From nobody Fri Aug 4 04:39:42 2023
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security
From: Hiren Panchasara
Reply-To: hiren@strugglingcoder.info
Date: Thu, 3 Aug 2023 21:39:42 -0700
Subject: unsubscribe
To: freebsd-security@freebsd.org

unsubscribe

From nobody Tue Aug 8 11:18:55 2023
From: Manuel Paulo Albuquerque Melo
Date: Tue, 8 Aug 2023 12:18:55 +0100 (WEST)
Subject: Re: Subject: Digest of freebsd-security@FreeBSD.org issue 47 (189-193)

I'll be away, sometimes with limited access to email, until the 27th.

Best regards,
Paulo

From nobody Wed Aug 9 07:30:54 2023
From: Stefan Bethke
Date: Wed, 9 Aug 2023 09:30:54 +0200
Subject: Downfall microcode update
To: freebsd-security@freebsd.org

https://downfall.page/#faq

Apparently, Intel will be issuing a microcode update for this. What is the recommended way to automatically apply these during boot? I see that I have cpupdate-g20180513_4 installed, which appears to be maintained despite the scarily old date in the version number :-) https://www.freshports.org/sysutils/cpupdate/

The servers I'm concerned about are old enough to not receive BIOS updates ever again.

Thanks,
Stefan

--
Stefan Bethke Fon +49 151 14070811

From eugen@grosbein.net Wed Aug 9 07:40:04 2023
From: Eugene Grosbein
Date: Wed, 9 Aug 2023 14:40:04 +0700
Subject: Re: Downfall microcode update
To: Stefan Bethke, freebsd-security@freebsd.org

09.08.2023 14:30, Stefan Bethke wrote:

> https://downfall.page/#faq
>
> Apparently, Intel will be issuing a microcode update for this. What is the recommended way to automatically apply these during boot? I see that I have cpupdate-g20180513_4 installed, which appears to be maintained despite the scarily old date in the version number :-) https://www.freshports.org/sysutils/cpupdate/
>
> The servers I'm concerned about are old enough to not receive BIOS updates ever again.

Hi!

I maintain the port of cpupdate. The mentioned date corresponds to the version of the utility itself, not to the microcodes it uses, which are not part of the port/package.

Ports users can use the one-time "make install-microcodes" convenience helper to download a whole bunch of microcode updates for various Intel CPUs. Package users can use the one-time "service cpupdate download" that does the same.

cpupdate_enable="YES" # in /etc/rc.conf
should be enough

From nobody Wed Aug 9 07:41:07 2023
From: Alexander Leidinger
To: Stefan Bethke
Date: Wed, 09 Aug 2023 09:41:07 +0200
Subject: Re: Downfall microcode update

Hi,

The real microcode is in sysutils/devcpu-data-intel and updated much more recently.

You can load the microcode from loader, or from a rc.d service.

Bye,
Alexander.

--
Sent from a mobile device, please forgive brevity and misspellings.

On 9 August 2023 09:33:06, Stefan Bethke wrote:

> https://downfall.page/#faq
>
> Apparently, Intel will be issuing a microcode update for this. What is the
> recommended way to automatically apply these during boot? I see that I have
> cpupdate-g20180513_4 installed, which appears to be maintained despite the
> scarily old date in the version number :-)
> https://www.freshports.org/sysutils/cpupdate/
>
> The servers I'm concerned about are old enough to not receive BIOS updates
> ever again.
>
>
> Thanks,
> Stefan
>
> --
> Stefan Bethke Fon +49 151 14070811

From nobody Wed Aug 9 08:27:38 2023
From: Stefan Bethke
Date: Wed, 9 Aug 2023 10:27:38 +0200
Subject: Re: Downfall microcode update
To: Alexander Leidinger
Cc: freebsd-security@freebsd.org

Thank you!

> On 09.08.2023 at 09:41, Alexander Leidinger wrote:
>
> Hi,
>
> The real microcode is in sysutils/devcpu-data-intel and updated much more recently.
>
> You can load the microcode from loader, or from a rc.d service.
>
> Bye,
> Alexander.
>
> --
> Sent from a mobile device, please forgive brevity and misspellings.
>
> On 9 August 2023 09:33:06, Stefan Bethke wrote:
>
>> https://downfall.page/#faq
>>
>> Apparently, Intel will be issuing a microcode update for this. What is the recommended way to automatically apply these during boot? I see that I have cpupdate-g20180513_4 installed, which appears to be maintained despite the scarily old date in the version number :-) https://www.freshports.org/sysutils/cpupdate/
>>
>> The servers I'm concerned about are old enough to not receive BIOS updates ever again.
>>
>>
>> Thanks,
>> Stefan
>>
>> --
>> Stefan Bethke Fon +49 151 14070811
>

--
Stefan Bethke Fon +49 151 14070811

From nobody Wed Aug 9 09:46:10 2023
4RLQDP15H4z10wF; Wed, 9 Aug 2023 09:46:13 +0000 (UTC) (envelope-from des@freebsd.org) Received: by ltc.des.no (Postfix, from userid 1001) id 9996818412; Wed, 9 Aug 2023 11:46:10 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Eugene Grosbein Cc: Stefan Bethke , freebsd-security@freebsd.org Subject: Re: Downfall microcode update In-Reply-To: <66285345-7ab9-931a-fbb4-fd988f629e74@grosbein.net> (Eugene Grosbein's message of "Wed, 9 Aug 2023 14:40:04 +0700") References: <66285345-7ab9-931a-fbb4-fd988f629e74@grosbein.net> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (berkeley-unix) Date: Wed, 09 Aug 2023 11:46:10 +0200 Message-ID: <867cq4tuot.fsf@ltc.des.no> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Eugene Grosbein writes: > cpupdate_enable=3D"YES" # in /etc/rc.conf should be enough You mean microcode_update_enable=3D"yes" DES --=20 Dag-Erling Sm=C3=B8rgrav - des@FreeBSD.org From nobody Wed Aug 9 13:08:46 2023 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RLVlr3qMHz4pxZG for ; Wed, 9 Aug 2023 13:10:16 +0000 (UTC) (envelope-from naddy@mips.inka.de) Received: from mail.inka.de (mail.inka.de [IPv6:2a04:c9c7:0:1073:217:a4ff:fe3b:e77c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4RLVlp0qvKz4JYC for ; Wed, 9 Aug 2023 13:10:13 +0000 (UTC) (envelope-from naddy@mips.inka.de) Authentication-Results: mx1.freebsd.org; dkim=none; spf=none (mx1.freebsd.org: domain 
of naddy@mips.inka.de has no SPF policy when checking 2a04:c9c7:0:1073:217:a4ff:fe3b:e77c) smtp.mailfrom=naddy@mips.inka.de; dmarc=none Received: from mips.inka.de (naddy@[127.0.0.1]) by mail.inka.de with uucp (rmailwrap 0.5) id 1qTiwv-008cEM-9g; Wed, 09 Aug 2023 15:10:05 +0200 Received: from lorvorc.mips.inka.de (localhost [127.0.0.1]) by lorvorc.mips.inka.de (8.17.1/8.17.1) with ESMTP id 379D8kEs082588 for ; Wed, 9 Aug 2023 15:08:46 +0200 (CEST) (envelope-from naddy@lorvorc.mips.inka.de) Received: (from naddy@localhost) by lorvorc.mips.inka.de (8.17.1/8.17.1/Submit) id 379D8kgQ082587 for freebsd-security@freebsd.org; Wed, 9 Aug 2023 15:08:46 +0200 (CEST) (envelope-from naddy) Date: Wed, 9 Aug 2023 15:08:46 +0200 From: Christian Weisgerber To: freebsd-security@freebsd.org Subject: Re: Downfall microcode update Message-ID: References: <189d93e0238.2805.fa4b1493b064008fe79f0f905b8e5741@Leidinger.net> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <189d93e0238.2805.fa4b1493b064008fe79f0f905b8e5741@Leidinger.net> X-Spamd-Result: default: False [-1.94 / 15.00]; AUTH_NA(1.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-0.999]; NEURAL_HAM_SHORT(-0.99)[-0.988]; NEURAL_HAM_LONG(-0.85)[-0.851]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[inka.de]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; R_SPF_NA(0.00)[no SPF record]; ARC_NA(0.00)[]; R_DKIM_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; MID_RHS_MATCH_FROMTLD(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; ASN(0.00)[asn:202113, ipnet:2a04:c9c0::/29, country:DE]; FROM_HAS_DN(0.00)[]; FREEFALL_USER(0.00)[naddy]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-security@freebsd.org]; 
RCVD_TLS_LAST(0.00)[] X-Spamd-Bar: - X-Rspamd-Queue-Id: 4RLVlp0qvKz4JYC Alexander Leidinger: > The real microcode is in sysutils/devcpu-data-intel and updated much more > recently. > > You can load the microcode from loader, Specifically, I have this in /boot/loader.conf: cpu_microcode_load="YES" cpu_microcode_name="/boot/firmware/intel-ucode.bin" > or from a rc.d service. Updating the CPU microcode _after_ the kernel has started seems questionable. -- Christian "naddy" Weisgerber naddy@mips.inka.de From nobody Thu Aug 10 00:13:00 2023 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RLnSd5N34z4mVWh for ; Thu, 10 Aug 2023 00:13:05 +0000 (UTC) (envelope-from void@f-m.fm) Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4RLnSc21MZz4Vts for ; Thu, 10 Aug 2023 00:13:04 +0000 (UTC) (envelope-from void@f-m.fm) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=f-m.fm header.s=fm3 header.b=XnmSM8lJ; dkim=pass header.d=messagingengine.com header.s=fm3 header.b="V IT1K/7"; spf=pass (mx1.freebsd.org: domain of void@f-m.fm designates 66.111.4.26 as permitted sender) smtp.mailfrom=void@f-m.fm; dmarc=pass (policy=none) header.from=f-m.fm Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 726885C0048 for ; Wed, 9 Aug 2023 20:13:03 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute2.internal (MEProxy); Wed, 09 Aug 2023 20:13:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=f-m.fm; h=cc :content-transfer-encoding:content-type:content-type:date:date 
Date: Thu, 10 Aug 2023 01:13:00 +0100
From: void
To: freebsd-security@freebsd.org
Subject: Re: Downfall microcode update

On Wed, Aug 09, 2023 at 11:46:10AM +0200, Dag-Erling Smørgrav wrote:
>Eugene Grosbein writes:
>> cpupdate_enable="YES" # in /etc/rc.conf should be enough
>
>You mean
>
>microcode_update_enable="yes"
>
>DES

What's the proper way then, for Intel?

1. install sysutils/cpupdate and enable it in rc.conf ?

2. microcode_update_enable="yes" in rc.conf ?

3. in /boot/loader.conf:
cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"
?

All 3 ? Just 1 & 2? Is just #3 sufficient?

Make cron attempt to download updates daily, via
service cpupdate download ?

Is CPM needed? The manpage for cpupdate has this:

CPUPDATE(8)          FreeBSD System Manager's Manual          CPUPDATE(8)

NAME
     cpupdate TO BE DONE: MANPAGE

FreeBSD 13.2-STABLE          January 15, 2018          FreeBSD 13.2-STABLE

-- 

From nobody Thu Aug 10 05:26:32 2023
From: grarpamp
Date: Thu, 10 Aug 2023 01:26:32 -0400
Subject: Re: Downfall microcode update
To: freebsd-security@freebsd.org

> Updating the CPU microcode _after_ the kernel has started

Kernel does a lot of stuff "after it starts" running, after it gets
loaded, before userland, so really your note means the next possible
place for "updating" is after the kernel hands off to init.

> seems questionable.

Yes, it's supposed to go in from the BIOS before executing any other
code (i.e. from disk). So unless you are able to rebuild your own BIOS
images on old boards whose makers are too lame to support updates
from the upstream CPU vendor, then the next earliest and thus most
correct way is to have the loader load it into the CPU first... in
case the kernel does use the CPU ops that the ucode modifies.

The rc way could be there for an easier config switch from bad ucode
in single user mode. At least Intel has revoked at least one ucode
for problems before, but probably not yet for one that locked up
anyone's basic kernel load, boot, or user shell. So rc kind of doesn't
need to exist given the loader way, and given that reboot repair
methods still exist.
> cron

From the HW vendors' CPU repos could work, no need to hammer the fbsd
site for that, but a bit overkill unless you're a shared hosting
service; the big guys get advance notice anyway. Nor is anyone sane
doing cron fetch and installworld to apply new code like that either.
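
Added example, not part of any message in this thread: a shell check that reports whether a host is set up for the early (loader) or late (rc.d) microcode path discussed above. It reads only the knobs quoted in the thread (cpu_microcode_load, cpu_microcode_name, microcode_update_enable); the function names, the ROOT prefix argument and the sample tree are assumptions made for the example.

```shell
# Added example: report which microcode path a FreeBSD host is configured for.
# get_knob FILE NAME: print the last value assigned to NAME in FILE, quotes stripped.
get_knob() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Same spellings rc.subr's checkyesno accepts.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# ucode_mode LOADER_CONF RC_CONF [ROOT]
# ROOT (hypothetical) is a path prefix so a staged tree can be checked.
# Prints early | late | both | none, or early-missing-file (status 1) when
# loader.conf enables the load but the named file is absent or empty.
ucode_mode() {
    loader_conf=$1; rc_conf=$2; root=${3:-}
    early=no; late=no
    if is_yes "$(get_knob "$loader_conf" cpu_microcode_load)"; then
        name=$(get_knob "$loader_conf" cpu_microcode_name)
        if [ -n "$name" ] && [ -s "$root$name" ]; then
            early=yes
        else
            echo early-missing-file; return 1
        fi
    fi
    if is_yes "$(get_knob "$rc_conf" microcode_update_enable)"; then late=yes; fi
    case "$early/$late" in
        yes/yes) echo both ;;
        yes/no)  echo early ;;
        no/yes)  echo late ;;
        *)       echo none ;;
    esac
}

# Constructed sample tree using the loader.conf lines quoted in the thread.
demo() {
    d=$(mktemp -d); mkdir -p "$d/boot/firmware" "$d/etc"
    printf '%s\n' 'cpu_microcode_load="YES"' \
        'cpu_microcode_name="/boot/firmware/intel-ucode.bin"' > "$d/boot/loader.conf"
    printf '%s\n' 'microcode_update_enable="yes"' > "$d/etc/rc.conf"
    printf 'placeholder, not real microcode\n' > "$d/boot/firmware/intel-ucode.bin"
    ucode_mode "$d/boot/loader.conf" "$d/etc/rc.conf" "$d"
    rm -rf "$d"
}
```

On a live host the call is `ucode_mode /boot/loader.conf /etc/rc.conf`; settings kept in other files are not consulted.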