Date: Mon, 21 Oct 2019 03:19:15 -0700 (PDT)
From: Christian Kujau
To: alpine-user@lists.alpinelinux.org
Subject: Syslinux & Xen & microcode updates

Hello,

I'm having trouble applying CPU microcode updates to this system running a
Xen dom0. Lots of internet resources appear to recommend adding
"ucode=early_ucode.cpio" to the EFI xen.cfg configuration file and it will
magically work, but even though EFI support is now available[0], this
system of mine is using Syslinux to boot:

  LABEL xen-vanilla
    MENU LABEL Xen + Linux vanilla
    COM32 mboot.c32
    APPEND xen.gz dom0_mem=512M,max:1024M ucode=scan --- vmlinuz-vanilla \
      root=[...] modules=ext4 --- initramfs-vanilla

"xl dmesg" sees that command line, but nothing gets loaded:

======================================================================
# xl dmesg | grep -i code
(XEN) Command line: dom0_mem=512M,max:1024M ucode=scan

# dmesg | grep -i micro
[    0.602101] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
======================================================================

Hm. So, the intel-ucode package installed a file called
/boot/intel-ucode.img, where a single file
kernel/x86/microcode/GenuineIntel.bin is stored.
Specifying "ucode=intel-ucode.img" or "ucode=GenuineIntel.bin" (after
extracting it) only confused the microcode loader:

======================================================================
$ sudo xl dmesg | grep intel
(XEN) parameter "ucode" has invalid value "intel-ucode.img", rc=-22!
======================================================================

I even tried to re-generate the microcode package from the firmware files:

  $ iucode_tool -v -S --write-earlyfw=/boot/early_ucode.cpio /lib/firmware/intel-ucode/[0-9]*

But passing this early_ucode.cpio to "ucode=" didn't work either, same
error as above.

This Arch Linux posting[2] ("Advice: Where to capture custom Microcode
system requirements/setup?") looked promising, but did not work for me
(see above), maybe because I don't have an EFI system here. As mentioned
there, according to the kernel documentation[1], the microcode can just be
added to the standard initrd - tried that, but nothing happened.

Also, combining microcode+initrd on the Syslinux command line[3] didn't
work either:

  [...]
  APPEND xen.gz dom0_mem=512M,max:1024M ucode=scan --- vmlinuz-vanilla root=[...] early_ucode.cpio,initramfs-vanilla

Booting this failed with:

  Loading xen.gz.... ok
  Loading vmlinuz-vanilla... ok
  Loading early_ucode.cpio,initramfs-vanilla... failed!
  No files found!

Anybody got any ideas how to proceed here?

Thanks,
Christian.

[0] https://wiki.alpinelinux.org/wiki/Alpine_and_UEFI
[1] https://www.kernel.org/doc/html/latest/x86/microcode.html
[2] https://bbs.archlinux.org/viewtopic.php?pid=1814472#p1814472
[3] https://wiki.gentoo.org/wiki/Intel_microcode#Syslinux

-- 
BOFH excuse #200:

The monitor needs another box of pixels.
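
An added example, not part of the original post: a check that an image such as /boot/intel-ucode.img or the regenerated early_ucode.cpio is an uncompressed "newc" cpio holding the microcode blob at the path the kernel documentation[1] describes. The helper names are hypothetical and the sample archive is constructed in memory.

```python
# Added example: hypothetical helpers, not part of iucode_tool, Xen or Alpine.
UCODE_PATHS = ("kernel/x86/microcode/GenuineIntel.bin",
               "kernel/x86/microcode/AuthenticAMD.bin")
HEADER_LEN = 110  # "07070x" magic plus 13 fields of 8 hex digits


def _pad4(n):
    """Round n up to the next multiple of 4 (newc alignment)."""
    return (n + 3) & ~3


def list_newc(blob):
    """Return [(name, size)] for an uncompressed newc cpio, else raise ValueError."""
    entries, off = [], 0
    while True:
        hdr = blob[off:off + HEADER_LEN]
        if len(hdr) < HEADER_LEN or hdr[:6] not in (b"070701", b"070702"):
            raise ValueError("no newc header at offset %d (compressed image?)" % off)
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_end = off + HEADER_LEN + namesize
        name = blob[off + HEADER_LEN:name_end - 1].decode("ascii", "replace")
        if name == "TRAILER!!!":
            return entries
        entries.append((name, filesize))
        off = _pad4(_pad4(name_end) + filesize)  # skip padded name, then padded data


def microcode_entries(blob):
    """Entries that sit at a path the early microcode loader looks for."""
    return [(n, s) for n, s in list_newc(blob) if n in UCODE_PATHS and s > 0]


def make_newc(files):
    """Build a minimal newc archive in memory (constructed sample input only)."""
    out = b""
    for name, data in list(files) + [("TRAILER!!!", b"")]:
        raw = name.encode() + b"\0"
        fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0]
        out += b"070701" + b"".join(b"%08X" % f for f in fields) + raw
        out += b"\0" * (_pad4(len(out)) - len(out))
        out += data
        out += b"\0" * (_pad4(len(out)) - len(out))
    return out


if __name__ == "__main__":
    sample = make_newc([("kernel/x86/microcode/GenuineIntel.bin", b"\x01" * 7)])
    print(microcode_entries(sample))
```

For a real image, pass the file's bytes to microcode_entries(); an empty list or a ValueError means the image does not have the expected layout.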