====== FreeBSD - Processor microcode update ======
[[https://www.thomas-krenn.com/de/wiki/Intel_Microcode_unter_FreeBSD_aktualisieren#Variante_2:_Update_via_cpupdate|Updating Intel microcode under FreeBSD - Variant 2: update via cpupdate]]
===== FreeBSD 12.1 =====
==== Installing cpupdate ====
Install ''cpupdate'', then download and convert the microcode files:
> portsnap auto
...
Building new INDEX files... done.
> cd /usr/ports
> make search name=cpupdate
Port: cpupdate-g20180513_2
Path: /usr/ports/sysutils/cpupdate
Info: CPU microcode update utility for x86
Maint: eugen@FreeBSD.org
B-deps:
R-deps:
WWW: https://github.com/kernschmelze/cpupdate
> cd /usr/ports/sysutils/cpupdate/
> make clean
> make config-recursive
> make
> make install
> make install-microcodes
''cpupdate'' needs the ''cpuctl'' kernel module (it writes the microcode through ''/dev/cpuctl*''); load it now, load it on every boot, and enable the rc script so the update is re-applied after each reboot:
> kldload cpuctl
> kldstat | fgrep cpuctl
> echo 'cpuctl_load="YES"' >> /boot/loader.conf
> echo 'cpupdate_enable="YES"' >> /etc/rc.conf.d/cpupdate
==== CPU check before the patch ====
CPU microcode info:
> cpupdate -i
Found CPU(s) from Intel
Core 0 to 11: CPUID: a0653 Fam 06 Mod a5 Step 03 Flag 02 uCode 000000cc
...the CPU model is "Fam 06 Mod a5 Step 03", so the microcode file named ''06-a5-03'' (Intel's naming: family-model-stepping, each in hex) is the right one for this CPU.
At this point (//unpatched CPU//, i.e. whatever revision the firmware loaded at boot) microcode revision **''0xcc''** is reported.
# /root/spectre_meltdown_checker.sh
Spectre and Meltdown mitigation detection tool v0.37+
Checking for vulnerabilities on current system
Kernel is FreeBSD 12.1-RELEASE-p10 FreeBSD 12.1-RELEASE-p10 #6 r366792M: Sun Oct 18 15:17:47 MEST 2020 root@freebsd12.lan:/usr/obj/usr/src/amd64.amd64/sys/MYKERNEL amd64
CPU is Intel(R) Core(TM) i5-10600T CPU @ 2.40GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: YES
* CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: YES
* CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: YES
* CPU indicates STIBP capability: YES (Intel STIBP feature bit)
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: YES
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: YES
/root/spectre_meltdown_checker.sh: else:: not found
YES (But not in all CPUs)
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): YES
* CPU microcode is known to cause stability problems: NO (model 165 stepping 3 ucode 0xcc cpuid 0xa0653)
* CPU vulnerability to the three speculative execution attack variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: NO
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> STATUS: VULNERABLE (no mitigation for BSD yet)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Kernel supports IBRS: YES
* IBRS enabled and active: NO
* Mitigation 2
* Kernel compiled with RETPOLINE: UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
> STATUS: VULNERABLE (IBRS is supported but administratively disabled on your system)
> How to fix: To enable IBRS, use `sysctl hw.ibrs_disable=0`
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: NO
* Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
A false sense of security is worse than no security at all, see --disclaimer
==== CPU check after the patch ====
> /usr/local/etc/rc.d/cpupdate start
Starting cpupdate.
Found CPU(s) from Intel
No updating error. Registering CPU features
Successfully registered new CPU features
hw.ibrs_disable: 1 -> 0
CPU microcode info:
> cpupdate -i
Found CPU(s) from Intel
Core 0 to 11: CPUID: a0653 Fam 06 Mod a5 Step 03 Flag 02 uCode 000000e0
Now (//patched CPU//) microcode revision **''0xe0''** is reported. The new revision lives only in the running CPU and is gone after every reset, which is why ''cpupdate_enable="YES"'' above re-applies it on each boot. When reading the checker output below, keep in mind that it decides "IBRS enabled and active" from ''sysctl hw.ibrs_active''; on a CPU that advertises IBRS_ALL (enhanced IBRS, as this one does) FreeBSD sets the IBRS bit in ''SPEC_CTRL'' once when ''hw.ibrs_disable'' is 0 rather than reporting it through ''hw.ibrs_active'', so the "microcode lacks support" verdict should not be taken at face value. Verify with ''sysctl hw.ibrs_disable'' (must be 0, as printed by the rc script) together with the ARCH_CAPABILITIES / IBRS_ALL lines of the hardware check.
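The two manual steps above (reading family/model/stepping off ''cpupdate -i'' to pick the ''06-a5-03'' file, and comparing the loaded revision before and after the update) can be scripted. The following is an added example, not part of the original page or of the cpupdate project: it parses the two ''cpupdate -i'' outputs shown on this page (embedded here as constructed sample strings so it runs offline with any POSIX sh and awk) and reports whether the revision went up. The function names ''ucode_file'', ''ucode_rev'' and ''rev_increased'' are this example's own.

```sh
#!/bin/sh
# Added example (not from the original page): derive the Intel microcode
# file name from `cpupdate -i` output and confirm the loaded revision grew.
# BEFORE/AFTER are the outputs quoted on this page, embedded as constructed
# samples; on a real box replace them with `cpupdate -i` itself.

BEFORE='Found CPU(s) from Intel
Core 0 to 11: CPUID: a0653 Fam 06 Mod a5 Step 03 Flag 02 uCode 000000cc'

AFTER='Found CPU(s) from Intel
Core 0 to 11: CPUID: a0653 Fam 06 Mod a5 Step 03 Flag 02 uCode 000000e0'

# ucode_file: print the Intel microcode file name (FF-MM-SS, hex) for the
# first CPUID line of `cpupdate -i` output read from stdin.
ucode_file() {
    awk '/CPUID:/ {
        for (i = 1; i < NF; i++) {
            if ($i == "Fam")  fam  = $(i + 1)
            if ($i == "Mod")  mod  = $(i + 1)
            if ($i == "Step") step = $(i + 1)
        }
        printf "%s-%s-%s\n", fam, mod, step
        exit
    }'
}

# ucode_rev: print the loaded microcode revision as 0x<hex>, leading zeros
# stripped (cpupdate prints it zero-padded to 8 digits).
ucode_rev() {
    awk '/uCode/ {
        for (i = 1; i < NF; i++)
            if ($i == "uCode") rev = $(i + 1)
        sub(/^0+/, "", rev)
        printf "0x%s\n", (rev == "" ? "0" : rev)
        exit
    }'
}

# rev_increased OLD NEW: succeed when NEW is numerically greater than OLD.
# Both are 0x-prefixed strings; shell arithmetic parses them as C constants.
rev_increased() {
    [ "$(( $2 ))" -gt "$(( $1 ))" ]
}

file_before=$(printf '%s\n' "$BEFORE" | ucode_file)
file_after=$(printf '%s\n' "$AFTER"  | ucode_file)
rev_before=$(printf '%s\n' "$BEFORE" | ucode_rev)
rev_after=$(printf '%s\n' "$AFTER"   | ucode_rev)

printf 'microcode file: %s   loaded revision: %s -> %s\n' \
    "$file_before" "$rev_before" "$rev_after"

# Same CPU model in both samples and a higher revision afterwards means the
# update took; anything else deserves a look before trusting the checker.
if [ "$file_before" = "$file_after" ] && rev_increased "$rev_before" "$rev_after"; then
    echo "update applied"
else
    echo "revision did not increase, update not applied?" >&2
fi
```

On the live system the same functions work as ''cpupdate -i | ucode_file'' and ''cpupdate -i | ucode_rev''; run the second one before and after ''service cpupdate start'' and feed both values to ''rev_increased''. Note that a revision that does not change is not automatically an error: if the firmware already carried the newest revision, cpupdate has nothing to do.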
# /root/bin/spectre_meltdown_checker.sh
Spectre and Meltdown mitigation detection tool v0.37+
Checking for vulnerabilities on current system
Kernel is FreeBSD 12.1-RELEASE-p10 FreeBSD 12.1-RELEASE-p10 #6 r366792M: Sun Oct 18 15:17:47 MEST 2020 root@freebsd12.lan:/usr/obj/usr/src/amd64.amd64/sys/MYKERNEL amd64
CPU is Intel(R) Core(TM) i5-10600T CPU @ 2.40GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: YES
* CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: YES
* CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: YES
* CPU indicates STIBP capability: YES (Intel STIBP feature bit)
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: YES
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: YES
/root/bin/spectre_meltdown_checker.sh: else:: not found
YES (But not in all CPUs)
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): YES
* CPU microcode is known to cause stability problems: NO (model 165 stepping 3 ucode 0xe0 cpuid 0xa0653)
* CPU vulnerability to the three speculative execution attack variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: NO
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> STATUS: VULNERABLE (no mitigation for BSD yet)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Kernel supports IBRS: YES
* IBRS enabled and active: NO
* Mitigation 2
* Kernel compiled with RETPOLINE: UNKNOWN (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
> STATUS: VULNERABLE (IBRS is supported by your kernel but your CPU microcode lacks support)
> How to fix: The microcode of your CPU needs to be upgraded to be able to use IBRS. Availability of a microcode update for you CPU model depends on your CPU vendor.
You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section).
To do a microcode update, you can search the ports for the `cpupdate` tool. Microcode updates done this way are not reboot-proof,
so be sure to do it every time the system boots up.
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: NO
* Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
A false sense of security is worse than no security at all, see --disclaimer