Intel Microcode 64bit Updates & howto

Moderator: Forum moderators

ozsouth
Posts: 1588
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 246 times
Been thanked: 711 times

Intel Microcode 64bit Updates & howto

Post by ozsouth »

NOTE: As of 2023, many (all?) woof-ce built Puppies contain their own microcode files.

A. I have made a 64bit Intel microcode file, offering some protection against Meldown/Spectre etc issues.
Needs to be used in conjunction with a kernel with Meltdown/Spectre mitigation for effective protection.
For usage guide, see section B below. Released 08Aug2023. Tested OK in s15pup64-22.12. Use at own risk.
Is here: https://www.mediafire.com/file/19i3o8uc ... .cpio/file
I apologise if any ads shown at Mediafire links are inappropriate.

B. How to use microcode-update-(x)-64.cpio files in Puppy on 64bit UEFI systems:

EFI folder structure - on boot partition (I use folder micd, as in examples below):
/EFI/BOOT/micd .cpio file goes in folder micd, on same level as folders with initrd.gz

if grub bootloader, initrd line:
initrd /EFI/BOOT/micd/microcode-update-(x)-64.cpio /EFI/BOOT/(folder)/initrd.gz

if syslinux bootloader, initrd line:
initrd micd/microcode-update-(x)-64.cpio,(folder)/initrd.gz

Last edited by ozsouth on Tue Aug 15, 2023 12:45 pm, edited 22 times in total.
ozsouth
Posts: 1588
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 246 times
Been thanked: 711 times

Re: Microcode 64bit Updates & howto

Post by ozsouth »

I'm concerned about 'checker' programs' results. I have a celeron n3350, which all the checker programs say is vulnerable to spectre 3a & not mitigated by microcode (nor will be). However, from Intel's own list, dated Jan 2021, n3350 is 'Not Affected' by 3a!
List here: https://software.intel.com/security-sof ... -cpu-model

Attachments
n3350-notaffected.jpg
n3350-notaffected.jpg (55.58 KiB) Viewed 9958 times
user1111

Re: Microcode 64bit Updates & howto

Post by user1111 »

Isn't Spectre/Meltdown attack vectors rather hit and miss, there are far easier ways/things to attack. Most browsers adjusted their clocks after S/M that largely mitigates attacks. OpenBSD opted to turn off SMP and drop to single core that equally negates the risk.

If you're running a browser even as spot on a system that shares the same X session and has other root windows open, then that is a vastly more likely attack surface.

User avatar
peebee
Posts: 1646
Joined: Mon Jul 13, 2020 10:54 am
Location: Worcestershire, UK
Has thanked: 158 times
Been thanked: 724 times
Contact:

Re: Intel Microcode 64bit Updates & howto

Post by peebee »

Builder of LxPups, SPups, UPup32s, VoidPups; LXDE, LXQt, Xfce addons; Chromium, Firefox etc. sfs; & Kernels

ozsouth
Posts: 1588
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 246 times
Been thanked: 711 times

Checker - Intel Microcode 64bit

Post by ozsouth »

There is a test script to see if early loading microcode is working, here:
https://github.com/speed47/spectre-melt ... master.zip

Unzip this in a folder (your folder), then in a terminal (full screen) run

Code: Select all

cd /(your folder)/spectre-meltdown-checker-master

, then run

Code: Select all

./spectre-meltdown-checker.sh

All green at the bottom is the desired result.

Last edited by ozsouth on Thu May 19, 2022 11:24 pm, edited 2 times in total.
User avatar
gychang
Posts: 596
Joined: Fri Aug 28, 2020 4:51 pm
Location: San Diego, CA
Has thanked: 208 times
Been thanked: 64 times

Re: Intel Microcode 64bit Updates & howto

Post by gychang »

ozsouth wrote: Wed Nov 11, 2020 8:27 am

How to use microcode-update-(x)-64.cpio files in Puppy on 64bit UEFI systems:

EFI folder structure - on boot partition (I use folder micd, as in examples below):
/EFI/BOOT/micd .cpio file goes in folder micd, on same level as folders with initrd.gz

if grub bootloader, initrd line:
initrd /EFI/BOOT/micd/microcode-update-(x)-64.cpio /EFI/BOOT/(folder)/initrd.gz

if syslinux bootloader, initrd line:
initrd micd/microcode-update-(x)-64.cpio,(folder)/initrd.gz

1. am unsure exactly where the file should go on my UEFI PC. I am running FP64 with intel 7 CPU. my boot loader is sda1 as seen, but my initrd.gz is in sda2/FP64/ (a USB stick)
2. does it matter if I had installed intel-microcode using PPM before?

