From 74227907abcc71ac58ef0a65b0ffa8950cbf2800 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 14 2019 17:24:37 +0000
Subject: import microcode_ctl-2.1-47.2.el7_6
---
diff --git a/.gitignore b/.gitignore
index 6d0223b..5a813eb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/microcode-20180807a.tgz
+SOURCES/microcode-20190507_Public_DEMO.tar.gz
 SOURCES/microcode_ctl-2.1-18.tar.xz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index 8ab3274..1f020cb 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -1,2 +1,2 @@
-20001bc89a46a40015d12f329910e4eb263d4e82 SOURCES/microcode-20180807a.tgz
+e4348dac784e84458d1972c356ce772d58ce6b0e SOURCES/microcode-20190507_Public_DEMO.tar.gz
 3959afc5d69a916a730131ce0f768db263e9e4f1 SOURCES/microcode_ctl-2.1-18.tar.xz
diff --git a/SOURCES/06-4f-01_readme b/SOURCES/06-4f-01_readme
index 1eaa758..f79f58d 100644
--- a/SOURCES/06-4f-01_readme
+++ b/SOURCES/06-4f-01_readme
@@ -1,52 +1,73 @@ -The microcode for Intel Broadwell-EP/EX (BDX-ML B/M/R0, family 6, model 79, -stepping 1) processors requires a kernel with specific commits present, -otherwise it might result in unexpected system behaviour. In order -to handle this, /usr/libexec/microcode_ctl/update_ucode script creates -necessary symlinks to make it available only on kernels with the aforementioned -patches present. The required patches are present in the following versions -of the kernel package: - RHEL 7.6: kernel-3.10.0-894 or newer; - RHEL 7.5.z: kernel-3.10.0-862.6.1 or newer; - RHEL 7.4.z: kernel-3.10.0-693.35.1 or newer; - RHEL 7.3.z: kernel-3.10.0-514.52.1 or newer; - RHEL 7.2.z: kernel-3.10.0-327.70.1 or newer. - -Please use the version of the kernel with the aforementioned patches when -running on Intel Broadwell EP/EX processors in order to have the microcode -updated. - -If you want to avoid late loading of this ucode for a specific kernel, please -create "disallow-late-06-4f-01" file inside /lib/firmware/ -directory and run /usr/libexec/microcode_ctl/update_ucode script: - - touch /lib/firmware/3.10.0-862.9.1/disallow-late-06-4f-01 +Intel Broadwell-EP/EX (BDX-ML B/M/R0, family 6, model 79, stepping 1) has issues +with microcode update that may lead to a system hang; while some changes +to the Linux kernel have been made in an attempt to address these issues, +they were not eliminated, so a possibility of unstable system behaviour +after a microcode update performed on a running system is still present even +on a kernels that contain aforementioned changes. As a result, microcode update +for this CPU model has been disabled by default. 
+ +For the reference, kernel versions for the respective RHEL minor versions +that contain the aforementioned changes, are listed below: + * Upstream/RHEL 8: kernel-4.17.0 or newer; + * RHEL 7.6 onwards: kernel-3.10.0-894 or newer; + * RHEL 7.5.z: kernel-3.10.0-862.6.1 or newer; + * RHEL 7.4.z: kernel-3.10.0-693.35.1 or newer; + * RHEL 7.3.z: kernel-3.10.0-514.52.1 or newer; + * RHEL 7.2.z: kernel-3.10.0-327.70.1 or newer. + +Please contact you system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + +The information regarding enforcing microcode load is provided below. + +For enforcing addition of this microcode to the firmware directory +for a specific kernel, where it is available for a late microcode update, +please create a file "force-late-intel-06-4f-01" inside +/lib/firmware/ directory and run +"/usr/libexec/microcode_ctl/update_ucode": + + touch /lib/firmware/3.10.0-862.9.1/force-late-intel-06-4f-01 /usr/libexec/microcode_ctl/update_ucode -If you want to avoid late loading of this microcode for all kernels, please -create "disallow-late-06-4f-01" file inside /etc/microcode_ctl/ucode_with -caveats directory and run /usr/libexec/microcode_ctl/update_ucode script: +After that, it is possible to perform a late microcode update by executing +"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to +"/sys/devices/system/cpu/microcode/reload" directly. 
- mkdir -p /etc/microcode_ctl/ucode_with_caveats - touch /etc/microcode_ctl/ucode_with_caveats/disallow-late-06-4f-01 +For enforcing addition of this microcode to firmware directories for all +kernels, please create a file +"/etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01" +and run "/usr/libexec/microcode_ctl/update_ucode": + + touch /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01 /usr/libexec/microcode_ctl/update_ucode -If you want to enforce addition of this microcode to the firmware directory -for a specific kernel, please create "force-late-06-4f-01" file inside -/lib/firmware/ directory and run -dracut -f --kver "": +For enforcing early load of this microcode for a specific kernel, please +create a file "force-early-intel-06-4f-01" inside +"/lib/firmware/" directory and run +"dracut -f --kver ": - touch /lib/firmware/3.10.0-862.9.1/force-early-06-4f-01 + touch /lib/firmware/3.10.0-862.9.1/force-early-intel-06-4f-01 dracut -f --kver 3.10.0-862.9.1 -If you want to enforce addition of this microcode for all kernels, add a line -"06-4f-01" to the file /etc/microcode_ctl/force-early-microcode and run -dracut -f --regenerate-all: +For enforcing early load of this microcode for all kernels, please +create a file "/etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01" +and run dracut -f --regenerate-all: - echo 06-4f-01 >> /etc/microcode_ctl/force-early-microcode + touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01 dracut -f --regenerate-all -If you want avoid removal of the ucode file during cleanup, please remove the -corresponding readme file (copy of this file in /lib/firmware/). +If you want avoid removal of the microcode file during cleanup performed by +/usr/libexec/microcode_ctl/update_ucode, please remove the corresponding readme +file (/lib/firmware//readme-intel-06-4f-01). -See /usr/share/doc/microcode_ctl/README.caveats for additional information. 
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/99-microcode-override.conf b/SOURCES/99-microcode-override.conf new file mode 100644 index 0000000..c898801 --- /dev/null +++ b/SOURCES/99-microcode-override.conf @@ -0,0 +1,7 @@ +## Uncomment the following line in order to disable +## microcode_ctl module that is used for $fw_dir variable overriding. +## +## Please refer to /usr/share/doc/microcode_ctl/README.caveats +## for additional information. +## +#omit_dracutmodules+=' microcode_ctl-fw_dir_override ' diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats index a3fea12..c9471f4 100644 --- a/SOURCES/README.caveats +++ b/SOURCES/README.caveats 
@@ -1,21 +1,23 @@ -The microcode_ctl package shipped with RHEL contains provisions for the issues -with microcode loading on the old kernels. While those provisions are expected +The microcode_ctl package shipped with RHEL contains provisions for issues with +microcode loading on the old kernels. While those provisions are expected to suit most users, several knobs are provided in order to provide ability to override the default behaviour. General behaviour ================= -In RHEL 7, there are currently two main handlers for microcode update: +In RHEL 7, there are currently two main handlers for CPU microcode update: * Early microcode update. It uses GenuineIntel.bin or AuthenticAMD.bin file placed at the beginning of an initramfs image - (/boot/initramfs-KERNEL_VERSION.img) in order to update CPU microcode and - is performed very early during the boot process (if the relevant microcode - file is available). + (/boot/initramfs-KERNEL_VERSION.img, where "KERNEL_VERSION" is a kernel + version in the same format as provided by "uname -r") as a source + of microcode data, and is performed very early during the boot process + (if the relevant microcode file is available in the aforementioned file). * On-demand (late) microcode update. It can be triggered by writing "1" to /sys/devices/system/cpu/microcode/reload file (provided my the "microcode" - module). It loads microcode from a file present in one of the following - directories: + module). It relies on request_firmware infrastructure, which searches (and + loads, if found) microcode from a file present in one of the following + directories (in the search order): /lib/firmware/updates/KERNEL_VERSION/ /lib/firmware/updates/ /lib/firmware/KERNEL_VERSION/ 
@@ -38,33 +40,41 @@ zero-filled. The early microcode is placed into initramfs image by the "dracut" script, which scans the aforementioned subdirectories of the configured list of firmware -directories (by default it consists of two directories in RHEL 7, +directories (by default, the list consists of two directories in RHEL 7, "/lib/firmware/updates" and "/lib/firmware"). -In RHEL 7, AMD microcode is shipped as a part of the linux-firmware package, +In RHEL 7, AMD CPU microcode is shipped as a part of the linux-firmware package, and Intel microcode is shipped as a part of the microcode_ctl package. The microcode_ctl package currently includes the following: - * Intel microcode files, placed in /usr/share/microcode_ctl directory; - * A dracut configuration file, /usr/lib/dracut/dracut.conf.d/01-microcode.conf, - that enables inclusion of early microcode to the generated initramfs - in dracut; + * Intel CPU microcode files, placed in /usr/share/microcode_ctl/intel-ucode + directory (currently there are none); * A dracut module, /usr/lib/dracut/modules.d/99microcode_ctl-fw_dir_override, that controls which additional firmware directories will be added to dracut's default configuration; + * A dracut configuration file, /usr/lib/dracut/dracut.conf.d/01-microcode.conf, + that enables inclusion of early microcode to the generated initramfs + in dracut; + * A dracut configuration file, + /usr/lib/dracut/dracut.conf.d/99-microcode-override.conf, that provides a way + to quickly disable 99microcode_ctl-fw_dir-override dracut module; * A systemd service file, microcode.service, that triggers microcode reload late during boot; - * A set of directories in /usr/share/microcode_ctl/ucode_with_caveats, that - contain configuration and related data for various caveats related - to microcode; + * A set of directories in /usr/share/microcode_ctl/ucode_with_caveats, each + of which contains configuration and related data for various caveats related + to microcode: + * readme - 
description of caveat and related information, + * config - caveat configuration file, with syntax as described in "Caveat + configuration" section below, + * intel-ucode - directory containing microcode files related to the caveat; * A set of support scripts, placed in /usr/libexec/microcode_ctl: * "check_caveats" is an utility script that performs checks of the target kernel (and running CPU) in accordance with caveat configuration files - in ucode_with_caveats directory and reports whether it passes them or not; + in ucode_with_caveats directory and reports whether it passes them or not, * "reload_microcode" is a script that is called by microcode.service and triggers microcode reloading (by writing "1" to /sys/devices/system/cpu/microcode/reload) if the running kernel passes - check_caveats checks. + check_caveats checks, * "update_ucode" is a script that populates symlinks to microcode files in /lib/firmware, so it can be picked up by relevant kernels for the late microcode loading. @@ -169,10 +179,13 @@ Options: -v - verbose output. Environment: - MC_CAVEATS_DATA_DIR - directory that contains caveats configurations + MC_CAVEATS_DATA_DIR - directory that contains caveats configurations, + "/usr/share/microcode_ctl/ucode_with_caveats" + by default. FW_DIR - directory containing firmware files (per-kernel configuration - overrides are checked there) - CFG_DIR - directory containing global caveats overrides. + overrides are checked there), "/lib/firmware" by default. + CFG_DIR - directory containing global caveats overrides, + "/etc/microcode_ctl/ucode_with_caveats" by default. Output: Script returns information about caveats check results. Output has a format 
@@ -312,11 +325,16 @@ reload_microcode script ----------------------- "reload_microcode" is a script that is called by microcode.service and triggers late microcode reloading (by writing "1" to -/sys/devices/system/cpu/microcode/reload) if the running kernel passes -check_caveats checks that applicable to the current CPU model. +/sys/devices/system/cpu/microcode/reload) if the following check are passed: + * the microcode update performed not in a virtualised environment; + * running kernel passes "check_caveats" checks that applicable to the current + CPU model. -The script checks /proc/cpuinfo for the presence of "hypervisor" flag -and avoids triggering microcode update if it is there. +For a virtualised environment check, the script searches the "/proc/cpuinfo" +file for presence of the "hypervisor" flag among CPU features (it corresponds +to a CPUID feature bit set by hypervisors in order to inform that the kernel +operates inside a virtual machine). This check can be overridden and skipped +by creation of a file "/etc/microcode_ctl/ignore-hypervisor-flag". The script has no options and always returns 0. @@ -329,8 +347,8 @@ to skip "hypervisor" flag check. --------------------------------------------- This dracut module injects directories with microcode files for caveats that pass "early" check_caveats check (with "-e" flag). In addition -to check_caveats overrides, the following abilities to control module behaviour -are present: +to "check_caveats" overrides, the following abilities to control module's +behaviour are present: * Presence of one of the following files: - /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check - /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check-$cfg 
@@ -340,17 +358,21 @@ are present: directory name) allows skipping matching of microcode file name when dracut's Host-Only mode is enabled. -When caveats_check succeeds, caveats directory (and not -/lib/firmware/KERNEL_VERSION) is added to the list of firmware search -directories. It is done so in order to enable independent caveat enablement -for the initramfs image. +When caveats_check succeeds, caveats directory (not its possibly populated +version for late microcode update: "/lib/firmware/KERNEL_VERSION"; +it is done so in order +to have ability to configure list of caveats enabled for early and late +microcode update, independently) is added to dracut's list of firmware search +directories. The module can be disabled by running dracut with -"-o microcode_ctl-fw_dir_override" (for one-time exclusion) or by creating -a file *.conf inside /usr/lib/dracut/dracut.conf.d that contains -"omit_dracutmodules+=' microcode_ctl-fw_dir_override '" in order to disable -it permanently. See dracut(8), section "Omitting dracut Modules", and -dracut.conf(5), variable "omit_dracutmodules" for additional information. +"-o microcode_ctl-fw_dir_override" (for one-time exclusion), or it can +be disabled permanently by uncommenting string +"omit_dracutmodules+=' microcode_ctl-fw_dir_override '" in +/usr/lib/dracut/dracut.conf.d/99-microcode-override.conf configuration file. + +See dracut(8), section "Omitting dracut Modules", and dracut.conf(5), variable +"omit_dracutmodules" for additional information. Caveats 
@@ -358,16 +380,25 @@ Caveats Intel Broadwell-EP/EX ("BDX-ML B/M/R0") caveat ---------------------------------------------- -The microcode for Intel Broadwell-EP/EX (BDX-ML B/M/R0, family 6, model 79, -stepping 1) processors requires a kernel with specific commits present, -otherwise it might result in unexpected system behaviour. +Microcode update process on Intel Broadwell-EP/EX CPUs (BDX-ML B/M/R0, +family 6, model 79, stepping 1) has issues that lead to system instability. +A series of changes for the Linux kernel has been developed in order to work +around those issues; however, as it turned out, some systems have issues even +when a microcode update performed on a kernel that contains those changes. +As a result, microcode update for this CPU model is disabled by default; +the microcode file, however, is still shipped as a part of microcode_ctl +package and can be used for performing a microcode update if it is enforced +via the aforementioned overridden. (See sections "check_caveats script" +and "reload_microcode script" for details). Affected microcode: intel-ucode/06-4f-01. Mitigation: late microcode loading is disabled for the affected CPU model. -Minimum versions of kernel RPM that contain the fix: - - RHEL 7.6: 3.10.0-894 +Minimum versions of the kernel package that contain the aforementioned patch +series: + - Upstream/RHEL 8: 4.17.0 + - RHEL 7.6 onwards: 3.10.0-894 - RHEL 7.5: 3.10.0-862.6.1 - RHEL 7.4: 3.10.0-693.35.1 - RHEL 7.3: 3.10.0-514.52.1 
@@ -381,18 +412,33 @@ Minimum versions of kernel RPM that contain the fix: Early microcode load inside a virtual machine --------------------------------------------- -RHEL 7 kernel supports early microcode load from cpio archive placed -at the beginning of initramfs image. However, when early microcode loading -is attempted inside some virtualised environments, that may result -in unexpected system behaviour. +RHEL 7 kernel supports performing microcode update during early boot stage +from a cpio archive placed at the beginning of the initramfs image. However, +when an early microcode update is attempted inside some virtualised +environments, that may result in unexpected system behaviour. Affected microcode: all. Mitigation: early microcode loading is disabled for all CPU models. Minimum versions of kernel RPM that contain the fix: - - RHEL 7.6: 3.10.0-930 + - Upstream/RHEL 8: 4.10.0 + - RHEL 7.6 onwards: 3.10.0-930 - RHEL 7.5: 3.10.0-862.14.1 - RHEL 7.4: 3.10.0-693.38.1 - RHEL 7.3: 3.10.0-514.57.1 - RHEL 7.2; 3.10.0-327.73.1 + + +Additional information +====================== + +Information regarding microcode versions required for mitigating specific +side-channel cache attacks is available in the following knowledge base +articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats index dd52742..93c7406 100755 --- a/SOURCES/check_caveats +++ b/SOURCES/check_caveats 
@@ -155,6 +155,18 @@ get_vendor_id()
 /bin/sed -rn '1,/^$/s/^vendor_id[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
 }
+get_mc_path()
+{
+ case "$1" in
+ GenuineIntel)
+ echo "intel-ucode/$2"
+ ;;
+ AuthenticAMD)
+ echo "amd-ucode/$2"
+ ;;
+ esac
+}
+
 get_mc_ver()
 {
 /bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
@@ -359,6 +371,28 @@ for cfg in $(echo "${configs}"); do
 }
 fi
+ # Check paths if model filter is enabled
+ if [ 1 -eq "$match_model" -a -n "$cfg_path" ]; then
+ cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \
+ "$cpu_vendor" "${cpu_model#* }")"
+ cfg_mc_present=0
+
+ for p in $(printf "%s" "$cfg_path"); do
+ find "$MC_CAVEATS_DATA_DIR/$cfg" \
+ -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \
+ | grep -zFxq "$cpu_mc_path" \
+ || continue
+
+ cfg_mc_present=1
+ done
+
+ [ 1 = "$cfg_mc_present" ] || {
+ debug "No matching microcode files in '$cfg_path'" \
+ "for CPU model '$cpu_model', skipping"
+ continue
+ }
+ fi
+
 # Check vendor if model filter is enabled
 if [ 1 -eq "$match_model" -a -n "$cfg_vendor" ]; then
 [ "x$cpu_vendor" = "x$cfg_vendor" ] || {
diff --git a/SOURCES/disclaimer b/SOURCES/disclaimer
index 13b450c..de919a3 100644
--- a/SOURCES/disclaimer
+++ b/SOURCES/disclaimer
@@ -1,6 +1,6 @@
 This updated microcode supersedes microcode provided by Red Hat with the CVE-2017-5715 (“Spectre”) CPU branch injection vulnerability
-mitigation.
+mitigation.
 Historically, Red Hat has provided updated microcode, developed by our microprocessor partners, as a customer convenience. Red Hat had temporarily suspended this practice while microcode stabilized. Red 
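Review bot: `get_mc_path` has no `*)` arm, so for a vendor other than GenuineIntel/AuthenticAMD it prints nothing and `cpu_mc_path` collapses to `$MC_CAVEATS_DATA_DIR/$cfg/`; the `grep -zFxq` in the second hunk can then never match and the caveat is skipped with the debug message "No matching microcode files", which points at the wrong cause. An explicit arm such as `*) printf 'get_mc_path: unknown CPU vendor %s\n' "$1" >&2 ;;` keeps the skip but makes the real reason visible in the log without polluting the command substitution. `${cpu_model#* }` strips everything up to the first space, which presumably drops a leading vendor or family token; a one-line comment stating the expected format of `$cpu_model` would make the path construction checkable, since the variable is set outside this hunk. The enclosing `for cfg` loop also starts and ends outside the hunk.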
@@ -10,7 +10,7 @@ in order to simplify deployment processes and minimize downtime. We’ll continue to update these microcode packages as necessary. Please contact your hardware vendor to determine whether more recent BIOS/firmware updates are recommended because additional improvements -may be available. +may be available. This kbase https://access.redhat.com/articles/3436091 includes a table that maps Intel and AMD CPU processor code family names to updated -Intel and AMD microcode package versions. +Intel and AMD microcode package versions. diff --git a/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh b/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh index 7d88111..c14fcb9 100755 --- a/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh +++ b/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh @@ -105,7 +105,7 @@ install() { ucode_dir="intel-ucode" ;; AMD) - ucode_dir="and-ucode" + ucode_dir="amd-ucode" ;; *) dinfo " microcode_ctl: unknown CPU" \ @@ -144,8 +144,18 @@ install() { "version \"$kernel\" passed, adding" \ "\"$DATA_DIR/$i\" to fw_dir variable" fw_dir="$DATA_DIR/$i $fw_dir" + + # The list of directories is reverse-sorted in order to preserve the + # "last wins" policy in case of presence of multiple microcode + # revisions. + # + # In case of hostonly == 0, all microcode revisions will be included, + # but since the microcode search is done with the "first wins" policy + # by the (early) microcode loading code, the correct microcode revision + # still has to be picked. done <<-EOF - $(find "$DATA_DIR" -maxdepth 1 -mindepth 1 -type d -printf "%f/") + $(find "$DATA_DIR" -maxdepth 1 -mindepth 1 -type d -printf "%f/" \ + | sort -r) EOF dinfo " microcode_ctl: final fw_dir: \"${fw_dir}\"" diff --git a/SOURCES/gen_provides.sh b/SOURCES/gen_provides.sh new file mode 100755 index 0000000..0ecf7aa --- /dev/null +++ b/SOURCES/gen_provides.sh 
@@ -0,0 +1,114 @@
+#! /bin/bash -efux
+
+# Generator of RPM "Provides:" tags for Intel microcode files.
+#
+# SPDX-License-Identifier: CC0-1.0
+
+IFS=$'\n'
+UPDATED="intel-beta"
+CODENAMES="codenames"
+
+if [ "$#" -ge 1 ]; then
+ CODENAMES="$1"
+ shift
+fi
+
+# Match only FF-MM-SS ucode files under intel-ucode/intel-ucode-with-caveats
+# directories.
+for f in $(grep -E '/intel-ucode.*/[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]$'); do
+ ucode=$(basename "$f")
+ ucode_caveat="$(basename "$(dirname "$(dirname "$f")")")"
+ ucode_fname="$ucode_caveat/$ucode"
+ file_sz="$(stat -c "%s" "$f")"
+ skip=0
+
+ while :; do
+ [ "$skip" -lt "$file_sz" ] || break
+
+ # Microcode header format description:
+ # https://gitlab.com/iucode-tool/iucode-tool/blob/master/intel_microcode.c
+ IFS=' ' read hdrver rev \
+ date_y date_d date_m \
+ cpuid cksum ldrver \
+ pf_mask datasz totalsz <<- EOF
+ $(dd if="$f" bs=1 skip="$skip" count=36 status=none \
+ | hexdump -e '"" 1/4 "%u " 1/4 "%#x " \
+ 1/2 "%04x " 1/1 "%02x " 1/1 "%02x " \
+ 1/4 "%08x " 1/4 "%x " 1/4 "%#x " \
+ 1/4 "%u " 1/4 "%u " 1/4 "%u" "\n"')
+ EOF
+
+ [ 0 != "$datasz" ] || datasz=2000
+ [ 0 != "$totalsz" ] || totalsz=2048
+
+ # TODO: add some sanity/safety checks here. As of now, there's
+ # a (pretty fragile) assumption that all the matched files
+ # are valid Intel microcode files in the expected format.
+
+ skip=$((skip + totalsz))
+
+ #[ -n "$rev" ] || continue
+
+ # Basic "Provides:" tag. Everything else is bells and whistles.
+ # It's possible that microcode files for different platform_id's
+ # and the same CPUID have the same version, that's why "sort -u"
+ # in the end.
+ printf "firmware(intel-ucode/%s) = %s\n" "$ucode" "$rev"
+
+ # Generate extended "Provides:" tags with additional
+ # information, which allow more precise matching.
+ printf "iucode_date(fname:%s;cpuid:%s;pf_mask:0x%x) = %s.%s.%s\n" \
+ "$ucode_fname" "$cpuid" "$pf_mask" "$date_y" "$date_m" "$date_d"
+ printf "iucode_rev(fname:%s;cpuid:%s;pf_mask:0x%x) = %s\n" \
+ "$ucode_fname" "$cpuid" "$pf_mask" "$rev"
+
+ # Generate tags for each possible platform_id
+ _pf=1
+ _pf_mask="$pf_mask"
+ while [ 0 -lt "$_pf_mask" ]; do
+ [ 1 -ne "$((_pf_mask % 2))" ] || \
+ # We try to provide a more specific firmware()
+ # dependency here. It has incorrect file name,
+ # but allows constructing a required RPM
+ # capability name by (directly) using
+ # the contents of /proc/cpuinfo and
+ # /sys/devices/system/cpu/cpu*/microcode/processor_flags
+ # (except for a Deschutes CPU with sig 0x1632)
+ printf "iucode_rev(fname:%s;platform_id:0x%x) = %s\n" \
+ "$ucode_fname" "$_pf" "$rev"
+
+ _pf_mask=$((_pf_mask / 2))
+ _pf=$((_pf * 2))
+ done
+
+ # Generate tags with codename information, in case
+ # it is available
+ cpuid_up="$(echo "$cpuid" | tr 'a-z' 'A-Z')"
+ if [ -e "$CODENAMES" ]; then
+ grep ' '"$cpuid_up"' ' "$CODENAMES" \
+ | while IFS=$'\t' read segm int_fname codename stepping candidate_pf rest; do
+ codename=$(echo "$codename" | tr ' (),' '_[];')
+ candidate_pf=$(printf "%u" "0x${candidate_pf}")
+ [ \( 0 -ne "$pf_mask" \) -a \
+ \( "$candidate_pf" -ne "$((candidate_pf & pf_mask))" \) ] || { \
+ printf "iucode_rev(fname:%s;cpuid:%s;pf_mask:0x%x;segment:\"%s\";codename:\"%s\";stepping:\"%s\";pf_model:0x%x) = %s\n" \
+ "$ucode_fname" "$cpuid" "$pf_mask" \
+ "$segm" "$codename" "$stepping" "$candidate_pf" \
+ "$rev";
+ printf "iucode_date(fname:%s;cpuid:%s;pf_mask:0x%x;segment:\"%s\";codename:\"%s\";stepping:\"%s\";pf_model:0x%x) = %s.%s.%s\n" \
+ "$ucode_fname" "$cpuid" "$pf_mask" \
+ "$segm" "$codename" "$stepping" "$candidate_pf" \
+ "$date_y" "$date_m" "$date_d";
+ }
+ done
+ fi
+
+ # Kludge squared: generate additional "Provides:" tags
+ # for the files in the overrides tarball (that a placed
+ # in a separate caveat with a specific name)
+ [ "x${ucode_caveat}" != "x${UPDATED}" ] || {
+ printf "firmware_updated(intel-ucode/%s) = %s\n" \
+ "$ucode" "$rev";
+ }
+ done
+done | sort -u
diff --git a/SOURCES/intel_readme b/SOURCES/intel_readme
index 6250d1e..fcdf4bb 100644
--- a/SOURCES/intel_readme
+++ b/SOURCES/intel_readme
@@ -7,21 +7,21 @@ initramfs is generated for the kernel version that properly handles early microcode inside a virtual machine (i.e. do not attempts yo load it). The versions of the kernel package that properly handle early microcode load inside a virtual machine are as follows: - RHEL 7.6: kernel-3.10.0-930 or newer; - RHEL 7.5: kernel-3.10.0-862.14.1 or newer; - RHEL 7.4: kernel-3.10.0-693.38.1 or newer; - RHEL 7.3: kernel-3.10.0-514.57.1 or newer. - RHEL 7.2: kernel-3.10.0-327.73.1 or newer. - -If you want to avoid adding this ucode for a specific kernel, please create -"disallow-early-intel" file inside /lib/firmware/ directory -and run dracut -f: + * RHEL 7.6 onwards: kernel-3.10.0-930 or newer; + * RHEL 7.5: kernel-3.10.0-862.14.1 or newer; + * RHEL 7.4: kernel-3.10.0-693.38.1 or newer; + * RHEL 7.3: kernel-3.10.0-514.57.1 or newer; + * RHEL 7.2: kernel-3.10.0-327.73.1 or newer. + +If you want to avoid early load of microcode for a specific kernel, please +create "disallow-early-intel" file inside /lib/firmware/ +directory and run dracut -f --kver "": touch /lib/firmware/3.10.0-862.9.1/disallow-intel /usr/libexec/microcode_ctl/update_ucode dracut -f --kver 3.10.0-862.9.1 -If you want to skip processing of this microcode for all kernels, please create +If you want to avoid early load of microcode for all kernels, please create "disallow-early-intel" file inside the "/etc/microcode_ctl/ucode_with_caveats" directory and run dracut -f --regenerate-all: 
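Review bot: The header-parsing `while :` loop trusts whatever `dd`/`hexdump` return and has no guard for a truncated or malformed trailing record: a short read leaves `totalsz` empty, and `skip=$((skip + totalsz))` then becomes an arithmetic error that aborts the whole provides generation under `-e`, while a small non-zero `totalsz` would merely make the loop crawl through the file a few bytes at a time. A bound check right after the two fallback assignments, `[ "$totalsz" -ge 36 ] || break` (36 being the number of header bytes the `dd` actually reads), turns the fragility the TODO admits into a clean stop for the current file; comparing `hdrver`, which is parsed but never used, against the header version the format defines would tighten it further. As a point of style, the options in `#! /bin/bash -efux` are lost if the script is ever run as `bash gen_provides.sh`, and `-x` traces every command into the build log; `set -efux` on the first line is the robust spelling.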
@@ -29,17 +29,16 @@ directory and run dracut -f --regenerate-all: touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel dracut -f --kver 3.10.0-862.9.1 -If you want to enforce addition of this microcode to initramfs for a specific -kernel, please create "force-early-intel" file inside -/lib/firmware/ directory and run -dracut -f --kver "": +If you want to enforce early load of microcode for a specific kernel, please +create "force-early-intel" file inside /lib/firmware/ directory +and run dracut -f --kver "": modir -p/lib/firmware/3.10.0-862.9.1/ touch /lib/firmware/3.10.0-862.9.1/force-early-intel dracut -f --kver 3.10.0-862.9.1 -If you want to enforce addition of this microcode for all kernels, please -create "force-early-intel" file inside /etc/microcode_ctl/ucode_with_caveats +If you want to enforce early load of microcode for all kernels, please create +"force-early-intel" file inside /etc/microcode_ctl/ucode_with_caveats directory and run dracut -f --kver "": mkdir -p /etc/microcode_ctl/ucode_with_caveats
@@ -47,7 +46,8 @@ directory and run dracut -f --kver "": dracut -f --regenerate-all In order to override late load behaviour, the "early" part of file names should -be replaced with "late". +be replaced with "late" (and there is no need to call dracut in that case). -See /usr/share/doc/microcode_ctl/README.caveats for additional information. +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information.
diff --git a/SOURCES/microcode_ctl-ignore-first-directory-level-in-archive.patch b/SOURCES/microcode_ctl-ignore-first-directory-level-in-archive.patch
new file mode 100644
index 0000000..d4f136c
--- /dev/null
+++ b/SOURCES/microcode_ctl-ignore-first-directory-level-in-archive.patch
@@ -0,0 +1,13 @@
+Index: microcode_ctl-2.1-18/Makefile
+===================================================================
+--- microcode_ctl-2.1-18.orig/Makefile 2019-04-16 00:47:14.671953255 +0200
++++ microcode_ctl-2.1-18/Makefile 2019-04-16 00:57:29.656380940 +0200
+@@ -23,7 +23,7 @@
+ MICDIRINTEL = $(MICDIR)/intel-ucode
+ 
+ all: microcode_ctl
+- tar -xf $(MICROCODE_INTEL) ./intel-ucode
++ tar -xf ${MICROCODE_INTEL} --wildcards --strip-components=1 \*/intel-ucode
+ 
+ microcode_ctl: intel-microcode2ucode.c
+ $(CC) $(CFLAGS) -o $(PROGRAM) intel-microcode2ucode.c
diff --git a/SOURCES/microcode_ctl-use-microcode-20180807a-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20180807a-tgz.patch
deleted file mode 100644
index c698100..0000000
--- a/SOURCES/microcode_ctl-use-microcode-20180807a-tgz.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: microcode_ctl-2.1-18/Makefile
-===================================================================
---- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200
-+++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200
-@@ -8,7 +8,7 @@
- # 2 of the License, or (at your option) any later version.
- 
- PROGRAM = intel-microcode2ucode
--MICROCODE_INTEL = microcode-20180703.tgz
-+MICROCODE_INTEL = microcode-20180807a.tgz
- 
- INS = install
- CC = gcc
diff --git a/SOURCES/microcode_ctl-use-microcode-20190507_Public_DEMO-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20190507_Public_DEMO-tgz.patch
new file mode 100644
index 0000000..6f70806
--- /dev/null
+++ b/SOURCES/microcode_ctl-use-microcode-20190507_Public_DEMO-tgz.patch
@@ -0,0 +1,13 @@
+Index: microcode_ctl-2.1-18/Makefile
+===================================================================
+--- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200
++++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200
+@@ -8,7 +8,7 @@
+ # 2 of the License, or (at your option) any later version.
+ 
+ PROGRAM = intel-microcode2ucode
+-MICROCODE_INTEL = microcode-20180703.tgz
++MICROCODE_INTEL = microcode-20190507_Public_DEMO.tar.gz
+ 
+ INS = install
+ CC = gcc
diff --git a/SOURCES/reload_microcode b/SOURCES/reload_microcode
index 82ff2b9..5d4d1b1 100644
--- a/SOURCES/reload_microcode
+++ b/SOURCES/reload_microcode
@@ -7,7 +7,6 @@ CHECK_CAVEATS=/usr/libexec/microcode_ctl/check_caveats
 IGNORE_HYPERVISOR="/etc/microcode_ctl/ignore-hypervisor-flag"
-trigger=1
 [ -e "$IGNORE_HYPERVISOR" ] || {
 if grep -q '^flags[[:space:]]*:.* hypervisor\( .*\)\?$' /proc/cpuinfo
@@ -16,6 +15,8 @@ trigger=1
 fi
 }
-"$CHECK_CAVEATS" -m > /dev/null || trigger=0
+"$CHECK_CAVEATS" -m > /dev/null || exit 0
-[ 0 -eq "$trigger" ] || echo 2>/dev/null 1 > /sys/devices/system/cpu/microcode/reload || true
+echo 2>/dev/null 1 > /sys/devices/system/cpu/microcode/reload || :
+
+exit 0
diff --git a/SOURCES/update_ucode b/SOURCES/update_ucode
index 431148a..51c9106 100644
--- a/SOURCES/update_ucode
+++ b/SOURCES/update_ucode
@@ -164,7 +164,7 @@ while :; do
 debug " Creating symlinks in ${FW_DIR}/${INTEL_UCODE_DIR}"
 $cmd mkdir -p $verbose_opt "${FW_DIR}/${INTEL_UCODE_DIR}"
 $cmd find "${MC_DIR}/${INTEL_UCODE_DIR}" -maxdepth 1 -mindepth 1 \
- -type f -exec bash -c 'ln -s '"$verbose_opt"' '\''{}'\'' \
+ -type f -exec bash -c 'ln -fs '"$verbose_opt"' '\''{}'\'' \
 "'"${FW_DIR}/${INTEL_UCODE_DIR}/"'$(basename '\''{}'\'')"' \;
 ;;
 esac
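Review bot: `ln -fs` in the `update_ucode` hunk (and in its second hunk, `@@ -272,7`) overwrites a stale link, but GNU `ln` still dereferences a destination that is itself a symlink to a directory and creates the new link inside that directory instead of replacing it; `ln -fsn` (`--no-dereference`) makes the replacement unconditional, which is evidently what `-f` is meant to achieve here. The `find -exec bash -c '… {} …'` form that this hunk keeps splices each file name into the command text, so a name containing a single quote would break out of the quoting; the names come from the package's own `${MC_DIR}/${INTEL_UCODE_DIR}` directory, so this is a style point rather than a risk, but `bash -c '…"$1"…' _ {}` would remove the dependency on well-behaved names. The enclosing `while :` loop starts and ends outside the hunk.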
@@ -272,7 +272,7 @@ fi | while read -r i; do debug " Adding \"$FW_DIR/$k/$path\""
 $cmd mkdir -p $verbose_opt \
 "$(dirname "$FW_DIR/$k/$path")"
- $cmd ln -s $verbose_opt "$DATA_DIR/$i/$path" \
+ $cmd ln -fs $verbose_opt "$DATA_DIR/$i/$path" \
 "$FW_DIR/$k/$path"
 done
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec
index acffd2e..8f4f128 100644
--- a/SPECS/microcode_ctl.spec
+++ b/SPECS/microcode_ctl.spec
@@ -1,6 +1,6 @@
 %define upstream_version 2.1-18
-%define intel_ucode_version 20180807a
-%define intel_ucode_file_id 28087
+%define intel_ucode_version 20190507_Public_DEMO
+%define intel_ucode_file_id 28727
 %define microcode_ctl_libexec %{_libexecdir}/microcode_ctl
 %define update_ucode %{microcode_ctl_libexec}/update_ucode
 %define check_caveats %{microcode_ctl_libexec}/check_caveats
@@ -11,13 +11,14 @@ Summary: Tool to transform and deploy CPU microcode update for x86.
 Name: microcode_ctl
 Version: 2.1
-Release: 47%{?dist}
+Release: 47.2%{?dist}
 Epoch: 2
 Group: System Environment/Base
 License: GPLv2+ and Redistributable, no modification permitted
 URL: https://pagure.io/microcode_ctl
 Source0: https://releases.pagure.org/microcode_ctl/%{name}-%{upstream_version}.tar.xz
-Source1: https://downloadmirror.intel.com/%{intel_ucode_file_id}/eng/microcode-%{intel_ucode_version}.tgz
+#Source1: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
+Source1: microcode-%{intel_ucode_version}.tar.gz
 Source2: microcode.service
@@ -29,6 +30,8 @@ Source6: check_caveats
 Source7: reload_microcode
 Source8: disclaimer
+Source9: 99-microcode-override.conf
+
 Source10: 06-4f-01_readme
 Source11: 06-4f-01_config
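Review bot: The commented-out `#Source1:` line still carries `%{intel_ucode_version}`, and rpm expands macros inside comments, so a line meant to be inert is re-evaluated on every build and would break parsing if the macro value ever contained a `%` or a newline; escape it as `#Source1: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%%{intel_ucode_version}.tar.gz`, which is what rpmlint's macro-in-comment check asks for. With `Source1: microcode-%{intel_ucode_version}.tar.gz` now a bare file name, the spec records no provenance for the archive except through that comment, and `20190507_Public_DEMO` does not follow the `20180807a` date-style naming the previous `Source1` used; one comment line stating where this archive was obtained would help the next updater.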
@@ -38,11 +41,14 @@ Source21: intel_config
 Source30: README.caveats
 Source31: %{i_m2u_man}.in
+Source100: gen_provides.sh
+
 Patch1: microcode_ctl-do-not-merge-ucode-with-caveats.patch
 Patch2: microcode_ctl-revert-intel-microcode2ucode-removal.patch
 Patch3: microcode_ctl-use-microcode-%{intel_ucode_version}-tgz.patch
 Patch4: microcode_ctl-do-not-install-intel-ucode.patch
 Patch5: microcode_ctl-intel-microcode2ucode-buf-handling.patch
+Patch6: microcode_ctl-ignore-first-directory-level-in-archive.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-root
 ExclusiveArch: %{ix86} x86_64
@@ -52,6 +58,9 @@ Requires(preun): systemd
 Requires(postun): systemd
 Requires(posttrans): kernel
+%global _use_internal_dependency_generator 0
+%define __find_provides "%{SOURCE100}"
+
 %description
 The microcode_ctl utility is a companion to the microcode driver written by Tigran Aivazian .
@@ -65,8 +74,8 @@ back to the old microcode.
 %patch1 -p1
 %patch2 -p1
-# Use microcode-20180807a.tgz instead of microcode-20180703.tgz bundled with
-# upstream microcode_ctl-2.1-18.
+# Use the latest archive instead of microcode-20180703.tgz bundled
+# with upstream microcode_ctl-2.1-18.
 cp "%{SOURCE1}" .
 %patch3 -p1
@@ -75,6 +84,10 @@ cp "%{SOURCE1}" .
 %patch5 -p1
+# The archive published on github has an additional top-level directory,
+# strip it.
+%patch6 -p1
+
 %build
 make CFLAGS="$RPM_OPT_FLAGS" %{?_smp_mflags}
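Review bot: `%global _use_internal_dependency_generator 0` disables the internal generator for every dependency class, not only Provides, so Requires for the compiled `intel-microcode2ucode` binary now come from the external find-requires script instead, while `%define __find_provides "%{SOURCE100}"` hands all Provides generation to gen_provides.sh, which is not part of this diff; a comment above these two lines should say what gen_provides.sh emits and that disabling the internal generator is what makes the `__find_provides` override take effect. The changelog entry `Add "Provides:" tags generation` is currently the only explanation. Since rpmbuild runs `%{__find_provides}` as a command, gen_provides.sh presumably has to be executable in the source tree; worth confirming when that file is reviewed.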
@@ -85,11 +98,19 @@ make CFLAGS="$RPM_OPT_FLAGS" %{?_smp_mflags}
 #find intel-ucode -type f | sed 's/^/%%ghost \/lib\/firmware\//' > ghost_list
 touch ghost_list
-tar xf microcode-%{intel_ucode_version}.tgz ./intel-ucode-with-caveats ./license
+tar xf "%{SOURCE1}" --wildcards --strip-components=1 \
+ \*/license \*/releasenote
+
+# In the 20190507 release, 06-4f-01 ucode has been moved back into intel-ucode;
+# reverting it, as it is still considered unsafe:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1623630
+# https://bugzilla.redhat.com/show_bug.cgi?id=1646383
+mkdir intel-ucode-with-caveats
+mv intel-ucode/06-4f-01 intel-ucode-with-caveats/
 # man page
 sed "%{SOURCE31}" \
- -e "s/@DATE@/2018-08-28/g" \
+ -e "s/@DATE@/2019-05-09/g" \
 -e "s/@VERSION@/%{version}-%{release}/g" \
 -e "s|@MICROCODE_URL@|https://downloadcenter.intel.com/download/%{intel_ucode_file_id}|g" > "%{i_m2u_man}"
@@ -100,7 +121,8 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} INSDIR=/usr/sbin MICDIR=/usr/share/m
 mkdir -p %{buildroot}%{dracutlibdir}/dracut.conf.d
 mkdir -p %{buildroot}%{_unitdir}
 install -m 644 %{SOURCE2} -t %{buildroot}%{_unitdir}
-install -m 644 %{SOURCE3} -t %{buildroot}%{dracutlibdir}/dracut.conf.d
+install -m 644 %{SOURCE3} %{SOURCE9} \
+ -t %{buildroot}%{dracutlibdir}/dracut.conf.d
 install -m 644 %{SOURCE8} %{buildroot}/usr/share/doc/microcode_ctl/disclaimer
 mkdir -p "%{buildroot}%{dracutlibdir}/modules.d/99microcode_ctl-fw_dir_override"
@@ -119,6 +141,9 @@ install -m 644 %{SOURCE30} -t %{buildroot}/usr/share/doc/microcode_ctl/
 # Provide Intel microcode license, as it requires so
 install -m 644 license %{buildroot}/usr/share/doc/microcode_ctl/LICENSE.intel-ucode
+# Provide release notes for Intel microcode
+install -m 644 releasenote %{buildroot}/usr/share/doc/microcode_ctl/RELEASE_NOTES.intel-ucode
+
 # Handle ucode with caveats
 mkdir -p "%{buildroot}/usr/share/microcode_ctl/ucode_with_caveats/intel-06-4f-01/intel-ucode"
 install -m 644 intel-ucode-with-caveats/06-4f-01 \
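Review bot: `mv intel-ucode/06-4f-01 intel-ucode-with-caveats/` is now the only step keeping the 06-4f-01 microcode out of the unconditionally installed `intel-ucode` tree, and it presumes the `make` above has already extracted `intel-ucode/`; if a later archive stops shipping that file the `mv` fails and the build with it, which is the safe direction, so the comment should say the failure is intended before someone softens it with `mv -f` or `|| :`. A line such as `# a missing 06-4f-01 must fail the build; it must never be left in intel-ucode/` above the `mv` would do. The `tar xf "%{SOURCE1}" --wildcards --strip-components=1` call relies on the same single-top-level-directory layout that Patch6 strips for the Makefile, and a short comment there would tie the two together.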
@@ -136,6 +161,11 @@ install -m 644 %{SOURCE20} \
 install -m 644 %{SOURCE21} \
 %{buildroot}/usr/share/microcode_ctl/ucode_with_caveats/intel/config
+# Install caveat readme files to doc
+mkdir -p "%{buildroot}/usr/share/doc/microcode_ctl/caveats"
+install -m 644 "%{SOURCE10}" "%{SOURCE20}" \
+ -t "%{buildroot}/usr/share/doc/microcode_ctl/caveats/"
+
 # Man page
 install -m 755 -d %{buildroot}/%{_mandir}/man8/
 install -m 644 "%{i_m2u_man}" -t %{buildroot}/%{_mandir}/man8/
@@ -188,18 +218,18 @@ ls /usr/share/microcode_ctl/ucode_with_caveats |
 %postun
 %systemd_postun microcode.service
+ls /usr/share/microcode_ctl/intel-ucode 2> /dev/null |
+ sort > "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_after"
+comm -23 \
+ "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode" \
+ "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_after" \
+ > "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_diff"
+
 if [ -e "%{update_ucode}" ]; then
- ls /usr/share/microcode_ctl/intel-ucode 2> /dev/null |
- sort > "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_after"
 ls /usr/share/microcode_ctl/ucode_with_caveats 2> /dev/null |
 sort > "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats_after"
 comm -23 \
- "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode" \
- "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_after" \
- > "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_diff"
-
- comm -23 \
 "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats" \
 "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats_after" \
 > "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats_diff"
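Review bot: `sort` writes `microcode_ctl_un_intel-ucode_after` under whatever locale the scriptlet runs in, and the `comm -23` below compares it with `microcode_ctl_un_intel-ucode`, produced by a scriptlet outside this hunk; if the two `sort` runs see different collations, `comm` can report unsorted input or miss entries. Pin both with `LC_ALL=C sort > …` here and where the `_un_intel-ucode` file is written. Moving the listing out of the `if [ -e "%{update_ucode}" ]` guard means it now also runs on plain removal, where `ls … 2> /dev/null` of an already removed directory yields an empty list; that looks intended but deserves a one-line comment.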
@@ -208,10 +238,7 @@ if [ -e "%{update_ucode}" ]; then
 "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_diff" \
 "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats_diff" || exit 0
- rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_after"
 rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats_after"
-
- rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_diff"
 rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats_diff"
 else
 while read -r f; do
@@ -232,10 +259,14 @@ else
 fi
 rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode"
+rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_after"
+rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_diff"
+
 rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats"
 rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_file_list"
+
 exit 0
 %triggerin -- kernel
@@ -254,13 +285,23 @@ rm -rf %{buildroot}
 %{microcode_ctl_libexec}
 /usr/share/microcode_ctl
 %{dracutlibdir}/modules.d/99microcode_ctl-fw_dir_override
-%config(noreplace) %{dracutlibdir}/dracut.conf.d/01-microcode.conf
+%config(noreplace) %{dracutlibdir}/dracut.conf.d/*
 %{_unitdir}/microcode.service
 %doc /usr/share/doc/microcode_ctl/*
 %{_mandir}/man8/*
 %changelog
+* Fri May 10 2019 Eugene Syromiatnikov - 2:2.1-47.2
+- Intel CPU microcode update to 20190507_Public_DEMO.
+- Resolves: #1704374.
+
+* Fri May 10 2019 Eugene Syromiatnikov - 2:2.1-47.1
+- Intel CPU microcode update to 20190312.
+- Add "Provides:" tags generation.
+- Fix %postun script.
+- Resolves: #1704374.
+
 * Wed Sep 05 2018 Eugene Syromiatnikov - 2:2.1-47
 - Add 7.3.z kernel version to kernel_early configuration.
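Review bot: The `rm -f` lines moved to the end of %postun are skipped whenever the command that ends with `|| exit 0` in the hunk at line 208 fails (that command starts before the hunk), because `exit 0` leaves the scriptlet before the trailing cleanup; the `_un_intel-ucode`, `_intel-ucode_after`, `_intel-ucode_diff`, `_un_ucode_caveats` and `_un_file_list` state files then stay in `%{_localstatedir}/lib/rpm-state` until the next run. Changing that line to end in `|| :` instead lets the branch fall through its own `rm -f` lines and the shared cleanup, and the scriptlet still finishes with `exit 0`. The new `+rm -f` lines do run on the `else` path, which is the intended fix; only the early-exit path is missed.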