Bug #15148
Upgrade AMD processor microcodes to mitigate the Spectre attack
100%
Description
Subtasks
Related issues
Related to Tails - |
Resolved | 2017-11-17 | |
Blocks Tails - |
Resolved | 2017-06-29 | |
Blocks Tails - |
Resolved | 2018-01-16 |
History
#1 Updated by intrigeri 2018-01-06 08:03:16
- related to
Feature #14976: Upgrade the Linux kernel to get KPTI added
#2 Updated by intrigeri 2018-01-06 08:03:21
- blocks
Feature #13245: Core work 2018Q1: Foundations Team added
#3 Updated by intrigeri 2018-01-06 08:07:23
- Assignee changed from intrigeri to anonym
An upgrade for intel-microcode is already in sid. It’s somewhat unofficial and does not cover all CPUs. I’m tempted to take it for Tails 3.4 but the consequences are unclear to me.
No upgrade for amd64-microcode is in Debian yet. The one SUSE applied simply disables branch prediction on a CPU family.
All these changes feel risky, it’s a bit scary to include them in an emergency release that will be tested only on a very small set of hardware. I propose we skip them for Tails 3.4 and in Tails 3.5 we follow whatever is done for Debian stable.
anonym, what do you think?
#4 Updated by anonym 2018-01-08 14:18:50
- Assignee changed from anonym to intrigeri
- Target version changed from Tails_3.4 to Tails_3.5
- Type of work changed from Research to Code
In Redhat’s advisory it is made pretty clear (in the descriptions for the three variants) that only CVE-2017-5715 (variant #2/Spectre) requires the Intel microcode update. Luckily (for us) variant #2 is about a malicious guest VM reading the host kernel memory (or memory from another guest VM), which isn’t affecting any supported use case in Tails, so we can safely postpone this until Tails 3.5.
#5 Updated by intrigeri 2018-01-10 08:51:46
anonym wrote:
> Luckily (for us) variant #2 is about a malicious guest VM reading the host kernel memory (or memory from another guest VM)
I think you’ve been mislead by ambiguous wording on that page, that is clarified elsewhere:
- https://access.redhat.com/security/vulnerabilities/speculativeexecution says “These variants could be used not only to cross syscall boundary (variant 1 and variant 2) but also guest/host boundary (variant 2)” and “Variant 2 can be exploited both locally (within the same OS) and through the virtualization guest boundary. Fixes require CPU microcode/firmware to activate”.
- https://access.redhat.com/security/cve/cve-2017-5715 reads “an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory”.
- https://security-tracker.debian.org/tracker/CVE-2017-5715 says “Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis”.
So it seems pretty clear to me that variant 2 (CVE-2017-5715) is not only about VMs.
Anyway, this is moot now, let’s apply the fixes in 3.5 if they’re ready in time :)
#6 Updated by intrigeri 2018-01-11 09:06:00
- Description updated
#7 Updated by intrigeri 2018-01-11 09:22:28
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
- Feature Branch set to bugfix/15148-cpu-microcode-spectre
#8 Updated by intrigeri 2018-01-11 10:35:55
Post-merge steps
- bump the expiration date of the
debian
APT snapshot this branch updates to
#9 Updated by intrigeri 2018-01-11 10:38:32
- % Done changed from 10 to 20
The diff between 3.4’s build-manifest and this branch’s shows only 2 changes: the two packages this branch wants to update are updated. Same for the .packages file. I can’t run tests on Jenkins yet due to Bug #15163 so in the meantime I’ll run tests locally (without using —old-iso 3.4). More importantly I will test on the bare metal systems I have around, since I doubt Tails running in a VM is seriously impacted by this branch.
#10 Updated by intrigeri 2018-01-11 11:21:24
intrigeri wrote:
> More importantly I will test on the bare metal systems I have around, since I doubt Tails running in a VM is seriously impacted by this branch.
- ThinkPad X200, Intel Core 2 Duo P8700 that’s not on the list of affected products: no microcode update applied on boot, as expected since there’s none for this CPU in the upgraded package (sig=0x1067a, pf=0x80, revision=0xa0b)
- MacBook Pro 8,1 13-inch, Intel Core i5-2435M CPU that’s is on the list of affected products: microcode updated on boot, but to a version from 2013, as expected since there’s none for this CPU in the upgraded package (sig=0x206a7, pf=0x10, revision=0x29) :/
- I was going to test on my own laptop, that is affected and whose CPU microcode is updated by the new intel-microcode package, but I’ve already updated my BIOS which included the last CPU microcode, so this test would be worthless.
