rpms/microcode_ctl
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import microcode_ctl-20210216-1.20210608.1.el8_4

Browse Source
This commit is contained in:
CentOS Sources 2021-08-09 05:26:03 -04:00 committed by Andrew Lukoshko
parent d869867268
commit 3033a4c08c
19 changed files with 529 additions and 202 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -4,4 +4,4 @@ SOURCES/06-55-04
SOURCES/06-5e-03 SOURCES/06-5e-03
SOURCES/microcode-20190918.tar.gz SOURCES/microcode-20190918.tar.gz
SOURCES/microcode-20191115.tar.gz SOURCES/microcode-20191115.tar.gz
SOURCES/microcode-20210525.tar.gz SOURCES/microcode-20210608.tar.gz

2
.microcode_ctl.metadata
View File

@ -4,4 +4,4 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz 774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
000cb9ab3260786611f3481bf82d3c32506e91ae SOURCES/microcode-20210525.tar.gz 68f7344d874d50f4c8d836f01abc497707d0baa2 SOURCES/microcode-20210608.tar.gz

12
SOURCES/06-2d-07_config
View File

@ -1,13 +1,3 @@
model GenuineIntel 06-2d-07 model GenuineIntel 06-2d-07
path intel-ucode/06-2d-07 path intel-ucode/06-2d-07
## The "kernel_early" statements are carried over from the intel caveat config dependency required intel
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1

1
SOURCES/06-4e-03_config
View File

@ -1,3 +1,4 @@
model GenuineIntel 06-4e-03 model GenuineIntel 06-4e-03
path intel-ucode/06-4e-03 path intel-ucode/06-4e-03
dependency required intel
disable early late disable early late

5
SOURCES/06-4e-03_readme
View File

@ -41,6 +41,11 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding enforcing microcode update is provided below. The information regarding enforcing microcode update is provided below.

8
SOURCES/06-4f-01_config
View File

@ -11,11 +11,5 @@ kernel 2.6.32-573.58.1
kernel 2.6.32-504.71.1 kernel 2.6.32-504.71.1
kernel 2.6.32-431.90.1 kernel 2.6.32-431.90.1
kernel 2.6.32-358.90.1 kernel 2.6.32-358.90.1
kernel_early 4.10.0 dependency required intel skip=success match-model-mode=off
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1
mc_min_ver_late 0xb000019
disable early late disable early late

5
SOURCES/06-4f-01_readme
View File

@ -28,6 +28,11 @@ to the following knowledge base articles:
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"): ("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151 https://access.redhat.com/articles/4138151
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding enforcing microcode load is provided below. The information regarding enforcing microcode load is provided below.

12
SOURCES/06-55-04_config
View File

@ -9,14 +9,4 @@ path intel-ucode/06-55-04
## are provided for speeding up the search only, VID:DID is the real selector. ## are provided for speeding up the search only, VID:DID is the real selector.
## Commented out since revision 0x2006906 seems to fix the issue. ## Commented out since revision 0x2006906 seems to fix the issue.
#pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8 #pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
## The "kernel_early" statements are carried over from the intel caveat config dependency required intel
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1

5
SOURCES/06-55-04_readme
View File

@ -47,6 +47,11 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding disabling microcode update is provided below. The information regarding disabling microcode update is provided below.

2
SOURCES/06-5e-03_config
View File

@ -1,3 +1,3 @@
model GenuineIntel 06-5e-03 model GenuineIntel 06-5e-03
path intel-ucode/06-5e-03 path intel-ucode/06-5e-03
disable early late dependency required intel

