Estávamos discutindo sobre upgrade de firmware no grupo Linux Brasil eu resolvi dar uma revisitada no artigo que escrevi sobre vulnerabilidades de CPU: falhas de segurança em CPU nas distros com linux-libre.

Olhando aqui meu desktop, estou até que bem protegido.

  
root@goosfraba ~# for v in /sys/devices/system/cpu/vulnerabilities/*
                      echo -n "$v:"; cat $v
                  end
/sys/devices/system/cpu/vulnerabilities/gather_data_sampling:Not affected
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:Not affected
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Not affected
/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling:Not affected
/sys/devices/system/cpu/vulnerabilities/retbleed:Mitigation: untrained return thunk; SMT disabled
/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Retpolines; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected
/sys/devices/system/cpu/vulnerabilities/srbds:Not affected
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
    
  

Eu fiz recentemente um upgrade de firmware aqui usando o fwupgrmgr. Não salvei o resultando, mas salvei o que fiz no sh1bb0l33t.

E falando sh1bb0l33t:

  
root@sh1bb0l33t ~# for v in /sys/devices/system/cpu/vulnerabilities/*
                                             echo -n "$v:"; cat $v
                                         end
/sys/devices/system/cpu/vulnerabilities/gather_data_sampling:Mitigation: Microcode
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Mitigation: VMX disabled
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Mitigation: Clear CPU buffers; SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling:Not affected
/sys/devices/system/cpu/vulnerabilities/retbleed:Mitigation: IBRS
/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: IBRS; IBPB: conditional; STIBP: conditional; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected
/sys/devices/system/cpu/vulnerabilities/srbds:Mitigation: Microcode
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Mitigation: TSX disabled
  

Se estranharem a sintaxe do comando no shell, é porque estou usando fish pra shell interativo. Adotei e não largo mais.

Voltando ao assunto de updates de firmwares, fwupdmgr faz tudo pra você hoje em dia. Os tempos de ter um disco com Windows ou Dos ou FreeDOS pra atualizar são coisa do passado.

Existe a possibilidade de dar algo errado? Claro. Sempre. Estamos falando de firmware de placa-mãe e HDDs/SSDs. Se o processo parar no meio pode dar errado. E alguns updates acabam provocando efeitos indesejados como lentidão (exemplo de correções pra ataques de side channel de processador). Então algumas pessoas preferem escolher mais meticulosamente os updates antes de aplicar.

Mas se esse não é seu caso, eu fortemente recomendo usar o fwupdmgr e atualizar os firmwares de seu computador.

E deixo aqui a frase dita e escrita pelo grande Kevlin Henney durante uma palestra em Estocolmo na Ericsson, e registrada muito péssimamente pela minha câmera do celular (Kevlin, se estiver lendo isso aqui, eu peço desculpas pela fotografia tão borrada).