patching your Intel CPU Microcode using FreeBSD ports

Today this Nagios alert showed up:

Checking for security vulnerabilities in base (userland & kernel):
Host system:
Database fetched: Tue Nov 26 18:23:07 UTC 2019
FreeBSD-kernel-12.0_10 is vulnerable:
FreeBSD -- Intel CPU Microcode Update
CVE: CVE-2017-5715
CVE: CVE-2018-11091
CVE: CVE-2018-12130
CVE: CVE-2018-12127
CVE: CVE-2018-12126
CVE: CVE-2019-11139
CVE: CVE-2019-11135
WWW: https://vuxml.FreeBSD.org/freebsd/fbe10a8a-05a1-11ea-9dfa-f8b156ac3ff9.html

FreeBSD-kernel-12.0_10 is vulnerable:
FreeBSD -- Machine Check Exception on Page Size Change
CVE: CVE-2018-12207
WWW: https://vuxml.FreeBSD.org/freebsd/edc0bf7e-05a1-11ea-9dfa-f8b156ac3ff9.html

2 problem(s) in 1 installed package(s) found.
0 problem(s) in 0 installed package(s) found.

I admit it. I have not patched my microcode before. I’m doing it only because it turned up in Nagios.

Browsing to that URL, I found “Starting with version 1.26, the devcpu-data port/package includes updates and mitigations for the following technical and security advisories (depending on CPU model).”

Looking on FreshPorts, I found that port.

I built it. I installed it on all hosts. I followed the description the package gave me. I enabled both the boot loader and the service options.

I started the service, but saw nothing. I concluded the patch was not available.

Later, I saw this in the logs:

Nov 26 20:25:27 r720-01 pkg[49860]: devcpu-data-1.27 installed
Nov 26 20:27:38 r720-01 dan[50615]: /usr/local/etc/rc.d/microcode_update: WARNING: Can't load cpuctl module.
Nov 26 20:27:45 r720-01 microcode_update[50673]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl0 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50677]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl2 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50681]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl4 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50685]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl6 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50689]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl8 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50693]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl10 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50697]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl12 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50701]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl14 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50705]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl16 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50709]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl18 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50713]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl20 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50717]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl22 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50721]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl24 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50725]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl26 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50729]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl28 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50733]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl30 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50737]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl32 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50741]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl34 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:46 r720-01 microcode_update[50745]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl36 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:46 r720-01 microcode_update[50749]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl38 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:46 r720-01 kernel: CPU: Intel(R) Xeon(R) CPU E5-2690 v2 @ 3.00GHz (3000.06-MHz K8-class CPU)
Nov 26 20:27:46 r720-01 kernel:   Origin="GenuineIntel"  Id=0x306e4  Family=0x6  Model=0x3e  Stepping=4
Nov 26 20:27:46 r720-01 kernel:   Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
Nov 26 20:27:46 r720-01 kernel:   Features2=0x7fbee3ff<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>
Nov 26 20:27:46 r720-01 kernel:   AMD Features=0x2c100800
Nov 26 20:27:46 r720-01 kernel:   AMD Features2=0x1
Nov 26 20:27:46 r720-01 kernel:   Structured Extended Features=0x281
Nov 26 20:27:46 r720-01 kernel:   Structured Extended Features3=0x9c000400
Nov 26 20:27:46 r720-01 kernel:   XSAVE Features=0x1
Nov 26 20:27:46 r720-01 kernel:   VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID,VID,PostIntr
Nov 26 20:27:46 r720-01 kernel:   TSC: P-state invariant, performance statistics

Well, that was interesting.
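The install, enable and start sequence from the steps above, together with a check over log lines like the ones just shown, as an added example that is not the post's own code. It assumes FreeBSD with pkg(8) and sysrc(8), the package name devcpu-data, the rc.conf variable microcode_update_enable, and the loader.conf variables cpu_microcode_load and cpu_microcode_name; those two loader variables are my assumption about what the port's boot loader option expects, and early loading is, as far as I know, a 12.1-and-later feature. The expected revision 0x42e and the sample log lines are taken from the log above.

```shell
#!/bin/sh
# Added example (not from the original post): install devcpu-data, enable it
# for boot time and as a service, run it once, and check the result from the
# microcode_update log lines.  Assumes FreeBSD with pkg(8) and sysrc(8).
set -u

# Revision the updated CPUs should report; 0x42e is the value in the log
# lines on the page for this CPU model (06-3e-04).  Adjust for other CPUs.
EXPECTED_REV="0x42e"

# Install, enable, run.  Needs root.
apply_microcode_update() {
    pkg install -y devcpu-data
    # Service option: re-apply the update from rc(8) on every boot.
    sysrc microcode_update_enable="YES"
    # Loader option: load the microcode before the kernel starts.  Assumption:
    # this needs a release with early-loading support (I believe 12.1+), and
    # these are the variable names I expect the port's loader option to use.
    sysrc -f /boot/loader.conf cpu_microcode_load="YES"
    sysrc -f /boot/loader.conf cpu_microcode_name="/boot/firmware/intel-ucode.bin"
    # Apply now, without a reboot.
    service microcode_update start
}

# Verification over microcode_update log lines on stdin: every "updating cpu"
# line must end on the expected revision and finish with "done.".  Prints a
# one-line summary; exit status 1 if nothing was updated or anything is off.
check_update_log() {
    awk -v want="$1" '
        BEGIN { n = 0; bad = 0 }
        /microcode_update\[[0-9]+\]: .* updating cpu \/dev\/cpuctl[0-9]+ / {
            n++
            to = ""
            for (i = 1; i < NF; i++) if ($i == "to") to = $(i + 2)
            sub(/\.\.\.$/, "", to)            # "0x42e..." -> "0x42e"
            if (to != want || $NF != "done.") bad++
        }
        END {
            printf "updated=%d bad=%d\n", n, bad
            exit ((bad > 0 || n == 0) ? 1 : 0)
        }'
}

# Constructed sample: two lines copied from the post plus the rc script's
# warning, which the check must ignore.
sample_log() {
    cat <<'EOF'
Nov 26 20:27:38 r720-01 dan[50615]: /usr/local/etc/rc.d/microcode_update: WARNING: Can't load cpuctl module.
Nov 26 20:27:45 r720-01 microcode_update[50673]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl0 from rev 0x42d to rev 0x42e... done.
Nov 26 20:27:45 r720-01 microcode_update[50677]: /usr/local/share/cpucontrol/06-3e-04.ed: updating cpu /dev/cpuctl2 from rev 0x42d to rev 0x42e... done.
EOF
}

case "${1:-}" in
    apply) apply_microcode_update ;;
    check) grep 'microcode_update' /var/log/messages | check_update_log "${2:-$EXPECTED_REV}" ;;
    demo)  sample_log | check_update_log "$EXPECTED_REV" ;;
esac
```

Run it as `sh script.sh apply` on the host and then `sh script.sh check` after the update. Two things in the log above are worth reading correctly. The "Can't load cpuctl module" warning is not fatal: the very next lines show /dev/cpuctl0 onward being updated, which is what you see when cpuctl(4) is already in the kernel (amd64 GENERIC includes `device cpuctl`, so there is no module to load). And only even-numbered devices appear because an E5-2690 v2 is a 10-core, 20-thread part: cpuctl0 through cpuctl38 means two sockets and 40 logical CPUs but only 20 cores, a microcode update applies per core, and my reading is that cpucontrol(8) finds the sibling thread already on the new revision and has nothing to report for it.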

Looking back at a previous dmesg, I can see what’s missing:

  • SDBG
  • FMA
  • MOVBE

That is reproduced here for easier viewing:

[dan@dent:~/tmp] $ diff -ruN  before after
--- before	2019-11-26 16:50:20.000000000 -0500
+++ after	2019-11-26 16:47:17.000000000 -0500
@@ -1,2 +1,2 @@
 Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
-Features2=0x7ffefbff<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>
+Features2=0x7fbee3ff<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,         CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,      POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>
[dan@dent:~/tmp] $ 

I have added spaces to make the differences easier to review.
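Doing that comparison by script rather than by eye, as an added example that is not the post's own code: it takes the two Features2 lines from the diff above (the after line without the hand-added spaces), names the flags that disappeared or appeared, and XORs the two register words to list the bit positions that changed, so the names can be checked against the CPUID.(EAX=1):ECX bit assignments. Nothing beyond the two lines on the page is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): diff two dmesg CPU feature
# lines, naming the flags that appeared or disappeared and the CPUID bit
# positions behind them.  Sample lines are the before/after Features2 lines
# from the post.
set -u

BEFORE='Features2=0x7ffefbff<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>'
AFTER='Features2=0x7fbee3ff<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>'

# The raw register word: text between '=' and '<'.
feature_word() {
    printf '%s\n' "$1" | sed -n 's/^[^=]*=\(0x[0-9a-fA-F]*\)<.*/\1/p'
}

# The decoded names: comma-separated text between '<' and '>'.
feature_flags() {
    printf '%s\n' "$1" | sed -n 's/^[^<]*<\(.*\)>$/\1/p'
}

# Names present in line $1 but absent from line $2, in the order they appear.
flags_only_in_first() {
    awk -v a="$(feature_flags "$1")" -v b="$(feature_flags "$2")" 'BEGIN {
        n = split(b, bs, ","); for (i = 1; i <= n; i++) seen[bs[i]] = 1
        n = split(a, as, ","); out = ""
        for (i = 1; i <= n; i++)
            if (!(as[i] in seen)) out = out (out == "" ? "" : ",") as[i]
        print out
    }'
}

# Bit positions that differ between the two register words: XOR them, then
# scan all 32 bits.  Lets you check the flag names against the CPUID manual.
changed_bits() {
    x=$(( $(feature_word "$1") ^ $(feature_word "$2") ))
    i=0
    bits=""
    while [ "$i" -lt 32 ]; do
        if [ $(( (x >> i) & 1 )) -eq 1 ]; then
            bits="${bits}${bits:+,}${i}"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$bits"
}

# Human-readable report for two dmesg lines.
report() {
    printf 'removed: %s\n' "$(flags_only_in_first "$1" "$2")"
    printf 'added:   %s\n' "$(flags_only_in_first "$2" "$1")"
    printf 'bits:    %s\n' "$(changed_bits "$1" "$2")"
}

report "$BEFORE" "$AFTER"
```

For the two lines above the report is removed SDBG, FMA, MOVBE, nothing added, and bits 11, 12 and 22, which is 0x7ffefbff XOR 0x7fbee3ff = 0x00401800. Those three positions are exactly where Intel documents SDBG, FMA and MOVBE in CPUID.(EAX=1):ECX, so the flag names and the register word agree with each other. Feed it any two Features or Features2 lines captured on the same host before and after a change to get the same breakdown.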
