bin,
microcode_amd_fam15h.bin.asc, microcode_amd_fam16h.bin,
microcode_amd_fam16h.bin.asc. They have been last updated at 2015/16
year, and we would like to see them updated again

2018-04-25 4:02 GMT+03:00 awokd via coreboot :
> On Tue, April 24, 2018 11:31 pm, Nico Huber wrote:
>> On 25.04.2018 00:18, taii...@gmx.com wrote:
>
>>> I can't believe everyone else is so nonchalant about all this
>>> considering how important it is I still haven't figured out how to update
>>> the microcode on any of my computers - no guides I have found actually
>>> work and no distros have the new microcode for intel or amd despite it
>>> having been months.
>
> I'm not nonchalant, but I'm not entirely sure what to do with those patch
> files and was hoping to see a new amd microcode 15h bin with them
> incorporated.
>
>> I can't believe everybody is so nonchalant about Rowhammer but many
>> people make a big thing out of the comparatively tiny Spectre problem.
>>
>>>
>>> For the best security one should have both the new microcode and the
>>> lfence msr?
>>
>> Not for the best but for any security, you have to understand first that
>> both options only change something if your software is prepared to
>> utilize them. First update your software, then check what it needs / what the
>> developers expect (the new microcode I'd guess).
>
> If I remember the earlier discussion right on that lfence msr, the OS can
> also set it so although it would be nice if coreboot did as well, it's not
> required?
>
>



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-04-24 Thread awokd via coreboot
On Tue, April 24, 2018 11:31 pm, Nico Huber wrote:
> On 25.04.2018 00:18, taii...@gmx.com wrote:

>> I can't believe everyone else is so nonchalant about all this
>> considering how important it is I still haven't figured out how to update
>> the microcode on any of my computers - no guides I have found actually
>> work and no distros have the new microcode for intel or amd despite it
>> having been months.

I'm not nonchalant, but I'm not entirely sure what to do with those patch
files and was hoping to see a new amd microcode 15h bin with them
incorporated.

> I can't believe everybody is so nonchalant about Rowhammer but many
> people make a big thing out of the comparatively tiny Spectre problem.
>
>>
>> For the best security one should have both the new microcode and the
>> lfence msr?
>
> Not for the best but for any security, you have to understand first that
> both options only change something if your software is prepared to
> utilize them. First update your software, then check what it needs / what the
> developers expect (the new microcode I'd guess).

If I remember the earlier discussion right on that lfence msr, the OS can
also set it so although it would be nice if coreboot did as well, it's not
required?




Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-04-24 Thread Nico Huber
On 25.04.2018 00:18, taii...@gmx.com wrote:
> On 04/17/2018 03:30 AM, Rudolf Marek wrote:
> 
>> Hi,
>>
>> I found new microcode here [1], I used 
>> cpu00610F01_ver0600111F_2018-03-05_AC55EB96.bin as a microcode for my 
>> Trinity family15h CPU.
>> I hacked together a new microcode header which contains the equivalence 
>> table etc to be able to load this microcode into the CPU from Linux.
>>
>> dd if=/lib/firmware/amd-ucode/microcode_amd_fam15h.bin bs=1 count=84 of=header.bin
>> cat header.bin cpu00610F01_ver0600111F_2018-03-05_AC55EB96.bin > microcode_amd_fam15h.bin
>>
>> copy the file to same location and trigger update:
>>
>> echo 1 >  /sys/devices/system/cpu/microcode/reload
>>
>> [ 6032.948243] microcode: CPU0: new patch_level=0x0600111f
>> [ 6032.964913] microcode: CPU2: new patch_level=0x0600111f
>>
>> Please note that the header.bin does contain a size of the microcode blob, 
>> but it happens to be the same, so it works. Normally the container
>> may contain more microcode blobs. But in my case I use just "right" one for 
>> my CPU.
>>
>> The new microcode seems to be adding the IBPB feature.
>>
>> Thanks
>> Rudolf
>>
>>
>> [1] https://github.com/platomav/CPUMicrocodes
> This didn't work on my piledriver CPUs :[
>
> When I try to "reload" nothing happens not even an error in dmesg, the
> reload command has never worked for me no matter what system I use intel
> or amd.
> 
> Thanks for helping.
> I can't believe everyone else is so nonchalant about all this
> considering how important it is I still haven't figured out how to
> update the microcode on any of my computers - no guides I have found
> actually work and no distros have the new microcode for intel or amd
> despite it having been months.

I can't believe everybody is so nonchalant about Rowhammer but many
people make a big thing out of the comparatively tiny Spectre problem.

> 
> For the best security one should have both the new microcode and the
> lfence msr?

Not for the best but for any security, you have to understand first that
both options only change something if your software is prepared to
utilize them. First update your software, then check what it needs / what
the developers expect (the new microcode I'd guess).

Nico



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-04-24 Thread taii...@gmx.com
On 04/17/2018 03:30 AM, Rudolf Marek wrote:

> Hi,
>
> I found new microcode here [1], I used 
> cpu00610F01_ver0600111F_2018-03-05_AC55EB96.bin as a microcode for my Trinity 
> family15h CPU.
> I hacked together a new microcode header which contains the equivalence table 
> etc to be able to load this microcode into the CPU from Linux.
>
> dd if=/lib/firmware/amd-ucode/microcode_amd_fam15h.bin bs=1 count=84 of=header.bin
> cat header.bin cpu00610F01_ver0600111F_2018-03-05_AC55EB96.bin > microcode_amd_fam15h.bin
>
> copy the file to same location and trigger update:
>
> echo 1 >  /sys/devices/system/cpu/microcode/reload
>
> [ 6032.948243] microcode: CPU0: new patch_level=0x0600111f
> [ 6032.964913] microcode: CPU2: new patch_level=0x0600111f
>
> Please note that the header.bin does contain a size of the microcode blob, 
> but it happens to be the same, so it works. Normally the container
> may contain more microcode blobs. But in my case I use just "right" one for 
> my CPU.
>
> The new microcode seems to be adding the IBPB feature.
>
> Thanks
> Rudolf
>
>
> [1] https://github.com/platomav/CPUMicrocodes
This didn't work on my piledriver CPUs :[

When I try to "reload" nothing happens not even an error in dmesg, the
reload command has never worked for me no matter what system I use intel
or amd.

Thanks for helping.
I can't believe everyone else is so nonchalant about all this
considering how important it is I still haven't figured out how to
update the microcode on any of my computers - no guides I have found
actually work and no distros have the new microcode for intel or amd
despite it having been months.

For the best security one should have both the new microcode and the
lfence msr?



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-04-17 Thread awokd via coreboot
On Tue, April 17, 2018 10:31 am, Rudolf Marek wrote:
> Hi,
>
>
> Dne 17.4.2018 v 12:09 awokd via coreboot napsal(a):
>
>> At what byte locations in the header is the equivalence table? I was
>> looking for this...
>
> Hm I'm not aware where is it documented, or if there is some tool to
> manipulate it/dump the structure. Maybe it could be added to some existing
> tool?

I ran into that too, couldn't find it documented anywhere!

> Here is what I deduced from Linux arch/x86/kernel/cpu/microcode/amd.c
> + header files
>
>
> + 0 u32 UCODE_MAGIC
> + 4 u32 UCODE_EQUIV_CPU_TABLE_TYPE (0x0)
> + 8 u32 size of following equiv table say "N"
>
>
> Then this follows, the last table has installed_cpu_cpuid == 0
>
>
> u32 installed_cpu_cpuid
> u32 fixed_errata_mask
> u32 fixed_errata_compare
> u16 equiv_cpu
> u16 res
>
> + N u32 UCODE_UCODE_TYPE (0x1)
> + N + 4 u32 sizeof blob (without this header)
> + N + 8 microcode blob from github follows here
> ...
> Then after that, there could be again
>
>
> + X u32 UCODE_UCODE_TYPE
> + X + 4 u32 SECTION_SIZE
> + X + 8 microcode header (blob from github follows here)

Thank you; I'll try to cross-reference against the AGESA code and see if I
can work it out. That was the only way I could get my corebooted system to
recognize my equivalent CPU for microcode updates before.





Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-04-17 Thread Rudolf Marek
Hi,

Dne 17.4.2018 v 12:09 awokd via coreboot napsal(a):
> At what byte locations in the header is the equivalence table? I was
> looking for this...

Hm I'm not aware where is it documented, or if there is some tool to manipulate
it/dump the structure. Maybe it could be added to some existing tool?

Here is what I deduced from Linux arch/x86/kernel/cpu/microcode/amd.c
+ header files

+ 0 u32 UCODE_MAGIC 
+ 4 u32 UCODE_EQUIV_CPU_TABLE_TYPE (0x0)
+ 8 u32 size of following equiv table say "N"

Then this follows, the last table has installed_cpu_cpuid == 0

u32 installed_cpu_cpuid
u32 fixed_errata_mask
u32 fixed_errata_compare
u16 equiv_cpu
u16 res

+ N u32 UCODE_UCODE_TYPE (0x1)
+ N + 4 u32 sizeof blob (without this header)
+ N + 8 microcode blob from github follows here
...
Then after that, there could be again

+ X u32 UCODE_UCODE_TYPE
+ X + 4 u32 SECTION_SIZE
+ X + 8 microcode header (blob from github follows here)

The microcode blob has the header which already matches the usual microcode 
header:

struct microcode_header_amd {
    u32 data_code;
    u32 patch_id;
    u16 mc_patch_data_id;
    u8  mc_patch_data_len;
    u8  init_flag;
    u32 mc_patch_data_checksum;
    u32 nb_dev_id;
    u32 sb_dev_id;
    u16 processor_rev_id;
    u8  nb_rev_id;
    u8  sb_rev_id;
    u8  bios_api_rev;
    u8  reserved1[3];
    u32 match_reg[8];
} __attribute__((packed));

Thanks
Rudolf
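
Added example (not part of the original message, and not kernel or coreboot code): a Python walker for the container layout described above, which rejects a file whose section size no longer matches the appended blob, the caveat noted in the thread about reusing header.bin. The UCODE_MAGIC value is taken from Linux's asm/microcode_amd.h; the equivalence IDs, the CPUID mappings other than 0x00610F01, and the all-zero patch body are constructed sample data.

```python
import struct

UCODE_MAGIC = 0x00414D44           # from Linux asm/microcode_amd.h, not shown in the thread
UCODE_EQUIV_CPU_TABLE_TYPE = 0x0
UCODE_UCODE_TYPE = 0x1

CONTAINER_HDR = struct.Struct("<III")    # magic, table type, equiv table size N
EQUIV_ENTRY = struct.Struct("<IIIHH")    # installed_cpu, errata mask, errata compare, equiv_cpu, res
SECTION_HDR = struct.Struct("<II")       # section type, section size
PATCH_HDR = struct.Struct("<IIHBBIIIHBBB3s8I")  # packed struct microcode_header_amd, 64 bytes


def parse_container(data):
    """Return (equiv_table, patches); raise ValueError if the layout is inconsistent."""
    if len(data) < CONTAINER_HDR.size:
        raise ValueError("truncated container header")
    magic, table_type, table_size = CONTAINER_HDR.unpack_from(data, 0)
    if magic != UCODE_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    if table_type != UCODE_EQUIV_CPU_TABLE_TYPE:
        raise ValueError("first section is not an equivalence table")
    start = CONTAINER_HDR.size
    end = start + table_size
    if table_size % EQUIV_ENTRY.size or end > len(data):
        raise ValueError("bad equivalence table size %d" % table_size)

    equiv = {}
    for pos in range(start, end, EQUIV_ENTRY.size):
        cpuid, _mask, _compare, equiv_cpu, _res = EQUIV_ENTRY.unpack_from(data, pos)
        if cpuid == 0:                   # terminator: installed_cpu == 0
            break
        equiv[cpuid] = equiv_cpu

    patches = []
    off = end
    while off < len(data):
        if off + SECTION_HDR.size > len(data):
            raise ValueError("truncated section header at offset %d" % off)
        sec_type, sec_size = SECTION_HDR.unpack_from(data, off)
        off += SECTION_HDR.size
        if sec_type != UCODE_UCODE_TYPE:
            raise ValueError("unexpected section type 0x%x before offset %d" % (sec_type, off))
        if sec_size < PATCH_HDR.size or off + sec_size > len(data):
            raise ValueError("section size %d does not fit the file" % sec_size)
        fields = PATCH_HDR.unpack_from(data, off)
        patches.append({
            "offset": off,               # where the raw blob starts in the file
            "size": sec_size,
            "data_code": fields[0],
            "patch_id": fields[1],
            "processor_rev_id": fields[8],
        })
        off += sec_size
    return equiv, patches


def patch_for_cpuid(data, cpuid):
    """Map CPUID -> equivalence ID -> patch whose processor_rev_id matches, or None."""
    equiv, patches = parse_container(data)
    equiv_cpu = equiv.get(cpuid)
    if equiv_cpu is None:
        return None
    for patch in patches:
        if patch["processor_rev_id"] == equiv_cpu:
            return patch
    return None


def build_sample(blob_len=128, declared_len=None):
    """Constructed container with one dummy patch (zero-filled, not real microcode).

    Three mappings plus the terminator make the part before the blob
    12 + 4*16 + 8 = 84 bytes, the same count the dd command in the thread copies.
    """
    table = b"".join(EQUIV_ENTRY.pack(cpuid, 0, 0, equiv_cpu, 0) for cpuid, equiv_cpu in (
        (0x00610F01, 0x6101),            # CPUID from the thread; equivalence ID constructed
        (0x00600F12, 0x6012),            # constructed
        (0x00600F20, 0x6020),            # constructed
        (0, 0),                          # terminator
    ))
    header = PATCH_HDR.pack(0x03052018, 0x0600111F, 0, 0, 0, 0, 0, 0,
                            0x6101, 0, 0, 0, b"\0\0\0", *([0] * 8))
    blob = header + bytes(blob_len - PATCH_HDR.size)
    if declared_len is None:
        declared_len = len(blob)
    return (CONTAINER_HDR.pack(UCODE_MAGIC, UCODE_EQUIV_CPU_TABLE_TYPE, len(table))
            + table + SECTION_HDR.pack(UCODE_UCODE_TYPE, declared_len) + blob)


if __name__ == "__main__":
    equiv, patches = parse_container(build_sample())
    for cpuid, equiv_cpu in equiv.items():
        print("cpuid 0x%08x -> equiv 0x%04x" % (cpuid, equiv_cpu))
    for p in patches:
        print("patch 0x%08x at offset %d, %d bytes" % (p["patch_id"], p["offset"], p["size"]))
    try:
        # header copied from an old file whose blob was a different length
        parse_container(build_sample(blob_len=256, declared_len=128))
    except ValueError as err:
        print("rejected spliced file:", err)
```

Running the walker over a spliced file before copying it into /lib/firmware shows whether the stale size field still matches and whether any patch in the container maps to the CPUID in question.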







Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-04-17 Thread awokd via coreboot
On Tue, April 17, 2018 7:30 am, Rudolf Marek wrote:
> Hi,
>
>
> I found new microcode here [1], I used
> cpu00610F01_ver0600111F_2018-03-05_AC55EB96.bin as a microcode for my
> Trinity family15h CPU.
> I hacked together a new microcode header which contains the equivalence
> table etc to be able to load this microcode into the CPU from Linux.
>
> dd if=/lib/firmware/amd-ucode/microcode_amd_fam15h.bin bs=1 count=84 of=header.bin
> cat header.bin cpu00610F01_ver0600111F_2018-03-05_AC55EB96.bin > microcode_amd_fam15h.bin

At what byte locations in the header is the equivalence table? I was
looking for this...





Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-04-17 Thread Rudolf Marek
Hi,

I found new microcode here [1], I used
cpu00610F01_ver0600111F_2018-03-05_AC55EB96.bin as a microcode for my Trinity
family15h CPU.
I hacked together a new microcode header which contains the equivalence table
etc to be able to load this microcode into the CPU from Linux.

dd if=/lib/firmware/amd-ucode/microcode_amd_fam15h.bin bs=1 count=84 of=header.bin
cat header.bin cpu00610F01_ver0600111F_2018-03-05_AC55EB96.bin > microcode_amd_fam15h.bin

copy the file to same location and trigger update:

echo 1 >  /sys/devices/system/cpu/microcode/reload

[ 6032.948243] microcode: CPU0: new patch_level=0x0600111f
[ 6032.964913] microcode: CPU2: new patch_level=0x0600111f

Please note that the header.bin does contain a size of the microcode blob, but
it happens to be the same, so it works. Normally the container may contain more
microcode blobs. But in my case I use just "right" one for my CPU.

The new microcode seems to be adding the IBPB feature.

Thanks
Rudolf


[1] https://github.com/platomav/CPUMicrocodes



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-04-12 Thread taii...@gmx.com
On 04/12/2018 09:06 AM, Mike Banon wrote:

>> AMD kept their promise.
> Are you sure? I cannot find any download links except for the Windows 10.
> Yes, theoretically it should be possible to unpack those monstrous .cab files
> aimed for Win10 and extract a microcode hidden somewhere, but this is stupid.
> Do you have the download links for the standalone microcode updates?
Yeah its absolutely retarded but this is par for the course these days,
I unfortunately have no idea where to obtain them but they apparently do
exist.

The so called experts in charge these days think letting us peons own
and control our computer, and run and have access to whatever code we
please is simply too dangerous.
In this absurdly risk averse society they don't want to have any tech
support requests because they released it to everyone and "help it
doesn't work".



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-04-12 Thread Mike Banon
> AMD kept their promise.
Are you sure? I cannot find any download links except for the Windows 10.
Yes, theoretically it should be possible to unpack those monstrous .cab files
aimed for Win10 and extract a microcode hidden somewhere, but this is stupid.
Do you have the download links for the standalone microcode updates?

Best regards,
Mike Banon

On Thu, Apr 12, 2018 at 11:01 AM, taii...@gmx.com  wrote:
> AMD kept their promise.
> https://www.bleepingcomputer.com/news/hardware/amd-releases-spectre-v2-microcode-updates-for-cpus-going-back-to-2011/



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-04-12 Thread taii...@gmx.com
AMD kept their promise.
https://www.bleepingcomputer.com/news/hardware/amd-releases-spectre-v2-microcode-updates-for-cpus-going-back-to-2011/



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-04-11 Thread Rudolf Marek

Hi,

There is a slight update from AMD [1], relevant part for you:

*AMD Microcode Updates for GPZ Variant 2/Spectre*

In addition, microcode updates with our recommended mitigations addressing 
Variant 2 (Spectre) have been released to our customers and ecosystem partners 
for AMD processors dating back to the first “Bulldozer” core products introduced 
in 2011.


AMD customers will be able to install the microcode by downloading BIOS updates 
provided by PC and server manufacturers and motherboard providers.  Please check 
with your provider for the latest updates.


Unfortunately, I don't know where to get that microcode. Any ideas?

And also, it changed in [2] the claims that IBPB should be made on context 
switch.

Thanks
Rudolf

[1] https://www.amd.com/en/corporate/security-updates
[2] https://developer.amd.com/wp-content/resources/Architecture_Guidelines_Update_Indirect_Branch_Control.pdf



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-03-31 Thread Rudolf Marek
Hi,

On 29.3.2018 at 20:39, taii...@gmx.com wrote:
>> Plus make sure you enable "LFENCE is dispatch serializing" - perhaps
>> coreboot can do that :) It is a simple MSR write on fam 10h, 12h+; fam 11h
>> and 0fh don't have this MSR, but LFENCE is dispatch serializing.
> Hmm do you have more info links about this?

Yes sure, go to [1], click on [2] and check "MITIGATION G-2". Basically just set:
MSR C001_1029[1]=1 on 10h/12h/14h/15h/16h/17h; 0fh and 11h don't have it, but
LFENCE is dispatch serializing there already.

Thanks
Rudolf

[1] https://www.amd.com/en/corporate/security-updates
[2] https://developer.amd.com/wp-content/resources/Managing-Speculation-on-AMD-Processors.pdf

-- 
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot
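
Added example (not part of the thread, and not coreboot or AMD code): a Python audit of the setting described above, MSR C001_1029 bit 1, on every logical CPU through the Linux msr driver. The function names and status strings are made up for this example; the MSR is per-core state, so each CPU is read separately.

```python
import os

LFENCE_MSR = 0xC0011029      # MSR C001_1029, as given in the message above
LFENCE_BIT = 1               # bit 1: "LFENCE is dispatch serializing"
HAS_MSR = {0x10, 0x12, 0x14, 0x15, 0x16, 0x17}   # families that need the bit set
ALWAYS_SERIALIZING = {0x0F, 0x11}                # no such MSR, nothing to set

def read_msr(cpu, msr=LFENCE_MSR):
    """Read one MSR via /dev/cpu/N/msr (needs root and the msr kernel module)."""
    fd = os.open("/dev/cpu/%d/msr" % cpu, os.O_RDONLY)
    try:
        return int.from_bytes(os.pread(fd, 8, msr), "little")
    finally:
        os.close(fd)

def amd_cpu_families(cpuinfo_text):
    """Map logical CPU -> family for AMD CPUs; /proc/cpuinfo prints the family in decimal."""
    fams, cpu, vendor = {}, None, None
    for line in cpuinfo_text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "processor":
            cpu, vendor = int(val), None
        elif key == "vendor_id":
            vendor = val
        elif key == "cpu family" and cpu is not None and vendor == "AuthenticAMD":
            fams[cpu] = int(val)
    return fams

def audit(cpuinfo_text, reader=read_msr):
    """Return {cpu: status}; 'reader' is injectable so the logic can be tested offline."""
    result = {}
    for cpu, fam in sorted(amd_cpu_families(cpuinfo_text).items()):
        if fam in ALWAYS_SERIALIZING:
            result[cpu] = "ok: family has no MSR, LFENCE already serializing"
        elif fam in HAS_MSR:
            bit_set = (reader(cpu) >> LFENCE_BIT) & 1
            result[cpu] = "ok: bit 1 set" if bit_set else "MISSING: bit 1 clear"
        else:
            result[cpu] = "unknown: family 0x%x not covered by the message" % fam
    return result

if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        for cpu, status in audit(f.read()).items():
            print("cpu%d: %s" % (cpu, status))
```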


Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-03-29 Thread taii...@gmx.com
On 02/18/2018 07:03 AM, Rudolf Marek wrote:
> Hi,
Thanks for the detailed reply :]
> What do you want to protect?
I just looked at the AMD page, saw they said they would be releasing
updates, and I figured I should have them even though there is no
description as to what they actually will do.
> If you want to protect the kernel, retpolines are OK on AMD.
> And you don't need any microcode update. Your CPU needs to have SMEP,
> otherwise you would need to clear RSB on CPL change (the paper on the
> mentioned page says that you need to do that always, but at least on Ryzen,
> the attack using RSB is not working (we tried that out, maybe it works only
> in some circumstances)).
>
> If you want to protect userspace, the RSB will be cleared by IBPB (which you
> would need if you don't have userspace compiled with retpolines). I don't
> know if Intel clears RSB on IBPB... probably not.
>
> To sum it up on AMD:
>
> kernel:
> retpolines, RSB clear on CPL change on CPU without SMEP (see above)
>
> userspace:
> retpolines, RSB clear on context switch necessary or IBPB (needs microcode
> update).
>
> Plus make sure you enable "LFENCE is dispatch serializing" - perhaps coreboot
> can do that :) It is a simple MSR write on fam 10h, 12h+; fam 11h and 0fh
> don't have this MSR, but LFENCE is dispatch serializing.
Hmm do you have more info links about this?
> Besides that, you don't need any microcode update.
>
> Plus of course there is Spectre variant 1, which is more difficult to
> mitigate; basically you need to check all the software and look for any
> pattern like array_x[array_z[untrusted_index] * any transformation].
>
> The first access would leak just the address (ASLR defeated), the second
> will leak data.
> Variant 1 works on user/user attacks as well as user/kernel.
>
> As far as I know there are no automated tools to check for this.



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-02-20 Thread Piotr Kubaj via coreboot

AFAIK it's not only fam15 that is vulnerable. If you're going to ask, could you 
ask about updates for other CPU's than Ryzen in general? I also have fam14 and 
fam16 boards.

On 18-02-19 12:00:01, coreboot-requ...@coreboot.org wrote:


Message: 1
Date: Sun, 18 Feb 2018 14:48:05 +0300
From: Mike Banon <mikeb...@gmail.com>
To: "taii...@gmx.com" <taii...@gmx.com>, coreboot@coreboot.org
Subject: Re: [coreboot] When does AMD release the fam15 spectre
microcode updates?
Message-ID:
<cak7947kcpwzwt0mpc6uttvk-z8suy-cl-0e0x5gz8rdj41c...@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Maybe it's a good idea to write to AMD support regarding this question
- please share a reply if you would get an answer. I'm curious about
other fam15 CPUs as well, e.g. A10-5750M microcode update would be
nice, maybe a request could be more general, e.g.: what is the
estimated release date for the microcode updates for fam15 AMD CPUs
(so a request is not about "opterons only")

On Sun, Feb 18, 2018 at 2:47 PM, Mike Banon <mikeb...@gmail.com> wrote:

Maybe it's a good idea to write to AMD support regarding this question
- please share a reply if you would get an answer. I'm curious about
other fam15 CPUs as well, e.g. A10-5750M microcode update would be
nice, maybe a request could be more general, e.g.: what is the
estimated release date for the microcode updates for fam15 AMD CPUs
(so a request is not about "opterons only")

On Sun, Feb 18, 2018 at 4:30 AM, taii...@gmx.com <taii...@gmx.com> wrote:

They said they would be releasing opteron microcode updates in a few weeks
but it has been over a month and I am wondering when this is going to happen
or if it already has and I should re-compile coreboot?

https://www.amd.com/en/corporate/speculative-execution
"We expect to make updates available for our previous generation products
over the coming weeks."

Thanks!


--
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot




--

Message: 2
Date: Sun, 18 Feb 2018 13:03:07 +0100
From: Rudolf Marek <r.ma...@assembler.cz>
To: Mike Banon <mikeb...@gmail.com>, "taii...@gmx.com"
<taii...@gmx.com>, coreboot@coreboot.org
Subject: Re: [coreboot] When does AMD release the fam15 spectre
microcode updates?
Message-ID: <e4ebdd27-1446-43eb-e902-aa1ddee54...@assembler.cz>
Content-Type: text/plain; charset=iso-8859-2

Hi,

What do you want to protect? If you want to protect the kernel, retpolines are
OK on AMD.
And you don't need any microcode update. Your CPU needs to have SMEP, otherwise
you would need to clear RSB on CPL change (the paper on the mentioned page says
that you need to do that always, but at least on Ryzen, the attack using RSB is
not working (we tried that out, maybe it works only in some circumstances)).

If you want to protect userspace, the RSB will be cleared by IBPB (which you
would need if you don't have userspace compiled with retpolines). I don't know
if Intel clears RSB on IBPB... probably not.

To sum it up on AMD:

kernel:
retpolines, RSB clear on CPL change on CPU without SMEP (see above)

userspace:
retpolines, RSB clear on context switch necessary or IBPB (needs microcode
update).

Plus make sure you enable "LFENCE is dispatch serializing" - perhaps coreboot
can do that :) It is a simple MSR write on fam 10h, 12h+; fam 11h and 0fh
don't have this MSR, but LFENCE is dispatch serializing.

Besides that, you don't need any microcode update.

Plus of course there is Spectre variant 1, which is more difficult to
mitigate; basically you need to check all the software and look for any
pattern like array_x[array_z[untrusted_index] * any transformation].

The first access would leak just the address (ASLR defeated), the second will
leak data.
Variant 1 works on user/user attacks as well as user/kernel.

As far as I know there are no automated tools to check for this.


Thanks
Rudolf









On 18.2.2018 at 12:48, Mike Banon wrote:

Maybe it's a good idea to write to AMD support regarding this question
- please share a reply if you would get an an

Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-02-18 Thread Rudolf Marek
Hi,

What do you want to protect? If you want to protect the kernel, retpolines are
OK on AMD.
And you don't need any microcode update. Your CPU needs to have SMEP, otherwise
you would need to clear RSB on CPL change (the paper on the mentioned page says
that you need to do that always, but at least on Ryzen, the attack using RSB is
not working (we tried that out, maybe it works only in some circumstances)).

If you want to protect userspace, the RSB will be cleared by IBPB (which you
would need if you don't have userspace compiled with retpolines). I don't know
if Intel clears RSB on IBPB... probably not.

To sum it up on AMD:

kernel:
retpolines, RSB clear on CPL change on CPU without SMEP (see above)

userspace:
retpolines, RSB clear on context switch necessary or IBPB (needs microcode
update).

Plus make sure you enable "LFENCE is dispatch serializing" - perhaps coreboot
can do that :) It is a simple MSR write on fam 10h, 12h+; fam 11h and 0fh
don't have this MSR, but LFENCE is dispatch serializing.

Besides that, you don't need any microcode update.

Plus of course there is Spectre variant 1, which is more difficult to
mitigate; basically you need to check all the software and look for any
pattern like array_x[array_z[untrusted_index] * any transformation].

The first access would leak just the address (ASLR defeated), the second will
leak data.
Variant 1 works on user/user attacks as well as user/kernel.

As far as I know there are no automated tools to check for this.


Thanks
Rudolf









On 18.2.2018 at 12:48, Mike Banon wrote:
> Maybe it's a good idea to write to AMD support regarding this question
> - please share a reply if you would get an answer. I'm curious about
> other fam15 CPUs as well, e.g. A10-5750M microcode update would be
> nice, maybe a request could be more general, e.g.: what is the
> estimated release date for the microcode updates for fam15 AMD CPUs
> (so a request is not about "opterons only")
> 
> On Sun, Feb 18, 2018 at 2:47 PM, Mike Banon  wrote:
>> Maybe it's a good idea to write to AMD support regarding this question
>> - please share a reply if you would get an answer. I'm curious about
>> other fam15 CPUs as well, e.g. A10-5750M microcode update would be
>> nice, maybe a request could be more general, e.g.: what is the
>> estimated release date for the microcode updates for fam15 AMD CPUs
>> (so a request is not about "opterons only")
>>
>> On Sun, Feb 18, 2018 at 4:30 AM, taii...@gmx.com  wrote:
>>> They said they would be releasing opteron microcode updates in a few weeks
>>> but it has been over a month and I am wondering when this is going to happen
>>> or if it already has and I should re-compile coreboot?
>>>
>>> https://www.amd.com/en/corporate/speculative-execution
>>> "We expect to make updates available for our previous generation products
>>> over the coming weeks."
>>>
>>> Thanks!
>>>
>>>
>>> --
>>> coreboot mailing list: coreboot@coreboot.org
>>> https://mail.coreboot.org/mailman/listinfo/coreboot
> 



Re: [coreboot] When does AMD release the fam15 spectre microcode updates?

2018-02-18 Thread Mike Banon
Maybe it's a good idea to write to AMD support regarding this question
- please share a reply if you would get an answer. I'm curious about
other fam15 CPUs as well, e.g. A10-5750M microcode update would be
nice, maybe a request could be more general, e.g.: what is the
estimated release date for the microcode updates for fam15 AMD CPUs
(so a request is not about "opterons only")

On Sun, Feb 18, 2018 at 2:47 PM, Mike Banon  wrote:
> Maybe it's a good idea to write to AMD support regarding this question
> - please share a reply if you would get an answer. I'm curious about
> other fam15 CPUs as well, e.g. A10-5750M microcode update would be
> nice, maybe a request could be more general, e.g.: what is the
> estimated release date for the microcode updates for fam15 AMD CPUs
> (so a request is not about "opterons only")
>
> On Sun, Feb 18, 2018 at 4:30 AM, taii...@gmx.com  wrote:
>> They said they would be releasing opteron microcode updates in a few weeks
>> but it has been over a month and I am wondering when this is going to happen
>> or if it already has and I should re-compile coreboot?
>>
>> https://www.amd.com/en/corporate/speculative-execution
>> "We expect to make updates available for our previous generation products
>> over the coming weeks."
>>
>> Thanks!
>>
>>
>> --
>> coreboot mailing list: coreboot@coreboot.org
>> https://mail.coreboot.org/mailman/listinfo/coreboot



[coreboot] When does AMD release the fam15 spectre microcode updates?

2018-02-17 Thread taii...@gmx.com
They said they would be releasing opteron microcode updates in a few 
weeks but it has been over a month and I am wondering when this is going 
to happen or if it already has and I should re-compile coreboot?


https://www.amd.com/en/corporate/speculative-execution
"We expect to make updates available for our previous generation 
products over the coming weeks."


Thanks!

