diff --git a/.gitignore b/.gitignore
index 5a813eb..e7a0c1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/microcode-20190507_Public_DEMO.tar.gz
+SOURCES/microcode-20190514a.tar.gz
SOURCES/microcode_ctl-2.1-18.tar.xz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index 1f020cb..cf85c46 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -1,2 +1,2 @@
-e4348dac784e84458d1972c356ce772d58ce6b0e SOURCES/microcode-20190507_Public_DEMO.tar.gz
+252f56e1e1e6dc491813cb649c5c83fe1ff1c122 SOURCES/microcode-20190514a.tar.gz
3959afc5d69a916a730131ce0f768db263e9e4f1 SOURCES/microcode_ctl-2.1-18.tar.xz
diff --git a/SOURCES/06-4f-01_readme b/SOURCES/06-4f-01_readme
index f79f58d..740ad18 100644
--- a/SOURCES/06-4f-01_readme
+++ b/SOURCES/06-4f-01_readme
@@ -25,6 +25,9 @@ to the following knowledge base articles:
https://access.redhat.com/articles/3540901
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
The information regarding enforcing microcode load is provided below.
diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats
index c9471f4..e56aefe 100644
--- a/SOURCES/README.caveats
+++ b/SOURCES/README.caveats
@@ -1,7 +1,11 @@
-The microcode_ctl package shipped with RHEL contains provisions for issues with
-microcode loading on the old kernels. While those provisions are expected
-to suit most users, several knobs are provided in order to provide ability
-to override the default behaviour.
+The microcode_ctl package contains microcode files (vendor-provided binary data
+and/or code in proprietary format that affects behaviour of a device) for Intel
+CPUs that may be loaded into the CPU during boot.
+
+The microcode_ctl package contains provisions for some issues related
+to microcode loading. While those provisions are expected to suit most users,
+several knobs are available in order to provide ability to override the default
+behaviour.
General behaviour
@@ -393,7 +397,7 @@ and "reload_microcode script" for details).
Affected microcode: intel-ucode/06-4f-01.
-Mitigation: late microcode loading is disabled for the affected CPU model.
+Mitigation: microcode loading is disabled for the affected CPU model.
Minimum versions of the kernel package that contain the aforementioned patch
series:
@@ -421,24 +425,31 @@ Affected microcode: all.
Mitigation: early microcode loading is disabled for all CPU models.
-Minimum versions of kernel RPM that contain the fix:
+Minimum versions of the kernel package that contain the fix:
- Upstream/RHEL 8: 4.10.0
- RHEL 7.6 onwards: 3.10.0-930
- RHEL 7.5: 3.10.0-862.14.1
- RHEL 7.4: 3.10.0-693.38.1
- RHEL 7.3: 3.10.0-514.57.1
- - RHEL 7.2; 3.10.0-327.73.1
+ - RHEL 7.2: 3.10.0-327.73.1
Additional information
======================
-
-Information regarding microcode versions required for mitigating specific
-side-channel cache attacks is available in the following knowledge base
-articles:
+Red Hat provides updated microcode, developed by our microprocessor
+partners, as a customer convenience. Please contact your hardware vendor
+to determine whether more recent BIOS/firmware updates are recommended
+because additional improvements may be available.
+
+Information regarding microcode revisions required for mitigating specific
+microarchitectural side-channel attacks is available in the following
+knowledge base articles:
* CVE-2017-5715 ("Spectre"):
https://access.redhat.com/articles/3436091
* CVE-2018-3639 ("Speculative Store Bypass"):
https://access.redhat.com/articles/3540901
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
diff --git a/SOURCES/disclaimer b/SOURCES/disclaimer
deleted file mode 100644
index de919a3..0000000
--- a/SOURCES/disclaimer
+++ /dev/null
@@ -1,16 +0,0 @@
-This updated microcode supersedes microcode provided by Red Hat with
-the CVE-2017-5715 (“Spectre”) CPU branch injection vulnerability
-mitigation.
-Historically, Red Hat has provided updated microcode, developed by our
-microprocessor partners, as a customer convenience. Red Hat had
-temporarily suspended this practice while microcode stabilized. Red
-Hat is once again providing an updated Intel microcode package
-(microcode_ctl) and AMD microcode package (linux-firmware) to customers
-in order to simplify deployment processes and minimize downtime. We’ll
-continue to update these microcode packages as necessary. Please
-contact your hardware vendor to determine whether more recent
-BIOS/firmware updates are recommended because additional improvements
-may be available.
-This kbase https://access.redhat.com/articles/3436091 includes a table
-that maps Intel and AMD CPU processor code family names to updated
-Intel and AMD microcode package versions.
diff --git a/SOURCES/microcode_ctl-use-microcode-20190507_Public_DEMO-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20190507_Public_DEMO-tgz.patch
deleted file mode 100644
index 6f70806..0000000
--- a/SOURCES/microcode_ctl-use-microcode-20190507_Public_DEMO-tgz.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: microcode_ctl-2.1-18/Makefile
-===================================================================
---- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200
-+++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200
-@@ -8,7 +8,7 @@
- # 2 of the License, or (at your option) any later version.