44
SOURCES/06-5e-03_readme
View File

@ -1,12 +1,15 @@
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94, Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) have reports of possible system hangs when revision 0xdc stepping 3) had reports of possible system hangs when revision 0xdc
of microcode, that is included in microcode-20200609 update to address of microcode, that is included in microcode-20200609 update to address
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, is applied[1]. In order CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order
to address this, microcode update to the newer revision has been disabled to address this, microcode updates to the newer revision had been disabled
by default on these systems, and the previously published microcode revision by default on these systems, and the previously published microcode revision
0xd6 is used by default for the OS-driven microcode update. 0xd6 was used by default for the OS-driven microcode update. The revision
0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
For the reference, SHA1 checksums of 06-5e-03 microcode files containing For the reference, SHA1 checksums of 06-5e-03 microcode files containing
microcode revisions in question are listed below: microcode revisions in question are listed below:
@ -41,32 +44,33 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding enforcing microcode update is provided below. The information regarding disabling microcode update is provided below.
To enforce usage of the latest 06-5e-03 microcode revision for a specific kernel To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
version, please create a file "force-intel-06-5e-03" inside version, please create a file "disallow-intel-06-5e-03" inside
/lib/firmware/<kernel_version> directory, run /lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory "/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
where microcode will be available for late microcode update, and run where microcode is available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version "dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated and the microcode can be loaded early, for example: is regenerated, for example:
touch /lib/firmware/3.10.0-862.9.1/force-intel-06-5e-03 touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
/usr/libexec/microcode_ctl/update_ucode /usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1 dracut -f --kver 3.10.0-862.9.1
After that, it is possible to perform a late microcode update by executing To avoid addition of the latest microcode for all kernels, please create file
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
"/sys/devices/system/cpu/microcode/reload" directly. "/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:
To enforce addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03", run
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
and "dracut -f --regenerate-all" for enabling early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03 touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
/usr/libexec/microcode_ctl/update_ucode /usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all dracut -f --regenerate-all

2
SOURCES/06-8c-01_config
View File

@ -1,3 +1,3 @@
model GenuineIntel 06-8c-01 model GenuineIntel 06-8c-01
path intel-ucode/06-8c-01 path intel-ucode/06-8c-01
disable early late dependency required intel skip=success match-model-mode=off

49
SOURCES/06-8c-01_readme
View File

@ -1,7 +1,9 @@
Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1) Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
have reports of system hangs when a microcode update, that is included had reports of system hangs when a microcode update, that was included
since microcode-20201110 update, is applied[1]. In order to address this, since microcode-20201110 update, was applied[1]. In order to address this,
microcode update has been disabled by default on these systems. microcode update had been disabled by default on these systems. The revision
0x88 seems to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
@ -11,33 +13,40 @@ microcode revisions in question are listed below:
* 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290 * 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
Please contact your system vendor for a BIOS/firmware update that contains Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding enforcing microcode update is provided below. The information regarding disabling microcode update is provided below.
To enforce usage of the latest 06-8c-01 microcode revision for a specific kernel To disable 06-8c-01 microcode updates for a specific kernel
version, please create a file "force-intel-06-8c-01" inside version, please create a file "disallow-intel-06-8c-01" inside
/lib/firmware/<kernel_version> directory, run /lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory "/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
where microcode will be available for late microcode update, and run directory where microcode is available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version "dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated and the microcode can be loaded early, for example: is regenerated, for example:
touch /lib/firmware/3.10.0-862.9.1/force-intel-06-8c-01 touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
/usr/libexec/microcode_ctl/update_ucode /usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1 dracut -f --kver 3.10.0-862.9.1
After that, it is possible to perform a late microcode update by executing To avoid addition of this microcode for all kernels, please create file
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
"/sys/devices/system/cpu/microcode/reload" directly. "/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:
To enforce addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01", run
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
and "dracut -f --regenerate-all" for enabling early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01 touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
/usr/libexec/microcode_ctl/update_ucode /usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all dracut -f --regenerate-all

1
SOURCES/06-8e-9e-0x-0xca_config
View File

@ -1,4 +1,5 @@
path intel-ucode/* path intel-ucode/*
vendor GenuineIntel vendor GenuineIntel
dmi mode=fail-equal key=bios_vendor val="Dell Inc." dmi mode=fail-equal key=bios_vendor val="Dell Inc."
dependency required intel
disable early late disable early late

12
SOURCES/06-8e-9e-0x-dell_config
View File

@ -4,14 +4,4 @@ vendor GenuineIntel
## in cases where no model filter is used is too broad, hence ## in cases where no model filter is used is too broad, hence
## no-model-mode=success. ## no-model-mode=success.
dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc." dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc."
## The "kernel_early" statements are carried over from the intel caveat config dependency required intel
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1

