LL v2.8 Kernel and Intel Processor Microcode Updates

[Lex24]

I have LL v2.8, it runs without any problems and I intend to keep it until it reaches end-of-life in April of 2019. But I'm considering kernel and processor microcode updates.

As it turns out, intel-microcode package has never been installed, although the machine has an Intel processor (old Core2Duo). The kernel is 3.19.0-33-generic:

Code:

cat /etc/lsb-release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Linux Lite 2.8"

Code:

inxi -C

CPU:   Dual core Intel Core2 CPU 6300 (-MCP-) cache: 2048 KB flags: (lm nx sse sse2 sse3 ssse3 vmx)
       Clock Speeds: 1: 1596.00 MHz 2: 1596.00 MHz

Code:

uname -r

3.19.0-33-generic

Code:

apt-cache policy intel-microcode

intel-microcode:
  Installed: (none)
  Candidate: 3.20180108.0+really20170707ubuntu14.04.1
  Version table:
     3.20180108.0+really20170707ubuntu14.04.1 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     2.20140122.1 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/multiverse amd64 Packages

I have two questions:

1) The latest kernel that includes spectre mitigation updates recommended for Ubuntu v14.04 is 3.13.0-141.190 and it can be pulled from LL repos:

https://launchpad.net/ubuntu/+source/lin....0-141.190

https://wiki.ubuntu.com/SecurityTeam/Kno...ndMeltdown

Code:

apt-cache policy linux-headers-3.13.0-14

linux-headers-3.13.0-141-lowlatency:
  Installed: (none)
  Candidate: 3.13.0-141.190
  Version table:
     3.13.0-141.190 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
linux-headers-3.13.0-141-generic:
  Installed: (none)
  Candidate: 3.13.0-141.190
  Version table:
     3.13.0-141.190 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
linux-headers-3.13.0-141:
  Installed: (none)
  Candidate: 3.13.0-141.190
  Version table:
     3.13.0-141.190 0
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages

Are the following commands correct to install kernel and microcode updates? Has anyone tried that, have there been any problems reported anywhere?

Code:

sudo apt-get update
sudo apt-get -y install linux-headers-3.13.0-141 linux-headers-3.13.0-141-generic linux-image-3.13.0-141-generic linux-image-extra-3.13.0-141-generic

sudo apt-get install intel-microcode

2) Does intel-microcode need to be loaded ahead of initial ram disk, which would require initrd line in the bootloader to look as follows:

Code:

initrd /boot/intel-microcode.img /boot/initrd.img-3.13.0-141-generic

I have replaced Grub2 bootloader with Grub4Dos (because of its simplicity), so I have to create menu.lst manually:

Code:

title Linux Lite
root (hd1,4)
kernel /boot/vmlinuz-3.13.0-141-generic root=UUID=c0af9bh9-39c8-519g-cz4j-87684beg7958 ro
# intel processors only
initrd /boot/intel-microcode.img /boot/initrd.img-3.13.0-141-generic

-----
For the record:

a) according to ArchWiki loading processor microcode very early in the boot process and ahead of initial ram disk is only required with Intel processors. In case of AMD processors the microcode does not need to be loaded by the bootloader, at least for now:

https://wiki.archlinux.org/index.php/microcode

b) the new versions of Grub4Dos can handle two image files placed on initrd line, as confirmed here:

http://reboot.pro/topic/21397-intel-proc...itrd-line/

[trinidad]

install the new kernel first. Update the system afterwards. The microcode available will be in the Linux firmware package in synaptic. Install the package and then use driver search to select the microcode if you like. There will be microcode there but none updated against Spectre and Meltdown. The core2 duo CPU is not yet supported against Spectre and Meltdown by Intel and may never be. The new kernel will contain the Linux mitigations, and yes that is how microcode works with Deb systems - a load early function at boot. Loads new each time you boot.

TC

[Ottawagrant]

Have to agree with Trinidad. I have an HP computer with a Core 2 Duo. As the computer is 9 years old it is doubtful that HP will release firmware. I swap the hard drive between Windows 10 & Linux Lite on it. (It's a compaq 7900 SFF). Windows 10 in device manager is already starting to show 'missing drivers'. I suspect either this Spring's Windows 10 update, or next Fall will give me the dreaded "This computer does not support Windows 10". The computer works great with LL.

[Lex24]

trinidad: The microcode available will be in the Linux firmware package in synaptic. Install the package and then use driver search to select the microcode if you like.

I actually have linux-firmware installed, only intel-microcode is not installed.

I have assumed that intel-microcode is automatically installed by Ubiquity if an Intel processor has been detected, but it doesn't seem to be the case. It looks like intel-microcode is considered to be an optional package that must be installed by the user.

In the end I got kernel 3.13.0-141.190 and then intel-microcode installed. On my system it didn't work too well, I had experienced freeze-ups, so I booted to my Clonezilla disk image backup and rolled back to kernel 3.19.0-33 and no intel-microcode. I only have 2 GB of RAM on this machine so it could be the problem.

In case anyone else is considering trying this update I had to do the following to get the final initrd.img-3.13.0-141-generic built properly:

- install kernel 3.13.0-141
- purge kernel 3.19.0-33
- purge kernel 3.19.0-80 (which for some reason was auto-installed after 3.19.0-33 was purged)
- reboot
- install intel-microcode

Make sure that the last line in terminal output refers to kernel 3.13.0-141-generic:

Code:

sudo apt-get install intel-microcode

Reading package lists... Done
Building dependency tree
.....
intel-microcode: microcode will be updated at next boot
Processing triggers for initramfs-tools (0.103ubuntu4.10) ...
update-initramfs: Generating /boot/initrd.img-3.13.0-141-generic

[trinidad]

Update drivers GUI would have accomplished the same thing, as well as Lite Tweaks for the kernel updation. Also you can install or remove microcode via update drivers GUI. FYI: The so called Intel microcode you are opting to use is the same old core2 duo blob that was available 10 years ago. It is not an update with any S-M mitigations. The S-M mitigations are built into the Linux kernel not the microcode and Intel is unlikely to ever update the old mc. The microcode offers you NO improvement in security against S-M and it can mess up your graphics handling depending on your OEM. Linux is free. Intel microcode is never installed as a default. The new kernel is the way to go, but the mc does not matter. If your system was sluggish just use update drivers to opt out of the microcode usage. The GUI tools in Linux Lite are among the best available anywhere in the Linux world. Turn to them first unless you are really aware of the processes backgrounding in your command line structure. Ubuntu and Debian are not exactly the same in some cases, and file managers across distros do not always use the same placements.

TC

[Lex24]

Thanks for clarifying this.

[Lex24]

Update:

I have found Linux Lite Kernel thread and installed the custom LL kernel v4.15.0 (without installing intel-microcode). The kernel seems to be working fine in LL 2.8 and it resolved Meltdown vulnerability on my system.

Code:

sudo apt-get update && sudo apt-get install linux-headers-linuxlite-4.15.0 linux-image-linuxlite-4.15.0 -y

Ref: https://www.freecinema2022.gq/forums/linux.../#msg38277

[trinidad]

I believe 4.15 retpoline will soon be the new LTS UBU kernel. That should resolve most vulnerabilities. Retpoline is already backported to 4.9 Deb stretch.

TC