diff --git a/.gitignore b/.gitignore index 5eb5de5..8fd26a6 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,9 @@ SOURCES/06-2d-07 SOURCES/06-4e-03 SOURCES/06-55-04 +SOURCES/06-55-04.20190918 +SOURCES/06-55-06 +SOURCES/06-55-07 SOURCES/06-5e-03 SOURCES/microcode-20190918.tar.gz SOURCES/microcode-20191115.tar.gz diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata index 0367497..75a40e3 100644 --- a/.microcode_ctl.metadata +++ b/.microcode_ctl.metadata @@ -1,6 +1,9 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07 06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03 -2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04 +5f18f985f6d5ad369b5f6549b7f3ee55acaef967 SOURCES/06-55-04 +2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04.20190918 +8affd949151a0badd3f71e23cf9ad668d4c1d82f SOURCES/06-55-06 +a7121c5f49753cc783f82135e268bc4efe85d4be SOURCES/06-55-07 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03 bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz 774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme index 5df5775..822e7a0 100644 --- a/SOURCES/06-55-04_readme +++ b/SOURCES/06-55-04_readme @@ -10,7 +10,12 @@ Since revision 0x2006906 (included with the microcode-20200609 release) it is reported that the issue is no longer present, so the newer microcode revision is enabled by default now (but can be disabled explicitly; see below). +Revision 0x2006a08 (included since the microcode-20201110 release) exhibits +a different issue on some systems, so it is controlled by 06-55-0x-ipu-2020.2 +caveat; please refer to [2] for details. + [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 +[2] /usr/share/doc/microcode_ctl/caveats/06-55-0x-ipu-2020.2_readme For the reference, SHA1 checksums of 06-55-04 microcode files containing microcode revisions in question are listed below: 
diff --git a/SOURCES/06-55-0x-ipu-2020.2_config b/SOURCES/06-55-0x-ipu-2020.2_config
new file mode 100644
index 0000000..80aa372
--- /dev/null
+++ b/SOURCES/06-55-0x-ipu-2020.2_config
@@ -0,0 +1,20 @@
+path intel-ucode/*
+vendor GenuineIntel
+## It is deemed that blocking the SKX/CLX microcode update on all hardware
+## in cases where no model filter is used is too broad, hence
+## no-model-mode=success.
+## https://bugzilla.redhat.com/1902884 https://bugzilla.redhat.com/1905111
+dmi mode=fail-equal no-model-mode=success key=product_name val="Superdome Flex"
+## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/45
+dmi mode=fail-equal no-model-mode=success key=product_name val="SYS-2029TP-HTR/X11DPT-PS"
+## The "kernel_early" statements are carried over from the intel caveat config
+## in order to avoid enabling this newer microcode on these problematic kernels;
+## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
+## (That also means that this caveat has to be enforced separately on these
+## kernels.)
+kernel_early 4.10.0
+kernel_early 3.10.0-930
+kernel_early 3.10.0-862.14.1
+kernel_early 3.10.0-693.38.1
+kernel_early 3.10.0-514.57.1
+kernel_early 3.10.0-327.73.1
diff --git a/SOURCES/06-55-0x-ipu-2020.2_disclaimer b/SOURCES/06-55-0x-ipu-2020.2_disclaimer
new file mode 100644
index 0000000..788f089
--- /dev/null
+++ b/SOURCES/06-55-0x-ipu-2020.2_disclaimer
@@ -0,0 +1,6 @@
+Latest microcode updates for Intel Skylake/Cascade Lake Scalable Platform CPUs
+(family 6, model 85, steppings 4, 6, and 7; CPUID 0x50654/0x50656/0x50657)
+are disabled on some systems as these updates may cause system instability;
+microcode from the previous microcode-20200609 release is used instead.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-0x-ipu-2020.2_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
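Review bot: The two `dmi` rules in 06-55-0x-ipu-2020.2_config each name a single `product_name` string ("Superdome Flex" and "SYS-2029TP-HTR/X11DPT-PS"), while the readme added by the same commit speaks of "HPE Superdome Flex and Supermicro systems" in general. If `mode=fail-equal` compares the whole DMI value (the name suggests so; the matching code is not part of this diff), any other affected platform still gets the microcode-20201110 revisions, and nothing in the file says the list is an exact by-name list. A comment above the rules such as `## Exact product_name matches only; add one dmi line per affected platform (see the bug links below).` would make the scope explicit. The readme and disclaimer wording could then be narrowed to the two listed products.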
diff --git a/SOURCES/06-55-0x-ipu-2020.2_readme b/SOURCES/06-55-0x-ipu-2020.2_readme
new file mode 100644
index 0000000..11324a7
--- /dev/null
+++ b/SOURCES/06-55-0x-ipu-2020.2_readme
@@ -0,0 +1,83 @@
+Latest microcode updates for Intel Skylake/Cascade Lake Scalable Platform CPUs
+(family 6, model 85, steppings 4, 6, and 7; CPUID 0x50654/0x50656/0x50657)
+may cause system instability on some systems, namely, HPE Superdome Flex
+and Supermicro systems, when an update is performed with the resivions
+that come with microcode-20201110 release, so the previously released microcode
+(with revisions 0x2006906, 0x4001f01, and 0x5002f01, respectively)
+from microcode-20200609 release are used on these systems by default instead
+for the OS-driven microcode update.
+
+For the reference, SHA1 checksums of the relevant microcode files containing
+microcode revisions in question are listed below:
+ * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
+ * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
+
+ * 06-55-06, revision 0x4004f01: 8affd949151a0badd3f71e23cf9ad668d4c1d82f
+ * 06-55-06, revision 0x4003003: b187866d2570f90ea69f434c2b012a8c88d85f43
+
+ * 06-55-07, revision 0x5002f01: a7121c5f49753cc783f82135e268bc4efe85d4be
+ * 06-55-07, revision 0x5003003: 74e129b108e676f0286742f609b2c1fa65d73db1
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version. For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
+ CVE-2020-8696 (Vector Register Leakage-Active),
+ CVE-2020-8698 (Fast Forward Store Predictor):
+ https://access.redhat.com/articles/5569051
+
+The information regarding enforcing microcode update is provided below.
+
+To enforce usage of the latest microcode revision for a specific kernel
+version, please create a file "force-intel-06-55-0x-ipu-2020.2" inside
+/lib/firmware/ directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
+where microcode will be available for late microcode update, and run
+"dracut -f --kver ", so initramfs for this kernel version
+is regenerated and the microcode can be loaded early, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-0x-ipu-2020.2
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+After that, it is possible to perform a late microcode update by executing
+"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
+"/sys/devices/system/cpu/microcode/reload" directly.
+
+To disallow usage of the latest microcode revision for a specific kernel
+version, please create a file "disallow-intel-06-55-0x-ipu-2020.2" inside
+/lib/firmware/ directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
+used for late microcode updates, and run "dracut -f --kver ",
+so initramfs for this kernel version is regenerated, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-0x-ipu-2020.2
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+To enforce addition of this microcode for all kernels, please create a file
+"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-0x-ipu-2020.2", run
+"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
+and "dracut -f --regenerate-all" for enabling early microcode updates:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-0x-ipu-2020.2
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+To disallow usage of the latest microcode revision for all kernels, please
+create a file
+"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-0x-ipu-2020.2", +run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories +used for late microcode updates, and run "dracut -f --regenerate-all" +so initramfs images get regenerated, for example: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-0x-ipu-2020.2 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats index d18c2a5..b177eed 100644 --- a/SOURCES/README.caveats +++ b/SOURCES/README.caveats @@ -560,6 +560,11 @@ to enable ability to disable it in case such a need arises. (See the sections "check_caveats script" and "reload_microcode script" for details regarding caveats mechanism operation.) +Revision 0x2006a08 (included since the microcode-20201110 release) exhibits +a different issue on some systems, so it is controlled by 06-55-0x-ipu-2020.2 +caveat; please refer to the "Intel Skylake-SP and Cascade Lake-SP +microcode-20201110 caveats" section for details. + [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 Caveat name: intel-06-55-04 
@@ -571,6 +576,28 @@ previously published microcode revision 0x2000064 is still available as a fallback as part of "intel" caveat. +Intel Skylake-SP and Cascade Lake-SP microcode-20201110 caveats +--------------------------------------------------------------- +Latest microcode updates for Intel Skylake/Cascade Lake Scalable Platform CPUs +(family 6, model 85, steppings 4, 6, and 7; CPUID 0x50654/0x50656/0x50657) +may cause system instability on some systems (there were reports for HPE +Superdome Flex and Supermicro systems[1]) with the resivions that come +with microcode-20201110 release, so the previously released microcode +(with revisions 0x2006906, 0x4001f01, and 0x5002f01, respectively) +from microcode-20200609 release are used by default instead for the OS-driven +microcode update. + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/45 + +Caveat name: intel-06-55-0x-ipu-2020.2 + +Affected microcode: intel-ucode/06-55-04, intel-ucode/06-55-06, + intel-ucode/06-55-07 + +Mitigation: previously published microcode files (revision 0x2006906 for 06-55-04, + 0x4002f01 for 06-55-06, 0x5002f01 for 06-55-07) are used by default. + + Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats ---------------------------------------- Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3; diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats index ab02a02..ee8db57 100755 --- a/SOURCES/check_caveats +++ b/SOURCES/check_caveats @@ -628,10 +628,9 @@ for cfg in $(echo "${configs}"); do cfg_mc_present=0 for p in $(printf "%s" "$cfg_path"); do - { /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \ - -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0; - /bin/true; } \ - | /bin/grep -zFxq "$cpu_mc_path" \ + /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \ + -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \ + | /bin/grep -zFxc "$cpu_mc_path" > /dev/null \ || continue cfg_mc_present=1 
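Review bot: The switch from `grep -zFxq` to `grep -zFxc "$cpu_mc_path" > /dev/null` in the check_caveats hunk carries no comment, so it reads like something a later cleanup would simplify back to `-q`. The changelog in this commit only says 'Do not use "grep -q" in a pipe' (#1902021); presumably `-q` exits at the first match and leaves `find` writing into a closed pipe, which `-c` avoids by reading all input. A line above the pipeline such as `# grep -c, not -q: -q exits on first match while find is still writing (#1902021)` would record that. The removed `{ ...; /bin/true; }` group is also gone without explanation, so whether a `find` error can now reach `|| continue` depends on shell options set outside this hunk. This test decides whether a caveat applies to the running CPU's microcode file, and the loop it sits in starts and ends outside the hunk.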
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec index 0b21e40..ae65361 100644 --- a/SPECS/microcode_ctl.spec +++ b/SPECS/microcode_ctl.spec @@ -13,7 +13,7 @@ Summary: CPU microcode updates for Intel x86 processors Name: microcode_ctl Version: %{intel_ucode_version} -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 4 License: CC0 and Redistributable, no modification permitted URL: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files @@ -23,7 +23,7 @@ Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Fi Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07 # (Pre-20191112) revision 0x2000064 of 06-55-04 microcode -Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04 +Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04#/06-55-04.20190918 # (Pre-20200609) revision 0xd6 of 06-4e-03/06-5e-03 microcode Source4: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-4e-03 
@@ -34,9 +34,15 @@ Source6: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Fi # microcode-20191115 release,containing revision 0xca of 06-[89]e-0X microcode Source7: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20191115.tar.gz +# (Pre-20201110) revision 0x2006906 of 06-55-04/0xb7 microcode +Source8: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200609/intel-ucode/06-55-04 +# (Pre-20201110) revision 0x4002f01 of 06-55-06/0xbf microcode +Source9: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200609/intel-ucode/06-55-06 +# (Pre-20201110) revision 0x5002f01 of 06-55-07/0xbf microcode +Source10: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200609/intel-ucode/06-55-07 # systemd unit -Source10: microcode.service +Source15: microcode.service # dracut-related stuff Source20: 01-microcode.conf @@ -76,6 +82,7 @@ Source122: 06-2d-07_disclaimer # SKL-SP/W/X (CPUID 0x50654) post-20191112 hangs # https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 +# It is still preerved due to https://bugzilla.redhat.com/1908432 Source130: 06-55-04_readme Source131: 06-55-04_config Source132: 06-55-04_disclaimer 
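Review bot: The comment added for Source9 gives the fallback 06-55-06 revision as 0x4002f01, but the caveat readme in this commit says 0x4001f01 in its first paragraph and lists the same file (SHA1 8affd949…, which .microcode_ctl.metadata assigns to SOURCES/06-55-06) as revision 0x4004f01. README.caveats likewise has 0x4001f01 in its description and 0x4002f01 in the Mitigation line. Administrators compare these numbers with the loaded revision when checking whether the fixes for CVE-2020-8695/8696/8698 are active, so the spec comment and both readme texts should carry one value, confirmed against the file header. Two typos sit in the same change: `preerved` in the comment added above Source130 (hunk -76,6) and `resivions` in both readme texts.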
@@ -116,10 +123,18 @@ Source180: 06-8c-01_readme Source181: 06-8c-01_config Source182: 06-8c-01_disclaimer +# SKX-SP/CLX-SP (CPUID 0x50654/0x50656/0x50657) +# IPU 2020.2 HPE Superdome issue +# https://bugzilla.redhat.com/show_bug.cgi?id=1902884 +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/45 +Source190: 06-55-0x-ipu-2020.2_readme +Source191: 06-55-0x-ipu-2020.2_config +Source192: 06-55-0x-ipu-2020.2_disclaimer + # "Provides:" RPM tags generator -Source200: gen_provides.sh -Source201: codenames.list -Source202: gen_updates2.py +Source1000: gen_provides.sh +Source1001: codenames.list +Source1002: gen_updates2.py ExclusiveArch: %{ix86} x86_64 BuildRequires: systemd-units @@ -132,7 +147,7 @@ Requires(postun): systemd coreutils Requires(posttrans): dracut coreutils %global _use_internal_dependency_generator 0 -%define __find_provides "%{SOURCE200}" "%{SOURCE201}" +%define __find_provides "%{SOURCE1000}" "%{SOURCE1001}" %description This package provides microcode update files for Intel x86 and x86_64 CPUs. @@ -152,9 +167,16 @@ is no longer used for microcode upload and, as a result, no longer provided. mv intel-ucode/06-2d-07 intel-ucode-with-caveats/ cp "%{SOURCE2}" intel-ucode/ +# replacing SKX/CLX (CPUID 0x50654/0x50656/0x50657) microcode with pre-20201110 +# versions +# placing this caveat because the older 06-55-04 one in order to preserve +# mv/cp command pattern +mv intel-ucode/06-55-0[467] intel-ucode-with-caveats/ +cp "%{SOURCE8}" "%{SOURCE9}" "%{SOURCE10}" intel-ucode/ + # replacing SKL-SP/W/X (CPUID 0x50654) microcode with pre-20191112 version -mv intel-ucode/06-55-04 intel-ucode-with-caveats/ -cp "%{SOURCE3}" intel-ucode/ +mv intel-ucode/06-55-04 intel-ucode-with-caveats/06-55-04.20200609 +cp "%{SOURCE3}" intel-ucode/06-55-04 # replacing SKL-U/Y (CPUID 0x4063e) microcode with pre-20200609 version mv intel-ucode/06-4e-03 intel-ucode-with-caveats/ 
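Review bot: In the %prep hunk (-152,9) the new SKX/CLX block only works while it stays ahead of the older 06-55-04 block. The rewritten `mv intel-ucode/06-55-04 intel-ucode-with-caveats/06-55-04.20200609` now moves the copy of Source8 that the new `cp` has just placed, not the file from the upstream tarball. The added comment that should state this is garbled ("because the older 06-55-04 one"). I would replace it with `# must precede the older 06-55-04 caveat below: that block moves the 20200609 copy installed here`, so that a later reorder cannot silently put the wrong revision into the default directory or the intel-06-55-04 caveat directory.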
@@ -189,7 +211,7 @@ install -m 755 -d \ # systemd unit install -m 755 -d "%{buildroot}/%{_unitdir}" -install -m 644 "%{SOURCE10}" -t "%{buildroot}/%{_unitdir}/" +install -m 644 "%{SOURCE15}" -t "%{buildroot}/%{_unitdir}/" # dracut %define dracut_mod_dir "%{buildroot}/%{dracutlibdir}/modules.d/99microcode_ctl-fw_dir_override" @@ -228,7 +250,7 @@ install -m 644 releasenote.md \ # caveats install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \ "%{SOURCE140}" "%{SOURCE150}" "%{SOURCE160}" "%{SOURCE170}" \ - "%{SOURCE180}" \ + "%{SOURCE180}" "%{SOURCE190}" \ -t "%{buildroot}/%{_pkgdocdir}/caveats/" @@ -261,7 +283,7 @@ install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer" # SKL-SP caveat %define skl_sp_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/ install -m 755 -d "%{skl_sp_inst_dir}/intel-ucode" -install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_sp_inst_dir}/intel-ucode/" +install -m 644 intel-ucode-with-caveats/06-55-04.20200609 "%{skl_sp_inst_dir}/intel-ucode/06-55-04" install -m 644 "%{SOURCE130}" "%{skl_sp_inst_dir}/readme" install -m 644 "%{SOURCE131}" "%{skl_sp_inst_dir}/config" install -m 644 "%{SOURCE132}" "%{skl_sp_inst_dir}/disclaimer" 
@@ -306,10 +328,18 @@ install -m 644 "%{SOURCE180}" "%{tgl_inst_dir}/readme" install -m 644 "%{SOURCE181}" "%{tgl_inst_dir}/config" install -m 644 "%{SOURCE182}" "%{tgl_inst_dir}/disclaimer" +# SKX-SP/CLX-SP HPE Superdome caveat +%define skx_clx_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-0x-ipu-2020.2/ +install -m 755 -d "%{skx_clx_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-55-0[467] -t "%{skx_clx_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE190}" "%{skx_clx_inst_dir}/readme" +install -m 644 "%{SOURCE191}" "%{skx_clx_inst_dir}/config" +install -m 644 "%{SOURCE192}" "%{skx_clx_inst_dir}/disclaimer" + # SUMMARY.intel-ucode generation # It is to be done only after file population, so, it is here, # at the end of the install stage -/usr/libexec/platform-python "%{SOURCE202}" -C "%{SOURCE201}" \ +/usr/libexec/platform-python "%{SOURCE1002}" -C "%{SOURCE1001}" \ summary -A "%{buildroot}" \ > "%{buildroot}/%{_pkgdocdir}/SUMMARY.intel-ucode" @@ -543,6 +573,11 @@ rm -rf %{buildroot} %changelog +* Tue Dec 01 2020 Eugene Syromiatnikov - 4:20201112-2 +- Do not use "grep -q" in a pipe in check_caveats (#1902021). +- Add 06-55-04/06-55-06/06-55-07 (SKX-SP/CLX-SP) microcode-20201110 caveats + (#1902884). + * Fri Nov 13 2020 Eugene Syromiatnikov - 4:20201112-1 - Update Intel CPU microcode to microcode-20201112 release (#1896912): - Addition of 06-8a-01/0x10 (LKF B2/B3) microcode at revision 0x28;
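Review bot: `install -m 644 intel-ucode-with-caveats/06-55-0[467] -t ...` in the new caveat block, like the matching `mv intel-ucode/06-55-0[467]` in the %prep hunk, relies on a glob. If a later upstream tarball lacks one of the three files, the build would presumably still succeed and the caveat directory would just hold fewer files. Naming `intel-ucode-with-caveats/06-55-04`, `.../06-55-06` and `.../06-55-07` explicitly in both commands turns a missing file into a build failure. The section comment also says `# SKX-SP/CLX-SP HPE Superdome caveat` although the config added in this commit matches a Supermicro product as well; `# SKX-SP/CLX-SP IPU 2020.2 caveat` would match the caveat name.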