尝试通过以下过程将 Intel 微码更新到 03/12/2018 版本(版本:20180312):
1. extract files from downloaded tarball
2. cp -v intel-ucode/* /lib/firmware/intel-ucode/
3. echo 1 > /sys/devices/system/cpu/microcode/reload
4. dracut -vvf
5. reboot
但没有任何改变。更新前:
# cat /proc/cpuinfo | grep microcode
microcode : 0x13
更新后:
# dmesg | grep microcode
[ 1.096790] microcode: CPU0 sig=0x206c2, pf=0x1, revision=0x13
[ 1.096829] microcode: CPU1 sig=0x206c2, pf=0x1, revision=0x13
[ 1.096851] microcode: CPU2 sig=0x206c2, pf=0x1, revision=0x13
[ 1.096875] microcode: CPU3 sig=0x206c2, pf=0x1, revision=0x13
[ 1.096965] microcode: Microcode Update Driver: v2.01 <[email protected]>, Peter Oruba
我这样做是为了修复“幽灵变体 2”。 spectre-meltdown-checker.sh 显示以下内容:
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: YES
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (Your kernel is compiled with IBRS but your CPU microcode is lacking support to successfully mitigate the vulnerability)
CPU 如下: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
答案1
最新的微代码包不包含任何针对您的更新Westmere EP CPU自 2017 年 11 月发布上一个版本以来;看变更日志了解详情。因此,它不包含针对您的特定 CPU 的任何 Spectre 修复。
根据英特尔的通讯, Westmere 修复了 Spectre v2是可用,但想必他们正在遵循之前建立的模式,将它们运送给 OEM,然后再将它们放入微代码包中。最新的微码修订指南(从 4 月 2 日起)表明 Westmere EP 将获得修订版 0x1E,大概是在下一个微代码包更新中。以前的指导将 Westmere EP 列为测试版,修订版为 0x1D。