#11 Updated by intrigeri 2018-01-11 12:57:57
On some AMD CPUs, one needs the “[x86] microcode/AMD: Add support for fam17h microcode loading” kernel commit for the updated microcode to be loaded. It’s in Linux 4.14.13 so we’re in for a (minor) kernel update. Having the bugfixes brought by this stable kernel branch will anyway be welcome. I’ll handle it once 4.14.13 is in sid.
#12 Updated by intrigeri 2018-01-11 14:38:57
Full test suite passed here except the now well-known “Localization ǂ The Report an Error launcher will open the support documentation in supported non-English locales” issue.
#13 Updated by intrigeri 2018-01-15 16:44:17
Given https://bugs.debian.org/886998, wrt. Intel I’ll hold on and follow Debian’s lead i.e. I won’t get that one in Tails until it’s deemed good for Debian stable. But this does not block updating the AMD microcode.
#14 Updated by intrigeri 2018-01-16 13:40:58
- blocks
Bug #15173: Upgrade Intel processor microcodes to mitigate the Spectre attack added
#15 Updated by intrigeri 2018-01-16 13:42:40
- Subject changed from Upgrade Intel and AMD processor microcodes to mitigate the Spectre attack to Upgrade AMD processor microcodes to mitigate the Spectre attack
- % Done changed from 20 to 30
Giving up on Intel for Tails 3.5 => moved that part to Bug #15173 and postponed. The topic branch should now have everything needed on the AMD side.
#16 Updated by intrigeri 2018-01-16 18:03:52
Jenkins is happy, now running the full test suite locally.
#17 Updated by intrigeri 2018-01-17 07:23:04
- Assignee changed from intrigeri to anonym
- % Done changed from 30 to 50
- QA Check set to Ready for QA
I think we’re good to go:
- Full test suite passed except “Thunderbird email client ǂ Thunderbird can download the inbox with POP3” (probably a transient network failure).
- An ISO built from this branch has the expected 2 package updates, boots fine and connects to Tor successfully on libvirt/QEMU, MacBook Pro 8,1 13-inch and Thinkpad X200.
- The
.{packages,build-manifest}
diff vs. 3.4’s looks sane moduloBug #15177(which is unrelated to this branch). - I have no hardware around with an AMD CPU so I cannot test microcode updates. But I’ve verified that no regression was reported against amd64-microcode in Debian since the update was uploaded a week ago (and since migrated to testing).
Reminder:
Post-merge steps
- bump the expiration date of the
debian
APT snapshot this branch updates to - note the kernel update (e.g. for changelog)
#18 Updated by anonym 2018-01-19 22:45:25
- Assignee deleted (
anonym) - % Done changed from 50 to 100
- QA Check changed from Ready for QA to Pass
intrigeri wrote:
> I think we’re good to go:
>
> * Full test suite passed except “Thunderbird email client ǂ Thunderbird can download the inbox with POP3” (probably a transient network failure).
> * An ISO built from this branch has the expected 2 package updates, boots fine and connects to Tor successfully on libvirt/QEMU, MacBook Pro 8,1 13-inch and Thinkpad X200.
> * The .{packages,build-manifest}
diff vs. 3.4’s looks sane modulo Bug #15177 (which is unrelated to this branch).
> * I have no hardware around with an AMD CPU so I cannot test microcode updates. But I’ve verified that no regression was reported against amd64-microcode in Debian since the update was uploaded a week ago (and since migrated to testing).
Thanks for all this! I don’t know what testing I can do in addition (I did look at the .packages
diff) as I too lack AMD hardware, so I’ll just go ahead and merge it.
> Reminder:
>
> h2. Post-merge steps
>
> * bump the expiration date of the debian
APT snapshot this branch updates to
Done!
> * note the kernel update (e.g. for changelog)
I was gonna mention that I thought the kernel upgrade would be ok even though the increased 3.4_to_3.5 IUK size will be annoying given the little we gain from this upgrade.
#19 Updated by anonym 2018-01-19 22:45:50
- Status changed from In Progress to Fix committed
#20 Updated by anonym 2018-01-23 19:50:35
- Status changed from Fix committed to Resolved