
[LEDE-DEV,0/5] x86: add support for microcode update

Message ID 1516218066-1622-1-git-send-email-wigyori@uid0.hu

Message

Zoltan HERPAI Jan. 17, 2018, 7:41 p.m. UTC
Hi,

This series will add support for microcode update on x86 targets,
in light of the recent security issues.

While other distributions use an early initramfs approach to update 
the microcode as early as possible, in OpenWrt the earliest place
where we can do this is preinit.

The Intel microcode package is using the source package by Debian,
the AMD microcode package is downloaded from the linux-firmware 
git repository.

This was tested on various Intel-based desktops with ancient BIOSes.

Once the series is merged into trunk, this could/should be backported
into 17.01 and 15.05 without too much hassle.

Thanks,
Zoltan H


Zoltan HERPAI (5):
  x86: enable microcode loading for Intel and AMD
  firmware: add microcode package for AMD64
  tools: add iucode-tool
  firmware: add microcode package for Intel
  packages: intel-microcode: update to 20180108

 package/firmware/intel-microcode/Makefile          | 51 ++++++++++++++++++++++
 .../intel-microcode/files/intel-microcode.preinit  |  8 ++++
 package/firmware/linux-firmware/x86.mk             |  9 ++++
 package/system/iucode-tool/Makefile                | 47 ++++++++++++++++++++
 target/linux/x86/config-4.14                       |  5 ++-
 target/linux/x86/config-4.9                        |  5 ++-
 6 files changed, 123 insertions(+), 2 deletions(-)
 create mode 100644 package/firmware/intel-microcode/Makefile
 create mode 100644 package/firmware/intel-microcode/files/intel-microcode.preinit
 create mode 100644 package/firmware/linux-firmware/x86.mk
 create mode 100644 package/system/iucode-tool/Makefile

Comments

Florian Fainelli Jan. 18, 2018, 5:26 a.m. UTC | #1
On January 17, 2018 11:41:01 AM PST, Zoltan HERPAI <wigyori@uid0.hu> wrote:
>Hi,
>
>This series will add support for microcode update on x86 targets,
>in light of the recent security issues.
>
>While other distributions use an early initramfs approach to update 
>the microcode as early as possible, in OpenWrt the earliest place
>where we can do this is preinit.
>
>The Intel microcode package is using the source package by Debian,
>the AMD microcode package is downloaded from the linux-firmware 
>git repository.
>
>This was tested on various Intel-based desktops with ancient BIOSes.
>
>Once the series is merged into trunk, this could/should be backported
>into 17.01 and 15.05 without too much hassle.

FWIW:

Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
John Crispin Jan. 18, 2018, 12:33 p.m. UTC | #2
On 17/01/18 20:41, Zoltan HERPAI wrote:
> Hi,
>
> This series will add support for microcode update on x86 targets,
> in light of the recent security issues.
>
> While other distributions use an early initramfs approach to update
> the microcode as early as possible, in OpenWrt the earliest place
> where we can do this is preinit.

Due to the importance of this I would propose that we add a dedicated 
step inside procd that runs right before preinit.

     John

>
> The Intel microcode package is using the source package by Debian,
> the AMD microcode package is downloaded from the linux-firmware
> git repository.
>
> This was tested on various Intel-based desktops with ancient BIOSes.
>
> Once the series is merged into trunk, this could/should be backported
> into 17.01 and 15.05 without too much hassle.
>
> Thanks,
> Zoltan H
>
>
> Zoltan HERPAI (5):
>    x86: enable microcode loading for Intel and AMD
>    firmware: add microcode package for AMD64
>    tools: add iucode-tool
>    firmware: add microcode package for Intel
>    packages: intel-microcode: update to 20180108
>
>   package/firmware/intel-microcode/Makefile          | 51 ++++++++++++++++++++++
>   .../intel-microcode/files/intel-microcode.preinit  |  8 ++++
>   package/firmware/linux-firmware/x86.mk             |  9 ++++
>   package/system/iucode-tool/Makefile                | 47 ++++++++++++++++++++
>   target/linux/x86/config-4.14                       |  5 ++-
>   target/linux/x86/config-4.9                        |  5 ++-
>   6 files changed, 123 insertions(+), 2 deletions(-)
>   create mode 100644 package/firmware/intel-microcode/Makefile
>   create mode 100644 package/firmware/intel-microcode/files/intel-microcode.preinit
>   create mode 100644 package/firmware/linux-firmware/x86.mk
>   create mode 100644 package/system/iucode-tool/Makefile
>
Nick Lowe Jan. 18, 2018, 12:51 p.m. UTC | #3
Does an update to the Kernel, 4.9.77 and 4.14.14 need to be made to
properly address this? There are fixes to mitigate Spectre.
Hauke Mehrtens Jan. 18, 2018, 9:15 p.m. UTC | #4
On 01/18/2018 01:51 PM, Nick Lowe wrote:
> Does an update to the Kernel, 4.9.77 and 4.14.14 need to be made to
> properly address this? There are fixes to mitigate Spectre.

We even need a patch for GCC which will be in GCC 8 and 7.3.
For master we should backport it to GCC 5.5, but what do we want to do
with 17.01 and 15.05 ?

The AMD microcode updater needs at least kernel 4.15, 4.14.13, 4.9.76,
4.4.111  which we already have.

Hauke
Zoltan HERPAI Jan. 18, 2018, 10:41 p.m. UTC | #5
On Thu, 18 Jan 2018, Hauke Mehrtens wrote:

> On 01/18/2018 01:51 PM, Nick Lowe wrote:
>> Does an update to the Kernel, 4.9.77 and 4.14.14 need to be made to
>> properly address this? There are fixes to mitigate Spectre.
>
> We even need a patch for GCC which will be in GCC 8 and 7.3.
> For master we should backport it to GCC 5.5, but what do we want to do
> with 17.01 and 15.05 ?

I'll speak only of CC - there is no microcode updater in it at all, so 
while 3.18 contains partial patches and GCC 4.8 is unlikely to get fixed, 
we should add this facility into it anyway.

> The AMD microcode updater needs at least kernel 4.15, 4.14.13, 4.9.76,
> 4.4.111  which we already have.

That's only for the fam17h (Zen) CPUs; earlier CPU types should work with 
earlier kernels, and this can likely be backported into 3.18. (I don't 
have a Zen-based box to test, hands up whoever has one.)

Regards,
-w-
Hauke Mehrtens Jan. 20, 2018, 10:58 a.m. UTC | #6
On 01/18/2018 11:41 PM, Zoltan HERPAI wrote:
> 
> 
> On Thu, 18 Jan 2018, Hauke Mehrtens wrote:
> 
>> On 01/18/2018 01:51 PM, Nick Lowe wrote:
>>> Does an update to the Kernel, 4.9.77 and 4.14.14 need to be made to
>>> properly address this? There are fixes to mitigate Spectre.
>>
>> We even need a patch for GCC which will be in GCC 8 and 7.3.
>> For master we should backport it to GCC 5.5, but what do we want to do
>> with 17.01 and 15.05 ?
> 
> I'll speak only of CC - there is no microcode updater in it at all, so
> while 3.18 contains partial patches and GCC 4.8 is unlikely to get
> fixed, we should add this facility into it anyway.

I am fine with your solution even when we do not fix all possible problems,
as it is hard to exploit anyway and most processes are running as root
anyway.

>> The AMD microcode updater needs at least kernel 4.15, 4.14.13, 4.9.76,
>> 4.4.111  which we already have.
> 
> That's only for the fam17h (Zen) CPUs; earlier CPU types should work
> with earlier kernels, and this can likely be backported into 3.18. (I
> don't have a Zen-based box to test, hands up whoever has one.)

Hauke
Zoltan HERPAI Jan. 21, 2018, 9:38 a.m. UTC | #7
John Crispin wrote:
>
>
> On 17/01/18 20:41, Zoltan HERPAI wrote:
>> Hi,
>>
>> This series will add support for microcode update on x86 targets,
>> in light of the recent security issues.
>>
>> While other distributions use an early initramfs approach to update
>> the microcode as early as possible, in OpenWrt the earliest place
>> where we can do this is preinit.
>
> Due to the importance of this I would propose that we add a dedicated 
> step inside procd that runs right before preinit.

Fine with me for trunk (and maybe 17.01) - can you add the sysfs poke 
then, please? For CC, which is currently at 2015-10-29, I think we can 
stay with running this from preinit.

Regards,
Zoltan H
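The "sysfs poke" Zoltan asks for is the kernel's late-loading interface: writing 1 to /sys/devices/system/cpu/microcode/reload makes the microcode driver look for a newer blob under /lib/firmware (intel-ucode/ or amd-ucode/) and apply it. The script below is an added example written for this page, not the intel-microcode.preinit file from the series (whose contents are not shown here). It wraps that write with a before/after check of the revision /proc/cpuinfo reports, so a reload that turned out to be a no-op is visible instead of silent. The CPUINFO and SYSFS_CPU overrides are my own addition so the functions can be exercised against constructed files without root; on a real system the defaults apply.

```shell
#!/bin/sh
# Added example, not the intel-microcode.preinit from this series: late
# microcode reload through the kernel's sysfs interface, with a before/after
# check of the revision reported in /proc/cpuinfo.
# CPUINFO and SYSFS_CPU are assumed overridable (defaults are the real paths)
# so the functions can be run against constructed files without root.

CPUINFO="${CPUINFO:-/proc/cpuinfo}"
SYSFS_CPU="${SYSFS_CPU:-/sys/devices/system/cpu}"

# Vendor string of the first CPU (GenuineIntel / AuthenticAMD).
cpu_vendor() {
    awk -F': *' '/^vendor_id/ { print $2; exit }' "$CPUINFO"
}

# Microcode revision of the first CPU as printed by the kernel
# ("microcode : 0x1e"), or "unknown" when the field is absent.
microcode_revision() {
    rev=$(awk -F': *' '/^microcode/ { print $2; exit }' "$CPUINFO")
    printf '%s\n' "${rev:-unknown}"
}

# Ask the kernel to (re)load microcode from /lib/firmware. The kernel only
# applies a blob whose revision is newer than what the CPU already runs.
# Returns 1 if the reload node is absent (no microcode driver in this
# kernel, or not yet loaded), 2 if the write fails (typically: not root).
microcode_reload() {
    node="$SYSFS_CPU/microcode/reload"
    [ -e "$node" ] || return 1
    { echo 1 > "$node"; } 2>/dev/null || return 2
}

# Reload and report "updated OLD -> NEW" or "unchanged REV" on stdout.
# Returns 0 when the reload request was accepted, non-zero otherwise.
microcode_update() {
    before=$(microcode_revision)
    microcode_reload
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "microcode reload not possible (rc=$rc, vendor=$(cpu_vendor))" >&2
        return "$rc"
    fi
    after=$(microcode_revision)
    if [ "$before" = "$after" ]; then
        echo "unchanged $after"
    else
        echo "updated $before -> $after"
    fi
}

# "sh microcode-update.sh run" performs the reload (as root). Without the
# argument the file only defines the functions, as a sourced hook would need.
case "${1:-}" in
    run) microcode_update ;;
esac
```

The revision check matters for two reasons: the kernel silently ignores a reload when the blob is not newer than the running revision, and late loading is the weaker of the two mechanisms, which is why other distributions do it from an early initramfs so the new microcode is in place before the kernel's own feature detection runs. In an OpenWrt preinit script the natural registration would be boot_hook_add preinit_main microcode_update; whether the series' 8-line preinit file does exactly that is not visible from this cover letter.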
Nick Lowe Jan. 21, 2018, 11:45 a.m. UTC | #8
Yes, compiler updates will ultimately be necessary to properly close this.

We can see for now with 4.9.77:

root@LEDE:/sys/devices/system/cpu/vulnerabilities# cat spectre_v2
Vulnerable: Minimal AMD ASM retpoline

AMD processors are also incorrectly being marked as being vulnerable
to Meltdown. On my APU2C4 I see:

root@LEDE:/sys/devices/system/cpu/vulnerabilities# cat meltdown
Vulnerable

From /proc/cpuinfo

flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov
pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt
pdpe1gb rdtscp lm constant_tsc rep_good acc_power nopl nonstop_tsc
extd_apicid aperfmperf eagerfpu pni pclmulqdq monitor ssse3 cx16
sse4_1 sse4_2 movbe popcnt aes xsave avx f16c lahf_lm cmp_legacy svm
extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit
wdt topoext perfctr_nb bpext ptsc perfctr_l2 cpb hw_pstate retpoline
retpoline_amd vmmcall bmi1 xsaveopt arat npt lbrv svm_lock nrip_save
tsc_scale flushbyasid decodeassists pausefilter pfthreshold
overflow_recov

bugs : fxsave_leak sysret_ss_attrs null_seg cpu_meltdown spectre_v1 spectre_v2

The following patch, seen in 4.14.14, is missing from 4.9.77:

x86/cpu, x86/pti: Do not enable PTI on AMD processor
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.14.14&id=151d7039757b71ebd9d170af0944562f51149372

We can see that in this commit which renamed X86_BUG_CPU_INSECURE to
X86_BUG_CPU_MELTDOWN

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.77&id=43fe95308d276bdfd133f5951cc25565e39982ec

Can we backport this?

Cheers,

Nick

On Thu, Jan 18, 2018 at 9:15 PM, Hauke Mehrtens <hauke@hauke-m.de> wrote:
> On 01/18/2018 01:51 PM, Nick Lowe wrote:
>> Does an update to the Kernel, 4.9.77 and 4.14.14 need to be made to
>> properly address this? There are fixes to mitigate Spectre.
>
> We even need a patch for GCC which will be in GCC 8 and 7.3.
> For master we should backport it to GCC 5.5, but what do we want to do
> with 17.01 and 15.05 ?
>
> The AMD microcode updater needs at least kernel 4.15, 4.14.13, 4.9.76,
> 4.4.111  which we already have.
>
> Hauke
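Checking what the kernel believes about the CPU, as Nick does above by hand, is worth scripting, since the sysfs status strings use stable prefixes ("Not affected", "Mitigation: ...", "Vulnerable..."). The following is an added example, not code from the thread or from LEDE: it audits /sys/devices/system/cpu/vulnerabilities, looks up entries in the flags and bugs lines of /proc/cpuinfo, and flags the specific inconsistency reported here (an AuthenticAMD CPU carrying the cpu_meltdown bug bit). VULN_DIR and CPUINFO are assumed overridable so it can run against constructed files; the sample data used to exercise it is constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the patch series): audit the kernel's view of
# speculative-execution bugs from /sys/devices/system/cpu/vulnerabilities
# and from the "bugs"/"flags" lines of /proc/cpuinfo.
# VULN_DIR and CPUINFO are assumed overridable so the functions can be run
# against constructed files; the defaults are the real paths.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
CPUINFO="${CPUINFO:-/proc/cpuinfo}"

# Value of a /proc/cpuinfo line for the first CPU, e.g. the space separated
# list behind "bugs" or "flags", or the string behind "vendor_id".
cpuinfo_list() {
    awk -F': *' -v key="$1" '$1 ~ "^"key"[ \t]*$" { print $2; exit }' "$CPUINFO"
}

# Succeeds when WORD appears in the named list: cpuinfo_has bugs cpu_meltdown
cpuinfo_has() {
    list=$(cpuinfo_list "$1")
    case " $list " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Classify one sysfs status string by the prefixes the kernel uses.
classify_status() {
    case "$1" in
        "Not affected") echo unaffected ;;
        Mitigation:*)   echo mitigated ;;
        Vulnerable*)    echo vulnerable ;;
        *)              echo unknown ;;
    esac
}

# Print "NAME CLASS STATUS" per file in VULN_DIR. Returns 1 if anything is
# vulnerable or unclassifiable, 2 if the directory is missing (a kernel
# that predates the sysfs interface), 0 otherwise.
audit_vulnerabilities() {
    [ -d "$VULN_DIR" ] || return 2
    bad=0
    for f in "$VULN_DIR"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%s %s %s\n' "${f##*/}" "$class" "$status"
        case "$class" in vulnerable|unknown) bad=1 ;; esac
    done
    return "$bad"
}

# Cross-check the bugs line against the vendor: an AMD CPU flagged with
# cpu_meltdown is the inconsistency discussed in this thread (AMD CPUs are
# not affected by Meltdown, so the bug bit and PTI are wrong for them).
meltdown_flag_consistent() {
    vendor=$(cpuinfo_list vendor_id)
    if [ "$vendor" = "AuthenticAMD" ] && cpuinfo_has bugs cpu_meltdown; then
        return 1
    fi
    return 0
}

main() {
    audit_vulnerabilities
    rc=$?
    meltdown_flag_consistent || echo "WARNING: AMD CPU carries the cpu_meltdown bug flag" >&2
    exit "$rc"
}

# "sh cpu-vuln-audit.sh run" prints the report; the exit status is the
# audit result, so it can gate a boot-time check. Without the argument the
# file only defines the functions.
case "${1:-}" in run) main ;; esac
```

On Nick's 4.9.77 APU2 this reports meltdown as vulnerable and the AMD cross-check fails; once the stable fix he got queued is in the running kernel, the meltdown entry reads "Not affected" and only spectre_v2 remains in the vulnerable class until the retpoline-capable compiler is in place.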
Arjen de Korte Jan. 21, 2018, 12:04 p.m. UTC | #9
Citeren Nick Lowe <nick.lowe@gmail.com>:

> Yes, compiler updates will ultimately be necessary to properly close this.
>
> We can see for now with 4.9.77:
>
> root@LEDE:/sys/devices/system/cpu/vulnerabilities# cat spectre_v2
> Vulnerable: Minimal AMD ASM retpoline
>
> AMD processors are also incorrectly being marked as being vulnerable
> to Meltdown. On my APU2C4 I see:
>
> root@LEDE:/sys/devices/system/cpu/vulnerabilities# cat meltdown
> Vulnerable
>
> From /proc/cpuinfo
>
> flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov
> pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt
> pdpe1gb rdtscp lm constant_tsc rep_good acc_power nopl nonstop_tsc
> extd_apicid aperfmperf eagerfpu pni pclmulqdq monitor ssse3 cx16
> sse4_1 sse4_2 movbe popcnt aes xsave avx f16c lahf_lm cmp_legacy svm
> extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit
> wdt topoext perfctr_nb bpext ptsc perfctr_l2 cpb hw_pstate retpoline
> retpoline_amd vmmcall bmi1 xsaveopt arat npt lbrv svm_lock nrip_save
> tsc_scale flushbyasid decodeassists pausefilter pfthreshold
> overflow_recov
>
> bugs : fxsave_leak sysret_ss_attrs null_seg cpu_meltdown spectre_v1  
> spectre_v2
>
> The following patch, seen in 4.14.14, is missing from 4.9.77:
>
> x86/cpu, x86/pti: Do not enable PTI on AMD processor
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.14.14&id=151d7039757b71ebd9d170af0944562f51149372
>
> We can see that in this commit which renamed X86_BUG_CPU_INSECURE to
> X86_BUG_CPU_MELTDOWN
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.77&id=43fe95308d276bdfd133f5951cc25565e39982ec
>
> Can we backport this?

No, it's not missing, it's just in a different location:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/arch/x86/mm/kaiser.c?h=v4.9.75&id=8018307a45a90ab2eecfd03d48b7efb31707df37

I already wrote this in a reply on Jan 8th...

> Cheers,
>
> Nick
>
> On Thu, Jan 18, 2018 at 9:15 PM, Hauke Mehrtens <hauke@hauke-m.de> wrote:
>> On 01/18/2018 01:51 PM, Nick Lowe wrote:
>>> Does an update to the Kernel, 4.9.77 and 4.14.14 need to be made to
>>> properly address this? There are fixes to mitigate Spectre.
>>
>> We even need a patch for GCC which will be in GCC 8 and 7.3.
>> For master we should backport it to GCC 5.5, but what do we want to do
>> with 17.01 and 15.05 ?
>>
>> The AMD microcode updater needs at least kernel 4.15, 4.14.13, 4.9.76,
>> 4.4.111  which we already have.
>>
>> Hauke
>
Nick Lowe Jan. 21, 2018, 12:07 p.m. UTC | #10
Hi Arjen,

The point I was making is that we see:

root@LEDE:/sys/devices/system/cpu/vulnerabilities# cat meltdown
Vulnerable

This should not be marked as vulnerable and it is being.

Cheers,

Nick

On Sun, Jan 21, 2018 at 12:04 PM, Arjen de Korte
<arjen+lede@de-korte.org> wrote:
> Citeren Nick Lowe <nick.lowe@gmail.com>:
>
>
>> Yes, compiler updates will ultimately be necessary to properly close this.
>>
>> We can see for now with 4.9.77:
>>
>> root@LEDE:/sys/devices/system/cpu/vulnerabilities# cat spectre_v2
>> Vulnerable: Minimal AMD ASM retpoline
>>
>> AMD processors are also incorrectly being marked as being vulnerable
>> to Meltdown. On my APU2C4 I see:
>>
>> root@LEDE:/sys/devices/system/cpu/vulnerabilities# cat meltdown
>> Vulnerable
>>
>> From /proc/cpuinfo
>>
>> flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov
>> pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt
>> pdpe1gb rdtscp lm constant_tsc rep_good acc_power nopl nonstop_tsc
>> extd_apicid aperfmperf eagerfpu pni pclmulqdq monitor ssse3 cx16
>> sse4_1 sse4_2 movbe popcnt aes xsave avx f16c lahf_lm cmp_legacy svm
>> extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit
>> wdt topoext perfctr_nb bpext ptsc perfctr_l2 cpb hw_pstate retpoline
>> retpoline_amd vmmcall bmi1 xsaveopt arat npt lbrv svm_lock nrip_save
>> tsc_scale flushbyasid decodeassists pausefilter pfthreshold
>> overflow_recov
>>
>> bugs : fxsave_leak sysret_ss_attrs null_seg cpu_meltdown spectre_v1
>> spectre_v2
>>
>> The following patch, seen in 4.14.14, is missing from 4.9.77:
>>
>> x86/cpu, x86/pti: Do not enable PTI on AMD processor
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.14.14&id=151d7039757b71ebd9d170af0944562f51149372
>>
>> We can see that in this commit which renamed X86_BUG_CPU_INSECURE to
>> X86_BUG_CPU_MELTDOWN
>>
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.77&id=43fe95308d276bdfd133f5951cc25565e39982ec
>>
>> Can we backport this?
>
>
> No, it's not missing, it's just in a different location:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/arch/x86/mm/kaiser.c?h=v4.9.75&id=8018307a45a90ab2eecfd03d48b7efb31707df37
>
> I already wrote this in a reply on Jan 8th...
>
>> Cheers,
>>
>> Nick
>>
>> On Thu, Jan 18, 2018 at 9:15 PM, Hauke Mehrtens <hauke@hauke-m.de> wrote:
>>>
>>> On 01/18/2018 01:51 PM, Nick Lowe wrote:
>>>>
>>>> Does an update to the Kernel, 4.9.77 and 4.14.14 need to be made to
>>>> properly address this? There are fixes to mitigate Spectre.
>>>
>>>
>>> We even need a patch for GCC which will be in GCC 8 and 7.3.
>>> For master we should backport it to GCC 5.5, but what do we want to do
>>> with 17.01 and 15.05 ?
>>>
>>> The AMD microcode updater needs at least kernel 4.15, 4.14.13, 4.9.76,
>>> 4.4.111  which we already have.
>>>
>>> Hauke
>>
>>
Hauke Mehrtens Jan. 21, 2018, 12:20 p.m. UTC | #11
On 01/21/2018 01:07 PM, Nick Lowe wrote:
> Hi Arjen,
> 
> The point I was making is that we see:
> 
> root@LEDE:/sys/devices/system/cpu/vulnerabilities# cat meltdown
> Vulnerable
> 
> This should not be marked as vulnerable and it is being.
> 
> Cheers,
> 
> Nick
> 
> On Sun, Jan 21, 2018 at 12:04 PM, Arjen de Korte
> <arjen+lede@de-korte.org> wrote:
>> Citeren Nick Lowe <nick.lowe@gmail.com>:
>>
>>
>>> Yes, compiler updates will ultimately be necessary to properly close this.
>>>
>>> We can see for now with 4.9.77:
>>>
>>> root@LEDE:/sys/devices/system/cpu/vulnerabilities# cat spectre_v2
>>> Vulnerable: Minimal AMD ASM retpoline
>>>
>>> AMD processors are also incorrectly being marked as being vulnerable
>>> to Meltdown. On my APU2C4 I see:
>>>
>>> root@LEDE:/sys/devices/system/cpu/vulnerabilities# cat meltdown
>>> Vulnerable
>>>
>>> From /proc/cpuinfo
>>>
>>> flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov
>>> pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt
>>> pdpe1gb rdtscp lm constant_tsc rep_good acc_power nopl nonstop_tsc
>>> extd_apicid aperfmperf eagerfpu pni pclmulqdq monitor ssse3 cx16
>>> sse4_1 sse4_2 movbe popcnt aes xsave avx f16c lahf_lm cmp_legacy svm
>>> extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit
>>> wdt topoext perfctr_nb bpext ptsc perfctr_l2 cpb hw_pstate retpoline
>>> retpoline_amd vmmcall bmi1 xsaveopt arat npt lbrv svm_lock nrip_save
>>> tsc_scale flushbyasid decodeassists pausefilter pfthreshold
>>> overflow_recov
>>>
>>> bugs : fxsave_leak sysret_ss_attrs null_seg cpu_meltdown spectre_v1
>>> spectre_v2
>>>
>>> The following patch, seen in 4.14.14, is missing from 4.9.77:
>>>
>>> x86/cpu, x86/pti: Do not enable PTI on AMD processor
>>>
>>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.14.14&id=151d7039757b71ebd9d170af0944562f51149372
>>>
>>> We can see that in this commit which renamed X86_BUG_CPU_INSECURE to
>>> X86_BUG_CPU_MELTDOWN
>>>
>>>
>>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=v4.9.77&id=43fe95308d276bdfd133f5951cc25565e39982ec
>>>
>>> Can we backport this?
>>
>>
>> No, it's not missing, it's just in a different location:
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/arch/x86/mm/kaiser.c?h=v4.9.75&id=8018307a45a90ab2eecfd03d48b7efb31707df37
>>
>> I already wrote this in a reply on Jan 8th...
>>
>>> Cheers,
>>>
>>> Nick
>>>
>>> On Thu, Jan 18, 2018 at 9:15 PM, Hauke Mehrtens <hauke@hauke-m.de> wrote:
>>>>
>>>> On 01/18/2018 01:51 PM, Nick Lowe wrote:
>>>>>
>>>>> Does an update to the Kernel, 4.9.77 and 4.14.14 need to be made to
>>>>> properly address this? There are fixes to mitigate Spectre.
>>>>
>>>>
>>>> We even need a patch for GCC which will be in GCC 8 and 7.3.
>>>> For master we should backport it to GCC 5.5, but what do we want to do
>>>> with 17.01 and 15.05 ?
>>>>
>>>> The AMD microcode updater needs at least kernel 4.15, 4.14.13, 4.9.76,
>>>> 4.4.111  which we already have.
>>>>
>>>> Hauke

If your Linux kernel 4.9.77 running on an AMD APU is reported as
vulnerable to meltdown you should probably report this to the Linux
stable mailing list.

Greg wrote here that this should work:
http://kroah.com/log/blog/2018/01/19/meltdown-status-2/

Hauke
Nick Lowe Jan. 21, 2018, 3:57 p.m. UTC | #12
Hi,

Thanks! I have done so and this is now queued for 4.9.y and 4.4.y:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/?id=d28663e54705568523979ab8097b9672ee79b17f

https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/?id=8ea729c00403414d74417bb5e29efa00ad642e48

Thanks,

Nick
Nick Lowe Feb. 2, 2018, 2:51 p.m. UTC | #13
Hi,

There's a backport to GCC 5.5 here:

https://github.com/hjl-tools/gcc/commits/hjl/indirect/gcc-5-branch/master

Cheers,

Nick
Philip Prindeville Feb. 9, 2018, 8:46 p.m. UTC | #14
> On Jan 18, 2018, at 2:15 PM, Hauke Mehrtens <hauke@hauke-m.de> wrote:
> 
> On 01/18/2018 01:51 PM, Nick Lowe wrote:
>> Does an update to the Kernel, 4.9.77 and 4.14.14 need to be made to
>> properly address this? There are fixes to mitigate Spectre.
> 
> We even need a patch for GCC which will be in GCC 8 and 7.3.
> For master we should backport it to GCC 5.5, but what do we want to do
> with 17.01 and 15.05 ?
> 
> The AMD microcode updater needs at least kernel 4.15, 4.14.13, 4.9.76,
> 4.4.111  which we already have.
> 
> Hauke


For those of us following this from the sidelines (but not too closely), what’s the relationship of GCC to microcode updating?

-Philip
Hauke Mehrtens Feb. 9, 2018, 9:59 p.m. UTC | #15
On 02/09/2018 09:46 PM, Philip Prindeville wrote:
> 
> 
>> On Jan 18, 2018, at 2:15 PM, Hauke Mehrtens <hauke@hauke-m.de> wrote:
>>
>> On 01/18/2018 01:51 PM, Nick Lowe wrote:
>>> Does an update to the Kernel, 4.9.77 and 4.14.14 need to be made to
>>> properly address this? There are fixes to mitigate Spectre.
>>
>> We even need a patch for GCC which will be in GCC 8 and 7.3.
>> For master we should backport it to GCC 5.5, but what do we want to do
>> with 17.01 and 15.05 ?
>>
>> The AMD microcode updater needs at least kernel 4.15, 4.14.13, 4.9.76,
>> 4.4.111  which we already have.
>>
>> Hauke
> 
> 
> For those of us following this from the sidelines (but not too closely), what’s the relationship of GCC to microcode updating?
> 
> -Philip

GCC 7.3 supports retpoline which helps to mitigate one of the Spectre
variants. Some of the mitigations are already done by some ASM code in
the kernel, but not everything.
The microcode update will provide some extra registers or instructions
to also mitigate Spectre or to help the software mitigate it.

Intel released a plan here of which CPUs will get updated microcode and
in which state it is:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/02/microcode-update-guidance.pdf

Hauke