![]() Sudo apt install intel-microcode – if you happen to use Intel CPU’s However the command you should launch to manually update just the microcode would be: Happily enough an update on microcode has landed today and when I launched a regular update on Ubuntu a package to update intel-microcode has appeared. Next, the desired update and hopefully the result will be in Intel’s parlance: “New Production MCU Rev”. So this CPU is behind the desired microcode version. If you check on the table the microcode in use now is what Intel calls “Pre-mitigation production MCU”. The CPU I am patching here is a i5-3320M from a happy Lenovo T430s. This is the link we’ll use to check our CPU and microcode: Launching commands does not guarantee the desired result necesseraly. This is a necessary step I haven’t seen on many guides to patch Spectre and Meltdown. It’s now time to grab the Intel’s latest manual (supposing you’re using that vendor instead of AMD) and compare the result we’ve received to what they’ve published. We will now check if it’s an updated one patching Spectre and Meltdown or not. Before doing anything we’ll first check the microcode version we are running. For intel the program to install is intel-microcode and for AMD the tool is named amd64-microcode. With Ubuntu, as with many other mainstream distributions, there are two tools to update CPU microcode updates. In some scenarios it would be desirable not to replace the whole BIOS but just update the microcode from the OS side. To make the search easy for you a news site collected the vendors list and linked the right support pages for anyone to look. They usually come accompanied with a “release notes” file where there are some explanatory notes on what is fixed, what is new, etc. ![]() If your hardware vendor has decided not to provide support on your hardware you are forced to use the latter solution. Download the most recent BIOS release from our vendor, provided it patches the Spectre and Meltdown vulnerabilities, or patch it from the OS. In order to update the microcode we’re faced with two options. OS vendors have resumed their microcode update releases so all seems to be fine now. Patching fast does always include risks, specially when dealing with hardware. First series did come with serious problems and some regressions, to the point GNU/Linux producers stopped releasing the microcode updates through their release channels for updates and placed the ball on Intel’s roof. Since there’s been some issues (namely Spectre and Meltdown) Intel and AMD respectively have released a series of microcode updates to address those problems. What is microcode? You can read the Wikipedia article but in short it is basically a layer of code that allows chip manufacturers to deal with modifications on the hardware they’ve produced and the operating systems that will manage that hardware. However there is one basic and common thing for all OS’s when dealing with Spectre and Meltdown and that is a microcode update is necessary for the OS patches to effectively work. I am not planning to do a guide on Windows systems since I believe someone else has or will do it and will do it better than me since I am not a pro Windows user. If you are a regular Windows user I find rare you to be here and many of the things you will read may be foreign to you. Patching these set of vulnerabilities implies some more steps and concerns than updating the operating system. If you find the articles in useful to you, please consider making a donation. Have you thought about CVE-2018-3639? This particular one could make your browser being a vector to get into your system. But have you done it to your system? I know you have a firewall. This is why big companies, governments and people in charge of big deployments are patching or have already patched their systems. The question is not if it will ever happen. There is still no known exploit around left out in the open hitting servers or desktops anywhere. And second because patching hardware is not as easy, for the manufacturer and for the users or administrators in charge of the systems. They are meaningful for several reasons among them the world wide impact since they affect Intel and AMD systems which are ubiquitous. Spectre and Meltdown are both hardware vulnerabilities. Nowadays it’s a no brainier and operating systems have provided the necessary tools for this to be easy and as smooth as possible. I never planned to do any article on patching anything. It is always a good and I hope a standard practice to have your systems patched and if they aren’t for whatever the reason (that legacy thing you’re carrying on for ages) you may take the necessary extra steps to protect your environment. As recently announced in a previous article I wanted to write a couple of guides on how to mitigate Spectre and Meltdown vulnerabilities in GNU/Linux and UNIX environments.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |