How to enable automatic microcode updates

Started by meyergru, September 25, 2023, 12:28:17 PM

And indeed in BIOS itself there is this line:

Ucode Patch Version                        810100B

So that answers that :D
Deciso DEC750 x2
Deciso DEC2752 x1

@olmari: here's the latest microcode package to test with

# opnsense-revert -z cpu-microcode-amd

# pkg query %v cpu-microcode-amd
20240810


Cheers,
Franco

Fixing Sinkclose (CVE-2023-31315), I presume?
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Probably. Haven't double-checked.


Cheers,
Franco

I, too, would like to know the estimated fix date for the SinkClose vulnerability in the EPYC 3201 in my OPNsense DEC850.

My DEC850 is new. I configured it but haven't deployed it yet. I'll wait until SinkClose is patched.

AMD's advisory seems to list the Embedded EPYC 3000 [series] "target" as Oct 2024, if I read it correctly:
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html

Then I assume OPNsense will need X weeks to incorporate the fix.

So maybe Oct at the earliest but Nov or Dec more likely.

I can wait but was looking forward to installing the DEC850 this week. :(

> I, too, would like to know the estimated fix date

To be frank same as any other vulnerability... likely next minor release.

As for the previous one not fixing it: I can't ship a fix that I didn't have last week.


Cheers,
Franco

FWIW, I doubt that this new update has addressed CVE-2023-31315 yet. E.g., Debian will do this for Bookworm with a point release, which is due in a few months and has only updated Debian Sid so far. I have tested that update and found that the microcode version did not change for my AMD Ryzen 5700G from the previous version. Yet, the bulletin states that this CPU is affected.

Also, Platomav has only one update from last week for AMD - there should be more than that if the fixes had been published.

Thus, I am not even sure if it will be a microcode update alone that will fix it. AFAIK, AGESA is a little bit more than just the microcode.

AMD has chosen to name the due update 1.2.0.cb while most OEMs still have 1.2.0.C in their BIOSes. Asus really calls it 1.2.0.ca, but I failed to find any BIOS update with 1.2.0.cb from the big OEMs.

So, I guess we will have to wait.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+


Interesting. The Debian version for Sid is 3.20240710.1, so obviously a month too early. So FreeBSD seems ahead this time... ;-)
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+


Maybe I'm dense, but on 24.7.1 (stock and amd-early kernel) I get no updated cpu-microcode-amd package...

root@router:~ # pkg update
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
root@router:~ # pkg search cpu-microcode
cpu-microcode-1.0_1            Meta-package for CPU microcode updates
cpu-microcode-amd-20240116     AMD CPU microcode updates
cpu-microcode-intel-20240531   Intel CPU microcode updates
cpu-microcode-rc-1.0_2         RC script for CPU microcode updates
root@router:~ # pkg query %v cpu-microcode-amd
root@router:~ #
Deciso DEC750 x2
Deciso DEC2752 x1

It will be available in 24.7.2, likely next week.

That's why I said use opnsense-revert to grab the snapshot:

# opnsense-revert -z cpu-microcode-amd

# pkg query %v cpu-microcode-amd
20240810

:)


Cheers,
Franco

August 14, 2024, 07:42:56 PM #58 Last Edit: August 14, 2024, 09:05:08 PM by olmari
root@router:~ # opnsense-revert -z cpu-microcode-amd
Package 'cpu-microcode-amd' is not installed
root@router:~ # pkg query %v cpu-microcode-amd
root@router:~ # pkg install cpu-microcode-amd
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
cpu-microcode-amd: 20240116
cpu-microcode-rc: 1.0_2

Number of packages to be installed: 2

60 KiB to be downloaded.

Proceed with this action? [y/N]:
root@router:~ # pkg install cpu-microcode-amd
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
cpu-microcode-amd: 20240116
cpu-microcode-rc: 1.0_2

Number of packages to be installed: 2

60 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/2] Fetching cpu-microcode-rc-1.0_2.pkg: 100%    3 KiB   2.6kB/s    00:01   
[2/2] Fetching cpu-microcode-amd-20240116.pkg: 100%   58 KiB  59.4kB/s    00:01   
Checking integrity... done (0 conflicting)
[1/2] Installing cpu-microcode-rc-1.0_2...
[1/2] Extracting cpu-microcode-rc-1.0_2: 100%
[2/2] Installing cpu-microcode-amd-20240116...
[2/2] Extracting cpu-microcode-amd-20240116: 100%
=====
Message from cpu-microcode-rc-1.0_2:

--
This port includes an RC script, which is one of two methods to update
the CPU microcode on a FreeBSD system.

1. Early loading.
   This method does not use the RC script included here.
   This is the preferred method, because it ensures that any CPU features
   added or removed by a microcode update are visible to the kernel by
   applying the update before the kernel performs CPU feature detection.

   To enable updates using early loading, add the following lines to
   /boot/loader.conf:

   cpu_microcode_load="YES"

   and the appropriate one of these lines:

   cpu_microcode_name="/boot/firmware/intel-ucode.bin"
   cpu_microcode_name="/boot/firmware/amd-ucode.bin"

   The microcode update will be loaded when the system is rebooted.

   AMD systems running FreeBSD prior to 2024-02-22 snapshot
   34467bd76 only support late loading.


2. Late loading.
   This method, which does use the RC script included here, is enabled by
   adding the following line to /etc/rc.conf:

   microcode_update_enable="YES"

   The microcode update is then applied upon reboot or when the microcode
   update service is run via:

   # service microcode_update start

   If the CPU requires a microcode update, a console message such as the
   following will appear:

   Updating CPU Microcode...
   /usr/local/share/cpucontrol/m32306c3_00000022.fw: updating cpu /dev/cpuctl0 from rev 0x17 to rev 0x22... done.
   /usr/local/share/cpucontrol/m32306c3_00000022.fw: updating cpu /dev/cpuctl2 from rev 0x17 to rev 0x22... done.
   /usr/local/share/cpucontrol/m32306c3_00000022.fw: updating cpu /dev/cpuctl4 from rev 0x17 to rev 0x22... done.
   /usr/local/share/cpucontrol/m32306c3_00000022.fw: updating cpu /dev/cpuctl6 from rev 0x17 to rev 0x22... done.
   Done.

It is safe to enable both methods.
=====
Message from cpu-microcode-amd-20240116:

--
Refer to the cpu-microcode-rc installation notes to enable AMD microcode
updates.
root@router:~ # opnsense-revert -z cpu-microcode-amd
Fetching cpu-microcode-amd.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20240611... done
cpu-microcode-amd-20240116: already unlocked
Installing cpu-microcode-amd-20240810...
package cpu-microcode-amd is already installed, forced install
Extracting cpu-microcode-amd-20240810: 100%
=====
Message from cpu-microcode-amd-20240810:

--
Refer to the cpu-microcode-rc installation notes to enable AMD microcode
updates.
root@router:~ # pkg query %v cpu-microcode-amd
20240810

Dmesg: CPU microcode: no matching update found

root@router:~ # kldload -q cpuctl; x86info -a | fgrep -i microcode
Microcode patch level: 0x810100b


So, either something does not load correctly, or for the Ryzen v1500b there is no microcode update in this round. My bet is on the latter, by preliminary looks.
Deciso DEC750 x2
Deciso DEC2752 x1
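As an added example (not from the thread or the FreeBSD port): a small POSIX sh audit of the two loading methods from the cpu-microcode-rc package message, plus the patch-level comparison olmari did by hand between the BIOS "Ucode Patch Version" and the x86info output. The file paths and the sample config contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread: audit the two FreeBSD microcode
# loading methods described in the cpu-microcode-rc package message and
# compare patch levels the way the thread does (BIOS vs. x86info).
# File paths are parameters so the checks can also run on sample files.

# 0 if early loading is configured for VENDOR (amd|intel) in a
# loader.conf-style file: both cpu_microcode_load and a matching
# cpu_microcode_name must be present and not commented out.
early_loading_configured() {
    conf=$1 vendor=$2
    grep -Eq '^[[:space:]]*cpu_microcode_load="?YES"?' "$conf" || return 1
    grep -Eq "^[[:space:]]*cpu_microcode_name=\"?/boot/firmware/$vendor-ucode.bin\"?" "$conf"
}

# 0 if late loading (the RC script) is enabled in an rc.conf-style file.
late_loading_configured() {
    grep -Eq '^[[:space:]]*microcode_update_enable="?YES"?' "$1"
}

# Normalise "0x810100b", "810100B" or "0x0810100B" to bare lowercase hex
# without leading zeros so BIOS and x86info values compare textually.
norm_level() {
    printf '%s\n' "$1" | sed -e 's/^0[xX]//' -e 's/^0*//' | tr 'A-F' 'a-f'
}

# 0 if the running patch level differs from the reference (an update took
# effect), 1 if they are identical, as on the V1500B in the thread.
microcode_changed() {
    [ "$(norm_level "$1")" != "$(norm_level "$2")" ]
}

# Demo on constructed sample configs (not real files from the thread).
demo() {
    d=$(mktemp -d)
    printf 'cpu_microcode_load="YES"\ncpu_microcode_name="/boot/firmware/amd-ucode.bin"\n' >"$d/loader.conf"
    printf '# microcode_update_enable="YES"\n' >"$d/rc.conf"
    early_loading_configured "$d/loader.conf" amd && echo "early loading (amd): configured"
    late_loading_configured "$d/rc.conf" || echo "late loading: not enabled (commented out)"
    # BIOS "Ucode Patch Version 810100B" vs x86info "0x810100b": no change
    microcode_changed 810100B 0x810100b || echo "patch level unchanged: no update applied"
    rm -rf "$d"
}
demo
```

On a live box, point the two config checks at /boot/loader.conf and /etc/rc.conf and feed `microcode_changed` the value from `x86info -a` and the BIOS screen.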

Indeed. This CVE-2023-31315 info page says that the Ryzen Embedded V1000 series and the V1500b, also dubbed YE1500C4T4MFB, are expected to get an update with a target date of Oct. 2024.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+