%define upstream_version 2.1-20180703 %define microcode_ctl_libexec /usr/libexec/microcode_ctl %define update_ucode %{microcode_ctl_libexec}/update_ucode %define check_caveats %{microcode_ctl_libexec}/check_caveats %define reload_microcode %{microcode_ctl_libexec}/reload_microcode Summary: Tool to transform and deploy CPU microcode update for x86. Name: microcode_ctl Version: 2.1 Release: 29.10%{?dist} Epoch: 2 Group: System Environment/Base License: GPLv2+ and Redistributable, no modification permitted URL: https://pagure.io/microcode_ctl Source0: %{name}-%{upstream_version}.tar.xz Source1: microcode.service Source2: 01-microcode.conf Source3: disclaimer Source4: update_ucode Source5: check_caveats Source6: reload_microcode Source7: dracut_99microcode_ctl-fw_dir_override_module_init.sh Source8: 06-4f-01_readme Source9: 06-4f-01_config Buildroot: %{_tmppath}/%{name}-%{version}-root ExclusiveArch: %{ix86} x86_64 BuildRequires: systemd-units Requires(post): systemd Requires(preun): systemd Requires(postun): systemd Requires(posttrans): kernel %description The microcode_ctl utility is a companion to the microcode driver written by Tigran Aivazian . The microcode update is volatile and needs to be uploaded on each system boot i.e. it doesn't reflash your cpu permanently, reboot and it reverts back to the old microcode. %prep %setup -q -n %{name}-%{upstream_version} %build make CFLAGS="$RPM_OPT_FLAGS" %{?_smp_mflags} find intel-ucode -type f | sed 's/^/%%ghost \/lib\/firmware\//' > ghost_list %install rm -rf %{buildroot} make DESTDIR=%{buildroot} PREFIX=%{_prefix} INSDIR=/usr/sbin MICDIR=/usr/share/microcode_ctl install clean mkdir -p %{buildroot}/usr/lib/dracut/dracut.conf.d mkdir -p %{buildroot}%{_unitdir} install -m 644 %{SOURCE1} %{buildroot}%{_unitdir} install -m 644 %{SOURCE2} %{buildroot}/usr/lib/dracut/dracut.conf.d install -m 644 %{SOURCE3} %{buildroot}/usr/share/doc/microcode_ctl/disclaimer mkdir -p %{buildroot}/%{microcode_ctl_libexec} install -m 755 %{SOURCE4} %{buildroot}/%{update_ucode} install -m 755 %{SOURCE5} %{buildroot}/%{check_caveats} install -m 755 %{SOURCE6} %{buildroot}/%{reload_microcode} mkdir -p "%{buildroot}/usr/lib/dracut/modules.d/99microcode_ctl-fw_dir_override" install -m 755 %{SOURCE7} %{buildroot}/usr/lib/dracut/modules.d/99microcode_ctl-fw_dir_override/module-setup.sh mkdir -p "%{buildroot}/usr/share/microcode_ctl/ucode_with_caveats/intel-06-4f-01/intel-ucode" install -m 644 intel-ucode-with-caveats/06-4f-01 %{buildroot}/usr/share/microcode_ctl/ucode_with_caveats/intel-06-4f-01/intel-ucode/06-4f-01 install -m 644 %{SOURCE8} %{buildroot}/usr/share/microcode_ctl/ucode_with_caveats/intel-06-4f-01/readme install -m 644 %{SOURCE9} %{buildroot}/usr/share/microcode_ctl/ucode_with_caveats/intel-06-4f-01/config rm -f intel-ucode-with-caveats/06-4f-01 rmdir intel-ucode-with-caveats %post %systemd_post microcode.service %{update_ucode} # "reload" file is not presented on a certain virtualized hw if [ -w /sys/devices/system/cpu/microcode/reload ] ; then %{reload_microcode} fi # send the message to syslog, so it gets recorded on /var/log if [ -e /usr/bin/logger ]; then /usr/bin/logger -p syslog.notice -t DISCLAIMER -f /usr/share/doc/microcode_ctl/disclaimer fi # also paste it over dmesg (some customers drop dmesg messages while # others keep them into /var/log for the later case, we'll have the # disclaimer recorded twice into system logs. cat /usr/share/doc/microcode_ctl/disclaimer > /dev/kmsg %posttrans # We only want to regenerate the initramfs for a fully booted # system; if this package happened to e.g. be pulled in as a build # dependency, it is pointless at best to regenerate the initramfs, # and also does not work with rpm-ostree: # https://bugzilla.redhat.com/show_bug.cgi?id=1199582 if [ -d /run/systemd/system ]; then dracut -f fi %preun %systemd_preun microcode.service # Storing ucode list before uninstall ls /usr/share/microcode_ctl/intel-ucode | sort > "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode" ls /usr/share/microcode_ctl/ucode_with_caveats | sort > "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats" %postun %systemd_postun microcode.service ls /usr/share/microcode_ctl/intel-ucode 2> /dev/null | sort > "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_after" ls /usr/share/microcode_ctl/ucode_with_caveats 2> /dev/null | sort > "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats_after" comm -23 \ "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode" \ "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_after" \ > "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_diff" comm -23 \ "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats" \ "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats_after" \ > "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats_diff" if [ -e "%{update_ucode}" ]; then %{update_ucode} --action remove --cleanup \ "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_diff" \ "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats_diff" || exit 0 else while read f; do [ -L "/lib/firmware/intel-ucode/$f" ] || continue rm -f "/lib/firmware/intel-ucode/$f" done < "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_diff" fi rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode" rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats" rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_after" rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats_after" rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_intel-ucode_diff" rm -f "%{_localstatedir}/lib/rpm-state/microcode_ctl_un_ucode_caveats_diff" %triggerin -- kernel %{update_ucode} %triggerpostun -- kernel %{update_ucode} %clean rm -rf %{buildroot} %files -f ghost_list %ghost %attr(0100755, root, root) /lib/firmware/intel-ucode/ /usr/sbin/intel-microcode2ucode %{microcode_ctl_libexec} /usr/share/microcode_ctl /usr/lib/dracut/modules.d/99microcode_ctl-fw_dir_override %config(noreplace) /usr/lib/dracut/dracut.conf.d/01-microcode.conf %{_unitdir}/microcode.service %doc /usr/share/doc/microcode_ctl/* %changelog * Fri Jul 27 2018 Eugene Syromiatnikov - 2:2.1-29.10 - Provide %attr for the ghosted /lib/firmware. * Thu Jul 26 2018 Eugene Syromiatnikov - 2:2.1-29.9 - Remove model name blacklists from caveats configuration files. * Tue Jul 24 2018 Eugene Syromiatnikov - 2.1-29.8 - Add model name blacklist infrastructure. - Store Intel ucode files in /usr/share/microcode_ctl; do not populate them in a virtualised environment. - Resolves: #1576334 * Tue Jul 17 2018 Eugene Syromiatnikov - 2.1-29.7 - Add infrastructure for handling kernel-version-dependant microcode. - Resolves: #1576334 * Mon Jul 16 2018 Eugene Syromiatnikov - 2.1-29.4 - Intel CPU microcode update to 20180703. - Resolves: #1573456 * Wed Jun 13 2018 Petr Oros - 2.1-29.3 - Fix: Operation not permitted when installing microcode_ctl - CVE-2018-3639 hw: cpu: speculative store bypass - Resolves: #1573456 * Tue May 15 2018 Petr Oros - 2.1-29.2 - Update disclaimer text - Resolves: #1575570 * Mon May 7 2018 Petr Oros - 2.1-29.1 - Intel CPU microcode update to 20180425. - Resolves: #1575570 * Fri Jan 12 2018 Petr Oros - 2.1-29 - Revert Microcode from Intel for Side Channel attack - Resolves: #1533939 * Fri Jan 12 2018 Petr Oros - 2.1-29 - Don't run dracut if not on a live system - Resolves: #1530400 * Tue Jan 9 2018 Petr Oros - 2.1-28 - Remove old binary tool - Resolves: #1527360 * Tue Jan 9 2018 Petr Oros - 2.1-27 - Update to upstream 2.1-15. Intel CPU microcode update to 20180108. - Resolves: #1527360 * Fri Dec 15 2017 Petr Oros - 2.1-26 - Update Intel CPU microde for 06-3f-02, 06-4f-01, and 06-55-04 - Resolves: #1527360 * Wed Nov 22 2017 Petr Oros - 2.1-25 - Update to upstream 2.1-14. Intel CPU microcode update to 20171117. - Resolves: #1457522 * Tue Oct 17 2017 Petr Oros - 2.1-24 - Fix upstream URL - Resolves: #1502360 * Fri Jul 14 2017 Petr Oros - 2.1-23 - Update to upstream 2.1-13. Intel CPU microcode update to 20170707. - Resolves: #1457522 * Wed May 24 2017 Petr Oros - 2.1-22 - Update to upstream 2.1-12. Intel CPU microcode update to 20170511. - Resolves: #1384218 * Tue Mar 7 2017 Petr Oros - 2.1-21 - Rpm scriptlets should only rebuild the current kernel's initrd. - Resolves: #1420180 * Wed Jan 18 2017 Petr Oros - 2.1-20 - Fix issue with hot microcode cpu reload. - Resolves: #1411232 * Mon Jan 9 2017 Petr Oros - 2.1-19 - Fix broken quoting in ExecStart line. - Resolves: #1411232 * Fri Dec 16 2016 Petr Oros - 2.1-18 - Fix issue with hot microcode cpu reload. - Resolves: #1398698 * Wed Nov 30 2016 Petr Oros - 2.1-17 - Move dracut call into posttrans phase. - Resolves: #1398698 * Thu Jul 21 2016 Petr Oros - 2.1-16 - Update to upstream 2.1-10. Intel CPU microcode update to 20160714. - Resolves: #1358047 * Wed Jun 29 2016 Petr Oros - 2.1-15 - Load CPU microcode update only on supproted systems. - Resolves: #1307179 * Fri Jun 24 2016 Petr Oros - 2.1-14 - Update to upstream 2.1-9. Intel CPU microcode update to 20160607. - Resolves: #1253106 * Thu May 19 2016 Petr Oros - 2.1-13 - Run dracut -f for all kernels. - Resolves: #1292158 * Fri Jul 3 2015 Petr Oros - 2.1-12 - Update to upstream 2.1-7. Intel CPU microcode update to 20150121. - Resolves: #1174983 * Fri Oct 10 2014 Petr Oros - 2.1-11 - Run dracut -f after install microcode for update initramfs. - Resolves: #1151192 * Tue Sep 30 2014 Petr Oros - 2.1-10 - Update to upstream 2.1-6. Intel CPU microcode update to 20140913. - Resolves: #1142302 * Tue Jul 15 2014 Petr Oros - 2.1-9 - Update to upstream 2.1-5. Intel CPU microcode update to 20140624. - Resolves: #1113396 * Tue Jun 3 2014 Petr Oros - 2.1-8 - Fix bogus time in changelog - Resolves: #1085117 * Tue Jun 3 2014 Petr Oros - 2.1-8 - Update to upstream 2.1-4. Intel CPU microcode