diff --git a/.gitignore b/.gitignore
index b762a2e..200d924 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,6 @@ SOURCES/06-2d-07
SOURCES/06-4e-03
SOURCES/06-55-04
SOURCES/06-5e-03
+SOURCES/microcode-20190918.tar.gz
+SOURCES/microcode-20191115.tar.gz
SOURCES/microcode-20200609.tar.gz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index 2eb348d..c0d8e72 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -2,4 +2,6 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03
2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
+bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
+774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
c2a433c1f68c2dc5b752bd7dddf204ea89ad5761 SOURCES/microcode-20200609.tar.gz
diff --git a/SOURCES/06-8e-9e-0x-0xca_config b/SOURCES/06-8e-9e-0x-0xca_config
new file mode 100644
index 0000000..2dbca4a
--- /dev/null
+++ b/SOURCES/06-8e-9e-0x-0xca_config
@@ -0,0 +1,4 @@
+path intel-ucode/*
+vendor GenuineIntel
+dmi mode=fail-equal key=bios_vendor val="Dell Inc."
+disable early late
diff --git a/SOURCES/06-8e-9e-0x-0xca_disclaimer b/SOURCES/06-8e-9e-0x-0xca_disclaimer
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/SOURCES/06-8e-9e-0x-0xca_disclaimer
diff --git a/SOURCES/06-8e-9e-0x-0xca_readme b/SOURCES/06-8e-9e-0x-0xca_readme
new file mode 100644
index 0000000..aba1bc7
--- /dev/null
+++ b/SOURCES/06-8e-9e-0x-0xca_readme
@@ -0,0 +1,123 @@
+Some Dell systems that use some models of Intel CPUs are susceptible to hangs
+and system instability during or after microcode update to revision 0xc6/0xca
+(included as part of microcode-20191113/microcode-20191115 update that addressed
+CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139)
+and/or revision 0xd6 (included as part of microcode-20200609 update
+that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549)
+[1][2][3][4][5][6]. In order to address this, microcode update to the newer
+revision has been disabled by default on these systems, and the previously
+published microcode revisions 0xae/0xb4/0xb8 are used by default
+for the OS-driven microcode update.
+
+[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23
+[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
+[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33
+[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34
+[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35
+[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097
+
+This caveat contains revision 0xca of 06-[89]e-0x microcode publicly released
+by Intel; for the latest revision of the microcode files, please refer to caveat
+06-8e-9e-0x-dell.
+
+For the reference, microarchitectures of the affected CPU models:
+ * Amber Lake-Y
+ * Kaby Lake-G/H/S/U/Y/Xeon E3
+ * Coffee Lake-H/S/U/Xeon E
+ * Comet Lake-U 4+2
+ * Whiskey Lake-U
+
+Family names of the affected CPU models:
+ * 7th Generation Intel® Core™ Processor Family
+ * 8th Generation Intel® Core™ Processor Family
+ * 9th Generation Intel® Core™ Processor Family
+ * 10th Generation Intel® Core™ Processor Family (selected models)
+ * Intel® Celeron® Processor G Series
+ * Intel® Celeron® Processor 5000 Series
+ * Intel® Core™ X-series Processors (i7-7740X, i5-7640X only)
+ * Intel® Pentium® Gold Processor Series
+ * Intel® Pentium® Processor Series (selected models)
+ * Intel® Xeon® Processor E Family
+ * Intel® Xeon® Processor E3 v6 Family
+
+SHA1 checksums of the microcode files containing microcode revisions
+in question:
+ * 06-8e-09, revision 0xb4: e253c95c29c3eef6576db851dfa069d82a91256f
+ * 06-8e-0a, revision 0xb4: 45bcba494be07df9eeccff9627578095a97fba4d
+ * 06-8e-0b, revision 0xb8: 3e54bf91d642ad81ff07fe274d0cfb5d10d09c43
+ * 06-8e-0c, revision 0xb8: bf635c87177d6dc4e067ec11e1caeb19d3c325f0
+ * 06-9e-09, revision 0xb4: 42f68eec4ddb79dd6be0c95c4ce60e514e4504b1
+ * 06-9e-0a, revision 0xb4: 37c7cb394dd36610b57943578343723da67d50f0
+ * 06-9e-0b, revision 0xb4: b5399109d0a5ce8f5fb623ff942da0322b438b95
