Bug #15148: Upgrade AMD processor microcodes to mitigate the Spectre attack

Bug #15148

Upgrade AMD processor microcodes to mitigate the Spectre attack

Added by intrigeri 2018-01-06 08:02:56 . Updated 2018-01-23 19:50:35 .

Status:

Resolved

Priority:

Elevated

Assignee:

Category:

Target version:

Tails_3.5

Start date:

2018-01-06

Due date:

% Done:

100%

Feature Branch:

bugfix/15148-cpu-microcode-spectre

Type of work:

Code

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

Subtasks

Related issues

Related to Tails - ~~Feature #14976~~: Upgrade the Linux kernel to get KPTI	Resolved	2017-11-17
Blocks Tails - ~~Feature #13245~~: Core work 2018Q1: Foundations Team	Resolved	2017-06-29
Blocks Tails - ~~Bug #15173~~: Upgrade Intel processor microcodes to mitigate the Spectre attack	Resolved	2018-01-16

History

#1 Updated by intrigeri 2018-01-06 08:03:16

related to ~~Feature #14976~~: Upgrade the Linux kernel to get KPTI added

#2 Updated by intrigeri 2018-01-06 08:03:21

blocks ~~Feature #13245~~: Core work 2018Q1: Foundations Team added

#3 Updated by intrigeri 2018-01-06 08:07:23

Assignee changed from intrigeri to anonym

An upgrade for intel-microcode is already in sid. It’s somewhat unofficial and does not cover all CPUs. I’m tempted to take it for Tails 3.4 but the consequences are unclear to me.

No upgrade for amd64-microcode is in Debian yet. The one SUSE applied simply disables branch prediction on a CPU family.

All these changes feel risky, it’s a bit scary to include them in an emergency release that will be tested only on a very small set of hardware. I propose we skip them for Tails 3.4 and in Tails 3.5 we follow whatever is done for Debian stable.

anonym, what do you think?

#4 Updated by anonym 2018-01-08 14:18:50

Assignee changed from anonym to intrigeri
Target version changed from Tails_3.4 to Tails_3.5
Type of work changed from Research to Code

In Redhat’s advisory it is made pretty clear (in the descriptions for the three variants) that only CVE-2017-5715 (variant #2/Spectre) requires the Intel microcode update. Luckily (for us) variant #2 is about a malicious guest VM reading the host kernel memory (or memory from another guest VM), which isn’t affecting any supported use case in Tails, so we can safely postpone this until Tails 3.5.

#5 Updated by intrigeri 2018-01-10 08:51:46

anonym wrote:
> Luckily (for us) variant #2 is about a malicious guest VM reading the host kernel memory (or memory from another guest VM)

I think you’ve been mislead by ambiguous wording on that page, that is clarified elsewhere:

https://access.redhat.com/security/vulnerabilities/speculativeexecution says “These variants could be used not only to cross syscall boundary (variant 1 and variant 2) but also guest/host boundary (variant 2)” and “Variant 2 can be exploited both locally (within the same OS) and through the virtualization guest boundary. Fixes require CPU microcode/firmware to activate”.
https://access.redhat.com/security/cve/cve-2017-5715 reads “an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory”.
https://security-tracker.debian.org/tracker/CVE-2017-5715 says “Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis”.

So it seems pretty clear to me that variant 2 (CVE-2017-5715) is not only about VMs.

Anyway, this is moot now, let’s apply the fixes in 3.5 if they’re ready in time :)

#6 Updated by intrigeri 2018-01-11 09:06:00

Description updated

#7 Updated by intrigeri 2018-01-11 09:22:28

Status changed from Confirmed to In Progress
% Done changed from 0 to 10
Feature Branch set to bugfix/15148-cpu-microcode-spectre

#8 Updated by intrigeri 2018-01-11 10:35:55

Post-merge steps

bump the expiration date of the debian APT snapshot this branch updates to

#9 Updated by intrigeri 2018-01-11 10:38:32

% Done changed from 10 to 20

The diff between 3.4’s build-manifest and this branch’s shows only 2 changes: the two packages this branch wants to update are updated. Same for the .packages file. I can’t run tests on Jenkins yet due to ~~Bug #15163~~ so in the meantime I’ll run tests locally (without using —old-iso 3.4). More importantly I will test on the bare metal systems I have around, since I doubt Tails running in a VM is seriously impacted by this branch.

#10 Updated by intrigeri 2018-01-11 11:21:24

intrigeri wrote:
> More importantly I will test on the bare metal systems I have around, since I doubt Tails running in a VM is seriously impacted by this branch.

