FreeBSD - Processor Microcode Update

FreeBSD 12.1

Installing cpupdate

Install cpupdate, then download and convert the microcode files

> portsnap auto
...
Building new INDEX files... done.

> cd /usr/ports
> make search name=cpupdate
Port:   cpupdate-g20180513_2
Path:   /usr/ports/sysutils/cpupdate
Info:   CPU microcode update utility for x86
Maint:  eugen@FreeBSD.org
B-deps:
R-deps:
WWW:    https://github.com/kernschmelze/cpupdate

> cd /usr/ports/sysutils/cpupdate/
> make clean
> make config-recursive
> make
> make install
> make install-microcodes

cpupdate requires the kernel module "cpuctl":

> kldload cpuctl
> kldstat | fgrep cpuctl

> echo 'cpuctl_load="YES"' >> /boot/loader.conf
> echo 'cpupdate_enable="YES"' >> /etc/rc.conf.d/cpupdate

CPU check before the patch

CPU microcode info:

> cpupdate -i
Found CPU(s) from Intel
Core 0 to 11: CPUID: a0653  Fam 06  Mod a5  Step 03  Flag 02 uCode 000000cc

The CPU model is "Fam 06 Mod a5 Step 03", so the microcode file named 06-a5-03 is the correct one for this CPU model.

Currently (unpatched CPU) the reported microcode version is 0xcc.
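The following POSIX sh snippet is an added example and not part of this wiki page or of cpupdate itself. It does two things a defender wants to verify on such a machine: it derives the microcode file name (06-a5-03) and the loaded revision from a "cpupdate -i" line and compares the revision against an expected value, and it appends the loader.conf / rc.conf.d lines only when they are not already present, so repeated runs of the setup do not leave duplicate entries. The input lines are constructed copies of the output shown above; the expected revision 0xe0 is an assumption (the revision of the installed microcode file).

```sh
#!/bin/sh
# Added example (not from the wiki page or the cpupdate project).
# Parses "cpupdate -i" output lines and checks persistence of the
# cpuctl/cpupdate settings. Runs offline on constructed sample lines.

# ucode_file_from_line LINE -> prints the microcode file name, e.g. "06-a5-03"
ucode_file_from_line() {
    # Line format as printed by "cpupdate -i":
    # "Core 0 to 11: CPUID: a0653  Fam 06  Mod a5  Step 03  Flag 02 uCode 000000cc"
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "Fam")  fam  = $(i + 1)
            if ($i == "Mod")  mod  = $(i + 1)
            if ($i == "Step") step = $(i + 1)
        }
        if (fam != "" && mod != "" && step != "")
            printf "%s-%s-%s\n", fam, mod, step
    }'
}

# ucode_rev_from_line LINE -> prints the loaded revision as 0x<hex>, e.g. "0xcc"
ucode_rev_from_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i == "uCode") rev = $(i + 1)
        if (rev != "") {
            sub(/^0+/, "", rev)        # strip leading zeros: 000000cc -> cc
            if (rev == "") rev = "0"
            printf "0x%s\n", rev
        }
    }'
}

# ucode_is_current LINE EXPECTED_REV -> exit 0 if the loaded revision is
# at least EXPECTED_REV, 1 if it is older, 2 if the line could not be parsed
ucode_is_current() {
    have=$(ucode_rev_from_line "$1")
    [ -n "$have" ] || return 2
    # $(( )) accepts C-style hex constants, so 0xcc and 0xe0 compare numerically
    [ $(( $have )) -ge $(( $2 )) ]
}

# ensure_line FILE LINE -> append LINE to FILE only if not already present
# (idempotent replacement for a blind 'echo ... >> file')
ensure_line() {
    if [ -f "$1" ] && grep -qxF -- "$2" "$1"; then
        return 0
    fi
    printf '%s\n' "$2" >> "$1"
}

# Constructed sample lines (on a real host: cpupdate -i | grep Core)
BEFORE='Core 0 to 11: CPUID: a0653  Fam 06  Mod a5  Step 03  Flag 02 uCode 000000cc'
AFTER='Core 0 to 11: CPUID: a0653  Fam 06  Mod a5  Step 03  Flag 02 uCode 000000e0'
EXPECTED_REV=0xe0   # assumption: revision carried by the installed 06-a5-03 file

for line in "$BEFORE" "$AFTER"; do
    printf 'file %s, loaded rev %s: ' \
        "$(ucode_file_from_line "$line")" "$(ucode_rev_from_line "$line")"
    if ucode_is_current "$line" "$EXPECTED_REV"; then
        echo "current"
    else
        echo "needs update"
    fi
done
```

Because a microcode update applied by cpupdate does not survive a reboot, the persistence check matters as much as the revision check: run ensure_line against /boot/loader.conf with cpuctl_load="YES" and against /etc/rc.conf.d/cpupdate with cpupdate_enable="YES", and compare the revision printed by "cpupdate -i" after each boot with the one you expect.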

# /root/spectre_meltdown_checker.sh 
Spectre and Meltdown mitigation detection tool v0.37+
 
Checking for vulnerabilities on current system
Kernel is FreeBSD 12.1-RELEASE-p10 FreeBSD 12.1-RELEASE-p10 #6 r366792M: Sun Oct 18 15:17:47 MEST 2020     root@freebsd12.lan:/usr/obj/usr/src/amd64.amd64/sys/MYKERNEL  amd64
CPU is Intel(R) Core(TM) i5-10600T CPU @ 2.40GHz
 
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  YES 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  YES 
/root/spectre_meltdown_checker.sh: else:: not found
 YES  (But not in all CPUs)
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  YES 
  * CPU microcode is known to cause stability problems:  NO  (model 165 stepping 3 ucode 0xcc cpuid 0xa0653)
* CPU vulnerability to the three speculative execution attack variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  NO 
 
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> STATUS:  VULNERABLE  (no mitigation for BSD yet)
 
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel supports IBRS:  YES 
  * IBRS enabled and active:  NO 
* Mitigation 2
  * Kernel compiled with RETPOLINE:  UNKNOWN  (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
> STATUS:  VULNERABLE  (IBRS is supported but administratively disabled on your system)
 
> How to fix: To enable IBRS, use `sysctl hw.ibrs_disable=0`
 
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  NO 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
 
A false sense of security is worse than no security at all, see --disclaimer

CPU check after the patch

> /usr/local/etc/rc.d/cpupdate start
Starting cpupdate.
Found CPU(s) from Intel
No updating error. Registering CPU features
Successfully registered new CPU features
hw.ibrs_disable: 1 -> 0

CPU microcode info:

> cpupdate -i
Found CPU(s) from Intel
Core 0 to 11: CPUID: a0653  Fam 06  Mod a5  Step 03  Flag 02 uCode 000000e0

Now (patched CPU) the reported microcode version is 0xe0.

# /root/bin/spectre_meltdown_checker.sh
Spectre and Meltdown mitigation detection tool v0.37+
 
Checking for vulnerabilities on current system
Kernel is FreeBSD 12.1-RELEASE-p10 FreeBSD 12.1-RELEASE-p10 #6 r366792M: Sun Oct 18 15:17:47 MEST 2020     root@freebsd12.lan:/usr/obj/usr/src/amd64.amd64/sys/MYKERNEL  amd64
CPU is Intel(R) Core(TM) i5-10600T CPU @ 2.40GHz
 
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  YES 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  YES 
/root/bin/spectre_meltdown_checker.sh: else:: not found
 YES  (But not in all CPUs)
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  YES 
  * CPU microcode is known to cause stability problems:  NO  (model 165 stepping 3 ucode 0xe0 cpuid 0xa0653)
* CPU vulnerability to the three speculative execution attack variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  NO 
 
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> STATUS:  VULNERABLE  (no mitigation for BSD yet)
 
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel supports IBRS:  YES 
  * IBRS enabled and active:  NO 
* Mitigation 2
  * Kernel compiled with RETPOLINE:  UNKNOWN  (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))
> STATUS:  VULNERABLE  (IBRS is supported by your kernel but your CPU microcode lacks support)
 
> How to fix: The microcode of your CPU needs to be upgraded to be able to use IBRS. Availability of a microcode update for you CPU model depends on your CPU vendor.
You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section).
To do a microcode update, you can search the ports for the `cpupdate` tool. Microcode updates done this way are not reboot-proof,
so be sure to do it every time the system boots up.
 
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  NO 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
 
A false sense of security is worse than no security at all, see --disclaimer
Last modified by manfred