diff --git a/.gitignore b/.gitignore
index 9746acd..73b7846 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
-SOURCES/microcode-20190514a.tar.gz
+SOURCES/06-2d-07
+SOURCES/06-55-04
+SOURCES/microcode-20191115.tar.gz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index d49f21d..49611a4 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -1 +1,3 @@
-252f56e1e1e6dc491813cb649c5c83fe1ff1c122 SOURCES/microcode-20190514a.tar.gz
+bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
+2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
+774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
diff --git a/SOURCES/06-2d-07_config b/SOURCES/06-2d-07_config
new file mode 100644
index 0000000..23e1d08
--- /dev/null
+++ b/SOURCES/06-2d-07_config
@@ -0,0 +1,3 @@
+model GenuineIntel 06-2d-07
+path intel-ucode/06-2d-07
+disable early late
diff --git a/SOURCES/06-2d-07_disclaimer b/SOURCES/06-2d-07_disclaimer
new file mode 100644
index 0000000..c8d99c4
--- /dev/null
+++ b/SOURCES/06-2d-07_disclaimer
@@ -0,0 +1,4 @@
+MDS-related microcode update for Intel Sandy Bridge-EP (family 6, model 45,
+stepping 7; CPUID 0x206d7) CPUs is disabled as it may cause system instability.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/06-2d-07_readme b/SOURCES/06-2d-07_readme
new file mode 100644
index 0000000..60c20d4
--- /dev/null
+++ b/SOURCES/06-2d-07_readme
@@ -0,0 +1,55 @@
+Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7)
+have issues with MDS-related microcode update that may lead to a system hang
+after a microcode update. In order to address this, microcode update
+to the MDS-related revision 0x718 has been disabled, and the previously
+published microcode revision 0x714 is used by default for the OS-driven
+microcode update.
+
+For the reference, SHA1 checksums of 06-2d-07 microcode files containing
+microcode revisions in question are listed below:
+ * 06-2d-07, revision 0x714: bcf2173cd3dd499c37defbc2533703cfa6ec2430
+ * 06-2d-07, revision 0x718: 837cfebbfc09b911151dfd179082ad99cf87e85d
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version. For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2017-5715 ("Spectre"):
+ https://access.redhat.com/articles/3436091
+ * CVE-2018-3639 ("Speculative Store Bypass"):
+ https://access.redhat.com/articles/3540901
+ * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
+ https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
+
+The information regarding enforcing microcode load is provided below.
+
+To enforce usage of the 0x718 microcode revision for a specific kernel version,
+please create file "force-intel-06-2d-07" inside /lib/firmware/<kernel_version>
+directory, run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware
+directory where microcode will be available for late microcode update,
+and run "dracut -f --kver <kernel_version>", so initramfs for this kernel
+version is regenerated and the microcode can be loaded early, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/force-intel-06-2d-07
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+After that, it is possible to perform a late microcode update by executing
+"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
+"/sys/devices/system/cpu/microcode/reload" directly.
+
+To enforce addition of this microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07", run
+"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
+and "dracut -f --regenerate-all" for enabling early microcode updates:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.
diff --git a/SOURCES/06-4f-01_disclaimer b/SOURCES/06-4f-01_disclaimer
new file mode 100644
index 0000000..d5bc60d
--- /dev/null
+++ b/SOURCES/06-4f-01_disclaimer
@@ -0,0 +1,4 @@
+microcode update for Intel Broadwell-EP/EX (BDX-ML B/M/R0; family 6, model 79,
+stepping 1; CPUID 0x406f1) CPUs is disabled as it may cause system instability.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-4f-01_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/06-4f-01_readme b/SOURCES/06-4f-01_readme
index 740ad18..962c7a6 100644
--- a/SOURCES/06-4f-01_readme
+++ b/SOURCES/06-4f-01_readme
@@ -49,6 +49,7 @@ kernels, please create a file
"/etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01"
and run "/usr/libexec/microcode_ctl/update_ucode":
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01
/usr/libexec/microcode_ctl/update_ucode
@@ -64,10 +65,11 @@ For enforcing early load of this microcode for all kernels, please
create a file "/etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01"
and run dracut -f --regenerate-all:
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01
dracut -f --regenerate-all
-If you want avoid removal of the microcode file during cleanup performed by
+If you want to avoid removal of the microcode file during cleanup performed by
/usr/libexec/microcode_ctl/update_ucode, please remove the corresponding readme
file (/lib/firmware/<kernel_version>/readme-intel-06-4f-01).
