F26: how verify installation of CPU microcode patch ?

[boycottsystemd]

I've placed patch to /etc/firmware as recommended on intel webpage and rebooted. How can I verify that patch installation has succeded ?

[leigh123linux]

I've placed patch to /etc/firmware as recommended on intel webpage and rebooted. How can I verify that patch installation has succeded ?

Try dmesg

Code:

dmesg |grep patch
[    1.407995] microcode: microcode updated early to new patch_level=0x0600084f
[    1.408020] microcode: CPU0: patch_level=0x0600084f
[    1.408023] microcode: CPU1: patch_level=0x0600084f
[    1.408031] microcode: CPU2: patch_level=0x0600084f
[    1.408037] microcode: CPU3: patch_level=0x0600084f
[    1.408044] microcode: CPU4: patch_level=0x0600084f
[    1.408052] microcode: CPU5: patch_level=0x0600084f
[    1.408059] microcode: CPU6: patch_level=0x0600084f
[    1.408065] microcode: CPU7: patch_level=0x0600084f

P.S Installation is bad wording, loaded would be a better description.

[boycottsystemd]

Try dmesg

Code:

dmesg |grep patch
[    1.407995] microcode: microcode updated early to new patch_level=0x0600084f
[    1.408020] microcode: CPU0: patch_level=0x0600084f
[    1.408023] microcode: CPU1: patch_level=0x0600084f
[    1.408031] microcode: CPU2: patch_level=0x0600084f
[    1.408037] microcode: CPU3: patch_level=0x0600084f
[    1.408044] microcode: CPU4: patch_level=0x0600084f
[    1.408052] microcode: CPU5: patch_level=0x0600084f
[    1.408059] microcode: CPU6: patch_level=0x0600084f
[    1.408065] microcode: CPU7: patch_level=0x0600084f

P.S Installation is bad wording, loaded would be a better description.

Thank you.

It seems that patch isn't loaded:

Code:

[u@fedora ~]$ dmesg | grep patch
[u@fedora ~]$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x1c, date = 2015-02-26
[    1.580344] microcode: sig=0x306a9, pf=0x10, revision=0x1c
[    1.580697] microcode: Microcode Update Driver: v2.2.
[u@fedora ~]$

[leigh123linux]

microcode is loaded early by initramfs so you will probably need to rebuild it.

Code:

sudo dracut -f -vvv

You should see it listed in the build log

[srakitnican]

The other possibility is that CPU is not supported anymore. Like Ivy Bridge/Sandy Bridge.

[antikythera]

The other possibility is that CPU is not supported anymore. Like Ivy Bridge/Sandy Bridge.

please link to where you've read that information

[srakitnican]

Not sure about official status, unofficially there weren't a microcode update for these CPU architectures for almost 3 years. What is boycottsystemd seeing is what I am seeing as well. Although I am on Fedora 25 where there are not upgrades anymore, I don't expect one.

[boycottsystemd]

Not sure about official status, unofficially there weren't a microcode update for these CPU architectures for almost 3 years. What is boycottsystemd seeing is what I am seeing as well. Although I am on Fedora 25 where there are not upgrades anymore, I don't expect one.

Update is officially addressed to this CPU and I believe we would learn if Intel would provide wrong information.

[srakitnican]

In order to not all stay just on words.

Code:

