6d8574d14b
Update CPU microcode to mitigate 4 variants of the data sampling flaw:
- CVE-2018-12126 (Microarchitectural Store Buffer Data Sampling (MSBDS))
- CVE-2018-12127 (Microarchitectural Load Port Data Sampling (MLPDS))
- CVE-2018-12130 (Microarchitectural Fill Buffer Data Sampling (MFBDS))
- CVE-2019-11091 (Microarchitectural Data Sampling Uncacheable Memory (MDSUM))

References:
- https://seclists.org/bugtraq/2019/May/43
- https://security-tracker.debian.org/tracker/DSA-4447-1
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS
- https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html
post-install
---
Enabling Intel microcode updates

Microcode must be loaded by the bootloader. These updates must be enabled by
adding /boot/early-ucode.cpio as the *FIRST* initrd in the bootloader config
file. This is in addition to the normal initrd file, if you are using one.

GRUB2
---
- Automatic method

grub-mkconfig will automatically detect the microcode update and configure
GRUB appropriately. After installing the intel-ucode package, regenerate the
GRUB config to activate loading the microcode update by running:

    # grub-mkconfig -o /boot/grub/grub.cfg

- Manual method

Alternatively, manually add /boot/early-ucode.cpio to grub.cfg, so it looks
similar to below:

    echo 'Loading Linux 4.15.3 ...'
    linux /boot/vmlinuz-4.15.3 root=/dev/sdb1 ro rootfstype=ext4 quiet
    echo 'Loading intel microcode ...'
    initrd /boot/early-ucode.cpio $OTHER_INITRD

You'll have to do it for every kernel you have, so the use of the automagic
method is recommended.

OTHER BOOTLOADERS
---
Patches to add them to the README welcome :)
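
Because the manual GRUB2 method must be repeated for every kernel, a missed entry silently boots without the MDS microcode. The check below is an added example, not part of the intel-ucode package or its README: it scans a grub.cfg and flags every kernel entry whose first initrd is not /boot/early-ucode.cpio. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit grub.cfg for the "FIRST initrd" rule from the text above.
UCODE=/boot/early-ucode.cpio   # path taken from the post-install text

# Constructed sample: entry 1 follows the README, entry 2 loads the microcode
# image second, entry 3 has no initrd line at all.
sample_cfg() {
    cat <<'EOF'
menuentry 'Linux 4.15.3' {
    linux /boot/vmlinuz-4.15.3 root=/dev/sdb1 ro quiet
    initrd /boot/early-ucode.cpio /boot/initramfs-4.15.3.img
}
menuentry 'Linux 4.14.0' {
    linux /boot/vmlinuz-4.14.0 root=/dev/sdb1 ro quiet
    initrd /boot/initramfs-4.14.0.img /boot/early-ucode.cpio
}
menuentry 'Linux 4.9.0' {
    linux /boot/vmlinuz-4.9.0 root=/dev/sdb1 ro quiet
}
EOF
}

# check_ucode_first [FILE]   (reads stdin when FILE is omitted)
# Prints "OK <kernel>" or "BAD <kernel>: <reason>" per kernel entry and
# returns 0 only if every entry loads the microcode image first.
check_ucode_first() {
    awk -v ucode="$UCODE" '
        BEGIN { bad = 0 }
        function report() {
            if (kernel == "") return
            if (first == "")         { print "BAD " kernel ": no initrd line"; bad = 1 }
            else if (first != ucode) { print "BAD " kernel ": first initrd is " first; bad = 1 }
            else                     print "OK " kernel
            kernel = ""; first = ""
        }
        # A linux command (or the linux16/linuxefi variants) starts a kernel entry.
        $1 ~ /^linux(16|efi)?$/ { report(); kernel = $2; next }
        # The first argument of the first initrd line is the image loaded first.
        $1 ~ /^initrd(16|efi)?$/ && kernel != "" && first == "" { first = $2; next }
        END { report(); exit bad }
    ' "${1:--}"
}

# Check the file given as argument, or the constructed sample when none is given.
if [ "$#" -gt 0 ]; then check_ucode_first "$1"; else sample_cfg | check_ucode_first || true; fi
```

Run it as root against /boot/grub/grub.cfg after each kernel install or after regenerating the GRUB config; a non-zero exit status means at least one entry needs fixing.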