Upgrade Intel processor microcodes to mitigate the Spectre attack
Install Intel processor microcode firmware from stretch-backports (refs: #15173).
The maintainer of intel-microcode in Debian carefully uploads to
stretch-backports updates he thinks are safe for stable users. For example,
right now stretch-backports has 3.20171117.1~bpo9+1 which is the latest
available version that's not affected by the many regressions introduced by
This commit does not currently give us IBRS/IBPB/STIBP microcode support for
Spectre variant 2 mitigation: the currently available firmware with that support
is too buggy. Instead, it:
- updates microcode firmware to the latest good enough version, which usually
  brings important bugfixes;
- paves the way for us to get this mitigation whenever it is ready in a form
  that the maintainer of intel-microcode in Debian thinks can be safely pushed
  to Debian stable users.
#4 Updated by intrigeri almost 2 years ago
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
- Feature Branch set to feature/15173-upgrade-intel-microcode
There's no good enough firmware currently available with CPU support for Spectre variant 2 mitigation, so in the meantime let's upgrade to the version in stretch-backports so we:
- push the other bugfixes to our users
- are better prepared for the Spectre variant 2 mitigation once it's ready
- minimize the change we'll have to make when we upgrade microcode to a version that supports Spectre variant 2 mitigation (which can be useful e.g. if we do that in a Tails bugfix release)
Note to the reviewer/merger
Do not close this ticket when merging the proposed branch.