ANNOUNCEMENT: Intel processor microcode security update

To: debian-user@lists.debian.org, debian-security@lists.debian.org

Subject: ANNOUNCEMENT: Intel processor microcode security update

From: Henrique de Moraes Holschuh <hmh@debian.org>

Date: Tue, 3 Sep 2013 09:05:29 -0300

Message-id: <20130903120529.GA19328@khazad-dum.debian.net>

THIS ANNOUNCEMENT IS ONLY RELEVANT TO SYSTEMS THAT HAVE INTEL MICROPROCESSORS.

Intel has released a microcode update that fixes at least one severe fault on every desktop and mobile Intel Core i* and server Intel Xeon system processor model since (and including) the 1st generation Core-i3/i5/i7 and Xeon 3500/5500.

Updated microcode packages are available for Debian unstable, Debian testing, Debian "wheezy-backports", and Debian "stable-proposed-updates".

== What is a processor microcode update? ==

Microcode is a control sequence/program that implements several internal functions of the system processor (CPU). A microcode update can fix many classes of processor defects.

The Linux kernel can send a microcode update to the processor when one is supplied by the operating system (Debian). The microcode update has to be applied every time the processor is reset or powered off: it doesn't "stick". Therefore, Debian has to install this microcode update to the initramfs, so as to apply it every time the computer boots.

Note: the microcode update is applied immediately when you install the packages, you do not need to reboot. However, we need to install the update to the initramfs so that the update will not be _lost_ when you reboot or power off the computer.

== Installing the Intel microcode update packages ==

Please install the "iucode-tool" package (from contrib) and the "intel-microcode" package (from non-free).

http://packages.debian.org/search?keywords=iucode-tool
http://packages.debian.org/search?keywords=intel-microcode

This will be enough for Debian testing and Debian unstable users, but see below about multiple kernels.

DEBIAN STABLE USERS NEED TO GET THE UPDATE FROM "PROPOSED-UPDATES" OR FROM "BACKPORTS", SEE BELOW FOR STABLE UPDATE INSTRUCTIONS.

You must also update the initramfs so that the processor microcode will be updated after a reboot/power off.
The packages will try to do it automatically for the running kernel, and that should be enough for most users. However, if you use several different kernels, please update all the initramfs images by running "update-initramfs -k all -u" as root.

== Installing updated packages for Debian Stable ==

The updated intel-microcode package will be automatically available to all Debian Stable users (that enabled "contrib" and "non-free" packages) only after the next Debian Stable point release, which might happen in a couple of weeks.

However, Debian Stable users can receive the updates scheduled for the next Stable point release early, and that includes this intel-microcode update. The preferred way to get early stable updates is to configure the package management system to use the "stable-proposed-updates" distribution. To enable "stable-proposed-updates", please read about it here:

http://www.debian.org/releases/proposed-updates.html
https://wiki.debian.org/StableProposedUpdates

Alternatively, you can install the packages manually. To get the updated packages directly, please install the current "intel-microcode" and "iucode-tool" packages normally, then download and install the updated "intel-microcode" package directly:

apt-get install iucode-tool intel-microcode

For 64-bit installs, download:
http://http.debian.net/pool/non-free/i/intel-microcode_1.20130808.0+deb7u1_amd64.deb

For 32-bit installs, download:
http://http.debian.net/pool/non-free/i/intel-microcode_1.20130808.0+deb7u1_i386.deb

Use "dpkg -i" to install the correct .deb file. You need to be root.

== Installing the update through backported packages (Linux 3.10+) ==

If you use Debian wheezy/stable *and* also a custom Linux kernel 3.10 or later, please use the backported packages for enhanced functionality. You *must* make sure to enable CONFIG_MICROCODE_EARLY and CONFIG_MICROCODE_INTEL_EARLY when you build the Linux kernel.
How to enable the backports repository in Debian Wheezy:
http://backports.debian.org/Instructions/

To update/install iucode-tool from backports:

apt-get update
apt-get install -t wheezy-backports iucode-tool intel-microcode amd64-microcode

Updated backports of "amd64-microcode" were also provided to avoid bad interactions with intel-microcode. The up-to-date amd64-microcode package will be inactive in a system with an Intel processor, and it is very small.

== What do we know about this specific Intel microcode update (20130808)? ==

Intel doesn't publish to the general public much data about microcode updates, therefore we only have very spotty information about update 20130808, gathered from several sources:

1. It fixes a critical erratum, classified by Intel as a security issue, that affects any server running 32-bit VMs in PAE mode.

   Erratum AAK167/BT248: "If a logical processor has EPT (Extended Page Tables) enabled, is using 32-bit PAE paging, and accesses the virtual-APIC page then a complex sequence of internal processor micro-architectural events may cause an incorrect address translation or machine check on either logical processor. This erratum may result in unexpected faults, an uncorrectable TLB error logged in IA32_MCI_STATUS.MCACOD bits [15:0], a guest or hypervisor crash, or other unpredictable system behavior"

2. It might fix other errata. For example, it might fix erratum AAK170/BT246: The upper 32 bits of CR3 may be incorrectly used with 32-bit paging.

3. It recently came to my attention that this microcode update might forbid unsupported (by Intel) overclocking on 4th gen Core "K" processors installed on motherboards that lack a Z-series chipset.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
   them all and in the darkness grind them. In the Land of Redmond
   where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
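A check to go with the install, initramfs and reboot steps in the announcement, added here as an example that is not part of the announcement or of the Debian packages: it reads the "vendor_id" and "microcode" fields that the Linux kernel exposes in /proc/cpuinfo and reports the revision the processors are running, so the value can be compared before installing intel-microcode, right after (the update is applied immediately) and again after a reboot (which confirms the initramfs step worked). It also flags the case where logical CPUs report different revisions. The cpuinfo samples and the revision numbers in them are constructed for the example; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Debian announcement. Reports the microcode
# revision visible in /proc/cpuinfo so an update can be confirmed before
# installation, right after it, and after a reboot. Sample data and revision
# values below are constructed, not taken from a real machine.

# Print the value of one /proc/cpuinfo field, once per logical CPU.
#   $1 = field name (vendor_id, microcode, ...), $2 = cpuinfo file
cpuinfo_field() {
    awk -F':' -v want="$1" '
        { key = $1; sub(/[ \t]+$/, "", key)
          if (key == want) {
              val = substr($0, index($0, ":") + 1); sub(/^[ \t]+/, "", val); print val
          } }
    ' "$2"
}

# Vendor string of the first logical CPU (GenuineIntel, AuthenticAMD, ...).
cpu_vendor() { cpuinfo_field vendor_id "$1" | head -n 1; }

# Distinct microcode revisions seen across all logical CPUs, one per line.
# More than one line means the update did not reach every logical CPU.
microcode_revisions() { cpuinfo_field microcode "$1" | sort -u; }

# One-line summary; exit status 1 when the revisions are inconsistent.
#   $1 = cpuinfo file (defaults to the live /proc/cpuinfo)
microcode_status() {
    file=${1:-/proc/cpuinfo}
    vendor=$(cpu_vendor "$file")
    if [ "$vendor" != "GenuineIntel" ]; then
        echo "vendor=$vendor: intel-microcode does not apply to this processor"
        return 0
    fi
    count=$(microcode_revisions "$file" | wc -l | tr -d ' ')
    revs=$(microcode_revisions "$file" | tr '\n' ' ' | sed 's/ $//')
    if [ "$count" -gt 1 ]; then
        echo "vendor=$vendor: mixed microcode revisions ($revs), not every logical CPU was updated"
        return 1
    fi
    echo "vendor=$vendor: microcode revision $revs"
}

# Constructed /proc/cpuinfo samples, cut down to the fields used here.
SAMPLE_INTEL=$(mktemp)
cat > "$SAMPLE_INTEL" <<'EOF'
processor : 0
vendor_id : GenuineIntel
model name : Intel(R) Core(TM) i5 CPU (constructed sample)
microcode : 0x28

processor : 1
vendor_id : GenuineIntel
model name : Intel(R) Core(TM) i5 CPU (constructed sample)
microcode : 0x28
EOF

# Same machine, but the second logical CPU still reports the old revision.
SAMPLE_MIXED=$(mktemp)
cat > "$SAMPLE_MIXED" <<'EOF'
processor : 0
vendor_id : GenuineIntel
microcode : 0x28

processor : 1
vendor_id : GenuineIntel
microcode : 0x25
EOF

# Non-Intel system: the intel-microcode package is inactive there.
SAMPLE_AMD=$(mktemp)
cat > "$SAMPLE_AMD" <<'EOF'
processor : 0
vendor_id : AuthenticAMD
microcode : 0x1000065
EOF

microcode_status "$SAMPLE_INTEL"
microcode_status "$SAMPLE_MIXED" || true
microcode_status "$SAMPLE_AMD"

# On the machine itself: run this before the update, after "dpkg -i"/apt-get,
# and after the reboot; the revision should change once and then stay.
[ -r /proc/cpuinfo ] && microcode_status /proc/cpuinfo || true
```

The script needs no privileges, since /proc/cpuinfo is world-readable; only the package installation itself has to be done as root. A revision that changes after installing the package but reverts after a reboot points at the initramfs not having been updated for the kernel that was booted, which is exactly the "update-initramfs -k all -u" case the announcement describes.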