diff --git a/.gitignore b/.gitignore
index 2db0108..d6a7b0b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,6 @@ SOURCES/06-2d-07
 SOURCES/06-4e-03
 SOURCES/06-55-04
 SOURCES/06-5e-03
-SOURCES/06-8c-01
 SOURCES/microcode-20190918.tar.gz
 SOURCES/microcode-20191115.tar.gz
-SOURCES/microcode-20210216.tar.gz
+SOURCES/microcode-20210608.tar.gz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index 46dfad3..19f5d82 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -2,7 +2,6 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
 06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03
 2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
-2204a6dee1688980cd228268fdf4b6ed5904fe04 SOURCES/06-8c-01
 bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
 774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
-26608161d98c3d0c965fc41856520434b14c000d SOURCES/microcode-20210216.tar.gz
+68f7344d874d50f4c8d836f01abc497707d0baa2 SOURCES/microcode-20210608.tar.gz
diff --git a/SOURCES/06-2d-07_config b/SOURCES/06-2d-07_config
index 979455d..99a8ed7 100644
--- a/SOURCES/06-2d-07_config
+++ b/SOURCES/06-2d-07_config
@@ -1,13 +1,3 @@
 model GenuineIntel 06-2d-07
 path intel-ucode/06-2d-07
-## The "kernel_early" statements are carried over from the intel caveat config
-## in order to avoid enabling this newer microcode on these problematic kernels;
-## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
-## (That also means that this caveat has to be enforced separately on these
-## kernels.)
-kernel_early 4.10.0
-kernel_early 3.10.0-930
-kernel_early 3.10.0-862.14.1
-kernel_early 3.10.0-693.38.1
-kernel_early 3.10.0-514.57.1
-kernel_early 3.10.0-327.73.1
+dependency required intel
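Review bot: The `dependency required intel` line that replaces the six `kernel_early` entries carries no comment, while the removed block explained why those kernels were excluded and that the caveat had to be enforced separately on them. If the kernel restrictions are now meant to come from the intel caveat through the dependency (that config is not part of this diff, so this is an assumption), say so above the new line, for example `## Kernel version restrictions are inherited from the "intel" caveat via this dependency; see README.caveats, "dependency".` The same applies to the identical replacement in SOURCES/06-55-04_config and SOURCES/06-8e-9e-0x-dell_config.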
diff --git a/SOURCES/06-4e-03_config b/SOURCES/06-4e-03_config
index bee51b2..7c0e333 100644
--- a/SOURCES/06-4e-03_config
+++ b/SOURCES/06-4e-03_config
@@ -1,3 +1,4 @@
 model GenuineIntel 06-4e-03
 path intel-ucode/06-4e-03
+dependency required intel
 disable early late
diff --git a/SOURCES/06-4e-03_readme b/SOURCES/06-4e-03_readme
index 49373e2..13cb72a 100644
--- a/SOURCES/06-4e-03_readme
+++ b/SOURCES/06-4e-03_readme
@@ -13,6 +13,7 @@ microcode revisions in question are listed below:
  * 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e
  * 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c
  * 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366
+ * 06-4e-03, revision 0xea: 5a54cab9f22f69b819d663e5747ed6ea2a326c55
 
 Please contact your system vendor for a BIOS/firmware update that contains
 the latest microcode version.  For the information regarding microcode versions
@@ -40,6 +41,11 @@ to the following knowledge base articles:
    CVE-2020-8696 (Vector Register Leakage-Active),
    CVE-2020-8698 (Fast Forward Store Predictor):
    https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171
 
 The information regarding enforcing microcode update is provided below.
 
diff --git a/SOURCES/06-4f-01_config b/SOURCES/06-4f-01_config
index f589fbf..f987150 100644
--- a/SOURCES/06-4f-01_config
+++ b/SOURCES/06-4f-01_config
@@ -11,11 +11,5 @@ kernel 2.6.32-573.58.1
 kernel 2.6.32-504.71.1
 kernel 2.6.32-431.90.1
 kernel 2.6.32-358.90.1
-kernel_early 4.10.0
-kernel_early 3.10.0-930
-kernel_early 3.10.0-862.14.1
-kernel_early 3.10.0-693.38.1
-kernel_early 3.10.0-514.57.1
-kernel_early 3.10.0-327.73.1
-mc_min_ver_late 0xb000019
+dependency required intel skip=success match-model-mode=off
 disable early late
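Review bot: `mc_min_ver_late 0xb000019` is removed together with the `kernel_early` list, and nothing visible in this diff shows that the intel caveat reached through the new `dependency` line applies the same minimum-revision guard for late loading. The new line also sets `skip=success match-model-mode=off`, which per the README.caveats text added in this commit makes a skipped nested check count as success and runs the nested check without model matching; neither choice is explained in the config. Please confirm the late-load revision floor is still enforced somewhere, and add a comment such as `## skip=success / match-model-mode=off: <reason these differ from the defaults>` above the line. The same options appear unexplained in SOURCES/06-8c-01_config, and the earlier part of this file lies outside the hunk.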
diff --git a/SOURCES/06-4f-01_readme b/SOURCES/06-4f-01_readme
index 962c7a6..dc33eec 100644
--- a/SOURCES/06-4f-01_readme
+++ b/SOURCES/06-4f-01_readme
@@ -28,6 +28,11 @@ to the following knowledge base articles:
  * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
    ("Microarchitectural Data Sampling"):
    https://access.redhat.com/articles/4138151
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171
 
 The information regarding enforcing microcode load is provided below.
 
diff --git a/SOURCES/06-55-04_config b/SOURCES/06-55-04_config
index 373c8ac..07f06f6 100644
--- a/SOURCES/06-55-04_config
+++ b/SOURCES/06-55-04_config
@@ -9,14 +9,4 @@ path intel-ucode/06-55-04
 ## are provided for speeding up the search only, VID:DID is the real selector.
 ## Commented out since revision 0x2006906 seems to fix the issue.
 #pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
-## The "kernel_early" statements are carried over from the intel caveat config
-## in order to avoid enabling this newer microcode on these problematic kernels;
-## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
-## (That also means that this caveat has to be enforced separately on these
-## kernels.)
-kernel_early 4.10.0
-kernel_early 3.10.0-930
-kernel_early 3.10.0-862.14.1
-kernel_early 3.10.0-693.38.1
-kernel_early 3.10.0-514.57.1
-kernel_early 3.10.0-327.73.1
+dependency required intel
diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme
index cdec2c2..b8d3618 100644
--- a/SOURCES/06-55-04_readme
+++ b/SOURCES/06-55-04_readme
@@ -19,6 +19,7 @@ microcode revisions in question are listed below:
  * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
  * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
  * 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
+ * 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
 
 Please contact your system vendor for a BIOS/firmware update that contains
 the latest microcode version.  For the information regarding microcode versions
@@ -46,6 +47,11 @@ to the following knowledge base articles:
    CVE-2020-8696 (Vector Register Leakage-Active),
    CVE-2020-8698 (Fast Forward Store Predictor):
    https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171
 
 The information regarding disabling microcode update is provided below.
 
diff --git a/SOURCES/06-5e-03_config b/SOURCES/06-5e-03_config
index 7482d36..ced0abc 100644
--- a/SOURCES/06-5e-03_config
+++ b/SOURCES/06-5e-03_config
@@ -1,3 +1,3 @@
 model GenuineIntel 06-5e-03
 path intel-ucode/06-5e-03
-disable early late
+dependency required intel
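Review bot: Dropping `disable early late` makes the 06-5e-03 microcode load by default, but the config records neither the revision that justified the switch nor how to opt out. The readme in this commit says revision 0xea "seems" to have fixed the hangs, so the evidence is tentative, and an operator reading only the config has no pointer to the override. A comment would help, for example `## Enabled by default since revision 0xea; create "disallow-intel-06-5e-03" to opt out (see 06-5e-03_readme).` SOURCES/06-8c-01_config makes the same switch for revision 0x88 and would benefit from the equivalent comment.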
diff --git a/SOURCES/06-5e-03_readme b/SOURCES/06-5e-03_readme
index 9e21ac0..9beb75e 100644
--- a/SOURCES/06-5e-03_readme
+++ b/SOURCES/06-5e-03_readme
@@ -1,18 +1,22 @@
 Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
-stepping 3) have reports of possible system hangs when revision 0xdc
+stepping 3) had reports of possible system hangs when revision 0xdc
 of microcode, that is included in microcode-20200609 update to address
-CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, is applied[1].  In order
-to address this, microcode update to the newer revision has been disabled
+CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1].  In order
+to address this, microcode updates to the newer revision had been disabled
 by default on these systems, and the previously published microcode revision
-0xd6 is used by default for the OS-driven microcode update.
+0xd6 was used by default for the OS-driven microcode update.  The revision
+0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
+by default (but can be disabled explicitly; see below).
 
 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
+[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
 
 For the reference, SHA1 checksums of 06-5e-03 microcode files containing
 microcode revisions in question are listed below:
  * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a
  * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7
  * 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c
+ * 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8
 
 Please contact your system vendor for a BIOS/firmware update that contains
 the latest microcode version.  For the information regarding microcode versions
@@ -40,32 +44,33 @@ to the following knowledge base articles:
    CVE-2020-8696 (Vector Register Leakage-Active),
    CVE-2020-8698 (Fast Forward Store Predictor):
    https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171
 
-The information regarding enforcing microcode update is provided below.
+The information regarding disabling microcode update is provided below.
 
-To enforce usage of the latest 06-5e-03 microcode revision for a specific kernel
-version, please create a file "force-intel-06-5e-03" inside
+To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
+version, please create a file "disallow-intel-06-5e-03" inside
 /lib/firmware/<kernel_version> directory, run
-"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
-where microcode will be available for late microcode update, and run
+"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
+where microcode is available for late microcode update, and run
 "dracut -f --kver <kernel_version>", so initramfs for this kernel version
-is regenerated and the microcode can be loaded early, for example:
+is regenerated, for example:
 
-    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-5e-03
+    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
     /usr/libexec/microcode_ctl/update_ucode
     dracut -f --kver 3.10.0-862.9.1
 
-After that, it is possible to perform a late microcode update by executing
-"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
-"/sys/devices/system/cpu/microcode/reload" directly.
-
-To enforce addition of this microcode for all kernels, please create file
-"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03", run
-"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
-and "dracut -f --regenerate-all" for enabling early microcode updates:
+To avoid  addition of the latest microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
+"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
+and "dracut -f --regenerate-all" for early microcode updates:
 
     mkdir -p /etc/microcode_ctl/ucode_with_caveats
-    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03
+    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
     /usr/libexec/microcode_ctl/update_ucode
     dracut -f --regenerate-all
 
diff --git a/SOURCES/06-8c-01_config b/SOURCES/06-8c-01_config
index c7c5d65..880a419 100644
--- a/SOURCES/06-8c-01_config
+++ b/SOURCES/06-8c-01_config
@@ -1,3 +1,3 @@
 model GenuineIntel 06-8c-01
 path intel-ucode/06-8c-01
-disable early late
+dependency required intel skip=success match-model-mode=off
diff --git a/SOURCES/06-8c-01_readme b/SOURCES/06-8c-01_readme
index 16afb9b..9625c42 100644
--- a/SOURCES/06-8c-01_readme
+++ b/SOURCES/06-8c-01_readme
@@ -1,38 +1,52 @@
 Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
-have reports of system hangs when a microcode update, that is included
-since microcode-20201110 update, is applied[1].  In order to address this,
-microcode update has been disabled by default on these systems.
+had reports of system hangs when a microcode update, that was included
+since microcode-20201110 update, was applied[1].  In order to address this,
+microcode update had been disabled by default on these systems.  The revision
+0x88 seems to have fixed the aforementioned issue, hence it is enabled
+by default (but can be disabled explicitly; see below).
 
 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
 
-Please contact your system vendor for a BIOS/firmware update that contains
-the latest microcode version.
-
-The information regarding enforcing microcode update is provided below.
+For the reference, SHA1 checksums of 06-8c-01 microcode files containing
+microcode revisions in question are listed below:
+ * 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04
+ * 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
 
-To enforce usage of the latest 06-8c-01 microcode revision for a specific kernel
-version, please create a file "force-intel-06-8c-01" inside
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version.  For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
+   CVE-2020-8696 (Vector Register Leakage-Active),
+   CVE-2020-8698 (Fast Forward Store Predictor):
+   https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171
+
+The information regarding disabling microcode update is provided below.
+
+To disable 06-8c-01 microcode updates for a specific kernel
+version, please create a file "disallow-intel-06-8c-01" inside
 /lib/firmware/<kernel_version> directory, run
-"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
-where microcode will be available for late microcode update, and run
+"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
+directory where microcode is available for late microcode update, and run
 "dracut -f --kver <kernel_version>", so initramfs for this kernel version
-is regenerated and the microcode can be loaded early, for example:
+is regenerated, for example:
 
-    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-8c-01
+    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
     /usr/libexec/microcode_ctl/update_ucode
     dracut -f --kver 3.10.0-862.9.1
 
-After that, it is possible to perform a late microcode update by executing
-"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
-"/sys/devices/system/cpu/microcode/reload" directly.
-
-To enforce addition of this microcode for all kernels, please create file
-"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01", run
-"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
-and "dracut -f --regenerate-all" for enabling early microcode updates:
+To avoid addition of this microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
+"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
+and "dracut -f --regenerate-all" for early microcode updates:
 
     mkdir -p /etc/microcode_ctl/ucode_with_caveats
-    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01
+    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
     /usr/libexec/microcode_ctl/update_ucode
     dracut -f --regenerate-all
 
diff --git a/SOURCES/06-8e-9e-0x-0xca_config b/SOURCES/06-8e-9e-0x-0xca_config
index 2dbca4a..1162015 100644
--- a/SOURCES/06-8e-9e-0x-0xca_config
+++ b/SOURCES/06-8e-9e-0x-0xca_config
@@ -1,4 +1,5 @@
 path intel-ucode/*
 vendor GenuineIntel
 dmi mode=fail-equal key=bios_vendor val="Dell Inc."
+dependency required intel
 disable early late
diff --git a/SOURCES/06-8e-9e-0x-0xca_readme b/SOURCES/06-8e-9e-0x-0xca_readme
index cef8e9b..22f47dd 100644
--- a/SOURCES/06-8e-9e-0x-0xca_readme
+++ b/SOURCES/06-8e-9e-0x-0xca_readme
@@ -82,6 +82,16 @@ in question:
  * 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542
  * 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c
 
+ * 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d
+ * 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8
+ * 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac
+ * 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3
+ * 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668
+ * 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4
+ * 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c
+ * 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4
+ * 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a
+
 Please contact your system vendor for a BIOS/firmware update that contains
 the latest microcode version.  For the information regarding microcode versions
 required for mitigating specific side-channel cache attacks, please refer
diff --git a/SOURCES/06-8e-9e-0x-dell_config b/SOURCES/06-8e-9e-0x-dell_config
index bc1fe2b..f93c350 100644
--- a/SOURCES/06-8e-9e-0x-dell_config
+++ b/SOURCES/06-8e-9e-0x-dell_config
@@ -4,14 +4,4 @@ vendor GenuineIntel
 ## in cases where no model filter is used is too broad, hence
 ## no-model-mode=success.
 dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc."
-## The "kernel_early" statements are carried over from the intel caveat config
-## in order to avoid enabling this newer microcode on these problematic kernels;
-## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
-## (That also means that this caveat has to be enforced separately on these
-## kernels.)
-kernel_early 4.10.0
-kernel_early 3.10.0-930
-kernel_early 3.10.0-862.14.1
-kernel_early 3.10.0-693.38.1
-kernel_early 3.10.0-514.57.1
-kernel_early 3.10.0-327.73.1
+dependency required intel
diff --git a/SOURCES/06-8e-9e-0x-dell_readme b/SOURCES/06-8e-9e-0x-dell_readme
index 94b9bb6..0f12fee 100644
--- a/SOURCES/06-8e-9e-0x-dell_readme
+++ b/SOURCES/06-8e-9e-0x-dell_readme
@@ -82,6 +82,16 @@ in question:
  * 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542
  * 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c
 
+ * 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d
+ * 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8
+ * 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac
+ * 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3
+ * 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668
+ * 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4
+ * 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c
+ * 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4
+ * 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a
+
 Please contact your system vendor for a BIOS/firmware update that contains
 the latest microcode version.  For the information regarding microcode versions
 required for mitigating specific side-channel cache attacks, please refer
diff --git a/SOURCES/README b/SOURCES/README
index 8878252..193ee9a 100644
--- a/SOURCES/README
+++ b/SOURCES/README
@@ -22,6 +22,30 @@ microcode files and their usage.
  * SECURITY.intel-ucode
    "security.md" file from the Intel x86 CPU microcode archive.
  * SUMMARY.intel-ucode
-   Information about supplied microcode files extracted from their headers.
+   Information about supplied microcode files extracted from their headers,
+   in a table form.  Columns have the following meaning:
+    * "Path": path to the microcode file under one of the following directories:
+       * /usr/share/microcode_ctl/ucode_with_caveats/intel
+       * /usr/share/microcode_ctl/ucode_with_caveats
+       * /usr/share/microcode_ctl
+       * /lib/firmware
+       * /etc/firmware
+    * "Offset": offset of the microcode blob within the micocode file in bytes.
+    * "Ext. Offset": offset of the extended signature header within
+      the microcode file in bytes.
+    * "Data Size": size of microcode data in bytes.  0 means 2000 bytes.
+    * "Total Size": size of microcode blob in bytes, incuding headers.
+      0 means 2048 bytes.
+    * "CPUID": CPU ID signature (in format returned by the CPUID instruction).
+    * "Platform ID Mask": mask of suitable Platform IDs (provided in bits
+      52..50 of MSR 0x17).
+    * "Revision": microcode revision.
+    * "Date": microcode creation date.
+    * "Checksum": sum (in base 1<< 32) of all 32-bit values comprising
+      the microcode (from Offset up to Offset + Total Size).
+    * "Codenames": list of known CPU codenames associated with the CPUID
+      and Platform ID Mask combination.
+   Please refer to README.cavets, section "Microcode file structure"
+   for additional information regarding microcode header fields.
  * caveats
-   Directory that contains readme files for specific caveats.
+   Directory that contains readme files for each specific caveat.
diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats
index d18c2a5..b15642b 100644
--- a/SOURCES/README.caveats
+++ b/SOURCES/README.caveats
@@ -89,6 +89,75 @@ installation or removal of a kernel RPM in order to provide microcode files
 for newly installed kernels and cleanup symlinks for the uninstalled ones.
 
 
+Microcode file structure
+------------------------
+Intel x86 CPU microcode file (that is, one that can be directly consumed
+by the CPU/kernel, and not its text representation such as used in microcode.dat
+files) is a bundle of concatenated microcode blobs.  Each blob has a header,
+payload, and an optional additional data, as follows (for additional information
+please refer to "Intel® 64 and IA-32 Architectures Software Developer’s Manual"
+[1], Volume 3A, Section 9.11.1 "Microcode Update"):
+ * Header (48 bytes)
+    * Header version (unsigned 32-bit integer): version number of the update
+      header.  Must be 0x1.
+    * Microcode revision (signed 32-bit integer)
+    * Microcode date (unsigned 32-bit integer): encoded as BCD in mmddyyyy format
+      (0x03141592 is 1592-03-14 in ISO 8601)
+    * CPU signature (unsigned 32-bit integer): CPU ID, as provided
+      by the CPUID (EAX = 0x1) instruction in the EAX register:
+       * bits 31..28: reserved
+       * bits 27..20: "Extended Family", summed with the Family field value
+       * bits 19..16: "Extended Model", bits 7..4 of the CPU model
+       * bits 15..14: reserved
+       * bits 13..12: "Processor Type", non-zero value (other than the "primary
+         processor") so far used only for the Deschutes (Pentium II) CPU family,
+         with the processor type of 1, to signify it is an Overdrive processor:
+         CPUID 0x1632.
+       * bits 11..08: Family, summed with the Extended Family field value
+       * bits 07..04: Model (bits 3..0)
+       * bits 03..00: Stepping
+      In short, microcode file with Family-Model-Stepping of uv-wx-0z corresponds
+      to CPUID 0x0TUw0Vxz, where uv = TU + V, with V usually being 0xF when
+      uv >= 16; with Family being 6 on most of recent Intel CPUs this transforms
+      into 0x000w06xz.  Please also refer to README.intel-ucode, section "About
+      Processor Signature, Family, Model, Stepping and Platform ID"
+      for additional information.
+    * Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32) of all
+      the 32-bit integers comprising the microcode amounts to 0.
+    * Loader version (unsigned 32-bit integer): 0x1.
+    * Platform ID mask (unsigned 32-bit integer): lower 8 bits indicate the set
+      of possible values of bits 52..50 of MSR 0x17 ("Platform ID").  In old
+      (up to Pentium II) microcode blobs the mask may be zero.
+    * Data size (unsigned 32-bit integer): size of the Payload in bytes,
+      has to be divisible by 4.  0 means 2000.
+    * Total size (unsigned 32-bit integer): total microcode blob size (including
+      header and extended header), has to be divisible by 1024.  0 means 2048.
+    * Reserved (12 bytes).
+ * Payload
+ * Additional data (optional, 20 + 12 * n bytes)
+    * Extended signature table header (20 bytes)
+       * Extended signature count (unsigned 32-bit integer)
+       * Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32)
+         of all the 32-bit integers comprising the extender signature table
+         amounts to 0.
+       * Reserved (12 bytes).
+    * Extended signature (12 bytes each)
+       * CPU signature (unsigned 32-bit integer): see the description of the CPU
+         signature field in the Header above.
+       * Platform ID mask (unsigned 32-bit integer): see the description
+         of the Platform ID mask field in the Header above.
+       * Checksum (unsigned 32-bit integer): correct if sum (in base 1<< 32)
+         of all the 32-bit integers comprising the Header (with CPU signature
+         and Platform ID mask fields replaced with the values from this signature)
+         and the Payload amounts to 0.  Note that since External signature table
+         header has its own checksum, sum of all its 32-bit values amounts to 0,
+         so the Checksum in the Header and in the Extended signature will be
+         the same if the values of CPU signature and Platform ID mask fields
+         are the same,
+
+[1] https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-1-2a-2b-2c-2d-3a-3b-3c-3d-and-4.html
+
+
 Caveat configuration
 --------------------
 There is a directory for each caveat under
@@ -156,10 +225,6 @@ separated by white space.  Currently, the following options are supported:
    configuration. Argument for the argument is a list of stages ("early",
    "late") for which the caveat should be disable. The configuration option
    can be provided multiple times in a configuration file.
- * "blacklist" is a marker for a start of list of blacklisted model names,
-   one model name per line. The model name of the running CPU (as reported
-   in /proc/cpuinfo) is compared against the names in the provided list, and,
-   if there is a match, caveat check fails.
  * "pci_config_val" performs check for specific values in selected parts
    of configuration space of specified PCI devices.  If "-m" option
    is not specified, then the actual check is skipped, and the check returns
@@ -204,8 +269,9 @@ separated by white space.  Currently, the following options are supported:
    it fails (in accordance with "mode=success-all" semantics).  This check fails
    if "-m" option is not specified.
  * "dmi" performs checks for specific values available in DMI sysfs files
-   (present under /sys/devices/virtual/dmi/id/).  The check fails if file
-   is not readable.  If "-m" option is specified, then the actual check
+   (present under /sys/devices/virtual/dmi/id/).  The check (when it is actually
+   performed; see a not about "no-model-mode" below) fails if one of the files
+   is not readable.  If "-m" option is not specified, then the actual check
    is skipped, and the check returns value in accordance with "no-model-mode"
    parameter value (see below).  Check arguments are a white-space-separated
    list of "key=value" pairs.  The following keys are supported:
@@ -215,17 +281,30 @@ separated by white space.  Currently, the following options are supported:
       chassis_type, chassis_vendor, chassis_version, product_family,
       product_name, product_serial, product_uuid, product_version, sys_vendor.
       Default is empty string.
-    * "val" - a string to match DMI data against.  Can be enclosed in single
-      or double quotes.  Default is empty string.
-    * "mode" - check mode, the way matches are interpreted:
+    * "val" - a string to match DMI data present in "key" against.
+      Can be enclosed in single or double quotes.  Default is empty string.
+    * "keyval" - a pair of "key" and "val" values (with semantics described
+      above), separated with either "=", ":", "!=", or "!:" characters.  Enables
+      providing of multiple key-value pairs by means of supplying multiple
+      keyval= parameters.  The exclamation sign ("!") character in separator
+      enables negated matching (so, non-equality of the value in DMI "key" file
+      and the value of "val" is).  The match considered successful when all
+      the key/val (non-)equalities are in effect.  This parameter works
+      in addition to the pair provided in "key" and "val" parameters
+      (but allows to avoid using them).  Default is empty.
+    * "mode" - check mode, the way successful matches are interpreted:
        * "success-equal" - returns 0 if the value present in the file
          with the name supplied via the "key" parameter file under
 	 /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
-	 of "val" parameter, otherwise 1.
-       * "success-equal" - returns 1 if the value present in the file
+	 of "val" parameter and all the pairs provided in "keyval" parameters
+	 are equal and non-equal in accordance with their definition,
+	 otherwise 1.
+       * "fail-equal" - returns 1 if the value present in the file
          with the name supplied via the "key" parameter file under
 	 /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
-	 of "val" parameter, otherwise 0.
+	 of "val" parameter and all the pairs provided in "keyval" parameters
+	 are equal and non-equal in accordance with their definition,
+	 otherwise 0.
       Default is "success-any".
     * "no-model-mode" - return value if model filter ("-m" option)
       is not enabled:
@@ -237,6 +316,61 @@ separated by white space.  Currently, the following options are supported:
    It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its
    content is "Dell Inc." (without quotes).  It succeeds if "-m" option
    is not enabled.
+   Another example:
+       dmi mode=fail-equal keyval="sys_vendor=Amazon EC2" keyval="product_name=u-18tb1.metal"
+       dmi mode=fail-equal keyval="sys_vendor=Lenovo" keyval="product_name=ThinkSystem SR950"
+   It blocks the caveat from using when either both
+   /sys/devices/virtual/dmi/id/sys_vendor contains the string "Amazon EC2"
+   and /sys/devices/virtual/dmi/id/product_name contains the string
+   "u-18tb1.metal" or both /sys/devices/virtual/dmi/id/sys_vendor contains
+   the string "Lenovo" and /sys/devices/virtual/dmi/id/product_name contains
+   the string "ThinkSystem SR950", but enables caveat loading for other products
+   with the aforementioned /sys/devices/virtual/dmi/id/sys_vendor values,
+   for example.
+ * "dependency" allows conditional enablement of a caveat based on the check
+   status of some other caveat(s).  It has the following format:
+       dependency DEPENDENCY_TYPE DEPENDENCY_NAME [OPTION...]
+   where DEPENDENCY_NAME is the configuration to be checked, OPTIONs
+   are per-DEPENDENCY_TYPE, and the only DEPENDENCY_TYPE that is supported
+   currently is "required".
+   Options for the "required" dependency type:
+    * "match-model-mode" - whether model matching mode ("-m" option)
+      has to be used for the nested configuration check. Possible values:
+       * "on" - model-matching mode is always used during the nested check;
+       * "off" - model-matching mode is never used during the nested check;
+       * "same" - used the same model-matching mode as it is now.
+      Default is "same".
+    * "skip" - controls result of the check when the nested check indicated
+      skipping of the configuration.
+       * "fail" - the dependent check fails;
+       * "success" - the dependent check succeeds;
+       * "skip" - the dependent check indicates that the configuration
+         is to be skipped.
+      Default is "skip".
+    * "force-skip" - controls result of the check when the nested check
+      indicated skipping of the configuration caused by the presence
+      of an override file (see "check_caveats script" section for details).
+       * "fail" - the dependent check fails;
+       * "success" - the dependent check succeeds;
+       * "skip" - the dependent check indicates that the configuration
+         is to be skipped.
+      Default is "skip".
+    * "nesting-too-deep" - as a measure against dependency loop, configuration
+      checking logic implements nesting limit on dependency checks (currently
+      set at 8).  This option controls the behaviour of the check
+      when the nested check cannot be performed due to this limit.
+       * "fail" - the dependent check fails;
+       * "success" - the dependent check succeeds;
+       * "skip" - the dependent check indicates that the configuration
+         is to be skipped.
+      Default is "fail".
+   An example of a check:
+       dependency required intel skip=success match-model-mode=off
+   It checks "intel" caveat configuration (see the "Early microcode load
+   inside a virtual machine" section) with model-matching mode being disabled,
+   treats skipping of the configuration as a success (unless the configuration
+   is forced to be skipped, in that case the dependent configuration
+   is to be skipped as well).
 
 
 check_caveats script
@@ -473,6 +607,8 @@ Caveat name: intel-06-4f-01
 
 Affected microcode: intel-ucode/06-4f-01.
 
+Dependencies: intel
+
 Mitigation: microcode loading is disabled for the affected CPU model.
 
 Minimum versions of the kernel package that contain the aforementioned patch
@@ -501,6 +637,8 @@ Caveat name: intel
 
 Affected microcode: all.
 
+Dependencies: (none)
+
 Mitigation: early microcode loading is disabled for all CPU models on kernels
 without the fix.
 
@@ -537,6 +675,8 @@ Caveat name: intel-06-2d-07
 
 Affected microcode: intel-ucode/06-2d-07.
 
+Dependencies: intel
+
 Mitigation: None; the latest revision of the microcode file is used by default;
 previously published microcode revision 0x714 is still available as a fallback
 as part of "intel" caveat.
@@ -566,35 +706,64 @@ Caveat name: intel-06-55-04
 
 Affected microcode: intel-ucode/06-55-04.
 
+Dependencies: intel
+
 Mitigation: None; the latest revision of the microcode file is used by default;
 previously published microcode revision 0x2000064 is still available
 as a fallback as part of "intel" caveat.
 
 
-Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats
-----------------------------------------
-Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3;
-and SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of system
-hangs when revision 0xdc of microcode, that is included in microcode-20200609
-update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549,
-is applied[1][2].  In order to address this, microcode update to the newer
-revision has been disabled by default on these systems, and the previously
-published microcode revision 0xd6 is used instead; the newer microcode files,
-however, are still shipped as part of microcode_ctl package and can be used
-for performing a microcode update if they are enforced via the aforementioned
-overrides.  (See the sections "check_caveats script" and "reload_microcode
-script" for details.)
+Intel Skylake-U/Y caveat
+------------------------
+Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
+have reports of system hangs when revision 0xdc of microcode, that is included
+in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
+and CVE-2020-0549, is applied[1].  In order to address this, microcode update
+to the newer revision has been disabled by default on these systems,
+and the previously published microcode revision 0xd6 is used instead; the newer
+microcode files, however, are still shipped as part of microcode_ctl package
+and can be used for performing a microcode update if they are enforced
+via the aforementioned overrides.  (See the sections "check_caveats script"
+and "reload_microcode script" for details.)
 
 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
-[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
 
-Caveat names: intel-06-4e-03, intel-06-5e-03
+Caveat name: intel-06-4e-03
+
+Affected microcode: intel-ucode/06-4e-03
 
-Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03.
+Dependencies: intel
 
 Mitigation: previously published microcode revision 0xd6 is used by default.
 
 
+Intel Skylake-H/S/Xeon E3 v5 caveat
+-----------------------------------
+Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
+stepping 3) had reports of system hangs when revision 0xdc of microcode,
+that is included in microcode-20200609 update to address CVE-2020-0543,
+CVE-2020-0548, and CVE-2020-0549, was applied[1].  In order to address this,
+microcode update to the newer revision had been disabled by default on these
+systems, and the previously published microcode revision 0xd6 was used instead.
+The revision 0xea seems[2] to have fixed the aforementioned issue, hence
+the latest microcode revision usage it is enabled by default,
+but can be disabled explicitly via the aforementioned overrides.  (See
+the sections "check_caveats script" and "reload_microcode script" for details.)
+
+[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
+[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
+
+Caveat names: intel-06-5e-03
+
+Affected microcode: intel-ucode/06-5e-03.
+
+Dependencies: intel
+
+Mitigation: None; the latest revision of the microcode file is used by default;
+previously published microcode revision 0xd6 is still available as a fallback
+as part of "intel" caveat.
+
+
 Dell caveats
 ------------
 Some Dell systems that use some models of Intel CPUs are susceptible to hangs
@@ -623,6 +792,8 @@ Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a,
                     intel-ucode/06-9e-0b, intel-ucode/06-9e-0c,
                     intel-ucode/06-9e-0d.
 
+Dependencies: intel
+
 Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
             by default if /sys/devices/virtual/dmi/id/bios_vendor reports
 	    "Dell Inc."; otherwise, the latest microcode revision is used.
@@ -633,12 +804,12 @@ Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
 Intel Tiger Lake-UP3/UP4 caveat
 -------------------------------
 Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140,
-stepping 1) have reports of system hangs when a microcode update,
-that is included since microcode-20201110 release, is applied[1].
-In order to address this, microcode update to a newer revision has been disabled
-by default on these systems; the newer microcode file, however, is still shipped
-as a part of microcode_ctl package and can be used for performing a microcode
-update if it is enforced via the aforementioned overrides.  (See the sections
+stepping 1) had reports of system hangs when a microcode update,
+that was included since microcode-20201110 release, was applied[1].
+In order to address this, microcode update to a newer revision had been disabled
+by default on these systems.  The revision 0x88 seems to have fixed
+the aforementioned issue, hence it is enabled by default; however, it is still
+can be disabled via the aforementioned overrides.  (See the sections
 "check_caveats script" and "reload_microcode script" for details.)
 
 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
@@ -647,7 +818,9 @@ Caveat names: intel-06-8c-01
 
 Affected microcode: intel-ucode/06-8c-01.
 
-Mitigation: microcode loading is disabled for the affected CPU model.
+Dependencies: intel
+
+Mitigation: None; the latest revision of the microcode file is used by default.
 
 
 
@@ -682,3 +855,8 @@ Intel CPU vulnerabilities is available in the following knowledge base articles:
    CVE-2020-8696 (Vector Register Leakage-Active),
    CVE-2020-8698 (Fast Forward Store Predictor):
    https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171
diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats
index ee8db57..b821160 100755
--- a/SOURCES/check_caveats
+++ b/SOURCES/check_caveats
@@ -9,6 +9,8 @@
 : ${FW_DIR=/lib/firmware}
 : ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}
 
+MAX_NESTING_LEVEL=8
+
 usage() {
 	echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]'
 	echo '                     [-m] [-v]'
@@ -165,7 +167,7 @@ check_pci_config_val()
 	local checked=0 matched=0 path=''
 	local dev_path dev_vid dev_did dev_val
 	local opts="${1:-}"
-	local match_model="${2:0}"
+	local match_model="${2:-0}"
 
 	set -- $1
 	while [ "$#" -gt 0 ]; do
@@ -261,7 +263,7 @@ check_pci_config_val()
 # It is needed for filtering by BIOS vendor name that is available in DMI data
 #
 # $1 - params in config file, space-separated, in key=value form:
-#   key= - DMI value to check. Can be one of the following: bios_date,
+#   key= - DMI data record to check. Can be one of the following: bios_date,
 #          bios_vendor, bios_version, board_asset_tag, board_name, board_serial,
 #          board_vendor, board_version, chassis_asset_tag, chassis_serial,
 #          chassis_type, chassis_vendor, chassis_version, product_family,
@@ -269,26 +271,33 @@ check_pci_config_val()
 #          sys_vendor.
 #   val= - a string to match DMI data against.  Can be enclosed in single
 #          or double quotes.
+#   keyval= - a string of format "KEY(!)?[=:]VAL" (so, one of "KEY=VAL",
+#             "KEY!=VAL", "KEY:VAL", "KEY!:VAL") that allows providing
+#             a key-value pair in a single parameter.  It is possible to provide
+#             multiple keyval= parameters.  "!" before :/= means negated match.
+#             The action supplied in the mode= parameter is executed upon
+#             successful (non-)matching of all the keyval pairs (as well
+#             as the pair provided in a pair of key= and val= parameters).
 #   mode=success-equal [ success-equal, fail-equal ] - matching mode:
-#     success-equal: Returns 0 if the value present in the corresponding file
-#                    under /sys/devices/virtual/dmi/id/<key> is equal
-#                    to the value supplied as a value of "val" parameter,
-#                    otherwise 1.
-#     fail-equal:    Returns 1 if the value present in the corresponding file
-#                    under /sys/devices/virtual/dmi/id/<key> is equal
-#                    to the value supplied as a value of "val" parameter,
-#                    otherwise 0.
+#     success-equal: Returns 0 if the all values present in the corresponding
+#                    files under /sys/devices/virtual/dmi/id/<KEY> are equal
+#                    (or not equal in case of a keyval= with negated match)
+#                    to the respective values supplied as the values
+#                    of the keyval= parameters or the pair of key= vand val=
+#                    parameters, otherwise 1.
+#     fail-equal:    Returns 1 if all the values present in DMI files in sysfs
+#                    match (as described above), otherwise 0.
 #   no-model-mode=success [ success, fail ] - return value if model filter
 #                                             is not enabled:
 #     success: Return 0.
 #     fail:    Return 1.
 # $2 - whether model filter is engaged (if it is not '1', just return the result
-#      based on "mode" value that assumes that the check has failed).
+#      based on "no-model-mode" value).
 check_dmi_val()
 {
-	local key= val= mode='success-equal' nm_mode='success'
+	local key= val= keyval= keyvals= mode='success-equal' nm_mode='success'
 	local opts="${1:-}" opt= opt_=
-	local match_model="${2:0}"
+	local match_model="${2:-0}"
 
 	local valid_keys=" bios_date bios_vendor bios_version board_asset_tag board_name board_serial board_vendor board_version chassis_asset_tag chassis_serial chassis_type chassis_vendor chassis_version product_family product_name product_serial product_uuid product_version sys_vendor "
 	local success=1
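Review bot: The rewritten `success-equal` description in the header comment contains two slips, `if the all values` and `the pair of key= vand val=`; I would correct them to `if all the values` and `the pair of key= and val=` so the documented contract reads cleanly. The `local success=1` kept as the last line of this hunk also appears to be unused now, because the later check_dmi_val hunk removes the lines that read and set it. That second point is inferred from the visible hunks only, since part of the function body lies between them.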
@@ -305,21 +314,44 @@ check_dmi_val()
 		# Handle possible quoting
 		[ "x${opt#val=}" = "x${opt}" ] || {
 			case "${opt#val=}" in
-			[']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val=\'${val}\'" ;;
-			["]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;;
+			[\']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val='${val}'" ;;
+			[\"]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;;
 			*)    val="${opt#val=}" ;;
 			esac
 		}
+		[ "x${opt#keyval=}" = "x${opt}" ] || {
+			case "${opt#keyval=}" in
+			[\']*)
+				opt_="${opts#keyval=\'}"
+				keyval="${opt_%%\'*}"
+				opt="keyval='${keyval}'"
+				keyvals="${keyvals}
+					${keyval}"
+				;;
+			[\"]*)
+				opt_="${opts#keyval=\"}"
+				keyval="${opt_%%\"*}"
+				opt="keyval=\"${keyval}\""
+				keyvals="${keyvals}
+					${keyval}"
+				;;
+			*)
+				keyvals="${keyvals}
+					${opt#keyval=}"
+				;;
+			esac
+		}
 
 		opts="${opts#"${opt}"}"
 		continue
 	done
 
-	# Check key for validity
-	[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
-		debug "Invalid \"key\" parameter value: \"${key}\""
+	[ -z "$key" -a -z "$val" ] || keyvals="${key}=${val}${keyvals}"
+
+	[ -n "x${keyvals}" ] || {
+		debug "Neither key=, val=, nor keyval= parameters were privoded"
 		echo 2
-		exit
+		return
 	}
 
 	[ 1 = "$match_model" ] || {
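Review bot: The guard `[ -n "x${keyvals}" ]` can never fail, because the literal `x` keeps the string non-empty even when no key=, val= or keyval= was supplied, so the `echo 2` error path is unreachable. With model matching enabled, a `dmi` line that names no key then reaches the matching loop added in the next hunk, which has nothing to compare and prints the all-matched result (0 for success-equal, 1 for fail-equal) instead of a configuration error. I would write `[ -n "${keyvals}" ] || {` and fix the message typo to `were provided`. The body of check_dmi_val continues outside this hunk.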
@@ -332,23 +364,171 @@ check_dmi_val()
 			;;
 		esac
 
-		exit
+		return
 	}
 
-	[ -r "/sys/devices/virtual/dmi/id/${key}" ] || {
-		debug "Can't access /sys/devices/virtual/dmi/id/${key}"
-		echo 3
-		exit
-	}
+	case "$mode" in
+	success-equal|fail-equal) ;;
+	*) debug "Invalid mode value: \"${nm_mode}\""; echo 2; return ;;
+	esac
 
-	file_val="$(cat "/sys/devices/virtual/dmi/id/${key}")"
+	printf "%s\n" "${keyvals}" | (
+		while read l; do
+			[ -n "$l" ] || continue
+			key="${l%%[=:]*}"
+			val="${l#${key}[=:]}"
+
+			cmp="="
+			[ "x${key%!}" = "x${key}" ] || {
+				cmp="!="
+				key="${key%!}"
+			}
+
+			# Check key for validity
+			[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
+				debug "Invalid \"key\" parameter value: \"${key}\""
+				echo 2
+				return
+			}
+
+			[ -r "/sys/devices/virtual/dmi/id/${key}" ] || {
+				debug "Can't access /sys/devices/virtual/dmi/id/${key}"
+				echo 3
+				return
+			}
+
+			file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")"
+
+			[ "x${val}" "${cmp}" "x${file_val}" ] || {
+				case "$mode" in
+				success-equal) echo 1 ;;
+				fail-equal)    echo 0 ;;
+				esac
+
+				return
+			}
+		done
 
-	[ "x${val}" = "x${file_val}" ] || success=0
+		case "$mode" in
+		success-equal) echo 0 ;;
+		fail-equal)    echo 1 ;;
+		esac
+	)
+}
 
-	case "$mode" in
-	success-equal) echo "$((1 - $success))" ;;
-	fail-equal)    echo "${success}" ;;
-	*)             debug "Invalid mode value: \"${nm_mode}\""; echo 2 ;;
+# check_dependency CURLEVEL DEP_TYPE DEP_NAME OPTS
+# DEP_TYPE:
+#   required - caveat can be enabled only if dependency is enabled
+#              (is not forcefully disabled and meets caveat conditions)
+# OPTS:
+#   match-model-mode=same [ on, off, same ] - what mode matching mode is to be used for dependency
+#   skip=skip [ fail, skip, success ]
+#   force-skip=skip [ fail, skip, success ]
+#   nesting-too-deep=fail [ fail, skip, success ]
+# Return values:
+#   0 - success
+#   1 - fail
+#   2 - skip
+#   9 - error
+check_dependency()
+{
+	local cur_level="$1"
+	local dep_type="$2"
+	local dep_name="$3"
+	local match_model_mode=same old_match_model="${match_model}"
+	local skip=skip
+	local force_skip=skip
+	local nesting_too_deep=fail
+
+	local check="Dependency check for ${dep_type} ${dep_name}"
+
+	set -- ${4:-}
+	while [ "$#" -gt 0 ]; do
+		[ "x${1#match-model-mode=}" = "x${1}" ] || match_model_mode="${1#match-model-mode=}"
+		[ "x${1#skip=}" = "x${1}" ] || skip="${1#skip=}"
+		[ "x${1#force-skip=}" = "x${1}" ] || force_skip="${1#force-skip=}"
+		[ "x${1#nesting-too-deep=}" = "x${1}" ] || nesting_too_deep="${1#nesting-too-deep=}"
+
+		shift
+	done
+
+	case "${dep_type}" in
+	required)
+		[ "x${dep_name%/*}" = "x${dep_name}" ] || {
+			debug "${check} error: dependency name (${dep_name})" \
+			      "cannot contain slashes"
+			echo 9
+			return
+		}
+
+		[ "${MAX_NESTING_LEVEL}" -ge "$cur_level" ] || {
+			local reason="nesting level is too deep (${cur_level}) and nesting-too-deep='${nesting_too_deep}'"
+
+			case "$nesting_too_deep" in
+			success) debug "${check} succeeded: ${reason}"; echo 0 ;;
+			fail)    debug "${check} failed: ${reason}"; echo 1 ;;
+			skip)    debug "${check} skipped: ${reason}"; echo 2 ;;
+			*)       debug "${check} error: invalid" \
+				       "nesting-too-deep mode" \
+				       "(${nesting_too_deep})"; echo 9 ;;
+			esac
+
+			return
+		}
+
+		case "${match_model_mode}" in
+		same) ;;
+		on)   match_model=1 ;;
+		off)  match_model=0 ;;
+		*)
+			debug "${check} error: invalid match-model-mode" \
+			      "(${match_model_mode})"
+			echo 9
+			return
+			;;
+		esac
+
+		local result=0
+		debug "${check}: calling check_caveat '${dep_name}'" \
+		      "'$(($cur_level + 1))' match_model=${match_model}"
+		check_caveat "${dep_name}" "$(($cur_level + 1))" > /dev/null || result="$?"
+
+		match_model="${old_match_model}"
+
+		case "${result}" in
+		0) debug "${check} succeeded: result=${result}"; echo "${result}" ;;
+		1) debug "${check} failed: result=${result}"; echo "${result}" ;;
+		2)
+			local reason="result=${result} and skip='${skip}'"
+
+			case "${skip}" in
+			success) debug "${check} succeeded: ${reason}"; echo 0 ;;
+			fail)    debug "${check} failed: ${reason}"; echo 1 ;;
+			skip)    debug "${check} skipped: ${reason}"; echo 2 ;;
+			*)       debug "${check} error: unexpected skip=" \
+				       "setting (${skip})"; echo 9 ;;
+			esac
+			;;
+		3)
+			local reason="result=${result} and force_skip='${force_skip}'"
+
+			case "${force_skip}" in
+			success) debug "${check} succeeded: ${reason}"; echo 0 ;;
+			fail)    debug "${check} failed: ${reason}"; echo 1 ;;
+			skip)    debug "${check} skipped: ${reason}"; echo 2 ;;
+			*)       debug "${check} error: unexpected force-skip=" \
+				       "setting (${skip})"; echo 9 ;;
+			esac
+			;;
+		*)
+			debug "${check} error: unexpected check_caveat result" \
+			      "(${result})"; echo 9 ;;
+		esac
+		;;
+	*)
+		debug "${check} error: unknown dependency type '${dep_type}'"
+		echo 9
+		;;
 	esac
 }
 
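Review bot: Two of the new error messages print the wrong variable: the mode validation at the top of this hunk logs `${nm_mode}` although it rejects `$mode`, and the `force-skip` fallback in check_dependency logs `(${skip})` although it rejects `force_skip`. Debug output is the only diagnostic shown for a mistyped caveat option, so this points whoever is investigating a blocked or unexpectedly enabled microcode update at the wrong setting. I would use `debug "Invalid mode value: \"${mode}\""` and `"setting (${force_skip})"`. Separately, `while read l` lacks `-r`, so a backslash in a configured value would be altered before the comparison; `read -r l` avoids that.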
@@ -386,6 +566,12 @@ get_mc_path()
 	AuthenticAMD)
 		echo "amd-ucode/$2"
 		;;
+	*)
+		# We actually only support Intel ucode, but things may break
+		# if nothing is printed (input would be gotten from stdin
+		# otherwise).
+		echo "invalid"
+		;;
 	esac
 }
 
@@ -394,19 +580,6 @@ get_mc_ver()
 	/bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
 }
 
-fail()
-{
-	ret=1
-
-	fail_cfgs="$fail_cfgs $cfg"
-	fail_paths="$fail_paths $cfg_path"
-
-	[ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \
-		|| /bin/cat "${dir}/disclaimer"
-}
-
-#check_kver "$@"
-#get_model_name
 
 match_model=0
 configs=
@@ -467,34 +640,44 @@ else
 	stage="late"
 fi
 
-
-for cfg in $(echo "${configs}"); do
-	dir="$MC_CAVEATS_DATA_DIR/$cfg"
-
-	# We add cfg to the skip list first and then, if we do not skip it,
-	# we remove the configuration from the list.
-	skip_cfgs="$skip_cfgs $cfg"
+# check_caveat CFG [CHECK_LEVEL]
+# changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs,
+# skip_cfgs if CHECK_LEVEL is set to 0 (default).
+# CHECK_LEVEL is used for recursive configuration dependency checks,
+# and indicates nesting level.
+# Return value:
+#  0 - check is successful
+#  1 - check has been failed
+#  2 - configuration has been skipped
+#  3 - configuration has been skipped due to presence of an override file
+check_caveat() {
+	local cfg="$1"
+	local check_level="${2:-0}"
+	local dir="$MC_CAVEATS_DATA_DIR/$cfg"
 
 	[ -r "${dir}/readme" ] || {
 		debug "File 'readme' in ${dir} is not found, skipping"
-		continue
+		return 2
 	}
 
 	[ -r "${dir}/config" ] || {
 		debug "File 'config' in ${dir} is not found, skipping"
-		continue
+		return 2
 	}
 
-	cfg_model=
-	cfg_vendor=
-	cfg_path=
-	cfg_kvers=
-	cfg_kvers_early=
-	cfg_blacklist=
-	cfg_mc_min_ver_late=
-	cfg_disable=
-	cfg_pci=
-	cfg_dmi=
+	local cfg_model=
+	local cfg_vendor=
+	local cfg_path=
+	local cfg_kvers=
+	local cfg_kvers_early=
+	local cfg_mc_min_ver_late=
+	local cfg_disable=
+	local cfg_pci=
+	local cfg_dmi=
+	local cfg_dependency=
+
+	local key
+	local value
 
 	while read -r key value; do
 		case "$key" in
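Review bot: The header comment added for check_caveat says it changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs and skip_cfgs, but in the visible hunks those assignments move to the calling loop. Both visible call sites also run the function in a subshell (directly in a command substitution, or through check_dependency, which is itself called in one), so such assignments could not reach the caller. The comment also omits that the function prints `$cfg_path` on stdout, which the caller captures. I would replace the two "changes …" lines with something like `# Prints the configuration's "path" value on stdout; the caller updates the ret/ok/fail/skip lists.` The function body spans several hunks and is only partly visible here.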
@@ -519,13 +702,6 @@ for cfg in $(echo "${configs}"); do
 		disable)
 			cfg_disable="$cfg_disable $value "
 			;;
-		blacklist)
-			cfg_blacklist=1
-			# "blacklist" is special: it stops entity parsing,
-			# and the rest of file is a list of blacklisted model
-			# names.
-			break
-			;;
 		pci_config_val)
 			cfg_pci="$cfg_pci
 				$value"
@@ -534,6 +710,10 @@ for cfg in $(echo "${configs}"); do
 			cfg_dmi="$cfg_dmi
 				$value"
 			;;
+		dependency)
+			cfg_dependency="$cfg_dependency
+				$value"
+			;;
 		'#'*|'')
 			continue
 			;;
@@ -544,12 +724,8 @@ for cfg in $(echo "${configs}"); do
 		esac
 	done < "${dir}/config"
 
-	[ -z "${cfg_blacklist}" ] || \
-		cfg_blacklist=$(/bin/sed -n '/^blacklist$/,$p' "${dir}/config" |
-					/usr/bin/tail -n +2)
-
 	debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'"
-	debug "${cfg}: blacklist '$cfg_blacklist'"
+	echo "$cfg_path"
 
 	# Check for override files in the following order:
 	#  - disallow early/late specific caveat for specific kernel
@@ -570,10 +746,10 @@ for cfg in $(echo "${configs}"); do
 	#  - force early/late everyhting
 	#  - disallow everything
 	#  - force everyhting
-	ignore_cfg=0
-	force_cfg=0
-	override_file=""
-	overrides="
+	local ignore_cfg=0
+	local force_cfg=0
+	local override_file=""
+	local overrides="
 	0:$FW_DIR/$kver/disallow-$stage-$cfg
 	1:$FW_DIR/$kver/force-$stage-$cfg
 	0:$FW_DIR/$kver/disallow-$cfg
@@ -590,6 +766,9 @@ for cfg in $(echo "${configs}"); do
 	1:$CFG_DIR/force-$stage
 	0:$CFG_DIR/disallow
 	1:$CFG_DIR/force"
+	local o
+	local o_force
+	local override_file
 	for o in $(echo "$overrides"); do
 		o_force=${o%%:*}
 		override_file=${o#$o_force:}
@@ -608,7 +787,7 @@ for cfg in $(echo "${configs}"); do
 	[ 0 -eq "$ignore_cfg" ] || {
 		debug "Configuration \"$cfg\" is ignored due to presence of" \
 		      "\"$override_file\"."
-		continue
+		return 3
 	}
 
 	# Check model if model filter is enabled
@@ -617,11 +796,13 @@ for cfg in $(echo "${configs}"); do
 			debug "Current CPU model '$cpu_model' doesn't" \
 			      "match configuration CPU model '$cfg_model'," \
 			      "skipping"
-			continue
+			return 2
 		}
 	fi
 
 	# Check paths if model filter is enabled
+	local cpu_mc_path
+	local cfg_mc_present
 	if [ 1 -eq "$match_model" -a  -n "$cfg_path" ]; then
 		cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \
 			"$cpu_vendor" "${cpu_model#* }")"
@@ -640,7 +821,7 @@ for cfg in $(echo "${configs}"); do
 		[ 1 = "$cfg_mc_present" ] || {
 			debug "No matching microcode files in '$cfg_path'" \
 			      "for CPU model '$cpu_model', skipping"
-			continue
+			return 2
 		}
 	fi
 
@@ -650,30 +831,56 @@ for cfg in $(echo "${configs}"); do
 			debug "Current CPU vendor '$cpu_vendor' doesn't" \
 			      "match configuration CPU vendor '$cfg_vendor'," \
 			      "skipping"
-			continue
+			return 2
 		}
 	fi
 
-	# Check configuration files
-
-	ret_cfgs="$ret_cfgs $cfg"
-	ret_paths="$ret_paths $cfg_path"
-	skip_cfgs="${skip_cfgs% $cfg}"
-
+	# Has to be performed before dependency checks
 	[ 0 -eq "$force_cfg" ] || {
 		debug "Checks for configuration \"$cfg\" are ignored due to" \
 		      "presence of \"$override_file\"."
 
-		ok_cfgs="$ok_cfgs $cfg"
-		ok_paths="$ok_paths $cfg_path"
-
-		continue
+		return 0
 	}
 
+	# Check dependencies
+	# It has to be performed here (before adding configuration
+	# to $ret_cfgs/$ret_paths) since it may be skipped.
+	if [ -n "$cfg_dependency" ]; then
+		dep_line="$(printf "%s\n" "$cfg_dependency" | \
+			while read -r dep_type dep_name dep_opts
+			do
+				[ -n "$dep_type" ] || continue
+				dep_res=$(check_dependency "$check_level" \
+							   "$dep_type" \
+							   "$dep_name" \
+							   "$dep_opts")
+				[ 0 != "$dep_res" ] || continue
+				echo "$dep_res $dep_type $dep_name $dep_opts"
+				break
+			done
+			echo "0 ")"
+
+		case "${dep_line%% *}" in
+		0) ;;
+		2)
+			debug "Dependency check '${dep_line#* }'" \
+			      "induced configuration skip"
+			return 2
+			;;
+		*)
+			debug "Dependency check '${dep_line#* }'" \
+			      "failed (with return code ${dep_line%% *})"
+			return 1
+			;;
+		esac
+	fi
+
+	# Check configuration files
+
 	[ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || {
 		debug "${cfg}: caveat is disabled in configuration"
-		fail
-		continue
+		return 1
 	}
 
 	# Check late load kernel version
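Review bot: `dep_line` is assigned in check_caveat without a `local` declaration, unlike the other variables this commit converts so the function can be called recursively. A `local dep_line` ahead of the new block would keep the function's state self-contained; `dep_type`, `dep_name`, `dep_opts` and `dep_res` exist only inside the pipeline subshell and need nothing. The `*)` branch also folds every result other than 0 or 2, including the error code 9 from check_dependency, into a plain failure. A short comment such as `# any other code, including 9 (error), is treated as a failed dependency` would make that intent explicit.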
@@ -681,8 +888,7 @@ for cfg in $(echo "${configs}"); do
 		check_kver "$kver" $cfg_kvers || {
 			debug "${cfg}: late load kernel version check for" \
 			      " '$kver' against '$cfg_kvers' failed"
-			fail
-			continue
+			return 1
 		}
 	fi
 
@@ -691,17 +897,7 @@ for cfg in $(echo "${configs}"); do
 		check_kver "$kver" $cfg_kvers_early || {
 			debug "${cfg}: early load kernel version check for" \
 			      "'$kver' against '$cfg_kvers_early' failed"
-			fail
-			continue
-		}
-	fi
-
-	# Check model blacklist
-	if [ -n "$cfg_blacklist" ]; then
-		echo "$cfg_blacklist" | /bin/grep -vqFx "${cpu_model_name}" || {
-			debug "${cfg}: model '${cpu_model_name}' is blacklisted"
-			fail
-			continue
+			return 1
 		}
 	fi
 
@@ -714,8 +910,7 @@ for cfg in $(echo "${configs}"); do
 			debug "${cfg}: CPU microcode version $cpu_mc_ver" \
 			      "failed check (should be at least" \
 			      "${cfg_mc_min_ver_late})"
-			fail
-			continue
+			return 1
 		}
 	fi
 
@@ -736,14 +931,14 @@ for cfg in $(echo "${configs}"); do
 		[ -z "${pci_line#* }" ] || {
 			debug "PCI configuration word check '${pci_line#* }'" \
 			      "failed (with return code ${pci_line%% *})"
-			fail
-			continue
+			return 1
 		}
 	fi
 
 	# Check DMI data if model filter is enabled
-	# Note that the model filter check is done inside check_pci_config_val
-	# based on the 'mode=' parameter.
+	# Note that the model filter check is done inside check_dmi_val
+	# (which returns the value of 'no-model-mode=' parameter
+	# if it is disenaged).
 	if [ -n "$cfg_dmi" ]; then
 		dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line
 			do
@@ -759,13 +954,43 @@ for cfg in $(echo "${configs}"); do
 		[ -z "${dmi_line#* }" ] || {
 			debug "DMI data check '${dmi_line#* }'" \
 			      "failed (with return code ${dmi_line%% *})"
-			fail
-			continue
+			return 1
 		}
 	fi
 
-	ok_cfgs="$ok_cfgs $cfg"
-	ok_paths="$ok_paths $cfg_path"
+	return 0
+}
+
+for cfg in $(echo "${configs}"); do
+	if cfg_path=$(check_caveat "$cfg"; exit "$?")
+	then
+		ret_cfgs="$ret_cfgs $cfg"
+		ret_paths="$ret_paths $cfg_path"
+		ok_cfgs="$ok_cfgs $cfg"
+		ok_paths="$ok_paths $cfg_path"
+	else
+		case "$?" in
+		1)
+			ret=1
+
+			ret_cfgs="$ret_cfgs $cfg"
+			ret_paths="$ret_paths $cfg_path"
+			fail_cfgs="$fail_cfgs $cfg"
+			fail_paths="$fail_paths $cfg_path"
+
+			[ 0 -eq "$print_disclaimers" ] \
+				|| [ ! -e "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" ] \
+				|| /bin/cat "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer"
+			;;
+		2|3)
+			skip_cfgs="$skip_cfgs $cfg";
+			;;
+		*)
+			debug "Unexpected check_caveat return code '$?'" \
+			      "for config '$cfg'"
+			;;
+		esac
+	fi
 done
 
 [ 0 -eq "$print_disclaimers" ] || exit 0
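Review bot: The `*)` branch for an unexpected check_caveat status only logs through debug; it leaves `ret` unchanged and adds the configuration to none of the ok, fail or skip lists. If check_caveat ever exits with a status outside 0–3, for example after a shell error inside the function, the run would report no problem for that configuration. Treating it as a failure looks safer: add `ret=1` and `fail_cfgs="$fail_cfgs $cfg"` to that branch. How the lists are consumed is outside this hunk, so the exact effect on the caller is inferred.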
diff --git a/SOURCES/codenames.list b/SOURCES/codenames.list
index be1f3d2..f2eaa75 100644
--- a/SOURCES/codenames.list
+++ b/SOURCES/codenames.list
@@ -242,6 +242,7 @@ Server;;Skylake;B1;97;50653;SKX;SP;Xeon Scalable;
 Desktop;;Skylake;H0,M0,U0;b7;50654;SKX;X;Core i9-7xxxX, i9-9xxxX;
 Server;;Skylake;H0,M0,U0;b7;50654;SKX;SP,W;Xeon Scalable;
 Server;;Skylake;M1;b7;50654;SKX;D;Xeon D-21xx;
+Server;;Cascade Lake;A0;b7;50655;CLX;SP;Xeon Scalable Gen2;
 Server;;Cascade Lake;B0;bf;50656;CLX;SP;Xeon Scalable Gen2;
 Desktop;;Cascade Lake;B1,L1;bf;50657;CLX;X;;
 Server;;Cascade Lake;B1,L1;bf;50657;CLX;SP;Xeon Scalable Gen2;
@@ -262,11 +263,17 @@ Server;;Skylake;N0,R0,S0;36;506e3;SKL;Xeon E3;Xeon E3 v5;
 SOC;;Denverton;B0;01;506f1;DNV;;Atom C3xxx;
 SOC;;XMM 7272 (SoFIA);;01;60650;;;XMM 7272
 Mobile;;Cannon Lake;D0;80;60663;CNL;U;Core Gen8 Mobile;
+Server;;Ice Lake;C0;87;606a5;ICX;SP;Xeon Scalable Gen3;
+Server;;Ice Lake;D0;87;606a6;ICX;SP;Xeon Scalable Gen3;
 SOC;;Gemini Lake;B0;01;706a1;GLK;;;Pentium J5005/N5000, Celeron J4005/J4105/N4000/N4100
 SOC;;Gemini Lake;R0;01;706a8;GLK;R;;Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
 Mobile;;Ice Lake;D1;80;706e5;ICL;U,Y;Core Gen10 Mobile;
-Server;;Knights Mill;A0;08;80650;KNM;;Xeon hi 72x5;Xeon Phi 7235, 7285, 7295
+Server;;Knights Mill;A0;08;80650;KNM;;Xeon Phi 72x5;Xeon Phi 7235, 7285, 7295
+SOC;;Snow Ridge;B0;01;80664;SNR;;Atom P59xxB;
+SOC;;Snow Ridge;B1;01;80665;SNR;;Atom P59xxB;
 Mobile;;Tiger Lake;B1;80;806c1;TGL;UP3,UP4;Core Gen11 Mobile;
+Mobile;;Tiger Lake Refresh;C0;80;806c2;TGL;R;Core Gen11 Mobile;
+Mobile;;Tiger Lake;R0;c2;806d1;TGL;H;Core Gen11 Mobile;
 Mobile;;Amber Lake;H0;10;806e9;AML;Y 2+2;Core Gen8 Mobile;
 Mobile;;Kaby Lake;H0;c0;806e9;KBL;U,Y;Core Gen7 Mobile;
 Mobile;;Kaby Lake;J1;c0;806e9;KBL;U 2+3e;Core Gen7 Mobile;
@@ -277,6 +284,7 @@ Mobile;;Comet Lake;V0;94;806ec;CML;U 4+2;Core Gen10 Mobile;
 Mobile;;Whiskey Lake;W0;d0;806eb;WHL;U;Core Gen8 Mobile;
 Mobile;;Whiskey Lake;V0;94;806ec;WHL;U;Core Gen8 Mobile;
 Mobile;;Whiskey Lake;V0;94;806ed;WHL;U;Core Gen8 Mobile;
+SOC;;Elkhart Rate;B1;01;90661;EHL;;Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E;
 Desktop;;Kaby Lake;B0;2a;906e9;KBL;S,X;Core Gen7;
 Mobile;;Kaby Lake;B0;2a;906e9;KBL;G,H;Core Gen7 Mobile;
 Server;;Kaby Lake;B0;2a;906e9;KBL;Xeon E3;Xeon E3 v6;
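Review bot: The added 90661 row spells the codename `Elkhart Rate`, which looks like a typo for `Elkhart Lake` given the `EHL` abbreviation in the same row; the string would surface wherever full codenames are printed. The new Elkhart and Jasper Lake rows (the latter in the next hunk) also place the Pentium/Celeron model list one field earlier than the neighbouring Gemini Lake rows do, where it follows `GLK;;;`. It is worth confirming which column the codenames parser expects before these rows feed generated changelogs.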
@@ -292,11 +300,13 @@ Server;;Coffee Lake;P0;22;906ec;CFL;Xeon E;Xeon E;
 Desktop;;Coffee Lake;R0;22;906ed;CFL;S;Core Gen9 Desktop;
 Mobile;;Coffee Lake;R0;22;906ed;CFL;H;Core Gen9 Mobile;
 Server;;Coffee Lake;R0;22;906ed;CFL;Xeon E;Xeon E;
+SOC;;Jasper Lake;A0,A1;01;906c0;JSL;;Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105;
 Mobile;;Comet Lake;R1;20;a0652;CML;H;Core Gen10 Mobile;
 Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop;
 Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop;
 Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile;
-Mobile;;Comet Lake;K0;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile;
+Mobile;;Comet Lake;K1;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile;
+Desktop;;Rocket Lake;B0;02;a0671;RKL;S;Core Gen11;
 SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology;
 
 # sources:
diff --git a/SOURCES/gen_updates2.py b/SOURCES/gen_updates2.py
index c5e7a8f..51056f9 100755
--- a/SOURCES/gen_updates2.py
+++ b/SOURCES/gen_updates2.py
@@ -3,6 +3,7 @@
 
 import argparse
 import errno
+import fnmatch
 import io
 import itertools
 import os
@@ -10,6 +11,7 @@ import re
 import shutil
 import struct
 import sys
+import tarfile
 import tempfile
 from subprocess import PIPE, Popen, STDOUT
 
@@ -34,6 +36,7 @@ except:
 
 log_level = 0
 print_date = False
+file_glob = ["*??-??-??", "*microcode*.dat"]
 
 
 def log_status(msg, level=0):
@@ -96,13 +99,15 @@ def file_walk(args, yield_dirs=False):
 
 
 def cpuid_fname(c):
+    # Note that the Extended Family is summed up with the Family,
+    # while the Extended Model is concatenated with the Model.
     return "%02x-%02x-%02x" % (
-        ((c >> 16) & 0xff0) + ((c >> 8) & 0xf),
+        ((c >> 20) & 0xff) + ((c >> 8) & 0xf),
         ((c >> 12) & 0xf0) + ((c >> 4) & 0xf),
         c & 0xf)
 
 
-def read_revs_dir(path, src=None, ret=None):
+def read_revs_dir(path, args, src=None, ret=None):
     if ret is None:
         ret = []
 
@@ -156,18 +161,24 @@ def read_revs_dir(path, src=None, ret=None):
                         while cur_offs < offs + hdr[8] \
                                 and ext_sig_cnt <= ext_tbl[0]:
                             ext_sig = struct.unpack("III", f.read(12))
-                            ret.append({"path": rp, "src": src or path,
-                                        "cpuid": ext_sig[0], "pf": ext_sig[1],
-                                        "rev": hdr[1], "date": hdr[2],
-                                        "offs": offs, "ext_offs": cur_offs,
-                                        "cksum": hdr[4],
-                                        "ext_cksum": ext_sig[2],
-                                        "data_size": hdr[7],
-                                        "total_size": hdr[8]})
+                            ignore = args.ignore_ext_dups and \
+                                (ext_sig[0] == hdr[3])
+                            if not ignore:
+                                ret.append({"path": rp, "src": src or path,
+                                            "cpuid": ext_sig[0],
+                                            "pf": ext_sig[1],
+                                            "rev": hdr[1], "date": hdr[2],
+                                            "offs": offs, "ext_offs": cur_offs,
+                                            "cksum": hdr[4],
+                                            "ext_cksum": ext_sig[2],
+                                            "data_size": hdr[7],
+                                            "total_size": hdr[8]})
                             log_status(("Got ext sig %#x/%#x for " +
-                                        "%s:%#x:%#x/%#x") %
-                                       (ext_sig[0], ext_sig[1], rp, offs,
-                                        hdr[3], hdr[6]), level=2)
+                                        "%s:%#x:%#x/%#x%s") %
+                                       (ext_sig[0], ext_sig[1],
+                                        rp, offs, hdr[3], hdr[6],
+                                        " (ignored)" if ignore else ""),
+                                       level=2)
 
                             cur_offs += 12
                             ext_sig_cnt += 1
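Review bot: The new `ignore` test compares only the CPUID signature (`ext_sig[0] == hdr[3]`), so with `--ignore-ext-duplicates` an extended-signature entry that repeats the main signature but carries a different platform ID mask is dropped as well. Judging by the log line just below, `hdr[6]` and `ext_sig[1]` are the platform flags, so a stricter duplicate test would be `(ext_sig[0] == hdr[3]) and (ext_sig[1] == hdr[6])`. If dropping on signature alone is intended, a one-line comment saying so would help. The enclosing loop in `read_revs_dir` starts and ends outside this hunk.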
@@ -180,7 +191,7 @@ def read_revs_dir(path, src=None, ret=None):
     return ret
 
 
-def read_revs_rpm(path, ret=None):
+def read_revs_rpm(path, args, ret=None):
     if ret is None:
         ret = []
 
@@ -191,7 +202,7 @@ def read_revs_rpm(path, ret=None):
 
     rpm2cpio = Popen(args=["rpm2cpio", path], stdout=PIPE, stderr=PIPE,
                      close_fds=True)
-    cpio = Popen(args=["cpio", "-idmv", "*??-??-??", "*microcode*.dat"],
+    cpio = Popen(args=["cpio", "-idmv"] + file_glob,
                  cwd=dir_tmp, stdin=rpm2cpio.stdout,
                  stdout=PIPE, stderr=STDOUT)
     out, cpio_stderr = cpio.communicate()
@@ -210,20 +221,58 @@ def read_revs_rpm(path, ret=None):
         log_info("cpio stderr:\n%s" % cpio_stderr, level=3)
 
     if rpm2cpio_ret == 0 and cpio_ret == 0:
-        ret = read_revs_dir(dir_tmp, path)
+        ret = read_revs_dir(dir_tmp, args, path)
 
     shutil.rmtree(dir_tmp)
 
     return ret
 
 
-def read_revs(path, ret=None):
+def read_revs_tar(path, args, ret=None):
+    if ret is None:
+        ret = []
+
+    dir_tmp = tempfile.mkdtemp()
+
+    log_status("Trying to extract files from tarball \"%s\"..." % path,
+               level=1)
+
+    try:
+        with tarfile.open(path, "r:*") as tar:
+            for ti in tar:
+                if any(fnmatch.fnmatchcase(ti.name, p) for p in file_glob):
+                    d = os.path.normpath(os.path.join("/",
+                                         os.path.dirname(ti.name)))
+                    # For now, strip exactl one level
+                    d = os.path.join(*(d.split(os.path.sep)[2:]))
+                    n = os.path.join(d, os.path.basename(ti.name))
+
+                    if not os.path.exists(d):
+                        os.makedirs(d)
+                    t = tar.extractfile(ti)
+                    with open(n, "wb") as f:
+                        shutil.copyfileobj(t, f)
+                    t.close()
+
+        ret = read_revs_dir(dir_tmp, args, path)
+    except Exception as err:
+        log_error("Error while reading \"%s\" as a tarball: \"%s\"" %
+                  (path, str(err)))
+
+    shutil.rmtree(dir_tmp)
+
+    return ret
+
+
+def read_revs(path, args, ret=None):
     if ret is None:
         ret = []
     if os.path.isdir(path):
-        return read_revs_dir(path, ret)
+        return read_revs_dir(path, args, ret)
+    elif tarfile.is_tarfile(path):
+        return read_revs_tar(path, args, ret)
     else:
-        return read_revs_rpm(path, ret)
+        return read_revs_rpm(path, args, ret)
 
 
 def gen_mc_map(mc_data, merge=False, merge_path=False):
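Review bot: `read_revs_tar` never joins the extraction path with `dir_tmp`: `d` and `n` are relative, so matched members are created under the current working directory (truncating same-named files there) and `read_revs_dir(dir_tmp, …)` then scans an empty directory. The `normpath(join("/", …))` step does fold `..` components, which is the right containment idea, but it only protects the caller once the result is anchored at `dir_tmp`. A matched member with fewer than two directory levels makes `os.path.join(*[])` raise, and `tar.extractfile()` returns `None` for non-file members, so either case aborts the whole tarball through the broad `except`. Separately, `read_revs` still passes `ret` in the `src` position (`read_revs_dir(path, args, ret)` should be `read_revs_dir(path, args, ret=ret)`), and the tar path discards the caller's `ret` the same way the rpm path does.

```python
def read_revs_tar(path, args, ret=None):
    # … unchanged: ret default, mkdtemp, log_status …
    try:
        with tarfile.open(path, "r:*") as tar:
            for ti in tar:
                # Only regular files carry data; extractfile() gives None
                # for directories and other special members.
                if not ti.isfile():
                    continue
                if not any(fnmatch.fnmatchcase(ti.name, p)
                           for p in file_glob):
                    continue

                # Anchor at "/" so normpath() folds any ".." before the
                # leading path component is stripped.
                parts = os.path.normpath(
                    os.path.join("/", ti.name)).split(os.path.sep)[2:]
                if not parts:
                    continue

                n = os.path.join(dir_tmp, *parts)
                d = os.path.dirname(n)
                if not os.path.isdir(d):
                    os.makedirs(d)

                t = tar.extractfile(ti)
                try:
                    with open(n, "wb") as f:
                        shutil.copyfileobj(t, f)
                finally:
                    t.close()

        ret = read_revs_dir(dir_tmp, args, path, ret)
    # … unchanged: except/log_error, rmtree, return …
```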
@@ -307,7 +356,8 @@ class mcnm:
     MCNM_CODENAME = 4
 
 
-def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV):
+def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV, stringify=True,
+                  segment=False):
     if not isinstance(mc, dict):
         mc = mc_from_mc_key(mc)
     sig = mc["cpuid"]
@@ -350,6 +400,9 @@ def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV):
         else:
             cname = c["codename"]
 
+        if segment:
+            cname = c["segment"] + " " + cname
+
         if cname not in suffices:
             suffices[cname] = set()
         if "variant" in c and c["variant"]:
@@ -361,28 +414,28 @@ def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV):
             steppings[cname] |= set(c["stepping"])
 
     for cname in sorted(steppings.keys()):
-        cname_str = cname
+        cname_res = [cname]
         if len(suffices[cname]):
-            cname_str += "-" + "/".join(sorted(suffices[cname]))
+            cname_res[0] += "-" + "/".join(sorted(suffices[cname]))
         if len(steppings[cname]):
-            cname_str += " " + "/".join(sorted(steppings[cname]))
-        res.append(cname_str)
+            cname_res.append("/".join(sorted(steppings[cname])))
+        res.append(" ".join(cname_res) if stringify else cname_res)
 
-    return ", ".join(res) or None
+    return (", ".join(res) or None) if stringify else res
 
 
 def mc_from_mc_key(k):
     return dict(zip(("path", "cpuid", "pf"), k))
 
 
-def mc_path(mc, pf_sfx=True, midword=None, cmap=None):
+def mc_path(mc, pf_sfx=True, midword=None, cmap=None, cname_segment=False):
     if not isinstance(mc, dict):
         mc = mc_from_mc_key(mc)
     path = mc_stripped_path(mc) if mc["path"] is not None else None
     cpuid_fn = cpuid_fname(mc["cpuid"])
     fname = os.path.basename(mc["path"] or cpuid_fn)
     midword = "" if midword is None else " " + midword
-    cname = get_mc_cnames(mc, cmap)
+    cname = get_mc_cnames(mc, cmap, segment=cname_segment)
     cname_str = " (" + cname + ")" if cname else ""
 
     if pf_sfx:
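Review bot: `get_mc_cnames` now has two return shapes and no docstring saying so: with `stringify=True` it returns a comma-joined string or `None`, with `stringify=False` a possibly empty list of `[name]` / `[name, steppings]` lists. Callers have to know this (`print_changelog_intel` guards with `or (("???", ""), )` and `len(cn) > 1`), so a short docstring at the top of the function describing both shapes and the effect of `segment` would prevent misuse. The function starts outside this hunk.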
@@ -492,22 +545,22 @@ def mc_rev(mc, date=None):
         return "%#x" % rev
 
 
-def print_changelog(clog, cmap, args):
-    for e, old, new in sorted(clog):
+def print_changelog_rpm(clog, cmap, args):
+    for e, old, new in clog:
+        mc_str = mc_path(new if e == ChangeLogEntry.ADDED else old,
+                         midword="microcode",
+                         cmap=cmap, cname_segment=args.segment)
+
         if e == ChangeLogEntry.ADDED:
-            print("Addition of %s at revision %s" %
-                  (mc_path(new, midword="microcode", cmap=cmap), mc_rev(new)))
+            print("Addition of %s at revision %s" % (mc_str, mc_rev(new)))
         elif e == ChangeLogEntry.REMOVED:
-            print("Removal of %s at revision %s" %
-                  (mc_path(old, midword="microcode", cmap=cmap), mc_rev(old)))
+            print("Removal of %s at revision %s" % (mc_str, mc_rev(old)))
         elif e == ChangeLogEntry.UPDATED:
             print("Update of %s from revision %s up to %s" %
-                  (mc_path(old, midword="microcode", cmap=cmap),
-                   mc_rev(old), mc_rev(new)))
+                  (mc_str, mc_rev(old), mc_rev(new)))
         elif e == ChangeLogEntry.DOWNGRADED:
                 print("Downgrade of %s from revision %s down to %s" %
-                      (mc_path(old, midword="microcode", cmap=cmap),
-                       mc_rev(old), mc_rev(new)))
+                      (mc_str, mc_rev(old), mc_rev(new)))
         elif e == ChangeLogEntry.OTHER:
             print("Other change in %s:" % old["path"])
             print("  old: %#x/%#x: rev %s (offs %#x)" %
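Review bot: `print_changelog_rpm` now iterates `clog` unsorted (`for e, old, new in clog:`), so the order of the RPM changelog lines depends on whatever order `gen_changelog` returns, which is not visible here. `print_changelog_intel` in the next hunk sorts with an explicit `clog_sort_key`; hoisting that helper to module level and using `for e, old, new in sorted(clog, key=clog_sort_key):` here would keep the output deterministic without comparing the dict members of each tuple. The function body continues past the end of this hunk.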
@@ -516,6 +569,70 @@ def print_changelog(clog, cmap, args):
                   (new["cpuid"], new["pf"], mc_rev(new), new["offs"]))
 
 
+def print_changelog_intel(clog, cmap, args):
+    def clog_sort_key(x):
+        res = str(x[0])
+
+        if x[0] != ChangeLogEntry.ADDED:
+            res += "%08x%02x" % (x[1]["cpuid"], x[1]["pf"])
+        else:
+            res += "0" * 10
+
+        if x[0] != ChangeLogEntry.REMOVED:
+            res += "%08x%02x" % (x[2]["cpuid"], x[2]["pf"])
+        else:
+            res += "0" * 10
+
+        return res
+
+    sorted_clog = sorted(clog, key=clog_sort_key)
+    sections = (("New Platforms",     (ChangeLogEntry.ADDED, )),
+                ("Updated Platforms", (ChangeLogEntry.UPDATED,
+                                       ChangeLogEntry.DOWNGRADED)),
+                ("Removed Platforms", (ChangeLogEntry.REMOVED, )))
+
+    def print_line(e, old, new, types):
+        if e not in types:
+            return
+
+        if not print_line.hdr:
+            print("""
+| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
+|:---------------|:---------|:------------|:---------|:---------|:---------""")
+            print_line.hdr = True
+
+        mc = new if e == ChangeLogEntry.ADDED else old
+        cnames = get_mc_cnames(mc, cmap, stringify=False,
+                               segment=args.segment) or (("???", ""), )
+        for cn in cnames:
+            cname = cn[0]
+            stepping = cn[1] if len(cn) > 1 else ""
+        print("| %-14s | %-8s | %8s/%02x | %8s | %8s | %s" %
+              (cname,
+               stepping,
+               cpuid_fname(mc["cpuid"]), mc["pf"],
+               ("%08x" % old["rev"]) if e != ChangeLogEntry.ADDED else "",
+               ("%08x" % new["rev"]) if e != ChangeLogEntry.REMOVED else "",
+               get_mc_cnames(mc, cmap, mode=mcnm.MCNM_FAMILIES,
+                             segment=args.segment) or ""))
+
+    for h, types in sections:
+        print("\n### %s" % h)
+        print_line.hdr = False
+        for e, old, new in sorted_clog:
+            print_line(e, old, new, types)
+
+
+def print_changelog(clog, cmap, args):
+    if args.format == "rpm":
+        print_changelog_rpm(clog, cmap, args)
+    elif args.format == "intel":
+        print_changelog_intel(clog, cmap, args)
+    else:
+        log_error(("unknown changelog format: \"%s\". " +
+                   "Supported formats are: rpm, intel.") % args.format)
+
+
 class TableStyles:
     TS_CSV = 0
     TS_FANCY = 1
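Review bot: In `print_line`, the `print("| %-14s | …")` call sits at the same indentation as the `for cn in cnames:` statement rather than inside it, so the loop only leaves `cname` and `stepping` set to the last entry and one row is printed per microcode file. If a file maps to several codenames, the earlier ones are silently missing from the table; indenting the whole `print(...)` call one level so it runs once per `cn` looks like the intent. If a single row is wanted instead, join the names explicitly rather than relying on the loop's last value.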
@@ -552,9 +669,9 @@ def print_summary(revs, cmap, args):
 
     header = []
     if args.header:
-        header.append(["Path", "Offset", "Ext. Offset", "CPUID",
-                       "Platform ID Mask", "Revision", "Date", "Checksum",
-                       "Codenames"] +
+        header.append(["Path", "Offset", "Ext. Offset", "Data Size",
+                       "Total Size", "CPUID", "Platform ID Mask", "Revision",
+                       "Date", "Checksum", "Codenames"] +
                       (["Models"] if args.models else []))
     tbl = []
     for k in sorted(m.keys()):
@@ -562,14 +679,19 @@ def print_summary(revs, cmap, args):
             tbl.append([mc_stripped_path(mc),
                         "0x%x" % mc["offs"],
                         "0x%x" % mc["ext_offs"] if "ext_offs" in mc else "-",
+                        "0x%05x" % mc["data_size"],
+                        "0x%05x" % mc["total_size"],
                         "0x%05x" % mc["cpuid"],
                         "0x%02x" % mc["pf"],
                         mc_rev(mc, date=False),
                         mc_date(mc),
-                        "0x%08x" % mc["cksum"],
-                        get_mc_cnames(mc, cmap, cnames_mode) or ""] +
+                        "0x%08x" % (mc["ext_cksum"]
+                                    if "ext_cksum" in mc else mc["cksum"]),
+                        get_mc_cnames(mc, cmap, cnames_mode,
+                                      segment=args.segment) or ""] +
                        ([get_mc_cnames(mc, cmap,
-                                       mcnm.MCNM_FAMILIES_MODELS)]
+                                       mcnm.MCNM_FAMILIES_MODELS,
+                                       segment=args.segment)]
                         if args.models else []))
 
     print_table(tbl, header, style=TableStyles.TS_FANCY)
@@ -685,7 +807,7 @@ def print_discrepancies(rev_map, deps, cmap, args):
 
         if print_out and print_date:
             if args.models:
-                out.append(get_mc_cnames(s, cmap) or "")
+                out.append(get_mc_cnames(s, cmap, segment=args.segment) or "")
             tbl.append(out)
 
     print_table(tbl, header, style=TableStyles.TS_FANCY)
@@ -694,7 +816,7 @@ def print_discrepancies(rev_map, deps, cmap, args):
 def cmd_summary(args):
     revs = []
     for p in args.filelist:
-        revs = read_revs(p, ret=revs)
+        revs = read_revs(p, args, ret=revs)
 
     codenames_map = read_codenames_file(args.codenames)
 
@@ -708,8 +830,8 @@ def cmd_changelog(args):
     base_path = args.filelist[0]
     upd_path = args.filelist[1]
 
-    base = read_revs(base_path)
-    upd = read_revs(upd_path)
+    base = read_revs(base_path, args)
+    upd = read_revs(upd_path, args)
 
     print_changelog(gen_changelog(base, upd), codenames_map, args)
 
@@ -750,7 +872,7 @@ def cmd_discrepancies(args):
                       (orig_path, dep))
             return 1
         deps.append((path, name, deps[dep][0] if dep is not None else None))
-        rev_map[path] = gen_fn_map(read_revs(path), merge=args.merge,
+        rev_map[path] = gen_fn_map(read_revs(path, args), merge=args.merge,
                                    merge_path=True)
 
     print_discrepancies(rev_map, deps, codenames_map, args)
@@ -766,6 +888,22 @@ def parse_cli():
                              help="Code names file")
     root_parser.add_argument("-v", "--verbose", action="count", default=0,
                              help="Increase output verbosity")
+    root_parser.add_argument("-E", "--no-ignore-ext-duplicates",
+                             action="store_const", dest="ignore_ext_dups",
+                             default=False, const=False,
+                             help="Do not ignore duplicates of the main " +
+                                  "signature in the extended signature header")
+    root_parser.add_argument("-e", "--ignore-ext-duplicates",
+                             action="store_const", dest="ignore_ext_dups",
+                             const=True,
+                             help="Ignore duplicates of the main signature " +
+                                   "in the extended signature header")
+    root_parser.add_argument("-t", "--print-segment", action="store_const",
+                             dest="segment", const=True,
+                             help="Print model segment")
+    root_parser.add_argument("-T", "--no-print-segment", action="store_const",
+                             dest="segment", const=False, default=False,
+                             help="Do not print model segment")
 
     cmdparsers = root_parser.add_subparsers(title="Commands",
                                             help="main gen_updates commands")
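Review bot: The `default=False` for `segment` is given on `-T/--no-print-segment`, the second of the two actions sharing `dest="segment"`; argparse takes the default from the first action registered for a dest, so `args.segment` ends up `None` when neither flag is passed. It works today because the callers only test truthiness, but moving `default=False` to the `-t` action (or calling `root_parser.set_defaults(segment=False)`) makes it match the `ignore_ext_dups` pair above it. `parse_cli` starts and ends outside this hunk.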
@@ -794,6 +932,8 @@ def parse_cli():
 
     parser_c = cmdparsers.add_parser("changelog",
                                      help="Generate changelog")
+    parser_c.add_argument("-F", "--format", choices=["rpm", "intel"],
+                          default="rpm", help="Changelog format")
     parser_c.add_argument("filelist", nargs=2,
                           help="RPMs/directories to compare")
     parser_c.set_defaults(func=cmd_changelog)
@@ -840,6 +980,10 @@ def parse_cli():
     if not hasattr(args, "func"):
         root_parser.print_help()
         return None
+
+    global log_level
+    log_level = args.verbose
+
     return args
 
 
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec
index 09226d7..8818c45 100644
--- a/SPECS/microcode_ctl.spec
+++ b/SPECS/microcode_ctl.spec
@@ -1,4 +1,4 @@
-%define intel_ucode_version 20210216
+%define intel_ucode_version 20210608
 %global debug_package %{nil}
 
 %define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats
@@ -33,11 +33,6 @@ Source5:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Fi
 Source6:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20190918.tar.gz
 # microcode-20191115 release,containing revision 0xca of 06-[89]e-0X microcode
 Source7:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20191115.tar.gz
-# microcode-20201118 has removed 06-8c-01/0x80 (TGL-UP3/UP4 B1) microcode update
-# at revision 0x68;  it is, however, may still be useful for some[1], so it is
-# to be preserved in a caveat.
-# [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/39
-Source8:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20201112/intel-ucode/06-8c-01
 
 
 # systemd unit
@@ -117,14 +112,15 @@ Source171:      06-8e-9e-0x-dell_config
 Source172:      06-8e-9e-0x-dell_disclaimer
 
 # TGL-UP3/UP4 (CPUID 06-8c-01) hangs
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
 Source180:      06-8c-01_readme
 Source181:      06-8c-01_config
 Source182:      06-8c-01_disclaimer
 
 # "Provides:" RPM tags generator
-Source1000:      gen_provides.sh
-Source1001:      codenames.list
-Source1002:      gen_updates2.py
+Source1000:     gen_provides.sh
+Source1001:     codenames.list
+Source1002:     gen_updates2.py
 
 ExclusiveArch:  %{ix86} x86_64
 BuildRequires:  systemd-units
@@ -182,7 +178,7 @@ tar xvvf "%{SOURCE7}" --wildcards --strip-components=2 \
 popd
 
 # Moving 06-8c-01 microcode to intel-ucode-with-caveats
-cp "%{SOURCE8}" intel-ucode-with-caveats/
+mv intel-ucode/06-8c-01 intel-ucode-with-caveats/
 
 :
 
@@ -548,6 +544,120 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Mon Jul 05 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210608-1
+- Update Intel CPU microcode to microcode-20210608 release (#1921773):
+  - Fixes in releasenote.md file.
+
+* Mon Jun 14 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210525-2
+- Make intel-06-2d-07, intel-06-4e-03, intel-06-4f-01, intel-06-55-04,
+  intel-06-5e-03, intel-06-8c-01, intel-06-8e-9e-0x-0xca,
+  and intel-06-8e-9e-0x-dell caveats dependent on intel caveat.
+- Enable 06-8c-01 microcode update by default (#1970611).
+- Enable 06-5e-03 microcode update by default (#1897673).
+
+* Thu May 27 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210525-1
+- Update Intel CPU microcode to microcode-20210525 release, addresses
+  CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, and CVE-2020-24513
+  (#1962664, #1962714, #1962734, #1962680):
+  - Addition of 06-55-05/0xb7 (CLX-SP A0) microcode at revision 0x3000010;
+  - Addition of 06-6a-05/0x87 (ICX-SP C0) microcode at revision 0xc0002f0;
+  - Addition of 06-6a-06/0x87 (ICX-SP D0) microcode at revision 0xd0002a0;
+  - Addition of 06-86-04/0x01 (SNR B0) microcode at revision 0xb00000f;
+  - Addition of 06-86-05/0x01 (SNR B1) microcode (in intel-ucode/06-86-04)
+    at revision 0xb00000f;
+  - Addition of 06-86-04/0x01 (SNR B0) microcode (in intel-ucode/06-86-05)
+    at revision 0xb00000f;
+  - Addition of 06-86-05/0x01 (SNR B1) microcode at revision 0xb00000f;
+  - Addition of 06-8c-02/0xc2 (TGL-R C0) microcode at revision 0x16;
+  - Addition of 06-8d-01/0xc2 (TGL-H R0) microcode at revision 0x2c;
+  - Addition of 06-96-01/0x01 (EHL B1) microcode at revision 0x11;
+  - Addition of 06-9c-00/0x01 (JSL A0/A1) microcode at revision 0x1d;
+  - Addition of 06-a7-01/0x02 (RKL-S B0) microcode at revision 0x40;
+  - Update of 06-4e-03/0xc0 (SKL-U/U 2+3e/Y D0/K1) microcode (in
+    intel-06-4e-03/intel-ucode/06-4e-03) from revision 0xe2 up to 0xea;
+  - Update of 06-4f-01/0xef (BDX-E/EP/EX/ML B0/M0/R0) microcode (in
+    intel-06-4f-01/intel-ucode/06-4f-01) from revision 0xb000038 up
+    to 0xb00003e;
+  - Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in
+    intel-06-55-04/intel-ucode/06-55-04) from revision 0x2006a0a up
+    to 0x2006b06;
+  - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 N0/R0/S0) microcode (in
+    intel-06-5e-03/intel-ucode/06-5e-03) from revision 0xe2 up to 0xea;
+  - Update of 06-8c-01/0x80 (TGL-UP3/UP4 B1) microcode (in
+    intel-06-8c-01/intel-ucode/06-8c-01) from revision 0x68 up to 0x88;
+  - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode (in
+    intel-06-8e-9e-0x-dell/intel-ucode/06-8e-09) from revision 0xde up
+    to 0xea;
+  - Update of 06-8e-09/0xc0 (KBL-U/U 2+3e/Y H0/J1) microcode (in
+    intel-06-8e-9e-0x-dell/intel-ucode/06-8e-09) from revision 0xde up
+    to 0xea;
+  - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0, KBL-R Y0) microcode (in
+    intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0a) from revision 0xe0 up
+    to 0xea;
+  - Update of 06-8e-0b/0xd0 (WHL-U W0) microcode (in
+    intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0b) from revision 0xde up
+    to 0xea;
+  - Update of 06-8e-0c/0x94 (AML-Y 4+2 V0, CML-U 4+2 V0, WHL-U V0)
+    microcode (in intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0c) from
+    revision 0xde up to 0xea;
+  - Update of 06-9e-09/0x2a (KBL-G/H/S/X/Xeon E3 B0) microcode (in
+    intel-06-8e-9e-0x-dell/intel-ucode/06-9e-09) from revision 0xde up
+    to 0xea;
+  - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) microcode (in
+    intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0a) from revision 0xde up
+    to 0xea;
+  - Update of 06-9e-0b/0x02 (CFL-E/H/S B0) microcode (in
+    intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0b) from revision 0xde up
+    to 0xea;
+  - Update of 06-9e-0c/0x22 (CFL-H/S/Xeon E P0) microcode (in
+    intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0c) from revision 0xde up
+    to 0xea;
+  - Update of 06-9e-0d/0x22 (CFL-H/S/Xeon E R0) microcode (in
+    intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0d) from revision 0xde up
+    to 0xea;
+  - Update of 06-3f-02/0x6f (HSX-E/EN/EP/EP 4S C0/C1/M1/R2) microcode
+    from revision 0x44 up to 0x46;
+  - Update of 06-3f-04/0x80 (HSX-EX E0) microcode from revision 0x16 up
+    to 0x19;
+  - Update of 06-55-03/0x97 (SKX-SP B1) microcode from revision 0x1000159
+    up to 0x100015b;
+  - Update of 06-55-06/0xbf (CLX-SP B0) microcode from revision 0x4003006
+    up to 0x4003102;
+  - Update of 06-55-07/0xbf (CLX-SP/W/X B1/L1) microcode from revision
+    0x5003006 up to 0x5003102;
+  - Update of 06-55-0b/0xbf (CPX-SP A1) microcode from revision 0x700001e
+    up to 0x7002302;
+  - Update of 06-56-03/0x10 (BDX-DE V2/V3) microcode from revision
+    0x7000019 up to 0x700001b;
+  - Update of 06-56-04/0x10 (BDX-DE Y0) microcode from revision 0xf000017
+    up to 0xf000019;
+  - Update of 06-56-05/0x10 (BDX-NS A0/A1, HWL A1) microcode from revision
+    0xe00000f up to 0xe000012;
+  - Update of 06-5c-09/0x03 (APL D0) microcode from revision 0x40 up
+    to 0x44;
+  - Update of 06-5c-0a/0x03 (APL B1/F1) microcode from revision 0x1e up
+    to 0x20;
+  - Update of 06-5f-01/0x01 (DNV B0) microcode from revision 0x2e up
+    to 0x34;
+  - Update of 06-7a-01/0x01 (GLK B0) microcode from revision 0x34 up
+    to 0x36;
+  - Update of 06-7a-08/0x01 (GLK-R R0) microcode from revision 0x18 up
+    to 0x1a;
+  - Update of 06-7e-05/0x80 (ICL-U/Y D1) microcode from revision 0xa0
+    up to 0xa6;
+  - Update of 06-8a-01/0x10 (LKF B2/B3) microcode from revision 0x28 up
+    to 0x2a;
+  - Update of 06-a5-02/0x20 (CML-H R1) microcode from revision 0xe0 up
+    to 0xea;
+  - Update of 06-a5-03/0x22 (CML-S 6+2 G1) microcode from revision 0xe0
+    up to 0xea;
+  - Update of 06-a5-05/0x22 (CML-S 10+2 Q0) microcode from revision 0xe0
+    up to 0xec;
+  - Update of 06-a6-00/0x80 (CML-U 6+2 A0) microcode from revision 0xe0
+    up to 0xe8;
+  - Update of 06-a6-01/0x80 (CML-U 6+2 v2 K0) microcode from revision
+    0xe0 up to 0xea.
+
 * Wed Feb 17 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210216-1
 - Update Intel CPU microcode to microcode-20210216 release (#1902884):
   - Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in