diff --git a/.gitignore b/.gitignore index 2db0108..d6a7b0b 100644 --- a/.gitignore +++ b/.gitignore @@ -2,7 +2,6 @@ SOURCES/06-2d-07 SOURCES/06-4e-03 SOURCES/06-55-04 SOURCES/06-5e-03 -SOURCES/06-8c-01 SOURCES/microcode-20190918.tar.gz SOURCES/microcode-20191115.tar.gz -SOURCES/microcode-20210216.tar.gz +SOURCES/microcode-20210608.tar.gz diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata index 46dfad3..19f5d82 100644 --- a/.microcode_ctl.metadata +++ b/.microcode_ctl.metadata @@ -2,7 +2,6 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07 06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03 2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03 -2204a6dee1688980cd228268fdf4b6ed5904fe04 SOURCES/06-8c-01 bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz 774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz -26608161d98c3d0c965fc41856520434b14c000d SOURCES/microcode-20210216.tar.gz +68f7344d874d50f4c8d836f01abc497707d0baa2 SOURCES/microcode-20210608.tar.gz diff --git a/SOURCES/06-2d-07_config b/SOURCES/06-2d-07_config index 979455d..99a8ed7 100644 --- a/SOURCES/06-2d-07_config +++ b/SOURCES/06-2d-07_config @@ -1,13 +1,3 @@ model GenuineIntel 06-2d-07 path intel-ucode/06-2d-07 -## The "kernel_early" statements are carried over from the intel caveat config -## in order to avoid enabling this newer microcode on these problematic kernels; -## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme -## (That also means that this caveat has to be enforced separately on these -## kernels.) -kernel_early 4.10.0 -kernel_early 3.10.0-930 -kernel_early 3.10.0-862.14.1 -kernel_early 3.10.0-693.38.1 -kernel_early 3.10.0-514.57.1 -kernel_early 3.10.0-327.73.1 +dependency required intel diff --git a/SOURCES/06-4e-03_config b/SOURCES/06-4e-03_config index bee51b2..7c0e333 100644 --- a/SOURCES/06-4e-03_config +++ b/SOURCES/06-4e-03_config @@ -1,3 +1,4 @@ model GenuineIntel 06-4e-03 path intel-ucode/06-4e-03 +dependency required intel disable early late diff --git a/SOURCES/06-4e-03_readme b/SOURCES/06-4e-03_readme index 49373e2..13cb72a 100644 --- a/SOURCES/06-4e-03_readme +++ b/SOURCES/06-4e-03_readme @@ -13,6 +13,7 @@ microcode revisions in question are listed below: * 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e * 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c * 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366 + * 06-4e-03, revision 0xea: 5a54cab9f22f69b819d663e5747ed6ea2a326c55 Please contact your system vendor for a BIOS/firmware update that contains the latest microcode version. For the information regarding microcode versions @@ -40,6 +41,11 @@ to the following knowledge base articles: CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8698 (Fast Forward Store Predictor): https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 The information regarding enforcing microcode update is provided below. diff --git a/SOURCES/06-4f-01_config b/SOURCES/06-4f-01_config index f589fbf..f987150 100644 --- a/SOURCES/06-4f-01_config +++ b/SOURCES/06-4f-01_config @@ -11,11 +11,5 @@ kernel 2.6.32-573.58.1 kernel 2.6.32-504.71.1 kernel 2.6.32-431.90.1 kernel 2.6.32-358.90.1 -kernel_early 4.10.0 -kernel_early 3.10.0-930 -kernel_early 3.10.0-862.14.1 -kernel_early 3.10.0-693.38.1 -kernel_early 3.10.0-514.57.1 -kernel_early 3.10.0-327.73.1 -mc_min_ver_late 0xb000019 +dependency required intel skip=success match-model-mode=off disable early late diff --git a/SOURCES/06-4f-01_readme b/SOURCES/06-4f-01_readme index 962c7a6..dc33eec 100644 --- a/SOURCES/06-4f-01_readme +++ b/SOURCES/06-4f-01_readme @@ -28,6 +28,11 @@ to the following knowledge base articles: * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 ("Microarchitectural Data Sampling"): https://access.redhat.com/articles/4138151 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 The information regarding enforcing microcode load is provided below. diff --git a/SOURCES/06-55-04_config b/SOURCES/06-55-04_config index 373c8ac..07f06f6 100644 --- a/SOURCES/06-55-04_config +++ b/SOURCES/06-55-04_config @@ -9,14 +9,4 @@ path intel-ucode/06-55-04 ## are provided for speeding up the search only, VID:DID is the real selector. ## Commented out since revision 0x2006906 seems to fix the issue. #pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8 -## The "kernel_early" statements are carried over from the intel caveat config -## in order to avoid enabling this newer microcode on these problematic kernels; -## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme -## (That also means that this caveat has to be enforced separately on these -## kernels.) -kernel_early 4.10.0 -kernel_early 3.10.0-930 -kernel_early 3.10.0-862.14.1 -kernel_early 3.10.0-693.38.1 -kernel_early 3.10.0-514.57.1 -kernel_early 3.10.0-327.73.1 +dependency required intel diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme index cdec2c2..b8d3618 100644 --- a/SOURCES/06-55-04_readme +++ b/SOURCES/06-55-04_readme @@ -19,6 +19,7 @@ microcode revisions in question are listed below: * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967 * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212 * 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462 + * 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7 Please contact your system vendor for a BIOS/firmware update that contains the latest microcode version. For the information regarding microcode versions @@ -46,6 +47,11 @@ to the following knowledge base articles: CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8698 (Fast Forward Store Predictor): https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 The information regarding disabling microcode update is provided below. diff --git a/SOURCES/06-5e-03_config b/SOURCES/06-5e-03_config index 7482d36..ced0abc 100644 --- a/SOURCES/06-5e-03_config +++ b/SOURCES/06-5e-03_config @@ -1,3 +1,3 @@ model GenuineIntel 06-5e-03 path intel-ucode/06-5e-03 -disable early late +dependency required intel diff --git a/SOURCES/06-5e-03_readme b/SOURCES/06-5e-03_readme index 9e21ac0..9beb75e 100644 --- a/SOURCES/06-5e-03_readme +++ b/SOURCES/06-5e-03_readme @@ -1,18 +1,22 @@ Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94, -stepping 3) have reports of possible system hangs when revision 0xdc +stepping 3) had reports of possible system hangs when revision 0xdc of microcode, that is included in microcode-20200609 update to address -CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, is applied[1]. In order -to address this, microcode update to the newer revision has been disabled +CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order +to address this, microcode updates to the newer revision had been disabled by default on these systems, and the previously published microcode revision -0xd6 is used by default for the OS-driven microcode update. +0xd6 was used by default for the OS-driven microcode update. The revision +0xea seems[2] to have fixed the aforementioned issue, hence it is enabled +by default (but can be disabled explicitly; see below). [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 +[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014 For the reference, SHA1 checksums of 06-5e-03 microcode files containing microcode revisions in question are listed below: * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7 * 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c + * 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8 Please contact your system vendor for a BIOS/firmware update that contains the latest microcode version. For the information regarding microcode versions @@ -40,32 +44,33 @@ to the following knowledge base articles: CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8698 (Fast Forward Store Predictor): https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 -The information regarding enforcing microcode update is provided below. +The information regarding disabling microcode update is provided below. -To enforce usage of the latest 06-5e-03 microcode revision for a specific kernel -version, please create a file "force-intel-06-5e-03" inside +To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel +version, please create a file "disallow-intel-06-5e-03" inside /lib/firmware/ directory, run -"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory -where microcode will be available for late microcode update, and run +"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory +where microcode is available for late microcode update, and run "dracut -f --kver ", so initramfs for this kernel version -is regenerated and the microcode can be loaded early, for example: +is regenerated, for example: - touch /lib/firmware/3.10.0-862.9.1/force-intel-06-5e-03 + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03 /usr/libexec/microcode_ctl/update_ucode dracut -f --kver 3.10.0-862.9.1 -After that, it is possible to perform a late microcode update by executing -"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to -"/sys/devices/system/cpu/microcode/reload" directly. - -To enforce addition of this microcode for all kernels, please create file -"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03", run -"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, -and "dracut -f --regenerate-all" for enabling early microcode updates: +To avoid addition of the latest microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run +"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates, +and "dracut -f --regenerate-all" for early microcode updates: mkdir -p /etc/microcode_ctl/ucode_with_caveats - touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03 + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03 /usr/libexec/microcode_ctl/update_ucode