diff --git a/SOURCES/06-55-04_config b/SOURCES/06-55-04_config
new file mode 100644
index 0000000..6ba6d76
--- /dev/null
+++ b/SOURCES/06-55-04_config
@@ -0,0 +1,3 @@
+model GenuineIntel 06-55-04
+path intel-ucode/06-55-04
+disable early late
diff --git a/SOURCES/06-55-04_disclaimer b/SOURCES/06-55-04_disclaimer
new file mode 100644
index 0000000..238d233
--- /dev/null
+++ b/SOURCES/06-55-04_disclaimer
@@ -0,0 +1,6 @@
+Microcode revision 0x2000065 for Intel Skylake-SP/X/W (family 6, model 85,
+stepping 4; CPUID 0x50654) CPUs that has been included into microcode-20191112
+release is disabled as it may cause system instability and the previous revision
+0x2000064 is used instead.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-04_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme
new file mode 100644
index 0000000..41fb757
--- /dev/null
+++ b/SOURCES/06-55-04_readme
@@ -0,0 +1,61 @@
+Intel Skulake Scalable Platform CPU models (SKL-SP/W/X, family 6, model 85,
+stepping 4) have reports of system hangs when revision 0x2000065 of microcode,
+that is included since microcode-20191112 update, is applied. In order
+to address this, microcode update to this revision has been disabled,
+and the previously published microcode revision 0x2000064 is used by default
+for the OS-driven microcode update.
+
+For the reference, SHA1 checksums of 06-55-04 microcode files containing
+microcode revisions in question are listed below:
+ * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
+ * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version. For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2017-5715 ("Spectre"):
+ https://access.redhat.com/articles/3436091
+ * CVE-2018-3639 ("Speculative Store Bypass"):
+ https://access.redhat.com/articles/3540901
+ * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
+ https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
+ * CVE-2019-0117 (Intel SGX Information Leak),
+ CVE-2019-0123 (Intel SGX Privilege Escalation),
+ CVE-2019-11135 (TSX Asynchronous Abort),
+ CVE-2019-11139 (Voltage Setting Modulation):
+ https://access.redhat.com/solutions/2019-microcode-nov
+
+The information regarding enforcing microcode update is provided below.
+
+To enforce usage of the 0x2000065 microcode revision for a specific kernel
+version, please create a file "force-intel-06-55-04" inside
+/lib/firmware/<kernel_version> directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
+where microcode will be available for late microcode update, and run
+"dracut -f --kver <kernel_version>", so initramfs for this kernel version
+is regenerated and the microcode can be loaded early, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-04
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+After that, it is possible to perform a late microcode update by executing
+"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
+"/sys/devices/system/cpu/microcode/reload" directly.
+
+To enforce addition of this microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04", run
+"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
+and "dracut -f --regenerate-all" for enabling early microcode updates:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.
diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats
index 6f98122..4ead5e5 100644
--- a/SOURCES/README.caveats
+++ b/SOURCES/README.caveats
@@ -389,8 +389,10 @@ when a microcode update performed on a kernel that contains those changes.
As a result, microcode update for this CPU model is disabled by default;
the microcode file, however, is still shipped as a part of microcode_ctl
package and can be used for performing a microcode update if it is enforced
-via the aforementioned overridden. (See sections "check_caveats script"
-and "reload_microcode script" for details).
+via the aforementioned overrides. (See the sections "check_caveats script"
+and "reload_microcode script" for details.)
+
+Caveat name: intel-06-4f-01
Affected microcode: intel-ucode/06-4f-01.
@@ -418,9 +420,12 @@ from a cpio archive placed at the beginning of the initramfs image. However,
when an early microcode update is attempted inside some virtualised
environments, that may result in unexpected system behaviour.
+Caveat name: intel
+
Affected microcode: all.
-Mitigation: early microcode loading is disabled for all CPU models.
+Mitigation: early microcode loading is disabled for all CPU models on kernels
+without the fix.
