From 81200a4e1767e6fc669ed44ab75f745669854b7e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 28 2020 08:28:48 +0000 Subject: import microcode_ctl-20200609-2.el8 --- diff --git a/.gitignore b/.gitignore index 73b7846..200d924 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,7 @@ SOURCES/06-2d-07 +SOURCES/06-4e-03 SOURCES/06-55-04 +SOURCES/06-5e-03 +SOURCES/microcode-20190918.tar.gz SOURCES/microcode-20191115.tar.gz +SOURCES/microcode-20200609.tar.gz diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata index 49611a4..c0d8e72 100644 --- a/.microcode_ctl.metadata +++ b/.microcode_ctl.metadata @@ -1,3 +1,7 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07 +06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03 2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04 +86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03 +bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz 774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz +c2a433c1f68c2dc5b752bd7dddf204ea89ad5761 SOURCES/microcode-20200609.tar.gz diff --git a/SOURCES/06-2d-07_config b/SOURCES/06-2d-07_config index 23e1d08..979455d 100644 --- a/SOURCES/06-2d-07_config +++ b/SOURCES/06-2d-07_config @@ -1,3 +1,13 @@ model GenuineIntel 06-2d-07 path intel-ucode/06-2d-07 -disable early late +## The "kernel_early" statements are carried over from the intel caveat config +## in order to avoid enabling this newer microcode on these problematic kernels; +## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme +## (That also means that this caveat has to be enforced separately on these +## kernels.) +kernel_early 4.10.0 +kernel_early 3.10.0-930 +kernel_early 3.10.0-862.14.1 +kernel_early 3.10.0-693.38.1 +kernel_early 3.10.0-514.57.1 +kernel_early 3.10.0-327.73.1 diff --git a/SOURCES/06-2d-07_disclaimer b/SOURCES/06-2d-07_disclaimer index c8d99c4..ae71a34 100644 --- a/SOURCES/06-2d-07_disclaimer +++ b/SOURCES/06-2d-07_disclaimer @@ -1,4 +1,4 @@ MDS-related microcode update for Intel Sandy Bridge-EP (family 6, model 45, -stepping 7; CPUID 0x206d7) CPUs is disabled as it may cause system instability. +stepping 7; CPUID 0x206d7) CPUs is disabled. Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-2d-07_readme b/SOURCES/06-2d-07_readme index 60c20d4..e5e575b 100644 --- a/SOURCES/06-2d-07_readme +++ b/SOURCES/06-2d-07_readme @@ -1,17 +1,23 @@ Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7) -have issues with MDS-related microcode update that may lead to a system hang -after a microcode update. In order to address this, microcode update -to the MDS-related revision 0x718 has been disabled, and the previously +had issues with MDS-related microcode update that may lead to a system hang +after a microcode update[1][2]. In order to address this, microcode update +to the MDS-related revision 0x718 had been disabled, and the previously published microcode revision 0x714 is used by default for the OS-driven -microcode update. +microcode update. The revision 0x71a of the microcode is intended to fix +the aforementioned issue, hence it is enabled by default (but can be disabled +explicitly; see below). + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15 +[2] https://access.redhat.com/solutions/4593951 For the reference, SHA1 checksums of 06-2d-07 microcode files containing microcode revisions in question are listed below: * 06-2d-07, revision 0x714: bcf2173cd3dd499c37defbc2533703cfa6ec2430 * 06-2d-07, revision 0x718: 837cfebbfc09b911151dfd179082ad99cf87e85d + * 06-2d-07, revision 0x71a: 4512c8149e63e5ed15f45005d7fb5be0041f66f6 Please contact your system vendor for a BIOS/firmware update that contains -the latest microcode version. For the information regarding microcode versions +the latest microcode version. For the information regarding microcode versions required for mitigating specific side-channel cache attacks, please refer to the following knowledge base articles: * CVE-2017-5715 ("Spectre"): @@ -24,30 +30,27 @@ to the following knowledge base articles: ("Microarchitectural Data Sampling"): https://access.redhat.com/articles/4138151 -The information regarding enforcing microcode load is provided below. +The information regarding disabling microcode update is provided below. -To enforce usage of the 0x718 microcode revision for a specific kernel version, -please create file "force-intel-06-2d-07" inside /lib/firmware/ -directory, run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware -directory where microcode will be available for late microcode update, -and run "dracut -f --kver ", so initramfs for this kernel -version is regenerated and the microcode can be loaded early, for example: +To disable usage of the newer microcode revision for a specific kernel +version, please create file "disallow-intel-06-2d-07" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory +where microcode will be available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated and the microcode can be loaded early, for example: - touch /lib/firmware/3.10.0-862.9.1/force-intel-06-2d-07 + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-2d-07 /usr/libexec/microcode_ctl/update_ucode dracut -f --kver 3.10.0-862.9.1 -After that, it is possible to perform a late microcode update by executing -"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to -"/sys/devices/system/cpu/microcode/reload" directly. - -To enforce addition of this microcode for all kernels, please create file -"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07", run -"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, -and "dracut -f --regenerate-all" for enabling early microcode updates: +To avoid addition of the newer microcode revision for all kernels, please create +file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07", run +"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates, +and "dracut -f --regenerate-all" for early microcode updates: mkdir -p /etc/microcode_ctl/ucode_with_caveats - touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07 + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07 /usr/libexec/microcode_ctl/update_ucode dracut -f --regenerate-all diff --git a/SOURCES/06-4e-03_config b/SOURCES/06-4e-03_config new file mode 100644 index 0000000..bee51b2 --- /dev/null +++ b/SOURCES/06-4e-03_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-4e-03 +path intel-ucode/06-4e-03 +disable early late diff --git a/SOURCES/06-4e-03_disclaimer b/SOURCES/06-4e-03_disclaimer new file mode 100644 index 0000000..ec27ef7 --- /dev/null +++ b/SOURCES/06-4e-03_disclaimer @@ -0,0 +1,5 @@ +Microcode revisions 0xda and higher for Intel Skylake-U/Y (family 6, +model 78, stepping 3; CPUID 0x406e3) are disabled as they may cause system +instability; the previously published revision 0xd6 is used instead. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-4e-03_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-4e-03_readme b/SOURCES/06-4e-03_readme new file mode 100644 index 0000000..e221544 --- /dev/null +++ b/SOURCES/06-4e-03_readme @@ -0,0 +1,68 @@ +Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3) +have reports of system hangs when revision 0xdc of microcode, that is included +since microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548, +and CVE-2020-0549, is applied[1]. In order to address this, microcode update +to the newer revision has been disabled by default on these systems, +and the previously published microcode revision 0xd6 is used by default +for the OS-driven microcode update. + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 + +For the reference, SHA1 checksums of 06-55-04 microcode files containing +microcode revisions in question are listed below: + * 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e + * 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 + +The information regarding enforcing microcode update is provided below. + +To enforce usage of the latest 06-4e-03 microcode revision for a specific kernel +version, please create a file "force-intel-06-4e-03" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory +where microcode will be available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated and the microcode can be loaded early, for example: + + touch /lib/firmware/3.10.0-862.9.1/force-intel-06-4e-03 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +After that, it is possible to perform a late microcode update by executing +"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to +"/sys/devices/system/cpu/microcode/reload" directly. + +To enforce addition of this microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03", run +"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, +and "dracut -f --regenerate-all" for enabling early microcode updates: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/06-4f-01_disclaimer b/SOURCES/06-4f-01_disclaimer index d5bc60d..c978958 100644 --- a/SOURCES/06-4f-01_disclaimer +++ b/SOURCES/06-4f-01_disclaimer @@ -1,4 +1,4 @@ -microcode update for Intel Broadwell-EP/EX (BDX-ML B/M/R0; family 6, model 79, +Microcode update for Intel Broadwell-EP/EX (BDX-ML B/M/R0; family 6, model 79, stepping 1; CPUID 0x406f1) CPUs is disabled as it may cause system instability. Please refer to /usr/share/doc/microcode_ctl/caveats/06-4f-01_readme and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-55-04_config b/SOURCES/06-55-04_config index 6ba6d76..373c8ac 100644 --- a/SOURCES/06-55-04_config +++ b/SOURCES/06-55-04_config @@ -1,3 +1,22 @@ model GenuineIntel 06-55-04 path intel-ucode/06-55-04 -disable early late +## Bug https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 +## affects