rpms/microcode_ctl
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import microcode_ctl-20210608-1.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-10-06 13:41:39 -04:00 committed by Stepan Oksanichenko
parent 0c422277ec
commit 08a8884c26
23 changed files with 1014 additions and 303 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -2,7 +2,6 @@ SOURCES/06-2d-07
SOURCES/06-4e-03
SOURCES/06-55-04
SOURCES/06-5e-03
SOURCES/06-8c-01
SOURCES/microcode-20190918.tar.gz
SOURCES/microcode-20191115.tar.gz
SOURCES/microcode-20210216.tar.gz
SOURCES/microcode-20210608.tar.gz

3
.microcode_ctl.metadata
View File

@ -2,7 +2,6 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03
2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
2204a6dee1688980cd228268fdf4b6ed5904fe04 SOURCES/06-8c-01
bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
26608161d98c3d0c965fc41856520434b14c000d SOURCES/microcode-20210216.tar.gz
68f7344d874d50f4c8d836f01abc497707d0baa2 SOURCES/microcode-20210608.tar.gz

12
SOURCES/06-2d-07_config
View File

@ -1,13 +1,3 @@
model GenuineIntel 06-2d-07
path intel-ucode/06-2d-07
## The "kernel_early" statements are carried over from the intel caveat config
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1
dependency required intel

1
SOURCES/06-4e-03_config
View File

@ -1,3 +1,4 @@
model GenuineIntel 06-4e-03
path intel-ucode/06-4e-03
dependency required intel
disable early late

6
SOURCES/06-4e-03_readme
View File

@ -13,6 +13,7 @@ microcode revisions in question are listed below:
* 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e
* 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c
* 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366
* 06-4e-03, revision 0xea: 5a54cab9f22f69b819d663e5747ed6ea2a326c55
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
@ -40,6 +41,11 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding enforcing microcode update is provided below.

8
SOURCES/06-4f-01_config
View File

@ -11,11 +11,5 @@ kernel 2.6.32-573.58.1
kernel 2.6.32-504.71.1
kernel 2.6.32-431.90.1
kernel 2.6.32-358.90.1
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1
mc_min_ver_late 0xb000019
dependency required intel skip=success match-model-mode=off
disable early late

5
SOURCES/06-4f-01_readme
View File

@ -28,6 +28,11 @@ to the following knowledge base articles:
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding enforcing microcode load is provided below.

12
SOURCES/06-55-04_config
View File

@ -9,14 +9,4 @@ path intel-ucode/06-55-04
## are provided for speeding up the search only, VID:DID is the real selector.
## Commented out since revision 0x2006906 seems to fix the issue.
#pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
## The "kernel_early" statements are carried over from the intel caveat config
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1
dependency required intel

6
SOURCES/06-55-04_readme
View File

@ -19,6 +19,7 @@ microcode revisions in question are listed below:
* 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
* 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
* 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
* 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
@ -46,6 +47,11 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding disabling microcode update is provided below.

2
SOURCES/06-5e-03_config
View File

@ -1,3 +1,3 @@
model GenuineIntel 06-5e-03
path intel-ucode/06-5e-03
disable early late
dependency required intel

45
SOURCES/06-5e-03_readme
View File

@ -1,18 +1,22 @@
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) have reports of possible system hangs when revision 0xdc
stepping 3) had reports of possible system hangs when revision 0xdc
of microcode, that is included in microcode-20200609 update to address
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, is applied[1]. In order
to address this, microcode update to the newer revision has been disabled
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order
to address this, microcode updates to the newer revision had been disabled
by default on these systems, and the previously published microcode revision
0xd6 is used by default for the OS-driven microcode update.
0xd6 was used by default for the OS-driven microcode update. The revision
0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
For the reference, SHA1 checksums of 06-5e-03 microcode files containing
microcode revisions in question are listed below:
* 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a
* 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7
* 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c
* 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
@ -40,32 +44,33 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding enforcing microcode update is provided below.
The information regarding disabling microcode update is provided below.
To enforce usage of the latest 06-5e-03 microcode revision for a specific kernel
version, please create a file "force-intel-06-5e-03" inside
To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
version, please create a file "disallow-intel-06-5e-03" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
where microcode will be available for late microcode update, and run
"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
where microcode is available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated and the microcode can be loaded early, for example:
is regenerated, for example:
touch /lib/firmware/3.10.0-862.9.1/force-intel-06-5e-03
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
/usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1
After that, it is possible to perform a late microcode update by executing
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
"/sys/devices/system/cpu/microcode/reload" directly.
To enforce addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03", run
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
and "dracut -f --regenerate-all" for enabling early microcode updates:
To avoid addition of the latest microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
/usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all

2
SOURCES/06-8c-01_config
View File

@ -1,3 +1,3 @@
model GenuineIntel 06-8c-01
path intel-ucode/06-8c-01
disable early late
dependency required intel skip=success match-model-mode=off

54
SOURCES/06-8c-01_readme
View File

@ -1,38 +1,52 @@
Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
have reports of system hangs when a microcode update, that is included
since microcode-20201110 update, is applied[1]. In order to address this,
microcode update has been disabled by default on these systems.
had reports of system hangs when a microcode update, that was included
since microcode-20201110 update, was applied[1]. In order to address this,
microcode update had been disabled by default on these systems. The revision
0x88 seems to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
For the reference, SHA1 checksums of 06-8c-01 microcode files containing
microcode revisions in question are listed below:
* 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04
* 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version.
the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding enforcing microcode update is provided below.
The information regarding disabling microcode update is provided below.
To enforce usage of the latest 06-8c-01 microcode revision for a specific kernel
version, please create a file "force-intel-06-8c-01" inside
To disable 06-8c-01 microcode updates for a specific kernel
version, please create a file "disallow-intel-06-8c-01" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
where microcode will be available for late microcode update, and run
"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
directory where microcode is available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated and the microcode can be loaded early, for example:
is regenerated, for example:
touch /lib/firmware/3.10.0-862.9.1/force-intel-06-8c-01
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
/usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1
After that, it is possible to perform a late microcode update by executing
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
"/sys/devices/system/cpu/microcode/reload" directly.
To enforce addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01", run
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
and "dracut -f --regenerate-all" for enabling early microcode updates:
To avoid addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
/usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all

1
SOURCES/06-8e-9e-0x-0xca_config
View File

@ -1,4 +1,5 @@
path intel-ucode/*
vendor GenuineIntel
dmi mode=fail-equal key=bios_vendor val="Dell Inc."
dependency required intel
disable early late

10
SOURCES/06-8e-9e-0x-0xca_readme
View File

@ -82,6 +82,16 @@ in question:
* 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542
* 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c
* 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d
* 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8
* 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac
* 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3
* 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668
* 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4
* 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c
* 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4
* 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer

12
SOURCES/06-8e-9e-0x-dell_config
View File

@ -4,14 +4,4 @@ vendor GenuineIntel
## in cases where no model filter is used is too broad, hence
## no-model-mode=success.
dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc."
## The "kernel_early" statements are carried over from the intel caveat config
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1
dependency required intel

10
SOURCES/06-8e-9e-0x-dell_readme
View File

@ -82,6 +82,16 @@ in question:
* 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542
* 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c
* 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d
* 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8
* 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac
* 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3
* 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668
* 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4
* 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c
* 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4
* 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer

28
SOURCES/README
View File

@ -22,6 +22,30 @@ microcode files and their usage.
* SECURITY.intel-ucode
"security.md" file from the Intel x86 CPU microcode archive.
* SUMMARY.intel-ucode
Information about supplied microcode files extracted from their headers.
Information about supplied microcode files extracted from their headers,
in a table form. Columns have the following meaning:
* "Path": path to the microcode file under one of the following directories:
* /usr/share/microcode_ctl/ucode_with_caveats/intel
* /usr/share/microcode_ctl/ucode_with_caveats
* /usr/share/microcode_ctl
* /lib/firmware
* /etc/firmware
* "Offset": offset of the microcode blob within the micocode file in bytes.
* "Ext. Offset": offset of the extended signature header within
the microcode file in bytes.
* "Data Size": size of microcode data in bytes. 0 means 2000 bytes.
* "Total Size": size of microcode blob in bytes, incuding headers.
0 means 2048 bytes.
* "CPUID": CPU ID signature (in format returned by the CPUID instruction).
* "Platform ID Mask": mask of suitable Platform IDs (provided in bits
52..50 of MSR 0x17).
* "Revision": microcode revision.
* "Date": microcode creation date.
* "Checksum": sum (in base 1<< 32) of all 32-bit values comprising
the microcode (from Offset up to Offset + Total Size).
* "Codenames": list of known CPU codenames associated with the CPUID
and Platform ID Mask combination.
Please refer to README.cavets, section "Microcode file structure"
for additional information regarding microcode header fields.
* caveats
Directory that contains readme files for specific caveats.
Directory that contains readme files for each specific caveat.

