diff --git a/.gitignore b/.gitignore
index 54505c1..1e0ee83 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/microcode-20190618.tar.gz
+SOURCES/06-2d-07
+SOURCES/microcode-20190918.tar.gz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index 9752458..6623deb 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -1 +1,2 @@
-8484c44d39a2700fb568ccc67a8e1ed8877878a5 SOURCES/microcode-20190618.tar.gz
+bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
+bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
diff --git a/SOURCES/06-2d-07_config b/SOURCES/06-2d-07_config
new file mode 100644
index 0000000..23e1d08
--- /dev/null
+++ b/SOURCES/06-2d-07_config
@@ -0,0 +1,3 @@
+model GenuineIntel 06-2d-07
+path intel-ucode/06-2d-07
+disable early late
diff --git a/SOURCES/06-2d-07_disclaimer b/SOURCES/06-2d-07_disclaimer
new file mode 100644
index 0000000..c8d99c4
--- /dev/null
+++ b/SOURCES/06-2d-07_disclaimer
@@ -0,0 +1,4 @@
+MDS-related microcode update for Intel Sandy Bridge-EP (family 6, model 45,
+stepping 7; CPUID 0x206d7) CPUs is disabled as it may cause system instability.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/06-2d-07_readme b/SOURCES/06-2d-07_readme
new file mode 100644
index 0000000..bfb8743
--- /dev/null
+++ b/SOURCES/06-2d-07_readme
@@ -0,0 +1,55 @@
+Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6, model 45, stepping 7) has issues
+with MDS-related microcode update that may lead to a system hang after
+a microcode update. In order to address this, microcode update
+to the MDS-related revision 0x718 has been disabled, and the previously
+published microcode revision 0x714 is used by default for the OS-driven
+microcode update.
+
+For the reference, SHA1 checksums of 06-2d-07 microcode files containing
+microcode revisions in question are listed below:
+ * 06-2d-07, revision 0x714: bcf2173cd3dd499c37defbc2533703cfa6ec2430
+ * 06-2d-07, revision 0x718: 837cfebbfc09b911151dfd179082ad99cf87e85d
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version. For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2017-5715 ("Spectre"):
+ https://access.redhat.com/articles/3436091
+ * CVE-2018-3639 ("Speculative Store Bypass"):
+ https://access.redhat.com/articles/3540901
+ * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
+ https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
+
+The information regarding enforcing microcode load is provided below.
+
+To enforce usage of this microcode revision, please create a file
+"force-intel-06-2d-07" inside /lib/firmware/ directory,
+run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware
+directory where microcode will be available for late microcode update,
+and run "dracut -f --kver 3.10.0-862.9.1", so initramfs for this version
+is regenerated and the microcode can be loaded early:
+
+ touch /lib/firmware/3.10.0-862.9.1/force-intel-06-2d-07
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+After that, it is possible to perform a late microcode update by executing
+"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
+"/sys/devices/system/cpu/microcode/reload" directly.
+
+To enforce addition of this microcode for all kernels, please create a file
+"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07", run
+"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
+and "dracut -f --regenerate-all" for enabling early microcode updates:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.
diff --git a/SOURCES/06-4f-01_disclaimer b/SOURCES/06-4f-01_disclaimer
new file mode 100644
index 0000000..d5bc60d
--- /dev/null
+++ b/SOURCES/06-4f-01_disclaimer
@@ -0,0 +1,4 @@
+microcode update for Intel Broadwell-EP/EX (BDX-ML B/M/R0; family 6, model 79,
+stepping 1; CPUID 0x406f1) CPUs is disabled as it may cause system instability.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-4f-01_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/06-4f-01_readme b/SOURCES/06-4f-01_readme
index 740ad18..962c7a6 100644
--- a/SOURCES/06-4f-01_readme
+++ b/SOURCES/06-4f-01_readme
@@ -49,6 +49,7 @@ kernels, please create a file "/etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01" and run "/usr/libexec/microcode_ctl/update_ucode": + mkdir -p /etc/microcode_ctl/ucode_with_caveats touch /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01 /usr/libexec/microcode_ctl/update_ucode @@ -64,10 +65,11 @@ For enforcing early load of this microcode for all kernels, please create a file "/etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01" and run dracut -f --regenerate-all: + mkdir -p /etc/microcode_ctl/ucode_with_caveats touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01 dracut -f --regenerate-all -If you want avoid removal of the microcode file during cleanup performed by +If you want to avoid removal of the microcode file during cleanup performed by /usr/libexec/microcode_ctl/update_ucode, please remove the corresponding readme file (/lib/firmware//readme-intel-06-4f-01). diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats index 6f98122..0111843 100644 --- a/SOURCES/README.caveats +++ b/SOURCES/README.caveats @@ -389,8 +389,8 @@ when a microcode update performed on a kernel that contains those changes. As a result, microcode update for this CPU model is disabled by default; the microcode file, however, is still shipped as a part of microcode_ctl package and can be used for performing a microcode update if it is enforced -via the aforementioned overridden. (See sections "check_caveats script" -and "reload_microcode script" for details). +via the aforementioned overriddes. (See sections "check_caveats script" +and "reload_microcode script" for details.) Affected microcode: intel-ucode/06-4f-01. 
@@ -431,12 +431,28 @@ Minimum versions of the kernel package that contain the fix: - RHEL 7.2: 3.10.0-327.73.1 +Intel Sandy Bridge-E/EN/EP caveat +--------------------------------- +MDS-related microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP +(SNB-EP, family 6, model 45, stepping 7) may lead to system instability. +In order to address this, this microcode update is not used and the previous +microcode revision is provided instead by default; the microcode file, however, +is still shipped as part of microcode_ctl package and can be used for performing +a microcode update if it is enforced via the aforementioned overriddes. (See +sections "check_caveats script" and "reload_microcode script" for details.) + +Affected microcode: intel-ucode/06-2d-07. + +Mitigation: previously published microcode revision 0x714 is used by default. + + + Additional information ====================== -Red Hat provides updated microcode, developed by our microprocessor -partners, as a customer convenience. Please contact your hardware vendor -to determine whether more recent BIOS/firmware updates are recommended -because additional improvements may be available. +Red Hat provides updated microcode, developed by its microprocessor partners, +as a customer convenience. Please contact your hardware vendor to determine +whether more recent BIOS/firmware updates are recommended because additional +improvements may be available. Information regarding microcode revisions required for mitigating specific microarchitectural side-channel attacks is available in the following diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats index 93c7406..462d541 100755 --- a/SOURCES/check_caveats +++ b/SOURCES/check_caveats 
@@ -10,8 +10,10 @@ : ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats} usage() { - echo 'Usage: check_caveats [-e] [-k TARGET_KVER] [-c CONFIG] [-m] [-v]' + echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]' + echo ' [-m] [-v]' echo + echo ' -d - enables disclaimer printing mode' echo ' -e - check for early microcode load possibility (instead of' echo ' late microcode load)' echo ' -k - target version to check against, $(uname -r) is used' @@ -178,6 +180,9 @@ fail() fail_cfgs="$fail_cfgs $cfg" fail_paths="$fail_paths $cfg_path" + + [ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \ + || cat "${dir}/disclaimer" } #check_kver "$@" @@ -188,11 +193,16 @@ configs= kver=$(/bin/uname -r) verbose=0 early_check=0 +print_disclaimers=0 ret=0 -while getopts "ek:c:mv" opt; do +while getopts "dek:c:mv" opt; do case "${opt}" in + d) + print_disclaimers=1 + early_check=2 + ;; e) early_check=1 ;; @@ -472,6 +482,8 @@ for cfg in $(echo "${configs}"); do ok_paths="$ok_paths $cfg_path" done +[ 0 -eq "$print_disclaimers" ] || exit 0 + echo "cfgs$ret_cfgs" echo "skip_cfgs$skip_cfgs" echo "paths$ret_paths" diff --git a/SOURCES/intel_disclaimer b/SOURCES/intel_disclaimer new file mode 100644 index 0000000..c4669ba --- /dev/null +++ b/SOURCES/intel_disclaimer @@ -0,0 +1,10 @@ +This kernel doesn't handle early microcode load properly (it tries to load +microcode even in virtualised environment, which may lead to a panic on some +hypervisors), thus the microcode files have not been added to the initramfs +image. Please update your kernel to one of the following: + RHEL 7.5: kernel-3.10.0-862.14.1 or newer; + RHEL 7.4: kernel-3.10.0-693.38.1 or newer; + RHEL 7.3: kernel-3.10.0-514.57.1 or newer; + RHEL 7.2: kernel-3.10.0-327.73.1 or newer. +Please refer to /usr/share/doc/microcode_ctl/caveats/intel_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/intel_readme b/SOURCES/intel_readme index ed352e5..de9213d 100644 
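Review bot: In the last check_caveats hunk, `[ 0 -eq "$print_disclaimers" ] || exit 0` returns 0 regardless of `$ret`, so in `-d` mode a caller cannot tell whether any caveat actually applied; if only the printed text matters (the spec's `%post` just pipes it to logger), say so in a comment, otherwise use `exit "$ret"`. The `d)` case also sets `early_check=2`, a third value that neither the usage text nor a comment explains, and the code consuming it is outside the hunk, so I can only presume it means "check both early and late load"; a comment such as `# 2: evaluate both early and late load so every applicable disclaimer is printed` would pin that down. The `-d` usage line should also state that the regular cfgs/paths/skip output is suppressed in this mode.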
--- a/SOURCES/intel_readme +++ b/SOURCES/intel_readme @@ -18,8 +18,7 @@ If you want to avoid early load of microcode for a specific kernel, please create "disallow-early-intel" file inside /lib/firmware/ directory and run dracut -f --kver "": - touch /lib/firmware/3.10.0-862.9.1/disallow-intel - /usr/libexec/microcode_ctl/update_ucode + touch /lib/firmware/3.10.0-862.9.1/disallow-early-intel dracut -f --kver 3.10.0-862.9.1 If you want to avoid early load of microcode for all kernels, please create @@ -27,14 +26,13 @@ If you want to avoid early load of microcode for all kernels, please create directory and run dracut -f --regenerate-all: mkdir -p /etc/microcode_ctl/ucode_with_caveats - touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel - dracut -f --kver 3.10.0-862.9.1 + touch /etc/microcode_ctl/ucode_with_caveats/disallow-early-intel + dracut -f --regenerate-all If you want to enforce early load of microcode for a specific kernel, please create "force-early-intel" file inside /lib/firmware/ directory and run dracut -f --kver "": - modir -p/lib/firmware/3.10.0-862.9.1/ touch /lib/firmware/3.10.0-862.9.1/force-early-intel dracut -f --kver 3.10.0-862.9.1 @@ -46,8 +44,9 @@ directory and run dracut -f --kver "": touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel dracut -f --regenerate-all -In order to override late load behaviour, the "early" part of file names should -be replaced with "late" (and there is no need to call dracut in that case). +In order to override the late load behaviour, the "early" part of file names +should be replaced with "late" (and there is no need to call dracut +in that case). Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec index 78fc18e..90b9620 100644 --- a/SPECS/microcode_ctl.spec +++ b/SPECS/microcode_ctl.spec 
@@ -1,4 +1,4 @@ -%define intel_ucode_version 20190618 +%define intel_ucode_version 20190918 %define intel_ucode_file_id 28727 %global debug_package %{nil} @@ -13,13 +13,16 @@ Summary: CPU microcode updates for Intel x86 processors Name: microcode_ctl -Version: %{intel_ucode_version} -Release: 1%{?dist} +Version: 20190618 +Release: 1.%{intel_ucode_version}.2%{?dist} Epoch: 4 License: CC0 and Redistributable, no modification permitted URL: https://downloadcenter.intel.com/download/%{intel_ucode_file_id}/Linux-Processor-Microcode-Data-File Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz +# (Pre-MDS) revision 0x714 of 06-2d-07 microcode +Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07 + # systemd unit Source10: microcode.service @@ -39,14 +42,28 @@ Source41: README.caveats ## Caveats # BDW EP/EX +# https://bugzilla.redhat.com/show_bug.cgi?id=1622180 +# https://bugzilla.redhat.com/show_bug.cgi?id=1623630 +# https://bugzilla.redhat.com/show_bug.cgi?id=1646383 Source100: 06-4f-01_readme Source101: 06-4f-01_config +Source102: 06-4f-01_disclaimer # Unsafe early MC update inside VM: # https://bugzilla.redhat.com/show_bug.cgi?id=1596627 Source110: intel_readme Source111: intel_config +Source112: intel_disclaimer + +# SNB-EP (CPUID 0x206d7) post-MDS hangs +# https://bugzilla.redhat.com/show_bug.cgi?id=1758382 +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15 +Source120: 06-2d-07_readme +Source121: 06-2d-07_config +Source122: 06-2d-07_disclaimer + +# "Provides:" RPM tags generator Source200: gen_provides.sh ExclusiveArch: %{ix86} x86_64 
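Review bot: `Source2` fetches `06-2d-07` from a raw GitHub URL at tag `microcode-20190514`, and nothing in the spec records which microcode revision or checksum that file is expected to carry; the only pin is the SHA1 in `.microcode_ctl.metadata`, which the spec never consults. A comment next to `Source2` naming revision 0x714 and its SHA1 `bcf2173cd3dd499c37defbc2533703cfa6ec2430` (the value `06-2d-07_readme` publishes) would let a reviewer verify the substitution without leaving the spec. `Version: 20190618` now also diverges from `intel_ucode_version`; a one-line comment explaining why the version is held back and the upstream release is carried in `Release` would stop the next maintainer from "fixing" it.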
@@ -73,6 +90,10 @@ is no longer used for microcode upload and, as a result, no longer provided. %setup -n "Intel-Linux-Processor-Microcode-Data-Files-microcode-%{intel_ucode_version}" %build +# replacing SNB-EP (CPUID 0x206d7) microcode with pre-MDS version +mv intel-ucode/06-2d-07 intel-ucode-with-caveats/ +cp "%{SOURCE2}" intel-ucode/ + : %install @@ -103,18 +124,21 @@ install "%{SOURCE30}" "%{SOURCE31}" "%{SOURCE32}" \ ## Documentation install -m 755 -d "%{buildroot}/%{_pkgdocdir}/caveats" +# caveats readme install "%{SOURCE41}" \ -m 644 -t "%{buildroot}/%{_pkgdocdir}/" # Provide Intel microcode license, as it requires so install -m 644 license \ "%{buildroot}/%{_pkgdocdir}/LICENSE.intel-ucode" + +# Provide release notes for Intel microcode install -m 644 releasenote \ "%{buildroot}/%{_pkgdocdir}/RELEASE_NOTES.intel-ucode" # caveats -install -m 644 "%{SOURCE100}" "%{SOURCE110}" \ - -t "%{buildroot}/%{_pkgdocdir}/caveats/" +install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" \ + -t "%{buildroot}/%{_pkgdocdir}/caveats/" ## Caveat data @@ -122,9 +146,10 @@ install -m 644 "%{SOURCE100}" "%{SOURCE110}" \ # BDW caveat %define bdw_inst_dir %{buildroot}/%{caveat_dir}/intel-06-4f-01/ install -m 755 -d "%{bdw_inst_dir}/intel-ucode" -install -m 644 intel-ucode-with-caveats/* -t "%{bdw_inst_dir}/intel-ucode/" +install -m 644 intel-ucode-with-caveats/06-4f-01 -t "%{bdw_inst_dir}/intel-ucode/" install -m 644 "%{SOURCE100}" "%{bdw_inst_dir}/readme" install -m 644 "%{SOURCE101}" "%{bdw_inst_dir}/config" +install -m 644 "%{SOURCE102}" "%{bdw_inst_dir}/disclaimer" # Early update caveat %define intel_inst_dir %{buildroot}/%{caveat_dir}/intel/ 
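Review bot: The `%build` hunk copies `%{SOURCE2}` over `intel-ucode/06-2d-07` without verifying it, so a wrong or stale lookaside file would be packaged silently as the "safe" 0x714 revision; since this commit's readme publishes that file's SHA1, the build can check it before the `cp`, e.g. `echo "bcf2173cd3dd499c37defbc2533703cfa6ec2430  %{SOURCE2}" | sha1sum -c -`. The `mv` also assumes `intel-ucode-with-caveats/` already exists in the upstream tarball; the later `install -m 644 intel-ucode-with-caveats/06-4f-01` suggests it does today, but an `mkdir -p intel-ucode-with-caveats` would make the step robust to an upstream layout change.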
@@ -132,12 +157,15 @@ install -m 755 -d "%{intel_inst_dir}/intel-ucode" install -m 644 intel-ucode/* -t "%{intel_inst_dir}/intel-ucode/" install -m 644 "%{SOURCE110}" "%{intel_inst_dir}/readme" install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config" +install -m 644 "%{SOURCE112}" "%{intel_inst_dir}/disclaimer" - -## Cleanup -#rm -f intel-ucode-with-caveats/06-4f-01 -#rmdir intel-ucode-with-caveats -#rm -rf intel-ucode +# SNB caveat +%define snb_inst_dir %{buildroot}/%{caveat_dir}/intel-06-2d-07/ +install -m 755 -d "%{snb_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-2d-07 -t "%{snb_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE120}" "%{snb_inst_dir}/readme" +install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config" +install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer" %post @@ -145,6 +173,15 @@ install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config" %{update_ucode} %{reload_microcode} +# send the message to syslog, so it gets recorded on /var/log +if [ -e /usr/bin/logger ]; then + %{check_caveats} -m -d | /usr/bin/logger -p syslog.notice -t DISCLAIMER +fi +# also paste it over dmesg (some customers drop dmesg messages while +# others keep them into /var/log for the later case, we'll have the +# disclaimer recorded twice into system logs. +%{check_caveats} -m -d > /dev/kmsg + exit 0 %posttrans @@ -260,6 +297,14 @@ rm -rf %{buildroot} %changelog +* Sun Oct 06 2019 Eugene Syromiatnikov - 4:20190618-1.20190918.2 +- Do not update 06-2d-07 (SNB-E/EN/EP) to revision 0x718, use 0x714 + by default. + +* Thu Sep 19 2019 Eugene Syromiatnikov - 4:20190618-1.20190918.1 +- Intel CPU microcode update to 20190918 (#1758538). +- Add new disclaimer, generated based on relevant caveats. + * Wed Jun 19 2019 Eugene Syromiatnikov - 4:20190618-1 - Intel CPU microcode update to 20190618 (#1717240).
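Review bot: In `%post`, `%{check_caveats} -m -d > /dev/kmsg` is unguarded, unlike the `logger` call two lines above: in a chroot, container or image build where `/dev/kmsg` is absent or not writable the redirection fails, and the scriptlet then either prints a shell error or, if run under `sh -e`, aborts before reaching `exit 0`. Guard it the same way, `[ -w /dev/kmsg ] && %{check_caveats} -m -d > /dev/kmsg`; to my knowledge each write() to `/dev/kmsg` becomes one length-capped log record, so a long multi-caveat disclaimer may be split or truncated in dmesg, which is worth a comment if accepted. The comment above it also reads oddly ("for the later case, we'll have"); `for the latter case the disclaimer will be recorded twice in the system logs` is clearer.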