Minimum versions of the kernel package that contain the fix:
- Upstream/RHEL 8: 4.10.0
@@ -431,16 +436,52 @@ Minimum versions of the kernel package that contain the fix:
- RHEL 7.2: 3.10.0-327.73.1
+Intel Sandy Bridge-E/EN/EP caveat
+---------------------------------
+MDS-related microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP
+(SNB-EP, family 6, model 45, stepping 7) may lead to system instability.
+In order to address this, this microcode update is not used and the previous
+microcode revision is provided instead by default; the microcode file, however,
+is still shipped as part of microcode_ctl package and can be used for performing
+a microcode update if it is enforced via the aforementioned overrides. (See
+the sections "check_caveats script" and "reload_microcode script" for details.)
+
+Caveat name: intel-06-2d-07
+
+Affected microcode: intel-ucode/06-2d-07.
+
+Mitigation: previously published microcode revision 0x714 is used by default.
+
+
+Intel Skylake-SP/W/X caveat
+---------------------------
+Microcode revision 0x2000065 for Intel Skylake Scalable Platform (SKL-SP/W/X,
+family 6, model 85, stepping 4) may lead to system instability.
+In order to address this, this microcode update is not used and the previous
+microcode revision is provided instead by default; the microcode file, however,
+is still shipped as part of microcode_ctl package and can be used for performing
+a microcode update if it is enforced via the aforementioned overrides.
+(See the sections "check_caveats script" and "reload_microcode script"
+for details.)
+
+Caveat name: intel-06-55-04
+
+Affected microcode: intel-ucode/06-55-04.
+
+Mitigation: previously published microcode revision 0x2000064 is used
+by default.
+
+
+
Additional information
======================
-Red Hat provides updated microcode, developed by our microprocessor
-partners, as a customer convenience. Please contact your hardware vendor
-to determine whether more recent BIOS/firmware updates are recommended
-because additional improvements may be available.
+Red Hat provides updated microcode, developed by its microprocessor partners,
+as a customer convenience. Please contact your hardware vendor to determine
+whether more recent BIOS/firmware updates are recommended because additional
+improvements may be available.
Information regarding microcode revisions required for mitigating specific
-microarchitectural side-channel attacks is available in the following
-knowledge base articles:
+Intel CPU vulnerabilities is available in the following knowledge base articles:
* CVE-2017-5715 ("Spectre"):
https://access.redhat.com/articles/3436091
* CVE-2018-3639 ("Speculative Store Bypass"):
@@ -450,3 +491,8 @@ knowledge base articles:
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151
+ * CVE-2019-0117 (Intel SGX Information Leak),
+ CVE-2019-0123 (Intel SGX Privilege Escalation),
+ CVE-2019-11135 (TSX Asynchronous Abort),
+ CVE-2019-11139 (Voltage Setting Modulation):
+ https://access.redhat.com/solutions/2019-microcode-nov
diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats
index 93c7406..462d541 100755
--- a/SOURCES/check_caveats
+++ b/SOURCES/check_caveats
@@ -10,8 +10,10 @@
: ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}
usage() {
- echo 'Usage: check_caveats [-e] [-k TARGET_KVER] [-c CONFIG] [-m] [-v]'
+ echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]'
+ echo ' [-m] [-v]'
echo
+ echo ' -d - enables disclaimer printing mode'
echo ' -e - check for early microcode load possibility (instead of'
echo ' late microcode load)'
echo ' -k - target version to check against, $(uname -r) is used'
@@ -178,6 +180,9 @@ fail()
fail_cfgs="$fail_cfgs $cfg"
fail_paths="$fail_paths $cfg_path"
+
+ [ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \
+ || cat "${dir}/disclaimer"
}
#check_kver "$@"
@@ -188,11 +193,16 @@ configs=
kver=$(/bin/uname -r)
verbose=0
early_check=0
+print_disclaimers=0
ret=0
-while getopts "ek:c:mv" opt; do
+while getopts "dek:c:mv" opt; do
case "${opt}" in
+ d)
+ print_disclaimers=1
+ early_check=2
+ ;;
e)
early_check=1
;;
@@ -472,6 +482,8 @@ for cfg in $(echo "${configs}"); do
ok_paths="$ok_paths $cfg_path"
done
+[ 0 -eq "$print_disclaimers" ] || exit 0
+
echo "cfgs$ret_cfgs"
echo "skip_cfgs$skip_cfgs"
echo "paths$ret_paths"
diff --git a/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh b/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh
index c14fcb9..9839d36 100755
--- a/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh
+++ b/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh
@@ -43,7 +43,8 @@ install() {
dinfo " microcode_ctl: reset fw_dir to \"${fw_dir}\""
}
- while read -d "/" -r i; do
+ fw_dir_add=""
+ while read -d $'\n' -r i; do
dinfo " microcode_ctl: processing data directory " \
"\"$DATA_DIR/$i\"..."
