Автор Тема: При загрузке [Firmware Bug]: TSC_DEADLINE please update microcode to 0x22  (Прочитано 1791 раз)

Оффлайн Speccyfighter

  • Мастер
  • ***
  • Сообщений: 9 953
Устанавливать firmware-intel-ucode из p10/сизифа в систему на p9, есть смысл

Текущее в системе на p9
# rpm -q firmware-intel-ucode
firmware-intel-ucode-8-alt1.20190312.noarch
# grep 'model name\|bugs' /proc/cpuinfo | head -n 2
model name : Intel(R) Core(TM) i3-5005U CPU @ 2.00GHz
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit srbds
# grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
/sys/devices/system/cpu/vulnerabilities/srbds:Vulnerable: No microcode
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected

И с обновлением ревизии микрокода
# rpm -Uhv ./firmware-intel-ucode-16-alt1.20210608.noarch.rpm
Подготовка...                              ##### [100%]
Обновление / установка...
1: firmware-intel-ucode-2:16-alt1.20210608 ##### [ 50%]
Очистка / удаление...
2: firmware-intel-ucode-2:8-alt1.20190312  ##### [100%]
Running /usr/lib/rpm/posttrans-filetriggers
[00:00:00] Config file: /etc/initrd.mk
[00:00:00] Generating module dependencies on host ...
[00:00:05] Creating initrd image ...
[00:00:08] Putting modules ...
[00:00:08] Generating module dependencies in image ...
[00:00:09] Sorting sysvinit services ...
[00:00:09] Packing image to archive ...
[00:00:09] Writing build info files ...
[00:00:09] Compressing image ...
[00:00:21] Adding CPU microcode ...
[00:00:21] Used features:  add-modules buildinfo cleanup compress depmod-image kbd network rdshell rootfs system-glibc ucode
[00:00:21] Packed modules: af_packet ahci crc16 crc32c_generic crc32c-intel crc-ccitt drm drm_kms_helper evdev ext4 hid hid-generic i2c-algo-bit i915 input-leds intel-gtt ipv6 jbd2 libahci libata mbcache scsi_mod sd_mod serio_raw uas usb-storage video xhci-hcd xhci-pci
[00:00:21] Installing image ...
[00:00:21] Unpacked size: 36M
[00:00:21] Image size: 9,0M
[00:00:21] Removing work directory ...
[00:00:21] Image is saved as /boot/initrd-5.4.128-std-def-alt1.img
# reboot

некоторые уязвимости смягчаются пакетом из p10/сизифа (в p9 она уже устаревшая, несмотря на то, что поддержка p9 заканчивается 20 декабря 2022 года)
# grep -A9 'grep . /sys' firmware-intel-ucode.txt # до обновления
# grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
/sys/devices/system/cpu/vulnerabilities/srbds:Vulnerable: No microcode
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
# grep . /sys/devices/system/cpu/vulnerabilities/* # после обновления сизифным микрокодом
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
/sys/devices/system/cpu/vulnerabilities/srbds:Mitigation: Microcode
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
# diff firmware-intel-ucode-20190312.txt firmware-intel-ucode-20210608.txt
3c3
< /sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
---
> /sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT vulnerable
8c8
< /sys/devices/system/cpu/vulnerabilities/srbds:Vulnerable: No microcode
---
> /sys/devices/system/cpu/vulnerabilities/srbds:Mitigation: Microcode
# grep PRETTY -B1 /etc/os-release
VERSION_ID=p9
PRETTY_NAME="ALT Starterkit (Hypericum)"

$ grep 'model name\|microcode' /proc/cpuinfo | head -n 2
model name : Intel(R) Core(TM) i3-5005U CPU @ 2.00GHz
microcode : 0x2f
# dmesg | grep microcode: | grep revision
[    0.000000] microcode: microcode updated early to revision 0x2f, date = 2019-11-12
[    0.675889] microcode: sig=0x306d4, pf=0x40, revision=0x2f


Но если это лайв, то заметно хуже, - микрокода-то в full.cz нет и ревизия микрокода не 0x2f (p10/sisyphus), а 0x1d
# grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Mitigation: VMX unsupported
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/srbds:Vulnerable: No microcode
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
$ dmesg | grep microcode: | grep revision
[    1.255356] microcode: sig=0x306d4, pf=0x40, revision=0x1d
$ grep 'model name\|microcode' /proc/cpuinfo | head -n 2
model name : Intel(R) Core(TM) i3-5005U CPU @ 2.00GHz
microcode : 0x1d

Оффлайн Skull

  • Глобальный модератор
  • *****
  • Сообщений: 19 174
    • Домашняя страница
    • Email
288217 BUILDING #1 [locked] p9 firmware-intel-ucode.git=16-alt1.20210608
Андрей Черепанов (cas@)

Оффлайн Speccyfighter

  • Мастер
  • ***
  • Сообщений: 9 953
288217 BUILDING #1 [locked] p9 firmware-intel-ucode.git=16-alt1.20210608

Спасибо, Андрей.
Вижу:
http://git.altlinux.org/tasks/288217/
« Последнее редактирование: 27.10.2021 15:55:38 от Speccyfighter »

Оффлайн trs

  • Давно тут
  • **
  • Сообщений: 194
При загрузке системы выдает    [0.038898] [Firmware Bug]: TSC_DEADLINE disabled due to Errata; please update microcode to version: 0x22 (or later)

На что это влияет, можно посмотреть командой
dmesg | egrep 'clocksource|tsc'Вероятно, в выводе будет что-то вроде
tsc: Marking TSC unstabletime stamp counter (счётчик тактов процессора) и без того нередко помечается как нестабильный, а когда-то и без него прекрасно жили. Он обеспечивает "микроскопическую" точность часов, которая в быту не требуется.

Оффлайн yaleks

  • Мастер
  • ***
  • Сообщений: 6 115
Он обеспечивает "микроскопическую" точность часов, которая в быту не требуется.
а как же утечки по сторонним каналам и отравление кэша? Для них он очень нужен  ;-)