dracut -f --regenerate-all diff --git a/SOURCES/06-8c-01_config b/SOURCES/06-8c-01_config index c7c5d65..880a419 100644 --- a/SOURCES/06-8c-01_config +++ b/SOURCES/06-8c-01_config @@ -1,3 +1,3 @@ model GenuineIntel 06-8c-01 path intel-ucode/06-8c-01 -disable early late +dependency required intel skip=success match-model-mode=off diff --git a/SOURCES/06-8c-01_readme b/SOURCES/06-8c-01_readme index 16afb9b..9625c42 100644 --- a/SOURCES/06-8c-01_readme +++ b/SOURCES/06-8c-01_readme @@ -1,38 +1,52 @@ Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1) -have reports of system hangs when a microcode update, that is included -since microcode-20201110 update, is applied[1]. In order to address this, -microcode update has been disabled by default on these systems. +had reports of system hangs when a microcode update, that was included +since microcode-20201110 update, was applied[1]. In order to address this, +microcode update had been disabled by default on these systems. The revision +0x88 seems to have fixed the aforementioned issue, hence it is enabled +by default (but can be disabled explicitly; see below). [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 -Please contact your system vendor for a BIOS/firmware update that contains -the latest microcode version. - -The information regarding enforcing microcode update is provided below. +For the reference, SHA1 checksums of 06-8c-01 microcode files containing +microcode revisions in question are listed below: + * 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04 + * 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290 -To enforce usage of the latest 06-8c-01 microcode revision for a specific kernel -version, please create a file "force-intel-06-8c-01" inside +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 + +The information regarding disabling microcode update is provided below. + +To disable 06-8c-01 microcode updates for a specific kernel +version, please create a file "disallow-intel-06-8c-01" inside /lib/firmware/ directory, run -"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory -where microcode will be available for late microcode update, and run +"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware +directory where microcode is available for late microcode update, and run "dracut -f --kver ", so initramfs for this kernel version -is regenerated and the microcode can be loaded early, for example: +is regenerated, for example: - touch /lib/firmware/3.10.0-862.9.1/force-intel-06-8c-01 + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01 /usr/libexec/microcode_ctl/update_ucode dracut -f --kver 3.10.0-862.9.1 -After that, it is possible to perform a late microcode update by executing -"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to -"/sys/devices/system/cpu/microcode/reload" directly. - -To enforce addition of this microcode for all kernels, please create file -"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01", run -"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, -and "dracut -f --regenerate-all" for enabling early microcode updates: +To avoid addition of this microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run +"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates, +and "dracut -f --regenerate-all" for early microcode updates: mkdir -p /etc/microcode_ctl/ucode_with_caveats - touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01 + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01 /usr/libexec/microcode_ctl/update_ucode dracut -f --regenerate-all diff --git a/SOURCES/06-8e-9e-0x-0xca_config b/SOURCES/06-8e-9e-0x-0xca_config index 2dbca4a..1162015 100644 --- a/SOURCES/06-8e-9e-0x-0xca_config +++ b/SOURCES/06-8e-9e-0x-0xca_config @@ -1,4 +1,5 @@ path intel-ucode/* vendor GenuineIntel dmi mode=fail-equal key=bios_vendor val="Dell Inc." +dependency required intel disable early late diff --git a/SOURCES/06-8e-9e-0x-0xca_readme b/SOURCES/06-8e-9e-0x-0xca_readme index cef8e9b..22f47dd 100644 --- a/SOURCES/06-8e-9e-0x-0xca_readme +++ b/SOURCES/06-8e-9e-0x-0xca_readme @@ -82,6 +82,16 @@ in question: * 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542 * 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c + * 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d + * 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8 + * 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac + * 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3 + * 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668 + * 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4 + * 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c + * 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4 + * 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a + Please contact your system vendor for a BIOS/firmware update that contains the latest microcode version. For the information regarding microcode versions required for mitigating specific side-channel cache attacks, please refer diff --git a/SOURCES/06-8e-9e-0x-dell_config b/SOURCES/06-8e-9e-0x-dell_config index bc1fe2b..f93c350 100644 --- a/SOURCES/06-8e-9e-0x-dell_config +++ b/SOURCES/06-8e-9e-0x-dell_config @@ -4,14 +4,4 @@ vendor GenuineIntel ## in cases where no model filter is used is too broad, hence ## no-model-mode=success. dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc." -## The "kernel_early" statements are carried over from the intel caveat config -## in order to avoid enabling this newer microcode on these problematic kernels; -## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme -## (That also means that this caveat has to be enforced separately on these -## kernels.) -kernel_early 4.10.0 -kernel_early 3.10.0-930 -kernel_early 3.10.0-862.14.1 -kernel_early 3.10.0-693.38.1 -kernel_early 3.10.0-514.57.1 -kernel_early 3.10.0-327.73.1 +dependency required intel diff --git a/SOURCES/06-8e-9e-0x-dell_readme b/SOURCES/06-8e-9e-0x-dell_readme index 94b9bb6..0f12fee 100644 --- a/SOURCES/06-8e-9e-0x-dell_readme +++ b/SOURCES/06-8e-9e-0x-dell_readme @@ -82,6 +82,16 @@ in question: * 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542 * 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c + * 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d + * 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8 + * 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac + * 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3 + * 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668 + * 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4 + * 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c + * 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4 + * 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a + Please contact your system vendor for a BIOS/firmware update that contains the latest microcode version. For the information regarding microcode versions required for mitigating specific side-channel cache attacks, please refer diff --git a/SOURCES/README b/SOURCES/README index 8878252..193ee9a 100644 --- a/SOURCES/README +++ b/SOURCES/README @@ -22,6 +22,30 @@ microcode files and their usage. * SECURITY.intel-ucode "security.md" file from the Intel x86 CPU microcode archive. * SUMMARY.intel-ucode - Information about supplied microcode files extracted from their headers. + Information about supplied microcode files extracted from their headers, + in a table form. Columns have the following meaning: + * "Path": path to the microcode file under one of the following directories: + * /usr/share/microcode_ctl/ucode_with_caveats/intel + * /usr/share/microcode_ctl/ucode_with_caveats + * /usr/share/microcode_ctl + * /lib/firmware + * /etc/firmware + * "Offset": offset of the microcode blob within the micocode file in bytes. + * "Ext. Offset": offset of the extended signature header within + the microcode file in bytes. + * "Data Size": size of microcode data in bytes. 0 means 2000 bytes. + * "Total Size": size of microcode blob in bytes, incuding headers. + 0 means 2048 bytes. + * "CPUID": CPU ID signature (in format returned by the CPUID instruction). + * "Platform ID Mask": mask of suitable Platform IDs (provided in bits + 52..50 of MSR 0x17). + * "Revision": microcode revision. + * "Date": microcode creation date. + * "Checksum": sum (in base 1<< 32) of all 32-bit values comprising + the microcode (from Offset up to Offset + Total Size). + * "Codenames": list of known CPU codenames associated with the CPUID + and Platform ID Mask combination. + Please refer to README.cavets, section "Microcode file structure" + for additional information regarding microcode header fields. * caveats - Directory that contains readme files for specific caveats. + Directory that contains readme files for each specific caveat. diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats index d18c2a5..b15642b 100644 --- a/SOURCES/README.caveats +++ b/SOURCES/README.caveats @@ -89,6 +89,75 @@ installation or removal of a kernel RPM in order to provide microcode files for newly installed kernels and cleanup symlinks for the uninstalled ones. +Microcode file structure +------------------------ +Intel x86 CPU microcode file (that is, one that can be directly consumed +by the CPU/kernel, and not its text representation such as used in microcode.dat +files) is a bundle of concatenated microcode blobs. Each blob has a header, +payload, and an optional additional data, as follows (for additional information +please refer to "Intel® 64 and IA-32 Architectures Software Developer’s Manual" +[1], Volume 3A, Section 9.11.1 "Microcode Update"): + * Header (48 bytes) + * Header version (unsigned 32-bit integer): version number of the update + header. Must be 0x1. + * Microcode revision (signed 