update to 20140430. - Resolves: #1085117 * Wed Mar 12 2014 Anton Arapov - 2.1-7.1 - Fix the microcode's behaviour in virtual environment. * Fri Feb 28 2014 Anton Arapov - 2.1-7 - Fix the microcode's dracut configuration file location. * Tue Feb 18 2014 Anton Arapov - 2.1-6 - Enable early microcode capabilities. Systemd and Dracut support. (Jeff Bastian) * Fri Jan 24 2014 Anton Arapov - 2.1-5 - Update to upstream 2.1-3. Intel CPU microcode update to 20140122. * Fri Dec 27 2013 Daniel Mach - 2:2.1-4 - Mass rebuild 2013-12-27 * Mon Sep 09 2013 Anton Arapov 2.1-3 - Imported to RHEL tree * Mon Sep 09 2013 Anton Arapov 2.1-2 - Update to upstream 2.1-2. * Wed Aug 14 2013 Anton Arapov 2.1-1 - Update to upstream 2.1-1. * Sat Jul 27 2013 Anton Arapov 2.1-0 - Update to upstream 2.1. AMD microcode has been removed, find it in linux-firmware. * Wed Apr 03 2013 Anton Arapov 2.0-3.1 - Update to upstream 2.0-3 * Thu Feb 14 2013 Fedora Release Engineering - 2:2.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild * Wed Oct 17 2012 Anton Arapov 2.0-2 - Update to upstream 2.0-2 * Tue Oct 02 2012 Anton Arapov 2.0-1 - Update to upstream 2.0-1 * Mon Aug 06 2012 Anton Arapov 2.0 - Update to upstream 2.0 * Wed Jul 25 2012 Anton Arapov 1.18-1 - Update to upstream 1.18 * Fri Jul 20 2012 Fedora Release Engineering - 1:1.17-26 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild * Thu Jun 07 2012 Anton Arapov 1.17-25 - Update to microcode-20120606.dat * Tue Feb 07 2012 Anton Arapov 1.17-24 - Update to amd-ucode-2012-01-17.tar * Fri Jan 13 2012 Fedora Release Engineering - 1:1.17-22 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild * Thu Dec 22 2011 Anton Arapov 1.17-21 - Fix a segfault that may be triggered by very long parameter [#768803] * Tue Dec 13 2011 Anton Arapov 1.17-20 - Update to microcode-20111110.dat * Tue Sep 27 2011 Anton Arapov 1.17-19 - Update to microcode-20110915.dat * Thu Aug 04 2011 Anton Arapov 1.17-18 - Ship splitted microcode for Intel CPUs [#690930] - Include tool for splitting microcode for Intl CPUs (Kay Sievers ) * Thu Jun 30 2011 Anton Arapov 1.17-17 - Fix udev rules (Dave Jones ) [#690930] * Thu May 12 2011 Anton Arapov 1.17-14 - Update to microcode-20110428.dat * Thu Mar 24 2011 Anton Arapov 1.17-13 - fix memory leak. * Mon Mar 07 2011 Anton Arapov 1.17-12 - Update to amd-ucode-2011-01-11.tar * Tue Feb 08 2011 Fedora Release Engineering - 1:1.17-11 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild * Wed Jan 19 2011 Anton Arapov 1.17-10 - manpage fix (John Bradshaw ) [#670879] * Wed Jan 05 2011 Anton Arapov 1.17-9 - Update to microcode-20101123.dat * Mon Nov 01 2010 Anton Arapov 1.17-8 - Update to microcode-20100914.dat * Wed Sep 29 2010 jkeating - 1:1.17-7 - Rebuilt for gcc bug 634757 * Wed Sep 15 2010 Anton Arapov 1.17-6 - Update to microcode-20100826.dat * Tue Sep 07 2010 Toshio Kuratomi 1.17-5 - Fix license tag: bz#450491 * Fri Aug 27 2010 Dave Jones 1.17-4 - Update to microcode-20100826.dat * Tue Mar 23 2010 Anton Arapov 1.17-3 - Fix the udev rules (Harald Hoyer ) * Mon Mar 22 2010 Anton Arapov 1.17-2 - Make microcode_ctl event driven (Bill Nottingham ) [#479898] * Thu Feb 11 2010 Dave Jones 1.17-1.58 - Update to microcode-20100209.dat * Fri Dec 04 2009 Kyle McMartin 1.17-1.57 - Fix duplicate message pointed out by Edward Sheldrake. * Wed Dec 02 2009 Kyle McMartin 1.17-1.56 - Add AMD x86/x86-64 microcode. (Dated: 2009-10-09) Doesn't need microcode_ctl modifications as it's loaded by request_firmware() like any other sensible driver. - Eventually, this AMD firmware can probably live inside kernel-firmware once it is split out. * Wed Sep 30 2009 Dave Jones - Update to microcode-20090927.dat * Fri Sep 11 2009 Dave Jones - Remove some unnecessary code from the init script. * Sat Jul 25 2009 Fedora Release Engineering - 1:1.17-1.52.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild * Thu Jun 25 2009 Dave Jones - Shorten sleep time during init. This really needs to be replaced with proper udev hooks, but this is a quick interim fix. * Wed Jun 03 2009 Kyle McMartin 1:1.17-1.50 - Change ExclusiveArch to i586 instead of i386. Resolves rhbz#497711. * Wed May 13 2009 Dave Jones - update to microcode 20090330 * Wed Feb 25 2009 Fedora Release Engineering - 1:1.17-1.46.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild * Fri Sep 12 2008 Dave Jones - update to microcode 20080910 * Tue Apr 01 2008 Jarod Wilson - Update to microcode 20080401 * Sat Mar 29 2008 Dave Jones - Update to microcode 20080220 - Fix rpmlint warnings in specfile. * Mon Mar 17 2008 Dave Jones - specfile cleanups. * Fri Feb 22 2008 Jarod Wilson - Use /lib/firmware instead of /etc/firmware * Wed Feb 13 2008 Jarod Wilson - Fix permissions on microcode.dat * Thu Feb 07 2008 Jarod Wilson - Spec cleanup and macro standardization. - Update license - Update microcode data file to 20080131 revision. * Mon Jul 2 2007 Dave Jones - Update to upstream 1.17 * Thu Oct 12 2006 Jon Masters - BZ209455 fixes. * Mon Jul 17 2006 Jesse Keating - rebuild * Fri Jun 16 2006 Bill Nottingham - remove kudzu requirement - add prereq for coreutils, awk, grep * Thu Feb 09 2006 Dave Jones - rebuild. * Fri Jan 27 2006 Dave Jones - Update to upstream 1.13 * Fri Dec 16 2005 Jesse Keating - rebuilt for new gcj * Fri Dec 09 2005 Jesse Keating - rebuilt * Mon Nov 14 2005 Dave Jones - initscript tweaks. * Tue Sep 13 2005 Dave Jones - Update to upstream 1.12 * Wed Aug 17 2005 Dave Jones - Check for device node *after* loading the module. (#157672) * Tue Mar 1 2005 Dave Jones - Rebuild for gcc4 * Thu Feb 17 2005 Dave Jones - s/Serial/Epoch/ * Tue Jan 25 2005 Dave Jones - Drop the node creation/deletion change from previous release. It'll cause grief with selinux, and was a hack to get around a udev shortcoming that should be fixed properly. * Fri Jan 21 2005 Dave Jones - Create/remove the /dev/cpu/microcode dev node as needed. - Use correct path again for the microcode.dat. - Remove some no longer needed tests in the init script. * Fri Jan 14 2005 Dave Jones - Only enable microcode_ctl service if the CPU is capable. - Prevent microcode_ctl getting restarted multiple times on initlevel change (#141581) - Make restart/reload work properly - Do nothing if not started by root. * Wed Jan 12 2005 Dave Jones - Adjust dev node location. (#144963) * Tue Jan 11 2005 Dave Jones - Load/Remove microcode module in initscript. * Mon Jan 10 2005 Dave Jones - Update to upstream 1.11 release. * Sat Dec 18 2004 Dave Jones - Initial packaging, based upon kernel-utils.