diff --git a/.gitignore b/.gitignore index ccaec8a..84142de 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ SOURCES/06-2d-07 -SOURCES/microcode-20191112.pre.tar.gz +SOURCES/06-55-04 +SOURCES/microcode-20191115.tar.gz SOURCES/microcode_ctl-2.1-18.tar.xz diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata index 30eec48..cc2b497 100644 --- a/.microcode_ctl.metadata +++ b/.microcode_ctl.metadata @@ -1,3 +1,4 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07 -7f4a43a1e7d06c7d67e602b43009fa7a39e6d102 SOURCES/microcode-20191112.pre.tar.gz +2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04 +774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz 3959afc5d69a916a730131ce0f768db263e9e4f1 SOURCES/microcode_ctl-2.1-18.tar.xz diff --git a/SOURCES/06-2d-07_readme b/SOURCES/06-2d-07_readme index bfb8743..60c20d4 100644 --- a/SOURCES/06-2d-07_readme +++ b/SOURCES/06-2d-07_readme @@ -1,6 +1,6 @@ -Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6, model 45, stepping 7) has issues -with MDS-related microcode update that may lead to a system hang after -a microcode update. In order to address this, microcode update +Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7) +have issues with MDS-related microcode update that may lead to a system hang +after a microcode update. In order to address this, microcode update to the MDS-related revision 0x718 has been disabled, and the previously published microcode revision 0x714 is used by default for the OS-driven microcode update. 
@@ -26,12 +26,12 @@ to the following knowledge base articles: The information regarding enforcing microcode load is provided below. -To enforce usage of this microcode revision, please create a file -"force-intel-06-2d-07" inside /lib/firmware/ directory, -run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware +To enforce usage of the 0x718 microcode revision for a specific kernel version, +please create file "force-intel-06-2d-07" inside /lib/firmware/ +directory, run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory where microcode will be available for late microcode update, -and run "dracut -f --kver 3.10.0-862.9.1", so initramfs for this version -is regenerated and the microcode can be loaded early: +and run "dracut -f --kver ", so initramfs for this kernel +version is regenerated and the microcode can be loaded early, for example: touch /lib/firmware/3.10.0-862.9.1/force-intel-06-2d-07 /usr/libexec/microcode_ctl/update_ucode @@ -41,7 +41,7 @@ After that, it is possible to perform a late microcode update by executing "/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to "/sys/devices/system/cpu/microcode/reload" directly. -To enforce addition of this microcode for all kernels, please create a file +To enforce addition of this microcode for all kernels, please create file "/etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07", run "/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, and "dracut -f --regenerate-all" for enabling early microcode updates: diff --git a/SOURCES/06-55-04_config b/SOURCES/06-55-04_config new file mode 100644 index 0000000..6ba6d76 --- /dev/null +++ b/SOURCES/06-55-04_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-55-04 +path intel-ucode/06-55-04 +disable early late diff --git a/SOURCES/06-55-04_disclaimer b/SOURCES/06-55-04_disclaimer new file mode 100644 index 0000000..238d233 --- /dev/null +++ b/SOURCES/06-55-04_disclaimer 
@@ -0,0 +1,6 @@
+Microcode revision 0x2000065 for Intel Skylake-SP/X/W (family 6, model 85,
+stepping 4; CPUID 0x50654) CPUs that has been included into microcode-20191112
+release is disabled as it may cause system instability and the previous revision
+0x2000064 is used instead.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-04_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme
new file mode 100644
index 0000000..41fb757
--- /dev/null
+++ b/SOURCES/06-55-04_readme
@@ -0,0 +1,61 @@
+Intel Skulake Scalable Platform CPU models (SKL-SP/W/X, family 6, model 85,
+stepping 4) have reports of system hangs when revision 0x2000065 of microcode,
+that is included since microcode-20191112 update, is applied. In order
+to address this, microcode update to this revision has been disabled,
+and the previously published microcode revision 0x2000064 is used by default
+for the OS-driven microcode update.
+
+For the reference, SHA1 checksums of 06-55-04 microcode files containing
+microcode revisions in question are listed below:
+ * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
+ * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version. For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2017-5715 ("Spectre"):
+ https://access.redhat.com/articles/3436091
+ * CVE-2018-3639 ("Speculative Store Bypass"):
+ https://access.redhat.com/articles/3540901
+ * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
+ https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
+ * CVE-2019-0117 (Intel SGX Information Leak),
+ CVE-2019-0123 (Intel SGX Privilege Escalation),
+ CVE-2019-11135 (TSX Asynchronous Abort),
+ CVE-2019-11139 (Voltage Setting Modulation):
+ https://access.redhat.com/solutions/2019-microcode-nov
+
+The information regarding enforcing microcode update is provided below.
+
+To enforce usage of the 0x2000065 microcode revision for a specific kernel
+version, please create a file "force-intel-06-55-04" inside
+/lib/firmware/ directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
+where microcode will be available for late microcode update, and run
+"dracut -f --kver ", so initramfs for this kernel version
+is regenerated and the microcode can be loaded early, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-04
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+After that, it is possible to perform a late microcode update by executing
+"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
+"/sys/devices/system/cpu/microcode/reload" directly.
+
+To enforce addition of this microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04", run
+"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
+and "dracut -f --regenerate-all" for enabling early microcode updates:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.
diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats
index 97ae7bc..263a40b 100644
--- a/SOURCES/README.caveats
+++ b/SOURCES/README.caveats
@@ -392,9 +392,11 @@ when a microcode update performed on a kernel that contains those changes. As a result, microcode update for this CPU model is disabled by default; the microcode file, however, is still shipped as a part of microcode_ctl package and can be used for performing a microcode update if it is enforced -via the aforementioned overriddes. (See sections "check_caveats script" +via the aforementioned overrides. (See the sections "check_caveats script" and "reload_microcode script" for details.) +Caveat name: intel-06-4f-01 + Affected microcode: intel-ucode/06-4f-01. Mitigation: microcode loading is disabled for the affected CPU model. @@ -421,9 +423,12 @@ from a cpio archive placed at the beginning of the initramfs image. However, when an early microcode update is attempted inside some virtualised environments, that may result in unexpected system behaviour. +Caveat name: intel + Affected microcode: all. -Mitigation: early microcode loading is disabled for all CPU models. +Mitigation: early microcode loading is disabled for all CPU models on kernels +without the fix. Minimum versions of the kernel package that contain the fix: - Upstream/RHEL 8: 4.10.0 
@@ -441,14 +446,35 @@ MDS-related microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP In order to address this, this microcode update is not used and the previous microcode revision is provided instead by default; the microcode file, however, is still shipped as part of microcode_ctl package and can be used for performing -a microcode update if it is enforced via the aforementioned overriddes. (See -sections "check_caveats script" and "reload_microcode script" for details.) +a microcode update if it is enforced via the aforementioned overrides. (See +the sections "check_caveats script" and "reload_microcode script" for details.) + +Caveat name: intel-06-2d-07 Affected microcode: intel-ucode/06-2d-07. Mitigation: previously published microcode revision 0x714 is used by default. +Intel Skylake-SP/W/X caveat +--------------------------- +Microcode revision 0x2000065 for Intel Skylake Scalable Platform (SKL-SP/W/X, +family 6, model 85, stepping 4) may lead to system instability. +In order to address this, this microcode update is not used and the previous +microcode revision is provided instead by default; the microcode file, however, +is still shipped as part of microcode_ctl package and can be used for performing +a microcode update if it is enforced via the aforementioned overrides. +(See the sections "check_caveats script" and "reload_microcode script" +for details.) + +Caveat name: intel-06-55-04 + +Affected microcode: intel-ucode/06-55-04. + +Mitigation: previously published microcode revision 0x2000064 is used +by default. + + Additional information ====================== 
@@ -458,8 +484,7 @@ whether more recent BIOS/firmware updates are recommended because additional improvements may be available. Information regarding microcode revisions required for mitigating specific -microarchitectural side-channel attacks is available in the following -knowledge base articles: +Intel CPU vulnerabilities is available in the following knowledge base articles: * CVE-2017-5715 ("Spectre"): https://access.redhat.com/articles/3436091 * CVE-2018-3639 ("Speculative Store Bypass"): @@ -469,3 +494,8 @@ knowledge base articles: * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 ("Microarchitectural Data Sampling"): https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov diff --git a/SOURCES/gen_provides.sh b/SOURCES/gen_provides.sh index 0ecf7aa..c0c6b1d 100755 --- a/SOURCES/gen_provides.sh +++ b/SOURCES/gen_provides.sh @@ -1,4 +1,4 @@ -#! /bin/bash -efux +#! /bin/bash -efu # Generator of RPM "Provides:" tags for Intel microcode files. # diff --git a/SOURCES/microcode_ctl-use-microcode-20191112-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20191112-tgz.patch deleted file mode 100644 index 0abecf8..0000000 --- a/SOURCES/microcode_ctl-use-microcode-20191112-tgz.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: microcode_ctl-2.1-18/Makefile -=================================================================== ---- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200 -+++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200 -@@ -8,7 +8,7 @@ - # 2 of the License, or (at your option) any later version. - - PROGRAM = intel-microcode2ucode --MICROCODE_INTEL = microcode-20180703.tgz -+MICROCODE_INTEL = microcode-20191112.pre.tar.gz - - INS = install - CC = gcc 
diff --git a/SOURCES/microcode_ctl-use-microcode-20191115-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20191115-tgz.patch new file mode 100644 index 0000000..0548343 --- /dev/null +++ b/SOURCES/microcode_ctl-use-microcode-20191115-tgz.patch @@ -0,0 +1,13 @@ +Index: microcode_ctl-2.1-18/Makefile +=================================================================== +--- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200 ++++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200 +@@ -8,7 +8,7 @@ + # 2 of the License, or (at your option) any later version. + + PROGRAM = intel-microcode2ucode +-MICROCODE_INTEL = microcode-20180703.tgz ++MICROCODE_INTEL = microcode-20191115.tar.gz + + INS = install + CC = gcc diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec index 8e8f528..c57d8c1 100644 --- a/SPECS/microcode_ctl.spec +++ b/SPECS/microcode_ctl.spec @@ -1,5 +1,5 @@ %define upstream_version 2.1-18 -%define intel_ucode_version 20191112 +%define intel_ucode_version 20191115 %define intel_ucode_file_id 28727 %define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats 
@@ -22,16 +22,19 @@ Summary: Tool to transform and deploy CPU microcode update for x86. Name: microcode_ctl Version: 2.1 -Release: 53.3%{?dist} +Release: 53.7%{?dist} Epoch: 2 Group: System Environment/Base License: GPLv2+ and Redistributable, no modification permitted URL: https://pagure.io/microcode_ctl Source0: https://releases.pagure.org/microcode_ctl/%{name}-%{upstream_version}.tar.xz -Source1: microcode-%{intel_ucode_version}.pre.tar.gz +Source1: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz # (Pre-MDS) revision 0x714 of 06-2d-07 microcode Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07 +# (Pre-20191112) revision 0x2000064 of 06-55-04 microcode +Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04 + # systemd unit Source10: microcode.service @@ -72,6 +75,12 @@ Source120: 06-2d-07_readme Source121: 06-2d-07_config Source122: 06-2d-07_disclaimer +# SKL-SP/W/X (CPUID 0x50654) post-20191112 hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 +Source130: 06-55-04_readme +Source131: 06-55-04_config +Source132: 06-55-04_disclaimer + # "Provides:" RPM tags generator Source200: gen_provides.sh @@ -104,6 +113,10 @@ back to the old microcode. %prep %setup -q -n %{name}-%{upstream_version} + +tar xf "%{SOURCE1}" --wildcards --strip-components=1 \ + \*/intel-ucode-with-caveats \*/license \*/releasenote + %patch1 -p1 %patch2 -p1 
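Review bot: Nothing in the spec ties the file fetched for `Source3` to revision 0x2000064: it is pulled from a tag-named GitHub URL, as `Source1` now is, and the only pin visible in this commit is the SHA1 line in `.microcode_ctl.metadata`. I would record the expected digest next to the declaration, e.g. `# (Pre-20191112) revision 0x2000064 of 06-55-04 microcode, SHA1 2e405644a145de0f55517b6a9de118eec8ec1e5a`, which is the value both the metadata file and 06-55-04_readme list. The later hunk that runs `cp "%{SOURCE3}" intel-ucode/` is where a `sha1sum -c` check against that digest would fit, so that a build which obtains the sources without the metadata check fails instead of packaging a different blob as the default microcode.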
@@ -131,13 +144,14 @@ make CFLAGS="$RPM_OPT_FLAGS" %{?_smp_mflags} #find intel-ucode -type f | sed 's/^/%%ghost \/lib\/firmware\//' > ghost_list touch ghost_list -tar xf "%{SOURCE1}" --wildcards --strip-components=1 \ - \*/intel-ucode-with-caveats \*/license \*/releasenote - # replacing SNB-EP (CPUID 0x206d7) microcode with pre-MDS version mv intel-ucode/06-2d-07 intel-ucode-with-caveats/ cp "%{SOURCE2}" intel-ucode/ +# replacing SKL-SP/W/X (CPUID 0x50654) microcode with pre-20191112 version +mv intel-ucode/06-55-04 intel-ucode-with-caveats/ +cp "%{SOURCE3}" intel-ucode/ + # man page sed "%{SOURCE40}" \ -e "s/@DATE@/2019-05-09/g" \ @@ -188,7 +202,7 @@ install -m 644 releasenote \ "%{buildroot}/%{_pkgdocdir}/RELEASE_NOTES.intel-ucode" # caveats -install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" \ +install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \ -t "%{buildroot}/%{_pkgdocdir}/caveats/" # Man page @@ -222,9 +236,18 @@ install -m 644 "%{SOURCE120}" "%{snb_inst_dir}/readme" install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config" install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer" +# SKL-SP caveat +%define skl_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/ +install -m 755 -d "%{skl_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE130}" "%{skl_inst_dir}/readme" +install -m 644 "%{SOURCE131}" "%{skl_inst_dir}/config" +install -m 644 "%{SOURCE132}" "%{skl_inst_dir}/disclaimer" + # Cleanup rm -f intel-ucode-with-caveats/06-4f-01 rm -f intel-ucode-with-caveats/06-2d-07 +rm -f intel-ucode-with-caveats/06-55-04 rmdir intel-ucode-with-caveats rm -rf intel-ucode 
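Review bot: The `mv intel-ucode/06-55-04 intel-ucode-with-caveats/` and `cp "%{SOURCE3}" intel-ucode/` pair in the first hunk is unconditional, so after the next `intel_ucode_version` bump whatever 06-55-04 revision the new tarball carries would still be moved into the caveat directory and 0x2000064 shipped by default. The 06-55-04_config added in this commit is `disable early late` with no revision condition visible, so affected hosts would presumably stay on the older revision even once a fixed one is published. A guard before the `mv` would turn that into a build failure to be re-evaluated: `echo "f27f12b9d53f492c297afd856cdbc596786fad23  intel-ucode/06-55-04" | sha1sum -c -`, using the digest 06-55-04_readme gives for revision 0x2000065 and assuming the 20191115 tarball still carries that file. The existing 06-2d-07 swap just above follows the same unconditional pattern.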
@@ -350,6 +373,50 @@ rm -rf %{buildroot} %changelog +* Mon Dec 02 2019 Eugene Syromiatnikov - 2:2.1-53.7 +- Do not update 06-55-04 (SKL-SP/W/X) to revision 0x2000065, use 0x2000064 + by default (#1774329). + +* Wed Nov 20 2019 Eugene Syromiatnikov - 2:2.1-53.6 +- Update Intel CPU microcode to microcode-20191115 release: + - Update of 06-4e-03/0xc0 (SKL-U/Y D0) from revision 0xd4 up to 0xd6; + - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) from revision 0xd4 + up to 0xd6; + - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) from revision 0xc6 up to 0xca; + - Update of 06-8e-09/0xc0 (KBL-U/Y H0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0b/0xd0 (WHL-U W0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0c/0x94 (AML-Y V0, CML-U 4+2 V0, WHL-U V0) from revision + 0xc6 up to 0xca; + - Update of 06-9e-09/0x2a (KBL-G/X H0, KBL-H/S/Xeon E3 B0) from revision 0xc6 + up to 0xca; + - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0b/0x02 (CFL-S B0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0c/0x22 (CFL-S/Xeon E P0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0d/0x22 (CFL-H/S R0) from revision 0xc6 up to 0xca; + - Update of 06-a6-00/0x80 (CML-U 6+2 A0) from revision 0xc6 up to 0xca. + +* Wed Nov 20 2019 Eugene Syromiatnikov - 2:2.1-53.5 +- Update Intel CPU microcode to microcode-20191113 release: + - Update of 06-9e-0c (CFL-H/S P0) microcode from revision 0xae up to 0xc6. +- Drop 0001-releasenote-changes-summary-fixes.patch. 
+ +* Wed Nov 20 2019 Eugene Syromiatnikov - 2:2.1-53.4 +- Package the publicy available microcode-20191112 release (#1773962): + - Addition of 06-4d-08/0x1 (AVN B0/C0) microcode at revision 0x12d; + - Addition of 06-55-06/0xbf (CSL-SP B0) microcode at revision 0x400002c; + - Addition of 06-7a-08/0x1 (GLK R0) microcode at revision 0x16; + - Update of 06-55-03/0x97 (SKL-SP B1) microcode from revision 0x1000150 + up to 0x1000151; + - Update of 06-55-04/0xb7 (SKL-SP H0/M0/U0, SKL-D M1) microcode from revision + 0x2000064 up to 0x2000065; + - Update of 06-55-07/0xbf (CSL-SP B1) microcode from revision 0x500002b + up to 0x500002c; + - Update of 06-7a-01/0x1 (GLK B0) microcode from revision 0x2e up to 0x32; +- Include 06-9e-0c (CFL-H/S P0) microcode from the microcode-20190918 release. +- Correct the releasenote file (0001-releasenote-changes-summary-fixes.patch). +- Update README.caveats with the link to the new Knowledge Base article. + * Thu Nov 07 2019 Eugene Syromiatnikov - 2:2.1-53.3 - Intel CPU microcode update to 20191112, addresses CVE-2017-5715, CVE-2019-0117, CVE-2019-11135, CVE-2019-11139 (#1764050, #1764070, #1764949,