+ * 06-9e-0c, revision 0xae: 131bce89e4d210de8322ffbc6bd787f1af66a7df
+ * 06-9e-0d, revision 0xb8: 22511b007d1df55558d115abb13a1c23ea398317
+
+ * 06-8e-09, revision 0xca: 9afa1bae40995207afef13247f114be042d88083
+ * 06-8e-0a, revision 0xca: 1d90291cc25e17dc6c36c764cf8c06b41fed4c16
+ * 06-8e-0b, revision 0xca: 3fb1246a6594eff5e2c2076c63c600d734f10777
+ * 06-8e-0c, revision 0xca: e871540671f59b4fa5d0d454798f09a4d412aace
+ * 06-9e-09, revision 0xca: b5eed11108ab7ac1e675fe75d0e7454a400ddd35
+ * 06-9e-0a, revision 0xca: e472304aaa2f3815a32822cb111ab3f43bf3dfe4
+ * 06-9e-0b, revision 0xca: 78f47c5162da680878ed057dc7c853f9737c524b
+ * 06-9e-0c, revision 0xca: f23848a009928796a153cb9e8f44522136969408
+ * 06-9e-0d, revision 0xca: c7a3d469469ee828ba9faf91b67af881fceec3b7
+
+ * 06-8e-09, revision 0xd6: 2272c621768437d20e602207752201e0966e5a8c
+ * 06-8e-0a, revision 0xd6: 0b145afb88e028e612f04c2a86385e7d7c3fefc4
+ * 06-8e-0b, revision 0xd6: c3831b05da83be54f3acc451a1bce90f75e2e9e5
+ * 06-8e-0c, revision 0xd6: 4b8938a93e23f4b5a2d9de40b87f6afcfdc27c05
+ * 06-9e-09, revision 0xd6: 4bacba8c598508e7dd4e87e179586abe7a1a987f
+ * 06-9e-0a, revision 0xd6: 4c236afeef9f80ff3a286698fe7cef72926722f0
+ * 06-9e-0b, revision 0xd6: 2f9ab9b2ba29559ce177632281d7290a24fed2ef
+ * 06-9e-0c, revision 0xd6: 4b9059e519bcab6085b6c103f5d99e509fe0b2bb
+ * 06-9e-0d, revision 0xd6: 3a3b7edfd8126bb34b761b46a32102a622047899
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version. For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2017-5715 ("Spectre"):
+ https://access.redhat.com/articles/3436091
+ * CVE-2018-3639 ("Speculative Store Bypass"):
+ https://access.redhat.com/articles/3540901
+ * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
+ https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
+ * CVE-2019-0117 (Intel SGX Information Leak),
+ CVE-2019-0123 (Intel SGX Privilege Escalation),
+ CVE-2019-11135 (TSX Asynchronous Abort),
+ CVE-2019-11139 (Voltage Setting Modulation):
+ https://access.redhat.com/solutions/2019-microcode-nov
+ * CVE-2020-0543 (Special Register Buffer Data Sampling),
+ CVE-2020-0548 (Vector Register Data Sampling),
+ CVE-2020-0549 (L1D Cache Eviction Sampling):
+ https://access.redhat.com/solutions/5142751
+
+The information regarding disabling microcode update is provided below.
+
+To disable usage of the newer microcode revision for a specific kernel
+version, please create a file "disallow-intel-06-8e-9e-0x-0xca" inside
+/lib/firmware/<kernel_version> directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
+used for late microcode updates, and run "dracut -f --kver <kernel_version>"
+so initramfs for this kernel version is regenerated, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8e-9e-0x-0xca
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+To disable usage of the newer microcode revision for all kernels, please create
+file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0x-0xca",
+run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
+used for late microcode updates, and run "dracut -f --regenerate-all"
+so initramfs images get regenerated, for example:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0xca
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.
diff --git a/SOURCES/06-8e-9e-0x-dell_config b/SOURCES/06-8e-9e-0x-dell_config
new file mode 100644
index 0000000..bc1fe2b
--- /dev/null
+++ b/SOURCES/06-8e-9e-0x-dell_config
@@ -0,0 +1,17 @@
+path intel-ucode/*
+vendor GenuineIntel
+## It is deemed that blacklisting all 06-[89]e-0x models on all hardware
+## in cases where no model filter is used is too broad, hence
+## no-model-mode=success.
+dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc."
+## The "kernel_early" statements are carried over from the intel caveat config
+## in order to avoid enabling this newer microcode on these problematic kernels;
+## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
+## (That also means that this caveat has to be enforced separately on these
+## kernels.)
