New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
I have a feeling for RHEL7 based systems you need to set the microcode service to start on boot. 6 based looks like it works via udev rules instead. Worth checking out the service if you didn't already.
same for my i7 4790k https://community.centminmod.com/posts/57896/
2017-01-27 is last date for microcode updates for i7 4790K so there are no more recent microcode updates available for my i7 4790K yet.
majority of intel microcode updates are scheduled for next week AFAIK
on CentOS 7.4 64bit, microcode updates happened with or without service enabled on boot, but i set microcode service to boot anyway
Glad to know I'm not the only one then :-D
Meanwhile, can I ask, what output do you get from
cat /sys/kernel/debug/x86/{ibpb_enabled,ibrs_enabled,pti_enabled}
?I assume the microcodes will arrive for ibpb and ibrs as well somewhere next week, because no matter what CPU I run (tested on like 15 different CPUs, different generations), ibpb and ibrs always stays zero even for CPUs where the microcode is up to date:
FYI https://openvz.org/Download/kernel/rhel6/042stab127.2
0, 0, 1 respectively as microcode update not available yet
Reading 40 bytes: Reading at malicious_x = 0xffffffffffdfebb8... Success: 0x54=’T’ score=2 Reading at malicious_x = 0xffffffffffdfebb9... Success: 0x68=’h’ score=2 Reading at malicious_x = 0xffffffffffdfebba... Success: 0x65=’e’ score=2 Reading at malicious_x = 0xffffffffffdfebbb... Success: 0x20=’ ’ score=2 Reading at malicious_x = 0xffffffffffdfebbc... Success: 0x4D=’M’ score=2 Reading at malicious_x = 0xffffffffffdfebbd... Success: 0x61=’a’ score=2 Reading at malicious_x = 0xffffffffffdfebbe... Success: 0x67=’g’ score=2 Reading at malicious_x = 0xffffffffffdfebbf... Success: 0x69=’i’ score=2 Reading at malicious_x = 0xffffffffffdfebc0... Success: 0x63=’c’ score=2 Reading at malicious_x = 0xffffffffffdfebc1... Success: 0x20=’ ’ score=2 Reading at malicious_x = 0xffffffffffdfebc2... Success: 0x57=’W’ score=2 Reading at malicious_x = 0xffffffffffdfebc3... Success: 0x6F=’o’ score=2 Reading at malicious_x = 0xffffffffffdfebc4... Success: 0x72=’r’ score=2 Reading at malicious_x = 0xffffffffffdfebc5... Success: 0x64=’d’ score=2 Reading at malicious_x = 0xffffffffffdfebc6... Success: 0x73=’s’ score=2 Reading at malicious_x = 0xffffffffffdfebc7... Success: 0x20=’ ’ score=2 Reading at malicious_x = 0xffffffffffdfebc8... Success: 0x61=’a’ score=2 Reading at malicious_x = 0xffffffffffdfebc9... Success: 0x72=’r’ score=2 Reading at malicious_x = 0xffffffffffdfebca... Success: 0x65=’e’ score=2 Reading at malicious_x = 0xffffffffffdfebcb... Success: 0x20=’ ’ score=2 Reading at malicious_x = 0xffffffffffdfebcc... Success: 0x53=’S’ score=2 Reading at malicious_x = 0xffffffffffdfebcd... Success: 0x71=’q’ score=2 Reading at malicious_x = 0xffffffffffdfebce... Success: 0x75=’u’ score=7 (second best: 0x05 score=1) Reading at malicious_x = 0xffffffffffdfebcf... Success: 0x65=’e’ score=7 (second best: 0x05 score=1) Reading at malicious_x = 0xffffffffffdfebd0... Success: 0x61=’a’ score=2 Reading at malicious_x = 0xffffffffffdfebd1... Success: 0x6D=’m’ score=2 Reading at malicious_x = 0xffffffffffdfebd2... Success: 0x69=’i’ score=2 Reading at malicious_x = 0xffffffffffdfebd3... Success: 0x73=’s’ score=2 Reading at malicious_x = 0xffffffffffdfebd4... Success: 0x68=’h’ score=2 Reading at malicious_x = 0xffffffffffdfebd5... Success: 0x20=’ ’ score=2 Reading at malicious_x = 0xffffffffffdfebd6... Success: 0x4F=’O’ score=2 Reading at malicious_x = 0xffffffffffdfebd7... Success: 