diff --git a/.gitignore b/.gitignore index 6970c1d..c7900a9 100644 --- a/.gitignore +++ b/.gitignore @@ -2,5 +2,6 @@ SOURCES/06-2d-07 SOURCES/06-4e-03 SOURCES/06-55-04 SOURCES/06-5e-03 -SOURCES/microcode-20201112.tar.gz +SOURCES/06-8c-01 +SOURCES/microcode-20210216.tar.gz SOURCES/microcode_ctl-2.1-18.tar.xz diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata index fa82b90..f15499c 100644 --- a/.microcode_ctl.metadata +++ b/.microcode_ctl.metadata @@ -2,5 +2,6 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07 06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03 2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03 -010507b8a7ca0b5c4a01cd1f8a6adae5f0fd316d SOURCES/microcode-20201112.tar.gz +2204a6dee1688980cd228268fdf4b6ed5904fe04 SOURCES/06-8c-01 +26608161d98c3d0c965fc41856520434b14c000d SOURCES/microcode-20210216.tar.gz 3959afc5d69a916a730131ce0f768db263e9e4f1 SOURCES/microcode_ctl-2.1-18.tar.xz diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme index 5df5775..cdec2c2 100644 --- a/SOURCES/06-55-04_readme +++ b/SOURCES/06-55-04_readme @@ -18,6 +18,7 @@ microcode revisions in question are listed below: * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23 * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967 * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212 + * 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462 Please contact your system vendor for a BIOS/firmware update that contains the latest microcode version. For the information regarding microcode versions diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats index 6d7cc84..91a58b8 100644 --- a/SOURCES/README.caveats +++ b/SOURCES/README.caveats 
@@ -201,7 +201,40 @@ separated by white space. Currently, the following options are supported: of the aforementioned value, then the check is successful, otherwise it fails (in accordance with "mode=success-all" semantics). This check fails if "-m" option is not specified. - + * "dmi" performs checks for specific values available in DMI sysfs files + (present under /sys/devices/virtual/dmi/id/). The check fails if file + is not readable. If "-m" option is specified, then the actual check + is skipped, and the check returns value in accordance with "no-model-mode" + parameter value (see below). Check arguments are a white-space-separated + list of "key=value" pairs. The following keys are supported: + * "key" - DMI file to check. Value can be one of the following: bios_date, + bios_vendor, bios_version, board_asset_tag, board_name, board_serial, + board_vendor, board_version, chassis_asset_tag, chassis_serial, + chassis_type, chassis_vendor, chassis_version, product_family, + product_name, product_serial, product_uuid, product_version, sys_vendor. + Default is empty string. + * "val" - a string to match DMI data against. Can be enclosed in single + or double quotes. Default is empty string. + * "mode" - check mode, the way matches are interpreted: + * "success-equal" - returns 0 if the value present in the file + with the name supplied via the "key" parameter file under + /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value + of "val" parameter, otherwise 1. + * "success-equal" - returns 1 if the value present in the file + with the name supplied via the "key" parameter file under + /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value + of "val" parameter, otherwise 0. + Default is "success-any". + * "no-model-mode" - return value if model filter ("-m" option) + is not enabled: + * "success" - return 0. + * "fail" - return 1. + Default is "success". 
+ An example of a check: + dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc." + It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its + content is "Dell Inc." (without quotes). It succeeds if "-m" option + is not enabled. check_caveats script diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats index f43fb4a..ee8db57 100755 --- a/SOURCES/check_caveats +++ b/SOURCES/check_caveats @@ -138,7 +138,7 @@ check_kver() # [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 # [2] https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13 # -# $1 - params in config file, space-spearated, in key=value form: +# $1 - params in config file, space-separated, in key=value form: # domain=* - PCI domain, '*' or number # bus=* - PCI bus, '*' or number # device=* - PCI device, '*' or number 
@@ -258,6 +258,100 @@ check_pci_config_val() ) } +# It is needed for filtering by BIOS vendor name that is available in DMI data +# +# $1 - params in config file, space-separated, in key=value form: +# key= - DMI value to check. Can be one of the following: bios_date, +# bios_vendor, bios_version, board_asset_tag, board_name, board_serial, +# board_vendor, board_version, chassis_asset_tag, chassis_serial, +# chassis_type, chassis_vendor, chassis_version, product_family, +# product_name, product_serial, product_uuid, product_version, +# sys_vendor. +# val= - a string to match DMI data against. Can be enclosed in single +# or double quotes. +# mode=success-equal [ success-equal, fail-equal ] - matching mode: +# success-equal: Returns 0 if the value present in the corresponding file +# under /sys/devices/virtual/dmi/id/ is equal +# to the value supplied as a value of "val" parameter, +# otherwise 1. +# fail-equal: Returns 1 if the value present in the corresponding file +# under /sys/devices/virtual/dmi/id/ is equal +# to the value supplied as a value of "val" parameter, +# otherwise 0. +# no-model-mode=success [ success, fail ] - return value if model filter +# is not enabled: +# success: Return 0. +# fail: Return 1. +# $2 - whether model filter is engaged (if it is not '1', just return the result +# based on "mode" value that assumes that the check has failed). 
+check_dmi_val() +{ + local key= val= mode='success-equal' nm_mode='success' + local opts="${1:-}" opt= opt_= + local match_model="${2:0}" + + local valid_keys=" bios_date bios_vendor bios_version board_asset_tag board_name board_serial board_vendor board_version chassis_asset_tag chassis_serial chassis_type chassis_vendor chassis_version product_family product_name product_serial product_uuid product_version sys_vendor " + local success=1 + + while [ -n "$opts" ]; do + opt="${opts%%[ ]*}" + [ -n "${opt}" ] || { opts="${opts#[ ]}"; continue; } + + [ "x${opt#key=}" = "x${opt}" ] || key="${opt#key=}" + [ "x${opt#mode=}" = "x${opt}" ] || mode="${opt#mode=}" + [ "x${opt#no-model-mode=}" = "x${opt}" ] || \ + nm_mode="${opt#no-model-mode=}" + + # Handle possible quoting + [ "x${opt#val=}" = "x${opt}" ] || { + case "${opt#val=}" in + [']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val=\'${val}\'" ;; + ["]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;; + *) val="${opt#val=}" ;; + esac + } + + opts="${opts#"${opt}"}" + continue + done + + # Check key for validity + [ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || { + debug "Invalid \"key\" parameter value: \"${key}\"" + echo 2 + exit + } + + [ 1 = "$match_model" ] || { + case "$nm_mode" in + success) echo 0 ;; + fail) echo 1 ;; + *) + debug "Invalid no-model-mode value: \"${nm_mode}\"" + echo 2 + ;; + esac + + exit + } + + [ -r "/sys/devices/virtual/dmi/id/${key}" ] || { + debug "Can't access /sys/devices/virtual/dmi/id/${key}" + echo 3 + exit + } + + file_val="$(cat "/sys/devices/virtual/dmi/id/${key}")" + + [ "x${val}" = "x${file_val}" ] || success=0 + + case "$mode" in + success-equal) echo "$((1 - $success))" ;; + fail-equal) echo "${success}" ;; + *) debug "Invalid mode value: \"${nm_mode}\""; echo 2 ;; + esac +} + # Provides model in format "VENDOR_ID FAMILY-MODEL-STEPPING" # # We check only the first processor as we don't expect non-symmetrical setups 
@@ -400,6 +494,7 @@ for cfg in $(echo "${configs}"); do cfg_mc_min_ver_late= cfg_disable= cfg_pci= + cfg_dmi= while read -r key value; do case "$key" in @@ -426,11 +521,19 @@ for cfg in $(echo "${configs}"); do ;; blacklist) cfg_blacklist=1 + # "blacklist" is special: it stops entity parsing, + # and the rest of file is a list of blacklisted model + # names. + break ;; pci_config_val) cfg_pci="$cfg_pci $value" ;; + dmi) + cfg_dmi="$cfg_dmi + $value" + ;; '#'*|'') continue ;; @@ -525,10 +628,9 @@ for cfg in $(echo "${configs}"); do cfg_mc_present=0 for p in $(printf "%s" "$cfg_path"); do - { /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \ - -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0; - /bin/true; } \ - | /bin/grep -zFxq "$cpu_mc_path" \ + /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \ + -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \ + | /bin/grep -zFxc "$cpu_mc_path" > /dev/null \ || continue cfg_mc_present=1 @@ -639,6 +741,29 @@ for cfg in $(echo "${configs}"); do } fi + # Check DMI data if model filter is enabled + # Note that the model filter check is done inside check_pci_config_val + # based on the 'mode=' parameter. + if [ -n "$cfg_dmi" ]; then + dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line + do + [ -n "$dmi_line" ] || continue + dmi_res=$(check_dmi_val "$dmi_line" \ + "$match_model") + [ 0 != "$dmi_res" ] || continue + echo "$dmi_res $dmi_line" + break + done + echo "0 ")" + + [ -z "${dmi_line#* }" ] || { + debug "DMI data check '${dmi_line#* }'" \ + "failed (with return code ${dmi_line%% *})" + fail + continue + } + fi + ok_cfgs="$ok_cfgs $cfg" ok_paths="$ok_paths $cfg_path" done diff --git a/SOURCES/microcode_ctl-use-microcode-20201112-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20201112-tgz.patch deleted file mode 100644 index 134c303..0000000 --- a/SOURCES/microcode_ctl-use-microcode-20201112-tgz.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -Index: microcode_ctl-2.1-18/Makefile -=================================================================== ---- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200 -+++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200 -@@ -8,7 +8,7 @@ - # 2 of the License, or (at your option) any later version. - - PROGRAM = intel-microcode2ucode --MICROCODE_INTEL = microcode-20180703.tgz -+MICROCODE_INTEL = microcode-20201112.tar.gz - - INS = install - CC = gcc diff --git a/SOURCES/microcode_ctl-use-microcode-20210216-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20210216-tgz.patch new file mode 100644 index 0000000..05e2f9d --- /dev/null +++ b/SOURCES/microcode_ctl-use-microcode-20210216-tgz.patch @@ -0,0 +1,13 @@ +Index: microcode_ctl-2.1-18/Makefile +=================================================================== +--- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200 ++++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200 +@@ -8,7 +8,7 @@ + # 2 of the License, or (at your option) any later version. + + PROGRAM = intel-microcode2ucode +-MICROCODE_INTEL = microcode-20180703.tgz ++MICROCODE_INTEL = microcode-20210216.tar.gz + + INS = install + CC = gcc diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec index 489a8ec..7857408 100644 --- a/SPECS/microcode_ctl.spec +++ b/SPECS/microcode_ctl.spec @@ -1,5 +1,5 @@ %define upstream_version 2.1-18 -%define intel_ucode_version 20201112 +%define intel_ucode_version 20210216 %define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats %define microcode_ctl_libexec %{_libexecdir}/microcode_ctl @@ -21,7 +21,7 @@ Summary: Tool to transform and deploy CPU microcode update for x86. Name: microcode_ctl Version: 2.1 -Release: 73.4%{?dist} +Release: 73.8%{?dist} Epoch: 2 Group: System Environment/Base License: GPLv2+ and Redistributable, no modification permitted 
@@ -38,6 +38,12 @@ Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Fi Source4: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-4e-03 Source5: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-5e-03 +# microcode-20201118 has removed 06-8c-01/0x80 (TGL-UP3/UP4 B1) microcode update +# at revision 0x68; it is, however, may still be useful for some[1], so it is +# to be preserved in a caveat. +# [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/39 +Source8: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20201112/intel-ucode/06-8c-01 + # systemd unit Source10: microcode.service @@ -104,9 +110,9 @@ Source182: 06-8c-01_disclaimer # "Provides:" RPM tags generator -Source200: gen_provides.sh -Source201: codenames.list -Source202: gen_updates2.py +Source1000: gen_provides.sh +Source1001: codenames.list +Source1002: gen_updates2.py Patch1: microcode_ctl-do-not-merge-ucode-with-caveats.patch Patch2: microcode_ctl-revert-intel-microcode2ucode-removal.patch @@ -127,7 +133,7 @@ Requires(postun): systemd coreutils Requires(posttrans): dracut coreutils %global _use_internal_dependency_generator 0 -%define __find_provides "%{SOURCE200}" "%{SOURCE201}" +%define __find_provides "%{SOURCE1000}" "%{SOURCE1001}" %description The microcode_ctl utility is a companion to the microcode driver written @@ -188,7 +194,7 @@ mv intel-ucode/06-5e-03 intel-ucode-with-caveats/ cp "%{SOURCE5}" intel-ucode/ # Moving 06-8c-01 microcode to intel-ucode-with-caveats -mv intel-ucode/06-8c-01 intel-ucode-with-caveats/ +cp "%{SOURCE8}" intel-ucode-with-caveats/ # man page sed "%{SOURCE40}" \ 
@@ -315,7 +321,7 @@ install -m 644 "%{SOURCE182}" "%{tgl_inst_dir}/disclaimer" # SUMMARY.intel-ucode generation # It is to be done only after file population, so, it is here, # at the end of the install stage -/usr/bin/python "%{SOURCE202}" -C "%{SOURCE201}" \ +/usr/bin/python "%{SOURCE1002}" -C "%{SOURCE1001}" \ summary -A "%{buildroot}" \ > "%{buildroot}/%{_pkgdocdir}/SUMMARY.intel-ucode" @@ -551,6 +557,27 @@ rm -rf %{buildroot} %changelog +* Wed Feb 17 2021 Eugene Syromiatnikov - 2:2.1-73.8 +- Update Intel CPU microcode to microcode-20210216 release (#1905111): + - Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in + intel-06-55-04/intel-ucode/06-55-04) from revision 0x2006a08 up + to 0x2006a0a; + - Update of 06-55-06/0xbf (CLX-SP B0) microcode from revision 0x4003003 + up to 0x4003006; + - Update of 06-55-07/0xbf (CLX-SP/W/X B1/L1) microcode from revision + 0x5003003 up to 0x5003006. + +* Wed Feb 17 2021 Eugene Syromiatnikov - 2:2.1-73.7 +- Remove 06-55-04/06-55-06/06-55-07 (SKX-SP/CLX-SP) microcode-20201110 caveats. + +* Thu Feb 11 2021 Eugene Syromiatnikov - 2:2.1-73.6 +- Backport check_dmi_val to check_caveats from RHEL 8. + +* Fri Dec 11 2020 Eugene Syromiatnikov - 2:2.1-73.5 +- Do not use "grep -q" in a pipe in check_caveats. +- Add 06-55-04/06-55-06/06-55-07 (SKX-SP/CLX-SP) microcode-20201110 caveats + (#1905111). + * Fri Nov 13 2020 Eugene Syromiatnikov - 2:2.1-73.4 - Update Intel CPU microcode to microcode-20201112 release: - Addition of 06-8a-01/0x10 (LKF B2/B3) microcode at revision 0x28;
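Review bot: In the SOURCES/README.caveats hunk (@@ -201,7 +201,40 @@), the "mode" list documents "success-equal" twice. The second bullet ("returns 1 if the value ... is equal") describes what check_dmi_val and the example line call "fail-equal". The text "Default is "success-any"" also names a mode the dmi check does not have, since check_dmi_val initialises mode='success-equal'. Suggest renaming the second bullet to "fail-equal" and changing the stated default to "success-equal".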
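Review bot: In check_dmi_val (SOURCES/check_caveats, @@ -258,6 +258,100 @@), the fallback arm of the final case "$mode" logs the wrong variable: debug "Invalid mode value: \"${nm_mode}\"" prints the no-model-mode setting, so a mistyped mode= is reported with an unrelated value. It should print ${mode}. In the same function, local match_model="${2:0}" is a substring expansion, not a default; ${2:-0} looks intended, matching opts="${1:-}" on the line above. The header comment for $2 also says the no-model result is based on the "mode" value, while the code uses no-model-mode.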
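Review bot: In the cfg_path loop (SOURCES/check_caveats, @@ -525,10 +628,9 @@), the pipeline changes from grep -zFxq to grep -zFxc "$cpu_mc_path" > /dev/null and drops the { ...; /bin/true; } wrapper without a comment. The only explanation is the changelog line "Do not use "grep -q" in a pipe in check_caveats". Counting matches and discarding the count reads like an oversight and invites a later cleanup back to -q, which lets grep exit at the first match while find is still writing. Suggest a one-line comment above the pipeline stating why -q is avoided here.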
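Review bot: The comment that opens the new DMI block (SOURCES/check_caveats, @@ -639,6 +741,29 @@) says the model filter check "is done inside check_pci_config_val based on the 'mode=' parameter", but the block calls check_dmi_val, which decides the no-model case from no-model-mode=. It looks copied from the PCI block and should name check_dmi_val and no-model-mode. The inner while read -r dmi_line also reuses the name of the variable that receives the command substitution result; it works because the loop runs in a subshell, but a distinct name would be easier to follow.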
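Review bot: In SPECS/microcode_ctl.spec (@@ -38,6 +38,12 @@), the comment introducing Source8 has a grammar slip, "it is, however, may still be useful for some[1]", which makes the rationale for keeping the 06-8c-01 file hard to read. Suggest "it may, however, still be useful for some[1], so it is preserved in a caveat". It would also help to state in the comment that the file is taken from the microcode-20201112 tag, as the Source8 URL shows, since that differs from the %{intel_ucode_version} this spec now builds.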
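Review bot: In the %prep section of SPECS/microcode_ctl.spec (@@ -188,7 +194,7 @@), the comment "# Moving 06-8c-01 microcode to intel-ucode-with-caveats" is stale after this change. The command under it is now cp "%{SOURCE8}" intel-ucode-with-caveats/, which copies the separately shipped source file instead of moving one out of intel-ucode/. Suggest rewording the comment to say the file is copied from Source8, in line with the "cp "%{SOURCE5}" intel-ucode/" step just above.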
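Review bot: The new %changelog entries (SPECS/microcode_ctl.spec, @@ -551,6 +557,27 @@) do not mention two packaging changes visible elsewhere in this diff: 06-8c-01 is now shipped from a separate Source8 instead of the upstream tarball, and Source200-202 are renumbered to Source1000-1002. The 2:2.1-73.8 entry lists only the three 06-55-0x revision updates. Suggest adding a line for the 06-8c-01 preservation at least, since it changes which file ends up in intel-ucode-with-caveats.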