diff --git a/.gitignore b/.gitignore
index 7a6b0b6..5eb5de5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,4 +4,4 @@ SOURCES/06-55-04
SOURCES/06-5e-03
SOURCES/microcode-20190918.tar.gz
SOURCES/microcode-20191115.tar.gz
-SOURCES/microcode-20201027.tar.gz
+SOURCES/microcode-20201112.tar.gz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index 7bb7733..0367497 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -4,4 +4,4 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
-8036bee2e4aa101bdb41a96ea051d91d357df514 SOURCES/microcode-20201027.tar.gz
+010507b8a7ca0b5c4a01cd1f8a6adae5f0fd316d SOURCES/microcode-20201112.tar.gz
diff --git a/SOURCES/06-4e-03_readme b/SOURCES/06-4e-03_readme
index 016364f..49373e2 100644
--- a/SOURCES/06-4e-03_readme
+++ b/SOURCES/06-4e-03_readme
@@ -36,6 +36,10 @@ to the following knowledge base articles:
CVE-2020-0548 (Vector Register Data Sampling),
CVE-2020-0549 (L1D Cache Eviction Sampling):
https://access.redhat.com/solutions/5142751
+ * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
+ CVE-2020-8696 (Vector Register Leakage-Active),
+ CVE-2020-8698 (Fast Forward Store Predictor):
+ https://access.redhat.com/articles/5569051
The information regarding enforcing microcode update is provided below.
diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme
index 7b8051a..5df5775 100644
--- a/SOURCES/06-55-04_readme
+++ b/SOURCES/06-55-04_readme
@@ -41,6 +41,10 @@ to the following knowledge base articles:
CVE-2020-0548 (Vector Register Data Sampling),
CVE-2020-0549 (L1D Cache Eviction Sampling):
https://access.redhat.com/solutions/5142751
+ * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
+ CVE-2020-8696 (Vector Register Leakage-Active),
+ CVE-2020-8698 (Fast Forward Store Predictor):
+ https://access.redhat.com/articles/5569051
The information regarding disabling microcode update is provided below.
diff --git a/SOURCES/06-5e-03_readme b/SOURCES/06-5e-03_readme
index 9255d3f..9e21ac0 100644
--- a/SOURCES/06-5e-03_readme
+++ b/SOURCES/06-5e-03_readme
@@ -36,6 +36,10 @@ to the following knowledge base articles:
CVE-2020-0548 (Vector Register Data Sampling),
CVE-2020-0549 (L1D Cache Eviction Sampling):
https://access.redhat.com/solutions/5142751
+ * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
+ CVE-2020-8696 (Vector Register Leakage-Active),
+ CVE-2020-8698 (Fast Forward Store Predictor):
+ https://access.redhat.com/articles/5569051
The information regarding enforcing microcode update is provided below.
diff --git a/SOURCES/06-8c-01_config b/SOURCES/06-8c-01_config
new file mode 100644
index 0000000..c7c5d65
--- /dev/null
+++ b/SOURCES/06-8c-01_config
@@ -0,0 +1,3 @@
+model GenuineIntel 06-8c-01
+path intel-ucode/06-8c-01
+disable early late
diff --git a/SOURCES/06-8c-01_disclaimer b/SOURCES/06-8c-01_disclaimer
new file mode 100644
index 0000000..6e02fa6
--- /dev/null
+++ b/SOURCES/06-8c-01_disclaimer
@@ -0,0 +1,4 @@
+Microcode updates for Intel Tiger Lake-UP3/UP4 (family 6, model 140, stepping 1;
+CPUID 0x806c1) are disabled as they may cause system instability.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-8c-01_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/06-8c-01_readme b/SOURCES/06-8c-01_readme
new file mode 100644
index 0000000..16afb9b
--- /dev/null
+++ b/SOURCES/06-8c-01_readme
@@ -0,0 +1,40 @@
+Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
+have reports of system hangs when a microcode update, that is included
+since microcode-20201110 update, is applied[1]. In order to address this,
+microcode update has been disabled by default on these systems.
