Project

General

Profile

Bug #15148

Upgrade AMD processor microcodes to mitigate the Spectre attack

Added by intrigeri over 1 year ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Elevated
Assignee:
-
Category:
-
Target version:
Start date:
01/06/2018
Due date:
% Done:

100%

QA Check:
Pass
Feature Branch:
bugfix/15148-cpu-microcode-spectre
Type of work:
Code
Blueprint:
Starter:
Affected tool:


Related issues

Related to Tails - Feature #14976: Upgrade the Linux kernel to get KPTI Resolved 11/17/2017
Blocks Tails - Feature #13245: Core work 2018Q1: Foundations Team Resolved 06/29/2017
Blocks Tails - Bug #15173: Upgrade Intel processor microcodes to mitigate the Spectre attack Resolved 01/16/2018

Associated revisions

Revision 21823873 (diff)
Added by intrigeri over 1 year ago

Upgrade snapshot of the Debian APT repository to 2018011101 (refs: #15148).

i.e. one that has intel-microcode 3.20180108 and amd64-microcode 3.20171205.1,
with mitigation against the Spectre vulnerability (CVE-2017-5715).

Revision 9e6aec2c (diff)
Added by intrigeri over 1 year ago

Install amd64-microcode and intel-microcode from sid (refs: #15148).

On the short term, this allows us to get the mitigation against
Spectre (CVE-2017-5715).

While this could be done via our freeze exception mechanism, instead I chose to
bump APT snapshots and add APT pinning to install these packages from sid for
the foreseeable future: keeping CPU microcode up-to-date has become an important
factor in securing systems these days and such security updates land faster in
sid than anywhere else in Debian.

Revision eab21354 (diff)
Added by intrigeri over 1 year ago

Don't install intel-microcode from sid (refs: #15148).

It causes too many regressions: https://bugs.debian.org/886998.

Partially reverts commit 9e6aec2c57f3c7041da718f5163b8ab90decd7bd.

Revision 25670be9 (diff)
Added by intrigeri over 1 year ago

Upgrade snapshot of the Debian APT repository to 2018011503 ⇒ upgrade to Linux 4.14.13 (refs: #15148).

Linux 4.14.13 is the first kernel that has the "[x86] microcode/AMD: Add support
for fam17h microcode loading" commit, that's needed to load the AMD fam17h
microcode for mitigating the Spectre vulnerability (CVE-2017-5715).

Revision 4b701604
Added by anonym over 1 year ago

Merge remote-tracking branch 'origin/bugfix/15148-cpu-microcode-spectre' into stable

Fix-committed: #15148

History

#1 Updated by intrigeri over 1 year ago

  • Related to Feature #14976: Upgrade the Linux kernel to get KPTI added

#2 Updated by intrigeri over 1 year ago

#3 Updated by intrigeri over 1 year ago

  • Assignee changed from intrigeri to anonym

An upgrade for intel-microcode is already in sid. It's somewhat unofficial and does not cover all CPUs. I'm tempted to take it for Tails 3.4 but the consequences are unclear to me.

No upgrade for amd64-microcode is in Debian yet. The one SUSE applied simply disables branch prediction on a CPU family.

All these changes feel risky, it's a bit scary to include them in an emergency release that will be tested only on a very small set of hardware. I propose we skip them for Tails 3.4 and in Tails 3.5 we follow whatever is done for Debian stable.

anonym, what do you think?

#4 Updated by anonym over 1 year ago

  • Assignee changed from anonym to intrigeri
  • Target version changed from Tails_3.4 to Tails_3.5
  • Type of work changed from Research to Code

In Redhat's advisory it is made pretty clear (in the descriptions for the three variants) that only CVE-2017-5715 (variant #2/Spectre) requires the Intel microcode update. Luckily (for us) variant #2 is about a malicious guest VM reading the host kernel memory (or memory from another guest VM), which isn't affecting any supported use case in Tails, so we can safely postpone this until Tails 3.5.

#5 Updated by intrigeri over 1 year ago

anonym wrote:

Luckily (for us) variant #2 is about a malicious guest VM reading the host kernel memory (or memory from another guest VM)

I think you've been mislead by ambiguous wording on that page, that is clarified elsewhere:

So it seems pretty clear to me that variant 2 (CVE-2017-5715) is not only about VMs.

Anyway, this is moot now, let's apply the fixes in 3.5 if they're ready in time :)

#6 Updated by intrigeri over 1 year ago

  • Description updated (diff)

#7 Updated by intrigeri over 1 year ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/15148-cpu-microcode-spectre

#8 Updated by intrigeri over 1 year ago

Post-merge steps

  • bump the expiration date of the debian APT snapshot this branch updates to

#9 Updated by intrigeri over 1 year ago

  • % Done changed from 10 to 20

The diff between 3.4's build-manifest and this branch's shows only 2 changes: the two packages this branch wants to update are updated. Same for the .packages file. I can't run tests on Jenkins yet due to #15163 so in the meantime I'll run tests locally (without using --old-iso 3.4). More importantly I will test on the bare metal systems I have around, since I doubt Tails running in a VM is seriously impacted by this branch.

