我有一台 braswell 处理器,一台英特尔 N3150。根据微码修订指南,应该有一个微码更新:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf
Cherry View (Cherry Trail, Braswell) Intel® Atom® x5-Zxxxx CPU 406C3 01 Production --- --- 00000367
Cherry View (Cherry Trail,Braswell) Intel® Celeron® Processor Jxxxx, Intel® Celeron® Processor N3xxx, Intel® Pentium® Processor J3xxx, Intel® Pentium® Processor N3xxx, Intel® Atom® x5-E8000 Processor 406C4 01 Production --- --- 00000410
我的 CPUID 是 406C3 ... 我不知道为什么它不是 406C4,但两者都有英特尔确认的更新。但如果我查看最新的微码数据文件(12-03-2018),该文件也是来自 ubuntu 存储库的 intel-microcode 包的基础,则不包含这些更新:
microcode-20180312$ iucode_tool -tb -l ./intel-ucode
selected microcodes:
001: sig 0x00000650, pf mask 0x01, 1999-05-25, rev 0x0040, size 2048
002: sig 0x00000650, pf mask 0x02, 1999-05-25, rev 0x0041, size 2048
003: sig 0x00000650, pf mask 0x08, 1999-05-25, rev 0x0045, size 2048
004: sig 0x00000651, pf mask 0x01, 1999-05-25, rev 0x0040, size 2048
005: sig 0x00000652, pf mask 0x01, 1999-05-12, rev 0x002a, size 2048
006: sig 0x00000652, pf mask 0x02, 1999-05-17, rev 0x002c, size 2048
007: sig 0x00000652, pf mask 0x04, 1999-05-12, rev 0x002b, size 2048
008: sig 0x00000653, pf mask 0x01, 1999-06-28, rev 0x0010, size 2048
009: sig 0x00000653, pf mask 0x02, 1999-05-18, rev 0x000c, size 2048
010: sig 0x00000653, pf mask 0x04, 1999-05-20, rev 0x000b, size 2048
011: sig 0x00000653, pf mask 0x08, 1999-05-18, rev 0x000d, size 2048
012: sig 0x00000660, pf mask 0x01, 1999-05-05, rev 0x000a, size 2048
013: sig 0x00000665, pf mask 0x10, 1999-05-05, rev 0x0003, size 2048
014: sig 0x0000066a, pf mask 0x02, 1999-05-05, rev 0x000c, size 2048
015: sig 0x0000066a, pf mask 0x08, 1999-05-05, rev 0x000d, size 2048
016: sig 0x0000066a, pf mask 0x20, 1999-05-05, rev 0x000b, size 2048
017: sig 0x0000066d, pf mask 0x02, 1999-03-12, rev 0x0005, size 2048
018: sig 0x0000066d, pf mask 0x08, 1999-03-12, rev 0x0006, size 2048
019: sig 0x0000066d, pf mask 0x20, 1999-05-05, rev 0x0007, size 2048
020: sig 0x00000671, pf mask 0x04, 1998-08-11, rev 0x0014, size 2048
021: sig 0x00000672, pf mask 0x04, 1999-09-22, rev 0x0038, size 2048
022: sig 0x00000673, pf mask 0x04, 1999-09-10, rev 0x002e, size 2048
023: sig 0x00000681, pf mask 0x01, 1999-09-21, rev 0x000d, size 2048
024: sig 0x00000681, pf mask 0x04, 1999-09-21, rev 0x0010, size 2048
025: sig 0x00000681, pf mask 0x08, 1999-09-21, rev 0x000f, size 2048
026: sig 0x00000681, pf mask 0x10, 1999-09-21, rev 0x0011, size 2048
027: sig 0x00000681, pf mask 0x20, 1999-09-21, rev 0x000e, size 2048
028: sig 0x00000683, pf mask 0x08, 1999-10-15, rev 0x0008, size 2048
