diff --git a/.gitignore b/.gitignore index 9746acd..73b7846 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ -SOURCES/microcode-20190514a.tar.gz +SOURCES/06-2d-07 +SOURCES/06-55-04 +SOURCES/microcode-20191115.tar.gz diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata index d49f21d..49611a4 100644 --- a/.microcode_ctl.metadata +++ b/.microcode_ctl.metadata @@ -1 +1,3 @@ -252f56e1e1e6dc491813cb649c5c83fe1ff1c122 SOURCES/microcode-20190514a.tar.gz +bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07 +2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04 +774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz diff --git a/SOURCES/06-2d-07_config b/SOURCES/06-2d-07_config new file mode 100644 index 0000000..23e1d08 --- /dev/null +++ b/SOURCES/06-2d-07_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-2d-07 +path intel-ucode/06-2d-07 +disable early late diff --git a/SOURCES/06-2d-07_disclaimer b/SOURCES/06-2d-07_disclaimer new file mode 100644 index 0000000..c8d99c4 --- /dev/null +++ b/SOURCES/06-2d-07_disclaimer @@ -0,0 +1,4 @@ +MDS-related microcode update for Intel Sandy Bridge-EP (family 6, model 45, +stepping 7; CPUID 0x206d7) CPUs is disabled as it may cause system instability. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-2d-07_readme b/SOURCES/06-2d-07_readme new file mode 100644 index 0000000..60c20d4 --- /dev/null +++ b/SOURCES/06-2d-07_readme 
@@ -0,0 +1,55 @@ +Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7) +have issues with MDS-related microcode update that may lead to a system hang +after a microcode update. In order to address this, microcode update +to the MDS-related revision 0x718 has been disabled, and the previously +published microcode revision 0x714 is used by default for the OS-driven +microcode update. + +For the reference, SHA1 checksums of 06-2d-07 microcode files containing +microcode revisions in question are listed below: + * 06-2d-07, revision 0x714: bcf2173cd3dd499c37defbc2533703cfa6ec2430 + * 06-2d-07, revision 0x718: 837cfebbfc09b911151dfd179082ad99cf87e85d + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + +The information regarding enforcing microcode load is provided below. 
+ +To enforce usage of the 0x718 microcode revision for a specific kernel version, +please create file "force-intel-06-2d-07" inside /lib/firmware/ +directory, run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware +directory where microcode will be available for late microcode update, +and run "dracut -f --kver ", so initramfs for this kernel +version is regenerated and the microcode can be loaded early, for example: + + touch /lib/firmware/3.10.0-862.9.1/force-intel-06-2d-07 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +After that, it is possible to perform a late microcode update by executing +"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to +"/sys/devices/system/cpu/microcode/reload" directly. + +To enforce addition of this microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07", run +"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, +and "dracut -f --regenerate-all" for enabling early microcode updates: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/06-4f-01_disclaimer b/SOURCES/06-4f-01_disclaimer new file mode 100644 index 0000000..d5bc60d --- /dev/null +++ b/SOURCES/06-4f-01_disclaimer @@ -0,0 +1,4 @@ +microcode update for Intel Broadwell-EP/EX (BDX-ML B/M/R0; family 6, model 79, +stepping 1; CPUID 0x406f1) CPUs is disabled as it may cause system instability. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-4f-01_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-4f-01_readme b/SOURCES/06-4f-01_readme index 740ad18..962c7a6 100644 --- a/SOURCES/06-4f-01_readme +++ b/SOURCES/06-4f-01_readme 
@@ -49,6 +49,7 @@ kernels, please create a file "/etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01" and run "/usr/libexec/microcode_ctl/update_ucode": + mkdir -p /etc/microcode_ctl/ucode_with_caveats touch /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01 /usr/libexec/microcode_ctl/update_ucode @@ -64,10 +65,11 @@ For enforcing early load of this microcode for all kernels, please create a file "/etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01" and run dracut -f --regenerate-all: + mkdir -p /etc/microcode_ctl/ucode_with_caveats touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01 dracut -f --regenerate-all -If you want avoid removal of the microcode file during cleanup performed by +If you want to avoid removal of the microcode file during cleanup performed by /usr/libexec/microcode_ctl/update_ucode, please remove the corresponding readme file (/lib/firmware//readme-intel-06-4f-01). diff --git a/SOURCES/06-55-04_config b/SOURCES/06-55-04_config new file mode 100644 index 0000000..6ba6d76 --- /dev/null +++ b/SOURCES/06-55-04_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-55-04 +path intel-ucode/06-55-04 +disable early late diff --git a/SOURCES/06-55-04_disclaimer b/SOURCES/06-55-04_disclaimer new file mode 100644 index 0000000..238d233 --- /dev/null +++ b/SOURCES/06-55-04_disclaimer @@ -0,0 +1,6 @@ +Microcode revision 0x2000065 for Intel Skylake-SP/X/W (family 6, model 85, +stepping 4; CPUID 0x50654) CPUs that has been included into microcode-20191112 +release is disabled as it may cause system instability and the previous revision +0x2000064 is used instead. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-04_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme new file mode 100644 index 0000000..41fb757 --- /dev/null +++ b/SOURCES/06-55-04_readme 
@@ -0,0 +1,61 @@ +Intel Skulake Scalable Platform CPU models (SKL-SP/W/X, family 6, model 85, +stepping 4) have reports of system hangs when revision 0x2000065 of microcode, +that is included since microcode-20191112 update, is applied. In order +to address this, microcode update to this revision has been disabled, +and the previously published microcode revision 0x2000064 is used by default +for the OS-driven microcode update. + +For the reference, SHA1 checksums of 06-55-04 microcode files containing +microcode revisions in question are listed below: + * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a + * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23 + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov + +The information regarding enforcing microcode update is provided below. 
+ +To enforce usage of the 0x2000065 microcode revision for a specific kernel +version, please create a file "force-intel-06-55-04" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory +where microcode will be available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated and the microcode can be loaded early, for example: + + touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-04 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +After that, it is possible to perform a late microcode update by executing +"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to +"/sys/devices/system/cpu/microcode/reload" directly. + +To enforce addition of this microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04", run +"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, +and "dracut -f --regenerate-all" for enabling early microcode updates: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats index 6f98122..4ead5e5 100644 --- a/SOURCES/README.caveats +++ b/SOURCES/README.caveats 
@@ -389,8 +389,10 @@ when a microcode update performed on a kernel that contains those changes. As a result, microcode update for this CPU model is disabled by default; the microcode file, however, is still shipped as a part of microcode_ctl package and can be used for performing a microcode update if it is enforced -via the aforementioned overridden. (See sections "check_caveats script" -and "reload_microcode script" for details). +via the aforementioned overrides. (See the sections "check_caveats script" +and "reload_microcode script" for details.) + +Caveat name: intel-06-4f-01 Affected microcode: intel-ucode/06-4f-01. @@ -418,9 +420,12 @@ from a cpio archive placed at the beginning of the initramfs image. However, when an early microcode update is attempted inside some virtualised environments, that may result in unexpected system behaviour. +Caveat name: intel + Affected microcode: all. -Mitigation: early microcode loading is disabled for all CPU models. +Mitigation: early microcode loading is disabled for all CPU models on kernels +without the fix. Minimum versions of the kernel package that contain the fix: - Upstream/RHEL 8: 4.10.0 
@@ -431,16 +436,52 @@ Minimum versions of the kernel package that contain the fix: - RHEL 7.2: 3.10.0-327.73.1 +Intel Sandy Bridge-E/EN/EP caveat +--------------------------------- +MDS-related microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP +(SNB-EP, family 6, model 45, stepping 7) may lead to system instability. +In order to address this, this microcode update is not used and the previous +microcode revision is provided instead by default; the microcode file, however, +is still shipped as part of microcode_ctl package and can be used for performing +a microcode update if it is enforced via the aforementioned overrides. (See +the sections "check_caveats script" and "reload_microcode script" for details.) + +Caveat name: intel-06-2d-07 + +Affected microcode: intel-ucode/06-2d-07. + +Mitigation: previously published microcode revision 0x714 is used by default. + + +Intel Skylake-SP/W/X caveat +--------------------------- +Microcode revision 0x2000065 for Intel Skylake Scalable Platform (SKL-SP/W/X, +family 6, model 85, stepping 4) may lead to system instability. +In order to address this, this microcode update is not used and the previous +microcode revision is provided instead by default; the microcode file, however, +is still shipped as part of microcode_ctl package and can be used for performing +a microcode update if it is enforced via the aforementioned overrides. +(See the sections "check_caveats script" and "reload_microcode script" +for details.) + +Caveat name: intel-06-55-04 + +Affected microcode: intel-ucode/06-55-04. + +Mitigation: previously published microcode revision 0x2000064 is used +by default. + + + Additional information ====================== -Red Hat provides updated microcode, developed by our microprocessor -partners, as a customer convenience. Please contact your hardware vendor -to determine whether more recent BIOS/firmware updates are recommended -because additional improvements may be available. 
+Red Hat provides updated microcode, developed by its microprocessor partners, +as a customer convenience. Please contact your hardware vendor to determine +whether more recent BIOS/firmware updates are recommended because additional +improvements may be available. Information regarding microcode revisions required for mitigating specific -microarchitectural side-channel attacks is available in the following -knowledge base articles: +Intel CPU vulnerabilities is available in the following knowledge base articles: * CVE-2017-5715 ("Spectre"): https://access.redhat.com/articles/3436091 * CVE-2018-3639 ("Speculative Store Bypass"): @@ -450,3 +491,8 @@ knowledge base articles: * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 ("Microarchitectural Data Sampling"): https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats index 93c7406..462d541 100755 --- a/SOURCES/check_caveats +++ b/SOURCES/check_caveats @@ -10,8 +10,10 @@ : ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats} usage() { - echo 'Usage: check_caveats [-e] [-k TARGET_KVER] [-c CONFIG] [-m] [-v]' + echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]' + echo ' [-m] [-v]' echo + echo ' -d - enables disclaimer printing mode' echo ' -e - check for early microcode load possibility (instead of' echo ' late microcode load)' echo ' -k - target version to check against, $(uname -r) is used' @@ -178,6 +180,9 @@ fail() fail_cfgs="$fail_cfgs $cfg" fail_paths="$fail_paths $cfg_path" + + [ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \ + || cat "${dir}/disclaimer" } #check_kver "$@" 
@@ -188,11 +193,16 @@ configs= kver=$(/bin/uname -r) verbose=0 early_check=0 +print_disclaimers=0 ret=0 -while getopts "ek:c:mv" opt; do +while getopts "dek:c:mv" opt; do case "${opt}" in + d) + print_disclaimers=1 + early_check=2 + ;; e) early_check=1 ;; @@ -472,6 +482,8 @@ for cfg in $(echo "${configs}"); do ok_paths="$ok_paths $cfg_path" done +[ 0 -eq "$print_disclaimers" ] || exit 0 + echo "cfgs$ret_cfgs" echo "skip_cfgs$skip_cfgs" echo "paths$ret_paths" diff --git a/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh b/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh index c14fcb9..9839d36 100755 --- a/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh +++ b/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh @@ -43,7 +43,8 @@ install() { dinfo " microcode_ctl: reset fw_dir to \"${fw_dir}\"" } - while read -d "/" -r i; do + fw_dir_add="" + while read -d $'\n' -r i; do dinfo " microcode_ctl: processing data directory " \ "\"$DATA_DIR/$i\"..." @@ -117,8 +118,10 @@ install() { # $path is a list of globs, so it needs special care for p in $(printf "%s" "$path"); do - find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \ - -print0 \ + # "true" is due to sporadic SIGPIPE from find + # when "grep -q" exits early. + { find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \ + -print0; true; } \ | grep -zFxq \ "$DATA_DIR/$i/$ucode_dir/$ucode" \ || continue @@ -143,8 +146,12 @@ install() { dinfo " microcode_ctl: $i: caveats check for kernel" \ "version \"$kernel\" passed, adding" \ "\"$DATA_DIR/$i\" to fw_dir variable" - fw_dir="$DATA_DIR/$i $fw_dir" + if [ 0 -eq "$do_skip_host_only" ]; then + fw_dir_add="$DATA_DIR/$i " + else + fw_dir_add="$DATA_DIR/$i $fw_dir_add" + fi # The list of directories is reverse-sorted in order to preserve the # "last wins" policy in case of presence of multiple microcode # revisions. 
@@ -153,11 +160,20 @@ install() { # but since the microcode search is done with the "first wins" policy # by the (early) microcode loading code, the correct microcode revision # still has to be picked. + # + # Note that dracut without patch [1] puts only the last directory + # in the early cpio; we try to address this by putting only the last + # matching caveat in the search path, but that workaround works only + # for host-only mode; non-host-only mode early cpio generation is still + # broken without that patch. + # + # [1] https://github.com/dracutdevs/dracut/commit/c44d2252bb4b done <<-EOF - $(find "$DATA_DIR" -maxdepth 1 -mindepth 1 -type d -printf "%f/" \ - | sort -r) + $(find "$DATA_DIR" -maxdepth 1 -mindepth 1 -type d -printf "%f\n" \ + | LC_ALL=C sort) EOF + fw_dir="${fw_dir_add}${fw_dir}" dinfo " microcode_ctl: final fw_dir: \"${fw_dir}\"" } diff --git a/SOURCES/gen_provides.sh b/SOURCES/gen_provides.sh index 0ecf7aa..c0c6b1d 100755 --- a/SOURCES/gen_provides.sh +++ b/SOURCES/gen_provides.sh @@ -1,4 +1,4 @@ -#! /bin/bash -efux +#! /bin/bash -efu # Generator of RPM "Provides:" tags for Intel microcode files. # diff --git a/SOURCES/intel_disclaimer b/SOURCES/intel_disclaimer new file mode 100644 index 0000000..c4669ba --- /dev/null +++ b/SOURCES/intel_disclaimer @@ -0,0 +1,10 @@ +This kernel doesn't handle early microcode load properly (it tries to load +microcode even in virtualised environment, which may lead to a panic on some +hypervisors), thus the microcode files have not been added to the initramfs +image. Please update your kernel to one of the following: + RHEL 7.5: kernel-3.10.0-862.14.1 or newer; + RHEL 7.4: kernel-3.10.0-693.38.1 or newer; + RHEL 7.3: kernel-3.10.0-514.57.1 or newer; + RHEL 7.2: kernel-3.10.0-327.73.1 or newer. +Please refer to /usr/share/doc/microcode_ctl/caveats/intel_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/intel_readme b/SOURCES/intel_readme index ed352e5..de9213d 100644 
--- a/SOURCES/intel_readme +++ b/SOURCES/intel_readme @@ -18,8 +18,7 @@ If you want to avoid early load of microcode for a specific kernel, please create "disallow-early-intel" file inside /lib/firmware/ directory and run dracut -f --kver "": - touch /lib/firmware/3.10.0-862.9.1/disallow-intel - /usr/libexec/microcode_ctl/update_ucode + touch /lib/firmware/3.10.0-862.9.1/disallow-early-intel dracut -f --kver 3.10.0-862.9.1 If you want to avoid early load of microcode for all kernels, please create @@ -27,14 +26,13 @@ If you want to avoid early load of microcode for all kernels, please create directory and run dracut -f --regenerate-all: mkdir -p /etc/microcode_ctl/ucode_with_caveats - touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel - dracut -f --kver 3.10.0-862.9.1 + touch /etc/microcode_ctl/ucode_with_caveats/disallow-early-intel + dracut -f --regenerate-all If you want to enforce early load of microcode for a specific kernel, please create "force-early-intel" file inside /lib/firmware/ directory and run dracut -f --kver "": - modir -p/lib/firmware/3.10.0-862.9.1/ touch /lib/firmware/3.10.0-862.9.1/force-early-intel dracut -f --kver 3.10.0-862.9.1 @@ -46,8 +44,9 @@ directory and run dracut -f --kver "": touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel dracut -f --regenerate-all -In order to override late load behaviour, the "early" part of file names should -be replaced with "late" (and there is no need to call dracut in that case). +In order to override the late load behaviour, the "early" part of file names +should be replaced with "late" (and there is no need to call dracut +in that case). Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec index 01ee903..66933e1 100644 --- a/SPECS/microcode_ctl.spec +++ b/SPECS/microcode_ctl.spec 
@@ -1,4 +1,4 @@ -%define intel_ucode_version 20190514a +%define intel_ucode_version 20191115 %define intel_ucode_file_id 28727 %global debug_package %{nil} @@ -13,13 +13,19 @@ Summary: CPU microcode updates for Intel x86 processors Name: microcode_ctl -Version: 20180807a -Release: 2.%{intel_ucode_version}.2%{?dist} +Version: %{intel_ucode_version} +Release: 4%{?dist} Epoch: 4 License: CC0 and Redistributable, no modification permitted URL: https://downloadcenter.intel.com/download/%{intel_ucode_file_id}/Linux-Processor-Microcode-Data-File Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz +# (Pre-MDS) revision 0x714 of 06-2d-07 microcode +Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07 + +# (Pre-20191112) revision 0x2000064 of 06-55-04 microcode +Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04 + # systemd unit Source10: microcode.service 
@@ -39,14 +45,34 @@ Source41: README.caveats ## Caveats # BDW EP/EX +# https://bugzilla.redhat.com/show_bug.cgi?id=1622180 +# https://bugzilla.redhat.com/show_bug.cgi?id=1623630 +# https://bugzilla.redhat.com/show_bug.cgi?id=1646383 Source100: 06-4f-01_readme Source101: 06-4f-01_config +Source102: 06-4f-01_disclaimer # Unsafe early MC update inside VM: # https://bugzilla.redhat.com/show_bug.cgi?id=1596627 Source110: intel_readme Source111: intel_config +Source112: intel_disclaimer + +# SNB-EP (CPUID 0x206d7) post-MDS hangs +# https://bugzilla.redhat.com/show_bug.cgi?id=1758382 +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15 +Source120: 06-2d-07_readme +Source121: 06-2d-07_config +Source122: 06-2d-07_disclaimer + +# SKL-SP/W/X (CPUID 0x50654) post-20191112 hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 +Source130: 06-55-04_readme +Source131: 06-55-04_config +Source132: 06-55-04_disclaimer + +# "Provides:" RPM tags generator Source200: gen_provides.sh ExclusiveArch: %{ix86} x86_64 @@ -54,7 +80,7 @@ BuildRequires: systemd-units Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -Requires(posttrans): kernel +Requires(posttrans): dracut %global _use_internal_dependency_generator 0 %define __find_provides "%{SOURCE200}" @@ -73,6 +99,14 @@ is no longer used for microcode upload and, as a result, no longer provided. %setup -n "Intel-Linux-Processor-Microcode-Data-Files-microcode-%{intel_ucode_version}" %build +# replacing SNB-EP (CPUID 0x206d7) microcode with pre-MDS version +mv intel-ucode/06-2d-07 intel-ucode-with-caveats/ +cp "%{SOURCE2}" intel-ucode/ + +# replacing SKL-SP/W/X (CPUID 0x50654) microcode with pre-20191112 version +mv intel-ucode/06-55-04 intel-ucode-with-caveats/ +cp "%{SOURCE3}" intel-ucode/ + : %install 
@@ -103,18 +137,21 @@ install "%{SOURCE30}" "%{SOURCE31}" "%{SOURCE32}" \ ## Documentation install -m 755 -d "%{buildroot}/%{_pkgdocdir}/caveats" +# caveats readme install "%{SOURCE41}" \ -m 644 -t "%{buildroot}/%{_pkgdocdir}/" # Provide Intel microcode license, as it requires so install -m 644 license \ "%{buildroot}/%{_pkgdocdir}/LICENSE.intel-ucode" + +# Provide release notes for Intel microcode install -m 644 releasenote \ "%{buildroot}/%{_pkgdocdir}/RELEASE_NOTES.intel-ucode" # caveats -install -m 644 "%{SOURCE100}" "%{SOURCE110}" \ - -t "%{buildroot}/%{_pkgdocdir}/caveats/" +install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \ + -t "%{buildroot}/%{_pkgdocdir}/caveats/" ## Caveat data @@ -122,9 +159,10 @@ install -m 644 "%{SOURCE100}" "%{SOURCE110}" \ # BDW caveat %define bdw_inst_dir %{buildroot}/%{caveat_dir}/intel-06-4f-01/ install -m 755 -d "%{bdw_inst_dir}/intel-ucode" -install -m 644 intel-ucode-with-caveats/* -t "%{bdw_inst_dir}/intel-ucode/" +install -m 644 intel-ucode-with-caveats/06-4f-01 -t "%{bdw_inst_dir}/intel-ucode/" install -m 644 "%{SOURCE100}" "%{bdw_inst_dir}/readme" install -m 644 "%{SOURCE101}" "%{bdw_inst_dir}/config" +install -m 644 "%{SOURCE102}" "%{bdw_inst_dir}/disclaimer" # Early update caveat %define intel_inst_dir %{buildroot}/%{caveat_dir}/intel/ 
@@ -132,12 +170,23 @@ install -m 755 -d "%{intel_inst_dir}/intel-ucode" install -m 644 intel-ucode/* -t "%{intel_inst_dir}/intel-ucode/" install -m 644 "%{SOURCE110}" "%{intel_inst_dir}/readme" install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config" +install -m 644 "%{SOURCE112}" "%{intel_inst_dir}/disclaimer" +# SNB caveat +%define snb_inst_dir %{buildroot}/%{caveat_dir}/intel-06-2d-07/ +install -m 755 -d "%{snb_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-2d-07 -t "%{snb_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE120}" "%{snb_inst_dir}/readme" +install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config" +install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer" -## Cleanup -#rm -f intel-ucode-with-caveats/06-4f-01 -#rmdir intel-ucode-with-caveats -#rm -rf intel-ucode +# SKL-SP caveat +%define skl_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/ +install -m 755 -d "%{skl_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE130}" "%{skl_inst_dir}/readme" +install -m 644 "%{SOURCE131}" "%{skl_inst_dir}/config" +install -m 644 "%{SOURCE132}" "%{skl_inst_dir}/disclaimer" %post @@ -145,6 +194,15 @@ install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config" %{update_ucode} %{reload_microcode} +# send the message to syslog, so it gets recorded on /var/log +if [ -e /usr/bin/logger ]; then + %{check_caveats} -m -d | /usr/bin/logger -p syslog.notice -t DISCLAIMER +fi +# also paste it over dmesg (some customers drop dmesg messages while +# others keep them into /var/log for the later case, we'll have the +# disclaimer recorded twice into system logs. +%{check_caveats} -m -d > /dev/kmsg + exit 0 %posttrans 
@@ -237,10 +295,10 @@ rm -f "%{rpm_state_dir}/microcode_ctl_un_file_list" exit 0 -%triggerin -- kernel-core +%triggerin -- kernel-core, kernel-debug-core, kernel-rt-core, kernel-rt-debug-core %{update_ucode} -%triggerpostun -- kernel-core +%triggerpostun -- kernel-core, kernel-debug-core, kernel-rt-core, kernel-rt-debug-core %{update_ucode} 
@@ -260,18 +318,112 @@ rm -rf %{buildroot} %changelog -* Sun Jun 02 2019 Eugene Syromiatnikov - 4:20180807a-2.20190514a.2 +* Mon Dec 09 2019 Eugene Syromiatnikov - 4:20191115-4 +- Avoid find being SIGPIPE'd on early "grep -q" exit in the dracut script + (#1781365). + +* Mon Dec 02 2019 Eugene Syromiatnikov - 4:20191115-3 +- Update stale posttrans dependency, add triggers for proper handling + of the debug kernel flavour along with kernel-rt (#1766178). + +* Mon Nov 18 2019 Eugene Syromiatnikov - 4:20191115-2 +- Do not update 06-55-04 (SKL-SP/W/X) to revision 0x2000065, use 0x2000064 + by default (#1774322). + +* Sat Nov 16 2019 Eugene Syromiatnikov - 4:20191115-1 +- Update Intel CPU microcode to microcode-20191115 release: + - Update of 06-4e-03/0xc0 (SKL-U/Y D0) from revision 0xd4 up to 0xd6; + - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) from revision 0xd4 + up to 0xd6; + - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) from revision 0xc6 up to 0xca; + - Update of 06-8e-09/0xc0 (KBL-U/Y H0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0b/0xd0 (WHL-U W0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0c/0x94 (AML-Y V0, CML-U 4+2 V0, WHL-U V0) from revision + 0xc6 up to 0xca; + - Update of 06-9e-09/0x2a (KBL-G/X H0, KBL-H/S/Xeon E3 B0) from revision 0xc6 + up to 0xca; + - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0b/0x02 (CFL-S B0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0c/0x22 (CFL-S/Xeon E P0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0d/0x22 (CFL-H/S R0) from revision 0xc6 up to 0xca; + - Update of 06-a6-00/0x80 (CML-U 6+2 A0) from revision 0xc6 up to 0xca. + +* Fri Nov 15 2019 Eugene Syromiatnikov - 4:20191113-1 +- Update Intel CPU microcode to microcode-20191113 release: + - Update of 06-9e-0c (CFL-H/S P0) microcode from revision 0xae up to 0xc6. +- Drop 0001-releasenote-changes-summary-fixes.patch. 
+ +* Tue Nov 12 2019 Eugene Syromiatnikov - 4:20191112-2 +- Package the publicy available microcode-20191112 release (#1755027): + - Addition of 06-4d-08/0x1 (AVN B0/C0) microcode at revision 0x12d; + - Addition of 06-55-06/0xbf (CSL-SP B0) microcode at revision 0x400002c; + - Addition of 06-7a-08/0x1 (GLK R0) microcode at revision 0x16; + - Update of 06-55-03/0x97 (SKL-SP B1) microcode from revision 0x1000150 + up to 0x1000151; + - Update of 06-55-04/0xb7 (SKL-SP H0/M0/U0, SKL-D M1) microcode from revision + 0x2000064 up to 0x2000065; + - Update of 06-55-07/0xbf (CSL-SP B1) microcode from revision 0x500002b + up to 0x500002c; + - Update of 06-7a-01/0x1 (GLK B0) microcode from revision 0x2e up to 0x32; +- Include 06-9e-0c (CFL-H/S P0) microcode from the microcode-20190918 release. +- Correct the releasenote file (0001-releasenote-changes-summary-fixes.patch). +- Update README.caveats with the link to the new Knowledge Base article. + +* Thu Nov 07 2019 Eugene Syromiatnikov - 4:20191112-1 +- Intel CPU microcode update to 20191112, addresses CVE-2017-5715, + CVE-2019-0117, CVE-2019-11135, CVE-2019-11139 (#1755019, #1764060, #1764073, + #1764952, #1764972, #1765000, #1765404, #1765416, #1766444, #1766873): + - Addition of 06-a6-00/0x80 (CML-U 6+2 A0) microcode at revision 0xc6; + - Addition of 06-66-03/0x80 (CNL-U D0) microcode at revision 0x2a; + - Addition of 06-55-03/0x97 (SKL-SP B1) microcode at revision 0x1000150; + - Addition of 06-7e-05/0x80 (ICL-U/Y D1) microcode at revision 0x46; + - Update of 06-4e-03/0xc0 (SKL-U/Y D0) microcode from revision 0xcc to 0xd4; + - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) microcode from revision 0xcc + to 0xd4 + - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode from revision 0xb4 to 0xc6; + - Update of 06-8e-09/0xc0 (KBL-U/Y H0) microcode from revision 0xb4 to 0xc6; + - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) microcode from revision 0xb4 + to 0xc6; + - Update of 06-8e-0b/0xd0 (WHL-U W0) microcode from revision 0xb8 to 
0xc6; + - Update of 06-8e-0c/0x94 (AML-Y V0) microcode from revision 0xb8 to 0xc6; + - Update of 06-8e-0c/0x94 (CML-U 4+2 V0) microcode from revision 0xb8 to 0xc6; + - Update of 06-8e-0c/0x94 (WHL-U V0) microcode from revision 0xb8 to 0xc6; + - Update of 06-9e-09/0x2a (KBL-G/X H0) microcode from revision 0xb4 to 0xc6; + - Update of 06-9e-09/0x2a (KBL-H/S/Xeon E3 B0) microcode from revision 0xb4 + to 0xc6; + - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) microcode from revision 0xb4 + to 0xc6; + - Update of 06-9e-0b/0x02 (CFL-S B0) microcode from revision 0xb4 to 0xc6; + - Update of 06-9e-0d/0x22 (CFL-H R0) microcode from revision 0xb8 to 0xc6. + +* Thu Oct 10 2019 Eugene Syromiatnikov - 4:20190918-3 +- Rework dracut hook to address dracut's early initramfs generation + behaviour (#1760508). + +* Sun Oct 06 2019 Eugene Syromiatnikov - 4:20190918-2 +- Do not update 06-2d-07 (SNB-E/EN/EP) to revision 0x718, use 0x714 + by default. + +* Thu Sep 19 2019 Eugene Syromiatnikov - 4:20190918-1 +- Intel CPU microcode update to 20190918 (#1753544). +- Add new disclaimer, generated based on relevant caveats. + +* Wed Jun 19 2019 Eugene Syromiatnikov - 4:20190618-1 +- Intel CPU microcode update to 20190618 (#1717240). + +* Sun Jun 02 2019 Eugene Syromiatnikov - 4:20190514a-2 - Remove disclaimer, as it is not as important now to justify kmsg/log pollution; its contents are partially adopted in README.caveats. -* Mon May 20 2019 Eugene Syromiatnikov - 4:20180807a-2.20190514a.1 -- Intel CPU microcode update to 20190514a (#1715334). +* Mon May 20 2019 Eugene Syromiatnikov - 4:20190514a-1 +- Intel CPU microcode update to 20190514a (#1711940). -* Fri May 10 2019 Eugene Syromiatnikov - 4:20180807a-2.20190507.1 -- Intel CPU microcode update to 20190507 (#1704339). +* Thu May 09 2019 Eugene Syromiatnikov - 4:20190507-1 +- Intel CPU microcode update to 20190507 (#1697901). -* Fri May 10 2019 Eugene Syromiatnikov 4:20180807a-2.20190312.1 -- Intel CPU microcode update to 20190312 (#1704339). 
+* Mon Apr 15 2019 Eugene Syromiatnikov 4:20190312-1 +- Intel CPU microcode update to 20190312 (#1660320). - Add "Provides:" tags generation. * Tue Nov 06 2018 Eugene Syromiatnikov 4:20180807a-2
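Review bot: In the new SOURCES/06-2d-07_readme (hunk @@ -0,0 +1,55 @@), the two reference checksums for revisions 0x714 and 0x718 are given as SHA1 only. The 0x714 value does match the SOURCES/06-2d-07 entry added to .microcode_ctl.metadata, so the text is consistent. Since the readme presents these values as the way to tell which revision a file contains, listing a SHA-256 next to each would let an administrator verify the file on disk without relying on SHA1 alone. The same applies to the checksum list in 06-55-04_readme.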
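Review bot: The first line of the new SOURCES/06-55-04_readme (hunk @@ -0,0 +1,61 @@) reads "Intel Skulake Scalable Platform CPU models"; this should be "Skylake", as spelled in 06-55-04_disclaimer and in the README.caveats section added by this same patch. Separately, the per-kernel example runs `touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-04` without a preceding `mkdir -p`, whereas the all-kernels example just below creates its directory first. Either add the `mkdir -p` or state that the directory is expected to exist.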
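Review bot: In SOURCES/check_caveats, hunk @@ -188,11 +193,16 @@, the new `d)` case sets `early_check=2`, a third value that neither the usage text nor a comment explains. Because `e)` assigns `early_check=1`, combining the flags is order-dependent: `-d -e` ends with 1 and `-e -d` ends with 2. Please document what mode 2 means next to the assignment, and either reject the `-d`/`-e` combination or keep disclaimer mode from overwriting `early_check`, so the result does not depend on argument order.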
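Review bot: In the dracut module, hunk @@ -117,8 +118,10 @@, `{ find ... -print0; true; }` makes the left side of the pipe succeed for every failure of find, not only the SIGPIPE case named in the comment. A real error, such as an unreadable directory under "$DATA_DIR/$i", then looks the same as "no match" and falls through to `|| continue` silently. If only the early `grep -q` exit is meant to be tolerated, check the status of find for the SIGPIPE value (141 in bash) and let other non-zero statuses be reported, or at least say in the comment that all find errors are being ignored on purpose.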
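Review bot: In the dracut module, hunks @@ -143,8 +146,12 @@ and @@ -153,11 +160,20 @@, the unchanged comment "The list of directories is reverse-sorted in order to preserve the "last wins" policy" no longer describes the code. The here-document now uses `LC_ALL=C sort` (ascending), and the reversal happens through the prepend in `fw_dir_add="$DATA_DIR/$i $fw_dir_add"`. Please update the comment to say so. In the host-only branch, `fw_dir_add="$DATA_DIR/$i "` overwrites on each match, so the surviving entry is whichever matching caveat directory sorts last in the C locale. That makes precedence depend on directory naming, which deserves a sentence in the comment alongside the dracut patch reference.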
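Review bot: In SOURCES/intel_readme, hunk @@ -27,14 +26,13 @@, the broken line `modir -p/lib/firmware/3.10.0-862.9.1/` is deleted rather than corrected, so the "force-early-intel" example now goes straight to `touch /lib/firmware/3.10.0-862.9.1/force-early-intel`. Other hunks in this patch add `mkdir -p /etc/microcode_ctl/ucode_with_caveats` ahead of the equivalent `touch`. For consistency, either restore the line as `mkdir -p /lib/firmware/3.10.0-862.9.1/` or note in the text that the per-kernel firmware directory must already exist.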
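Review bot: In SPECS/microcode_ctl.spec, the %build hunk @@ -73,6 +99,14 @@, nothing checks that the files being swapped are the revisions the readmes promise. `mv intel-ucode/06-2d-07 intel-ucode-with-caveats/` moves whatever the current tarball ships, and `cp "%{SOURCE2}" intel-ucode/` installs the replacement without comparing it to the checksum quoted in 06-2d-07_readme. The same holds for 06-55-04. A later bump of `intel_ucode_version` could change the moved file and leave the documented revision and checksum stale with no build failure. Consider a checksum comparison in %build for all four files against the values listed in the two readmes.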
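Review bot: In SPECS/microcode_ctl.spec, the %post hunk @@ -145,6 +194,15 @@, the logger call is guarded by `[ -e /usr/bin/logger ]` but `%{check_caveats} -m -d > /dev/kmsg` is not guarded at all. In a chroot, container or image build, /dev/kmsg may be missing or not writable, and the scriptlet will print a redirection error during package installation. Guard it with a writability test, for example `[ -w /dev/kmsg ]`, and use `-x` rather than `-e` for logger. The script is also run twice to produce the same text; capturing the output once and sending it to both sinks avoids the two copies diverging. In the comment, the parenthesis opened at "(some customers" is never closed and "later case" should read "latter case".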
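Review bot: In the %changelog hunk @@ -260,18 +318,112 @@, the 4:20191112-2 entry says "Package the publicy available microcode-20191112 release"; this should be "publicly". In the 4:20191112-1 entry the item "Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) microcode from revision 0xcc to 0xd4" lacks the trailing semicolon that every neighbouring item has. The last item of the 4:20191112-2 list ("06-7a-01/0x1 (GLK B0) ... up to 0x32;") ends with a semicolon where the other lists end with a full stop.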