+
+[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version.
+
+The information regarding enforcing microcode update is provided below.
+
+To enforce usage of the latest 06-8c-01 microcode revision for a specific kernel
+version, please create a file "force-intel-06-8c-01" inside
+/lib/firmware/<kernel_version> directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
+where microcode will be available for late microcode update, and run
+"dracut -f --kver <kernel_version>", so initramfs for this kernel version
+is regenerated and the microcode can be loaded early, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/force-intel-06-8c-01
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+After that, it is possible to perform a late microcode update by executing
+"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
+"/sys/devices/system/cpu/microcode/reload" directly.
+
+To enforce addition of this microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01", run
+"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
+and "dracut -f --regenerate-all" for enabling early microcode updates:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.
diff --git a/SOURCES/06-8e-9e-0x-0xca_readme b/SOURCES/06-8e-9e-0x-0xca_readme
index ef90fdb..cef8e9b 100644
--- a/SOURCES/06-8e-9e-0x-0xca_readme
+++ b/SOURCES/06-8e-9e-0x-0xca_readme
@@ -104,6 +104,10 @@ to the following knowledge base articles:
CVE-2020-0548 (Vector Register Data Sampling),
CVE-2020-0549 (L1D Cache Eviction Sampling):
https://access.redhat.com/solutions/5142751
+ * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
+ CVE-2020-8696 (Vector Register Leakage-Active),
+ CVE-2020-8698 (Fast Forward Store Predictor):
+ https://access.redhat.com/articles/5569051
The information regarding disabling microcode update is provided below.
diff --git a/SOURCES/06-8e-9e-0x-dell_readme b/SOURCES/06-8e-9e-0x-dell_readme
index d74c679..94b9bb6 100644
--- a/SOURCES/06-8e-9e-0x-dell_readme
+++ b/SOURCES/06-8e-9e-0x-dell_readme
@@ -104,6 +104,10 @@ to the following knowledge base articles:
CVE-2020-0548 (Vector Register Data Sampling),
CVE-2020-0549 (L1D Cache Eviction Sampling):
https://access.redhat.com/solutions/5142751
+ * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
+ CVE-2020-8696 (Vector Register Leakage-Active),
+ CVE-2020-8698 (Fast Forward Store Predictor):
+ https://access.redhat.com/articles/5569051
The information regarding disabling microcode update is provided below.
diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats
index 2220a09..d18c2a5 100644
--- a/SOURCES/README.caveats
+++ b/SOURCES/README.caveats
@@ -630,6 +630,26 @@ Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
as a convenience for the cases where it was working well before.
+Intel Tiger Lake-UP3/UP4 caveat
+-------------------------------
+Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140,
+stepping 1) have reports of system hangs when a microcode update,
+that is included since microcode-20201110 release, is applied[1].
+In order to address this, microcode update to a newer revision has been disabled
+by default on these systems; the newer microcode file, however, is still shipped
+as a part of microcode_ctl package and can be used for performing a microcode
+update if it is enforced via the aforementioned overrides. (See the sections
+"check_caveats script" and "reload_microcode script" for details.)
+
+[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
+
+Caveat names: intel-06-8c-01
+
+Affected microcode: intel-ucode/06-8c-01.
+
+Mitigation: microcode loading is disabled for the affected CPU model.
