Subject: Re: Is processor microcode advised?
To: grarpamp, freebsd-questions@freebsd.org
Cc: freebsd-hardware@freebsd.org
From: Will Senn
Message-ID: <564F3FBF.8050603@gmail.com>
Date: Fri, 20 Nov 2015 09:43:59 -0600

On 11/20/15 3:12 AM, grarpamp wrote:
>> Is it important/necessary/advisable to install microcode for
> Microcode are fixes, tweaks, new stuff and restrictions, some
> documented, some not, it's all extremely closed source anyway (SHAME)
> due to marketing, embarrassment, recalls, the NSA, and so on...
> so who knows.
>
> Examples..
> TSX-NI in Haswell is broken, microcode update
> disables it so you don't fubar your databases, etc.
> 32bit VM PAE, and so on.
>
>> Intel CPUs?
> AMD and others too.
>
>> If so, how do you know which CPUs have updates?
> devcpu-data and cpuctl and file access times will tell you. It's
> resident on die until reboot, not flashed, and it's crypto signed,
> versioned and model specific, so you can't screw it up unless Intel
> does.
>
>> what do you look for in dmesg output?
> There are messages from the tools and/or kernel, you might need
> verbose, run them manually once, you'll see it.
>
>> Also, I see microcode_update has to load the cpuctl module. What are the
>> implications of this WRT security?
> It exposes /dev/cpuctl which may or may not have issues of its own.
> If you've got monkeys running around in your system as root or
> otherwise, whether or not you unload it is irrelevant.
> You'd likely get more security mileage by taking care of these...
> find -s / -perm +7022 -ls
>
> Until something bad hits the news, or your tinfoil hat starts arcing,
> just apply them by default and forget about it.

Thank you for the reply and for covering so much territory.

I checked dmesg for anything like cpu or micro and nothing about microcode updates was displayed. I did:

    ps aux|grep cpu

and

    ps aux | grep micro

and there were no processes running. I dug around and found the startup script:

    /usr/local/etc/rc.d/microcode_update

I looked at it and ran it:

    sudo /usr/local/etc/rc.d/microcode_update start
    Updating cpucodes...
    Done.

Still no processes. I looked at the microcode_update script again and thought about what you said about running with verbose, so working off of the script, I ran:

    sudo /usr/sbin/cpucontrol -v -u -d "/usr/local/share/cpucontrol/" /dev/cpuctl0
    cpucontrol: skipping /usr/local/share/cpucontrol//m101067770A.fw of rev 0x70a: up to date
    cpucontrol: skipping /usr/local/share/cpucontrol/m101067770A.fw of rev 0x70a: up to date

and the same for all 4 CPUs.

What I infer from this is that my CPUs are already as up to date as the microcode database is and therefore no process is needed or kept resident. Am I understanding this correctly?

Also, shouldn't there be messages in dmesg for the startup script? I have the /etc/rc.conf setting:

    microcode_update_enable="YES"

and /usr/local/etc/rc.d/microcode_update has:

    ...
    microcode_update_start()
    {
        echo "Updating cpucodes..."
    ...

I would think I would at least see "Updating cpucodes..." with dmesg. What is going on?

- Will
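The `find -s / -perm +7022 -ls` sweep quoted in the message above matches anything carrying a setuid, setgid, sticky, group-write or world-write bit. As an added example (not part of the original thread), the sh script below spells that mask out as portable `-perm -bit` tests and labels each hit; `audit_perms`, `make_sample_tree` and the sample tree are names and data constructed for illustration.

```sh
#!/bin/sh
# Added example: POSIX expansion of the thread's `find -perm +7022` sweep.

# audit_perms DIR: print "<labels> <path>" for every entry under DIR that
# has any of the five bits in mask 7022 set, sorted by path.
audit_perms() {
    dir=$1
    # "+7022" means "any of these bits"; OR-ing five "-perm -bit" tests is
    # the portable spelling. Symlinks are skipped (their own mode is noise)
    # and -xdev keeps the walk on one filesystem.
    find "$dir" -xdev ! -type l \( -perm -4000 -o -perm -2000 \
        -o -perm -1000 -o -perm -0020 -o -perm -0002 \) -print | sort |
    while IFS= read -r path; do   # assumes no newlines in file names
        labels=
        for pair in 4000:setuid 2000:setgid 1000:sticky \
                    0020:group-writable 0002:world-writable; do
            bit=${pair%%:*}
            name=${pair#*:}
            # Re-test this one path per bit with find itself, avoiding
            # stat(1), whose flags differ between BSD and GNU.
            if [ -n "$(find "$path" -prune -perm "-$bit" -print)" ]; then
                labels=${labels:+$labels,}$name
            fi
        done
        printf '%s %s\n' "$labels" "$path"
    done
}

# make_sample_tree: build a constructed test tree and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    : > "$t/helper";      chmod 4755 "$t/helper"       # setuid
    : > "$t/shared.conf"; chmod 0664 "$t/shared.conf"  # group-writable
    : > "$t/plain.txt";   chmod 0644 "$t/plain.txt"    # not flagged
    mkdir "$t/spool";     chmod 1777 "$t/spool"        # sticky, g+w, o+w
    printf '%s\n' "$t"
}

# Demo run on the constructed tree.
demo=$(make_sample_tree) && { audit_perms "$demo"; rm -rf "$demo"; }
```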