USB Intel Microcode Boot Loader For Spectre Mitigation
Click Here >>> https://fancli.com/2teqcg
As well, without TSC_DEADLINE, there's no support for AHCI drivers, so Gparted becomes instantly unusable with the recent Linux kernels used in the currect version, that ensure that the mitigations are present. If you use a Linux kernel that includes the support for these hardware mitigations by microcode, you MUST provide these microcodes (updating the UEFI BIOS so that the UEFI platform will preload these microcode generally does not work for many and notably not by default when using secure boot mode as this changes the pre-boot platform measurement and would invalidate the existing secure boot installations): it's up to the bootloader (like EFI\\bootx64.efi) or to the OS loader to load these CPU microcodes (just like they can also load microcodes for other firmwares, including GPUs/GOPs, chipsets, SATA/SCSI/USB storage adapters, Ethernet/Wifi adapters from within the OS-level drivers).
These microcodes may sometimes be loaded in the pre-boot firmware, but it is known to cause problems for later loading secured OSes that use mesurement, for example with Bitlocker encryptrion: these mesurements are securely hashed within TCG registers PCR[0..15], and cannot be changed by the booloader or the OS, so loading microcodes can be done only once; if you move this loading from OS to BIOS, this may work except in secured OSes (and notably on almost all servers using hypervisors, or in Windows 7/8/10 for Bitlocker using PCR[7] attachment to certify the preboot environment, and PCR[11] measurements of the booloader (as long as UEFI boot services are running).
After the bootloader (e.g. Grub for UEFI or an UEFI Shell or the Windows booloader) has terminated loading the OS, and the OS is starting (e.g. a Linux kernel or a Windows image, or an hypervisor line VMware or Hyper-V implementing its own measurements for loading virtual OSes and securing them possibly by providing them a virtual TPM), it will send an order to the UEFI boot services to be definitely unloaded to reclaim all its resources and handover the control of devices (notably drivers for PCI, LPC and USB buses) from UEFI drivers to the OS-level drivers. When the UEFI Boot services are unloaded, there's no possibility to return to it: a device shutdown has to reboot completely and pass again via the firmware preboot to make new measurements: the microcodes will no longer be present in the CPU or in other criticial devices if they have been powered off to S4/S5 state or have been reset (S4 is a bit special and used only in OSes that have support for hibernation with a specific chain of mesurements for the resume, and this bootijng method has to load again the microcodes and firmware patches, as this won't be made again by the pre-boot UEFI or UEFI booloaders that have a very different context in memory.
As far as I know sleep level S4 is not used in Linux, at least not in LiveCD; but you still need to load the necessary microcodes if they are not already present: here the TSC mesurement is critical and is checked now by the current Linux kernel: if this fails, the PC will then enter in a final hang, and will not even reply to pressing the RESET button: you must shutdown it completely from the electrical plug and remain off for several minutes to force a complete erasure or invalidation of existing RAM contents, and all devices must be fully restarted from S5 state, not from S4 state: in summary you need a true cold boot, and \"fastboot\" is not honored by the UEFI, and a user must also be present: this is not acceptable for servers in hosted colocations: their OS MUST support and implement the microcode loaders, and the microcode files MUST be installed and secured as well).
So update your LiveCD images to include the microcode loader and make sure you include the relevant microcode from each processor manufacturer you want to support in, Gparted: Intel, AMD, ARM... possibly others (Sun/Oracle, MIPS, ...)
If a microcode update is necessary, the Intel microcode can be applied during the next boot. We decided to implement this functionality as a separate chained bootloader called microcode in order to not inflate each of our supported x86 kernels with additional management code for applying microcode patches on all CPUs. The microcode bootloader expects a module called micro.code which contains the specific Intel microcode from the microcode_intel port for the target CPU. The relevant excerpt of a Genode GRUB2 configuration looks like this:
The microcode update functionality has been integrated into the tool/run/boot_dir/nova support file and can be enabled by providing a apply_microcode TCL procedure as showcased in repos/ports/run/microcode.run.
We developed the microcode chained bootloader as part of the Morbo project. It checks for an Intel CPU and a valid micro.code module that matches the currently running CPU. Afterwards, the bootloader looks up all CPUs and some LAPIC information by parsing the relevant ACPI tables. With this information, the CPUs are booted to apply the microcode update to each processor. On CPUs with hyperthreading enabled, it is effectual to start a single hyperthread per CPU to apply the update. Finally, all previously started CPUs are halted and the microcode bootloader hands over control to the next module which is typically the x86 kernel.
I used a livecd and mounted luks/btrfs partitions manually. The /boot/loader enteries, /etc/fstab uuid references seem correct. I can boot manually fat32 partition as well. So the partition does not seem to be corrupt.