only SKX-W/X (Workstation and HEDT segments); product segment +## can be determined by checking bits 5..3 of the CAPID0 field in PCU registers +## device (see https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13 +## for Server/FPGA/Fabric segments description; for SKX-W/X no public +## documentation seems to be available). Specific device/function numbers +## are provided for speeding up the search only, VID:DID is the real selector. +## Commented out since revision 0x2006906 seems to fix the issue. +#pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8 +## The "kernel_early" statements are carried over from the intel caveat config +## in order to avoid enabling this newer microcode on these problematic kernels; +## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme +## (That also means that this caveat has to be enforced separately on these +## kernels.) +kernel_early 4.10.0 +kernel_early 3.10.0-930 +kernel_early 3.10.0-862.14.1 +kernel_early 3.10.0-693.38.1 +kernel_early 3.10.0-514.57.1 +kernel_early 3.10.0-327.73.1 diff --git a/SOURCES/06-55-04_disclaimer b/SOURCES/06-55-04_disclaimer index 238d233..66d71bd 100644 --- a/SOURCES/06-55-04_disclaimer +++ b/SOURCES/06-55-04_disclaimer @@ -1,6 +1,5 @@ -Microcode revision 0x2000065 for Intel Skylake-SP/X/W (family 6, model 85, -stepping 4; CPUID 0x50654) CPUs that has been included into microcode-20191112 -release is disabled as it may cause system instability and the previous revision -0x2000064 is used instead. +Microcode revisions 0x2000065 and higher for Intel Skylake-X/W (family 6, +model 85, stepping 4; CPUID 0x50654) were disabled as they could cause system +hangs on reboot, so the previous revision 0x2000064 was used instead. Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-04_readme and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme index 41fb757..097e07b 100644 --- a/SOURCES/06-55-04_readme +++ b/SOURCES/06-55-04_readme @@ -1,14 +1,22 @@ -Intel Skulake Scalable Platform CPU models (SKL-SP/W/X, family 6, model 85, -stepping 4) have reports of system hangs when revision 0x2000065 of microcode, -that is included since microcode-20191112 update, is applied. In order -to address this, microcode update to this revision has been disabled, -and the previously published microcode revision 0x2000064 is used by default -for the OS-driven microcode update. +Intel Skylake Scalable Platform CPU models that belong to Workstation and HEDT +(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports +of system hangs on reboot when revision 0x2000065 of microcode, that was included +from microcode-20191112 update up to microcode-20200520 update, was applied[1]. +In order to address this, microcode update to the newer revision had been +disabled by default on these systems, and the previously published microcode +revision 0x2000064 is used by default for the OS-driven microcode update. + +Since revision 0x2006906 (included with the microcode-20200609 release) +it is reported that the issue is no longer present, so the newer microcode +revision is enabled by default now (but can be disabled explicitly; see below). + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 For the reference, SHA1 checksums of 06-55-04 microcode files containing microcode revisions in question are listed below: * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23 + * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967 Please contact your system vendor for a BIOS/firmware update that contains the latest microcode version. For the information regarding microcode versions @@ -28,32 +36,32 @@ to the following knowledge base articles: CVE-2019-11135 (TSX Asynchronous Abort), CVE-2019-11139 (Voltage Setting Modulation): https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 -The information regarding enforcing microcode update is provided below. +The information regarding disabling microcode update is provided below. -To enforce usage of the 0x2000065 microcode revision for a specific kernel -version, please create a file "force-intel-06-55-04" inside +To disable usage of the newer microcode revision for a specific kernel +version, please create a file "disallow-intel-06-55-04" inside /lib/firmware/ directory, run -"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory -where microcode will be available for late microcode update, and run -"dracut -f --kver ", so initramfs for this kernel version -is regenerated and the microcode can be loaded early, for example: +"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory +used for late microcode updates, and run "dracut -f --kver " +so initramfs for this kernel version is regenerated, for example: - touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-04 + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04 /usr/libexec/microcode_ctl/update_ucode dracut -f --kver 3.10.0-862.9.1 -After that, it is possible to perform a late microcode update by executing -"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to -"/sys/devices/system/cpu/microcode/reload" directly. - -To enforce addition of this microcode for all kernels, please create file -"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04", run -"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, -and "dracut -f --regenerate-all" for enabling early microcode updates: +To disable usage of the newer microcode revision for all kernels, please create +file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run +"/usr/libexec/microcode_ctl/update_ucode" to update firmware directories +used for late microcode updates, and run "dracut -f --regenerate-all" +so initramfs images get regenerated, for example: mkdir -p /etc/microcode_ctl/ucode_with_caveats - touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04 + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04 /usr/libexec/microcode_ctl/update_ucode dracut -f --regenerate-all diff --git a/SOURCES/06-5e-03_config b/SOURCES/06-5e-03_config new file mode 100644 index 0000000..7482d36 --- /dev/null +++ b/SOURCES/06-5e-03_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-5e-03 +path intel-ucode/06-5e-03 +disable early late diff --git a/SOURCES/06-5e-03_disclaimer b/SOURCES/06-5e-03_disclaimer new file mode 100644 index 0000000..7e3bb16 --- /dev/null +++ b/SOURCES/06-5e-03_disclaimer @@ -0,0 +1,5 @@ +Microcode revisions 0xda and higher for Intel Skylake-H/S/Xeon E3 v5 (family 6, +model 94, stepping 3; CPUID 0x506e3) are disabled as they may cause system +instability; the previously published revision 0xd6 is used instead. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-5e-03_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-5e-03_readme b/SOURCES/06-5e-03_readme new file mode 100644 index 0000000..b739bf2 --- /dev/null +++ b/SOURCES/06-5e-03_readme @@ -0,0 +1,68 @@ +Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94, +stepping 3) have reports of possible system hangs when revision 0xdc +of microcode, that is included in microcode-20200609 update to address +CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, is applied[1]. In order +to address this, microcode update to the newer revision has been disabled +by default on these systems, and the previously published microcode revision +0xd6 is used by default for the OS-driven microcode update. + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 + +For the reference, SHA1 checksums of 06-55-04 microcode files containing +microcode revisions in question are listed below: + * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a + * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7 + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 + +The information regarding enforcing microcode update is provided below. + +To enforce usage of the latest 06-5e-03 microcode revision for a specific kernel +version, please create a file "force-intel-06-5e-03" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory +where microcode will be available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated and the microcode can be loaded early, for example: + + touch /lib/firmware/3.10.0-862.9.1/force-intel-06-5e-03 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +After that, it is possible to perform a late microcode update by executing +"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to +"/sys/devices/system/cpu/microcode/reload" directly. + +To enforce addition of this microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03", run +"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, +and "dracut -f --regenerate-all" for enabling early microcode updates: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/06-8e-9e-0x-0xca_config b/SOURCES/06-8e-9e-0x-0xca_config new file mode 100644 index 0000000..2dbca4a --- /dev/null +++ b/SOURCES/06-8e-9e-0x-0xca_config @@ -0,0 +1,4 @@ +path intel-ucode/* +vendor GenuineIntel +dmi mode=fail-equal key=bios_vendor val="Dell Inc." +disable early late diff --git a/SOURCES/06-8e-9e-0x-0xca_disclaimer b/SOURCES/06-8e-9e-0x-0xca_disclaimer new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/SOURCES/06-8e-9e-0x-0xca_disclaimer diff --git a/SOURCES/06-8e-9e-0x-0xca_readme b/SOURCES/06-8e-9e-0x-0xca_readme new file mode 100644 index 0000000..aba1bc7 --- /dev/null +++ b/SOURCES/06-8e-9e-0x-0xca_readme @@ -0,0 +1,123 @@ +Some Dell systems that use some models of Intel CPUs are susceptible to hangs +and system instability during or after microcode update to revision 0xc6/0xca +(included as part of microcode-20191113/microcode-20191115 update that addressed +CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139) +and/or