Microcode update from AMD available - possible to include in coreboot build? #75
Comments
fhloston
changed the title
|
There is updated microcode from AMD and it can be found in the wild: I have successfully loaded that microcode in my debian installation. Can you include that into the coreboot builds, please? |
|
@fhloston thanks for this information. We will try to address that in next release although I have to consult if using microcode published "in the wild" would be ok. Have you got any pointers, if anyone tried it and can confirm that issues were mitigated? |
|
@pietrushnic I tried loading it during initrd and in a live system myself and it does contain some microcode enhancements which weren't there before:
Can't you just request the microcode from AMD? |
|
I should add, the raw microcode needs to be formatted properly into microcode_amd_fam16h.bin https://github.com/groeck/amd-ucodegen (link fixed) |
|
@fhloston could you possibly post the commands .. script you are using to load the firmware at runtime? regards |
|
@gretel easy: amd-ucodegen cpu00730F01_ver07030106_2018-02-09_88EDFAA0.bin -o microcode_amd_fam16h.bin backup old file in /lib/firmware/amd-ucode (linux) or /usr/local/share/cpucontrol (freebsd) you might have to install devcpu-data on freebsd first, and activate the respective service |
|
@fhloston thanks! for freebsd this is what i did: |
|
@fhloston decision was made to not include unofficial microcode binaries in official PC Engines firmware releases. I believe we can prepare unofficial firmware release based on Meanwhile, we are in contact with AMD and trying to obtain official microcode release. |
|
@pietrushnic thanks - i am interested. |
|
@pietrushnic thanks for the update! also interested! |
|
@pietrushnic cool. |
|
@fhloston we have been able to include microcode updates in coreboot, yet we still need some information about new microcode features You listed: Indirect Branch Prediction Barrier (IBPB)
Where did You get these information from? Is there any possibility to verify these features? |
|
@miczyg1 I loaded the updated microcode on a Debian Stretch Installation and used spectre-meltdown-checker to verify changes. It is also packaged in stretch-backports. |
|
@miczyg1 please publish here links to custom binaries tomorrow EOD. |
|
@miczyg1 thanks for getting back to us! going to be back from travels on friday and report back. |
|
The latest AMD microcode/ucode is available from a reputable source: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/log/amd-ucode |
|
Could this be built in to 4.6.10? |
|
@nicklowe unfortunately linux demands microcode in special container designed for kernel. We could use only raw binaries delivered by AMD. Second thing is we finished development cycle for v4.6.10 last Friday, the binaries should be available soon. Depending on result of our negotiations with AMD we may obtain the raw microcode binary, however we cannot assure the microcode will be included in next release. |
|
still didnt get a chance to uprade mine :( |
|
Couldn't you use the appropriate file from linux-firmware.git and use https://github.com/platomav/MCExtractor to strip the container? |
|
guys, what is the issue with the container? @gretel posted on April 24th how that container is built from raw microcode. |
|
I flashed the APU2 4.6.9 ucode image supplied by @miczyg1 and observed the following: root@OpenWrt:~# dmesg | grep microcode I don't think this is working currently therefore. |
|
@nicklowe it may be that kernel is overriding the microcode patchlevel. I am 100% sure that MSR register responsible for storing current patch level reported 0x07030106 in coreboot. I would have to investigate it. |
|
Hmm, well, OpenWRT's amd64-microcode package is not installed so there would be nothing to downgrade it with. |
|
That git log from linux-firmware above shows commits back in May 2018 with microcode updates, but if you look closer these were just for families 15h/17h. The log for 16h (which the APU2 uses) is: @miczyg1 if you're in contact with AMD, it might be worth to ask them to also update linux-firmware like they've done with the other families and/or get the person who made those commits there (who seems to have an @amd.com email address :) in the loop. Thanks for your responsiveness here and your efforts in general regardless! |
|
@kolargol the microcode update has been changed since it did not patch all cores previously. Current microcode update procedure works well for all cores. The guide is available in https://github.com/pcengines/apu2-documentation/blob/master/docs/microcode_patching.md Please do not follow @Firefishy guide since it is wrong way to do that. There is a special Kconfig option under microcode inclusion menu: |
|
@miczyg1 Try follow https://github.com/pcengines/apu2-documentation/blob/master/docs/microcode_patching.md with v4.9.0.2. The |
|
@miczyg1 the menu option you mention vanished from v4.9.0.2 and @Firefishy seems right. I am building firmware right now and will let you know if all cores are patched. |
|
Something may have changed in upstream repository and probably we did not notice. I will check that. |
|
I confirm correct microcode loaded after @Firefishy suggested fix: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,IBPB,XSAVEOPT on all 4 cores I have pushed bin if someone want to test: https://github.com/kolargol/apu2_firmware |
|
Microcode inclusion Kconfig settings changed upstream, which led to unavailability to patch the microcode for apu. Fix will be included in v4.9.0.3: pcengines/coreboot#271 |
It works... On FreeBSD, I get this additional line in CPU features:
and
|
|
If anybody wants to build fresh v4.9.0.3 with microcode update, it is now possible. Fix for menuconfig has been applied. |
|
yes i confirm it works - i have uploaded bin's for testing. You can close this issue. |
|
What is the drawback or consequence if the microcode is not updated via the BIOS (via coreboot binary), but rather updated via the OS / kernel during boot or after boot? |
|
@soder10 it depends on Your threat model. The earlier the microcode is updated the better. If You are afraid of attacks during boot time, then the consequences may be high. Let's say somebody has installed malicious service on Your system which executes before the microcode updater does its job. Then it could use the vulnerability to read personal data and leak it via network etc. You may also find my blog post interesting: |
|
