From: grarpamp
Date: Fri, 20 Nov 2015 04:12:28 -0500
Subject: Is processor microcode advised?
To: freebsd-questions@freebsd.org
Cc: freebsd-hardware@freebsd.org

> Is it important/necessary/advisable to install microcode for

Microcode are fixes, tweaks, new stuff and restrictions, some
documented, some not, it's all extremely closed source anyway (SHAME)
due to marketing, embarrassment, recalls, the NSA, and so on...
so who knows. Examples.. TSX-NI in Haswell is broken, microcode
update disables it so you don't fubar your databases, etc.
32bit VM PAE, and so on.

> Intel CPU's?

AMD and others too.

> If so, how do you know which CPU's have updates?

devcpu-data and cpuctl and file access times will tell you.
It's resident on die until reboot, not flashed, and it's crypto
signed, versioned and model specific, so you can't screw it up
unless Intel does.

> what do you look for in dmesg output?

There are messages from the tools and/or kernel, you might need
verbose, run them manually once, you'll see it.

> Also, I see microcode_update has to load the cpuctl module. What are the
> implications of this WRT security?

It exposes /dev/cpuctl which may or may not have issues of its own.
If you've got monkeys running around in your system as root or
otherwise, whether or not you unload it is irrelevant. You'd likely
get more security mileage by taking care of these...

find -s / -perm +7022 -ls

Until something bad hits the news, or your tinfoil hat starts arcing,
just apply them by default and forget about it.
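
Added example, not part of the original message: the mask 7022 in the find command above selects entries with any of setuid (4000), setgid (2000), sticky (1000), group-write (020) or other-write (002) set. The sketch below labels each hit with the bits that matched; perm_findings is a hypothetical helper name, and it uses POSIX -perm -MODE tests so it also runs where find does not accept the + form.

```shell
#!/bin/sh
# Added example: report which of the 7022 bits caused each match.
# perm_findings is a hypothetical helper, not part of any FreeBSD tool.
# Assumption: path names contain no newline characters.
# Usage: perm_findings /usr/local

# Print "<flags> <path>" for every entry under $1 that has at least one of
# setuid, setgid, sticky, group-write or other-write set.
perm_findings() {
    root=$1
    # One -perm -BIT test per bit, OR-ed together, gives the same
    # "any of these bits" meaning as FreeBSD's -perm +7022.
    # -xdev stays on one filesystem; symlinks are skipped because their
    # own mode bits carry no meaning.
    find "$root" -xdev ! -type l \( -perm -4000 -o -perm -2000 \
        -o -perm -1000 -o -perm -0020 -o -perm -0002 \) -print |
    while IFS= read -r path; do
        flags=
        for pair in 4000:setuid 2000:setgid 1000:sticky 0020:g+w 0002:o+w; do
            bit=${pair%%:*}
            name=${pair#*:}
            # Re-test this single entry for one bit; -prune stops descent.
            if [ -n "$(find "$path" -prune -perm "-$bit" -print)" ]; then
                flags="${flags:+$flags,}$name"
            fi
        done
        printf '%s %s\n' "$flags" "$path"
    done
}
```

A sticky, world-writable directory such as /tmp is expected in the output; setuid binaries and writable files outside such directories are the entries to review.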