Netgate Discussion Forum

Intel Microcode Updates

12 Posts 4 Posters 1.5k Views
  • 4
    4o4rh
    last edited by Nov 12, 2020, 5:47 AM

    On Linux, e.g. Ubuntu, there are regularly Intel/AMD microcode updates for security vulnerabilities. I don't think I have ever seen a microcode update on pfSense, although this week there have been 3 alone on Linux.

    Is the code not updated? If not, why is there not a package for the microcode updates?

    1 Reply Last reply Reply Quote 0
    • S
      stephenw10 Netgate Administrator
      last edited by Nov 12, 2020, 8:41 PM

      The microcode in the CPU is updated at boot, for example:

      Launching the init system...Updating CPU Microcode...
      CPU: Intel(R) Core(TM) i3-6100T CPU @ 3.20GHz (3192.16-MHz K8-class CPU)
        Origin="GenuineIntel"  Id=0x506e3  Family=0x6  Model=0x5e  Stepping=3
        Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
        Features2=0x7ffafbbf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,SDBG,FMA,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>
        AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM>
        AMD Features2=0x121<LAHF,ABM,Prefetch>
        Structured Extended Features=0x29c67af<FSGSBASE,TSCADJ,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,NFPUSG,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PROCTRACE>
        Structured Extended Features3=0x9c002400<MD_CLEAR,TSXFA,IBPB,STIBP,L1DFL,SSBD>
        XSAVE Features=0xf<XSAVEOPT,XSAVEC,XINUSE,XSAVES>
        VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
        TSC: P-state invariant, performance statistics
      Done.
      .... done.
      

      Most security updates for microcode are not directly applicable to a bare metal firewall.

      Is there a specific update you're looking for?

      Steve

      J 1 Reply Last reply May 11, 2024, 12:33 AM Reply Quote 0
      • 4
        4o4rh
        last edited by Nov 13, 2020, 6:04 AM

        @stephenw10 I don't see any microcode for the J1900 loaded. But it was more of a general question.

        1 Reply Last reply Reply Quote 0
        • S
          stephenw10 Netgate Administrator
          last edited by Nov 13, 2020, 2:17 PM

          It only shows the 'microcode' log at the console or message buffer. Or you can see it in the CPU capabilities list if that particular CPU is actually updated. If you have a newer BIOS there may not be an update for J1900 over what's already loaded.

          Steve

          4 1 Reply Last reply Nov 13, 2020, 2:43 PM Reply Quote 0
          • 4
            4o4rh @stephenw10
            last edited by Nov 13, 2020, 2:43 PM

            @stephenw10 I don't have "Launching the init system...Updating CPU Microcode..." in my log. Don't know how to see CPU capabilities other than the boot.mesg. Qotom 1900 has BIOS of 2018...but is fake, it is the same BIOS as the original 2015 version inc. ACPI bugs.

            1 Reply Last reply Reply Quote 0
            • S
              stephenw10 Netgate Administrator
              last edited by Nov 14, 2020, 12:42 AM

              @stephenw10 said in Intel Microcode Updates:

              It only shows the 'microcode' log at the console or message buffer.

              To be clear it does not log that message in the system log or dmesg output.

              Steve

              4 1 Reply Last reply Nov 14, 2020, 10:09 AM Reply Quote 0
              • 4
                4o4rh @stephenw10
                last edited by Nov 14, 2020, 10:09 AM

                @stephenw10 How can I see if the microcode is loaded and the version / or fixes covered?

                1 Reply Last reply Reply Quote 0
                • K
                  kiokoman LAYER 8
                  last edited by Nov 14, 2020, 10:47 AM

                  [2.4.5-RELEASE][root@pfSense.trmultiservice.lab]/root: service microcode_update onestart
                  Updating CPU Microcode...
                  Done.
                  
                  tail -n20 /var/log/dmesg.boot
                  

                  ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                  Please do not use chat/PM to ask for help
                  we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                  Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                  1 Reply Last reply Reply Quote 0
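Following the replies above, which point at the CPU capabilities list in the boot messages, this added example (not posted by anyone in the thread) pulls the CPUID signature and the mitigation-related flags out of a boot log. It assumes those flags appear on this CPU generation only once updated microcode is running; the function names and the second sample are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read microcode-dependent CPUID flags
# out of a FreeBSD/pfSense boot log such as /var/log/dmesg.boot.

# Assumption: on this CPU generation these flags only show up once updated
# microcode is running. A missing flag can also mean no update exists.
UCODE_FLAGS="MD_CLEAR IBPB STIBP L1DFL SSBD"

# Print the CPUID signature from the "Id=0x..." field of the CPU banner.
cpu_signature() {
    sed -n 's/.*[[:space:]]Id=\(0x[0-9a-fA-F]*\).*/\1/p' "$1" | head -n 1
}

# Print the flags on the "Structured Extended Features3" line, one per line.
features3() {
    sed -n 's/.*Structured Extended Features3=0x[0-9a-fA-F]*<\(.*\)>.*/\1/p' "$1" |
        head -n 1 | tr ',' '\n'
}

# Print the expected flags that the boot log does not list (empty if none).
missing_ucode_flags() {
    present=$(features3 "$1")
    missing=""
    for f in $UCODE_FLAGS; do
        printf '%s\n' "$present" | grep -qx "$f" || missing="$missing $f"
    done
    printf '%s\n' "${missing# }"
}

# Sample 1: lines copied from the console output quoted earlier in the thread.
updated=$(mktemp); stale=$(mktemp)
trap 'rm -f "$updated" "$stale"' EXIT
cat > "$updated" <<'EOF'
CPU: Intel(R) Core(TM) i3-6100T CPU @ 3.20GHz (3192.16-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0x506e3  Family=0x6  Model=0x5e  Stepping=3
  Structured Extended Features3=0x9c002400<MD_CLEAR,TSXFA,IBPB,STIBP,L1DFL,SSBD>
EOF
# Sample 2: constructed, the same CPU banner with no Features3 line at all.
head -n 2 "$updated" > "$stale"

for log in "$updated" "$stale"; do
    echo "CPU $(cpu_signature "$log") missing: [$(missing_ucode_flags "$log")]"
done
```

On a live system the same functions can be pointed at `/var/log/dmesg.boot`; the CPUID signature is the value to look up in the vendor's microcode release notes.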
                  • J
                    JonathanLee @stephenw10
                    last edited by JonathanLee May 11, 2024, 12:45 AM May 11, 2024, 12:33 AM

                    @stephenw10 What about ARM Cortex-A53 r0p4??

                    Does pfSense update the Arm "custom instructions" that might fix the complex issues right?

                    Make sure to upvote

                    1 Reply Last reply Reply Quote 0
                    • S
                      stephenw10 Netgate Administrator
                      last edited by May 11, 2024, 12:45 AM

                      Nope, because there are none AFAIK. https://www.freshports.org/search.php?query=microcode

                      J 1 Reply Last reply May 11, 2024, 2:37 AM Reply Quote 1
                      • J
                        JonathanLee @stephenw10
                        last edited by May 11, 2024, 2:37 AM

                        @stephenw10 Arm doesn't use microcode; it would be called Arm "custom instructions".

                        Make sure to upvote

                        1 Reply Last reply Reply Quote 0
                        • S
                          stephenw10 Netgate Administrator
                          last edited by May 11, 2024, 12:26 PM

                          Well, still no, but I don't think that's the same thing. They appear to be available only for Cortex-M CPUs and it's not clear to me if they can be updated after build.

                          1 Reply Last reply Reply Quote 1
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.