248
SOURCES/README.caveats
View File

@ -89,6 +89,75 @@ installation or removal of a kernel RPM in order to provide microcode files
for newly installed kernels and cleanup symlinks for the uninstalled ones.
Microcode file structure
------------------------
Intel x86 CPU microcode file (that is, one that can be directly consumed
by the CPU/kernel, and not its text representation such as used in microcode.dat
files) is a bundle of concatenated microcode blobs. Each blob has a header,
payload, and an optional additional data, as follows (for additional information
please refer to "Intel® 64 and IA-32 Architectures Software Developers Manual"
[1], Volume 3A, Section 9.11.1 "Microcode Update"):
* Header (48 bytes)
* Header version (unsigned 32-bit integer): version number of the update
header. Must be 0x1.
* Microcode revision (signed 32-bit integer)
* Microcode date (unsigned 32-bit integer): encoded as BCD in mmddyyyy format
(0x03141592 is 1592-03-14 in ISO 8601)
* CPU signature (unsigned 32-bit integer): CPU ID, as provided
by the CPUID (EAX = 0x1) instruction in the EAX register:
* bits 31..28: reserved
* bits 27..20: "Extended Family", summed with the Family field value
* bits 19..16: "Extended Model", bits 7..4 of the CPU model
* bits 15..14: reserved
* bits 13..12: "Processor Type", non-zero value (other than the "primary
processor") so far used only for the Deschutes (Pentium II) CPU family,
with the processor type of 1, to signify it is an Overdrive processor:
CPUID 0x1632.
* bits 11..08: Family, summed with the Extended Family field value
* bits 07..04: Model (bits 3..0)
* bits 03..00: Stepping
In short, microcode file with Family-Model-Stepping of uv-wx-0z corresponds
to CPUID 0x0TUw0Vxz, where uv = TU + V, with V usually being 0xF when
uv >= 16; with Family being 6 on most of recent Intel CPUs this transforms
into 0x000w06xz. Please also refer to README.intel-ucode, section "About
Processor Signature, Family, Model, Stepping and Platform ID"
for additional information.
* Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32) of all
the 32-bit integers comprising the microcode amounts to 0.
* Loader version (unsigned 32-bit integer): 0x1.
* Platform ID mask (unsigned 32-bit integer): lower 8 bits indicate the set
of possible values of bits 52..50 of MSR 0x17 ("Platform ID"). In old
(up to Pentium II) microcode blobs the mask may be zero.
* Data size (unsigned 32-bit integer): size of the Payload in bytes,
has to be divisible by 4. 0 means 2000.
* Total size (unsigned 32-bit integer): total microcode blob size (including
header and extended header), has to be divisible by 1024. 0 means 2048.
* Reserved (12 bytes).
* Payload
* Additional data (optional, 20 + 12 * n bytes)
* Extended signature table header (20 bytes)
* Extended signature count (unsigned 32-bit integer)
* Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32)
of all the 32-bit integers comprising the extender signature table
amounts to 0.
* Reserved (12 bytes).
* Extended signature (12 bytes each)
* CPU signature (unsigned 32-bit integer): see the description of the CPU
signature field in the Header above.
* Platform ID mask (unsigned 32-bit integer): see the description
of the Platform ID mask field in the Header above.
* Checksum (unsigned 32-bit integer): correct if sum (in base 1<< 32)
of all the 32-bit integers comprising the Header (with CPU signature
and Platform ID mask fields replaced with the values from this signature)
and the Payload amounts to 0. Note that since External signature table
header has its own checksum, sum of all its 32-bit values amounts to 0,
so the Checksum in the Header and in the Extended signature will be
the same if the values of CPU signature and Platform ID mask fields
are the same,
[1] https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-1-2a-2b-2c-2d-3a-3b-3c-3d-and-4.html
Caveat configuration
--------------------
There is a directory for each caveat under
@ -156,10 +225,6 @@ separated by white space. Currently, the following options are supported:
configuration. Argument for the argument is a list of stages ("early",
"late") for which the caveat should be disable. The configuration option
can be provided multiple times in a configuration file.
* "blacklist" is a marker for a start of list of blacklisted model names,
one model name per line. The model name of the running CPU (as reported
in /proc/cpuinfo) is compared against the names in the provided list, and,
if there is a match, caveat check fails.
* "pci_config_val" performs check for specific values in selected parts
of configuration space of specified PCI devices. If "-m" option
is not specified, then the actual check is skipped, and the check returns
@ -204,8 +269,9 @@ separated by white space. Currently, the following options are supported:
it fails (in accordance with "mode=success-all" semantics). This check fails
if "-m" option is not specified.
* "dmi" performs checks for specific values available in DMI sysfs files
(present under /sys/devices/virtual/dmi/id/). The check fails if file
is not readable. If "-m" option is specified, then the actual check
(present under /sys/devices/virtual/dmi/id/). The check (when it is actually
performed; see a not about "no-model-mode" below) fails if one of the files
is not readable. If "-m" option is not specified, then the actual check
is skipped, and the check returns value in accordance with "no-model-mode"
parameter value (see below). Check arguments are a white-space-separated
list of "key=value" pairs. The following keys are supported:
@ -215,17 +281,30 @@ separated by white space. Currently, the following options are supported:
chassis_type, chassis_vendor, chassis_version, product_family,
product_name, product_serial, product_uuid, product_version, sys_vendor.
Default is empty string.
* "val" - a string to match DMI data against. Can be enclosed in single
or double quotes. Default is empty string.
* "mode" - check mode, the way matches are interpreted:
* "val" - a string to match DMI data present in "key" against.
Can be enclosed in single or double quotes. Default is empty string.
* "keyval" - a pair of "key" and "val" values (with semantics described
above), separated with either "=", ":", "!=", or "!:" characters. Enables
providing of multiple key-value pairs by means of supplying multiple
keyval= parameters. The exclamation sign ("!") character in separator
enables negated matching (so, non-equality of the value in DMI "key" file
and the value of "val" is). The match considered successful when all
the key/val (non-)equalities are in effect. This parameter works
in addition to the pair provided in "key" and "val" parameters
(but allows to avoid using them). Default is empty.
* "mode" - check mode, the way successful matches are interpreted:
* "success-equal" - returns 0 if the value present in the file
with the name supplied via the "key" parameter file under
/sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
of "val" parameter, otherwise 1.
* "success-equal" - returns 1 if the value present in the file
of "val" parameter and all the pairs provided in "keyval" parameters
are equal and non-equal in accordance with their definition,
otherwise 1.
* "fail-equal" - returns 1 if the value present in the file
with the name supplied via the "key" parameter file under
/sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
of "val" parameter, otherwise 0.
of "val" parameter and all the pairs provided in "keyval" parameters
are equal and non-equal in accordance with their definition,
otherwise 0.
Default is "success-any".
* "no-model-mode" - return value if model filter ("-m" option)
is not enabled:
@ -237,6 +316,61 @@ separated by white space. Currently, the following options are supported:
It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its
content is "Dell Inc." (without quotes). It succeeds if "-m" option
is not enabled.
Another example:
dmi mode=fail-equal keyval="sys_vendor=Amazon EC2" keyval="product_name=u-18tb1.metal"
dmi mode=fail-equal keyval="sys_vendor=Lenovo" keyval="product_name=ThinkSystem SR950"
It blocks the caveat from using when either both
/sys/devices/virtual/dmi/id/sys_vendor contains the string "Amazon EC2"
and /sys/devices/virtual/dmi/id/product_name contains the string
"u-18tb1.metal" or both /sys/devices/virtual/dmi/id/sys_vendor contains
the string "Lenovo" and /sys/devices/virtual/dmi/id/product_name contains
the string "ThinkSystem SR950", but enables caveat loading for other products
with the aforementioned /sys/devices/virtual/dmi/id/sys_vendor values,
for example.
* "dependency" allows conditional enablement of a caveat based on the check
status of some other caveat(s). It has the following format:
dependency DEPENDENCY_TYPE DEPENDENCY_NAME [OPTION...]
where DEPENDENCY_NAME is the configuration to be checked, OPTIONs
are per-DEPENDENCY_TYPE, and the only DEPENDENCY_TYPE that is supported
currently is "required".
Options for the "required" dependency type:
* "match-model-mode" - whether model matching mode ("-m" option)
has to be used for the nested configuration check. Possible values:
* "on" - model-matching mode is always used during the nested check;
* "off" - model-matching mode is never used during the nested check;
* "same" - used the same model-matching mode as it is now.
Default is "same".
* "skip" - controls result of the check when the nested check indicated
skipping of the configuration.
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "skip".
* "force-skip" - controls result of the check when the nested check
indicated skipping of the configuration caused by the presence
of an override file (see "check_caveats script" section for details).
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "skip".
* "nesting-too-deep" - as a measure against dependency loop, configuration
checking logic implements nesting limit on dependency checks (currently
set at 8). This option controls the behaviour of the check
when the nested check cannot be performed due to this limit.
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "fail".
An example of a check:
dependency required intel skip=success match-model-mode=off
It checks "intel" caveat configuration (see the "Early microcode load
inside a virtual machine" section) with model-matching mode being disabled,
treats skipping of the configuration as a success (unless the configuration
is forced to be skipped, in that case the dependent configuration
is to be skipped as well).
check_caveats script
@ -473,6 +607,8 @@ Caveat name: intel-06-4f-01
Affected microcode: intel-ucode/06-4f-01.
Dependencies: intel
Mitigation: microcode loading is disabled for the affected CPU model.
Minimum versions of the kernel package that contain the aforementioned patch
@ -501,6 +637,8 @@ Caveat name: intel
Affected microcode: all.
Dependencies: (none)
Mitigation: early microcode loading is disabled for all CPU models on kernels
without the fix.
@ -537,6 +675,8 @@ Caveat name: intel-06-2d-07
Affected microcode: intel-ucode/06-2d-07.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0x714 is still available as a fallback
as part of "intel" caveat.
@ -566,35 +706,64 @@ Caveat name: intel-06-55-04
Affected microcode: intel-ucode/06-55-04.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0x2000064 is still available
as a fallback as part of "intel" caveat.
Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats
----------------------------------------
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3;
and SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of system
hangs when revision 0xdc of microcode, that is included in microcode-20200609
update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549,
is applied[1][2]. In order to address this, microcode update to the newer
revision has been disabled by default on these systems, and the previously
published microcode revision 0xd6 is used instead; the newer microcode files,
however, are still shipped as part of microcode_ctl package and can be used
for performing a microcode update if they are enforced via the aforementioned
overrides. (See the sections "check_caveats script" and "reload_microcode
script" for details.)
Intel Skylake-U/Y caveat
------------------------
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
have reports of system hangs when revision 0xdc of microcode, that is included
in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
and CVE-2020-0549, is applied[1]. In order to address this, microcode update
to the newer revision has been disabled by default on these systems,
and the previously published microcode revision 0xd6 is used instead; the newer
microcode files, however, are still shipped as part of microcode_ctl package
and can be used for performing a microcode update if they are enforced
via the aforementioned overrides. (See the sections "check_caveats script"
and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
Caveat names: intel-06-4e-03, intel-06-5e-03
Caveat name: intel-06-4e-03
Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03.
Affected microcode: intel-ucode/06-4e-03
Dependencies: intel
Mitigation: previously published microcode revision 0xd6 is used by default.
Intel Skylake-H/S/Xeon E3 v5 caveat
-----------------------------------
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) had reports of system hangs when revision 0xdc of microcode,
that is included in microcode-20200609 update to address CVE-2020-0543,
CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order to address this,
microcode update to the newer revision had been disabled by default on these
systems, and the previously published microcode revision 0xd6 was used instead.
The revision 0xea seems[2] to have fixed the aforementioned issue, hence
the latest microcode revision usage it is enabled by default,
but can be disabled explicitly via the aforementioned overrides. (See
the sections "check_caveats script" and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
Caveat names: intel-06-5e-03
Affected microcode: intel-ucode/06-5e-03.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0xd6 is still available as a fallback
as part of "intel" caveat.
Dell caveats
------------
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
@ -623,6 +792,8 @@ Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a,
intel-ucode/06-9e-0b, intel-ucode/06-9e-0c,
intel-ucode/06-9e-0d.
Dependencies: intel
Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
by default if /sys/devices/virtual/dmi/id/bios_vendor reports
"Dell Inc."; otherwise, the latest microcode revision is used.
@ -633,12 +804,12 @@ Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
Intel Tiger Lake-UP3/UP4 caveat
-------------------------------
Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140,
stepping 1) have reports of system hangs when a microcode update,
that is included since microcode-20201110 release, is applied[1].
In order to address this, microcode update to a newer revision has been disabled
by default on these systems; the newer microcode file, however, is still shipped
as a part of microcode_ctl package and can be used for performing a microcode
update if it is enforced via the aforementioned overrides. (See the sections
stepping 1) had reports of system hangs when a microcode update,
that was included since microcode-20201110 release, was applied[1].
In order to address this, microcode update to a newer revision had been disabled
by default on these systems. The revision 0x88 seems to have fixed
the aforementioned issue, hence it is enabled by default; however, it is still
can be disabled via the aforementioned overrides. (See the sections
"check_caveats script" and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
@ -647,7 +818,9 @@ Caveat names: intel-06-8c-01
Affected microcode: intel-ucode/06-8c-01.
Mitigation: microcode loading is disabled for the affected CPU model.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default.
@ -682,3 +855,8 @@ Intel CPU vulnerabilities is available in the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171