Attachments
FP-2022-02-09-1644413875_screenshot_1360x768.jpg
FP-2022-02-09-1644413875_screenshot_1360x768.jpg (25.63 KiB) Viewed 9573 times

======

Puppy Bytes, utube videos
https://www.youtube.com/channel/UCg-DUU ... u62_iqR-MA

======

User avatar
mikewalsh
Moderator
Posts: 6185
Joined: Tue Dec 03, 2019 1:40 pm
Location: King's Lynn, UK
Has thanked: 803 times
Been thanked: 1994 times

Re: Intel Microcode 64bit Updates & howto

Post by mikewalsh »

@ozsouth :-

Oz, does it make any difference whether you're running AS UEFI OR in 'legacy' mode? I take it this applies to the hardware itself, yes, regardless of actual boot method..?

I'm assuming this would work with Fossapup's default kernel, since PupSysInfo shows this about it:-

Code: Select all

itlb_multihit:KVM: Vulnerable
l1tf:Mitigation: PTE Inversion
mds:Mitigation: Clear CPU buffers; SMT vulnerable
meltdown:Mitigation: PTI
spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
swapgs barriers and __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
srbds:Vulnerable: No microcode
tsx_async_abort:Not affected

.....and does anything else need to be installed first.....BEFORE applying this update?

:?: :?:

(This is for a Pentium 'Gold' G5400, 8th-gen 'Coffee Lake'...)

Mike. ;)

ozsouth
Posts: 1588
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 246 times
Been thanked: 711 times

Re: Intel Microcode 64bit Updates & howto

Post by ozsouth »

@gychang - I would make a folder under EFI named micd & put the .cpio file in there. Then you would have to reference it exactly in your grub.cfg as in the 1st post. As I'm not sure how the ppm installed your old .cpio, I would uninstall it and ensure grub.cfg only references the new one.

@mikewalsh - I've set this as an early-load option, so the mode shouldn't matter, just the manner of referencing the .cpio changes according to your bootloader. I haven't looked at very new bootloaders (just syslinux & grub), so there may be syntax changes needed in the future. Nothing needed other than the .cpio now.

NOTE: There is a test script to see if it's working - see here:
viewtopic.php?p=49488#p49488

Last edited by ozsouth on Thu May 19, 2022 11:25 pm, edited 1 time in total.
User avatar
mikewalsh
Moderator
Posts: 6185
Joined: Tue Dec 03, 2019 1:40 pm
Location: King's Lynn, UK
Has thanked: 803 times
Been thanked: 1994 times

Re: Intel Microcode 64bit Updates & howto

Post by mikewalsh »

@ozsouth :-

Oz, is this usable with Grub4DOS? That's what I use throughout the kennels, and don't really want to switch bootloaders simply to use this, y'see....

Just wondering where to place it.

With the 'checker' program, I have solid greens, except for one red....and that's "CVE-2020-0543":-

https://cve.circl.lu/cve/CVE-2020-0543

According to the 'checker', there IS no microcode 'fix' for this one, so what d'you reckon? Should I bother with it, or not? :?:

Mike. ;)

ozsouth
Posts: 1588
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 246 times
Been thanked: 711 times

Re: Intel Microcode 64bit Updates & howto

Post by ozsouth »

@mikewalsh - you should be able to edit your grub.cfg as per 1st post, but you're pretty well covered, so it
may not make much difference. Perhaps try if you feel adventurous - I'd be interested to know if it helps.

User avatar
mikewalsh
Moderator
Posts: 6185
Joined: Tue Dec 03, 2019 1:40 pm
Location: King's Lynn, UK
Has thanked: 803 times
Been thanked: 1994 times

Re: Intel Microcode 64bit Updates & howto

Post by mikewalsh »

@ozsouth :-

ozsouth wrote: Thu Feb 10, 2022 12:56 pm

@mikewalsh - you should be able to edit your grub.cfg as per 1st post, but you're pretty well covered, so it
may not make much difference. Perhaps try if you feel adventurous - I'd be interested to know if it helps.

Mm. Oh, I may.....I may not. If I do, the thing I need to know is whether Grub4DOS's 'menu.lst' will edit same as GRUB2's 'grub.cfg'. Still, I guess it should, so long as I point the initrd.gz line AT the thing, yes?

I don't suppose it matters too much where the /micd directory goes, does it.....so long as the init line points to it, and in the right sequence. I.e., it wants loading just before the initrd.gz, yes?

------ (later) ------------------

Let me just run this by you, OK? Using your directions as a template, this is my Grub4DOS 'menu.lst' entry for jrb's 'lite' spin on Barry's old Quirky April64, where I'm running Fossapup's k5.4.53 kernel (very sweetly, I might add).

  • Sda1 is the FAT32-formatted 'boot' partition (remember, although I run in 'legacy' mode, this IS a modern rig with UEFI as opposed to BIOS) with the Grub4DOS bootloader stuff on it.

