microcode: Update amd and intel ucode and remove indirection #3340
Conversation
Cancelled the checks workflow. I have not uploaded the new sources to the lookaside cache for now. Given that we are changing who our upstream is, I did not want to go ahead and push it to the cache, just in case this gets vetoed.
I agree with the move to consume microcode straight from the upstream sources for recency and completeness. Since microcode updates are vendor-signed blobs, I don't see a benefit of using an intermediary as our upstream here.
Fun fact about the size considerations: Some Intel family/model/stepping combinations use the same microcode files:
$ sha256sum * | awk '$0 !~ /DUPLICATE/ { ucode[$1] += 1 } END { for (hash in ucode) { if (ucode[hash] > 1) { print ucode[hash] " " hash } } }'
2 5ea325315da51857c900a658590653a51e4ccf0c7a6d542a07459320f1e592d4
4 5d8d4a4d5456c43b7cc04937c80aec094ccbf3bd89f34ffa5182913ef944a9f9
4 3ecd7fa0f93cf78e3e3cac5af3225402d21fb528b1480a5363c556ffbd76b7b2
These turn out to be the chunkier ones even:
$ sha256sum * | grep -e 5d8d4a4d5456c43b7cc04937c80aec094ccbf3bd89f34ffa5182913ef944a9f9 -e 3ecd7fa0f93cf78e3e3cac5af3225402d21fb528b1480a5363c556ffbd76b7b2 -e 5ea325315da51857c900a658590653a51e4ccf0c7a6d542a07459320f1e592d4 | awk '!ucode[$1] { ucode[$1] = $2; system("ls -lh " $2) }'
-rw-rw-r-- 1 markus users 1.2M Aug 8 20:04 06-8f-04
-rw-rw-r-- 1 markus users 215K Aug 8 20:04 06-97-02
-rw-rw-r-- 1 markus users 211K Aug 8 20:04 06-ba-02
The size increase could therefore be counteracted somewhat (~ 5 MiB) by symlinking true duplicates. Another day... :-)
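The symlink idea in the comment above, worked through as an added example (this is not code from the PR or from Bottlerocket): group the files of a microcode directory by sha256, keep one canonical copy per hash, and turn every other byte-identical file into a relative symlink. The directory layout and file contents produced by make_sample_dir are constructed for the demo; real microcode blobs are much larger and differ in content.

```shell
#!/bin/sh
# Added example, not code from the PR or from Bottlerocket: replace byte-identical
# microcode files in a directory with symlinks to one canonical copy, the
# space-saving idea raised in the comment above. File names and contents in
# make_sample_dir are constructed for the demo; real microcode blobs differ.
set -eu

# make_sample_dir DIR: create fake "FF-MM-SS" files. Three names share the
# same bytes (like the 5d8d4a4d... group above), two share another, one is unique.
make_sample_dir() {
    mkdir -p "$1"
    printf 'A%0255d' 0 > "$1/06-8f-04"          # 256 bytes
    cp "$1/06-8f-04" "$1/06-8f-05"
    cp "$1/06-8f-04" "$1/06-8f-06"
    printf 'B%0127d' 0 > "$1/06-97-02"          # 128 bytes
    cp "$1/06-97-02" "$1/06-97-05"
    printf 'C%063d' 0 > "$1/06-55-07"           # 64 bytes, unique
}

# dedup_by_hash DIR: group regular files by sha256, keep the lexically first
# name of each group as the canonical file, and replace the rest with relative
# symlinks. Existing symlinks are skipped, so a second run is a no-op.
# Prints "<files replaced> <bytes saved>".
dedup_by_hash() {
    dir=$1
    list=$(mktemp)
    # sha256sum prints "hash  name"; order by hash, then by name within a hash
    ( cd "$dir" && find . -maxdepth 1 -type f | sed 's|^\./||' | sort | xargs -r sha256sum ) \
        | sort -k1,1 -k2,2 > "$list"
    replaced=0
    saved=0
    prev_hash=
    canonical=
    while read -r hash name; do
        if [ "$hash" = "$prev_hash" ]; then
            # belt and braces: confirm the bytes match before trusting the hash
            cmp -s "$dir/$canonical" "$dir/$name" \
                || { echo "content mismatch for $name" >&2; rm -f "$list"; return 1; }
            saved=$((saved + $(wc -c < "$dir/$name")))
            ln -sf "$canonical" "$dir/$name"
            replaced=$((replaced + 1))
        else
            prev_hash=$hash
            canonical=$name
        fi
    done < "$list"
    rm -f "$list"
    echo "$replaced $saved"
}

# count_symlinks DIR: number of symlinks present (what dedup_by_hash produced)
count_symlinks() {
    find "$1" -maxdepth 1 -type l | wc -l | tr -d ' '
}

# Demo on a throwaway directory
demo_dir=$(mktemp -d)
make_sample_dir "$demo_dir"
echo "first pass:  $(dedup_by_hash "$demo_dir")"   # 3 files replaced, 640 bytes saved
echo "second pass: $(dedup_by_hash "$demo_dir")"   # nothing left to do
ls -l "$demo_dir"
rm -rf "$demo_dir"
```

The cmp step is deliberate: the symlink is only ever created between files whose bytes were compared directly, so the hash is just a grouping key and not the thing the packaging step trusts. Whether the loader or packaging tooling follows symlinks in the microcode directory still has to be checked against the consumer before shipping such a layout.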
Force-pushed 4771edf to f92a5ca
⬆️ force push fixed the two comments by Markus.
Update microcode for Intel and AMD processors in face of recent processor vulnerabilities. In the process cut out the indirection step through Amazon Linux. They do not change the microcode between getting it from upstream and us consuming it, so it is an extra step of indirection. Signed-off-by: Leonard Foerster <[email protected]>
With the move to upstream sources for microcode the helper script `latest-srpm-urls.sh` is not applicable anymore. Remove it and references to it. Signed-off-by: Leonard Foerster <[email protected]>
Force-pushed f92a5ca to f791708
⬆️ force push rebased on top of latest develop branch. Going to abort the checks running because I have not yet uploaded the artifacts to the lookaside cache.
Uploaded the source artifacts to lookaside cache and checked the automated test builds succeed. Merging.
Issue number: -
Description of changes:
There is one caveat to this change, and that is increased space needed in the images. Amazon Linux reduces the provided Intel microcode down to the platforms it will encounter in EC2. We have carried that gap of not shipping microcode for potential target platforms for a while now, since we introduced metal variants, and needed to fix it. However, now that we take the upstream Intel package completely we carry a lot more microcode binaries, which leads to a quite steep increase in the space needed (11M vs 235K for the Intel microcode rpm size, see below). But given that this is cutting out an indirection that can introduce additional headache, I think this is a worthwhile tradeoff for closing the coverage gap. If we have to, we can later thin out the microcode we ship to not include super binaries for obsolete technology or platforms that are unlikely to run Bottlerocket (Intel Atom platforms come to mind).
Testing done:
Booted aws-k8s-1.27 with the new microcode package on a c5.metal host and checked the microcode version. Expected according to the release notes is 05003604 (search for Processor CLX-SP for that platform):
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
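The "checked microcode version" step from the Testing done section, as an added example that is not part of the PR or of Bottlerocket: parse a /proc/cpuinfo-style dump and confirm that every CPU reports both the expected family/model/stepping and the expected microcode revision, rather than eyeballing one processor entry. Two assumptions are mine, not the page's: that CLX-SP is family 6, model 85 (0x55), stepping 7, i.e. the 06-55-07 file, and that the 05003604 revision from the release notes shows up as 0x5003604 in the cpuinfo microcode field. The cpuinfo text produced by sample_cpuinfo is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not code from the PR or from Bottlerocket: verify that every
# CPU in a /proc/cpuinfo-style dump reports the expected family/model/stepping
# and microcode revision, the check described under "Testing done" above.
# Assumptions (mine): CLX-SP is family 6, model 85 (0x55), stepping 7, and the
# 05003604 revision from the release notes appears as 0x5003604 in cpuinfo.
# The cpuinfo text written by sample_cpuinfo is constructed, not captured.
set -eu

# check_microcode FILE FF-MM-SS REV: parse cpuinfo, print "<ok>/<cpus> cpus ok",
# report each mismatch on stderr, and return 0 only if every CPU matches both
# the platform id and the revision (an empty file is also a failure).
check_microcode() {
    awk -v want_fms="$2" -v want_rev="$3" -F'[ \t]*:[ \t]*' '
        /^processor/      { n++ }
        /^cpu family/     { fam = $2 }
        /^model[ \t]*:/   { mod = $2 }          # not "model name"
        /^stepping/       { step = $2 }
        /^microcode/ {
            fms = sprintf("%02x-%02x-%02x", fam, mod, step)
            if (fms != want_fms) {
                bad++
                printf "cpu %d: platform %s, expected %s\n", n - 1, fms, want_fms > "/dev/stderr"
            } else if (tolower($2) != tolower(want_rev)) {
                bad++
                printf "cpu %d: microcode %s, expected %s\n", n - 1, $2, want_rev > "/dev/stderr"
            }
        }
        END {
            printf "%d/%d cpus ok\n", n - bad, n
            exit (n == 0 || bad > 0) ? 1 : 0
        }
    ' "$1"
}

# cpu_entry INDEX REV: one constructed processor block in /proc/cpuinfo layout
cpu_entry() {
    printf 'processor\t: %s\n' "$1"
    printf 'vendor_id\t: GenuineIntel\n'
    printf 'cpu family\t: 6\n'
    printf 'model\t\t: 85\n'
    printf 'model name\t: Intel(R) Xeon(R) Platinum (constructed sample)\n'
    printf 'stepping\t: 7\n'
    printf 'microcode\t: %s\n' "$2"
    printf 'cpu MHz\t\t: 3000.000\n\n'
}

# sample_cpuinfo REV0 REV1: constructed two-CPU dump for a CLX-SP-style host
sample_cpuinfo() {
    cpu_entry 0 "$1"
    cpu_entry 1 "$2"
}

# Demo: a host where both CPUs carry the new revision, and one where cpu 1
# still reports a constructed older value (0x5003303 here is just a stand-in).
good=$(mktemp)
stale=$(mktemp)
sample_cpuinfo 0x5003604 0x5003604 > "$good"
sample_cpuinfo 0x5003604 0x5003303 > "$stale"
check_microcode "$good" 06-55-07 0x5003604
check_microcode "$stale" 06-55-07 0x5003604 || echo "stale host: do not sign off"
# On a real host: check_microcode /proc/cpuinfo 06-55-07 0x5003604
rm -f "$good" "$stale"
```

Checking the platform id alongside the revision matters because a revision number is only meaningful for one family/model/stepping; a matching number on a different stepping says nothing about whether the right blob was loaded. On a live host the per-CPU sysfs file /sys/devices/system/cpu/cpuN/microcode/version gives the same loaded revision if you prefer not to parse /proc/cpuinfo.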