465
SOURCES/check_caveats
View File

@ -9,6 +9,8 @@
: ${FW_DIR=/lib/firmware}
: ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}
MAX_NESTING_LEVEL=8
usage() {
echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]'
echo ' [-m] [-v]'
@ -165,7 +167,7 @@ check_pci_config_val()
local checked=0 matched=0 path=''
local dev_path dev_vid dev_did dev_val
local opts="${1:-}"
local match_model="${2:0}"
local match_model="${2:-0}"
set -- $1
while [ "$#" -gt 0 ]; do
@ -261,7 +263,7 @@ check_pci_config_val()
# It is needed for filtering by BIOS vendor name that is available in DMI data
#
# $1 - params in config file, space-separated, in key=value form:
# key= - DMI value to check. Can be one of the following: bios_date,
# key= - DMI data record to check. Can be one of the following: bios_date,
# bios_vendor, bios_version, board_asset_tag, board_name, board_serial,
# board_vendor, board_version, chassis_asset_tag, chassis_serial,
# chassis_type, chassis_vendor, chassis_version, product_family,
@ -269,26 +271,33 @@ check_pci_config_val()
# sys_vendor.
# val= - a string to match DMI data against. Can be enclosed in single
# or double quotes.
# keyval= - a string of format "KEY(!)?[=:]VAL" (so, one of "KEY=VAL",
# "KEY!=VAL", "KEY:VAL", "KEY!:VAL") that allows providing
# a key-value pair in a single parameter. It is possible to provide
# multiple keyval= parameters. "!" before :/= means negated match.
# The action supplied in the mode= parameter is executed upon
# successful (non-)matching of all the keyval pairs (as well
# as the pair provided in a pair of key= and val= parameters).
# mode=success-equal [ success-equal, fail-equal ] - matching mode:
# success-equal: Returns 0 if the value present in the corresponding file
# under /sys/devices/virtual/dmi/id/<key> is equal
# to the value supplied as a value of "val" parameter,
# otherwise 1.
# fail-equal: Returns 1 if the value present in the corresponding file
# under /sys/devices/virtual/dmi/id/<key> is equal
# to the value supplied as a value of "val" parameter,
# otherwise 0.
# success-equal: Returns 0 if the all values present in the corresponding
# files under /sys/devices/virtual/dmi/id/<KEY> are equal
# (or not equal in case of a keyval= with negated match)
# to the respective values supplied as the values
# of the keyval= parameters or the pair of key= vand val=
# parameters, otherwise 1.
# fail-equal: Returns 1 if all the values present in DMI files in sysfs
# match (as described above), otherwise 0.
# no-model-mode=success [ success, fail ] - return value if model filter
# is not enabled:
# success: Return 0.
# fail: Return 1.
# $2 - whether model filter is engaged (if it is not '1', just return the result
# based on "mode" value that assumes that the check has failed).
# based on "no-model-mode" value).
check_dmi_val()
{
local key= val= mode='success-equal' nm_mode='success'
local key= val= keyval= keyvals= mode='success-equal' nm_mode='success'
local opts="${1:-}" opt= opt_=
local match_model="${2:0}"
local match_model="${2:-0}"
local valid_keys=" bios_date bios_vendor bios_version board_asset_tag board_name board_serial board_vendor board_version chassis_asset_tag chassis_serial chassis_type chassis_vendor chassis_version product_family product_name product_serial product_uuid product_version sys_vendor "
local success=1
@ -305,21 +314,44 @@ check_dmi_val()
# Handle possible quoting
[ "x${opt#val=}" = "x${opt}" ] || {
case "${opt#val=}" in
[']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val=\'${val}\'" ;;
["]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;;
[\']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val='${val}'" ;;
[\"]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;;
*) val="${opt#val=}" ;;
esac
}
[ "x${opt#keyval=}" = "x${opt}" ] || {
case "${opt#keyval=}" in
[\']*)
opt_="${opts#keyval=\'}"
keyval="${opt_%%\'*}"
opt="keyval='${keyval}'"
keyvals="${keyvals}
${keyval}"
;;
[\"]*)
opt_="${opts#keyval=\"}"
keyval="${opt_%%\"*}"
opt="keyval=\"${keyval}\""
keyvals="${keyvals}
${keyval}"
;;
*)
keyvals="${keyvals}
${opt#keyval=}"
;;
esac
}
opts="${opts#"${opt}"}"
continue
done
# Check key for validity
[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
debug "Invalid \"key\" parameter value: \"${key}\""
[ -z "$key" -a -z "$val" ] || keyvals="${key}=${val}${keyvals}"
[ -n "x${keyvals}" ] || {
debug "Neither key=, val=, nor keyval= parameters were privoded"
echo 2
exit
return
}
[ 1 = "$match_model" ] || {
@ -332,23 +364,171 @@ check_dmi_val()
;;
esac
exit
return
}
[ -r "/sys/devices/virtual/dmi/id/${key}" ] || {
debug "Can't access /sys/devices/virtual/dmi/id/${key}"
echo 3
exit
}
file_val="$(cat "/sys/devices/virtual/dmi/id/${key}")"
[ "x${val}" = "x${file_val}" ] || success=0
case "$mode" in
success-equal) echo "$((1 - $success))" ;;
fail-equal) echo "${success}" ;;
*) debug "Invalid mode value: \"${nm_mode}\""; echo 2 ;;
success-equal|fail-equal) ;;
*) debug "Invalid mode value: \"${nm_mode}\""; echo 2; return ;;
esac
printf "%s\n" "${keyvals}" | (
while read l; do
[ -n "$l" ] || continue
key="${l%%[=:]*}"
val="${l#${key}[=:]}"
cmp="="
[ "x${key%!}" = "x${key}" ] || {
cmp="!="
key="${key%!}"
}
# Check key for validity
[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
debug "Invalid \"key\" parameter value: \"${key}\""
echo 2
return
}
[ -r "/sys/devices/virtual/dmi/id/${key}" ] || {
debug "Can't access /sys/devices/virtual/dmi/id/${key}"
echo 3
return
}
file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")"
[ "x${val}" "${cmp}" "x${file_val}" ] || {
case "$mode" in
success-equal) echo 1 ;;
fail-equal) echo 0 ;;
esac
return
}
done
case "$mode" in
success-equal) echo 0 ;;
fail-equal) echo 1 ;;
esac
)
}
# check_dependency CURLEVEL DEP_TYPE DEP_NAME OPTS
# DEP_TYPE:
# required - caveat can be enabled only if dependency is enabled
# (is not forcefully disabled and meets caveat conditions)
# OPTS:
# match-model-mode=same [ on, off, same ] - what mode matching mode is to be used for dependency
# skip=skip [ fail, skip, success ]
# force-skip=skip [ fail, skip, success ]
# nesting-too-deep=fail [ fail, skip, success ]
# Return values:
# 0 - success
# 1 - fail
# 2 - skip
# 9 - error
check_dependency()
{
local cur_level="$1"
local dep_type="$2"
local dep_name="$3"
local match_model_mode=same old_match_model="${match_model}"
local skip=skip
local force_skip=skip
local nesting_too_deep=fail
local check="Dependency check for ${dep_type} ${dep_name}"
set -- ${4:-}
while [ "$#" -gt 0 ]; do
[ "x${1#match-model-mode=}" = "x${1}" ] || match_model_mode="${1#match-model-mode=}"
[ "x${1#skip=}" = "x${1}" ] || skip="${1#skip=}"
[ "x${1#force-skip=}" = "x${1}" ] || force_skip="${1#force-skip=}"
[ "x${1#nesting-too-deep=}" = "x${1}" ] || nesting_too_deep="${1#nesting-too-deep=}"
shift
done
case "${dep_type}" in
required)
[ "x${dep_name%/*}" = "x${dep_name}" ] || {
debug "${check} error: dependency name (${dep_name})" \
"cannot contain slashes"
echo 9
return
}
[ "${MAX_NESTING_LEVEL}" -ge "$cur_level" ] || {
local reason="nesting level is too deep (${cur_level}) and nesting-too-deep='${nesting_too_deep}'"
case "$nesting_too_deep" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: invalid" \
"nesting-too-deep mode" \
"(${nesting_too_deep})"; echo 9 ;;
esac
return
}
case "${match_model_mode}" in
same) ;;
on) match_model=1 ;;
off) match_model=0 ;;
*)
debug "${check} error: invalid match-model-mode" \
"(${match_model_mode})"
echo 9
return
;;
esac
local result=0
debug "${check}: calling check_caveat '${dep_name}'" \
"'$(($cur_level + 1))' match_model=${match_model}"
check_caveat "${dep_name}" "$(($cur_level + 1))" > /dev/null || result="$?"
match_model="${old_match_model}"
case "${result}" in
0) debug "${check} succeeded: result=${result}"; echo "${result}" ;;
1) debug "${check} failed: result=${result}"; echo "${result}" ;;
2)
local reason="result=${result} and skip='${skip}'"
case "${skip}" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: unexpected skip=" \
"setting (${skip})"; echo 9 ;;
esac
;;
3)
local reason="result=${result} and force_skip='${force_skip}'"
case "${force_skip}" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: unexpected force-skip=" \
"setting (${skip})"; echo 9 ;;
