|
|
6c53eb |
The microcode_ctl package contains microcode files (vendor-provided binary data
|
|
|
6c53eb |
and/or code in proprietary format that affects behaviour of a device) for Intel
|
|
|
6c53eb |
CPUs that may be loaded into the CPU during boot.
|
|
|
6c53eb |
|
|
|
6c53eb |
The microcode_ctl package contains provisions for some issues related
|
|
|
6c53eb |
to microcode loading. While those provisions are expected to suit most users,
|
|
|
6c53eb |
several knobs are available in order to provide ability to override the default
|
|
|
6c53eb |
behaviour.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
General behaviour
|
|
|
4eb1a6 |
=================
|
|
|
742279 |
In RHEL 7, there are currently two main handlers for CPU microcode update:
|
|
|
4eb1a6 |
* Early microcode update. It uses GenuineIntel.bin or AuthenticAMD.bin file
|
|
|
4eb1a6 |
placed at the beginning of an initramfs image
|
|
|
742279 |
(/boot/initramfs-KERNEL_VERSION.img, where "KERNEL_VERSION" is a kernel
|
|
|
742279 |
version in the same format as provided by "uname -r") as a source
|
|
|
742279 |
of microcode data, and is performed very early during the boot process
|
|
|
742279 |
(if the relevant microcode file is available in the aforementioned file).
|
|
|
4eb1a6 |
* On-demand (late) microcode update. It can be triggered by writing "1" to
|
|
|
4eb1a6 |
/sys/devices/system/cpu/microcode/reload file (provided my the "microcode"
|
|
|
742279 |
module). It relies on request_firmware infrastructure, which searches (and
|
|
|
742279 |
loads, if found) microcode from a file present in one of the following
|
|
|
742279 |
directories (in the search order):
|
|
|
4eb1a6 |
/lib/firmware/updates/KERNEL_VERSION/
|
|
|
4eb1a6 |
/lib/firmware/updates/
|
|
|
4eb1a6 |
/lib/firmware/KERNEL_VERSION/
|
|
|
4eb1a6 |
/lib/firmware/
|
|
|
4eb1a6 |
(there is also an additional directory that can be configured via the
|
|
|
4eb1a6 |
"fw_path_para" module option of the "firmware_class" module; as this module
|
|
|
4eb1a6 |
is built-in in RHEL kernel, a boot parameter "firmware_class.fw_path_para"
|
|
|
4eb1a6 |
should be used for that purpose; this is out of the document's scope, however)
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
The firmware for Intel CPUs is searched in "intel-ucode" subdirectory, and for
|
|
|
4eb1a6 |
AMD CPUs, a file under "amd-ucode" is searched.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
For Intel CPUs, the name of the specific microcode file the kernel tries to load
|
|
|
4eb1a6 |
has the format "FF-MM-SS", where "FF" is the family number, "MM" is the model
|
|
|
4eb1a6 |
number, and "SS" is the stepping. All those numbers are zero-filled to two digits
|
|
|
4eb1a6 |
and are written in hexadecimal (letters are in the lower case). For AMD CPUs,
|
|
|
4eb1a6 |
the file name has the format "microcode_amd_famFFh.bin", where "FF" is the
|
|
|
4eb1a6 |
family number, written in hexadecimal, letters are in the lower case, not
|
|
|
4eb1a6 |
zero-filled.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
The early microcode is placed into initramfs image by the "dracut" script, which
|
|
|
4eb1a6 |
scans the aforementioned subdirectories of the configured list of firmware
|
|
|
742279 |
directories (by default, the list consists of two directories in RHEL 7,
|
|
|
4eb1a6 |
"/lib/firmware/updates" and "/lib/firmware").
|
|
|
4eb1a6 |
|
|
|
742279 |
In RHEL 7, AMD CPU microcode is shipped as a part of the linux-firmware package,
|
|
|
4eb1a6 |
and Intel microcode is shipped as a part of the microcode_ctl package.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
The microcode_ctl package currently includes the following:
|
|
|
742279 |
* Intel CPU microcode files, placed in /usr/share/microcode_ctl/intel-ucode
|
|
|
742279 |
directory (currently there are none);
|
|
|
4eb1a6 |
* A dracut module, /usr/lib/dracut/modules.d/99microcode_ctl-fw_dir_override,
|
|
|
4eb1a6 |
that controls which additional firmware directories will be added to dracut's
|
|
|
4eb1a6 |
default configuration;
|
|
|
742279 |
* A dracut configuration file, /usr/lib/dracut/dracut.conf.d/01-microcode.conf,
|
|
|
742279 |
that enables inclusion of early microcode to the generated initramfs
|
|
|
742279 |
in dracut;
|
|
|
742279 |
* A dracut configuration file,
|
|
|
742279 |
/usr/lib/dracut/dracut.conf.d/99-microcode-override.conf, that provides a way
|
|
|
742279 |
to quickly disable 99microcode_ctl-fw_dir-override dracut module;
|
|
|
4eb1a6 |
* A systemd service file, microcode.service, that triggers microcode reload
|
|
|
4eb1a6 |
late during boot;
|
|
|
742279 |
* A set of directories in /usr/share/microcode_ctl/ucode_with_caveats, each
|
|
|
742279 |
of which contains configuration and related data for various caveats related
|
|
|
742279 |
to microcode:
|
|
|
742279 |
* readme - description of caveat and related information,
|
|
|
742279 |