175
SOURCES/README.caveats
View File

@ -269,8 +269,9 @@ separated by white space. Currently, the following options are supported:
it fails (in accordance with "mode=success-all" semantics). This check fails it fails (in accordance with "mode=success-all" semantics). This check fails
if "-m" option is not specified. if "-m" option is not specified.
* "dmi" performs checks for specific values available in DMI sysfs files * "dmi" performs checks for specific values available in DMI sysfs files
(present under /sys/devices/virtual/dmi/id/). The check fails if file (present under /sys/devices/virtual/dmi/id/). The check (when it is actually
is not readable. If "-m" option is specified, then the actual check performed; see a not about "no-model-mode" below) fails if one of the files
is not readable. If "-m" option is not specified, then the actual check
is skipped, and the check returns value in accordance with "no-model-mode" is skipped, and the check returns value in accordance with "no-model-mode"
parameter value (see below). Check arguments are a white-space-separated parameter value (see below). Check arguments are a white-space-separated
list of "key=value" pairs. The following keys are supported: list of "key=value" pairs. The following keys are supported:
@ -280,17 +281,30 @@ separated by white space. Currently, the following options are supported:
chassis_type, chassis_vendor, chassis_version, product_family, chassis_type, chassis_vendor, chassis_version, product_family,
product_name, product_serial, product_uuid, product_version, sys_vendor. product_name, product_serial, product_uuid, product_version, sys_vendor.
Default is empty string. Default is empty string.
* "val" - a string to match DMI data against. Can be enclosed in single * "val" - a string to match DMI data present in "key" against.
or double quotes. Default is empty string. Can be enclosed in single or double quotes. Default is empty string.
* "mode" - check mode, the way matches are interpreted: * "keyval" - a pair of "key" and "val" values (with semantics described
above), separated with either "=", ":", "!=", or "!:" characters. Enables
providing of multiple key-value pairs by means of supplying multiple
keyval= parameters. The exclamation sign ("!") character in separator
enables negated matching (so, non-equality of the value in DMI "key" file
and the value of "val" is). The match considered successful when all
the key/val (non-)equalities are in effect. This parameter works
in addition to the pair provided in "key" and "val" parameters
(but allows to avoid using them). Default is empty.
* "mode" - check mode, the way successful matches are interpreted:
* "success-equal" - returns 0 if the value present in the file * "success-equal" - returns 0 if the value present in the file
with the name supplied via the "key" parameter file under with the name supplied via the "key" parameter file under
/sys/devices/virtual/dmi/id/ is equal to the value supplied as a value /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
of "val" parameter, otherwise 1. of "val" parameter and all the pairs provided in "keyval" parameters
* "success-equal" - returns 1 if the value present in the file are equal and non-equal in accordance with their definition,
otherwise 1.
* "fail-equal" - returns 1 if the value present in the file
with the name supplied via the "key" parameter file under with the name supplied via the "key" parameter file under
/sys/devices/virtual/dmi/id/ is equal to the value supplied as a value /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
of "val" parameter, otherwise 0. of "val" parameter and all the pairs provided in "keyval" parameters
are equal and non-equal in accordance with their definition,
otherwise 0.
Default is "success-any". Default is "success-any".
* "no-model-mode" - return value if model filter ("-m" option) * "no-model-mode" - return value if model filter ("-m" option)
is not enabled: is not enabled:
@ -302,6 +316,61 @@ separated by white space. Currently, the following options are supported:
It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its
content is "Dell Inc." (without quotes). It succeeds if "-m" option content is "Dell Inc." (without quotes). It succeeds if "-m" option
is not enabled. is not enabled.
Another example:
dmi mode=fail-equal keyval="sys_vendor=Amazon EC2" keyval="product_name=u-18tb1.metal"
dmi mode=fail-equal keyval="sys_vendor=Lenovo" keyval="product_name=ThinkSystem SR950"
It blocks the caveat from using when either both
/sys/devices/virtual/dmi/id/sys_vendor contains the string "Amazon EC2"