esac
;;
*)
debug "${check} error: unexpected check_caveat result" \
"(${result})"; echo 9 ;;
esac
;;
*)
debug "${check} error: unknown dependency type '${dep_type}'"
echo 9
;;
esac
}
@ -386,6 +566,12 @@ get_mc_path()
AuthenticAMD)
echo "amd-ucode/$2"
;;
*)
# We actually only support Intel ucode, but things may break
# if nothing is printed (input would be gotten from stdin
# otherwise).
echo "invalid"
;;
esac
}
@ -394,19 +580,6 @@ get_mc_ver()
/bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
}
fail()
{
ret=1
fail_cfgs="$fail_cfgs $cfg"
fail_paths="$fail_paths $cfg_path"
[ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \
|| /bin/cat "${dir}/disclaimer"
}
#check_kver "$@"
#get_model_name
match_model=0
configs=
@ -467,34 +640,44 @@ else
stage="late"
fi
for cfg in $(echo "${configs}"); do
dir="$MC_CAVEATS_DATA_DIR/$cfg"
# We add cfg to the skip list first and then, if we do not skip it,
# we remove the configuration from the list.
skip_cfgs="$skip_cfgs $cfg"
# check_caveat CFG [CHECK_LEVEL]
# changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs,
# skip_cfgs if CHECK_LEVEL is set to 0 (default).
# CHECK_LEVEL is used for recursive configuration dependency checks,
# and indicates nesting level.
# Return value:
# 0 - check is successful
# 1 - check has been failed
# 2 - configuration has been skipped
# 3 - configuration has been skipped due to presence of an override file
check_caveat() {
local cfg="$1"
local check_level="${2:-0}"
local dir="$MC_CAVEATS_DATA_DIR/$cfg"
[ -r "${dir}/readme" ] || {
debug "File 'readme' in ${dir} is not found, skipping"
continue
return 2
}
[ -r "${dir}/config" ] || {
debug "File 'config' in ${dir} is not found, skipping"
continue
return 2
}
cfg_model=
cfg_vendor=
cfg_path=
cfg_kvers=
cfg_kvers_early=
cfg_blacklist=
cfg_mc_min_ver_late=
cfg_disable=
cfg_pci=
cfg_dmi=
local cfg_model=
local cfg_vendor=
local cfg_path=
local cfg_kvers=
local cfg_kvers_early=
local cfg_mc_min_ver_late=
local cfg_disable=
local cfg_pci=
local cfg_dmi=
local cfg_dependency=
local key
local value
while read -r key value; do
case "$key" in
@ -519,13 +702,6 @@ for cfg in $(echo "${configs}"); do
disable)
cfg_disable="$cfg_disable $value "
;;
blacklist)
cfg_blacklist=1
# "blacklist" is special: it stops entity parsing,
# and the rest of file is a list of blacklisted model
# names.
break
;;
pci_config_val)
cfg_pci="$cfg_pci
$value"
@ -534,6 +710,10 @@ for cfg in $(echo "${configs}"); do
cfg_dmi="$cfg_dmi
$value"
;;
dependency)
cfg_dependency="$cfg_dependency
$value"
;;
'#'*|'')
continue
;;
@ -544,12 +724,8 @@ for cfg in $(echo "${configs}"); do
esac
done < "${dir}/config"
[ -z "${cfg_blacklist}" ] || \
cfg_blacklist=$(/bin/sed -n '/^blacklist$/,$p' "${dir}/config" |
/usr/bin/tail -n +2)
debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'"
debug "${cfg}: blacklist '$cfg_blacklist'"
echo "$cfg_path"
# Check for override files in the following order:
# - disallow early/late specific caveat for specific kernel
@ -570,10 +746,10 @@ for cfg in $(echo "${configs}"); do
# - force early/late everyhting
# - disallow everything
# - force everyhting
ignore_cfg=0
force_cfg=0
override_file=""
overrides="
local ignore_cfg=0
local force_cfg=0
local override_file=""
local overrides="
0:$FW_DIR/$kver/disallow-$stage-$cfg
1:$FW_DIR/$kver/force-$stage-$cfg
0:$FW_DIR/$kver/disallow-$cfg
@ -590,6 +766,9 @@ for cfg in $(echo "${configs}"); do
1:$CFG_DIR/force-$stage
0:$CFG_DIR/disallow
1:$CFG_DIR/force"
local o
local o_force
local override_file
for o in $(echo "$overrides"); do
o_force=${o%%:*}
override_file=${o#$o_force:}
@ -608,7 +787,7 @@ for cfg in $(echo "${configs}"); do
[ 0 -eq "$ignore_cfg" ] || {
debug "Configuration \"$cfg\" is ignored due to presence of" \
"\"$override_file\"."
continue
return 3
}
# Check model if model filter is enabled
@ -617,11 +796,13 @@ for cfg in $(echo "${configs}"); do
debug "Current CPU model '$cpu_model' doesn't" \
"match configuration CPU model '$cfg_model'," \
"skipping"
continue
return 2
}
fi
# Check paths if model filter is enabled
local cpu_mc_path
local cfg_mc_present
if [ 1 -eq "$match_model" -a -n "$cfg_path" ]; then
cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \
"$cpu_vendor" "${cpu_model#* }")"
@ -640,7 +821,7 @@ for cfg in $(echo "${configs}"); do
[ 1 = "$cfg_mc_present" ] || {
debug "No matching microcode files in '$cfg_path'" \
"for CPU model '$cpu_model', skipping"
continue
return 2
}
fi
@ -650,30 +831,56 @@ for cfg in $(echo "${configs}"); do
debug "Current CPU vendor '$cpu_vendor' doesn't" \
"match configuration CPU vendor '$cfg_vendor'," \
"skipping"
continue
return 2
}
fi
# Check configuration files
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
skip_cfgs="${skip_cfgs% $cfg}"
# Has to be performed before dependency checks
[ 0 -eq "$force_cfg" ] || {
debug "Checks for configuration \"$cfg\" are ignored due to" \
"presence of \"$override_file\"."
ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path"
continue
return 0
}
# Check dependencies
# It has to be performed here (before adding configuration
# to $ret_cfgs/$ret_paths) since it may be skipped.
if [ -n "$cfg_dependency" ]; then
dep_line="$(printf "%s\n" "$cfg_dependency" | \
while read -r dep_type dep_name dep_opts
do
[ -n "$dep_type" ] || continue
dep_res=$(check_dependency "$check_level" \
"$dep_type" \
"$dep_name" \
"$dep_opts")
[ 0 != "$dep_res" ] || continue
echo "$dep_res $dep_type $dep_name $dep_opts"
break
done
echo "0 ")"
case "${dep_line%% *}" in
0) ;;
2)
debug "Dependency check '${dep_line#* }'" \
"induced configuration skip"
return 2
;;
*)
debug "Dependency check '${dep_line#* }'" \
"failed (with return code ${dep_line%% *})"
return 1
;;
esac
fi
# Check configuration files
[ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || {
debug "${cfg}: caveat is disabled in configuration"
fail
continue
return 1
}
# Check late load kernel version
@ -681,8 +888,7 @@ for cfg in $(echo "${configs}"); do
check_kver "$kver" $cfg_kvers || {
debug "${cfg}: late load kernel version check for" \
" '$kver' against '$cfg_kvers' failed"
fail
continue
return 1
}
fi
@ -691,17 +897,7 @@ for cfg in $(echo "${configs}"); do
check_kver "$kver" $cfg_kvers_early || {
debug "${cfg}: early load kernel version check for" \
"'$kver' against '$cfg_kvers_early' failed"
fail
continue
}
fi
# Check model blacklist
if [ -n "$cfg_blacklist" ]; then
echo "$cfg_blacklist" | /bin/grep -vqFx "${cpu_model_name}" || {
debug "${cfg}: model '${cpu_model_name}' is blacklisted"
fail
continue
return 1
}
fi
@ -714,8 +910,7 @@ for cfg in $(echo "${configs}"); do
debug "${cfg}: CPU microcode version $cpu_mc_ver" \
"failed check (should be at least" \
"${cfg_mc_min_ver_late})"
fail
continue
return 1
}
fi
@ -736,14 +931,14 @@ for cfg in $(echo "${configs}"); do
[ -z "${pci_line#* }" ] || {
debug "PCI configuration word check '${pci_line#* }'" \
"failed (with return code ${pci_line%% *})"
fail
continue
return 1
}
fi
# Check DMI data if model filter is enabled
# Note that the model filter check is done inside check_pci_config_val
# based on the 'mode=' parameter.
# Note that the model filter check is done inside check_dmi_val
# (which returns the value of 'no-model-mode=' parameter
# if it is disenaged).
if [ -n "$cfg_dmi" ]; then
dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line
do
@ -759,13 +954,43 @@ for cfg in $(echo "${configs}"); do
[ -z "${dmi_line#* }" ] || {
debug "DMI data check '${dmi_line#* }'" \
"failed (with return code ${dmi_line%% *})"
fail
continue
return 1
}
fi
ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path"
return 0
}
for cfg in $(echo "${configs}"); do
if cfg_path=$(check_caveat "$cfg"; exit "$?")
then
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path"
else
case "$?" in
1)
ret=1
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
fail_cfgs="$fail_cfgs $cfg"
fail_paths="$fail_paths $cfg_path"
[ 0 -eq "$print_disclaimers" ] \
|| [ ! -e "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" ] \
|| /bin/cat "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer"
;;
2|3)
skip_cfgs="$skip_cfgs $cfg";
;;
*)
debug "Unexpected check_caveat return code '$?'" \
"for config '$cfg'"
;;
esac
fi
done
[ 0 -eq "$print_disclaimers" ] || exit 0

