Compared revisions of freebsd:freebsd_-_prozessor-microcode-update: [2020-11-20 09:41:49] manfred and [2025-08-10 01:34:02] (current) manfred
====== FreeBSD - Processor Microcode Update ======

[[https://www.thomas-krenn.com/de/wiki/Intel_Microcode_unter_FreeBSD_aktualisieren#Variante_2:_Update_via_cpupdate|Updating Intel microcode under FreeBSD - Variant 2: update via cpupdate]]


===== FreeBSD 12.1 =====


==== Installing cpupdate ====

Install ''cpupdate'', then download and convert the microcode files:
  > portsnap auto
  ...
  Building new INDEX files... done.
  
  > cd /usr/ports
  > make search name=cpupdate
  Port:   cpupdate-g20180513_2
  Path:   /usr/ports/sysutils/cpupdate
  Info:   CPU microcode update utility for x86
  Maint:  eugen@FreeBSD.org
  B-deps:
  R-deps:
  WWW:    https://github.com/kernschmelze/cpupdate
  
  > cd /usr/ports/sysutils/cpupdate/
  > make clean
  > make config-recursive
  > make
  > make install
  > make install-microcodes

''cpupdate'' requires the ''cpuctl'' kernel module. Load it now, make it load at boot, and enable the ''cpupdate'' rc service so the update is reapplied after every reboot (microcode loaded this way does not survive a reboot):
  > kldload cpuctl
  > kldstat | fgrep cpuctl
  
  > echo 'cpuctl_load="YES"' >> /boot/loader.conf

  > echo 'cpupdate_enable="YES"' >> /etc/rc.conf.d/cpupdate


==== Checking the CPU before the patch ====

CPU microcode information:
  > cpupdate -i
  Found CPU(s) from Intel
  Core 0 to 11: CPUID: a0653  Fam 06  Mod a5  Step 03  Flag 02 uCode 000000cc

The CPU model is "Fam 06  Mod a5  Step 03", so the microcode file named ''06-a5-03'' (family-model-stepping, in hex) is the right one for this CPU model.

Currently (//unpatched CPU//) microcode revision **''0xcc''** is reported.

<file bash>
# /root/spectre_meltdown_checker.sh 
Spectre and Meltdown mitigation detection tool v0.37+

Checking for vulnerabilities on current system
Kernel is FreeBSD 12.1-RELEASE-p10 FreeBSD 12.1-RELEASE-p10 #6 r366792M: Sun Oct 18 15:17:47 MEST 2020     root@freebsd12.lan:/usr/obj/usr/src/amd64.amd64/sys/MYKERNEL  amd64
CPU is Intel(R) Core(TM) i5-10600T CPU @ 2.40GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  YES 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  YES 
/root/spectre_meltdown_checker.sh: else:: not found
 YES  (But not in all CPUs)
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  YES 
  * CPU microcode is known to cause stability problems:  NO  (model 165 stepping 3 ucode 0xcc cpuid 0xa0653)
* CPU vulnerability to the three speculative execution attack variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  NO 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> STATUS:  VULNERABLE  (no mitigation for BSD yet)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel supports IBRS:  YES 
  * IBRS enabled and active:  NO 
* Mitigation 2
  * Kernel compiled with RETPOLINE:  UNKNOWN  (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
> STATUS:  VULNERABLE  (IBRS is supported but administratively disabled on your system)

> How to fix: To enable IBRS, use `sysctl hw.ibrs_disable=0`

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  NO 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer
</file>


==== Checking the CPU after the patch ====

  > /usr/local/etc/rc.d/cpupdate start
  Starting cpupdate.
  Found CPU(s) from Intel
  No updating error. Registering CPU features
  Successfully registered new CPU features
  hw.ibrs_disable: 1 -> 0

CPU microcode information:
  > cpupdate -i
  Found CPU(s) from Intel
  Core 0 to 11: CPUID: a0653  Fam 06  Mod a5  Step 03  Flag 02 uCode 000000e0

Now (//patched CPU//) the current microcode revision **''0xe0''** is reported. Note that the rc script also switched ''hw.ibrs_disable'' from 1 to 0, which is the IBRS fix the checker asked for in the run above.
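As an added example (not from this wiki page or from the cpupdate project), the following POSIX sh functions do by hand what the two ''cpupdate -i'' readings show: decode the CPUID signature ''a0653'' into the Fam/Mod/Step triple that names the microcode file ''06-a5-03'', and confirm that the revision moved from ''0xcc'' to ''0xe0''. The sample lines are constructed from this page's output; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of cpupdate. Decodes the CPUID
# signature printed by `cpupdate -i` and compares the microcode revision
# before and after an update. Function names are assumptions of this example.

# Intel CPUID signature (leaf 1, EAX): bits 0-3 stepping, 4-7 model,
# 8-11 family, 16-19 extended model, 20-27 extended family. The displayed
# model is (ext_model << 4) | model for family 6 and 15; ext_family is only
# added when the base family is 15. Prints "FF-MM-SS" in hex, e.g. 06-a5-03.
ucode_name_from_sig() {
    sig=$(( 0x$1 ))
    step=$(( sig & 0xf ))
    model=$(( (sig >> 4) & 0xf ))
    fam=$(( (sig >> 8) & 0xf ))
    ext_model=$(( (sig >> 16) & 0xf ))
    ext_fam=$(( (sig >> 20) & 0xff ))
    if [ "$fam" -eq 15 ]; then fam=$(( fam + ext_fam )); fi
    if [ "$fam" -eq 6 ] || [ "$fam" -ge 15 ]; then
        model=$(( (ext_model << 4) | model ))
    fi
    printf '%02x-%02x-%02x\n' "$fam" "$model" "$step"
}

# Extracts signature and uCode revision from one `cpupdate -i` core line and
# prints "<file name> <revision>", e.g. "06-a5-03 0xcc". Fails on other lines.
parse_cpupdate_line() {
    set -- $(printf '%s\n' "$1" |
        sed -n 's/.*CPUID: *\([0-9a-f]*\).*uCode *\([0-9a-f]*\).*/\1 \2/p')
    [ -n "$1" ] && [ -n "$2" ] || return 1
    printf '%s 0x%x\n' "$(ucode_name_from_sig "$1")" "$(( 0x$2 ))"
}

# Succeeds only if both lines describe the same CPU model and the revision
# in the second line is higher than in the first (2 = could not compare).
microcode_updated() {
    before=$(parse_cpupdate_line "$1") || return 2
    after=$(parse_cpupdate_line "$2") || return 2
    [ "${before% *}" = "${after% *}" ] || return 2
    [ $(( ${after#* } )) -gt $(( ${before#* } )) ]
}

# Constructed sample input, copied from the two readings shown on this page.
BEFORE='Core 0 to 11: CPUID: a0653  Fam 06  Mod a5  Step 03  Flag 02 uCode 000000cc'
AFTER='Core 0 to 11: CPUID: a0653  Fam 06  Mod a5  Step 03  Flag 02 uCode 000000e0'

if microcode_updated "$BEFORE" "$AFTER"; then
    echo "microcode for $(parse_cpupdate_line "$BEFORE" | cut -d' ' -f1) updated"
fi
```

On a live system the two lines would come from running ''cpupdate -i'' before and after ''/usr/local/etc/rc.d/cpupdate start''.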

<file bash>
# /root/bin/spectre_meltdown_checker.sh
Spectre and Meltdown mitigation detection tool v0.37+

Checking for vulnerabilities on current system
Kernel is FreeBSD 12.1-RELEASE-p10 FreeBSD 12.1-RELEASE-p10 #6 r366792M: Sun Oct 18 15:17:47 MEST 2020     root@freebsd12.lan:/usr/obj/usr/src/amd64.amd64/sys/MYKERNEL  amd64
CPU is Intel(R) Core(TM) i5-10600T CPU @ 2.40GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  YES 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  YES 
/root/bin/spectre_meltdown_checker.sh: else:: not found
 YES  (But not in all CPUs)
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  YES 
  * CPU microcode is known to cause stability problems:  NO  (model 165 stepping 3 ucode 0xe0 cpuid 0xa0653)
* CPU vulnerability to the three speculative execution attack variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  NO 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> STATUS:  VULNERABLE  (no mitigation for BSD yet)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel supports IBRS:  YES 
  * IBRS enabled and active:  NO 
* Mitigation 2
  * Kernel compiled with RETPOLINE:  UNKNOWN  (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
> STATUS:  VULNERABLE  (IBRS is supported by your kernel but your CPU microcode lacks support)

> How to fix: The microcode of your CPU needs to be upgraded to be able to use IBRS. Availability of a microcode update for you CPU model depends on your CPU vendor.
You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section).
To do a microcode update, you can search the ports for the `cpupdate` tool. Microcode updates done this way are not reboot-proof,
so be sure to do it every time the system boots up.

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  NO 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer
</file>
