FreeBSD Errata Notices
2021-Feb-24 06:05 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-21:06.microcode
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================FreeBSD-EN-21:06.microcode Errata Notice The FreeBSD Project Topic: Boot-time microcode loading causes a boot hang Category: core Module: x86 Announced: 2021-02-24 Affects: FreeBSD 12.2 Corrected: 2021-02-19 20:57:34 UTC (stable/12, 12.2-STABLE) 2021-02-24 01:43:50 UTC (releng/12.2, 12.2-RELEASE-p4) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background CPU microcode updates may include security fixes or mitigations. The boot-time microcode loader applies CPU microcode as early in the boot process as possible, minimizing the amount of code executed without updated microcode. Microcode updates for many different CPU types are concatenated into one file and loaded by the boot loader. After the kernel has determined the correct update to apply, it frees the memory containing unused microcode updates, keeping only the update for the CPU on which the kernel is running. II. Problem Description An interaction between the code which frees the unused portions of the microcode file and the rest of the system can cause boot hangs. III. Impact The kernel may hang during boot if boot-time microcode updates are configured. IV. Workaround Systems not configured to load microcode at boot-time are unaffected. Boot-time microcode loading is currently only supported with Intel CPUs. On systems that are configured to load microcode at boot-time, setting the "debug.ucode.release" loader tunable to 0 will prevent the microcode update file from being freed, working around the problem. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-21:06/microcode.patch # fetch https://security.FreeBSD.org/patches/EN-21:06/microcode.patch.asc # gpg --verify microcode.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r369310 releng/12.2/ r369355 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:06.microcode.asc> -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15bwACgkQ05eS9J6n 5cLgbg//cottS8aQLl6YmSFs6JIyZwE4RutM2tSrkwkdQmuYLfba3tEyYs3R2iAK x9y5bf9jFG5m7mUVr9QhEPRGrFlKTdTtW682T5ClLrZO1TIWwTUZlEC9omIpAPV3 /A2tFFK253Zhufh2bKol8y8LwEle9MrO2xURj8KOo5dFa0HxSrMeCb+YlINV/iCy hEJPuGvVWr+1rTP0hbKT+lHwtsgV2yB73FuG85p3FtJ4nr7OBlrzDnVgAKANvGTG VTE/g/mqKfQlYqrNccw8Si/K5vh9PNiFjXiercSyMWV1eaYT6WU/a3x94RlISvR7 6t56uWyJ9YTs3+E1bwplIZ/0qrCOvcgYqsv6ANu5/2gysFCNaNACDcAtidcly2UB AL0hDjEQ7sAmsGmjAXfg7bbgUD/1h3saTmI3UmuWayZodMt1w6A0d/3A4bb/yZid rF3gVvgmLBSjsgSXSqYtnS3N+af/rr01/tLaZh/yvO8d0EwFteyGar/dduSCoXbU EK636ZNy+df7k6eCfqeh2/WixqSE7pKw2anQXmn11vHMBWDyuF919jMxrm64OdzT sLlVrGOH8FHbUwnTsNUAfggqO7VUowvfRnYk+CzDElpXqn0Pteq8UCGABLmRKW9u kISBhJwAjnnybyZ5/nvFaAN5UtvG5he0qhpbvArposyvqLdsgZ0=j/+s -----END PGP SIGNATURE-----