[elrepo] kernel-ml microcode outdated (re: spectre and meltdown)
Phil Perry
phil at elrepo.org
Mon Jan 8 02:24:34 EST 2018
On 07/01/18 23:57, Sam McLeod wrote:
>
>> On 8 Jan 2018, at 10:48 am, Sam McLeod <mailinglists at smcleod.net> wrote:
>>
>>> My hint is that you execute the following command and see from whence
>>> you have obtained the microcode_ctl package --
>>>
>>> rpm -q --qf "%{V}-%{R}-%{ARCH}\t%{VENDOR}\n" microcode_ctl
>>>
>>> Alan.
>>
>> Thanks Alan,
>> Indeed microcode_ctl comes from CentOS, not elrepo, but I thought that was simply the tool to deploy the microcode?
>>
>> from yum info microcode_ctl:
>>
> ...
>
> Answered my own question:
>
> rpm -q --changelog microcode_ctl|head
> * Fri Dec 15 2017 Petr Oros <poros at redhat.com> - 2.1-22.2
> - Update Intel CPU microde for 06-3f-02, 06-4f-01, and 06-55-04
> - Resolves: #1527358
>
> So indeed the microcode_ctl package does contain the patches themselves...
Hi Sam,
You are correct.
As you have concluded above, I too have firmware that hasn't been
updated in the latest release (Intel i3-6100):
# dmesg|grep -i microcode
[ 0.000000] microcode: microcode updated early to revision 0xba, date
= 2017-04-09
[ 0.695625] microcode: CPU0 sig=0x506e3, pf=0x2, revision=0xba
[ 0.695635] microcode: CPU1 sig=0x506e3, pf=0x2, revision=0xba
[ 0.695638] microcode: CPU2 sig=0x506e3, pf=0x2, revision=0xba
[ 0.695650] microcode: CPU3 sig=0x506e3, pf=0x2, revision=0xba
[ 0.695682] microcode: Microcode Update Driver: v2.01
<tigran at aivazian.fsnet.co.uk>, Peter Oruba
Further, I examined the latest microcode tarball from Intel, and found
only 8 microcode firmwares have been updated (from the changelog above,
looks like RH only updated 3??) since the last release around 6 months ago.
I was unable to find any documentation from Intel to indicate which CPUs
the affected blobs relate to, nor what has supposedly been fixed. I note
the changelog entry in the updated RH/CentOS package above doesn't
mention a CVE reference and the bug entry number is private and
inaccessible so we have no way of knowing what was fixed.
Please also check with your system manufacturer for the availability of
a BIOS update.
After diligently applying all available updates, Intel's INTEL-SA-00086
vulnerability tool still declares my system as vulnerable.
Good luck!
Phil
More information about the elrepo
mailing list