ThinkPad X200, Intel Core 2 Duo P8700 that’s not on the list of affected products: no microcode update applied on boot, as expected since there’s none for this CPU in the upgraded package (sig=0x1067a, pf=0x80, revision=0xa0b)
MacBook Pro 8,1 13-inch, Intel Core i5-2435M CPU that’s is on the list of affected products: microcode updated on boot, but to a version from 2013, as expected since there’s none for this CPU in the upgraded package (sig=0x206a7, pf=0x10, revision=0x29) :/
I was going to test on my own laptop, that is affected and whose CPU microcode is updated by the new intel-microcode package, but I’ve already updated my BIOS which included the last CPU microcode, so this test would be worthless.

#11 Updated by intrigeri 2018-01-11 12:57:57

On some AMD CPUs, one needs the “[x86] microcode/AMD: Add support for fam17h microcode loading” kernel commit for the updated microcode to be loaded. It’s in Linux 4.14.13 so we’re in for a (minor) kernel update. Having the bugfixes brought by this stable kernel branch will anyway be welcome. I’ll handle it once 4.14.13 is in sid.

#12 Updated by intrigeri 2018-01-11 14:38:57

Full test suite passed here except the now well-known “Localization ǂ The Report an Error launcher will open the support documentation in supported non-English locales” issue.

#13 Updated by intrigeri 2018-01-15 16:44:17

Given https://bugs.debian.org/886998, wrt. Intel I’ll hold on and follow Debian’s lead i.e. I won’t get that one in Tails until it’s deemed good for Debian stable. But this does not block updating the AMD microcode.

#14 Updated by intrigeri 2018-01-16 13:40:58

blocks ~~Bug #15173~~: Upgrade Intel processor microcodes to mitigate the Spectre attack added

#15 Updated by intrigeri 2018-01-16 13:42:40

Subject changed from Upgrade Intel and AMD processor microcodes to mitigate the Spectre attack to Upgrade AMD processor microcodes to mitigate the Spectre attack
% Done changed from 20 to 30

Giving up on Intel for Tails 3.5 => moved that part to ~~Bug #15173~~ and postponed. The topic branch should now have everything needed on the AMD side.

#16 Updated by intrigeri 2018-01-16 18:03:52

Jenkins is happy, now running the full test suite locally.

#17 Updated by intrigeri 2018-01-17 07:23:04

Assignee changed from intrigeri to anonym
% Done changed from 30 to 50
QA Check set to Ready for QA

I think we’re good to go:

Full test suite passed except “Thunderbird email client ǂ Thunderbird can download the inbox with POP3” (probably a transient network failure).
An ISO built from this branch has the expected 2 package updates, boots fine and connects to Tor successfully on libvirt/QEMU, MacBook Pro 8,1 13-inch and Thinkpad X200.
The .{packages,build-manifest} diff vs. 3.4’s looks sane modulo ~~Bug #15177~~ (which is unrelated to this branch).
I have no hardware around with an AMD CPU so I cannot test microcode updates. But I’ve verified that no regression was reported against amd64-microcode in Debian since the update was uploaded a week ago (and since migrated to testing).

Reminder:

Post-merge steps

bump the expiration date of the debian APT snapshot this branch updates to
note the kernel update (e.g. for changelog)

#18 Updated by anonym 2018-01-19 22:45:25

Assignee deleted (~~anonym~~)
% Done changed from 50 to 100
QA Check changed from Ready for QA to Pass

intrigeri wrote:
> I think we’re good to go:
>
> * Full test suite passed except “Thunderbird email client ǂ Thunderbird can download the inbox with POP3” (probably a transient network failure).
> * An ISO built from this branch has the expected 2 package updates, boots fine and connects to Tor successfully on libvirt/QEMU, MacBook Pro 8,1 13-inch and Thinkpad X200.
> * The .{packages,build-manifest} diff vs. 3.4’s looks sane modulo ~~Bug #15177~~ (which is unrelated to this branch).
> * I have no hardware around with an AMD CPU so I cannot test microcode updates. But I’ve verified that no regression was reported against amd64-microcode in Debian since the update was uploaded a week ago (and since migrated to testing).

Thanks for all this! I don’t know what testing I can do in addition (I did look at the .packages diff) as I too lack AMD hardware, so I’ll just go ahead and merge it.

> Reminder:
>
> h2. Post-merge steps
>
> * bump the expiration date of the debian APT snapshot this branch updates to

Done!

> * note the kernel update (e.g. for changelog)

I was gonna mention that I thought the kernel upgrade would be ok even though the increased 3.4_to_3.5 IUK size will be annoying given the little we gain from this upgrade.

#19 Updated by anonym 2018-01-19 22:45:50

Status changed from In Progress to Fix committed

#20 Updated by anonym 2018-01-23 19:50:35

Status changed from Fix committed to Resolved