* config - caveat configuration file, with syntax as described in "Caveat
|
|
|
742279 |
configuration" section below,
|
|
|
742279 |
* intel-ucode - directory containing microcode files related to the caveat;
|
|
|
4eb1a6 |
* A set of support scripts, placed in /usr/libexec/microcode_ctl:
|
|
|
4eb1a6 |
* "check_caveats" is an utility script that performs checks of the target
|
|
|
4eb1a6 |
kernel (and running CPU) in accordance with caveat configuration files
|
|
|
742279 |
in ucode_with_caveats directory and reports whether it passes them or not,
|
|
|
4eb1a6 |
* "reload_microcode" is a script that is called by microcode.service and
|
|
|
4eb1a6 |
triggers microcode reloading (by writing "1" to
|
|
|
4eb1a6 |
/sys/devices/system/cpu/microcode/reload) if the running kernel passes
|
|
|
742279 |
check_caveats checks,
|
|
|
4eb1a6 |
* "update_ucode" is a script that populates symlinks to microcode files
|
|
|
4eb1a6 |
in /lib/firmware, so it can be picked up by relevant kernels for the late
|
|
|
4eb1a6 |
microcode loading.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Also, microcode_ctl RPM includes triggers that run update_ucode script on every
|
|
|
4eb1a6 |
installation or removal of a kernel RPM in order to provide microcode files
|
|
|
4eb1a6 |
for newly installed kernels and cleanup symlinks for the uninstalled ones.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Caveat configuration
|
|
|
4eb1a6 |
--------------------
|
|
|
4eb1a6 |
There is a directory for each caveat under
|
|
|
4eb1a6 |
/usr/share/microcode_ctl/ucode_with_caveats, containing the following files:
|
|
|
4eb1a6 |
* "config", a configuration file for the caveat;
|
|
|
4eb1a6 |
* "readme", that contains description of the caveat;
|
|
|
4eb1a6 |
* set of related associated microcode files.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
"config" file is a set of lines each containing option name and its value,
|
|
|
4eb1a6 |
separated by white space. Currently, the following options are supported:
|
|
|
4eb1a6 |
* "model" option, which has format "VENDOR_ID FF-MM-SS", that specifies
|
|
|
4eb1a6 |
to which CPU model the caveat is applicable (check_caveats ignores caveats
|
|
|
4eb1a6 |
with non-matching models if "-m" option is passed to it). Can be set
|
|
|
4eb1a6 |
in the configuration file only once (the last provided value is used).
|
|
|
4eb1a6 |
* "vendor" option specifies CPUs of which vendor (as provided
|
|
|
4eb1a6 |
in the /proc/cpuinfo file) the caveat is applicable to (check_caveats
|
|
|
4eb1a6 |
ignores caveats with non-matching models when it is invoked with "-m"
|
|
|
4eb1a6 |
option). Can be set in the configuration file only once.
|
|
|
4eb1a6 |
* "path" is a glob pattern that specifies set of microcode files associated
|
|
|
4eb1a6 |
with the caveat as a relative path to the caveat directory. This option
|
|
|
4eb1a6 |
is used for populating files in /lib/firmware by update_ucode script and
|
|
|
4eb1a6 |
for matching microcode file when dracut is run in host-only mode
|
|
|
4eb1a6 |
(as in that case it uses only the first directory in firmware directory list
|
|
|
4eb1a6 |
to look for the microcode file applicable to the host CPU). Can be set
|
|
|
4eb1a6 |
in the configuration file multiple times.
|
|
|
4eb1a6 |
* "kernel" is a minimal kernel version that supports proper handling
|
|
|
4eb1a6 |
of the related microcode files during late microcode load. It may be
|
|
|
4eb1a6 |
provided in one of the following formats that affect the way it is compared
|
|
|
4eb1a6 |
to the running kernel version:
|
|
|
4eb1a6 |
* A.B.C (where A, B, and C are decimal numbers), "upstream version". In this
|
|
|
4eb1a6 |
case, simple version comparison against the respective part of the running
|
|
|
4eb1a6 |
kernel version is used, and the running kernel version should be greater
|
|
|
4eb1a6 |
or equal than the version provided in the configuration option in order
|
|
|
4eb1a6 |
for comparison to succeed (that is, the first part, major version number,
|
|
|
4eb1a6 |
of the running kernel version should be greater than the value provided
|
|
|
4eb1a6 |
in the configuration option, or those should be equal and the second part,
|
|
|
4eb1a6 |
minor version number, should be greater than the minor version number
|
|
|
4eb1a6 |
of the kernel version provided in the configuration option, or the first
|
|
|
4eb1a6 |
two parts should be equal and the third part, patch level, should
|
|
|
4eb1a6 |
be greater or equal the patch level of the version in the configuration
|
|
|
4eb1a6 |
option).
|
|
|
4eb1a6 |
* A.B.C-Y (where A, B, C, and Y are decimal numbers), "Y-stream version".
|
|
|
4eb1a6 |
In this case, A.B.C part should be equal, and Y part of the running kernel
|
|
|
4eb1a6 |
version should be greater or equal than the Y part of the configuration
|
|
|
4eb1a6 |
option version in order to satisfy the comparison requirement.
|
|
|
4eb1a6 |
* A.B.C-Y.Z1.Z2 (where A, B, C, Y, Z1, and Z2 are decimal numbers),
|
|
|
4eb1a6 |
"Z-stream version". In this case, A.B.C-Y part should be equal and Z1.Z2
|
|
|
4eb1a6 |
part of the running kernel should be greater or equal than the respective
|
|
|
4eb1a6 |
part of the configuration option version (when compared as a version)
|
|
|
4eb1a6 |
for comparison to succeed.
|
|
|
4eb1a6 |
Kernel version check passed if at least one comparison of the running kernel
|
|
|
4eb1a6 |
version against a kernel version provided in a configuration option
|
|
|
4eb1a6 |
succeeded. The "kernel" configuration option can be provided
|
|
|
4eb1a6 |
in the configuration file multiple times.
|
|
|
4eb1a6 |
* "kernel_early" is a minimal kernel version that supports proper handling
|
|
|
4eb1a6 |
of the related microcode during early microcode load. The format of the
|
|
|
4eb1a6 |
option and its semantics is similar to the "kernel" configuration options.
|
|
|
4eb1a6 |
This option can be provided multiple times as well.
|
|
|
4eb1a6 |
* "mc_min_ver_late" is the minimal version of the currently loaded microcode
|
|
|
4eb1a6 |
on the CPU (as reported in /proc/cpuinfo) that supports late microcode
|
|
|
4eb1a6 |
update. Microcode update will be attempted only if the currently loaded
|
|
|
4eb1a6 |
microcode version is greater or equal the microcode version provided
|
|
|
4eb1a6 |
in the configuration option. Can be set in the configuration file only once.
|
|
|
4eb1a6 |
* "disable" is a way to disable a specific caveat from inside its
|
|
|
4eb1a6 |
configuration. Argument for the argument is a list of stages ("early",
|
|
|
4eb1a6 |
"late") for which the caveat should be disable. The configuration option
|
|
|
4eb1a6 |
can be provided multiple times in a configuration file.
|
|
|
4eb1a6 |
* "blacklist" is a marker for a start of list of blacklisted model names,
|
|
|
4eb1a6 |
one model name per line. The model name of the running CPU (as reported
|
|
|
4eb1a6 |
in /proc/cpuinfo) is compared against the names in the provided list, and,
|
|
|
4eb1a6 |
if there is a match, caveat check fails.
|
|
|
347126 |
* "pci_config_val" performs check for specific values in selected parts
|
|
|
347126 |
of configuration space of specified PCI devices. If "-m" option
|
|
|
347126 |
is not specified, then the actual check is skipped, and the check returns
|
|
|
347126 |
result in accordance with the provided "mode" option (se below). Check
|
|
|
347126 |
arguments are a white-space-separated list of "key=value" pairs.
|
|
|
347126 |
The following keys are supported:
|
|
|
347126 |
* "domain" - PCI domain number, or "*" (an asterisk) for any domain.
|
|
|
347126 |
Default is "*".
|
|
|
347126 |
* "bus" - PCI bus number, or "*" (an asterisk) for any bus. Default is "*".
|
|
|
347126 |
* "device" - PCI device number, or "*" (an asterisk) for any device.
|
|
|
347126 |
Default is "*".
|
|
|
347126 |
* "function" - PCI function number, or "*" (an asterisk) for any function.
|
|
|
347126 |
Default is "*".
|
|
|
347126 |
* "vid" - PCI vendor ID, or empty string for any vendor ID. Default
|
|
|
347126 |
is empty string.
|
|
|
347126 |
* "did" - PCI device ID, or empty string for any device ID. Default
|
|
|
347126 |
is empty string.
|
|
|
347126 |
* "offset" - offset in device's configuration space where the value resides.
|
|
|
347126 |
Default is 0.
|
|
|
347126 |
* "size" - field size. Possible values are 1, 2, 4, or 8. Default is 4.
|
|
|
347126 |
* "mask" - mask applied to the values during the check. Default is 0.
|
|
|
347126 |
* "val" - comma-separated list of matching values. Default is 0.
|
|
|
347126 |
* "mode" - check mode, the way matches are interpreted:
|
|
|
347126 |
* "success-any" - check succeeds if there was at least one match,
|
|
|
347126 |
otherwise it fails.
|
|
|
347126 |
* "success-all" - check succeeds if there was at least one device checked
|
|
|
347126 |
and all the checked devices have matches, otherwise the check fails.
|
|
|
347126 |
* "fail-any" - check fails if there was at least one match, otherwise
|
|
|
347126 |
it succeeds.
|
|
|
347126 |
* "fail-all" - check fails if there was at least one device checked
|
|
|
347126 |
and all the checked devices have matches, otherwise the check succeeds.
|
|
|
347126 |
An example of a check:
|
|
|
347126 |
pci_config_val mode=success-all device=30 function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
|
|
|
347126 |
It interprets 4 bytes at offset 0x84 of special files "config" under
|
|
|
347126 |
directories that match glob pattern "/sys/bus/pci/devices/*:*:1e.3"
|
|
|
347126 |
as an unsigned integer value, applies mask 0x38 (thus selecting bit 5..3
|
|
|
347126 |
of it) and checks whether it is one of the values 0x38, 0x18, or 0x8 (0b111,
|
|
|
347126 |
0b011, or 0b001 in bits 5..3, respectively); if there are such files,
|
|
|
347126 |
and all the checked values in every checked file has matched at least one
|
|
|
347126 |
of the aforementioned value, then the check is successful, otherwise
|
|
|
347126 |
it fails (in accordance with "mode=success-all" semantics). This check fails
|
|
|
347126 |
if "-m" option is not specified.
