intel microcode false positive

[mgondium]

For intel microcode, in my case processor signature 0x6fb with pf_mask 0x10, the most recent available microcode is rev 0xba, which the early update applied. However needrestart reports:

Processor microcode update
│ The currently running processor microcode revision is 0xba which is not the expected microcode revision 0xa4.
│ Restarting the system to load the new processor microcode will not be handled automatically, so you should
│ consider rebooting.

$dmesg | grep -i microcode
[ 0.000000] microcode: microcode updated early to revision 0xba, date = 2010-10-03
[ 2.904281] microcode: sig=0x6fb, pf=0x10, revision=0xba
[ 2.904326] microcode: Microcode Update Driver: v2.2.

$/usr/sbin/iucode_tool -tb -lS /lib/firmware/intel-ucode/*
...
selected microcodes:
001/001: sig 0x000006f2, pf_mask 0x20, 2010-10-02, rev 0x005c, size 4096
001/002: sig 0x000006f2, pf_mask 0x01, 2010-10-02, rev 0x005d, size 4096
002/001: sig 0x000006f6, pf_mask 0x20, 2010-10-01, rev 0x00d1, size 4096
002/002: sig 0x000006f6, pf_mask 0x04, 2010-10-01, rev 0x00d2, size 4096
002/003: sig 0x000006f6, pf_mask 0x01, 2010-09-30, rev 0x00d0, size 4096
003/001: sig 0x000006f7, pf_mask 0x40, 2010-10-02, rev 0x006b, size 4096
003/002: sig 0x000006f7, pf_mask 0x10, 2010-10-02, rev 0x006a, size 4096
004/001: sig 0x000006fa, pf_mask 0x80, 2010-10-02, rev 0x0095, size 4096
005/001: sig 0x000006fb, pf_mask 0x80, 2010-10-03, rev 0x00ba, size 4096
005/002: sig 0x000006fb, pf_mask 0x40, 2010-10-03, rev 0x00bc, size 4096
005/003: sig 0x000006fb, pf_mask 0x20, 2010-10-03, rev 0x00ba, size 4096
005/004: sig 0x000006fb, pf_mask 0x10, 2010-10-03, rev 0x00ba, size 4096
005/005: sig 0x000006fb, pf_mask 0x08, 2010-10-03, rev 0x00bb, size 4096
005/006: sig 0x000006fb, pf_mask 0x04, 2010-10-03, rev 0x00bc, size 4096
005/007: sig 0x000006fb, pf_mask 0x01, 2010-10-03, rev 0x00ba, size 4096
006/001: sig 0x000006fd, pf_mask 0x80, 2010-10-02, rev 0x00a4, size 4096
006/002: sig 0x000006fd, pf_mask 0x20, 2010-10-02, rev 0x00a4, size 4096
006/003: sig 0x000006fd, pf_mask 0x01, 2010-10-02, rev 0x00a4, size 4096

I guess needrestart 3.1 on debian is just looking at the end of the list of the last command, without considering signature or pf_mask.

[liske]

I did expect iucode_tool to consider pf_mask while listing microcode updates and so needrestart does not care about it, yet. Thanks for pointing out!

[liske]

The script /usr/lib/needrestart/iucode-scan-versions has been improved to filter for CPU signature and flags. Can you please give it a try?

[mgondium]

Sorry for the delay, I didn't yet have a chance to use "offending" system. I replaced the script but the iucode tool seems to be ignoring the filter?... Needrestart still reports that a reboot is needed.

