Intel firmware now unredistributable by OS vendors


Debian Bug report logs - #906158

intel-microcode: Update intel-microcode to 20180807

Package: intel-microcode; Maintainer for intel-microcode is Henrique de Moraes Holschuh <[email protected]>; Source for intel-microcode is src:intel-microcode (PTS, buildd, popcon).

Reported by: Markus Schade <[email protected]>

Date: Wed, 15 Aug 2018 07:15:04 UTC

Severity: grave

Tags: security

Merged with 906160

Found in versions intel-microcode/3.20180425.1, intel-microcode/3.20180703.1

Report forwarded to [email protected], Henrique de Moraes Holschuh <[email protected]>:

Bug#906158; Package intel-microcode. (Wed, 15 Aug 2018 07:15:06 GMT)

Acknowledgement sent to Markus Schade <[email protected]>:

New Bug report received and forwarded. Copy sent to Henrique de Moraes Holschuh <[email protected]>. (Wed, 15 Aug 2018 07:15:06 GMT)

Received at [email protected]:

From: Markus Schade <[email protected]>

To: Debian Bug Tracking System <[email protected]>

Subject: intel-microcode: Update intel-microcode to 20180807

Date: Wed, 15 Aug 2018 09:08:15 +0200

Package: intel-microcode
Version: 3.20180425.1
Severity: grave
Tags: security

Dear Maintainer,

Intel has released a new microcode version which includes updates for
further CPU models providing the necessary code for SSBD as well as the
recently disclosed L1TF vulnerability

https://downloadcenter.intel.com/download/28039/Linux-Processor-Microcode-Data-File


Please consider packaging this version to enable mitigations.

Thanks!

Markus

Marked as found in versions intel-microcode/3.20180703.1. Request was from Salvatore Bonaccorso <[email protected]> to [email protected]. (Wed, 15 Aug 2018 07:36:03 GMT)

Merged 906158 906160. Request was from Salvatore Bonaccorso <[email protected]> to [email protected]. (Wed, 15 Aug 2018 07:36:05 GMT)

Information forwarded to [email protected]:

Bug#906158; Package intel-microcode. (Wed, 15 Aug 2018 14:39:06 GMT)

Acknowledgement sent to Henrique de Moraes Holschuh <[email protected]>:

Extra info received and forwarded to list. (Wed, 15 Aug 2018 14:39:06 GMT)

Received at [email protected]:

From: Henrique de Moraes Holschuh <[email protected]>

To: Markus Schade <[email protected]>, [email protected]

Subject: Re: Bug#906158: intel-microcode: Update intel-microcode to 20180807

Date: Wed, 15 Aug 2018 11:36:05 -0300

On Wed, 15 Aug 2018, Markus Schade wrote:
> Intel has released a new microcode version which includes updates for
> further CPU models providing the necessary code for SSBD as well as the
> recently disclosed L1TF vulnerability
> 
> https://downloadcenter.intel.com/download/28039/Linux-Processor-Microcode-Data-File

Unfortunately, that release is undistributable (refer to the new
"license" file that was added by Intel to the microcode data file pack
version 20180807).

Packages have been ready since 2018-08-08, but could not be uploaded (or
even pushed to public git trees) for that reason.

Intel has been made aware of the issue and pestered by just about
everyone, and should get it straightened up soon.

-- 
  Henrique Holschuh

Information forwarded to [email protected], Henrique de Moraes Holschuh <[email protected]>:

Bug#906158; Package intel-microcode. (Fri, 17 Aug 2018 08:03:03 GMT)

Acknowledgement sent to Moritz Mühlenhoff <[email protected]>:

Extra info received and forwarded to list. Copy sent to Henrique de Moraes Holschuh <[email protected]>. (Fri, 17 Aug 2018 08:03:03 GMT)

Received at [email protected]:

From: Moritz Mühlenhoff <[email protected]>

To: Markus Schade <[email protected]>

Cc: [email protected]

Subject: Re: intel-microcode: Update intel-microcode to 20180807

Date: Fri, 17 Aug 2018 09:54:15 +0200

On Wed, Aug 15, 2018 at 09:08:15AM +0200, Markus Schade wrote:
> Package: intel-microcode
> Version: 3.20180425.1
> Severity: grave
> Tags: security
> 
> Dear Maintainer,
> 
> Intel has released a new microcode version which includes updates for
> further CPU models providing the necessary code for SSBD as well as the
> recently disclosed L1TF vulnerability
>
> https://downloadcenter.intel.com/download/28039/Linux-Processor-Microcode-Data-File

Hi Markus,
This microcode release happened a week before the disclosure of L1TF and with
all previous CPU bugs, Intel initially only shipped updates to OEMs and only
released general microcode updates weeks/months later.

Have you been able to confirm (e.g. by testing) that 20180807 implements changes
necessary for L1TF (such as L1D_FLUSH) or is there some official statement
by Intel on this?

Cheers,
        Moritz

Information forwarded to [email protected], Henrique de Moraes Holschuh <[email protected]>:

Bug#906158; Package intel-microcode. (Fri, 17 Aug 2018 08:48:03 GMT)

Acknowledgement sent to Markus Schade <[email protected]>:

Extra info received and forwarded to list. Copy sent to Henrique de Moraes Holschuh <[email protected]>. (Fri, 17 Aug 2018 08:48:03 GMT)

Received at [email protected]:

From: Markus Schade <[email protected]>

To: Moritz Mühlenhoff <[email protected]>

Cc: [email protected]

Subject: Re: intel-microcode: Update intel-microcode to 20180807

Date: Fri, 17 Aug 2018 10:36:29 +0200

On 17.08.2018 at 09:54, Moritz Mühlenhoff wrote:
> This microcode release happened a week before the disclosure of L1TF and with
> all previous CPU bugs, Intel initially only shipped updates to OEMs and only
> released general microcode updates weeks/months later.
> 
> Have you been able to confirm (e.g. by testing) that 20180807 implements changes
> necessary for L1TF (such as L1D_FLUSH) or is there some official statement
> by Intel on this?

Actually Intel is a bit better prepared this time.
20170703 already contained l1d_flush (in addition to ssbd) for most
server CPUs. 20180807 just added more CPU models (mostly desktop products).

So yes, I have tested and can confirm this MCU will provide ssbd and
l1d_flush on kernels that have support for these features (e.g. latest
Ubuntu or vanilla)

Actual mitigation results may vary as outlined in [1].

Tested models include: Core i/Xeon E3 (SNB, IVB, SKL), Xeon E5 (SNB,
IVB, HSW, BDW), Xeon SP (SKL)

Best regards,
Markus



[1] https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF

Information forwarded to [email protected]:

Bug#906158; Package intel-microcode. (Fri, 17 Aug 2018 11:39:09 GMT)

Acknowledgement sent to Henrique de Moraes Holschuh <[email protected]>:

Extra info received and forwarded to list. (Fri, 17 Aug 2018 11:39:09 GMT)

Received at [email protected]:

From: Henrique de Moraes Holschuh <[email protected]>

To: Moritz Mühlenhoff <[email protected]>, [email protected]

Cc: Markus Schade <[email protected]>

Subject: Re: Bug#906158: intel-microcode: Update intel-microcode to 20180807

Date: Fri, 17 Aug 2018 08:22:47 -0300

On Fri, 17 Aug 2018, Moritz Mühlenhoff wrote:
> Have you been able to confirm (e.g. by testing) that 20180807 implements changes
> necessary for L1TF (such as L1D_FLUSH) or is there some official statement
> by Intel on this?

It does (privately tested on a few processor models).  Exposes L1D_FLUSH
flags, and the MSRs.

The L1D flush fixes are present on release 20180703, btw.  As far as I
can tell, 20180807 builds on 20180703 by adding more processors and
fixing the single microcode update that regressed -- but not present in
20180703 anyway -- (sig 0x706a1).

This can be inferred from the microcode guidance tables Intel has
published for SA-00115 and SA-00161.

As far as I can tell, Intel knew about L1TF early enough that they fixed
the whole thing along with SSBD.  They just did not disclose anything
about it outside of the embargo group, apparently.

-- 
  Henrique Holschuh
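
A check for what the two messages above report (the loaded microcode exposing SSBD and L1D_FLUSH), as an added example that is not part of the bug log. It assumes a Linux x86 host, where these capabilities appear in /proc/cpuinfo as the flags `ssbd` and `flush_l1d`; the embedded sample text and its revisions are constructed, and it includes the case of logical CPUs running different microcode revisions.

```python
"""Check which logical CPUs expose the ssbd and flush_l1d flags after a microcode load."""
from pathlib import Path

WANTED = ("ssbd", "flush_l1d")  # Linux /proc/cpuinfo names for SSBD and L1D_FLUSH

# Constructed sample: CPU 1 is still on an older revision and lacks both flags.
SAMPLE_CPUINFO = (
    "processor\t: 0\nmicrocode\t: 0xc6\n"
    "flags\t\t: fpu msr ibrs ibpb stibp ssbd flush_l1d\n\n"
    "processor\t: 1\nmicrocode\t: 0xc2\n"
    "flags\t\t: fpu msr ibrs ibpb stibp\n"
)

def parse_cpuinfo(text):
    """Return one record per logical CPU: id, microcode revision, flag set."""
    cpus = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            cpus.append({
                "cpu": int(fields["processor"]),
                "microcode": int(fields.get("microcode", "0"), 16),
                "flags": set(fields.get("flags", "").split()),
            })
    return cpus

def audit(cpus):
    """List the revisions in use and, per wanted flag, the CPUs missing it."""
    return {
        "revisions": sorted({c["microcode"] for c in cpus}),
        "missing": {f: [c["cpu"] for c in cpus if f not in c["flags"]] for f in WANTED},
    }

def kernel_view(base="/sys/devices/system/cpu/vulnerabilities"):
    """Return the kernel's own status lines for L1TF and Speculative Store Bypass."""
    status = {}
    for name in ("l1tf", "spec_store_bypass"):
        path = Path(base) / name
        status[name] = path.read_text().strip() if path.is_file() else "not reported"
    return status

if __name__ == "__main__":
    live = Path("/proc/cpuinfo")
    print(audit(parse_cpuinfo(live.read_text() if live.is_file() else SAMPLE_CPUINFO)))
    print(kernel_view())
```

More than one entry in `revisions`, or a non-empty `missing` list, means some logical CPUs did not receive the update; the sysfs files only exist on kernels that carry the corresponding mitigation code.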

Information forwarded to [email protected], Henrique de Moraes Holschuh <[email protected]>:

Bug#906158; Package intel-microcode. (Sat, 18 Aug 2018 21:16:42 GMT)

Acknowledgement sent to Moritz Mühlenhoff <[email protected]>:

Extra info received and forwarded to list. Copy sent to Henrique de Moraes Holschuh <[email protected]>. (Sat, 18 Aug 2018 21:16:42 GMT)

Received at [email protected]:

From: Moritz Mühlenhoff <[email protected]>

To: Henrique de Moraes Holschuh <[email protected]>

Cc: Moritz Mühlenhoff <[email protected]>, [email protected], Markus Schade <[email protected]>

Subject: Re: Bug#906158: intel-microcode: Update intel-microcode to 20180807

Date: Sat, 18 Aug 2018 13:39:24 +0200

Hi,

On Fri, Aug 17, 2018 at 08:22:47AM -0300, Henrique de Moraes Holschuh wrote:
> On Fri, 17 Aug 2018, Moritz Mühlenhoff wrote:
> > Have you been able to confirm (e.g. by testing) that 20180807 implements changes
> > necessary for L1TF (such as L1D_FLUSH) or is there some official statement
> > by Intel on this?
> 
> It does (privately tested on a few processor models).  Exposes L1D_FLUSH
> flags, and the MSRs.
> 
> The L1D flush fixes are present on release 20180703, btw.  As far as I
> can tell, 20180807 builds on 20180703 by adding more processors and
> fixing the single microcode update that regressed -- but not present in
> 20180703 anyway -- (sig 0x706a1).
> 
> This can be inferred from the microcode guidance tables Intel has
> published for SA-00115 and SA-00161.
> 
> As far as I can tell, Intel knew about L1TF early enough that they fixed
> the whole thing along with SSBD.  They just did not disclose anything
> about it outside of the embargo group, apparently.

Fantastic! I'll update the Debian Security Tracker later on. Those are
somewhat tricky to track since it obviously depends on the CPU in use,
but I'll clarify with some notes.

Do we have also indication whether the 20180703 release also fixed the
SGX angle?

Cheers,
        Moritz

Information forwarded to [email protected], Henrique de Moraes Holschuh <[email protected]>:

Bug#906158; Package intel-microcode. (Sat, 18 Aug 2018 21:20:35 GMT)

Acknowledgement sent to Markus Schade <[email protected]>:

Extra info received and forwarded to list. Copy sent to Henrique de Moraes Holschuh <[email protected]>. (Sat, 18 Aug 2018 21:20:35 GMT)

Received at [email protected]:

From: Markus Schade <[email protected]>

To: Moritz Mühlenhoff <[email protected]>

Cc: [email protected], [email protected]

Subject: Re: Bug#906158: intel-microcode: Update intel-microcode to 20180807

Date: Sat, 18 Aug 2018 14:14:11 +0200

Hi,

On 18.08.2018 at 13:39, Moritz Mühlenhoff wrote:
> Do we have also indication whether the 20180703 release also fixed the
> SGX angle?

Not sure if you are asking Henrique or me, but yes, the microcode does
include the mitigation for SGX aka Foreshadow.

It is also explicitly stated by Intel in [1]

"This method affects select microprocessor products supporting Intel®
Software Guard Extensions (Intel® SGX)" ...

"Microcode updates (MCUs) we released earlier this year are an important
component of the mitigation strategy for all three applications of L1TF"

Best regards,
Markus

[1]
https://newsroom.intel.com/editorials/protecting-our-customers-through-lifecycle-security-threats/

Information forwarded to [email protected], Henrique de Moraes Holschuh <[email protected]>:

Bug#906158; Package intel-microcode. (Sat, 18 Aug 2018 21:20:37 GMT)

Acknowledgement sent to Ivan Baldo <[email protected]>:

Extra info received and forwarded to list. Copy sent to Henrique de Moraes Holschuh <[email protected]>. (Sat, 18 Aug 2018 21:20:37 GMT)

Received at [email protected]:

From: Ivan Baldo <[email protected]>

To: [email protected]

Subject: re: intel-microcode: Update intel-microcode to 20180807

Date: Sat, 18 Aug 2018 16:56:22 -0300

    Hello.

    Do you have confirmation that they will change the license?

    Should we contact (pester) them or do you think this is not more 
necessary now?

    Hey! Thanks a lot for the great work and service you are doing with 
these updates! Very appreciated!

    Have a great day.


-- 
Ivan Baldo - [email protected] - http://ibaldo.codigolibre.net/
Freelance C++/PHP programmer and GNU/Linux systems administrator.
The sky is not the limit!

Information forwarded to [email protected]:

Bug#906158; Package intel-microcode. (Sun, 19 Aug 2018 02:00:04 GMT)

Acknowledgement sent to Henrique de Moraes Holschuh <[email protected]>:

Extra info received and forwarded to list. (Sun, 19 Aug 2018 02:00:04 GMT)

Received at [email protected]:

From: Henrique de Moraes Holschuh <[email protected]>

To: Ivan Baldo <[email protected]>, [email protected]

Subject: Re: Bug#906158: intel-microcode: Update intel-microcode to 20180807

Date: Sat, 18 Aug 2018 22:57:32 -0300

On Sat, 18 Aug 2018, Ivan Baldo wrote:
>     Do you have confirmation that they will change the license?

No.  And apparently both SuSE and RedHat decided they are OK with the
new license or something (since they have updates in the works or
already available), so I will just ask them if they can share their
analysis.

>     Should we contact (pester) them or do you think this is not more
> necessary now?

Please don't.  It is unlikely to help.

-- 
  Henrique Holschuh

Information forwarded to [email protected], Henrique de Moraes Holschuh <[email protected]>:

Bug#906158; Package intel-microcode. (Sun, 19 Aug 2018 07:39:02 GMT)

Acknowledgement sent to Markus Schade <[email protected]>:

Extra info received and forwarded to list. Copy sent to Henrique de Moraes Holschuh <[email protected]>. (Sun, 19 Aug 2018 07:39:02 GMT)

Received at [email protected]:

From: Markus Schade <[email protected]>

To: Moritz Mühlenhoff <[email protected]>, Henrique de Moraes Holschuh <[email protected]>

Cc: [email protected]

Subject: Re: Bug#906158: intel-microcode: Update intel-microcode to 20180807

Date: Sun, 19 Aug 2018 09:36:49 +0200

Henrique,

could you please clarify what concerns Debian has with the license?

Other distros seem to have no problems. I see updated packages from
Fedora, OpenSUSE, Gentoo and Archlinux.

Best regards,
Markus

Debian bug tracking system administrator <[email protected]>. Last modified: Mon Aug 20 17:30:16 2018; Machine Name: buxtehude