|
|
|
347126 |
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
check_caveats script
|
|
|
4eb1a6 |
--------------------
|
|
|
4eb1a6 |
"check_caveats" is an utility script (called by update_ucode, reload_microcode,
|
|
|
4eb1a6 |
dracut module) that performs checks of the target kernel (and running CPU)
|
|
|
4eb1a6 |
in accordance with caveat configuration files in directory
|
|
|
4eb1a6 |
"/usr/share/microcode_ctl/ucode_with_caveats", and returns information, whether
|
|
|
4eb1a6 |
the system passes the checks, or not.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Usage:
|
|
|
4eb1a6 |
check_caveats [-e] [-k TARGET_KVER] [-c CONFIG]* [-m] [-v]'
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Options:
|
|
|
4eb1a6 |
-e - check for early microcode load possibility (instead of late microcode
|
|
|
4eb1a6 |
load). "kernel_early" caveat configuration options are used for checking
|
|
|
4eb1a6 |
instead of "kernel", and "mc_min_ver_late" is not checked.
|
|
|
4eb1a6 |
-k - target kernel version to check against, $(uname -r) is used otherwise.
|
|
|
4eb1a6 |
-c - caveat(s) to check, all caveat configurations found inside
|
|
|
4eb1a6 |
$MC_CAVEATS_DATA_DIR are checked otherwise.
|
|
|
4eb1a6 |
-m - ignore caveats that do not apply to the current CPU model.
|
|
|
4eb1a6 |
-v - verbose output.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Environment:
|
|
|
742279 |
MC_CAVEATS_DATA_DIR - directory that contains caveats configurations,
|
|
|
742279 |
"/usr/share/microcode_ctl/ucode_with_caveats"
|
|
|
742279 |
by default.
|
|
|
4eb1a6 |
FW_DIR - directory containing firmware files (per-kernel configuration
|
|
|
742279 |
overrides are checked there), "/lib/firmware" by default.
|
|
|
742279 |
CFG_DIR - directory containing global caveats overrides,
|
|
|
742279 |
"/etc/microcode_ctl/ucode_with_caveats" by default.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Output:
|
|
|
4eb1a6 |
Script returns information about caveats check results. Output has a format
|
|
|
4eb1a6 |
of "KEY VALUE1 VALUE2 ..." with KEY defining the semantics of the VALUEs.
|
|
|
4eb1a6 |
Currently, the following data is issued:
|
|
|
4eb1a6 |
- "cfgs" - list of caveats that have been processed (and not skipped
|
|
|
4eb1a6 |
due to missing "config", "readme", or a disallow-* override described
|
|
|
4eb1a6 |
below);
|
|
|
4eb1a6 |
- "skip_cfgs" - list of caveats that have been skipped (due to missing
|
|
|
4eb1a6 |
config/readme file, or because of overrides);
|
|
|
4eb1a6 |
- "paths" - list of glob patterns matching files associated with caveats
|
|
|
4eb1a6 |
that have been processed;
|
|
|
4eb1a6 |
- "ok_cfgs" - list of caveat configurations that have all the checks passed
|
|
|
4eb1a6 |
(or have enforced by one of force-* overrides described below);
|
|
|
4eb1a6 |
- "ok_paths" - list of glob patterns associated with caveat files from
|
|
|
4eb1a6 |
the "ok_cfgs" list;
|
|
|
4eb1a6 |
- "fail_cfgs" - list of caveats that have one of the checks failed.
|
|
|
4eb1a6 |
- "fail_paths" - list of glob patterns associated with caveats from the
|
|
|
4eb1a6 |
"fail_cfgs" list.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Return value:
|
|
|
4eb1a6 |
- 0 in case caveats check has passed, 1 otherwise.
|
|
|
4eb1a6 |
- In "-d" mode, 0 is always returned.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Overrides:
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
When check_caveats perform its checks, it also checks for presence of files
|
|
|
4eb1a6 |
in specific places, and, if they exist, check_caveats skips a caveat or ignores
|
|
|
4eb1a6 |
its checks; that mechanism allows overriding the information provided
|
|
|
4eb1a6 |
in configuration on local systems and affect the behaviour of the microcode
|
|
|
4eb1a6 |
update process.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Current list of overrides (where $FW_DIR and $CFG_DIR are the environment
|
|
|
4eb1a6 |
options described earlier; $kver - the currently processed kernel version,
|
|
|
4eb1a6 |
$s is the requested stage ("early" or "late"), $cfg is the caveat directory
|
|
|
4eb1a6 |
name):
|
|
|
4eb1a6 |
$FW_DIR/$kver/disallow-$s-$cfg - skip a caveat for the requested stage for
|
|
|
4eb1a6 |
a specific kernel version..
|
|
|
4eb1a6 |
$FW_DIR/$kver/force-$s-$cfg - apply a specific caveat file for a specific
|
|
|
4eb1a6 |
kernel version for the requested stage without
|
|
|
4eb1a6 |
performing any checks.
|
|
|
4eb1a6 |
$FW_DIR/$kver/disallow-$cfg - skip a caveat for any stage for a specific
|
|
|
4eb1a6 |
kernel version.
|
|
|
4eb1a6 |
$FW_DIR/$kver/force-$cfg - apply a specific caveat for any stage
|
|
|
4eb1a6 |
for a specific kernel version without checks.