+kernel_early 4.10.0
+kernel_early 3.10.0-930
+kernel_early 3.10.0-862.14.1
+kernel_early 3.10.0-693.38.1
+kernel_early 3.10.0-514.57.1
+kernel_early 3.10.0-327.73.1
diff --git a/SOURCES/06-8e-9e-0x-dell_disclaimer b/SOURCES/06-8e-9e-0x-dell_disclaimer
new file mode 100644
index 0000000..224a822
--- /dev/null
+++ b/SOURCES/06-8e-9e-0x-dell_disclaimer
@@ -0,0 +1,7 @@
+Some Dell systems that use some models of Intel CPUs are susceptible to hangs
+and system instability during or after microcode update to newer revisions.
+In order to address this, microcode update to these newer revision
+has been disabled by default on these systems, and the previously published
+microcode revisions are used by default for the OS-driven microcode update.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-8e-9e-0x-dell_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/06-8e-9e-0x-dell_readme b/SOURCES/06-8e-9e-0x-dell_readme
new file mode 100644
index 0000000..0c13193
--- /dev/null
+++ b/SOURCES/06-8e-9e-0x-dell_readme
@@ -0,0 +1,123 @@
+Some Dell systems that use some models of Intel CPUs are susceptible to hangs
+and system instability during or after microcode update to revision 0xc6/0xca
+(included as part of microcode-20191113/microcode-20191115 update that addressed
+CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139)
+and/or revision 0xd6 (included as part of microcode-20200609 update
+that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549)
+[1][2][3][4][5][6]. In order to address this, microcode update to the newer
+revision has been disabled by default on these systems, and the previously
+published microcode revisions 0xae/0xb4/0xb8 are used by default
+for the OS-driven microcode update.
+
+[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23
+[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
+[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33
+[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34
+[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35
+[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097
+
+This caveat contains latest microcode revisions publicly released by Intel;
+for the revision 0xca of the microcode files, please refer to caveat
+06-8e-9e-0x-0xca.
+
+For the reference, microarchitectures of the affected CPU models:
+ * Amber Lake-Y
+ * Kaby Lake-G/H/S/U/X/Y/Xeon E3
+ * Coffee Lake-H/S/U/Xeon E
+ * Comet Lake-U 4+2
+ * Whiskey Lake-U
+
+Family names of the affected CPU models:
+ * 7th Generation Intel® Core™ Processor Family
+ * 8th Generation Intel® Core™ Processor Family
+ * 9th Generation Intel® Core™ Processor Family
+ * 10th Generation Intel® Core™ Processor Family (selected models)
+ * Intel® Celeron® Processor G Series
+ * Intel® Celeron® Processor 5000 Series
+ * Intel® Core™ X-series Processors (i7-7740X, i5-7640X only)
+ * Intel® Pentium® Gold Processor Series
+ * Intel® Pentium® Processor Series (selected models)
+ * Intel® Xeon® Processor E Family
+ * Intel® Xeon® Processor E3 v6 Family
+
+SHA1 checksums of the microcode files containing microcode revisions
+in question:
+ * 06-8e-09, revision 0xb4: e253c95c29c3eef6576db851dfa069d82a91256f
+ * 06-8e-0a, revision 0xb4: 45bcba494be07df9eeccff9627578095a97fba4d
+ * 06-8e-0b, revision 0xb8: 3e54bf91d642ad81ff07fe274d0cfb5d10d09c43
+ * 06-8e-0c, revision 0xb8: bf635c87177d6dc4e067ec11e1caeb19d3c325f0
+ * 06-9e-09, revision 0xb4: 42f68eec4ddb79dd6be0c95c4ce60e514e4504b1
+ * 06-9e-0a, revision 0xb4: 37c7cb394dd36610b57943578343723da67d50f0
+ * 06-9e-0b, revision 0xb4: b5399109d0a5ce8f5fb623ff942da0322b438b95
+ * 06-9e-0c, revision 0xae: 131bce89e4d210de8322ffbc6bd787f1af66a7df
+ * 06-9e-0d, revision 0xb8: 22511b007d1df55558d115abb13a1c23ea398317
+
+ * 06-8e-09, revision 0xca: 9afa1bae40995207afef13247f114be042d88083
+ * 06-8e-0a, revision 0xca: 1d90291cc25e17dc6c36c764cf8c06b41fed4c16
+ * 06-8e-0b, revision 0xca: 3fb1246a6594eff5e2c2076c63c600d734f10777
+ * 06-8e-0c, revision 0xca: e871540671f59b4fa5d0d454798f09a4d412aace
+ * 06-9e-09, revision 0xca: b5eed11108ab7ac1e675fe75d0e7454a400ddd35
+ * 06-9e-0a, revision 0xca: e472304aaa2f3815a32822cb111ab3f43bf3dfe4
+ * 06-9e-0b, revision 0xca: 78f47c5162da680878ed057dc7c853f9737c524b
+ * 06-9e-0c, revision 0xca: f23848a009928796a153cb9e8f44522136969408
+ * 06-9e-0d, revision 0xca: c7a3d469469ee828ba9faf91b67af881fceec3b7