  • The kennels is sda2, with multiple sub-directories; I've created /micd in Quirky's sub-directory, and placed the .cpio file inside it. This puts it at the same level as Quirky's initrd.gz.

Code: Select all

title Quirky April 64 'lite' (sda2/Quirky7_64_lite)
  find --set-root uuid () b142cd08-ce81-413e-b963-12b393d8eaa3
  kernel /Quirky7_64_lite/vmlinuz  pdrv=b142cd08-ce81-413e-b963-12b393d8eaa3  psubdir=/Quirky7_64_lite pmedia=satahd pfix=fsckp
  initrd /Quirky7_64_lite/micd/microcode-update-20220207.cpio /Quirky7_64_lite/initrd.gz

Look about right to you?

Mike. ;)

ozsouth
Posts: 1588
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 246 times
Been thanked: 711 times

Re: Intel Microcode 64bit Updates & howto

Post by ozsouth »

@mikewalsh - that looks about right. BTW would you please delete my 3 empty posts on page 1 of the thread.
I'm adopting the standard 'see first post' format now.

User avatar
mikewalsh
Moderator
Posts: 6185
Joined: Tue Dec 03, 2019 1:40 pm
Location: King's Lynn, UK
Has thanked: 803 times
Been thanked: 1994 times

Re: Intel Microcode 64bit Updates & howto

Post by mikewalsh »

ozsouth wrote: Thu Feb 10, 2022 10:27 pm

@mikewalsh - that looks about right. BTW would you please delete my 3 empty posts on page 1 of the thread.
I'm adopting the standard 'see first post' format now.

Uh-huh. Okay; well, I'll fire it up with that modded initrd line tomorrow - I'll backup first, of course! - and we'll see what's what. :thumbup:

BTW; I've removed those three empty posts for you, as requested.

Mike. ;)

User avatar
mikewalsh
Moderator
Posts: 6185
Joined: Tue Dec 03, 2019 1:40 pm
Location: King's Lynn, UK
Has thanked: 803 times
Been thanked: 1994 times

Re: Intel Microcode 64bit Updates & howto

Post by mikewalsh »

@ozsouth :-

It's running fine, Oz. Seems quite happy. I enabled it & re-booted last night before turning-in, and I've just powered-up from an overnight suspend.....no issues.

Basically, nowt to report! As you say; I was pretty much covered anyway.....

Mike. :thumbup:

User avatar
Marv
Posts: 454
Joined: Fri Dec 20, 2019 3:09 am
Has thanked: 215 times
Been thanked: 122 times

Re: Intel Microcode 64bit Updates & howto

Post by Marv »

The early microcode loading should show up in dmesg:

Code: Select all

# dmesg | grep -i microcode
[    0.000000] microcode: microcode updated early to revision 0x2f, date = 2019-02-17
[    0.895169] microcode: sig=0x206a7, pf=0x10, revision=0x2f
[    0.895241] microcode: Microcode Update Driver: v2.2.

That shows the actual code date on what intel has provided for your processor, not the overall code package date. The 2nd gen i5 hasn't been updated by intel since 2019 though there have been several package updates since then.

My pups: LxPupSc64 and Voidpup64 with LXDE ydrv and synaptics touchpad drivers, both using small savefiles for customizations. Ydrv based NoblePup64 and Fossapup64-small (both LXDE/PCManFM with no savefiles). No fdrvs throughout. :thumbup2:

ozsouth
Posts: 1588
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 246 times
Been thanked: 711 times

Update Intel Microcode 64bit

Post by ozsouth »

.

Last edited by ozsouth on Thu Feb 16, 2023 11:27 am, edited 1 time in total.
User avatar
Jasper
Posts: 2097
Joined: Wed Sep 07, 2022 1:20 pm
Has thanked: 858 times
Been thanked: 490 times

Re: Intel Microcode 64bit Updates & howto

Post by Jasper »

@ozsouth

Firstly, thanks for the update.

I am using your latest 6x kernel installed on a USB drive.

Last edited by Jasper on Thu Nov 10, 2022 4:34 pm, edited 2 times in total.
User avatar
Jasper
Posts: 2097
Joined: Wed Sep 07, 2022 1:20 pm
Has thanked: 858 times
Been thanked: 490 times

Re: Intel Microcode 64bit Updates & howto

Post by Jasper »

@ozsouth

Apologies, I did not follow your instructions correctly and read the thread again.

It works perfectly :thumbup2:

ozsouth
Posts: 1588
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 246 times
Been thanked: 711 times

Updt Intel Microcode 64bit

Post by ozsouth »

New intel microcode file released 15 Feb 2023 - see first post.

