diff --git a/.gitignore b/.gitignore
index 5eb5de5..8fd26a6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,9 @@
SOURCES/06-2d-07
SOURCES/06-4e-03
SOURCES/06-55-04
+SOURCES/06-55-04.20190918
+SOURCES/06-55-06
+SOURCES/06-55-07
SOURCES/06-5e-03
SOURCES/microcode-20190918.tar.gz
SOURCES/microcode-20191115.tar.gz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index 0367497..75a40e3 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -1,6 +1,9 @@
bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03
-2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
+5f18f985f6d5ad369b5f6549b7f3ee55acaef967 SOURCES/06-55-04
+2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04.20190918
+8affd949151a0badd3f71e23cf9ad668d4c1d82f SOURCES/06-55-06
+a7121c5f49753cc783f82135e268bc4efe85d4be SOURCES/06-55-07
86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme
index 5df5775..822e7a0 100644
--- a/SOURCES/06-55-04_readme
+++ b/SOURCES/06-55-04_readme
@@ -10,7 +10,12 @@ Since revision 0x2006906 (included with the microcode-20200609 release)
it is reported that the issue is no longer present, so the newer microcode
revision is enabled by default now (but can be disabled explicitly; see below).
+Revision 0x2006a08 (included since the microcode-20201110 release) exhibits
+a different issue on some systems, so it is controlled by 06-55-0x-ipu-2020.2
+caveat; please refer to [2] for details.
+
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
+[2] /usr/share/doc/microcode_ctl/caveats/06-55-0x-ipu-2020.2_readme
For the reference, SHA1 checksums of 06-55-04 microcode files containing
microcode revisions in question are listed below:
diff --git a/SOURCES/06-55-0x-ipu-2020.2_config b/SOURCES/06-55-0x-ipu-2020.2_config
new file mode 100644
index 0000000..80aa372
--- /dev/null
+++ b/SOURCES/06-55-0x-ipu-2020.2_config
@@ -0,0 +1,20 @@
+path intel-ucode/*
+vendor GenuineIntel
+## It is deemed that blocking the SKX/CLX microcode update on all hardware
+## in cases where no model filter is used is too broad, hence
+## no-model-mode=success.
+## https://bugzilla.redhat.com/1902884 https://bugzilla.redhat.com/1905111
+dmi mode=fail-equal no-model-mode=success key=product_name val="Superdome Flex"
+## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/45
+dmi mode=fail-equal no-model-mode=success key=product_name val="SYS-2029TP-HTR/X11DPT-PS"
+## The "kernel_early" statements are carried over from the intel caveat config
+## in order to avoid enabling this newer microcode on these problematic kernels;
+## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
+## (That also means that this caveat has to be enforced separately on these
+## kernels.)
+kernel_early 4.10.0
+kernel_early 3.10.0-930
+kernel_early 3.10.0-862.14.1
+kernel_early 3.10.0-693.38.1
+kernel_early 3.10.0-514.57.1
+kernel_early 3.10.0-327.73.1
diff --git a/SOURCES/06-55-0x-ipu-2020.2_disclaimer b/SOURCES/06-55-0x-ipu-2020.2_disclaimer
new file mode 100644
index 0000000..788f089
--- /dev/null
+++ b/SOURCES/06-55-0x-ipu-2020.2_disclaimer
@@ -0,0 +1,6 @@
+Latest microcode updates for Intel Skylake/Cascade Lake Scalable Platform CPUs
+(family 6, model 85, steppings 4, 6, and 7; CPUID 0x50654/0x50656/0x50657)
+are disabled on some systems as these updates may cause system instability;
+microcode from the previous microcode-20200609 release is used instead.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-0x-ipu-2020.2_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/06-55-0x-ipu-2020.2_readme b/SOURCES/06-55-0x-ipu-2020.2_readme
new file mode 100644
index 0000000..11324a7
--- /dev/null
+++ b/SOURCES/06-55-0x-ipu-2020.2_readme
@@ -0,0 +1,83 @@
+Latest microcode updates for Intel Skylake/Cascade Lake Scalable Platform CPUs
+(family 6, model 85, steppings 4, 6, and 7; CPUID 0x50654/0x50656/0x50657)
+may cause system instability on some systems, namely, HPE Superdome Flex
+and Supermicro systems, when an update is performed with the resivions
+that come with microcode-20201110 release, so the previously released microcode
+(with revisions 0x2006906, 0x4001f01, and 0x5002f01, respectively)
+from microcode-20200609 release are used on these systems by default instead
+for the OS-driven microcode update.
