diff --git a/.gitignore b/.gitignore
index c8a5f5d..b1f1a65 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,5 +2,5 @@ SOURCES/06-2d-07
 SOURCES/06-4e-03
 SOURCES/06-55-04
 SOURCES/06-5e-03
-SOURCES/microcode-20210525.tar.gz
+SOURCES/microcode-20210608.tar.gz
 SOURCES/microcode_ctl-2.1-18.tar.xz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index ca73b24..2472d5c 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -2,5 +2,5 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
 06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03
 2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
-000cb9ab3260786611f3481bf82d3c32506e91ae SOURCES/microcode-20210525.tar.gz
+68f7344d874d50f4c8d836f01abc497707d0baa2 SOURCES/microcode-20210608.tar.gz
 3959afc5d69a916a730131ce0f768db263e9e4f1 SOURCES/microcode_ctl-2.1-18.tar.xz
diff --git a/SOURCES/06-2d-07_config b/SOURCES/06-2d-07_config
index 979455d..99a8ed7 100644
--- a/SOURCES/06-2d-07_config
+++ b/SOURCES/06-2d-07_config
@@ -1,13 +1,3 @@
 model GenuineIntel 06-2d-07
 path intel-ucode/06-2d-07
-## The "kernel_early" statements are carried over from the intel caveat config
-## in order to avoid enabling this newer microcode on these problematic kernels;
-## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
-## (That also means that this caveat has to be enforced separately on these
-## kernels.)
-kernel_early 4.10.0
-kernel_early 3.10.0-930
-kernel_early 3.10.0-862.14.1
-kernel_early 3.10.0-693.38.1
-kernel_early 3.10.0-514.57.1
-kernel_early 3.10.0-327.73.1
+dependency required intel
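Review bot: The new `dependency required intel` line has no comment, while the block it replaces carried five lines explaining why the `kernel_early` restrictions were there. A one-line replacement such as `## Kernel version restrictions are inherited from the "intel" caveat config via the dependency below.` would keep that rationale in the file. This assumes the "intel" config still lists those kernels, which is not visible in this diff. The same applies to the identical additions in 06-4e-03_config, 06-55-04_config and 06-5e-03_config.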
diff --git a/SOURCES/06-4e-03_config b/SOURCES/06-4e-03_config
index bee51b2..7c0e333 100644
--- a/SOURCES/06-4e-03_config
+++ b/SOURCES/06-4e-03_config
@@ -1,3 +1,4 @@
 model GenuineIntel 06-4e-03
 path intel-ucode/06-4e-03
+dependency required intel
 disable early late
diff --git a/SOURCES/06-4e-03_readme b/SOURCES/06-4e-03_readme
index 655aeb4..13cb72a 100644
--- a/SOURCES/06-4e-03_readme
+++ b/SOURCES/06-4e-03_readme
@@ -41,6 +41,11 @@ to the following knowledge base articles:
    CVE-2020-8696 (Vector Register Leakage-Active),
    CVE-2020-8698 (Fast Forward Store Predictor):
    https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171
 
 The information regarding enforcing microcode update is provided below.
 
diff --git a/SOURCES/06-4f-01_config b/SOURCES/06-4f-01_config
index f589fbf..f987150 100644
--- a/SOURCES/06-4f-01_config
+++ b/SOURCES/06-4f-01_config
@@ -11,11 +11,5 @@ kernel 2.6.32-573.58.1
 kernel 2.6.32-504.71.1
 kernel 2.6.32-431.90.1
 kernel 2.6.32-358.90.1
-kernel_early 4.10.0
-kernel_early 3.10.0-930
-kernel_early 3.10.0-862.14.1
-kernel_early 3.10.0-693.38.1
-kernel_early 3.10.0-514.57.1
-kernel_early 3.10.0-327.73.1
-mc_min_ver_late 0xb000019
+dependency required intel skip=success match-model-mode=off
 disable early late
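Review bot: `mc_min_ver_late 0xb000019` is removed together with the `kernel_early` list, but the new dependency on "intel" plausibly stands in only for the kernel version checks. Whether a minimum-revision gate for late loading is still enforced for this model cannot be told from the diff. If the removal is intentional, a `##` comment next to the new `dependency` line should state the reason; otherwise keep `mc_min_ver_late 0xb000019` in place. The `kernel` list this hunk belongs to starts above the hunk.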
diff --git a/SOURCES/06-4f-01_readme b/SOURCES/06-4f-01_readme
index 962c7a6..dc33eec 100644
--- a/SOURCES/06-4f-01_readme
+++ b/SOURCES/06-4f-01_readme
@@ -28,6 +28,11 @@ to the following knowledge base articles:
  * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
    ("Microarchitectural Data Sampling"):
    https://access.redhat.com/articles/4138151
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171
 
 The information regarding enforcing microcode load is provided below.
 
diff --git a/SOURCES/06-55-04_config b/SOURCES/06-55-04_config
index 373c8ac..07f06f6 100644
--- a/SOURCES/06-55-04_config
+++ b/SOURCES/06-55-04_config
@@ -9,14 +9,4 @@ path intel-ucode/06-55-04
 ## are provided for speeding up the search only, VID:DID is the real selector.
 ## Commented out since revision 0x2006906 seems to fix the issue.
 #pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
-## The "kernel_early" statements are carried over from the intel caveat config
-## in order to avoid enabling this newer microcode on these problematic kernels;
-## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
-## (That also means that this caveat has to be enforced separately on these
-## kernels.)
-kernel_early 4.10.0
-kernel_early 3.10.0-930
-kernel_early 3.10.0-862.14.1
-kernel_early 3.10.0-693.38.1
-kernel_early 3.10.0-514.57.1
-kernel_early 3.10.0-327.73.1
+dependency required intel
diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme
index c719501..b8d3618 100644
--- a/SOURCES/06-55-04_readme
+++ b/SOURCES/06-55-04_readme
@@ -47,6 +47,11 @@ to the following knowledge base articles:
    CVE-2020-8696 (Vector Register Leakage-Active),
    CVE-2020-8698 (Fast Forward Store Predictor):
    https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171
 
 The information regarding disabling microcode update is provided below.
 
diff --git a/SOURCES/06-5e-03_config b/SOURCES/06-5e-03_config
index 7482d36..ced0abc 100644
--- a/SOURCES/06-5e-03_config
+++ b/SOURCES/06-5e-03_config
@@ -1,3 +1,3 @@
 model GenuineIntel 06-5e-03
 path intel-ucode/06-5e-03
-disable early late
+dependency required intel
diff --git a/SOURCES/06-5e-03_readme b/SOURCES/06-5e-03_readme
index 1de9002..9beb75e 100644
--- a/SOURCES/06-5e-03_readme
+++ b/SOURCES/06-5e-03_readme
@@ -1,12 +1,15 @@
 Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
-stepping 3) have reports of possible system hangs when revision 0xdc
+stepping 3) had reports of possible system hangs when revision 0xdc
 of microcode, that is included in microcode-20200609 update to address
-CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, is applied[1].  In order
-to address this, microcode update to the newer revision has been disabled
+CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1].  In order
+to address this, microcode updates to the newer revision had been disabled
 by default on these systems, and the previously published microcode revision
-0xd6 is used by default for the OS-driven microcode update.
+0xd6 was used by default for the OS-driven microcode update.  The revision
+0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
+by default (but can be disabled explicitly; see below).
 
 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
+[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
 
 For the reference, SHA1 checksums of 06-5e-03 microcode files containing
 microcode revisions in question are listed below:
@@ -41,32 +44,33 @@ to the following knowledge base articles:
    CVE-2020-8696 (Vector Register Leakage-Active),
    CVE-2020-8698 (Fast Forward Store Predictor):
    https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171
 
-The information regarding enforcing microcode update is provided below.
+The information regarding disabling microcode update is provided below.
 
-To enforce usage of the latest 06-5e-03 microcode revision for a specific kernel
-version, please create a file "force-intel-06-5e-03" inside
+To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
+version, please create a file "disallow-intel-06-5e-03" inside
 /lib/firmware/<kernel_version> directory, run
-"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
-where microcode will be available for late microcode update, and run
+"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
+where microcode is available for late microcode update, and run
 "dracut -f --kver <kernel_version>", so initramfs for this kernel version
-is regenerated and the microcode can be loaded early, for example:
+is regenerated, for example:
 
-    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-5e-03
+    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
     /usr/libexec/microcode_ctl/update_ucode
     dracut -f --kver 3.10.0-862.9.1
 
-After that, it is possible to perform a late microcode update by executing
-"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
-"/sys/devices/system/cpu/microcode/reload" directly.
-
-To enforce addition of this microcode for all kernels, please create file
-"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03", run
-"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
-and "dracut -f --regenerate-all" for enabling early microcode updates:
+To avoid  addition of the latest microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
+"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
+and "dracut -f --regenerate-all" for early microcode updates:
 
     mkdir -p /etc/microcode_ctl/ucode_with_caveats
-    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03
+    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
     /usr/libexec/microcode_ctl/update_ucode
     dracut -f --regenerate-all
 
diff --git a/SOURCES/06-8c-01_config b/SOURCES/06-8c-01_config
index c7c5d65..880a419 100644
--- a/SOURCES/06-8c-01_config
+++ b/SOURCES/06-8c-01_config
@@ -1,3 +1,3 @@
 model GenuineIntel 06-8c-01
 path intel-ucode/06-8c-01
-disable early late
+dependency required intel skip=success match-model-mode=off
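Review bot: This config passes `skip=success match-model-mode=off` to the dependency, while 06-5e-03_config, re-enabled in the same commit, uses the bare `dependency required intel`, and nothing in the file says why. A short comment would help, for example `## Run the "intel" check without model matching and treat a skipped result as success.`, followed by the reason this model needs it. That wording follows the option descriptions added to README.caveats in this commit; the reason itself is not visible in the diff.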
diff --git a/SOURCES/06-8c-01_readme b/SOURCES/06-8c-01_readme
index 05b1ab1..9625c42 100644
--- a/SOURCES/06-8c-01_readme
+++ b/SOURCES/06-8c-01_readme
@@ -1,7 +1,9 @@
 Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
-have reports of system hangs when a microcode update, that is included
-since microcode-20201110 update, is applied[1].  In order to address this,
-microcode update has been disabled by default on these systems.
+had reports of system hangs when a microcode update, that was included
+since microcode-20201110 update, was applied[1].  In order to address this,
+microcode update had been disabled by default on these systems.  The revision
+0x88 seems to have fixed the aforementioned issue, hence it is enabled
+by default (but can be disabled explicitly; see below).
 
 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
 
@@ -11,33 +13,40 @@ microcode revisions in question are listed below:
  * 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
 
 Please contact your system vendor for a BIOS/firmware update that contains
-the latest microcode version.
-
-The information regarding enforcing microcode update is provided below.
-
-To enforce usage of the latest 06-8c-01 microcode revision for a specific kernel
-version, please create a file "force-intel-06-8c-01" inside
+the latest microcode version.  For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
+   CVE-2020-8696 (Vector Register Leakage-Active),
+   CVE-2020-8698 (Fast Forward Store Predictor):
+   https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171
+
+The information regarding disabling microcode update is provided below.
+
+To disable 06-8c-01 microcode updates for a specific kernel
+version, please create a file "disallow-intel-06-8c-01" inside
 /lib/firmware/<kernel_version> directory, run
-"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
-where microcode will be available for late microcode update, and run
+"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
+directory where microcode is available for late microcode update, and run
 "dracut -f --kver <kernel_version>", so initramfs for this kernel version
-is regenerated and the microcode can be loaded early, for example:
+is regenerated, for example:
 
-    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-8c-01
+    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
     /usr/libexec/microcode_ctl/update_ucode
     dracut -f --kver 3.10.0-862.9.1
 
-After that, it is possible to perform a late microcode update by executing
-"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
-"/sys/devices/system/cpu/microcode/reload" directly.
-
-To enforce addition of this microcode for all kernels, please create file
-"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01", run
-"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
-and "dracut -f --regenerate-all" for enabling early microcode updates:
+To avoid addition of this microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
+"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
+and "dracut -f --regenerate-all" for early microcode updates:
 
     mkdir -p /etc/microcode_ctl/ucode_with_caveats
-    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01
+    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
     /usr/libexec/microcode_ctl/update_ucode
     dracut -f --regenerate-all
 
diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats
index d017d27..8db34b0 100644
--- a/SOURCES/README.caveats
+++ b/SOURCES/README.caveats
@@ -267,8 +267,9 @@ separated by white space.  Currently, the following options are supported:
    it fails (in accordance with "mode=success-all" semantics).  This check fails
    if "-m" option is not specified.
  * "dmi" performs checks for specific values available in DMI sysfs files
-   (present under /sys/devices/virtual/dmi/id/).  The check fails if file
-   is not readable.  If "-m" option is specified, then the actual check
+   (present under /sys/devices/virtual/dmi/id/).  The check (when it is actually
+   performed; see a not about "no-model-mode" below) fails if one of the files
+   is not readable.  If "-m" option is not specified, then the actual check
    is skipped, and the check returns value in accordance with "no-model-mode"
    parameter value (see below).  Check arguments are a white-space-separated
    list of "key=value" pairs.  The following keys are supported:
@@ -278,17 +279,30 @@ separated by white space.  Currently, the following options are supported:
       chassis_type, chassis_vendor, chassis_version, product_family,
       product_name, product_serial, product_uuid, product_version, sys_vendor.
       Default is empty string.
-    * "val" - a string to match DMI data against.  Can be enclosed in single
-      or double quotes.  Default is empty string.
-    * "mode" - check mode, the way matches are interpreted:
+    * "val" - a string to match DMI data present in "key" against.
+      Can be enclosed in single or double quotes.  Default is empty string.
+    * "keyval" - a pair of "key" and "val" values (with semantics described
+      above), separated with either "=", ":", "!=", or "!:" characters.  Enables
+      providing of multiple key-value pairs by means of supplying multiple
+      keyval= parameters.  The exclamation sign ("!") character in separator
+      enables negated matching (so, non-equality of the value in DMI "key" file
+      and the value of "val" is).  The match considered successful when all
+      the key/val (non-)equalities are in effect.  This parameter works
+      in addition to the pair provided in "key" and "val" parameters
+      (but allows to avoid using them).  Default is empty.
+    * "mode" - check mode, the way successful matches are interpreted:
        * "success-equal" - returns 0 if the value present in the file
          with the name supplied via the "key" parameter file under
 	 /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
-	 of "val" parameter, otherwise 1.
-       * "success-equal" - returns 1 if the value present in the file
+	 of "val" parameter and all the pairs provided in "keyval" parameters
+	 are equal and non-equal in accordance with their definition,
+	 otherwise 1.
+       * "fail-equal" - returns 1 if the value present in the file
          with the name supplied via the "key" parameter file under
 	 /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
-	 of "val" parameter, otherwise 0.
+	 of "val" parameter and all the pairs provided in "keyval" parameters
+	 are equal and non-equal in accordance with their definition,
+	 otherwise 0.
       Default is "success-any".
     * "no-model-mode" - return value if model filter ("-m" option)
       is not enabled:
@@ -300,6 +314,61 @@ separated by white space.  Currently, the following options are supported:
    It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its
    content is "Dell Inc." (without quotes).  It succeeds if "-m" option
    is not enabled.
+   Another example:
+       dmi mode=fail-equal keyval="sys_vendor=Amazon EC2" keyval="product_name=u-18tb1.metal"
+       dmi mode=fail-equal keyval="sys_vendor=Lenovo" keyval="product_name=ThinkSystem SR950"
+   It blocks the caveat from using when either both
+   /sys/devices/virtual/dmi/id/sys_vendor contains the string "Amazon EC2"
+   and /sys/devices/virtual/dmi/id/product_name contains the string
+   "u-18tb1.metal" or both /sys/devices/virtual/dmi/id/sys_vendor contains
+   the string "Lenovo" and /sys/devices/virtual/dmi/id/product_name contains
+   the string "ThinkSystem SR950", but enables caveat loading for other products
+   with the aforementioned /sys/devices/virtual/dmi/id/sys_vendor values,
+   for example.
+ * "dependency" allows conditional enablement of a caveat based on the check
+   status of some other caveat(s).  It has the following format:
+       dependency DEPENDENCY_TYPE DEPENDENCY_NAME [OPTION...]
+   where DEPENDENCY_NAME is the configuration to be checked, OPTIONs
+   are per-DEPENDENCY_TYPE, and the only DEPENDENCY_TYPE that is supported
+   currently is "required".
+   Options for the "required" dependency type:
+    * "match-model-mode" - whether model matching mode ("-m" option)
+      has to be used for the nested configuration check. Possible values:
+       * "on" - model-matching mode is always used during the nested check;
+       * "off" - model-matching mode is never used during the nested check;
+       * "same" - used the same model-matching mode as it is now.
+      Default is "same".
+    * "skip" - controls result of the check when the nested check indicated
+      skipping of the configuration.
+       * "fail" - the dependent check fails;
+       * "success" - the dependent check succeeds;
+       * "skip" - the dependent check indicates that the configuration
+         is to be skipped.
+      Default is "skip".
+    * "force-skip" - controls result of the check when the nested check
+      indicated skipping of the configuration caused by the presence
+      of an override file (see "check_caveats script" section for details).
+       * "fail" - the dependent check fails;
+       * "success" - the dependent check succeeds;
+       * "skip" - the dependent check indicates that the configuration
+         is to be skipped.
+      Default is "skip".
+    * "nesting-too-deep" - as a measure against dependency loop, configuration
+      checking logic implements nesting limit on dependency checks (currently
+      set at 8).  This option controls the behaviour of the check
+      when the nested check cannot be performed due to this limit.
+       * "fail" - the dependent check fails;
+       * "success" - the dependent check succeeds;
+       * "skip" - the dependent check indicates that the configuration
+         is to be skipped.
+      Default is "fail".
+   An example of a check:
+       dependency required intel skip=success match-model-mode=off
+   It checks "intel" caveat configuration (see the "Early microcode load
+   inside a virtual machine" section) with model-matching mode being disabled,
+   treats skipping of the configuration as a success (unless the configuration
+   is forced to be skipped, in that case the dependent configuration
+   is to be skipped as well).
 
 
 check_caveats script
@@ -536,6 +605,8 @@ Caveat name: intel-06-4f-01
 
 Affected microcode: intel-ucode/06-4f-01.
 
+Dependencies: intel
+
 Mitigation: microcode loading is disabled for the affected CPU model.
 
 Minimum versions of the kernel package that contain the aforementioned patch
@@ -564,6 +635,8 @@ Caveat name: intel
 
 Affected microcode: all.
 
+Dependencies: (none)
+
 Mitigation: early microcode loading is disabled for all CPU models on kernels
 without the fix.
 
@@ -600,6 +673,8 @@ Caveat name: intel-06-2d-07
 
 Affected microcode: intel-ucode/06-2d-07.
 
+Dependencies: intel
+
 Mitigation: None; the latest revision of the microcode file is used by default;
 previously published microcode revision 0x714 is still available as a fallback
 as part of "intel" caveat.
@@ -629,44 +704,73 @@ Caveat name: intel-06-55-04
 
 Affected microcode: intel-ucode/06-55-04.
 
+Dependencies: intel
+
 Mitigation: None; the latest revision of the microcode file is used by default;
 previously published microcode revision 0x2000064 is still available
 as a fallback as part of "intel" caveat.
 
 
-Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats
-----------------------------------------
-Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3;
-and SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of system
-hangs when revision 0xdc of microcode, that is included in microcode-20200609
-update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549,
-is applied[1][2].  In order to address this, microcode update to the newer
-revision has been disabled by default on these systems, and the previously
-published microcode revision 0xd6 is used instead; the newer microcode files,
-however, are still shipped as part of microcode_ctl package and can be used
-for performing a microcode update if they are enforced via the aforementioned
-overrides.  (See the sections "check_caveats script" and "reload_microcode
-script" for details.)
+Intel Skylake-U/Y caveat
+------------------------
+Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
+have reports of system hangs when revision 0xdc of microcode, that is included
+in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
+and CVE-2020-0549, is applied[1].  In order to address this, microcode update
+to the newer revision has been disabled by default on these systems,
+and the previously published microcode revision 0xd6 is used instead; the newer
+microcode files, however, are still shipped as part of microcode_ctl package
+and can be used for performing a microcode update if they are enforced
+via the aforementioned overrides.  (See the sections "check_caveats script"
+and "reload_microcode script" for details.)
 
 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
-[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
 
-Caveat names: intel-06-4e-03, intel-06-5e-03
+Caveat name: intel-06-4e-03
 
-Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03.
+Affected microcode: intel-ucode/06-4e-03
+
+Dependencies: intel
 
 Mitigation: previously published microcode revision 0xd6 is used by default.
 
 
+Intel Skylake-H/S/Xeon E3 v5 caveat
+-----------------------------------
+Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
+stepping 3) had reports of system hangs when revision 0xdc of microcode,
+that is included in microcode-20200609 update to address CVE-2020-0543,
+CVE-2020-0548, and CVE-2020-0549, was applied[1].  In order to address this,
+microcode update to the newer revision had been disabled by default on these
+systems, and the previously published microcode revision 0xd6 was used instead.
+The revision 0xea seems[2] to have fixed the aforementioned issue, hence
+the latest microcode revision usage it is enabled by default,
+but can be disabled explicitly via the aforementioned overrides.  (See
+the sections "check_caveats script" and "reload_microcode script" for details.)
+
+[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
+[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
+
+Caveat names: intel-06-5e-03
+
+Affected microcode: intel-ucode/06-5e-03.
+
+Dependencies: intel
+
+Mitigation: None; the latest revision of the microcode file is used by default;
+previously published microcode revision 0xd6 is still available as a fallback
+as part of "intel" caveat.
+
+
 Intel Tiger Lake-UP3/UP4 caveat
 -------------------------------
 Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140,
-stepping 1) have reports of system hangs when a microcode update,
-that is included since microcode-20201110 release, is applied[1].
-In order to address this, microcode update to a newer revision has been disabled
-by default on these systems; the newer microcode file, however, is still shipped
-as a part of microcode_ctl package and can be used for performing a microcode
-update if it is enforced via the aforementioned overrides.  (See the sections
+stepping 1) had reports of system hangs when a microcode update,
+that was included since microcode-20201110 release, was applied[1].
+In order to address this, microcode update to a newer revision had been disabled
+by default on these systems.  The revision 0x88 seems to have fixed
+the aforementioned issue, hence it is enabled by default; however, it is still
+can be disabled via the aforementioned overrides.  (See the sections
 "check_caveats script" and "reload_microcode script" for details.)
 
 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
@@ -675,7 +779,9 @@ Caveat names: intel-06-8c-01
 
 Affected microcode: intel-ucode/06-8c-01.
 
-Mitigation: microcode loading is disabled for the affected CPU model.
+Dependencies: intel
+
+Mitigation: None; the latest revision of the microcode file is used by default.
 
 
 
@@ -710,3 +816,8 @@ Intel CPU vulnerabilities is available in the following knowledge base articles:
    CVE-2020-8696 (Vector Register Leakage-Active),
    CVE-2020-8698 (Fast Forward Store Predictor):
    https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171
diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats
index 7612e69..b821160 100755
--- a/SOURCES/check_caveats
+++ b/SOURCES/check_caveats
@@ -9,6 +9,8 @@
 : ${FW_DIR=/lib/firmware}
 : ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}
 
+MAX_NESTING_LEVEL=8
+
 usage() {
 	echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]'
 	echo '                     [-m] [-v]'
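Review bot: `MAX_NESTING_LEVEL=8` is added without a comment and is assigned unconditionally, unlike `FW_DIR` and `CFG_DIR` just above, which use the `: ${VAR=default}` form and can be overridden from the environment. If the fixed value is deliberate, the line should say so, e.g. `# Nesting limit for "dependency" checks (guards against dependency loops); intentionally not overridable.` The usage() body that follows continues outside the hunk.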
@@ -261,7 +263,7 @@ check_pci_config_val()
 # It is needed for filtering by BIOS vendor name that is available in DMI data
 #
 # $1 - params in config file, space-separated, in key=value form:
-#   key= - DMI value to check. Can be one of the following: bios_date,
+#   key= - DMI data record to check. Can be one of the following: bios_date,
 #          bios_vendor, bios_version, board_asset_tag, board_name, board_serial,
 #          board_vendor, board_version, chassis_asset_tag, chassis_serial,
 #          chassis_type, chassis_vendor, chassis_version, product_family,
@@ -269,24 +271,31 @@ check_pci_config_val()
 #          sys_vendor.
 #   val= - a string to match DMI data against.  Can be enclosed in single
 #          or double quotes.
+#   keyval= - a string of format "KEY(!)?[=:]VAL" (so, one of "KEY=VAL",
+#             "KEY!=VAL", "KEY:VAL", "KEY!:VAL") that allows providing
+#             a key-value pair in a single parameter.  It is possible to provide
+#             multiple keyval= parameters.  "!" before :/= means negated match.
+#             The action supplied in the mode= parameter is executed upon
+#             successful (non-)matching of all the keyval pairs (as well
+#             as the pair provided in a pair of key= and val= parameters).
 #   mode=success-equal [ success-equal, fail-equal ] - matching mode:
-#     success-equal: Returns 0 if the value present in the corresponding file
-#                    under /sys/devices/virtual/dmi/id/<key> is equal
-#                    to the value supplied as a value of "val" parameter,
-#                    otherwise 1.
-#     fail-equal:    Returns 1 if the value present in the corresponding file
-#                    under /sys/devices/virtual/dmi/id/<key> is equal
-#                    to the value supplied as a value of "val" parameter,
-#                    otherwise 0.
+#     success-equal: Returns 0 if the all values present in the corresponding
+#                    files under /sys/devices/virtual/dmi/id/<KEY> are equal
+#                    (or not equal in case of a keyval= with negated match)
+#                    to the respective values supplied as the values
+#                    of the keyval= parameters or the pair of key= vand val=
+#                    parameters, otherwise 1.
+#     fail-equal:    Returns 1 if all the values present in DMI files in sysfs
+#                    match (as described above), otherwise 0.
 #   no-model-mode=success [ success, fail ] - return value if model filter
 #                                             is not enabled:
 #     success: Return 0.
 #     fail:    Return 1.
 # $2 - whether model filter is engaged (if it is not '1', just return the result
-#      based on "mode" value that assumes that the check has failed).
+#      based on "no-model-mode" value).
 check_dmi_val()
 {
-	local key= val= mode='success-equal' nm_mode='success'
+	local key= val= keyval= keyvals= mode='success-equal' nm_mode='success'
 	local opts="${1:-}" opt= opt_=
 	local match_model="${2:-0}"
 
@@ -305,21 +314,44 @@ check_dmi_val()
 		# Handle possible quoting
 		[ "x${opt#val=}" = "x${opt}" ] || {
 			case "${opt#val=}" in
-			[']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val=\'${val}\'" ;;
-			["]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;;
+			[\']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val='${val}'" ;;
+			[\"]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;;
 			*)    val="${opt#val=}" ;;
 			esac
 		}
+		[ "x${opt#keyval=}" = "x${opt}" ] || {
+			case "${opt#keyval=}" in
+			[\']*)
+				opt_="${opts#keyval=\'}"
+				keyval="${opt_%%\'*}"
+				opt="keyval='${keyval}'"
+				keyvals="${keyvals}
+					${keyval}"
+				;;
+			[\"]*)
+				opt_="${opts#keyval=\"}"
+				keyval="${opt_%%\"*}"
+				opt="keyval=\"${keyval}\""
+				keyvals="${keyvals}
+					${keyval}"
+				;;
+			*)
+				keyvals="${keyvals}
+					${opt#keyval=}"
+				;;
+			esac
+		}
 
 		opts="${opts#"${opt}"}"
 		continue
 	done
 
-	# Check key for validity
-	[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
-		debug "Invalid \"key\" parameter value: \"${key}\""
+	[ -z "$key" -a -z "$val" ] || keyvals="${key}=${val}${keyvals}"
+
+	[ -n "x${keyvals}" ] || {
+		debug "Neither key=, val=, nor keyval= parameters were privoded"
 		echo 2
-		exit
+		return
 	}
 
 	[ 1 = "$match_model" ] || {
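Review bot: The new guard `[ -n "x${keyvals}" ]` can never fail, because the literal `x` prefix makes the tested string non-empty, so the "Neither key=, val=, nor keyval=" error branch is unreachable. With the model filter engaged, a `dmi` line that supplies no pairs then reaches the matching loop added in the next hunk with nothing to compare and falls through to the "all matched" result, so an empty filter passes under `success-equal`. Test the value itself, `[ -n "${keyvals}" ] || {`, and fix the spelling in the message while there (`provided`). check_dmi_val starts before this hunk and continues after it.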
@@ -332,23 +364,171 @@ check_dmi_val()
 			;;
 		esac
 
-		exit
+		return
 	}
 
-	[ -r "/sys/devices/virtual/dmi/id/${key}" ] || {
-		debug "Can't access /sys/devices/virtual/dmi/id/${key}"
-		echo 3
-		exit
-	}
+	case "$mode" in
+	success-equal|fail-equal) ;;
+	*) debug "Invalid mode value: \"${nm_mode}\""; echo 2; return ;;
+	esac
 
-	file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")"
+	printf "%s\n" "${keyvals}" | (
+		while read l; do
+			[ -n "$l" ] || continue
+			key="${l%%[=:]*}"
+			val="${l#${key}[=:]}"
+
+			cmp="="
+			[ "x${key%!}" = "x${key}" ] || {
+				cmp="!="
+				key="${key%!}"
+			}
+
+			# Check key for validity
+			[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
+				debug "Invalid \"key\" parameter value: \"${key}\""
+				echo 2
+				return
+			}
+
+			[ -r "/sys/devices/virtual/dmi/id/${key}" ] || {
+				debug "Can't access /sys/devices/virtual/dmi/id/${key}"
+				echo 3
+				return
+			}
+
+			file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")"
+
+			[ "x${val}" "${cmp}" "x${file_val}" ] || {
+				case "$mode" in
+				success-equal) echo 1 ;;
+				fail-equal)    echo 0 ;;
+				esac
+
+				return
+			}
+		done
 
-	[ "x${val}" = "x${file_val}" ] || success=0
+		case "$mode" in
+		success-equal) echo 0 ;;
+		fail-equal)    echo 1 ;;
+		esac
+	)
+}
 
-	case "$mode" in
-	success-equal) echo "$((1 - $success))" ;;
-	fail-equal)    echo "${success}" ;;
-	*)             debug "Invalid mode value: \"${nm_mode}\""; echo 2 ;;
+# check_dependency CURLEVEL DEP_TYPE DEP_NAME OPTS
+# DEP_TYPE:
+#   required - caveat can be enabled only if dependency is enabled
+#              (is not forcefully disabled and meets caveat conditions)
+# OPTS:
+#   match-model-mode=same [ on, off, same ] - what mode matching mode is to be used for dependency
+#   skip=skip [ fail, skip, success ]
+#   force-skip=skip [ fail, skip, success ]
+#   nesting-too-deep=fail [ fail, skip, success ]
+# Return values:
+#   0 - success
+#   1 - fail
+#   2 - skip
+#   9 - error
+check_dependency()
+{
+	local cur_level="$1"
+	local dep_type="$2"
+	local dep_name="$3"
+	local match_model_mode=same old_match_model="${match_model}"
+	local skip=skip
+	local force_skip=skip
+	local nesting_too_deep=fail
+
+	local check="Dependency check for ${dep_type} ${dep_name}"
+
+	set -- ${4:-}
+	while [ "$#" -gt 0 ]; do
+		[ "x${1#match-model-mode=}" = "x${1}" ] || match_model_mode="${1#match-model-mode=}"
+		[ "x${1#skip=}" = "x${1}" ] || skip="${1#skip=}"
+		[ "x${1#force-skip=}" = "x${1}" ] || force_skip="${1#force-skip=}"
+		[ "x${1#nesting-too-deep=}" = "x${1}" ] || nesting_too_deep="${1#nesting-too-deep=}"
+
+		shift
+	done
+
+	case "${dep_type}" in
+	required)
+		[ "x${dep_name%/*}" = "x${dep_name}" ] || {
+			debug "${check} error: dependency name (${dep_name})" \
+			      "cannot contain slashes"
+			echo 9
+			return
+		}
+
+		[ "${MAX_NESTING_LEVEL}" -ge "$cur_level" ] || {
+			local reason="nesting level is too deep (${cur_level}) and nesting-too-deep='${nesting_too_deep}'"
+
+			case "$nesting_too_deep" in
+			success) debug "${check} succeeded: ${reason}"; echo 0 ;;
+			fail)    debug "${check} failed: ${reason}"; echo 1 ;;
+			skip)    debug "${check} skipped: ${reason}"; echo 2 ;;
+			*)       debug "${check} error: invalid" \
+				       "nesting-too-deep mode" \
+				       "(${nesting_too_deep})"; echo 9 ;;
+			esac
+
+			return
+		}
+
+		case "${match_model_mode}" in
+		same) ;;
+		on)   match_model=1 ;;
+		off)  match_model=0 ;;
+		*)
+			debug "${check} error: invalid match-model-mode" \
+			      "(${match_model_mode})"
+			echo 9
+			return
+			;;
+		esac
+
+		local result=0
+		debug "${check}: calling check_caveat '${dep_name}'" \
+		      "'$(($cur_level + 1))' match_model=${match_model}"
+		check_caveat "${dep_name}" "$(($cur_level + 1))" > /dev/null || result="$?"
+
+		match_model="${old_match_model}"
+
+		case "${result}" in
+		0) debug "${check} succeeded: result=${result}"; echo "${result}" ;;
+		1) debug "${check} failed: result=${result}"; echo "${result}" ;;
+		2)
+			local reason="result=${result} and skip='${skip}'"
+
+			case "${skip}" in
+			success) debug "${check} succeeded: ${reason}"; echo 0 ;;
+			fail)    debug "${check} failed: ${reason}"; echo 1 ;;
+			skip)    debug "${check} skipped: ${reason}"; echo 2 ;;
+			*)       debug "${check} error: unexpected skip=" \
+				       "setting (${skip})"; echo 9 ;;
+			esac
+			;;
+		3)
+			local reason="result=${result} and force_skip='${force_skip}'"
+
+			case "${force_skip}" in
+			success) debug "${check} succeeded: ${reason}"; echo 0 ;;
+			fail)    debug "${check} failed: ${reason}"; echo 1 ;;
+			skip)    debug "${check} skipped: ${reason}"; echo 2 ;;
+			*)       debug "${check} error: unexpected force-skip=" \
+				       "setting (${skip})"; echo 9 ;;
+			esac
+			;;
+		*)
+			debug "${check} error: unexpected check_caveat result" \
+			      "(${result})"; echo 9 ;;
+		esac
+		;;
+	*)
+		debug "${check} error: unknown dependency type '${dep_type}'"
+		echo 9
+		;;
 	esac
 }
 
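Review bot: Two diagnostics in this hunk print a different variable from the one that was rejected: the mode check in check_dmi_val reports `${nm_mode}` for an invalid `mode`, and the `force-skip` error branch in check_dependency reports `${skip}`. Anyone using the debug output to trace why a microcode caveat was refused is pointed at a setting that was in fact valid. The lines should read `*) debug "Invalid mode value: \"${mode}\""; echo 2; return ;;` and `"setting (${force_skip})"; echo 9 ;;`. check_dmi_val begins before this hunk, while check_dependency is fully inside it.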
@@ -400,23 +580,6 @@ get_mc_ver()
 	/bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
 }
 
-# fail [CHECK_ONLY]
-fail()
-{
-	check_only="${1:-0}"
-	[ 0 = "$check_only" ] || return
-
-	ret=1
-
-	fail_cfgs="$fail_cfgs $cfg"
-	fail_paths="$fail_paths $cfg_path"
-
-	[ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \
-		|| /bin/cat "${dir}/disclaimer"
-}
-
-#check_kver "$@"
-#get_model_name
 
 match_model=0
 configs=
@@ -477,22 +640,21 @@ else
 	stage="late"
 fi
 
-# check_caveat CFG [CHECK_ONLY]
+# check_caveat CFG [CHECK_LEVEL]
 # changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs,
-# skip_cfgs if CHECK_ONLY is set to 0 (default).
+# skip_cfgs if CHECK_LEVEL is set to 0 (default).
+# CHECK_LEVEL is used for recursive configuration dependency checks,
+# and indicates nesting level.
 # Return value:
 #  0 - check is successful
 #  1 - check has been failed
 #  2 - configuration has been skipped
+#  3 - configuration has been skipped due to presence of an override file
 check_caveat() {
 	local cfg="$1"
-	local check_only="${2:-0}"
+	local check_level="${2:-0}"
 	local dir="$MC_CAVEATS_DATA_DIR/$cfg"
 
-	# We add cfg to the skip list first and then, if we do not skip it,
-	# we remove the configuration from the list.
-	[ 0 != "$check_only" ] || skip_cfgs="$skip_cfgs $cfg"
-
 	[ -r "${dir}/readme" ] || {
 		debug "File 'readme' in ${dir} is not found, skipping"
 		return 2
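Review bot: The header comment still says check_caveat changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs and skip_cfgs when CHECK_LEVEL is 0, but the assignments to those lists that are visible in this diff are all removed from the function and moved to the caller's loop. The comment also omits the new output contract: the function now writes `$cfg_path` to stdout (the `echo` added further down in the same function) and the caller captures it with a command substitution. I would replace the two "changes ..." lines with `# Prints the configuration's path on stdout for the caller to capture; nothing else in this function may write to stdout.` and keep the CHECK_LEVEL description. The function body continues past the end of this hunk.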
@@ -512,6 +674,7 @@ check_caveat() {
 	local cfg_disable=
 	local cfg_pci=
 	local cfg_dmi=
+	local cfg_dependency=
 
 	local key
 	local value
@@ -547,6 +710,10 @@ check_caveat() {
 			cfg_dmi="$cfg_dmi
 				$value"
 			;;
+		dependency)
+			cfg_dependency="$cfg_dependency
+				$value"
+			;;
 		'#'*|'')
 			continue
 			;;
@@ -558,6 +725,7 @@ check_caveat() {
 	done < "${dir}/config"
 
 	debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'"
+	echo "$cfg_path"
 
 	# Check for override files in the following order:
 	#  - disallow early/late specific caveat for specific kernel
@@ -619,7 +787,7 @@ check_caveat() {
 	[ 0 -eq "$ignore_cfg" ] || {
 		debug "Configuration \"$cfg\" is ignored due to presence of" \
 		      "\"$override_file\"."
-		return 2
+		return 3
 	}
 
 	# Check model if model filter is enabled
@@ -667,29 +835,51 @@ check_caveat() {
 		}
 	fi
 
-	# Check configuration files
-
-	[ 0 != "$check_only" ] || {
-		ret_cfgs="$ret_cfgs $cfg"
-		ret_paths="$ret_paths $cfg_path"
-		skip_cfgs="${skip_cfgs% $cfg}"
-	}
-
+	# Has to be performed before dependency checks
 	[ 0 -eq "$force_cfg" ] || {
 		debug "Checks for configuration \"$cfg\" are ignored due to" \
 		      "presence of \"$override_file\"."
 
-		[ 0 != "$check_only" ] || {
-			ok_cfgs="$ok_cfgs $cfg"
-			ok_paths="$ok_paths $cfg_path"
-		}
-
 		return 0
 	}
 
+	# Check dependencies
+	# It has to be performed here (before adding configuration
+	# to $ret_cfgs/$ret_paths) since it may be skipped.
+	if [ -n "$cfg_dependency" ]; then
+		dep_line="$(printf "%s\n" "$cfg_dependency" | \
+			while read -r dep_type dep_name dep_opts
+			do
+				[ -n "$dep_type" ] || continue
+				dep_res=$(check_dependency "$check_level" \
+							   "$dep_type" \
+							   "$dep_name" \
+							   "$dep_opts")
+				[ 0 != "$dep_res" ] || continue
+				echo "$dep_res $dep_type $dep_name $dep_opts"
+				break
+			done
+			echo "0 ")"
+
+		case "${dep_line%% *}" in
+		0) ;;
+		2)
+			debug "Dependency check '${dep_line#* }'" \
+			      "induced configuration skip"
+			return 2
+			;;
+		*)
+			debug "Dependency check '${dep_line#* }'" \
+			      "failed (with return code ${dep_line%% *})"
+			return 1
+			;;
+		esac
+	fi
+
+	# Check configuration files
+
 	[ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || {
 		debug "${cfg}: caveat is disabled in configuration"
-		fail "$check_only"
 		return 1
 	}
 
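Review bot: `dep_line` is assigned in this hunk without a `local` declaration, unlike `cfg_dependency` and the other per-configuration variables, even though check_caveat is now re-entered through check_dependency. The nested call currently runs inside a command substitution, so the outer value is not overwritten today, but that follows from how the call happens to be made rather than from anything the function guarantees. Declaring it beside the other locals, `local dep_line=`, keeps the function safe if the call is ever made directly. check_caveat starts and ends outside this hunk.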
@@ -698,7 +888,6 @@ check_caveat() {
 		check_kver "$kver" $cfg_kvers || {
 			debug "${cfg}: late load kernel version check for" \
 			      " '$kver' against '$cfg_kvers' failed"
-			fail "$check_only"
 			return 1
 		}
 	fi
@@ -708,7 +897,6 @@ check_caveat() {
 		check_kver "$kver" $cfg_kvers_early || {
 			debug "${cfg}: early load kernel version check for" \
 			      "'$kver' against '$cfg_kvers_early' failed"
-			fail "$check_only"
 			return 1
 		}
 	fi
@@ -722,7 +910,6 @@ check_caveat() {
 			debug "${cfg}: CPU microcode version $cpu_mc_ver" \
 			      "failed check (should be at least" \
 			      "${cfg_mc_min_ver_late})"
-			fail "$check_only"
 			return 1
 		}
 	fi
@@ -744,14 +931,14 @@ check_caveat() {
 		[ -z "${pci_line#* }" ] || {
 			debug "PCI configuration word check '${pci_line#* }'" \
 			      "failed (with return code ${pci_line%% *})"
-			fail "$check_only"
 			return 1
 		}
 	fi
 
 	# Check DMI data if model filter is enabled
-	# Note that the model filter check is done inside check_pci_config_val
-	# based on the 'mode=' parameter.
+	# Note that the model filter check is done inside check_dmi_val
+	# (which returns the value of 'no-model-mode=' parameter
+	# if it is disenaged).
 	if [ -n "$cfg_dmi" ]; then
 		dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line
 			do
@@ -767,21 +954,43 @@ check_caveat() {
 		[ -z "${dmi_line#* }" ] || {
 			debug "DMI data check '${dmi_line#* }'" \
 			      "failed (with return code ${dmi_line%% *})"
-			fail "$check_only"
 			return 1
 		}
 	fi
 
-	[ 0 != "$check_only" ] || {
-		ok_cfgs="$ok_cfgs $cfg"
-		ok_paths="$ok_paths $cfg_path"
-	}
-
 	return 0
 }
 
 for cfg in $(echo "${configs}"); do
-	check_caveat "$cfg" || :
+	if cfg_path=$(check_caveat "$cfg"; exit "$?")
+	then
+		ret_cfgs="$ret_cfgs $cfg"
+		ret_paths="$ret_paths $cfg_path"
+		ok_cfgs="$ok_cfgs $cfg"
+		ok_paths="$ok_paths $cfg_path"
+	else
+		case "$?" in
+		1)
+			ret=1
+
+			ret_cfgs="$ret_cfgs $cfg"
+			ret_paths="$ret_paths $cfg_path"
+			fail_cfgs="$fail_cfgs $cfg"
+			fail_paths="$fail_paths $cfg_path"
+
+			[ 0 -eq "$print_disclaimers" ] \
+				|| [ ! -e "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" ] \
+				|| /bin/cat "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer"
+			;;
+		2|3)
+			skip_cfgs="$skip_cfgs $cfg";
+			;;
+		*)
+			debug "Unexpected check_caveat return code '$?'" \
+			      "for config '$cfg'"
+			;;
+		esac
+	fi
 done
 
 [ 0 -eq "$print_disclaimers" ] || exit 0
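Review bot: A return code other than 0, 1, 2 or 3 only produces a debug line in the `*)` branch: the configuration lands in none of the ok, fail or skip lists and `ret` is left unchanged, so an unexpected failure of check_caveat is invisible to whatever consumes those lists. If such codes are meant to count as failures, the branch should record them, `ret=1` and `fail_cfgs="$fail_cfgs $cfg"`. The branch also re-reads `$?` after the `case` has begun, which holds only while no command is inserted before it; saving it first with `rc="$?"` and switching on `"$rc"` removes that dependency.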
diff --git a/SOURCES/codenames.list b/SOURCES/codenames.list
index 8dd68ab..f2eaa75 100644
--- a/SOURCES/codenames.list
+++ b/SOURCES/codenames.list
@@ -305,7 +305,7 @@ Mobile;;Comet Lake;R1;20;a0652;CML;H;Core Gen10 Mobile;
 Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop;
 Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop;
 Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile;
-Mobile;;Comet Lake;K0;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile;
+Mobile;;Comet Lake;K1;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile;
 Desktop;;Rocket Lake;B0;02;a0671;RKL;S;Core Gen11;
 SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology;
 
diff --git a/SOURCES/microcode_ctl-use-microcode-20210525-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20210525-tgz.patch
deleted file mode 100644
index ab129a4..0000000
--- a/SOURCES/microcode_ctl-use-microcode-20210525-tgz.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: microcode_ctl-2.1-18/Makefile
-===================================================================
---- microcode_ctl-2.1-18.orig/Makefile	2018-07-24 09:15:12.463115045 +0200
-+++ microcode_ctl-2.1-18/Makefile	2018-08-09 06:18:45.524503945 +0200
-@@ -8,7 +8,7 @@
- # 2 of the License, or (at your option) any later version.
- 
- PROGRAM         = intel-microcode2ucode
--MICROCODE_INTEL = microcode-20180703.tgz
-+MICROCODE_INTEL = microcode-20210525.tar.gz
- 
- INS             = install
- CC              = gcc
diff --git a/SOURCES/microcode_ctl-use-microcode-20210608-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20210608-tgz.patch
new file mode 100644
index 0000000..ebf634d
--- /dev/null
+++ b/SOURCES/microcode_ctl-use-microcode-20210608-tgz.patch
@@ -0,0 +1,13 @@
+Index: microcode_ctl-2.1-18/Makefile
+===================================================================
+--- microcode_ctl-2.1-18.orig/Makefile	2018-07-24 09:15:12.463115045 +0200
++++ microcode_ctl-2.1-18/Makefile	2018-08-09 06:18:45.524503945 +0200
+@@ -8,7 +8,7 @@
+ # 2 of the License, or (at your option) any later version.
+ 
+ PROGRAM         = intel-microcode2ucode
+-MICROCODE_INTEL = microcode-20180703.tgz
++MICROCODE_INTEL = microcode-20210608.tar.gz
+ 
+ INS             = install
+ CC              = gcc
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec
index 96fd7d8..811a078 100644
--- a/SPECS/microcode_ctl.spec
+++ b/SPECS/microcode_ctl.spec
@@ -1,5 +1,5 @@
 %define upstream_version 2.1-18
-%define intel_ucode_version 20210525
+%define intel_ucode_version 20210608
 
 %define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats
 %define microcode_ctl_libexec %{_libexecdir}/microcode_ctl
@@ -21,14 +21,13 @@
 Summary:        Tool to transform and deploy CPU microcode update for x86.
 Name:           microcode_ctl
 Version:        2.1
-Release:        73.9%{?dist}
+Release:        73.11%{?dist}
 Epoch:          2
 Group:          System Environment/Base
 License:        GPLv2+ and Redistributable, no modification permitted
 URL:            https://pagure.io/microcode_ctl
 Source0:        https://releases.pagure.org/microcode_ctl/%{name}-%{upstream_version}.tar.xz
-#Source1:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
-Source1:        microcode-%{intel_ucode_version}.tar.gz
+Source1:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
 # (Pre-MDS) revision 0x714 of 06-2d-07 microcode
 Source2:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07
 
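Review bot: Source1 now names a GitHub `/archive/` URL, and nothing in this hunk states what the downloaded tarball is expected to be; the integrity of the microcode archive rests on a checksum kept outside the spec, which this hunk does not show. Because this source carries CPU microcode, I would record the expected digest next to the URL so a refreshed download can be compared by anyone reading the spec, for example `# sha256: <EXPECTED_SHA256_PLACEHOLDER>` (placeholder; the value is not on this page). Archives generated from a tag may not stay byte-identical over time, so a recorded digest also makes a changed download distinguishable from a tampered one.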
@@ -99,6 +98,7 @@ Source151:      06-5e-03_config
 Source152:      06-5e-03_disclaimer
 
 # TGL-UP3/UP4 (CPUID 06-8c-01) hangs
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
 Source180:      06-8c-01_readme
 Source181:      06-8c-01_config
 Source182:      06-8c-01_disclaimer
@@ -552,6 +552,17 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Fri Jul 23 2021 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-73.11
+- Update Intel CPU microcode to microcode-20210608 release:
+  - Fixes in releasenote.md file.
+
+* Fri Jul 23 2021 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-73.10
+- Make intel-06-2d-07, intel-06-4e-03, intel-06-4f-01, intel-06-55-04,
+  intel-06-5e-03, intel-06-8c-01, intel-06-8e-9e-0x-0xca,
+  and intel-06-8e-9e-0x-dell caveats dependent on intel caveat.
+- Enable 06-8c-01 microcode update by default.
+- Enable 06-5e-03 microcode update by default (#1897684).
+
 * Thu May 27 2021 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-73.9
 - Update Intel CPU microcode to microcode-20210525 release, addresses
   CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, and CVE-2020-24513