Description of problem:
This issue was previously discussed in Bug 1707633, however I still don't see that it is resolved for Broadwell CPU types, where manual steps are required to apply the ucode, even with the newer 20190618 microcode version. This makes Broadwell vulnerable by default when using RHCOS.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux CoreOS 44.81.202002070530-0 (Ootpa)
4.18.0-147.5.1.el8_1.x86_64
microcode_ctl-20190618-1.20191115.3.el8_1.x86_64

How reproducible:
Any RHCOS install on Broadwell nodes shows the issue.

Steps to Reproduce:
Install latest RHCOS, check mitigations:

  # grep . vulnerabilities/*
  vulnerabilities/itlb_multihit:KVM: Mitigation: Split huge pages
  vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
  vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
  vulnerabilities/meltdown:Mitigation: PTI
  vulnerabilities/spec_store_bypass:Vulnerable
  vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
  vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
  vulnerabilities/tsx_async_abort:Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled

Cannot apply the microcode following typical RHEL guidance, ex:

  # /usr/libexec/microcode_ctl/update_ucode
  mkdir: cannot create directory '/lib/firmware/intel-ucode': Read-only file system

Actual results:
Broadwell RHCOS nodes are vulnerable by default.

Expected results:
CVEs are all mitigated, or at least provide a process to apply ucode to be fully mitigated.

Additional info:
I also heard there may be upcoming Skylake ucode that requires manual steps as well, so it would have the same issue.
2020-02-17 16:25:54 UTC
Well, being vulnerable by default is better than hanging on boot by default. There's also SNB, that can hang under some circumstances (presumably, under load), so its MDS-related microcode update is also disabled by default. For SKX, it seems that it is possible to restrict the caveat only to the SKL-X/W CPUs, and it is likely that this refined caveat will be included in the next microcode_ctl package update; that doesn't solve the issue with the way RHCOS works, however. If RHCOS wants to risk stability of the nodes by default, it can supply /etc/microcode_ctl/ucode_with_caveats/force before the initramfs generation in order to enable all caveats.
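As an added check (not part of the bug report or of microcode_ctl), a POSIX shell audit that classifies the entries under /sys/devices/system/cpu/vulnerabilities as they appear in the reporter's grep output, separating entries that are vulnerable only because no microcode was loaded from those that are vulnerable for other reasons; the sample directory is constructed from the values quoted in the report.

```shell
#!/bin/sh
# Added example: audit the kernel's per-vulnerability sysfs status files.
# audit_vulns [DIR] prints one line per entry ("NAME STATUS-CLASS text")
# and returns 0 only when every entry is mitigated or not affected.
audit_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"*|"Mitigation:"*|*": Mitigation:"*)
                printf '%-20s OK %s\n' "$name" "$status" ;;
            *"no microcode"*)
                # Mitigation exists in the kernel but needs a ucode update
                printf '%-20s NEEDS-UCODE %s\n' "$name" "$status"; rc=1 ;;
            "Vulnerable"*)
                printf '%-20s VULNERABLE %s\n' "$name" "$status"; rc=1 ;;
            *)
                printf '%-20s UNKNOWN %s\n' "$name" "$status"; rc=1 ;;
        esac
    done
    return $rc
}

# count_needing_ucode DIR: entries unmitigated solely for lack of microcode
count_needing_ucode() {
    audit_vulns "$1" | awk '$2 == "NEEDS-UCODE" { n++ } END { print n + 0 }'
}

# count_unmitigated DIR: every entry that is not OK, whatever the reason
count_unmitigated() {
    audit_vulns "$1" | awk '$2 != "OK" { n++ } END { print n + 0 }'
}

# make_sample DIR: constructed sysfs tree reproducing the Broadwell node
# output from the bug report, for offline testing of the audit.
make_sample() {
    mkdir -p "$1"
    printf 'KVM: Mitigation: Split huge pages\n' > "$1/itlb_multihit"
    printf 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled\n' > "$1/l1tf"
    printf 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled\n' > "$1/mds"
    printf 'Mitigation: PTI\n' > "$1/meltdown"
    printf 'Vulnerable\n' > "$1/spec_store_bypass"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$1/spectre_v1"
    printf 'Mitigation: Full generic retpoline, STIBP: disabled, RSB filling\n' > "$1/spectre_v2"
    printf 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled\n' > "$1/tsx_async_abort"
}
```

On a live node, source the file and run `audit_vulns` with no argument; a non-zero exit from it is what a fleet check would alert on.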