Ahoi there.
This is my first post, so I hope I get this right.
I configured my system to utilize the new mkinitcpio microcode hook, but after regenerating initramfs and rebooting, it seems that no microcode was loaded.
uname -r
6.7.9-zen1-1-zen
I added the new hook:
grep -v '^#' /etc/mkinitcpio.conf
MODULES=()
BINARIES=()
FILES=()
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt btrfs filesystems fsck)
This confuses me. I never touched the preset files as suggested by the wiki.
Aren't they auto-generated during the pacman hook in /usr/share/libalpm/hooks/60-mkinitcpio-remove.hook using /usr/share/mkinitcpio/hook.preset?
grep -v '^#' /etc/mkinitcpio.d/linux-zen.preset
ALL_kver="/boot/vmlinuz-linux-zen"
PRESETS=('default' 'fallback')
default_image="/boot/initramfs-linux-zen.img"
fallback_image="/boot/initramfs-linux-zen-fallback.img"
fallback_options="-S autodetect"
Generating initramfs reports success and the log entry for the prepended microcode image is also there.
sudo mkinitcpio -P
...
==> Building image from preset: /etc/mkinitcpio.d/linux-zen.preset: 'default'
==> Using default configuration file: '/etc/mkinitcpio.conf'
-> -k /boot/vmlinuz-linux-zen -g /boot/initramfs-linux-zen.img
==> Starting build: '6.7.9-zen1-1-zen'
-> Running build hook: [base]
-> Running build hook: [systemd]
-> Running build hook: [autodetect]
-> Running build hook: [microcode]
-> Running build hook: [modconf]
-> Running build hook: [kms]
-> Running build hook: [keyboard]
-> Running build hook: [sd-vconsole]
-> Running build hook: [block]
-> Running build hook: [sd-encrypt]
-> Running build hook: [btrfs]
-> Running build hook: [filesystems]
-> Running build hook: [fsck]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-zen.img'
-> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
...
This is also confirmed by:
lsinitcpio --early --list /boot/initramfs-linux-zen.img
early_cpio
kernel/
kernel/x86/
kernel/x86/microcode/
kernel/x86/microcode/GenuineIntel.bin
Here is my boot partition:
tree /boot
/boot
├── EFI
│ ├── BOOT
│ │ └── BOOTX64.EFI
│ ├── Linux
│ └── systemd
│ └── systemd-bootx64.efi
├── initramfs-linux-fallback.img
├── initramfs-linux.img
├── initramfs-linux-lts-fallback.img
├── initramfs-linux-lts.img
├── initramfs-linux-zen-fallback.img
├── initramfs-linux-zen.img
├── intel-ucode.img
├── loader
│ ├── entries
│ │ ├── arch.conf
│ │ ├── arch-fallback.conf
│ │ ├── arch-lts.conf
│ │ └── arch-zen.conf
│ ├── entries.srel
│ ├── loader.conf
│ └── random-seed
├── vmlinuz-linux
├── vmlinuz-linux-lts
└── vmlinuz-linux-zen
I also deleted the initrd line regarding /boot/intel-ucode.img
cat /boot/loader/entries/arch-zen.conf
title Arch Linux (Zen)
linux /vmlinuz-linux-zen
initrd /initramfs-linux-zen.img
options rd.luks.uuid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx root=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx rootflags=subvol=@ rw quiet splash
But when I check after reboot:
journalctl -k --grep=microcode
Mar 16 07:41:53 archlinux kernel: SRBDS: Mitigation: Microcode
Mar 16 07:41:53 archlinux kernel: GDS: Vulnerable: No microcode
Mar 16 07:41:53 archlinux kernel: microcode: Current revision: 0x000000f0
Last edited by fixi (2024-03-16 12:24:00)
Hm, right after posting I started questioning myself.
Have I misinterpreted the output from journalctl -k --grep=microcode?
Does it actually mean that a microcode, with revision 0x000000f0, was applied, but it has no mitigation for GDS in it?
No this just reports the current microcode version.
For the update itself you should see something like this:
Mar 16 07:46:19 box kernel: microcode: Updated early from: 0x00000XXX
Have you checked an old log to ensure you previously had a microcode update?
No, I haven't thought about that.
Good catch! There never was any update applied:
journalctl -k -b -9 --grep=microcode
Feb 22 17:00:15 archlinux kernel: SRBDS: Mitigation: Microcode
Feb 22 17:00:15 archlinux kernel: GDS: Vulnerable: No microcode
Feb 22 17:00:16 archlinux kernel: microcode: Current revision: 0x000000f0
Do you have an idea why this could be?
The bottom of the microcode wiki page tells you how to determine what version is available in the package.
Yep, I just saw it. But I have a hard time interpreting it:
bsdtar -Oxf /boot/intel-ucode.img | iucode_tool -tb -lS -
iucode_tool: system has processor(s) with signature 0x000506e3
microcode bundle 1: (stdin)
selected microcodes:
001/174: sig 0x000506e3, pf_mask 0x36, 2021-11-12, rev 0x00f0, size 109568
Maybe this is also helpful:
lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 39 bits physical, 48 bits virtual
Byte Order: Little Endian
CPU(s): 8
On-line CPU(s) list: 0-7
Vendor ID: GenuineIntel
Model name: Intel(R) Xeon(R) CPU E3-1240 v5 @ 3.50GHz
CPU family: 6
Model: 94
Thread(s) per core: 2
Core(s) per socket: 4
Socket(s): 1
Stepping: 3
CPU(s) scaling MHz: 53%
CPU max MHz: 3900,0000
CPU min MHz: 800,0000
BogoMIPS: 6999,82
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb pti ssbd ibrs ibpb stibp tpr_shadow flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp vnmi md_clear flush_l1d arch_capabilities
Virtualization features:
Virtualization: VT-x
Caches (sum of all):
L1d: 128 KiB (4 instances)
L1i: 128 KiB (4 instances)
L2: 1 MiB (4 instances)
L3: 8 MiB (1 instance)
NUMA:
NUMA node(s): 1
NUMA node0 CPU(s): 0-7
Vulnerabilities:
Gather data sampling: Vulnerable: No microcode
Itlb multihit: KVM: Mitigation: VMX disabled
L1tf: Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Mds: Mitigation; Clear CPU buffers; SMT vulnerable
Meltdown: Mitigation; PTI
Mmio stale data: Mitigation; Clear CPU buffers; SMT vulnerable
Retbleed: Mitigation; IBRS
Spec rstack overflow: Not affected
Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; IBRS, IBPB conditional, STIBP conditional, RSB filling, PBRSB-eIBRS Not affected
Srbds: Mitigation; Microcode
Tsx async abort: Mitigation; TSX disabled
That says that the latest version is 0x00f0, which is what you already have.
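The comparison made above (the revision the CPU reports after boot against the revision shipped in intel-ucode.img), as an added shell example that is not part of the thread. It parses constructed copies of the journalctl and iucode_tool output quoted earlier; the function names are my own, and "Updated early from:" is the kernel line the reply above says marks an actual update.

```sh
#!/bin/sh
# Added example, not from the thread: decide from a kernel log and from
# iucode_tool's listing whether an early microcode update was applied and
# whether the packaged revision is newer than what the CPU is running.
# Sample inputs are constructed from the output quoted in the thread.

# Constructed: journalctl -k --grep=microcode output for one boot
SAMPLE_JOURNAL='Mar 16 07:41:53 archlinux kernel: SRBDS: Mitigation: Microcode
Mar 16 07:41:53 archlinux kernel: GDS: Vulnerable: No microcode
Mar 16 07:41:53 archlinux kernel: microcode: Current revision: 0x000000f0'

# Constructed: bsdtar -Oxf /boot/intel-ucode.img | iucode_tool -tb -lS - output
SAMPLE_IUCODE='iucode_tool: system has processor(s) with signature 0x000506e3
microcode bundle 1: (stdin)
selected microcodes:
  001/174: sig 0x000506e3, pf_mask 0x36, 2021-11-12, rev 0x00f0, size 109568'

# Revision the CPU reports after boot (last "Current revision" line).
running_rev() {
    printf '%s\n' "$1" | sed -n 's/.*microcode: Current revision: \(0x[0-9a-fA-F]*\).*/\1/p' | tail -n 1
}

# Revision the CPU had before the early update; empty when no
# "Updated early from:" line exists, i.e. nothing was applied.
updated_from_rev() {
    printf '%s\n' "$1" | sed -n 's/.*microcode: Updated early from: \(0x[0-9a-fA-F]*\).*/\1/p' | tail -n 1
}

# Highest revision iucode_tool selected for this CPU, as a decimal number.
packaged_rev() {
    printf '%s\n' "$1" | sed -n 's/.*, rev \(0x[0-9a-fA-F]*\),.*/\1/p' \
        | while read -r r; do printf '%d\n' "$(($r))"; done | sort -n | tail -n 1
}

# Prints one of: applied, up-to-date, update-missing, unknown
microcode_status() {
    run=$(running_rev "$1"); from=$(updated_from_rev "$1"); pkg=$(packaged_rev "$2")
    if [ -z "$run" ] || [ -z "$pkg" ]; then echo unknown; return; fi
    if [ -n "$from" ]; then echo applied; return; fi
    if [ "$(($run))" -ge "$pkg" ]; then echo up-to-date; else echo update-missing; fi
}

microcode_status "$SAMPLE_JOURNAL" "$SAMPLE_IUCODE"   # prints up-to-date for the thread's data
```

On a live system the same functions take `journalctl -k --grep=microcode` and the bsdtar/iucode_tool pipeline as input; "up-to-date" is the thread's situation, where the firmware already carries the packaged revision and so nothing is loaded early.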
I see.
Is that the reason why the early microcode update doesn't get applied during boot?
Because the version from my firmware is already the newest one?
Yes.
Alright, that concludes the matter.
Thank you all so much!