+
+ * 06-8e-09, revision 0xd6: 2272c621768437d20e602207752201e0966e5a8c
+ * 06-8e-0a, revision 0xd6: 0b145afb88e028e612f04c2a86385e7d7c3fefc4
+ * 06-8e-0b, revision 0xd6: c3831b05da83be54f3acc451a1bce90f75e2e9e5
+ * 06-8e-0c, revision 0xd6: 4b8938a93e23f4b5a2d9de40b87f6afcfdc27c05
+ * 06-9e-09, revision 0xd6: 4bacba8c598508e7dd4e87e179586abe7a1a987f
+ * 06-9e-0a, revision 0xd6: 4c236afeef9f80ff3a286698fe7cef72926722f0
+ * 06-9e-0b, revision 0xd6: 2f9ab9b2ba29559ce177632281d7290a24fed2ef
+ * 06-9e-0c, revision 0xd6: 4b9059e519bcab6085b6c103f5d99e509fe0b2bb
+ * 06-9e-0d, revision 0xd6: 3a3b7edfd8126bb34b761b46a32102a622047899
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version. For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2017-5715 ("Spectre"):
+ https://access.redhat.com/articles/3436091
+ * CVE-2018-3639 ("Speculative Store Bypass"):
+ https://access.redhat.com/articles/3540901
+ * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
+ https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
+ * CVE-2019-0117 (Intel SGX Information Leak),
+ CVE-2019-0123 (Intel SGX Privilege Escalation),
+ CVE-2019-11135 (TSX Asynchronous Abort),
+ CVE-2019-11139 (Voltage Setting Modulation):
+ https://access.redhat.com/solutions/2019-microcode-nov
+ * CVE-2020-0543 (Special Register Buffer Data Sampling),
+ CVE-2020-0548 (Vector Register Data Sampling),
+ CVE-2020-0549 (L1D Cache Eviction Sampling):
+ https://access.redhat.com/solutions/5142751
+
+The information regarding disabling microcode update is provided below.
+
+To disable usage of the newer microcode revision for a specific kernel
+version, please create a file "disallow-intel-06-8e-9e-0x-dell" inside
+/lib/firmware/<kernel_version> directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
+used for late microcode updates, and run "dracut -f --kver <kernel_version>"
+so initramfs for this kernel version is regenerated, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8e-9e-0x-dell
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+To disable usage of the newer microcode revision for all kernels, please create
+file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0x-dell",
+run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
+used for late microcode updates, and run "dracut -f --regenerate-all"
+so initramfs images get regenerated, for example:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-dell
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.
diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats
index 132d181..2220a09 100644
--- a/SOURCES/README.caveats
+++ b/SOURCES/README.caveats
@@ -191,6 +191,7 @@ separated by white space. Currently, the following options are supported:
it succeeds.
* "fail-all" - check fails if there was at least one device checked
and all the checked devices have matches, otherwise the check succeeds.
+ Default is "success-any".
An example of a check:
pci_config_val mode=success-all device=30 function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
It interprets 4 bytes at offset 0x84 of special files "config" under
@@ -202,7 +203,40 @@ separated by white space. Currently, the following options are supported:
of the aforementioned value, then the check is successful, otherwise
it fails (in accordance with "mode=success-all" semantics). This check fails
if "-m" option is not specified.
-
+ * "dmi" performs checks for specific values available in DMI sysfs files
+ (present under /sys/devices/virtual/dmi/id/). The check fails if file
+ is not readable. If "-m" option is specified, then the actual check
+ is skipped, and the check returns value in accordance with "no-model-mode"
+ parameter value (see below). Check arguments are a white-space-separated
+ list of "key=value" pairs. The following keys are supported:
+ * "key" - DMI file to check. Value can be one of the following: bios_date,
+ bios_vendor, bios_version, board_asset_tag, board_name, board_serial,
+ board_vendor, board_version, chassis_asset_tag, chassis_serial,
+ chassis_type, chassis_vendor, chassis_version, product_family,
+ product_name, product_serial, product_uuid, product_version, sys_vendor.
+ Default is empty string.
+ * "val" - a string to match DMI data against. Can be enclosed in single
+ or double quotes. Default is empty string.