@@ -117,8 +118,10 @@ install() {
# $path is a list of globs, so it needs special care
for p in $(printf "%s" "$path"); do
- find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \
- -print0 \
+ # "true" is due to sporadic SIGPIPE from find
+ # when "grep -q" exits early.
+ { find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \
+ -print0; true; } \
| grep -zFxq \
"$DATA_DIR/$i/$ucode_dir/$ucode" \
|| continue
@@ -143,8 +146,12 @@ install() {
dinfo " microcode_ctl: $i: caveats check for kernel" \
"version \"$kernel\" passed, adding" \
"\"$DATA_DIR/$i\" to fw_dir variable"
- fw_dir="$DATA_DIR/$i $fw_dir"
+ if [ 0 -eq "$do_skip_host_only" ]; then
+ fw_dir_add="$DATA_DIR/$i "
+ else
+ fw_dir_add="$DATA_DIR/$i $fw_dir_add"
+ fi
# The list of directories is reverse-sorted in order to preserve the
# "last wins" policy in case of presence of multiple microcode
# revisions.
@@ -153,11 +160,20 @@ install() {
# but since the microcode search is done with the "first wins" policy
# by the (early) microcode loading code, the correct microcode revision
# still has to be picked.
+ #
+ # Note that dracut without patch [1] puts only the last directory
+ # in the early cpio; we try to address this by putting only the last
+ # matching caveat in the search path, but that workaround works only
+ # for host-only mode; non-host-only mode early cpio generation is still
+ # broken without that patch.
+ #
+ # [1] https://github.com/dracutdevs/dracut/commit/c44d2252bb4b
done <<-EOF
- $(find "$DATA_DIR" -maxdepth 1 -mindepth 1 -type d -printf "%f/" \
- | sort -r)
+ $(find "$DATA_DIR" -maxdepth 1 -mindepth 1 -type d -printf "%f\n" \
+ | LC_ALL=C sort)
EOF
+ fw_dir="${fw_dir_add}${fw_dir}"
dinfo " microcode_ctl: final fw_dir: \"${fw_dir}\""
}
diff --git a/SOURCES/gen_provides.sh b/SOURCES/gen_provides.sh
index 0ecf7aa..c0c6b1d 100755
--- a/SOURCES/gen_provides.sh
+++ b/SOURCES/gen_provides.sh
@@ -1,4 +1,4 @@
-#! /bin/bash -efux
+#! /bin/bash -efu
# Generator of RPM "Provides:" tags for Intel microcode files.
#
diff --git a/SOURCES/intel_disclaimer b/SOURCES/intel_disclaimer
new file mode 100644
index 0000000..c4669ba
--- /dev/null
+++ b/SOURCES/intel_disclaimer
@@ -0,0 +1,10 @@
+This kernel doesn't handle early microcode load properly (it tries to load
+microcode even in virtualised environment, which may lead to a panic on some
+hypervisors), thus the microcode files have not been added to the initramfs
+image. Please update your kernel to one of the following:
+ RHEL 7.5: kernel-3.10.0-862.14.1 or newer;
+ RHEL 7.4: kernel-3.10.0-693.38.1 or newer;
+ RHEL 7.3: kernel-3.10.0-514.57.1 or newer;
+ RHEL 7.2: kernel-3.10.0-327.73.1 or newer.
