RE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds


RE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds

Wall, Stephen
> New CPU microcode may be available in a BIOS update from your system vendor,
> or by installing the devcpu-data package or sysutils/devcpu-data port.
> Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14.
>
> If using the package or port the microcode update can be applied at boot time
> by adding the following lines to the system's /boot/loader.conf:
>
> cpu_microcode_load="YES"
> cpu_microcode_name="/boot/firmware/intel-ucode.bin"

Is this applicable in a virtualized environment, or only on bare metal?
If not applicable in a VM, is it at least harmless?

Thanks

- Steve Wall



_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[hidden email]"

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds

mdtancsa
On 5/15/2019 8:18 AM, Wall, Stephen wrote:

>> New CPU microcode may be available in a BIOS update from your system vendor,
>> or by installing the devcpu-data package or sysutils/devcpu-data port.
>> Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14.
>>
>> If using the package or port the microcode update can be applied at boot time
>> by adding the following lines to the system's /boot/loader.conf:
>>
>> cpu_microcode_load="YES"
>> cpu_microcode_name="/boot/firmware/intel-ucode.bin"
> Is this applicable in a virtualized environment, or only on bare metal?
> If not applicable in a VM, is it at least harmless?


Actually, just tried this on RELENG_11 (r347613)  and I get

don't know how to load module '/boot/firmware/intel-ucode.bin'

In boot/loader.conf I have

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

# ls -l /boot/firmware/intel-ucode.bin
-rw-r--r--  1 root  wheel  uarch 2571264 May 15 08:47
/boot/firmware/intel-ucode.bin

# sha256 /boot/firmware/intel-ucode.bin
SHA256 (/boot/firmware/intel-ucode.bin) =
1fdb3a25467d285394eded8039ee8ab488f074903654981d35a4cdfe6ebf12fc



Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds

freebsd-security mailing list


> On 15 May 2019, at 15:32, mike tancsa <[hidden email]> wrote:
>
> Actually, just tried this on RELENG_11 (r347613)  and I get
>
> don't know how to load module '/boot/firmware/intel-ucode.bin'
>
> In boot/loader.conf I have
>
> cpu_microcode_load="YES"
> cpu_microcode_name="/boot/firmware/intel-ucode.bin"

I used this:
microcode_update_enable="YES"


on /etc/rc.conf with the devcpu-data port installed and as far as I know it updated the microcode.

The script in /usr/local/etc/rc.d used cpucontrol(8) to load it.

Or am I holding it wrong?



Borja.


Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds

Jan Bramkamp-2
In reply to this post by Wall, Stephen
On 15.05.19 14:18, Wall, Stephen wrote:

>> New CPU microcode may be available in a BIOS update from your system vendor,
>> or by installing the devcpu-data package or sysutils/devcpu-data port.
>> Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14.
>>
>> If using the package or port the microcode update can be applied at boot time
>> by adding the following lines to the system's /boot/loader.conf:
>>
>> cpu_microcode_load="YES"
>> cpu_microcode_name="/boot/firmware/intel-ucode.bin"
> Is this applicable in a virtualized environment, or only on bare metal?
> If not applicable in a VM, is it at least harmless?
Afaik you can't modify the microcode inside a VM, but give them time.
I'm sure Intel optimized that security check away as well in some corner
case yet to be discovered.

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds

freebsd-security mailing list
In reply to this post by mdtancsa
cpu_microcode_load="intel-ucode"

Don’t remember that as needing to be yes but could be wrong.

--
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

> On May 15, 2019, at 08:32, mike tancsa <[hidden email]> wrote:
>
> cpu_microcode_load="


Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds

mdtancsa
In reply to this post by freebsd-security mailing list
On 5/15/2019 10:27 AM, Borja Marcos wrote:

>
>> On 15 May 2019, at 15:32, mike tancsa <[hidden email]> wrote:
>>
>> Actually, just tried this on RELENG_11 (r347613)  and I get
>>
>> don't know how to load module '/boot/firmware/intel-ucode.bin'
>>
>> In boot/loader.conf I have
>>
>> cpu_microcode_load="YES"
>> cpu_microcode_name="/boot/firmware/intel-ucode.bin"
> I used this:
> microcode_update_enable="YES"
>
>
> on /etc/rc.conf with the devcpu-data port installed and as far as I know it updated the microcode.
>
> The script in /usr/local/etc/rc.d used cpucontrol(8) to load it.
>
> Or am I holding it wrong?

Supposedly 2 ways to do it. When you install the port, it writes ....
and I missed the part where it says running FreeBSD 12.0....

---------------------

Installing this port will allow host startup to update the CPU microcode on
a FreeBSD system automatically.  There are two methods for updating CPU
microcode: the first method loads and applies the update before the kernel
begins booting, and the second method loads and applies updates using an
rc script.  The first method is preferred, but is currently only supported
on Intel i386 and amd64 processors running FreeBSD 12.0.  It is safe to
enable both methods.

The first method ensures that any CPU features introduced by a microcode
update are visible to the kernel.  In other words, the update is loaded
before the kernel performs CPU feature detection.

To enable updates using the first method, add the following lines to
the system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

    ---Mike


>
>
> Borja.
>
>

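A check for the two update methods described in the pkg-message quoted above, as an added example that is not code from the thread, the advisory or the devcpu-data port. It assumes POSIX sh, takes the loader.conf and rc.conf paths plus the FreeBSD major release as arguments, and the sample configs it writes are constructed from the settings quoted in the thread.

```shell
# Added example; not code from the thread, the SA or the devcpu-data port.
# Classifies which of the two microcode-update methods from the port's
# pkg-message a host has enabled, applying the caveat from the thread:
# the loader.conf method is only honoured on FreeBSD 12.0 and later, so
# on 11.x it is ineffective (the "don't know how to load module" case).

# Print the value of KEY ($1) from a sh-style config FILE ($2), or nothing
# if unset. The last assignment wins, as for loader.conf and rc.conf.
conf_value() {
    [ -r "$2" ] || return 0
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$2" | tail -n 1
}

# Usage: microcode_method LOADER_CONF RC_CONF MAJOR_RELEASE
# Prints the effective method (loader, rc, both or none) and returns 1
# when no method will actually apply an update on that release.
microcode_method() {
    loader="$(conf_value cpu_microcode_load "$1")"
    name="$(conf_value cpu_microcode_name "$1")"
    rc="$(conf_value microcode_update_enable "$2")"
    via_loader=0; via_rc=0
    # loader(8) only loads when *_load is YES and *_name names the file.
    if [ -n "$name" ]; then
        case "$loader" in [Yy][Ee][Ss]) via_loader=1 ;; esac
    fi
    case "$rc" in [Yy][Ee][Ss]) via_rc=1 ;; esac
    if [ "$via_loader" -eq 1 ] && [ "$3" -lt 12 ]; then
        echo "warning: cpu_microcode_load is set but FreeBSD $3 ignores it" >&2
        via_loader=0
    fi
    case "$via_loader$via_rc" in
        11) echo both ;;
        10) echo loader ;;
        01) echo rc ;;
        *)  echo none; return 1 ;;
    esac
}

# Write constructed sample configs (the settings quoted in the thread) into DIR ($1).
write_sample_configs() {
    printf 'cpu_microcode_load="YES"\ncpu_microcode_name="/boot/firmware/intel-ucode.bin"\n' > "$1/loader.conf"
    printf 'hostname="demo"\nmicrocode_update_enable="YES"\n' > "$1/rc.conf"
}

dir="$(mktemp -d)"
write_sample_configs "$dir"
microcode_method "$dir/loader.conf" "$dir/rc.conf" 11   # prints: rc
microcode_method "$dir/loader.conf" "$dir/rc.conf" 12   # prints: both
rm -rf "$dir"
```

On a real host, run `microcode_method /boot/loader.conf /etc/rc.conf "$(uname -r | cut -d. -f1)"`; a non-zero exit means neither method will apply an update at boot.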

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds

Kyle Evans-3
In reply to this post by mdtancsa
On Wed, May 15, 2019 at 8:33 AM mike tancsa <[hidden email]> wrote:

>
> On 5/15/2019 8:18 AM, Wall, Stephen wrote:
> >> New CPU microcode may be available in a BIOS update from your system vendor,
> >> or by installing the devcpu-data package or sysutils/devcpu-data port.
> >> Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14.
> >>
> >> If using the package or port the microcode update can be applied at boot time
> >> by adding the following lines to the system's /boot/loader.conf:
> >>
> >> cpu_microcode_load="YES"
> >> cpu_microcode_name="/boot/firmware/intel-ucode.bin"
> > Is this applicable in a virtualized environment, or only on bare metal?
> > If not applicable in a VM, is it at least harmless?
>
>
> Actually, just tried this on RELENG_11 (r347613)  and I get
>
> don't know how to load module '/boot/firmware/intel-ucode.bin'
>
> In boot/loader.conf I have
>
> cpu_microcode_load="YES"
> cpu_microcode_name="/boot/firmware/intel-ucode.bin"
>
> # ls -l /boot/firmware/intel-ucode.bin
> -rw-r--r--  1 root  wheel  uarch 2571264 May 15 08:47
> /boot/firmware/intel-ucode.bin
>
> # sha256 /boot/firmware/intel-ucode.bin
> SHA256 (/boot/firmware/intel-ucode.bin) =
> 1fdb3a25467d285394eded8039ee8ab488f074903654981d35a4cdfe6ebf12fc
>

r337715 + r337716 were responsible for making this work, and they've
not yet been MFC'd as far as I can tell. CC markj@, because that's
probably good to sneak in soon.

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds

freebsd-security mailing list
In reply to this post by mdtancsa


> On 15 May 2019, at 16:33, mike tancsa <[hidden email]> wrote:
>
>> on /etc/rc.conf with the devcpu-data port installed and as far as I know it updated the microcode.
>>
>> The script in /usr/local/etc/rc.d used cpucontrol(8) to load it.
>>
>> Or am I holding it wrong?
>
> Supposedly 2 ways to do it. When you install the port, it writes ....
> and I missed the part where it says running FreeBSD 12.0....

Ah yes, I've always been doing this since FreeBSD 11. Using the port, not the loader.conf stuff.




Borja.


Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-19:07.mds

Mark Johnston-2
In reply to this post by Kyle Evans-3
On Wed, May 15, 2019 at 09:33:50AM -0500, Kyle Evans wrote:

> On Wed, May 15, 2019 at 8:33 AM mike tancsa <[hidden email]> wrote:
> >
> > On 5/15/2019 8:18 AM, Wall, Stephen wrote:
> > >> New CPU microcode may be available in a BIOS update from your system vendor,
> > >> or by installing the devcpu-data package or sysutils/devcpu-data port.
> > >> Ensure that the BIOS update or devcpu-data package is dated after 2014-05-14.
> > >>
> > >> If using the package or port the microcode update can be applied at boot time
> > >> by adding the following lines to the system's /boot/loader.conf:
> > >>
> > >> cpu_microcode_load="YES"
> > >> cpu_microcode_name="/boot/firmware/intel-ucode.bin"
> > > Is this applicable in a virtualized environment, or only on bare metal?
> > > If not applicable in a VM, is it at least harmless?
> >
> >
> > Actually, just tried this on RELENG_11 (r347613)  and I get
> >
> > don't know how to load module '/boot/firmware/intel-ucode.bin'
> >
> > In boot/loader.conf I have
> >
> > cpu_microcode_load="YES"
> > cpu_microcode_name="/boot/firmware/intel-ucode.bin"
> >
> > # ls -l /boot/firmware/intel-ucode.bin
> > -rw-r--r--  1 root  wheel  uarch 2571264 May 15 08:47
> > /boot/firmware/intel-ucode.bin
> >
> > # sha256 /boot/firmware/intel-ucode.bin
> > SHA256 (/boot/firmware/intel-ucode.bin) =
> > 1fdb3a25467d285394eded8039ee8ab488f074903654981d35a4cdfe6ebf12fc
> >
>
> r337715 + r337716 were responsible for making this work, and they've
> not yet been MFC'd as far as I can tell. CC markj@, because that's
> probably good to sneak in soon.

I'm working on this.  In any case, 11.2 doesn't have and won't get
boot-time microcode update support, so an updated SA with instructions
for 11 will be released shortly.