From 3bf6c4cdb30df7aa46dd69867e7eb0be7b3c7339 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Dec 15 2020 15:59:41 +0000 Subject: import microcode_ctl-20200609-2.20201112.1.el8_3 --- diff --git a/.gitignore b/.gitignore index 7a6b0b6..5eb5de5 100644 --- a/.gitignore +++ b/.gitignore @@ -4,4 +4,4 @@ SOURCES/06-55-04 SOURCES/06-5e-03 SOURCES/microcode-20190918.tar.gz SOURCES/microcode-20191115.tar.gz -SOURCES/microcode-20201027.tar.gz +SOURCES/microcode-20201112.tar.gz diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata index 7bb7733..0367497 100644 --- a/.microcode_ctl.metadata +++ b/.microcode_ctl.metadata @@ -4,4 +4,4 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03 bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz 774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz -8036bee2e4aa101bdb41a96ea051d91d357df514 SOURCES/microcode-20201027.tar.gz +010507b8a7ca0b5c4a01cd1f8a6adae5f0fd316d SOURCES/microcode-20201112.tar.gz diff --git a/SOURCES/06-4e-03_readme b/SOURCES/06-4e-03_readme index 016364f..49373e2 100644 --- a/SOURCES/06-4e-03_readme +++ b/SOURCES/06-4e-03_readme @@ -36,6 +36,10 @@ to the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 The information regarding enforcing microcode update is provided below. diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme index 7b8051a..5df5775 100644 --- a/SOURCES/06-55-04_readme +++ b/SOURCES/06-55-04_readme 
@@ -41,6 +41,10 @@ to the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 The information regarding disabling microcode update is provided below. diff --git a/SOURCES/06-5e-03_readme b/SOURCES/06-5e-03_readme index 9255d3f..9e21ac0 100644 --- a/SOURCES/06-5e-03_readme +++ b/SOURCES/06-5e-03_readme @@ -36,6 +36,10 @@ to the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 The information regarding enforcing microcode update is provided below. diff --git a/SOURCES/06-8c-01_config b/SOURCES/06-8c-01_config new file mode 100644 index 0000000..c7c5d65 --- /dev/null +++ b/SOURCES/06-8c-01_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-8c-01 +path intel-ucode/06-8c-01 +disable early late diff --git a/SOURCES/06-8c-01_disclaimer b/SOURCES/06-8c-01_disclaimer new file mode 100644 index 0000000..6e02fa6 --- /dev/null +++ b/SOURCES/06-8c-01_disclaimer @@ -0,0 +1,4 @@ +Microcode updates for Intel Tiger Lake-UP3/UP4 (family 6, model 140, stepping 1; +CPUID 0x806c1) are disabled as they may cause system instability. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-8c-01_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-8c-01_readme b/SOURCES/06-8c-01_readme new file mode 100644 index 0000000..16afb9b --- /dev/null +++ b/SOURCES/06-8c-01_readme 
@@ -0,0 +1,40 @@
+Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
+have reports of system hangs when a microcode update, that is included
+since microcode-20201110 update, is applied[1]. In order to address this,
+microcode update has been disabled by default on these systems.
+
+[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version.
+
+The information regarding enforcing microcode update is provided below.
+
+To enforce usage of the latest 06-8c-01 microcode revision for a specific kernel
+version, please create a file "force-intel-06-8c-01" inside
+/lib/firmware/ directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
+where microcode will be available for late microcode update, and run
+"dracut -f --kver ", so initramfs for this kernel version
+is regenerated and the microcode can be loaded early, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/force-intel-06-8c-01
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+After that, it is possible to perform a late microcode update by executing
+"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
+"/sys/devices/system/cpu/microcode/reload" directly.
+
+To enforce addition of this microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01", run
+"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
+and "dracut -f --regenerate-all" for enabling early microcode updates:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.
diff --git a/SOURCES/06-8e-9e-0x-0xca_readme b/SOURCES/06-8e-9e-0x-0xca_readme index ef90fdb..cef8e9b 100644 --- a/SOURCES/06-8e-9e-0x-0xca_readme +++ b/SOURCES/06-8e-9e-0x-0xca_readme @@ -104,6 +104,10 @@ to the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 The information regarding disabling microcode update is provided below. diff --git a/SOURCES/06-8e-9e-0x-dell_readme b/SOURCES/06-8e-9e-0x-dell_readme index d74c679..94b9bb6 100644 --- a/SOURCES/06-8e-9e-0x-dell_readme +++ b/SOURCES/06-8e-9e-0x-dell_readme @@ -104,6 +104,10 @@ to the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 The information regarding disabling microcode update is provided below. diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats index 2220a09..d18c2a5 100644 --- a/SOURCES/README.caveats +++ b/SOURCES/README.caveats 
@@ -630,6 +630,26 @@ Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used as a convenience for the cases where it was working well before. +Intel Tiger Lake-UP3/UP4 caveat +------------------------------- +Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140, +stepping 1) have reports of system hangs when a microcode update, +that is included since microcode-20201110 release, is applied[1]. +In order to address this, microcode update to a newer revision has been disabled +by default on these systems; the newer microcode file, however, is still shipped +as a part of microcode_ctl package and can be used for performing a microcode +update if it is enforced via the aforementioned overrides. (See the sections +"check_caveats script" and "reload_microcode script" for details.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 + +Caveat names: intel-06-8c-01 + +Affected microcode: intel-ucode/06-8c-01. + +Mitigation: microcode loading is disabled for the affected CPU model. + + Additional information ====================== @@ -658,3 +678,7 @@ Intel CPU vulnerabilities is available in the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 diff --git a/SOURCES/codenames.list b/SOURCES/codenames.list index 502fc92..be1f3d2 100644 --- a/SOURCES/codenames.list +++ b/SOURCES/codenames.list 
@@ -297,6 +297,7 @@ Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop; Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop; Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile; Mobile;;Comet Lake;K0;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile; +SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology; # sources: # https://en.wikichip.org/wiki/intel/cpuid diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec index b514f7e..826f1d7 100644 --- a/SPECS/microcode_ctl.spec +++ b/SPECS/microcode_ctl.spec @@ -1,4 +1,4 @@ -%define intel_ucode_version 20201027 +%define intel_ucode_version 20201112 %global debug_package %{nil} %define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats @@ -17,8 +17,7 @@ Release: 2.%{intel_ucode_version}.1%{?dist} Epoch: 4 License: CC0 and Redistributable, no modification permitted URL: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files -#Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz -Source0: microcode-%{intel_ucode_version}.tar.gz +Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz # (Pre-MDS) revision 0x714 of 06-2d-07 microcode Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07 @@ -112,6 +111,10 @@ Source170: 06-8e-9e-0x-dell_readme Source171: 06-8e-9e-0x-dell_config Source172: 06-8e-9e-0x-dell_disclaimer +# TGL-UP3/UP4 (CPUID 06-8c-01) hangs +Source180: 06-8c-01_readme +Source181: 06-8c-01_config +Source182: 06-8c-01_disclaimer # "Provides:" RPM tags generator Source200: gen_provides.sh @@ -173,6 +176,9 @@ tar xvvf "%{SOURCE7}" --wildcards --strip-components=2 \ '*/intel-ucode/06-[89]e-0*' popd +# Moving 06-8c-01 microcode to intel-ucode-with-caveats +mv intel-ucode/06-8c-01 intel-ucode-with-caveats/ + : %install 
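Review bot: The `Source0:` line in the `@@ -17,8 +17,7 @@` hunk of SPECS/microcode_ctl.spec now names a GitHub archive URL, but nothing next to it records how the fetched tarball is authenticated. The only integrity pin visible in this commit is the 40-hex digest for `SOURCES/microcode-20201112.tar.gz` in `.microcode_ctl.metadata`, which looks like SHA-1. Forge-generated archives may not be byte-stable if they are regenerated, so a later re-fetch may not match it. I would add a comment above the line such as `# Tarball must match the digest in .microcode_ctl.metadata; compare against the upstream release tag before bumping intel_ucode_version`. If the import tooling supports a stronger digest than SHA-1, it would be worth recording one for a firmware payload.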
@@ -222,6 +228,7 @@ install -m 644 releasenote.md \ # caveats install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \ "%{SOURCE140}" "%{SOURCE150}" "%{SOURCE160}" "%{SOURCE170}" \ + "%{SOURCE180}" \ -t "%{buildroot}/%{_pkgdocdir}/caveats/" @@ -291,6 +298,14 @@ install -m 644 "%{SOURCE170}" "%{dell_latest_inst_dir}/readme" install -m 644 "%{SOURCE171}" "%{dell_latest_inst_dir}/config" install -m 644 "%{SOURCE172}" "%{dell_latest_inst_dir}/disclaimer" +# TGL caveat +%define tgl_inst_dir %{buildroot}/%{caveat_dir}/intel-06-8c-01/ +install -m 755 -d "%{tgl_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-8c-01 -t "%{tgl_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE180}" "%{tgl_inst_dir}/readme" +install -m 644 "%{SOURCE181}" "%{tgl_inst_dir}/config" +install -m 644 "%{SOURCE182}" "%{tgl_inst_dir}/disclaimer" + # SUMMARY.intel-ucode generation # It is to be done only after file population, so, it is here, # at the end of the install stage @@ -528,6 +543,16 @@ rm -rf %{buildroot} %changelog +* Fri Nov 13 2020 Eugene Syromiatnikov - 4:20200609-2.20201112.1 +- Update Intel CPU microcode to microcode-20201112 release (#1897187): + - Addition of 06-8a-01/0x10 (LKF B2/B3) microcode at revision 0x28; + - Update of 06-7a-01/0x01 (GLK B0) microcode from revision 0x32 up + to 0x34; + - Updated releasenote file. + +* Fri Nov 13 2020 Eugene Syromiatnikov - 4:20200609-2.20201027.2 +- Disable 06-8c-01 (TGL-UP3/UP4 B1) microcode update by default. + * Thu Oct 29 2020 Eugene Syromiatnikov - 4:20200609-2.20201027.1 - Update Intel CPU microcode to microcode-20201027 release, addresses CVE-2020-8694, CVE-2020-8695, CVE-2020-8696, CVE-2020-8698
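Review bot: The `# TGL caveat` comment in the `@@ -291,6 +298,14 @@` hunk does not say that the installed `06-8c-01` file is shipped but deliberately withheld from loading. That matters to anyone auditing why hosts with this CPU stay on the firmware-provided microcode revision. The gate is the `disable early late` line in `06-8c-01_config`, and the override is the `force-intel-06-8c-01` file described in the readme. Whatever fixes the blocked revision carries reach those hosts only through a BIOS update or that override. I would expand the comment to something like `# TGL caveat: 06-8c-01 is packaged but not loaded (config: "disable early late"); hosts keep the BIOS revision unless force-intel-06-8c-01 is created`. The `mv intel-ucode/06-8c-01 intel-ucode-with-caveats/` comment in the `@@ -173,6 +176,9 @@` %prep hunk has the same gap and could state that the move keeps the file out of the default `intel-ucode/` install set. The steps that consume `intel-ucode/` lie outside these hunks, so that effect is inferred.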