+
+
Additional information
======================
@@ -658,3 +678,7 @@ Intel CPU vulnerabilities is available in the following knowledge base articles:
CVE-2020-0548 (Vector Register Data Sampling),
CVE-2020-0549 (L1D Cache Eviction Sampling):
https://access.redhat.com/solutions/5142751
+ * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
+ CVE-2020-8696 (Vector Register Leakage-Active),
+ CVE-2020-8698 (Fast Forward Store Predictor):
+ https://access.redhat.com/articles/5569051
diff --git a/SOURCES/codenames.list b/SOURCES/codenames.list
index 502fc92..be1f3d2 100644
--- a/SOURCES/codenames.list
+++ b/SOURCES/codenames.list
@@ -297,6 +297,7 @@ Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop;
Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop;
Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile;
Mobile;;Comet Lake;K0;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile;
+SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology;
# sources:
# https://en.wikichip.org/wiki/intel/cpuid
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec
index 8fac40b..0b21e40 100644
--- a/SPECS/microcode_ctl.spec
+++ b/SPECS/microcode_ctl.spec
@@ -1,4 +1,4 @@
-%define intel_ucode_version 20201027
+%define intel_ucode_version 20201112
%global debug_package %{nil}
%define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats
@@ -17,8 +17,7 @@ Release: 1%{?dist}
Epoch: 4
License: CC0 and Redistributable, no modification permitted
URL: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
-#Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
-Source0: microcode-%{intel_ucode_version}.tar.gz
+Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
# (Pre-MDS) revision 0x714 of 06-2d-07 microcode
Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07
@@ -112,6 +111,10 @@ Source170: 06-8e-9e-0x-dell_readme
Source171: 06-8e-9e-0x-dell_config
Source172: 06-8e-9e-0x-dell_disclaimer
+# TGL-UP3/UP4 (CPUID 06-8c-01) hangs
+Source180: 06-8c-01_readme
+Source181: 06-8c-01_config
+Source182: 06-8c-01_disclaimer
# "Provides:" RPM tags generator
Source200: gen_provides.sh
@@ -173,6 +176,9 @@ tar xvvf "%{SOURCE7}" --wildcards --strip-components=2 \
'*/intel-ucode/06-[89]e-0*'
popd
+# Moving 06-8c-01 microcode to intel-ucode-with-caveats
+mv intel-ucode/06-8c-01 intel-ucode-with-caveats/
+
:
%install
@@ -222,6 +228,7 @@ install -m 644 releasenote.md \
# caveats
install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \
"%{SOURCE140}" "%{SOURCE150}" "%{SOURCE160}" "%{SOURCE170}" \
+ "%{SOURCE180}" \
-t "%{buildroot}/%{_pkgdocdir}/caveats/"
@@ -291,6 +298,14 @@ install -m 644 "%{SOURCE170}" "%{dell_latest_inst_dir}/readme"
install -m 644 "%{SOURCE171}" "%{dell_latest_inst_dir}/config"
install -m 644 "%{SOURCE172}" "%{dell_latest_inst_dir}/disclaimer"
+# TGL caveat
+%define tgl_inst_dir %{buildroot}/%{caveat_dir}/intel-06-8c-01/
+install -m 755 -d "%{tgl_inst_dir}/intel-ucode"
+install -m 644 intel-ucode-with-caveats/06-8c-01 -t "%{tgl_inst_dir}/intel-ucode/"
+install -m 644 "%{SOURCE180}" "%{tgl_inst_dir}/readme"
+install -m 644 "%{SOURCE181}" "%{tgl_inst_dir}/config"
+install -m 644 "%{SOURCE182}" "%{tgl_inst_dir}/disclaimer"
+
# SUMMARY.intel-ucode generation
# It is to be done only after file population, so, it is here,
# at the end of the install stage
@@ -528,6 +543,16 @@ rm -rf %{buildroot}
%changelog
+* Fri Nov 13 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20201112-1
+- Update Intel CPU microcode to microcode-20201112 release (#1896912):
+ - Addition of 06-8a-01/0x10 (LKF B2/B3) microcode at revision 0x28;
+ - Update of 06-7a-01/0x01 (GLK B0) microcode from revision 0x32 up
+ to 0x34;
+ - Updated releasenote file.
+
+* Fri Nov 13 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20201027-2
+- Disable 06-8c-01 (TGL-UP3/UP4 B1) microcode update by default (#1897534).
+
* Thu Oct 29 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20201027-1
- Update Intel CPU microcode to microcode-20201027 release, addresses
CVE-2020-8694, CVE-2020-8695, CVE-2020-8696, CVE-2020-8698