...PurposeRecent microcode updates by Intel and AMD provide hardware support for branch target injection mitigation (Spectre v2). In order to use this new hardware feature within virtual machines, Hypervisor-Assisted Guest Mitigation must be enabled.
64-bit AMD, Intel and ARM systems and IBM Power Systems servers have the ability to boot using a PXE server. When you configure the PXE server, you can add the boot option into the boot loader configuration file, which in turn allows you to start the installation automatically. Using this approach, it is possible to automate the installation completely, including the boot process. For information about setting up a PXE server, see Preparing for a Network Installation.
The following procedure explains how to completely automate the Kickstart installation, using a network boot (PXE) server and a properly configured boot loader. If you follow this procedure, you only need to turn on the system; no other interaction will be required from that moment until the installation finishes.
On systems using the GRUB2 boot loader (64-bit AMD, Intel, and ARM systems with UEFI firmware and IBM Power Systems servers), the file name will be grub.cfg. In this file, append the inst.ks= option to the kernel line in the installation entry. A sample kernel line in the configuration file will look similar to the following:
In some cases, a special partition is required to install the boot loader on 64-bit AMD, Intel, and ARM systems. The type and size of this partition depends on whether the disk you are installing the boot loader to uses the Master Boot Record (MBR) or a GUID Partition Table (GPT) schema. For more information, see Boot Loader Installation (x86).
This option is useful for disabling mechanisms which were implemented to mitigate the Meltdown and Spectre speculative execution vulnerabilities found in most modern processors (CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715). In some cases, these mechanisms may be unnecessary, and keeping them enabled causes decreased performance with no improvement in security. To disable these mechanisms, add the options to do so into your Kickstart file - for example, bootloader --append=\"nopti noibrs noibpb\" on AMD64/Intel 64 systems.
--boot-drive= - Specifies which drive the boot loader should be written to, and therefore which drive the computer will boot from. If you use a multipath device as the boot drive, specify the device using its disk/by-id/dm-uuid-mpath-WWID name.
--password= - If using GRUB2, sets the boot loader password to the one specified with this option. This should be used to restrict access to the GRUB2 shell, where arbitrary kernel options can be passed.
--iscrypted - Normally, when you specify a boot loader password using the --password= option, it is stored in the Kickstart file in plain text. If you want to encrypt the password, use this option and an encrypted password.
The partition will be used for a BIOS Boot partition. A 1 MiB BIOS boot partition is necessary on BIOS-based AMD64 and Intel 64 systems using a GUID Partition Table (GPT); the boot loader will be installed into it. It is not necessary on UEFI systems. See also the bootloader command.
Boot parameters pass settings to the kernel at boot using your bootloader. Some settings can be used to increase security, similar to sysctl. Bootloaders often differ in how boot parameters are set. A few examples are listed below, but you should research the required steps for your specific bootloader.
You must research the CPU vulnerabilities that your system is affected by and apply a selection of the above mitigations accordingly. Keep in mind that you will need to install microcode updates to be fully protected from these vulnerabilities. All of these may cause a significant performance decrease.
Full-disk encryption ensures that all data on your drive is encrypted and cannot be read by a physical attacker. Most distributions support enabling encryption during installation. Make sure you set a strong password. You can also encrypt your drive manually with dm-crypt. Be aware that full-disk encryption does not cover /boot. As such, it is still possible to modify the kernel, bootloader and other critical files. To fully protect against tampering, you must also implement verified boot.
A cold boot attack occurs when an attacker analyses the data in RAM before it is erased. When using modern RAM, cold boot attacks aren't very practical, as RAM usually clears within a few seconds or minutes unless it has been placed inside a cooling solution, such as liquid nitrogen or a freezer. An attacker would have to rip out the RAM sticks from your device and expose it to liquid nitrogen all within a few seconds and without the user noticing. If cold boot attacks are part of your threat model, then guard your computer for a few minutes after shutdown to ensure that nobody has access to your RAM sticks. You could also solder the RAM sticks into your motherboard to make it harder for them to be seized. If using a laptop, take out the battery and run directly off the charging cable. Pull out the cable after shutdown to ensure that the RAM has no access to more power to stay alive. In the kernel self-protection boot parameters section, the zeroing of memory at free time option will overwrite sensitive data in memory with zeroes. Furthermore, the hardened memory allocator can purge sensitive data within user space heap memory via the CONFIG_ZERO_ON_FREE configuration option. Despite these though, some data may still remain in memory. Additionally, modern kernels include a reset attack mitigation, which commands the firmware to erase data upon shutdown, although this requires firmware support. Make sure that you shutdown your computer normally, so the mitigations explained above can kick in. If none of the above are adequate for your threat model, you can implement Tails' memory erasure process, which erases the majority of memory (with the exception of video memory) and has been proven to be effective. 153554b96e