Bug #15173

Upgrade Intel processor microcodes to mitigate the Spectre attack

Added by intrigeri about 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 01/16/2018
Due date:
% Done: 100%
Feature Branch: feature/15173-upgrade-intel-microcode
Type of work: Wait
Blueprint:
Starter:
Affected tool:

Description

This is a follow-up on #15148 because we could not upgrade the Intel microcode in Tails 3.5.

Once https://bugs.debian.org/886998 is fixed we can revert eab2135464682cac54ed5cfc8ef2f9e0529a9913.


Related issues

Blocked by Tails - Bug #15148: Upgrade AMD processor microcodes to mitigate the Spectre attack Resolved 01/06/2018
Blocked by Tails - Bug #15270: devel branch FTBFS since torbrowser-launcher 0.2.9 entered sid Resolved 01/30/2018
Blocks Tails - Feature #13245: Core work 2018Q1: Foundations Team Resolved 06/29/2017

Associated revisions

Revision 20b79c23 (diff)
Added by intrigeri almost 2 years ago

Install Intel processor microcode firmware from stretch-backports (refs: #15173).

The maintainer of intel-microcode in Debian carefully uploads to
stretch-backports updates he thinks are safe for stable users. For example,
right now stretch-backports has 3.20171117.1~bpo9+1 which is the latest
available version that's not affected by the many regressions introduced by
3.20180108.1.

This commit does not currently give us IBRS/IBPB/STIBP microcode support for
Spectre variant 2 mitigation: the currently available firmware with that support
is too buggy. Instead, it:

- updates microcode firmware to the latest good enough version, which usually
  brings important bugfixes;
- paves the way for us to get this mitigation whenever it is ready in a form
  that the maintainer of intel-microcode in Debian thinks can be safely pushed
  to Debian stable users.
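
A way to check what a microcode upgrade such as this one actually delivers, as an added example that is not part of the Tails commit or ticket: the script reads the loaded microcode revision and looks for the IBRS/IBPB/STIBP controls in the cpuinfo flags. It assumes the flag names `ibrs`, `ibpb` and `stibp` as exposed in `/proc/cpuinfo` by Linux kernels that carry the Spectre variant 2 patches; the function names and the sample cpuinfo text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tails code): report the loaded microcode revision and
# whether the CPU advertises the Spectre variant 2 controls in cpuinfo.

# cpuinfo_field FILE KEY: print the value of the first "KEY : value" line.
cpuinfo_field() {
    awk -v key="$2" '
        { i = index($0, ":"); if (!i) next
          k = substr($0, 1, i - 1); sub(/[ \t]+$/, "", k)
          if (k == key) { v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit } }
    ' "$1"
}

# has_flag FILE FLAG: whole-word match, so "ibrs_enhanced" does not count as "ibrs".
has_flag() {
    case " $(cpuinfo_field "$1" flags) " in
        *" $2 "*) echo yes ;;
        *) echo no ;;
    esac
}

# spectre_v2_ucode_report [FILE]: one-line summary, defaults to the live system.
spectre_v2_ucode_report() {
    file=${1:-/proc/cpuinfo}
    printf 'microcode=%s ibrs=%s ibpb=%s stibp=%s\n' \
        "$(cpuinfo_field "$file" microcode)" \
        "$(has_flag "$file" ibrs)" "$(has_flag "$file" ibpb)" "$(has_flag "$file" stibp)"
}

# Constructed cpuinfo excerpts (revisions and flag lists are made up).
sample_cpuinfo() {
    flags='fpu vme sse2 aes'; rev=0xba
    if [ "$1" = after ]; then flags="$flags ibrs ibpb stibp"; rev=0xc2; fi
    printf 'processor\t: 0\nvendor_id\t: GenuineIntel\nmicrocode\t: %s\nflags\t\t: %s\n' \
        "$rev" "$flags"
}

tmp=$(mktemp)
for state in before after; do
    sample_cpuinfo "$state" > "$tmp"
    echo "$state: $(spectre_v2_ucode_report "$tmp")"
done
rm -f "$tmp"
```

A report with a newer revision but `ibrs=no ibpb=no stibp=no` corresponds to the situation the commit message describes: updated firmware without the variant 2 controls.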

Revision 31f5407c
Added by bertagaz almost 2 years ago

Merge remote-tracking branch 'origin/feature/15173-upgrade-intel-microcode' into devel

Refs: #15173

History

#1 Updated by intrigeri about 2 years ago

#2 Updated by intrigeri about 2 years ago

  • Blocked by Bug #15148: Upgrade AMD processor microcodes to mitigate the Spectre attack added

#3 Updated by intrigeri about 2 years ago

  • Priority changed from Normal to Elevated

#4 Updated by intrigeri almost 2 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to feature/15173-upgrade-intel-microcode

There's no good enough firmware currently available with CPU support for Spectre variant 2 mitigation so in the meantime let's upgrade to the version in stretch-backports so we:

  • push the other bugfixes to our users
  • are better prepared for the Spectre variant 2 mitigation once it's ready
  • minimize the change we'll have to make when we upgrade microcode to a version that supports Spectre variant 2 mitigation (which can be useful e.g. if we do that in a Tails bugfix release)

Note to the reviewer/merger

Do not close this ticket when merging the proposed branch.

#5 Updated by intrigeri almost 2 years ago

  • Blocked by Bug #15270: devel branch FTBFS since torbrowser-launcher 0.2.9 entered sid added

#6 Updated by intrigeri almost 2 years ago

  • Assignee changed from intrigeri to bertagaz
  • QA Check set to Ready for QA

Note to the reviewer/merger

When merging the proposed branch, do not close this ticket. Instead, reassign it to me for 3.7. Thanks!

#7 Updated by bertagaz almost 2 years ago

  • Assignee changed from bertagaz to intrigeri
  • Target version changed from Tails_3.6 to Tails_3.7
  • % Done changed from 10 to 20
  • QA Check changed from Ready for QA to Dev Needed

Ok, this first part is merged, congrats. Reassigning as asked.

#8 Updated by intrigeri almost 2 years ago

  • QA Check deleted (Dev Needed)

#9 Updated by intrigeri almost 2 years ago

The fix is now in stretch-backports: 3.20180312.1~bpo9+1. But given the cautious timeline the maintainer wants wrt. upgrading in stable, let's not rush this. I'll check closer to 3.7 if we want to make a freeze exception for that upgrade.

#10 Updated by intrigeri almost 2 years ago

  • Priority changed from Elevated to Normal

#11 Updated by intrigeri almost 2 years ago

#12 Updated by intrigeri almost 2 years ago

#13 Updated by intrigeri almost 2 years ago

  • Status changed from In Progress to 11
  • Target version changed from Tails_3.7 to Tails_3.6.2
  • % Done changed from 20 to 100

Done via #15457.

#14 Updated by intrigeri almost 2 years ago

#15 Updated by intrigeri almost 2 years ago

#16 Updated by anonym almost 2 years ago

  • Assignee deleted (intrigeri)

#17 Updated by anonym almost 2 years ago

  • Status changed from 11 to Resolved
