Bug #15148

Upgrade AMD processor microcodes to mitigate the Spectre attack

Added by intrigeri 2018-01-06 08:02:56 . Updated 2018-01-23 19:50:35 .

Status:
Resolved
Priority:
Elevated
Assignee:
Category:
Target version:
Start date:
2018-01-06
Due date:
% Done:

100%

Feature Branch:
bugfix/15148-cpu-microcode-spectre
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Deliverable for:


Subtasks


Related issues

Related to Tails - Feature #14976: Upgrade the Linux kernel to get KPTI Resolved 2017-11-17
Blocks Tails - Feature #13245: Core work 2018Q1: Foundations Team Resolved 2017-06-29
Blocks Tails - Bug #15173: Upgrade Intel processor microcodes to mitigate the Spectre attack Resolved 2018-01-16

History

#1 Updated by intrigeri 2018-01-06 08:03:16

  • related to Feature #14976: Upgrade the Linux kernel to get KPTI added

#2 Updated by intrigeri 2018-01-06 08:03:21

#3 Updated by intrigeri 2018-01-06 08:07:23

  • Assignee changed from intrigeri to anonym

An upgrade for intel-microcode is already in sid. It’s somewhat unofficial and does not cover all CPUs. I’m tempted to take it for Tails 3.4 but the consequences are unclear to me.

No upgrade for amd64-microcode is in Debian yet. The one SUSE applied simply disables branch prediction on a CPU family.

All these changes feel risky, it’s a bit scary to include them in an emergency release that will be tested only on a very small set of hardware. I propose we skip them for Tails 3.4 and in Tails 3.5 we follow whatever is done for Debian stable.

anonym, what do you think?

#4 Updated by anonym 2018-01-08 14:18:50

  • Assignee changed from anonym to intrigeri
  • Target version changed from Tails_3.4 to Tails_3.5
  • Type of work changed from Research to Code

In Redhat’s advisory it is made pretty clear (in the descriptions for the three variants) that only CVE-2017-5715 (variant #2/Spectre) requires the Intel microcode update. Luckily (for us) variant #2 is about a malicious guest VM reading the host kernel memory (or memory from another guest VM), which isn’t affecting any supported use case in Tails, so we can safely postpone this until Tails 3.5.

#5 Updated by intrigeri 2018-01-10 08:51:46

anonym wrote:
> Luckily (for us) variant #2 is about a malicious guest VM reading the host kernel memory (or memory from another guest VM)

I think you’ve been mislead by ambiguous wording on that page, that is clarified elsewhere:

So it seems pretty clear to me that variant 2 (CVE-2017-5715) is not only about VMs.

Anyway, this is moot now, let’s apply the fixes in 3.5 if they’re ready in time :)

#6 Updated by intrigeri 2018-01-11 09:06:00

  • Description updated

#7 Updated by intrigeri 2018-01-11 09:22:28

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/15148-cpu-microcode-spectre

#8 Updated by intrigeri 2018-01-11 10:35:55

Post-merge steps

  • bump the expiration date of the debian APT snapshot this branch updates to

#9 Updated by intrigeri 2018-01-11 10:38:32

  • % Done changed from 10 to 20

The diff between 3.4’s build-manifest and this branch’s shows only 2 changes: the two packages this branch wants to update are updated. Same for the .packages file. I can’t run tests on Jenkins yet due to Bug #15163 so in the meantime I’ll run tests locally (without using —old-iso 3.4). More importantly I will test on the bare metal systems I have around, since I doubt Tails running in a VM is seriously impacted by this branch.

#10 Updated by intrigeri 2018-01-11 11:21:24

intrigeri wrote:
> More importantly I will test on the bare metal systems I have around, since I doubt Tails running in a VM is seriously impacted by this branch.

  • ThinkPad X200, Intel Core 2 Duo P8700 that’s not on the list of affected products: no microcode update applied on boot, as expected since there’s none for this CPU in the upgraded package (sig=0x1067a, pf=0x80, revision=0xa0b)
  • MacBook Pro 8,1 13-inch, Intel Core i5-2435M CPU that’s is on the list of affected products: microcode updated on boot, but to a version from 2013, as expected since there’s none for this CPU in the upgraded package (sig=0x206a7, pf=0x10, revision=0x29) :/
  • I was going to test on my own laptop, that is affected and whose CPU microcode is updated by the new intel-microcode package, but I’ve already updated my BIOS which included the last CPU microcode, so this test would be worthless.

