Changeset 83d1722c


Ignore:
Timestamp:
06/09/2020 09:18:09 PM (16 months ago)
Author:
Ken Moffat <ken@…>
Branches:
10.0, 10.1, 11.0, ken/refactor-virt, lazarus, qt5new, trunk, xry111/git-date, xry111/git-date-for-trunk, xry111/git-date-test
Children:
5eb179fa
Parents:
edcb4a5
Message:

Intel-microcode-20200609.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@23272 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:
2 edited

Legend:

Unmodified
Added
Removed
  • introduction/welcome/changelog.xml

    redcb4a5 r83d1722c  
    4646      <itemizedlist>
    4747        <listitem>
     48          <para>[ken] - Update Intel microcode to 20200609 [security fix].
     49          If you are hosting VMs, please read the ticket to see what is and
     50          what is not fixed. Fixes
     51          <ulink url="&blfs-ticket-root;13656">#13656</ulink>.</para>
     52        </listitem>
     53        <listitem>
    4854          <para>[renodr] - Update to evince-3.36.4. Fixes
    4955          <ulink url="&blfs-ticket-root;13655">#13655</ulink>.</para>
  • postlfs/config/firmware.xml

    redcb4a5 r83d1722c  
    2525    class="directory">/lib/firmware</filename>, where the kernel or kernel
    2626    drivers look for firmware images.
    27   </para>
    28 
    29   <para>
    30     Preparing firmware for multiple different machines, as a distro would
    31     do, is outside the scope of this book.
    3227  </para>
    3328
     
    129124
    130125    <para>
    131       Intel provide updates of their microcode for SandyBridge and later
    132       processors as new vulnerabilities come to light. New versions of AMD
     126      Intel provide updates of their microcode for Haswell and later
     127      processors as new vulnerabilities come to light, and have in the past
     128      provided updates for processors from SandyBridge onwards, although those
     129      are no-longer supported for new fixes. New versions of AMD
    133130      firmware are rare and usually only apply to a few models, although
    134131      motherboard manufacturers get extra updates which maybe update microcode
     
    166163    </para>
    167164
     165    <para>
     166      If you are creating an initrd to update firmware for different machines,
     167      as a distro would do, go down to 'Early loading of microcode' and cat all
     168      the Intel blobs to GenuineIntel.bin or cat all the AMD blobs to
     169      AuthenticAMD.bin. This creates a larger initrd - for all Intel machines in
     170      the 20200609 update the size is 3.0 MB compared to typically 24 KB for one
     171      machine.
     172    </para>
     173
    168174    <sect3 id="intel-microcode">
    169175      <title>Intel Microcode for the CPU</title>
     
    174180         'https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/'/>
    175181        and downloading the latest file there.  As of this writing the most
    176         recent version of the microcode is microcode-20191115.  Extract this
     182        recent version of the microcode is microcode-20200609.  Extract this
    177183        file in the normal way, the microcode is in the <filename>intel-ucode
    178184        </filename> directory, containing various blobs with names in the form
     
    196202
    197203      <para>
    198         To be able to use this latest microcode to provide mitigation on all
    199         the affected processors, the kernel version needs to be at least 5.3.11
    200         (or 4.19.84 if you are using the 4.19 long term support series).
     204        The documentation on the latest SRBDS (Special Register Buffer Data
     205        Sampling) vulnerabilities/fixes will be documented in kernels 5.4.46,
     206        5.6.18, 5.7.2, 5.8.0 and later.
    201207      </para>
    202208
     
    245251      <para>
    246252        Then use the following command to see if anything was loaded:
     253        (N.B. the dates when microcode was created may be months ahead of when
     254        it was released.)
    247255      </para>
    248256
     
    250258
    251259      <para>
    252         This reformatted example was created by temporarily booting without
     260        This reformatted example for an old (20191115) verison of the microcode
     261        was created by temporarily booting without
    253262        microcode, to show the current Firmware Bug message, then the late load
    254263        shows it being updated to revision 0xd6.
     
    417426      <para>
    418427        The places and times where early loading happens are very different
    419         in AMD and Intel machines. First, an Intel example with early loading:
    420       </para>
    421 
    422 <screen><literal>[    0.000000] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
    423 [    0.000000] Linux version 5.4.6 (ken@leshp) (gcc version 9.2.0 (GCC))i
    424                #4 SMP PREEMPT Sat Dec 21 21:41:03 GMT 2019
    425 [    0.000000] Command line: BOOT_IMAGE=/vmlinuz-5.4.6-sda11 root=/dev/sda11 ro resume=/dev/sda10
    426 [    0.579936] microcode: sig=0x506e3, pf=0x2, revision=0xd6
    427 [    0.579961] microcode: Microcode Update Driver: v2.2.</literal></screen>
     428        in AMD and Intel machines. First, an Intel (Haswell) example with early loading:
     429      </para>
     430
     431<screen><literal>[    0.000000] microcode: microcode updated early to revision 0x28, date = 2019-11-12
     432[    0.000000] Linux version 5.6.2 (ken@plexi) (gcc version 9.2.0 (GCC)) #2 SMP PREEMPT Tue Apr 7 21:34:32 BST 2020
     433[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-5.6.2-sda10 root=/dev/sda10 ro resume=/dev/sdb1
     434[    0.371462] microcode: sig=0x306c3, pf=0x2, revision=0x28
     435[    0.371491] microcode: Microcode Update Driver: v2.2.</literal></screen>
     436
    428437
    429438      <para>
Note: See TracChangeset for help on using the changeset viewer.