32-bit integer) + * Microcode date (unsigned 32-bit integer): encoded as BCD in mmddyyyy format + (0x03141592 is 1592-03-14 in ISO 8601) + * CPU signature (unsigned 32-bit integer): CPU ID, as provided + by the CPUID (EAX = 0x1) instruction in the EAX register: + * bits 31..28: reserved + * bits 27..20: "Extended Family", summed with the Family field value + * bits 19..16: "Extended Model", bits 7..4 of the CPU model + * bits 15..14: reserved + * bits 13..12: "Processor Type", non-zero value (other than the "primary + processor") so far used only for the Deschutes (Pentium II) CPU family, + with the processor type of 1, to signify it is an Overdrive processor: + CPUID 0x1632. + * bits 11..08: Family, summed with the Extended Family field value + * bits 07..04: Model (bits 3..0) + * bits 03..00: Stepping + In short, microcode file with Family-Model-Stepping of uv-wx-0z corresponds + to CPUID 0x0TUw0Vxz, where uv = TU + V, with V usually being 0xF when + uv >= 16; with Family being 6 on most of recent Intel CPUs this transforms + into 0x000w06xz. Please also refer to README.intel-ucode, section "About + Processor Signature, Family, Model, Stepping and Platform ID" + for additional information. + * Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32) of all + the 32-bit integers comprising the microcode amounts to 0. + * Loader version (unsigned 32-bit integer): 0x1. + * Platform ID mask (unsigned 32-bit integer): lower 8 bits indicate the set + of possible values of bits 52..50 of MSR 0x17 ("Platform ID"). In old + (up to Pentium II) microcode blobs the mask may be zero. + * Data size (unsigned 32-bit integer): size of the Payload in bytes, + has to be divisible by 4. 0 means 2000. + * Total size (unsigned 32-bit integer): total microcode blob size (including + header and extended header), has to be divisible by 1024. 0 means 2048. + * Reserved (12 bytes). + * Payload + * Additional data (optional, 20 + 12 * n bytes) + * Extended signature table header (20 bytes) + * Extended signature count (unsigned 32-bit integer) + * Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32) + of all the 32-bit integers comprising the extender signature table + amounts to 0. + * Reserved (12 bytes). + * Extended signature (12 bytes each) + * CPU signature (unsigned 32-bit integer): see the description of the CPU + signature field in the Header above. + * Platform ID mask (unsigned 32-bit integer): see the description + of the Platform ID mask field in the Header above. + * Checksum (unsigned 32-bit integer): correct if sum (in base 1<< 32) + of all the 32-bit integers comprising the Header (with CPU signature + and Platform ID mask fields replaced with the values from this signature) + and the Payload amounts to 0. Note that since External signature table + header has its own checksum, sum of all its 32-bit values amounts to 0, + so the Checksum in the Header and in the Extended signature will be + the same if the values of CPU signature and Platform ID mask fields + are the same, + +[1] https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-1-2a-2b-2c-2d-3a-3b-3c-3d-and-4.html + + Caveat configuration -------------------- There is a directory for each caveat under @@ -156,10 +225,6 @@ separated by white space. Currently, the following options are supported: configuration. Argument for the argument is a list of stages ("early", "late") for which the caveat should be disable. The configuration option can be provided multiple times in a configuration file. - * "blacklist" is a marker for a start of list of blacklisted model names, - one model name per line. The model name of the running CPU (as reported - in /proc/cpuinfo) is compared against the names in the provided list, and, - if there is a match, caveat check fails. * "pci_config_val" performs check for specific values in selected parts of configuration space of specified PCI devices. If "-m" option is not specified, then the actual check is skipped, and the check returns @@ -204,8 +269,9 @@ separated by white space. Currently, the following options are supported: it fails (in accordance with "mode=success-all" semantics). This check fails if "-m" option is not specified. * "dmi" performs checks for specific values available in DMI sysfs files - (present under /sys/devices/virtual/dmi/id/). The check fails if file - is not readable. If "-m" option is specified, then the actual check + (present under /sys/devices/virtual/dmi/id/). The check (when it is actually + performed; see a not about "no-model-mode" below) fails if one of the files + is not readable. If "-m" option is not specified, then the actual check is skipped, and the check returns value in accordance with "no-model-mode" parameter value (see below). Check arguments are a white-space-separated list of "key=value" pairs. The following keys are supported: @@ -215,17 +281,30 @@ separated by white space. Currently, the following options are supported: chassis_type, chassis_vendor, chassis_version, product_family, product_name, product_serial, product_uuid, product_version, sys_vendor. Default is empty string. - * "val" - a string to match DMI data against. Can be enclosed in single - or double quotes. Default is empty string. - * "mode" - check mode, the way matches are interpreted: + * "val" - a string to match DMI data present in "key" against. + Can be enclosed in single or double quotes. Default is empty string. + * "keyval" - a pair of "key" and "val" values (with semantics described + above), separated with either "=", ":", "!=", or "!:" characters. Enables + providing of multiple key-value pairs by means of supplying multiple + keyval= parameters. The exclamation sign ("!") character in separator + enables negated matching (so, non-equality of the value in DMI "key" file + and the value of "val" is). The match considered successful when all + the key/val (non-)equalities are in effect. This parameter works + in addition to the pair provided in "key" and "val" parameters + (but allows to avoid using them). Default is empty. + * "mode" - check mode, the way successful matches are interpreted: * "success-equal" - returns 0 if the value present in the file with the name supplied via the "key" parameter file under /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value - of "val" parameter, otherwise 1. - * "success-equal" - returns 1 if the value present in the file + of "val" parameter and all the pairs provided in "keyval" parameters + are equal and non-equal in accordance with their definition, + otherwise 1. + * "fail-equal" - returns 1 if the value present in the file with the name supplied via the "key" parameter file under /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value - of "val" parameter, otherwise 0. + of "val" parameter and all the pairs provided in "keyval" parameters + are equal and non-equal in accordance with their definition, + otherwise 0. Default is "success-any". * "no-model-mode" - return value if model filter ("-m" option) is not enabled: @@ -237,6 +316,61 @@ separated by white space. Currently, the following options are supported: It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its content is "Dell Inc." (without quotes). It succeeds if "-m" option is not enabled. + Another example: + dmi mode=fail-equal keyval="sys_vendor=Amazon EC2" keyval="product_name=u-18tb1.metal" + dmi mode=fail-equal keyval="sys_vendor=Lenovo" keyval="product_name=ThinkSystem SR950" + It blocks the caveat from using when either both + /sys/devices/virtual/dmi/id/sys_vendor contains the string "Amazon EC2" + and /sys/devices/virtual/dmi/id/product_name contains the string + "u-18tb1.metal" or both /sys/devices/virtual/dmi/id/sys_vendor contains + the string "Lenovo" and /sys/devices/virtual/dmi/id/product_name contains + the string "ThinkSystem SR950", but enables caveat loading for other products + with the aforementioned /sys/devices/virtual/dmi/id/sys_vendor values, + for example. + * "dependency" allows conditional enablement of a caveat based on the check + status of some other caveat(s). It has the following format: + dependency DEPENDENCY_TYPE DEPENDENCY_NAME [OPTION...] + where DEPENDENCY_NAME is the configuration to be checked, OPTIONs + are per-DEPENDENCY_TYPE, and the only DEPENDENCY_TYPE that is supported + currently is "required". + Options for the "required" dependency type: + * "match-model-mode" - whether model matching mode ("-m" option) + has to be used for the nested configuration check. Possible values: + * "on" - model-matching mode is always used during the nested check; + * "off" - model-matching mode is never used during the nested check; + * "same" - used the same model-matching mode as it is now. + Default is "same". + * "skip" - controls result of the check when the nested check indicated + skipping of the configuration. + * "fail" - the dependent check fails; + * "success" - the dependent check succeeds; + * "skip" - the dependent check indicates that the configuration + is to be skipped. + Default is "skip". + * "force-skip" - controls result of the check when the nested check + indicated skipping of the configuration caused by the presence + of an override file (see "check_caveats script" section for details). + * "fail" - the dependent check fails; + * "success" - the dependent check succeeds; + * "skip" - the dependent check indicates that the configuration + is to be skipped. + Default is "skip". + * "nesting-too-deep" - as a measure against dependency loop, configuration + checking logic implements nesting limit on dependency checks (currently + set at 8). This option controls the behaviour of the check + when the nested check cannot be performed due to this limit. + * "fail" - the dependent