
Spectre, etc: Would installing the Linux processor microcode (/etc/firmware) break UTM?

Hi

I'm running 9.506-2 home edition on a fanless mini PC (based on an Intel J1900 and with a big SSD and 4 GB of RAM). I sourced the hardware - advertised as an 'industrial router' - from a Chinese supplier, and whilst I am totally delighted with it, they have just informed me that they will not be producing any BIOS updates (to patch the microcode) and obviously, we are all now aware of this Spectre and Meltdown stuff, so my curiosity was piqued when just watching the 'Security Now!' podcast (SN-646) and Steve Gibson mentioning that Linux-based machines can patch the microcode on the fly (by simply placing it in the /etc/firmware directory) and I was just curious to know whether anybody had tried this (or had any thoughts on trying this) with a Sophos UTM installation (and, of course, whether the UTM build would even implement it)?

Looking at the UTM installation, I see there's no firmware directory in /etc, but it would be easy enough to create one and copy the code from a USB stick. Whether there would be any benefit in doing so is not something I have yet looked into (though I strongly suspect not, for a Sophos installation) but the idea of it intrigued me enough to post this question (and also just to make Linux users aware of this).

Below is the text from the Intel page and below that is the URL to that page:

Purpose

This microcode data file contains the latest microcode definitions for all Intel processors. Intel releases these updates periodically. These microcode data files correct processor behavior as documented in the respective processor specification guidelines.

While the regular approach to getting this microcode update is via a BIOS update, Intel realizes that this can be an administrative hassle. The Linux* operating system has a mechanism to update the microcode after booting. For example, this file will be used by the operating system mechanism if the file is placed in the /etc/firmware directory of the Linux system.

downloadcenter.intel.com/.../Linux-Processor-Microcode-Data-File

All the best
Briain :-)
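
Added example (not part of the original post or of Intel's text): a read-only shell check of which microcode revision each core reports in /proc/cpuinfo and, where the kernel provides it, the mitigation status under /sys/devices/system/cpu/vulnerabilities, so the state before and after any runtime microcode load can be compared. The sample cpuinfo text and its revision values are constructed, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: read-only report of per-core microcode revision and kernel status.
# Constructed sample in /proc/cpuinfo layout (revision values are made up).
sample_cpuinfo() {
cat <<'EOF'
processor : 0
model name : Intel(R) Celeron(R) CPU J1900 @ 1.99GHz
microcode : 0x831
processor : 1
model name : Intel(R) Celeron(R) CPU J1900 @ 1.99GHz
microcode : 0x836
EOF
}

# Read cpuinfo text on stdin and print one "cpuN REVISION" line per core.
microcode_revs() {
    awk -F':[ \t]*' '
        /^processor[ \t]*:/ { cpu = $2 }
        /^microcode[ \t]*:/ { print "cpu" cpu, $2 }'
}

# Read "cpuN REVISION" lines; print "consistent REV", "mixed REV REV ..." or
# "unknown". Mixed revisions suggest an update was applied to only some cores.
revision_summary() {
    awk '!seen[$2]++ { revs = revs " " $2; n++ }
         END { if (n == 0) { print "unknown" }
               else { s = (n == 1 ? "consistent" : "mixed"); print s revs } }'
}

# Print the kernel's per-issue status if it exposes the sysfs directory;
# kernels that predate it get a single notice instead.
vuln_status() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ -d "$dir" ]; then
        for f in "$dir"/*; do
            if [ -f "$f" ]; then printf '%s: %s\n' "${f##*/}" "$(cat "$f")"; fi
        done
    else
        echo "no vulnerabilities directory: kernel does not report status"
    fi
}

# Use the live system when /proc/cpuinfo is readable, else the constructed sample.
if [ -r /proc/cpuinfo ]; then
    microcode_revs < /proc/cpuinfo | revision_summary
else
    sample_cpuinfo | microcode_revs | revision_summary
fi
vuln_status
```

Running it once before and once after placing a microcode file shows whether the reported revision actually changed on every core.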


  • Well I didn't try this with the UTM. In general this is normal behavior for an OS, Windows does this too. But as you stated there is no directory for that, so maybe this will not be loaded.

    And more important, Intel drew the updates back, and a lot of companies too. VMware for example, after I finished patching the hosts :-)

    So wait before you get more problems than before.


  • At the top of all Community pages is currently a link to your answer, Briain :)

    PLEASE READ Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre) for the latest updates.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Folks

    Thank you both for responding and yes, I had read that advisory, and whilst a lot of it refers to MS endpoints, I noted the below paragraph:

    Products under investigation
    Sophos is currently investigating the kernel updates for Linux and other operating systems (as they are being made available by the vendors) that are the basis of the firmware of our network security appliances. If required, any necessary fixes (updated firmware, BIOS updates or equivalent images, etc.) will be made available to the latest versions of the network security products or applied before a product is shipped.


    Interesting that it mentions the possible need for BIOS updates and that again raises the question on whether depositing the appropriate (for your CPU) microcode file in /etc/firmware might be an alternative (where using UTM on a device with no BIOS updates available), but last night, I watched Tuesday's 'Security Now!' and there was a discussion about Intel releasing buggy microcode (causing some systems to 're-boot more than usual', or as they stated on the programme; to crash)! :-P They also commented on Intel telling OEMs to remove any [recently released] BIOS updates that included their microcode patch, so it all sounds like it's in a bit of a jolly old mess, to put it mildly!

    Looking deeper into it, the Spectre aspect does look like it would have to be leveraged as part of a spear phishing attempt on someone's PC (as in a high profile user) so I'm starting to think this is a bit of a red herring when it comes to a UTM box (particularly so for a 'low profile' user like me; AKA a nobody living in the wilderness :D ) as it would be difficult to install anything onto it, so I'll just sit on the sidelines and watch how it all develops - in terms of PC users - over the next few months (with great interest, of course).

    Kind regards, and once again, thank you both for taking the time to respond,
    Briain
  • Dear Briain,

    I agree with you, but some of us do use the Sophos UTM for business purposes to protect their networks. You also pay quite a decent fee for this. I therefore expect quality from a supplier like Sophos.
    Personally, I can't estimate the effort involved, but I find it amazing that there are still no further results from Sophos. I also know that other security solution providers are not really any further along.
    So I think we will all have to wait and see.

    Best
    Alex


  • Hi Alex

    Yes, I fully understand and appreciate what you are saying about the enterprise deployment scenarios (and also the prices involved). To my [very limited] understanding, for this to impact a UTM would first require the installation of a malicious package into the underlying Linux build, then even if - to ponder something drastic - the RSA key was somehow extracted, the person wishing to access the UTM would also require remote SSH access to be available. As you say, we will just have to wait and see what the next few weeks reveal about it all.

    In case you are interested, I have just found the two links to the recent Intel announcements about the problems with the microcode updates (from the show notes at the twit.tv site):

    newsroom.intel.com/.../
    security-center.intel.com/advisory.aspx

    I'll read through them both later (as it is now time for me to leave my warm firewall and instead slave over a hot stove). :-)

    Kind regards,
    Briain