revision 0xd6 (included as part of microcode-20200609 update +that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549) +[1][2][3][4][5][6]. In order to address this, microcode update to the newer +revision has been disabled by default on these systems, and the previously +published microcode revisions 0xae/0xb4/0xb8 are used by default +for the OS-driven microcode update. + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23 +[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24 +[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33 +[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34 +[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35 +[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097 + +This caveat contains revision 0xca of 06-[89]e-0x microcode publicly released +by Intel; for the latest revision of the microcode files, please refer to caveat +06-8e-9e-0x-dell. + +For the reference, microarchitectures of the affected CPU models: + * Amber Lake-Y + * Kaby Lake-G/H/S/U/Y/Xeon E3 + * Coffee Lake-H/S/U/Xeon E + * Comet Lake-U 4+2 + * Whiskey Lake-U + +Family names of the affected CPU models: + * 7th Generation Intel® Core™ Processor Family + * 8th Generation Intel® Core™ Processor Family + * 9th Generation Intel® Core™ Processor Family + * 10th Generation Intel® Core™ Processor Family (selected models) + * Intel® Celeron® Processor G Series + * Intel® Celeron® Processor 5000 Series + * Intel® Core™ X-series Processors (i7-7740X, i5-7640X only) + * Intel® Pentium® Gold Processor Series + * Intel® Pentium® Processor Series (selected models) + * Intel® Xeon® Processor E Family + * Intel® Xeon® Processor E3 v6 Family + +SHA1 checksums of the microcode files containing microcode revisions +in question: + * 06-8e-09, revision 0xb4: e253c95c29c3eef6576db851dfa069d82a91256f + * 06-8e-0a, revision 0xb4: 45bcba494be07df9eeccff9627578095a97fba4d + * 06-8e-0b, revision 0xb8: 3e54bf91d642ad81ff07fe274d0cfb5d10d09c43 + * 06-8e-0c, revision 0xb8: bf635c87177d6dc4e067ec11e1caeb19d3c325f0 + * 06-9e-09, revision 0xb4: 42f68eec4ddb79dd6be0c95c4ce60e514e4504b1 + * 06-9e-0a, revision 0xb4: 37c7cb394dd36610b57943578343723da67d50f0 + * 06-9e-0b, revision 0xb4: b5399109d0a5ce8f5fb623ff942da0322b438b95 + * 06-9e-0c, revision 0xae: 131bce89e4d210de8322ffbc6bd787f1af66a7df + * 06-9e-0d, revision 0xb8: 22511b007d1df55558d115abb13a1c23ea398317 + + * 06-8e-09, revision 0xca: 9afa1bae40995207afef13247f114be042d88083 + * 06-8e-0a, revision 0xca: 1d90291cc25e17dc6c36c764cf8c06b41fed4c16 + * 06-8e-0b, revision 0xca: 3fb1246a6594eff5e2c2076c63c600d734f10777 + * 06-8e-0c, revision 0xca: e871540671f59b4fa5d0d454798f09a4d412aace + * 06-9e-09, revision 0xca: b5eed11108ab7ac1e675fe75d0e7454a400ddd35 + * 06-9e-0a, revision 0xca: e472304aaa2f3815a32822cb111ab3f43bf3dfe4 + * 06-9e-0b, revision 0xca: 78f47c5162da680878ed057dc7c853f9737c524b + * 06-9e-0c, revision 0xca: f23848a009928796a153cb9e8f44522136969408 + * 06-9e-0d, revision 0xca: c7a3d469469ee828ba9faf91b67af881fceec3b7 + + * 06-8e-09, revision 0xd6: 2272c621768437d20e602207752201e0966e5a8c + * 06-8e-0a, revision 0xd6: 0b145afb88e028e612f04c2a86385e7d7c3fefc4 + * 06-8e-0b, revision 0xd6: c3831b05da83be54f3acc451a1bce90f75e2e9e5 + * 06-8e-0c, revision 0xd6: 4b8938a93e23f4b5a2d9de40b87f6afcfdc27c05 + * 06-9e-09, revision 0xd6: 4bacba8c598508e7dd4e87e179586abe7a1a987f + * 06-9e-0a, revision 0xd6: 4c236afeef9f80ff3a286698fe7cef72926722f0 + * 06-9e-0b, revision 0xd6: 2f9ab9b2ba29559ce177632281d7290a24fed2ef + * 06-9e-0c, revision 0xd6: 4b9059e519bcab6085b6c103f5d99e509fe0b2bb + * 06-9e-0d, revision 0xd6: 3a3b7edfd8126bb34b761b46a32102a622047899 + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 + +The information regarding disabling microcode update is provided below. + +To disable usage of the newer microcode revision for a specific kernel +version, please create a file "disallow-intel-06-8e-9e-0x-0xca" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory +used for late microcode updates, and run "dracut -f --kver " +so initramfs for this kernel version is regenerated, for example: + + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8e-9e-0x-0xca + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +To disable usage of the newer microcode revision for all kernels, please create +file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0x-0xca", +run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories +used for late microcode updates, and run "dracut -f --regenerate-all" +so initramfs images get regenerated, for example: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0xca + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/06-8e-9e-0x-dell_config b/SOURCES/06-8e-9e-0x-dell_config new file mode 100644 index 0000000..bc1fe2b --- /dev/null +++ b/SOURCES/06-8e-9e-0x-dell_config @@ -0,0 +1,17 @@ +path intel-ucode/* +vendor GenuineIntel +## It is deemed that blacklisting all 06-[89]e-0x models on all hardware +## in cases where no model filter is used is too broad, hence +## no-model-mode=success. +dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc." +## The "kernel_early" statements are carried over from the intel caveat config +## in order to avoid enabling this newer microcode on these problematic kernels; +## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme +## (That also means that this caveat has to be enforced separately on these +## kernels.) +kernel_early 4.10.0 +kernel_early 3.10.0-930 +kernel_early 3.10.0-862.14.1 +kernel_early 3.10.0-693.38.1 +kernel_early 3.10.0-514.57.1 +kernel_early 3.10.0-327.73.1 diff --git a/SOURCES/06-8e-9e-0x-dell_disclaimer b/SOURCES/06-8e-9e-0x-dell_disclaimer new file mode 100644 index 0000000..224a822 --- /dev/null +++ b/SOURCES/06-8e-9e-0x-dell_disclaimer @@ -0,0 +1,7 @@ +Some Dell systems that use some models of Intel CPUs are susceptible to hangs +and system instability during or after microcode update to newer revisions. +In order to address this, microcode update to these newer revision +has been disabled by default on these systems, and the previously published +microcode revisions are used by default for the OS-driven microcode update. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-8e-9e-0x-dell_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-8e-9e-0x-dell_readme b/SOURCES/06-8e-9e-0x-dell_readme new file mode 100644 index 0000000..0c13193 --- /dev/null +++ b/SOURCES/06-8e-9e-0x-dell_readme @@ -0,0 +1,123 @@ +Some Dell systems that use some models of Intel CPUs are susceptible to hangs +and system instability during or after microcode update to revision 0xc6/0xca +(included as part of microcode-20191113/microcode-20191115 update that addressed +CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139) +and/or revision 0xd6 (included as part of microcode-20200609 update +that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549) +[1][2][3][4][5][6]. In order to address this, microcode update to the newer +revision has been disabled by default on these systems, and the previously +published microcode revisions 0xae/0xb4/0xb8 are used by default +for the OS-driven microcode update. + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23 +[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24 +[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33 +[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34 +[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35 +[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097 + +This caveat contains latest microcode revisions publicly released by Intel; +for the revision 0xca of the microcode files, please refer to caveat +06-8e-9e-0x-0xca. + +For the reference, microarchitectures of the affected CPU models: + * Amber Lake-Y + * Kaby Lake-G/H/S/U/X/Y/Xeon E3 + * Coffee Lake-H/S/U/Xeon E + * Comet Lake-U 4+2 + * Whiskey Lake-U + +Family names of the affected CPU models: + * 7th Generation Intel® Core™ Processor Family + * 8th Generation Intel® Core™ Processor Family + * 9th Generation Intel® Core™ Processor Family + * 10th Generation Intel® Core™ Processor Family (selected models) + * Intel® Celeron® Processor G Series + * Intel® Celeron® Processor 5000 Series + * Intel® Core™ X-series Processors (i7-7740X, i5-7640X only) + * Intel® Pentium® Gold Processor Series + * Intel® Pentium® Processor Series (selected models) + * Intel® Xeon® Processor E Family + * Intel® Xeon® Processor E3 v6 Family + +SHA1 checksums of the microcode files containing microcode revisions +in question: + * 06-8e-09, revision 0xb4: e253c95c29c3eef6576db851dfa069d82a91256f + * 06-8e-0a, revision 0xb4: 45bcba494be07df9eeccff9627578095a97fba4d + * 06-8e-0b, revision 0xb8: 3e54bf91d642ad81ff07fe274d0cfb5d10d09c43 + * 06-8e-0c, revision 0xb8: bf635c87177d6dc4e067ec11e1caeb19d3c325f0 + * 06-9e-09, revision 0xb4: 42f68eec4ddb79dd6be0c95c4ce60e514e4504b1 + * 06-9e-0a, revision 0xb4: 37c7cb394dd36610b57943578343723da67d50f0 + * 06-9e-0b, revision 0xb4: b5399109d0a5ce8f5fb623ff942da0322b438b95 + * 06-9e-0c, revision 0xae: 131bce89e4d210de8322ffbc6bd787f1af66a7df + * 06-9e-0d, revision 0xb8: 22511b007d1df55558d115abb13a1c23ea398317 + + * 06-8e-09, revision 0xca: 9afa1bae40995207afef13247f114be042d88083 + * 06-8e-0a, revision 0xca: 1d90291cc25e17dc6c36c764cf8c06b41fed4c16 + * 06-8e-0b, revision 0xca: 3fb1246a6594eff5e2c2076c63c600d734f10777 + * 06-8e-0c, revision 0xca: e871540671f59b4fa5d0d454798f09a4d412aace + * 06-9e-09, revision 0xca: b5eed11108ab7ac1e675fe75d0e7454a400ddd35 + * 06-9e-0a, revision 0xca: e472304aaa2f3815a32822cb111ab3f43bf3dfe4 + * 06-9e-0b, revision 0xca: 78f47c5162da680878ed057dc7c853f9737c524b + * 06-9e-0c, revision 0xca: f23848a009928796a153cb9e8f44522136969408 + * 06-9e-0d, revision 0xca: c7a3d469469ee828ba9faf91b67af881fceec3b7 + + * 06-8e-09, revision 0xd6: 2272c621768437d20e602207752201e0966e5a8c + * 06-8e-0a, revision 0xd6: 0b145afb88e028e612f04c2a86385e7d7c3fefc4 + * 06-8e-0b, revision 0xd6: c3831b05da83be54f3acc451a1bce90f75e2e9e5 + * 06-8e-0c, revision 0xd6: 4b8938a93e23f4b5a2d9de40b87f6afcfdc27c05 + * 06-9e-09, revision 0xd6: 4bacba8c598508e7dd4e87e179586abe7a1a987f + * 06-9e-0a, revision 0xd6: 4c236afeef9f80ff3a286698fe7cef72926722f0 + * 06-9e-0b, revision 0xd6: 2f9ab9b2ba29559ce177632281d7290a24fed2ef + * 06-9e-0c, revision 0xd6: 4b9059e519bcab6085b6c103f5d99e509fe0b2bb + * 06-9e-0d, revision 0xd6: 3a3b7edfd8126bb34b761b46a32102a622047899 + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 + +The information regarding disabling microcode update is provided below. + +To disable usage of the newer microcode revision for a specific kernel +version, please create a file "disallow-intel-06-8e-9e-0x-dell" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory +used for late microcode updates, and run "dracut -f --kver " +so initramfs for this kernel version is regenerated, for example: + + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8e-9e-0x-dell + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +To disable usage of the newer microcode revision for all kernels, please create +file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0x-dell", +run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories +used for late microcode updates, and run "dracut -f --regenerate-all" +so initramfs images get regenerated, for example: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-dell + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats index 4ead5e5..2220a09 100644 --- a/SOURCES/README.caveats +++ b/SOURCES/README.caveats @@ -160,6 +160,83 @@ separated by white space. Currently, the following options are supported: one model name per line. The model name of the running CPU (as reported in /proc/cpuinfo) is compared against the names in the provided list, and, if there is a match, caveat check fails. + * "pci_config_val" performs check for specific values in selected parts + of configuration space of specified PCI devices. If "-m" option + is not specified, then the actual check is skipped, and the check returns + result in accordance with the provided "mode" option (se below). Check + arguments are a white-space-separated list of "key=value" pairs. + The following keys are supported: + * "domain" - PCI domain number, or "*" (an asterisk) for any domain. + Default is "*". + * "bus" - PCI bus number, or "*" (an asterisk) for any bus. Default is "*". + * "device" - PCI device number, or "*" (an asterisk) for any device. + Default is "*". + * "function" - PCI function number, or "*" (an asterisk) for any function. + Default is "*". + * "vid" - PCI vendor ID, or empty string for any vendor ID. Default + is empty string. + * "did" - PCI device ID, or empty string for any device ID. Default + is empty string. + * "offset" - offset in device's configuration space where the value resides. + Default is 0. + * "size" - field size. Possible values are 1, 2, 4, or 8. Default is 4. + * "mask" - mask applied to the values during the check. Default is 0. + * "val" - comma-separated list of matching values. Default is 0. + * "mode" - check mode, the way matches are interpreted: + * "success-any" - check succeeds if there was at least one match, + otherwise it fails. + * "success-all" - check succeeds if there was at least one device checked + and all the checked devices have matches, otherwise the check fails. + * "fail-any" - check fails if there was at least one match, otherwise + it succeeds. + * "fail-all" - check fails if there was at least one device checked + and all the checked devices have matches, otherwise the check succeeds. + Default is "success-any". + An example of a check: + pci_config_val mode=success-all device=30 function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8 + It interprets 4 bytes at offset 0x84 of special files "config" under + directories that match glob pattern "/sys/bus/pci/devices/*:*:1e.3" + as an unsigned integer value, applies mask 0x38 (thus selecting bit 5..3 + of it) and checks whether it is one of the values 0x38, 0x18, or 0x8 (0b111, + 0b011, or 0b001 in bits 5..3, respectively); if there are such files, + and all the checked values in every checked file has matched at least one + of the aforementioned value, then the check is successful, otherwise + it fails (in accordance with "mode=success-all" semantics). This check fails + if "-m" option is not specified. + * "dmi" performs checks for specific values available in DMI sysfs files + (present under /sys/devices/virtual/dmi/id/). The check fails if file + is not readable. If "-m" option is specified, then the actual check + is skipped, and the check returns value in accordance with "no-model-mode" + parameter value (see below). Check arguments are a white-space-separated + list of "key=value" pairs. The following keys are supported: + * "key" - DMI file to check. Value can be one of the following: bios_date, + bios_vendor, bios_version, board_asset_tag, board_name, board_serial, + board_vendor, board_version, chassis_asset_tag, chassis_serial, + chassis_type, chassis_vendor, chassis_version, product_family, + product_name, product_serial, product_uuid, product_version, sys_vendor. + Default is empty string. + * "val" - a string to match DMI data against. Can be enclosed in single + or double quotes. Default is empty string. + * "mode" - check mode, the way matches are interpreted: + * "success-equal" - returns 0 if the value present in the file + with the name supplied via the "key" parameter file under + /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value + of "val" parameter, otherwise 1. + * "success-equal" - returns 1 if the value present in the file + with the name supplied via the "key" parameter file under + /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value + of "val" parameter, otherwise 0. + Default is "success-any". + * "no-model-mode" - return value if model filter ("-m" option) + is not enabled: + * "success" - return 0. + * "fail" - return 1. + Default is "success". + An example of a check: + dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc." + It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its + content is "Dell Inc." (without quotes). It succeeds if "-m" option + is not enabled. check_caveats script @@ -438,38 +515,119 @@ Minimum versions of the kernel package that contain the fix: Intel Sandy Bridge-E/EN/EP caveat --------------------------------- -MDS-related microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP -(SNB-EP, family 6, model 45, stepping 7) may lead to system instability. -In order to address this, this microcode update is not used and the previous -microcode revision is provided instead by default; the microcode file, however, -is still shipped as part of microcode_ctl package and can be used for performing -a microcode update if it is enforced via the aforementioned overrides. (See -the sections "check_caveats script" and "reload_microcode script" for details.) +Microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6, +model 45, stepping 7), that was released to address MDS vulnerability, +and was available from microcode-20190618 up to microcode-20190508 release) +could lead to system instability[1][2]. In order to address this, +this microcode update was not used and the previous microcode revision +was provided instead by default; the microcode file, however, was still shipped +as part of microcode_ctl package and could be used for performing a microcode +update if it is enforced via the aforementioned overrides. With the release +of 0x71a revision of the microcode (as art of microcode-20200520 release) +that aims at fixing the aforementioned stability issue, the latest microcode +revision is again used by default; it is still provided via the caveat +mechanism, hovewer, in order to enable ability to disable it in case such +a need arises. (See the sections "check_caveats script" and "reload_microcode +script" for details regarding caveats mechanism operation.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15 +[2] https://access.redhat.com/solutions/4593951 Caveat name: intel-06-2d-07 Affected microcode: intel-ucode/06-2d-07. -Mitigation: previously published microcode revision 0x714 is used by default. +Mitigation: None; the latest revision of the microcode file is used by default; +previously published microcode revision 0x714 is still available as a fallback +as part of "intel" caveat. Intel Skylake-SP/W/X caveat --------------------------- -Microcode revision 0x2000065 for Intel Skylake Scalable Platform (SKL-SP/W/X, -family 6, model 85, stepping 4) may lead to system instability. -In order to address this, this microcode update is not used and the previous -microcode revision is provided instead by default; the microcode file, however, -is still shipped as part of microcode_ctl package and can be used for performing -a microcode update if it is enforced via the aforementioned overrides. -(See the sections "check_caveats script" and "reload_microcode script" -for details.) +Microcode revision 0x2000065 (that was provided with microcode releases +microcode-20191112 up to microcode-20200520) for some CPU models that belong +to Intel Skylake Scalable Platform (SKL-W/X, family 6, model 85, stepping 4, +Workstation/HEDT segments) could lead to hangs during reboot[1]. In order +to address this, by default this microcode update was disabled by default and +and the previous 0x2000064 microcode revision was used instead; the microcode +file with, however, is still shipped as part of microcode_ctl package and can +be used for performing a microcode update if it is enforced +via the aforementioned overrides. With the availability of 0x2006906 revision +of the microcode (in the microcode-20200609 release) that fixes +the aforementioned issue, the latest microcode revision is again used +by default; it is still provided via caveat mechanism, hovewer, in order +to enable ability to disable it in case such a need arises. (See the sections +"check_caveats script" and "reload_microcode script" for details regarding +caveats mechanism operation.