Author Topic: fw-v1.trid.xml for binary Intel CPU Microcode  (Read 4714 times)

jenderek

  • Sr. Member
  • ****
  • Posts: 375
fw-v1.trid.xml for binary Intel CPU Microcode
« on: February 12, 2018, 10:36:30 PM »
Hello,

some days ago i checked my systems for spectre and meltdown vulnerability.
To protect me i follow instructions to install CPU microcodes.

When i run trid on such microcode files found for examples downloaded as
Linux Processor Microcode Data File on Intel site these examples are
described wrong like as "Unknown!" (see appended output/trid-old.txt).

A patched file(2) command identifies such files correctly as "Intel CPU
microcode" ( see output/file-new.txt).

Unfortunately there exist at least 3 different file format. So i started
to handle binary Intel CPU microcode here. Luckily this file format is
described as "Microcode Update" in Section 9.11 of Volume 3a, IA-32
Intel Architecture Software Developer's Manual found as PDF with name
like 64-ia-32-architectures-software-developer-vol-3a-part-1-manual.pdf
on Intel site.
Alternative the file format can be seen in source file intel_microcode.c
of software iucode-tool found for example at github. So i add this URL
as reference by line
<RefURL>
https://gitlab.com/iucode-tool/iucode-tool/blob/master/intel_microcode.c
</RefURL>

According to documentation file start with Header Version variable. At
the moment this is always one. This is expressed by XML construct:

   <Bytes>01000000</Bytes>
   <Pos>0</Pos>

Unfortunately this magic is not unique enough. To skip bad example
AMPBOOT.SYS16 look for reserved 12 bytes at end of header, which are nulls
for microcode examples. This is expressed by XML construct:
   <Bytes>000000000000000000000000</Bytes>
   <Pos>36</Pos>

At this point identification is still not unique enough. To skip bad
examples like PUZ10, MAP2.9, etc. test for valid loader version number.
At the moment this seems to be always one. This is expressed by:
   <Bytes>01000000</Bytes>
   <Pos>20</Pos>
   

The total size of micro code entry is stored as 4 byte little endian at
offset 32. According to manual this value is always a multiple of
1024. This is expressed by construct:
   <Bytes>00</Bytes>
   <Pos>32</Pos>


The processor flags mask is stored as 4 byte little endian at offset
24. According to manual platform type information is encoded in the lower 8
bits of this field. The other bits seems to be unused (that are
null-bits). This is expressed by construct:

   <Bytes>000000</Bytes>
   <Pos>25</Pos>

Mention these facts in remark line.

The microcode file have no name extension or "fw" for firmware i assume.
This is expressed by
   <Ext>/FW</Ext>

More information about such files can be obtained by executing command like
   iucode_tool --verbose --list *.fw

With new trid definition files now all inspected microcode firmware files are
now recognized (see appended output/trid-new.txt). TrID definition, some
examples and output are stored in archive fw.zip. I hope that the XML file
can be used in future version of triddefs.

With best wishes
J?rg Jenderek

Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2743
    • Mark0's Home Page
Re: fw-v1.trid.xml for binary Intel CPU Microcode
« Reply #1 on: February 13, 2018, 05:31:23 PM »
Hi!

It seems that the XML definitions are missing from the ZIP archive.

jenderek

  • Sr. Member
  • ****
  • Posts: 375
Re: fw-v1.trid.xml for binary Intel CPU Microcode
« Reply #2 on: February 13, 2018, 05:38:37 PM »
ops!

sorry! i forgot to add trid definition fw-v1.trid.xml.

Appended now!

Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2743
    • Mark0's Home Page
Re: fw-v1.trid.xml for binary Intel CPU Microcode
« Reply #3 on: February 16, 2018, 03:14:46 PM »
Perfect, thanks!