Microcode updates

security
meltdown
spectre

#1

Hello,

will Univention provide microcode updates?

Kind regards,
SirTux


#2

The microcode updates for Debian are already available, but only for Testing (Buster) right now. https://packages.debian.org/search?keywords=intel-microcode&searchon=names&suite=testing&section=all


#3

I know, but Univention is not Debian. It’s only based on Debian. Ubuntu has already officially provided an update.


#4

Univention will probably provide microcode updates when they are ready, but they alone are not sufficient:

  • The Linux kernel (both host and guest) must be patched to use the new CPU feature
  • QEMU/KVM must be patched to pass the new CPU feature to any guest virtual machine
  • libvirt must be updated to enable this new feature

There are also reports that the microcode update provided by Intel “breaks” some CPU models: they reboot immediately. This is currently being investigated (by others). To my knowledge this problem is restricted to some models with large caches.
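
The layered dependency described in post #4 can be checked per layer. The following is an added example, not part of the thread and not Univention tooling: it compares a host `/proc/cpuinfo` with one copied out of a guest. It assumes the "new CPU feature" shows up as the `ibrs` and `ibpb` flags (the names mainline Linux uses; the thread does not name the feature), and the sample files are constructed.

```shell
#!/bin/sh
# Added example. Assumption: the "new CPU feature" appears as the ibrs and ibpb
# flags in /proc/cpuinfo (mainline Linux names; the thread does not name it).
FEATURES="ibrs ibpb"

# Print "yes" if every flag in $FEATURES is on the first flags line of FILE.
has_features() {
    flags=$(awk -F: '/^flags/ {print $2; exit}' "$1")
    for f in $FEATURES; do
        case " $flags " in
            *" $f "*) ;;                 # whole-word match only
            *) echo no; return 0 ;;
        esac
    done
    echo yes
}

# Print the loaded microcode revision recorded in a cpuinfo file.
microcode_rev() {
    awk -F': ' '/^microcode/ {print $2; exit}' "$1"
}

# Compare a host cpuinfo with one copied out of a guest.
diagnose() {
    if [ "$(has_features "$1")" = no ]; then
        echo host-missing     # microcode or host kernel not updated
    elif [ "$(has_features "$2")" = no ]; then
        echo guest-missing    # QEMU/KVM, libvirt CPU model or guest kernel
    else
        echo ok
    fi
}

# Constructed sample data (not real captures); revisions are placeholders.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'microcode\t: 0x1\nflags\t\t: fpu sse2\n'           > "$tmp/host_old"
printf 'microcode\t: 0x2\nflags\t\t: fpu sse2 ibrs ibpb\n' > "$tmp/host_new"
printf 'microcode\t: 0x2\nflags\t\t: fpu sse2\n'           > "$tmp/guest_old"
printf 'microcode\t: 0x2\nflags\t\t: fpu sse2 ibrs ibpb\n' > "$tmp/guest_new"

echo "host microcode: $(microcode_rev "$tmp/host_new")"
echo "old host:             $(diagnose "$tmp/host_old" "$tmp/guest_old")"
echo "new host, old guest:  $(diagnose "$tmp/host_new" "$tmp/guest_old")"
echo "new host, new guest:  $(diagnose "$tmp/host_new" "$tmp/guest_new")"
```

On a real system, pass the host's `/proc/cpuinfo` as the first argument to `diagnose` and a copy of the guest's `/proc/cpuinfo` as the second.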