|
|
|
4eb1a6 |
$FW_DIR/$kver/disallow-$s - skip all caveats for a specific stage
|
|
|
4eb1a6 |
for a specific kernel version.
|
|
|
4eb1a6 |
$CFG_DIR/disallow-$s-$cfg - skip a caveat for a specific stage for all
|
|
|
4eb1a6 |
kernel versions.
|
|
|
4eb1a6 |
$FW_DIR/$kver/force-$s - apply all caveats for a specific stage
|
|
|
4eb1a6 |
for a specific kernel version without checks.
|
|
|
4eb1a6 |
$CFG_DIR/force-$s-$cfg - apply a specific caveat for a specific stage for
|
|
|
4eb1a6 |
all kernel versions without checks.
|
|
|
4eb1a6 |
$FW_DIR/$kver/disallow - skip all caveats for all stages for a specific
|
|
|
4eb1a6 |
kernel version.
|
|
|
4eb1a6 |
$CFG_DIR/disallow-$cfg - skip a caveat for all stages for all kernel
|
|
|
4eb1a6 |
versions.
|
|
|
4eb1a6 |
$FW_DIR/$kver/force - apply all caveats for all stages for a specific kernel
|
|
|
4eb1a6 |
version without checks.
|
|
|
4eb1a6 |
$CFG_DIR/force-$cfg - apply a caveat for all stages for all kernel versions
|
|
|
4eb1a6 |
without checks.
|
|
|
4eb1a6 |
$CFG_DIR/disallow-$s - skip all caveat for all kernel versions
|
|
|
4eb1a6 |
for a specific stage.
|
|
|
4eb1a6 |
$CFG_DIR/force-$s - apply all caveats for all kernel versions for specific
|
|
|
4eb1a6 |
stage without checks.
|
|
|
4eb1a6 |
$CFG_DIR/disallow - skip all caveats for all stages for all kernel versions
|
|
|
4eb1a6 |
(disable everything).
|
|
|
4eb1a6 |
$CFG_DIR/force - force all caveats for all stages for all kernel versions
|
|
|
4eb1a6 |
(enable everything).
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
The "apply" action above means creating symlinks in /lib/firmware by
|
|
|
4eb1a6 |
update_ucode in case of the "late" stage and adding caveat directory to the list
|
|
|
4eb1a6 |
of firmware directories by dracut plugin in case of the "early" stage.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
The files are checked for existence until the first match, so more specific
|
|
|
4eb1a6 |
overrides can override more broad ones.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Also, a caveat is ignored if it lacks either config or readme file.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
update_ucode script
|
|
|
4eb1a6 |
-------------------
|
|
|
4eb1a6 |
"update_ucode" populates symlinks to microcode files in accordance with caveats
|
|
|
4eb1a6 |
configuration. It enables late microcode loading that is invoked by triggering
|
|
|
4eb1a6 |
/sys/devices/system/cpu/microcode/reload file. Since caveats depend
|
|
|
4eb1a6 |
on the kernel version, symlinks are populated inside
|
|
|
4eb1a6 |
"/lib/firmware/KERNEL_VERSION" directory for each installed kernel.
|
|
|
4eb1a6 |
As a consequence, this script is triggered upon each kernel package installation
|
|
|
4eb1a6 |
and removal.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
The script has two parts: common and kernel-version-specific.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
During the common part, files are populated from
|
|
|
4eb1a6 |
/usr/share/microcode_ctl/intel-ucode in /lib/firmware/intel-ucode. There are
|
|
|
4eb1a6 |
several possibilities to affect the process:
|
|
|
4eb1a6 |
* Presence of "/etc/microcode_ctl/intel-ucode-disallow" file leads to skipping
|
|
|
4eb1a6 |
the common part of the script.
|
|
|
4eb1a6 |
* The same for "/lib/firmware/intel-ucode-disallow".
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
During the kernel-version-specific part, each caveat is checked against every
|
|
|
4eb1a6 |
kernel version, and those combinations, for which caveat check succeeds,
|
|
|
4eb1a6 |
gets the symlinks to the associated microcode files populated.
|
|
|
4eb1a6 |
* Absence of "/lib/firmware/KERNEL_VERSION/readme-CAVEAT" prevents update_ucode
|
|
|
4eb1a6 |
from removing symlinks related to the caveat for specific kernel version.
|
|
|
4eb1a6 |
* Since the check is being done by check_caveats, all the overrides that
|
|
|
4eb1a6 |
described there also stay.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Usage:
|
|
|
4eb1a6 |
update_ucode [--action {add|remove|refresh|list}] [--kernel KERNELVER]*
|
|
|
4eb1a6 |
[--verbose] [--dry-run] [--cleanup intel_ucode caveats_ucode]
|
|
|
4eb1a6 |
[--skip-common] [--skip-kernel-specific]
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Options:
|
|
|
4eb1a6 |
--action - action to perform. Currently, the following actions are supported:
|
|
|
4eb1a6 |
* "add" - create new symlinks.
|
|
|
4eb1a6 |
* "remove" - remove old symlinks that are no longer needed.
|
|
|
4eb1a6 |
* "refresh" - re-populate symlinks.
|
|
|
4eb1a6 |
* "list" - list files under control of update_ucode.
|
|
|
4eb1a6 |
By default, "refresh" action is executed.