+Please refer to /usr/share/doc/microcode_ctl/caveats/intel_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/intel_readme b/SOURCES/intel_readme
index ed352e5..de9213d 100644
--- a/SOURCES/intel_readme
+++ b/SOURCES/intel_readme
@@ -18,8 +18,7 @@ If you want to avoid early load of microcode for a specific kernel, please
create "disallow-early-intel" file inside /lib/firmware/<kernel_version>
directory and run dracut -f --kver "<kernel_version>":
- touch /lib/firmware/3.10.0-862.9.1/disallow-intel
- /usr/libexec/microcode_ctl/update_ucode
+ touch /lib/firmware/3.10.0-862.9.1/disallow-early-intel
dracut -f --kver 3.10.0-862.9.1
If you want to avoid early load of microcode for all kernels, please create
@@ -27,14 +26,13 @@ If you want to avoid early load of microcode for all kernels, please create
directory and run dracut -f --regenerate-all:
mkdir -p /etc/microcode_ctl/ucode_with_caveats
- touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel
- dracut -f --kver 3.10.0-862.9.1
+ touch /etc/microcode_ctl/ucode_with_caveats/disallow-early-intel
+ dracut -f --regenerate-all
If you want to enforce early load of microcode for a specific kernel, please
create "force-early-intel" file inside /lib/firmware/<kernel_version> directory
and run dracut -f --kver "<kernel_version>":
- modir -p/lib/firmware/3.10.0-862.9.1/
touch /lib/firmware/3.10.0-862.9.1/force-early-intel
dracut -f --kver 3.10.0-862.9.1
@@ -46,8 +44,9 @@ directory and run dracut -f --kver "<kernel_version>":
touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel
dracut -f --regenerate-all
-In order to override late load behaviour, the "early" part of file names should
-be replaced with "late" (and there is no need to call dracut in that case).
+In order to override the late load behaviour, the "early" part of file names
+should be replaced with "late" (and there is no need to call dracut
+in that case).
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec
index 01ee903..66933e1 100644
--- a/SPECS/microcode_ctl.spec
+++ b/SPECS/microcode_ctl.spec
@@ -1,4 +1,4 @@
-%define intel_ucode_version 20190514a
+%define intel_ucode_version 20191115
%define intel_ucode_file_id 28727
%global debug_package %{nil}
@@ -13,13 +13,19 @@
Summary: CPU microcode updates for Intel x86 processors
Name: microcode_ctl
-Version: 20180807a
-Release: 2.%{intel_ucode_version}.2%{?dist}
+Version: %{intel_ucode_version}
+Release: 4%{?dist}
Epoch: 4
License: CC0 and Redistributable, no modification permitted
URL: https://downloadcenter.intel.com/download/%{intel_ucode_file_id}/Linux-Processor-Microcode-Data-File
Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
+# (Pre-MDS) revision 0x714 of 06-2d-07 microcode
+Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07
+
+# (Pre-20191112) revision 0x2000064 of 06-55-04 microcode
+Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04
+
# systemd unit
Source10: microcode.service
@@ -39,14 +45,34 @@ Source41: README.caveats
## Caveats
# BDW EP/EX
+# https://bugzilla.redhat.com/show_bug.cgi?id=1622180
+# https://bugzilla.redhat.com/show_bug.cgi?id=1623630
+# https://bugzilla.redhat.com/show_bug.cgi?id=1646383
Source100: 06-4f-01_readme
Source101: 06-4f-01_config
+Source102: 06-4f-01_disclaimer
# Unsafe early MC update inside VM:
# https://bugzilla.redhat.com/show_bug.cgi?id=1596627
Source110: intel_readme
Source111: intel_config
+Source112: intel_disclaimer
+
+# SNB-EP (CPUID 0x206d7) post-MDS hangs
+# https://bugzilla.redhat.com/show_bug.cgi?id=1758382
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
+Source120: 06-2d-07_readme
+Source121: 06-2d-07_config
+Source122: 06-2d-07_disclaimer
+
+# SKL-SP/W/X (CPUID 0x50654) post-20191112 hangs
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
+Source130: 06-55-04_readme
+Source131: 06-55-04_config
+Source132: 06-55-04_disclaimer
+
+# "Provides:" RPM tags generator
Source200: gen_provides.sh
ExclusiveArch: %{ix86} x86_64
@@ -54,7 +80,7 @@ BuildRequires: systemd-units
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
-Requires(posttrans): kernel
+Requires(posttrans): dracut
%global _use_internal_dependency_generator 0
%define __find_provides "%{SOURCE200}"
@@ -73,6 +99,14 @@ is no longer used for microcode upload and, as a result, no longer provided.
