diff --git a/.gitignore b/.gitignore
index c46b03a..9746acd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/microcode-20190507_Public_DEMO.tar.gz
+SOURCES/microcode-20190514a.tar.gz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index cfde0ee..d49f21d 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -1 +1 @@
-e4348dac784e84458d1972c356ce772d58ce6b0e SOURCES/microcode-20190507_Public_DEMO.tar.gz
+252f56e1e1e6dc491813cb649c5c83fe1ff1c122 SOURCES/microcode-20190514a.tar.gz
diff --git a/SOURCES/06-4f-01_readme b/SOURCES/06-4f-01_readme
index f79f58d..740ad18 100644
--- a/SOURCES/06-4f-01_readme
+++ b/SOURCES/06-4f-01_readme
@@ -25,6 +25,9 @@ to the following knowledge base articles:
  https://access.redhat.com/articles/3540901
  * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
  https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
 The information regarding enforcing microcode load is provided below.
diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats
index 4809372..6f98122 100644
--- a/SOURCES/README.caveats
+++ b/SOURCES/README.caveats
@@ -1,7 +1,11 @@
-The microcode_ctl package shipped with RHEL contains provisions for issues with
-microcode loading on the old kernels. While those provisions are expected
-to suit most users, several knobs are provided in order to provide ability
-to override the default behaviour.
+The microcode_ctl package contains microcode files (vendor-provided binary data
+and/or code in proprietary format that affects behaviour of a device) for Intel
+CPUs that may be loaded into the CPU during boot.
+
+The microcode_ctl package contains provisions for some issues related
+to microcode loading. While those provisions are expected to suit most users,
+several knobs are available in order to provide ability to override the default
+behaviour.
 General behaviour
@@ -390,7 +394,7 @@ and "reload_microcode script" for details).
 Affected microcode: intel-ucode/06-4f-01.
-Mitigation: late microcode loading is disabled for the affected CPU model.
+Mitigation: microcode loading is disabled for the affected CPU model.
 Minimum versions of the kernel package that contain the aforementioned patch series:
@@ -418,24 +422,31 @@ Affected microcode: all.
 Mitigation: early microcode loading is disabled for all CPU models.
-Minimum versions of kernel RPM that contain the fix:
+Minimum versions of the kernel package that contain the fix:
  - Upstream/RHEL 8: 4.10.0
  - RHEL 7.6 onwards: 3.10.0-930
  - RHEL 7.5: 3.10.0-862.14.1
  - RHEL 7.4: 3.10.0-693.38.1
  - RHEL 7.3: 3.10.0-514.57.1
- - RHEL 7.2; 3.10.0-327.73.1
+ - RHEL 7.2: 3.10.0-327.73.1
 Additional information
 ======================
-
-Information regarding microcode versions required for mitigating specific
-side-channel cache attacks is available in the following knowledge base
-articles:
+Red Hat provides updated microcode, developed by our microprocessor
+partners, as a customer convenience. Please contact your hardware vendor
+to determine whether more recent BIOS/firmware updates are recommended
+because additional improvements may be available.
+
+Information regarding microcode revisions required for mitigating specific
+microarchitectural side-channel attacks is available in the following
+knowledge base articles:
  * CVE-2017-5715 ("Spectre"):
  https://access.redhat.com/articles/3436091
  * CVE-2018-3639 ("Speculative Store Bypass"):
  https://access.redhat.com/articles/3540901
  * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
  https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
diff --git a/SOURCES/disclaimer b/SOURCES/disclaimer
deleted file mode 100644
index de919a3..0000000
--- a/SOURCES/disclaimer
+++ /dev/null
@@ -1,16 +0,0 @@
-This updated microcode supersedes microcode provided by Red Hat with
-the CVE-2017-5715 (“Spectre”) CPU branch injection vulnerability
-mitigation.
-Historically, Red Hat has provided updated microcode, developed by our
-microprocessor partners, as a customer convenience. Red Hat had
-temporarily suspended this practice while microcode stabilized. Red
-Hat is once again providing an updated Intel microcode package
-(microcode_ctl) and AMD microcode package (linux-firmware) to customers
-in order to simplify deployment processes and minimize downtime. We’ll
-continue to update these microcode packages as necessary. Please
-contact your hardware vendor to determine whether more recent
-BIOS/firmware updates are recommended because additional improvements
-may be available.
-This kbase https://access.redhat.com/articles/3436091 includes a table
-that maps Intel and AMD CPU processor code family names to updated
-Intel and AMD microcode package versions.
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec
index 2a29705..01ee903 100644
--- a/SPECS/microcode_ctl.spec
+++ b/SPECS/microcode_ctl.spec
@@ -1,4 +1,4 @@
-%define intel_ucode_version 20190507
+%define intel_ucode_version 20190514a
 %define intel_ucode_file_id 28727
 %global debug_package %{nil}
@@ -14,12 +14,11 @@ Summary: CPU microcode updates for Intel x86 processors
 Name: microcode_ctl
 Version: 20180807a
-Release: 2.%{intel_ucode_version}.1%{?dist}
+Release: 2.%{intel_ucode_version}.2%{?dist}
 Epoch: 4
 License: CC0 and Redistributable, no modification permitted
 URL: https://downloadcenter.intel.com/download/%{intel_ucode_file_id}/Linux-Processor-Microcode-Data-File
-#Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
-Source0: microcode-%{intel_ucode_version}_Public_DEMO.tar.gz
+Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
 # systemd unit
@@ -36,7 +35,6 @@ Source31: check_caveats
 Source32: reload_microcode
 # docs
-Source40: disclaimer
 Source41: README.caveats
 ## Caveats
@@ -72,17 +70,11 @@ Package name "microcode_ctl" is historical, as the binary with the same name is no longer used for microcode upload and, as a result, no longer provided.
 %prep
-%setup -n "Intel-Public-Microcode-%{intel_ucode_version}_Public_DEMO"
+%setup -n "Intel-Linux-Processor-Microcode-Data-Files-microcode-%{intel_ucode_version}"
 %build
 :
-# In the 20190507 release, 06-4f-01 ucode has been moved back into intel-ucode;
-# reverting it, as it is still considered unsafe:
-# https://bugzilla.redhat.com/show_bug.cgi?id=1646383
-mkdir intel-ucode-with-caveats
-mv intel-ucode/06-4f-01 intel-ucode-with-caveats/
-
 %install
 install -m 755 -d \
 "%{buildroot}/%{_datarootdir}/microcode_ctl/intel-ucode" \
@@ -111,7 +103,7 @@ install "%{SOURCE30}" "%{SOURCE31}" "%{SOURCE32}" \
 ## Documentation
 install -m 755 -d "%{buildroot}/%{_pkgdocdir}/caveats"
-install "%{SOURCE40}" "%{SOURCE41}" \
+install "%{SOURCE41}" \
  -m 644 -t "%{buildroot}/%{_pkgdocdir}/"
 # Provide Intel microcode license, as it requires so
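Review bot: Source0 now names a GitHub `archive/` tarball for the `microcode-%{intel_ucode_version}` tag, which is generated on request and follows the tag if it is ever moved, so the URL alone does not pin which microcode gets packaged. What actually pins it is the SHA-1 recorded for `SOURCES/microcode-20190514a.tar.gz` in `.microcode_ctl.metadata` earlier in this patch, and that is worth saying next to the tag so a rebuilder does not re-fetch from the URL and trust whatever comes back. I would add above Source0: `# Content is pinned by the lookaside hash in .microcode_ctl.metadata; verify a re-fetched archive against it (and against upstream's published checksum, if one exists) before updating.`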
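Review bot: Dropping the `mkdir`/`mv` from %build means the spec now relies on the 20190514a tarball itself shipping 06-4f-01 under intel-ucode-with-caveats/, but nothing after the change checks that; the removed comment records that 20190507 had already moved the file back into intel-ucode/ (rhbz#1646383), so the same thing in a later drop would silently install the revision README.caveats gates into the unguarded intel-ucode directory. A build-time assertion keeps the packaging honest: after the `:` in %build add `# 06-4f-01 must only ship via the caveats directory (rhbz#1646383)`, `test ! -e intel-ucode/06-4f-01` and `test -f intel-ucode-with-caveats/06-4f-01`, so the build fails rather than the guard quietly disappearing. The %install recipe starts in this hunk but continues outside it, so I could not confirm whether it would fail loudly on a missing caveats file.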
@@ -153,15 +145,6 @@ install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config"
 %{update_ucode}
 %{reload_microcode}
-# send the message to syslog, so it gets recorded on /var/log
-if [ -e /usr/bin/logger ]; then
- /usr/bin/logger -p syslog.notice -t DISCLAIMER -f "%{_pkgdocdir}/disclaimer" || :
-fi
-# also paste it over dmesg (some customers drop dmesg messages while
-# others keep them into /var/log for the later case, we'll have the
-# disclaimer recorded twice into system logs.
-cat "%{_pkgdocdir}/disclaimer" > /dev/kmsg || :
-
 exit 0
 %posttrans
@@ -277,6 +260,13 @@ rm -rf %{buildroot}
 %changelog
+* Sun Jun 02 2019 Eugene Syromiatnikov - 4:20180807a-2.20190514a.2
+- Remove disclaimer, as it is not as important now to justify kmsg/log
+ pollution; its contents are partially adopted in README.caveats.
+
+* Mon May 20 2019 Eugene Syromiatnikov - 4:20180807a-2.20190514a.1
+- Intel CPU microcode update to 20190514a (#1715334).
+
 * Fri May 10 2019 Eugene Syromiatnikov - 4:20180807a-2.20190507.1
 - Intel CPU microcode update to 20190507 (#1704339).