public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Intel Microcode (was: Testing report for IPFire 2.21 - Core Update 123)
Date: Thu, 23 Aug 2018 14:34:52 +0100
Message-ID: <cf940a73d31f3520965c34cd662b8f627660562b.camel@ipfire.org>
In-Reply-To: <20ea8d10-0384-892e-fd11-3c9c5c24ff4e@link38.eu>

Hi,

On Wed, 2018-08-22 at 19:36 +0200, Peter Müller wrote:
> Hello,
> 
> since yesterday Core Update 123 is running on one of my firewall systems.
> After a reboot, I noticed average load has decreased a little bit (RAM
> consumption stays the same).

That should only be caused by the reboot itself...

> Further, CPU frequency graphs are now working again (Thanks to Arne) and
> show some flapping freqs between 1.2kHz and 2.0kHz for each core. Before
> Core Update 121/122, idle frequencies were about 700MHz - not sure what
> this means.
> 
> IDS, squid proxy (with URL filter and upstream proxy enabled), fireinfo
> and IPsec (N2N connections only) work fine.
> 
> The OpenVPN WebUI page now displays a warning about a host certificate
> not being compliant with RFC3280, saying all host and root certificates
> should be replaced as soon as possible. This is probably related to
> https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=400c8afd9841bed350c192099a34bc84f3a04535 .

Yes. I asked Erik to add some documentation about it.

> GeoIP database results in WebUI are now as expected.
> 
> A check script for CPU vulnerabilities (Spectre, Meltdown, ...) claims
> system is still vulnerable against CVE-2018-3640 (Spectre v3a), which
> requires up-to-date µ-codes. The overall results do not differ from a
> system running 121/122, which surprises me as new microcodes are shipped
> with this update.

It looks like we have to roll back the microcode update. Intel has
changed the licensing terms in such a way that we won't be able (and no
third party either) to provide any performance benchmarks.

So if someone says on the forum that IPFire is "a little bit slower
since the last update", that would violate that license.

Testing the throughput of your firewall is a common thing to do and
would probably not be possible anymore either.

Basically, it isn't an option to ship this. Other distributions think
the same.

> > [root@firewall ~]# grep "." /sys/devices/system/cpu/vulnerabilities/*
> > /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
> > /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected
> > /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
> > /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW
> 
> Besides the microcode issue, I did not notice any issues. Output of
> "uname -a" is:
> 
> > Linux firewall 4.14.50-ipfire #1 SMP Fri Jun 29 16:40:29 GMT 2018 x86_64 Intel(R) Celeron(R) CPU N3150 @ 1.60GHz GenuineIntel GNU/Linux
> 
> Thanks, and best regards,
> Peter Müller

Best,
-Michael
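
Added example, not part of either message above: the sysfs listing quoted in the report has no entry for CVE-2018-3640, so comparing a system before and after a Core Update also needs the loaded microcode revision. This sketch turns both into one diffable snapshot; the function names are hypothetical, the CPUINFO sample and its revision value are constructed, and it assumes the x86 "microcode" field of /proc/cpuinfo.

```shell
#!/bin/sh
# VULNS repeats the four sysfs lines quoted in the report.
VULNS='/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW'

# Constructed /proc/cpuinfo excerpt; 0x1 is a placeholder revision.
CPUINFO='processor : 0
microcode : 0x1
processor : 1
microcode : 0x1'

# classify: "path:status" lines on stdin -> "name verdict" lines.
classify() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        file=${line%%:*}      # text before the first colon
        state=${line#*:}      # text after the first colon
        name=${file##*/}      # file name without the directory
        case $state in
            "Not affected"*) verdict=not_affected ;;
            Mitigation:*)    verdict=mitigated ;;
            Vulnerable*)     verdict=vulnerable ;;
            *)               verdict=unknown ;;
        esac
        printf '%s %s\n' "$name" "$verdict"
    done
}

# microcode_revs: cpuinfo text on stdin -> distinct microcode revisions.
microcode_revs() {
    awk -F': *' '$1 ~ /^microcode/ { print $2 }' | sort -u
}

# snapshot: $1 = sysfs listing, $2 = cpuinfo text; prints one report
# that can be saved before an update and diffed against one taken after.
snapshot() {
    printf '%s\n' "$1" | classify
    printf '%s\n' "$2" | microcode_revs | sed 's/^/microcode /'
}

# Live use:
#   snapshot "$(grep . /sys/devices/system/cpu/vulnerabilities/*)" \
#            "$(cat /proc/cpuinfo)" > snapshot.txt
snapshot "$VULNS" "$CPUINFO"
```

If two snapshots taken around an update are identical, including the microcode line, the kernel is still running with the same microcode revision as before.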

