I want to upgrade my system to mitigate Spectre and Meltdown exploits.
The relevant Ubuntu page states that I need to update microcodes: "From a guest and non-hypervisor bare-metal perspective, as of the Feb 21 kernel updates, as far as we are aware, the mitigations for Spectre and Meltdown on 64-bit amd64, ppc64el and s390x are feature-complete as long as all microcode, firmware and hypervisor updates underneath the system are done. ..."
I have intel-microcode and iucode-tool installed and updated, however running dmesg | grep -i microcode and grep -i microcode /var/log/syslog* return nothing, which makes me think that either the CPU microcode doesn't get updated or something else is wrong.
Packages are up to date and there have been restarts since the last update.
operating system: Lubuntu 16.04
CPU: Intel N3700 (Braswell)
enabled software repos: main, universe
enabled updates: xenial-security
Edit:
The output of grep name /proc/cpuinfo | sort -u is:
model name : Intel(R) Pentium(R) CPU N3700 @ 1.60GHz
My processor is not Skylake, nor Kaby Lake.
In /proc/cpuinfo hyper-threading shows up as supported, but this Intel page says it is not supported:
https://ark.intel.com/products/87261/Intel-Pentium-Processor-N3700-2M-Cache-up-to-2_40-GHz
Edit 2:
I ran sudo update-initramfs -u and rebooted. The outputs are still the same.
Output of /usr/sbin/iucode_tool -tb -lS /lib/firmware/intel-ucode/*:
/usr/sbin/iucode_tool: system has processor(s) with signature 0x000406c3
selected microcodes:
It seems that there is no updated microcode for my CPU, which is interesting since there was a selectable microcode in the Additional Drivers tab previously (late 2017); now, there isn't.
Edit 3:
Output of apt list --installed | grep intel-microcode:
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
intel-microcode/xenial-security,now 3.20180108.0+really20170707ubuntu16.04.1 amd64 [installed]
Edit 4:
Now I understand that there is no update for the cpu microcode, which means that the original problem is solved, and I will leave it as it is.
However, dmesg and journalctl -b should still output lines about microcode version, I believe.
I also noticed that these boot logs start at "5" instead of the typical 1 or 0, and that there is a repeating error message which makes them truncated (dmesg says nothing about truncation, but journalctl says there are 371635 missed kernel messages, see below). I will ignore this for now.
March 19 06:36:40 NN systemd-journald[266]: Runtime journal (/run/log/journal/) is 8.0M, max 78.9M, 70.9M free.
March 19 06:36:40 NN systemd-journald[266]: Missed 371635 kernel messages
March 19 06:36:40 NN kernel: handle_bad_irq+0x0/0x230
March 19 06:36:40 NN kernel: ->irq_data.chip(): ffffffffbb172c40,
March 19 06:36:40 NN kernel: chv_gpio_irqchip+0x0/0x120
March 19 06:36:40 NN kernel: ->action(): (null)
March 19 06:36:40 NN kernel: IRQ_NOPROBE set
March 19 06:36:40 NN kernel: irq 115, desc: ffff9b91f5df8200, depth: 1, count: 0, unhandled: 0
March 19 06:36:40 NN kernel: ->handle_irq(): ffffffffb9ee8f70,
March 19 06:36:40 NN kernel: handle_bad_irq+0x0/0x230
March 19 06:36:40 NN kernel: ->irq_data.chip(): ffffffffbb172c40,
March 19 06:36:40 NN kernel: chv_gpio_irqchip+0x0/0x120
March 19 06:36:40 NN kernel: ->action(): (null)
March 19 06:36:40 NN kernel: IRQ_NOPROBE set
March 19 06:36:40 NN kernel: irq 115, desc: ffff9b91f5df8200, depth: 1, count: 0, unhandled: 0
March 19 06:36:40 NN kernel: ->handle_irq(): ffffffffb9ee8f70,
March 19 06:36:40 NN kernel: handle_bad_irq+0x0/0x230
March 19 06:36:40 NN kernel: ->irq_data.chip(): ffffffffbb172c40,
March 19 06:36:40 NN kernel: chv_gpio_irqchip+0x0/0x120
March 19 06:36:40 NN kernel: ->action(): (null)
March 19 06:36:40 NN kernel: IRQ_NOPROBE set
March 19 06:36:40 NN kernel: irq 115, desc: ffff9b91f5df8200, depth: 1, count: 0, unhandled: 0
March 19 06:36:40 NN kernel: ->handle_irq(): ffffffffb9ee8f70,
March 19 06:36:40 NN kernel: handle_bad_irq+0x0/0x230
March 19 06:36:40 NN kernel: ->irq_data.chip(): ffffffffbb172c40,
March 19 06:36:40 NN kernel: chv_gpio_irqchip+0x0/0x120
Based on the results of /usr/sbin/iucode_tool -tb -lS /lib/firmware/intel-ucode/* no microcode is being loaded for your CPU because at the moment there is none. That doesn't mean that there won't be in the future. You can safely leave intel-microcode and iucode-tool installed; if there is an update containing microcode for your CPU's signature, it will then be used.

Ubuntu has released a fixed kernel update against this exploit. The new kernel has the required changes.
Reference: SecurityTeam/KnowledgeBase/SpectreAndMeltdown | Ubuntu Wiki
I am on Ubuntu 16.04, using the Nouveau display driver. In my case, intel-microcode got uninstalled after installing the new kernel.
This update was released right after Intel had released a bug fix for the Spectre bugs security vulnerability.
This should solve your problem.
If you got the Intel proprietary driver replaced, as in my case, and still want the intel-microcode proprietary driver:
Intel Releases Linux CPU Microcodes To fix Meltdown & Spectre Bugs | bleepingcomputer.com
Currently, the new drivers are not included in the Ubuntu PPA. Users may have to download them manually from the Intel website.
Warning: This may cause driver conflict or instability in your Ubuntu. You have to install it at your own risk.
Download Linux Processor Microcode Data File | downloadcenter.intel.com
For me, I have no issue on my Ubuntu laptop, so I don't want to take the risk. I left the Ubuntu team to decide what is best for my system. I am waiting for an update from the Ubuntu driver team.
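The iucode_tool result discussed in the first answer can be cross-checked by hand: the tool prints the processor signature, and the files under /lib/firmware/intel-ucode/ are named family-model-stepping in hex. The script below is an added example, not part of any of the posts; the function names, the second signature and the revision value 0x368 are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode a CPUID signature (as printed by iucode_tool -S) into
# the intel-ucode file name and check whether a package ships a file for it.

# sig_to_ucode_name SIG -> prints "ff-mm-ss" (family-model-stepping, hex)
sig_to_ucode_name() {
    sig=$(( $1 ))
    stepping=$(( sig & 0xf ))
    model=$(( (sig >> 4) & 0xf ))
    family=$(( (sig >> 8) & 0xf ))
    ext_model=$(( (sig >> 16) & 0xf ))
    ext_family=$(( (sig >> 20) & 0xff ))
    # Extended model applies to families 6 and 15; extended family only to 15.
    if [ "$family" -eq 6 ] || [ "$family" -eq 15 ]; then
        model=$(( (ext_model << 4) | model ))
    fi
    if [ "$family" -eq 15 ]; then
        family=$(( family + ext_family ))
    fi
    printf '%02x-%02x-%02x\n' "$family" "$model" "$stepping"
}

# ucode_available SIG DIR: succeeds if DIR holds a microcode file for SIG.
ucode_available() { [ -f "$2/$(sig_to_ucode_name "$1")" ]; }

# running_revision FILE: microcode revision from a /proc/cpuinfo-style file.
running_revision() { awk -F': *' '/^microcode/ { print $2; exit }' "$1"; }

# report SIG DIR CPUINFO: one-line summary for a signature.
report() {
    name=$(sig_to_ucode_name "$1")
    rev=$(running_revision "$3")
    if ucode_available "$1" "$2"; then
        echo "$name: file present in $2, running revision ${rev:-unknown}"
    else
        echo "$name: no file in $2, running revision ${rev:-unknown}"
    fi
}

# Constructed sample data so the script runs offline; on a real system pass
# /lib/firmware/intel-ucode and /proc/cpuinfo instead.
demo_dir=$(mktemp -d)
: > "$demo_dir/06-4e-03"     # constructed: a file for a different CPU only
printf 'model name\t: Intel(R) Pentium(R) CPU N3700 @ 1.60GHz\nmicrocode\t: 0x368\n' \
    > "$demo_dir/cpuinfo"    # constructed revision value
report 0x000406c3 "$demo_dir" "$demo_dir/cpuinfo"   # signature from the question
report 0x000406e3 "$demo_dir" "$demo_dir/cpuinfo"   # constructed second signature
```

An empty "selected microcodes:" list from iucode_tool corresponds to the "no file" case here: the package is installed but carries nothing for that signature.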
Bug in Meltdown/Spectre Intel Microcode
There was a bug in the early 2018 Intel Microcode update to address Meltdown/Spectre security holes. As such, the microcode had to be rolled back to a previous version.
Here is the microcode I'm using (having opted out of all updates starting January 2018):
When you install Intel Microcode Update you will get this version or something similar:
Ubuntu 16.04 LTS Menu
I'm not sure about the Lubuntu menu structure but for regular Ubuntu this is how you access the Intel Microcode Update controls:
The bottom option controls Intel Microcode Updates.
Install Intel Microcode from CLI
To skip the GUI menus altogether you can install from the command line:
dmesg now shows correct output
After following the installation steps, dmesg returns the desired output (unlike in your question where it shows nothing):