$ sudo dnf --releasever 26 --disablerepo \* --enablerepo updates-testing upgrade microcode_ctl
$ rpm -q microcode_ctl
microcode_ctl-2.1-20.fc26.x86_64
$ sudo dracut -vf --kver $(uname -r)
dracut: Executing: /usr/bin/dracut -vf --kver 4.13.16-100.fc25.x86_64
dracut: dracut module 'busybox' will not be installed, because command 'busybox' could not be found!
dracut: dracut module 'biosdevname' will not be installed, because command 'biosdevname' could not be found!
dracut: dracut module 'busybox' will not be installed, because command 'busybox' could not be found!
dracut: *** Including module: bash ***
dracut: *** Including module: systemd ***
dracut: *** Including module: systemd-initrd ***
dracut: *** Including module: nss-softokn ***
dracut: *** Including module: i18n ***
dracut: *** Including module: network ***
dracut: *** Including module: ifcfg ***
dracut: *** Including module: drm ***
dracut: *** Including module: plymouth ***
dracut: *** Including module: kernel-modules ***
dracut: *** Including module: kernel-network-modules ***
dracut: *** Including module: rootfs-block ***
dracut: *** Including module: terminfo ***
dracut: *** Including module: udev-rules ***
dracut: Skipping udev rule: 40-redhat.rules
dracut: Skipping udev rule: 50-firmware.rules
dracut: Skipping udev rule: 50-udev.rules
dracut: Skipping udev rule: 91-permissions.rules
dracut: Skipping udev rule: 80-drivers-modprobe.rules
dracut: *** Including module: dracut-systemd ***
dracut: *** Including module: usrmount ***
dracut: *** Including module: base ***
dracut: *** Including module: fs-lib ***
dracut: *** Including module: shutdown ***
dracut: *** Including modules done ***
dracut: *** Installing kernel module dependencies ***
dracut: *** Installing kernel module dependencies done ***
dracut: *** Resolving executable dependencies ***
dracut: *** Resolving executable dependencies done***
dracut: *** Hardlinking files ***
dracut: *** Hardlinking files done ***
dracut: *** Stripping files ***
dracut: *** Stripping files done ***
dracut: *** Generating early-microcode cpio image ***
dracut: *** Constructing GenuineIntel.bin ****
dracut: *** Store current command line parameters ***
dracut: *** Creating image file '/boot/initramfs-4.13.16-100.fc25.x86_64.img' ***
dracut: *** Creating initramfs image file '/boot/initramfs-4.13.16-100.fc25.x86_64.img' done ***
$ ls -l /boot/initramfs-$(uname -r).img
-rw-------. 1 root root 19028265 Jan 12 10:22 /boot/initramfs-4.13.16-100.fc25.x86_64.img

After a reboot:

Code:

$ uname -r
4.13.16-100.fc25.x86_64
$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x1c, date = 2015-02-26
[    0.682853] microcode: sig=0x306a9, pf=0x2, revision=0x1c
[    0.683623] microcode: Microcode Update Driver: v2.2.

[antikythera]

what is concerning is that Intel are now aware of a bug in the microcode update that needs addressing. I guess it's what comes from knee-jerk patching without sufficient internal development and testing.

As Intel CEO Brian Krzanich emphasized in his Security-First Pledge, Intel is committed to transparency in reporting progress in handling the Google Project Zero exploits.
We have received reports from a few customers of higher system reboots after applying firmware updates. Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center. We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue.
End-users should continue to apply updates recommended by their system and operating system providers.

Source: https://newsroom.intel.com/news/inte...reboot-issues/

[srakitnican]

I am afraid that are just words to silence the masses, there are no intentions to support it anymore. But that is alright, developers with work around these issues in software.

[boycottsystemd]

In order to not all stay just on words.

Code:

$ sudo dnf --releasever 26 --disablerepo \* --enablerepo updates-testing upgrade microcode_ctl
$ rpm -q microcode_ctl
microcode_ctl-2.1-20.fc26.x86_64
$ sudo dracut -vf --kver $(uname -r)
dracut: Executing: /usr/bin/dracut -vf --kver 4.13.16-100.fc25.x86_64
dracut: dracut module 'busybox' will not be installed, because command 'busybox' could not be found!
dracut: dracut module 'biosdevname' will not be installed, because command 'biosdevname' could not be found!
dracut: dracut module 'busybox' will not be installed, because command 'busybox' could not be found!
dracut: *** Including module: bash ***
dracut: *** Including module: systemd ***
dracut: *** Including module: systemd-initrd ***
dracut: *** Including module: nss-softokn ***
dracut: *** Including module: i18n ***
dracut: *** Including module: network ***
dracut: *** Including module: ifcfg ***
dracut: *** Including module: drm ***
dracut: *** Including module: plymouth ***
dracut: *** Including module: kernel-modules ***
dracut: *** Including module: kernel-network-modules ***
dracut: *** Including module: rootfs-block ***
dracut: *** Including module: terminfo ***
dracut: *** Including module: udev-rules ***
dracut: Skipping udev rule: 40-redhat.rules
dracut: Skipping udev rule: 50-firmware.rules
dracut: Skipping udev rule: 50-udev.rules
dracut: Skipping udev rule: 91-permissions.rules
dracut: Skipping udev rule: 80-drivers-modprobe.rules
dracut: *** Including module: dracut-systemd ***
dracut: *** Including module: usrmount ***
dracut: *** Including module: base ***
dracut: *** Including module: fs-lib ***
dracut: *** Including module: shutdown ***
dracut: *** Including modules done ***
dracut: *** Installing kernel module dependencies ***
dracut: *** Installing kernel module dependencies done ***
dracut: *** Resolving executable dependencies ***
dracut: *** Resolving executable dependencies done***
dracut: *** Hardlinking files ***
dracut: *** Hardlinking files done ***
dracut: *** Stripping files ***
dracut: *** Stripping files done ***
dracut: *** Generating early-microcode cpio image ***
dracut: *** Constructing GenuineIntel.bin ****
dracut: *** Store current command line parameters ***
dracut: *** Creating image file '/boot/initramfs-4.13.16-100.fc25.x86_64.img' ***
dracut: *** Creating initramfs image file '/boot/initramfs-4.13.16-100.fc25.x86_64.img' done ***
$ ls -l /boot/initramfs-$(uname -r).img
-rw-------. 1 root root 19028265 Jan 12 10:22 /boot/initramfs-4.13.16-100.fc25.x86_64.img