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 Caveat name: intel-06-55-04 Affected microcode: intel-ucode/06-55-04. -Mitigation: previously published microcode revision 0x2000064 is used -by default. +Mitigation: None; the latest revision of the microcode file is used by default; +previously published microcode revision 0x2000064 is still available +as a fallback as part of "intel" caveat. + + +Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats +---------------------------------------- +Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3; +and SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of system +hangs when revision 0xdc of microcode, that is included in microcode-20200609 +update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, +is applied[1][2]. In order to address this, microcode update to the newer +revision has been disabled by default on these systems, and the previously +published microcode revision 0xd6 is used instead; the newer microcode files, +however, are still shipped as part of microcode_ctl package and can be used +for performing a microcode update if they are enforced via the aforementioned +overrides. (See the sections "check_caveats script" and "reload_microcode +script" for details.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 +[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 + +Caveat names: intel-06-4e-03, intel-06-5e-03 + +Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03. + +Mitigation: previously published microcode revision 0xd6 is used by default. + + +Dell caveats +------------ +Some Dell systems that use some models of Intel CPUs are susceptible to hangs +and system instability during or after microcode update to revision 0xc6/0xca +(included as part of microcode-20191113/microcode-20191115 update that addressed +CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139) +and/or revision 0xd6 (included as part of microcode-20200609 update +that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549) +[1][2][3][4][5][6]. In order to address this, microcode update to the newer +revision has been disabled by default on these systems, and the previously +published microcode revisions 0xae/0xb4/0xb8 are used by default +for the OS-driven microcode update. + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23 +[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24 +[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33 +[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34 +[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35 +[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097 + +Caveat names: intel-06-8e-9e-0x-dell, intel-06-8e-9e-0x-0xca + +Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a, + intel-ucode/06-8e-0b, intel-ucode/06-8e-0c, + intel-ucode/06-9e-09, intel-ucode/06-9e-0a, + intel-ucode/06-9e-0b, intel-ucode/06-9e-0c, + intel-ucode/06-9e-0d. + +Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used + by default if /sys/devices/virtual/dmi/id/bios_vendor reports + "Dell Inc."; otherwise, the latest microcode revision is used. + Caveat with revision 0xca of microcode files is provided + as a convenience for the cases where it was working well before. @@ -496,3 +654,7 @@ Intel CPU vulnerabilities is available in the following knowledge base articles: CVE-2019-11135 (TSX Asynchronous Abort), CVE-2019-11139 (Voltage Setting Modulation): https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats index 462d541..ab02a02 100755 --- a/SOURCES/check_caveats +++ b/SOURCES/check_caveats @@ -132,6 +132,226 @@ check_kver() return 1 } +# It is needed for SKX[1] for which different product segments +# are differentiated by a value in the CAPID0 field of PCU registers +# device[2]. +# [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 +# [2] https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13 +# +# $1 - params in config file, space-separated, in key=value form: +# domain=* - PCI domain, '*' or number +# bus=* - PCI bus, '*' or number +# device=* - PCI device, '*' or number +# function=* - PCI function, '*' or number +# vid= - PCI vendor ID, empty or number +# did= - PCI device ID, empty or number +# offset=0 - offset in configuration space +# size=4 - field size +# mask=0 - mask applied to the data read +# val=0 - comma-separated list of possible values +# mode=success-any [ success-ail, fail-any, fail-all ] - matching mode: +# success-any: Returns 0 if there was at least one match, otherwise 1. +# success-all: Returns 0 if there was at least one device checked and all +# the checked devices have matches, otherwise 1. +# fail-any: Returns 1 if there was at least one match, otherwise 0. +# fail-all: Returns 1 if there was at least one device checked and all +# the checked devices have matches, otherwise 0. +# $2 - whether model filter is engaged (if it is not '1', just return the result +# based on "mode" value that assumes that there were 0 checks/0 matches). +check_pci_config_val() +{ + local domain='*' bus='*' device='*' func='*' vid= did= + local offset=0 size=4 mask=0 val=0 mode=success-any + local checked=0 matched=0 path='' + local dev_path dev_vid dev_did dev_val + local opts="${1:-}" + local match_model="${2:0}" + + set -- $1 + while [ "$#" -gt 0 ]; do + [ "x${1#domain=}" = "x${1}" ] || domain="${1#domain=}" + [ "x${1#bus=}" = "x${1}" ] || bus="${1#bus=}" + [ "x${1#device=}" = "x${1}" ] || device="${1#device=}" + [ "x${1#function=}" = "x${1}" ] || func="${1#function=}" + [ "x${1#vid=}" = "x${1}" ] || vid="${1#vid=}" + [ "x${1#did=}" = "x${1}" ] || did="${1#did=}" + [ "x${1#offset=}" = "x${1}" ] || offset="${1#offset=}" + [ "x${1#size=}" = "x${1}" ] || size="${1#size=}" + [ "x${1#mask=}" = "x${1}" ] || mask="${1#mask=}" + [ "x${1#val=}" = "x${1}" ] || val="${1#val=}" + [ "x${1#mode=}" = "x${1}" ] || mode="${1#mode=}" + + shift + done + + path="$domain" + if [ "x$bus" = 'x*' ]; then + path="$path:$bus"; + else + path=$(printf '%s:%02x' "$path" "$bus") + fi + if [ "x$device" = 'x*' ]; then + path="$path:$device"; + else + path=$(printf '%s:%02x' "$path" "$device") + fi + if [ "x$func" = 'x*' ]; then + path="$path.$func"; + else + path=$(printf '%s.%01x' "$path" "$func") + fi + + # Normalise VID, DID + [ -n "$vid" ] || vid="$(printf '0x%04x' "$vid")" + [ -n "$did" ] || did="$(printf '0x%04x' "$did")" + + ( [ 1 != "$match_model" ] \ + || /usr/bin/find /sys/bus/pci/devices/ -maxdepth 1 -name "$path" \ + || : ) | ( + while read -r dev_path; do + # Filter VID, DID + if [ -n "$vid" ]; then + dev_vid=$(/bin/cat "$dev_path/vendor") + [ "x$vid" = "x$dev_vid" ] || continue + fi + if [ -n "$did" ]; then + dev_did=$(/bin/cat "$dev_path/device") + [ "x$did" = "x$dev_did" ] || continue + fi + + checked="$((checked + 1))" + + dev_val="$(/usr/bin/od -j "$offset" -N "$size" -A n \ + -t "u$size" "$dev_path/config")" + + val_rest="${val}" + while :; do + cur_val="${val_rest%%,*}" + if [ "$((dev_val & mask))" = "$((cur_val & mask))" ] + then + matched="$((matched + 1))" + break + fi + [ "x${val_rest}" != "x${val_rest#*,}" ] || break + val_rest="${val_rest#*,}" + done + + case "$mode" in + success-any) [ "$matched" -eq 0 ] || { echo 0; exit; } ;; + success-all) [ "$matched" -eq "$checked" ] || { echo 1; exit; } ;; + fail-any) [ "$matched" -eq 0 ] || { echo 1; exit; } ;; + fail-all) [ "$matched" -eq "$checked" ] || { echo 0; exit; } ;; + *) echo 2; exit;; + esac + done + + debug "PCI config value check ($opts): checked $checked," \ + "matched $matched (model check is set to $match_model)" + + case "$mode" in + success-any) if [ "$matched" -eq 0 ]; then echo 1; else echo 0; fi ;; + success-all) if [ "$matched" -gt 0 -a "$matched" -eq "$checked" ]; then echo 0; else echo 1; fi ;; + fail-any) if [ "$matched" -eq 0 ]; then echo 0; else echo 1; fi ;; + fail-all) if [ "$matched" -gt 0 -a "$matched" -eq "$checked" ]; then echo 1; else echo 0; fi ;; + *) echo 2; exit;; + esac + ) +} + +# It is needed for filtering by BIOS vendor name that is available in DMI data +# +# $1 - params in config file, space-separated, in key=value form: +# key= - DMI value to check. Can be one of the following: bios_date, +# bios_vendor, bios_version, board_asset_tag, board_name, board_serial, +# board_vendor, board_version, chassis_asset_tag, chassis_serial, +# chassis_type, chassis_vendor, chassis_version, product_family, +# product_name, product_serial, product_uuid, product_version, +# sys_vendor. +# val= - a string to match DMI data against. Can be enclosed in single +# or double quotes. +# mode=success-equal [ success-equal, fail-equal ] - matching mode: +# success-equal: Returns 0 if the value present in the corresponding file +# under /sys/devices/virtual/dmi/id/ is equal +# to the value supplied as a value of "val" parameter, +# otherwise 1. +# fail-equal: Returns 1 if