Pete Geenhuizen
2018-Jan-18 16:01 UTC
[CentOS] /lib/firmware/microcode.dat update on CentOS 6
On 01/18/18 09:01, Johnny Hughes wrote:
> On 01/18/2018 07:51 AM, Phelps, Matthew wrote:
>> On Thu, Jan 18, 2018 at 5:03 AM, Johnny Hughes <johnny at centos.org> wrote:
>>
>> So, if we applied the previous microcode update, and all our machines
>> rebooted OK, then we don't need to fallback?
>>
>> Also, do we know if the updated CentOS microcode RPM reverted the microcode
>> for *all* Intel CPUs, or just the ones that had issues? In other words, if
>> I apply the latest microcode update to our 100+ machines (which all have
>> the previous update, and are OK) will they revert to a vulnerable state?
>>
>>
> It reverted for all .. but, your machines may or may not be protected as
> only a subset of machines were updated with the original microcode from
> Intel.
>
> It is your call as to what you install .. but the correct method is to
> install the current microcode_ctl .. and then research your specific
> machine, its CPU, chipset, firmware .. go to the vendor and make sure
> you get all the things necessary to mitigate the issues. It will be
> different for each CPU vendor (Intel or AMD), each CPU / Chipset combo,
> and even each vendor (Dell may have new firmware for x and y but not z
> models, etc.)
>
> There is no one size fits all update for this issue.
>

OK, so color me confused about the timing in all this.

Do we update the microcode now or do we wait until the latest microcode_ctl rpm is available and then tackle this issue?

--
Unencumbered by the thought process.
 -- Click and Clack the Tappet brothers
Matthew Miller
2018-Jan-18 16:31 UTC
[CentOS] /lib/firmware/microcode.dat update on CentOS 6
On Thu, Jan 18, 2018 at 11:01:18AM -0500, Pete Geenhuizen wrote:
> Do we update the microcode now or do we wait until the latest
> microcode_ctl rpm is available and then tackle this issue?

Check with your hardware vendor for BIOS/EFI firmware updates. Apply
those.

--
Matthew Miller <mattdm at fedoraproject.org>
Fedora Project Leader
> OK, so color me confused about the timing in all this.
>
> Do we update the microcode now or do we wait until the latest microcode_ctl
> rpm is available and then tackle this issue?

The message is: stay away from microcode updates because they're broken right now. Intel may or may not release fixes next week to be tested by OEMs. Once working updates are available, OEMs will integrate them into their firmware/BIOS releases. That is one method to avail of microcode updates.

The other method is loading during OS boot (via udev rule), with codes provided by the microcode_ctl rpm. It looks like Red Hat are now staying away from that; in any case, their previous rpm only included ucodes for three cpus. I did not check if the microcode.dat included more updates than that.

Method number 2b is to download the firmware from Intel directly and provide it in the locations defined by the microcode_ctl rpm. Then it's up to you to do the QA.

If your RHEL/CentOS is fully up to date, you're protected against variant 1/Spectre and Meltdown. Red Hat have done a pretty good job to backport those patches from upstream. GKH's blog is worth a read.
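The thread's recurring question is whether a later microcode_ctl update changes what is actually loaded on a machine. The following is an added example, not part of any message in this thread: it summarises the CPU signature and loaded microcode revision from cpuinfo-format text and compares two snapshots. It assumes the running kernel exposes a `microcode` line in /proc/cpuinfo; the function names and the sample revision values are constructed for illustration.

```shell
#!/bin/bash
# Report CPU signature (family-model-stepping, hex) and loaded microcode
# revision from cpuinfo-format text, so a change after an update is visible.

# Constructed sample input: two logical CPUs; the revision passed in is made up.
sample_cpuinfo() {
    for cpu in 0 1; do
        printf 'processor\t: %s\ncpu family\t: 6\nmodel\t\t: 63\n' "$cpu"
        printf 'model name\t: Constructed CPU\nstepping\t: 2\n'
        printf 'microcode\t: %s\n\n' "$1"
    done
}

# Prints "<signature> <revision> <logical CPU count>" per distinct combination.
# Reads the file given as $1, or /proc/cpuinfo when no argument is passed.
ucode_summary() {
    awk -F'[ \t]*:[ \t]*' '
        function flush() {
            if (fam == "") return
            if (rev == "") rev = "unknown"   # kernel without a microcode line
            n[sprintf("%02x-%02x-%02x %s", fam + 0, mod + 0, step + 0, rev)]++
            fam = mod = step = rev = ""
        }
        $1 == "cpu family" { fam = $2 }
        $1 == "model"      { mod = $2 }      # "model name" does not match
        $1 == "stepping"   { step = $2 }
        $1 == "microcode"  { rev = $2 }
        /^$/ { flush() }                     # blank line ends one CPU record
        END  { flush(); for (k in n) print k, n[k] }
    ' "${1:-/proc/cpuinfo}" | sort
}

# Exit status 0 when the two snapshots report different signature/revision sets.
ucode_changed() {
    [ "$(ucode_summary "$1")" != "$(ucode_summary "$2")" ]
}

# Demo on constructed snapshots: one taken before an update, one after reboot.
snap=$(mktemp -d)
sample_cpuinfo 0x3b > "$snap/before"
sample_cpuinfo 0x36 > "$snap/after"
ucode_summary "$snap/before"
ucode_changed "$snap/before" "$snap/after" && echo "microcode revision changed"
rm -rf "$snap"
```

On a real host, save `ucode_summary` output before installing the package and compare it with the output after the next reboot; more than one output line means the logical CPUs are not all running the same revision.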
Pete Geenhuizen
2018-Jan-18 16:45 UTC
[CentOS] /lib/firmware/microcode.dat update on CentOS 6
On 01/18/18 11:31, Matthew Miller wrote:
> On Thu, Jan 18, 2018 at 11:01:18AM -0500, Pete Geenhuizen wrote:
>> Do we update the microcode now or do we wait until the latest
>> microcode_ctl rpm is available and then tackle this issue?
> Check with your hardware vendor for BIOS/EFI firmware updates. Apply
> those.
>

Thanks for the reply, but you missed what I was asking. I've already downloaded the appropriate files from the links that Johnny provided in a previous posting.

My question is, do we wait until the latest microcode_ctl rpm is installed or do it now? My concern is that if I do it now the new rpm might undo what I've done.

--
Unencumbered by the thought process.
 -- Click and Clack the Tappet brothers
Pete Geenhuizen
2018-Jan-18 17:44 UTC
[CentOS] /lib/firmware/microcode.dat update on CentOS 6
On 01/18/18 11:31, Matthew Miller wrote:
> On Thu, Jan 18, 2018 at 11:01:18AM -0500, Pete Geenhuizen wrote:
>> Do we update the microcode now or do we wait until the latest
>> microcode_ctl rpm is available and then tackle this issue?
> Check with your hardware vendor for BIOS/EFI firmware updates. Apply
> those.
>

Thanks for the reply, but you missed what I was asking. I've already downloaded the appropriate files from the links that Johnny provided in a previous posting.

My question is, do we wait until the latest microcode_ctl rpm is installed or do it now? My concern is that if I do it now the new rpm might undo what I've done.

Pete

--
Unencumbered by the thought process.
 -- Click and Clack the Tappet brothers