After a reboot:

Code:

$ uname -r
4.13.16-100.fc25.x86_64
$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x1c, date = 2015-02-26
[    0.682853] microcode: sig=0x306a9, pf=0x2, revision=0x1c
[    0.683623] microcode: Microcode Update Driver: v2.2.

I've tried it and there was some error:

Code:

# rpm -q microcode_ctl
microcode_ctl-2.1-19.fc26.x86_64


# dracut -vf --kver $(uname -r)
dracut: Executing: /usr/bin/dracut -vf --kver 4.14.11-200.fc26.x86_64
dracut: dracut module 'busybox' will not be installed, because command 'busybox' could not be found!
dracut: dracut module 'busybox' will not be installed, because command 'busybox' could not be found!
dracut: *** Including module: bash ***
dracut: *** Including module: systemd ***
dracut: *** Including module: systemd-initrd ***
dracut: *** Including module: nss-softokn ***
dracut: *** Including module: i18n ***
dracut: *** Including module: network ***
dracut: *** Including module: ifcfg ***
dracut: *** Including module: drm ***
dracut: *** Including module: plymouth ***
dracut: *** Including module: kernel-modules ***
dracut: *** Including module: kernel-network-modules ***
dracut: *** Including module: rootfs-block ***
dracut: *** Including module: terminfo ***
dracut: *** Including module: udev-rules ***
dracut: Skipping udev rule: 40-redhat.rules
dracut: Skipping udev rule: 50-firmware.rules
dracut: Skipping udev rule: 50-udev.rules
dracut: Skipping udev rule: 91-permissions.rules
dracut: Skipping udev rule: 80-drivers-modprobe.rules
dracut: *** Including module: biosdevname ***
dracut: *** Including module: dracut-systemd ***
dracut: *** Including module: usrmount ***
dracut: *** Including module: base ***
dracut: *** Including module: fs-lib ***
dracut: *** Including module: shutdown ***
dracut: *** Including modules done ***
dracut: *** Installing kernel module dependencies ***
dracut: *** Installing kernel module dependencies done ***
dracut: *** Resolving executable dependencies ***
dracut: *** Resolving executable dependencies done***
dracut: *** Hardlinking files ***
dracut: *** Hardlinking files done ***
dracut: *** Stripping files ***
dracut: *** Stripping files done ***
dracut: *** Generating early-microcode cpio image ***
dracut: *** Constructing GenuineIntel.bin ****
dracut: *** Store current command line parameters ***
dracut: *** Creating image file '/boot/initramfs-4.14.11-200.fc26.x86_64.img' ***
cat: write error: Broken pipe
dracut: *** Creating initramfs image file '/boot/initramfs-4.14.11-200.fc26.x86_64.img' done ***
# ls -l /boot/initramfs-$(uname -r).img
-rw------- 1 root root 21059908 12 Jan 11:56 /boot/initramfs-4.14.11-200.fc26.x86_64.img

After reboot:

Code:

$ uname -a
Linux fedora 4.14.11-200.fc26.x86_64 #1 SMP Wed Jan 3 13:58:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x1c, date = 2015-02-26
[    1.572208] microcode: sig=0x306a9, pf=0x10, revision=0x1c
[    1.572558] microcode: Microcode Update Driver: v2.2.

[Texas]

Does this microcode update also patch Meltdown?

Seitensprung

[srakitnican]

No, Meltdown is not possible to fix without redesigning CPU architecture entirely it seems. It might take a while before it is fixed even with new CPUs. There was a workaround merged to kernel 4.14.11. What it does is basically flushes cache every time so that there is nothing to read from it which affects performance in some scenarios.

[antikythera]

the patch is for meltdown but so far only applies to a limited set of processors. more will be patched in the coming weeks.

https://www.wired.com/story/meltdown...erability-fix/