Description of problem:

This issue was previously discussed in Bug 1707633 however I still don't see that it is resolved for Broadwell cpu types where manual steps are required to apply the ucode, even with the newer 20190618 microcode version. This makes Broadwell vulnerable by default when using RHCOS.

Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux CoreOS 44.81.202002070530-0 (Ootpa)


How reproducible:
Any RHCOS install on Broadwell nodes show the issue. 

Steps to Reproduce:
Install latest RHCOS, check mitigations:

grep . vulnerabilities/*
vulnerabilities/itlb_multihit:KVM: Mitigation: Split huge pages
vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
vulnerabilities/meltdown:Mitigation: PTI
vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
vulnerabilities/tsx_async_abort:Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled

Cannot apply the microcode following typical RHEL guidance, ex:
# /usr/libexec/microcode_ctl/update_ucode
mkdir: cannot create directory '/lib/firmware/intel-ucode': Read-only file system

Actual results:
Broadwell RHCOS nodes are vulnerable by default.

Expected results:
CVEs are all mitigated, or at least provide a process to apply ucode to be fully mitigated. 

Additional info:
I also heard there may be upcoming Skylake ucode that requires manual steps as well so it would have the same issue..

Comment 1

Eugene Syromiatnikov

2020-02-17 16:25:54 UTC

Well, being vulnerable by default is better than hanging on boot by default.

There's also SNB, that can hang under some circumstances (presumably, under load), so its MDS-related microcode update is also disable by default.

For SKX, it seems that it is possible to restrict the caveat only to the SKL-X/W CPUs, and it is likely that this refined caveat will be included into the next microcode_ctl package update; that doesn't solve the issue with the way RHCOS works, however.

If RHCOS wants to risk stability of the nodes by default, it can supply /etc/microcode_ctl/ucode_with_caveats/force before the initramfs generation in order to enable all caveats.

Source link

Write a comment:

Your email address will not be published.