@miczyg1: well, I am not having any exotic threat model. I am more worried about the difference between early microcode update (before the kernel boots) vs late microcode update (after the kernel has loaded). Others have posted earlier, that the results are not exactly the same in the 2 methods. Because the kernel does not dynamically re-detect for example the CPU flags after the boot, the output of dmesg differs. And god knows what else will behave differently as well. |
|
@soder10 the kernel is much more complicated than firmware and this is the problem here. I also would like to say that we have sent a request to AMD in order to encourage them to publish the newest microcode. Although it has been over a month and processing from AMD side is slow, we constantly push them to make up a decision. When the microcode will be public, we will include it natively in our builds. |
|
@miczyg1: Thanks very much to keep pushing AMD in this topic. Even if its very unlikely they change their minds. It would be the most clean solution to have the microcode update included in the firmware/bios, and no need to implement it into OS-dependent solutions. What I dont really understand, why their stubborn secrecy and restriction? There are many public instances of their binary blob downloadable on the internet (e.g. freebsd port "devcpu-data" contains a combined intel+amd microcode binary blob). |
|
@soder10 on the other side linux-firmware has not the latest microcode present for family 16h. AFAIK FreeBSD grabs the same package as Linux: |
personally, i would not like to let the firmware update application code. so i dislike letting application code update firmware, regardless of any threat model. both approaches should render the same result but actually they do not. from my experience i feel something dangerous lurking there. @soder10 having current microcode being part of the actual firmware would get closer to my requirements. |
|
@miczyg1 Pragmatically, as this is still outstanding from the official firmware in 2021, can two firmware files be produced for each release, one including the microcode alongside a disclaimer and explanation, one not including it. It seems a rather ridiculous and silly situation to still be in. The microcode file itself should already be internally signed by AMD with an integrity check present which would be tested for before the CPU will accept it. An arbitrarily modified microcode should not practically be feasible and it seems, on balance of the probabilities, also infeasible that the files we have have been tampered with given the distribution sources we already have. |
|
@nicklowe it is not about being signed by AMD or not being possible to tamper with. These files from the repo have been extracted from firmware images of firmware updates most likely. These microcode files have been distributed to firmware vendors under a certain license which probably does not allow redistribution. As a company that cooperates with AMD, we cannot integrate it in our public builds as there is a risk of violating such a license. I will try to gain permission to the microcode update file. AMD is doing some moves into open-source, so maybe they will reconsider it. However, the platform is so old that the matter has a very low priority to AMD. |
|
@miczyg1 these AMD SoCs are still not end-of-life, if I can trust this page: "AMD’s commitment to long-term availability and support (5-10 years) maximizes ROI Footnote7" |
|
@soder10 I did not say end-of-life, but a low priority. By low priority, it means the support is probably just "best effort". Issuing a license or permission on any component involves many legal issues and a huge process even for a small thing like a microcode file. Please understand it is a high cost for a relatively small matter. Also the support means how long the product is being manufactured. Thanks to that PC Engines is still able to sell their apu products today. |
|
@soder10 there are a couple of issues:
Feel free to jump on the 3mdeb vPub event or some conferences where we are available and I would tell more stories about brain damage in the industry we are in. |
|
Thanks very much for the explanation! Surely there is, in practice, close to zero chance that AMD will or might conceivably care about its stable and for a long time available microcode being included in a BIOS image for these to better address a well publicised class of security vulnerabilities? This seems a far far too hypothetical, abstract and honestly rather incredulous and nebulous concern and worry to have, a storm in a tea cup to use a British expression. What another company may have technically agreed to or not around the distribution for a well publicised security fix with AMD is surely not directly a PC Engines or 3mdeb direct legal concern? The reality is these other companies have distributed and AMD do not seem in practice to have cared, it is still available and distributed publicly, It is far more likely they have not given it any thought or attention, and have no real concern about it at all. The bad publicity that could also flow from being seen to restrict distribution of a well publicised security fix is not territory any reasonable company such as AMD would engage in or actually want to go anywhere near. Again, to use a another British expression, they would not touch this situation with a barge pole. |
Do you have any such event in the near future? Probably virtual one, I cannot travel... |
I dont think AMD cares at all. Its sad to see, that the Rzyen product became so popular and hyped by the media. On the other hand, less popular / less known niche products like a lame SoC, gets near 0 treatment from AMD. Thatswhy its no logic behind praising AMD, favoring them in contrast with Intel. These 2 companies work with the exact same principles behind the curtains. Like any country with only 2 political parties: no matter if a political puppet person belongs to the left-wing or the right-wing party. They both are same kind of criminals, who should all sit in prison, life sentenced. |
Definitely a virtual event. review of the last one is here. Please watch our social media. We working on announcing the date of the next event. |
|
Feel invited to an upcoming event, where you can hear more horror stories from 3mdeb: https://twitter.com/3mdeb_com/status/1387017457118875651 |
No description provided.
The text was updated successfully, but these errors were encountered: