BIOS and microcode on Debian

If none of the more specific forums is the right place to ask

BIOS and microcode on Debian

Postby Wheelerof4te » 2018-01-19 13:57

I am currently using Windows 10 and have updated BIOS for the Meltdown from my device manufacturer. Now, if I were to reinstall Debian again in the future, will I need to apply microcode update again?
Do I need firmware update from Intel on Debian, or will Debian use existing microcode in previously updated BIOS?
User avatar
Wheelerof4te
 
Posts: 999
Joined: 2015-08-30 20:14

Re: BIOS and microcode on Debian

Postby bw123 » 2018-01-19 17:06

I think the answer would depend on how the microcode is implemented. If it's a new firmware flashed into a physical bios chip then I think it would be 'permanent' no matter what os was installed. If it's some kind of hack and has a loader made specifically for windows then, yeah that would be a problem.

https://duckduckgo.com/html/?q=differen ... +microcode
User avatar
bw123
 
Posts: 3079
Joined: 2011-05-09 06:02
Location: TN_USA

Re: BIOS and microcode on Debian

Postby Wheelerof4te » 2018-01-19 17:37

I have used a installer made for Windows to re-flash BIOS to a new version. I remember Debian complaining at the first boot about realtek and radeon graphics formware, but not intel microcode. So I guess it doesn't need installing any microcode.
User avatar
Wheelerof4te
 
Posts: 999
Joined: 2015-08-30 20:14

Re: BIOS and microcode on Debian

Postby bw123 » 2018-01-19 17:54

Wheelerof4te wrote:I have used a installer made for Windows to re-flash BIOS to a new version. I remember Debian complaining at the first boot about realtek and radeon graphics formware, but not intel microcode. So I guess it doesn't need installing any microcode.


The way I understand it, the cpu has no way of knowing if it "needs" to load a piece of microcode. Unlike a firmware file for a peripheral, the cpu won't request it, because it doesn't know anything about it. I guess there could be exceptions.

I have played with the intel ucode tool for debian once or twice and found it really unhelpful. Do all cpus need this? If not, then which ones? How do you tell?


https://wiki.debian.org/Microcode
User avatar
bw123
 
Posts: 3079
Joined: 2011-05-09 06:02
Location: TN_USA

Re: BIOS and microcode on Debian

Postby pylkko » 2018-01-19 20:16

If you changed the BIOS/firmware, then that part is OS independent, you can always boot a machine to it's BIOS or UEFI even if there is no kernel/operating system. A true BIOS is on a seperate ROM chip, so it will be up to date even if you pull out the hard drive and boot it without it. An UEFI is partially on in the motherboard NVRAM and mostly on disk.

Microcode, on the other hand, can be given either via firmware or as a image that the kernel or bootloader hands to the CPU at boot. This is just a package that you install on Debian.
User avatar
pylkko
 
Posts: 1296
Joined: 2014-11-06 19:02

Re: BIOS and microcode on Debian

Postby stevepusser » 2018-01-19 20:20

The Linux kernel has a way to load new microcode at boot, such as from the "intel-microcode" package. Currently Windows depends on the BIOS instead, though apparently it also has the feature that Linux has. It's just not used at the moment.

Source: about 80% through the last Security Now podcast: https://www.grc.com/sn/sn-646.txt

STEVE: Now, here's one of the really interesting things, speaking of Linux, is the way microcode is updated. When we talk about updating our microcode or needing like a microcode patch or a microcode fix, notice that it always comes in the form of a BIOS update.

LEO: It's firmware, yeah.

STEVE: Well, yes. But it's not written into the processor. And that's the key is that it is dynamically loaded by the BIOS every time you boot. So if you look at the second link here at the end of the show notes, Leo, this is Intel has published the Linux processor microcode data file. Linux has the ability to load updated microcode for, I mean, to me it looks like every processor Intel has ever made.

LEO: Yeah. It's a modular kernel. So I'm sure it's part - it's a kernel mod, probably.

STEVE: Well, it turns out if it's - I think it was under, god, it was in the - if you place this file in a certain directory in Linux...

LEO: Oh, how interesting.

STEVE: ...it will dynamically...

LEO: Oh, that's awesome.

STEVE: Yes.

LEO: I need this. Because I'll tell you what, none of my Linux machines are mitigated as far as I can tell. There's been many patches and updates to Arch Linux and to Ubuntu and to Debian. But none of them have received firmware updates. So this is going to be a boon.

STEVE: Yes.

LEO: If you figure out what processor you have.

STEVE: Yes.

LEO: That's nice. You just put this file in the right spot, and you're good to go.

STEVE: Yes.

LEO: Love that.
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: GIMP 2.10.2, Pale Moon 27.9.3, wine-staging 3.10, QuiteRSS 0.18.11, Linux kernel 4.17, Krita 4.0.4
User avatar
stevepusser
 
Posts: 9637
Joined: 2009-10-06 05:53

Re: BIOS and microcode on Debian

Postby bw123 » 2018-01-19 20:33

Before installing intel-microcode, be sure and read the bug reports. There is a newer version in sid, but it has some issues. I haven't tried it, and it looks like the only way to tell if you need it is to install it and see if one of the blobs is loaded.

https://bugs.debian.org/intel-microcode
User avatar
bw123
 
Posts: 3079
Joined: 2011-05-09 06:02
Location: TN_USA

Re: BIOS and microcode on Debian

Postby dotlj » 2018-01-20 01:05

As mentioned above, there are the two methods of microcode updates for CPUs.
If you have an Intel processor, as I do, you can apply the update from Intel. https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File
Check your CPU with the list on the Intel site first, mine is i7 6th generation and the update worked and continues to work.
BUT, please see also:
https://www.bleepingcomputer.com/news/hardware/intel-broadwell-and-haswell-cpus-experiencing-reboots-after-firmware-updates/
https://www.bleepingcomputer.com/news/security/red-hat-will-revert-spectre-patches-after-receiving-reports-of-boot-issues/

Applying the update once means its done and works whatever OS you boot (if you boot different OSs), or like me boot more than one Debian from different disks by choosing Boot Menu during startup.

