need to ensure microcode updates are available to all bare-metal installs of Ubuntu

Bug #1738259 reported by Steve Langasek on 2017-12-14
Affects                          Importance   Assigned to
linux-meta (Ubuntu)              Critical     Unassigned
  Precise                        Undecided    Unassigned
  Trusty                         Medium       Unassigned
  Xenial                         Medium       Unassigned
  Zesty                          Undecided    Unassigned
  Artful                         Medium       Unassigned
  Bionic                         Critical     Unassigned
linux-meta-hwe (Ubuntu)          Undecided    Unassigned
  Xenial                         Medium       Unassigned
linux-meta-hwe-edge (Ubuntu)     Undecided    Unassigned
  Xenial                         Medium       Unassigned
linux-meta-lts-xenial (Ubuntu)   Undecided    Unassigned
  Xenial                         Medium       Unassigned
linux-meta-oem (Ubuntu)          Undecided    Unassigned
  Xenial                         Undecided    Unassigned

Bug Description

From time to time, CPU vendors release updates to microcode that can be loaded into the CPU from the OS. For x86, we have these updates available in the archive as amd64-microcode and intel-microcode.

Sometimes, these microcode updates have addressed security issues with the CPU. They almost certainly will again in the future.

We should ensure that all users of Ubuntu on baremetal x86 receive these security updates, and have them applied to the CPU in early boot where at all feasible.

Because these are hardware-dependent packages which we don't want to install except on baremetal (so: not in VMs or containers), the logical place to pull them into the system is via the kernel, so that only the kernel baremetal flavors pull them in. This is analogous to linux-firmware, which is already a dependency of the linux-image-{lowlatency,generic} metapackages, and whose contents are applied to the hardware by the kernel similar to microcode.

So, please update the linux-image-{lowlatency,generic} metapackages to add a dependency on amd64-microcode [amd64], intel-microcode [amd64], and the corresponding hwe metapackages also.

Please time this change to coincide with the next updates of the microcode packages in the archive.

I believe we will also need to promote the *-microcode packages to main from restricted as part of this (again, by analogy with linux-firmware).

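The description asks that microcode updates be applied to the CPU in early boot. The shell functions below are an added example, not part of the bug report or of Ubuntu's packages: they read the vendor and the microcode revision that /proc/cpuinfo reports, and classify a kernel log as showing an early update, a late (runtime) reload, or neither. The dmesg wordings matched are assumed from what the 4.x Intel and AMD microcode drivers print; the cpuinfo and dmesg text in the samples is constructed.

```shell
#!/bin/sh
# Added example (not part of the Launchpad bug or of Ubuntu's packages):
# report the CPU vendor and the microcode revision the CPU currently
# reports, and whether the kernel log shows the update being applied in
# early boot. Every function reads text on stdin or from a file, so the
# same code runs on a live host (/proc/cpuinfo, a saved dmesg) and on the
# constructed samples below.

# vendor_id from /proc/cpuinfo text on stdin (first core):
# "GenuineIntel" or "AuthenticAMD".
cpu_vendor() {
    awk -F': ' '/^vendor_id/ { print $2; exit }'
}

# Microcode revision the CPU currently reports (first core), e.g. 0xb4.
# A guest cannot load microcode; in a VM this value is whatever the
# hypervisor exposes, so the package on the guest changes nothing.
cpu_microcode_rev() {
    awk -F': ' '/^microcode/ { print $2; exit }'
}

# Classify kernel log text on stdin as "early", "late" or "none".
# Wordings assumed from the 4.x drivers: Intel logs
#   "microcode: microcode updated early to revision 0x.."
# AMD logs
#   "microcode: microcode updated early to new patch_level=0x.."
# and a runtime (late) reload logs "updated to revision" or
# "updated to new patch_level" without the word "early".
microcode_load_stage() {
    awk '
        /microcode: .*updated early to/                      { early = 1 }
        /microcode: .*updated to (revision|new patch_level)/ { late = 1 }
        END {
            if (early) print "early"
            else if (late) print "late"
            else print "none"
        }'
}

# One status line "VENDOR REVISION STAGE" from a cpuinfo file and a dmesg file.
microcode_report() {
    cpuinfo_file=$1
    dmesg_file=$2
    vendor=$(cpu_microcode_vendor_wrapper < "$cpuinfo_file")
    rev=$(cpu_microcode_rev < "$cpuinfo_file")
    stage=$(microcode_load_stage < "$dmesg_file")
    printf '%s %s %s\n' "${vendor:-unknown}" "${rev:-unknown}" "$stage"
}
# Thin alias so microcode_report reads clearly above.
cpu_microcode_vendor_wrapper() { cpu_vendor; }

# Constructed samples (the real /proc/cpuinfo separates key and value with
# tabs; the ': ' separator used above handles tabs and spaces alike).
SAMPLE_CPUINFO='processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 158
microcode       : 0xb4
processor       : 1
vendor_id       : GenuineIntel
microcode       : 0xb4'

SAMPLE_DMESG='[    0.000000] microcode: microcode updated early to revision 0xb4, date = 2018-01-21
[    0.000000] Linux version 4.15.0-23-generic
[    1.234567] microcode: sig=0x906ea, pf=0x2, revision=0xb4
[    1.234600] microcode: Microcode Update Driver: v2.2.'

# Demo on the samples. On a host: dmesg > /tmp/dmesg.txt (as root where
# kernel.dmesg_restrict=1), then: microcode_report /proc/cpuinfo /tmp/dmesg.txt
tmp_cpuinfo=$(mktemp)
tmp_dmesg=$(mktemp)
printf '%s\n' "$SAMPLE_CPUINFO" > "$tmp_cpuinfo"
printf '%s\n' "$SAMPLE_DMESG" > "$tmp_dmesg"
microcode_report "$tmp_cpuinfo" "$tmp_dmesg"    # GenuineIntel 0xb4 early
rm -f "$tmp_cpuinfo" "$tmp_dmesg"
```

The kernel ring buffer is finite: on a long-running host the early-boot line may have been overwritten and the stage reads "none" even though the update happened, so the revision in /proc/cpuinfo, compared with the revision the vendor's release notes give for that signature, is the more durable check. Inside a VM or container the revision is the hypervisor's, which is the reason the bug restricts the dependency to the bare-metal kernel flavours.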
Steve Langasek (vorlon) on 2017-12-14
no longer affects: linux-meta-hwe (Ubuntu Precise)
no longer affects: linux-meta-hwe (Ubuntu Trusty)
Steve Langasek (vorlon) on 2017-12-14
no longer affects: linux-meta-hwe (Ubuntu Zesty)
no longer affects: linux-meta-hwe (Ubuntu Artful)
no longer affects: linux-meta-hwe (Ubuntu Bionic)
Steve Langasek (vorlon) on 2017-12-14
no longer affects: linux-meta-hwe-edge (Ubuntu Precise)
no longer affects: linux-meta-hwe-edge (Ubuntu Trusty)
no longer affects: linux-meta-hwe-edge (Ubuntu Zesty)
no longer affects: linux-meta-hwe-edge (Ubuntu Artful)
no longer affects: linux-meta-hwe-edge (Ubuntu Bionic)
Steve Langasek (vorlon) on 2018-01-09
information type: Private Security → Public Security
affects: linux-meta (Ubuntu) → linux (Ubuntu)

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1738259

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Xenial):
status: New → Incomplete
Steve Langasek (vorlon) on 2018-01-09
affects: linux (Ubuntu Bionic) → linux-meta (Ubuntu Bionic)
Steve Langasek (vorlon) on 2018-01-09
Changed in linux-meta (Ubuntu Xenial):
status: Incomplete → Triaged
Changed in linux-meta (Ubuntu Bionic):
status: Incomplete → Triaged
tags: added: kernel-da-key
Norbert (nrbrtx) wrote :

Intel released microcode updates https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File
I think the whole microcode-20180108.tgz needs a critically fast SRU.

Marc Deslauriers (mdeslaur) wrote :

There are microcode packages available in the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

They will be published today or tomorrow once we get the corresponding linux-meta packages.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta - 4.13.0.31.33

---------------
linux-meta (4.13.0.31.33) artful; urgency=medium

  * Bump ABI 4.13.0-31

linux-meta (4.13.0.30.32) artful; urgency=medium

  * Bump ABI 4.13.0-30

linux-meta (4.13.0.29.31) artful; urgency=medium

  * Remove dependency on the cpu microcode updates. (LP: #1738259)

linux-meta (4.13.0.29.30) artful; urgency=medium

  * Bump ABI 4.13.0-29

linux-meta (4.13.0.28.29) artful; urgency=medium

  * Bump ABI 4.13.0-28

linux-meta (4.13.0.27.28) artful; urgency=medium

  * Bump ABI 4.13.0-27

linux-meta (4.13.0.25.27) artful; urgency=medium

  * Make the kernel image packages depend on the cpu microcode updates,
    to ensure they are pulled into all host installs of Ubuntu on upgrade.
    LP: #1738259.

 -- Marcelo Henrique Cerri <email address hidden> Fri, 19 Jan 2018 11:11:01 -0200

Changed in linux-meta (Ubuntu Artful):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta - 4.4.0.112.118

---------------
linux-meta (4.4.0.112.118) xenial; urgency=medium

  * Bump ABI 4.4.0-112

linux-meta (4.4.0.111.117) xenial; urgency=medium

  * Bump ABI 4.4.0-111

linux-meta (4.4.0.110.116) xenial; urgency=medium

  * Bump ABI 4.4.0-110

  * Miscellaneous upstream changes
    - Revert "UBUNTU: Make kernel image packages depend on cpu microcode updates"

linux-meta (4.4.0.109.115) xenial; urgency=medium

  * Make the kernel image packages depend on the cpu microcode updates,
    to ensure they are pulled into all host installs of Ubuntu on upgrade.
    LP: #1738259.

 -- Stefan Bader <email address hidden> Fri, 19 Jan 2018 11:20:51 +0100

Changed in linux-meta (Ubuntu Xenial):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta - 3.13.0.141.151

---------------
linux-meta (3.13.0.141.151) trusty; urgency=medium

  * Bump ABI 3.13.0-141

linux-meta (3.13.0.140.150) trusty; urgency=medium

  * Bump ABI 3.13.0-140

  * Miscellaneous upstream changes
    - Revert "UBUNTU: Make kernel image packages depend on cpu microcode updates"

linux-meta (3.13.0.139.149) trusty; urgency=medium

  * Make the kernel image packages depend on the cpu microcode updates,
    to ensure they are pulled into all host installs of Ubuntu on upgrade.
    LP: #1738259.

 -- Stefan Bader <email address hidden> Fri, 19 Jan 2018 13:38:42 +0100

Changed in linux-meta (Ubuntu Trusty):
status: New → Fix Released
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta-hwe - 4.13.0.31.51

---------------
linux-meta-hwe (4.13.0.31.51) xenial; urgency=medium

  * Bump ABI 4.13.0-31

linux-meta-hwe (4.13.0.30.50) xenial; urgency=medium

  * Bump ABI 4.13.0-30

linux-meta-hwe (4.13.0.29.49) xenial; urgency=medium

  * Remove dependency on the cpu microcode updates. (LP: #1738259)

linux-meta-hwe (4.13.0.29.48) xenial; urgency=medium

  * Bump ABI 4.13.0-29

linux-meta-hwe (4.13.0.26.47) xenial; urgency=medium

  * Make the kernel image packages depend on the cpu microcode updates,
    to ensure they are pulled into all host installs of Ubuntu on upgrade.
    LP: #1738259.

 -- Marcelo Henrique Cerri <email address hidden> Fri, 19 Jan 2018 14:40:08 -0200

Changed in linux-meta-hwe (Ubuntu Xenial):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta-lts-xenial - 4.4.0.111.95

---------------
linux-meta-lts-xenial (4.4.0.111.95) trusty; urgency=medium

  * Bump ABI 4.4.0-111

linux-meta-lts-xenial (4.4.0.110.94) trusty; urgency=medium

  * Bump ABI 4.4.0-110

  * Miscellaneous upstream changes
    - Revert "UBUNTU: Make kernel image packages depend on cpu microcode updates"

linux-meta-lts-xenial (4.4.0.109.93) trusty; urgency=medium

  * Make the kernel image packages depend on the cpu microcode updates,
    to ensure they are pulled into all host installs of Ubuntu on upgrade.
    LP: #1738259.

 -- Kleber Sacilotto de Souza <email address hidden> Mon, 15 Jan 2018 16:22:12 +0100

Changed in linux-meta-lts-xenial (Ubuntu):
status: New → Fix Released
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta-hwe-edge - 4.13.0.31.33

---------------
linux-meta-hwe-edge (4.13.0.31.33) xenial; urgency=medium

  * Bump ABI 4.13.0-31

  * Miscellaneous upstream changes
    - Revert "UBUNTU: Make kernel image packages depend on cpu microcode updates"

linux-meta-hwe-edge (4.13.0.25.32) xenial; urgency=medium

  * Make the kernel image packages depend on the cpu microcode updates,
    to ensure they are pulled into all host installs of Ubuntu on upgrade.
    LP: #1738259.

 -- Marcelo Henrique Cerri <email address hidden> Fri, 19 Jan 2018 14:54:30 -0200

Changed in linux-meta-hwe-edge (Ubuntu Xenial):
status: New → Fix Released
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta - 4.13.0.32.34

---------------
linux-meta (4.13.0.32.34) artful; urgency=medium

  * Bump ABI 4.13.0-32

 -- Stefan Bader <email address hidden> Thu, 25 Jan 2018 09:43:53 +0100

Changed in linux-meta (Ubuntu Bionic):
status: Triaged → Fix Released
tags: added: id-5a20305cc21096d164992af9
Doug McMahon (mc3man) wrote :

How can this be marked as various "Fix Released" when the kernel depend was reverted??
Also note that ubuntu-drivers-common removed the microcode detection based on these so-called changes.

tags: added: reverted
dino99 (9d9) wrote :

Zesty EOL reached

Changed in linux-meta (Ubuntu Zesty):
status: New → Invalid
Steve Langasek (vorlon) wrote :

Indeed, this was reverted and does not appear to have re-landed yet; resetting the bug state.

Changed in linux-meta-lts-xenial (Ubuntu):
status: Fix Released → Triaged
Changed in linux-meta-hwe-edge (Ubuntu Xenial):
status: Fix Released → Triaged
Changed in linux-meta-hwe (Ubuntu Xenial):
status: Fix Released → Triaged
Changed in linux-meta (Ubuntu Bionic):
status: Fix Released → Triaged
Steve Langasek (vorlon) on 2018-03-25
Changed in linux-meta (Ubuntu Artful):
status: Fix Released → Triaged
Changed in linux-meta (Ubuntu Xenial):
status: Fix Released → Triaged
Changed in linux-meta (Ubuntu Trusty):
status: Fix Released → Triaged
Stefan Bader (smb) on 2018-04-20
Changed in linux-meta (Ubuntu Artful):
status: Triaged → Fix Committed
Changed in linux-meta (Ubuntu Xenial):
importance: Undecided → Medium
status: Triaged → Fix Committed
Changed in linux-meta (Ubuntu Artful):
importance: Undecided → Medium
Changed in linux-meta-hwe (Ubuntu Xenial):
importance: Undecided → Medium
status: Triaged → Fix Committed
Changed in linux-meta-hwe-edge (Ubuntu Xenial):
importance: Undecided → Medium
status: Triaged → Fix Committed
Stefan Bader (smb) wrote :

linux-meta-lts-xenial should be nominated for trusty, not xenial

Changed in linux-meta-lts-xenial (Ubuntu Xenial):
importance: Undecided → Medium
status: New → Fix Committed
Changed in linux-meta-lts-xenial (Ubuntu):
status: Triaged → Invalid
Changed in linux-meta (Ubuntu Trusty):
importance: Undecided → Medium
status: Triaged → Fix Committed
Timo Aaltonen (tjaalton) on 2018-04-27
Changed in linux-meta-oem (Ubuntu):
status: New → Invalid
Changed in linux-meta-oem (Ubuntu Xenial):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta-hwe-edge - 4.15.0.20.42

---------------
linux-meta-hwe-edge (4.15.0.20.42) xenial; urgency=medium

  * Fix transitional linux-signed* packages to use the proper suffix.

linux-meta-hwe-edge (4.15.0.20.41) xenial; urgency=medium

  * Bump ABI 4.15.0-20

  * signing: only install a signed kernel (LP: #1764794)
    - switch to linux-image as signed when available
    - convert linux-signed* into transitional packages

  * need to ensure microcode updates are available to all bare-metal installs of
    Ubuntu (LP: #1738259)
    - Make kernel image packages depend on cpu microcode updates

 -- Thadeu Lima de Souza Cascardo <email address hidden> Wed, 25 Apr 2018 08:51:35 -0300

Changed in linux-meta-hwe-edge (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta - 3.13.0.147.157

---------------
linux-meta (3.13.0.147.157) trusty; urgency=medium

  * Bump ABI 3.13.0-147

  * need to ensure microcode updates are available to all bare-metal installs of
    Ubuntu (LP: #1738259)
    - Revert "UBUNTU: Make kernel image packages depend on cpu microcode updates"

linux-meta (3.13.0.146.156) trusty; urgency=medium

  * Bump ABI 3.13.0-146

  * need to ensure microcode updates are available to all bare-metal installs of
    Ubuntu (LP: #1738259)
    - Make kernel image packages depend on cpu microcode updates

 -- Kleber Sacilotto de Souza <email address hidden> Wed, 02 May 2018 17:09:27 +0200

Changed in linux-meta (Ubuntu Trusty):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta-lts-xenial - 4.4.0.124.104

---------------
linux-meta-lts-xenial (4.4.0.124.104) trusty; urgency=medium

  * Bump ABI 4.4.0-124

  * Miscellaneous upstream changes
    - Revert "UBUNTU: Make kernel image packages depend on cpu microcode updates"

 -- Stefan Bader <email address hidden> Thu, 03 May 2018 09:17:50 +0200

Changed in linux-meta-lts-xenial (Ubuntu):
status: Invalid → Fix Released
status: Invalid → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta - 4.4.0.124.130

---------------
linux-meta (4.4.0.124.130) xenial; urgency=medium

  * Bump ABI 4.4.0-124

  * Miscellaneous upstream changes
    - Revert "UBUNTU: Make kernel image packages depend on cpu microcode updates"

 -- Stefan Bader <email address hidden> Wed, 02 May 2018 14:28:37 +0200

Changed in linux-meta (Ubuntu Xenial):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta-hwe - 4.13.0.41.60

---------------
linux-meta-hwe (4.13.0.41.60) xenial; urgency=medium

  * Bump ABI 4.13.0-41

  * need to ensure microcode updates are available to all bare-metal installs of
    Ubuntu (LP: #1738259)
    - Revert "UBUNTU: Make kernel image packages depend on cpu microcode updates"

linux-meta-hwe (4.13.0.40.59) xenial; urgency=medium

  * Bump ABI 4.13.0-40

  * need to ensure microcode updates are available to all bare-metal installs of
    Ubuntu (LP: #1738259)
    - Make kernel image packages depend on cpu microcode updates

 -- Kleber Sacilotto de Souza <email address hidden> Thu, 03 May 2018 11:35:12 +0200

Changed in linux-meta-hwe (Ubuntu Xenial):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta - 4.13.0.41.44

---------------
linux-meta (4.13.0.41.44) artful; urgency=medium

  * Bump ABI 4.13.0-41

  * need to ensure microcode updates are available to all bare-metal installs of
    Ubuntu (LP: #1738259)
    - Revert "UBUNTU: Make kernel image packages depend on cpu microcode updates"

linux-meta (4.13.0.40.43) artful; urgency=medium

  * Bump ABI 4.13.0-40

  * need to ensure microcode updates are available to all bare-metal installs of
    Ubuntu (LP: #1738259)
    - Make kernel image packages depend on cpu microcode updates

 -- Kleber Sacilotto de Souza <email address hidden> Wed, 02 May 2018 12:46:37 +0200

Changed in linux-meta (Ubuntu Artful):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta-oem - 4.15.0.1006.8

---------------
linux-meta-oem (4.15.0.1006.8) bionic; urgency=medium

  * Bump ABI 4.15.0-1006

linux-meta-oem (4.15.0.1005.7) bionic; urgency=medium

  * need to ensure microcode updates are available to all bare-metal installs of
    Ubuntu (LP: #1738259)
    - Make kernel image packages depend on cpu microcode updates

linux-meta-oem (4.15.0.1005.6) bionic; urgency=medium

  * Bump ABI 4.15.0-1005

 -- Stefan Bader <email address hidden> Fri, 18 May 2018 09:13:24 +0200

Changed in linux-meta-oem (Ubuntu):
status: Invalid → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta-oem - 4.13.0.1028.33

---------------
linux-meta-oem (4.13.0.1028.33) xenial; urgency=medium

  * Bump ABI 4.13.0-1028

linux-meta-oem (4.13.0.1027.32) xenial; urgency=medium

  * need to ensure microcode updates are available to all bare-metal installs of
    Ubuntu (LP: #1738259)
    - Make kernel image packages depend on cpu microcode updates

linux-meta-oem (4.13.0.1027.31) xenial; urgency=medium

  * Bump ABI 4.13.0-1027

 -- Stefan Bader <email address hidden> Fri, 18 May 2018 10:17:58 +0200

Changed in linux-meta-oem (Ubuntu Xenial):
status: Fix Committed → Fix Released
Explorer09 (explorer09) wrote :

Um, excuse me. When I check the updates on my Ubuntu Trusty machine, I found out it now asks for new install of the amd64-microcode package. May I ask why? My CPU is not AMD's but Intel's, and it seems that amd64-microcode had no use for me. Why does the linux-image-generic package hard depend on it?

This way, when I have linux-image-generic installed just because I want kernel updates, a useless package is installed on me. I mean, wouldn't it be better if linux-image-generic just "Recommends" the microcode package, without "Depending" on it?

Stefan Bader (smb) on 2018-05-30
Changed in linux-meta (Ubuntu Bionic):
status: Triaged → Fix Committed
EdLesMann (edlesmann) wrote :

Agree with Explorer09. Why are my Intel systems now getting AMD microcode packages and why are my AMD systems getting Intel microcode packages?? This is a bug.

I would rather it see that I already have one of them installed that matches my CPU and call it good. If that isn't an option, then just a recommends.

In the meantime, I just blocked these meta packages from updating on my systems.

Thanks.

Richard Laager (rlaager) wrote :

This is particularly annoying for me too.

All of my virtual machines use linux-image-generic because I need linux-image-extra to get the i6300esb watchdog driver for the KVM watchdog. This change forces the amd64-microcode and intel-microcode packages to be installed on all of my VMs.

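The three comments above ask why an Intel host receives amd64-microcode, an AMD host intel-microcode, and a VM either of them. As an added example (not code from the bug, from Ubuntu's linux-meta packaging or from any of the commenters), the shell functions below map vendor_id and the output of systemd-detect-virt to the one package that matters on a machine, list installed microcode packages that do not, and check whether a metapackage stanza carries the microcode packages as a hard Depends rather than a Recommends. The dpkg-query and apt-cache output they parse is constructed, and the Depends line in the sample stanza is an assumption about what linux-image-generic carries after this change.

```shell
#!/bin/sh
# Added example, not code from the bug, from Ubuntu's linux-meta packaging
# or from any commenter: decide which microcode package matters on this
# machine and list installed microcode packages that do not (wrong vendor,
# or any at all inside a VM or container, where only the host can apply
# microcode). Input is passed as text so the functions run on a live host
# and on the constructed samples below.

# Map vendor_id and the output of `systemd-detect-virt` ("none" on bare
# metal, otherwise kvm, lxc, docker, ...) to the one package that matters.
wanted_microcode_pkg() {
    vendor=$1
    virt=$2
    if [ "$virt" != "none" ]; then
        echo none
        return 0
    fi
    case "$vendor" in
        GenuineIntel) echo intel-microcode ;;
        AuthenticAMD) echo amd64-microcode ;;
        *)            echo none ;;
    esac
}

# Installed microcode packages other than the wanted one. Stdin carries
# dpkg status lines as printed by
#   dpkg-query -W -f '${Package} ${Status}\n'
# i.e. "intel-microcode install ok installed". A package left in
# "config-files" state is not counted.
surplus_microcode_pkgs() {
    wanted=$1
    awk -v wanted="$wanted" '
        ($1 == "intel-microcode" || $1 == "amd64-microcode") &&
        $NF == "installed" && $1 != wanted { print $1 }'
}

# Whether a package stanza on stdin (as printed by `apt-cache show
# linux-image-generic`) lists a microcode package as a hard Depends.
# Exit status 0 = yes, 1 = no; a Recommends line does not count.
meta_depends_on_microcode() {
    awk '
        /^Depends:/ && /(intel|amd64)-microcode/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed samples: dpkg status of an Intel workstation that got both
# packages through the metapackage, and a metapackage stanza whose
# Depends line is an assumption about what linux-image-generic carries
# after the change discussed in this bug.
SAMPLE_DPKG='amd64-microcode install ok installed
intel-microcode install ok installed
linux-image-generic install ok installed
linux-firmware install ok installed'

SAMPLE_STANZA='Package: linux-image-generic
Version: 4.15.0.23.25
Depends: linux-image-4.15.0-23-generic, linux-modules-extra-4.15.0-23-generic, intel-microcode, amd64-microcode
Recommends: thermald'

# Demo. On a host the arguments come from
#   vendor=$(awk -F': ' '/^vendor_id/ { print $2; exit }' /proc/cpuinfo)
#   virt=$(systemd-detect-virt || true)    # exits 1 on bare metal
# and stdin from dpkg-query / apt-cache as quoted in the comments above.
for virt in none kvm; do
    wanted=$(wanted_microcode_pkg GenuineIntel "$virt")
    printf 'virt=%s wanted=%s surplus:' "$virt" "$wanted"
    printf '%s\n' "$SAMPLE_DPKG" | surplus_microcode_pkgs "$wanted" | tr '\n' ' '
    echo
done
if printf '%s\n' "$SAMPLE_STANZA" | meta_depends_on_microcode; then
    echo "linux-image-generic hard-depends on microcode: removing a surplus package removes the metapackage too"
fi
```

Because the relationship is Depends, `apt-get remove` of the surplus package takes linux-image-generic with it and apt says so before acting; with a Recommends relationship the package could be dropped, or never installed via `--no-install-recommends`, without touching the metapackage. The function therefore only reports; it does not remove anything.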
Simon Déziel (sdeziel) wrote :

@rlaager, for the VM case, considering that QEMU/KVM only supports a few watchdog devices, I think it would make sense to ship this i6300esb driver in linux-image-virtual directly.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta - 4.15.0.23.25

---------------
linux-meta (4.15.0.23.25) bionic; urgency=medium

  * Need to ensure microcode updates are available to all bare-metal installs
    of Ubuntu (LP: #1738259)
    - Make kernel image packages depend on cpu microcode updates

linux-meta (4.15.0.23.24) bionic; urgency=medium

  * Bump ABI 4.15.0-23

 -- Stefan Bader <email address hidden> Wed, 30 May 2018 17:35:06 +0200

Changed in linux-meta (Ubuntu Bionic):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Richard Laager (rlaager) wrote :

@sdeziel, I agree 100%.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta - 4.15.0.23.25

---------------
linux-meta (4.15.0.23.25) bionic; urgency=medium

  * Need to ensure microcode updates are available to all bare-metal installs
    of Ubuntu (LP: #1738259)
    - Make kernel image packages depend on cpu microcode updates

linux-meta (4.15.0.23.24) bionic; urgency=medium

  * Bump ABI 4.15.0-23

 -- Stefan Bader <email address hidden> Wed, 30 May 2018 17:35:06 +0200

Changed in linux-meta (Ubuntu):
status: Triaged → Fix Released
Explorer09 (explorer09) wrote :

Looks like my comment got ignored.
In short: Please revert this and fix it properly. Don't let linux-image-generic package depend on amd64-microcode or intel-microcode! Change the relationship to "Recommends" instead!

Alexey (alexey-muranov) wrote :

+1 to @explorer09.

lee berry (lee2) wrote :

This microcode forced update bricked my Samsung APU until I could flash the bios back using DOS to a clear flag state. This should be down-graded until better ucode tools are available. It fails on AMD-K1-1500 APU and AMD-A12 with Radeon ATI GPUs. I was forced to downgrade to x32-bit machine just to fix this. It also locks up the USB-ports making them unusable for reboot over USB. This leaves most users confused. (amd64 ucode 3.20180524.1) why is this update also on my Intel machines?

This report contains Public Security information. Everyone can see this security related information.