029: sig 0x00000683, pf mask 0x20, 1999-10-15, rev 0x0007, size 2048
030: sig 0x00000686, pf mask 0x01, 2000-05-05, rev 0x0007, size 2048
031: sig 0x00000686, pf mask 0x02, 2000-05-04, rev 0x000a, size 2048
032: sig 0x00000686, pf mask 0x04, 2000-05-04, rev 0x0002, size 2048
033: sig 0x00000686, pf mask 0x10, 2000-05-05, rev 0x0008, size 2048
034: sig 0x00000686, pf mask 0x80, 2000-05-04, rev 0x000c, size 2048
035: sig 0x0000068a, pf mask 0x10, 2000-11-02, rev 0x0001, size 2048
036: sig 0x0000068a, pf mask 0x20, 2000-12-07, rev 0x0004, size 2048
037: sig 0x0000068a, pf mask 0x80, 2000-12-07, rev 0x0005, size 2048
038: sig 0x00000695, pf mask 0x10, 2004-11-09, rev 0x0007, size 2048
039: sig 0x00000695, pf mask 0x20, 2004-11-09, rev 0x0007, size 2048
040: sig 0x00000695, pf mask 0x80, 2004-11-09, rev 0x0047, size 2048
041: sig 0x000006a0, pf mask 0x04, 2000-01-10, rev 0x0003, size 2048
042: sig 0x000006a1, pf mask 0x04, 2000-03-06, rev 0x0001, size 2048
043: sig 0x000006b1, pf mask 0x10, 2001-02-15, rev 0x001c, size 2048
044: sig 0x000006b1, pf mask 0x20, 2001-02-20, rev 0x001d, size 2048
045: sig 0x000006b4, pf mask 0x10, 2002-01-10, rev 0x0001, size 2048
046: sig 0x000006b4, pf mask 0x20, 2002-01-11, rev 0x0002, size 2048
047: sig 0x000006d6, pf mask 0x20, 2004-10-17, rev 0x0018, size 2048
048: sig 0x000006e8, pf mask 0x20, 2005-11-15, rev 0x0039, size 4096
049: sig 0x000006ec, pf mask 0x20, 2006-05-01, rev 0x0054, size 4096
050: sig 0x000006ec, pf mask 0x80, 2006-09-12, rev 0x0059, size 4096
051: sig 0x000006f2, pf mask 0x01, 2010-10-02, rev 0x005d, size 4096
052: sig 0x000006f2, pf mask 0x20, 2010-10-02, rev 0x005c, size 4096
053: sig 0x000006f6, pf mask 0x01, 2010-09-30, rev 0x00d0, size 4096
054: sig 0x000006f6, pf mask 0x04, 2010-10-01, rev 0x00d2, size 4096
055: sig 0x000006f6, pf mask 0x20, 2010-10-01, rev 0x00d1, size 4096
056: sig 0x000006f7, pf mask 0x10, 2010-10-02, rev 0x006a, size 4096
057: sig 0x000006f7, pf mask 0x40, 2010-10-02, rev 0x006b, size 4096
058: sig 0x000006fa, pf mask 0x80, 2010-10-02, rev 0x0095, size 4096
059: sig 0x000006fb, pf mask 0x01, 2010-10-03, rev 0x00ba, size 4096
060: sig 0x000006fb, pf mask 0x04, 2010-10-03, rev 0x00bc, size 4096
061: sig 0x000006fb, pf mask 0x08, 2010-10-03, rev 0x00bb, size 4096
062: sig 0x000006fb, pf mask 0x10, 2010-10-03, rev 0x00ba, size 4096
063: sig 0x000006fb, pf mask 0x20, 2010-10-03, rev 0x00ba, size 4096
064: sig 0x000006fb, pf mask 0x40, 2010-10-03, rev 0x00bc, size 4096
065: sig 0x000006fb, pf mask 0x80, 2010-10-03, rev 0x00ba, size 4096