#10 Updated by intrigeri over 1 year ago

intrigeri wrote:

More importantly I will test on the bare metal systems I have around, since I doubt Tails running in a VM is seriously impacted by this branch.

  • ThinkPad X200, Intel Core 2 Duo P8700 that's not on the list of affected products: no microcode update applied on boot, as expected since there's none for this CPU in the upgraded package (sig=0x1067a, pf=0x80, revision=0xa0b)
  • MacBook Pro 8,1 13-inch, Intel Core i5-2435M CPU that's is on the list of affected products: microcode updated on boot, but to a version from 2013, as expected since there's none for this CPU in the upgraded package (sig=0x206a7, pf=0x10, revision=0x29) :/
  • I was going to test on my own laptop, that is affected and whose CPU microcode is updated by the new intel-microcode package, but I've already updated my BIOS which included the last CPU microcode, so this test would be worthless.

#11 Updated by intrigeri over 1 year ago

On some AMD CPUs, one needs the "[x86] microcode/AMD: Add support for fam17h microcode loading" kernel commit for the updated microcode to be loaded. It's in Linux 4.14.13 so we're in for a (minor) kernel update. Having the bugfixes brought by this stable kernel branch will anyway be welcome. I'll handle it once 4.14.13 is in sid.

#12 Updated by intrigeri over 1 year ago

Full test suite passed here except the now well-known "Localization ǂ The Report an Error launcher will open the support documentation in supported non-English locales" issue.

#13 Updated by intrigeri over 1 year ago

Given https://bugs.debian.org/886998, wrt. Intel I'll hold on and follow Debian's lead i.e. I won't get that one in Tails until it's deemed good for Debian stable. But this does not block updating the AMD microcode.

#14 Updated by intrigeri over 1 year ago

  • Blocks Bug #15173: Upgrade Intel processor microcodes to mitigate the Spectre attack added

#15 Updated by intrigeri over 1 year ago

  • Subject changed from Upgrade Intel and AMD processor microcodes to mitigate the Spectre attack to Upgrade AMD processor microcodes to mitigate the Spectre attack
  • % Done changed from 20 to 30

Giving up on Intel for Tails 3.5 => moved that part to #15173 and postponed. The topic branch should now have everything needed on the AMD side.

#16 Updated by intrigeri over 1 year ago

Jenkins is happy, now running the full test suite locally.

#17 Updated by intrigeri over 1 year ago

  • Assignee changed from intrigeri to anonym
  • % Done changed from 30 to 50
  • QA Check set to Ready for QA

I think we're good to go:

  • Full test suite passed except "Thunderbird email client ǂ Thunderbird can download the inbox with POP3" (probably a transient network failure).
  • An ISO built from this branch has the expected 2 package updates, boots fine and connects to Tor successfully on libvirt/QEMU, MacBook Pro 8,1 13-inch and Thinkpad X200.
  • The .{packages,build-manifest} diff vs. 3.4's looks sane modulo #15177 (which is unrelated to this branch).
  • I have no hardware around with an AMD CPU so I cannot test microcode updates. But I've verified that no regression was reported against amd64-microcode in Debian since the update was uploaded a week ago (and since migrated to testing).

Reminder:

Post-merge steps

  • bump the expiration date of the debian APT snapshot this branch updates to
  • note the kernel update (e.g. for changelog)

#18 Updated by anonym over 1 year ago

  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

intrigeri wrote:

I think we're good to go:

  • Full test suite passed except "Thunderbird email client ǂ Thunderbird can download the inbox with POP3" (probably a transient network failure).
  • An ISO built from this branch has the expected 2 package updates, boots fine and connects to Tor successfully on libvirt/QEMU, MacBook Pro 8,1 13-inch and Thinkpad X200.
  • The .{packages,build-manifest} diff vs. 3.4's looks sane modulo #15177 (which is unrelated to this branch).
  • I have no hardware around with an AMD CPU so I cannot test microcode updates. But I've verified that no regression was reported against amd64-microcode in Debian since the update was uploaded a week ago (and since migrated to testing).

Thanks for all this! I don't know what testing I can do in addition (I did look at the .packages diff) as I too lack AMD hardware, so I'll just go ahead and merge it.

Reminder:

Post-merge steps

  • bump the expiration date of the debian APT snapshot this branch updates to

Done!

  • note the kernel update (e.g. for changelog)

I was gonna mention that I thought the kernel upgrade would be ok even though the increased 3.4_to_3.5 IUK size will be annoying given the little we gain from this upgrade.

#19 Updated by anonym over 1 year ago

  • Status changed from In Progress to Fix committed

#20 Updated by anonym over 1 year ago

  • Status changed from Fix committed to Resolved

Also available in: Atom PDF