intel{, amd64}-microcode packages and where is the microcode option (vide "Software & Updates - Additional Drivers" tab)?


daniel curtis
Hello.

I would like to ask a question about 'intel{,amd64}-microcode'
packages. During system and Linux v4.4.0-123-generic kernel updating
process via apt(8), on one of my testing computers running 16.04 LTS
Release, there was information that "The following NEW packages
will be installed" etc. (it was about both mentioned 'microcode'
packages). I did not have these packages installed, until then.

It's an Intel processor, but it seems that Intel Corporation will not
publish any microcode updates for some processors. Intel revealed (on
Apr. 3, 2018) a list of processors that won't receive "Meltdown &
Spectre" patches. It seems, that some of older processors won't
receive any microcode updates designed to mitigate mentioned
vulnerabilities. On the list we can find, for example: Bloomfield,
Bloomfield Xeon, Clarksfield, Gulftown, Gulftown, Harpertown Xeon C0
and E0 etc.

So, I would like to ask if it was normal, that apt(8) installed such
packages? And why both since it's an Intel processor (but with 64-bit
instruction support)? There is not and was not any information about
this, for example, on the Xenial-changes mailing list! I'm really
confused by this.

Anyway, can I remove both packages (since there is no changes related
to the microcode and "Spectre & Meltdown" mitigations on this testing
computer; just 'revision' change in '/proc/cpuinfo' virtual file
or/and dmesg(1) etc.)?

On Tue., May 8. there was a security update for 'intel-microcode'
package (see 1). But what about 'amd64-microcode'? The last time,
apt(8) installed both packages: 'intel{,amd64}-microcode'. Maybe it
was a bug?

By the way: a couple of weeks ago, about a month ago, I noticed, that
there is no microcode option in the "Additional Drivers" tab
(available, for example, in Xfce4 "Settings" menu etc.) There is just
one option to choose: NVIDIA driver or an Open Source version -
'nouveau'. There always was an option to choose/enable device -
microcode (an example of how it looked; see 2.) Now, there is no
'microcode' option, even with 'intel{,amd64}-microcode' packages
installed.

Can one of you check this on your own computer? (For now, I
have access to my testing computer only). Maybe it's a bug and
a bug report should be created on Launchpad?

Thanks, best regards.
_____________________
1. https://lists.ubuntu.com/archives/xenial-changes/2018-May/020972.html
2. https://i.stack.imgur.com/8WAEw.png

--
ubuntu-hardened mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

Re: intel{, amd64}-microcode packages and where is the microcode option (vide "Software & Updates - Additional Drivers" tab)?

Seth Arnold
On Wed, May 09, 2018 at 06:13:49PM +0000, daniel curtis wrote:
> So, I would like to ask if it was normal, that apt(8) installed such
> packages? And why both since it's an Intel processor (but with 64-bit

Hello Daniel,

We're going to modify the kernel packages to require the cpu microcode
packages to be installed. APT cannot decide whether or not to install
the microcode packages based on the CPU in use. Everyone will have the
packages installed, regardless if Intel has provided any useful fixes
for any specific CPU.

I strongly recommend leaving this alone and just install the updates as
we pass them along from Intel. You do not gain anything from trying to
second-guess Intel's fixes, if any.

Thanks


Re: intel{, amd64}-microcode packages and where is the microcode option (vide "Software & Updates - Additional Drivers" tab)?

daniel curtis
Hello Seth,

Thank You for an answer. It seems, that my testing computer processor
is on the list revealed by Intel Corp. I mean a list of processors
that won't receive "Meltdown & Spectre" patches etc. (see my first
message). On Tue. May 8., 'intel-microcode' package has been updated
to v3.20180425.1~ubuntu0.16.04.1 version. However, after system reboot
nothing has changed - no IBRS/IBPB/STIBP microcode support.

The one thing that changed is a 'revision' number. Without
'intel-microcode' package it was e.g. "revision=0xa01", after
mentioned auto-install of 'intel{,amd64}-microcode' packages, via
apt(8), "revision" number has changed to: "0xa02". And now, after
update from Tue. May 8. it's "revision=0xa01" again! Strange. It looks
like the new 'intel-microcode' package version is bringing back the
default "revision" value!

Well, if Intel will not provide any microcode updates for this
particular processor type, designed to mitigate mentioned
vulnerabilities, I think 'intel-microcode' package can/should be
removed... I don't know what to do. Really.

Seth, and what about 'microcode' options in "Software & Updates -
Additional Drivers" tab? Can You check if it's available in your
system? (It can be checked, for example, by running 'update-manager'
command, next "Settings" and "Additional drivers" tab.)

Thanks, best regards.

2018-05-09 22:48 GMT, Seth Arnold <[hidden email]>:

> On Wed, May 09, 2018 at 06:13:49PM +0000, daniel curtis wrote:
>> So, I would like to ask if it was normal, that apt(8) installed such
>> packages? And why both since it's an Intel processor (but with 64-bit
>
> Hello Daniel,
>
> We're going to modify the kernel packages to require the cpu microcode
> packages to be installed. APT cannot decide whether or not to install
> the microcode packages based on the CPU in use. Everyone will have the
> packages installed, regardless if Intel has provided any useful fixes
> for any specific CPU.
>
> I strongly recommend leaving this alone and just install the updates as
> we pass them along from Intel. You do not gain anything from trying to
> second-guess Intel's fixes, if any.
>
> Thanks
>

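One way to run the check discussed in this thread (microcode revision per CPU, and whether IBRS/IBPB/STIBP support is exposed), as an added example that is not part of the original messages. It assumes the running kernel labels the features ibrs, ibpb and stibp in the flags line of /proc/cpuinfo; the sample data and the helper write_sample are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise microcode revision and speculation-control
# flags from a file in /proc/cpuinfo format.

# Print the distinct microcode revisions, one per line. More than one
# line means the logical CPUs are not all running the same revision.
microcode_revisions() {
    awk -F': *' '/^microcode[ \t]*:/ { print $2 }' "$1" | sort -u
}

# Succeed only if the flag ($2) is listed as a whole word in the
# "flags" line of every logical CPU in the file ($1).
has_flag() {
    awk -v want="$2" '
        /^flags[ \t]*:/ {
            cpus++
            sub(/^[^:]*:/, "")
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == want) { hits++; break }
        }
        END { exit !(cpus > 0 && hits == cpus) }' "$1"
}

# Report for a cpuinfo-format file (default: the live system).
# Flag names are an assumption about how the kernel labels them.
spec_ctrl_report() {
    file="${1:-/proc/cpuinfo}"
    echo "microcode: $(microcode_revisions "$file" | tr '\n' ' ')"
    for flag in ibrs ibpb stibp; do
        if has_flag "$file" "$flag"; then
            echo "$flag: present"
        else
            echo "$flag: missing"
        fi
    done
}

# Constructed sample: two logical CPUs at revision 0xa01, with optional
# extra flags ($2) appended to a shortened flags line.
write_sample() {
    for cpu in 0 1; do
        printf 'processor\t: %s\nmicrocode\t: 0xa01\nflags\t\t: fpu vme sse2 %s\n\n' \
            "$cpu" "${2:-}"
    done > "$1"
}

# Demo on the constructed sample (no speculation-control flags).
sample=$(mktemp); write_sample "$sample" ""
spec_ctrl_report "$sample"; rm -f "$sample"
```

Call spec_ctrl_report with no argument to read the live /proc/cpuinfo; running it before and after a package update and reboot shows whether the revision or the exposed flags actually changed.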