|
|
|
4eb1a6 |
--kernel - kernel version to process. By default, list of kernel versions
|
|
|
4eb1a6 |
is formed based on contents of /lib/firmware and /lib/modules
|
|
|
4eb1a6 |
directories.
|
|
|
4eb1a6 |
--verbose - verbose output.
|
|
|
4eb1a6 |
--dry-run - do not call commands, just print the invocation lines.
|
|
|
4eb1a6 |
--cleanup - cleanup mode. Used by post-uninstall script during package
|
|
|
4eb1a6 |
upgrades. Removes excess files in accordance to the contents
|
|
|
4eb1a6 |
of the files provided in the arguments to the option.
|
|
|
4eb1a6 |
--skip-common - do not process /lib/firmware directory.
|
|
|
4eb1a6 |
--skip-kernel-specific - do not process /lib/firmware/KERNEL_VERSION
|
|
|
4eb1a6 |
directories.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Return value:
|
|
|
4eb1a6 |
0 on success, 1 on error.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
reload_microcode script
|
|
|
4eb1a6 |
-----------------------
|
|
|
4eb1a6 |
"reload_microcode" is a script that is called by microcode.service and
|
|
|
4eb1a6 |
triggers late microcode reloading (by writing "1" to
|
|
|
742279 |
/sys/devices/system/cpu/microcode/reload) if the following check are passed:
|
|
|
742279 |
* the microcode update performed not in a virtualised environment;
|
|
|
742279 |
* running kernel passes "check_caveats" checks that applicable to the current
|
|
|
742279 |
CPU model.
|
|
|
4eb1a6 |
|
|
|
742279 |
For a virtualised environment check, the script searches the "/proc/cpuinfo"
|
|
|
742279 |
file for presence of the "hypervisor" flag among CPU features (it corresponds
|
|
|
742279 |
to a CPUID feature bit set by hypervisors in order to inform that the kernel
|
|
|
742279 |
operates inside a virtual machine). This check can be overridden and skipped
|
|
|
742279 |
by creation of a file "/etc/microcode_ctl/ignore-hypervisor-flag".
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
The script has no options and always returns 0.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
99microcode_ctl-fw_dir_override dracut module
|
|
|
4eb1a6 |
---------------------------------------------
|
|
|
4eb1a6 |
This dracut module injects directories with microcode files for caveats
|
|
|
4eb1a6 |
that pass "early" check_caveats check (with "-e" flag). In addition
|
|
|
742279 |
to "check_caveats" overrides, the following abilities to control module's
|
|
|
742279 |
behaviour are present:
|
|
|
4eb1a6 |
* Presence of one of the following files:
|
|
|
4eb1a6 |
- /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check
|
|
|
4eb1a6 |
- /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check-$cfg
|
|
|
4eb1a6 |
- /lib/firmware/$kver/skip-host-only-check
|
|
|
4eb1a6 |
- /lib/firmware/$kver/skip-host-only-check-$cfg
|
|
|
4eb1a6 |
(where "$kver" is the kernel version in question and "$cfg" is the caveat
|
|
|
4eb1a6 |
directory name) allows skipping matching of microcode file name when dracut's
|
|
|
4eb1a6 |
Host-Only mode is enabled.
|
|
|
4eb1a6 |
|
|
|
742279 |
When caveats_check succeeds, caveats directory (not its possibly populated
|
|
|
742279 |
version for late microcode update: "/lib/firmware/KERNEL_VERSION";
|
|
|
742279 |
it is done so in order
|
|
|
742279 |
to have ability to configure list of caveats enabled for early and late
|
|
|
742279 |
microcode update, independently) is added to dracut's list of firmware search
|
|
|
742279 |
directories.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
The module can be disabled by running dracut with
|
|
|
742279 |
"-o microcode_ctl-fw_dir_override" (for one-time exclusion), or it can
|
|
|
742279 |
be disabled permanently by uncommenting string
|
|
|
742279 |
"omit_dracutmodules+=' microcode_ctl-fw_dir_override '" in
|
|
|
742279 |
/usr/lib/dracut/dracut.conf.d/99-microcode-override.conf configuration file.
|
|
|
742279 |
|
|
|
742279 |
See dracut(8), section "Omitting dracut Modules", and dracut.conf(5), variable
|
|
|
742279 |
"omit_dracutmodules" for additional information.
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Caveats
|
|
|
4eb1a6 |
=======
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Intel Broadwell-EP/EX ("BDX-ML B/M/R0") caveat
|
|
|
4eb1a6 |
----------------------------------------------
|
|
|
742279 |
Microcode update process on Intel Broadwell-EP/EX CPUs (BDX-ML B/M/R0,
|
|
|
742279 |
family 6, model 79, stepping 1) has issues that lead to system instability.
|
|
|
742279 |
A series of changes for the Linux kernel has been developed in order to work
|
|
|
742279 |
around those issues; however, as it turned out, some systems have issues even
|
|
|
742279 |
when a microcode update performed on a kernel that contains those changes.
|
|
|
742279 |
As a result, microcode update for this CPU model is disabled by default;
|
|
|
742279 |
the microcode file, however, is still shipped as a part of microcode_ctl
|
|
|
742279 |
package and can be used for performing a microcode update if it is enforced
|
|
|
f3c512 |
via the aforementioned overrides. (See the sections "check_caveats script"
|
|
|
ee041c |
and "reload_microcode script" for details.)