+
+For the reference, SHA1 checksums of the relevant microcode files containing
+microcode revisions in question are listed below:
+ * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
+ * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
+
+ * 06-55-06, revision 0x4004f01: 8affd949151a0badd3f71e23cf9ad668d4c1d82f
+ * 06-55-06, revision 0x4003003: b187866d2570f90ea69f434c2b012a8c88d85f43
+
+ * 06-55-07, revision 0x5002f01: a7121c5f49753cc783f82135e268bc4efe85d4be
+ * 06-55-07, revision 0x5003003: 74e129b108e676f0286742f609b2c1fa65d73db1
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version. For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
+ CVE-2020-8696 (Vector Register Leakage-Active),
+ CVE-2020-8698 (Fast Forward Store Predictor):
+ https://access.redhat.com/articles/5569051
+
+The information regarding enforcing microcode update is provided below.
+
+To enforce usage of the latest microcode revision for a specific kernel
+version, please create a file "force-intel-06-55-0x-ipu-2020.2" inside
+/lib/firmware/<kernel_version> directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
+where microcode will be available for late microcode update, and run
+"dracut -f --kver <kernel_version>", so initramfs for this kernel version
+is regenerated and the microcode can be loaded early, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-0x-ipu-2020.2
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+After that, it is possible to perform a late microcode update by executing
+"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
+"/sys/devices/system/cpu/microcode/reload" directly.
+
+To disallow usage of the latest microcode revision for a specific kernel
+version, please create a file "disallow-intel-06-55-0x-ipu-2020.2" inside
+/lib/firmware/<kernel_version> directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
+used for late microcode updates, and run "dracut -f --kver <kernel_version>",
+so initramfs for this kernel version is regenerated, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-0x-ipu-2020.2
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+To enforce addition of this microcode for all kernels, please create a file
+"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-0x-ipu-2020.2", run
+"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
+and "dracut -f --regenerate-all" for enabling early microcode updates:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-0x-ipu-2020.2
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+To disallow usage of the latest microcode revision for all kernels, please
+create a file
+"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-0x-ipu-2020.2",
+run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
+used for late microcode updates, and run "dracut -f --regenerate-all"
+so initramfs images get regenerated, for example:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-0x-ipu-2020.2
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.
diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats
index d18c2a5..b177eed 100644
--- a/SOURCES/README.caveats
+++ b/SOURCES/README.caveats
@@ -560,6 +560,11 @@ to enable ability to disable it in case such a need arises. (See the sections
"check_caveats script" and "reload_microcode script" for details regarding
caveats mechanism operation.)
+Revision 0x2006a08 (included since the microcode-20201110 release) exhibits
+a different issue on some systems, so it is controlled by 06-55-0x-ipu-2020.2
+caveat; please refer to the "Intel Skylake-SP and Cascade Lake-SP
+microcode-20201110 caveats" section for details.
+
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
Caveat name: intel-06-55-04
@@ -571,6 +576,28 @@ previously published microcode revision 0x2000064 is still available
as a fallback as part of "intel" caveat.
+Intel Skylake-SP and Cascade Lake-SP microcode-20201110 caveats
+---------------------------------------------------------------
+Latest microcode updates for Intel Skylake/Cascade Lake Scalable Platform CPUs
+(family 6, model 85, steppings 4, 6, and 7; CPUID 0x50654/0x50656/0x50657)
+may cause system instability on some systems (there were reports for HPE
+Superdome Flex and Supermicro systems[1]) with the resivions that come
+with microcode-20201110 release, so the previously released microcode
+(with revisions 0x2006906, 0x4001f01, and 0x5002f01, respectively)
+from microcode-20200609 release are used by default instead for the OS-driven
+microcode update.
+
+[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/45
+
+Caveat name: intel-06-55-0x-ipu-2020.2
+
+Affected microcode: intel-ucode/06-55-04, intel-ucode/06-55-06,
+ intel-ucode/06-55-07
+
+Mitigation: previously published microcode files (revision 0x2006906 for 06-55-04,
+ 0x4002f01 for 06-55-06, 0x5002f01 for 06-55-07) are used by default.
