diff --git a/.gitignore b/.gitignore
index bec24a5..73b7846 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
SOURCES/06-2d-07
-SOURCES/microcode-20191112.pre.tar.gz
+SOURCES/06-55-04
+SOURCES/microcode-20191115.tar.gz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index a9d16a9..49611a4 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -1,2 +1,3 @@
bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
-7f4a43a1e7d06c7d67e602b43009fa7a39e6d102 SOURCES/microcode-20191112.pre.tar.gz
+2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
+774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
diff --git a/SOURCES/06-2d-07_readme b/SOURCES/06-2d-07_readme
index bfb8743..60c20d4 100644
--- a/SOURCES/06-2d-07_readme
+++ b/SOURCES/06-2d-07_readme
@@ -1,6 +1,6 @@
-Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6, model 45, stepping 7) has issues
-with MDS-related microcode update that may lead to a system hang after
-a microcode update. In order to address this, microcode update
+Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7)
+have issues with MDS-related microcode update that may lead to a system hang
+after a microcode update. In order to address this, microcode update
to the MDS-related revision 0x718 has been disabled, and the previously
published microcode revision 0x714 is used by default for the OS-driven
microcode update.
@@ -26,12 +26,12 @@ to the following knowledge base articles:
The information regarding enforcing microcode load is provided below.
-To enforce usage of this microcode revision, please create a file
-"force-intel-06-2d-07" inside /lib/firmware/<kernel_version> directory,
-run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware
+To enforce usage of the 0x718 microcode revision for a specific kernel version,
+please create file "force-intel-06-2d-07" inside /lib/firmware/<kernel_version>
+directory, run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware
directory where microcode will be available for late microcode update,
-and run "dracut -f --kver 3.10.0-862.9.1", so initramfs for this version
-is regenerated and the microcode can be loaded early:
+and run "dracut -f --kver <kernel_version>", so initramfs for this kernel
+version is regenerated and the microcode can be loaded early, for example:
touch /lib/firmware/3.10.0-862.9.1/force-intel-06-2d-07
/usr/libexec/microcode_ctl/update_ucode
@@ -41,7 +41,7 @@ After that, it is possible to perform a late microcode update by executing
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
"/sys/devices/system/cpu/microcode/reload" directly.
-To enforce addition of this microcode for all kernels, please create a file
+To enforce addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07", run
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
and "dracut -f --regenerate-all" for enabling early microcode updates:
diff --git a/SOURCES/06-55-04_config b/SOURCES/06-55-04_config
new file mode 100644
index 0000000..6ba6d76
--- /dev/null
+++ b/SOURCES/06-55-04_config
@@ -0,0 +1,3 @@
+model GenuineIntel 06-55-04
+path intel-ucode/06-55-04
+disable early late
diff --git a/SOURCES/06-55-04_disclaimer b/SOURCES/06-55-04_disclaimer
new file mode 100644
index 0000000..238d233
--- /dev/null
+++ b/SOURCES/06-55-04_disclaimer
@@ -0,0 +1,6 @@
+Microcode revision 0x2000065 for Intel Skylake-SP/X/W (family 6, model 85,
+stepping 4; CPUID 0x50654) CPUs that has been included into microcode-20191112
+release is disabled as it may cause system instability and the previous revision
+0x2000064 is used instead.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-04_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme
new file mode 100644
index 0000000..41fb757
--- /dev/null
+++ b/SOURCES/06-55-04_readme
@@ -0,0 +1,61 @@
+Intel Skulake Scalable Platform CPU models (SKL-SP/W/X, family 6, model 85,
+stepping 4) have reports of system hangs when revision 0x2000065 of microcode,
+that is included since microcode-20191112 update, is applied. In order
+to address this, microcode update to this revision has been disabled,
+and the previously published microcode revision 0x2000064 is used by default
+for the OS-driven microcode update.
