diff --git a/.gitignore b/.gitignore
index 5a813eb..e7a0c1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/microcode-20190507_Public_DEMO.tar.gz
+SOURCES/microcode-20190514a.tar.gz
 SOURCES/microcode_ctl-2.1-18.tar.xz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index 1f020cb..cf85c46 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -1,2 +1,2 @@
-e4348dac784e84458d1972c356ce772d58ce6b0e SOURCES/microcode-20190507_Public_DEMO.tar.gz
+252f56e1e1e6dc491813cb649c5c83fe1ff1c122 SOURCES/microcode-20190514a.tar.gz
 3959afc5d69a916a730131ce0f768db263e9e4f1 SOURCES/microcode_ctl-2.1-18.tar.xz
diff --git a/SOURCES/06-4f-01_readme b/SOURCES/06-4f-01_readme
index f79f58d..740ad18 100644
--- a/SOURCES/06-4f-01_readme
+++ b/SOURCES/06-4f-01_readme
@@ -25,6 +25,9 @@ to the following knowledge base articles:
 https://access.redhat.com/articles/3540901
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
 https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
 The information regarding enforcing microcode load is provided below.
diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats
index c9471f4..e56aefe 100644
--- a/SOURCES/README.caveats
+++ b/SOURCES/README.caveats
@@ -1,7 +1,11 @@
-The microcode_ctl package shipped with RHEL contains provisions for issues with
-microcode loading on the old kernels. While those provisions are expected
-to suit most users, several knobs are provided in order to provide ability
-to override the default behaviour.
+The microcode_ctl package contains microcode files (vendor-provided binary data
+and/or code in proprietary format that affects behaviour of a device) for Intel
+CPUs that may be loaded into the CPU during boot.
+
+The microcode_ctl package contains provisions for some issues related
+to microcode loading. While those provisions are expected to suit most users,
+several knobs are available in order to provide ability to override the default
+behaviour.
 General behaviour
@@ -393,7 +397,7 @@ and "reload_microcode script" for details).
 Affected microcode: intel-ucode/06-4f-01.
-Mitigation: late microcode loading is disabled for the affected CPU model.
+Mitigation: microcode loading is disabled for the affected CPU model.
 Minimum versions of the kernel package that contain the aforementioned patch series:
@@ -421,24 +425,31 @@ Affected microcode: all.
 Mitigation: early microcode loading is disabled for all CPU models.
-Minimum versions of kernel RPM that contain the fix:
+Minimum versions of the kernel package that contain the fix:
 - Upstream/RHEL 8: 4.10.0
 - RHEL 7.6 onwards: 3.10.0-930
 - RHEL 7.5: 3.10.0-862.14.1
 - RHEL 7.4: 3.10.0-693.38.1
 - RHEL 7.3: 3.10.0-514.57.1
- - RHEL 7.2; 3.10.0-327.73.1
+ - RHEL 7.2: 3.10.0-327.73.1
 Additional information
 ======================
-
-Information regarding microcode versions required for mitigating specific
-side-channel cache attacks is available in the following knowledge base
-articles:
+Red Hat provides updated microcode, developed by our microprocessor
+partners, as a customer convenience. Please contact your hardware vendor
+to determine whether more recent BIOS/firmware updates are recommended
+because additional improvements may be available.
+
+Information regarding microcode revisions required for mitigating specific
+microarchitectural side-channel attacks is available in the following
+knowledge base articles:
 * CVE-2017-5715 ("Spectre"): https://access.redhat.com/articles/3436091
 * CVE-2018-3639 ("Speculative Store Bypass"): https://access.redhat.com/articles/3540901
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
diff --git a/SOURCES/disclaimer b/SOURCES/disclaimer
deleted file mode 100644
index de919a3..0000000
--- a/SOURCES/disclaimer
+++ /dev/null
@@ -1,16 +0,0 @@
-This updated microcode supersedes microcode provided by Red Hat with
-the CVE-2017-5715 (“Spectre”) CPU branch injection vulnerability
-mitigation.
-Historically, Red Hat has provided updated microcode, developed by our
-microprocessor partners, as a customer convenience. Red Hat had
-temporarily suspended this practice while microcode stabilized. Red
-Hat is once again providing an updated Intel microcode package
-(microcode_ctl) and AMD microcode package (linux-firmware) to customers
-in order to simplify deployment processes and minimize downtime. We’ll
-continue to update these microcode packages as necessary. Please
-contact your hardware vendor to determine whether more recent
-BIOS/firmware updates are recommended because additional improvements
-may be available.
-This kbase https://access.redhat.com/articles/3436091 includes a table
-that maps Intel and AMD CPU processor code family names to updated
-Intel and AMD microcode package versions.
diff --git a/SOURCES/microcode_ctl-use-microcode-20190507_Public_DEMO-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20190507_Public_DEMO-tgz.patch
deleted file mode 100644
index 6f70806..0000000
--- a/SOURCES/microcode_ctl-use-microcode-20190507_Public_DEMO-tgz.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: microcode_ctl-2.1-18/Makefile
-===================================================================
---- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200
-+++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200
-@@ -8,7 +8,7 @@
- # 2 of the License, or (at your option) any later version.
-
- PROGRAM = intel-microcode2ucode
--MICROCODE_INTEL = microcode-20180703.tgz
-+MICROCODE_INTEL = microcode-20190507_Public_DEMO.tar.gz
-
- INS = install
- CC = gcc
diff --git a/SOURCES/microcode_ctl-use-microcode-20190514a-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20190514a-tgz.patch
new file mode 100644
index 0000000..7da021f
--- /dev/null
+++ b/SOURCES/microcode_ctl-use-microcode-20190514a-tgz.patch
@@ -0,0 +1,13 @@
+Index: microcode_ctl-2.1-18/Makefile
+===================================================================
+--- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200
++++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200
+@@ -8,7 +8,7 @@
+ # 2 of the License, or (at your option) any later version.
+
+ PROGRAM = intel-microcode2ucode
+-MICROCODE_INTEL = microcode-20180703.tgz
++MICROCODE_INTEL = microcode-20190514a.tar.gz
+
+ INS = install
+ CC = gcc
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec
index 8f4f128..11b51a3 100644
--- a/SPECS/microcode_ctl.spec
+++ b/SPECS/microcode_ctl.spec
@@ -1,5 +1,5 @@
 %define upstream_version 2.1-18
-%define intel_ucode_version 20190507_Public_DEMO
+%define intel_ucode_version 20190514a
 %define intel_ucode_file_id 28727
 %define microcode_ctl_libexec %{_libexecdir}/microcode_ctl
 %define update_ucode %{microcode_ctl_libexec}/update_ucode
@@ -11,14 +11,13 @@ Summary: Tool to transform and deploy CPU microcode update for x86.
 Name: microcode_ctl
 Version: 2.1
-Release: 47.2%{?dist}
+Release: 47.4%{?dist}
 Epoch: 2
 Group: System Environment/Base
 License: GPLv2+ and Redistributable, no modification permitted
 URL: https://pagure.io/microcode_ctl
 Source0: https://releases.pagure.org/microcode_ctl/%{name}-%{upstream_version}.tar.xz
-#Source1: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
-Source1: microcode-%{intel_ucode_version}.tar.gz
+Source1: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
 Source2: microcode.service
@@ -28,7 +27,6 @@ Source4: dracut_99microcode_ctl-fw_dir_override_module_init.sh
 Source5: update_ucode
 Source6: check_caveats
 Source7: reload_microcode
-Source8: disclaimer
 Source9: 99-microcode-override.conf
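Review bot: `Source1` now points at GitHub's on-demand tag archive rather than a released artefact; as far as I know such archives are not guaranteed to stay byte-identical across re-downloads, so the SHA-1 recorded for `microcode-20190514a.tar.gz` in `.microcode_ctl.metadata` may stop matching a fresh fetch of this URL, which makes the provenance of the cached tarball hard to re-verify later. Nothing in the spec records how the cached copy was checked against Intel's publication of this release. I would put a comment above the new line: `# Pinned by the hash in .microcode_ctl.metadata; GitHub tag archives are generated on demand and may not stay byte-identical` and, if Intel publishes a checksum for this release, record it alongside.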
@@ -99,14 +97,7 @@ make CFLAGS="$RPM_OPT_FLAGS" %{?_smp_mflags}
 touch ghost_list
 tar xf "%{SOURCE1}" --wildcards --strip-components=1 \
- \*/license \*/releasenote
-
-# In the 20190507 release, 06-4f-01 ucode has been moved back into intel-ucode;
-# reverting it, as it is still considered unsafe:
-# https://bugzilla.redhat.com/show_bug.cgi?id=1623630
-# https://bugzilla.redhat.com/show_bug.cgi?id=1646383
-mkdir intel-ucode-with-caveats
-mv intel-ucode/06-4f-01 intel-ucode-with-caveats/
+ \*/intel-ucode-with-caveats \*/license \*/releasenote
 # man page
 sed "%{SOURCE31}" \
@@ -123,7 +114,6 @@ mkdir -p %{buildroot}%{_unitdir}
 install -m 644 %{SOURCE2} -t %{buildroot}%{_unitdir}
 install -m 644 %{SOURCE3} %{SOURCE9} \
 -t %{buildroot}%{dracutlibdir}/dracut.conf.d
-install -m 644 %{SOURCE8} %{buildroot}/usr/share/doc/microcode_ctl/disclaimer
 mkdir -p "%{buildroot}%{dracutlibdir}/modules.d/99microcode_ctl-fw_dir_override"
 install -m 755 %{SOURCE4} \
@@ -180,14 +170,7 @@ rm -rf intel-ucode
 %{update_ucode}
 %{reload_microcode}
-# send the message to syslog, so it gets recorded on /var/log
-if [ -e /usr/bin/logger ]; then
- /usr/bin/logger -p syslog.notice -t DISCLAIMER -f /usr/share/doc/microcode_ctl/disclaimer
-fi
-# also paste it over dmesg (some customers drop dmesg messages while
-# others keep them into /var/log for the later case, we'll have the
-# disclaimer recorded twice into system logs.
-cat /usr/share/doc/microcode_ctl/disclaimer > /dev/kmsg
+exit 0
 %posttrans
 # We only want to regenerate the initramfs for a fully booted
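Review bot: The new `tar` line relies on upstream now shipping 06-4f-01 under `intel-ucode-with-caveats`, but with the `mkdir`/`mv` gone nothing in `%prep` asserts it; if a later Intel release moves that microcode back into `intel-ucode` (which is exactly what the removed comment says happened in 20190507), extraction presumably still succeeds and the model lands in the normal set even though README.caveats in this same commit states that loading is disabled for it. The removed comment was also the only place in the spec recording why that microcode is quarantined (bugzilla 1623630 and 1646383). I would keep a one-line comment and a guard right after the `tar` command: `# 06-4f-01 must stay out of intel-ucode (see README.caveats; bz#1623630, bz#1646383)` followed by `test -e intel-ucode-with-caveats/06-4f-01`. Whether `intel-ucode/` exists at this point of `%prep` is not visible here, so I have not proposed the matching negative check on it.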
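Review bot: The `exit 0` that now closes the scriptlet preceding `%posttrans` (presumably `%post`) unconditionally masks the exit status of `%{update_ucode}` and `%{reload_microcode}`, so a failed microcode deployment can no longer surface through the scriptlet's status; before this change the status happened to come from the `cat` into `/dev/kmsg`, so the masking was incidental, whereas now it is explicit but undocumented. If always succeeding is the intent, say so where the next reader will look: `# exit 0: a failing microcode update/reload must not fail the package transaction`. Whether the two helpers report their own failures is not visible in this hunk, so that is worth confirming before relying on it.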
@@ -292,6 +275,14 @@ rm -rf %{buildroot}
 %changelog
+* Sun Jun 02 2019 Eugene Syromiatnikov - 2:2.1-47.4
+- Remove disclaimer, as it is not as important now to justify kmsg/log
+ pollution; its contents are partially adopted in README.caveats.
+
+* Wed May 29 2019 Eugene Syromiatnikov - 2:2.1-47.3
+- Intel CPU microcode update to 20190514a.
+- Resolves: #1714958.
+
 * Fri May 10 2019 Eugene Syromiatnikov - 2:2.1-47.2
 - Intel CPU microcode update to 20190507_Public_DEMO.
 - Resolves: #1704374.