
CVE-2017-5715: How to update microcode manually?

Last Updated: Jul 26, 2018 03:33PM UTC


To address CVE-2017-5715, also known as Spectre variant 2, new microcode has to be installed on the hardware nodes. Some microcode updates are shipped with the `microcode_ctl` package, some are not. This article helps to determine whether you need to download and install new microcode manually.

How to verify if new microcode is needed?

If all needed updates are installed, Indirect Branch Restricted Speculation (IBRS) and Indirect Branch Prediction Barriers (IBPB) should be enabled:

~# dmesg | grep FEATURE
[ 1846.004085] FEATURE SPEC_CTRL Present
[ 1846.004092] FEATURE IBPB_SUPPORT Present

~# grep . /sys/kernel/debug/x86/i*enabled

For AMD processors, the values are different.
If ibpb and ibrs are enabled, there is no need to update microcode manually.

A server without microcode update:

~# dmesg | grep FEATURE
[ 1846.004085] FEATURE SPEC_CTRL Not Present
[ 1846.004092] FEATURE IBPB_SUPPORT Not Present

~# grep . /sys/kernel/debug/x86/ib*enabled

If ibpb and ibrs are not enabled, continue reading this article.

Note: on Virtuozzo 6 servers, 'debugfs' is not mounted by default. You may need to mount it:

~# mount -t debugfs debugfs /sys/kernel/debug

Is there a supported way to update microcode?

The easiest way to update microcode is to install a BIOS update. Contact the hardware manufacturer to check whether a BIOS update exists for your server and whether it contains a microcode update that mitigates CVE-2017-5715. If there is no BIOS update, continue reading the article.

NOTE: Virtuozzo does not guarantee that the method described below works on your installations. Please apply it to a test server first.

How to determine the current microcode version and whether it can be updated?

To check what microcode is needed, take the signature from `dmesg` and convert it to the family-model-stepping format:

~# dmesg | grep "microcode: CPU0"
[ 7.713307] microcode: CPU0 sig=0x306e4, pf=0x1, revision=0x428
~# awk -v s=0x306e4 'BEGIN{split(sprintf("%06x",strtonum(s)),v,//);printf"%s%s-%s%s-%s%s\n",v[1],v[4],v[2],v[5],v[3],v[6];exit}'
06-3e-04

Download the needed microcode from the CPU manufacturer's site. In this particular example the needed file is "intel-ucode/06-3e-04". Check its revision and release date:

~# f=intel-ucode/06-3e-04; od -t x4 -N 8 -j 4 -A n $f | { read r d; printf 'File: %s\nRev: %s\nDate: %s\n' $f $r $d; }
File: intel-ucode/06-3e-04
Rev: 0000042a
Date: 12012017

For Intel microcode, a date later than 16.11.2017 usually means that the fixes are present. The date field is BCD in mmddyyyy format, so "12012017" above is 1 December 2017, and revision 0x42a is newer than the running revision 0x428.
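As an added example (not from the article or from Virtuozzo), the same signature-to-file-name conversion and header check written as portable shell functions, with the file's processor signature (header offset 12 in Intel's layout) compared against the running CPU's so a file built for another CPU is rejected; the 16-byte header is constructed inline to stand in for intel-ucode/06-3e-04.

```shell
#!/bin/sh
# Added example, not from the Virtuozzo article: convert a CPUID signature to
# Intel's FF-MM-SS file name and read revision, date and signature from a
# microcode file header, then decide whether the file is newer than what runs.

# Signature -> family-model-stepping: the same digit shuffle as the article's
# awk one-liner, in portable sh (no gawk strtonum needed).
sig_to_fms() {
    h=$(printf '%06x' "$(($1))")          # 0x306e4 -> 0306e4
    printf '%s-%s-%s\n' \
        "$(printf '%s' "$h" | cut -c1,4)" \
        "$(printf '%s' "$h" | cut -c2,5)" \
        "$(printf '%s' "$h" | cut -c3,6)"
}

# Read one little-endian 32-bit header field as 8 hex digits.
# Intel header offsets: 4 = update revision, 8 = date (BCD mmddyyyy),
# 12 = processor signature.
ucode_field() {
    set -- $(od -An -t x1 -N 4 -j "$2" "$1")
    printf '%s%s%s%s\n' "$4" "$3" "$2" "$1"
}

# Compare a microcode file with the running CPU (sig and revision taken from
# "dmesg | grep microcode"). Prints newer, same, older or mismatch.
ucode_status() {
    fsig=$(ucode_field "$1" 12)
    [ "$((0x$fsig))" -eq "$(($2))" ] || { echo mismatch; return; }
    frev=$(ucode_field "$1" 4)
    if   [ "$((0x$frev))" -gt "$(($3))" ]; then echo newer
    elif [ "$((0x$frev))" -eq "$(($3))" ]; then echo same
    else echo older; fi
}

# Constructed 16-byte header standing in for intel-ucode/06-3e-04:
# version 1, revision 0x42a, date 12/01/2017, signature 0x306e4.
SAMPLE=${TMPDIR:-/tmp}/ucode-sample.$$
printf '\001\000\000\000\052\004\000\000\027\040\001\022\344\006\003\000' > "$SAMPLE"

sig_to_fms 0x306e4                       # 06-3e-04
ucode_field "$SAMPLE" 4                  # 0000042a
ucode_field "$SAMPLE" 8                  # 12012017
ucode_status "$SAMPLE" 0x306e4 0x428     # newer: 0x42a > 0x428
```

On a real node, pass the sig and revision printed by `dmesg | grep "microcode: CPU0"` and the downloaded file instead of the constructed sample.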

How to update microcode manually?

For Virtuozzo 7:

Check whether loading the new binary microcode (a file named in family-model-stepping format) at runtime works:

~# dd bs=1M of=/dev/cpu/microcode if=FF-MM-SS

Confirm that features were enabled:

~# dmesg | tail -3
[ 1846.004067] microcode: CPU15 updated to revision 0xb000025, date = 2017-11-18
[ 1846.004085] FEATURE SPEC_CTRL Present
[ 1846.004092] FEATURE IBPB_SUPPORT Present

If everything is correct, replace the old microcode in "/lib/firmware/intel-ucode/" or "/lib/firmware/amd-ucode/" so that the new one is applied on every reboot.

For Virtuozzo 6 and earlier versions:

Check whether loading the new text-format microcode at runtime works:

~# microcode_ctl -f microcode.dat

If ibpb and ibrs are now enabled (check `dmesg` as shown above), copy "microcode.dat" to "/lib/firmware/" so that the new microcode is loaded on the next reboot.

Please note that updating the "microcode_ctl" package can overwrite the files mentioned above, so after a system update check that the updated files still contain the microcode for your CPU.
