Linux
Intel microcode not updated
I tried to update the Intel microcode to the 03/12/2018 release (version: 20180312) using the following procedure:
1. extract files from downloaded tarball
2. cp -v intel-ucode/* /lib/firmware/intel-ucode/
3. echo 1 > /sys/devices/system/cpu/microcode/reload
4. dracut -vvf
5. reboot
But nothing changed. Before the update:
    # cat /proc/cpuinfo | grep microcode
    microcode : 0x13
After the update:
    # dmesg | grep microcode
    [ 1.096790] microcode: CPU0 sig=0x206c2, pf=0x1, revision=0x13
    [ 1.096829] microcode: CPU1 sig=0x206c2, pf=0x1, revision=0x13
    [ 1.096851] microcode: CPU2 sig=0x206c2, pf=0x1, revision=0x13
    [ 1.096875] microcode: CPU3 sig=0x206c2, pf=0x1, revision=0x13
    [ 1.096965] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
I am doing this to fix "Spectre Variant 2". spectre-meltdown-checker.sh shows the following:
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
      * Kernel is compiled with IBRS/IBPB support: YES
      * Currently enabled features
        * IBRS enabled for Kernel space: NO
        * IBRS enabled for User space: NO
        * IBPB enabled: NO
    * Mitigation 2
      * Kernel has branch predictor hardening (arm): NO
      * Kernel compiled with retpoline option: NO
      * Kernel compiled with a retpoline-aware compiler: NO
    > STATUS: VULNERABLE (Your kernel is compiled with IBRS but your CPU microcode is lacking support to successfully mitigate the vulnerability)
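The CPU is: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
The latest microcode package does not contain any update for your Westmere EP CPU since the previous release in November 2017; see the changelog for details. It therefore does not contain any Spectre fix for your particular CPU.
According to Intel's communications, a Westmere fix for Spectre v2 is available, but presumably they are following the previously established pattern of shipping such fixes to OEMs before making them available in the microcode package. The latest microcode revision guidance (from April 2) indicates that Westmere EP will get revision 0x1E, presumably in the next microcode package update. The previous guidance listed Westmere EP as beta, revision 0x1D.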
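The check behind this answer, as an added example that is not part of the original question or answer: read the headers of the update file for the CPU signature that dmesg reports and compare its revision with the running one. The function names and the embedded sample bytes are constructed for illustration; the parser ignores extended signature tables and does not verify checksums.

```python
import struct

# 48-byte Intel microcode update header: nine little-endian u32 fields + 12 reserved bytes.
HDR = struct.Struct("<9I12x")

def ucode_filename(sig):
    """CPUID signature -> intel-ucode file name (family-model-stepping, hex)."""
    family, model, stepping = (sig >> 8) & 0xF, (sig >> 4) & 0xF, sig & 0xF
    if family in (0x6, 0xF):
        model |= ((sig >> 16) & 0xF) << 4      # extended model
    if family == 0xF:
        family += (sig >> 20) & 0xFF           # extended family
    return "%02x-%02x-%02x" % (family, model, stepping)

def parse_updates(blob):
    """Return the header fields of every update concatenated in one file."""
    updates, off = [], 0
    while off + HDR.size <= len(blob):
        hdrver, rev, date, sig, _cksum, _ldr, pf, _dsize, tsize = HDR.unpack_from(blob, off)
        if hdrver != 1:
            break
        updates.append({"sig": sig, "pf": pf, "rev": rev,       # date is BCD mmddyyyy
                        "date": "%04x-%02x-%02x" % (date & 0xFFFF, date >> 24, (date >> 16) & 0xFF)})
        off += tsize or 2048                   # total size 0 means the default 2048 bytes
    return updates

def newer_update(updates, sig, pf, running_rev):
    """Highest-revision update matching this CPU that is newer than running_rev, else None."""
    hits = [u for u in updates
            if u["sig"] == sig and (u["pf"] & pf or u["pf"] == pf == 0)
            and u["rev"] > running_rev]
    return max(hits, key=lambda u: u["rev"], default=None)

def _sample(rev, sig, pf):
    # Constructed update: real header layout, zero-filled body, made-up date and checksum.
    return HDR.pack(1, rev, 0x01012013, sig, 0, 1, pf, 2000, 2048) + bytes(2000)

# Constructed file contents, NOT the bytes of any real Intel package.
SAMPLE = _sample(0x13, 0x206C2, 0x03) + _sample(0x05, 0x206C1, 0x03)

if __name__ == "__main__":
    # sig, pf and revision as printed by dmesg in the question.
    print(ucode_filename(0x206C2))
    print(newer_update(parse_updates(SAMPLE), 0x206C2, 0x1, 0x13))
```

On a real system, pass the bytes of the matching file under /lib/firmware/intel-ucode/ to `parse_updates` instead of `SAMPLE`; a result of `None` means the package has nothing newer for that CPU, so a reload or initramfs rebuild changes nothing.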