-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-21:06.microcode Errata Notice
The FreeBSD Project
Topic: Boot-time microcode loading causes a boot hang
Category: core
Module: x86
Announced: 2021-02-24
Affects: FreeBSD 12.2
Corrected: 2021-02-19 20:57:34 UTC (stable/12, 12.2-STABLE)
2021-02-24 01:43:50 UTC (releng/12.2, 12.2-RELEASE-p4)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
CPU microcode updates may include security fixes or mitigations. The
boot-time microcode loader applies CPU microcode as early in the boot process
as possible, minimizing the amount of code executed without updated
microcode.
Microcode updates for many different CPU types are concatenated into one file
and loaded by the boot loader. After the kernel has determined the correct
update to apply, it frees the memory containing unused microcode updates,
keeping only the update for the CPU on which the kernel is running.
II. Problem Description
An interaction between the code which frees the unused portions of the
microcode file and the rest of the system can cause boot hangs.
III. Impact
The kernel may hang during boot if boot-time microcode updates are configured.
IV. Workaround
Systems not configured to load microcode at boot-time are unaffected.
Boot-time microcode loading is currently only supported with Intel CPUs.
On systems that are configured to load microcode at boot-time, setting the
"debug.ucode.release" loader tunable to 0 will prevent the microcode update
file from being freed, working around the problem.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-21:06/microcode.patch
# fetch https://security.FreeBSD.org/patches/EN-21:06/microcode.patch.asc
# gpg --verify microcode.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/12/ r369310
releng/12.2/ r369355
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-21:06.microcode.asc>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmA15bwACgkQ05eS9J6n
5cLgbg//cottS8aQLl6YmSFs6JIyZwE4RutM2tSrkwkdQmuYLfba3tEyYs3R2iAK
x9y5bf9jFG5m7mUVr9QhEPRGrFlKTdTtW682T5ClLrZO1TIWwTUZlEC9omIpAPV3
/A2tFFK253Zhufh2bKol8y8LwEle9MrO2xURj8KOo5dFa0HxSrMeCb+YlINV/iCy
hEJPuGvVWr+1rTP0hbKT+lHwtsgV2yB73FuG85p3FtJ4nr7OBlrzDnVgAKANvGTG
VTE/g/mqKfQlYqrNccw8Si/K5vh9PNiFjXiercSyMWV1eaYT6WU/a3x94RlISvR7
6t56uWyJ9YTs3+E1bwplIZ/0qrCOvcgYqsv6ANu5/2gysFCNaNACDcAtidcly2UB
AL0hDjEQ7sAmsGmjAXfg7bbgUD/1h3saTmI3UmuWayZodMt1w6A0d/3A4bb/yZid
rF3gVvgmLBSjsgSXSqYtnS3N+af/rr01/tLaZh/yvO8d0EwFteyGar/dduSCoXbU
EK636ZNy+df7k6eCfqeh2/WixqSE7pKw2anQXmn11vHMBWDyuF919jMxrm64OdzT
sLlVrGOH8FHbUwnTsNUAfggqO7VUowvfRnYk+CzDElpXqn0Pteq8UCGABLmRKW9u
kISBhJwAjnnybyZ5/nvFaAN5UtvG5he0qhpbvArposyvqLdsgZ0=
=j/+s
-----END PGP SIGNATURE-----