diff --git a/.gitignore b/.gitignore index 0a58551..6970c1d 100644 --- a/.gitignore +++ b/.gitignore @@ -2,5 +2,5 @@ SOURCES/06-2d-07 SOURCES/06-4e-03 SOURCES/06-55-04 SOURCES/06-5e-03 -SOURCES/microcode-20201027.tar.gz +SOURCES/microcode-20201112.tar.gz SOURCES/microcode_ctl-2.1-18.tar.xz diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata index 47b326f..fa82b90 100644 --- a/.microcode_ctl.metadata +++ b/.microcode_ctl.metadata @@ -2,5 +2,5 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07 06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03 2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03 -8036bee2e4aa101bdb41a96ea051d91d357df514 SOURCES/microcode-20201027.tar.gz +010507b8a7ca0b5c4a01cd1f8a6adae5f0fd316d SOURCES/microcode-20201112.tar.gz 3959afc5d69a916a730131ce0f768db263e9e4f1 SOURCES/microcode_ctl-2.1-18.tar.xz diff --git a/SOURCES/06-4e-03_readme b/SOURCES/06-4e-03_readme index 016364f..49373e2 100644 --- a/SOURCES/06-4e-03_readme +++ b/SOURCES/06-4e-03_readme @@ -36,6 +36,10 @@ to the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 The information regarding enforcing microcode update is provided below. diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme index 7b8051a..5df5775 100644 --- a/SOURCES/06-55-04_readme +++ b/SOURCES/06-55-04_readme 
@@ -41,6 +41,10 @@ to the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 The information regarding disabling microcode update is provided below. diff --git a/SOURCES/06-5e-03_readme b/SOURCES/06-5e-03_readme index 9255d3f..9e21ac0 100644 --- a/SOURCES/06-5e-03_readme +++ b/SOURCES/06-5e-03_readme @@ -36,6 +36,10 @@ to the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 The information regarding enforcing microcode update is provided below. diff --git a/SOURCES/06-8c-01_config b/SOURCES/06-8c-01_config new file mode 100644 index 0000000..c7c5d65 --- /dev/null +++ b/SOURCES/06-8c-01_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-8c-01 +path intel-ucode/06-8c-01 +disable early late diff --git a/SOURCES/06-8c-01_disclaimer b/SOURCES/06-8c-01_disclaimer new file mode 100644 index 0000000..6e02fa6 --- /dev/null +++ b/SOURCES/06-8c-01_disclaimer @@ -0,0 +1,4 @@ +Microcode updates for Intel Tiger Lake-UP3/UP4 (family 6, model 140, stepping 1; +CPUID 0x806c1) are disabled as they may cause system instability. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-8c-01_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-8c-01_readme b/SOURCES/06-8c-01_readme new file mode 100644 index 0000000..16afb9b --- /dev/null +++ b/SOURCES/06-8c-01_readme 
@@ -0,0 +1,40 @@
+Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
+have reports of system hangs when a microcode update, that is included
+since microcode-20201110 update, is applied[1]. In order to address this,
+microcode update has been disabled by default on these systems.
+
+[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version.
+
+The information regarding enforcing microcode update is provided below.
+
+To enforce usage of the latest 06-8c-01 microcode revision for a specific kernel
+version, please create a file "force-intel-06-8c-01" inside
+/lib/firmware/ directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
+where microcode will be available for late microcode update, and run
+"dracut -f --kver ", so initramfs for this kernel version
+is regenerated and the microcode can be loaded early, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/force-intel-06-8c-01
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+After that, it is possible to perform a late microcode update by executing
+"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
+"/sys/devices/system/cpu/microcode/reload" directly.
+
+To enforce addition of this microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01", run
+"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
+and "dracut -f --regenerate-all" for enabling early microcode updates:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.
diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats index 4e1c53b..6d7cc84 100644 --- a/SOURCES/README.caveats +++ b/SOURCES/README.caveats @@ -560,6 +560,26 @@ Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03. Mitigation: previously published microcode revision 0xd6 is used by default. +Intel Tiger Lake-UP3/UP4 caveat +------------------------------- +Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140, +stepping 1) have reports of system hangs when a microcode update, +that is included since microcode-20201110 release, is applied[1]. +In order to address this, microcode update to a newer revision has been disabled +by default on these systems; the newer microcode file, however, is still shipped +as a part of microcode_ctl package and can be used for performing a microcode +update if it is enforced via the aforementioned overrides. (See the sections +"check_caveats script" and "reload_microcode script" for details.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 + +Caveat names: intel-06-8c-01 + +Affected microcode: intel-ucode/06-8c-01. + +Mitigation: microcode loading is disabled for the affected CPU model. + + Additional information ====================== @@ -588,3 +608,7 @@ Intel CPU vulnerabilities is available in the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 diff --git a/SOURCES/codenames.list b/SOURCES/codenames.list index 502fc92..be1f3d2 100644 --- a/SOURCES/codenames.list +++ b/SOURCES/codenames.list 
@@ -297,6 +297,7 @@ Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop; Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop; Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile; Mobile;;Comet Lake;K0;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile; +SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology; # sources: # https://en.wikichip.org/wiki/intel/cpuid diff --git a/SOURCES/microcode_ctl-use-microcode-20201027-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20201027-tgz.patch deleted file mode 100644 index f7badfa..0000000 --- a/SOURCES/microcode_ctl-use-microcode-20201027-tgz.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: microcode_ctl-2.1-18/Makefile -=================================================================== ---- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200 -+++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200 -@@ -8,7 +8,7 @@ - # 2 of the License, or (at your option) any later version. - - PROGRAM = intel-microcode2ucode --MICROCODE_INTEL = microcode-20180703.tgz -+MICROCODE_INTEL = microcode-20201027.tar.gz - - INS = install - CC = gcc diff --git a/SOURCES/microcode_ctl-use-microcode-20201112-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20201112-tgz.patch new file mode 100644 index 0000000..134c303 --- /dev/null +++ b/SOURCES/microcode_ctl-use-microcode-20201112-tgz.patch @@ -0,0 +1,13 @@ +Index: microcode_ctl-2.1-18/Makefile +=================================================================== +--- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200 ++++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200 +@@ -8,7 +8,7 @@ + # 2 of the License, or (at your option) any later version. + + PROGRAM = intel-microcode2ucode +-MICROCODE_INTEL = microcode-20180703.tgz ++MICROCODE_INTEL = microcode-20201112.tar.gz + + INS = install + CC = gcc diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec index 804775e..489a8ec 100644 
--- a/SPECS/microcode_ctl.spec +++ b/SPECS/microcode_ctl.spec @@ -1,5 +1,5 @@ %define upstream_version 2.1-18 -%define intel_ucode_version 20201027 +%define intel_ucode_version 20201112 %define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats %define microcode_ctl_libexec %{_libexecdir}/microcode_ctl @@ -21,14 +21,13 @@ Summary: Tool to transform and deploy CPU microcode update for x86. Name: microcode_ctl Version: 2.1 -Release: 73.2%{?dist} +Release: 73.4%{?dist} Epoch: 2 Group: System Environment/Base License: GPLv2+ and Redistributable, no modification permitted URL: https://pagure.io/microcode_ctl Source0: https://releases.pagure.org/microcode_ctl/%{name}-%{upstream_version}.tar.xz -#Source1: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz -Source1: microcode-%{intel_ucode_version}.tar.gz +Source1: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz # (Pre-MDS) revision 0x714 of 06-2d-07 microcode Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07 @@ -98,6 +97,11 @@ Source150: 06-5e-03_readme Source151: 06-5e-03_config Source152: 06-5e-03_disclaimer +# TGL-UP3/UP4 (CPUID 06-8c-01) hangs +Source180: 06-8c-01_readme +Source181: 06-8c-01_config +Source182: 06-8c-01_disclaimer + # "Provides:" RPM tags generator Source200: gen_provides.sh @@ -183,6 +187,9 @@ cp "%{SOURCE4}" intel-ucode/ mv intel-ucode/06-5e-03 intel-ucode-with-caveats/ cp "%{SOURCE5}" intel-ucode/ +# Moving 06-8c-01 microcode to intel-ucode-with-caveats +mv intel-ucode/06-8c-01 intel-ucode-with-caveats/ + # man page sed "%{SOURCE40}" \ -e "s/@DATE@/2019-05-09/g" \ 
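Review bot: The `Source1:` line in the second spec hunk now points at GitHub's generated `/archive/` URL, and the spec says nothing about how the tarball obtained from it is checked. The only integrity pin visible in this commit is the 40-hex-digit digest recorded for `SOURCES/microcode-20201112.tar.gz` in `.microcode_ctl.metadata`, so anyone refreshing the source from the URL should compare the download against that digest rather than rely on the URL. I would record this above the line, for example `# URL is for reference; the tarball used for the build is the one matching the digest in .microcode_ctl.metadata`, assuming that is how sources are fetched for this repository.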
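Review bot: The new comment `# TGL-UP3/UP4 (CPUID 06-8c-01) hangs` above `Source180` to `Source182` gives no pointer to the report behind the caveat, so a later maintainer cannot tell from the spec when the default-off state can be lifted. The upstream issue is already cited in 06-8c-01_readme and README.caveats, and I would repeat it here: `# TGL-UP3/UP4 (CPUID 06-8c-01) hangs, see https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44`. This matters because, while the caveat is in place, the package does not update microcode on the affected systems unless the force file described in the readme is created, so they presumably stay on the revision their firmware provides.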
@@ -239,6 +246,7 @@ install -m 644 releasenote.md \ # caveats install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \ "%{SOURCE140}" "%{SOURCE150}" \ + "%{SOURCE180}" \ -t "%{buildroot}/%{_pkgdocdir}/caveats/" # Man page @@ -296,6 +304,14 @@ install -m 644 "%{SOURCE150}" "%{skl_hs_inst_dir}/readme" install -m 644 "%{SOURCE151}" "%{skl_hs_inst_dir}/config" install -m 644 "%{SOURCE152}" "%{skl_hs_inst_dir}/disclaimer" +# TGL caveat +%define tgl_inst_dir %{buildroot}/%{caveat_dir}/intel-06-8c-01/ +install -m 755 -d "%{tgl_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-8c-01 -t "%{tgl_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE180}" "%{tgl_inst_dir}/readme" +install -m 644 "%{SOURCE181}" "%{tgl_inst_dir}/config" +install -m 644 "%{SOURCE182}" "%{tgl_inst_dir}/disclaimer" + # SUMMARY.intel-ucode generation # It is to be done only after file population, so, it is here, # at the end of the install stage @@ -309,6 +325,7 @@ rm -f intel-ucode-with-caveats/06-4e-03 rm -f intel-ucode-with-caveats/06-4f-01 rm -f intel-ucode-with-caveats/06-55-04 rm -f intel-ucode-with-caveats/06-5e-03 +rm -f intel-ucode-with-caveats/06-8c-01 rmdir intel-ucode-with-caveats rm -rf intel-ucode @@ -534,6 +551,16 @@ rm -rf %{buildroot} %changelog +* Fri Nov 13 2020 Eugene Syromiatnikov - 2:2.1-73.4 +- Update Intel CPU microcode to microcode-20201112 release: + - Addition of 06-8a-01/0x10 (LKF B2/B3) microcode at revision 0x28; + - Update of 06-7a-01/0x01 (GLK B0) microcode from revision 0x32 up + to 0x34; + - Updated releasenote file. + +* Fri Nov 13 2020 Eugene Syromiatnikov - 2:2.1-73.3 +- Disable 06-8c-01 (TGL-UP3/UP4 B1) microcode update by default. + * Fri Oct 30 2020 Eugene Syromiatnikov - 2:2.1-73.2 - Update Intel CPU microcode to microcode-20201027 release, addresses CVE-2020-8694, CVE-2020-8695, CVE-2020-8696, CVE-2020-8698