+
+For the reference, SHA1 checksums of 06-55-04 microcode files containing
+microcode revisions in question are listed below:
+ * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
+ * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version. For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2017-5715 ("Spectre"):
+ https://access.redhat.com/articles/3436091
+ * CVE-2018-3639 ("Speculative Store Bypass"):
+ https://access.redhat.com/articles/3540901
+ * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
+ https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
+ * CVE-2019-0117 (Intel SGX Information Leak),
+ CVE-2019-0123 (Intel SGX Privilege Escalation),
+ CVE-2019-11135 (TSX Asynchronous Abort),
+ CVE-2019-11139 (Voltage Setting Modulation):
+ https://access.redhat.com/solutions/2019-microcode-nov
+
+The information regarding enforcing microcode update is provided below.
+
+To enforce usage of the 0x2000065 microcode revision for a specific kernel
+version, please create a file "force-intel-06-55-04" inside
+/lib/firmware/<kernel_version> directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
+where microcode will be available for late microcode update, and run
+"dracut -f --kver <kernel_version>", so initramfs for this kernel version
+is regenerated and the microcode can be loaded early, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-04
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+After that, it is possible to perform a late microcode update by executing
+"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
+"/sys/devices/system/cpu/microcode/reload" directly.
+
+To enforce addition of this microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04", run
+"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
+and "dracut -f --regenerate-all" for enabling early microcode updates:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.
diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats
index 0111843..4ead5e5 100644
--- a/SOURCES/README.caveats
+++ b/SOURCES/README.caveats
@@ -389,9 +389,11 @@ when a microcode update performed on a kernel that contains those changes.
As a result, microcode update for this CPU model is disabled by default;
the microcode file, however, is still shipped as a part of microcode_ctl
package and can be used for performing a microcode update if it is enforced
-via the aforementioned overriddes. (See sections "check_caveats script"
+via the aforementioned overrides. (See the sections "check_caveats script"
and "reload_microcode script" for details.)
+Caveat name: intel-06-4f-01
+
Affected microcode: intel-ucode/06-4f-01.
Mitigation: microcode loading is disabled for the affected CPU model.
@@ -418,9 +420,12 @@ from a cpio archive placed at the beginning of the initramfs image. However,
when an early microcode update is attempted inside some virtualised
environments, that may result in unexpected system behaviour.
+Caveat name: intel
+
Affected microcode: all.
-Mitigation: early microcode loading is disabled for all CPU models.
+Mitigation: early microcode loading is disabled for all CPU models on kernels
+without the fix.
Minimum versions of the kernel package that contain the fix:
- Upstream/RHEL 8: 4.10.0
@@ -438,14 +443,35 @@ MDS-related microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP
In order to address this, this microcode update is not used and the previous
microcode revision is provided instead by default; the microcode file, however,
is still shipped as part of microcode_ctl package and can be used for performing
-a microcode update if it is enforced via the aforementioned overriddes. (See
-sections "check_caveats script" and "reload_microcode script" for details.)
+a microcode update if it is enforced via the aforementioned overrides. (See
+the sections "check_caveats script" and "reload_microcode script" for details.)
+
+Caveat name: intel-06-2d-07
Affected microcode: intel-ucode/06-2d-07.
Mitigation: previously published microcode revision 0x714 is used by default.
+Intel Skylake-SP/W/X caveat
+---------------------------
+Microcode revision 0x2000065 for Intel Skylake Scalable Platform (SKL-SP/W/X,
+family 6, model 85, stepping 4) may lead to system instability.
+In order to address this, this microcode update is not used and the previous
+microcode revision is provided instead by default; the microcode file, however,
+is still shipped as part of microcode_ctl package and can be used for performing
+a microcode update if it is enforced via the aforementioned overrides.
+(See the sections "check_caveats script" and "reload_microcode script"
+for details.)
+
+Caveat name: intel-06-55-04
+
+Affected microcode: intel-ucode/06-55-04.
+
+Mitigation: previously published microcode revision 0x2000064 is used
+by default.
+
+
Additional information
======================
@@ -455,8 +481,7 @@ whether more recent BIOS/firmware updates are recommended because additional
improvements may be available.