14
SOURCES/codenames.list
View File

@ -242,6 +242,7 @@ Server;;Skylake;B1;97;50653;SKX;SP;Xeon Scalable;
Desktop;;Skylake;H0,M0,U0;b7;50654;SKX;X;Core i9-7xxxX, i9-9xxxX;
Server;;Skylake;H0,M0,U0;b7;50654;SKX;SP,W;Xeon Scalable;
Server;;Skylake;M1;b7;50654;SKX;D;Xeon D-21xx;
Server;;Cascade Lake;A0;b7;50655;CLX;SP;Xeon Scalable Gen2;
Server;;Cascade Lake;B0;bf;50656;CLX;SP;Xeon Scalable Gen2;
Desktop;;Cascade Lake;B1,L1;bf;50657;CLX;X;;
Server;;Cascade Lake;B1,L1;bf;50657;CLX;SP;Xeon Scalable Gen2;
@ -262,11 +263,17 @@ Server;;Skylake;N0,R0,S0;36;506e3;SKL;Xeon E3;Xeon E3 v5;
SOC;;Denverton;B0;01;506f1;DNV;;Atom C3xxx;
SOC;;XMM 7272 (SoFIA);;01;60650;;;XMM 7272
Mobile;;Cannon Lake;D0;80;60663;CNL;U;Core Gen8 Mobile;
Server;;Ice Lake;C0;87;606a5;ICX;SP;Xeon Scalable Gen3;
Server;;Ice Lake;D0;87;606a6;ICX;SP;Xeon Scalable Gen3;
SOC;;Gemini Lake;B0;01;706a1;GLK;;;Pentium J5005/N5000, Celeron J4005/J4105/N4000/N4100
SOC;;Gemini Lake;R0;01;706a8;GLK;R;;Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
Mobile;;Ice Lake;D1;80;706e5;ICL;U,Y;Core Gen10 Mobile;
Server;;Knights Mill;A0;08;80650;KNM;;Xeon hi 72x5;Xeon Phi 7235, 7285, 7295
Server;;Knights Mill;A0;08;80650;KNM;;Xeon Phi 72x5;Xeon Phi 7235, 7285, 7295
SOC;;Snow Ridge;B0;01;80664;SNR;;Atom P59xxB;
SOC;;Snow Ridge;B1;01;80665;SNR;;Atom P59xxB;
Mobile;;Tiger Lake;B1;80;806c1;TGL;UP3,UP4;Core Gen11 Mobile;
Mobile;;Tiger Lake Refresh;C0;80;806c2;TGL;R;Core Gen11 Mobile;
Mobile;;Tiger Lake;R0;c2;806d1;TGL;H;Core Gen11 Mobile;
Mobile;;Amber Lake;H0;10;806e9;AML;Y 2+2;Core Gen8 Mobile;
Mobile;;Kaby Lake;H0;c0;806e9;KBL;U,Y;Core Gen7 Mobile;
Mobile;;Kaby Lake;J1;c0;806e9;KBL;U 2+3e;Core Gen7 Mobile;
@ -277,6 +284,7 @@ Mobile;;Comet Lake;V0;94;806ec;CML;U 4+2;Core Gen10 Mobile;
Mobile;;Whiskey Lake;W0;d0;806eb;WHL;U;Core Gen8 Mobile;
Mobile;;Whiskey Lake;V0;94;806ec;WHL;U;Core Gen8 Mobile;
Mobile;;Whiskey Lake;V0;94;806ed;WHL;U;Core Gen8 Mobile;
SOC;;Elkhart Rate;B1;01;90661;EHL;;Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E;
Desktop;;Kaby Lake;B0;2a;906e9;KBL;S,X;Core Gen7;
Mobile;;Kaby Lake;B0;2a;906e9;KBL;G,H;Core Gen7 Mobile;
Server;;Kaby Lake;B0;2a;906e9;KBL;Xeon E3;Xeon E3 v6;
@ -292,11 +300,13 @@ Server;;Coffee Lake;P0;22;906ec;CFL;Xeon E;Xeon E;
Desktop;;Coffee Lake;R0;22;906ed;CFL;S;Core Gen9 Desktop;
Mobile;;Coffee Lake;R0;22;906ed;CFL;H;Core Gen9 Mobile;
Server;;Coffee Lake;R0;22;906ed;CFL;Xeon E;Xeon E;
SOC;;Jasper Lake;A0,A1;01;906c0;JSL;;Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105;
Mobile;;Comet Lake;R1;20;a0652;CML;H;Core Gen10 Mobile;
Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop;
Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop;
Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile;
Mobile;;Comet Lake;K0;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile;
Mobile;;Comet Lake;K1;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile;
Desktop;;Rocket Lake;B0;02;a0671;RKL;S;Core Gen11;
SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology;
# sources:

240
SOURCES/gen_updates2.py
View File

@ -3,6 +3,7 @@
import argparse
import errno
import fnmatch
import io
import itertools
import os
@ -10,6 +11,7 @@ import re
import shutil
import struct
import sys
import tarfile
import tempfile
from subprocess import PIPE, Popen, STDOUT
@ -34,6 +36,7 @@ except:
log_level = 0
print_date = False
file_glob = ["*??-??-??", "*microcode*.dat"]
def log_status(msg, level=0):
@ -96,13 +99,15 @@ def file_walk(args, yield_dirs=False):
def cpuid_fname(c):
# Note that the Extended Family is summed up with the Family,
# while the Extended Model is concatenated with the Model.
return "%02x-%02x-%02x" % (
((c >> 16) & 0xff0) + ((c >> 8) & 0xf),
((c >> 20) & 0xff) + ((c >> 8) & 0xf),
((c >> 12) & 0xf0) + ((c >> 4) & 0xf),
c & 0xf)
def read_revs_dir(path, src=None, ret=None):
def read_revs_dir(path, args, src=None, ret=None):
if ret is None:
ret = []
@ -156,18 +161,24 @@ def read_revs_dir(path, src=None, ret=None):
while cur_offs < offs + hdr[8] \
and ext_sig_cnt <= ext_tbl[0]:
ext_sig = struct.unpack("III", f.read(12))
ret.append({"path": rp, "src": src or path,
"cpuid": ext_sig[0], "pf": ext_sig[1],
"rev": hdr[1], "date": hdr[2],
"offs": offs, "ext_offs": cur_offs,
"cksum": hdr[4],
"ext_cksum": ext_sig[2],
"data_size": hdr[7],
"total_size": hdr[8]})
ignore = args.ignore_ext_dups and \
(ext_sig[0] == hdr[3])
if not ignore:
ret.append({"path": rp, "src": src or path,
"cpuid": ext_sig[0],
"pf": ext_sig[1],
"rev": hdr[1], "date": hdr[2],
"offs": offs, "ext_offs": cur_offs,
"cksum": hdr[4],
"ext_cksum": ext_sig[2],
"data_size": hdr[7],
"total_size": hdr[8]})
log_status(("Got ext sig %#x/%#x for " +
"%s:%#x:%#x/%#x") %
(ext_sig[0], ext_sig[1], rp, offs,
hdr[3], hdr[6]), level=2)
"%s:%#x:%#x/%#x%s") %
(ext_sig[0], ext_sig[1],
rp, offs, hdr[3], hdr[6],
" (ignored)" if ignore else ""),
level=2)
cur_offs += 12
ext_sig_cnt += 1
@ -180,7 +191,7 @@ def read_revs_dir(path, src=None, ret=None):
return ret
def read_revs_rpm(path, ret=None):
def read_revs_rpm(path, args, ret=None):
if ret is None:
ret = []
@ -191,7 +202,7 @@ def read_revs_rpm(path, ret=None):
rpm2cpio = Popen(args=["rpm2cpio", path], stdout=PIPE, stderr=PIPE,
close_fds=True)
cpio = Popen(args=["cpio", "-idmv", "*??-??-??", "*microcode*.dat"],
cpio = Popen(args=["cpio", "-idmv"] + file_glob,
cwd=dir_tmp, stdin=rpm2cpio.stdout,
stdout=PIPE, stderr=STDOUT)
out, cpio_stderr = cpio.communicate()
@ -210,20 +221,58 @@ def read_revs_rpm(path, ret=None):
log_info("cpio stderr:\n%s" % cpio_stderr, level=3)
if rpm2cpio_ret == 0 and cpio_ret == 0:
ret = read_revs_dir(dir_tmp, path)
ret = read_revs_dir(dir_tmp, args, path)
shutil.rmtree(dir_tmp)
return ret
def read_revs(path, ret=None):
def read_revs_tar(path, args, ret=None):
if ret is None:
ret = []
dir_tmp = tempfile.mkdtemp()
log_status("Trying to extract files from tarball \"%s\"..." % path,
level=1)
try:
with tarfile.open(path, "r:*") as tar:
for ti in tar:
if any(fnmatch.fnmatchcase(ti.name, p) for p in file_glob):
d = os.path.normpath(os.path.join("/",
os.path.dirname(ti.name)))
# For now, strip exactl one level
d = os.path.join(*(d.split(os.path.sep)[2:]))
n = os.path.join(d, os.path.basename(ti.name))
if not os.path.exists(d):
os.makedirs(d)
t = tar.extractfile(ti)
with open(n, "wb") as f:
shutil.copyfileobj(t, f)
t.close()
ret = read_revs_dir(dir_tmp, args, path)
except Exception as err:
log_error("Error while reading \"%s\" as a tarball: \"%s\"" %
(path, str(err)))
shutil.rmtree(dir_tmp)
return ret
def read_revs(path, args, ret=None):
if ret is None:
ret = []
if os.path.isdir(path):
return read_revs_dir(path, ret)
return read_revs_dir(path, args, ret)
elif tarfile.is_tarfile(path):
return read_revs_tar(path, args, ret)
else:
return read_revs_rpm(path, ret)
return read_revs_rpm(path, args, ret)
def gen_mc_map(mc_data, merge=False, merge_path=False):
@ -307,7 +356,8 @@ class mcnm:
MCNM_CODENAME = 4
def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV):
def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV, stringify=True,
segment=False):
if not isinstance(mc, dict):
mc = mc_from_mc_key(mc)
sig = mc["cpuid"]
@ -350,6 +400,9 @@ def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV):
else:
cname = c["codename"]
if segment:
cname = c["segment"] + " " + cname
if cname not in suffices:
suffices[cname] = set()
if "variant" in c and c["variant"]:
@ -361,28 +414,28 @@ def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV):
steppings[cname] |= set(c["stepping"])
for cname in sorted(steppings.keys()):
cname_str = cname
cname_res = [cname]
if len(suffices[cname]):
cname_str += "-" + "/".join(sorted(suffices[cname]))
cname_res[0] += "-" + "/".join(sorted(suffices[cname]))
if len(steppings[cname]):
cname_str += " " + "/".join(sorted(steppings[cname]))
res.append(cname_str)
cname_res.append("/".join(sorted(steppings[cname])))
res.append(" ".join(cname_res) if stringify else cname_res)
return ", ".join(res) or None
return (", ".join(res) or None) if stringify else res
def mc_from_mc_key(k):
return dict(zip(("path", "cpuid", "pf"), k))
def mc_path(mc, pf_sfx=True, midword=None, cmap=None):
def mc_path(mc, pf_sfx=True, midword=None, cmap=None, cname_segment=False):
if not isinstance(mc, dict):
mc = mc_from_mc_key(mc)
path = mc_stripped_path(mc) if mc["path"] is not None else None
cpuid_fn = cpuid_fname(mc["cpuid"])
fname = os.path.basename(mc["path"] or cpuid_fn)
midword = "" if midword is None else " " + midword
cname = get_mc_cnames(mc, cmap)
cname = get_mc_cnames(mc, cmap, segment=cname_segment)
cname_str = " (" + cname + ")" if cname else ""
if pf_sfx:
@ -492,22 +545,22 @@ def mc_rev(mc, date=None):
return "%#x" % rev
def print_changelog(clog, cmap, args):
for e, old, new in sorted(clog):
def print_changelog_rpm(clog, cmap, args):
for e, old, new in clog:
mc_str = mc_path(new if e == ChangeLogEntry.ADDED else old,
midword="microcode",
cmap=cmap, cname_segment=args.segment)
if e == ChangeLogEntry.ADDED:
print("Addition of %s at revision %s" %
(mc_path(new, midword="microcode", cmap=cmap), mc_rev(new)))
print("Addition of %s at revision %s" % (mc_str, mc_rev(new)))
elif e == ChangeLogEntry.REMOVED:
print("Removal of %s at revision %s" %
