[elrepo] Recommended minimum fixes in both the kernel and Intel microcode for Meltdown and Spectre
Phil Perry
phil at elrepo.org
Sat Jan 6 08:49:04 EST 2018
On 06/01/18 01:50, David Ranch wrote:
> Hello Everyone,
>
> I have two questions about the recent CPU bugs that were announced this
> week:
>
> - Which Linux kernel versions included the kernel side fixes that
> help mitigate these issues? I'm specifically looking at the LT series
> for Centos 6
>
From this bug:
https://elrepo.org/bugs/view.php?id=810
It looks like it was fixed in 4.4.110
http://lists.elrepo.org/pipermail/elrepo/2018-January/004022.html
but I will defer to Alan's expertise to comment more on the matter if
required.
Generally though, users should run the latest release, built from the
latest upstream kernel sources to ensure they have all the latest patches.
Alan builds the kernel-lt and kernel-ml packages from the latest
upstream kernel source releases unmodified and "as-is", so if the issue
is fixed upstream on kernel.org, Alan's corresponding kernel-lt|ml
package will also contain the fix.
> - To get some of the Intel microcode fixes, should I be expecting
> that the Centos 6 "microcode_ctl-1.17-25.2.el6_9.x86_64" package I
> received today will be applicable on *any* ElRepo kernel I choose to run?
>
Yes. As I understand it, this package applies microcode patches to the CPU
regardless of the running kernel. I would also check with hardware
vendors for any BIOS updates that also address the issue.
> - I have systems which still need Centos5 that I want to secure but
> that's obviously EOL. I'd like to understand what the ElRepo group
> recommends to run as a vanilla kernel that has these needed CPU fixes as
> well as any recommendations on how to get an updated CPU microcode
> package for it.
>
As you are aware, EL5 is EOL, so if it is still running it should not be
internet-facing, as there will be many other security risks besides Meltdown
and Spectre. But to address these issues specifically, one should run the
latest release of a supported kernel branch, check for any vendor BIOS
updates and apply the latest microcode updates. For the latter, you
could either look to build an updated package containing the latest
upstream microcode from Intel, or you can download the microcode files
from Intel, unpack the intel-ucode folder into
/usr/lib/firmware/intel-ucode/ overwriting the files provided by the
microcode_ctl package, and manually force an update without rebooting by
doing:
echo 1 > /sys/devices/system/cpu/microcode/reload
dmesg should then show something similar to below indicating the
microcode has been updated:
[693680.818073] microcode: CPU0 sig=0x506e3, pf=0x2, revision=0xa0
[693680.818944] microcode: CPU0 updated to revision 0xba, date = 2017-04-09
[693680.818993] microcode: CPU1 sig=0x506e3, pf=0x2, revision=0xa0
[693680.819861] microcode: CPU1 updated to revision 0xba, date = 2017-04-09
[693680.819946] microcode: CPU2 sig=0x506e3, pf=0x2, revision=0xa0
[693680.820788] microcode: CPU2 updated to revision 0xba, date = 2017-04-09
[693680.820834] microcode: CPU3 sig=0x506e3, pf=0x2, revision=0xa0
[693680.821622] microcode: CPU3 updated to revision 0xba, date = 2017-04-09
Note: the above works on RHEL7 but I have not tested it on earlier
versions of RHEL. Directory paths may be different on RHEL5.
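As an added example (not from the post or from the ELRepo project), the dmesg check described above done mechanically: a POSIX shell script that parses "microcode:" lines in the format shown and flags any CPU whose update was not confirmed. The sample lines are constructed to mirror the posted output, with CPU3 deliberately left without an "updated to" line.

```sh
#!/bin/sh
# Constructed sample in the dmesg format quoted in the post (not real
# output of any host); CPU3 has no "updated to" line on purpose.
SAMPLE_DMESG='[693680.818073] microcode: CPU0 sig=0x506e3, pf=0x2, revision=0xa0
[693680.818944] microcode: CPU0 updated to revision 0xba, date = 2017-04-09
[693680.818993] microcode: CPU1 sig=0x506e3, pf=0x2, revision=0xa0
[693680.819861] microcode: CPU1 updated to revision 0xba, date = 2017-04-09
[693680.819946] microcode: CPU2 sig=0x506e3, pf=0x2, revision=0xa0
[693680.820788] microcode: CPU2 updated to revision 0xba, date = 2017-04-09
[693680.820834] microcode: CPU3 sig=0x506e3, pf=0x2, revision=0xa0'

# microcode_report: reads dmesg-style text on stdin and prints one line
# per CPU in first-seen order:
#   CPU<n> <old revision> <new revision or -> <UPDATED|NOT-UPDATED>
# It only understands the "sig=... revision=..." / "updated to revision"
# line pair shown in the post; other kernels may log a different format.
microcode_report() {
    awk '
    /microcode: CPU[0-9]+ sig=/ {
        cpu = $3; sub(/^CPU/, "", cpu)
        rev = $NF; sub(/^revision=/, "", rev)          # e.g. 0xa0
        old[cpu] = rev
        if (!(cpu in seen)) { seen[cpu] = 1; order[++n] = cpu }
    }
    /microcode: CPU[0-9]+ updated to revision/ {
        cpu = $3; sub(/^CPU/, "", cpu)
        rev = $7; sub(/,$/, "", rev)                    # e.g. 0xba
        new[cpu] = rev
    }
    END {
        for (i = 1; i <= n; i++) {
            c = order[i]
            if (c in new) printf "CPU%s %s %s UPDATED\n", c, old[c], new[c]
            else          printf "CPU%s %s - NOT-UPDATED\n", c, old[c]
        }
    }'
}

# microcode_pending_count: number of CPUs whose update was not confirmed.
microcode_pending_count() {
    microcode_report | awk '/NOT-UPDATED/ { n++ } END { print n + 0 }'
}

# With no argument the constructed sample is parsed; "live" reads this
# host's dmesg instead (run after the echo 1 > .../microcode/reload step).
main() {
    if [ "${1:-}" = live ]; then dmesg | microcode_report
    else printf '%s\n' "$SAMPLE_DMESG" | microcode_report; fi
}
main "$@"
```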