Intel Microcode Updates
-
On Linux, e.g. Ubuntu, there are regularly Intel/AMD microcode updates for security vulnerabilities. I don't think I have ever seen a microcode update on pfSense, although this week there have been 3 alone on Linux.
Is the code not updated? If not, why is there not a package for the microcode updates?
-
The microcode in the CPU is updated at boot, for example:
Launching the init system...Updating CPU Microcode...
CPU: Intel(R) Core(TM) i3-6100T CPU @ 3.20GHz (3192.16-MHz K8-class CPU)
  Origin="GenuineIntel" Id=0x506e3 Family=0x6 Model=0x5e Stepping=3
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x7ffafbbf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,SDBG,FMA,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>
  AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM>
  AMD Features2=0x121<LAHF,ABM,Prefetch>
  Structured Extended Features=0x29c67af<FSGSBASE,TSCADJ,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,NFPUSG,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PROCTRACE>
  Structured Extended Features3=0x9c002400<MD_CLEAR,TSXFA,IBPB,STIBP,L1DFL,SSBD>
  XSAVE Features=0xf<XSAVEOPT,XSAVEC,XINUSE,XSAVES>
  VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID
  TSC: P-state invariant, performance statistics
Done.
.... done.
Most security updates for microcode are not directly applicable to a bare metal firewall.
Is there a specific update you're looking for?
Steve
-
@stephenw10 I don't see any microcode for the J1900 loaded. But it was more of a general question.
-
It only shows the 'microcode' log at the console or message buffer. Or you can see it in the CPU capabilities list if that particular CPU is actually updated. If you have a newer BIOS there may not be an update for J1900 over what's already loaded.
Steve
-
@stephenw10 I don't have "Launching the init system...Updating CPU Microcode..." in my log. I don't know how to see CPU capabilities other than the boot.mesg. The Qotom 1900 has a BIOS of 2018... but it is fake, it is the same BIOS as the original 2015 version inc. ACPI bugs.
-
@stephenw10 said in Intel Microcode Updates:
It only shows the 'microcode' log at the console or message buffer.
To be clear it does not log that message in the system log or dmesg output.
Steve
-
@stephenw10 How can I see if the microcode is loaded and the version / or fixes covered?
-
[2.4.5-RELEASE][root@pfSense.trmultiservice.lab]/root: service microcode_update onestart
Updating CPU Microcode...
Done.
tail -n20 /var/log/dmesg.boot
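
Added example, not part of the original posts: one way to read the "CPU capabilities list" mentioned earlier in the thread is to check the Structured Extended Features3 line for the mitigation flags shown in the quoted boot output. The function names and the sample logs are constructed for illustration; only the flag names and the i3-6100T lines come from the thread.

```shell
#!/bin/sh
# Flag names as FreeBSD prints them, taken from the boot output quoted in the thread.
WANTED="MD_CLEAR IBPB STIBP L1DFL SSBD"

# Constructed sample: CPU block printed after the update (lines copied from the thread).
sample_updated() {
cat <<'EOF'
Updating CPU Microcode...
CPU: Intel(R) Core(TM) i3-6100T CPU @ 3.20GHz (3192.16-MHz K8-class CPU)
  Structured Extended Features=0x29c67af<FSGSBASE,TSCADJ,SGX,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,NFPUSG,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PROCTRACE>
  Structured Extended Features3=0x9c002400<MD_CLEAR,TSXFA,IBPB,STIBP,L1DFL,SSBD>
Done.
EOF
}

# Constructed sample: a CPU block that enumerates only part of the flag set.
sample_partial() {
cat <<'EOF'
CPU: Intel(R) Core(TM) i3-6100T CPU @ 3.20GHz (3192.16-MHz K8-class CPU)
  Structured Extended Features3=0xc000000<IBPB,STIBP>
EOF
}

# Constructed sample: a CPU block with no Features3 line at all.
sample_none() { printf 'CPU: constructed example without a Features3 line\n'; }

# features3: read a boot log on stdin and print the flags of the LAST Features3
# line, one per line, so a block printed after a microcode load wins over an earlier one.
features3() {
    sed -n 's/^.*Structured Extended Features3=0x[0-9a-f]*<\([^>]*\)>.*$/\1/p' |
        tail -n 1 | tr ',' '\n'
}

# missing_flags: print the WANTED flags that the log on stdin does not list.
missing_flags() {
    have=$(features3)
    out=""
    for f in $WANTED; do
        printf '%s\n' "$have" | grep -qxF "$f" || out="${out:+$out }$f"
    done
    printf '%s\n' "$out"
}

for s in sample_updated sample_partial sample_none; do
    m=$($s | missing_flags)
    if [ -n "$m" ]; then echo "$s: missing $m"; else echo "$s: all wanted flags present"; fi
done
```

A missing flag only shows that the CPU does not enumerate that control; as noted in the thread, there may be no update for a given CPU beyond what the BIOS already loaded.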
-
@stephenw10 What about ARM Cortex-A53 r0p4??
Does pfSense update the Arm "custom instructions" that might fix the compex issues right?
-
Nope, because there are none AFAIK. https://www.freshports.org/search.php?query=microcode
-
@stephenw10 ARM doesn't use microcode; it would be called Arm "custom instructions".
-
Well, still no, but I don't think that's the same thing. They appear to be available only for Cortex-M CPUs and it's not clear to me if they can be updated after build.