066: sig 0x000006fd, pf mask 0x01, 2010-10-02, rev 0x00a4, size 4096
067: sig 0x000006fd, pf mask 0x20, 2010-10-02, rev 0x00a4, size 4096
068: sig 0x000006fd, pf mask 0x80, 2010-10-02, rev 0x00a4, size 4096
069: sig 0x00000f07, pf mask 0x01, 2002-07-16, rev 0x0012, size 2048
070: sig 0x00000f07, pf mask 0x02, 2000-11-15, rev 0x0008, size 2048
071: sig 0x00000f0a, pf mask 0x01, 2002-07-16, rev 0x0013, size 2048
072: sig 0x00000f0a, pf mask 0x02, 2002-08-21, rev 0x0015, size 2048
073: sig 0x00000f0a, pf mask 0x04, 2002-07-16, rev 0x0014, size 2048
074: sig 0x00000f12, pf mask 0x04, 2003-05-02, rev 0x002e, size 2048
075: sig 0x00000f24, pf mask 0x02, 2003-06-05, rev 0x001f, size 2048
076: sig 0x00000f24, pf mask 0x04, 2003-06-05, rev 0x001e, size 2048
077: sig 0x00000f24, pf mask 0x10, 2003-06-10, rev 0x0021, size 2048
078: sig 0x00000f25, pf mask 0x01, 2004-08-11, rev 0x0029, size 2048
079: sig 0x00000f25, pf mask 0x02, 2004-08-11, rev 0x002a, size 2048
080: sig 0x00000f25, pf mask 0x04, 2004-08-11, rev 0x002b, size 2048
081: sig 0x00000f25, pf mask 0x10, 2004-08-26, rev 0x002c, size 2048
082: sig 0x00000f26, pf mask 0x02, 2004-08-05, rev 0x0010, size 2048
083: sig 0x00000f27, pf mask 0x02, 2003-06-04, rev 0x0038, size 2048
084: sig 0x00000f27, pf mask 0x04, 2003-06-04, rev 0x0037, size 2048
085: sig 0x00000f27, pf mask 0x08, 2003-06-04, rev 0x0039, size 2048
086: sig 0x00000f29, pf mask 0x02, 2004-08-11, rev 0x002d, size 2048
087: sig 0x00000f29, pf mask 0x04, 2004-08-11, rev 0x002e, size 2048
088: sig 0x00000f29, pf mask 0x08, 2004-08-11, rev 0x002f, size 2048
089: sig 0x00000f32, pf mask 0x0d, 2004-05-11, rev 0x000a, size 2048
090: sig 0x00000f33, pf mask 0x0d, 2005-04-21, rev 0x000c, size 2048
091: sig 0x00000f34, pf mask 0x1d, 2005-04-21, rev 0x0017, size 7168
092: sig 0x00000f41, pf mask 0x02, 2005-04-21, rev 0x0016, size 5120
093: sig 0x00000f41, pf mask 0xbd, 2005-04-22, rev 0x0017, size 5120
094: sig 0x00000f43, pf mask 0x9d, 2005-04-21, rev 0x0005, size 2048
095: sig 0x00000f44, pf mask 0x9d, 2005-04-21, rev 0x0006, size 3072
096: sig 0x00000f47, pf mask 0x9d, 2005-04-21, rev 0x0003, size 3072
097: sig 0x00000f48, pf mask 0x01, 2006-05-08, rev 0x000c, size 3072
098: sig 0x00000f48, pf mask 0x02, 2008-01-15, rev 0x000e, size 3072
099: sig 0x00000f48, pf mask 0x5f, 2005-06-30, rev 0x0007, size 3072
100: sig 0x00000f49, pf mask 0xbd, 2005-04-21, rev 0x0003, size 2048
101: sig 0x00000f4a, pf mask 0x5c, 2005-12-14, rev 0x0004, size 2048
102: sig 0x00000f4a, pf mask 0x5d, 2005-06-10, rev 0x0002, size 2048