(mc_path(old, midword="microcode", cmap=cmap), mc_rev(old)))
print("Removal of %s at revision %s" % (mc_str, mc_rev(old)))
elif e == ChangeLogEntry.UPDATED:
print("Update of %s from revision %s up to %s" %
(mc_path(old, midword="microcode", cmap=cmap),
mc_rev(old), mc_rev(new)))
(mc_str, mc_rev(old), mc_rev(new)))
elif e == ChangeLogEntry.DOWNGRADED:
print("Downgrade of %s from revision %s down to %s" %
(mc_path(old, midword="microcode", cmap=cmap),
mc_rev(old), mc_rev(new)))
(mc_str, mc_rev(old), mc_rev(new)))
elif e == ChangeLogEntry.OTHER:
print("Other change in %s:" % old["path"])
print(" old: %#x/%#x: rev %s (offs %#x)" %
@ -516,6 +569,70 @@ def print_changelog(clog, cmap, args):
(new["cpuid"], new["pf"], mc_rev(new), new["offs"]))
def print_changelog_intel(clog, cmap, args):
def clog_sort_key(x):
res = str(x[0])
if x[0] != ChangeLogEntry.ADDED:
res += "%08x%02x" % (x[1]["cpuid"], x[1]["pf"])
else:
res += "0" * 10
if x[0] != ChangeLogEntry.REMOVED:
res += "%08x%02x" % (x[2]["cpuid"], x[2]["pf"])
else:
res += "0" * 10
return res
sorted_clog = sorted(clog, key=clog_sort_key)
sections = (("New Platforms", (ChangeLogEntry.ADDED, )),
("Updated Platforms", (ChangeLogEntry.UPDATED,
ChangeLogEntry.DOWNGRADED)),
("Removed Platforms", (ChangeLogEntry.REMOVED, )))
def print_line(e, old, new, types):
if e not in types:
return
if not print_line.hdr:
print("""
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------""")
print_line.hdr = True
mc = new if e == ChangeLogEntry.ADDED else old
cnames = get_mc_cnames(mc, cmap, stringify=False,
segment=args.segment) or (("???", ""), )
for cn in cnames:
cname = cn[0]
stepping = cn[1] if len(cn) > 1 else ""
print("| %-14s | %-8s | %8s/%02x | %8s | %8s | %s" %
(cname,
stepping,
cpuid_fname(mc["cpuid"]), mc["pf"],
("%08x" % old["rev"]) if e != ChangeLogEntry.ADDED else "",
("%08x" % new["rev"]) if e != ChangeLogEntry.REMOVED else "",
get_mc_cnames(mc, cmap, mode=mcnm.MCNM_FAMILIES,
segment=args.segment) or ""))
for h, types in sections:
print("\n### %s" % h)
print_line.hdr = False
for e, old, new in sorted_clog:
print_line(e, old, new, types)
def print_changelog(clog, cmap, args):
if args.format == "rpm":
print_changelog_rpm(clog, cmap, args)
elif args.format == "intel":
print_changelog_intel(clog, cmap, args)
else:
log_error(("unknown changelog format: \"%s\". " +
"Supported formats are: rpm, intel.") % args.format)
class TableStyles:
TS_CSV = 0
TS_FANCY = 1
@ -552,9 +669,9 @@ def print_summary(revs, cmap, args):
header = []
if args.header:
header.append(["Path", "Offset", "Ext. Offset", "CPUID",
"Platform ID Mask", "Revision", "Date", "Checksum",
"Codenames"] +
header.append(["Path", "Offset", "Ext. Offset", "Data Size",
"Total Size", "CPUID", "Platform ID Mask", "Revision",
"Date", "Checksum", "Codenames"] +
(["Models"] if args.models else []))
tbl = []
for k in sorted(m.keys()):
@ -562,14 +679,19 @@ def print_summary(revs, cmap, args):
tbl.append([mc_stripped_path(mc),
"0x%x" % mc["offs"],
"0x%x" % mc["ext_offs"] if "ext_offs" in mc else "-",
"0x%05x" % mc["data_size"],
"0x%05x" % mc["total_size"],
"0x%05x" % mc["cpuid"],
"0x%02x" % mc["pf"],
mc_rev(mc, date=False),
mc_date(mc),
"0x%08x" % mc["cksum"],
get_mc_cnames(mc, cmap, cnames_mode) or ""] +
"0x%08x" % (mc["ext_cksum"]
if "ext_cksum" in mc else mc["cksum"]),
get_mc_cnames(mc, cmap, cnames_mode,
segment=args.segment) or ""] +
([get_mc_cnames(mc, cmap,
mcnm.MCNM_FAMILIES_MODELS)]
mcnm.MCNM_FAMILIES_MODELS,
segment=args.segment)]
if args.models else []))
print_table(tbl, header, style=TableStyles.TS_FANCY)
@ -685,7 +807,7 @@ def print_discrepancies(rev_map, deps, cmap, args):
if print_out and print_date:
if args.models:
out.append(get_mc_cnames(s, cmap) or "")
out.append(get_mc_cnames(s, cmap, segment=args.segment) or "")
tbl.append(out)
print_table(tbl, header, style=TableStyles.TS_FANCY)
@ -694,7 +816,7 @@ def print_discrepancies(rev_map, deps, cmap, args):
def cmd_summary(args):
revs = []
for p in args.filelist:
revs = read_revs(p, ret=revs)
revs = read_revs(p, args, ret=revs)
codenames_map = read_codenames_file(args.codenames)
@ -708,8 +830,8 @@ def cmd_changelog(args):
base_path = args.filelist[0]
upd_path = args.filelist[1]
base = read_revs(base_path)
upd = read_revs(upd_path)
base = read_revs(base_path, args)
upd = read_revs(upd_path, args)
print_changelog(gen_changelog(base, upd), codenames_map, args)
@ -750,7 +872,7 @@ def cmd_discrepancies(args):
(orig_path, dep))
return 1
deps.append((path, name, deps[dep][0] if dep is not None else None))
rev_map[path] = gen_fn_map(read_revs(path), merge=args.merge,
rev_map[path] = gen_fn_map(read_revs(path, args), merge=args.merge,
merge_path=True)
print_discrepancies(rev_map, deps, codenames_map, args)
@ -766,6 +888,22 @@ def parse_cli():
help="Code names file")
root_parser.add_argument("-v", "--verbose", action="count", default=0,
help="Increase output verbosity")
root_parser.add_argument("-E", "--no-ignore-ext-duplicates",
action="store_const", dest="ignore_ext_dups",
default=False, const=False,
help="Do not ignore duplicates of the main " +
"signature in the extended signature header")
root_parser.add_argument("-e", "--ignore-ext-duplicates",
action="store_const", dest="ignore_ext_dups",
const=True,
help="Ignore duplicates of the main signature " +
"in the extended signature header")
root_parser.add_argument("-t", "--print-segment", action="store_const",
dest="segment", const=True,
help="Print model segment")
root_parser.add_argument("-T", "--no-print-segment", action="store_const",
dest="segment", const=False, default=False,
help="Do not print model segment")
cmdparsers = root_parser.add_subparsers(title="Commands",
help="main gen_updates commands")
@ -794,6 +932,8 @@ def parse_cli():
parser_c = cmdparsers.add_parser("changelog",
help="Generate changelog")
parser_c.add_argument("-F", "--format", choices=["rpm", "intel"],
default="rpm", help="Changelog format")
parser_c.add_argument("filelist", nargs=2,
help="RPMs/directories to compare")
parser_c.set_defaults(func=cmd_changelog)
@ -840,6 +980,10 @@ def parse_cli():
if not hasattr(args, "func"):
root_parser.print_help()
return None
global log_level
log_level = args.verbose
return args

