Re: [elrepo] kernel-lt and microcode updates

Wed, 01 Jul 2020 12:39:09 -0700 

On 01/07/2020 19:18, John Pilkington wrote:

On 01/07/2020 18:01, Phil Perry wrote:

On 01/07/2020 17:49, Orion Poplawski wrote:


I just re-installed kernel-lt on my laptop:

# grep -i microcode dmesg-3.10.0-1127.13.1.el7.x86_64

[    0.000000] microcode: microcode updated early to revision 0xd6, 
date = 2020-04-27

[    0.021352] SRBDS: Mitigation: Microcode
[    1.542686] microcode: sig=0x806ea, pf=0x80, revision=0xd6

[    1.542918] microcode: Microcode Update Driver: v2.01 
<tig...@aivazian.fsnet.co.uk>, Peter Oruba


# grep -i microcode dmesg-4.4.228-2.el7.elrepo.x86_64
[    0.035312] SRBDS: Vulnerable: No microcode
[    0.992458] microcode: CPU0 sig=0x806ea, pf=0x80, revision=0xb4
[    0.992471] microcode: CPU1 sig=0x806ea, pf=0x80, revision=0xb4
[    0.992491] microcode: CPU2 sig=0x806ea, pf=0x80, revision=0xb4
[    0.992511] microcode: CPU3 sig=0x806ea, pf=0x80, revision=0xb4
[    0.992530] microcode: CPU4 sig=0x806ea, pf=0x80, revision=0xb4
[    0.992550] microcode: CPU5 sig=0x806ea, pf=0x80, revision=0xb4
[    0.992569] microcode: CPU6 sig=0x806ea, pf=0x80, revision=0xb4
[    0.992588] microcode: CPU7 sig=0x806ea, pf=0x80, revision=0xb4

[    0.992673] microcode: Microcode Update Driver: v2.01 
<tig...@aivazian.fsnet.co.uk>, Peter Oruba


and /proc/cpuinfo indicates that microcode is not updated

Orion


turning on dracut logging it apprears that:


I:     microcode_ctl: kernel version "4.4.228-2.el7.elrepo.x86_64" 
failed early load check for "intel", skipping


I: *** Generating early-microcode cpio image contents ***
I: *** No early-microcode cpio image needed ***

that check is done in /usr/libexec/microcode_ctl/check_caveats


that is for early loading.  not sure why the microcode.service also 
seems to fail to load the firmware.






Interesting. Any idea why early updating appears to work on the distro 
kernel, but not for kernel-lt? I wonder what check it is failing.



I will try to run some more tests on my hardware to find out if it's 
specific to you/your hardware.


For info:

[john@HP_Box ~]$ uname -r
4.4.228-2.el7.elrepo.x86_64
[john@HP_Box ~]$ dmesg | grep -i microcode
[    0.008291] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
[    1.551836] microcode: CPU0 sig=0x1067a, pf=0x1, revision=0xa0e
[    1.551843] microcode: CPU1 sig=0x1067a, pf=0x1, revision=0xa0e

[    1.551888] microcode: Microcode Update Driver: v2.01 
<tig...@aivazian.fsnet.co.uk>, Peter Oruba

[john@HP_Box ~]$

John P





And I see the same thing on my el8 box with kernel-ml. Can't even 
manually load the new firmware with:


echo 1 > /sys/devices/system/cpu/microcode/reload

I did find the answer in /var/log/messages though.