103: sig 0x00000f62, pf mask 0x04, 2005-12-15, rev 0x000f, size 3072
104: sig 0x00000f64, pf mask 0x01, 2005-12-15, rev 0x0002, size 3072
105: sig 0x00000f64, pf mask 0x34, 2005-12-23, rev 0x0004, size 3072
106: sig 0x00000f65, pf mask 0x01, 2006-04-26, rev 0x0008, size 2048
107: sig 0x00000f68, pf mask 0x22, 2006-07-14, rev 0x0009, size 2048
108: sig 0x00001632, pf mask 0x00, 1998-06-10, rev 0x0002, size 2048
109: sig 0x00010661, pf mask 0x01, 2010-10-04, rev 0x0043, size 4096
110: sig 0x00010661, pf mask 0x02, 2010-10-04, rev 0x0042, size 4096
111: sig 0x00010661, pf mask 0x80, 2010-10-04, rev 0x0044, size 4096
112: sig 0x00010676, pf mask 0x01, 2010-09-29, rev 0x060f, size 4096
113: sig 0x00010676, pf mask 0x04, 2010-09-29, rev 0x060f, size 4096
114: sig 0x00010676, pf mask 0x10, 2010-09-29, rev 0x060f, size 4096
115: sig 0x00010676, pf mask 0x40, 2010-09-29, rev 0x060f, size 4096
116: sig 0x00010676, pf mask 0x80, 2010-09-29, rev 0x060f, size 4096
117: sig 0x00010677, pf mask 0x10, 2010-09-29, rev 0x070a, size 4096
118: sig 0x0001067a, pf mask 0x11, 2010-09-28, rev 0x0a0b, size 8192
119: sig 0x0001067a, pf mask 0x44, 2010-09-28, rev 0x0a0b, size 8192
120: sig 0x0001067a, pf mask 0xa0, 2010-09-28, rev 0x0a0b, size 8192
121: sig 0x000106a4, pf mask 0x03, 2013-06-21, rev 0x0012, size 14336
122: sig 0x000106a5, pf mask 0x03, 2013-06-21, rev 0x0019, size 10240
123: sig 0x000106c2, pf mask 0x01, 2009-04-10, rev 0x0217, size 5120
124: sig 0x000106c2, pf mask 0x04, 2009-04-10, rev 0x0218, size 5120
125: sig 0x000106c2, pf mask 0x08, 2009-04-10, rev 0x0219, size 5120
126: sig 0x000106ca, pf mask 0x01, 2009-08-25, rev 0x0107, size 5120
127: sig 0x000106ca, pf mask 0x04, 2009-08-25, rev 0x0107, size 5120
128: sig 0x000106ca, pf mask 0x08, 2009-08-25, rev 0x0107, size 5120
129: sig 0x000106ca, pf mask 0x10, 2009-08-25, rev 0x0107, size 5120
130: sig 0x000106d1, pf mask 0x08, 2010-09-30, rev 0x0029, size 4096
131: sig 0x000106e5, pf mask 0x13, 2013-08-20, rev 0x0007, size 7168
132: sig 0x00020652, pf mask 0x12, 2013-06-26, rev 0x000e, size 8192
133: sig 0x00020655, pf mask 0x92, 2013-06-28, rev 0x0004, size 3072
134: sig 0x00020661, pf mask 0x01, 2009-10-23, rev 0x0104, size 5120
135: sig 0x00020661, pf mask 0x02, 2011-07-18, rev 0x0105, size 5120
136: sig 0x000206a7, pf mask 0x12, 2018-02-07, rev 0x002d, size 12288
137: sig 0x000206d6, pf mask 0x6d, 2018-01-30, rev 0x061c, size 18432
138: sig 0x000206d7, pf mask 0x6d, 2018-01-26, rev 0x0713, size 19456
139: sig 0x000206f2, pf mask 0x05, 2013-06-18, rev 0x0037, size 13312
