Устанавливать firmware-intel-ucode из p10/сизифа в систему на p9, есть смысл
Текущее в системе на p9
# rpm -q firmware-intel-ucode
firmware-intel-ucode-8-alt1.20190312.noarch
# grep 'model name\|bugs' /proc/cpuinfo | head -n 2
model name : Intel(R) Core(TM) i3-5005U CPU @ 2.00GHz
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit srbds
# grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
/sys/devices/system/cpu/vulnerabilities/srbds:Vulnerable: No microcode
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
И с обновлением ревизии микрокода
# rpm -Uhv ./firmware-intel-ucode-16-alt1.20210608.noarch.rpm
Подготовка... ##### [100%]
Обновление / установка...
1: firmware-intel-ucode-2:16-alt1.20210608 ##### [ 50%]
Очистка / удаление...
2: firmware-intel-ucode-2:8-alt1.20190312 ##### [100%]
Running /usr/lib/rpm/posttrans-filetriggers
[00:00:00] Config file: /etc/initrd.mk
[00:00:00] Generating module dependencies on host ...
[00:00:05] Creating initrd image ...
[00:00:08] Putting modules ...
[00:00:08] Generating module dependencies in image ...
[00:00:09] Sorting sysvinit services ...
[00:00:09] Packing image to archive ...
[00:00:09] Writing build info files ...
[00:00:09] Compressing image ...
[00:00:21] Adding CPU microcode ...
[00:00:21] Used features: add-modules buildinfo cleanup compress depmod-image kbd network rdshell rootfs system-glibc ucode
[00:00:21] Packed modules: af_packet ahci crc16 crc32c_generic crc32c-intel crc-ccitt drm drm_kms_helper evdev ext4 hid hid-generic i2c-algo-bit i915 input-leds intel-gtt ipv6 jbd2 libahci libata mbcache scsi_mod sd_mod serio_raw uas usb-storage video xhci-hcd xhci-pci
[00:00:21] Installing image ...
[00:00:21] Unpacked size: 36M
[00:00:21] Image size: 9,0M
[00:00:21] Removing work directory ...
[00:00:21] Image is saved as /boot/initrd-5.4.128-std-def-alt1.img
# reboot
некоторые уязвимости смягчаются пакетом из p10/сизифа (в p9 она уже устаревшая, несмотря на то, что поддержка p9 заканчивается 20 декабря 2022 года)
# grep -A9 'grep . /sys' firmware-intel-ucode.txt # до обновления
# grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
/sys/devices/system/cpu/vulnerabilities/srbds:Vulnerable: No microcode
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
# grep . /sys/devices/system/cpu/vulnerabilities/* # после обновления сизифным микрокодом
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
/sys/devices/system/cpu/vulnerabilities/srbds:Mitigation: Microcode
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
# diff firmware-intel-ucode-20190312.txt firmware-intel-ucode-20210608.txt
3c3
< /sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
---
> /sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT vulnerable
8c8
< /sys/devices/system/cpu/vulnerabilities/srbds:Vulnerable: No microcode
---
> /sys/devices/system/cpu/vulnerabilities/srbds:Mitigation: Microcode
# grep PRETTY -B1 /etc/os-release
VERSION_ID=p9
PRETTY_NAME="ALT Starterkit (Hypericum)"
$ grep 'model name\|microcode' /proc/cpuinfo | head -n 2
model name : Intel(R) Core(TM) i3-5005U CPU @ 2.00GHz
microcode : 0x2f
# dmesg | grep microcode: | grep revision
[ 0.000000] microcode: microcode updated early to revision 0x2f, date = 2019-11-12
[ 0.675889] microcode: sig=0x306d4, pf=0x40, revision=0x2f
Но если это лайв, то заметно хуже, - микрокода-то в full.cz нет и ревизия микрокода не 0x2f (p10/sisyphus), а 0x1d
# grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Mitigation: VMX unsupported
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/srbds:Vulnerable: No microcode
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
$ dmesg | grep microcode: | grep revision
[ 1.255356] microcode: sig=0x306d4, pf=0x40, revision=0x1d
$ grep 'model name\|microcode' /proc/cpuinfo | head -n 2
model name : Intel(R) Core(TM) i3-5005U CPU @ 2.00GHz
microcode : 0x1d