+ * "mode" - check mode, the way matches are interpreted:
+ * "success-equal" - returns 0 if the value present in the file
+ with the name supplied via the "key" parameter file under
+ /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
+ of "val" parameter, otherwise 1.
+ * "success-equal" - returns 1 if the value present in the file
+ with the name supplied via the "key" parameter file under
+ /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
+ of "val" parameter, otherwise 0.
+ Default is "success-any".
+ * "no-model-mode" - return value if model filter ("-m" option)
+ is not enabled:
+ * "success" - return 0.
+ * "fail" - return 1.
+ Default is "success".
+ An example of a check:
+ dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc."
+ It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its
+ content is "Dell Inc." (without quotes). It succeeds if "-m" option
+ is not enabled.
check_caveats script
@@ -561,6 +595,41 @@ Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03.
Mitigation: previously published microcode revision 0xd6 is used by default.
+Dell caveats
+------------
+Some Dell systems that use some models of Intel CPUs are susceptible to hangs
+and system instability during or after microcode update to revision 0xc6/0xca
+(included as part of microcode-20191113/microcode-20191115 update that addressed
+CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139)
+and/or revision 0xd6 (included as part of microcode-20200609 update
+that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549)
+[1][2][3][4][5][6]. In order to address this, microcode update to the newer
+revision has been disabled by default on these systems, and the previously
+published microcode revisions 0xae/0xb4/0xb8 are used by default
+for the OS-driven microcode update.
+
+[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23
+[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
+[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33
+[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34
+[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35
+[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097
+
+Caveat names: intel-06-8e-9e-0x-dell, intel-06-8e-9e-0x-0xca
+
+Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a,
+ intel-ucode/06-8e-0b, intel-ucode/06-8e-0c,
+ intel-ucode/06-9e-09, intel-ucode/06-9e-0a,
+ intel-ucode/06-9e-0b, intel-ucode/06-9e-0c,
+ intel-ucode/06-9e-0d.
+
+Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
+ by default if /sys/devices/virtual/dmi/id/bios_vendor reports
+ "Dell Inc."; otherwise, the latest microcode revision is used.
+ Caveat with revision 0xca of microcode files is provided
+ as a convenience for the cases where it was working well before.
+
+
Additional information
======================
diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats
index f43fb4a..ab02a02 100755
--- a/SOURCES/check_caveats
+++ b/SOURCES/check_caveats
@@ -138,7 +138,7 @@ check_kver()
# [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
# [2] https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13
#
-# $1 - params in config file, space-spearated, in key=value form:
+# $1 - params in config file, space-separated, in key=value form:
# domain=* - PCI domain, '*' or number
# bus=* - PCI bus, '*' or number
# device=* - PCI device, '*' or number
@@ -258,6 +258,100 @@ check_pci_config_val()
)
}
+# It is needed for filtering by BIOS vendor name that is available in DMI data
+#
+# $1 - params in config file, space-separated, in key=value form:
+# key= - DMI value to check. Can be one of the following: bios_date,
+# bios_vendor, bios_version, board_asset_tag, board_name, board_serial,
+# board_vendor, board_version, chassis_asset_tag, chassis_serial,
+# chassis_type, chassis_vendor, chassis_version, product_family,
+# product_name, product_serial, product_uuid, product_version,
+# sys_vendor.
+# val= - a string to match DMI data against. Can be enclosed in single
+# or double quotes.
+# mode=success-equal [ success-equal, fail-equal ] - matching mode:
+# success-equal: Returns 0 if the value present in the corresponding file
+# under /sys/devices/virtual/dmi/id/<key> is equal
+# to the value supplied as a value of "val" parameter,
+# otherwise 1.
+# fail-equal: Returns 1 if the value present in the corresponding file
+# under /sys/devices/virtual/dmi/id/<key> is equal
+# to the value supplied as a value of "val" parameter,
+# otherwise 0.
+# no-model-mode=success [ success, fail ] - return value if model filter
+# is not enabled:
+# success: Return 0.
+# fail: Return 1.
+# $2 - whether model filter is engaged (if it is not '1', just return the result
+# based on "mode" value that assumes that the check has failed).