+
+
Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats
----------------------------------------
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3;
diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats
index ab02a02..ee8db57 100755
--- a/SOURCES/check_caveats
+++ b/SOURCES/check_caveats
@@ -628,10 +628,9 @@ for cfg in $(echo "${configs}"); do
cfg_mc_present=0
for p in $(printf "%s" "$cfg_path"); do
- { /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \
- -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0;
- /bin/true; } \
- | /bin/grep -zFxq "$cpu_mc_path" \
+ /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \
+ -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \
+ | /bin/grep -zFxc "$cpu_mc_path" > /dev/null \
|| continue
cfg_mc_present=1
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec
index 0b21e40..ae65361 100644
--- a/SPECS/microcode_ctl.spec
+++ b/SPECS/microcode_ctl.spec
@@ -13,7 +13,7 @@
Summary: CPU microcode updates for Intel x86 processors
Name: microcode_ctl
Version: %{intel_ucode_version}
-Release: 1%{?dist}
+Release: 2%{?dist}
Epoch: 4
License: CC0 and Redistributable, no modification permitted
URL: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
@@ -23,7 +23,7 @@ Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Fi
Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07
# (Pre-20191112) revision 0x2000064 of 06-55-04 microcode
-Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04
+Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04#/06-55-04.20190918
# (Pre-20200609) revision 0xd6 of 06-4e-03/06-5e-03 microcode
Source4: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-4e-03
@@ -34,9 +34,15 @@ Source6: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Fi
# microcode-20191115 release,containing revision 0xca of 06-[89]e-0X microcode
Source7: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20191115.tar.gz
+# (Pre-20201110) revision 0x2006906 of 06-55-04/0xb7 microcode
+Source8: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200609/intel-ucode/06-55-04
+# (Pre-20201110) revision 0x4002f01 of 06-55-06/0xbf microcode
+Source9: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200609/intel-ucode/06-55-06
+# (Pre-20201110) revision 0x5002f01 of 06-55-07/0xbf microcode
+Source10: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200609/intel-ucode/06-55-07
# systemd unit
-Source10: microcode.service
+Source15: microcode.service
# dracut-related stuff
Source20: 01-microcode.conf
@@ -76,6 +82,7 @@ Source122: 06-2d-07_disclaimer
# SKL-SP/W/X (CPUID 0x50654) post-20191112 hangs
# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
+# It is still preerved due to https://bugzilla.redhat.com/1908432
Source130: 06-55-04_readme
Source131: 06-55-04_config
Source132: 06-55-04_disclaimer
@@ -116,10 +123,18 @@ Source180: 06-8c-01_readme
Source181: 06-8c-01_config
Source182: 06-8c-01_disclaimer
+# SKX-SP/CLX-SP (CPUID 0x50654/0x50656/0x50657)
+# IPU 2020.2 HPE Superdome issue
+# https://bugzilla.redhat.com/show_bug.cgi?id=1902884
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/45
+Source190: 06-55-0x-ipu-2020.2_readme
+Source191: 06-55-0x-ipu-2020.2_config
+Source192: 06-55-0x-ipu-2020.2_disclaimer
+
# "Provides:" RPM tags generator
-Source200: gen_provides.sh
-Source201: codenames.list
-Source202: gen_updates2.py
+Source1000: gen_provides.sh
+Source1001: codenames.list
+Source1002: gen_updates2.py
ExclusiveArch: %{ix86} x86_64
BuildRequires: systemd-units
@@ -132,7 +147,7 @@ Requires(postun): systemd coreutils
Requires(posttrans): dracut coreutils
%global _use_internal_dependency_generator 0
-%define __find_provides "%{SOURCE200}" "%{SOURCE201}"
+%define __find_provides "%{SOURCE1000}" "%{SOURCE1001}"
%description
This package provides microcode update files for Intel x86 and x86_64 CPUs.
