diff options
Diffstat (limited to '')
| -rw-r--r-- | debian/README.Debian | 239 |
1 files changed, 239 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..220932d --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,239 @@ +intel-microcode for Debian +-------------------------- + +Introduction: + +IntelĀ® 64 and IA-32 processors (x86_64 and i686 processors) are capable of +field-upgrading their control program (microcode) as well as parameters +for other on-chip subsystems (power management, interconnects, etc). +These microcode updates correct processor errata, and are important for +safe, stable and correct system operation. + +While most of the microcode updates fix problems that happen extremely +rarely, they also fix high-profile, high-hitting issues. There are enough +microcode updates fixing processor errata that would cause system lockup, +memory corruption, or unpredictable system behavior, to warrant taking +firmware updates and microcode updates seriously. + +Microcode updates are ephemeral: they will be lost after a processor hard +reset or after the processor is powered off. They must be reapplied at +every boot, as well as after the system wakes up from suspend to RAM or +disk. + +Updating the processor microcode is the responsibility of the system +firmware (BIOS, UEFI). However, not all vendors will release timely +updates for their firmware when Intel releases updated microcode, and most +users don't update their system firmware in a timely fashion (or at all) +anyway. + +The end result is that, unless the operating system picks up the slack and +tries to deliver microcode updates, the processor in many systems will be +running with outdated microcode, increasing the chances of incorrect +system operation. + + +Using Debian to apply microcode updates: + +Debian can apply microcode updates to the system processors during the +operating system boot when a correctly configured Linux kernel (such as +the standard Debian Linux kernels), and a small set of extra packages from +"non-free" and "contrib" are installed. + +You must have "contrib" and "non-free" repositories enabled in apt's +sources list (either in /etc/apt/sources.list, or in a file inside +/etc/apt/sources.list.d/). + +On a default Debian system (which uses a Debian kernel, the grub +bootloader, and initramfs-tools to create the initramfs for the kernel), +install the "intel-microcode" package and its dependencies, and reboot. + +Users of custom configurations should note that microcode update support +for Debian 8 "Jessie" changed from previous Debian stable releases. + +Custom Linux kernels must be built with initramfs support enabled (Kconfig +option CONFIG_BLK_DEV_INITRD=y), as well as early microcode support +enabled (Kconfig options CONFIG_MICROCODE=y, CONFIG_MICROCODE_INTEL=y, +CONFIG_MICROCODE_INTEL_EARLY=y). An initramfs image *must* be used. + +The use of "dracut" to generate the initramfs is not yet supported, but it +should work if you have a new enough version of dracut that is compatible +with the kernel you are using (i.e. it might require the use of +backports). Dracut will have to be manually configured to enable early +microcode updates. Better dracut support is planned for a future version +of the intel-microcode package. + +NOTE: It is not impossible for an operating-system supplied microcode +update to cause boot issues. Should that happen, please refer to the +"RECOVERY PROCEDURE" section of this document. + + +Caveats: + +Please keep your UEFI/BIOS up-to-date. Assuming your motherboard vendor +does a good job of updating system firmware components, an up-to-date +version of the firmware will negate most of the caveats listed here. + +Some features added to the processor post-launch, such as Intel SGX for +"Skylake", are likely to require a full firmware update to work. Some +issues and errata can only be fixed by a full firmware update should they +require fixes and workarounds outside of the processor microcode update +(typically: ME firmware, SMM code, platform MSR setup, ACPI data, Intel +TXT/SGX modules). + +A microcode update may enable functionality or change the behavior of +weakly-defined functionality (such as the effect of model-dependent CPU +power-management MSRs). This can (very rarely) interact badly with +outdated BIOS/UEFI. + +A microcode update can revoke the signatures of vulnerable Intel TXT ACMs +(refer to security advisory INTEL-SA-00035) and Intel SGX system modules. +This will disable Intel TXT and Intel SGX in a system that still has the +vulnerable components in firmware (the only way to really fix the +vulnerabilities is to update the firmware). + +Microcode updates often do not go well with overclocking and similar +tuning (such as underclocking, "undervolting", etc). Reset the system to +Intel's *up-to-date* recommended values should a microcode update seem to +be causing trouble, and search for a less aggressive, stable operating +point for the new microcode. + +A microcode update can (very rarely) interact badly with, or expose +software bugs in the kernel and on frequency/thermal control daemons. + + +RECOVERY PROCEDURE: + +It is possible for a microcode update to not work well, or to not work at +all on specific system models. This is very rare when using early +microcode updates, but it has