%setup -n "Intel-Linux-Processor-Microcode-Data-Files-microcode-%{intel_ucode_version}"
%build
+# replacing SNB-EP (CPUID 0x206d7) microcode with pre-MDS version
+mv intel-ucode/06-2d-07 intel-ucode-with-caveats/
+cp "%{SOURCE2}" intel-ucode/
+
+# replacing SKL-SP/W/X (CPUID 0x50654) microcode with pre-20191112 version
+mv intel-ucode/06-55-04 intel-ucode-with-caveats/
+cp "%{SOURCE3}" intel-ucode/
+
:
%install
@@ -103,18 +137,21 @@ install "%{SOURCE30}" "%{SOURCE31}" "%{SOURCE32}" \
## Documentation
install -m 755 -d "%{buildroot}/%{_pkgdocdir}/caveats"
+# caveats readme
install "%{SOURCE41}" \
-m 644 -t "%{buildroot}/%{_pkgdocdir}/"
# Provide Intel microcode license, as it requires so
install -m 644 license \
"%{buildroot}/%{_pkgdocdir}/LICENSE.intel-ucode"
+
+# Provide release notes for Intel microcode
install -m 644 releasenote \
"%{buildroot}/%{_pkgdocdir}/RELEASE_NOTES.intel-ucode"
# caveats
-install -m 644 "%{SOURCE100}" "%{SOURCE110}" \
- -t "%{buildroot}/%{_pkgdocdir}/caveats/"
+install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \
+ -t "%{buildroot}/%{_pkgdocdir}/caveats/"
## Caveat data
@@ -122,9 +159,10 @@ install -m 644 "%{SOURCE100}" "%{SOURCE110}" \
# BDW caveat
%define bdw_inst_dir %{buildroot}/%{caveat_dir}/intel-06-4f-01/
install -m 755 -d "%{bdw_inst_dir}/intel-ucode"
-install -m 644 intel-ucode-with-caveats/* -t "%{bdw_inst_dir}/intel-ucode/"
+install -m 644 intel-ucode-with-caveats/06-4f-01 -t "%{bdw_inst_dir}/intel-ucode/"
install -m 644 "%{SOURCE100}" "%{bdw_inst_dir}/readme"
install -m 644 "%{SOURCE101}" "%{bdw_inst_dir}/config"
+install -m 644 "%{SOURCE102}" "%{bdw_inst_dir}/disclaimer"
# Early update caveat
%define intel_inst_dir %{buildroot}/%{caveat_dir}/intel/
@@ -132,12 +170,23 @@ install -m 755 -d "%{intel_inst_dir}/intel-ucode"
install -m 644 intel-ucode/* -t "%{intel_inst_dir}/intel-ucode/"
install -m 644 "%{SOURCE110}" "%{intel_inst_dir}/readme"
install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config"
+install -m 644 "%{SOURCE112}" "%{intel_inst_dir}/disclaimer"
+# SNB caveat
+%define snb_inst_dir %{buildroot}/%{caveat_dir}/intel-06-2d-07/
+install -m 755 -d "%{snb_inst_dir}/intel-ucode"
+install -m 644 intel-ucode-with-caveats/06-2d-07 -t "%{snb_inst_dir}/intel-ucode/"
+install -m 644 "%{SOURCE120}" "%{snb_inst_dir}/readme"
+install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config"
+install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer"
-## Cleanup
-#rm -f intel-ucode-with-caveats/06-4f-01
-#rmdir intel-ucode-with-caveats
-#rm -rf intel-ucode
+# SKL-SP caveat
+%define skl_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/
+install -m 755 -d "%{skl_inst_dir}/intel-ucode"
+install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_inst_dir}/intel-ucode/"
+install -m 644 "%{SOURCE130}" "%{skl_inst_dir}/readme"
+install -m 644 "%{SOURCE131}" "%{skl_inst_dir}/config"
+install -m 644 "%{SOURCE132}" "%{skl_inst_dir}/disclaimer"
%post
@@ -145,6 +194,15 @@ install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config"
%{update_ucode}
%{reload_microcode}
+# send the message to syslog, so it gets recorded on /var/log
+if [ -e /usr/bin/logger ]; then
+ %{check_caveats} -m -d | /usr/bin/logger -p syslog.notice -t DISCLAIMER
+fi
+# also paste it over dmesg (some customers drop dmesg messages while
+# others keep them into /var/log for the later case, we'll have the
+# disclaimer recorded twice into system logs.
