Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-27 Thread Henrique de Moraes Holschuh
On Mon, 27 Aug 2018, Darius Spitznagel wrote:
> today I've installed intel-microcode (3.20180807a.1~bpo9+1) from 
> stretch-backports to realize that firmware file "06-2c-02" is missing.

Refer to bug #907402
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907402

-- 
  Henrique Holschuh



Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-27 Thread Darius Spitznagel
Hello maintainers,

today I've installed intel-microcode (3.20180807a.1~bpo9+1) from 
stretch-backports to realize that firmware file "06-2c-02" is missing.

snippet from dmesg:

[  290.754628] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.754701] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.754758] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.754812] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.754866] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.754919] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.754973] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755026] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755079] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755132] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755186] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755239] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755292] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755345] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755399] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755452] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755506] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.79] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755612] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755665] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755718] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755772] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755825] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)
[  290.755878] platform microcode: firmware: failed to load intel-ucode/06-2c-02 (-2)

After downloading firmware from Intel 
(https://downloadmirror.intel.com/28087/eng/microcode-20180807a.tgz), unpacking 
and copying file "06-2c-02" to /lib/firmware/intel-ucode and executing 
"echo 1 > /sys/devices/system/cpu/microcode/reload" everything is fine.

snippet from dmesg:

[  662.432843] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.433568] microcode: updated to revision 0x1f, date = 2018-05-08
[  662.433702] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.434464] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.435062] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.435755] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.436408] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.437094] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.437767] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.438456] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.439115] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.439803] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.440465] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.441175] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.441802] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.442480] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.443098] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.443782] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.50] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.445149] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.445758] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.446698] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.447403] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.448272] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02
[  662.448936] platform microcode: firmware: direct-loading firmware intel-ucode/06-2c-02

System is an Intel Westmere E5645.
Please add this firmware file as soon as possible.

Kind regards
Darius
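
The file name in the dmesg output above encodes the CPU's family, model and stepping as two hex digits each. As an added example (not part of the original message), this script derives that name from /proc/cpuinfo-style text, checks whether a firmware directory provides it, and lists the files a kernel log reports as failed; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: map cpuinfo fields to the intel-ucode file name and
# check a firmware directory for it.

# Constructed sample for a family 6, model 44, stepping 2 CPU.
SAMPLE_CPUINFO='processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 44
model name  : Intel(R) Xeon(R) CPU E5645 @ 2.40GHz
stepping    : 2
microcode   : 0x1f'

# ucode_name <cpuinfo-file>: print e.g. "06-2c-02" for the first CPU listed.
ucode_name() {
    awk -F': *' '
        { key = $1; sub(/[ \t]+$/, "", key) }   # strip padding before the colon
        key == "cpu family" { fam = $2 }
        key == "model"      { mod = $2 }
        key == "stepping"   { step = $2; exit } # first CPU is enough
        END {
            if (fam == "" || mod == "" || step == "") exit 1
            printf "%02x-%02x-%02x\n", fam, mod, step
        }
    ' "$1"
}

# ucode_status <cpuinfo-file> <firmware-dir>: say whether the file is there.
ucode_status() {
    name=$(ucode_name "$1") || { echo "unknown"; return 2; }
    if [ -f "$2/$name" ]; then
        echo "present $name"
    else
        echo "missing $name"    # the kernel logs this as "failed to load ... (-2)"
        return 1
    fi
}

# failed_ucode_files <kernel-log>: unique firmware names the kernel could not load.
failed_ucode_files() {
    sed -n 's/.*failed to load \(intel-ucode\/[0-9a-f-]*\).*/\1/p' "$1" | sort -u
}

# Stand-alone use on a live system (directory as named in the message above).
if [ "${1:-}" = "--live" ]; then
    ucode_status /proc/cpuinfo /lib/firmware/intel-ucode
fi
```
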




Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-24 Thread Mathias Krause
On Thu, 23 Aug 2018 16:31:37 -0300 Henrique de Moraes Holschuh wrote:
> Yes, it is much better to wait for a new download to be made available,
> with the mcu-path-license-2018 version of the distribution license
> inside.
> 
> The text of this license is the same (or very close to) the older
> license that Intel used in the .dat format for a *long* time.  It is
> non-free, of course, but it is both distributable and usable, as far as
> I know (IANAL).
> 
> Now, we wait.  Feel free to send email to this bug report if you notice
> the mcu-path-license-2018 release is already available.  There is no
> need to open a new bug report about it ;-)

The new version is available for download here:

https://downloadcenter.intel.com/download/28087/Linux-Processor-Microcode-Data-File

Strangely enough, it's flagged as an "older" release on the website. But
it contains, in fact, the new license.


Cheers,
Mathias



Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-23 Thread Henrique de Moraes Holschuh
On Thu, 23 Aug 2018, Markus Schade wrote:
> apparently Intel has changed its mind and is reverting to the old license:
> 
> https://01.org/mcu-path-license-2018
> https://wccftech.com/intel-microcode-update-gag-order-benchmarks/
> 
> But I guess we have to wait for the actual MCU download to
> incorporate this change. What do you think, Henrique?

Yes, it is much better to wait for a new download to be made available,
with the mcu-path-license-2018 version of the distribution license
inside.

The text of this license is the same (or very close to) the older
license that Intel used in the .dat format for a *long* time.  It is
non-free, of course, but it is both distributable and usable, as far as
I know (IANAL).

Now, we wait.  Feel free to send email to this bug report if you notice
the mcu-path-license-2018 release is already available.  There is no
need to open a new bug report about it ;-)

-- 
  Henrique Holschuh



Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-23 Thread Markus Schade
Hi everyone,

apparently Intel has changed its mind and is reverting to the old license:

https://01.org/mcu-path-license-2018
https://wccftech.com/intel-microcode-update-gag-order-benchmarks/

But I guess we have to wait for the actual MCU download to
incorporate this change. What do you think, Henrique?



Best regards,
Markus



Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-23 Thread Santiago R.R.
Hi,

I cannot talk for the maintainer either, but AFAIU the new license
doesn't make it possible for Debian to distribute the binaries.
Gentoo has concluded that also, and that the files cannot be mirrored. 

On 19/08/18 at 09:36, Markus Schade wrote:
…
> could you please clarify what concerns Debian has with the license?

AFAICS, there are different points that Debian would be concerned about.
Starting with:

DO NOT DOWNLOAD, INSTALL, ACCESS, COPY, OR USE ANY PORTION OF THE SOFTWARE 
UNTIL YOU HAVE READ AND ACCEPTED THE TERMS AND CONDITIONS OF THIS AGREEMENT.

(I didn't have to read the agreement to download, install…)

And then:

2. LIMITED LICENSE. Conditioned on Your compliance with the terms and 
conditions of this Agreement, Intel grants to You … to (iii) distribute an 
object code representation of the Software, provided by Intel, through multiple 
levels of distribution, solely as embedded in or for execution on an 
Intel-based product and subject to these license terms, and if to an end user, 
pursuant to a license agreement with terms and conditions at least as 
restrictive as those contained in the Intel End User Software License Agreement 
in Appendix A hereto.


Distribution to derivatives is problematic:

3. LICENSE RESTRICTIONS. …
Unless expressly permitted under the 
Agreement, You will not, and will not allow any third party to (i) use, copy, 
distribute, sell or offer to sell the Software or associated documentation;
… (iii) use or make the Software 
available for the use or benefit of third parties;

And then, there are some restrictions, for which I am not sure we
(Debian) would be concerned, such as 13. "export, directly or
indirectly", to some countries, or 14. "You will not provide the
Software to the U.S. Government."


Maybe it would be needed to change the package to provide a download
helper from the intel servers? The user should have to be asked to
accept or not the license and its appendix A.

Cheers,

 -- S




Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-22 Thread Matthew Crews
I can't speak for the maintainer, or the ability to redistribute, but clause 3 
(v) of the license is pretty troublesome.

To quote:

3. LICENSE RESTRICTIONS. All right, title and interest in and to the Software 
and associated documentation are and will remain the exclusive property of 
Intel and its licensors or suppliers. Unless expressly permitted under the 
Agreement, You will not, and will not allow any third party to

**Snip**

(v) publish or provide any Software benchmark or comparison test results.

**Snip**

This is basically telling end users that they can't use the software in any way 
they see fit, nor publish the results as they see fit. This package might 
already be in non-free, but this seems a bit much.

Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-20 Thread Matthew Thode
Gentoo is now looking into this as well.

We can restrict mirroring and ensure users accept the licence before
installing so that's likely the way we'll go.

https://bugs.gentoo.org/664134

-- 
Matthew Thode (prometheanfire)




Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-19 Thread Markus Schade
Henrique,

could you please clarify what concerns Debian has with the license?

Other distros seem to have no problems. I see updated packages from
Fedora, OpenSUSE, Gentoo and Archlinux.

Best regards,
Markus



Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-18 Thread Henrique de Moraes Holschuh
On Sat, 18 Aug 2018, Ivan Baldo wrote:
>     Do you have confirmation that they will change the license?

No.  And apparently both SuSE and RedHat decided they are OK with the
new license or something (since they have updates in the works or
already available), so I will just ask them if they can share their
analysis.

>     Should we contact (pester) them or do you think this is no longer
> necessary now?

Please don't.  It is unlikely to help.

-- 
  Henrique Holschuh



Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-18 Thread Markus Schade
Hi,

On 18.08.2018 at 13:39, Moritz Mühlenhoff wrote:
> Do we have also indication whether the 20180703 release also fixed the
> SGX angle?

Not sure if you are asking Henrique or me, but yes, the microcode does
include the mitigation for SGX aka Foreshadow.

It is also explicitly stated by Intel in [1]

"This method affects select microprocessor products supporting Intel®
Software Guard Extensions (Intel® SGX)" ...

"Microcode updates (MCUs) we released earlier this year are an important
component of the mitigation strategy for all three applications of L1TF"

Best regards,
Markus

[1]
https://newsroom.intel.com/editorials/protecting-our-customers-through-lifecycle-security-threats/



Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-18 Thread Ivan Baldo

    Hello.

    Do you have confirmation that they will change the license?

    Should we contact (pester) them or do you think this is no longer 
necessary now?


    Hey! Thanks a lot for the great work and service you are doing with 
these updates! Very appreciated!


    Have a great day.


--
Ivan Baldo - iba...@adinet.com.uy - http://ibaldo.codigolibre.net/
Freelance C++/PHP programmer and GNU/Linux systems administrator.
The sky is not the limit!



Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-18 Thread Moritz Mühlenhoff
Hi,

On Fri, Aug 17, 2018 at 08:22:47AM -0300, Henrique de Moraes Holschuh wrote:
> On Fri, 17 Aug 2018, Moritz Mühlenhoff wrote:
> > Have you been able to confirm (e.g. by testing) that 20180807 implements
> > changes necessary for L1TF (such as L1D_FLUSH) or is there some official
> > statement by Intel on this?
> 
> It does (privately tested on a few processor models).  Exposes L1D_FLUSH
> flags, and the MSRs.
> 
> The L1D flush fixes are present on release 20180703, btw.  As far as I
> can tell, 20180807 builds on 20180703 by adding more processors and
> fixing the single microcode update that regressed -- but not present in
> 20180703 anyway -- (sig 0x706a1).
> 
> This can be inferred from the microcode guidance tables Intel has
> published for SA-00115 and SA-00161.
> 
> As far as I can tell, Intel knew about L1TF early enough that they fixed
> the whole thing along with SSBD.  They just did not disclose anything
> about it outside of the embargo group, apparently.

Fantastic! I'll update the Debian Security Tracker later on. Those are
somewhat tricky to track since it obviously depends on the CPU in use,
but I'll clarify with some notes.

Do we have also indication whether the 20180703 release also fixed the
SGX angle?

Cheers,
Moritz



Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-17 Thread Henrique de Moraes Holschuh
On Fri, 17 Aug 2018, Moritz Mühlenhoff wrote:
> Have you been able to confirm (e.g. by testing) that 20180807 implements
> changes necessary for L1TF (such as L1D_FLUSH) or is there some official
> statement by Intel on this?

It does (privately tested on a few processor models).  Exposes L1D_FLUSH
flags, and the MSRs.

The L1D flush fixes are present on release 20180703, btw.  As far as I
can tell, 20180807 builds on 20180703 by adding more processors and
fixing the single microcode update that regressed -- but not present in
20180703 anyway -- (sig 0x706a1).

This can be inferred from the microcode guidance tables Intel has
published for SA-00115 and SA-00161.

As far as I can tell, Intel knew about L1TF early enough that they fixed
the whole thing along with SSBD.  They just did not disclose anything
about it outside of the embargo group, apparently.

-- 
  Henrique Holschuh



Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-17 Thread Markus Schade
On 17.08.2018 at 09:54, Moritz Mühlenhoff wrote:
> This microcode release happened a week before the disclosure of L1TF and with
> all previous CPU bugs, Intel initially only shipped updates to OEMs and only
> released general microcode updates weeks/months later.
> 
> Have you been able to confirm (e.g. by testing) that 20180807 implements
> changes necessary for L1TF (such as L1D_FLUSH) or is there some official
> statement by Intel on this?

Actually Intel is a bit better prepared this time.
20170703 already contained l1d_flush (in addition to ssbd) for most
server CPUs. 20180807 just added more CPU models (mostly desktop products).

So yes, I have tested and can confirm this MCU will provide ssbd and
l1d_flush on kernels that have support for these features (e.g. latest
Ubuntu or vanilla)

Actual mitigation results may vary as outlined in [1].

Tested models include: Core i/Xeon E3 (SNB, IVB, SKL), Xeon E5 (SNB,
IVB, HSW, BDW), Xeon SP (SKL)

Best regards,
Markus



[1] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF
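
One way to run the check described in the message above on a given system, as an added example that is not part of the original message: the script inspects every logical CPU in /proc/cpuinfo-style text for the `ssbd` and `flush_l1d` flags (the names Linux prints in its flags line) and for a consistent microcode revision. The function names and the sample text, including revision 0x1d, are constructed.

```shell
#!/bin/sh
# Added example: per-CPU check for SSBD / L1D flush flags and microcode revision.

# Constructed sample: cpu0 runs updated microcode, cpu1 an older revision.
SAMPLE_CPUINFO='processor : 0
microcode : 0x1f
flags     : fpu vme ssbd ibrs flush_l1d
processor : 1
microcode : 0x1d
flags     : fpu vme ibrs'

# cpus_missing_flag <cpuinfo-file> <flag>: print the CPU numbers lacking the flag.
cpus_missing_flag() {
    awk -v want="$2" -F': *' '
        { key = $1; sub(/[ \t]+$/, "", key) }   # strip padding before the colon
        key == "processor" { cpu = $2 }
        key == "flags" {
            found = 0
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == want) found = 1
            if (!found) printf "%s ", cpu
        }
        END { print "" }
    ' "$1" | sed 's/ $//'
}

# ucode_revisions <cpuinfo-file>: print the distinct loaded revisions, sorted.
ucode_revisions() {
    awk -F': *' '
        { key = $1; sub(/[ \t]+$/, "", key) }
        key == "microcode" { print $2 }
    ' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# l1tf_report <cpuinfo-file>: summarise findings; non-zero exit if anything is off.
l1tf_report() {
    rc=0
    for flag in ssbd flush_l1d; do
        missing=$(cpus_missing_flag "$1" "$flag")
        [ -z "$missing" ] || { echo "$flag missing on cpu: $missing"; rc=1; }
    done
    revs=$(ucode_revisions "$1")
    # More than one revision means some CPUs did not receive the update.
    case "$revs" in *" "*) echo "mixed microcode revisions: $revs"; rc=1 ;; esac
    return $rc
}

# Stand-alone use on a live system; the sysfs file holds the kernel's own verdict.
if [ "${1:-}" = "--live" ]; then
    l1tf_report /proc/cpuinfo
    cat /sys/devices/system/cpu/vulnerabilities/l1tf 2>/dev/null
fi
```
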



Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-17 Thread Moritz Mühlenhoff
On Wed, Aug 15, 2018 at 09:08:15AM +0200, Markus Schade wrote:
> Package: intel-microcode
> Version: 3.20180425.1
> Severity: grave
> Tags: security
> 
> Dear Maintainer,
> 
> Intel has released a new microcode version which includes updates for
> further CPU models providing the necessary code for SSBD as well as the
> recently disclosed L1TF vulnerability
>
> https://downloadcenter.intel.com/download/28039/Linux-Processor-Microcode-Data-File

Hi Markus,
This microcode release happened a week before the disclosure of L1TF and with
all previous CPU bugs, Intel initially only shipped updates to OEMs and only
released general microcode updates weeks/months later.

Have you been able to confirm (e.g. by testing) that 20180807 implements changes
necessary for L1TF (such as L1D_FLUSH) or is there some official statement
by Intel on this?

Cheers,
Moritz



Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-15 Thread Henrique de Moraes Holschuh
On Wed, 15 Aug 2018, Markus Schade wrote:
> Intel has released a new microcode version which includes updates for
> further CPU models providing the necessary code for SSBD as well as the
> recently disclosed L1TF vulnerability
> 
> https://downloadcenter.intel.com/download/28039/Linux-Processor-Microcode-Data-File

Unfortunately, that release is undistributable (refer to the new
"license" file that was added by Intel to the microcode data file pack
version 20180807).

Packages have been ready since 2018-08-08, but could not be uploaded (or
even pushed to public git trees) for that reason.

Intel has been made aware of the issue and pestered by just about
everyone, and should get it straightened up soon.

-- 
  Henrique Holschuh



Bug#906158: intel-microcode: Update intel-microcode to 20180807

2018-08-15 Thread Markus Schade
Package: intel-microcode
Version: 3.20180425.1
Severity: grave
Tags: security

Dear Maintainer,

Intel has released a new microcode version which includes updates for
further CPU models providing the necessary code for SSBD as well as the
recently disclosed L1TF vulnerability

https://downloadcenter.intel.com/download/28039/Linux-Processor-Microcode-Data-File


Please consider packaging this version to enable mitigations.

Thanks!

Markus