check fails; + * "success" - the dependent check succeeds; + * "skip" - the dependent check indicates that the configuration + is to be skipped. + Default is "fail". + An example of a check: + dependency required intel skip=success match-model-mode=off + It checks "intel" caveat configuration (see the "Early microcode load + inside a virtual machine" section) with model-matching mode being disabled, + treats skipping of the configuration as a success (unless the configuration + is forced to be skipped, in that case the dependent configuration + is to be skipped as well). check_caveats script @@ -473,6 +607,8 @@ Caveat name: intel-06-4f-01 Affected microcode: intel-ucode/06-4f-01. +Dependencies: intel + Mitigation: microcode loading is disabled for the affected CPU model. Minimum versions of the kernel package that contain the aforementioned patch @@ -501,6 +637,8 @@ Caveat name: intel Affected microcode: all. +Dependencies: (none) + Mitigation: early microcode loading is disabled for all CPU models on kernels without the fix. @@ -537,6 +675,8 @@ Caveat name: intel-06-2d-07 Affected microcode: intel-ucode/06-2d-07. +Dependencies: intel + Mitigation: None; the latest revision of the microcode file is used by default; previously published microcode revision 0x714 is still available as a fallback as part of "intel" caveat. @@ -566,35 +706,64 @@ Caveat name: intel-06-55-04 Affected microcode: intel-ucode/06-55-04. +Dependencies: intel + Mitigation: None; the latest revision of the microcode file is used by default; previously published microcode revision 0x2000064 is still available as a fallback as part of "intel" caveat. -Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats ----------------------------------------- -Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3; -and SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of system -hangs when revision 0xdc of microcode, that is included in microcode-20200609 -update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, -is applied[1][2]. In order to address this, microcode update to the newer -revision has been disabled by default on these systems, and the previously -published microcode revision 0xd6 is used instead; the newer microcode files, -however, are still shipped as part of microcode_ctl package and can be used -for performing a microcode update if they are enforced via the aforementioned -overrides. (See the sections "check_caveats script" and "reload_microcode -script" for details.) +Intel Skylake-U/Y caveat +------------------------ +Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3) +have reports of system hangs when revision 0xdc of microcode, that is included +in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548, +and CVE-2020-0549, is applied[1]. In order to address this, microcode update +to the newer revision has been disabled by default on these systems, +and the previously published microcode revision 0xd6 is used instead; the newer +microcode files, however, are still shipped as part of microcode_ctl package +and can be used for performing a microcode update if they are enforced +via the aforementioned overrides. (See the sections "check_caveats script" +and "reload_microcode script" for details.) [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 -[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 -Caveat names: intel-06-4e-03, intel-06-5e-03 +Caveat name: intel-06-4e-03 + +Affected microcode: intel-ucode/06-4e-03 -Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03. +Dependencies: intel Mitigation: previously published microcode revision 0xd6 is used by default. +Intel Skylake-H/S/Xeon E3 v5 caveat +----------------------------------- +Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94, +stepping 3) had reports of system hangs when revision 0xdc of microcode, +that is included in microcode-20200609 update to address CVE-2020-0543, +CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order to address this, +microcode update to the newer revision had been disabled by default on these +systems, and the previously published microcode revision 0xd6 was used instead. +The revision 0xea seems[2] to have fixed the aforementioned issue, hence +the latest microcode revision usage it is enabled by default, +but can be disabled explicitly via the aforementioned overrides. (See +the sections "check_caveats script" and "reload_microcode script" for details.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 +[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014 + +Caveat names: intel-06-5e-03 + +Affected microcode: intel-ucode/06-5e-03. + +Dependencies: intel + +Mitigation: None; the latest revision of the microcode file is used by default; +previously published microcode revision 0xd6 is still available as a fallback +as part of "intel" caveat. + + Dell caveats ------------ Some Dell systems that use some models of Intel CPUs are susceptible to hangs @@ -623,6 +792,8 @@ Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a, intel-ucode/06-9e-0b, intel-ucode/06-9e-0c, intel-ucode/06-9e-0d. +Dependencies: intel + Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used by default if /sys/devices/virtual/dmi/id/bios_vendor reports "Dell Inc."; otherwise, the latest microcode revision is used. @@ -633,12 +804,12 @@ Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used Intel Tiger Lake-UP3/UP4 caveat ------------------------------- Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140, -stepping 1) have reports of system hangs when a microcode update, -that is included since microcode-20201110 release, is applied[1]. -In order to address this, microcode update to a newer revision has been disabled -by default on these systems; the newer microcode file, however, is still shipped -as a part of microcode_ctl package and can be used for performing a microcode -update if it is enforced via the aforementioned overrides. (See the sections +stepping 1) had reports of system hangs when a microcode update, +that was included since microcode-20201110 release, was applied[1]. +In order to address this, microcode update to a newer revision had been disabled +by default on these systems. The revision 0x88 seems to have fixed +the aforementioned issue, hence it is enabled by default; however, it is still +can be disabled via the aforementioned overrides. (See the sections "check_caveats script" and "reload_microcode script" for details.) [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 @@ -647,7 +818,9 @@ Caveat names: intel-06-8c-01 Affected microcode: intel-ucode/06-8c-01. -Mitigation: microcode loading is disabled for the affected CPU model. +Dependencies: intel + +Mitigation: None; the latest revision of the microcode file is used by default. @@ -682,3 +855,8 @@ Intel CPU vulnerabilities is available in the following knowledge base articles: CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8698 (Fast Forward Store Predictor): https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats index ee8db57..b821160 100755 --- a/SOURCES/check_caveats +++ b/SOURCES/check_caveats @@ -9,6 +9,8 @@ : ${FW_DIR=/lib/firmware} : ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats} +MAX_NESTING_LEVEL=8 + usage() { echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]' echo ' [-m] [-v]' @@ -165,7 +167,7 @@ check_pci_config_val() local checked=0 matched=0 path='' local dev_path dev_vid dev_did dev_val local opts="${1:-}" - local match_model="${2:0}" + local match_model="${2:-0}" set -- $1 while [ "$#" -gt 0 ]; do @@ -261,7 +263,7 @@ check_pci_config_val() # It is needed for filtering by BIOS vendor name that is available in DMI data # # $1 - params in config file, space-separated, in key=value form: -# key= - DMI value to check. Can be one of the following: bios_date, +# key= - DMI data record to check. Can be one of the following: bios_date, # bios_vendor, bios_version, board_asset_tag, board_name, board_serial, # board_vendor, board_version, chassis_asset_tag, chassis_serial, # chassis_type, chassis_vendor, chassis_version, product_family, @@ -269,26 +271,33 @@ check_pci_config_val() # sys_vendor. # val= - a string to match DMI data against. Can be enclosed in single # or double quotes. +# keyval= - a string of format "KEY(!)?[=:]VAL" (so, one of "KEY=VAL", +# "KEY!