Microcode Update Centos 6.9 Spectre

mkandoll
Posts: 5
Joined: 2018/01/11 19:27:34

Microcode Update Centos 6.9 Spectre

Post by mkandoll » 2018/01/11 19:41:20

I am having trouble applying recently released microcode updates provided by Intel to mitigate SPECTRE.

I'm running Centos 6.9 with OpenVZ kernel 2.6.32-042stab127.2. I have installed microcode_ctl, loaded the microcode kernel module, and downloaded the most recent microcode from Intel, dated 20180108.

[root@server ~]# microcode_ctl -f /lib/firmware/microcode.dat
microcode_ctl: writing microcode (length: 1613824)
microcode_ctl: microcode successfuly written to /dev/cpu/microcode

This reports success; however, /proc/cpuinfo does not show the new SPEC_CTRL flag, and PoC code to detect SPEC_CTRL fails and reports the system is still vulnerable.

On a different, newer machine that got a vendor BIOS update the SPEC_CTRL flag does show up. This specific Centos 6 machine does not have a BIOS update available yet.

Appreciate any assistance with loading Intel's newest microcode.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Microcode Update Centos 6.9 Spectre

Post by avij » 2018/01/11 20:18:18

/proc/cpuinfo is provided by the kernel, and as you are running an OpenVZ kernel you should probably ask the OpenVZ people about this.

mkandoll
Posts: 5
Joined: 2018/01/11 19:27:34

Re: Microcode Update Centos 6.9 Spectre

Post by mkandoll » 2018/01/11 20:33:12

I get the feeling they would tell me the same thing: microcode_ctl and the microcode module are provided by CentOS. The other machine I'm running with the BIOS update applied is the same Centos 6.9, same OpenVZ kernel, and it shows the expected SPEC_CTRL in /proc/cpuinfo and also shows the system is secured against SPECTRE.

I suspect something is going wrong with microcode_ctl.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Microcode Update Centos 6.9 Spectre

Post by TrevorH » 2018/01/11 20:40:33

No, it's that you have an OpenVZ container, not a real CentOS system, so your container has no access to the BIOS or the processor to load the microcode. Your hoster needs to do this for you. You cannot.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

mkandoll
Posts: 5
Joined: 2018/01/11 19:27:34

Re: Microcode Update Centos 6.9 Spectre

Post by mkandoll » 2018/01/11 20:46:58

This machine is currently a test machine with no VMs on it that I'm using to test the Meltdown / Spectre patches before rolling out to the rest of the server farm.

[root@server ~]# vzlist -a
CTID NPROC STATUS IP_ADDR HOSTNAME
[root@server ~]#

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Microcode Update Centos 6.9 Spectre

Post by TrevorH » 2018/01/11 21:35:41

Then you need to seek support from openvz as it's their kernel that is stopping you from updating the microcode.

mkandoll
Posts: 5
Joined: 2018/01/11 19:27:34

Re: Microcode Update Centos 6.9 Spectre

Post by mkandoll » 2018/01/11 21:49:39

Thank you, will try that.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Microcode Update Centos 6.9 Spectre

Post by TrevorH » 2018/01/11 22:08:56

To prove that, you only need to boot the real CentOS kernel and watch it update (if there is an update available for your processor).

Btw, you don't need to do what you did: the firmware comes from /lib/firmware/intel-ucode/ and the file name is ff-mm-ss (from /proc/cpuinfo's "family", "model" and "stepping" fields, though you do need to convert the model number to hex first), i.e.

cpu family : 6
model : 60
stepping : 3

uses a file called 06-3c-03

Once you replace that one file, you run echo 1 >/sys/devices/system/cpu/microcode/reload and it will load it for you.

mkandoll
Posts: 5
Joined: 2018/01/11 19:27:34

Re: Microcode Update Centos 6.9 Spectre

Post by mkandoll » 2018/01/11 22:14:46

Thank you Trevor. I've looked in there and seen those files. I noted Intel's microcode.dat file doesn't seem to match that format and wondered how those files were generated.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Microcode Update Centos 6.9 Spectre

Post by TrevorH » 2018/01/11 23:41:21

Ah, you're on CentOS 6. CentOS 7 is different and has a /lib/firmware/intel-ucode directory that matches the one in their microcode-20180108.tgz file. However, my microcode-20180108.tgz also contains a microcode.dat file and that _appears_ to be in the same format as the CentOS 6 /lib/firmware/microcode.dat file.
