Intel Microcode for Spectre

I have a Purism 13v2 that I have already updated for both Meltdown and Spectre using the information listed in the Meltdown and Spectre Variant 2 blog post.

https://puri.sm/posts/purism-patches-meltdown-and-spectre-variant-2-both-included-in-all-new-librem-laptops/

But now I am installing a new hard drive and I will have to install a fresh copy of PureOS. I see current PureOS images are ready to go with Meltdown, but do I need to run the Spectre microcode update again?

Maybe someone can correct me if I am wrong. Microcode is applied once, like firmware. If you have already applied it you can delete your OS and start over again or install a new hard drive and you will not need to apply the Spectre patch again.

I read it as saying that yes, you have to install the microcode package. If it were a one-time thing, it would be a script, not a package. A package suggests that the microcode has to be loaded into the CPU on every boot.

Microcode updates don’t change the CPU permanently; they just change the CPU at run time. They are applied either by the BIOS or by the kernel each time the system boots. We have applied the microcode updates to the latest version of our BIOS (https://puri.sm/posts/february-2018-coreboot-update/), so if you have the latest BIOS you don’t need to do anything.

If you are running an older BIOS you’ll want to install the microcode package linked above on a new version of PureOS.

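The reply above says the update is re-applied on every boot, either by the BIOS or by the kernel. A practical way to confirm that on a freshly installed system is to ask the kernel what it sees. The script below is an added example, not code from the thread or from Purism; it assumes a hypothetical Linux/Debian-style environment with /proc/cpuinfo, the sysfs vulnerability files and dpkg, and its sample inputs are constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the thread or from Purism: checks whether the
# microcode discussed above is actually being loaded on the current boot.
# Assumed (hypothetical) environment: Linux with /proc/cpuinfo, the sysfs
# vulnerability files, and dpkg (Debian/PureOS). Plain POSIX sh.

# Print the microcode revision the kernel reports for the first CPU,
# reading /proc/cpuinfo-style text from stdin (prints nothing if absent).
microcode_revision() {
    awk -F': ' '/^microcode/ { print $2; exit }'
}

# Classify the contents of /sys/devices/system/cpu/vulnerabilities/spectre_v2
# passed as $1: "mitigated", "vulnerable" or "unknown".
classify_spectre_v2() {
    case "$1" in
        "Not affected"*|Mitigation:*) echo mitigated ;;
        Vulnerable*)                   echo vulnerable ;;
        *)                             echo unknown ;;
    esac
}

# Given kernel log text on stdin, print "applied" if the kernel reports an
# early microcode update this boot, otherwise "not-applied".
early_microcode_loaded() {
    if grep -qiE 'microcode: (microcode )?updated early'; then
        echo applied
    else
        echo not-applied
    fi
}

# Constructed sample inputs (values chosen for illustration, not measured).
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
model name : Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
microcode : 0x21'
SAMPLE_DMESG='[    0.000000] microcode: microcode updated early to revision 0x21, date = 2019-02-13'

# Live report for the machine this runs on; dmesg may need root on many kernels.
live_report() {
    rev=$(microcode_revision < /proc/cpuinfo)
    echo "microcode revision : ${rev:-unknown}"
    if [ -r /sys/devices/system/cpu/vulnerabilities/spectre_v2 ]; then
        status=$(cat /sys/devices/system/cpu/vulnerabilities/spectre_v2)
        echo "spectre_v2         : $(classify_spectre_v2 "$status") ($status)"
    fi
    echo "early update       : $(dmesg 2>/dev/null | early_microcode_loaded)"
    if dpkg-query -W -f='${Status}\n' intel-microcode 2>/dev/null | grep -q 'install ok installed'; then
        echo "intel-microcode    : installed"
    else
        echo "intel-microcode    : not installed (the BIOS must carry the update instead)"
    fi
}

# Only run the live report when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--live" ]; then
    live_report
fi
```

Run it as `sh check-microcode.sh --live` after reinstalling. An "early update: not-applied" line together with a BIOS that predates the February 2018 coreboot release is the combination the reply warns about: nothing is loading the update, so the intel-microcode package is still needed.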

That’s not true. Microcode updates are stored in volatile memory and disappear as soon as you power off. They must be applied on every boot.

Yes, you need to reinstall the intel-microcode package to remain protected.

Does this mean that if someone is using PureOS on hardware other than Librem 13 or 15, they are not protected from Spectre?

Correct, if they use PureOS on other hardware, they wouldn’t get the microcode updates as those are non-free. Those users would need to pull down the Purism non-free repo and install the microcode updates from there, or update their hardware’s BIOS to one that has microcode updates on it.

I know that it has been over five years since the Meltdown and Spectre Variant 2 microprocessor vulnerabilities, but I have no current solution to the Spectre problem.

The current repository is (not [supposed to be ‘now’, typographical error]) now non-existent. I know that the microcode fix is proprietary and we may need to put the blame on proprietary companies, but until there is non-proprietary firmware, we are stuck with finding the copies.

Do you guys still have a workaround for these microprocessor vulnerability fixes? I tried removing my failed attempt, only to have my update command fail on me due to unintentional tampering with the GnuPG certification. I eventually got the certification fixed. link for reference

Oh yeah, I almost forgot. I notice that most of Purism’s products use the Intel microprocessor. The Meltdown and Spectre microprocessor vulnerability may apply to older computers. For other non-Purism computer products, the fix may still be required.

Can you clarify what you mean by this? Are you getting an error message? If so, what’s the message?

What Intel CPU are we actually talking about here? What computer (make/model) are we talking about? What operating system (distro) are we talking about?

As far as I know, the intel-microcode package is still around. While it doesn’t necessarily cover all Intel CPUs known to mankind or all Intel CPUs that are vulnerable, it does go back a fairly long way in time i.e. to some fairly ancient Intel CPUs, if memory serves.

While the intel-microcode package contents may well be completely proprietary and blackbox, I doubt that any better alternative is going to come into existence i.e. I think that no one is going to provide open source microcode for Intel CPUs.

Sorry about that typographical error. I was in a hurry and didn’t take my time with possible bricking errors from microprocessor (including possible firmware) security patches.

The correct sentence is: “The current repository is now non-existent.”

The webpage, Purism patches Meltdown and Spectre variant 2, both included in all new Librem laptops – Purism, seems to be outdated for the Spectre variant 2 vulnerability. The non-free Purism microcode repo, ‘deb http://deb.wp.puri.sm/pureos/ green contrib non-free’, seems to be non-existent now. I am not sure if there is a feasible solution from Intel either.

The Intel CPU we are talking about could be any Intel CPU brand. I am not sure if all of Purism’s computer products underwent microprocessor firmware patching. However, if we want to be specific for a case scenario, the CPU in question is an Intel Core i5-3470. The computer model is a Dell OptiPlex 7010. The original operating system software was Microsoft Windows 10 PRO. The computer underwent refurbishing; the current operating system software is PureOS v10.2 or PureOS v10.3.

In speculation, your thoughts about the intel-microcode package being specific for certain brands is most likely true.

Actually that’s not what I meant. I just meant that the contents of the package are completely opaque, and proprietary to Intel.

If that package no longer exists in the standard PureOS repo then you should ask Purism Support about that. From the sounds of it though that package never did exist in the standard PureOS repo, if the only place that it existed is the repo that you mention. Of course, the release called green is long gone.

Getting the package is actually not a problem. You could download the package from another, more permissive, Linux distro. Knowing what to do with the package is another question.

That CPU model should easily be recent enough to be covered by updated microcode from Intel but I admit that I didn’t actually check that.