+check_dmi_val()
+{
+ local key= val= mode='success-equal' nm_mode='success'
+ local opts="${1:-}" opt= opt_=
+ local match_model="${2:0}"
+
+ local valid_keys=" bios_date bios_vendor bios_version board_asset_tag board_name board_serial board_vendor board_version chassis_asset_tag chassis_serial chassis_type chassis_vendor chassis_version product_family product_name product_serial product_uuid product_version sys_vendor "
+ local success=1
+
+ while [ -n "$opts" ]; do
+ opt="${opts%%[ ]*}"
+ [ -n "${opt}" ] || { opts="${opts#[ ]}"; continue; }
+
+ [ "x${opt#key=}" = "x${opt}" ] || key="${opt#key=}"
+ [ "x${opt#mode=}" = "x${opt}" ] || mode="${opt#mode=}"
+ [ "x${opt#no-model-mode=}" = "x${opt}" ] || \
+ nm_mode="${opt#no-model-mode=}"
+
+ # Handle possible quoting
+ [ "x${opt#val=}" = "x${opt}" ] || {
+ case "${opt#val=}" in
+ [']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val=\'${val}\'" ;;
+ ["]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;;
+ *) val="${opt#val=}" ;;
+ esac
+ }
+
+ opts="${opts#"${opt}"}"
+ continue
+ done
+
+ # Check key for validity
+ [ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
+ debug "Invalid \"key\" parameter value: \"${key}\""
+ echo 2
+ exit
+ }
+
+ [ 1 = "$match_model" ] || {
+ case "$nm_mode" in
+ success) echo 0 ;;
+ fail) echo 1 ;;
+ *)
+ debug "Invalid no-model-mode value: \"${nm_mode}\""
+ echo 2
+ ;;
+ esac
+
+ exit
+ }
+
+ [ -r "/sys/devices/virtual/dmi/id/${key}" ] || {
+ debug "Can't access /sys/devices/virtual/dmi/id/${key}"
+ echo 3
+ exit
+ }
+
+ file_val="$(cat "/sys/devices/virtual/dmi/id/${key}")"
+
+ [ "x${val}" = "x${file_val}" ] || success=0
+
+ case "$mode" in
+ success-equal) echo "$((1 - $success))" ;;
+ fail-equal) echo "${success}" ;;
+ *) debug "Invalid mode value: \"${nm_mode}\""; echo 2 ;;
+ esac
+}
+
# Provides model in format "VENDOR_ID FAMILY-MODEL-STEPPING"
#
# We check only the first processor as we don't expect non-symmetrical setups
@@ -400,6 +494,7 @@ for cfg in $(echo "${configs}"); do
cfg_mc_min_ver_late=
cfg_disable=
cfg_pci=
+ cfg_dmi=
while read -r key value; do
case "$key" in
@@ -426,11 +521,19 @@ for cfg in $(echo "${configs}"); do
;;
blacklist)
cfg_blacklist=1
+ # "blacklist" is special: it stops entity parsing,
+ # and the rest of file is a list of blacklisted model
+ # names.
+ break
;;
pci_config_val)
cfg_pci="$cfg_pci
$value"
;;
+ dmi)
+ cfg_dmi="$cfg_dmi
+ $value"
+ ;;
'#'*|'')
continue
;;
@@ -639,6 +742,29 @@ for cfg in $(echo "${configs}"); do
}
fi
+ # Check DMI data if model filter is enabled
+ # Note that the model filter check is done inside check_pci_config_val
+ # based on the 'mode=' parameter.
+ if [ -n "$cfg_dmi" ]; then
+ dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line
+ do
+ [ -n "$dmi_line" ] || continue
+ dmi_res=$(check_dmi_val "$dmi_line" \
+ "$match_model")
+ [ 0 != "$dmi_res" ] || continue
+ echo "$dmi_res $dmi_line"
+ break
+ done
+ echo "0 ")"
+
+ [ -z "${dmi_line#* }" ] || {
+ debug "DMI data check '${dmi_line#* }'" \
+ "failed (with return code ${dmi_line%% *})"
+ fail
+ continue
+ }
+ fi
+
ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path"
done
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec
index a0aebed..b425ef5 100644
--- a/SPECS/microcode_ctl.spec
+++ b/SPECS/microcode_ctl.spec
@@ -12,8 +12,8 @@
Summary: CPU microcode updates for Intel x86 processors
Name: microcode_ctl
-Version: 20191115
-Release: 4.%{intel_ucode_version}.1%{?dist}
+Version: %{intel_ucode_version}
+Release: 2%{?dist}
Epoch: 4
License: CC0 and Redistributable, no modification permitted
URL: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
@@ -29,6 +29,11 @@ Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Fi
Source4: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-4e-03
Source5: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-5e-03