#11 Updated by intrigeri 2018-01-11 12:57:57

On some AMD CPUs, one needs the “[x86] microcode/AMD: Add support for fam17h microcode loading” kernel commit for the updated microcode to be loaded. It’s in Linux 4.14.13 so we’re in for a (minor) kernel update. Having the bugfixes brought by this stable kernel branch will anyway be welcome. I’ll handle it once 4.14.13 is in sid.

#12 Updated by intrigeri 2018-01-11 14:38:57

Full test suite passed here except the now well-known “Localization ǂ The Report an Error launcher will open the support documentation in supported non-English locales” issue.

#13 Updated by intrigeri 2018-01-15 16:44:17

Given https://bugs.debian.org/886998, wrt. Intel I’ll hold on and follow Debian’s lead i.e. I won’t get that one in Tails until it’s deemed good for Debian stable. But this does not block updating the AMD microcode.

#14 Updated by intrigeri 2018-01-16 13:40:58

  • blocks Bug #15173: Upgrade Intel processor microcodes to mitigate the Spectre attack added

#15 Updated by intrigeri 2018-01-16 13:42:40

  • Subject changed from Upgrade Intel and AMD processor microcodes to mitigate the Spectre attack to Upgrade AMD processor microcodes to mitigate the Spectre attack
  • % Done changed from 20 to 30

Giving up on Intel for Tails 3.5 => moved that part to Bug #15173 and postponed. The topic branch should now have everything needed on the AMD side.

#16 Updated by intrigeri 2018-01-16 18:03:52

Jenkins is happy, now running the full test suite locally.

#17 Updated by intrigeri 2018-01-17 07:23:04

  • Assignee changed from intrigeri to anonym
  • % Done changed from 30 to 50
  • QA Check set to Ready for QA

I think we’re good to go:

  • Full test suite passed except “Thunderbird email client ǂ Thunderbird can download the inbox with POP3” (probably a transient network failure).
  • An ISO built from this branch has the expected 2 package updates, boots fine and connects to Tor successfully on libvirt/QEMU, MacBook Pro 8,1 13-inch and Thinkpad X200.
  • The .{packages,build-manifest} diff vs. 3.4’s looks sane modulo Bug #15177 (which is unrelated to this branch).
  • I have no hardware around with an AMD CPU so I cannot test microcode updates. But I’ve verified that no regression was reported against amd64-microcode in Debian since the update was uploaded a week ago (and since migrated to testing).

Reminder:

Post-merge steps

  • bump the expiration date of the debian APT snapshot this branch updates to
  • note the kernel update (e.g. for changelog)

#18 Updated by anonym 2018-01-19 22:45:25

  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

intrigeri wrote:
> I think we’re good to go:
>
> * Full test suite passed except “Thunderbird email client ǂ Thunderbird can download the inbox with POP3” (probably a transient network failure).
> * An ISO built from this branch has the expected 2 package updates, boots fine and connects to Tor successfully on libvirt/QEMU, MacBook Pro 8,1 13-inch and Thinkpad X200.
> * The .{packages,build-manifest} diff vs. 3.4’s looks sane modulo Bug #15177 (which is unrelated to this branch).
> * I have no hardware around with an AMD CPU so I cannot test microcode updates. But I’ve verified that no regression was reported against amd64-microcode in Debian since the update was uploaded a week ago (and since migrated to testing).

Thanks for all this! I don’t know what testing I can do in addition (I did look at the .packages diff) as I too lack AMD hardware, so I’ll just go ahead and merge it.

> Reminder:
>
> h2. Post-merge steps
>
> * bump the expiration date of the debian APT snapshot this branch updates to

Done!

> * note the kernel update (e.g. for changelog)

I was gonna mention that I thought the kernel upgrade would be ok even though the increased 3.4_to_3.5 IUK size will be annoying given the little we gain from this upgrade.

#19 Updated by anonym 2018-01-19 22:45:50

  • Status changed from In Progress to Fix committed

#20 Updated by anonym 2018-01-23 19:50:35

  • Status changed from Fix committed to Resolved