|
|
|
4eb1a6 |
|
|
|
f3c512 |
Caveat name: intel-06-4f-01
|
|
|
f3c512 |
|
|
|
4eb1a6 |
Affected microcode: intel-ucode/06-4f-01.
|
|
|
4eb1a6 |
|
|
|
6c53eb |
Mitigation: microcode loading is disabled for the affected CPU model.
|
|
|
4eb1a6 |
|
|
|
742279 |
Minimum versions of the kernel package that contain the aforementioned patch
|
|
|
742279 |
series:
|
|
|
742279 |
- Upstream/RHEL 8: 4.17.0
|
|
|
742279 |
- RHEL 7.6 onwards: 3.10.0-894
|
|
|
4eb1a6 |
- RHEL 7.5: 3.10.0-862.6.1
|
|
|
4eb1a6 |
- RHEL 7.4: 3.10.0-693.35.1
|
|
|
4eb1a6 |
- RHEL 7.3: 3.10.0-514.52.1
|
|
|
4eb1a6 |
- RHEL 7.2: 3.10.0-327.70.1
|
|
|
4eb1a6 |
- RHEL 6.10: 2.6.32-754.1.1
|
|
|
4eb1a6 |
- RHEL 6.7: 2.6.32-573.58.1
|
|
|
4eb1a6 |
- RHEL 6.6: 2.6.32-504.71.1
|
|
|
4eb1a6 |
- RHEL 6.5: 2.6.32-431.90.1
|
|
|
4eb1a6 |
- RHEL 6.4: 2.6.32-358.90.1
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
|
|
|
4eb1a6 |
Early microcode load inside a virtual machine
|
|
|
4eb1a6 |
---------------------------------------------
|
|
|
742279 |
RHEL 7 kernel supports performing microcode update during early boot stage
|
|
|
742279 |
from a cpio archive placed at the beginning of the initramfs image. However,
|
|
|
742279 |
when an early microcode update is attempted inside some virtualised
|
|
|
742279 |
environments, that may result in unexpected system behaviour.
|
|
|
4eb1a6 |
|
|
|
f3c512 |
Caveat name: intel
|
|
|
f3c512 |
|
|
|
4eb1a6 |
Affected microcode: all.
|
|
|
4eb1a6 |
|
|
|
f3c512 |
Mitigation: early microcode loading is disabled for all CPU models on kernels
|
|
|
f3c512 |
without the fix.
|
|
|
4eb1a6 |
|
|
|
6c53eb |
Minimum versions of the kernel package that contain the fix:
|
|
|
742279 |
- Upstream/RHEL 8: 4.10.0
|
|
|
742279 |
- RHEL 7.6 onwards: 3.10.0-930
|
|
|
4eb1a6 |
- RHEL 7.5: 3.10.0-862.14.1
|
|
|
4eb1a6 |
- RHEL 7.4: 3.10.0-693.38.1
|
|
|
4eb1a6 |
- RHEL 7.3: 3.10.0-514.57.1
|
|
|
6c53eb |
- RHEL 7.2: 3.10.0-327.73.1
|
|
|
742279 |
|
|
|
742279 |
|
|
|
ee041c |
Intel Sandy Bridge-E/EN/EP caveat
|
|
|
ee041c |
---------------------------------
|
|
|
9db7ba |
Microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6,
|
|
|
9db7ba |
model 45, stepping 7), that was released to address MDS vulnerability,
|
|
|
9db7ba |
and was available from microcode-20190618 up to microcode-20190508 release)
|
|
|
9db7ba |
could lead to system instability[1][2]. In order to address this,
|
|
|
9db7ba |
this microcode update was not used and the previous microcode revision
|
|
|
9db7ba |
was provided instead by default; the microcode file, however, was still shipped
|
|
|
9db7ba |
as part of microcode_ctl package and could be used for performing a microcode
|
|
|
9db7ba |
update if it is enforced via the aforementioned overrides. With the release
|
|
|
9db7ba |
of 0x71a revision of the microcode (as art of microcode-20200520 release)
|
|
|
9db7ba |
that aims at fixing the aforementioned stability issue, the latest microcode
|
|
|
9db7ba |
revision is again used by default; it is still provided via the caveat
|
|
|
9db7ba |
mechanism, hovewer, in order to enable ability to disable it in case such
|
|
|
9db7ba |
a need arises. (See the sections "check_caveats script" and "reload_microcode
|
|
|
9db7ba |
script" for details regarding caveats mechanism operation.)
|
|
|
f3c512 |
|
|
|
347126 |
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
|
|
|
347126 |
[2] https://access.redhat.com/solutions/4593951
|
|
|
347126 |
|
|
|
f3c512 |
Caveat name: intel-06-2d-07
|
|
|
ee041c |
|
|
|
ee041c |
Affected microcode: intel-ucode/06-2d-07.
|
|
|
ee041c |
|
|
|
9db7ba |
Mitigation: None; the latest revision of the microcode file is used by default;
|
|
|
9db7ba |
previously published microcode revision 0x714 is still available as a fallback
|
|
|
9db7ba |
as part of "intel" caveat.
