CPU Microcode

2026-02-11T21:02:51Z

Ckujau: with grep it shows the name of the vulnerability too

CPU '''microcode''' is a form of firmware that controls the processor's internals.

In modern processors, the microcode handles execution of complex and highly specialized instructions. Parts of the microcode also act as firmware for the processor's embedded controllers, and it is even used to fix or to mitigate '''processor design/implementation errata/bugs'''. Given the complexity of modern processors, a CPU may have over a hundred such errata.

Recently, microcode updates have become mandatory for security due to [https://en.wikipedia.org/wiki/Side-channel_attack side-channel attacks] against CPUs.

== Obtaining microcode updates on Alpine ==

{{Warning| Certain Intel CPUs, such Intel Atom with PSE errata, and Intel Haswell + Broadwell with TSX errata, can only be fixed via BIOS or UEFI update (which includes microcode); if you are using one of these CPUs, please do not use the instructions below}}

On Alpine Linux, CPU microcode is loaded early via initrd images, premade images are available from packages:

To obtain the microcode update package for AMD processors:
{{cmd|apk add {{pkg|amd-ucode}}}}

To obtain the microcode update package for Intel processors:
{{cmd|apk add {{pkg|intel-ucode}}}}

If you are using syslinux or grub in a typical setup, the packages will automatically append your {{path|extlinux.conf}} or {{path|grub.conf}} file and merely a reboot will be required to run the new microcode. Users using UEFI's built-in boot manager will have to use efibootmgr to add a second initrd line. Likewise if you are using the limine bootoader will need to add a 2nd MODULE_PATH directive in {{path|limine.cfg}} pointing to the ucode file.

== Verifying that the microcode image has loaded ==
Run the command:
{{cmd|dmesg | grep microcode}}
If the microcode initrd image was loaded, the microcode update driver will print a signature and revision

Example for Intel:
<pre>
[ 2.198775 ] microcode: sig=0x6fd, pf=0x80, revision=0xa4
</pre>

Example for AMD:
<pre>
[ 11.442146] microcode: Current revision: 0x0a0011d5
[ 11.447027] microcode: Updated early from: 0x0a0011d3
</pre>

{{Todo|Example needed for VIA CPUs, they seem to print slightly differently.}}

== Check if CPU mitigation is working ==
This command not only shows if microcode is working, but other CPU vulnerabilities affected:
{{cmd|grep -r . /sys/devices/system/cpu/vulnerabilities/}}

[[Category:Security]]

Setting up a OpenVPN server

2022-05-29T10:33:36Z

Ckujau: use {{cmd}} template

{{TOC right}}

This article describes how to set up an OpenVPN server with the Alpine Linux.
This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, [http://wiki.alpinelinux.org/w/index.php?title=Using_Racoon_for_Remote_Sites Racoon/Opennhrp] would provide better functionality.

It is recommended you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here: [http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses WikiPedia]

If your Internet-connected machine doesn't have a static IP address, [http://www.dyndns.com DynDNS] can be used for resolving DNS names to IP addresses.

= Set up Alpine =
== Initial Set up ==
Follow [[Installing_Alpine]] to set up Alpine Linux.

== Install programs ==
Install openvpn
{{Cmd|apk add openvpn}}

Prepare autostart of OpenVPN

{{Cmd|rc-update add openvpn default}}

{{Cmd|modprobe tun
echo "tun" >> /etc/modules-load.d/tun.conf}}

Enable IP Forwarding

{{Cmd|echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/ipv4.conf}}
{{Cmd|sysctl -p /etc/sysctl.d/ipv4.conf}}

= Certificates =
One of the first things that needs to be done is to make sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice not to have your certificate server be on the same machine as the router being used for remote connectivity.

You will need to create a server (ssl_server_cert) certificate for the server and one client certificate (ssl_client_cert) for each client. To use the certificates, you should download the .pfx file and extract it.

To extract the three parts of each .pfx file, use the following commands:

To get the ca cert out:
{{Cmd|openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem}}

To get the cert file out:
{{Cmd|openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem}}

To get the private key file out: (Make sure the key stays private)

{{Cmd|openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem}}

On the VPN server, you can also install the '''acf-openvpn''' package, which contains a web page to automatically upload and extract the server certificate. There is also a button to automatically generate the Diffie-Hellman parameters.