and /sys/devices/virtual/dmi/id/product_name contains the string
"u-18tb1.metal" or both /sys/devices/virtual/dmi/id/sys_vendor contains
the string "Lenovo" and /sys/devices/virtual/dmi/id/product_name contains
the string "ThinkSystem SR950", but enables caveat loading for other products
with the aforementioned /sys/devices/virtual/dmi/id/sys_vendor values,
for example.
* "dependency" allows conditional enablement of a caveat based on the check
status of some other caveat(s). It has the following format:
dependency DEPENDENCY_TYPE DEPENDENCY_NAME [OPTION...]
where DEPENDENCY_NAME is the configuration to be checked, OPTIONs
are per-DEPENDENCY_TYPE, and the only DEPENDENCY_TYPE that is supported
currently is "required".
Options for the "required" dependency type:
* "match-model-mode" - whether model matching mode ("-m" option)
has to be used for the nested configuration check. Possible values:
* "on" - model-matching mode is always used during the nested check;
* "off" - model-matching mode is never used during the nested check;
* "same" - used the same model-matching mode as it is now.
Default is "same".
* "skip" - controls result of the check when the nested check indicated
skipping of the configuration.
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "skip".
* "force-skip" - controls result of the check when the nested check
indicated skipping of the configuration caused by the presence
of an override file (see "check_caveats script" section for details).
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "skip".
* "nesting-too-deep" - as a measure against dependency loop, configuration
checking logic implements nesting limit on dependency checks (currently
set at 8). This option controls the behaviour of the check
when the nested check cannot be performed due to this limit.
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "fail".
An example of a check:
dependency required intel skip=success match-model-mode=off
It checks "intel" caveat configuration (see the "Early microcode load
inside a virtual machine" section) with model-matching mode being disabled,
treats skipping of the configuration as a success (unless the configuration
is forced to be skipped, in that case the dependent configuration
is to be skipped as well).
check_caveats script check_caveats script
@ -538,6 +607,8 @@ Caveat name: intel-06-4f-01
Affected microcode: intel-ucode/06-4f-01. Affected microcode: intel-ucode/06-4f-01.
Dependencies: intel
Mitigation: microcode loading is disabled for the affected CPU model. Mitigation: microcode loading is disabled for the affected CPU model.
Minimum versions of the kernel package that contain the aforementioned patch Minimum versions of the kernel package that contain the aforementioned patch
@ -566,6 +637,8 @@ Caveat name: intel
Affected microcode: all. Affected microcode: all.
Dependencies: (none)
Mitigation: early microcode loading is disabled for all CPU models on kernels Mitigation: early microcode loading is disabled for all CPU models on kernels
without the fix. without the fix.
@ -602,6 +675,8 @@ Caveat name: intel-06-2d-07
Affected microcode: intel-ucode/06-2d-07. Affected microcode: intel-ucode/06-2d-07.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default; Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0x714 is still available as a fallback previously published microcode revision 0x714 is still available as a fallback
as part of "intel" caveat. as part of "intel" caveat.
@ -631,35 +706,64 @@ Caveat name: intel-06-55-04
Affected microcode: intel-ucode/06-55-04. Affected microcode: intel-ucode/06-55-04.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default; Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0x2000064 is still available previously published microcode revision 0x2000064 is still available
as a fallback as part of "intel" caveat. as a fallback as part of "intel" caveat.
Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats Intel Skylake-U/Y caveat
---------------------------------------- ------------------------
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3; Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
and SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of system have reports of system hangs when revision 0xdc of microcode, that is included
hangs when revision 0xdc of microcode, that is included in microcode-20200609 in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, and CVE-2020-0549, is applied[1]. In order to address this, microcode update
is applied[1][2]. In order to address this, microcode update to the newer to the newer revision has been disabled by default on these systems,