happened at least once. + +Should you experience problems because of the microcode update, you will +have to bypass the microcode update process that happens during operating +system startup (boot), and remove (or install an older version of) the +intel-microcode package. + +To bypass the microcode update during system startup, you must instruct the +boot loader (grub, lilo, etc) to pass the "dis_ucode_ldr" parameter +(without the quotes) to the kernel. + +If your system uses grub (the default bootloader in Debian): + + 1. Access the grub menu during boot (press and hold the left "Shift" + key right after starting the system up if you don't see a grub menu + during boot); + + 2. Move the highlight/cursor to the kernel/boot option you want to + use, and press the "e" key to edit it; + + 3. Locate the line that starts with "linux" using the cursor + keys. You must add the word "dis_ucode_ldr" (without the quotes) to + the end of that line; + + 4. Press "Ctrl+X" to start (boot) the system. The microcode updates + will be skipped. + +After the system is running, remove or purge the intel-microcode package, +or alternatively install an older version of the intel-microcode package. + +If removing or purging the intel-microcode package fails to do it for some +reason, please refresh the initramfs using the "update-initramfs -u" +command (as the root user), and possibly "update-initramfs -u -k <desired +kernel version>" or "update-initramfs -u -k all". + +Please report any issues caused by microcode updates to the Debian bug +tracker, e.g. using the "reportbug" tool. + + +Microcode update details: + +The "early mode" of the Linux kernel microcode update driver will apply +the microcode updates as soon as possible, before making use of the more +complex modes and functionality of the system processors. This greatly +reduces the chances of system malfunction due to any issues that are +corrected by the microcode update. + +It will update the CPU core that boots the system (known as BSP, for +"bootstrap processor") as one of the first things it does. It will also +update the microcode on the other CPU cores (known as AP, for "application +processor") while enabling them, before they can be used. + +In some cases, early microcode updates will allow the kernel to sidestep +the need to disable functionality, as an example, there's the "Atom PSE +erratum". + +In other cases, it will be the only safe way to apply a microcode update. +For example, the Intel TSX errata in Intel Haswell and Broadwell processors +required a microcode update that entirely disables Intel TSX. Applying the +microcode update will crash anything that might be using Intel TSX at that +time. + +The initramfs helpers will attempt to restrict the number of microcode +updates added to the initramfs to the bare minimum through the use of +iucode_tool. This behavior can be changed and fine-tuned through the +/etc/default/intel-microcode file. + +Also, microcode from files matching /usr/share/misc/intel-microcode* will +be considered. This allows the easy use of microcode.dat files distributed +directly by Intel. Be careful to not leave old files there, or you may end +up using microcode that Intel stopped distributing on purpose for unknown +reasons. + + +Downloading new microcode data from Intel: + +A new version of the microcode bundle can be downloaded directly from +Intel (through their GitHub project): +https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files + + +To manually install the downloaded microcode bundle, unpack the archive you +got from Intel and copy the microcode-*.dat file from the archive to +/usr/share/misc/intel-microcode.dat. + +You should make sure the microcode data file is owned by root, and that it +can only be written to by root (e.g. mode 0644) for security reasons: + + chown root:root /usr/share/misc/intel-microcode.dat + chmod 0644 /usr/share/misc/intel-microcode.dat + +After you install the updated intel-microcode.dat file, run as root: + + update-initramfs -u + +The intel-microcode package supports "extra" microcode data in the +following files (and will warn you if it detects and use them): + + /usr/share/misc/intel-microcode* + +both .dat and .bin formats are supported. + + +Triggering an immediate microcode update (without a reboot): + + **** WARNING **** **** WARNING **** **** WARNING **** **** WARNING **** + + This procedure used to be safe before microcode update 20140913. + It is not safe anymore in the general case. + + While it is likely to continue to be safe for the Intel micro- + architectures that preceded Haswell and Silvermont, this is not + in any way assured. + + You have been warned. Do not do this unless you really know + what you are doing. + + **** WARNING **** **** WARNING **** **** WARNING **** **** WARNING **** + +The microcode kernel module will attempt to apply a microcode update when +loaded by "modprobe". If the module is already loaded or compiled-in (it +cannot be a module anymore in recent Linux kernels), run this command (as +root): + + echo -n 1 >/sys/devices/system/cpu/microcode/reload + +For kernels before Linux v3.6, refer to the iucode_tool(8) manpage. + + +* Note: Intel is a registered trademark of Intel Corporation. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 10 Apr 2016 16:32:09 -0300 |