[CentOS] /lib/firmware/microcode.dat update on CentOS 6

Thu Jan 18 16:27:55 UTC 2018
Peter Kjellström <cap at nsc.liu.se>

On Thu, 18 Jan 2018 04:03:48 -0600
Johnny Hughes <johnny at centos.org> wrote:

> On 01/18/2018 03:41 AM, Pete Biggs wrote:
> >   
> >> Look at:
> >>
> >> https://t.co/6fT61xgtGH
> >>
> >> Get the latest microcode.dat file from here:
> >>
> >> https://t.co/zPwagbeJFY
> >>
> >> See how to update the microcode from the links at the bottom of
> >> this page:
> >>
> >> https://t.co/EOgclWdHCw
> >>
> >> An before anyone asks .. I have no idea why Red Hat chose this
> >> path, they did.  It doesn't matter if I (or anyone else) agrees
> >> with the decision.  It is what it is.
> >>  
> > **I'm not blaming you.**
> > 
> > But can I just clarify. We have to *manually* install the microcode
> > update an EL7 in order to be protected against Spectre? EL6 as well?
> > 
> > Presumably this is to remove RH from the loop and to stop people
> > blaming them - i.e. this is between Intel and the customer, it's
> > nothing to do with them.
> >   
> 
> No, this is because at least one major CPU (Intel type 79) is
> completely broken by the Intel Microcode Update.  Those machines
> can't boot after the microcode rpm is installed.  It impacts at least
> these processors:
> 
> Intel(R) Xeon(R) CPU E5-2637 v4 @ 3.50GHz
> Intel(R) Xeon(R) CPU E5-2643 v4 @ 3.40GHz
> Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.20GHz
> Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.50GHz
> 
> There may be others.

As a data point, we have the updated microcode running on 600+ Haswell
servers and so far no indication of problems.

We'll keep the ibrs/spectre mitigation this gives us and not revert
(unless it turns out it does cause problems).

/Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20180118/e770e9a8/attachment-0005.sig>