Slashdot Mirror

← Back to Stories (view on slashdot.org)

Red Hat Reverts Spectre Patches to Address Boot Issues (bleepingcomputer.com)

Posted by EditorDavid on from the on-second-thought dept.

An anonymous reader quotes BleepingComputer: Red Hat is releasing updates for reverting previous patches for the Spectre vulnerability (Variant 2, aka CVE-2017-5715) after customers complained that some systems were failing to boot. "Red Hat is no longer providing microcode to address Spectre, variant 2, due to instabilities introduced that are causing customer systems to not boot," the company said yesterday. "The latest microcode_ctl and linux-firmware packages are reverting these unstable microprocessor firmware changes to versions that were known to be stable and well tested, released prior to the Spectre/Meltdown embargo lift date on Jan 3rd," Red Had added.

Instead, Red Hat is recommending that each customer contact their OEM hardware provider and inquire about mitigations for CVE-2017-5715 on a per-system basis. Besides Red Hat Enterprise Linux, other RHEL-based distros like CentOS and Scientific Linux are also expected to be affected by Red Hat's decision to revert previous Spectre Variant 2 updates, so these users will also have to contact CPU/OEM vendors.
At least one site "characterized the move as Red Hat washing its hands of the responsibility to provide customers with firmware patches," writes Data Center Knowledge, arguing instead that Red Hat "isn't actually involved in writing the firmware updates. It passes the microcode created by chipmakers to its users 'as a customer convenience.'" "What I would have said if they'd asked us ahead of time is that microcode is something that CPU vendors develop," Jon Masters, chief ARM architect at Red Hat, told Data Center Knowledge in a phone interview Thursday. "It's actually an encrypted, signed binary image, so we don't have the capability, even if we wanted to produce microcode. It's a binary blob that we cannot generate. The only people who can actually generate that are the CPU vendors."

13 of 78 comments (clear)

  1. Bullshit advice by RH by klingens · · Score: 5, Informative

    As written in the summary, the CPU maker is the only entity who can create a fixed microcode, be it for inclusion into firmware (BIOS/UEFI) files or in Linux kernel microcode files. So asking the OEM vendors won't help one bit cause they can simply do nothing at all except use a file create by Intel. If RH is too small to force Intel to create working microcode without boot up bugs, then others aren't big enough either.

    Then next thing is: what will RH do in the future? Never apply the Spectre microcodes due to instability? If so, what happens in the future when other microcode updates are needed, like before? Intel has afaik only a single microcode file for Linux for pretty much all CPUs together. There is no mix and match, no way for Linux to selectively choose what to load. That is why RH had to go back to an older version without the breakage for Spectre. they couldn't just disable the new buggy part of the microcode.
    This file you can see and download here: https://downloadcenter.intel.c...
    Normally it lives in your initrd.
    Sooner or later RH has to include a current microcode file from Intel in RHEL again. Would have been nice if they had clearly communicated this to their customers. Not "wash their hands" but "we will continually work with Intel until this issue is resolved."

    1. Re:Bullshit advice by RH by ls671 · · Score: 3, Interesting

      Actually, here is the approach we have adopted with regards to this problem; Don't apply the patches until this is sorted out, I give it about 3 months before we can make up our minds but any guess is as good as mine.

      Something that critically linked to the hardware as to be tested with all available hardware and configurations which is pretty hard to do. So, as usual, let the users do the testing and the testing cycle isn't completed yet! ;-)

      --
      Everything I write is lies, read between the lines.
  2. I hope that RedHat start distributing it again by Alain+Williams · · Score: 5, Insightful

    I understand why they stopped distributing the microcode. It is something that they cannot test fully, cannot fix and which might brick customers' hardware. If something goes wrong I expect someone to try to sue them. Distributing the microcode bring little benefit (to RedHat) but brings potential risk/cost.

    The onus is really on AMD/Intel/... to test the new microcode on *every* CPU that they have produced and with a large selection of releases & configurations of operating systems (MS Windows, Linux, macOS, ...) with different support chips (RAM, USB, ...). Yes: a lot of work, but they are the ones who screwed up here. They have also known about these problems for some 6 months - so it is a complete disgrace that they have not already produced the microcode updates AND tested them.

