diff --git a/.gitignore b/.gitignore
index c8a5f5d..b1f1a65 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,5 +2,5 @@ SOURCES/06-2d-07
 SOURCES/06-4e-03
 SOURCES/06-55-04
 SOURCES/06-5e-03
-SOURCES/microcode-20210525.tar.gz
+SOURCES/microcode-20210608.tar.gz
 SOURCES/microcode_ctl-2.1-18.tar.xz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index ca73b24..2472d5c 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -2,5 +2,5 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
 06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03
 2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
-000cb9ab3260786611f3481bf82d3c32506e91ae SOURCES/microcode-20210525.tar.gz
+68f7344d874d50f4c8d836f01abc497707d0baa2 SOURCES/microcode-20210608.tar.gz
 3959afc5d69a916a730131ce0f768db263e9e4f1 SOURCES/microcode_ctl-2.1-18.tar.xz
diff --git a/SOURCES/06-2d-07_config b/SOURCES/06-2d-07_config
index 979455d..99a8ed7 100644
--- a/SOURCES/06-2d-07_config
+++ b/SOURCES/06-2d-07_config
@@ -1,13 +1,3 @@
 model GenuineIntel 06-2d-07
 path intel-ucode/06-2d-07
-## The "kernel_early" statements are carried over from the intel caveat config
-## in order to avoid enabling this newer microcode on these problematic kernels;
-## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
-## (That also means that this caveat has to be enforced separately on these
-## kernels.)
-kernel_early 4.10.0
-kernel_early 3.10.0-930
-kernel_early 3.10.0-862.14.1
-kernel_early 3.10.0-693.38.1
-kernel_early 3.10.0-514.57.1
-kernel_early 3.10.0-327.73.1
+dependency required intel
diff --git a/SOURCES/06-4e-03_config b/SOURCES/06-4e-03_config
index bee51b2..7c0e333 100644
--- a/SOURCES/06-4e-03_config
+++ b/SOURCES/06-4e-03_config
@@ -1,3 +1,4 @@
 model GenuineIntel 06-4e-03
 path intel-ucode/06-4e-03
+dependency required intel
 disable early late
diff --git a/SOURCES/06-4e-03_readme b/SOURCES/06-4e-03_readme index 655aeb4..13cb72a 100644 --- a/SOURCES/06-4e-03_readme +++ b/SOURCES/06-4e-03_readme @@ -41,6 +41,11 @@ to the following knowledge base articles: CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8698 (Fast Forward Store Predictor): https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 The information regarding enforcing microcode update is provided below. diff --git a/SOURCES/06-4f-01_config b/SOURCES/06-4f-01_config index f589fbf..f987150 100644 --- a/SOURCES/06-4f-01_config +++ b/SOURCES/06-4f-01_config @@ -11,11 +11,5 @@ kernel 2.6.32-573.58.1 kernel 2.6.32-504.71.1 kernel 2.6.32-431.90.1 kernel 2.6.32-358.90.1 -kernel_early 4.10.0 -kernel_early 3.10.0-930 -kernel_early 3.10.0-862.14.1 -kernel_early 3.10.0-693.38.1 -kernel_early 3.10.0-514.57.1 -kernel_early 3.10.0-327.73.1 -mc_min_ver_late 0xb000019 +dependency required intel skip=success match-model-mode=off disable early late diff --git a/SOURCES/06-4f-01_readme b/SOURCES/06-4f-01_readme index 962c7a6..dc33eec 100644 --- a/SOURCES/06-4f-01_readme +++ b/SOURCES/06-4f-01_readme @@ -28,6 +28,11 @@ to the following knowledge base articles: * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 ("Microarchitectural Data Sampling"): https://access.redhat.com/articles/4138151 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 The information regarding enforcing microcode load is provided below. 
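Review bot: In the 06-4f-01_config hunk the `mc_min_ver_late 0xb000019` line is removed together with the `kernel_early` list, but only the kernel list has a visible replacement (the new `dependency required intel` line); nothing in this hunk re-establishes a minimum microcode revision for late loading of 06-4f-01. If that floor is now expected to come from the `intel` caveat configuration, that file is not part of this diff, so it is worth confirming before merging; otherwise the line should stay next to the new dependency, `mc_min_ver_late 0xb000019`. The other `_config` hunks in this commit only replace `kernel_early` entries, so 06-4f-01 is the one file where a non-kernel condition silently disappears.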
diff --git a/SOURCES/06-55-04_config b/SOURCES/06-55-04_config index 373c8ac..07f06f6 100644 --- a/SOURCES/06-55-04_config +++ b/SOURCES/06-55-04_config @@ -9,14 +9,4 @@ path intel-ucode/06-55-04 ## are provided for speeding up the search only, VID:DID is the real selector. ## Commented out since revision 0x2006906 seems to fix the issue. #pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8 -## The "kernel_early" statements are carried over from the intel caveat config -## in order to avoid enabling this newer microcode on these problematic kernels; -## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme -## (That also means that this caveat has to be enforced separately on these -## kernels.) -kernel_early 4.10.0 -kernel_early 3.10.0-930 -kernel_early 3.10.0-862.14.1 -kernel_early 3.10.0-693.38.1 -kernel_early 3.10.0-514.57.1 -kernel_early 3.10.0-327.73.1 +dependency required intel diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme index c719501..b8d3618 100644 --- a/SOURCES/06-55-04_readme +++ b/SOURCES/06-55-04_readme @@ -47,6 +47,11 @@ to the following knowledge base articles: CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8698 (Fast Forward Store Predictor): https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 The information regarding disabling microcode update is provided below. diff --git a/SOURCES/06-5e-03_config b/SOURCES/06-5e-03_config index 7482d36..ced0abc 100644 --- a/SOURCES/06-5e-03_config +++ b/SOURCES/06-5e-03_config @@ -1,3 +1,3 @@ model GenuineIntel 06-5e-03 path intel-ucode/06-5e-03 -disable early late +dependency required intel 
diff --git a/SOURCES/06-5e-03_readme b/SOURCES/06-5e-03_readme index 1de9002..9beb75e 100644 --- a/SOURCES/06-5e-03_readme +++ b/SOURCES/06-5e-03_readme @@ -1,12 +1,15 @@ Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94, -stepping 3) have reports of possible system hangs when revision 0xdc +stepping 3) had reports of possible system hangs when revision 0xdc of microcode, that is included in microcode-20200609 update to address -CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, is applied[1]. In order -to address this, microcode update to the newer revision has been disabled +CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order +to address this, microcode updates to the newer revision had been disabled by default on these systems, and the previously published microcode revision -0xd6 is used by default for the OS-driven microcode update. +0xd6 was used by default for the OS-driven microcode update. The revision +0xea seems[2] to have fixed the aforementioned issue, hence it is enabled +by default (but can be disabled explicitly; see below). [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 +[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014 For the reference, SHA1 checksums of 06-5e-03 microcode files containing microcode revisions in question are listed below: 
@@ -41,32 +44,33 @@ to the following knowledge base articles: CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8698 (Fast Forward Store Predictor): https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 -The information regarding enforcing microcode update is provided below. +The information regarding disabling microcode update is provided below. -To enforce usage of the latest 06-5e-03 microcode revision for a specific kernel -version, please create a file "force-intel-06-5e-03" inside +To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel +version, please create a file "disallow-intel-06-5e-03" inside /lib/firmware/ directory, run -"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory -where microcode will be available for late microcode update, and run +"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory +where microcode is available for late microcode update, and run "dracut -f --kver ", so initramfs for this kernel version -is regenerated and the microcode can be loaded early, for example: +is regenerated, for example: - touch /lib/firmware/3.10.0-862.9.1/force-intel-06-5e-03 + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03 /usr/libexec/microcode_ctl/update_ucode dracut -f --kver 3.10.0-862.9.1 -After that, it is possible to perform a late microcode update by executing -"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to -"/sys/devices/system/cpu/microcode/reload" directly. 
- -To enforce addition of this microcode for all kernels, please create file -"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03", run -"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, -and "dracut -f --regenerate-all" for enabling early microcode updates: +To avoid addition of the latest microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run +"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates, +and "dracut -f --regenerate-all" for early microcode updates: mkdir -p /etc/microcode_ctl/ucode_with_caveats - touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03 + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03 /usr/libexec/microcode_ctl/update_ucode dracut -f --regenerate-all diff --git a/SOURCES/06-8c-01_config b/SOURCES/06-8c-01_config index c7c5d65..880a419 100644 --- a/SOURCES/06-8c-01_config +++ b/SOURCES/06-8c-01_config @@ -1,3 +1,3 @@ model GenuineIntel 06-8c-01 path intel-ucode/06-8c-01 -disable early late +dependency required intel skip=success match-model-mode=off diff --git a/SOURCES/06-8c-01_readme b/SOURCES/06-8c-01_readme index 05b1ab1..9625c42 100644 --- a/SOURCES/06-8c-01_readme +++ b/SOURCES/06-8c-01_readme 
@@ -1,7 +1,9 @@ Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1) -have reports of system hangs when a microcode update, that is included -since microcode-20201110 update, is applied[1]. In order to address this, -microcode update has been disabled by default on these systems. +had reports of system hangs when a microcode update, that was included +since microcode-20201110 update, was applied[1]. In order to address this, +microcode update had been disabled by default on these systems. The revision +0x88 seems to have fixed the aforementioned issue, hence it is enabled +by default (but can be disabled explicitly; see below). [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 
@@ -11,33 +13,40 @@ microcode revisions in question are listed below: * 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290 Please contact your system vendor for a BIOS/firmware update that contains -the latest microcode version. - -The information regarding enforcing microcode update is provided below. - -To enforce usage of the latest 06-8c-01 microcode revision for a specific kernel -version, please create a file "force-intel-06-8c-01" inside +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 + +The information regarding disabling microcode update is provided below. 
+ +To disable 06-8c-01 microcode updates for a specific kernel +version, please create a file "disallow-intel-06-8c-01" inside /lib/firmware/ directory, run -"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory -where microcode will be available for late microcode update, and run +"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware +directory where microcode is available for late microcode update, and run "dracut -f --kver ", so initramfs for this kernel version -is regenerated and the microcode can be loaded early, for example: +is regenerated, for example: - touch /lib/firmware/3.10.0-862.9.1/force-intel-06-8c-01 + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01 /usr/libexec/microcode_ctl/update_ucode dracut -f --kver 3.10.0-862.9.1 -After that, it is possible to perform a late microcode update by executing -"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to -"/sys/devices/system/cpu/microcode/reload" directly. - -To enforce addition of this microcode for all kernels, please create file -"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01", run -"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, -and "dracut -f --regenerate-all" for enabling early microcode updates: +To avoid addition of this microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run +"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates, +and "dracut -f --regenerate-all" for early microcode updates: mkdir -p /etc/microcode_ctl/ucode_with_caveats - touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01 + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01 /usr/libexec/microcode_ctl/update_ucode dracut -f --regenerate-all diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats index d017d27..8db34b0 100644 --- a/SOURCES/README.caveats +++ b/SOURCES/README.caveats 
@@ -267,8 +267,9 @@ separated by white space. Currently, the following options are supported: it fails (in accordance with "mode=success-all" semantics). This check fails if "-m" option is not specified. * "dmi" performs checks for specific values available in DMI sysfs files - (present under /sys/devices/virtual/dmi/id/). The check fails if file - is not readable. If "-m" option is specified, then the actual check + (present under /sys/devices/virtual/dmi/id/). The check (when it is actually + performed; see a not about "no-model-mode" below) fails if one of the files + is not readable. If "-m" option is not specified, then the actual check is skipped, and the check returns value in accordance with "no-model-mode" parameter value (see below). Check arguments are a white-space-separated list of "key=value" pairs. The following keys are supported: 
@@ -278,17 +279,30 @@ separated by white space. Currently, the following options are supported: chassis_type, chassis_vendor, chassis_version, product_family, product_name, product_serial, product_uuid, product_version, sys_vendor. Default is empty string. - * "val" - a string to match DMI data against. Can be enclosed in single - or double quotes. Default is empty string. - * "mode" - check mode, the way matches are interpreted: + * "val" - a string to match DMI data present in "key" against. + Can be enclosed in single or double quotes. Default is empty string. + * "keyval" - a pair of "key" and "val" values (with semantics described + above), separated with either "=", ":", "!=", or "!:" characters. Enables + providing of multiple key-value pairs by means of supplying multiple + keyval= parameters. The exclamation sign ("!") character in separator + enables negated matching (so, non-equality of the value in DMI "key" file + and the value of "val" is). The match considered successful when all + the key/val (non-)equalities are in effect. This parameter works + in addition to the pair provided in "key" and "val" parameters + (but allows to avoid using them). Default is empty. + * "mode" - check mode, the way successful matches are interpreted: * "success-equal" - returns 0 if the value present in the file with the name supplied via the "key" parameter file under /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value - of "val" parameter, otherwise 1. - * "success-equal" - returns 1 if the value present in the file + of "val" parameter and all the pairs provided in "keyval" parameters + are equal and non-equal in accordance with their definition, + otherwise 1. + * "fail-equal" - returns 1 if the value present in the file with the name supplied via the "key" parameter file under /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value - of "val" parameter, otherwise 0. 
+ of "val" parameter and all the pairs provided in "keyval" parameters + are equal and non-equal in accordance with their definition, + otherwise 0. Default is "success-any". * "no-model-mode" - return value if model filter ("-m" option) is not enabled: 
@@ -300,6 +314,61 @@ separated by white space. Currently, the following options are supported: It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its content is "Dell Inc." (without quotes). It succeeds if "-m" option is not enabled. + Another example: + dmi mode=fail-equal keyval="sys_vendor=Amazon EC2" keyval="product_name=u-18tb1.metal" + dmi mode=fail-equal keyval="sys_vendor=Lenovo" keyval="product_name=ThinkSystem SR950" + It blocks the caveat from using when either both + /sys/devices/virtual/dmi/id/sys_vendor contains the string "Amazon EC2" + and /sys/devices/virtual/dmi/id/product_name contains the string + "u-18tb1.metal" or both /sys/devices/virtual/dmi/id/sys_vendor contains + the string "Lenovo" and /sys/devices/virtual/dmi/id/product_name contains + the string "ThinkSystem SR950", but enables caveat loading for other products + with the aforementioned /sys/devices/virtual/dmi/id/sys_vendor values, + for example. + * "dependency" allows conditional enablement of a caveat based on the check + status of some other caveat(s). It has the following format: + dependency DEPENDENCY_TYPE DEPENDENCY_NAME [OPTION...] + where DEPENDENCY_NAME is the configuration to be checked, OPTIONs + are per-DEPENDENCY_TYPE, and the only DEPENDENCY_TYPE that is supported + currently is "required". + Options for the "required" dependency type: + * "match-model-mode" - whether model matching mode ("-m" option) + has to be used for the nested configuration check. Possible values: + * "on" - model-matching mode is always used during the nested check; + * "off" - model-matching mode is never used during the nested check; + * "same" - used the same model-matching mode as it is now. + Default is "same". + * "skip" - controls result of the check when the nested check indicated + skipping of the configuration. 
+ * "fail" - the dependent check fails; + * "success" - the dependent check succeeds; + * "skip" - the dependent check indicates that the configuration + is to be skipped. + Default is "skip". + * "force-skip" - controls result of the check when the nested check + indicated skipping of the configuration caused by the presence + of an override file (see "check_caveats script" section for details). + * "fail" - the dependent check fails; + * "success" - the dependent check succeeds; + * "skip" - the dependent check indicates that the configuration + is to be skipped. + Default is "skip". + * "nesting-too-deep" - as a measure against dependency loop, configuration + checking logic implements nesting limit on dependency checks (currently + set at 8). This option controls the behaviour of the check + when the nested check cannot be performed due to this limit. + * "fail" - the dependent check fails; + * "success" - the dependent check succeeds; + * "skip" - the dependent check indicates that the configuration + is to be skipped. + Default is "fail". + An example of a check: + dependency required intel skip=success match-model-mode=off + It checks "intel" caveat configuration (see the "Early microcode load + inside a virtual machine" section) with model-matching mode being disabled, + treats skipping of the configuration as a success (unless the configuration + is forced to be skipped, in that case the dependent configuration + is to be skipped as well). check_caveats script @@ -536,6 +605,8 @@ Caveat name: intel-06-4f-01 Affected microcode: intel-ucode/06-4f-01. +Dependencies: intel + Mitigation: microcode loading is disabled for the affected CPU model. Minimum versions of the kernel package that contain the aforementioned patch @@ -564,6 +635,8 @@ Caveat name: intel Affected microcode: all. +Dependencies: (none) + Mitigation: early microcode loading is disabled for all CPU models on kernels without the fix. 
@@ -600,6 +673,8 @@ Caveat name: intel-06-2d-07 Affected microcode: intel-ucode/06-2d-07. +Dependencies: intel + Mitigation: None; the latest revision of the microcode file is used by default; previously published microcode revision 0x714 is still available as a fallback as part of "intel" caveat. 
@@ -629,44 +704,73 @@ Caveat name: intel-06-55-04 Affected microcode: intel-ucode/06-55-04. +Dependencies: intel + Mitigation: None; the latest revision of the microcode file is used by default; previously published microcode revision 0x2000064 is still available as a fallback as part of "intel" caveat. -Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats ----------------------------------------- -Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3; -and SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of system -hangs when revision 0xdc of microcode, that is included in microcode-20200609 -update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, -is applied[1][2]. In order to address this, microcode update to the newer -revision has been disabled by default on these systems, and the previously -published microcode revision 0xd6 is used instead; the newer microcode files, -however, are still shipped as part of microcode_ctl package and can be used -for performing a microcode update if they are enforced via the aforementioned -overrides. (See the sections "check_caveats script" and "reload_microcode -script" for details.) +Intel Skylake-U/Y caveat +------------------------ +Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3) +have reports of system hangs when revision 0xdc of microcode, that is included +in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548, +and CVE-2020-0549, is applied[1]. In order to address this, microcode update +to the newer revision has been disabled by default on these systems, +and the previously published microcode revision 0xd6 is used instead; the newer +microcode files, however, are still shipped as part of microcode_ctl package +and can be used for performing a microcode update if they are enforced +via the aforementioned overrides. (See the sections "check_caveats script" +and "reload_microcode script" for details.) 
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 -[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 -Caveat names: intel-06-4e-03, intel-06-5e-03 +Caveat name: intel-06-4e-03 -Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03. +Affected microcode: intel-ucode/06-4e-03 + +Dependencies: intel Mitigation: previously published microcode revision 0xd6 is used by default. +Intel Skylake-H/S/Xeon E3 v5 caveat +----------------------------------- +Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94, +stepping 3) had reports of system hangs when revision 0xdc of microcode, +that is included in microcode-20200609 update to address CVE-2020-0543, +CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order to address this, +microcode update to the newer revision had been disabled by default on these +systems, and the previously published microcode revision 0xd6 was used instead. +The revision 0xea seems[2] to have fixed the aforementioned issue, hence +the latest microcode revision usage it is enabled by default, +but can be disabled explicitly via the aforementioned overrides. (See +the sections "check_caveats script" and "reload_microcode script" for details.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 +[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014 + +Caveat names: intel-06-5e-03 + +Affected microcode: intel-ucode/06-5e-03. + +Dependencies: intel + +Mitigation: None; the latest revision of the microcode file is used by default; +previously published microcode revision 0xd6 is still available as a fallback +as part of "intel" caveat. 
+ + Intel Tiger Lake-UP3/UP4 caveat ------------------------------- Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140, -stepping 1) have reports of system hangs when a microcode update, -that is included since microcode-20201110 release, is applied[1]. -In order to address this, microcode update to a newer revision has been disabled -by default on these systems; the newer microcode file, however, is still shipped -as a part of microcode_ctl package and can be used for performing a microcode -update if it is enforced via the aforementioned overrides. (See the sections +stepping 1) had reports of system hangs when a microcode update, +that was included since microcode-20201110 release, was applied[1]. +In order to address this, microcode update to a newer revision had been disabled +by default on these systems. The revision 0x88 seems to have fixed +the aforementioned issue, hence it is enabled by default; however, it is still +can be disabled via the aforementioned overrides. (See the sections "check_caveats script" and "reload_microcode script" for details.) [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 @@ -675,7 +779,9 @@ Caveat names: intel-06-8c-01 Affected microcode: intel-ucode/06-8c-01. -Mitigation: microcode loading is disabled for the affected CPU model. +Dependencies: intel + +Mitigation: None; the latest revision of the microcode file is used by default. @@ -710,3 +816,8 @@ Intel CPU vulnerabilities is available in the following knowledge base articles: CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8698 (Fast Forward Store Predictor): https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 
diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats index 7612e69..b821160 100755 --- a/SOURCES/check_caveats +++ b/SOURCES/check_caveats @@ -9,6 +9,8 @@ : ${FW_DIR=/lib/firmware} : ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats} +MAX_NESTING_LEVEL=8 + usage() { echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]' echo ' [-m] [-v]' @@ -261,7 +263,7 @@ check_pci_config_val() # It is needed for filtering by BIOS vendor name that is available in DMI data # # $1 - params in config file, space-separated, in key=value form: -# key= - DMI value to check. Can be one of the following: bios_date, +# key= - DMI data record to check. Can be one of the following: bios_date, # bios_vendor, bios_version, board_asset_tag, board_name, board_serial, # board_vendor, board_version, chassis_asset_tag, chassis_serial, # chassis_type, chassis_vendor, chassis_version, product_family, 
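Review bot: `MAX_NESTING_LEVEL=8` is added without a comment saying what it bounds, while README.caveats in the same commit describes the limit as a guard against dependency loops; a one-line comment above it would keep the script and the documentation in sync, e.g. `# Maximum depth of nested "dependency" checks; guards against dependency loops (see check_dependency).` Unlike the `: ${FW_DIR=...}` and `: ${CFG_DIR=...}` assignments just above it, this one cannot be overridden from the environment, which reads as deliberate; saying so in the comment would stop a later change from "harmonising" it with the overridable defaults.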
@@ -269,24 +271,31 @@ check_pci_config_val() # sys_vendor. # val= - a string to match DMI data against. Can be enclosed in single # or double quotes. +# keyval= - a string of format "KEY(!)?[=:]VAL" (so, one of "KEY=VAL", +# "KEY!=VAL", "KEY:VAL", "KEY!:VAL") that allows providing +# a key-value pair in a single parameter. It is possible to provide +# multiple keyval= parameters. "!" before :/= means negated match. +# The action supplied in the mode= parameter is executed upon +# successful (non-)matching of all the keyval pairs (as well +# as the pair provided in a pair of key= and val= parameters). # mode=success-equal [ success-equal, fail-equal ] - matching mode: -# success-equal: Returns 0 if the value present in the corresponding file -# under /sys/devices/virtual/dmi/id/ is equal -# to the value supplied as a value of "val" parameter, -# otherwise 1. -# fail-equal: Returns 1 if the value present in the corresponding file -# under /sys/devices/virtual/dmi/id/ is equal -# to the value supplied as a value of "val" parameter, -# otherwise 0. +# success-equal: Returns 0 if the all values present in the corresponding +# files under /sys/devices/virtual/dmi/id/ are equal +# (or not equal in case of a keyval= with negated match) +# to the respective values supplied as the values +# of the keyval= parameters or the pair of key= vand val= +# parameters, otherwise 1. +# fail-equal: Returns 1 if all the values present in DMI files in sysfs +# match (as described above), otherwise 0. # no-model-mode=success [ success, fail ] - return value if model filter # is not enabled: # success: Return 0. # fail: Return 1. # $2 - whether model filter is engaged (if it is not '1', just return the result -# based on "mode" value that assumes that the check has failed). +# based on "no-model-mode" value). 
check_dmi_val() { - local key= val= mode='success-equal' nm_mode='success' + local key= val= keyval= keyvals= mode='success-equal' nm_mode='success' local opts="${1:-}" opt= opt_= local match_model="${2:-0}" @@ -305,21 +314,44 @@ check_dmi_val() # Handle possible quoting [ "x${opt#val=}" = "x${opt}" ] || { case "${opt#val=}" in - [']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val=\'${val}\'" ;; - ["]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;; + [\']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val='${val}'" ;; + [\"]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;; *) val="${opt#val=}" ;; esac } + [ "x${opt#keyval=}" = "x${opt}" ] || { + case "${opt#keyval=}" in + [\']*) + opt_="${opts#keyval=\'}" + keyval="${opt_%%\'*}" + opt="keyval='${keyval}'" + keyvals="${keyvals} + ${keyval}" + ;; + [\"]*) + opt_="${opts#keyval=\"}" + keyval="${opt_%%\"*}" + opt="keyval=\"${keyval}\"" + keyvals="${keyvals} + ${keyval}" + ;; + *) + keyvals="${keyvals} + ${opt#keyval=}" + ;; + esac + } opts="${opts#"${opt}"}" continue done - # Check key for validity - [ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || { - debug "Invalid \"key\" parameter value: \"${key}\"" + [ -z "$key" -a -z "$val" ] || keyvals="${key}=${val}${keyvals}" + + [ -n "x${keyvals}" ] || { + debug "Neither key=, val=, nor keyval= parameters were privoded" echo 2 - exit + return } [ 1 = "$match_model" ] || { 
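Review bot: The rewritten `success-equal` paragraph in the check_dmi_val header comment has two slips that make the only in-script description of the negated-match semantics harder to read: `of the keyval= parameters or the pair of key= vand val=` should read `of the keyval= parameters or the pair of key= and val=`, and `Returns 0 if the all values present in the corresponding` should read `Returns 0 if all the values present in the corresponding`. The `$2` description now correctly says the result follows `no-model-mode`, which matches the code below.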
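Review bot: The empty-parameter guard added after the option loop, `[ -n "x${keyvals}" ] || { ... echo 2; return }`, can never fire, because the `x` prefix makes the operand non-empty even when no `key=`, `val=` or `keyval=` parameter was given; the test should be `[ -n "${keyvals}" ] || {`. As written, a `dmi` check with no parameters falls through to the matching loop with an empty list, and from the next hunk it looks like that would then be reported as a successful match rather than the intended error code 2, so the caveat would be enabled on every model instead of being rejected as misconfigured. The debug message in the same block also misspells "provided" (`privoded`). The enclosing check_dmi_val body continues in the next hunk.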
@@ -332,23 +364,171 @@ check_dmi_val() ;; esac - exit + return } - [ -r "/sys/devices/virtual/dmi/id/${key}" ] || { - debug "Can't access /sys/devices/virtual/dmi/id/${key}" - echo 3 - exit - } + case "$mode" in + success-equal|fail-equal) ;; + *) debug "Invalid mode value: \"${nm_mode}\""; echo 2; return ;; + esac - file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")" + printf "%s\n" "${keyvals}" | ( + while read l; do + [ -n "$l" ] || continue + key="${l%%[=:]*}" + val="${l#${key}[=:]}" + + cmp="=" + [ "x${key%!}" = "x${key}" ] || { + cmp="!=" + key="${key%!}" + } + + # Check key for validity + [ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || { + debug "Invalid \"key\" parameter value: \"${key}\"" + echo 2 + return + } + + [ -r "/sys/devices/virtual/dmi/id/${key}" ] || { + debug "Can't access /sys/devices/virtual/dmi/id/${key}" + echo 3 + return + } + + file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")" + + [ "x${val}" "${cmp}" "x${file_val}" ] || { + case "$mode" in + success-equal) echo 1 ;; + fail-equal) echo 0 ;; + esac + + return + } + done - [ "x${val}" = "x${file_val}" ] || success=0 + case "$mode" in + success-equal) echo 0 ;; + fail-equal) echo 1 ;; + esac + ) +} - case "$mode" in - success-equal) echo "$((1 - $success))" ;; - fail-equal) echo "${success}" ;; - *) debug "Invalid mode value: \"${nm_mode}\""; echo 2 ;; +# check_dependency CURLEVEL DEP_TYPE DEP_NAME OPTS +# DEP_TYPE: +# required - caveat can be enabled only if dependency is enabled +# (is not forcefully disabled and meets caveat conditions) +# OPTS: +# match-model-mode=same [ on, off, same ] - what mode matching mode is to be used for dependency +# skip=skip [ fail, skip, success ] +# force-skip=skip [ fail, skip, success ] +# nesting-too-deep=fail [ fail, skip, success ] +# Return values: +# 0 - success +# 1 - fail +# 2 - skip +# 9 - error +check_dependency() +{ + local cur_level="$1" + local dep_type="$2" + local dep_name="$3" + local match_model_mode=same 
old_match_model="${match_model}" + local skip=skip + local force_skip=skip + local nesting_too_deep=fail + + local check="Dependency check for ${dep_type} ${dep_name}" + + set -- ${4:-} + while [ "$#" -gt 0 ]; do + [ "x${1#match-model-mode=}" = "x${1}" ] || match_model_mode="${1#match-model-mode=}" + [ "x${1#skip=}" = "x${1}" ] || skip="${1#skip=}" + [ "x${1#force-skip=}" = "x${1}" ] || force_skip="${1#force-skip=}" + [ "x${1#nesting-too-deep=}" = "x${1}" ] || nesting_too_deep="${1#nesting-too-deep=}" + + shift + done + + case "${dep_type}" in + required) + [ "x${dep_name%/*}" = "x${dep_name}" ] || { + debug "${check} error: dependency name (${dep_name})" \ + "cannot contain slashes" + echo 9 + return + } + + [ "${MAX_NESTING_LEVEL}" -ge "$cur_level" ] || { + local reason="nesting level is too deep (${cur_level}) and nesting-too-deep='${nesting_too_deep}'" + + case "$nesting_too_deep" in + success) debug "${check} succeeded: ${reason}"; echo 0 ;; + fail) debug "${check} failed: ${reason}"; echo 1 ;; + skip) debug "${check} skipped: ${reason}"; echo 2 ;; + *) debug "${check} error: invalid" \ + "nesting-too-deep mode" \ + "(${nesting_too_deep})"; echo 9 ;; + esac + + return + } + + case "${match_model_mode}" in + same) ;; + on) match_model=1 ;; + off) match_model=0 ;; + *) + debug "${check} error: invalid match-model-mode" \ + "(${match_model_mode})" + echo 9 + return + ;; + esac + + local result=0 + debug "${check}: calling check_caveat '${dep_name}'" \ + "'$(($cur_level + 1))' match_model=${match_model}" + check_caveat "${dep_name}" "$(($cur_level + 1))" > /dev/null || result="$?" 
+ + match_model="${old_match_model}" + + case "${result}" in + 0) debug "${check} succeeded: result=${result}"; echo "${result}" ;; + 1) debug "${check} failed: result=${result}"; echo "${result}" ;; + 2) + local reason="result=${result} and skip='${skip}'" + + case "${skip}" in + success) debug "${check} succeeded: ${reason}"; echo 0 ;; + fail) debug "${check} failed: ${reason}"; echo 1 ;; + skip) debug "${check} skipped: ${reason}"; echo 2 ;; + *) debug "${check} error: unexpected skip=" \ + "setting (${skip})"; echo 9 ;; + esac + ;; + 3) + local reason="result=${result} and force_skip='${force_skip}'" + + case "${force_skip}" in + success) debug "${check} succeeded: ${reason}"; echo 0 ;; + fail) debug "${check} failed: ${reason}"; echo 1 ;; + skip) debug "${check} skipped: ${reason}"; echo 2 ;; + *) debug "${check} error: unexpected force-skip=" \ + "setting (${skip})"; echo 9 ;; + esac + ;; + *) + debug "${check} error: unexpected check_caveat result" \ + "(${result})"; echo 9 ;; + esac + ;; + *) + debug "${check} error: unknown dependency type '${dep_type}'" + echo 9 + ;; esac } @@ -400,23 +580,6 @@ get_mc_ver() /bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo } -# fail [CHECK_ONLY] -fail() -{ - check_only="${1:-0}" - [ 0 = "$check_only" ] || return - - ret=1 - - fail_cfgs="$fail_cfgs $cfg" - fail_paths="$fail_paths $cfg_path" - - [ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \ - || /bin/cat "${dir}/disclaimer" -} - -#check_kver "$@" -#get_model_name match_model=0 configs= 
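Review bot: In check_dependency, the error branch for result 3 reports the wrong variable: `"setting (${skip})"; echo 9 ;;` under `case "${force_skip}" in` should print `${force_skip}`. The mode validation added to check_dmi_val carries the same kind of slip over from the removed code: `debug "Invalid mode value: \"${nm_mode}\""` tests `$mode` but prints `$nm_mode`, so it should be `debug "Invalid mode value: \"${mode}\""`. The `return`s inside the `( … )` subshell in check_dmi_val only terminate the subshell, which is what the echoed status needs here, but a one-line comment such as `# inside a subshell: return ends only the subshell; the echo is the result` would save the next reader a double-take. The slash check on dep_name keeps the check_caveat lookup inside MC_CAVEATS_DATA_DIR, though `.` and `..` still pass it; rejecting those two names as well would close that gap. MAX_NESTING_LEVEL is not defined in this hunk, so I assume it is set earlier in the file.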
@@ -477,22 +640,21 @@ else stage="late" fi -# check_caveat CFG [CHECK_ONLY] +# check_caveat CFG [CHECK_LEVEL] # changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs, -# skip_cfgs if CHECK_ONLY is set to 0 (default). +# skip_cfgs if CHECK_LEVEL is set to 0 (default). +# CHECK_LEVEL is used for recursive configuration dependency checks, +# and indicates nesting level. # Return value: # 0 - check is successful # 1 - check has been failed # 2 - configuration has been skipped +# 3 - configuration has been skipped due to presence of an override file check_caveat() { local cfg="$1" - local check_only="${2:-0}" + local check_level="${2:-0}" local dir="$MC_CAVEATS_DATA_DIR/$cfg" - # We add cfg to the skip list first and then, if we do not skip it, - # we remove the configuration from the list. - [ 0 != "$check_only" ] || skip_cfgs="$skip_cfgs $cfg" - [ -r "${dir}/readme" ] || { debug "File 'readme' in ${dir} is not found, skipping" return 2 @@ -512,6 +674,7 @@ check_caveat() { local cfg_disable= local cfg_pci= local cfg_dmi= + local cfg_dependency= local key local value @@ -547,6 +710,10 @@ check_caveat() { cfg_dmi="$cfg_dmi $value" ;; + dependency) + cfg_dependency="$cfg_dependency + $value" + ;; '#'*|'') continue ;; @@ -558,6 +725,7 @@ check_caveat() { done < "${dir}/config" debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'" + echo "$cfg_path" # Check for override files in the following order: # - disallow early/late specific caveat for specific kernel @@ -619,7 +787,7 @@ check_caveat() { [ 0 -eq "$ignore_cfg" ] || { debug "Configuration \"$cfg\" is ignored due to presence of" \ "\"$override_file\"." - return 2 + return 3 } # Check model if model filter is enabled 
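Review bot: The updated header comment for check_caveat is stale: it still says the function changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs and skip_cfgs when CHECK_LEVEL is 0, but this commit removes every such assignment from the function (the skip_cfgs line in this hunk, the ret_/ok_ lines in `@@ -667,29 +835,51 @@` and `@@ -767,21 +954,43 @@`, and fail() in `@@ -400,23 +580,6 @@`) and moves list maintenance to the caller loop. The hunk `@@ -558,6 +725,7 @@` adds `echo "$cfg_path"`, which the header does not mention either; I would replace the "changes …" sentence with `# Prints the configuration's microcode path on stdout (also on failure/skip);` / `# the caller maintains the ret_/ok_/fail_/skip_ lists from the return value.`. Because that echo runs before the override, model and dependency checks, callers must key off the exit status and not off non-empty output, which the loop in `@@ -767,21 +954,43 @@` does. This also assumes debug() writes to stderr; if it writes to stdout its messages would be captured into cfg_path as well, which is worth confirming.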
@@ -667,29 +835,51 @@ check_caveat() { } fi - # Check configuration files - - [ 0 != "$check_only" ] || { - ret_cfgs="$ret_cfgs $cfg" - ret_paths="$ret_paths $cfg_path" - skip_cfgs="${skip_cfgs% $cfg}" - } - + # Has to be performed before dependency checks [ 0 -eq "$force_cfg" ] || { debug "Checks for configuration \"$cfg\" are ignored due to" \ "presence of \"$override_file\"." - [ 0 != "$check_only" ] || { - ok_cfgs="$ok_cfgs $cfg" - ok_paths="$ok_paths $cfg_path" - } - return 0 } + # Check dependencies + # It has to be performed here (before adding configuration + # to $ret_cfgs/$ret_paths) since it may be skipped. + if [ -n "$cfg_dependency" ]; then + dep_line="$(printf "%s\n" "$cfg_dependency" | \ + while read -r dep_type dep_name dep_opts + do + [ -n "$dep_type" ] || continue + dep_res=$(check_dependency "$check_level" \ + "$dep_type" \ + "$dep_name" \ + "$dep_opts") + [ 0 != "$dep_res" ] || continue + echo "$dep_res $dep_type $dep_name $dep_opts" + break + done + echo "0 ")" + + case "${dep_line%% *}" in + 0) ;; + 2) + debug "Dependency check '${dep_line#* }'" \ + "induced configuration skip" + return 2 + ;; + *) + debug "Dependency check '${dep_line#* }'" \ + "failed (with return code ${dep_line%% *})" + return 1 + ;; + esac + fi + + # Check configuration files + [ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || { debug "${cfg}: caveat is disabled in configuration" - fail "$check_only" return 1 } @@ -698,7 +888,6 @@ check_caveat() { check_kver "$kver" $cfg_kvers || { debug "${cfg}: late load kernel version check for" \ " '$kver' against '$cfg_kvers' failed" - fail "$check_only" return 1 } fi @@ -708,7 +897,6 @@ check_caveat() { check_kver "$kver" $cfg_kvers_early || { debug "${cfg}: early load kernel version check for" \ "'$kver' against '$cfg_kvers_early' failed" - fail "$check_only" return 1 } fi 
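Review bot: In the new dependency loop the captured `dep_line` has two lines when a dependency fails, because the loop echoes `"$dep_res $dep_type $dep_name $dep_opts"` and then `echo "0 "` runs unconditionally after the loop; `${dep_line%% *}` still yields the right code, but the debug message `Dependency check '${dep_line#* }'` carries a trailing newline and `0 ` into the log. Keeping only the first line of the capture (trimming at the first newline before the case, or piping the capture through head -n1) fixes the message without changing the control flow. Mapping the error code 9 from check_dependency to `return 1` via the `*)` branch fails closed, which is the right default for a check that gates a microcode load; a short comment saying that this is deliberate would help. The enclosing check_caveat body continues past the end of this hunk.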
@@ -722,7 +910,6 @@ check_caveat() { debug "${cfg}: CPU microcode version $cpu_mc_ver" \ "failed check (should be at least" \ "${cfg_mc_min_ver_late})" - fail "$check_only" return 1 } fi @@ -744,14 +931,14 @@ check_caveat() { [ -z "${pci_line#* }" ] || { debug "PCI configuration word check '${pci_line#* }'" \ "failed (with return code ${pci_line%% *})" - fail "$check_only" return 1 } fi # Check DMI data if model filter is enabled - # Note that the model filter check is done inside check_pci_config_val - # based on the 'mode=' parameter. + # Note that the model filter check is done inside check_dmi_val + # (which returns the value of 'no-model-mode=' parameter + # if it is disenaged). if [ -n "$cfg_dmi" ]; then dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line do @@ -767,21 +954,43 @@ check_caveat() { [ -z "${dmi_line#* }" ] || { debug "DMI data check '${dmi_line#* }'" \ "failed (with return code ${dmi_line%% *})" - fail "$check_only" return 1 } fi - [ 0 != "$check_only" ] || { - ok_cfgs="$ok_cfgs $cfg" - ok_paths="$ok_paths $cfg_path" - } - return 0 } for cfg in $(echo "${configs}"); do - check_caveat "$cfg" || : + if cfg_path=$(check_caveat "$cfg"; exit "$?") + then + ret_cfgs="$ret_cfgs $cfg" + ret_paths="$ret_paths $cfg_path" + ok_cfgs="$ok_cfgs $cfg" + ok_paths="$ok_paths $cfg_path" + else + case "$?" in + 1) + ret=1 + + ret_cfgs="$ret_cfgs $cfg" + ret_paths="$ret_paths $cfg_path" + fail_cfgs="$fail_cfgs $cfg" + fail_paths="$fail_paths $cfg_path" + + [ 0 -eq "$print_disclaimers" ] \ + || [ ! -e "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" ] \ + || /bin/cat "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" + ;; + 2|3) + skip_cfgs="$skip_cfgs $cfg"; + ;; + *) + debug "Unexpected check_caveat return code '$?'" \ + "for config '$cfg'" + ;; + esac + fi done [ 0 -eq "$print_disclaimers" ] || exit 0 diff --git a/SOURCES/codenames.list b/SOURCES/codenames.list index 8dd68ab..f2eaa75 100644 --- a/SOURCES/codenames.list +++ b/SOURCES/codenames.list 
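Review bot: The rewritten comment in `@@ -744,14 +931,14 @@` has a typo: `# if it is disenaged).` should read `# if it is disengaged).`. The comment now names check_dmi_val instead of check_pci_config_val, which matches the DMI block it sits above.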
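Review bot: The caller loop in `@@ -767,21 +954,43 @@` relies on `$?` surviving untouched from the `if` condition into the `else` branch: `case "$?" in` and the later `debug "Unexpected check_caveat return code '$?'"` both read it, which works in POSIX sh only as long as nothing runs in between, so any command added at the top of the branch would silently change which case fires. I would capture it once: `else` / `rc=$?` / `case "$rc" in` and print `$rc` in the debug message. `cfg_path=$(check_caveat "$cfg"; exit "$?")` can be shortened to `cfg_path=$(check_caveat "$cfg")`, since a command substitution already reports the status of its last command, and the stray `;` after `skip_cfgs="$skip_cfgs $cfg"` can go. The `1)` branch records `$cfg_path` for a failed configuration, which is correct provided check_caveat never returns 1 before reaching its `echo "$cfg_path"`; every return-1 site visible in this diff comes after the echo, but the earlier part of the function is not in view.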
@@ -305,7 +305,7 @@ Mobile;;Comet Lake;R1;20;a0652;CML;H;Core Gen10 Mobile; Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop; Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop; Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile; -Mobile;;Comet Lake;K0;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile; +Mobile;;Comet Lake;K1;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile; Desktop;;Rocket Lake;B0;02;a0671;RKL;S;Core Gen11; SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology; diff --git a/SOURCES/microcode_ctl-use-microcode-20210525-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20210525-tgz.patch deleted file mode 100644 index ab129a4..0000000 --- a/SOURCES/microcode_ctl-use-microcode-20210525-tgz.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: microcode_ctl-2.1-18/Makefile -=================================================================== ---- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200 -+++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200 -@@ -8,7 +8,7 @@ - # 2 of the License, or (at your option) any later version. - - PROGRAM = intel-microcode2ucode --MICROCODE_INTEL = microcode-20180703.tgz -+MICROCODE_INTEL = microcode-20210525.tar.gz - - INS = install - CC = gcc diff --git a/SOURCES/microcode_ctl-use-microcode-20210608-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20210608-tgz.patch new file mode 100644 index 0000000..ebf634d --- /dev/null +++ b/SOURCES/microcode_ctl-use-microcode-20210608-tgz.patch @@ -0,0 +1,13 @@ +Index: microcode_ctl-2.1-18/Makefile +=================================================================== +--- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200 ++++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200 +@@ -8,7 +8,7 @@ + # 2 of the License, or (at your option) any later version. + + PROGRAM = intel-microcode2ucode +-MICROCODE_INTEL = microcode-20180703.tgz ++MICROCODE_INTEL = microcode-20210608.tar.gz + + INS = install + CC = gcc 
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec index 96fd7d8..811a078 100644 --- a/SPECS/microcode_ctl.spec +++ b/SPECS/microcode_ctl.spec @@ -1,5 +1,5 @@ %define upstream_version 2.1-18 -%define intel_ucode_version 20210525 +%define intel_ucode_version 20210608 %define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats %define microcode_ctl_libexec %{_libexecdir}/microcode_ctl @@ -21,14 +21,13 @@ Summary: Tool to transform and deploy CPU microcode update for x86. Name: microcode_ctl Version: 2.1 -Release: 73.9%{?dist} +Release: 73.11%{?dist} Epoch: 2 Group: System Environment/Base License: GPLv2+ and Redistributable, no modification permitted URL: https://pagure.io/microcode_ctl Source0: https://releases.pagure.org/microcode_ctl/%{name}-%{upstream_version}.tar.xz -#Source1: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz -Source1: microcode-%{intel_ucode_version}.tar.gz +Source1: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz # (Pre-MDS) revision 0x714 of 06-2d-07 microcode Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07 @@ -99,6 +98,7 @@ Source151: 06-5e-03_config Source152: 06-5e-03_disclaimer # TGL-UP3/UP4 (CPUID 06-8c-01) hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 Source180: 06-8c-01_readme Source181: 06-8c-01_config Source182: 06-8c-01_disclaimer 
@@ -552,6 +552,17 @@ rm -rf %{buildroot} %changelog +* Fri Jul 23 2021 Eugene Syromiatnikov - 2:2.1-73.11 +- Update Intel CPU microcode to microcode-20210608 release: + - Fixes in releasenote.md file. + +* Fri Jul 23 2021 Eugene Syromiatnikov - 2:2.1-73.10 +- Make intel-06-2d-07, intel-06-4e-03, intel-06-4f-01, intel-06-55-04, + intel-06-5e-03, intel-06-8c-01, intel-06-8e-9e-0x-0xca, + and intel-06-8e-9e-0x-dell caveats dependent on intel caveat. +- Enable 06-8c-01 microcode update by default. +- Enable 06-5e-03 microcode update by default (#1897684). + * Thu May 27 2021 Eugene Syromiatnikov - 2:2.1-73.9 - Update Intel CPU microcode to microcode-20210525 release, addresses CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, and CVE-2020-24513