Question
Is kernel update enough to mitigate security vulnerabilities in OnApp?
Environment
CentOS 6/7 static compute resources
Answer
No, a kernel update alone is not enough. Because of the growing number of speculative-execution attacks on Intel processors, we strongly recommend loading the CPU microcode update on every server boot. The best practice is to update the microcode at an early stage via an extra initrd, but that requires rebooting the server.
If you want to update the microcode on each boot without rebooting the server now, perform the following:
For CentOS 6 compute resources
1. Install the microcode_ctl utility (it ships Intel's microcode files):
# yum install microcode_ctl
2. Run microcode_ctl to load the microcode shipped with it, then check the kernel log:
# microcode_ctl -u
# dmesg | tail -f
For CentOS 7 compute resources
1. Install the microcode_ctl utility and iucode-tool from the EPEL repo:
# yum install microcode_ctl
# yum install iucode-tool
2. Restart the microcode service to load the microcode shipped with the microcode_ctl utility, then check the kernel log:
# systemctl restart microcode
# dmesg | tail -f
[7936965.675820] microcode: updated to revision 0x1d, date = 2018-05-11
[7936965.686019] FEATURE SPEC_CTRL Present
[7936965.686026] FEATURE IBPB_SUPPORT Present
[7936965.686160] Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl and seccomp
[7936965.688720] Spectre V2 : Mitigation: Full retpoline
3. Get the latest microcodes:
# git clone https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
4. Copy the necessary microcode into place and apply it:
# iucode_tool -S -k -K Intel-Linux-Processor-Microcode-Data-Files/intel-ucode/
iucode_tool: system has processor(s) with signature 0x000106a5
iucode_tool: Uploading selected microcodes to: /dev/cpu/microcode
iucode_tool: Writing microcode firmware file(s) into /lib/firmware/intel-ucode
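After either the CentOS 6 or the CentOS 7 procedure above, you will want to confirm that the new microcode is actually running and that the kernel reports the mitigations as active. The helper below is an added example, not part of the original article or of OnApp's tooling; it parses the dmesg line format shown above, reads the revision from /proc/cpuinfo, and walks /sys/devices/system/cpu/vulnerabilities (both paths can be overridden so the functions can be run against saved copies).

```shell
#!/bin/sh
# Added verification helper (example code, not from the OnApp article).

# Print "REVISION DATE" from the newest "microcode: updated to revision ..." line
# read on stdin (dmesg output). Prints nothing and returns 1 if no such line exists.
microcode_revision_from_dmesg() {
    sed -n 's/.*microcode: updated to revision \(0x[0-9a-fA-F]*\), date = \([0-9-]*\).*/\1 \2/p' \
        | tail -n 1 | grep .
}

# Print the microcode revision the kernel reports for the first CPU.
# Argument: path to a cpuinfo file (default /proc/cpuinfo).
current_microcode_revision() {
    awk '/^microcode/ { print $3; exit }' "${1:-/proc/cpuinfo}"
}

# List every entry in the kernel's vulnerabilities directory and flag the ones
# the kernel still reports as "Vulnerable". Returns 1 if any entry is unmitigated.
# Argument: directory path (default /sys/devices/system/cpu/vulnerabilities).
report_mitigations() {
    vdir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$vdir" ] || { echo "no vulnerabilities directory at $vdir" >&2; return 1; }
    unmitigated=0
    for f in "$vdir"/*; do
        name=$(basename "$f")
        state=$(cat "$f")
        case "$state" in
            Vulnerable*) echo "UNMITIGATED $name: $state"; unmitigated=1 ;;
            *)           echo "ok          $name: $state" ;;
        esac
    done
    return $unmitigated
}

# Typical use on a live compute resource:
#   dmesg | microcode_revision_from_dmesg
#   current_microcode_revision
#   report_mitigations || echo "some mitigations are missing"
```

A revision that shows up in dmesg but not in /proc/cpuinfo after the next boot means the runtime load worked but the boot-time path (microcode_ctl service or early initrd) did not.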
Additional Info
Another way to update the CPU microcode is through a BIOS or UEFI firmware update, but not all BIOS or server platform vendors include microcode updates in their BIOS/UEFI releases.