+%{check_caveats} -m -d > /dev/kmsg
+
exit 0
%posttrans
@@ -237,10 +295,10 @@ rm -f "%{rpm_state_dir}/microcode_ctl_un_file_list"
exit 0
-%triggerin -- kernel-core
+%triggerin -- kernel-core, kernel-debug-core, kernel-rt-core, kernel-rt-debug-core
%{update_ucode}
-%triggerpostun -- kernel-core
+%triggerpostun -- kernel-core, kernel-debug-core, kernel-rt-core, kernel-rt-debug-core
%{update_ucode}
@@ -260,18 +318,112 @@ rm -rf %{buildroot}
%changelog
-* Sun Jun 02 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20180807a-2.20190514a.2
+* Mon Dec 09 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-4
+- Avoid find being SIGPIPE'd on early "grep -q" exit in the dracut script
+ (#1781365).
+
+* Mon Dec 02 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-3
+- Update stale posttrans dependency, add triggers for proper handling
+ of the debug kernel flavour along with kernel-rt (#1766178).
+
+* Mon Nov 18 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-2
+- Do not update 06-55-04 (SKL-SP/W/X) to revision 0x2000065, use 0x2000064
+ by default (#1774322).
+
+* Sat Nov 16 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-1
+- Update Intel CPU microcode to microcode-20191115 release:
+ - Update of 06-4e-03/0xc0 (SKL-U/Y D0) from revision 0xd4 up to 0xd6;
+ - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) from revision 0xd4
+ up to 0xd6;
+ - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) from revision 0xc6 up to 0xca;
+ - Update of 06-8e-09/0xc0 (KBL-U/Y H0) from revision 0xc6 up to 0xca;
+ - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) from revision 0xc6 up to 0xca;
+ - Update of 06-8e-0b/0xd0 (WHL-U W0) from revision 0xc6 up to 0xca;
+ - Update of 06-8e-0c/0x94 (AML-Y V0, CML-U 4+2 V0, WHL-U V0) from revision
+ 0xc6 up to 0xca;
+ - Update of 06-9e-09/0x2a (KBL-G/X H0, KBL-H/S/Xeon E3 B0) from revision 0xc6
+ up to 0xca;
+ - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) from revision 0xc6 up to 0xca;
+ - Update of 06-9e-0b/0x02 (CFL-S B0) from revision 0xc6 up to 0xca;
+ - Update of 06-9e-0c/0x22 (CFL-S/Xeon E P0) from revision 0xc6 up to 0xca;
+ - Update of 06-9e-0d/0x22 (CFL-H/S R0) from revision 0xc6 up to 0xca;
+ - Update of 06-a6-00/0x80 (CML-U 6+2 A0) from revision 0xc6 up to 0xca.
+
+* Fri Nov 15 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191113-1
+- Update Intel CPU microcode to microcode-20191113 release:
+ - Update of 06-9e-0c (CFL-H/S P0) microcode from revision 0xae up to 0xc6.
+- Drop 0001-releasenote-changes-summary-fixes.patch.
+
+* Tue Nov 12 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191112-2
+- Package the publicy available microcode-20191112 release (#1755027):
+ - Addition of 06-4d-08/0x1 (AVN B0/C0) microcode at revision 0x12d;
+ - Addition of 06-55-06/0xbf (CSL-SP B0) microcode at revision 0x400002c;
+ - Addition of 06-7a-08/0x1 (GLK R0) microcode at revision 0x16;
+ - Update of 06-55-03/0x97 (SKL-SP B1) microcode from revision 0x1000150
+ up to 0x1000151;
+ - Update of 06-55-04/0xb7 (SKL-SP H0/M0/U0, SKL-D M1) microcode from revision
+ 0x2000064 up to 0x2000065;
+ - Update of 06-55-07/0xbf (CSL-SP B1) microcode from revision 0x500002b
+ up to 0x500002c;
+ - Update of 06-7a-01/0x1 (GLK B0) microcode from revision 0x2e up to 0x32;
+- Include 06-9e-0c (CFL-H/S P0) microcode from the microcode-20190918 release.
