On Saturday, 13 July 2019 23:03:11 BST Mick wrote: > Unlike my old Intel which lights up like a christmas tree with "Vulnerable, > no microcode found" because Intel has thrown its users to the kerb, both > AMDs show "Not Vulnerable" and for some of the vulnerabilities it reports: > > (your CPU vendor reported your CPU model as not vulnerable)
This last line made me think a bit more. Scratching around I see there are separate patch files with AMD microcode updates offered for the various CPU families. My simplistic assumption so far has been *all* CPUs of a certain family will apply the corresponding patch file microcode update, either via a new UEFI/BIOS firmware, or via the OS. Clearly this is not so. If I remove 'amd-ucode/microcode_amd_fam15h.bin' from my kernel firmware directive completely, or add amd-ucode/ patch files for every family, or even try to manually reload the microcode: echo 1 > /sys/devices/system/cpu/microcode/reload there is no change in dmesg. Clearly my CPU does not load any microcode update, other than what might be already available in the old UEFI MoBo firmware and this is loaded before the OS starts booting. Then I came across this old message regarding Piledriver CPUs: https://lists.debian.org/debian-security/2016/03/msg00084.html The post refers to model 2 of cpu family 21. Not all models in the same family, only model 2. So I am thinking although patch files are named per CPU family, whether they are applicable and applied as an update to the CPU is probably determined by the particular CPU *model*. Logically, errata in previous CPU revisions may have been fixed in later models of the same family and therefore such microcode updates would not be needed. When offered by the OS the CPU won't select to have them applied. This explains why my AMD models, which are later revisions of the same 15h family do not apply any microcode updates - they don't need them. Please share if you know differently and thank you all for your responses. -- Regards, Mick
signature.asc
Description: This is a digitally signed message part.