Jul  1 20:02:56 sm7047at DISCLAIMER[66335]: This kernel doesn't handle 
early microcode load properly (it tries to load
Jul  1 20:02:56 sm7047at DISCLAIMER[66335]: microcode even in 
virtualised environment, which may lead to a panic on some
Jul  1 20:02:56 sm7047at DISCLAIMER[66335]: hypervisors), thus the 
microcode files have not been added to the initramfs
Jul  1 20:02:56 sm7047at DISCLAIMER[66335]: image.  Please update your 
kernel to one of the following:
Jul  1 20:02:56 sm7047at DISCLAIMER[66335]:  RHEL 7.5: 
kernel-3.10.0-862.14.1 or newer;
Jul  1 20:02:56 sm7047at DISCLAIMER[66335]:  RHEL 7.4: 
kernel-3.10.0-693.38.1 or newer;
Jul  1 20:02:56 sm7047at DISCLAIMER[66335]:  RHEL 7.3: 
kernel-3.10.0-514.57.1 or newer;
Jul  1 20:02:56 sm7047at DISCLAIMER[66335]:  RHEL 7.2: 
kernel-3.10.0-327.73.1 or newer.
Jul  1 20:02:56 sm7047at DISCLAIMER[66335]: Please refer to 
/usr/share/doc/microcode_ctl/caveats/intel_readme
Jul  1 20:02:56 sm7047at DISCLAIMER[66335]: and 
/usr/share/doc/microcode_ctl/README.caveats for details.
Jul  1 20:02:56 sm7047at DISCLAIMER[66335]: MDS-related microcode update 
for Intel Sandy Bridge-EP (family 6, model 45,
Jul  1 20:02:56 sm7047at DISCLAIMER[66335]: stepping 7; CPUID 0x206d7) 
CPUs is disabled.
Jul  1 20:02:56 sm7047at DISCLAIMER[66335]: Please refer to 
/usr/share/doc/microcode_ctl/caveats/06-2d-07_readme
Jul  1 20:02:56 sm7047at DISCLAIMER[66335]: and 
/usr/share/doc/microcode_ctl/README.caveats for details.
Jul  1 20:02:56 sm7047at journal: This kernel doesn't handle early 
microcode load properly (it tries to load#012microcode even in 
virtualised environment, which may lead to a panic on 
some#012hypervisors), thus the microcode files have not been added to 
the initramfs#012image.  Please update your kernel to one of the 
following:#012  RHEL 7.5: kernel-3.10.0-862.14.1 or newer;#012  RHEL 
7.4: kernel-3.10.0-693.38.1 or newer;#012  RHEL 7.3: 
kernel-3.10.0-514.57.1 or newer;#012  RHEL 7.2: kernel-3.10.0-327.73.1 
or newer.#012Please refer to 
/usr/share/doc/microcode_ctl/caveats/intel_readme#012and 
/usr/share/doc/microcode_ctl/README.caveats for details.
Jul  1 20:02:56 sm7047at journal: MDS-related microcode update for Intel 
Sandy Bridge-EP (family 6, model 45,#012stepping 7; CPUID 0x206d7) CPUs 
is disabled.#012Please refer to 
/usr/share/doc/microcode_ctl/caveats/06-2d-07_readme#012and 
/usr/share/doc/microcode_ctl/README.caveats for details.


Reinstalling microcode_ctl will generate those messages for you.


Reading the docs (/usr/share/doc/microcode_ctl/caveats/intel_readme) 
tells us how to force the firmware update:


If you want to enforce early load of microcode for a specific kernel, please

create "force-early-intel" file inside /lib/firmware/<kernel_version> 
directory

and run dracut -f --kver "<kernel_version>":

    touch /lib/firmware/3.10.0-862.9.1/force-early-intel
    dracut -f --kver 3.10.0-862.9.1


After performing the above (you will need to append the .arch) I see the 
microcode firmware is now included in the initramfs:


# lsinitrd -k $(uname -r) |grep -i microcode
drwxr-xr-x   2 root     root            0 Feb 28 13:30 kernel/x86/microcode

-rw-r--r--   1 root     root        19456 Feb 28 13:30 
kernel/x86/microcode/GenuineIntel.bin

microcode_ctl-fw_dir_override

and the microcode is loaded upon reboot:

[root@sm7047at ~]# dmesg | grep -i microcode

[    0.000000] microcode: microcode updated early to revision 0x714, 
date = 2018-05-08

[    0.103355] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
[    1.724141] microcode: sig=0x206d7, pf=0x1, revision=0x714
[    1.724498] microcode: Microcode Update Driver: v2.2.
[    7.479059] microcode: updated to revision 0x71a, date = 2020-03-24

[    7.479151] x86/CPU: CPU features have changed after loading 
microcode, but might not take effect.

[    7.479153] microcode: Reload completed, microcode revision: 0x71a



So for kernel-lt and kernel-ml packages, please read the documentation 
and either force loading on a kernel-by-kernel basis, or globally 
depending upon your preference.


Phil


_______________________________________________
elrepo mailing list
elrepo@lists.elrepo.org
http://lists.elrepo.org/mailman/listinfo/elrepo






















					Reply via email to