|
|
|
ee041c |
|
|
|
ee041c |
|
|
|
f3c512 |
Intel Skylake-SP/W/X caveat
|
|
|
f3c512 |
---------------------------
|
|
|
9db7ba |
Microcode revision 0x2000065 (that was provided with microcode releases
|
|
|
9db7ba |
microcode-20191112 up to microcode-20200520) for some CPU models that belong
|
|
|
9db7ba |
to Intel Skylake Scalable Platform (SKL-W/X, family 6, model 85, stepping 4,
|
|
|
9db7ba |
Workstation/HEDT segments) could lead to hangs during reboot[1]. In order
|
|
|
9db7ba |
to address this, by default this microcode update was disabled by default and
|
|
|
9db7ba |
and the previous 0x2000064 microcode revision was used instead; the microcode
|
|
|
9db7ba |
file with, however, is still shipped as part of microcode_ctl package and can
|
|
|
9db7ba |
be used for performing a microcode update if it is enforced
|
|
|
9db7ba |
via the aforementioned overrides. With the availability of 0x2006906 revision
|
|
|
9db7ba |
of the microcode (in the microcode-20200609 release) that fixes
|
|
|
9db7ba |
the aforementioned issue, the latest microcode revision is again used
|
|
|
9db7ba |
by default; it is still provided via caveat mechanism, hovewer, in order
|
|
|
9db7ba |
to enable ability to disable it in case such a need arises. (See the sections
|
|
|
9db7ba |
"check_caveats script" and "reload_microcode script" for details regarding
|
|
|
9db7ba |
caveats mechanism operation.)
|
|
|
347126 |
|
|
|
347126 |
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
|
|
|
f3c512 |
|
|
|
f3c512 |
Caveat name: intel-06-55-04
|
|
|
f3c512 |
|
|
|
f3c512 |
Affected microcode: intel-ucode/06-55-04.
|
|
|
f3c512 |
|
|
|
9db7ba |
Mitigation: None; the latest revision of the microcode file is used by default;
|
|
|
9db7ba |
previously published microcode revision 0x2000064 is still available
|
|
|
9db7ba |
as a fallback as part of "intel" caveat.
|
|
|
9db7ba |
|
|
|
9db7ba |
|
|
|
9db7ba |
Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats
|
|
|
9db7ba |
----------------------------------------
|
|
|
9db7ba |
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3;
|
|
|
9db7ba |
and SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of system
|
|
|
9db7ba |
hangs when revision 0xdc of microcode, that is included in microcode-20200609
|
|
|
9db7ba |
update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549,
|
|
|
9db7ba |
is applied[1][2]. In order to address this, microcode update to the newer
|
|
|
9db7ba |
revision has been disabled by default on these systems, and the previously
|
|
|
9db7ba |
published microcode revision 0xd6 is used instead; the newer microcode files,
|
|
|
9db7ba |
however, are still shipped as part of microcode_ctl package and can be used
|
|
|
9db7ba |
for performing a microcode update if they are enforced via the aforementioned
|
|
|
9db7ba |
overrides. (See the sections "check_caveats script" and "reload_microcode
|
|
|
9db7ba |
script" for details.)
|
|
|
9db7ba |
|
|
|
9db7ba |
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
|
|
|
9db7ba |
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
|
|
|
9db7ba |
|
|
|
9db7ba |
Caveat names: intel-06-4e-03, intel-06-5e-03
|
|
|
9db7ba |
|
|
|
9db7ba |
Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03.
|
|
|
9db7ba |
|
|
|
9db7ba |
Mitigation: previously published microcode revision 0xd6 is used by default.
|
|
|
f3c512 |
|
|
|
f3c512 |
|
|
|
ee041c |
|
|
|
742279 |
Additional information
|
|
|
742279 |
======================
|
|
|
ee041c |
Red Hat provides updated microcode, developed by its microprocessor partners,
|
|
|
ee041c |
as a customer convenience. Please contact your hardware vendor to determine
|
|
|
ee041c |
whether more recent BIOS/firmware updates are recommended because additional
|
|
|
ee041c |
improvements may be available.
|
|
|
6c53eb |
|
|
|
6c53eb |
Information regarding microcode revisions required for mitigating specific
|
|
|
f3c512 |
Intel CPU vulnerabilities is available in the following knowledge base articles:
|
|
|
742279 |
* CVE-2017-5715 ("Spectre"):
|
|
|
742279 |
https://access.redhat.com/articles/3436091
|
|
|
742279 |
* CVE-2018-3639 ("Speculative Store Bypass"):
|
|
|
742279 |
https://access.redhat.com/articles/3540901
|
|
|
742279 |
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
|
|
|
742279 |
https://access.redhat.com/articles/3562741
|
|
|
6c53eb |
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
|
|
|
6c53eb |
("Microarchitectural Data Sampling"):
|
|
|
6c53eb |
https://access.redhat.com/articles/4138151
|
|
|
f3c512 |
* CVE-2019-0117 (Intel SGX Information Leak),
|
|
|
f3c512 |
CVE-2019-0123 (Intel SGX Privilege Escalation),
|
|
|
f3c512 |
CVE-2019-11135 (TSX Asynchronous Abort),
|
|
|
f3c512 |
CVE-2019-11139 (Voltage Setting Modulation):
|
|
|
f3c512 |
https://access.redhat.com/solutions/2019-microcode-nov
|
|
|
9db7ba |
* CVE-2020-0543 (Special Register Buffer Data Sampling),
|
|
|
9db7ba |
CVE-2020-0548 (Vector Register Data Sampling),
|
|
|
9db7ba |
CVE-2020-0549 (L1D Cache Eviction Sampling):
|
|
|
9db7ba |
https://access.redhat.com/solutions/5142751
|