intel-microcode-3.20180108.0~ubuntu17.10.1 fails to address spectre variant 2 on Intel i7-6850k platform

Bug #1743786 reported by Robert Dinse
This bug affects 1 person
Affects: intel-microcode (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Using the test script: spectre-meltdown-checker.sh
Checking for vulnerabilities against live running kernel Linux 4.13.0-29-lowlatency #32-Ubuntu SMP PREEMPT Fri Jan 12 13:47:11 UTC 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: YES
> STATUS: NOT VULNERABLE (114 opcodes found, which is >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: intel-microcode 3.20180108.0~ubuntu17.10.1
ProcVersionSignature: Ubuntu 4.13.0-29.32-lowlatency 4.13.13
Uname: Linux 4.13.0-29-lowlatency x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.20.7-0ubuntu3.7
Architecture: amd64
Date: Wed Jan 17 06:00:56 2018
InstallationDate: Installed on 2017-05-05 (256 days ago)
InstallationMedia: Ubuntu-MATE 17.04 "Zesty Zapus" - Release amd64 (20170412)
ProcEnviron:
 TERM=xterm-color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: intel-microcode
UpgradeStatus: Upgraded to artful on 2017-10-20 (89 days ago)

Marc Deslauriers (mdeslaur) wrote :

Hi,

What's the output of "dmesg | grep microcode" ?

Robert Dinse (nanook) wrote : Re: [Bug 1743786] Re: intel-microcode-3.20180108.0~ubuntu17.10.1 fails to address spectre variant 2 on Intel i7-6850k platform

      On i7-6700k machine:

[ 0.000000] microcode: microcode updated early to revision 0xc2, date = 2017-11-16

      On i7-6850k machine:

[ 0.000000] microcode: microcode updated early to revision 0xb000021, date = 2017-03-01

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
  Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
    Knowledgeable human assistance, not telephone trees or script readers.
  See our web site: http://www.eskimo.com/ (206) 812-0051 or (800) 246-6874.

On Wed, 17 Jan 2018, Marc Deslauriers wrote:

> Date: Wed, 17 Jan 2018 14:36:59 -0000
> From: Marc Deslauriers <email address hidden>
> Reply-To: Bug 1743786 <email address hidden>
> To: <email address hidden>
> Subject: [Bug 1743786] Re: intel-microcode-3.20180108.0~ubuntu17.10.1 fails to
> address spectre variant 2 on Intel i7-6850k platform
>
> Hi,
>
> What's the output of "dmesg | grep microcode" ?

Marc Deslauriers (mdeslaur) wrote :

Those aren't the lines I'm interested in seeing. Please post the complete results of the grep.

Robert Dinse (nanook) wrote :

      That is all the grep returned:

root@igloo:~# dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0xc2, date = 2017-11-16
root@igloo:~#

root@iglulik:~# dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0xb000021, date = 2017-03-01
root@iglulik:~#

On Wed, 17 Jan 2018, Marc Deslauriers wrote:

> Date: Wed, 17 Jan 2018 15:09:54 -0000
> From: Marc Deslauriers <email address hidden>
> Reply-To: Bug 1743786 <email address hidden>
> To: <email address hidden>
> Subject: [Bug 1743786] Re: intel-microcode-3.20180108.0~ubuntu17.10.1 fails to
> address spectre variant 2 on Intel i7-6850k platform
>
> Those aren't the lines I'm interested in seeing. Please post the
> complete results of the grep.

Marc Deslauriers (mdeslaur) wrote :

That's odd...I was expecting something like this:

$ dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0x80, date = 2018-01-04
[ 1.694283] microcode: sig=0x806e9, pf=0x80, revision=0x80
[ 1.694368] microcode: Microcode Update Driver: v2.2.

I need the sig for your two cpus.

Robert Dinse (nanook) wrote :

      Sorry processor sig? Is this something I can get from /proc/cpuinfo?

On Wed, 17 Jan 2018, Marc Deslauriers wrote:

> Date: Wed, 17 Jan 2018 15:31:20 -0000
> From: Marc Deslauriers <email address hidden>
> Reply-To: Bug 1743786 <email address hidden>
> To: <email address hidden>
> Subject: [Bug 1743786] Re: intel-microcode-3.20180108.0~ubuntu17.10.1 fails to
> address spectre variant 2 on Intel i7-6850k platform
>
> That's odd...I was expecting something like this:
>
> $ dmesg | grep microcode
> [ 0.000000] microcode: microcode updated early to revision 0x80, date = 2018-01-04
> [ 1.694283] microcode: sig=0x806e9, pf=0x80, revision=0x80
> [ 1.694368] microcode: Microcode Update Driver: v2.2.
>
> I need the sig for your two cpus.

Marc Deslauriers (mdeslaur) wrote :

You can install and use the cpuid tool:

cpuid -r | grep "0x00000001 0x00"

Robert Dinse (nanook) wrote :

On the i7-6700k machine:

    0x00000001 0x00: eax=0x000506e3 ebx=0x00100800 ecx=0x7ffafbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000506e3 ebx=0x02100800 ecx=0x7ffafbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000506e3 ebx=0x04100800 ecx=0x7ffafbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000506e3 ebx=0x06100800 ecx=0x7ffafbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000506e3 ebx=0x01100800 ecx=0x7ffafbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000506e3 ebx=0x03100800 ecx=0x7ffafbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000506e3 ebx=0x05100800 ecx=0x7ffafbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000506e3 ebx=0x07100800 ecx=0x7ffafbbf edx=0xbfebfbff

On the i7-6850k machine:

    0x00000001 0x00: eax=0x000406f1 ebx=0x00100800 ecx=0x7ffefbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000406f1 ebx=0x02100800 ecx=0x7ffefbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000406f1 ebx=0x04100800 ecx=0x7ffefbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000406f1 ebx=0x06100800 ecx=0x7ffefbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000406f1 ebx=0x08100800 ecx=0x7ffefbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000406f1 ebx=0x0a100800 ecx=0x7ffefbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000406f1 ebx=0x01100800 ecx=0x7ffefbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000406f1 ebx=0x03100800 ecx=0x7ffefbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000406f1 ebx=0x05100800 ecx=0x7ffefbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000406f1 ebx=0x07100800 ecx=0x7ffefbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000406f1 ebx=0x09100800 ecx=0x7ffefbbf edx=0xbfebfbff
    0x00000001 0x00: eax=0x000406f1 ebx=0x0b100800 ecx=0x7ffefbbf edx=0xbfebfbff

On Wed, 17 Jan 2018, Marc Deslauriers wrote:

> Date: Wed, 17 Jan 2018 20:20:08 -0000
> From: Marc Deslauriers <email address hidden>
> Reply-To: Bug 1743786 <email address hidden>
> To: <email address hidden>
> Subject: [Bug 1743786] Re: intel-microcode-3.20180108.0~ubuntu17.10.1 fails to
> address spectre variant 2 on Intel i7-6850k platform
>
> You can install and use the cpuid tool:
>
> cpuid -r | grep "0x00000001 0x00"

Emily Ratliff (emilyr) wrote :

Hi Robert, would you mind installing and running the iucode-tool? With that tool you will see something like the following:
$ iucode-tool -S
iucode-tool: system has processor(s) with signature 0x000306c3

Robert Dinse (nanook) wrote :

      I received no body only subject.

On Wed, 17 Jan 2018, Emily Ratliff wrote:

> Date: Wed, 17 Jan 2018 21:26:54 -0000
> From: Emily Ratliff <email address hidden>
> To: <email address hidden>
> Subject: [Bug 1743786] Re: intel-microcode-3.20180108.0~ubuntu17.10.1 fails to
> address spectre variant 2 on Intel i7-6850k platform
>

Robert Dinse (nanook) wrote :

      On i7-6700k:

iucode-tool: system has processor(s) with signature 0x000506e3

      On i7-6850k:

iucode-tool: system has processor(s) with signature 0x000406f1

On Wed, 17 Jan 2018, Emily Ratliff wrote:

> Date: Wed, 17 Jan 2018 21:26:54 -0000
> From: Emily Ratliff <email address hidden>
> To: <email address hidden>
> Subject: [Bug 1743786] Re: intel-microcode-3.20180108.0~ubuntu17.10.1 fails to
> address spectre variant 2 on Intel i7-6850k platform
>
> Hi Robert, would you mind installing and running the iucode-tool? With that tool you will see something like the following:
> $ iucode-tool -S
> iucode-tool: system has processor(s) with signature 0x000306c3

Marc Deslauriers (mdeslaur) wrote :

OK, on the machine with the 506e3 cpu, you need to have microcode revision 0xc2
on the machine with the 406f1 cpu, you need to have microcode revision 0x25

Are you sure you have the intel-microcode package installed? If so, for some reason your microcode is not being updated at boot.

Robert Dinse (nanook) wrote :

apt list intel-microcode -a
Listing... Done
intel-microcode/artful-updates,artful-security,now 3.20180108.0~ubuntu17.10.1 amd64 [installed]
intel-microcode/artful 3.20170707.1 amd64

apt list intel-microcode -a
Listing... Done
intel-microcode/artful-security,artful-updates,now 3.20180108.0~ubuntu17.10.1 amd64 [installed]
intel-microcode/artful 3.20170707.1 amd64

      As you can see it is installed on both machines and it has been rebooted
since they were installed.

On Wed, 17 Jan 2018, Marc Deslauriers wrote:

> Date: Wed, 17 Jan 2018 22:08:21 -0000
> From: Marc Deslauriers <email address hidden>
> Reply-To: Bug 1743786 <email address hidden>
> To: <email address hidden>
> Subject: [Bug 1743786] Re: intel-microcode-3.20180108.0~ubuntu17.10.1 fails to
> address spectre variant 2 on Intel i7-6850k platform
>
> OK, on the machine with the 506e3 cpu, you need to have microcode revision 0xc2
> on the machine with the 406f1 cpu, you need to have microcode revision 0x25
>
> Are you sure you have the intel-microcode package installed? If so, for
> some reason your microcode is not being updated at boot.

Seth Arnold (seth-arnold) wrote :

Hello Robert, is there a reason to keep this bug private? I believe others may benefit from it.

Thanks

Marc Deslauriers (mdeslaur) wrote :

OK, I just looked at the Intel's microcode release from 20180108 and it does not yet contain the update for 406f1.

For 506e3, revision 0xc2 should be in the package.

What's the output of:

grep MICROCODE /boot/config-4.13*

Robert Dinse (nanook) wrote :

     Ok, guess will just have to wait for you to kick out a package
with that included.

On Wed, January 17, 2018 4:12 pm, Marc Deslauriers wrote:
> OK, I just looked at the Intel's microcode release from 20180108 and it
> does not yet contain the update for 406f1.
>
> For 506e3, revision 0xc2 should be in the package.
>
>
> What's the output of:
>
>
> grep MICROCODE /boot/config-4.13*

Robert Dinse (nanook) wrote :

     Since the exploits are in public domain, I see no reason to.

On Wed, January 17, 2018 3:09 pm, Seth Arnold wrote:
> Hello Robert, is there a reason to keep this bug private? I believe
> others may benefit from it.
>
> Thanks

information type: Private Security → Public
Henrique de Moraes Holschuh (hmh) wrote :

I believe this is fixed in the latest version of intel-microcode available on every still-supported branch of Ubuntu...

Can you confirm and close the report, please?

Steve Beattie (sbeattie) wrote :

Hi Robert,

The intel-microcode 3.20180807a.0ubuntu0.18.04.1 update should contain updates for both your hosts:

  002/001: sig 0x000406f1, pf_mask 0xef, 2018-04-19, rev 0xb00002e, size 28672
  001/001: sig 0x000506e3, pf_mask 0x36, 2018-04-17, rev 0x00c6, size 99328

Can you confirm, please? Thanks!

Changed in intel-microcode (Ubuntu):
status: New → Incomplete
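
Added example, not part of the original thread and not code from Ubuntu, Intel or iucode-tool: it ties together the three outputs exchanged above (the `dmesg` microcode line, the `cpuid -r` leaf 1 line and the per-signature microcode listing) to decide whether a host's running revision is covered by a given package. All function names are hypothetical, the inputs are lines copied from this thread, and the 20180108 listing is a constructed stand-in for what the thread describes (0xc2 for 506e3, nothing for 406f1).

```python
import re

# Constructed inputs: lines copied from the outputs quoted in this thread.
DMESG = {
    "i7-6700k": "[ 0.000000] microcode: microcode updated early to revision 0xc2, date = 2017-11-16",
    "i7-6850k": "[ 0.000000] microcode: microcode updated early to revision 0xb000021, date = 2017-03-01",
}
CPUID = {
    "i7-6700k": "0x00000001 0x00: eax=0x000506e3 ebx=0x00100800 ecx=0x7ffafbbf edx=0xbfebfbff",
    "i7-6850k": "0x00000001 0x00: eax=0x000406f1 ebx=0x00100800 ecx=0x7ffefbbf edx=0xbfebfbff",
}
# Listing posted in the thread for intel-microcode 3.20180807a.0ubuntu0.18.04.1.
BUNDLE_20180807 = """\
  002/001: sig 0x000406f1, pf_mask 0xef, 2018-04-19, rev 0xb00002e, size 28672
  001/001: sig 0x000506e3, pf_mask 0x36, 2018-04-17, rev 0x00c6, size 99328
"""
# Constructed stand-in for the 20180108 release as the thread describes it:
# 0xc2 for 506e3, no entry for 406f1 (pf_mask and size are placeholders).
BUNDLE_20180108 = """\
  001/001: sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
"""

BUNDLE_RE = re.compile(
    r"sig (0x[0-9a-f]+), pf_mask (0x[0-9a-f]+), (\d{4}-\d{2}-\d{2}), rev (0x[0-9a-f]+)",
    re.IGNORECASE,
)


def parse_dmesg_revision(text):
    """Return the last microcode revision the kernel logged, or None.

    Handles both 'updated early to revision 0x..' and 'revision=0x..' lines.
    """
    revs = re.findall(r"microcode: .*?revision[ =](0x[0-9a-fA-F]+)", text)
    return int(revs[-1], 16) if revs else None


def parse_cpuid_signature(text):
    """Return EAX of CPUID leaf 1 (the processor signature) from `cpuid -r`."""
    m = re.search(r"0x00000001 0x00: eax=(0x[0-9a-fA-F]+)", text)
    return int(m.group(1), 16) if m else None


def decode_signature(sig):
    """Split a CPUID leaf 1 signature into (family, model, stepping)."""
    stepping = sig & 0xF
    model = (sig >> 4) & 0xF
    family = (sig >> 8) & 0xF
    if family in (0x6, 0xF):          # extended model applies to these families
        model |= ((sig >> 16) & 0xF) << 4
    if family == 0xF:                 # extended family applies only to 0xF
        family += (sig >> 20) & 0xFF
    return family, model, stepping


def parse_bundle(text):
    """Map signature -> (highest revision, date) from a microcode listing."""
    bundle = {}
    for m in BUNDLE_RE.finditer(text):
        sig, rev = int(m.group(1), 16), int(m.group(4), 16)
        if sig not in bundle or rev > bundle[sig][0]:
            bundle[sig] = (rev, m.group(3))
    return bundle


def assess(sig, running_rev, bundle):
    """Classify one host against one microcode bundle."""
    if sig is None or running_rev is None:
        return "unknown"
    if sig not in bundle:
        return "not-in-bundle"        # the 406f1 case in this report
    return "update-available" if running_rev < bundle[sig][0] else "current"


def report(bundle_text):
    """Assess every sample host against the given listing."""
    bundle = parse_bundle(bundle_text)
    return {
        host: assess(
            parse_cpuid_signature(CPUID[host]),
            parse_dmesg_revision(DMESG[host]),
            bundle,
        )
        for host in DMESG
    }


if __name__ == "__main__":
    for name, text in (("20180108", BUNDLE_20180108), ("20180807a", BUNDLE_20180807)):
        for host, status in report(text).items():
            sig = parse_cpuid_signature(CPUID[host])
            fam, model, step = decode_signature(sig)
            print(f"{name} {host} sig=0x{sig:x} "
                  f"family={fam} model=0x{model:x} stepping={step}: {status}")
```

A "not-in-bundle" result means the installed package cannot change the running revision for that signature, which is a different condition from the early loader failing at boot.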
Robert Dinse (nanook) wrote :

      I have stopped installing microcode on the i7-6850k because if I do then
it will not overclock. I do install on the i7-6700k machines as it does not
seem to be an issue with them.

On Fri, 21 Sep 2018, Steve Beattie wrote:

> Date: Fri, 21 Sep 2018 08:04:28 -0000
> From: Steve Beattie <email address hidden>
> Reply-To: Bug 1743786 <email address hidden>
> To: <email address hidden>
> Subject: [Bug 1743786] Re: intel-microcode-3.20180108.0~ubuntu17.10.1 fails to
> address spectre variant 2 on Intel i7-6850k platform
>
> Hi Robert,
>
> The intel-microcode 3.20180807a.0ubuntu0.18.04.1 update should contain
> updates for both your hosts:
>
> 002/001: sig 0x000406f1, pf_mask 0xef, 2018-04-19, rev 0xb00002e, size 28672
> 001/001: sig 0x000506e3, pf_mask 0x36, 2018-04-17, rev 0x00c6, size 99328
>
> Can you confirm, please? Thanks!

Launchpad Janitor (janitor) wrote :

[Expired for intel-microcode (Ubuntu) because there has been no activity for 60 days.]

Changed in intel-microcode (Ubuntu):
status: Incomplete → Expired