5 Replies Latest reply on Jan 14, 2018 10:19 PM by pgzh

    Intel Linux Microcode Data file incomplete

    pgzh

      Since the recent disclosure of the Meltdown and Spectre vulnerabilities Intel released new microcode update data in the download center (Download Linux* Processor Microcode Data File ).

      The description states that it also applies to one of my processors: Intel® Celeron® Processor N3150 (2M Cache, up to 2.08 GHz)

      I'd like to get the most recent update (probably from 2018-01-08) to get the new instructions introduced for CPUs by Intel released in the last 5 years in order to secure my CPU against the vulnerabilities.

       

        Vendor:       GenuineIntel
        Brandstring:  Intel® Celeron® CPU N3150 @ 1.60GHz
        Identified as:Braswell, C0 (14nm)

        Signature: 0x406C3

      Family:0x6   (extended 0x0, base 0x6)
      Model: 0x4C  (extended 0x4, base 0xC)
      Stepping:  0x3

        4 cores, 4 threads

        µcode rev: 0x363

        platform : 0x01

        Tjmax: 90 C

        Cache information:

      L1 DATA  cache: 4x   24 kB
      L1 INSTR cache: 4x   32 kB
      L2 UNI   cache: 1x  1.0 MB

       

      My CPU is at microcode revision 0x33c with the latest available BIOS from from the mainboard manufacturer (Asus) and there is no update for my CPU in the download provided by Intel.

      There is however a newer microcode available for my CPU, the U-Boot project has revision 0x363 in its repository (u-boot/arch/x86/dts/microcode at master · trini/u-boot · GitHub ).

       

      Sadly this data is in dtsi format and needs to be converted to binary and compressed into a cpio archive and passed to the linux kernel via initrd command when booting.

      Here's the relevant dmesg output after this procedure:

      [0.000000] microcode: microcode updated early to revision 0x363, date = 2015-12-18
      [1.137958] microcode: sig=0x406c3, pf=0x1, revision=0x363

       

      I double-checked the Intel Linux Microcode Data file and there is definitely no update for my CPU with signature 0x406C3.

       

      Where can I find microcode updates for my CPU provided by Intel? Why are certain updates not available in the download center?

       

      Best regards,

      Peter

        • 1. Re: Intel Linux Microcode Data file incomplete
          N.Scott.Pearson

          You, as an individual, should be getting your microcode update via a BIOS update from your board manufacturer. It is also true that Intel releases microcode updates to the OS community for inclusion into OS (and distro) releases.

          ...S

          • 2. Re: Intel Linux Microcode Data file incomplete
            pgzh

            Well, this isn't particularly helpful since Asus does not support Linux and I am sure they won't release a update as they haven't done so since mid-2015.

             

            This microcode data file contains the latest microcode definitions for all Intel processors. Intel releases these updates periodically. These microcode data files correct processor behavior as documented in the respective processor specification guidelines.

            While the regular approach to getting this microcode update is via a BIOS update, Intel realizes that this can be an administrative hassle. The Linux* operating system has a mechanism to update the microcode after booting. For example, this file will be used by the operating system mechanism if the file is placed in the /etc/firmware directory of the Linux system.“

            Source: Download Linux* Processor Microcode Data File

            The download should contain the updates for all CPUs and I should not have to rely on mainboard manufacturers to be able to get support for my Intel CPU.

            • 3. Re: Intel Linux Microcode Data file incomplete
              Steveis2

              Hi, I agree with you. I have computers that are not going to get a BIOS update any time soon if ever. I'd like to be able to download the microcode for my CPU direct from intel. I can't see why that doesn't happen.

               

              Steve

              • 4. Re: Intel Linux Microcode Data file incomplete
                N.Scott.Pearson

                First of all, Intel will be releasing microcode updates for every processor affected. They have committed publicly to doing so - and by the end of the month.

                 

                Secondly, any board manufacturer who refuses to release a BIOS update is not one that I would ever purchase anything from again. Security is an absolute requirement; anyone not prioritizing that is not someone that I will deal with. If a board can accommodate a processor that is affected, it better get a BIOS that provides the necessary microcode updates -- and this update better close the ME vulnerabilities as well.

                 

                Finally, while it is true that you can get microcode updates via various O/Ss, I absolutely insist that this be at the BIOS level. I want all security holes (and all errata) closed before any O/S starts to load. I do not consider any O/S to be fully secure if it is not until part way through the O/S load that the microcode gets updated.

                 

                ...S

                • 5. Re: Intel Linux Microcode Data file incomplete
                  pgzh

                  What I am more concerned about is that Intel didn't release any microcode updates for my CPU directly ever as far as I can tell, but several updates exist.

                  There's at least revisions 0x33c, 0x343, 0x353 and 0x363.

                  I found those in various BIOS files from different manufacturers and from the U-Boot project (they probably got out of BIOS update files too).

                   

                  I am used to poor support from mainboard manufacturers and if you don't buy anything server-grade, it's the same after a few months no matter what brand you choose.

                   

                  Really annoying is that Intel advertises that the download contains updates for my CPU (it's explicitly listed!) but there is no update in any data file released in the last 2 years (probably not in any). The fact that you find the updates in BIOS updates mean that there have been updates and Intel kept those already from me as customer.

                  So this would mean I shouldn't buy from Intel anymore as well...