+# microcode-20190918 release,containing revision 0xb4/0xb8 of 06-[89]e-0X microcode
+Source6: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20190918.tar.gz
+# microcode-20191115 release,containing revision 0xca of 06-[89]e-0X microcode
+Source7: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20191115.tar.gz
+
# systemd unit
Source10: microcode.service
@@ -86,6 +91,25 @@ Source150: 06-5e-03_readme
Source151: 06-5e-03_config
Source152: 06-5e-03_disclaimer
+# Dell 06-[89]e-0x hangs - intermediate 0xca microcode revision
+# https://bugzilla.redhat.com/show_bug.cgi?id=1807960
+# https://bugzilla.redhat.com/show_bug.cgi?id=1846097
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
+# https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1862751
+Source160: 06-8e-9e-0x-0xca_readme
+Source161: 06-8e-9e-0x-0xca_config
+Source162: 06-8e-9e-0x-0xca_disclaimer
+
+# Dell 06-[89]e-0x hangs - latest microcode revision
+# https://bugzilla.redhat.com/show_bug.cgi?id=1807960
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33
+# https://bugs.debian.org/962757
+# https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1882943
+Source170: 06-8e-9e-0x-dell_readme
+Source171: 06-8e-9e-0x-dell_config
+Source172: 06-8e-9e-0x-dell_disclaimer
+
# "Provides:" RPM tags generator
Source200: gen_provides.sh
@@ -133,6 +157,18 @@ cp "%{SOURCE4}" intel-ucode/
mv intel-ucode/06-5e-03 intel-ucode-with-caveats/
cp "%{SOURCE5}" intel-ucode/
+# Replacing the latest 06-[89]e-0x caveat with pre-20191112 version
+mv intel-ucode/06-[89]e-0* intel-ucode-with-caveats/
+tar xvvf "%{SOURCE6}" --wildcards --strip-components=1 \
+ '*/intel-ucode/06-[89]e-0*'
+
+# Unpacking intermediate 06-[89]e-0x microcode revision 0xca (from microcode-20191115)
+mkdir -p intel-ucode-0xca
+pushd intel-ucode-0xca
+tar xvvf "%{SOURCE7}" --wildcards --strip-components=2 \
+ '*/intel-ucode/06-[89]e-0*'
+popd
+
:
%install
@@ -177,7 +213,7 @@ install -m 644 releasenote \
# caveats
install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \
- "%{SOURCE140}" "%{SOURCE150}" \
+ "%{SOURCE140}" "%{SOURCE150}" "%{SOURCE160}" "%{SOURCE170}" \
-t "%{buildroot}/%{_pkgdocdir}/caveats/"
@@ -231,6 +267,22 @@ install -m 644 "%{SOURCE150}" "%{skl_hs_inst_dir}/readme"
install -m 644 "%{SOURCE151}" "%{skl_hs_inst_dir}/config"
install -m 644 "%{SOURCE152}" "%{skl_hs_inst_dir}/disclaimer"
+# Dell 06-[89]e-0x 0xca caveat
+%define dell_0xca_inst_dir %{buildroot}/%{caveat_dir}/intel-06-8e-9e-0x-0xca/
+install -m 755 -d "%{dell_0xca_inst_dir}/intel-ucode"
+install -m 644 intel-ucode-0xca/06-[89]e-0? -t "%{dell_0xca_inst_dir}/intel-ucode/"
+install -m 644 "%{SOURCE160}" "%{dell_0xca_inst_dir}/readme"
+install -m 644 "%{SOURCE161}" "%{dell_0xca_inst_dir}/config"
+install -m 644 "%{SOURCE162}" "%{dell_0xca_inst_dir}/disclaimer"
+
+# Dell 06-[89]e-0x latest caveat
+%define dell_latest_inst_dir %{buildroot}/%{caveat_dir}/intel-06-8e-9e-0x-dell/
+install -m 755 -d "%{dell_latest_inst_dir}/intel-ucode"
+install -m 644 intel-ucode-with-caveats/06-[89]e-0? -t "%{dell_latest_inst_dir}/intel-ucode/"
+install -m 644 "%{SOURCE170}" "%{dell_latest_inst_dir}/readme"
+install -m 644 "%{SOURCE171}" "%{dell_latest_inst_dir}/config"
+install -m 644 "%{SOURCE172}" "%{dell_latest_inst_dir}/disclaimer"
+
%post
%systemd_post microcode.service
@@ -461,30 +513,33 @@ rm -rf %{buildroot}
%changelog
-* Mon Jun 15 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-4.20200609.1
-- Update Intel CPU microcode to microcode-20200609 release (#1848504):
+* Mon Jun 22 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20200609-2
+- Blacklist latest microcode revision for 06-[89]e-0x CPUs (AML-Y,
+ CFL-H/S/U/Xeon E, CML-Y, KBL-G/H/S/X/U/Y/Xeon E3 v6, WHL-U) on Dell systems,
+ use revision 0xae/0xb4/0xb8 by default, provide the latest revision
+ and intermediate revision 0xca in caveats (#1807960, #1846097).
