need to ensure microcode updates are available to all bare-metal installs of Ubuntu
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux-meta (Ubuntu) | Fix Released | Critical | Unassigned |
Precise | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Medium | Unassigned |
Xenial | Fix Released | Medium | Unassigned |
Zesty | Invalid | Undecided | Unassigned |
Artful | Fix Released | Medium | Unassigned |
Bionic | Fix Released | Critical | Unassigned |
linux-meta-hwe (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Medium | Unassigned |
linux-meta-hwe-edge (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Medium | Unassigned |
linux-meta-lts-xenial (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Medium | Unassigned |
linux-meta-oem (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |

Bug Description
From time to time, CPU vendors release updates to microcode that can be loaded into the CPU from the OS. For x86, we have these updates available in the archive as amd64-microcode and intel-microcode.
Sometimes, these microcode updates have addressed security issues with the CPU. They almost certainly will again in the future.
We should ensure that all users of Ubuntu on baremetal x86 receive these security updates, and have them applied to the CPU in early boot where at all feasible.
Because these are hardware-dependent packages which we don't want to install except on baremetal (so: not in VMs or containers), the logical place to pull them into the system is via the kernel, so that only the kernel baremetal flavors pull them in. This is analogous to linux-firmware, which is already a dependency of the linux-image-
So, please update the linux-image-
Please time this change to coincide with the next updates of the microcode packages in the archive.
I believe we will also need to promote the *-microcode packages to main from restricted as part of this (again, by analogy with linux-firmware).
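
As an added example (not part of the bug report or of Ubuntu's packaging): a shell check for the condition the description asks for, that a bare-metal x86 host carries the microcode package for its CPU vendor. The function names, output strings and sample cpuinfo text are constructed for illustration; `audit_live` assumes `systemd-detect-virt` and `dpkg-query` are present on the host.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether a host needs a
# vendor microcode package and whether that package is installed.

# Read /proc/cpuinfo-style text on stdin; print the archive package the
# report names for that CPU vendor (nothing for any other vendor).
microcode_pkg_for() {
    vendor=$(awk -F': *' '/^vendor_id/ { print $2; exit }')
    case "$vendor" in
        GenuineIntel) echo intel-microcode ;;
        AuthenticAMD) echo amd64-microcode ;;
    esac
}

# Read cpuinfo text on stdin; print the microcode revision the CPU reports.
microcode_rev() { awk -F': *' '/^microcode/ { print $2; exit }'; }

# audit <virt-type> <cpuinfo-text> [installed-package ...]
# <virt-type> is what systemd-detect-virt prints ("none" on bare metal).
# Returns 1 only when a bare-metal x86 host lacks its microcode package.
audit() {
    virt=$1; cpuinfo=$2; shift 2
    if [ "$virt" != "none" ]; then echo "skip: guest ($virt)"; return 0; fi
    pkg=$(printf '%s\n' "$cpuinfo" | microcode_pkg_for)
    if [ -z "$pkg" ]; then echo "skip: not an Intel/AMD x86 CPU"; return 0; fi
    for p in "$@"; do
        if [ "$p" = "$pkg" ]; then
            rev=$(printf '%s\n' "$cpuinfo" | microcode_rev)
            echo "ok: $pkg installed, running revision $rev"; return 0
        fi
    done
    echo "missing: $pkg"; return 1
}

# Live wrapper for an Ubuntu host: gathers the three inputs from the system.
audit_live() {
    installed=$(dpkg-query -W -f='${Package} ${db:Status-Abbrev}\n' \
        intel-microcode amd64-microcode 2>/dev/null | awk '$2 ~ /^ii/ { print $1 }')
    # Word splitting of $installed is intended: one argument per package.
    audit "$(systemd-detect-virt 2>/dev/null || true)" "$(cat /proc/cpuinfo)" $installed
}

# Constructed sample input (not captured from a real machine).
SAMPLE_INTEL=$(printf 'processor\t: 0\nvendor_id\t: GenuineIntel\nmicrocode\t: 0xf0\n')
SAMPLE_AMD=$(printf 'processor\t: 0\nvendor_id\t: AuthenticAMD\nmicrocode\t: 0x8001138\n')

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

An installed package does not by itself show that the update was applied in early boot; compare the reported revision before and after a reboot.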
no longer affects: linux-meta-hwe (Ubuntu Precise)
no longer affects: linux-meta-hwe (Ubuntu Trusty)
no longer affects: linux-meta-hwe (Ubuntu Zesty)
no longer affects: linux-meta-hwe (Ubuntu Artful)
no longer affects: linux-meta-hwe (Ubuntu Bionic)
no longer affects: linux-meta-hwe-edge (Ubuntu Precise)
no longer affects: linux-meta-hwe-edge (Ubuntu Trusty)
no longer affects: linux-meta-hwe-edge (Ubuntu Zesty)
no longer affects: linux-meta-hwe-edge (Ubuntu Artful)
no longer affects: linux-meta-hwe-edge (Ubuntu Bionic)
information type: Private Security → Public Security
affects: linux-meta (Ubuntu) → linux (Ubuntu)
affects: linux (Ubuntu Bionic) → linux-meta (Ubuntu Bionic)
Changed in linux-meta (Ubuntu Xenial):
status: Incomplete → Triaged
Changed in linux-meta (Ubuntu Bionic):
status: Incomplete → Triaged
tags: added: kernel-da-key
tags: added: id-5a20305cc21096d164992af9
Changed in linux-meta (Ubuntu Artful):
status: Fix Released → Triaged
Changed in linux-meta (Ubuntu Xenial):
status: Fix Released → Triaged
Changed in linux-meta (Ubuntu Trusty):
status: Fix Released → Triaged
Changed in linux-meta (Ubuntu Artful):
status: Triaged → Fix Committed
Changed in linux-meta (Ubuntu Xenial):
importance: Undecided → Medium
status: Triaged → Fix Committed
Changed in linux-meta (Ubuntu Artful):
importance: Undecided → Medium
Changed in linux-meta-hwe (Ubuntu Xenial):
importance: Undecided → Medium
status: Triaged → Fix Committed
Changed in linux-meta-hwe-edge (Ubuntu Xenial):
importance: Undecided → Medium
status: Triaged → Fix Committed
Changed in linux-meta-oem (Ubuntu):
status: New → Invalid
Changed in linux-meta-oem (Ubuntu Xenial):
status: New → Fix Committed
Changed in linux-meta (Ubuntu Bionic):
status: Triaged → Fix Committed
Changed in linux-meta (Ubuntu Precise):
status: New → Won't Fix
Changed in linux-meta-hwe (Ubuntu):
status: New → Fix Released
Changed in linux-meta-hwe-edge (Ubuntu):
status: New → Fix Released
Changed in linux-meta-lts-xenial (Ubuntu Xenial):
status: Fix Committed → Fix Released
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1738259
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.