On Sat, 2018-01-13 at 14:20 +0100, Thomas Liske wrote:

> While adding the feature in needrestart I've looked more closely at the
> iucode-tool stuff. I don't think we need to examine the initrd since
> the following command should already give the required information:
> 
> # iucode_tool -Sl /lib/firmware/intel-ucode/

That would give false positives when the system has disabled adding the
microcode to the initrd, since rebooting will not give the new ucode.
This could happen if the sysadmin experienced issues with new ucodes.

> The processor is running a microcode with signature 0x000306c3 and the
> last line after 'selected microcodes:' should contain the most recent
> signature value, shouldn't it?

I think so, yes.

> I wonder if it is still required to look at the revision value for each
> CPU/Core (grep microcode /proc/cpuinfo). For single socket systems each
> core should report the same version. I do not know if it would be possible
> to run different microcode releases on multi socket systems.

It should be enough, but it would be better to handle all cases IMO.
I have no idea if iucode-tool handles systems with multiple sockets,
so I am CCing Debian's Intel/AMD microcode maintainer.

> For the check in needrestart it should be enough to compare the current
> running microcode signature with the latest available one. This would
> also handle outdated initrd images gracefully.

I think on Debian at least, outdated microcode in the initrd could only
be intentional on the part of the sysadmin.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
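
The per-core check discussed in the thread, as an added example that is not part of the original mail and is not needrestart's code: it groups the `microcode` field of `/proc/cpuinfo` by `physical id`, so a multi-socket system whose sockets run different revisions is reported per socket. The function names and the sample text are constructed, and `available_rev` is assumed to have been obtained separately (for example from the iucode_tool listing) for the same CPU signature.

```python
import re
from collections import defaultdict

# Constructed /proc/cpuinfo excerpt: two sockets, socket 1 on an older revision.
SAMPLE_CPUINFO = """\
processor\t: 0
physical id\t: 0
microcode\t: 0x22

processor\t: 1
physical id\t: 0
microcode\t: 0x22

processor\t: 2
physical id\t: 1
microcode\t: 0x1c

processor\t: 3
physical id\t: 1
microcode\t: 0x1c
"""


def running_revisions(cpuinfo_text):
    """Map physical id (socket) -> set of microcode revisions its cores report."""
    per_socket = defaultdict(set)
    for block in re.split(r"\n\s*\n", cpuinfo_text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "microcode" not in fields:
            continue  # field is absent on some architectures
        socket = int(fields.get("physical id", 0))
        per_socket[socket].add(int(fields["microcode"], 16))
    return dict(per_socket)


def sockets_needing_update(cpuinfo_text, available_rev):
    """Sorted socket ids where any core runs a revision older than available_rev."""
    revs = running_revisions(cpuinfo_text)
    return sorted(s for s, r in revs.items() if min(r) < available_rev)


if __name__ == "__main__":
    with open("/proc/cpuinfo") as fh:
        print(running_revisions(fh.read()))
```

A socket listed by `sockets_needing_update` only benefits from a reboot if the newer microcode is actually included in the initrd, which is the false-positive case raised above.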