user@debian-c2q-x64:/usr/lib/needrestart$ sudo ./iucode-scan-versions 1

+ iucode_tool --scan-system
+ grep -oE [^[:space:]]+$
+ filter=0x000006fb
+ [ -r /sys/devices/system/cpu/cpu0/microcode/processor_flags ]
+ cat /sys/devices/system/cpu/cpu0/microcode/processor_flags
+ filter=0x000006fb,0x10
+ type bsdtar
+ IUCODE_TOOL_EXTRA_OPTIONS=
+ test -r /etc/default/intel-microcode
+ . /etc/default/intel-microcode
+ IUCODE_TOOL_INITRAMFS=auto
+ IUCODE_TOOL_SCANCPUS=yes
+ test auto = no
+ [ -r /usr/share/misc/intel-microcode* ]
+ exec iucode_tool -Sl -s 0x000006fb,0x10 -tb /lib/firmware/intel-ucode
iucode_tool: system has processor(s) with signature 0x000006fb
microcode bundle 1: /lib/firmware/intel-ucode/06-3f-04.initramfs
microcode bundle 2: /lib/firmware/intel-ucode/06-17-0a
microcode bundle 3: /lib/firmware/intel-ucode/0f-06-02
microcode bundle 4: /lib/firmware/intel-ucode/06-55-03
microcode bundle 5: /lib/firmware/intel-ucode/06-1d-01
microcode bundle 6: /lib/firmware/intel-ucode/06-5c-09
microcode bundle 7: /lib/firmware/intel-ucode/06-56-05
microcode bundle 8: /lib/firmware/intel-ucode/06-0f-07
microcode bundle 9: /lib/firmware/intel-ucode/06-17-06
microcode bundle 10: /lib/firmware/intel-ucode/06-56-02.initramfs
microcode bundle 11: /lib/firmware/intel-ucode/06-3d-04.initramfs
microcode bundle 12: /lib/firmware/intel-ucode/06-55-04
microcode bundle 13: /lib/firmware/intel-ucode/06-3f-02.initramfs
microcode bundle 14: /lib/firmware/intel-ucode/0f-04-08
microcode bundle 15: /lib/firmware/intel-ucode/06-3e-04
microcode bundle 16: /lib/firmware/intel-ucode/06-9e-0b
microcode bundle 17: /lib/firmware/intel-ucode/0f-04-04
microcode bundle 18: /lib/firmware/intel-ucode/06-2a-07
microcode bundle 19: /lib/firmware/intel-ucode/06-45-01.initramfs
microcode bundle 20: /lib/firmware/intel-ucode/06-47-01.initramfs
microcode bundle 21: /lib/firmware/intel-ucode/06-0f-0d
microcode bundle 22: /lib/firmware/intel-ucode/0f-04-01
microcode bundle 23: /lib/firmware/intel-ucode/06-25-05
microcode bundle 24: /lib/firmware/intel-ucode/06-3a-09.initramfs
microcode bundle 25: /lib/firmware/intel-ucode/06-25-02
microcode bundle 26: /lib/firmware/intel-ucode/06-1c-02
microcode bundle 27: /lib/firmware/intel-ucode/06-7a-01
microcode bundle 28: /lib/firmware/intel-ucode/06-46-01.initramfs
microcode bundle 29: /lib/firmware/intel-ucode/06-4f-01.initramfs
microcode bundle 30: /lib/firmware/intel-ucode/0f-06-08
microcode bundle 31: /lib/firmware/intel-ucode/06-1a-04
microcode bundle 32: /lib/firmware/intel-ucode/06-56-03
microcode bundle 33: /lib/firmware/intel-ucode/06-2d-07
microcode bundle 34: /lib/firmware/intel-ucode/06-1a-05
microcode bundle 35: /lib/firmware/intel-ucode/06-0f-06
microcode bundle 36: /lib/firmware/intel-ucode/06-4e-03
microcode bundle 37: /lib/firmware/intel-ucode/06-2f-02
microcode bundle 38: /lib/firmware/intel-ucode/06-16-01
microcode bundle 39: /lib/firmware/intel-ucode/06-56-04
microcode bundle 40: /lib/firmware/intel-ucode/0f-04-03
microcode bundle 41: /lib/firmware/intel-ucode/06-8e-0a
microcode bundle 42: /lib/firmware/intel-ucode/06-1e-05
microcode bundle 43: /lib/firmware/intel-ucode/06-9e-0a
microcode bundle 44: /lib/firmware/intel-ucode/0f-06-04
microcode bundle 45: /lib/firmware/intel-ucode/06-5e-03
microcode bundle 46: /lib/firmware/intel-ucode/0f-06-05
microcode bundle 47: /lib/firmware/intel-ucode/06-8e-09
microcode bundle 48: /lib/firmware/intel-ucode/06-0f-02
microcode bundle 49: /lib/firmware/intel-ucode/0f-04-0a
microcode bundle 50: /lib/firmware/intel-ucode/06-0f-0b
microcode bundle 51: /lib/firmware/intel-ucode/06-0f-0a
microcode bundle 52: /lib/firmware/intel-ucode/06-3e-06
microcode bundle 53: /lib/firmware/intel-ucode/0f-04-07
microcode bundle 54: /lib/firmware/intel-ucode/0f-04-09
microcode bundle 55: /lib/firmware/intel-ucode/06-3c-03.initramfs
microcode bundle 56: /lib/firmware/intel-ucode/06-2d-06
microcode bundle 57: /lib/firmware/intel-ucode/06-1c-0a
microcode bundle 58: /lib/firmware/intel-ucode/06-9e-09
microcode bundle 59: /lib/firmware/intel-ucode/06-3e-07
microcode bundle 60: /lib/firmware/intel-ucode/0f-03-04
microcode bundle 61: /lib/firmware/intel-ucode/06-17-07
selected microcodes:
  048/001: sig 0x000006f2, pf_mask 0x20, 2010-10-02, rev 0x005c, size 4096
  048/002: sig 0x000006f2, pf_mask 0x01, 2010-10-02, rev 0x005d, size 4096
  035/001: sig 0x000006f6, pf_mask 0x20, 2010-10-01, rev 0x00d1, size 4096
  035/002: sig 0x000006f6, pf_mask 0x04, 2010-10-01, rev 0x00d2, size 4096
  035/003: sig 0x000006f6, pf_mask 0x01, 2010-09-30, rev 0x00d0, size 4096
  008/001: sig 0x000006f7, pf_mask 0x40, 2010-10-02, rev 0x006b, size 4096
  008/002: sig 0x000006f7, pf_mask 0x10, 2010-10-02, rev 0x006a, size 4096
  051/001: sig 0x000006fa, pf_mask 0x80, 2010-10-02, rev 0x0095, size 4096
  050/001: sig 0x000006fb, pf_mask 0x80, 2010-10-03, rev 0x00ba, size 4096
  050/002: sig 0x000006fb, pf_mask 0x40, 2010-10-03, rev 0x00bc, size 4096
  050/003: sig 0x000006fb, pf_mask 0x20, 2010-10-03, rev 0x00ba, size 4096
  050/004: sig 0x000006fb, pf_mask 0x10, 2010-10-03, rev 0x00ba, size 4096
  050/005: sig 0x000006fb, pf_mask 0x08, 2010-10-03, rev 0x00bb, size 4096
  050/006: sig 0x000006fb, pf_mask 0x04, 2010-10-03, rev 0x00bc, size 4096
  050/007: sig 0x000006fb, pf_mask 0x01, 2010-10-03, rev 0x00ba, size 4096
  021/001: sig 0x000006fd, pf_mask 0x80, 2010-10-02, rev 0x00a4, size 4096
  021/002: sig 0x000006fd, pf_mask 0x20, 2010-10-02, rev 0x00a4, size 4096
  021/003: sig 0x000006fd, pf_mask 0x01, 2010-10-02, rev 0x00a4, size 4096