130
SPECS/microcode_ctl.spec
View File

@ -1,4 +1,4 @@
%define intel_ucode_version 20210216
%define intel_ucode_version 20210608
%global debug_package %{nil}
%define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats
@ -33,11 +33,6 @@ Source5: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Fi
Source6: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20190918.tar.gz
# microcode-20191115 release,containing revision 0xca of 06-[89]e-0X microcode
Source7: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20191115.tar.gz
# microcode-20201118 has removed 06-8c-01/0x80 (TGL-UP3/UP4 B1) microcode update
# at revision 0x68; it is, however, may still be useful for some[1], so it is
# to be preserved in a caveat.
# [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/39
Source8: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20201112/intel-ucode/06-8c-01
# systemd unit
@ -117,14 +112,15 @@ Source171: 06-8e-9e-0x-dell_config
Source172: 06-8e-9e-0x-dell_disclaimer
# TGL-UP3/UP4 (CPUID 06-8c-01) hangs
# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
Source180: 06-8c-01_readme
Source181: 06-8c-01_config
Source182: 06-8c-01_disclaimer
# "Provides:" RPM tags generator
Source1000: gen_provides.sh
Source1001: codenames.list
Source1002: gen_updates2.py
Source1000: gen_provides.sh
Source1001: codenames.list
Source1002: gen_updates2.py
ExclusiveArch: %{ix86} x86_64
BuildRequires: systemd-units
@ -182,7 +178,7 @@ tar xvvf "%{SOURCE7}" --wildcards --strip-components=2 \
popd
# Moving 06-8c-01 microcode to intel-ucode-with-caveats
cp "%{SOURCE8}" intel-ucode-with-caveats/
mv intel-ucode/06-8c-01 intel-ucode-with-caveats/
:
@ -548,6 +544,120 @@ rm -rf %{buildroot}
%changelog
* Mon Jul 05 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210608-1
- Update Intel CPU microcode to microcode-20210608 release (#1921773):
- Fixes in releasenote.md file.
* Mon Jun 14 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210525-2
- Make intel-06-2d-07, intel-06-4e-03, intel-06-4f-01, intel-06-55-04,
intel-06-5e-03, intel-06-8c-01, intel-06-8e-9e-0x-0xca,
and intel-06-8e-9e-0x-dell caveats dependent on intel caveat.
- Enable 06-8c-01 microcode update by default (#1970611).
- Enable 06-5e-03 microcode update by default (#1897673).
* Thu May 27 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210525-1
- Update Intel CPU microcode to microcode-20210525 release, addresses
CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, and CVE-2020-24513
(#1962664, #1962714, #1962734, #1962680):
- Addition of 06-55-05/0xb7 (CLX-SP A0) microcode at revision 0x3000010;
- Addition of 06-6a-05/0x87 (ICX-SP C0) microcode at revision 0xc0002f0;
- Addition of 06-6a-06/0x87 (ICX-SP D0) microcode at revision 0xd0002a0;
- Addition of 06-86-04/0x01 (SNR B0) microcode at revision 0xb00000f;
- Addition of 06-86-05/0x01 (SNR B1) microcode (in intel-ucode/06-86-04)
at revision 0xb00000f;
- Addition of 06-86-04/0x01 (SNR B0) microcode (in intel-ucode/06-86-05)
at revision 0xb00000f;
- Addition of 06-86-05/0x01 (SNR B1) microcode at revision 0xb00000f;
- Addition of 06-8c-02/0xc2 (TGL-R C0) microcode at revision 0x16;
- Addition of 06-8d-01/0xc2 (TGL-H R0) microcode at revision 0x2c;
- Addition of 06-96-01/0x01 (EHL B1) microcode at revision 0x11;
- Addition of 06-9c-00/0x01 (JSL A0/A1) microcode at revision 0x1d;
- Addition of 06-a7-01/0x02 (RKL-S B0) microcode at revision 0x40;
- Update of 06-4e-03/0xc0 (SKL-U/U 2+3e/Y D0/K1) microcode (in
intel-06-4e-03/intel-ucode/06-4e-03) from revision 0xe2 up to 0xea;
- Update of 06-4f-01/0xef (BDX-E/EP/EX/ML B0/M0/R0) microcode (in
intel-06-4f-01/intel-ucode/06-4f-01) from revision 0xb000038 up
to 0xb00003e;
- Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in
intel-06-55-04/intel-ucode/06-55-04) from revision 0x2006a0a up
to 0x2006b06;
- Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 N0/R0/S0) microcode (in
intel-06-5e-03/intel-ucode/06-5e-03) from revision 0xe2 up to 0xea;
- Update of 06-8c-01/0x80 (TGL-UP3/UP4 B1) microcode (in
intel-06-8c-01/intel-ucode/06-8c-01) from revision 0x68 up to 0x88;
- Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode (in
intel-06-8e-9e-0x-dell/intel-ucode/06-8e-09) from revision 0xde up
to 0xea;
- Update of 06-8e-09/0xc0 (KBL-U/U 2+3e/Y H0/J1) microcode (in
intel-06-8e-9e-0x-dell/intel-ucode/06-8e-09) from revision 0xde up
to 0xea;
- Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0, KBL-R Y0) microcode (in
intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0a) from revision 0xe0 up
to 0xea;
- Update of 06-8e-0b/0xd0 (WHL-U W0) microcode (in
intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0b) from revision 0xde up
to 0xea;
- Update of 06-8e-0c/0x94 (AML-Y 4+2 V0, CML-U 4+2 V0, WHL-U V0)
microcode (in intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0c) from
revision 0xde up to 0xea;
- Update of 06-9e-09/0x2a (KBL-G/H/S/X/Xeon E3 B0) microcode (in
intel-06-8e-9e-0x-dell/intel-ucode/06-9e-09) from revision 0xde up
to 0xea;
- Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) microcode (in
intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0a) from revision 0xde up
to 0xea;
- Update of 06-9e-0b/0x02 (CFL-E/H/S B0) microcode (in
intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0b) from revision 0xde up
to 0xea;
- Update of 06-9e-0c/0x22 (CFL-H/S/Xeon E P0) microcode (in
intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0c) from revision 0xde up
to 0xea;
- Update of 06-9e-0d/0x22 (CFL-H/S/Xeon E R0) microcode (in
intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0d) from revision 0xde up
to 0xea;
- Update of 06-3f-02/0x6f (HSX-E/EN/EP/EP 4S C0/C1/M1/R2) microcode
from revision 0x44 up to 0x46;
- Update of 06-3f-04/0x80 (HSX-EX E0) microcode from revision 0x16 up
to 0x19;
- Update of 06-55-03/0x97 (SKX-SP B1) microcode from revision 0x1000159
up to 0x100015b;
- Update of 06-55-06/0xbf (CLX-SP B0) microcode from revision 0x4003006
up to 0x4003102;
- Update of 06-55-07/0xbf (CLX-SP/W/X B1/L1) microcode from revision
0x5003006 up to 0x5003102;
- Update of 06-55-0b/0xbf (CPX-SP A1) microcode from revision 0x700001e
up to 0x7002302;
- Update of 06-56-03/0x10 (BDX-DE V2/V3) microcode from revision
0x7000019 up to 0x700001b;
- Update of 06-56-04/0x10 (BDX-DE Y0) microcode from revision 0xf000017
up to 0xf000019;
- Update of 06-56-05/0x10 (BDX-NS A0/A1, HWL A1) microcode from revision
0xe00000f up to 0xe000012;
- Update of 06-5c-09/0x03 (APL D0) microcode from revision 0x40 up
to 0x44;
- Update of 06-5c-0a/0x03 (APL B1/F1) microcode from revision 0x1e up
to 0x20;
- Update of 06-5f-01/0x01 (DNV B0) microcode from revision 0x2e up
to 0x34;
- Update of 06-7a-01/0x01 (GLK B0) microcode from revision 0x34 up
to 0x36;
- Update of 06-7a-08/0x01 (GLK-R R0) microcode from revision 0x18 up
to 0x1a;
- Update of 06-7e-05/0x80 (ICL-U/Y D1) microcode from revision 0xa0
up to 0xa6;
- Update of 06-8a-01/0x10 (LKF B2/B3) microcode from revision 0x28 up
to 0x2a;
- Update of 06-a5-02/0x20 (CML-H R1) microcode from revision 0xe0 up
to 0xea;
- Update of 06-a5-03/0x22 (CML-S 6+2 G1) microcode from revision 0xe0
up to 0xea;
- Update of 06-a5-05/0x22 (CML-S 10+2 Q0) microcode from revision 0xe0
up to 0xec;
- Update of 06-a6-00/0x80 (CML-U 6+2 A0) microcode from revision 0xe0
up to 0xe8;
- Update of 06-a6-01/0x80 (CML-U 6+2 v2 K0) microcode from revision
0xe0 up to 0xea.
* Wed Feb 17 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210216-1
- Update Intel CPU microcode to microcode-20210216 release (#1902884):
- Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in