140: sig 0x000306a9, pf mask 0x12, 2018-02-07, rev 0x001f, size 13312
141: sig 0x000306c3, pf mask 0x32, 2018-01-21, rev 0x0024, size 23552
142: sig 0x000306d4, pf mask 0xc0, 2018-01-18, rev 0x002a, size 18432
143: sig 0x000306e4, pf mask 0xed, 2018-01-25, rev 0x042c, size 15360
144: sig 0x000306e6, pf mask 0xed, 2013-06-19, rev 0x0600, size 11264
145: sig 0x000306e7, pf mask 0xed, 2018-02-16, rev 0x0713, size 16384
146: sig 0x000306f2, pf mask 0x6f, 2018-01-19, rev 0x003c, size 33792
147: sig 0x000306f4, pf mask 0x80, 2018-01-22, rev 0x0011, size 17408
148: sig 0x00040651, pf mask 0x72, 2018-01-18, rev 0x0023, size 21504
149: sig 0x00040661, pf mask 0x32, 2018-01-21, rev 0x0019, size 25600
150: sig 0x00040671, pf mask 0x22, 2018-01-21, rev 0x001d, size 12288
151: sig 0x000406e3, pf mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
152: sig 0x000406f1, pf mask 0xef, 2017-03-01, rev 0xb000021, size 26624
153: sig 0x00050653, pf mask 0x97, 2018-01-29, rev 0x1000140, size 30720
154: sig 0x00050654, pf mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
155: sig 0x00050662, pf mask 0x10, 2018-01-22, rev 0x0015, size 31744
156: sig 0x00050663, pf mask 0x10, 2018-01-22, rev 0x7000012, size 22528
157: sig 0x00050664, pf mask 0x10, 2018-01-22, rev 0xf000011, size 22528
158: sig 0x00050665, pf mask 0x10, 2018-01-22, rev 0xe000009, size 18432
159: sig 0x000506c9, pf mask 0x03, 2017-03-25, rev 0x002c, size 16384
160: sig 0x000506e3, pf mask 0x36, 2017-11-16, rev 0x00c2, size 99328
161: sig 0x000706a1, pf mask 0x01, 2017-10-31, rev 0x001e, size 72704
162: sig 0x000806e9, pf mask 0xc0, 2018-01-21, rev 0x0084, size 98304
163: sig 0x000806ea, pf mask 0xc0, 2018-01-21, rev 0x0084, size 97280
164: sig 0x000906e9, pf mask 0x2a, 2018-01-21, rev 0x0084, size 98304
165: sig 0x000906ea, pf mask 0x22, 2018-01-21, rev 0x0084, size 96256
166: sig 0x000906eb, pf mask 0x02, 2018-01-21, rev 0x0084, size 98304
我在 community.intel.com 上询问过...他们告诉我,并非所有可用的微码更新都会包含在微码数据文件中并提供,制造商应该通过 bios 更新提供更新。但我的主板是技嘉的,在微码修订指南确认微码更新后,他们已经超过 1 个月没有更新了。
现在的情况是,内核通过 retpoline 提供缓解措施,但不通过微码更新提供缓解措施。
我的问题是,通过 retpoline 提供的保护是否与通过微码更新提供的保护一样好?
答案1
retpoline 速度更快,但功能不够全面。使用 IBRS+IBPB(仅在新微代码上可用)可能会关闭尚未发现的 spectre v2 变体。使用 STIBP(Linux 尚未提供,即使在新微代码中也是如此)可使超线程对 spectre v2 更加安全(但真实的使用超线程的安全方法是保持它处于禁用状态,或者仅使用它来运行同一个可执行文件/进程的线程——除了在非常有限的情况下,Linux 还不能被告知这样做)。
所以,retpoline 可以保护你的核心(以及启用 retpoline 编译的任何其他程序)足以抵御 Spectre v2。
但是,新的微码允许内核帮助保护用户空间免受用户空间攻击,即使对于尚未进行 retpoline 的内容也是如此。从这个意义上讲,它比仅仅使用 retpoline 要好得多。
到目前为止,还没有一个 Ubuntu 或 Debian 版本是完全 retpoline 的,因为这几乎需要重新编译一切, 顺便提一句。