Public bug reported:

[Impact]

 * An explanation of the effects of the bug on users and

 * justification for backporting the fix to the stable release.

 * In addition, it is helpful, but not required, to include an
   explanation of how the upload fixes this bug.

 * Normally Intel microcode is applied "early" for an uncompressed
prepended initramfs archive. However, on systems booting without an
initrd, or a misbuilt one, microcode might not get applied. In that
case, we need to attempt loading microcode late, which may give users
security protection against CPU vulnerabilities which they might
otherwise be lacking. In an ideal world, everyone would apply their
BIOS/OEM updates with microcode updates in a timely fashion and then we
wouldn't need to update CPU microcode from userspace at all.

[Test Case]

 * Install updated package
 * Reboot
 * Observe early application of microcode

$ journalctl -b | grep microcode
Feb 12 12:02:48 ottawa kernel: microcode: microcode updated early to revision 0xd6, date = 2019-10-03

 * Remove /usr/share/initramfs-tools/hooks/intel_microcode to prevent correct
   generation of early microcode updates
 * Rebuild initrd with update-initramfs -u
 * Reboot
 * Observe in dmesg that late loading of microcode is performed

$ journalctl -b | grep microcode
Feb 12 12:32:54 ottawa kernel: TAA: Vulnerable: Clear CPU buffers attempted, no microcode
Feb 12 12:32:54 ottawa kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
Feb 12 12:32:54 ottawa kernel: microcode: sig=0x506e3, pf=0x20, revision=0xc6
Feb 12 12:32:54 ottawa kernel: microcode: Microcode Update Driver: v2.2.
Feb 12 12:32:57 ottawa kernel: microcode: updated to revision 0xd6, date = 2019-10-03
Feb 12 12:32:57 ottawa kernel: x86/CPU: CPU features have changed after loading microcode, but might not take effect.
Feb 12 12:32:57 ottawa kernel: microcode: Reload completed, microcode revision: 0xd6

(Note the lack of "early" in above messages)

[Regression Potential]

 * Application of microcode is a risky operation, especially if the
cores are busy. Hence we prefer BIOS updates & early microcode updates,
and those will remain in place. The late loading of microcode is really
here for the cases where the previous two update strategies have failed.
For example, from time to time, certain microcode updates are pulled or
get blacklisted from late loading.

[Other Info]
 
 * The majority of our users on bare-metal machines boot correctly with
early microcode updates.
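
The check that the [Test Case] steps perform by eye can be scripted. The following is an added example, not part of the original report or of the intel-microcode package; the function names are hypothetical, and the sample input is the report's own journal excerpts with the line wraps removed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from intel-microcode.
# Reads kernel log lines on stdin, e.g.: journalctl -k -b | microcode_load_mode

# Prints early, late or none depending on which loader messages appear.
microcode_load_mode() {
    awk '
        /microcode: microcode updated early to revision/ { early = 1 }
        /microcode: updated to revision/ { late = 1 }
        /microcode: Reload completed/ { late = 1 }
        END {
            if (early) print "early"
            else if (late) print "late"
            else print "none"
        }'
}

# Lists mitigations the kernel reported as lacking microcode (e.g. "MDS TAA").
mitigations_without_microcode() {
    sed -n 's/.*kernel: \([A-Za-z0-9_ ]*\): Vulnerable: .*no microcode.*/\1/p' |
        sort -u | paste -sd ' ' -
}

# Sample input: the journal excerpts quoted in the report, wraps removed.
sample_early_boot() {
cat <<'EOF'
Feb 12 12:02:48 ottawa kernel: microcode: microcode updated early to revision 0xd6, date = 2019-10-03
EOF
}

sample_late_boot() {
cat <<'EOF'
Feb 12 12:32:54 ottawa kernel: TAA: Vulnerable: Clear CPU buffers attempted, no microcode
Feb 12 12:32:54 ottawa kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
Feb 12 12:32:54 ottawa kernel: microcode: sig=0x506e3, pf=0x20, revision=0xc6
Feb 12 12:32:54 ottawa kernel: microcode: Microcode Update Driver: v2.2.
Feb 12 12:32:57 ottawa kernel: microcode: updated to revision 0xd6, date = 2019-10-03
Feb 12 12:32:57 ottawa kernel: microcode: Reload completed, microcode revision: 0xd6
EOF
}

printf 'early sample: %s\n' "$(sample_early_boot | microcode_load_mode)"
printf 'late sample:  %s (reported without microcode at boot: %s)\n' \
    "$(sample_late_boot | microcode_load_mode)" \
    "$(sample_late_boot | mitigations_without_microcode)"
```

A result of `late` together with a non-empty mitigation list marks a boot where the kernel evaluated those mitigations before the microcode was loaded, which is the situation the "CPU features have changed after loading microcode, but might not take effect" message in the report refers to.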

** Affects: intel-microcode (Ubuntu)
     Importance: Undecided
         Status: Fix Committed

** Affects: intel-microcode (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: intel-microcode (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: intel-microcode (Ubuntu Eoan)
     Importance: Undecided
         Status: New

** Affects: intel-microcode (Ubuntu Focal)
     Importance: Undecided
         Status: Fix Committed

** Also affects: intel-microcode (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: intel-microcode (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: intel-microcode (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: intel-microcode (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Changed in: intel-microcode (Ubuntu Focal)
       Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1862938

Title:
  Enable late loading of microcode by default

Status in intel-microcode package in Ubuntu:
  Fix Committed
Status in intel-microcode source package in Xenial:
  New
Status in intel-microcode source package in Bionic:
  New
Status in intel-microcode source package in Eoan:
  New
Status in intel-microcode source package in Focal:
  Fix Committed