@@ -152,9 +167,16 @@ is no longer used for microcode upload and, as a result, no longer provided.
mv intel-ucode/06-2d-07 intel-ucode-with-caveats/
cp "%{SOURCE2}" intel-ucode/
+# replacing SKX/CLX (CPUID 0x50654/0x50656/0x50657) microcode with pre-20201110
+# versions
+# placing this caveat because the older 06-55-04 one in order to preserve
+# mv/cp command pattern
+mv intel-ucode/06-55-0[467] intel-ucode-with-caveats/
+cp "%{SOURCE8}" "%{SOURCE9}" "%{SOURCE10}" intel-ucode/
+
# replacing SKL-SP/W/X (CPUID 0x50654) microcode with pre-20191112 version
-mv intel-ucode/06-55-04 intel-ucode-with-caveats/
-cp "%{SOURCE3}" intel-ucode/
+mv intel-ucode/06-55-04 intel-ucode-with-caveats/06-55-04.20200609
+cp "%{SOURCE3}" intel-ucode/06-55-04
# replacing SKL-U/Y (CPUID 0x4063e) microcode with pre-20200609 version
mv intel-ucode/06-4e-03 intel-ucode-with-caveats/
@@ -189,7 +211,7 @@ install -m 755 -d \
# systemd unit
install -m 755 -d "%{buildroot}/%{_unitdir}"
-install -m 644 "%{SOURCE10}" -t "%{buildroot}/%{_unitdir}/"
+install -m 644 "%{SOURCE15}" -t "%{buildroot}/%{_unitdir}/"
# dracut
%define dracut_mod_dir "%{buildroot}/%{dracutlibdir}/modules.d/99microcode_ctl-fw_dir_override"
@@ -228,7 +250,7 @@ install -m 644 releasenote.md \
# caveats
install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \
"%{SOURCE140}" "%{SOURCE150}" "%{SOURCE160}" "%{SOURCE170}" \
- "%{SOURCE180}" \
+ "%{SOURCE180}" "%{SOURCE190}" \
-t "%{buildroot}/%{_pkgdocdir}/caveats/"
@@ -261,7 +283,7 @@ install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer"
# SKL-SP caveat
%define skl_sp_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/
install -m 755 -d "%{skl_sp_inst_dir}/intel-ucode"
-install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_sp_inst_dir}/intel-ucode/"
+install -m 644 intel-ucode-with-caveats/06-55-04.20200609 "%{skl_sp_inst_dir}/intel-ucode/06-55-04"
install -m 644 "%{SOURCE130}" "%{skl_sp_inst_dir}/readme"
install -m 644 "%{SOURCE131}" "%{skl_sp_inst_dir}/config"
install -m 644 "%{SOURCE132}" "%{skl_sp_inst_dir}/disclaimer"
@@ -306,10 +328,18 @@ install -m 644 "%{SOURCE180}" "%{tgl_inst_dir}/readme"
install -m 644 "%{SOURCE181}" "%{tgl_inst_dir}/config"
install -m 644 "%{SOURCE182}" "%{tgl_inst_dir}/disclaimer"
+# SKX-SP/CLX-SP HPE Superdome caveat
+%define skx_clx_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-0x-ipu-2020.2/
+install -m 755 -d "%{skx_clx_inst_dir}/intel-ucode"
+install -m 644 intel-ucode-with-caveats/06-55-0[467] -t "%{skx_clx_inst_dir}/intel-ucode/"
+install -m 644 "%{SOURCE190}" "%{skx_clx_inst_dir}/readme"
+install -m 644 "%{SOURCE191}" "%{skx_clx_inst_dir}/config"
+install -m 644 "%{SOURCE192}" "%{skx_clx_inst_dir}/disclaimer"
+
# SUMMARY.intel-ucode generation
# It is to be done only after file population, so, it is here,
# at the end of the install stage
-/usr/libexec/platform-python "%{SOURCE202}" -C "%{SOURCE201}" \
+/usr/libexec/platform-python "%{SOURCE1002}" -C "%{SOURCE1001}" \
summary -A "%{buildroot}" \
> "%{buildroot}/%{_pkgdocdir}/SUMMARY.intel-ucode"
@@ -543,6 +573,11 @@ rm -rf %{buildroot}
%changelog
+* Tue Dec 01 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20201112-2
+- Do not use "grep -q" in a pipe in check_caveats (#1902021).
+- Add 06-55-04/06-55-06/06-55-07 (SKX-SP/CLX-SP) microcode-20201110 caveats
+ (#1902884).
+
* Fri Nov 13 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20201112-1
- Update Intel CPU microcode to microcode-20201112 release (#1896912):
- Addition of 06-8a-01/0x10 (LKF B2/B3) microcode at revision 0x28;