Microcode Update Centos 6.9 Spectre

Posted: 2018/01/11 19:41:20
by mkandoll
I am having trouble applying recently released microcode updates provided by Intel to mitigate SPECTRE.

I'm running CentOS 6.9 with OpenVZ kernel 2.6.32-042stab127.2. Have installed microcode_ctl, loaded the microcode kernel module, and downloaded the most recent microcode from Intel, from 20180108.

[root@server ~]# microcode_ctl -f /lib/firmware/microcode.dat
microcode_ctl: writing microcode (length: 1613824)
microcode_ctl: microcode successfuly written to /dev/cpu/microcode

This reports success; however, /proc/cpuinfo does not show the new SPEC_CTRL flag, and POC code to detect SPEC_CTRL fails and reports the system is still vulnerable.

On a different, newer machine that got a vendor BIOS update, the SPEC_CTRL flag does show up. This specific CentOS 6 machine does not have a BIOS update available yet.

Appreciate any assistance with loading Intel's newest microcode.

Re: Microcode Update Centos 6.9 Spectre

Posted: 2018/01/11 20:18:18
by avij
/proc/cpuinfo is provided by the kernel, and as you are running an OpenVZ kernel you should probably ask this from the OpenVZ people.

Re: Microcode Update Centos 6.9 Spectre

Posted: 2018/01/11 20:33:12
by mkandoll
I get the feeling they would tell me the same thing; microcode_ctl and the microcode module are provided by CentOS. The other machine I'm running with the BIOS update applied is the same CentOS 6.9, same OpenVZ kernel, and it shows the expected SPEC_CTRL in /proc/cpuinfo and also shows the system is secured against SPECTRE.

I suspect something is going wrong with microcode_ctl.

Re: Microcode Update Centos 6.9 Spectre

Posted: 2018/01/11 20:40:33
by TrevorH
No, it's that you have an openvz container, not a real CentOS system, so your container has no access to the BIOS or the processor to load the microcode. Your hoster needs to do this for you. You cannot.

Re: Microcode Update Centos 6.9 Spectre

Posted: 2018/01/11 20:46:58
by mkandoll
This machine is currently a test machine with no vms on it that I'm using to test the meltdown / spectre patches before rolling out to the rest of the server farm.

[root@server ~]# vzlist -a
CTID NPROC STATUS IP_ADDR HOSTNAME
[root@server ~]#

Re: Microcode Update Centos 6.9 Spectre

Posted: 2018/01/11 21:35:41
by TrevorH
Then you need to seek support from openvz as it's their kernel that is stopping you from updating the microcode.

Re: Microcode Update Centos 6.9 Spectre

Posted: 2018/01/11 21:49:39
by mkandoll
Thank you, will try that.

Re: Microcode Update Centos 6.9 Spectre

Posted: 2018/01/11 22:08:56
by TrevorH
To prove that, you only need to boot the real CentOS kernel and watch it update (if there is an update available for your processor).

Btw, you don't need to do what you did; the firmware comes from /lib/firmware/intel-ucode/ and the file name is ff-mm-ss (from /proc/cpuinfo's "family", "model" and "stepping" fields, though you do need to convert the model number to hex first), i.e.

cpu family : 6
model : 60
stepping : 3

uses a file called 06-3c-03

Once you replace that one file, you echo 1 >/sys/devices/system/cpu/microcode/reload and it will load it for you.
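As an added example (not code from any poster in this thread), a small POSIX sh script that does the lookup Trevor describes: it reads family/model/stepping from cpuinfo text, converts them to the two-digit hex ff-mm-ss file name, checks the flags line for spec_ctrl (what the OP was looking for), and writes the sysfs reload trigger. The cpuinfo text is a constructed sample, and the reload node path is a parameter so the write can be exercised without root.

```sh
#!/bin/sh
# Added example: derive the /lib/firmware/intel-ucode/ file name (ff-mm-ss) from
# /proc/cpuinfo text, check for the spec_ctrl flag, and trigger the sysfs reload.
# Family, model and stepping are decimal in cpuinfo; the file name needs each as
# two-digit lowercase hex (model 60 -> 3c), which is the step people trip over.

# Constructed sample cpuinfo (not from a real machine): the thread's 6/60/3 CPU.
SAMPLE_CPUINFO='processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 60
model name  : Intel(R) Core(TM) CPU (constructed sample)
stepping    : 3
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep'
# Same CPU once updated microcode is loaded: the kernel now lists spec_ctrl.
SAMPLE_CPUINFO_PATCHED="$SAMPLE_CPUINFO spec_ctrl ibpb"
# Print the value of one cpuinfo key ($2) from cpuinfo text ($1), first CPU only.
# Exact key match keeps "model" from also matching the "model name" line.
cpuinfo_field() {
    printf '%s\n' "$1" | awk -F: -v key="$2" \
        '{ k = $1; sub(/[[:space:]]+$/, "", k) }
         k == key { v = $2; gsub(/[[:space:]]/, "", v); print v; exit }'
}

# ucode_name CPUINFO_TEXT -> e.g. 06-3c-03 for family 6, model 60, stepping 3
ucode_name() {
    _fam=$(cpuinfo_field "$1" "cpu family")
    _mod=$(cpuinfo_field "$1" "model")
    _step=$(cpuinfo_field "$1" "stepping")
    [ -n "$_fam" ] && [ -n "$_mod" ] && [ -n "$_step" ] || return 1
    printf '%02x-%02x-%02x\n' "$_fam" "$_mod" "$_step"
}

# Full path of the file the kernel will read; $2 overrides the firmware dir.
ucode_file_for() {
    _n=$(ucode_name "$1") || return 1
    printf '%s/%s\n' "${2:-/lib/firmware/intel-ucode}" "$_n"
}
# Succeed (exit 0) only if the flags line lists spec_ctrl.
has_spec_ctrl() {
    printf '%s\n' "$1" | awk '/^flags/ { for (i = 1; i <= NF; i++)
        if (tolower($i) == "spec_ctrl") found = 1 } END { exit !found }'
}

# Ask the kernel to re-read the intel-ucode file (root only). The node path is
# a parameter so the write can be exercised against a scratch file without root.
reload_microcode() {
    _node=${1:-/sys/devices/system/cpu/microcode/reload}
    [ -w "$_node" ] || { echo "cannot write $_node (root + microcode module needed)" >&2; return 1; }
    echo 1 > "$_node"
}
```

After a real reload, re-run has_spec_ctrl against a fresh /proc/cpuinfo; if the flag still does not appear, the kernel did not accept the file, which is the situation the OpenVZ kernel left the OP in.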

Re: Microcode Update Centos 6.9 Spectre

Posted: 2018/01/11 22:14:46
by mkandoll
Thank you Trevor. I've looked in there and seen those files. I noted Intel's microcode.dat file doesn't seem to match that format and wondered how those files were generated.

Re: Microcode Update Centos 6.9 Spectre

Posted: 2018/01/11 23:41:21
by TrevorH
Ah, you're on CentOS 6. CentOS 7 is different and has a /lib/firmware/intel-ucode directory that matches the one in their microcode-20180108.tgz file. However, my microcode-20180108.tgz also contains a microcode.dat file and that _appears_ to be in the same format as the CentOS 6 /lib/firmware/microcode.dat file.