diff --git a/.gitignore b/.gitignore index bec24a5..73b7846 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ SOURCES/06-2d-07 -SOURCES/microcode-20191112.pre.tar.gz +SOURCES/06-55-04 +SOURCES/microcode-20191115.tar.gz diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata index a9d16a9..49611a4 100644 --- a/.microcode_ctl.metadata +++ b/.microcode_ctl.metadata @@ -1,2 +1,3 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07 -7f4a43a1e7d06c7d67e602b43009fa7a39e6d102 SOURCES/microcode-20191112.pre.tar.gz +2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04 +774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz diff --git a/SOURCES/06-2d-07_readme b/SOURCES/06-2d-07_readme index bfb8743..60c20d4 100644 --- a/SOURCES/06-2d-07_readme +++ b/SOURCES/06-2d-07_readme @@ -1,6 +1,6 @@ -Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6, model 45, stepping 7) has issues -with MDS-related microcode update that may lead to a system hang after -a microcode update. In order to address this, microcode update +Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7) +have issues with MDS-related microcode update that may lead to a system hang +after a microcode update. In order to address this, microcode update to the MDS-related revision 0x718 has been disabled, and the previously published microcode revision 0x714 is used by default for the OS-driven microcode update. 
@@ -26,12 +26,12 @@ to the following knowledge base articles: The information regarding enforcing microcode load is provided below. -To enforce usage of this microcode revision, please create a file -"force-intel-06-2d-07" inside /lib/firmware/ directory, -run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware +To enforce usage of the 0x718 microcode revision for a specific kernel version, +please create file "force-intel-06-2d-07" inside /lib/firmware/ +directory, run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory where microcode will be available for late microcode update, -and run "dracut -f --kver 3.10.0-862.9.1", so initramfs for this version -is regenerated and the microcode can be loaded early: +and run "dracut -f --kver ", so initramfs for this kernel +version is regenerated and the microcode can be loaded early, for example: touch /lib/firmware/3.10.0-862.9.1/force-intel-06-2d-07 /usr/libexec/microcode_ctl/update_ucode @@ -41,7 +41,7 @@ After that, it is possible to perform a late microcode update by executing "/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to "/sys/devices/system/cpu/microcode/reload" directly. -To enforce addition of this microcode for all kernels, please create a file +To enforce addition of this microcode for all kernels, please create file "/etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07", run "/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, and "dracut -f --regenerate-all" for enabling early microcode updates: diff --git a/SOURCES/06-55-04_config b/SOURCES/06-55-04_config new file mode 100644 index 0000000..6ba6d76 --- /dev/null +++ b/SOURCES/06-55-04_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-55-04 +path intel-ucode/06-55-04 +disable early late diff --git a/SOURCES/06-55-04_disclaimer b/SOURCES/06-55-04_disclaimer new file mode 100644 index 0000000..238d233 --- /dev/null +++ b/SOURCES/06-55-04_disclaimer 
@@ -0,0 +1,6 @@ +Microcode revision 0x2000065 for Intel Skylake-SP/X/W (family 6, model 85, +stepping 4; CPUID 0x50654) CPUs that has been included into microcode-20191112 +release is disabled as it may cause system instability and the previous revision +0x2000064 is used instead. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-04_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme new file mode 100644 index 0000000..41fb757 --- /dev/null +++ b/SOURCES/06-55-04_readme 
@@ -0,0 +1,61 @@ +Intel Skulake Scalable Platform CPU models (SKL-SP/W/X, family 6, model 85, +stepping 4) have reports of system hangs when revision 0x2000065 of microcode, +that is included since microcode-20191112 update, is applied. In order +to address this, microcode update to this revision has been disabled, +and the previously published microcode revision 0x2000064 is used by default +for the OS-driven microcode update. + +For the reference, SHA1 checksums of 06-55-04 microcode files containing +microcode revisions in question are listed below: + * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a + * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23 + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov + +The information regarding enforcing microcode update is provided below. 
+ +To enforce usage of the 0x2000065 microcode revision for a specific kernel +version, please create a file "force-intel-06-55-04" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory +where microcode will be available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated and the microcode can be loaded early, for example: + + touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-04 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +After that, it is possible to perform a late microcode update by executing +"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to +"/sys/devices/system/cpu/microcode/reload" directly. + +To enforce addition of this microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04", run +"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, +and "dracut -f --regenerate-all" for enabling early microcode updates: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats index 0111843..4ead5e5 100644 --- a/SOURCES/README.caveats +++ b/SOURCES/README.caveats 
@@ -389,9 +389,11 @@ when a microcode update performed on a kernel that contains those changes. As a result, microcode update for this CPU model is disabled by default; the microcode file, however, is still shipped as a part of microcode_ctl package and can be used for performing a microcode update if it is enforced -via the aforementioned overriddes. (See sections "check_caveats script" +via the aforementioned overrides. (See the sections "check_caveats script" and "reload_microcode script" for details.) +Caveat name: intel-06-4f-01 + Affected microcode: intel-ucode/06-4f-01. Mitigation: microcode loading is disabled for the affected CPU model. @@ -418,9 +420,12 @@ from a cpio archive placed at the beginning of the initramfs image. However, when an early microcode update is attempted inside some virtualised environments, that may result in unexpected system behaviour. +Caveat name: intel + Affected microcode: all. -Mitigation: early microcode loading is disabled for all CPU models. +Mitigation: early microcode loading is disabled for all CPU models on kernels +without the fix. Minimum versions of the kernel package that contain the fix: - Upstream/RHEL 8: 4.10.0 
@@ -438,14 +443,35 @@ MDS-related microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP In order to address this, this microcode update is not used and the previous microcode revision is provided instead by default; the microcode file, however, is still shipped as part of microcode_ctl package and can be used for performing -a microcode update if it is enforced via the aforementioned overriddes. (See -sections "check_caveats script" and "reload_microcode script" for details.) +a microcode update if it is enforced via the aforementioned overrides. (See +the sections "check_caveats script" and "reload_microcode script" for details.) + +Caveat name: intel-06-2d-07 Affected microcode: intel-ucode/06-2d-07. Mitigation: previously published microcode revision 0x714 is used by default. +Intel Skylake-SP/W/X caveat +--------------------------- +Microcode revision 0x2000065 for Intel Skylake Scalable Platform (SKL-SP/W/X, +family 6, model 85, stepping 4) may lead to system instability. +In order to address this, this microcode update is not used and the previous +microcode revision is provided instead by default; the microcode file, however, +is still shipped as part of microcode_ctl package and can be used for performing +a microcode update if it is enforced via the aforementioned overrides. +(See the sections "check_caveats script" and "reload_microcode script" +for details.) + +Caveat name: intel-06-55-04 + +Affected microcode: intel-ucode/06-55-04. + +Mitigation: previously published microcode revision 0x2000064 is used +by default. + + Additional information ====================== 
@@ -455,8 +481,7 @@ whether more recent BIOS/firmware updates are recommended because additional improvements may be available. Information regarding microcode revisions required for mitigating specific -microarchitectural side-channel attacks is available in the following -knowledge base articles: +Intel CPU vulnerabilities is available in the following knowledge base articles: * CVE-2017-5715 ("Spectre"): https://access.redhat.com/articles/3436091 * CVE-2018-3639 ("Speculative Store Bypass"): @@ -466,3 +491,8 @@ knowledge base articles: * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 ("Microarchitectural Data Sampling"): https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov diff --git a/SOURCES/gen_provides.sh b/SOURCES/gen_provides.sh index 0ecf7aa..c0c6b1d 100755 --- a/SOURCES/gen_provides.sh +++ b/SOURCES/gen_provides.sh @@ -1,4 +1,4 @@ -#! /bin/bash -efux +#! /bin/bash -efu # Generator of RPM "Provides:" tags for Intel microcode files. # diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec index 44b17d2..becc260 100644 --- a/SPECS/microcode_ctl.spec +++ b/SPECS/microcode_ctl.spec @@ -1,4 +1,4 @@ -%define intel_ucode_version 20191112 +%define intel_ucode_version 20191115 %define intel_ucode_file_id 28727 %global debug_package %{nil} 
@@ -14,15 +14,18 @@ Summary: CPU microcode updates for Intel x86 processors Name: microcode_ctl Version: 20190618 -Release: 1.%{intel_ucode_version}.1%{?dist} +Release: 1.%{intel_ucode_version}.3%{?dist} Epoch: 4 License: CC0 and Redistributable, no modification permitted URL: https://downloadcenter.intel.com/download/%{intel_ucode_file_id}/Linux-Processor-Microcode-Data-File -Source0: microcode-%{intel_ucode_version}.pre.tar.gz +Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz # (Pre-MDS) revision 0x714 of 06-2d-07 microcode Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07 +# (Pre-20191112) revision 0x2000064 of 06-55-04 microcode +Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04 + # systemd unit Source10: microcode.service @@ -62,6 +65,12 @@ Source120: 06-2d-07_readme Source121: 06-2d-07_config Source122: 06-2d-07_disclaimer +# SKL-SP/W/X (CPUID 0x50654) post-20191112 hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 +Source130: 06-55-04_readme +Source131: 06-55-04_config +Source132: 06-55-04_disclaimer + # "Provides:" RPM tags generator Source200: gen_provides.sh @@ -71,7 +80,7 @@ BuildRequires: systemd-units Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -Requires(posttrans): kernel +Requires(posttrans): dracut %global _use_internal_dependency_generator 0 %define __find_provides "%{SOURCE200}" @@ -94,6 +103,10 @@ is no longer used for microcode upload and, as a result, no longer provided. mv intel-ucode/06-2d-07 intel-ucode-with-caveats/ cp "%{SOURCE2}" intel-ucode/ +# replacing SKL-SP/W/X (CPUID 0x50654) microcode with pre-20191112 version +mv intel-ucode/06-55-04 intel-ucode-with-caveats/ +cp "%{SOURCE3}" intel-ucode/ + : %install 
@@ -137,7 +150,7 @@ install -m 644 releasenote \ "%{buildroot}/%{_pkgdocdir}/RELEASE_NOTES.intel-ucode" # caveats -install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" \ +install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \ -t "%{buildroot}/%{_pkgdocdir}/caveats/" @@ -167,6 +180,14 @@ install -m 644 "%{SOURCE120}" "%{snb_inst_dir}/readme" install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config" install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer" +# SKL-SP caveat +%define skl_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/ +install -m 755 -d "%{skl_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE130}" "%{skl_inst_dir}/readme" +install -m 644 "%{SOURCE131}" "%{skl_inst_dir}/config" +install -m 644 "%{SOURCE132}" "%{skl_inst_dir}/disclaimer" + %post %systemd_post microcode.service @@ -274,10 +295,10 @@ rm -f "%{rpm_state_dir}/microcode_ctl_un_file_list" exit 0 -%triggerin -- kernel-core +%triggerin -- kernel-core, kernel-debug-core, kernel-rt-core, kernel-rt-debug-core %{update_ucode} -%triggerpostun -- kernel-core +%triggerpostun -- kernel-core, kernel-debug-core, kernel-rt-core, kernel-rt-debug-core %{update_ucode} 
@@ -297,6 +318,54 @@ rm -rf %{buildroot} %changelog +* Thu Dec 05 2019 Eugene Syromiatnikov - 4:20190618-1.20191115.3 +- Update stale posttrans dependency, add triggers for proper handling + of the debug kernel flavour along with kernel-rt (#1780009). + +* Tue Nov 20 2019 Eugene Syromiatnikov - 4:20190618-1.20191115.2 +- Do not update 06-55-04 (SKL-SP/W/X) to revision 0x2000065, use 0x2000064 + by default. + +* Mon Nov 18 2019 Eugene Syromiatnikov - 4:20190618-1.20191115.1 +- Update Intel CPU microcode to microcode-20191115 release: + - Update of 06-4e-03/0xc0 (SKL-U/Y D0) from revision 0xd4 up to 0xd6; + - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) from revision 0xd4 + up to 0xd6; + - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) from revision 0xc6 up to 0xca; + - Update of 06-8e-09/0xc0 (KBL-U/Y H0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0b/0xd0 (WHL-U W0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0c/0x94 (AML-Y V0, CML-U 4+2 V0, WHL-U V0) from revision + 0xc6 up to 0xca; + - Update of 06-9e-09/0x2a (KBL-G/X H0, KBL-H/S/Xeon E3 B0) from revision 0xc6 + up to 0xca; + - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0b/0x02 (CFL-S B0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0c/0x22 (CFL-S/Xeon E P0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0d/0x22 (CFL-H/S R0) from revision 0xc6 up to 0xca; + - Update of 06-a6-00/0x80 (CML-U 6+2 A0) from revision 0xc6 up to 0xca. + +* Mon Nov 18 2019 Eugene Syromiatnikov - 4:20190618-1.20191113.1 +- Update Intel CPU microcode to microcode-20191113 release: + - Update of 06-9e-0c (CFL-H/S P0) microcode from revision 0xae up to 0xc6. +- Drop 0001-releasenote-changes-summary-fixes.patch. 
+ +* Mon Nov 18 2019 Eugene Syromiatnikov - 4:20190618-1.20191112.2 +- Package the publicy available microcode-20191112 release (#1758539): + - Addition of 06-4d-08/0x1 (AVN B0/C0) microcode at revision 0x12d; + - Addition of 06-55-06/0xbf (CSL-SP B0) microcode at revision 0x400002c; + - Addition of 06-7a-08/0x1 (GLK R0) microcode at revision 0x16; + - Update of 06-55-03/0x97 (SKL-SP B1) microcode from revision 0x1000150 + up to 0x1000151; + - Update of 06-55-04/0xb7 (SKL-SP H0/M0/U0, SKL-D M1) microcode from revision + 0x2000064 up to 0x2000065; + - Update of 06-55-07/0xbf (CSL-SP B1) microcode from revision 0x500002b + up to 0x500002c; + - Update of 06-7a-01/0x1 (GLK B0) microcode from revision 0x2e up to 0x32; +- Include 06-9e-0c (CFL-H/S P0) microcode from the microcode-20190918 release. +- Correct the releasenote file (0001-releasenote-changes-summary-fixes.patch). +- Update README.caveats with the link to the new Knowledge Base article. + * Thu Nov 07 2019 Eugene Syromiatnikov - 4:20190618-1.20191112-1 - Intel CPU microcode update to 20191112, addresses CVE-2017-5715, CVE-2019-0117, CVE-2019-11135, CVE-2019-11139 (#1764059, #1764072, #1764951,
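Review bot: in the SOURCES/06-2d-07_readme hunk at @@ -26,12 the rewritten generic instructions `please create file "force-intel-06-2d-07" inside /lib/firmware/` and `run "dracut -f --kver "` end without the kernel-version placeholder, so the reader is not told what follows `/lib/firmware/` or `--kver`; a placeholder such as `<kernel version>` in both places would make the wording self-contained (the concrete example with 3.10.0-862.9.1 below it is fine). The hunk at @@ -41,7 also changes `please create a file` to `please create file`, which reads worse than the original; keep the article.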
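Review bot: grammar in the new SOURCES/06-55-04_disclaimer: `that has been included into microcode-20191112 release` should read `that was included in the microcode-20191112 release`, and a comma after `CPUs` would separate the relative clause from the main verb `is disabled`.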
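Review bot: `Intel Skulake Scalable Platform` in the first line of the new SOURCES/06-55-04_readme is a typo for `Skylake` (the disclaimer and README.caveats hunks spell it correctly), and this file ships under /usr/share/doc/microcode_ctl/caveats, so it is user-visible. The opening sentence would also read more directly as `... have been reported to hang when microcode revision 0x2000065, included since the microcode-20191112 release, is applied.`, and `For the reference` should be `For reference`. Further down, the same kernel-version placeholder is missing after `/lib/firmware/` and after `dracut -f --kver ` as in the 06-2d-07 readme.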
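Review bot: dropping `-x` from the `#! /bin/bash -efux` shebang in SOURCES/gen_provides.sh is a behaviour change (it stops the per-command trace the provides generator wrote to stderr on every rpmbuild), but none of the added %changelog entries mention it; a line in the 20191115.3 entry would keep the change traceable.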
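Review bot: `Tue Nov 20 2019` in the 4:20190618-1.20191115.2 %changelog entry has the wrong weekday: the neighbouring entries date Nov 18 2019 as a Monday, so Nov 20 is a Wednesday, and rpmbuild will emit a `bogus date in %changelog` warning for it. Also `publicy` in the 20191112.2 entry should be `publicly`.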