=VAL", "KEY:VAL", "KEY!:VAL") that allows providing +# a key-value pair in a single parameter. It is possible to provide +# multiple keyval= parameters. "!" before :/= means negated match. +# The action supplied in the mode= parameter is executed upon +# successful (non-)matching of all the keyval pairs (as well +# as the pair provided in a pair of key= and val= parameters). # mode=success-equal [ success-equal, fail-equal ] - matching mode: -# success-equal: Returns 0 if the value present in the corresponding file -# under /sys/devices/virtual/dmi/id/ is equal -# to the value supplied as a value of "val" parameter, -# otherwise 1. -# fail-equal: Returns 1 if the value present in the corresponding file -# under /sys/devices/virtual/dmi/id/ is equal -# to the value supplied as a value of "val" parameter, -# otherwise 0. +# success-equal: Returns 0 if the all values present in the corresponding +# files under /sys/devices/virtual/dmi/id/ are equal +# (or not equal in case of a keyval= with negated match) +# to the respective values supplied as the values +# of the keyval= parameters or the pair of key= vand val= +# parameters, otherwise 1. +# fail-equal: Returns 1 if all the values present in DMI files in sysfs +# match (as described above), otherwise 0. # no-model-mode=success [ success, fail ] - return value if model filter # is not enabled: # success: Return 0. # fail: Return 1. # $2 - whether model filter is engaged (if it is not '1', just return the result -# based on "mode" value that assumes that the check has failed). +# based on "no-model-mode" value). check_dmi_val() { - local key= val= mode='success-equal' nm_mode='success' + local key= val= keyval= keyvals= mode='success-equal' nm_mode='success' local opts="${1:-}" opt= opt_= - local match_model="${2:0}" + local match_model="${2:-0}" local valid_keys=" bios_date bios_vendor bios_version board_asset_tag board_name board_serial board_vendor board_version chassis_asset_tag chassis_serial chassis_type chassis_vendor chassis_version product_family product_name product_serial product_uuid product_version sys_vendor " local success=1 @@ -305,21 +314,44 @@ check_dmi_val() # Handle possible quoting [ "x${opt#val=}" = "x${opt}" ] || { case "${opt#val=}" in - [']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val=\'${val}\'" ;; - ["]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;; + [\']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val='${val}'" ;; + [\"]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;; *) val="${opt#val=}" ;; esac } + [ "x${opt#keyval=}" = "x${opt}" ] || { + case "${opt#keyval=}" in + [\']*) + opt_="${opts#keyval=\'}" + keyval="${opt_%%\'*}" + opt="keyval='${keyval}'" + keyvals="${keyvals} + ${keyval}" + ;; + [\"]*) + opt_="${opts#keyval=\"}" + keyval="${opt_%%\"*}" + opt="keyval=\"${keyval}\"" + keyvals="${keyvals} + ${keyval}" + ;; + *) + keyvals="${keyvals} + ${opt#keyval=}" + ;; + esac + } opts="${opts#"${opt}"}" continue done - # Check key for validity - [ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || { - debug "Invalid \"key\" parameter value: \"${key}\"" + [ -z "$key" -a -z "$val" ] || keyvals="${key}=${val}${keyvals}" + + [ -n "x${keyvals}" ] || { + debug "Neither key=, val=, nor keyval= parameters were privoded" echo 2 - exit + return } [ 1 = "$match_model" ] || { @@ -332,23 +364,171 @@ check_dmi_val() ;; esac - exit + return } - [ -r "/sys/devices/virtual/dmi/id/${key}" ] || { - debug "Can't access /sys/devices/virtual/dmi/id/${key}" - echo 3 - exit - } + case "$mode" in + success-equal|fail-equal) ;; + *) debug "Invalid mode value: \"${nm_mode}\""; echo 2; return ;; + esac - file_val="$(cat "/sys/devices/virtual/dmi/id/${key}")" + printf "%s\n" "${keyvals}" | ( + while read l; do + [ -n "$l" ] || continue + key="${l%%[=:]*}" + val="${l#${key}[=:]}" + + cmp="=" + [ "x${key%!}" = "x${key}" ] || { + cmp="!=" + key="${key%!}" + } + + # Check key for validity + [ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || { + debug "Invalid \"key\" parameter value: \"${key}\"" + echo 2 + return + } + + [ -r "/sys/devices/virtual/dmi/id/${key}" ] || { + debug "Can't access /sys/devices/virtual/dmi/id/${key}" + echo 3 + return + } + + file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")" + + [ "x${val}" "${cmp}" "x${file_val}" ] || { + case "$mode" in + success-equal) echo 1 ;; + fail-equal) echo 0 ;; + esac + + return + } + done - [ "x${val}" = "x${file_val}" ] || success=0 + case "$mode" in + success-equal) echo 0 ;; + fail-equal) echo 1 ;; + esac + ) +} - case "$mode" in - success-equal) echo "$((1 - $success))" ;; - fail-equal) echo "${success}" ;; - *) debug "Invalid mode value: \"${nm_mode}\""; echo 2 ;; +# check_dependency CURLEVEL DEP_TYPE DEP_NAME OPTS +# DEP_TYPE: +# required - caveat can be enabled only if dependency is enabled +# (is not forcefully disabled and meets caveat conditions) +# OPTS: +# match-model-mode=same [ on, off, same ] - what mode matching mode is to be used for dependency +# skip=skip [ fail, skip, success ] +# force-skip=skip [ fail, skip, success ] +# nesting-too-deep=fail [ fail, skip, success ] +# Return values: +# 0 - success +# 1 - fail +# 2 - skip +# 9 - error +check_dependency() +{ + local cur_level="$1" + local dep_type="$2" + local dep_name="$3" + local match_model_mode=same old_match_model="${match_model}" + local skip=skip + local force_skip=skip + local nesting_too_deep=fail + + local check="Dependency check for ${dep_type} ${dep_name}" + + set -- ${4:-} + while [ "$#" -gt 0 ]; do + [ "x${1#match-model-mode=}" = "x${1}" ] || match_model_mode="${1#match-model-mode=}" + [ "x${1#skip=}" = "x${1}" ] || skip="${1#skip=}" + [ "x${1#force-skip=}" = "x${1}" ] || force_skip="${1#force-skip=}" + [ "x${1#nesting-too-deep=}" = "x${1}" ] || nesting_too_deep="${1#nesting-too-deep=}" + + shift + done + + case "${dep_type}" in + required) + [ "x${dep_name%/*}" = "x${dep_name}" ] || { + debug "${check} error: dependency name (${dep_name})" \ + "cannot contain slashes" + echo 9 + return + } + + [ "${MAX_NESTING_LEVEL}" -ge "$cur_level" ] || { + local reason="nesting level is too deep (${cur_level}) and nesting-too-deep='${nesting_too_deep}'" + + case "$nesting_too_deep" in + success) debug "${check} succeeded: ${reason}"; echo 0 ;; + fail) debug "${check} failed: ${reason}"; echo 1 ;; + skip) debug "${check} skipped: ${reason}"; echo 2 ;; + *) debug "${check} error: invalid" \ + "nesting-too-deep mode" \ + "(${nesting_too_deep})"; echo 9 ;; + esac + + return + } + + case "${match_model_mode}" in + same) ;; + on) match_model=1 ;; + off) match_model=0 ;; + *) + debug "${check} error: invalid match-model-mode" \ + "(${match_model_mode})" + echo 9 + return + ;; + esac + + local result=0 + debug "${check}: calling check_caveat '${dep_name}'" \ + "'$(($cur_level + 1))' match_model=${match_model}" + check_caveat "${dep_name}" "$(($cur_level + 1))" > /dev/null || result="$?" + + match_model="${old_match_model}" + + case "${result}" in + 0) debug "${check} succeeded: result=${result}"; echo "${result}" ;; + 1) debug "${check} failed: result=${result}"; echo "${result}" ;; + 2) + local reason="result=${result} and skip='${skip}'" + + case "${skip}" in + success) debug "${check} succeeded: ${reason}"; echo 0 ;; + fail) debug "${check} failed: ${reason}"; echo 1 ;; + skip) debug "${check} skipped: ${reason}"; echo 2 ;; + *) debug "${check} error: unexpected skip=" \ + "setting (${skip})"; echo 9 ;; + esac + ;; + 3) + local reason="result=${result} and force_skip='${force_skip}'" + + case "${force_skip}" in + success) debug "${check} succeeded: ${reason}"; echo 0 ;; + fail) debug "${check} failed: ${reason}"; echo 1 ;; + skip) debug "${check} skipped: ${reason}"; echo 2 ;; + *) debug "${check} error: unexpected force-skip=" \ + "setting (${skip})"; echo 9 ;; + esac + ;; + *) + debug "${check} error: unexpected check_caveat result" \ + "(${result})"; echo 9 ;; + esac + ;; + *) + debug "${check} error: unknown dependency type '${dep_type}'" + echo 9 + ;; esac } @@ -386,6 +566,12 @@ get_mc_path() AuthenticAMD) echo "amd-ucode/$2" ;; + *) + # We actually only support Intel ucode, but things may break + # if nothing is printed (input would be gotten from stdin + # otherwise). + echo "invalid" + ;; esac } @@ -394,19 +580,6 @@ get_mc_ver() /bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo } -fail() -{ - ret=1 - - fail_cfgs="$fail_cfgs $cfg" - fail_paths="$fail_paths $cfg_path" - - [ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \ - || /bin/cat "${dir}/disclaimer" -} - -#check_kver "$@" -#get_model_name match_model=0 configs= @@ -467,34 +640,44 @@ else stage="late" fi - -for cfg in $(echo "${configs}"); do - dir="$MC_CAVEATS_DATA_DIR/$cfg" - - # We add cfg to the skip list first and then, if we do not skip it, - # we remove the configuration from the list. - skip_cfgs="$skip_cfgs $cfg" +# check_caveat CFG [CHECK_LEVEL] +# changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs, +# skip_cfgs if CHECK_LEVEL is set to 0 (default). +# CHECK_LEVEL is used for recursive configuration dependency checks, +# and indicates nesting level. +# Return value: +# 0 - check is successful +# 1 - check has been failed +# 2 - configuration has been skipped +# 3 - configuration has been skipped due to presence of an override file +check_caveat() { + local cfg="$1" + local check_level="${2:-0}" + local dir="$MC_CAVEATS_DATA_DIR/$cfg" [ -r "${dir}/readme" ] || { debug "File 'readme' in ${dir} is not found, skipping" - continue + return 2 } [ -r "${dir}/config" ] || { debug "File 'config' in ${dir} is not found, skipping" - continue + return 2 } - cfg_model= - cfg_vendor= - cfg_path= - cfg_kvers= - cfg_kvers_early= - cfg_blacklist= - cfg_mc_min_ver_late= - cfg_disable= - cfg_pci= - cfg_dmi= + local cfg_model= + local cfg_vendor= + local cfg_path= + local cfg_kvers= + local cfg_kvers_early= + local cfg_mc_min_ver_late= + local cfg_disable= + local cfg_pci= + local cfg_dmi= + local cfg_dependency= + + local key + local value while read -r key value; do case "$key" in @@ -519,13 +702,6 @@ for cfg in $(echo "${configs}"); do disable) cfg_disable="$cfg_disable $value " ;; - blacklist) - cfg_blacklist=1 - # "blacklist" is special: it stops entity parsing, - # and the rest of file is a list of blacklisted model - # names. - break - ;; pci_config_val) cfg_pci="$cfg_pci $value" @@ -534,6 +710,10 @@ for cfg in $(echo "${configs}"); do cfg_dmi="$cfg_dmi $value" ;; + dependency) + cfg_dependency="$cfg_dependency + $value" + ;; '#'*|'') continue ;; @@ -544,12 +724,8 @@ for cfg in $(echo "${configs}"); do esac done < "${dir}/config" - [ -z "${cfg_blacklist}" ] || \ - cfg_blacklist=$(/bin/sed -n '/^blacklist$/,$p' "${dir}/config" | - /usr/bin/tail -n +2) - debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'" - debug "${cfg}: blacklist '$cfg_blacklist'" + echo "$cfg_path" # Check for override files in the following order: # - disallow early/late specific caveat for specific kernel @@ -570,10 +746,10 @@ for cfg in $(echo "${configs}"); do # - force early/late everyhting # - disallow everything # - force everyhting - ignore_cfg=0 - force_cfg=0 - override_file="" - overrides=" + local ignore_cfg=0 + local force_cfg=0 + local override_file="" + local overrides=" 0:$FW_DIR/$kver/disallow-$stage-$cfg 1:$FW_DIR/$kver/force-$stage-$cfg 0:$FW_DIR/$kver/disallow-$cfg @@ -590,6 +766,9 @@ for cfg in $(echo "${configs}"); do 1:$CFG_DIR/force-$stage 0:$CFG_DIR/disallow 1:$CFG_DIR/force" + local o + local o_force + local override_file for o in $(echo "$overrides"); do o_force=${o%%:*} override_file=${o#$o_force:} @@ -608,7 +787,7 @@ for cfg in $(echo "${configs}"); do [ 0 -eq "$ignore_cfg" ] || { debug "Configuration \"$cfg\" is ignored due to presence of" \ "\"$override_file\"." - continue + return 3 } # Check model if model filter is enabled @@ -617,11 +796,13 @@ for cfg in $(echo "${configs}"); do debug "Current CPU model '$cpu_model' doesn't" \ "match configuration CPU model '$cfg_model'," \ "skipping" - continue + return 2 } fi # Check paths if model filter is enabled + local cpu_mc_path + local cfg_mc_present if [ 1 -eq "$match_model" -a -n "$cfg_path" ]; then cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \ "$cpu_vendor" "${cpu_model#* }")" @@ -640,7 +821,7 @@ for cfg in $(echo "${configs}"); do [ 1 = "$cfg_mc_present" ] || { debug "No matching microcode files in '$cfg_path'" \ "for CPU model '$cpu_model', skipping" - continue + return 2 } fi @@ -650,30 +831,56 @@ for cfg in $(echo "${configs}"); do debug "Current CPU vendor '$cpu_vendor' doesn't" \ "match configuration CPU vendor '$cfg_vendor'," \ "skipping" - continue + return 2 } fi - # Check configuration files - - ret_cfgs="$ret_cfgs $cfg" - ret_paths="$ret_paths $cfg_path" - skip_cfgs="${skip_cfgs% $cfg}" - + # Has to be performed before dependency checks [ 0 -eq "$force_cfg" ] || { debug "Checks for configuration \"$cfg\" are ignored due to" \ "presence of \"$override_file\"." - ok_cfgs="$ok_cfgs $cfg" - ok_paths="$ok_paths $cfg_path" - - continue + return 0 } + # Check dependencies + # It has to be performed here (before adding configuration + # to $ret_cfgs/$ret_paths) since it may be skipped. + if [ -n "$cfg_dependency" ]; then + dep_line="$(printf "%s\n" "$cfg_dependency" | \ + while read -r dep_type dep_name dep_opts + do + [ -n "$dep_type" ] || continue + dep_res=$(check_dependency "$check_level" \ + "$dep_type" \ + "$dep_name" \ + "$dep_opts") + [ 0 != "$dep_res" ] || continue + echo "$dep_res $dep_type $dep_name $dep_opts" + break + done + echo "0 ")" + + case "${dep_line%% *}" in + 0) ;; + 2) + debug "Dependency check '${dep_line#* }'" \ + "induced configuration skip" + return 2 + ;; + *) + debug "Dependency check '${dep_line#* }'" \ + "failed (with return code ${dep_line%% *})" + return 1 + ;; + esac + fi + + # Check configuration files + [ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || { debug "${cfg}: caveat is disabled in configuration" - fail - continue + return 1 } # Check late load kernel version @@ -681,8 +888,7 @@ for cfg in $(echo "${configs}"); do check_kver "$kver" $cfg_kvers || { debug "${cfg}: late load kernel version check for" \ " '$kver' against '$cfg_kvers' failed" - fail - continue + return 1 } fi @@ -691,17 +897,7 @@ for cfg in $(echo "${configs}"); do check_kver "$kver" $cfg_kvers_early || { debug "${cfg}: early load kernel version check for" \ "'$kver' against '$cfg_kvers_early' failed" - fail - continue - } - fi - - # Check model blacklist - if [ -n "$cfg_blacklist" ]; then - echo "$cfg_blacklist" | /bin/grep -vqFx "${cpu_model_name}" || { - debug "${cfg}: model '${cpu_model_name}' is blacklisted" - fail - continue + return 1 } fi @@ -714,8 +910,7 @@ for cfg in $(echo "${configs}"); do debug "${cfg}: CPU microcode version $cpu_mc_ver" \ "failed check (should be at least" \ "${cfg_mc_min_ver_late})" - fail - continue + return 1 } fi @@ -736,14 +931,14 @@ for cfg in $(echo "${configs}"); do [ -z "${pci_line#* }" ] || { debug "PCI configuration word check '${pci_line#* }'" \ "failed (with return code ${pci_line%% *})" - fail - continue + return 1 } fi # Check DMI data if model filter is enabled - # Note that the model filter check is done inside check_pci_config_val - # based on the 'mode=' parameter. + # Note that the model filter check is done inside check_dmi_val + # (which returns the value of 'no-model-mode=' parameter + # if it is disenaged). if [ -n "$cfg_dmi" ]; then dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line do @@ -759,13 +954,43 @@ for cfg in $(echo "${configs}"); do [ -z "${dmi_line#* }" ] || { debug "DMI data check '${dmi_line#* }'" \ "failed (with return code ${dmi_line%% *})" - fail - continue + return 1 } fi - ok_cfgs="$ok_cfgs $cfg" - ok_paths="$ok_paths $cfg_path" + return 0 +} + +for cfg in $(echo "${configs}"); do + if cfg_path=$(check_caveat "$cfg"; exit "$?") + then + ret_cfgs="$ret_cfgs $cfg" + ret_paths="$ret_paths $cfg_path" + ok_cfgs="$ok_cfgs $cfg" + ok_paths="$ok_paths $cfg_path" + else + case "$?" in + 1) + ret=1 + + ret_cfgs="$ret_cfgs $cfg" + ret_paths="$ret_paths $cfg_path" + fail_cfgs="$fail_cfgs $cfg" + fail_paths="$fail_paths $cfg_path" + + [ 0 -eq "$print_disclaimers" ] \ + || [ ! -e "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" ] \ + || /bin/cat "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" + ;; + 2|3) + skip_cfgs="$skip_cfgs $cfg"; + ;; + *) + debug "Unexpected check_caveat return code '$?'" \ + "for config '$cfg'" + ;; + esac + fi done [ 0 -eq "$print_disclaimers" ] || exit 0 diff --git a/SOURCES/codenames.list b/SOURCES/codenames.list index be1f3d2..f2eaa75 100644 --- a/SOURCES/codenames.list +++ b/SOURCES/codenames.list @@ -242,6 +242,7 @@ Server;;Skylake;B1;97;50653;SKX;SP;Xeon Scalable; Desktop;;Skylake;H0,M0,U0;b7;50654;SKX;X;Core i9-7xxxX, i9-9xxxX; Server;;Skylake;H0,M0,U0;b7;50654;SKX;SP,W;Xeon Scalable; Server;;Skylake;M1;b7;50654;SKX;D;Xeon D-21xx; +Server;;Cascade Lake;A0;b7;50655;CLX;SP;Xeon Scalable Gen2; Server;;Cascade Lake;B0;bf;50656;CLX;SP;Xeon Scalable Gen2; Desktop;;Cascade Lake;B1,L1;bf;50657;CLX;X;; Server;;Cascade Lake;B1,L1;bf;50657;CLX;SP;Xeon Scalable Gen2; @@ -262,11 +263,17 @@ Server;;Skylake;N0,R0,S0;36;506e3;SKL;Xeon E3;Xeon E3 v5; SOC;;Denverton;B0;01;506f1;DNV;;Atom C3xxx; SOC;;XMM 7272 (SoFIA);;01;60650;;;XMM 7272 Mobile;;Cannon Lake;D0;80;60663;CNL;U;Core Gen8 Mobile; +Server;;Ice Lake;C0;87;606a5;ICX;SP;Xeon Scalable Gen3; +Server;;Ice Lake;D0;87;606a6;ICX;SP;Xeon Scalable Gen3; SOC;;Gemini Lake;B0;01;706a1;GLK;;;Pentium J5005/N5000, Celeron J4005/J4105/N4000/N4100 SOC;;Gemini Lake;R0;01;706a8;GLK;R;;Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 Mobile;;Ice Lake;D1;80;706e5;ICL;U,Y;Core Gen10 Mobile; -Server;;Knights Mill;A0;08;80650;KNM;;Xeon hi 72x5;Xeon Phi 7235, 7285, 7295 +Server;;Knights Mill;A0;08;80650;KNM;;Xeon Phi 72x5;Xeon Phi 7235, 7285, 7295 +SOC;;Snow Ridge;B0;01;80664;SNR;;Atom P59xxB; +SOC;;Snow Ridge;B1;01;80665;SNR;;Atom P59xxB; Mobile;;Tiger Lake;B1;80;806c1;TGL;UP3,UP4;Core Gen11 Mobile; +Mobile;;Tiger Lake Refresh;C0;80;806c2;TGL;R;Core Gen11 Mobile; +Mobile;;Tiger Lake;R0;c2;806d1;TGL;H;Core Gen11 Mobile; Mobile;;Amber Lake;H0;10;806e9;AML;Y 2+2;Core Gen8 Mobile; Mobile;;Kaby Lake;H0;c0;806e9;KBL;U,Y;Core Gen7 Mobile; Mobile;;Kaby Lake;J1;c0;806e9;KBL;U 2+3e;Core Gen7 Mobile; @@ -277,6 +284,7 @@ Mobile;;Comet Lake;V0;94;806ec;CML;U 4+2;Core Gen10 Mobile; Mobile;;Whiskey Lake;W0;d0;806eb;WHL;U;Core Gen8 Mobile; Mobile;;Whiskey Lake;V0;94;806ec;WHL;U;Core Gen8 Mobile; Mobile;;Whiskey Lake;V0;94;806ed;WHL;U;Core Gen8 Mobile; +SOC;;Elkhart Rate;B1;01;90661;EHL;;Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E; Desktop;;Kaby Lake;B0;2a;906e9;KBL;S,X;Core Gen7; Mobile;;Kaby Lake;B0;2a;906e9;KBL;G,H;Core Gen7 Mobile; Server;;Kaby Lake;B0;2a;906e9;KBL;Xeon E3;Xeon E3 v6; @@ -292,11 +300,13 @@ Server;;Coffee Lake;P0;22;906ec;CFL;Xeon E;Xeon E; Desktop;;Coffee Lake;R0;22;906ed;CFL;S;Core Gen9 Desktop; Mobile;;Coffee Lake;R0;22;906ed;CFL;H;Core Gen9 Mobile; Server;;Coffee Lake;R0;22;906ed;CFL;Xeon E;Xeon E; +SOC;;Jasper Lake;A0,A1;01;906c0;JSL;;Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105; Mobile;;Comet Lake;R1;20;a0652;CML;H;Core Gen10 Mobile; Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop; Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop; Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile; -Mobile;;Comet Lake;K0;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile; +Mobile;;Comet Lake;K1;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile; +Desktop;;Rocket Lake;B0;02;a0671;RKL;S;Core Gen11; SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology; # sources: diff --git a/SOURCES/gen_updates2.py b/SOURCES/gen_updates2.py index c5e7a8f..51056f9 100755 --- a/SOURCES/gen_updates2.py +++ b/SOURCES/gen_updates2.py @@ -3,6 +3,7 @@ import argparse import errno +import fnmatch import io import itertools import os @@ -10,6 +11,7 @@ import re import shutil import struct import sys +import tarfile import tempfile from subprocess import PIPE, Popen, STDOUT @@ -34,6 +36,7 @@ except: log_level = 0 print_date = False +file_glob = ["*??-??