On Thu, 18 Jan 2018 04:03:48 -0600
Johnny Hughes <johnny at centos.org> wrote:

> On 01/18/2018 03:41 AM, Pete Biggs wrote:
> >
> >> Look at:
> >>
> >> https://t.co/6fT61xgtGH
> >>
> >> Get the latest microcode.dat file from here:
> >>
> >> https://t.co/zPwagbeJFY
> >>
> >> See how to update the microcode from the links at the bottom of
> >> this page:
> >>
> >> https://t.co/EOgclWdHCw
> >>
> >> And before anyone asks .. I have no idea why Red Hat chose this
> >> path, they did. It doesn't matter if I (or anyone else) agrees
> >> with the decision. It is what it is.
> >>
> > **I'm not blaming you.**
> >
> > But can I just clarify. We have to *manually* install the microcode
> > update on EL7 in order to be protected against Spectre? EL6 as well?
> >
> > Presumably this is to remove RH from the loop and to stop people
> > blaming them - i.e. this is between Intel and the customer, it's
> > nothing to do with them.
> >
>
> No, this is because at least one major CPU (Intel type 79) is
> completely broken by the Intel Microcode Update. Those machines
> can't boot after the microcode rpm is installed. It impacts at least
> these processors:
>
> Intel(R) Xeon(R) CPU E5-2637 v4 @ 3.50GHz
> Intel(R) Xeon(R) CPU E5-2643 v4 @ 3.40GHz
> Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.20GHz
> Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.50GHz
>
> There may be others.

As a data point, we have the updated microcode running on 600+ Haswell
servers and so far no indication of problems. We'll keep the
ibrs/spectre mitigation this gives us and not revert (unless it turns
out it does cause problems).

/Peter