From: grarpamp
Date: Fri, 20 Nov 2015 04:12:28 -0500
Subject: Is processor microcode advised?
To: freebsd-questions@freebsd.org
Cc: freebsd-hardware@freebsd.org

> Is it important/necessary/advisable to install microcode for

Microcode are fixes, tweaks, new stuff and restrictions, some documented, some not, it's all extremely closed source anyway (SHAME) due to marketing, embarrassment, recalls, the NSA, and so on... so who knows.

Examples..
TSX-NI in Haswell is broken, microcode update disables it so you don't fubar your databases, etc.
32bit VM PAE, and so on.

> Intel CPU's?

AMD and others too.

> If so, how do you know which CPU's have updates?

devcpu-data and cpuctl and file access times will tell you. It's resident on die until reboot, not flashed, and it's crypto signed, versioned and model specific, so you can't screw it up unless Intel does.

> what do you look for in dmesg output?

There are messages from the tools and/or kernel, you might need verbose, run them manually once, you'll see it.

> Also, I see microcode_update has to load the cpuctl module. What are the
> implications of this WRT security?

It exposes /dev/cpuctl which may or may not have issues of its own. If you've got monkeys running around in your system as root or otherwise, whether or not you unload it is irrelevant. You'd likely get more security mileage by taking care of these...

    find -s / -perm +7022 -ls

Until something bad hits the news, or your tinfoil hat starts arcing, just apply them by default and forget about it.
From: Will Senn
Date: Fri, 20 Nov 2015 09:43:59 -0600
Subject: Re: Is processor microcode advised?
To: grarpamp, freebsd-questions@freebsd.org
Cc: freebsd-hardware@freebsd.org
Message-ID: <564F3FBF.8050603@gmail.com>

On 11/20/15 3:12 AM, grarpamp wrote:
>> Is it important/necessary/advisable to install microcode for
> Microcode are fixes, tweaks, new stuff and restrictions, some
> documented, some not, it's all extremely closed source anyway (SHAME)
> due to marketing, embarrassment, recalls, the NSA, and so on...
> so who knows.
>
> Examples..
> TSX-NI in Haswell is broken, microcode update
> disables it so you don't fubar your databases, etc.
> 32bit VM PAE, and so on.
>
>> Intel CPU's?
> AMD and others too.
>
>> If so, how do you know which CPU's have updates?
> devcpu-data and cpuctl and file access times will tell you. It's
> resident on die until reboot, not flashed, and it's crypto signed,
> versioned and model specific, so you can't screw it up unless Intel
> does.
>
>> what do you look for in dmesg output?
> There are messages from the tools and/or kernel, you might need
> verbose, run them manually once, you'll see it.
>
>> Also, I see microcode_update has to load the cpuctl module. What are the
>> implications of this WRT security?
> It exposes /dev/cpuctl which may or may not have issues of its own.
> If you've got monkeys running around in your system as root or
> otherwise, whether or not you unload it is irrelevant.
> You'd likely get more security mileage by taking care of these...
> find -s / -perm +7022 -ls
>
> Until something bad hits the news, or your tinfoil hat starts arcing,
> just apply them by default and forget about it.

Thank you for the reply and for covering so much territory.

I checked dmesg for anything like cpu or micro and nothing about microcode updates was displayed.

I did:

    ps aux|grep cpu

and

    ps aux | grep micro

and there were no processes running.

I dug around and found the startup script:

    /usr/local/etc/rc.d/microcode_update

I looked at it and ran it:

    sudo /usr/local/etc/rc.d/microcode_update start
    Updating cpucodes...
    Done.

Still no processes.

I looked at the microcode_update script again and thought about what you said about running with verbose, so working off of the script, I ran:

    sudo /usr/sbin/cpucontrol -v -u -d "/usr/local/share/cpucontrol/" /dev/cpuctl0
    cpucontrol: skipping /usr/local/share/cpucontrol//m101067770A.fw of rev 0x70a: up to date
    cpucontrol: skipping /usr/local/share/cpucontrol/m101067770A.fw of rev 0x70a: up to date

and the same for all 4 cpus

What I infer from this is that my CPU's are already as up to date as the microcode database is and therefore no process is needed or kept resident. Am I understanding this correctly?

Also, shouldn't there be messages in dmesg for the startup script? I have the /etc/rc.conf setting:

    microcode_update_enable="YES"

and /usr/local/etc/rc.d/microcode_update has:

    ...
    microcode_update_start() {
        echo "Updating cpucodes..."
    ...

I would think I would at least see "Updating cpucodes..." with dmesg. What is going on?

- Will
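Added example, not code from either post and not from cpucontrol(8) or the devcpu-data port: the "versioned and model specific" behaviour grarpamp describes, and the "skipping ... of rev 0x70a: up to date" lines Will gets for all four CPUs, both come from fields in the update file header, whose layout Intel documents in the SDM (Microcode Update Facilities). The Python below parses that header, verifies the dword checksum, matches a file against a CPU's CPUID signature and IA32_PLATFORM_ID bit (including the extended signature table), and selects the newest applicable revision the way a loader does, so that an already-current CPU yields "nothing to apply". build_update() produces constructed test blobs, not real microcode. The CPU values in the demo (signature 0x10677, platform id 4 for the 0x10 mask, running revision 0x70a) are my reading of the filename m101067770A.fw in Will's output and are an assumption. The cryptographic signature over the payload is checked by the CPU itself when the update is written through the trigger MSR; software, this example included, cannot reproduce that check.

```python
"""Intel microcode update file: header parse, integrity check, target match,
and the newest-applicable selection a loader such as cpucontrol -u makes.
Added example for this thread, not FreeBSD code. Blobs from build_update()
are constructed test data, not real microcode; a CPU would reject them."""
import struct
from dataclasses import dataclass

HEADER_FMT = "<9I12x"                       # nine dwords + 12 reserved bytes
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 48
LEGACY_DATA_SIZE = 2000                     # data_size field of 0 means 2000
LEGACY_TOTAL_SIZE = 2048                    # total_size field of 0 means 2048
EXT_TABLE_HDR = 20                          # count, checksum, 12 reserved bytes
EXT_ENTRY = 12                              # signature, flags, checksum


@dataclass(frozen=True)
class Header:
    revision: int          # reported by the CPU in IA32_BIOS_SIGN_ID after a load
    date_bcd: int          # 0xMMDDYYYY in BCD
    signature: int         # CPUID(1).EAX (family/model/stepping) it targets
    processor_flags: int   # bit n set => valid when IA32_PLATFORM_ID[52:50] == n
    data_size: int
    total_size: int


def parse_header(blob):
    """Decode the 48-byte header and check its size fields against the file."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("file shorter than a microcode header")
    hver, rev, date, sig, _csum, lver, flags, dsize, tsize = struct.unpack_from(HEADER_FMT, blob, 0)
    if hver != 1 or lver != 1:
        raise ValueError("unsupported header/loader version %d/%d" % (hver, lver))
    dsize = dsize or LEGACY_DATA_SIZE
    tsize = tsize or LEGACY_TOTAL_SIZE
    if tsize % 4 or tsize < HEADER_SIZE + dsize or tsize > len(blob):
        raise ValueError("inconsistent size fields")
    return Header(rev, date, sig, flags, dsize, tsize)


def date_str(date_bcd):
    """BCD 0xMMDDYYYY -> 'YYYY-MM-DD'."""
    return "%04x-%02x-%02x" % (date_bcd & 0xFFFF, date_bcd >> 24, (date_bcd >> 16) & 0xFF)


def checksum_ok(blob):
    """All dwords of header + data + extended table must sum to 0 mod 2^32.
    Integrity only: a corrupt file is caught here, a forged one is not."""
    hdr = parse_header(blob)
    words = struct.unpack_from("<%dI" % (hdr.total_size // 4), blob, 0)
    return sum(words) & 0xFFFFFFFF == 0


def targets(blob):
    """(signature, platform flags) pairs: the header's own plus any extended table."""
    hdr = parse_header(blob)
    found = [(hdr.signature, hdr.processor_flags)]
    off = HEADER_SIZE + hdr.data_size
    if hdr.total_size > off:
        count, _table_csum = struct.unpack_from("<II", blob, off)
        off += EXT_TABLE_HDR
        if off + count * EXT_ENTRY > hdr.total_size:
            raise ValueError("extended signature table overruns total_size")
        for i in range(count):
            sig, flags, _csum = struct.unpack_from("<III", blob, off + i * EXT_ENTRY)
            found.append((sig, flags))
    return found


def applies_to(blob, cpu_signature, platform_id):
    """The match a loader makes: exact CPUID signature and the CPU's platform bit."""
    return any(sig == cpu_signature and flags & (1 << platform_id)
               for sig, flags in targets(blob))


def select_update(blobs, cpu_signature, platform_id, current_revision):
    """Newest intact, applicable update newer than what runs; None if up to date."""
    best = None
    for blob in blobs:
        if not checksum_ok(blob) or not applies_to(blob, cpu_signature, platform_id):
            continue
        rev = parse_header(blob).revision
        if rev > current_revision and (best is None or rev > parse_header(best).revision):
            best = blob
    return best


def build_update(signature, flags, revision, date_bcd, extended=()):
    """Constructed test blob (NOT real microcode): header, zero-filled data,
    optional extended table, with checksums that satisfy checksum_ok().
    Per-entry extended checksums are left zero and are not verified here."""
    data = bytes(LEGACY_DATA_SIZE)
    ext = b""
    if extended:
        entries = b"".join(struct.pack("<III", s, f, 0) for s, f in extended)
        partial = struct.pack("<II12x", len(extended), 0) + entries
        fix = -sum(struct.unpack("<%dI" % (len(partial) // 4), partial)) & 0xFFFFFFFF
        ext = struct.pack("<II12x", len(extended), fix) + entries
    total = HEADER_SIZE + len(data) + len(ext)

    def header(csum):
        return struct.pack(HEADER_FMT, 1, revision, date_bcd, signature, csum, 1,
                           flags, len(data), total)

    body = header(0) + data + ext
    fix = -sum(struct.unpack("<%dI" % (total // 4), body)) & 0xFFFFFFFF
    return header(fix) + data + ext


if __name__ == "__main__":
    # Assumption: m101067770A.fw read as platform mask 0x10, signature 0x10677,
    # revision 0x70a. A datadir holding only that file yields "up to date".
    cpu_sig, platform, running = 0x10677, 4, 0x70A
    datadir = [build_update(0x10677, 0x10, 0x70A, 0x09292010),
               build_update(0x10676, 0x10, 0x60F, 0x09292010)]
    for blob in datadir:
        h = parse_header(blob)
        status = ("not for this CPU" if not applies_to(blob, cpu_sig, platform)
                  else "up to date" if h.revision <= running else "newer")
        print("sig %#x flags %#x rev %#x dated %s: %s"
              % (h.signature, h.processor_flags, h.revision, date_str(h.date_bcd), status))
    print("selected:", select_update(datadir, cpu_sig, platform, running))
```

A file that passes every check here can still be refused by the CPU, which is the only party that verifies the signature; the checksum above catches a truncated or corrupt file, not a forged one. That split is also why a stale or mismatched file in the datadir is harmless: it is skipped on signature, platform bit or revision before anything is written to the CPU.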