Information regarding microcode revisions required for mitigating specific
-microarchitectural side-channel attacks is available in the following
-knowledge base articles:
+Intel CPU vulnerabilities is available in the following knowledge base articles:
* CVE-2017-5715 ("Spectre"):
https://access.redhat.com/articles/3436091
* CVE-2018-3639 ("Speculative Store Bypass"):
@@ -466,3 +491,8 @@ knowledge base articles:
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151
+ * CVE-2019-0117 (Intel SGX Information Leak),
+ CVE-2019-0123 (Intel SGX Privilege Escalation),
+ CVE-2019-11135 (TSX Asynchronous Abort),
+ CVE-2019-11139 (Voltage Setting Modulation):
+ https://access.redhat.com/solutions/2019-microcode-nov
diff --git a/SOURCES/gen_provides.sh b/SOURCES/gen_provides.sh
index 0ecf7aa..c0c6b1d 100755
--- a/SOURCES/gen_provides.sh
+++ b/SOURCES/gen_provides.sh
@@ -1,4 +1,4 @@
-#! /bin/bash -efux
+#! /bin/bash -efu
# Generator of RPM "Provides:" tags for Intel microcode files.
#
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec
index 44b17d2..becc260 100644
--- a/SPECS/microcode_ctl.spec
+++ b/SPECS/microcode_ctl.spec
@@ -1,4 +1,4 @@
-%define intel_ucode_version 20191112
+%define intel_ucode_version 20191115
%define intel_ucode_file_id 28727
%global debug_package %{nil}
@@ -14,15 +14,18 @@
Summary: CPU microcode updates for Intel x86 processors
Name: microcode_ctl
Version: 20190618
-Release: 1.%{intel_ucode_version}.1%{?dist}
+Release: 1.%{intel_ucode_version}.3%{?dist}
Epoch: 4
License: CC0 and Redistributable, no modification permitted
URL: https://downloadcenter.intel.com/download/%{intel_ucode_file_id}/Linux-Processor-Microcode-Data-File
-Source0: microcode-%{intel_ucode_version}.pre.tar.gz
+Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
# (Pre-MDS) revision 0x714 of 06-2d-07 microcode
Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07
+# (Pre-20191112) revision 0x2000064 of 06-55-04 microcode
+Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04
+
# systemd unit
Source10: microcode.service
@@ -62,6 +65,12 @@ Source120: 06-2d-07_readme
Source121: 06-2d-07_config
Source122: 06-2d-07_disclaimer
+# SKL-SP/W/X (CPUID 0x50654) post-20191112 hangs
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
+Source130: 06-55-04_readme
+Source131: 06-55-04_config
+Source132: 06-55-04_disclaimer
+
# "Provides:" RPM tags generator
Source200: gen_provides.sh
@@ -71,7 +80,7 @@ BuildRequires: systemd-units
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
-Requires(posttrans): kernel
+Requires(posttrans): dracut
%global _use_internal_dependency_generator 0
%define __find_provides "%{SOURCE200}"
@@ -94,6 +103,10 @@ is no longer used for microcode upload and, as a result, no longer provided.
mv intel-ucode/06-2d-07 intel-ucode-with-caveats/
cp "%{SOURCE2}" intel-ucode/
+# replacing SKL-SP/W/X (CPUID 0x50654) microcode with pre-20191112 version
+mv intel-ucode/06-55-04 intel-ucode-with-caveats/
+cp "%{SOURCE3}" intel-ucode/
+
:
%install
@@ -137,7 +150,7 @@ install -m 644 releasenote \
"%{buildroot}/%{_pkgdocdir}/RELEASE_NOTES.intel-ucode"
# caveats
-install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" \
+install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \
-t "%{buildroot}/%{_pkgdocdir}/caveats/"
@@ -167,6 +180,14 @@ install -m 644 "%{SOURCE120}" "%{snb_inst_dir}/readme"
install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config"
install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer"
+# SKL-SP caveat
+%define skl_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/
+install -m 755 -d "%{skl_inst_dir}/intel-ucode"
+install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_inst_dir}/intel-ucode/"
+install -m 644 "%{SOURCE130}" "%{skl_inst_dir}/readme"
+install -m 644 "%{SOURCE131}" "%{skl_inst_dir}/config"
+install -m 644 "%{SOURCE132}" "%{skl_inst_dir}/disclaimer"
+
%post
%systemd_post microcode.service
@@ -274,10 +295,10 @@ rm -f "%{rpm_state_dir}/microcode_ctl_un_file_list"
exit 0
-%triggerin -- kernel-core
+%triggerin -- kernel-core, kernel-debug-core, kernel-rt-core, kernel-rt-debug-core
%{update_ucode}
-%triggerpostun -- kernel-core
+%triggerpostun -- kernel-core, kernel-debug-core, kernel-rt-core, kernel-rt-debug-core
%{update_ucode}
@@ -297,6 +318,54 @@ rm -rf %{buildroot}
%changelog
+* Thu Dec 05 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190618-1.20191115.3
+- Update stale posttrans dependency, add triggers for proper handling
+ of the debug kernel flavour along with kernel-rt (#1780009).