revision has been disabled by default on these systems, and the previously and the previously published microcode revision 0xd6 is used instead; the newer
published microcode revision 0xd6 is used instead; the newer microcode files, microcode files, however, are still shipped as part of microcode_ctl package
however, are still shipped as part of microcode_ctl package and can be used and can be used for performing a microcode update if they are enforced
for performing a microcode update if they are enforced via the aforementioned via the aforementioned overrides. (See the sections "check_caveats script"
overrides. (See the sections "check_caveats script" and "reload_microcode and "reload_microcode script" for details.)
script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
Caveat names: intel-06-4e-03, intel-06-5e-03 Caveat name: intel-06-4e-03
Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03. Affected microcode: intel-ucode/06-4e-03
Dependencies: intel
Mitigation: previously published microcode revision 0xd6 is used by default. Mitigation: previously published microcode revision 0xd6 is used by default.
Intel Skylake-H/S/Xeon E3 v5 caveat
-----------------------------------
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) had reports of system hangs when revision 0xdc of microcode,
that is included in microcode-20200609 update to address CVE-2020-0543,
CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order to address this,
microcode update to the newer revision had been disabled by default on these
systems, and the previously published microcode revision 0xd6 was used instead.
The revision 0xea seems[2] to have fixed the aforementioned issue, hence
the latest microcode revision usage it is enabled by default,
but can be disabled explicitly via the aforementioned overrides. (See
the sections "check_caveats script" and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
Caveat names: intel-06-5e-03
Affected microcode: intel-ucode/06-5e-03.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0xd6 is still available as a fallback
as part of "intel" caveat.
Dell caveats Dell caveats
------------ ------------
Some Dell systems that use some models of Intel CPUs are susceptible to hangs Some Dell systems that use some models of Intel CPUs are susceptible to hangs
@ -688,6 +792,8 @@ Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a,
intel-ucode/06-9e-0b, intel-ucode/06-9e-0c, intel-ucode/06-9e-0b, intel-ucode/06-9e-0c,
intel-ucode/06-9e-0d. intel-ucode/06-9e-0d.
Dependencies: intel
Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
by default if /sys/devices/virtual/dmi/id/bios_vendor reports by default if /sys/devices/virtual/dmi/id/bios_vendor reports
"Dell Inc."; otherwise, the latest microcode revision is used. "Dell Inc."; otherwise, the latest microcode revision is used.
@ -698,12 +804,12 @@ Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
Intel Tiger Lake-UP3/UP4 caveat Intel Tiger Lake-UP3/UP4 caveat
------------------------------- -------------------------------
Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140, Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140,
stepping 1) have reports of system hangs when a microcode update, stepping 1) had reports of system hangs when a microcode update,
that is included since microcode-20201110 release, is applied[1]. that was included since microcode-20201110 release, was applied[1].
In order to address this, microcode update to a newer revision has been disabled In order to address this, microcode update to a newer revision had been disabled
by default on these systems; the newer microcode file, however, is still shipped by default on these systems. The revision 0x88 seems to have fixed
as a part of microcode_ctl package and can be used for performing a microcode the aforementioned issue, hence it is enabled by default; however, it is still
update if it is enforced via the aforementioned overrides. (See the sections can be disabled via the aforementioned overrides. (See the sections
"check_caveats script" and "reload_microcode script" for details.) "check_caveats script" and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
@ -712,7 +818,9 @@ Caveat names: intel-06-8c-01
Affected microcode: intel-ucode/06-8c-01. Affected microcode: intel-ucode/06-8c-01.
Mitigation: microcode loading is disabled for the affected CPU model. Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default.
@ -747,3 +855,8 @@ Intel CPU vulnerabilities is available in the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171

