
Include microcode update packages for both Intel and AMD64 CPUs
Open, Normal, Public, FEATURE REQUEST

Description

According to the forum thread over at https://forum.vyos.io/t/add-intel-microcode-to-included-packages/6223 the microcode update packages for Intel and AMD64 CPUs are still not included in VyOS.

These should be included for security purposes:

https://packages.debian.org/bookworm/admin/intel-microcode

https://packages.debian.org/bookworm/admin/amd64-microcode

Note however that the kernel itself includes mitigations (which can be disabled through the VyOS config), and another workaround in the meantime is to update the motherboard BIOS, which should also include the needed microcode updates (however that method will probably lag 6-12 months behind, if the motherboard manufacturer ever updates it at all).

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Security vulnerability

Event Timeline

syncer triaged this task as Normal priority. May 8 2024, 9:41 PM

Please consider making the microcode updates optional, and making it possible to load a specified file downloaded separately from the CPU vendor, independently of VyOS updates.
Some possible edge cases:

  • running VyOS in a VM (a microcode update has no effect in the guest anyway; it needs to be done on the hypervisor)
  • a microcode update released in a hurry breaks something, and one needs to revert to an older one
  • a microcode update reduces performance but doesn't improve the security of VyOS (because it's not a typical multi-user system with untrusted users who can run arbitrary programs)
  • a microcode update has important fixes, but it will take time before a new LTS is released, or VyOS can't be updated because the subscription has expired
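The VM edge case above (a microcode package inside a guest cannot patch the physical CPU) and the question of what the kernel actually reports can both be checked from the shell. The script below is an added example for this thread, not VyOS code and not the commenter's; the /proc/cpuinfo and sysfs vulnerability samples are constructed, and the helper names (microcode_revision, is_guest, vuln_summary, live_vulns) are ours:

```shell
#!/bin/sh
# Added example for this thread (not VyOS's own code, not the commenter's).
# Three checks around the edge cases discussed above:
#   - is this a guest? (a microcode package inside a VM cannot patch the
#     physical CPU; the hypervisor host must carry the update)
#   - which microcode revision is the CPU running right now?
#   - does the kernel consider itself mitigated, or is it reporting
#     "Vulnerable" (mitigations disabled, or microcode the firmware and
#     initramfs did not supply)?
# Each helper reads its input on stdin so it can be exercised on the
# constructed samples below; pass --live to inspect the running host.

# First CPU's "microcode : 0x..." value from /proc/cpuinfo text on stdin.
microcode_revision() {
    awk -F': ' '/^microcode/ { print $2; exit }'
}

# Exit 0 when the CPU flags in /proc/cpuinfo text on stdin include
# "hypervisor", i.e. the kernel is running as a guest.
is_guest() {
    awk '/^flags/ { for (i = 1; i <= NF; i++) if ($i == "hypervisor") found = 1 }
         END { exit !found }'
}

# Given "name: status" lines as assembled from
# /sys/devices/system/cpu/vulnerabilities/*, print VULNERABLE if any
# status starts with "Vulnerable", otherwise OK ("Not affected" and
# "Mitigation: ..." both count as OK).
vuln_summary() {
    awk -F': ' '$2 ~ /^Vulnerable/ { bad = 1 } END { print (bad ? "VULNERABLE" : "OK") }'
}

# Assemble the "name: status" lines from the live sysfs directory.
live_vulns() {
    for f in /sys/devices/system/cpu/vulnerabilities/*; do
        [ -r "$f" ] && printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Constructed samples (not captured from a real machine); the field layout
# follows /proc/cpuinfo and the sysfs vulnerability files.
SAMPLE_CPUINFO_GUEST='processor	: 0
vendor_id	: GenuineIntel
microcode	: 0x2006e05
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor'

SAMPLE_CPUINFO_HOST='processor	: 0
vendor_id	: AuthenticAMD
microcode	: 0x8701021
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep'

SAMPLE_VULNS_OK='meltdown: Not affected
spectre_v1: Mitigation: usercopy/swapgs barriers and __user pointer sanitization
spectre_v2: Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling'

SAMPLE_VULNS_OFF='meltdown: Vulnerable
spectre_v1: Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
spectre_v2: Vulnerable; IBPB: disabled; STIBP: disabled'

if [ "${1:-}" = "--live" ]; then
    if is_guest </proc/cpuinfo; then
        echo "guest: revision $(microcode_revision </proc/cpuinfo) belongs to the hypervisor; update microcode on the host"
    else
        echo "host: running microcode revision $(microcode_revision </proc/cpuinfo)"
    fi
    echo "kernel mitigation status: $(live_vulns | vuln_summary)"
else
    # Demo on the constructed samples.
    printf 'sample guest revision: %s\n' "$(printf '%s\n' "$SAMPLE_CPUINFO_GUEST" | microcode_revision)"
    printf 'sample guest is_guest: %s\n' "$(printf '%s\n' "$SAMPLE_CPUINFO_GUEST" | is_guest && echo yes || echo no)"
    printf 'sample mitigations off: %s\n' "$(printf '%s\n' "$SAMPLE_VULNS_OFF" | vuln_summary)"
fi
```

The Debian intel-microcode and amd64-microcode packages place their blobs in the initramfs for early loading, so the revision shown by /proc/cpuinfo only changes after a reboot; recording it before installing the package and again after the reboot (together with the guest check) tells you whether the package did anything on that particular box. The status summary only treats entries beginning with "Vulnerable" as bad, so a kernel booted with mitigations disabled shows up as VULNERABLE while "Not affected" and "Mitigation: ..." entries pass.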

It can be handy to have the option to disable it (or you can just do "apt-get remove intel-microcode --purge" in bash mode if you don't want it after install), but it should be enabled by default for security reasons.

If you are for whatever reason worried about the microcode updates and performance, you can still disable mitigations through "system option kernel disable-mitigations" in the VyOS config.

Here, for example, are no less than 5 CVEs fixed in the May update of the intel-microcode package for Debian:

https://lists.debian.org/debian-lts-announce/2024/05/msg00003.html

As you can see, the microcode update packages for Debian aren't "released in a hurry".

By having the microcode updates be part of the VyOS releases, even older LTS releases will benefit from the security fixes which the microcode updates bring us (Debian backports current microcode packages back to old-old-stable).

Hard agree with the points Apachez made above; the packages should be added. I tried adding the packages to vyos-1x/debian/control and vyos-build/data/live-build-config/archives/trixie.list.chroot + vyos-build/data/live-build-config/archives/trixie.pref.chroot without any luck. Perhaps it was an issue with my Docker setup or something similarly silly (I am very new to VyOS), but I am not sure how to add these packages. Any ideas?

@aidan-gibson You can build current with the microcode packages included by passing the following to the build script:

sudo ./build-vyos-image \
  --architecture amd64 \
  --build-by [email protected] \
  --custom-apt-entry 'deb http://deb.debian.org/debian bookworm non-free-firmware' \
  --custom-apt-entry 'deb http://deb.debian.org/debian-security bookworm-security non-free-firmware' \
  --custom-apt-entry 'deb http://deb.debian.org/debian bookworm-updates non-free-firmware' \
  --custom-package intel-microcode \
  --custom-package amd64-microcode \
  generic

I also strongly believe that these microcode update packages should be included in VyOS as standard. The Debian project itself touts the benefits:

Processors from Intel and AMD may need updates to their microcode to operate correctly. These updates fix bugs/errata that can cause anything from incorrect processing, to code and data corruption, and system lockups.

It is very difficult to know for sure whether you need a microcode update or not, but it is not safe at all to just ignore them. You might not notice their effect and have precious data silently corrupted, or an important program silently misbehave. Or you could experience one of those unexplainable and infrequent software issues (such as kernel oops, application segfaults) or hardware issues (including sudden reboots and hangs).