Enable late loading of microcode by default
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
intel-microcode (Ubuntu) |
Won't Fix
|
Undecided
|
Unassigned | ||
Xenial |
Won't Fix
|
Undecided
|
Unassigned | ||
Bionic |
Won't Fix
|
Undecided
|
Unassigned | ||
Eoan |
Won't Fix
|
Undecided
|
Unassigned | ||
Focal |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
[Impact]
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
* Normally intel microcode is applied "early" for an uncompressed prepended initramfs archive. However, on systems booting without an initrd, or a missbuilt one, microcode might not get applied. In that case, we need to attempt loading microcode late which may give users security protection against CPU vulnerabilities which they might otherwise be lacking. In an ideal world, everyone would apply their bios/OEM updates with microcode updates in a timely fashion and then we wouldn't need to update CPU microcode from userspace at all.
[Test Case]
* Install updated package
* Reobot
* Observe early application of microcode
$ journalctl -b | grep microcode
Feb 12 12:02:48 ottawa kernel: microcode: microcode updated early to revision 0xd6, date = 2019-10-03
* Remove /usr/share/
* Rebuild initrd with update-initramfs -u
* Reboot
* Observe in dmesg that late loading of microcode is performed
$ journalctl -b | grep microcode
Feb 12 12:32:54 ottawa kernel: TAA: Vulnerable: Clear CPU buffers attempted, no microcode
Feb 12 12:32:54 ottawa kernel: MDS: Vulnerable: Clear CPU buffers attempted, no microcode
Feb 12 12:32:54 ottawa kernel: microcode: sig=0x506e3, pf=0x20, revision=0xc6
Feb 12 12:32:54 ottawa kernel: microcode: Microcode Update Driver: v2.2.
Feb 12 12:32:57 ottawa kernel: microcode: updated to revision 0xd6, date = 2019-10-03
Feb 12 12:32:57 ottawa kernel: x86/CPU: CPU features have changed after loading microcode, but might not take effect.
Feb 12 12:32:57 ottawa kernel: microcode: Reload completed, microcode revision: 0xd6
(Note the lack of "early" in above messages)
[Regression Potential]
* Application of microcode is a risky operation, especially if the cores are busy. Hence we prefer bios updates & early microcode updates, and those will remain the place. The late loading of microcode is really here for the cases were the previous two update strategies have failed. For example, from time to time, certain microcode updates are pulled or get blacklisted from late loading.
[Other Info]
* The majority of our users on bare-metal machines boot correctly with early microcode updates.
Changed in intel-microcode (Ubuntu Focal): | |
status: | New → Fix Committed |
Changed in intel-microcode (Ubuntu): | |
status: | Fix Released → Won't Fix |
Changed in intel-microcode (Ubuntu Xenial): | |
status: | New → Won't Fix |
Changed in intel-microcode (Ubuntu Bionic): | |
status: | New → Won't Fix |
Changed in intel-microcode (Ubuntu Eoan): | |
status: | Fix Committed → Won't Fix |
Changed in intel-microcode (Ubuntu Focal): | |
status: | Fix Released → Won't Fix |
intel-microcode (3.20191115. 1ubuntu3) focal; urgency=medium
* Ship tmpfiles.d snippet to attempt late loading of microcode during
boot, in case early loading of microcode did not happen. Early
microcode loading might not happen if booting without initramfs or a
missbuilt one.
-- Dimitri John Ledkov <email address hidden> Wed, 12 Feb 2020 12:37:30 +0000