the value present in the corresponding file +# under /sys/devices/virtual/dmi/id/ is equal +# to the value supplied as a value of "val" parameter, +# otherwise 0. +# no-model-mode=success [ success, fail ] - return value if model filter +# is not enabled: +# success: Return 0. +# fail: Return 1. +# $2 - whether model filter is engaged (if it is not '1', just return the result +# based on "mode" value that assumes that the check has failed). +check_dmi_val() +{ + local key= val= mode='success-equal' nm_mode='success' + local opts="${1:-}" opt= opt_= + local match_model="${2:0}" + + local valid_keys=" bios_date bios_vendor bios_version board_asset_tag board_name board_serial board_vendor board_version chassis_asset_tag chassis_serial chassis_type chassis_vendor chassis_version product_family product_name product_serial product_uuid product_version sys_vendor " + local success=1 + + while [ -n "$opts" ]; do + opt="${opts%%[ ]*}" + [ -n "${opt}" ] || { opts="${opts#[ ]}"; continue; } + + [ "x${opt#key=}" = "x${opt}" ] || key="${opt#key=}" + [ "x${opt#mode=}" = "x${opt}" ] || mode="${opt#mode=}" + [ "x${opt#no-model-mode=}" = "x${opt}" ] || \ + nm_mode="${opt#no-model-mode=}" + + # Handle possible quoting + [ "x${opt#val=}" = "x${opt}" ] || { + case "${opt#val=}" in + [']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val=\'${val}\'" ;; + ["]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;; + *) val="${opt#val=}" ;; + esac + } + + opts="${opts#"${opt}"}" + continue + done + + # Check key for validity + [ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || { + debug "Invalid \"key\" parameter value: \"${key}\"" + echo 2 + exit + } + + [ 1 = "$match_model" ] || { + case "$nm_mode" in + success) echo 0 ;; + fail) echo 1 ;; + *) + debug "Invalid no-model-mode value: \"${nm_mode}\"" + echo 2 + ;; + esac + + exit + } + + [ -r "/sys/devices/virtual/dmi/id/${key}" ] || { + debug "Can't access /sys/devices/virtual/dmi/id/${key}" + echo 3 + exit + } + + file_val="$(cat "/sys/devices/virtual/dmi/id/${key}")" + + [ "x${val}" = "x${file_val}" ] || success=0 + + case "$mode" in + success-equal) echo "$((1 - $success))" ;; + fail-equal) echo "${success}" ;; + *) debug "Invalid mode value: \"${nm_mode}\""; echo 2 ;; + esac +} + # Provides model in format "VENDOR_ID FAMILY-MODEL-STEPPING" # # We check only the first processor as we don't expect non-symmetrical setups @@ -182,7 +402,7 @@ fail() fail_paths="$fail_paths $cfg_path" [ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \ - || cat "${dir}/disclaimer" + || /bin/cat "${dir}/disclaimer" } #check_kver "$@" @@ -225,7 +445,7 @@ while getopts "dek:c:mv" opt; do esac done -: ${configs:=$(find "${MC_CAVEATS_DATA_DIR}" -maxdepth 1 -mindepth 1 -type d -printf "%f\n")} +: "${configs:=$(find "${MC_CAVEATS_DATA_DIR}" -maxdepth 1 -mindepth 1 -type d -printf "%f\n")}" cpu_model=$(get_model_string) cpu_model_name=$(get_model_name) @@ -273,6 +493,8 @@ for cfg in $(echo "${configs}"); do cfg_blacklist= cfg_mc_min_ver_late= cfg_disable= + cfg_pci= + cfg_dmi= while read -r key value; do case "$key" in @@ -299,8 +521,26 @@ for cfg in $(echo "${configs}"); do ;; blacklist) cfg_blacklist=1 + # "blacklist" is special: it stops entity parsing, + # and the rest of file is a list of blacklisted model + # names. break ;; + pci_config_val) + cfg_pci="$cfg_pci + $value" + ;; + dmi) + cfg_dmi="$cfg_dmi + $value" + ;; + '#'*|'') + continue + ;; + *) + debug "Unknown key '$key' (value '$value') in config" \ + "'$cfg'" + ;; esac done < "${dir}/config" @@ -388,12 +628,14 @@ for cfg in $(echo "${configs}"); do cfg_mc_present=0 for p in $(printf "%s" "$cfg_path"); do - find "$MC_CAVEATS_DATA_DIR/$cfg" \ - -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \ - | grep -zFxq "$cpu_mc_path" \ + { /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \ + -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0; + /bin/true; } \ + | /bin/grep -zFxq "$cpu_mc_path" \ || continue cfg_mc_present=1 + break done [ 1 = "$cfg_mc_present" ] || { @@ -478,6 +720,51 @@ for cfg in $(echo "${configs}"); do } fi + # Check PCI devices if model filter is enabled + # Note that the model filter check is done inside check_pci_config_val + # based on the 'mode=' parameter. + if [ -n "$cfg_pci" ]; then + pci_line="$(printf "%s\n" "$cfg_pci" | while read -r pci_line; do + [ -n "$pci_line" ] || continue + pci_res=$(check_pci_config_val "$pci_line" \ + "$match_model") + [ 0 != "$pci_res" ] || continue + echo "$pci_res $pci_line" + break + done + echo "0 ")" + + [ -z "${pci_line#* }" ] || { + debug "PCI configuration word check '${pci_line#* }'" \ + "failed (with return code ${pci_line%% *})" + fail + continue + } + fi + + # Check DMI data if model filter is enabled + # Note that the model filter check is done inside check_pci_config_val + # based on the 'mode=' parameter. + if [ -n "$cfg_dmi" ]; then + dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line + do + [ -n "$dmi_line" ] || continue + dmi_res=$(check_dmi_val "$dmi_line" \ + "$match_model") + [ 0 != "$dmi_res" ] || continue + echo "$dmi_res $dmi_line" + break + done + echo "0 ")" + + [ -z "${dmi_line#* }" ] || { + debug "DMI data check '${dmi_line#* }'" \ + "failed (with return code ${dmi_line%% *})" + fail + continue + } + fi + ok_cfgs="$ok_cfgs $cfg" ok_paths="$ok_paths $cfg_path" done diff --git a/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh b/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh index 9839d36..854e278 100755 --- a/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh +++ b/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh @@ -48,29 +48,6 @@ install() { dinfo " microcode_ctl: processing data directory " \ "\"$DATA_DIR/$i\"..." - if ! cc_out=$($check_caveats -e -k "$kernel" -c "$i" $verbose_opt) - then - dinfo " microcode_ctl: kernel version \"$kernel\"" \ - "failed early load check for \"$i\", skipping" - continue - fi - - path=$(printf "%s" "$cc_out" | sed -n 's/^paths //p') - [ -n "$path" ] || { - ignored=$(printf "%s" "$cc_out" | \ - sed -n 's/^skip_cfgs //p') - - if [ -n "$ignored" ]; then - dinfo " microcode_ctl: configuration" \ - "\"$i\" is ignored" - else - dinfo " microcode_ctl: no microcode paths" \ - "are associated with \"$i\", skipping" - fi - - continue - } - if [ "x" != "x$hostonly" ]; then do_skip_host_only=0 @@ -92,57 +69,33 @@ install() { do_skip_host_only=1 fi - if [ 0 -eq "$do_skip_host_only" ]; then - local hostonly_passed=0 - local ucode - local uvendor - local ucode_dir="" - - ucode=$(get_ucode_file) - uvendor=$(get_cpu_vendor) - - case "$uvendor" in - Intel) - ucode_dir="intel-ucode" - ;; - AMD) - ucode_dir="amd-ucode" - ;; - *) - dinfo " microcode_ctl: unknown CPU" \ - "vendor: \"$uvendor\", bailing out of" \ - "Host-Only check" - continue - ;; - esac - - # $path is a list of globs, so it needs special care - for p in $(printf "%s" "$path"); do - # "true" is due to sporadic SIGPIPE from find - # when "grep -q" exits early. - { find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \ - -print0; true; } \ - | grep -zFxq \ - "$DATA_DIR/$i/$ucode_dir/$ucode" \ - || continue - - dinfo " microcode_ctl: $i: Host-Only" \ - "mode is enabled and" \ - "\"$ucode_dir/$ucode\" matches \"$p\"" - - hostonly_passed=1 - break - done + match_model_opt="" + [ 1 = "$do_skip_host_only" ] || match_model_opt="-m" - [ 1 -eq "$hostonly_passed" ] || { - dinfo " microcode_ctl: $i: Host-Only mode" \ - "is enabled and ucode name does not" \ - "match the expected one, skipping" \ - "caveat (\"$ucode\" not in \"$path\")" - continue - } + if ! cc_out=$($check_caveats -e -k "$kernel" -c "$i" \ + $verbose_opt $match_model_opt) + then + dinfo " microcode_ctl: kernel version \"$kernel\"" \ + "failed early load check for \"$i\", skipping" + continue fi + path=$(printf "%s" "$cc_out" | sed -n 's/^paths //p') + [ -n "$path" ] || { + ignored=$(printf "%s" "$cc_out" | \ + sed -n 's/^skip_cfgs //p') + + if [ -n "$ignored" ]; then + dinfo " microcode_ctl: configuration" \ + "\"$i\" is ignored" + else + dinfo " microcode_ctl: no microcode paths" \ + "are associated with \"$i\", skipping" + fi + + continue + } + dinfo " microcode_ctl: $i: caveats check for kernel" \ "version \"$kernel\" passed, adding" \ "\"$DATA_DIR/$i\" to fw_dir variable" diff --git a/SOURCES/gen_provides.sh b/SOURCES/gen_provides.sh index c0c6b1d..5e2a2a4 100755 --- a/SOURCES/gen_provides.sh +++ b/SOURCES/gen_provides.sh @@ -21,31 +21,75 @@ for f in $(grep -E '/intel-ucode.