[liske]

Using the old iucode_tool command line:

# iucode_tool -Sl -tb /lib/firmware/intel-ucode
iucode_tool: system has processor(s) with signature 0x000306c3
...
selected microcodes:
  003/001: sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552

Using the new command line and forging the filter on the same host:

# iucode_tool -Sl -s 0x000006fb,0x10 -tb /lib/firmware/intel-ucode
iucode_tool: system has processor(s) with signature 0x000306c3
...
selected microcodes:
  015/004: sig 0x000006fb, pf_mask 0x10, 2010-10-03, rev 0x00ba, size 4096
  003/001: sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552

This looks really weird!

[mgondium]

the iucode_tool manpage says that the -s option adds signatures to the ones already detected, that's why the extra one shows up on your system.

i've been trying the --scan-system=0|1|2, but can't get it to list only the 0x000006fb/0x10 pair.
perhaps it's a iucode bug? this quad core is quite old (Q6600).

[liske]

The description of -s does not look like it adds a signature, but -S|--scan-system does. Using the command:

1. without -S or -s: dumps all microcode updates on disk
2. with -S: should show only microcode updates for the host but seems to have some false positives (Bug?), at least on your system
3. combining -S with -s does to help as it just adds more updates matching the -s option (since -S seems to be broken)
4. using -s only should work but requires the microcode module to be loaded so that needrestart can retrieve the pf_mask value - looks like a valid workaround

Could you please try iucode_tool -l -s 0x000006fb,0x10 -tb /lib/firmware/intel-ucode?

[mgondium]

Worked like a charm.

user@debian-c2q-x64:~$ sudo iucode_tool -l -s 0x000006fb,0x10 -tb /lib/firmware/intel-ucode

microcode bundle 1: /lib/firmware/intel-ucode/06-3f-04.initramfs
(...)
microcode bundle 61: /lib/firmware/intel-ucode/06-17-07
selected microcodes:
  050/004: sig 0x000006fb, pf_mask 0x10, 2010-10-03, rev 0x00ba, size 4096

Thanks!

[mgondium]

Just ran iucode_tool -l -s 0x000006fb,0x10 -tb /lib/firmware/intel-ucode on a different system and got the same result (it listed only that microcode).

This means that it's just filtering the microcode files, so a multi step procedure may be required. Something like, system detection, available firmware sorting and then a version check.
I would expect iucode_tool to be able to do all that in one call, but i guess not.
The early updater somehow gets it right.

[liske]

I did already fear this behavior (or bug?) of iucode_tool. I've patched the script again to use the CPU signature and pf_mask if available and fallback to --scan-system otherwise. Could you please give it a try?

Disclaimer: although it looks like a bug in iucode_tool and I dislike to add workarounds in needrestart for bugs in other's packages I've decided to add this workaround due to the importance of microcode updates nowadays.

[mgondium]

It looks good.
The script picks one microcode and needrestart reports that it's up to date. I also tested by removing the microcode package, rebooting, and then reinstalling, to force an actual available update. Needrestart correctly notified the need to reboot. All good on a different system too.

Thank you!

[monochromec]

Facing the same problem. Any idea how to go about this if the stock OS installed (Bionic in this case) is missing the apparently required microcode.ko kernel module?