+- Correct the releasenote file (0001-releasenote-changes-summary-fixes.patch).
+- Update README.caveats with the link to the new Knowledge Base article.
+
+* Thu Nov 07 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191112-1
+- Intel CPU microcode update to 20191112, addresses CVE-2017-5715,
+ CVE-2019-0117, CVE-2019-11135, CVE-2019-11139 (#1755019, #1764060, #1764073,
+ #1764952, #1764972, #1765000, #1765404, #1765416, #1766444, #1766873):
+ - Addition of 06-a6-00/0x80 (CML-U 6+2 A0) microcode at revision 0xc6;
+ - Addition of 06-66-03/0x80 (CNL-U D0) microcode at revision 0x2a;
+ - Addition of 06-55-03/0x97 (SKL-SP B1) microcode at revision 0x1000150;
+ - Addition of 06-7e-05/0x80 (ICL-U/Y D1) microcode at revision 0x46;
+ - Update of 06-4e-03/0xc0 (SKL-U/Y D0) microcode from revision 0xcc to 0xd4;
+ - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) microcode from revision 0xcc
+ to 0xd4
+ - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode from revision 0xb4 to 0xc6;
+ - Update of 06-8e-09/0xc0 (KBL-U/Y H0) microcode from revision 0xb4 to 0xc6;
+ - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) microcode from revision 0xb4
+ to 0xc6;
+ - Update of 06-8e-0b/0xd0 (WHL-U W0) microcode from revision 0xb8 to 0xc6;
+ - Update of 06-8e-0c/0x94 (AML-Y V0) microcode from revision 0xb8 to 0xc6;
+ - Update of 06-8e-0c/0x94 (CML-U 4+2 V0) microcode from revision 0xb8 to 0xc6;
+ - Update of 06-8e-0c/0x94 (WHL-U V0) microcode from revision 0xb8 to 0xc6;
+ - Update of 06-9e-09/0x2a (KBL-G/X H0) microcode from revision 0xb4 to 0xc6;
+ - Update of 06-9e-09/0x2a (KBL-H/S/Xeon E3 B0) microcode from revision 0xb4
+ to 0xc6;
+ - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) microcode from revision 0xb4
+ to 0xc6;
+ - Update of 06-9e-0b/0x02 (CFL-S B0) microcode from revision 0xb4 to 0xc6;
+ - Update of 06-9e-0d/0x22 (CFL-H R0) microcode from revision 0xb8 to 0xc6.
+
+* Thu Oct 10 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190918-3
+- Rework dracut hook to address dracut's early initramfs generation
+ behaviour (#1760508).
+
+* Sun Oct 06 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190918-2
+- Do not update 06-2d-07 (SNB-E/EN/EP) to revision 0x718, use 0x714
+ by default.
+
+* Thu Sep 19 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190918-1
+- Intel CPU microcode update to 20190918 (#1753544).
+- Add new disclaimer, generated based on relevant caveats.
+
+* Wed Jun 19 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190618-1
+- Intel CPU microcode update to 20190618 (#1717240).
+
+* Sun Jun 02 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190514a-2
- Remove disclaimer, as it is not as important now to justify kmsg/log
pollution; its contents are partially adopted in README.caveats.
-* Mon May 20 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20180807a-2.20190514a.1
-- Intel CPU microcode update to 20190514a (#1715334).
+* Mon May 20 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190514a-1
+- Intel CPU microcode update to 20190514a (#1711940).
-* Fri May 10 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20180807a-2.20190507.1
-- Intel CPU microcode update to 20190507 (#1704339).
+* Thu May 09 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190507-1
+- Intel CPU microcode update to 20190507 (#1697901).
-* Fri May 10 2019 Eugene Syromiatnikov <esyr@redhat.com> 4:20180807a-2.20190312.1
-- Intel CPU microcode update to 20190312 (#1704339).
+* Mon Apr 15 2019 Eugene Syromiatnikov <esyr@redhat.com> 4:20190312-1
+- Intel CPU microcode update to 20190312 (#1660320).
- Add "Provides:" tags generation.
* Tue Nov 06 2018 Eugene Syromiatnikov <esyr@redhat.com> 4:20180807a-2