359
SOURCES/check_caveats
View File

@ -9,6 +9,8 @@
: ${FW_DIR=/lib/firmware} : ${FW_DIR=/lib/firmware}
: ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats} : ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}
MAX_NESTING_LEVEL=8
usage() { usage() {
echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]' echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]'
echo ' [-m] [-v]' echo ' [-m] [-v]'
@ -261,7 +263,7 @@ check_pci_config_val()
# It is needed for filtering by BIOS vendor name that is available in DMI data # It is needed for filtering by BIOS vendor name that is available in DMI data
# #
# $1 - params in config file, space-separated, in key=value form: # $1 - params in config file, space-separated, in key=value form:
# key= - DMI value to check. Can be one of the following: bios_date, # key= - DMI data record to check. Can be one of the following: bios_date,
# bios_vendor, bios_version, board_asset_tag, board_name, board_serial, # bios_vendor, bios_version, board_asset_tag, board_name, board_serial,
# board_vendor, board_version, chassis_asset_tag, chassis_serial, # board_vendor, board_version, chassis_asset_tag, chassis_serial,
# chassis_type, chassis_vendor, chassis_version, product_family, # chassis_type, chassis_vendor, chassis_version, product_family,
@ -269,24 +271,31 @@ check_pci_config_val()
# sys_vendor. # sys_vendor.
# val= - a string to match DMI data against. Can be enclosed in single # val= - a string to match DMI data against. Can be enclosed in single
# or double quotes. # or double quotes.
# keyval= - a string of format "KEY(!)?[=:]VAL" (so, one of "KEY=VAL",
# "KEY!=VAL", "KEY:VAL", "KEY!:VAL") that allows providing
# a key-value pair in a single parameter. It is possible to provide
# multiple keyval= parameters. "!" before :/= means negated match.
# The action supplied in the mode= parameter is executed upon
# successful (non-)matching of all the keyval pairs (as well
# as the pair provided in a pair of key= and val= parameters).
# mode=success-equal [ success-equal, fail-equal ] - matching mode: # mode=success-equal [ success-equal, fail-equal ] - matching mode:
# success-equal: Returns 0 if the value present in the corresponding file # success-equal: Returns 0 if the all values present in the corresponding
# under /sys/devices/virtual/dmi/id/<key> is equal # files under /sys/devices/virtual/dmi/id/<KEY> are equal
# to the value supplied as a value of "val" parameter, # (or not equal in case of a keyval= with negated match)
# otherwise 1. # to the respective values supplied as the values
# fail-equal: Returns 1 if the value present in the corresponding file # of the keyval= parameters or the pair of key= vand val=
# under /sys/devices/virtual/dmi/id/<key> is equal # parameters, otherwise 1.
# to the value supplied as a value of "val" parameter, # fail-equal: Returns 1 if all the values present in DMI files in sysfs
# otherwise 0. # match (as described above), otherwise 0.
# no-model-mode=success [ success, fail ] - return value if model filter # no-model-mode=success [ success, fail ] - return value if model filter
# is not enabled: # is not enabled:
# success: Return 0. # success: Return 0.
# fail: Return 1. # fail: Return 1.
# $2 - whether model filter is engaged (if it is not '1', just return the result # $2 - whether model filter is engaged (if it is not '1', just return the result
# based on "mode" value that assumes that the check has failed). # based on "no-model-mode" value).
check_dmi_val() check_dmi_val()
{ {
local key= val= mode='success-equal' nm_mode='success' local key= val= keyval= keyvals= mode='success-equal' nm_mode='success'
local opts="${1:-}" opt= opt_= local opts="${1:-}" opt= opt_=
local match_model="${2:-0}" local match_model="${2:-0}"
@ -305,21 +314,44 @@ check_dmi_val()
# Handle possible quoting # Handle possible quoting
[ "x${opt#val=}" = "x${opt}" ] || { [ "x${opt#val=}" = "x${opt}" ] || {
case "${opt#val=}" in case "${opt#val=}" in
[']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val=\'${val}\'" ;; [\']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val='${val}'" ;;
["]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;; [\"]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;;