-??", "*microcode*.dat"] def log_status(msg, level=0): @@ -96,13 +99,15 @@ def file_walk(args, yield_dirs=False): def cpuid_fname(c): + # Note that the Extended Family is summed up with the Family, + # while the Extended Model is concatenated with the Model. return "%02x-%02x-%02x" % ( - ((c >> 16) & 0xff0) + ((c >> 8) & 0xf), + ((c >> 20) & 0xff) + ((c >> 8) & 0xf), ((c >> 12) & 0xf0) + ((c >> 4) & 0xf), c & 0xf) -def read_revs_dir(path, src=None, ret=None): +def read_revs_dir(path, args, src=None, ret=None): if ret is None: ret = [] @@ -156,18 +161,24 @@ def read_revs_dir(path, src=None, ret=None): while cur_offs < offs + hdr[8] \ and ext_sig_cnt <= ext_tbl[0]: ext_sig = struct.unpack("III", f.read(12)) - ret.append({"path": rp, "src": src or path, - "cpuid": ext_sig[0], "pf": ext_sig[1], - "rev": hdr[1], "date": hdr[2], - "offs": offs, "ext_offs": cur_offs, - "cksum": hdr[4], - "ext_cksum": ext_sig[2], - "data_size": hdr[7], - "total_size": hdr[8]}) + ignore = args.ignore_ext_dups and \ + (ext_sig[0] == hdr[3]) + if not ignore: + ret.append({"path": rp, "src": src or path, + "cpuid": ext_sig[0], + "pf": ext_sig[1], + "rev": hdr[1], "date": hdr[2], + "offs": offs, "ext_offs": cur_offs, + "cksum": hdr[4], + "ext_cksum": ext_sig[2], + "data_size": hdr[7], + "total_size": hdr[8]}) log_status(("Got ext sig %#x/%#x for " + - "%s:%#x:%#x/%#x") % - (ext_sig[0], ext_sig[1], rp, offs, - hdr[3], hdr[6]), level=2) + "%s:%#x:%#x/%#x%s") % + (ext_sig[0], ext_sig[1], + rp, offs, hdr[3], hdr[6], + " (ignored)" if ignore else ""), + level=2) cur_offs += 12 ext_sig_cnt += 1 @@ -180,7 +191,7 @@ def read_revs_dir(path, src=None, ret=None): return ret -def read_revs_rpm(path, ret=None): +def read_revs_rpm(path, args, ret=None): if ret is None: ret = [] @@ -191,7 +202,7 @@ def read_revs_rpm(path, ret=None): rpm2cpio = Popen(args=["rpm2cpio", path], stdout=PIPE, stderr=PIPE, close_fds=True) - cpio = Popen(args=["cpio", "-idmv", "*??-??-??", "*microcode*.dat"], + cpio = Popen(args=["cpio", "-idmv"] + file_glob, cwd=dir_tmp, stdin=rpm2cpio.stdout, stdout=PIPE, stderr=STDOUT) out, cpio_stderr = cpio.communicate() @@ -210,20 +221,58 @@ def read_revs_rpm(path, ret=None): log_info("cpio stderr:\n%s" % cpio_stderr, level=3) if rpm2cpio_ret == 0 and cpio_ret == 0: - ret = read_revs_dir(dir_tmp, path) + ret = read_revs_dir(dir_tmp, args, path) shutil.rmtree(dir_tmp) return ret -def read_revs(path, ret=None): +def read_revs_tar(path, args, ret=None): + if ret is None: + ret = [] + + dir_tmp = tempfile.mkdtemp() + + log_status("Trying to extract files from tarball \"%s\"..." % path, + level=1) + + try: + with tarfile.open(path, "r:*") as tar: + for ti in tar: + if any(fnmatch.fnmatchcase(ti.name, p) for p in file_glob): + d = os.path.normpath(os.path.join("/", + os.path.dirname(ti.name))) + # For now, strip exactl one level + d = os.path.join(*(d.split(os.path.sep)[2:])) + n = os.path.join(d, os.path.basename(ti.name)) + + if not os.path.exists(d): + os.makedirs(d) + t = tar.extractfile(ti) + with open(n, "wb") as f: + shutil.copyfileobj(t, f) + t.close() + + ret = read_revs_dir(dir_tmp, args, path) + except Exception as err: + log_error("Error while reading \"%s\" as a tarball: \"%s\"" % + (path, str(err))) + + shutil.rmtree(dir_tmp) + + return ret + + +def read_revs(path, args, ret=None): if ret is None: ret = [] if os.path.isdir(path): - return read_revs_dir(path, ret) + return read_revs_dir(path, args, ret) + elif tarfile.is_tarfile(path): + return read_revs_tar(path, args, ret) else: - return read_revs_rpm(path, ret) + return read_revs_rpm(path, args, ret) def gen_mc_map(mc_data, merge=False, merge_path=False): @@ -307,7 +356,8 @@ class mcnm: MCNM_CODENAME = 4 -def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV): +def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV, stringify=True, + segment=False): if not isinstance(mc, dict): mc = mc_from_mc_key(mc) sig = mc["cpuid"] @@ -350,6 +400,9 @@ def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV): else: cname = c["codename"] + if segment: + cname = c["segment"] + " " + cname + if cname not in suffices: suffices[cname] = set() if "variant" in c and c["variant"]: @@ -361,28 +414,28 @@ def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV): steppings[cname] |= set(c["stepping"]) for cname in sorted(steppings.keys()): - cname_str = cname + cname_res = [cname] if len(suffices[cname]): - cname_str += "-" + "/".join(sorted(suffices[cname])) + cname_res[0] += "-" + "/".join(sorted(suffices[cname])) if len(steppings[cname]): - cname_str += " " + "/".join(sorted(steppings[cname])) - res.append(cname_str) + cname_res.append("/".join(sorted(steppings[cname]))) + res.append(" ".join(cname_res) if stringify else cname_res) - return ", ".join(res) or None + return (", ".join(res) or None) if stringify else res def mc_from_mc_key(k): return dict(zip(("path", "cpuid", "pf"), k)) -def mc_path(mc, pf_sfx=True, midword=None, cmap=None): +def mc_path(mc, pf_sfx=True, midword=None, cmap=None, cname_segment=False): if not isinstance(mc, dict): mc = mc_from_mc_key(mc) path = mc_stripped_path(mc) if mc["path"] is not None else None cpuid_fn = cpuid_fname(mc["cpuid"]) fname = os.path.basename(mc["path"] or cpuid_fn) midword = "" if midword is None else " " + midword - cname = get_mc_cnames(mc, cmap) + cname = get_mc_cnames(mc, cmap, segment=cname_segment) cname_str = " (" + cname + ")" if cname else "" if pf_sfx: @@ -492,22 +545,22 @@ def mc_rev(mc, date=None): return "%#x" % rev -def print_changelog(clog, cmap, args): - for e, old, new in sorted(clog): +def print_changelog_rpm(clog, cmap, args): + for e, old, new in clog: + mc_str = mc_path(new if e == ChangeLogEntry.ADDED else old, + midword="microcode", + cmap=cmap, cname_segment=args.segment) + if e == ChangeLogEntry.ADDED: - print("Addition of %s at revision %s" % - (mc_path(new, midword="microcode", cmap=cmap), mc_rev(new))) + print("Addition of %s at revision %s" % (mc_str, mc_rev(new))) elif e == ChangeLogEntry.REMOVED: - print("Removal of %s at revision %s" % - (mc_path(old, midword="microcode", cmap=cmap), mc_rev(old))) + print("Removal of %s at revision %s" % (mc_str, mc_rev(old))) elif e == ChangeLogEntry.UPDATED: print("Update of %s from revision %s up to %s" % - (mc_path(old, midword="microcode", cmap=cmap), - mc_rev(old), mc_rev(new))) + (mc_str, mc_rev(old), mc_rev(new))) elif e == ChangeLogEntry.DOWNGRADED: print("Downgrade of %s from revision %s down to %s" % - (mc_path(old, midword="microcode", cmap=cmap), - mc_rev(old), mc_rev(new))) + (mc_str, mc_rev(old), mc_rev(new))) elif e == ChangeLogEntry.OTHER: print("Other change in %s:" % old["path"]) print(" old: %#x/%#x: rev %s (offs %#x)" % @@ -516,6 +569,70 @@ def print_changelog(clog, cmap, args): (new["cpuid"], new["pf"], mc_rev(new), new["offs"])) +def print_changelog_intel(clog, cmap, args): + def clog_sort_key(x): + res = str(x[0]) + + if x[0] != ChangeLogEntry.ADDED: + res += "%08x%02x" % (x[1]["cpuid"], x[1]["pf"]) + else: + res += "0" * 10 + + if x[0] != ChangeLogEntry.REMOVED: + res += "%08x%02x" % (x[2]["cpuid"], x[2]["pf"]) + else: + res += "0" * 10 + + return res + + sorted_clog = sorted(clog, key=clog_sort_key) + sections = (("New Platforms", (ChangeLogEntry.ADDED, )), + ("Updated Platforms", (ChangeLogEntry.UPDATED, + ChangeLogEntry.DOWNGRADED)), + ("Removed Platforms", (ChangeLogEntry.REMOVED, ))) + + def print_line(e, old, new, types): + if e not in types: + return + + if not print_line.hdr: + print(""" +| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products +|:---------------|:---------|:------------|:---------|:---------|:---------""") + print_line.hdr = True + + mc = new if e == ChangeLogEntry.ADDED else old + cnames = get_mc_cnames(mc, cmap, stringify=False, + segment=args.segment) or (("???", ""), ) + for cn in cnames: + cname = cn[0] + stepping = cn[1] if len(cn) > 1 else "" + print("| %-14s | %-8s | %8s/%02x | %8s | %8s | %s" % + (cname, + stepping, + cpuid_fname(mc["cpuid"]), mc["pf"], + ("%08x" % old["rev"]) if e != ChangeLogEntry.ADDED else "", + ("%08x" % new["rev"]) if e != ChangeLogEntry.REMOVED else "", + get_mc_cnames(mc, cmap, mode=mcnm.MCNM_FAMILIES, + segment=args.segment) or "")) + + for h, types in sections: + print("\n### %s" % h) + print_line.hdr = False + for e, old, new in sorted_clog: + print_line(e, old, new, types) + + +def print_changelog(clog, cmap, args): + if args.format == "rpm": + print_changelog_rpm(clog, cmap, args) + elif args.format == "intel": + print_changelog_intel(clog, cmap, args) + else: + log_error(("unknown changelog format: \"%s\". " + + "Supported formats are: rpm, intel.") % args.format) + + class TableStyles: TS_CSV = 0 TS_FANCY = 1 @@ -552,9 +669,9 @@ def print_summary(revs, cmap, args): header = [] if args.header: - header.append(["Path", "Offset", "Ext. Offset", "CPUID", - "Platform ID Mask", "Revision", "Date", "Checksum", - "Codenames"] + + header.append(["Path", "Offset", "Ext. Offset", "Data Size", + "Total Size", "CPUID", "Platform ID Mask", "Revision", + "Date", "Checksum", "Codenames"] + (["Models"] if args.models else [])) tbl = [] for k in sorted(m.keys()): @@ -562,14 +679,19 @@ def print_summary(revs, cmap, args): tbl.append([mc_stripped_path(mc), "0x%x" % mc["offs"], "0x%x" % mc["ext_offs"] if "ext_offs" in mc else "-", + "0x%05x" % mc["data_size"], + "0x%05x" % mc["total_size"], "0x%05x" % mc["cpuid"], "0x%02x" % mc["pf"], mc_rev(mc, date=False), mc_date(mc), - "0x%08x" % mc["cksum"], - get_mc_cnames(mc, cmap, cnames_mode) or ""] + + "0x%08x" % (mc["ext_cksum"] + if "ext_cksum" in mc else mc["cksum"]), + get_mc_cnames(mc, cmap, cnames_mode, + segment=args.segment) or ""] + ([get_mc_cnames(mc, cmap, - mcnm.MCNM_FAMILIES_MODELS)] + mcnm.MCNM_FAMILIES_MODELS, + segment=args.segment)] if args.models else [])) print_table(tbl, header, style=TableStyles.TS_FANCY) @@ -685,7 +807,7 @@ def print_discrepancies(rev_map, deps, cmap, args): if print_out and print_date: if args.models: - out.append(get_mc_cnames(s, cmap) or "") + out.append(get_mc_cnames(s, cmap, segment=args.segment) or "") tbl.append(out) print_table(tbl, header, style=TableStyles.TS_FANCY) @@ -694,7 +816,7 @@ def print_discrepancies(rev_map, deps, cmap, args): def cmd_summary(args): revs = [] for p in args.filelist: - revs = read_revs(p, ret=revs) + revs = read_revs(p, args, ret=revs) codenames_map = read_codenames_file(args.codenames) @@ -708,8 +830,8 @@ def