If you would prefer to generate your certificates using OpenVPN utilities, see [[#Alternative Certificate Method]]

= Configure OpenVPN server =
Example configuration file for server. Place the following content in /etc/openvpn/openvpn.conf:
local "Public Ip address"
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Server.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Server.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.0.0.1"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3

(''Instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')

== Test your configuration ==
Test configuration and certificates

{{Cmd|openvpn --config /etc/openvpn/openvpn.conf}}

= Configure OpenVPN client =
Example client.conf:
client
dev tun
proto udp
remote "public IP" 1194
resolv-retry infinite
nobind
ns-cert-type server # This means the certificate on the openvpn server needs to have this field. Prevents MitM attacks
persist-key
persist-tun
ca client-ca.pem
cert client-cert.pem
key client-key.pem
comp-lzo
verb 3

(''Instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')

= Save settings =
Don't forget to save all your settings if you are running a RAM-based system.
{{Cmd|lbu commit}}

= More than one server or client =

If you want more than one server or client running on the same Alpine box, use the standard [[Multiple Instances of Services]] process.

For example, to create a config named "AlphaBravo":

* Create an approriate /etc/openvpn/openvpn.conf file, but name it "/etc/openvpn/AlphaBravo.conf"
* create a new symlink of the init.d script:
{{Cmd|ln -s /etc/init.d/openvpn /etc/init.d/openvpn.AlphaBravo}}
* Have the new service start automatically
{{Cmd|rc-update add openvpn.AlphaBravo}}

= Alternate Certificate Method =
== Manual Certificate Commands ==
(''Instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')

=== Initial setup for administrating certificates ===
The following instructions assume you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR>
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands
{{Cmd|apk add easy-rsa # from the community repo
cd /usr/share/easy-rsa}}
If not already done, create a folder where you will save your certificates and save a copy of your '''/usr/share/easy-rsa/vars''' for later use.<BR>
{{Cmd|mkdir /etc/openvpn/keys
cp ./vars.example ./vars #easy-rsa v3
cp ./vars /etc/openvpn/keys #easy-rsa v2}}

For EasyRSA v3 see: https://community.openvpn.net/openvpn/wiki/EasyRSA

The instructions below are for EasyRSA v2:

If not already done, edit '''/etc/openvpn/keys/vars'''<BR>
(''This file is used for defining paths and other standard settings'')
{{Cmd|vim /etc/openvpn/keys/vars}}
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.
source the '''vars''' to set properties
{{Cmd|source /etc/openvpn/keys/vars}}
{{Cmd|touch /etc/openvpn/keys/index.txt
echo 00 > /etc/openvpn/keys/serial}}

=== Set up a 'Certificate Authority' (CA) ===
Clean up the '''keys''' folder.

{{Cmd|./clean-all}}

Generate Diffie-Hellman parameters

{{Cmd|./build-dh}}

To make the CA certificates and keys

{{Cmd|./build-ca}}

=== Set up an 'OpenVPN Server' ===
Create server certificates

{{Cmd|./build-key-server <commonname>}}

=== Set up an 'OpenVPN Client' ===
Create client certificates
{{Cmd|./build-key <commonname>}}

=== Revoke a certificate ===
To revoke a certificate

{{Cmd|./revoke-full <commonname>}}

The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:

{{Cmd|crl-verify crl.pem}}

= OpenVPN and LXC =

Let's call this LXC "mylxc"...

On the host <pre>
modprobe tun
mkdir /var/lib/lxc/mylxc/rootfs/dev/net
mknod /var/lib/lxc/mylxc/rootfs/dev/net/tun c 10 200
chmod 666 /var/lib/lxc/mylxc/rootfs/dev/net/tun
</pre>

In /var/lib/lxc/mylxc/config <pre>
lxc.cgroup.devices.allow = c 10:200 rwm
</pre>

On the guest <pre>
apk add openvpn
</pre> Then config as usual.

This should work both as server and as client.

== persistent devices ==
lxc guest have their dev recreated on each restart in a tmpfs. This means all devices are reset and are not read from the rootfs dev directory.
To make it persistent you can use an autodev script by adding the following to your lxc guest config:

<pre>
# tun (openvpn)
lxc.cgroup.devices.allow = c 10:200 rwm
# audodev script to add devices
lxc.hook.autodev=/var/lib/lxc/CONTAINER/autodev
</pre>

The autodev script:

<pre>
#!/bin/sh
# dev is populated on earch container start.
# to make devices persistence we need to recreate them on each start.

cd ${LXC_ROOTFS_MOUNT}/dev
mkdir net
mknod net/tun c 10 200
chmod 0666 net/tun
</pre>

[[category: VPN]]

User:Ckujau

2019-01-11T23:38:11Z

Ckujau: Oh, hai!

Alpine Linux - User contributions [en]

CPU Microcode

Setting up a OpenVPN server

User:Ckujau