You might also want to check your /etc/modprobe.d/intel-microcode-blacklist.conf if you have one, as it probably blacklists the microcode.
User avatar
dotlj
 
Posts: 591
Joined: 2009-12-25 17:21

Re: BIOS and microcode on Debian

Postby Head_on_a_Stick » 2018-01-20 15:22

I have no idea how Debian will handle the microcode updates, especially given that the intel-microcode package is not part of the official release.

The sid & buster versions have the 2018-01-08 fixes but not the other branches, AFAICT.

I download the Arch Linux intel-ucode package, unpack that and place their intel-ucode.img into /boot and preload it in GRUB (immediately before initrd.img), this is a pre-prepared initramfs image that will apply the microcode to the processor before booting Debian's initrd.img.
"Il semble que la perfection soit atteinte non quand il n'y a plus rien à ajouter, mais quand il n'y a plus rien à retrancher."
— Antoine de Saint Exupéry, Terre des Hommes (1939).
User avatar
Head_on_a_Stick
 
Posts: 7557
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: BIOS and microcode on Debian

Postby Wheelerof4te » 2018-01-21 11:03

bw123 wrote:Before installing intel-microcode, be sure and read the bug reports. There is a newer version in sid, but it has some issues. I haven't tried it, and it looks like the only way to tell if you need it is to install it and see if one of the blobs is loaded.

https://bugs.debian.org/intel-microcode


Debian 9, codename "Stretch" is supported, and will receive updates both through the stretch-backports official backports repository (faster than point-releases), and through Debian stable point-releases.


This answers my question. As always, Debian wiki has the info. Thanks.
I will reinstall Debian when 9.4 comes out with fixed microcode and linux updates.
User avatar
Wheelerof4te
 
Posts: 999
Joined: 2015-08-30 20:14

Re: BIOS and microcode on Debian

Postby bw123 » 2018-01-23 01:35

Wheelerof4te wrote:I am currently using Windows 10 and have updated BIOS for the Meltdown from my device manufacturer. Now, if I were to reinstall Debian again in the future, will I need to apply microcode update again?
Do I need firmware update from Intel on Debian, or will Debian use existing microcode in previously updated BIOS?


https://www.computerworld.com/article/3 ... fixes.html

in english:

belay-that-order-intel-says you-should-not-install-its meltdown-firmware-fixes.html

Of course this is just -one- source, and there were dozens that said, "...apply all updates," as soon as available.

I Wonder Sometimes...
User avatar
bw123
 
Posts: 3079
Joined: 2011-05-09 06:02
Location: TN_USA

Re: BIOS and microcode on Debian

Postby stevepusser » 2018-01-23 01:49

So...what does that mean for the 20180108 version in Debian testing? Don't touch it with a 10-meter pole? (microcode does nuthin' for Meltdown, at least that's what I thought)
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: GIMP 2.10.2, Pale Moon 27.9.3, wine-staging 3.10, QuiteRSS 0.18.11, Linux kernel 4.17, Krita 4.0.4
User avatar
stevepusser
 
Posts: 9637
Joined: 2009-10-06 05:53

Re: BIOS and microcode on Debian

Postby bw123 » 2018-01-23 01:56

stevepusser wrote:So...what does that mean for the 20180108 version in Debian testing? Don't touch it with a 10-meter pole? (microcode does nuthin' for Meltdown, at least that's what I thought)


From what I can tell, it means that while you can remove the microcode on debian if it hoses your system, if you flashed your BIOS from the mfg, you're up the creek until they get a new fix for the fix that causes all the reboots.
User avatar
bw123
 
Posts: 3079
Joined: 2011-05-09 06:02
Location: TN_USA

Re: BIOS and microcode on Debian

Postby Head_on_a_Stick » 2018-01-23 06:33

stevepusser wrote:So...what does that mean for the 20180108 version in Debian testing? Don't touch it with a 10-meter pole?

The 2018-01-08 version causes Haswell machines to crash.

The Debian sid intel-microcode package has been downgraded to 2017-11-17, that contains fixes for Spectre v1 but not v2 (AFAIUI).

I'm relying on OpenBSD and that is now applying 2017-11-17 on every boot (reverted from 2018-01-08).
"Il semble que la perfection soit atteinte non quand il n'y a plus rien à ajouter, mais quand il n'y a plus rien à retrancher."
— Antoine de Saint Exupéry, Terre des Hommes (1939).
User avatar
Head_on_a_Stick
 
Posts: 7557
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: BIOS and microcode on Debian

Postby Wheelerof4te » 2018-01-23 16:15

bw123 wrote:belay-that-order-intel-says you-should-not-install-its meltdown-firmware-fixes.html


I haven't experienced any problems so far after the BIOS update (F.24 Rev.A), and my notebook doesn't auto-reboot (it's Broadwell). Granted, I'm still on fully updated Windows 10, but that might change so it's good Debian is being careful. I wonder with what microcode version will Debian 9.4 ship?
User avatar
Wheelerof4te
 
Posts: 999
Joined: 2015-08-30 20:14


Return to General Questions

Who is online

Users browsing this forum: No registered users and 6 guests

fashionable