diff --git a/.gitignore b/.gitignore
index c4fca8e..b762a2e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 SOURCES/06-2d-07
+SOURCES/06-4e-03
 SOURCES/06-55-04
-SOURCES/microcode-20200602.tar.gz
+SOURCES/06-5e-03
+SOURCES/microcode-20200609.tar.gz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index 5e26097..2eb348d 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -1,3 +1,5 @@
 bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
+06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03
 2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
-ea699fd62ba3625062cae60d4a657fa11822b372 SOURCES/microcode-20200602.tar.gz
+86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
+c2a433c1f68c2dc5b752bd7dddf204ea89ad5761 SOURCES/microcode-20200609.tar.gz
diff --git a/SOURCES/06-2d-07_config b/SOURCES/06-2d-07_config
index 23e1d08..979455d 100644
--- a/SOURCES/06-2d-07_config
+++ b/SOURCES/06-2d-07_config
@@ -1,3 +1,13 @@
 model GenuineIntel 06-2d-07
 path intel-ucode/06-2d-07
-disable early late
+## The "kernel_early" statements are carried over from the intel caveat config
+## in order to avoid enabling this newer microcode on these problematic kernels;
+## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
+## (That also means that this caveat has to be enforced separately on these
+## kernels.)
+kernel_early 4.10.0
+kernel_early 3.10.0-930
+kernel_early 3.10.0-862.14.1
+kernel_early 3.10.0-693.38.1
+kernel_early 3.10.0-514.57.1
+kernel_early 3.10.0-327.73.1
diff --git a/SOURCES/06-2d-07_disclaimer b/SOURCES/06-2d-07_disclaimer
index c8d99c4..ae71a34 100644
--- a/SOURCES/06-2d-07_disclaimer
+++ b/SOURCES/06-2d-07_disclaimer
@@ -1,4 +1,4 @@ MDS-related microcode update for Intel Sandy Bridge-EP (family 6, model 45, -stepping 7; CPUID 0x206d7) CPUs is disabled as it may cause system instability. +stepping 7; CPUID 0x206d7) CPUs is disabled. Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-2d-07_readme b/SOURCES/06-2d-07_readme index 2a9f5ec..e5e575b 100644 --- a/SOURCES/06-2d-07_readme +++ b/SOURCES/06-2d-07_readme @@ -1,9 +1,11 @@ Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7) -have issues with MDS-related microcode update that may lead to a system hang +had issues with MDS-related microcode update that may lead to a system hang after a microcode update[1][2]. In order to address this, microcode update -to the MDS-related revision 0x718 has been disabled, and the previously +to the MDS-related revision 0x718 had been disabled, and the previously published microcode revision 0x714 is used by default for the OS-driven -microcode update. +microcode update. The revision 0x71a of the microcode is intended to fix +the aforementioned issue, hence it is enabled by default (but can be disabled +explicitly; see below). [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15 [2] https://access.redhat.com/solutions/4593951 
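Review bot: The reworded disclaimer `stepping 7; CPUID 0x206d7) CPUs is disabled.` no longer gives any reason, while the same commit drops `disable early late` from 06-2d-07_config and leaves only the kernel_early statements as a condition. If check_caveats still prints this file whenever the caveat's microcode is withheld, it will now be shown only on the kernels listed there, and the reader cannot tell that the kernel version, not the earlier instability, is why the update is not applied; something like `... CPUs is disabled on this kernel version; see /usr/share/doc/microcode_ctl/caveats/intel_readme for the kernel-related caveat.` would state the current condition. The 06-55-04_disclaimer hunk has the same gap, and its past-tense wording (`were disabled as they could cause`) reads as history rather than as the reason the file is being shown.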
@@ -28,30 +30,27 @@ to the following knowledge base articles: ("Microarchitectural Data Sampling"): https://access.redhat.com/articles/4138151 -The information regarding enforcing microcode load is provided below. +The information regarding disabling microcode update is provided below. -To enforce usage of the 0x718 microcode revision for a specific kernel version, -please create file "force-intel-06-2d-07" inside /lib/firmware/ -directory, run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware -directory where microcode will be available for late microcode update, -and run "dracut -f --kver ", so initramfs for this kernel -version is regenerated and the microcode can be loaded early, for example: +To disable usage of the newer microcode revision for a specific kernel +version, please create file "disallow-intel-06-2d-07" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory +where microcode will be available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated and the microcode can be loaded early, for example: - touch /lib/firmware/3.10.0-862.9.1/force-intel-06-2d-07 + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-2d-07 /usr/libexec/microcode_ctl/update_ucode dracut -f --kver 3.10.0-862.9.1 -After that, it is possible to perform a late microcode update by executing -"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to -"/sys/devices/system/cpu/microcode/reload" directly. 
- -To enforce addition of this microcode for all kernels, please create file -"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07", run -"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, -and "dracut -f --regenerate-all" for enabling early microcode updates: +To avoid addition of the newer microcode revision for all kernels, please create +file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07", run +"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates, +and "dracut -f --regenerate-all" for early microcode updates: mkdir -p /etc/microcode_ctl/ucode_with_caveats - touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07 + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07 /usr/libexec/microcode_ctl/update_ucode dracut -f --regenerate-all diff --git a/SOURCES/06-4e-03_config b/SOURCES/06-4e-03_config new file mode 100644 index 0000000..bee51b2 --- /dev/null +++ b/SOURCES/06-4e-03_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-4e-03 +path intel-ucode/06-4e-03 +disable early late diff --git a/SOURCES/06-4e-03_disclaimer b/SOURCES/06-4e-03_disclaimer new file mode 100644 index 0000000..ec27ef7 --- /dev/null +++ b/SOURCES/06-4e-03_disclaimer @@ -0,0 +1,5 @@ +Microcode revisions 0xda and higher for Intel Skylake-U/Y (family 6, +model 78, stepping 3; CPUID 0x406e3) are disabled as they may cause system +instability; the previously published revision 0xd6 is used instead. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-4e-03_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-4e-03_readme b/SOURCES/06-4e-03_readme new file mode 100644 index 0000000..e221544 --- /dev/null +++ b/SOURCES/06-4e-03_readme 
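Review bot: The per-kernel opt-out paragraph still ends with `is regenerated and the microcode can be loaded early, for example:` although the file it tells the reader to create is now `disallow-intel-06-2d-07`, so the sentence promises early loading of the very microcode that was just disabled. The parallel hunk in 06-55-04_readme was reworded to `so initramfs for this kernel version is regenerated, for example:`; the same wording fits here, and the all-kernels paragraph below it should likewise describe regenerating the initramfs rather than "early microcode updates".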
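Review bot: The new 06-4e-03_disclaimer states `Microcode revisions 0xda and higher for Intel Skylake-U/Y ... are disabled`, whereas 06-4e-03_readme in this same commit names only revision 0xdc as the problematic one and lists checksums for 0xd6 and 0xdc; the two documents should agree on which revisions the caveat covers, otherwise a user cannot tell whether an intermediate revision is affected. If no 0xda build was shipped for this CPUID, `Microcode revision 0xdc for Intel Skylake-U/Y (family 6, model 78, stepping 3; CPUID 0x406e3) is disabled as it may cause system instability;` would match the readme. The new 06-5e-03_disclaimer carries the same `0xda and higher` wording against a readme that names 0xdc.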
@@ -0,0 +1,68 @@ +Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3) +have reports of system hangs when revision 0xdc of microcode, that is included +since microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548, +and CVE-2020-0549, is applied[1]. In order to address this, microcode update +to the newer revision has been disabled by default on these systems, +and the previously published microcode revision 0xd6 is used by default +for the OS-driven microcode update. + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 + +For the reference, SHA1 checksums of 06-55-04 microcode files containing +microcode revisions in question are listed below: + * 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e + * 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + 
https://access.redhat.com/solutions/5142751 + +The information regarding enforcing microcode update is provided below. + +To enforce usage of the latest 06-4e-03 microcode revision for a specific kernel +version, please create a file "force-intel-06-4e-03" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory +where microcode will be available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated and the microcode can be loaded early, for example: + + touch /lib/firmware/3.10.0-862.9.1/force-intel-06-4e-03 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +After that, it is possible to perform a late microcode update by executing +"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to +"/sys/devices/system/cpu/microcode/reload" directly. + +To enforce addition of this microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03", run +"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, +and "dracut -f --regenerate-all" for enabling early microcode updates: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/06-55-04_config b/SOURCES/06-55-04_config index df081c9..373c8ac 100644 --- a/SOURCES/06-55-04_config +++ b/SOURCES/06-55-04_config 
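Review bot: The checksum paragraph reads `For the reference, SHA1 checksums of 06-55-04 microcode files containing`, which is the Skylake-SP identifier carried over from 06-55-04_readme, while the bullets under it list 06-4e-03 files; the line should read `For the reference, SHA1 checksums of 06-4e-03 microcode files containing`. The new 06-5e-03_readme has the same copied `06-55-04` in its checksum paragraph. These checksums are the only way a user can confirm which file they actually have, so the heading must name the right one.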
@@ -1,10 +1,22 @@
 model GenuineIntel 06-55-04
 path intel-ucode/06-55-04
-# Bug https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
-# affects only SKX-W/X (Workstation and HEDT segments); product segment
-# can be determined by checking bits 5..3 of the CAPID0 field in PCU registers
-# device (see https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13
-# for Server/FPGA/Fabric segments description; for SKX-W/X no public
-# documentation seems to be available). Specific device/function numbers
-# are provided for speeding up the search only, VID:DID is the real selector.
-pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
+## Bug https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
+## affects only SKX-W/X (Workstation and HEDT segments); product segment
+## can be determined by checking bits 5..3 of the CAPID0 field in PCU registers
+## device (see https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13
+## for Server/FPGA/Fabric segments description; for SKX-W/X no public
+## documentation seems to be available). Specific device/function numbers
+## are provided for speeding up the search only, VID:DID is the real selector.
+## Commented out since revision 0x2006906 seems to fix the issue.
+#pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
+## The "kernel_early" statements are carried over from the intel caveat config
+## in order to avoid enabling this newer microcode on these problematic kernels;
+## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
+## (That also means that this caveat has to be enforced separately on these
+## kernels.)
+kernel_early 4.10.0 +kernel_early 3.10.0-930 +kernel_early 3.10.0-862.14.1 +kernel_early 3.10.0-693.38.1 +kernel_early 3.10.0-514.57.1 +kernel_early 3.10.0-327.73.1 diff --git a/SOURCES/06-55-04_disclaimer b/SOURCES/06-55-04_disclaimer index afeb511..66d71bd 100644 --- a/SOURCES/06-55-04_disclaimer +++ b/SOURCES/06-55-04_disclaimer @@ -1,5 +1,5 @@ Microcode revisions 0x2000065 and higher for Intel Skylake-X/W (family 6, -model 85, stepping 4; CPUID 0x50654) are disabled as they may cause system -hangs on reboot and the previous revision 0x2000064 is used instead. +model 85, stepping 4; CPUID 0x50654) were disabled as they could cause system +hangs on reboot, so the previous revision 0x2000064 was used instead. Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-04_readme and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme index fbfeeba..097e07b 100644 --- a/SOURCES/06-55-04_readme +++ b/SOURCES/06-55-04_readme 
@@ -1,10 +1,14 @@ -Intel Skulake Scalable Platform CPU models that belong to Workstation and HEDT -(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) have reports -of system hangs on reboot when revision 0x2000065 of microcode, that is included -since microcode-20191112 update, is applied[1]. In order to address this, -microcode update to this revision has been disabled by default on these systems, -and the previously published microcode revision 0x2000064 is used by default -for the OS-driven microcode update. +Intel Skylake Scalable Platform CPU models that belong to Workstation and HEDT +(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports +of system hangs on reboot when revision 0x2000065 of microcode, that was included +from microcode-20191112 update up to microcode-20200520 update, was applied[1]. +In order to address this, microcode update to the newer revision had been +disabled by default on these systems, and the previously published microcode +revision 0x2000064 is used by default for the OS-driven microcode update. + +Since revision 0x2006906 (included with the microcode-20200609 release) +it is reported that the issue is no longer present, so the newer microcode +revision is enabled by default now (but can be disabled explicitly; see below). [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 @@ -12,6 +16,7 @@ For the reference, SHA1 checksums of 06-55-04 microcode files containing microcode revisions in question are listed below: * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23 + * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967 Please contact your system vendor for a BIOS/firmware update that contains the latest microcode version. For the information regarding microcode versions 
@@ -31,32 +36,32 @@ to the following knowledge base articles: CVE-2019-11135 (TSX Asynchronous Abort), CVE-2019-11139 (Voltage Setting Modulation): https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 -The information regarding enforcing microcode update is provided below. +The information regarding disabling microcode update is provided below. -To enforce usage of the 0x2000065 microcode revision for a specific kernel -version, please create a file "force-intel-06-55-04" inside +To disable usage of the newer microcode revision for a specific kernel +version, please create a file "disallow-intel-06-55-04" inside /lib/firmware/ directory, run -"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory -where microcode will be available for late microcode update, and run -"dracut -f --kver ", so initramfs for this kernel version -is regenerated and the microcode can be loaded early, for example: +"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory +used for late microcode updates, and run "dracut -f --kver " +so initramfs for this kernel version is regenerated, for example: - touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-04 + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04 /usr/libexec/microcode_ctl/update_ucode dracut -f --kver 3.10.0-862.9.1 -After that, it is possible to perform a late microcode update by executing -"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to -"/sys/devices/system/cpu/microcode/reload" directly. 
- -To enforce addition of this microcode for all kernels, please create file -"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04", run -"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, -and "dracut -f --regenerate-all" for enabling early microcode updates: +To disable usage of the newer microcode revision for all kernels, please create +file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run +"/usr/libexec/microcode_ctl/update_ucode" to update firmware directories +used for late microcode updates, and run "dracut -f --regenerate-all" +so initramfs images get regenerated, for example: mkdir -p /etc/microcode_ctl/ucode_with_caveats - touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04 + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04 /usr/libexec/microcode_ctl/update_ucode dracut -f --regenerate-all diff --git a/SOURCES/06-5e-03_config b/SOURCES/06-5e-03_config new file mode 100644 index 0000000..7482d36 --- /dev/null +++ b/SOURCES/06-5e-03_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-5e-03 +path intel-ucode/06-5e-03 +disable early late diff --git a/SOURCES/06-5e-03_disclaimer b/SOURCES/06-5e-03_disclaimer new file mode 100644 index 0000000..7e3bb16 --- /dev/null +++ b/SOURCES/06-5e-03_disclaimer @@ -0,0 +1,5 @@ +Microcode revisions 0xda and higher for Intel Skylake-H/S/Xeon E3 v5 (family 6, +model 94, stepping 3; CPUID 0x506e3) are disabled as they may cause system +instability; the previously published revision 0xd6 is used instead. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-5e-03_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-5e-03_readme b/SOURCES/06-5e-03_readme new file mode 100644 index 0000000..b739bf2 --- /dev/null +++ b/SOURCES/06-5e-03_readme 
@@ -0,0 +1,68 @@ +Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94, +stepping 3) have reports of possible system hangs when revision 0xdc +of microcode, that is included in microcode-20200609 update to address +CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, is applied[1]. In order +to address this, microcode update to the newer revision has been disabled +by default on these systems, and the previously published microcode revision +0xd6 is used by default for the OS-driven microcode update. + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 + +For the reference, SHA1 checksums of 06-55-04 microcode files containing +microcode revisions in question are listed below: + * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a + * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7 + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. 
For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 + +The information regarding enforcing microcode update is provided below. + +To enforce usage of the latest 06-5e-03 microcode revision for a specific kernel +version, please create a file "force-intel-06-5e-03" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory +where microcode will be available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated and the microcode can be loaded early, for example: + + touch /lib/firmware/3.10.0-862.9.1/force-intel-06-5e-03 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +After that, it is possible to perform a late microcode update by executing +"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to +"/sys/devices/system/cpu/microcode/reload" directly. 
+ +To enforce addition of this microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03", run +"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, +and "dracut -f --regenerate-all" for enabling early microcode updates: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats index 65a3fca..132d181 100644 --- a/SOURCES/README.caveats +++ b/SOURCES/README.caveats 
@@ -481,13 +481,20 @@ Minimum versions of the kernel package that contain the fix: Intel Sandy Bridge-E/EN/EP caveat --------------------------------- -MDS-related microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP -(SNB-EP, family 6, model 45, stepping 7) may lead to system instability[1][2]. -In order to address this, this microcode update is not used and the previous -microcode revision is provided instead by default; the microcode file, however, -is still shipped as part of microcode_ctl package and can be used for performing -a microcode update if it is enforced via the aforementioned overrides. (See -the sections "check_caveats script" and "reload_microcode script" for details.) +Microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6, +model 45, stepping 7), that was released to address MDS vulnerability, +and was available from microcode-20190618 up to microcode-20190508 release) +could lead to system instability[1][2]. In order to address this, +this microcode update was not used and the previous microcode revision +was provided instead by default; the microcode file, however, was still shipped +as part of microcode_ctl package and could be used for performing a microcode +update if it is enforced via the aforementioned overrides. With the release +of 0x71a revision of the microcode (as art of microcode-20200520 release) +that aims at fixing the aforementioned stability issue, the latest microcode +revision is again used by default; it is still provided via the caveat +mechanism, hovewer, in order to enable ability to disable it in case such +a need arises. (See the sections "check_caveats script" and "reload_microcode +script" for details regarding caveats mechanism operation.) [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15 [2] https://access.redhat.com/solutions/4593951 
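Review bot: The new SNB-EP paragraph gives the availability window as `and was available from microcode-20190618 up to microcode-20190508 release)`, where the closing parenthesis has no opening counterpart and the end of the range predates its start, so at least one of the two release names is wrong and should be checked against the release history. The same paragraph also has `(as art of microcode-20200520 release)` for "as part of", `hovewer` for "however", and `in order to enable ability to disable it` which reads better as `in order to retain the ability to disable it`.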
@@ -496,20 +503,28 @@ Caveat name: intel-06-2d-07 Affected microcode: intel-ucode/06-2d-07. -Mitigation: previously published microcode revision 0x714 is used by default. +Mitigation: None; the latest revision of the microcode file is used by default; +previously published microcode revision 0x714 is still available as a fallback +as part of "intel" caveat. Intel Skylake-SP/W/X caveat --------------------------- -Microcode revisions 0x2000065 and later for some CPU models that belong to -Intel Skylake Scalable Platform (SKL-W/X, family 6, model 85, stepping 4, -Workstation/HEDT segments) may lead to hangs during reboot[1]. In order -to address this, by default these microcode updates are not used -and the previous microcode revision is provided instead; the microcode file, -however, is still shipped as part of microcode_ctl package and can be used -for performing a microcode update if it is enforced via the aforementioned -overrides. (See the sections "check_caveats script" and "reload_microcode -script" for details.) +Microcode revision 0x2000065 (that was provided with microcode releases +microcode-20191112 up to microcode-20200520) for some CPU models that belong +to Intel Skylake Scalable Platform (SKL-W/X, family 6, model 85, stepping 4, +Workstation/HEDT segments) could lead to hangs during reboot[1]. In order +to address this, by default this microcode update was disabled by default and +and the previous 0x2000064 microcode revision was used instead; the microcode +file with, however, is still shipped as part of microcode_ctl package and can +be used for performing a microcode update if it is enforced +via the aforementioned overrides. With the availability of 0x2006906 revision +of the microcode (in the microcode-20200609 release) that fixes +the aforementioned issue, the latest microcode revision is again used +by default; it is still provided via caveat mechanism, hovewer, in order +to enable ability to disable it in case such a need arises. 
(See the sections +"check_caveats script" and "reload_microcode script" for details regarding +caveats mechanism operation.) [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 @@ -517,8 +532,33 @@ Caveat name: intel-06-55-04 Affected microcode: intel-ucode/06-55-04. -Mitigation: previously published microcode revision 0x2000064 is used -by default. +Mitigation: None; the latest revision of the microcode file is used by default; +previously published microcode revision 0x2000064 is still available +as a fallback as part of "intel" caveat. + + +Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats +---------------------------------------- +Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3; +and SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of system +hangs when revision 0xdc of microcode, that is included in microcode-20200609 +update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, +is applied[1][2]. In order to address this, microcode update to the newer +revision has been disabled by default on these systems, and the previously +published microcode revision 0xd6 is used instead; the newer microcode files, +however, are still shipped as part of microcode_ctl package and can be used +for performing a microcode update if they are enforced via the aforementioned +overrides. (See the sections "check_caveats script" and "reload_microcode +script" for details.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 +[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 + +Caveat names: intel-06-4e-03, intel-06-5e-03 + +Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03. + +Mitigation: previously published microcode revision 0xd6 is used by default. 
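Review bot: The new Skylake-SP paragraph contains `by default this microcode update was disabled by default and` followed by `and the previous 0x2000064 microcode revision`, duplicating both "by default" and "and", and `the microcode file with, however, is still shipped` has a stray "with"; `hovewer` recurs later in the paragraph. A reading that keeps the meaning is `In order to address this, this microcode update was disabled by default and the previous 0x2000064 microcode revision was used instead; the microcode file, however, is still shipped as part of microcode_ctl package`. The paragraph spans the line break between the two physical lines of this hunk.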
@@ -545,3 +585,7 @@ Intel CPU vulnerabilities is available in the following knowledge base articles: CVE-2019-11135 (TSX Asynchronous Abort), CVE-2019-11139 (Voltage Setting Modulation): https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec index bf02db2..a0aebed 100644 --- a/SPECS/microcode_ctl.spec +++ b/SPECS/microcode_ctl.spec @@ -1,4 +1,4 @@ -%define intel_ucode_version 20200602 +%define intel_ucode_version 20200609 %global debug_package %{nil} %define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats @@ -13,7 +13,7 @@ Summary: CPU microcode updates for Intel x86 processors Name: microcode_ctl Version: 20191115 -Release: 4.%{intel_ucode_version}.2%{?dist} +Release: 4.%{intel_ucode_version}.1%{?dist} Epoch: 4 License: CC0 and Redistributable, no modification permitted URL: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files @@ -25,6 +25,10 @@ Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Fi # (Pre-20191112) revision 0x2000064 of 06-55-04 microcode Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04 +# (Pre-20200609) revision 0xd6 of 06-4e-03/06-5e-03 microcode +Source4: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-4e-03 +Source5: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-5e-03 + # systemd unit Source10: microcode.service 
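Review bot: Source4 and Source5 fetch the 0xd6 fallback files through the `raw/microcode-20200520/` tag path, and a tag is a movable reference, so the URL by itself does not fix the content; the only integrity pin visible on this page is the SHA-1 recorded in .microcode_ctl.metadata for SOURCES/06-4e-03 and SOURCES/06-5e-03. Recording those expected values next to the URLs, e.g. `# (Pre-20200609) revision 0xd6 of 06-4e-03/06-5e-03 microcode` followed by `# sha1: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e (06-4e-03), 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a (06-5e-03)`, keeps the pin reviewable in the spec itself, and a commit-hash path instead of the tag would make the fetch immutable. Source3 above uses the same tag-based form, but that is pre-existing.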
@@ -70,6 +74,18 @@ Source130: 06-55-04_readme Source131: 06-55-04_config Source132: 06-55-04_disclaimer +# SKL-U/Y (CPUID 0x406e3) post-20200609 hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 +Source140: 06-4e-03_readme +Source141: 06-4e-03_config +Source142: 06-4e-03_disclaimer + +# SKL-H/S/Xeon E3 v5 (CPUID 0x506e3) post-20200609 possible hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 +Source150: 06-5e-03_readme +Source151: 06-5e-03_config +Source152: 06-5e-03_disclaimer + # "Provides:" RPM tags generator Source200: gen_provides.sh @@ -109,6 +125,14 @@ cp "%{SOURCE2}" intel-ucode/ mv intel-ucode/06-55-04 intel-ucode-with-caveats/ cp "%{SOURCE3}" intel-ucode/ +# replacing SKL-U/Y (CPUID 0x4063e) microcode with pre-20200609 version +mv intel-ucode/06-4e-03 intel-ucode-with-caveats/ +cp "%{SOURCE4}" intel-ucode/ + +# replacing SKL-H/S/Xeon E3 v5 (CPUID 0x5063e) microcode with pre-20200609 version +mv intel-ucode/06-5e-03 intel-ucode-with-caveats/ +cp "%{SOURCE5}" intel-ucode/ + : %install @@ -153,6 +177,7 @@ install -m 644 releasenote \ # caveats install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \ + "%{SOURCE140}" "%{SOURCE150}" \ -t "%{buildroot}/%{_pkgdocdir}/caveats/" 
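Review bot: The two new %prep comments identify the CPUs as `CPUID 0x4063e` and `CPUID 0x5063e`, but the Source140/Source150 comments earlier in this file and the new disclaimers use 0x406e3 and 0x506e3 (family 6, model 0x4e/0x5e, stepping 3), so the last three digits are transposed. They should read `# replacing SKL-U/Y (CPUID 0x406e3) microcode with pre-20200609 version` and `# replacing SKL-H/S/Xeon E3 v5 (CPUID 0x506e3) microcode with pre-20200609 version`; a CPUID string in a comment is exactly what a maintainer later greps for when deciding which caveat applies to a machine.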
@@ -183,12 +208,28 @@ install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config" install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer" # SKL-SP caveat -%define skl_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/ -install -m 755 -d "%{skl_inst_dir}/intel-ucode" -install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_inst_dir}/intel-ucode/" -install -m 644 "%{SOURCE130}" "%{skl_inst_dir}/readme" -install -m 644 "%{SOURCE131}" "%{skl_inst_dir}/config" -install -m 644 "%{SOURCE132}" "%{skl_inst_dir}/disclaimer" +%define skl_sp_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/ +install -m 755 -d "%{skl_sp_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_sp_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE130}" "%{skl_sp_inst_dir}/readme" +install -m 644 "%{SOURCE131}" "%{skl_sp_inst_dir}/config" +install -m 644 "%{SOURCE132}" "%{skl_sp_inst_dir}/disclaimer" + +# SKL-U/Y caveat +%define skl_uy_inst_dir %{buildroot}/%{caveat_dir}/intel-06-4e-03/ +install -m 755 -d "%{skl_uy_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-4e-03 -t "%{skl_uy_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE140}" "%{skl_uy_inst_dir}/readme" +install -m 644 "%{SOURCE141}" "%{skl_uy_inst_dir}/config" +install -m 644 "%{SOURCE142}" "%{skl_uy_inst_dir}/disclaimer" + +# SKL-H/S/Xeoon E3 v5 caveat +%define skl_hs_inst_dir %{buildroot}/%{caveat_dir}/intel-06-5e-03/ +install -m 755 -d "%{skl_hs_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-5e-03 -t "%{skl_hs_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE150}" "%{skl_hs_inst_dir}/readme" +install -m 644 "%{SOURCE151}" "%{skl_hs_inst_dir}/config" +install -m 644 "%{SOURCE152}" "%{skl_hs_inst_dir}/disclaimer" %post 
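Review bot: `%define skl_inst_dir` is renamed to `skl_sp_inst_dir` within this hunk; if any other part of the spec outside the hunk still expands `%{skl_inst_dir}`, rpmbuild will substitute nothing and leave the literal text rather than fail, so the rest of the spec should be grepped for the old macro name before merging. The new comment `# SKL-H/S/Xeoon E3 v5 caveat` also has a typo and should read `# SKL-H/S/Xeon E3 v5 caveat`.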
@@ -420,6 +461,20 @@ rm -rf %{buildroot} %changelog +* Mon Jun 15 2020 Eugene Syromiatnikov - 4:20191115-4.20200609.1 +- Update Intel CPU microcode to microcode-20200609 release (#1848504): + - Fixed a typo in the release note file. + +* Mon Jun 15 2020 Eugene Syromiatnikov - 4:20191115-4.20200602.5 +- Enable 06-2d-07 (SNB-E/EN/EP) caveat by default. + +* Mon Jun 15 2020 Eugene Syromiatnikov - 4:20191115-4.20200602.4 +- Enable 06-55-04 (SKL-X/W) caveat by default. + +* Sun Jun 14 2020 Eugene Syromiatnikov - 4:20191115-4.20200602.3 +- Do not update 06-4e-03 (SKL-U/Y) and 06-5e-03 (SKL-H/S/Xeon E3 v5) to revision + 0xdc, use 0xd6 by default (#1848440). + * Thu Jun 04 2020 Eugene Syromiatnikov - 4:20191115-4.20200602.2 - Avoid temporary file creation, used for here-documents in check_caveats.