0x73=’s’ score=2 Reading at malicious_x = 0xffffffffffdfebd8... Success: 0x73=’s’ score=2 Reading at malicious_x = 0xffffffffffdfebd9... Success: 0x69=’i’ score=2 Reading at malicious_x = 0xffffffffffdfebda... Success: 0x66=’f’ score=2 Reading at malicious_x = 0xffffffffffdfebdb... Success: 0x72=’r’ score=2 Reading at malicious_x = 0xffffffffffdfebdc... Success: 0x61=’a’ score=2 Reading at malicious_x = 0xffffffffffdfebdd... Success: 0x67=’g’ score=2 Reading at malicious_x = 0xffffffffffdfebde... Success: 0x65=’e’ score=2 Reading at malicious_x = 0xffffffffffdfebdf... Success: 0x2E=’.’ score=2 root@xxxxxxxx:~# cat /proc/cpuinfo processor : 0 vendor_id : GenuineIntel cpu family : 6 model : 79 model name : Intel(R) Xeon(R) CPU E5-2640 v4 @ 2.40GHz
On openVZ with an undisclosed provider.
99.4% marketshare in datacenter speaks for itself. That's single player by all accounts.
Sure you are limited by the node but let's look at AMDs launch of Ryzen and Eypc and the large core count. Intel's response finally the 8xxx series at 6 cores and 12thread was only the result of AMD Ryzen. It was not planned or announced before Ryzen stole sales.
Then we have features. AMDs Memory Encryption technology in their new Eypc and Ryzen pro line processors. Are you telling me Intel couldn't come up with that?
Intel drip fed the market chip advancements to maximize their profit. Make no doubt if AMD isn't supported despite finally having competitive products because people perceive Intel as the only choice which they now No longer are. Then we'll end up back where we were before ryzen.
Or you can keep coming up for excuses for why a company with 20x the market cap of AMD couldn't do what AMD did with 5% the research as development resources...
I think you've forgotten how convoluted the Intel platform has gotten. They released three different pin layouts and chipsets within this past year just to Keeup with AMD
@spycrab101 interesting - it’s not surprising that OpenVZ is vulnerable but there doesn’t seem to be any news about providers updating the kernel despite an update now being available.
There's no microcode for spectre yet - so rebooting twice within a week might suck
There is, depending hardware you have.
So.. please give a list of CPUs that actually has microcode available that fixes both variants of spectre - because none of the v5, v4, v3, v2 and vNothing I have actually has the microcode available that enables ibpb and ibrs.
Let me check my E3-v6 if that has the microcode :-D
So.. If I download the latest microcodes from Intel's website, use iucode_tool to see what's available for my CPU, then it reveals:
As you can see the microcode is from 2017-04-06 for
model name : Intel(R) Xeon(R) CPU E3-1230 v6 @ 3.50GHz
Now.. v6 is so new that it should probably have been released - some of the others, there's microcodes available that was made in november - however - none of those actually fixes both spectre variants.
Even if you can mention a single CPU, that got microcodes for both variants, and a link to that specific microcode - then it would be good
http://metadata.ftp-master.debian.org/changelogs/non-free/i/intel-microcode/intel-microcode_3.20171215.1_changelog
Sure - tell that to Ubuntu:
http://archive.ubuntu.com/ubuntu/pool/main/i/intel-microcode/
And tell it to CentOS, CloudLinux, Red Hat, Intel's own website
If you download the microcodes directly from Intel ( https://downloadcenter.intel.com/download/27337/Linux-Processor-Microcode-Data-File?product=873 ) you'll not find any microcodes matching e.g. the v6 above other than the 2017-04-06.
