Slashdot Mirror
Red Hat Reverts Spectre Patches to Address Boot Issues (bleepingcomputer.com)
An anonymous reader quotes BleepingComputer:
Red Hat is releasing updates for reverting previous patches for the Spectre vulnerability (Variant 2, aka CVE-2017-5715) after customers complained that some systems were failing to boot. "Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot," the company said yesterday. "The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released prior to the Spectre/Meltdown embargo lift date on Jan 3rd," Red Had added.
Instead, Red Hat is recommending that each customer contact their OEM hardware provider and inquire about mitigations for CVE-2017-5715 on a per-system basis. Besides Red Hat Enterprise Linux, other RHEL-based distros like CentOS and Scientific Linux are also expected to be affected by Red Hat's decision to revert previous Spectre Variant 2 updates, so these users will also have to contact CPU/OEM vendors.
At least one site "characterized the move as Red Hat washing its hands of the responsibility to provide customers with firmware patches," writes Data Center Knowledge, arguing instead that Red Hat "isn't actually involved in writing the firmware updates. It passes the microcode created by chipmakers to its users 'as a customer convenience.'" "What I would have said if they'd asked us ahead of time is that microcode is something that CPU vendors develop," Jon Masters, chief ARM architect at Red Hat, told Data Center Knowledge in a phone interview Thursday. "It's actually an encrypted, signed binary image, so we don't have the capability, even if we wanted to produce microcode. It's a binary blob that we cannot generate. The only people who can actually generate that are the CPU vendors."
Instead, Red Hat is recommending that each customer contact their OEM hardware provider and inquire about mitigations for CVE-2017-5715 on a per-system basis. Besides Red Hat Enterprise Linux, other RHEL-based distros like CentOS and Scientific Linux are also expected to be affected by Red Hat's decision to revert previous Spectre Variant 2 updates, so these users will also have to contact CPU/OEM vendors.
At least one site "characterized the move as Red Hat washing its hands of the responsibility to provide customers with firmware patches," writes Data Center Knowledge, arguing instead that Red Hat "isn't actually involved in writing the firmware updates. It passes the microcode created by chipmakers to its users 'as a customer convenience.'" "What I would have said if they'd asked us ahead of time is that microcode is something that CPU vendors develop," Jon Masters, chief ARM architect at Red Hat, told Data Center Knowledge in a phone interview Thursday. "It's actually an encrypted, signed binary image, so we don't have the capability, even if we wanted to produce microcode. It's a binary blob that we cannot generate. The only people who can actually generate that are the CPU vendors."
As written in the summary, the CPU maker is the only entity who can create a fixed microcode, be it for inclusion into firmware (BIOS/UEFI) files or in Linux kernel microcode files. So asking the OEM vendors won't help one bit cause they can simply do nothing at all except use a file create by Intel. If RH is too small to force Intel to create working microcode without boot up bugs, then others aren't big enough either.
Then next thing is: what will RH do in the future? Never apply the Spectre microcodes due to instability? If so, what happens in the future when other microcode updates are needed, like before? Intel has afaik only a single microcode file for Linux for pretty much all CPUs together. There is no mix and match, no way for Linux to selectively choose what to load. That is why RH had to go back to an older version without the breakage for Spectre. they couldn't just disable the new buggy part of the microcode.
This file you can see and download here: https://downloadcenter.intel.c...
Normally it lives in your initrd.
Sooner or later RH has to include a current microcode file from Intel in RHEL again. Would have been nice if they had clearly communicated this to their customers. Not "wash their hands" but "we will continually work with Intel until this issue is resolved."