    Hopefully in a month or two, when the testing has been done properly: RedHat, Microsoft, ... will push out the microcode updates. We need these distributors, or vendors, to do so because otherwise very few machines will end up patched. Large organisations might contact the CPU vendors, most SME or home users probably don't know what the machines contain and won't think to worry about the update... which would just leave them vulnerable for when someone works out how to produce a real Spectre cracker program. It is ''when'' not ''if''.

  3. Spectre Patches Anyone? by mschwanke97402 · · Score: 5, Funny

    Seems like there is more damage being done by the Meltdown / Spectre hysteria and attendant patch frenzy than by exploits of the vulnerabilities themselves.

    Friends don't let friends Spectre patch their computers!

    1. Re:Spectre Patches Anyone? by HiThere · · Score: 3, Insightful

      You've got a point. The question is, how would you know if you were penetrated by Meltdown? Spectre is something that needs to be dealt with carefully. Meltdown? That's a bit more dangerous.

      My personal suggestion is to start by blocking javascript execution. That's not enough, but it buys you some time. But beyond that, I don't know. I'm presuming that it will get sorted out, so buying yourself some time is valuable.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:Spectre Patches Anyone? by tlhIngan · · Score: 2

      Seems like there is more damage being done by the Meltdown / Spectre hysteria and attendant patch frenzy than by exploits of the vulnerabilities themselves.

      That's because the most serious vulnerabilities affect virtualized systems more, and given the popularity of the cloud, they are extremely affected because there is no control over what software is run.

      These attacks may seem theoretical, and for a desktop user, they mostly are. Even server users with dedicated machines are generally safe as they own the entire machine and thus control the software on it. Virtualized hosts, not so much, and this ranges from simple VPS hosting companies, to cloud service companies like Amazon and Google. In this case, accessing not-your-memory can be beneficial, like trying to find the encryption keys used by someone sharing your machine. Cloud providers are especially scared because during high peak retail times, encryption keys may be spun to many instances to handle the load, and crafty attackers may simply spin up instances to extract those keys.

  4. Microcode updates from OSes? by thegarbz · · Score: 2

    So Linux provides the ability to update the CPU microcode during boot. Does Windows do something similar? I know that Microsoft has control over their Surface devices and often rolls out UEFI / BIOS updates via Windows updates, but does the OS itself have this functionality too?

    It would seem there's a pretty big exposure if Linux is able to push out updates directly from Intel, but Microsoft says: Apply a BIOS update from your PC OEM. Last BIOS issued to my motherboard was in 2014 and it is listed as beta.

    1. Re:Microcode updates from OSes? by ELCouz · · Score: 2

      You can do it yourself...use the linux microcode file from Intel website and patch at startup the microcode with the vmware windows microcode update tool.

      I did this this summer when there was a bug regarding threads for the Skylake CPUs until I had the BIOS update available.

    2. Re:Microcode updates from OSes? by ELCouz · · Score: 2

      Here's the link ------>>>>https://labs.vmware.com/flings/vmware-cpu-microcode-update-driver

  5. I've said it before... by GerryGilmore · · Score: 5, Insightful

    ...and I'll say it again: there has been WAY too much hype and hysteria (Hhhhmmm: Hype and Hysteria would be a GREAT band name!) around these issues. A) The vulnerabilities are far too esoteric to be really useful when there are a gazillion very easy, well-worn paths to get at your systems. B) Yes, ultimately, these vulnerabilities need to be addressed, but in a much more reasoned, thoroughly tested fashion as opposed to the current "OMG! I must flash my BIOS, install the latest microcode and update the kernel AT ONCE or all my base are belong to them!!" mindset. Perspective, please.

  6. Intel by zdzichu · · Score: 4, Insightful

    Wow, few paragraphs about Intel's fuckup and the culprit name isn't mentioned even once. It's Intel. Red Hat merely retracted updates developed and provided by Intel.

    --
    :wq
  7. Thanks god my Sgi Octane is finally stable by ReneR · · Score: 2

    so I do not need to worry about Intel's f*ckups anymore: https://www.youtube.com/watch?... ;-)

  8. Signed microcode update by manu0601 · · Score: 2

    I wondered about CPU micrcode hacking and I got the answer here: the micrcode update is signed. That suggests modern Intel CPU have a crypto engine to verify the update. I wonder how long will we live before someone leaks private key.