*) val="${opt#val=}" ;; *) val="${opt#val=}" ;;
esac esac
} }
[ "x${opt#keyval=}" = "x${opt}" ] || {
case "${opt#keyval=}" in
[\']*)
opt_="${opts#keyval=\'}"
keyval="${opt_%%\'*}"
opt="keyval='${keyval}'"
keyvals="${keyvals}
${keyval}"
;;
[\"]*)
opt_="${opts#keyval=\"}"
keyval="${opt_%%\"*}"
opt="keyval=\"${keyval}\""
keyvals="${keyvals}
${keyval}"
;;
*)
keyvals="${keyvals}
${opt#keyval=}"
;;
esac
}
opts="${opts#"${opt}"}" opts="${opts#"${opt}"}"
continue continue
done done
# Check key for validity [ -z "$key" -a -z "$val" ] || keyvals="${key}=${val}${keyvals}"
[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
debug "Invalid \"key\" parameter value: \"${key}\"" [ -n "x${keyvals}" ] || {
debug "Neither key=, val=, nor keyval= parameters were privoded"
echo 2 echo 2
exit return
} }
[ 1 = "$match_model" ] || { [ 1 = "$match_model" ] || {
@ -332,23 +364,171 @@ check_dmi_val()
;; ;;
esac esac
exit return
}
case "$mode" in
success-equal|fail-equal) ;;
*) debug "Invalid mode value: \"${nm_mode}\""; echo 2; return ;;
esac
printf "%s\n" "${keyvals}" | (
while read l; do
[ -n "$l" ] || continue
key="${l%%[=:]*}"
val="${l#${key}[=:]}"
cmp="="
[ "x${key%!}" = "x${key}" ] || {
cmp="!="
key="${key%!}"
}
# Check key for validity
[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
debug "Invalid \"key\" parameter value: \"${key}\""
echo 2
return
} }
[ -r "/sys/devices/virtual/dmi/id/${key}" ] || { [ -r "/sys/devices/virtual/dmi/id/${key}" ] || {
debug "Can't access /sys/devices/virtual/dmi/id/${key}" debug "Can't access /sys/devices/virtual/dmi/id/${key}"
echo 3 echo 3
exit return
} }
file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")" file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")"
[ "x${val}" = "x${file_val}" ] || success=0 [ "x${val}" "${cmp}" "x${file_val}" ] || {
case "$mode" in
success-equal) echo 1 ;;
fail-equal) echo 0 ;;
esac
return
}
done
case "$mode" in case "$mode" in
success-equal) echo "$((1 - $success))" ;; success-equal) echo 0 ;;
fail-equal) echo "${success}" ;; fail-equal) echo 1 ;;
*) debug "Invalid mode value: \"${nm_mode}\""; echo 2 ;; esac
)
}
# check_dependency CURLEVEL DEP_TYPE DEP_NAME OPTS
# DEP_TYPE:
# required - caveat can be enabled only if dependency is enabled
# (is not forcefully disabled and meets caveat conditions)
# OPTS:
# match-model-mode=same [ on, off, same ] - what mode matching mode is to be used for dependency
# skip=skip [ fail, skip, success ]
# force-skip=skip [ fail, skip, success ]
# nesting-too-deep=fail [ fail, skip, success ]
# Return values:
# 0 - success
# 1 - fail
# 2 - skip
# 9 - error
check_dependency()
{
local cur_level="$1"
local dep_type="$2"
local dep_name="$3"
local match_model_mode=same old_match_model="${match_model}"
local skip=skip
local force_skip=skip
local nesting_too_deep=fail
local check="Dependency check for ${dep_type} ${dep_name}"
set -- ${4:-}
while [ "$#" -gt 0 ]; do
[ "x${1#match-model-mode=}" = "x${1}" ] || match_model_mode="${1#match-model-mode=}"
[ "x${1#skip=}" = "x${1}" ] || skip="${1#skip=}"
[ "x${1#force-skip=}" = "x${1}" ] || force_skip="${1#force-skip=}"
[ "x${1#nesting-too-deep=}" = "x${1}" ] || nesting_too_deep="${1#nesting-too-deep=}"
shift
done
case "${dep_type}" in
required)
[ "x${dep_name%/*}" = "x${dep_name}" ] || {
debug "${check} error: dependency name (${dep_name})" \
"cannot contain slashes"
echo 9
return
}
[ "${MAX_NESTING_LEVEL}" -ge "$cur_level" ] || {
local reason="nesting level is too deep (${cur_level}) and nesting-too-deep='${nesting_too_deep}'"
case "$nesting_too_deep" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: invalid" \
"nesting-too-deep mode" \
"(${nesting_too_deep})"; echo 9 ;;
esac
return
}
case "${match_model_mode}" in
same) ;;
on) match_model=1 ;;
off) match_model=0 ;;
*)
debug "${check} error: invalid match-model-mode" \
"(${match_model_mode})"
echo 9
return
;;
esac
local result=0
debug "${check}: calling check_caveat '${dep_name}'" \
"'$(($cur_level + 1))' match_model=${match_model}"
check_caveat "${dep_name}" "$(($cur_level + 1))" > /dev/null || result="$?"
match_model="${old_match_model}"
case "${result}" in
0) debug "${check} succeeded: result=${result}"; echo "${result}" ;;