-
- PROGRAM = intel-microcode2ucode
--MICROCODE_INTEL = microcode-20180703.tgz
-+MICROCODE_INTEL = microcode-20190507_Public_DEMO.tar.gz
-
- INS = install
- CC = gcc
diff --git a/SOURCES/microcode_ctl-use-microcode-20190514a-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20190514a-tgz.patch
new file mode 100644
index 0000000..7da021f
--- /dev/null
+++ b/SOURCES/microcode_ctl-use-microcode-20190514a-tgz.patch
@@ -0,0 +1,13 @@
+Index: microcode_ctl-2.1-18/Makefile
+===================================================================
+--- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200
++++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200
+@@ -8,7 +8,7 @@
+ # 2 of the License, or (at your option) any later version.
+
+ PROGRAM = intel-microcode2ucode
+-MICROCODE_INTEL = microcode-20180703.tgz
++MICROCODE_INTEL = microcode-20190514a.tar.gz
+
+ INS = install
+ CC = gcc
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec
index 8f4f128..11b51a3 100644
--- a/SPECS/microcode_ctl.spec
+++ b/SPECS/microcode_ctl.spec
@@ -1,5 +1,5 @@
%define upstream_version 2.1-18
-%define intel_ucode_version 20190507_Public_DEMO
+%define intel_ucode_version 20190514a
%define intel_ucode_file_id 28727
%define microcode_ctl_libexec %{_libexecdir}/microcode_ctl
%define update_ucode %{microcode_ctl_libexec}/update_ucode
@@ -11,14 +11,13 @@
Summary: Tool to transform and deploy CPU microcode update for x86.
Name: microcode_ctl
Version: 2.1
-Release: 47.2%{?dist}
+Release: 47.4%{?dist}
Epoch: 2
Group: System Environment/Base
License: GPLv2+ and Redistributable, no modification permitted
URL: https://pagure.io/microcode_ctl
Source0: https://releases.pagure.org/microcode_ctl/%{name}-%{upstream_version}.tar.xz
-#Source1: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
-Source1: microcode-%{intel_ucode_version}.tar.gz
+Source1: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
Source2: microcode.service
@@ -28,7 +27,6 @@ Source4: dracut_99microcode_ctl-fw_dir_override_module_init.sh
Source5: update_ucode
Source6: check_caveats
Source7: reload_microcode
-Source8: disclaimer
Source9: 99-microcode-override.conf
@@ -99,14 +97,7 @@ make CFLAGS="$RPM_OPT_FLAGS" %{?_smp_mflags}
touch ghost_list
tar xf "%{SOURCE1}" --wildcards --strip-components=1 \
- \*/license \*/releasenote
-
-# In the 20190507 release, 06-4f-01 ucode has been moved back into intel-ucode;
-# reverting it, as it is still considered unsafe:
-# https://bugzilla.redhat.com/show_bug.cgi?id=1623630
-# https://bugzilla.redhat.com/show_bug.cgi?id=1646383
-mkdir intel-ucode-with-caveats
-mv intel-ucode/06-4f-01 intel-ucode-with-caveats/
+ \*/intel-ucode-with-caveats \*/license \*/releasenote
# man page
sed "%{SOURCE31}" \
@@ -123,7 +114,6 @@ mkdir -p %{buildroot}%{_unitdir}
install -m 644 %{SOURCE2} -t %{buildroot}%{_unitdir}
install -m 644 %{SOURCE3} %{SOURCE9} \
-t %{buildroot}%{dracutlibdir}/dracut.conf.d
-install -m 644 %{SOURCE8} %{buildroot}/usr/share/doc/microcode_ctl/disclaimer
mkdir -p "%{buildroot}%{dracutlibdir}/modules.d/99microcode_ctl-fw_dir_override"
install -m 755 %{SOURCE4} \
@@ -180,14 +170,7 @@ rm -rf intel-ucode
%{update_ucode}
%{reload_microcode}
-# send the message to syslog, so it gets recorded on /var/log
-if [ -e /usr/bin/logger ]; then
- /usr/bin/logger -p syslog.notice -t DISCLAIMER -f /usr/share/doc/microcode_ctl/disclaimer
-fi
-# also paste it over dmesg (some customers drop dmesg messages while
-# others keep them into /var/log for the later case, we'll have the
-# disclaimer recorded twice into system logs.
-cat /usr/share/doc/microcode_ctl/disclaimer > /dev/kmsg
+exit 0
%posttrans
# We only want to regenerate the initramfs for a fully booted
@@ -292,6 +275,14 @@ rm -rf %{buildroot}
%changelog
+* Sun Jun 02 2019 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-47.4
+- Remove disclaimer, as it is not as important now to justify kmsg/log
+ pollution; its contents are partially adopted in README.caveats.
+
+* Wed May 29 2019 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-47.3
+- Intel CPU microcode update to 20190514a.
+- Resolves: #1714958.
+
* Fri May 10 2019 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-47.2
- Intel CPU microcode update to 20190507_Public_DEMO.
- Resolves: #1704374.