*/[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0- ucode_fname="$ucode_caveat/$ucode" file_sz="$(stat -c "%s" "$f")" skip=0 + ext_hdr=0 + ext_sig_cnt=0 + ext_sig_pos=0 + next_skip=0 + # Microcode header format description: + # https://gitlab.com/iucode-tool/iucode-tool/blob/master/intel_microcode.c while :; do [ "$skip" -lt "$file_sz" ] || break - # Microcode header format description: - # https://gitlab.com/iucode-tool/iucode-tool/blob/master/intel_microcode.c - IFS=' ' read hdrver rev \ - date_y date_d date_m \ - cpuid cksum ldrver \ - pf_mask datasz totalsz <<- EOF - $(dd if="$f" bs=1 skip="$skip" count=36 status=none \ - | hexdump -e '"" 1/4 "%u " 1/4 "%#x " \ - 1/2 "%04x " 1/1 "%02x " 1/1 "%02x " \ - 1/4 "%08x " 1/4 "%x " 1/4 "%#x " \ - 1/4 "%u " 1/4 "%u " 1/4 "%u" "\n"') - EOF - - [ 0 != "$datasz" ] || datasz=2000 - [ 0 != "$totalsz" ] || totalsz=2048 - - # TODO: add some sanity/safety checks here. As of now, there's - # a (pretty fragile) assumption that all the matched files - # are valid Intel microcode files in the expected format. - - skip=$((skip + totalsz)) + # Do we parse ext_sig table or another microcode header? + if [ 0 != "$next_skip" ]; then + # Check whether we should abort ext_sig table parsing + [ \( "${skip}" -lt "${next_skip}" \) -a \ + \( "${ext_sig_pos}" -lt "${ext_sig_cnt}" \) ] || { + skip="${next_skip}" + next_skip=0 + continue + } + + # ext_sig, 12 bytes in size + IFS=' ' read cpuid pf_mask <<- EOF + $(hexdump -s "$skip" -n 8 \ + -e '"" 1/4 "%08x " 1/4 "%u" "\n"' "$f") + EOF + + skip="$((skip + 12))" + ext_sig_pos="$((ext_sig_pos + 1))" + else + # Microcode header, 48 bytes, last 3 fields reserved + IFS=' ' read hdrver rev \ + date_y date_d date_m \ + cpuid cksum ldrver \ + pf_mask datasz totalsz <<- EOF + $(hexdump -s "$skip" -n 36 \ + -e '"" 1/4 "%u " 1/4 "%#x " \ + 1/2 "%04x " 1/1 "%02x " 1/1 "%02x " \ + 1/4 "%08x " 1/4 "%x " 1/4 "%#x " \ + 1/4 "%u " 1/4 "%u " 1/4 "%u" "\n"' "$f") + EOF + + [ 0 != "$datasz" ] || datasz=2000 + [ 0 != "$totalsz" ] || totalsz=2048 + + # TODO: add some sanity/safety checks here. As of now, + # there's a (pretty fragile) assumption that all + # the matched files are valid Intel microcode + # files in the expected format. + + # ext_sig table is after the microcode payload, + # check for its presence + if [ 48 -lt "$((totalsz - datasz))" ]; then + next_skip="$((skip + totalsz))" + skip="$((skip + datasz + 48))" + ext_sig_pos=0 + + # ext_sig table header, 20 bytes in size, + # last 3 fields are reserved. + IFS=' ' read ext_sig_cnt <<- EOF + $(hexdump -s "$skip" -n 4 \ + -e '"" 1/4 "%u" "\n"' "$f") + EOF + + skip="$((skip + 20))" + else + skip="$((skip + totalsz))" + next_skip=0 + fi + fi #[ -n "$rev" ] || continue diff --git a/SOURCES/intel_config b/SOURCES/intel_config index d37878d..1f47b87 100644 --- a/SOURCES/intel_config +++ b/SOURCES/intel_config @@ -1,5 +1,5 @@ path intel-ucode/* -vendor_id GenuineIntel +vendor GenuineIntel kernel_early 4.10.0 kernel_early 3.10.0-930 kernel_early 3.10.0-862.14.1 diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec index 66933e1..b425ef5 100644 --- a/SPECS/microcode_ctl.spec +++ b/SPECS/microcode_ctl.spec @@ -1,5 +1,4 @@ -%define intel_ucode_version 20191115 -%define intel_ucode_file_id 28727 +%define intel_ucode_version 20200609 %global debug_package %{nil} %define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats @@ -14,10 +13,10 @@ Summary: CPU microcode updates for Intel x86 processors Name: microcode_ctl Version: %{intel_ucode_version} -Release: 4%{?dist} +Release: 2%{?dist} Epoch: 4 License: CC0 and Redistributable, no modification permitted -URL: https://downloadcenter.intel.com/download/%{intel_ucode_file_id}/Linux-Processor-Microcode-Data-File +URL: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz # (Pre-MDS) revision 0x714 of 06-2d-07 microcode @@ -26,6 +25,15 @@ Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Fi # (Pre-20191112) revision 0x2000064 of 06-55-04 microcode Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04 +# (Pre-20200609) revision 0xd6 of 06-4e-03/06-5e-03 microcode +Source4: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-4e-03 +Source5: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-5e-03 + +# microcode-20190918 release,containing revision 0xb4/0xb8 of 06-[89]e-0X microcode +Source6: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20190918.tar.gz +# microcode-20191115 release,containing revision 0xca of 06-[89]e-0X microcode +Source7: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20191115.tar.gz + # systemd unit Source10: microcode.service @@ -71,16 +79,50 @@ Source130: 06-55-04_readme Source131: 06-55-04_config Source132: 06-55-04_disclaimer +# SKL-U/Y (CPUID 0x406e3) post-20200609 hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 +Source140: 06-4e-03_readme +Source141: 06-4e-03_config +Source142: 06-4e-03_disclaimer + +# SKL-H/S/Xeon E3 v5 (CPUID 0x506e3) post-20200609 possible hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 +Source150: 06-5e-03_readme +Source151: 06-5e-03_config +Source152: 06-5e-03_disclaimer + +# Dell 06-[89]e-0x hangs - intermediate 0xca microcode revision +# https://bugzilla.redhat.com/show_bug.cgi?id=1807960 +# https://bugzilla.redhat.com/show_bug.cgi?id=1846097 +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23 +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24 +# https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1862751 +Source160: 06-8e-9e-0x-0xca_readme +Source161: 06-8e-9e-0x-0xca_config +Source162: 06-8e-9e-0x-0xca_disclaimer + +# Dell 06-[89]e-0x hangs - latest microcode revision +# https://bugzilla.redhat.com/show_bug.cgi?id=1807960 +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33 +# https://bugs.debian.org/962757 +# https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1882943 +Source170: 06-8e-9e-0x-dell_readme +Source171: 06-8e-9e-0x-dell_config +Source172: 06-8e-9e-0x-dell_disclaimer + # "Provides:" RPM tags generator Source200: gen_provides.sh ExclusiveArch: %{ix86} x86_64 BuildRequires: systemd-units -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd -Requires(posttrans): dracut +# hexdump is used in gen_provides.sh +BuildRequires: coreutils util-linux +Requires: coreutils +Requires(post): systemd coreutils +Requires(preun): systemd coreutils +Requires(postun): systemd coreutils +Requires(posttrans): dracut coreutils %global _use_internal_dependency_generator 0 %define __find_provides "%{SOURCE200}" @@ -107,6 +149,26 @@ cp "%{SOURCE2}" intel-ucode/ mv intel-ucode/06-55-04 intel-ucode-with-caveats/ cp "%{SOURCE3}" intel-ucode/ +# replacing SKL-U/Y (CPUID 0x4063e) microcode with pre-20200609 version +mv intel-ucode/06-4e-03 intel-ucode-with-caveats/ +cp "%{SOURCE4}" intel-ucode/ + +# replacing SKL-H/S/Xeon E3 v5 (CPUID 0x5063e) microcode with pre-20200609 version +mv intel-ucode/06-5e-03 intel-ucode-with-caveats/ +cp "%{SOURCE5}" intel-ucode/ + +# Replacing the latest 06-[89]e-0x caveat with pre-20191112 version +mv intel-ucode/06-[89]e-0* intel-ucode-with-caveats/ +tar xvvf "%{SOURCE6}" --wildcards --strip-components=1 \ + '*/intel-ucode/06-[89]e-0*' + +# Unpacking intermediate 06-[89]e-0x microcode revision 0xca (from microcode-20191115) +mkdir -p intel-ucode-0xca +pushd intel-ucode-0xca +tar xvvf "%{SOURCE7}" --wildcards --strip-components=2 \ + '*/intel-ucode/06-[89]e-0*' +popd + : %install @@ -151,6 +213,7 @@ install -m 644 releasenote \ # caveats install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \ + "%{SOURCE140}" "%{SOURCE150}" "%{SOURCE160}" "%{SOURCE170}" \ -t "%{buildroot}/%{_pkgdocdir}/caveats/" @@ -181,12 +244,44 @@ install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config" install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer" # SKL-SP caveat -%define skl_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/ -install -m 755 -d "%{skl_inst_dir}/intel-ucode" -install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_inst_dir}/intel-ucode/" -install -m 644 "%{SOURCE130}" "%{skl_inst_dir}/readme" -install -m 644 "%{SOURCE131}" "%{skl_inst_dir}/config" -install -m 644 "%{SOURCE132}" "%{skl_inst_dir}/disclaimer" +%define skl_sp_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/ +install -m 755 -d "%{skl_sp_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_sp_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE130}" "%{skl_sp_inst_dir}/readme" +install -m 644 "%{SOURCE131}" "%{skl_sp_inst_dir}/config" +install -m 644 "%{SOURCE132}" "%{skl_sp_inst_dir}/disclaimer" + +# SKL-U/Y caveat +%define skl_uy_inst_dir %{buildroot}/%{caveat_dir}/intel-06-4e-03/ +install -m 755 -d "%{skl_uy_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-4e-03 -t "%{skl_uy_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE140}" "%{skl_uy_inst_dir}/readme" +install -m 644 "%{SOURCE141}" "%{skl_uy_inst_dir}/config" +install -m 644 "%{SOURCE142}" "%{skl_uy_inst_dir}/disclaimer" + +# SKL-H/S/Xeoon E3 v5 caveat +%define skl_hs_inst_dir %{buildroot}/%{caveat_dir}/intel-06-5e-03/ +install -m 755 -d "%{skl_hs_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-5e-03 -t "%{skl_hs_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE150}" "%{skl_hs_inst_dir}/readme" +install -m 644 "%{SOURCE151}" "%{skl_hs_inst_dir}/config" +install -m 644 "%{SOURCE152}" "%{skl_hs_inst_dir}/disclaimer" + +# Dell 06-[89]e-0x 0xca caveat +%define dell_0xca_inst_dir %{buildroot}/%{caveat_dir}/intel-06-8e-9e-0x-0xca/ +install -m 755 -d "%{dell_0xca_inst_dir}/intel-ucode" +install -m 644 intel-ucode-0xca/06-[89]e-0? -t "%{dell_0xca_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE160}" "%{dell_0xca_inst_dir}/readme" +install -m 644 "%{SOURCE161}" "%{dell_0xca_inst_dir}/config" +install -m 644 "%{SOURCE162}" "%{dell_0xca_inst_dir}/disclaimer" + +# Dell 06-[89]e-0x latest caveat +%define dell_latest_inst_dir %{buildroot}/%{caveat_dir}/intel-06-8e-9e-0x-dell/ +install -m 755 -d "%{dell_latest_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-[89]e-0? -t "%{dell_latest_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE170}" "%{dell_latest_inst_dir}/readme" +install -m 644 "%{SOURCE171}" "%{dell_latest_inst_dir}/config" +install -m 644 "%{SOURCE172}" "%{dell_latest_inst_dir}/disclaimer" %post @@ -211,21 +306,121 @@ exit 0 # dependency, it is pointless at best to regenerate the initramfs, # and also does not work with rpm-ostree: # https://bugzilla.redhat.com/show_bug.cgi?id=1199582 +# https://bugzilla.redhat.com/show_bug.cgi?id=1530400 +[ -d /run/systemd/system ] || exit 0 + +# We can't simply update all initramfs images, since "dracut --regenerate-all" +# generates initramfs even for removed kernels and if dracut generates botched +# initramfs image, that results in unbootable system, even with older kernels +# that can't be used as a fallback: +# https://bugzilla.redhat.com/show_bug.cgi?id=1420180 +# https://access.redhat.com/support/cases/#/case/01779274 +# https://access.redhat.com/support/cases/#/case/01814106 # -# Also check that the running kernel is actually installed: -# https://bugzilla.redhat.com/show_bug.cgi?id=1591664 -# We use the presence of symvers file as an indicator, the check similar -# to what weak-modules script does. +# ...and we can't simply limit ourselves to updating only the currently +# running kernel, as this doesn't work well with cases where kernel +# is installed before the updated microcode, or in the same transaction. +# And we can't rely on late update either, due to issues like this: +# https://bugzilla.redhat.com/show_bug.cgi?id=1710445 # -# Now that /boot/symvers-KVER.gz population is now relies on some shell scripts -# that are triggered by other shell scripts (kernel-install, which is a part -# of systemd) that called by RPM scripts, and systemd is not inclined to fix -# https://bugzilla.redhat.com/show_bug.cgi?id=1609698 -# https://bugzilla.redhat.com/show_bug.cgi?id=1609696 -# So, we check for symvers file inside /lib/modules. -if [ -d /run/systemd/system -a -e "/lib/modules/$(uname -r)/symvers.gz" ]; then - dracut -f -fi +# ...and there are also issues with setups with increased "installonly_limit" +# in /etc/yum.conf, which could lead to unacceptably long package installation +# times. +# +# So, in the end, we try to grab no more than 2 most recently installed kernels +# that are installed after the currently running one (with the currently running +# kernel that makes up to 3 in total, the default "installonly_limit" value) +# as a kernel package selection heuristic that tries to accomodate both the need +# to put the latest microcode in freshly installed kernels and also addresses +# existing concerns. +# +# For RPM selection, kernel flavours (like "debug" or "kdump" or "zfcp", +# with only the former being relevant to x86 architecture) are a part or RPM +# name; it's also a part of uname, with different separator used in RHEL 6/7 +# and RHEL 8. RT kernel, however, is special, as "rt" is another part +# of RPM name and it has its own versioning scheme both in NVR and uname. +# And there's the kernel package split in RHEL 8, so one should look for *-core +# and not the main package. +pkgs="kernel-core kernel-debug-core kernel-rt-core kernel-rt-debug-core" +qf='%%{NAME} %%{VERSION}-%%{RELEASE}.%%{ARCH} %%{installtime}\n' +: "${MICROCODE_RPM_KVER_LIMIT=2}" + +rpm -qa --qf "${qf}" ${pkgs} | sort -r -n -k'3,3' | { + kver_cnt=0 + processed="" + skipped="" + skip=0 + + while read -r pkgname vra install_ts; do + flavour='' + + # For x86, only "debug" flavour exists in RHEL 8 + [ "x${pkgname%*-debug-core}" = "x${pkgname}" ] \ + || flavour='+debug' + + kver_cnt="$((kver_cnt + 1))" + kver_uname="${vra}${flavour}" + + # Also check that the kernel is actually installed: + # https://bugzilla.redhat.com/show_bug.cgi?id=1591664 + # We use the presence of symvers file as an indicator, the check + # similar to what weak-modules script does. + # + # Now that /boot/symvers-KVER.gz population is now relies + # on some shell scripts that are triggered by other shell + # scripts (kernel-install, which is a part of systemd) that + # called by RPM scripts, and systemd is not inclined to fix + # https://bugzilla.redhat.com/show_bug.cgi?id=1609698 + # https://bugzilla.redhat.com/show_bug.cgi?id=1609696 + # So, we check for symvers file inside /lib/modules. + # + # XXX: Not sure if this check is still needed, since we now + # iterate over the rpm output. + [ -e "/lib/modules/${kver_uname}/symvers.gz" ] || continue + # Check that modules.dep for the kernel is present as well, + # otherwise dracut complains with "/lib/modules/.../modules.dep + # is missing. Did you run depmod?". + [ -e "/lib/modules/${kver_uname}/modules.dep" ] || continue + + # We update the kernels with the same uname as the running kernel + # regardless of the selected limit + if [ "x$(uname -r)" = "x${kver_uname}" \ + -o \( "${kver_cnt}" -le "${MICROCODE_RPM_KVER_LIMIT}" \ + -a "${skip}" = 0 \) ] + then + dracut -f --kver "${kver_uname}" + + processed="${processed} ${pkgname}-${vra}" + else + skipped="${skipped} ${pkgname}-${vra}" + fi + + # The packages are processed until a package with the same uname + # as the running kernel is hit (since they are sorted + # in the descending installation time stamp older). + [ "x$(uname -r)" != "x${kver_uname}" ] || skip=1 + done + + if [ -n "${skipped}" ]; then + skip_msg="After installation of a new version of microcode_ctl package, +initramfs hasn't been re-generated for all the installed kernel packages. +The following kernel packages have been skipped:${skipped}. +Please re-generate initramfs manually for these kernel packages with the +\"dracut -f --kver KERNEL_VERSION\" command in order to get the latest +Intel CPU microcode included into early initramfs image for it, if needed." + + if [ -e /usr/bin/logger ]; then + echo "${skip_msg}" | + /usr/bin/logger -p syslog.notice -t microcode_ctl + fi + + if [ -e /dev/kmsg ]; then + echo "${skip_msg}" > /dev/kmsg + fi + fi +} + +exit 0 %global rpm_state_dir %{_localstatedir}/lib/rpm-state @@ -318,6 +513,95 @@ rm -rf %{buildroot} %changelog +* Mon Jun 22 2020 Eugene Syromiatnikov - 4:20200609-2 +- Blacklist latest microcode revision for 06-[89]e-0x CPUs (AML-Y, + CFL-H/S/U/Xeon E, CML-Y, KBL-G/H/S/X/U/Y/Xeon E3 v6, WHL-U) on Dell systems, + use revision 0xae/0xb4/0xb8 by default, provide the latest revision + and intermediate revision 0xca in caveats (#1807960, #1846097). + +* Mon Jun 15 2020 Eugene Syromiatnikov - 4:20200609-1 +- Update Intel CPU microcode to microcode-20200609 release (#1845967): + - Fixed a typo in the release note file. + +* Mon Jun 15 2020 Eugene Syromiatnikov - 4:20200602-5 +- Enable 06-2d-07 (SNB-E/EN/EP) caveat by default. + +* Mon Jun 15 2020 Eugene Syromiatnikov - 4:20200602-4 +- Enable 06-55-04 (SKL-X/W) caveat by default. + +* Sun Jun 14 2020 Eugene Syromiatnikov - 4:20200602-3 +- Do not update 06-4e-03 (SKL-U/Y) and 06-5e-03 (SKL-H/S/Xeon E3 v5) to revision + 0xdc, use 0xd6 by default (#1846119). + +* Thu Jun 04 2020 Eugene Syromiatnikov - 4:20200602-2 +- Avoid temporary file creation, used for here-documents in check_caveats + (#1839163). + +* Wed Jun 03 2020 Eugene Syromiatnikov - 4:20200602-1 +- Update Intel CPU microcode to microcode-20200602 release, addresses + CVE-2020-0543, CVE-2020-0548, CVE-2020-0549 (#1795354, #1795356, #1827184): + - Update of 06-3c-03/0x32 (HSW C0) microcode from revision 0x27 up to 0x28; + - Update of 06-3d-04/0xc0 (BDW-U/Y E0/F0) microcode from revision 0x2e + up to 0x2f; + - Update of 06-45-01/0x72 (HSW-U C0/D0) microcode from revision 0x25 + up to 0x26; + - Update of 06-46-01/0x32 (HSW-H C0) microcode from revision 0x1b up to 0x1c; + - Update of 06-47-01/0x22 (BDW-H/Xeon E3 E0/G0) microcode from revision 0x21 + up to 0x22; + - Update of 06-4e-03/0xc0 (SKL-U/Y D0) microcode from revision 0xd6 + up to 0xdc; + - Update of 06-55-03/0x97 (SKX-SP B1) microcode from revision 0x1000151 + up to 0x1000157; + - Update of 06-55-04/0xb7 (SKX-SP H0/M0/U0, SKX-D M1) microcode + (in intel-06-55-04/intel-ucode/06-55-04) from revision 0x2000065 + up to 0x2006906; + - Update of 06-55-06/0xbf (CLX-SP B0) microcode from revision 0x400002c + up to 0x4002f01; + - Update of 06-55-07/0xbf (CLX-SP B1) microcode from revision 0x500002c + up to 0x5002f01; + - Update of 06-5e-03/0x36 (SKL-H/S R0/N0) microcode from revision 0xd6 + up to 0xdc; + - Update of 06-8e-09/0x10 (AML-Y22 H0) microcode from revision 0xca + up to 0xd6; + - Update of 06-8e-09/0xc0 (KBL-U/Y H0) microcode from revision 0xca + up to 0xd6; + - Update of 06-8e-0a/0xc0 (CFL-U43e D0) microcode from revision 0xca + up to 0xd6; + - Update of 06-8e-0b/0xd0 (WHL-U W0) microcode from revision 0xca + up to 0xd6; + - Update of 06-8e-0c/0x94 (AML-Y42 V0, CML-Y42 V0, WHL-U V0) microcode + from revision 0xca up to 0xd6; + - Update of 06-9e-09/0x2a (KBL-G/H/S/X/Xeon E3 B0) microcode from revision + 0xca up to 0xd6; + - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E3 U0) microcode from revision 0xca + up to 0xd6; + - Update of 06-9e-0b/0x02 (CFL-S B0) microcode from revision 0xca up to 0xd6; + - Update of 06-9e-0c/0x22 (CFL-H/S P0) microcode from revision 0xca + up to 0xd6; + - Update of 06-9e-0d/0x22 (CFL-H R0) microcode from revision 0xca up to 0xd6. + +* Fri May 22 2020 Eugene Syromiatnikov - 4:20200520-1 +- Update Intel CPU microcode to microcode-20200520 release (#1783103): + - Update of 06-2d-06/0x6d (SNB-E/EN/EP C1/M0) microcode from revision 0x61f + up to 0x621; + - Update of 06-2d-07/0x6d (SNB-E/EN/EP C2/M1) microcode from revision 0x718 + up to 0x71a. + +* Tue May 12 2020 Eugene Syromiatnikov - 4:20200508-1 +- Update Intel CPU microcode to microcode-20200508 release (#1783103): + - Update of 06-7e-05/0x80 (ICL-U/Y D1) microcode from revision 0x46 + up to 0x78. +- Change the URL to point to the GitHub repository since the microcode download + section at Intel Download Center does not exist anymore. + +* Thu May 07 2020 Eugene Syromiatnikov - 4:20191115-6 +- Narrow down SKL-SP/W/X blacklist to exclude Server/FPGA/Fabric segment + models (#1833036). + +* Wed Apr 29 2020 Eugene Syromiatnikov - 4:20191115-5 +- Re-generate initramfs not only for the currently running kernel, + but for several recently installed kernels as well (#1773338). + * Mon Dec 09 2019 Eugene Syromiatnikov - 4:20191115-4 - Avoid find being SIGPIPE'd on early "grep -q" exit in the dracut script (#1781365).