+
+* Mon Jun 15 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20200609-1
+- Update Intel CPU microcode to microcode-20200609 release (#1845967):
- Fixed a typo in the release note file.
-* Mon Jun 15 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-4.20200602.5
+* Mon Jun 15 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20200602-5
- Enable 06-2d-07 (SNB-E/EN/EP) caveat by default.
-* Mon Jun 15 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-4.20200602.4
+* Mon Jun 15 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20200602-4
- Enable 06-55-04 (SKL-X/W) caveat by default.
-* Sun Jun 14 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-4.20200602.3
+* Sun Jun 14 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20200602-3
- Do not update 06-4e-03 (SKL-U/Y) and 06-5e-03 (SKL-H/S/Xeon E3 v5) to revision
- 0xdc, use 0xd6 by default (#1848440).
+ 0xdc, use 0xd6 by default (#1846119).
-* Thu Jun 04 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-4.20200602.2
-- Avoid temporary file creation, used for here-documents in check_caveats.
+* Thu Jun 04 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20200602-2
+- Avoid temporary file creation, used for here-documents in check_caveats
+ (#1839163).
-* Wed Jun 03 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-4.20200602.1
+* Wed Jun 03 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20200602-1
- Update Intel CPU microcode to microcode-20200602 release, addresses
- CVE-2020-0543, CVE-2020-0548, CVE-2020-0549 (#1827183):
- - Update of 06-2d-06/0x6d (SNB-E/EN/EP C1/M0) microcode from revision 0x61f
- up to 0x621;
- - Update of 06-2d-07/0x6d (SNB-E/EN/EP C2/M1) microcode from revision 0x718
- up to 0x71a;
+ CVE-2020-0543, CVE-2020-0548, CVE-2020-0549 (#1795354, #1795356, #1827184):
- Update of 06-3c-03/0x32 (HSW C0) microcode from revision 0x27 up to 0x28;
- Update of 06-3d-04/0xc0 (BDW-U/Y E0/F0) microcode from revision 0x2e
up to 0x2f;
@@ -506,8 +561,6 @@ rm -rf %{buildroot}
up to 0x5002f01;
- Update of 06-5e-03/0x36 (SKL-H/S R0/N0) microcode from revision 0xd6
up to 0xdc;
- - Update of 06-7e-05/0x80 (ICL-U/Y D1) microcode from revision 0x46
- up to 0x78;
- Update of 06-8e-09/0x10 (AML-Y22 H0) microcode from revision 0xca
up to 0xd6;
- Update of 06-8e-09/0xc0 (KBL-U/Y H0) microcode from revision 0xca
@@ -526,16 +579,28 @@ rm -rf %{buildroot}
- Update of 06-9e-0c/0x22 (CFL-H/S P0) microcode from revision 0xca
up to 0xd6;
- Update of 06-9e-0d/0x22 (CFL-H R0) microcode from revision 0xca up to 0xd6.
+
+* Fri May 22 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20200520-1
+- Update Intel CPU microcode to microcode-20200520 release (#1783103):
+ - Update of 06-2d-06/0x6d (SNB-E/EN/EP C1/M0) microcode from revision 0x61f
+ up to 0x621;
+ - Update of 06-2d-07/0x6d (SNB-E/EN/EP C2/M1) microcode from revision 0x718
+ up to 0x71a.
+
+* Tue May 12 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20200508-1
+- Update Intel CPU microcode to microcode-20200508 release (#1783103):
+ - Update of 06-7e-05/0x80 (ICL-U/Y D1) microcode from revision 0x46
+ up to 0x78.
- Change the URL to point to the GitHub repository since the microcode download
section at Intel Download Center does not exist anymore.
-* Wed Jun 03 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-4.20191115.6
+* Thu May 07 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-6
- Narrow down SKL-SP/W/X blacklist to exclude Server/FPGA/Fabric segment
- models.
+ models (#1833036).
-* Wed Jun 03 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-4.20191115.5
+* Wed Apr 29 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-5
- Re-generate initramfs not only for the currently running kernel,
- but for several recently installed kernels as well.
+ but for several recently installed kernels as well (#1773338).
* Mon Dec 09 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-4
- Avoid find being SIGPIPE'd on early "grep -q" exit in the dracut script