Now, if we take that specific deb package there, first then we'll have an available microcode:
So the fact that Debian has a package with (possible) working microcodes, but ubuntu, RHEL based systems or intel didn't publish them
There's also some upgrade of microcode_ctl in CentOS and RHEL repos (microcode_ctl.x86_64 1:1.17-25.2.el6_9).
@Zerpy @rdes I posted this in the other thread, but according to https://github.com/hannob/meltdownspectre-patches#cpu-microcode RHEL, Debian, and others have pushed version 2017-12-15 that supposedly resolves Spectre variant 2, which is newer than the 2017-11-17 published on Intel's website. I don't know why Intel's website is not updated though.
Edit: Zerpy said the update is not affecting many CPU models -- https://www.lowendtalk.com/discussion/comment/2601841/#Comment_2601841
I'm not sure how much use it will be. This is from that microcode_ctl package.
[root@microcode ~]# iucode_tool -t d microcode.dat --write-all-named-to=test --date-after=2017-12-01 iucode_tool: No valid microcodes were selected, nothing to do...
Uh, another flaw, this time AMD:
https://www.theregister.co.uk/2018/01/06/amd_cpu_psp_flaw/
Intel was aware of that issue since 2012 not 6 months ago:
That CPU usage, #rip
https://www.epicgames.com/fortnite/forums/news/announcements/132642-epic-services-stability-update
I installed the latest Intel microcode package in Debian:
and yet on boot-up it says:
Apparently this Core i5-3570S is "too old" for Intel to bother fixing. So just because you have the latest microcode package, doesn't mean it's going to contain any fixes for your particular CPU.
No, I don't think so. Your processor is simply too end user. I strongly presume that first there will be/are provided band aids for infrastructure critical processors, i.e. xeons.
Side note: It seems there's a new yardstick to seperate the good and the low end VPS providers, The good one will bite it and take the performance loss, i.e. will spread their vpss over somewhat more nodes. The low end one won't.
Really? Sure? -> https://lh6.googleusercontent.com/MwzsHRXQLVbmJ3pusNuGwn0ZQVjo9h8nRJHJhIo4d3XFqbvUYCj8EPq5jV7zeVEEcHAkraNBesbbNDW_UAlIjvw-hZBd80rKt7ZYl35nBIcfCCVyRvW5V7M7KVejv9tvVBHfgSKr
(from Epic Games re. their patched servers)
Oh, no, I'm going going to go through another IP issue with Intel again!*
* also a joke.
I think the good ones had always some margins to account for the extra load now and then and can afford to sit back and watch what product and nodes need some intervention, if any. What you mention is the average provider.
If you look inside the release, it's 20171117 with some supplementary binary patches:
I suggest anyone interested in following this without blindly rebooting or wondering why sending to /dev/cpu/microcode isn't doing anything, get familiar with iucode_tool.
The syntax is pretty simple. Here's how you'd extract using a standard Intel .dat format file (and not the raw binary examples above) for your specific CPU:
My whole weekend is dead. Thank you computers!
Which is all good, but even with iucode_tool - the microcode for a specific processor has to be available, and even if taking e.g. version 20171117 from Intel's website - it won't contain microcodes for a lot of CPUs yet, such as E3-1230v6
A great way of testing if a microcode is available for the CPU is by doing:
In case there's no microcode with a date after november or december, it's pointless to "patch" and reboot, since it won't do anything anyway.
e.g. version 20171117 from intel:
No fix for E3-1230v6 yet ... Let's all wait happily, what can possibly go wrong :')
That's why I wrote the above.
Just doesn't mention the fact that simply supplying the dat file, still doesn't guarantee that your CPU might be patched, simply running the command:
Will give the same result regardless of a new patching being available or not compared to what the CPU already contains.