User avatar
Jasper
Posts: 2097
Joined: Wed Sep 07, 2022 1:20 pm
Has thanked: 858 times
Been thanked: 490 times

Re: Intel Microcode 64bit Updates & howto

Post by Jasper »

@ozsouth

Thanks once again for the update :thumbup:

User avatar
Jasper
Posts: 2097
Joined: Wed Sep 07, 2022 1:20 pm
Has thanked: 858 times
Been thanked: 490 times

Re: Intel Microcode 64bit Updates & howto

Post by Jasper »

@ozsouth

Any chance of an update?

microcode-20230512 Release

ozsouth
Posts: 1588
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 246 times
Been thanked: 711 times

Re: Intel Microcode 64bit Updates & howto

Post by ozsouth »

New version 16 May 2023. See first post.

User avatar
Jasper
Posts: 2097
Joined: Wed Sep 07, 2022 1:20 pm
Has thanked: 858 times
Been thanked: 490 times

Re: Intel Microcode 64bit Updates & howto

Post by Jasper »

@ozsouth

Many thanks for this :thumbup:

User avatar
Jasper
Posts: 2097
Joined: Wed Sep 07, 2022 1:20 pm
Has thanked: 858 times
Been thanked: 490 times

Re: Intel Microcode 64bit Updates & howto

Post by Jasper »

@ozsouth

If you have some spare time, would it be possible to update this again please?

microcode-20230512-rev2 (Released 13-06-2023)

I have looked at the instructions at how to apply this previously but placing the bin files into the firmware file disappears each reboot.

Thanks in advance :thumbup:

ozsouth
Posts: 1588
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 246 times
Been thanked: 711 times

Intel Microcode 64bit Updates & howto

Post by ozsouth »

New microcode file 13/06/23 - see first post. @Jasper - check your pm.

User avatar
peebee
Posts: 1646
Joined: Mon Jul 13, 2020 10:54 am
Location: Worcestershire, UK
Has thanked: 158 times
Been thanked: 724 times
Contact:

Re: Intel Microcode 64bit Updates & howto

Post by peebee »

ozsouth wrote: Wed Nov 11, 2020 8:27 am

NOTE: As of 2023, many (all?) woof-ce built Puppies contain their own microcode files.

For clarification: not all - only 64-bit builds and only if _00build.conf contains UCODE_EXEC setting e.g.:
## ucode.cpio initial ram disk with CPU bugfixes
## build the microcode initrd to mitigate aganst cpu bugs like spectre/meltdown
## You can specify 'amd' or 'intel' as args to latest_microcode.sh
## comment out to exclude bulding ucode.cpio
#UCODE_EXEC=../support/latest_microcode.sh amd
#UCODE_EXEC=../support/latest_microcode.sh intel
UCODE_EXEC=../support/latest_microcode.sh

Builder of LxPups, SPups, UPup32s, VoidPups; LXDE, LXQt, Xfce addons; Chromium, Firefox etc. sfs; & Kernels

User avatar
Jasper
Posts: 2097
Joined: Wed Sep 07, 2022 1:20 pm
Has thanked: 858 times
Been thanked: 490 times

Re: Intel Microcode 64bit Updates & howto

Post by Jasper »

Thanks guys :thumbup2:

@peebee your rolling updates are amazing and always up to the minute. Thanks for the information, :oops: I haven't managed to compile a kernel or a Woof-CE build as of yet, so your input is welcome ........... my last attempt I did use your kernel configuration and it compiled successfully (took an hour) but I realised the output was for a full install.

Kudos to you and I do appreciate the work undertaken.

User avatar
peebee
Posts: 1646
Joined: Mon Jul 13, 2020 10:54 am
Location: Worcestershire, UK
Has thanked: 158 times
Been thanked: 724 times
Contact:

Re: Intel Microcode 64bit Updates & howto

Post by peebee »

Jasper wrote: Wed Jun 21, 2023 5:30 pm

I haven't managed to compile a kernel or a Woof-CE build as of yet, so your input is welcome ........... my last attempt I did use your kernel configuration and it compiled successfully (took an hour) but I realised the output was for a full install.

Perhaps needs to be taken to another thread....
You used the Woof-CE kernel-kit?
You should end up with a zdrv and vmlinuz although with different names (kernel-modules-xxxx.sfs & vmlinuz-xxxx)
Not sure what you mean by "for a full install".....

Builder of LxPups, SPups, UPup32s, VoidPups; LXDE, LXQt, Xfce addons; Chromium, Firefox etc. sfs; & Kernels

ozsouth
Posts: 1588
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 246 times
Been thanked: 711 times

Updt Intel Microcode 64bit

Post by ozsouth »

New microcode file 08/08/23 - see first post.

User avatar
Jasper
Posts: 2097
Joined: Wed Sep 07, 2022 1:20 pm
Has thanked: 858 times
Been thanked: 490 times

Re: Intel Microcode 64bit Updates & howto

Post by Jasper »

.

Last edited by Jasper on Tue Nov 12, 2024 5:33 am, edited 1 time in total.
Post Reply

Return to “Security/Privacy”