+
+* Tue Nov 20 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190618-1.20191115.2
+- Do not update 06-55-04 (SKL-SP/W/X) to revision 0x2000065, use 0x2000064
+ by default.
+
+* Mon Nov 18 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190618-1.20191115.1
+- Update Intel CPU microcode to microcode-20191115 release:
+ - Update of 06-4e-03/0xc0 (SKL-U/Y D0) from revision 0xd4 up to 0xd6;
+ - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) from revision 0xd4
+ up to 0xd6;
+ - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) from revision 0xc6 up to 0xca;
+ - Update of 06-8e-09/0xc0 (KBL-U/Y H0) from revision 0xc6 up to 0xca;
+ - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) from revision 0xc6 up to 0xca;
+ - Update of 06-8e-0b/0xd0 (WHL-U W0) from revision 0xc6 up to 0xca;
+ - Update of 06-8e-0c/0x94 (AML-Y V0, CML-U 4+2 V0, WHL-U V0) from revision
+ 0xc6 up to 0xca;
+ - Update of 06-9e-09/0x2a (KBL-G/X H0, KBL-H/S/Xeon E3 B0) from revision 0xc6
+ up to 0xca;
+ - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) from revision 0xc6 up to 0xca;
+ - Update of 06-9e-0b/0x02 (CFL-S B0) from revision 0xc6 up to 0xca;
+ - Update of 06-9e-0c/0x22 (CFL-S/Xeon E P0) from revision 0xc6 up to 0xca;
+ - Update of 06-9e-0d/0x22 (CFL-H/S R0) from revision 0xc6 up to 0xca;
+ - Update of 06-a6-00/0x80 (CML-U 6+2 A0) from revision 0xc6 up to 0xca.
+
+* Mon Nov 18 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190618-1.20191113.1
+- Update Intel CPU microcode to microcode-20191113 release:
+ - Update of 06-9e-0c (CFL-H/S P0) microcode from revision 0xae up to 0xc6.
+- Drop 0001-releasenote-changes-summary-fixes.patch.
+
+* Mon Nov 18 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190618-1.20191112.2
+- Package the publicy available microcode-20191112 release (#1758539):
+ - Addition of 06-4d-08/0x1 (AVN B0/C0) microcode at revision 0x12d;
+ - Addition of 06-55-06/0xbf (CSL-SP B0) microcode at revision 0x400002c;
+ - Addition of 06-7a-08/0x1 (GLK R0) microcode at revision 0x16;
+ - Update of 06-55-03/0x97 (SKL-SP B1) microcode from revision 0x1000150
+ up to 0x1000151;
+ - Update of 06-55-04/0xb7 (SKL-SP H0/M0/U0, SKL-D M1) microcode from revision
+ 0x2000064 up to 0x2000065;
+ - Update of 06-55-07/0xbf (CSL-SP B1) microcode from revision 0x500002b
+ up to 0x500002c;
+ - Update of 06-7a-01/0x1 (GLK B0) microcode from revision 0x2e up to 0x32;
+- Include 06-9e-0c (CFL-H/S P0) microcode from the microcode-20190918 release.
+- Correct the releasenote file (0001-releasenote-changes-summary-fixes.patch).
+- Update README.caveats with the link to the new Knowledge Base article.
+
* Thu Nov 07 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190618-1.20191112-1
- Intel CPU microcode update to 20191112, addresses CVE-2017-5715,
CVE-2019-0117, CVE-2019-11135, CVE-2019-11139 (#1764059, #1764072, #1764951,