cmd_changelog(args): base_path = args.filelist[0] upd_path = args.filelist[1] - base = read_revs(base_path) - upd = read_revs(upd_path) + base = read_revs(base_path, args) + upd = read_revs(upd_path, args) print_changelog(gen_changelog(base, upd), codenames_map, args) @@ -750,7 +872,7 @@ def cmd_discrepancies(args): (orig_path, dep)) return 1 deps.append((path, name, deps[dep][0] if dep is not None else None)) - rev_map[path] = gen_fn_map(read_revs(path), merge=args.merge, + rev_map[path] = gen_fn_map(read_revs(path, args), merge=args.merge, merge_path=True) print_discrepancies(rev_map, deps, codenames_map, args) @@ -766,6 +888,22 @@ def parse_cli(): help="Code names file") root_parser.add_argument("-v", "--verbose", action="count", default=0, help="Increase output verbosity") + root_parser.add_argument("-E", "--no-ignore-ext-duplicates", + action="store_const", dest="ignore_ext_dups", + default=False, const=False, + help="Do not ignore duplicates of the main " + + "signature in the extended signature header") + root_parser.add_argument("-e", "--ignore-ext-duplicates", + action="store_const", dest="ignore_ext_dups", + const=True, + help="Ignore duplicates of the main signature " + + "in the extended signature header") + root_parser.add_argument("-t", "--print-segment", action="store_const", + dest="segment", const=True, + help="Print model segment") + root_parser.add_argument("-T", "--no-print-segment", action="store_const", + dest="segment", const=False, default=False, + help="Do not print model segment") cmdparsers = root_parser.add_subparsers(title="Commands", help="main gen_updates commands") @@ -794,6 +932,8 @@ def parse_cli(): parser_c = cmdparsers.add_parser("changelog", help="Generate changelog") + parser_c.add_argument("-F", "--format", choices=["rpm", "intel"], + default="rpm", help="Changelog format") parser_c.add_argument("filelist", nargs=2, help="RPMs/directories to compare") parser_c.set_defaults(func=cmd_changelog) @@ -840,6 +980,10 @@ def parse_cli(): if not hasattr(args, "func"): root_parser.print_help() return None + + global log_level + log_level = args.verbose + return args diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec index 09226d7..8818c45 100644 --- a/SPECS/microcode_ctl.spec +++ b/SPECS/microcode_ctl.spec @@ -1,4 +1,4 @@ -%define intel_ucode_version 20210216 +%define intel_ucode_version 20210608 %global debug_package %{nil} %define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats @@ -33,11 +33,6 @@ Source5: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Fi Source6: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20190918.tar.gz # microcode-20191115 release,containing revision 0xca of 06-[89]e-0X microcode Source7: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20191115.tar.gz -# microcode-20201118 has removed 06-8c-01/0x80 (TGL-UP3/UP4 B1) microcode update -# at revision 0x68; it is, however, may still be useful for some[1], so it is -# to be preserved in a caveat. -# [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/39 -Source8: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20201112/intel-ucode/06-8c-01 # systemd unit @@ -117,14 +112,15 @@ Source171: 06-8e-9e-0x-dell_config Source172: 06-8e-9e-0x-dell_disclaimer # TGL-UP3/UP4 (CPUID 06-8c-01) hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 Source180: 06-8c-01_readme Source181: 06-8c-01_config Source182: 06-8c-01_disclaimer # "Provides:" RPM tags generator -Source1000: gen_provides.sh -Source1001: codenames.list -Source1002: gen_updates2.py +Source1000: gen_provides.sh +Source1001: codenames.list +Source1002: gen_updates2.py ExclusiveArch: %{ix86} x86_64 BuildRequires: systemd-units @@ -182,7 +178,7 @@ tar xvvf "%{SOURCE7}" --wildcards --strip-components=2 \ popd # Moving 06-8c-01 microcode to intel-ucode-with-caveats -cp "%{SOURCE8}" intel-ucode-with-caveats/ +mv intel-ucode/06-8c-01 intel-ucode-with-caveats/ : @@ -548,6 +544,120 @@ rm -rf %{buildroot} %changelog +* Mon Jul 05 2021 Eugene Syromiatnikov - 4:20210608-1 +- Update Intel CPU microcode to microcode-20210608 release (#1921773): + - Fixes in releasenote.md file. + +* Mon Jun 14 2021 Eugene Syromiatnikov - 4:20210525-2 +- Make intel-06-2d-07, intel-06-4e-03, intel-06-4f-01, intel-06-55-04, + intel-06-5e-03, intel-06-8c-01, intel-06-8e-9e-0x-0xca, + and intel-06-8e-9e-0x-dell caveats dependent on intel caveat. +- Enable 06-8c-01 microcode update by default (#1970611). +- Enable 06-5e-03 microcode update by default (#1897673). + +* Thu May 27 2021 Eugene Syromiatnikov - 4:20210525-1 +- Update Intel CPU microcode to microcode-20210525 release, addresses + CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, and CVE-2020-24513 + (#1962664, #1962714, #1962734, #1962680): + - Addition of 06-55-05/0xb7 (CLX-SP A0) microcode at revision 0x3000010; + - Addition of 06-6a-05/0x87 (ICX-SP C0) microcode at revision 0xc0002f0; + - Addition of 06-6a-06/0x87 (ICX-SP D0) microcode at revision 0xd0002a0; + - Addition of 06-86-04/0x01 (SNR B0) microcode at revision 0xb00000f; + - Addition of 06-86-05/0x01 (SNR B1) microcode (in intel-ucode/06-86-04) + at revision 0xb00000f; + - Addition of 06-86-04/0x01 (SNR B0) microcode (in intel-ucode/06-86-05) + at revision 0xb00000f; + - Addition of 06-86-05/0x01 (SNR B1) microcode at revision 0xb00000f; + - Addition of 06-8c-02/0xc2 (TGL-R C0) microcode at revision 0x16; + - Addition of 06-8d-01/0xc2 (TGL-H R0) microcode at revision 0x2c; + - Addition of 06-96-01/0x01 (EHL B1) microcode at revision 0x11; + - Addition of 06-9c-00/0x01 (JSL A0/A1) microcode at revision 0x1d; + - Addition of 06-a7-01/0x02 (RKL-S B0) microcode at revision 0x40; + - Update of 06-4e-03/0xc0 (SKL-U/U 2+3e/Y D0/K1) microcode (in + intel-06-4e-03/intel-ucode/06-4e-03) from revision 0xe2 up to 0xea; + - Update of 06-4f-01/0xef (BDX-E/EP/EX/ML B0/M0/R0) microcode (in + intel-06-4f-01/intel-ucode/06-4f-01) from revision 0xb000038 up + to 0xb00003e; + - Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in + intel-06-55-04/intel-ucode/06-55-04) from revision 0x2006a0a up + to 0x2006b06; + - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 N0/R0/S0) microcode (in + intel-06-5e-03/intel-ucode/06-5e-03) from revision 0xe2 up to 0xea; + - Update of 06-8c-01/0x80 (TGL-UP3/UP4 B1) microcode (in + intel-06-8c-01/intel-ucode/06-8c-01) from revision 0x68 up to 0x88; + - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-8e-09) from revision 0xde up + to 0xea; + - Update of 06-8e-09/0xc0 (KBL-U/U 2+3e/Y H0/J1) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-8e-09) from revision 0xde up + to 0xea; + - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0, KBL-R Y0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0a) from revision 0xe0 up + to 0xea; + - Update of 06-8e-0b/0xd0 (WHL-U W0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0b) from revision 0xde up + to 0xea; + - Update of 06-8e-0c/0x94 (AML-Y 4+2 V0, CML-U 4+2 V0, WHL-U V0) + microcode (in intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0c) from + revision 0xde up to 0xea; + - Update of 06-9e-09/0x2a (KBL-G/H/S/X/Xeon E3 B0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-09) from revision 0xde up + to 0xea; + - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0a) from revision 0xde up + to 0xea; + - Update of 06-9e-0b/0x02 (CFL-E/H/S B0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0b) from revision 0xde up + to 0xea; + - Update of 06-9e-0c/0x22 (CFL-H/S/Xeon E P0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0c) from revision 0xde up + to 0xea; + - Update of 06-9e-0d/0x22 (CFL-H/S/Xeon E R0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0d) from revision 0xde up + to 0xea; + - Update of 06-3f-02/0x6f (HSX-E/EN/EP/EP 4S C0/C1/M1/R2) microcode + from revision 0x44 up to 0x46; + - Update of 06-3f-04/0x80 (HSX-EX E0) microcode from revision 0x16 up + to 0x19; + - Update of 06-55-03/0x97 (SKX-SP B1) microcode from revision 0x1000159 + up to 0x100015b; + - Update of 06-55-06/0xbf (CLX-SP B0) microcode from revision 0x4003006 + up to 0x4003102; + - Update of 06-55-07/0xbf (CLX-SP/W/X B1/L1) microcode from revision + 0x5003006 up to 0x5003102; + - Update of 06-55-0b/0xbf (CPX-SP A1) microcode from revision 0x700001e + up to 0x7002302; + - Update of 06-56-03/0x10 (BDX-DE V2/V3) microcode from revision + 0x7000019 up to 0x700001b; + - Update of 06-56-04/0x10 (BDX-DE Y0) microcode from revision 0xf000017 + up to 0xf000019; + - Update of 06-56-05/0x10 (BDX-NS A0/A1, HWL A1) microcode from revision + 0xe00000f up to 0xe000012; + - Update of 06-5c-09/0x03 (APL D0) microcode from revision 0x40 up + to 0x44; + - Update of 06-5c-0a/0x03 (APL B1/F1) microcode from revision 0x1e up + to 0x20; + - Update of 06-5f-01/0x01 (DNV B0) microcode from revision 0x2e up + to 0x34; + - Update of 06-7a-01/0x01 (GLK B0) microcode from revision 0x34 up + to 0x36; + - Update of 06-7a-08/0x01 (GLK-R R0) microcode from revision 0x18 up + to 0x1a; + - Update of 06-7e-05/0x80 (ICL-U/Y D1) microcode from revision 0xa0 + up to 0xa6; + - Update of 06-8a-01/0x10 (LKF B2/B3) microcode from revision 0x28 up + to 0x2a; + - Update of 06-a5-02/0x20 (CML-H R1) microcode from revision 0xe0 up + to 0xea; + - Update of 06-a5-03/0x22 (CML-S 6+2 G1) microcode from revision 0xe0 + up to 0xea; + - Update of 06-a5-05/0x22 (CML-S 10+2 Q0) microcode from revision 0xe0 + up to 0xec; + - Update of 06-a6-00/0x80 (CML-U 6+2 A0) microcode from revision 0xe0 + up to 0xe8; + - Update of 06-a6-01/0x80 (CML-U 6+2 v2 K0) microcode from revision + 0xe0 up to 0xea. + * Wed Feb 17 2021 Eugene Syromiatnikov - 4:20210216-1 - Update Intel CPU microcode to microcode-20210216 release (#1902884): - Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in