Ubuntu and Spectre Meltdown
I have installed the latest BIOS on my notebook. The manufacturer of the notebook states that the BIOS update will include corrections regarding Spectre/Meltdown vulnerabilities.
My question is:
What microcode does Ubuntu 14.04 LTS use?
Does it load the microcode from BIOS or does it load the microcode from the system files on the HD?
When it uses the microcode from the HD, I am afraid it could be an older version which is not Spectre/Meltdown proof.
My subsequent question is:
How to check which microcode is loaded and used by the system and how to check which one is a newer version?
security bios microcode
asked 2 hours ago by Barbara (new contributor); edited 2 hours ago by zx485
Are you regularly upgrading from the -security repository? If so, then you have all released patches for Spectre/Meltdown. The Ubuntu Security Team is quite prompt about pushing those patches out to all supported releases of Ubuntu. If you are not regularly upgrading from the -security repository, then begin doing so, of course. – user535733, 2 hours ago
Possible duplicate of What is Ubuntu's status on the Meltdown and Spectre vulnerabilities? – N0rbert, 2 hours ago
I think that the BIOS loads its modifications first since it runs first and then the OS loads its modifications. I assume there's some versioning or something that tells it which takes priority. – Chai T. Rex, 2 hours ago
@N0rbert I don't think that's a duplicate. That's more about whether and how far along Ubuntu is in solving the problem and won't answer at all what the situation is when both BIOS and Ubuntu try to solve the problem. – Chai T. Rex, 2 hours ago
2 Answers
The answer is:
It first loads the microcode from the BIOS and then, while loading the OS, the newest microcode is loaded again by the OS. Both are signed binary files which are supposedly impossible to tamper with.
So if the version of the BIOS/UEFI is older than the version provided to the operating system, the microcode is loaded/updated by the OS via a system update. Otherwise the BIOS/UEFI version is used.
The operating system does load microcode during the booting process, as mentioned in this wiki:
The CPU-vendor-provided "opaque" update data itself, however, is non-free, and its contents are unknown to Debian. This "opaque" data is sent as-is to the CPU for processing, but only when the kernel and user-space utilities deem it necessary to do so. This means the microcode update is not sent to the system processor unless it is actually needed.
For example, the system will never send microcode update data to the processor when the processor reports that it's already running either the same version or a newer version of the microcode (because the UEFI/BIOS already updated it). It will also not send microcode update data that is not appropriate to that system processor.
answered 2 hours ago by zx485 (edited 1 hour ago)
What happens if there are conflicts (older vs newer versions of a fix, for example)? – Chai T. Rex, 2 hours ago
I honestly don't know (ask Intel), but the sane approach would be to only use the newest version. – zx485, 2 hours ago
OK, but is there a method to check the version of the microcode Ubuntu is loading from the OS? There is still a chance the microcode in the BIOS is newer than that of the OS if the microcode shipped by Intel is not Linux conform e.g. – Barbara, 1 hour ago
@user535733: Ubuntu does load microcode to the processor if desired. See the edit of my answer. – zx485, 1 hour ago
@user535733: To complete our discussion: there are two ways of delivering a microcode update: first the BIOS/UEFI, second the OS. So if the first way doesn't work, the second has to do... – zx485, 1 hour ago
Ubuntu does not use microcode (in the sense you are talking about) at all. Your CPU, however, does use microcode -- that is the code it needs to function.
Ubuntu provides amd- and intel-microcode packages, which provide updated firmware for that hardware. These packages are fully updated with all Spectre/Meltdown patches in all supported releases of Ubuntu.
Ongoing patches for vulnerabilities are handled by the Ubuntu Security Team. It's a normal part of support in a supported release of Ubuntu. You receive those patches routinely when you upgrade from Ubuntu's -security repository.
If you have questions about specific vulnerabilities, feel free to search the database of vulnerabilities and patches.
Determine which version of firmware your CPU is using with: grep microcode /proc/cpuinfo
Finally, be aware that version numbers can be misleading when checking for vulnerabilities: a patched package may not have a higher upstream version number (since it's not a new upstream version), but is still fixed and tested and no longer vulnerable. In these cases, Debian and Ubuntu add their own supplementary version numbers so you can tell the difference.
answered 1 hour ago by user535733 (edited 1 hour ago)
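An added example (not part of either answer, and not Ubuntu's or the kernel's own code): it applies the rule quoted in the first answer, that update data is not sent when the CPU already runs the same or a newer revision, to the output of the `grep microcode /proc/cpuinfo` check from the second answer. The sample cpuinfo text, the candidate revision `0x2a` and all function names are constructed for illustration, and the comparison is only meaningful for update data built for the same CPU model.

```shell
#!/bin/sh
# Constructed sample in /proc/cpuinfo format (two logical CPUs, made-up values).
SAMPLE_CPUINFO='processor : 0
model name : Example CPU
microcode : 0x1c
processor : 1
model name : Example CPU
microcode : 0x1c'

# Print the distinct microcode revisions found in cpuinfo-format text on stdin.
running_revisions() {
    awk -F': *' '/^microcode[ \t]*:/ { print $2 }' | sort -u
}

# Accept only strings of the form 0x<hex digits>, so that nothing else
# ever reaches the arithmetic expansion below.
is_hex_rev() {
    case $1 in
        0x*) ;;
        *) return 1 ;;
    esac
    rest=${1#0x}
    case $rest in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Exit 0 if the candidate ($2) is strictly newer than the running revision ($1),
# 1 if the CPU already runs the same or a newer revision, 2 on malformed input.
update_would_apply() {
    is_hex_rev "$1" && is_hex_rev "$2" || return 2
    [ $(( $2 )) -gt $(( $1 )) ]
}

# Read cpuinfo text on stdin and assess a candidate revision ($1).
# Prints one of: no-microcode-field, mixed-revisions, update-applies,
# already-current, invalid-revision.
assess() {
    revs=$(running_revisions)
    count=$(printf '%s\n' "$revs" | awk 'NF { n++ } END { print n + 0 }')
    case $count in
        0) echo "no-microcode-field" ;;
        1) update_would_apply "$revs" "$1" && rc=0 || rc=$?
           case $rc in
               0) echo "update-applies" ;;
               1) echo "already-current" ;;
               *) echo "invalid-revision" ;;
           esac ;;
        # Logical CPUs reporting different revisions is worth investigating
        # before drawing any conclusion about the candidate.
        *) echo "mixed-revisions" ;;
    esac
}

# Demo on the constructed sample; on a real machine use: assess 0x2a < /proc/cpuinfo
printf '%s\n' "$SAMPLE_CPUINFO" | assess 0x2a
```

The revision to pass as the candidate is the one carried by the installed microcode package for your CPU model; the script only compares numbers and does not read package contents.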