3

I have installed the latest BIOS on my notebook. The manufacturer of the notebook states that the BIOS update will include corrections regarding Spectre/Meltdown vulnerabilities.

  • What microcode does Ubuntu 14.04 LTS use?
  • Does it load the microcode from BIOS or does it load the microcode from the system files on the HD?
  • When it uses the microcode from the HD, I am afraid it could be an older version which is not Spectre/Meltdown proof.
  • How to check which microcode is loaded and used by the system and how to check which one is a newer version?
muru
  • 207,228
Barbara
  • 39

2 Answers

3

Ubuntu does not use microcode (in the sense you are talking about) at all. Your CPU, however, does use microcode -- that is the code it needs to function.

Ubuntu provides amd- and intel-microcode packages, which provide updated firmware for that hardware. These packages are fully updated with all Spectre/Meltdown patches in all supported releases of Ubuntu.

Ongoing patches for vulnerabilities are handled by the Ubuntu Security Team. It's a normal part of support in a supported release of Ubuntu. You receive those patches routinely when you upgrade from Ubuntu's -security repository.

If you have questions about specific vulnerabilities, feel free to search the database of vulnerabilities and patches.

Determine which version of firmware your CPU is using with `grep microcode /proc/cpuinfo`

Finally, be aware that version numbers can be misleading when checking for vulnerabilities: A patched package may not have a higher upstream version number (since it's not a new upstream version), but is still fixed and tested and no longer vulnerable. In these cases, Debian and Ubuntu add their own supplementary version numbers so you can tell the difference.

user535733
  • 68,493
2

The answer is:
It first loads the Microcode from the BIOS and then, while loading the OS, the newest Microcode is loaded again by the OS. Both are signed binary files which are supposedly impossible to tamper with.

So if the version of the BIOS/UEFI is older than the version provided to the Operating System, the MicroCode is loaded/updated by the OS via a system update. Otherwise the BIOS/UEFI version is used.

The Operating System does load microcode during the booting process as mentioned in this wiki:

The CPU-vendor-provided "opaque" update data itself, however, is non-free, and its contents are unknown to Debian. This "opaque" data is sent as-is to the CPU for processing, but only when the kernel and user-space utilities deem it necessary to do so. This means the microcode update is not sent to the system processor unless it is actually needed.

For example, the system will never send microcode update data to the processor when the processor reports that it's already running either the same version or a newer version of the microcode (because the UEFI/BIOS already updated it). It will also not send microcode update data that is not appropriate to that system processor.

zx485
  • 2,865
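An added example, not part of either answer and not Ubuntu's own tooling, of the check the two answers describe: read the running revision from `/proc/cpuinfo`, compare revisions numerically, and tell whether the kernel or the BIOS/UEFI supplied it. The kernel log wording `microcode updated early to revision` is an assumption taken from Intel systems with kernels of that era, the function names are hypothetical, the sample values are constructed, and late (runtime) reloads are not covered.

```shell
#!/bin/sh
# Added example. Inputs are files so the logic can be checked offline; on a
# live system use /proc/cpuinfo and a file holding the output of `dmesg`.

# Distinct microcode revisions reported by the cores in a cpuinfo-format file.
running_revisions() {
    awk -F': *' '/^microcode[ \t]*:/ { print $2 }' "$1" | sort -u
}

# Revision the kernel applied early in boot; empty if the kernel left the
# firmware-loaded microcode alone. Log wording is an assumption (see lead-in).
early_update_revision() {
    sed -n 's/.*microcode updated early to revision \(0x[0-9a-fA-F]*\).*/\1/p' "$1" | tail -n 1
}

# Compare two hex revisions numerically, so 0x9 sorts below 0x1c.
compare_revisions() {
    if [ $(($1)) -lt $(($2)) ]; then echo older
    elif [ $(($1)) -gt $(($2)) ]; then echo newer
    else echo same; fi
}

# Print "<revision> <source>": source is "os" when the running revision is the
# one the kernel applied at boot, otherwise "firmware" (BIOS/UEFI) is assumed.
microcode_source() {
    revs=$(running_revisions "$1")
    [ -n "$revs" ] || { echo "unknown none"; return 1; }
    [ "$(printf '%s\n' "$revs" | wc -l)" -eq 1 ] || { echo "mixed cores"; return 1; }
    early=$(early_update_revision "$2")
    if [ -n "$early" ] && [ "$(compare_revisions "$revs" "$early")" = same ]; then
        echo "$revs os"
    else
        echo "$revs firmware"
    fi
}

# Constructed sample data, not captured from a real machine.
demo=$(mktemp -d)
printf 'processor\t: 0\nmicrocode\t: 0x25\nprocessor\t: 1\nmicrocode\t: 0x25\n' > "$demo/cpuinfo"
printf '[    0.000000] microcode: microcode updated early to revision 0x25, date = 2018-04-02\n' > "$demo/dmesg"
microcode_source "$demo/cpuinfo" "$demo/dmesg"    # prints: 0x25 os
compare_revisions 0x1c 0x25                       # prints: older
rm -r "$demo"
```

Use `compare_revisions` to check the running revision against the one your CPU vendor's advisory lists as fixed; a result of `older` means neither the BIOS nor the installed microcode package has delivered it yet.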