尝试使用以下过程将 Intel 微码更新到 03/12/2018 版本(版本:20180312):
1. extract files from downloaded tarball
2. cp -v intel-ucode/* /lib/firmware/intel-ucode/
3. echo 1 > /sys/devices/system/cpu/microcode/reload
4. dracut -vvf
5. reboot
但没有任何改变。更新前:
# cat /proc/cpuinfo | grep microcode
microcode : 0x13
更新后:
# dmesg | grep microcode
[ 1.096790] microcode: CPU0 sig=0x206c2, pf=0x1, revision=0x13
[ 1.096829] microcode: CPU1 sig=0x206c2, pf=0x1, revision=0x13
[ 1.096851] microcode: CPU2 sig=0x206c2, pf=0x1, revision=0x13
[ 1.096875] microcode: CPU3 sig=0x206c2, pf=0x1, revision=0x13
[ 1.096965] microcode: Microcode Update Driver: v2.01 <[email protected]>, Peter Oruba
我这样做是为了修复“幽灵变体 2”。spectre-meltdown-checker.sh 显示以下内容:
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: YES
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (Your kernel is compiled with IBRS but your CPU microcode is lacking support to successfully mitigate the vulnerability)
CPU 如下: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
自 2017 年 11 月上一次发布以来,最新的微码包不包含针对您的Westmere EP CPU的任何更新;有关详细信息,请参阅更改日志。因此,它不包含针对您的特定 CPU 的任何 Spectre 修复程序。
根据英特尔的沟通,可以使用针对 Spectre v2的Westmere 修复程序,但推测他们正在遵循之前建立的模式,将它们运送给 OEM,然后再以微码包的形式提供它们。最新的微码修订指南(从 4 月 2 日起)表明 Westmere EP 将获得修订版 0x1E,大概在下一次微码包更新中。之前的指南将 Westmere EP 列为测试版,修订版 0x1D。