Message-ID: <20170630113706.qomehkph75ohudnf@pd.tnic>
Date:   Fri, 30 Jun 2017 13:37:07 +0200
From:   Borislav Petkov <bp@...en8.de>
To:     Paul Menzel <pmenzel@...gen.mpg.de>
Cc:     linux-kernel@...r.kernel.org, Fenghua Yu <fenghua.yu@...el.com>
Subject: Re: Early loading of microcode updates with all firmware

Dear Paul,

On Fri, Jun 30, 2017 at 12:44:43PM +0200, Paul Menzel wrote:
> But, the microcode is not updated. For example, I have to manually run the
> command below.

Yes, you need something in userspace to trigger that reload.

> Reading the document, that method is not explicitly mentioned there, so I
> guess it’s not supported.

Note the "early" in that file's name.

And that method is supported - it is the late loading method. I could
rename that file to microcode.txt and document all the loading methods
there. Here's a TODO list item...

> So two questions. If I want to add it to the initramfs image, the document
> says to prepend the updates. But I am unclear how to create `microcode.bin`
> to contain all the files in `/lib/firmware/intel-ucode/`, and then the ones
> for AMD devices. Do I just concatenate both?

Here's a script I'm using, it should make it all clear:

---
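#!/bin/bash
# Prepend an uncompressed cpio archive holding the CPU microcode to an
# existing initrd. The original image is kept as <initrd>.orig.

if [ -z "$1" ]; then
    echo "You need to supply an initrd file"
    exit 1
fi

# Resolve to an absolute path: the script changes directory below, so a
# relative initrd path would no longer point at the file.
INITRD="$(readlink -f "$1")"

# Path inside the cpio archive that holds the microcode blobs.
DSTDIR=kernel/x86/microcode
TMPDIR=/tmp/initrd

rm -rf "$TMPDIR"

mkdir "$TMPDIR"
# Stop if the work directory is unusable, otherwise find/cpio below would
# archive whatever directory the script was started from.
cd "$TMPDIR" || exit 1
mkdir -p "$DSTDIR"

# Concatenate all AMD microcode files into one blob.
if [ -d /lib/firmware/amd-ucode ]; then
	cat /lib/firmware/amd-ucode/microcode_amd*.bin > "$DSTDIR/AuthenticAMD.bin"
fi

# Concatenate all Intel microcode files into one blob.
if [ -d /lib/firmware/intel-ucode ]; then
	cat /lib/firmware/intel-ucode/* > "$DSTDIR/GenuineIntel.bin"
fi

find . | cpio -o -H newc >../ucode.cpio
cd ..
mv "$INITRD" "$INITRD.orig"
# Microcode archive first, original initrd after it.
cat ucode.cpio "$INITRD.orig" > "$INITRD"

rm -rf "$TMPDIR"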
---

You can adjust the regex selecting the Intel files to something more
restrictive as you don't want to carry everything in your initrd. Not
that putting every microcode file in the initrd doesn't work - it does
just fine.

> Regarding the section *Builtin microcode*, it would be quite cumbersome to
> list all the microcode files. It looks like wildcards like `*` are not
> supported. At least the build breaks, if `intel-ucode/*` is used in the
> prompt.

Yes, you need to list them one-by-one.

I wouldn't use that method though as it means you need to rebuild the
kernel when there's a new microcode. So stick to the initrd instead.

HTH.

-- 
Regards/Gruss,
    Boris.

Good mailing practices for 400: avoid top-posting and trim the reply.
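
A check that the prepend worked, added here as an example (not code from the message above or from the kernel tree): it walks the uncompressed newc cpio archive at the start of an initrd image and reports the vendor microcode blobs stored under kernel/x86/microcode. The function names and the sample bytes are assumptions constructed for illustration.

```python
MAGIC = b"070701"                      # newc cpio magic
UCODE_DIR = "kernel/x86/microcode/"    # archive path used by the script above

def pad4(n):
    return (n + 3) & ~3                # newc aligns names and data to 4 bytes

def newc_entries(buf):
    """Yield (name, data) from the uncompressed newc archive at the start of buf."""
    off = 0
    while buf[off:off + 6] == MAGIC and len(buf) - off >= 110:
        # 13 fields of 8 hex digits follow the magic; 6 = filesize, 11 = namesize
        f = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        name = buf[off + 110:off + 110 + f[11] - 1].decode(errors="replace")
        data_start = pad4(off + 110 + f[11])
        if name == "TRAILER!!!":       # end-of-archive marker
            return
        yield name, buf[data_start:data_start + f[6]]
        off = pad4(data_start + f[6])

def early_microcode(initrd):
    """Map vendor blob name -> size; empty blobs (glob matched nothing) are skipped."""
    return {n[len(UCODE_DIR):]: len(d) for n, d in newc_entries(initrd)
            if n.startswith(UCODE_DIR) and d}

def newc_record(name, data=b""):
    """Build one newc record (used only for the constructed sample below)."""
    n = name.encode() + b"\0"
    fields = (0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0)
    rec = MAGIC + b"".join(b"%08X" % v for v in fields) + n
    rec += b"\0" * (pad4(len(rec)) - len(rec))
    return rec + data + b"\0" * (pad4(len(data)) - len(data))

# Constructed sample: placeholder bytes, not real microcode, followed by a fake
# gzip-compressed original initrd (only its magic bytes matter here).
SAMPLE = (newc_record(UCODE_DIR + "GenuineIntel.bin", b"\x01" * 10)
          + newc_record(UCODE_DIR + "AuthenticAMD.bin", b"\x02" * 7)
          + newc_record("TRAILER!!!") + b"\x1f\x8b\x08" + b"\0" * 32)

if __name__ == "__main__":
    print(early_microcode(SAMPLE))
```

To check a real image, pass `open(path, "rb").read()` to `early_microcode`; an empty result means no microcode archive is prepended.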