1) debug "${check} failed: result=${result}"; echo "${result}" ;;
2)
local reason="result=${result} and skip='${skip}'"
case "${skip}" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: unexpected skip=" \
"setting (${skip})"; echo 9 ;;
esac
;;
3)
local reason="result=${result} and force_skip='${force_skip}'"
case "${force_skip}" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: unexpected force-skip=" \
"setting (${skip})"; echo 9 ;;
esac
;;
*)
debug "${check} error: unexpected check_caveat result" \
"(${result})"; echo 9 ;;
esac
;;
*)
debug "${check} error: unknown dependency type '${dep_type}'"
echo 9
;;
esac esac
} }
@ -400,23 +580,6 @@ get_mc_ver()
/bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo /bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
} }
# fail [CHECK_ONLY]
fail()
{
check_only="${1:-0}"
[ 0 = "$check_only" ] || return
ret=1
fail_cfgs="$fail_cfgs $cfg"
fail_paths="$fail_paths $cfg_path"
[ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \
|| /bin/cat "${dir}/disclaimer"
}
#check_kver "$@"
#get_model_name
match_model=0 match_model=0
configs= configs=
@ -477,22 +640,21 @@ else
stage="late" stage="late"
fi fi
# check_caveat CFG [CHECK_ONLY] # check_caveat CFG [CHECK_LEVEL]
# changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs, # changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs,
# skip_cfgs if CHECK_ONLY is set to 0 (default). # skip_cfgs if CHECK_LEVEL is set to 0 (default).
# CHECK_LEVEL is used for recursive configuration dependency checks,
# and indicates nesting level.
# Return value: # Return value:
# 0 - check is successful # 0 - check is successful
# 1 - check has been failed # 1 - check has been failed
# 2 - configuration has been skipped # 2 - configuration has been skipped
# 3 - configuration has been skipped due to presence of an override file
check_caveat() { check_caveat() {
local cfg="$1" local cfg="$1"
local check_only="${2:-0}" local check_level="${2:-0}"
local dir="$MC_CAVEATS_DATA_DIR/$cfg" local dir="$MC_CAVEATS_DATA_DIR/$cfg"
# We add cfg to the skip list first and then, if we do not skip it,
# we remove the configuration from the list.
[ 0 != "$check_only" ] || skip_cfgs="$skip_cfgs $cfg"
[ -r "${dir}/readme" ] || { [ -r "${dir}/readme" ] || {
debug "File 'readme' in ${dir} is not found, skipping" debug "File 'readme' in ${dir} is not found, skipping"
return 2 return 2
@ -512,6 +674,7 @@ check_caveat() {
local cfg_disable= local cfg_disable=
local cfg_pci= local cfg_pci=
local cfg_dmi= local cfg_dmi=
local cfg_dependency=
local key local key
local value local value
@ -547,6 +710,10 @@ check_caveat() {
cfg_dmi="$cfg_dmi cfg_dmi="$cfg_dmi
$value" $value"
;; ;;
dependency)
cfg_dependency="$cfg_dependency
$value"
;;
'#'*|'') '#'*|'')
continue continue
;; ;;
@ -558,6 +725,7 @@ check_caveat() {
done < "${dir}/config" done < "${dir}/config"
debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'" debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'"
echo "$cfg_path"
# Check for override files in the following order: # Check for override files in the following order:
# - disallow early/late specific caveat for specific kernel # - disallow early/late specific caveat for specific kernel
@ -619,7 +787,7 @@ check_caveat() {
[ 0 -eq "$ignore_cfg" ] || { [ 0 -eq "$ignore_cfg" ] || {
debug "Configuration \"$cfg\" is ignored due to presence of" \ debug "Configuration \"$cfg\" is ignored due to presence of" \
"\"$override_file\"." "\"$override_file\"."
return 2 return 3
} }
# Check model if model filter is enabled # Check model if model filter is enabled
@ -667,29 +835,51 @@ check_caveat() {
} }
fi fi
# Check configuration files # Has to be performed before dependency checks
[ 0 != "$check_only" ] || {
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
skip_cfgs="${skip_cfgs% $cfg}"
}
[ 0 -eq "$force_cfg" ] || { [ 0 -eq "$force_cfg" ] || {
debug "Checks for configuration \"$cfg\" are ignored due to" \ debug "Checks for configuration \"$cfg\" are ignored due to" \
"presence of \"$override_file\"." "presence of \"$override_file\"."
[ 0 != "$check_only" ] || {
ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path"
}
return 0 return 0
} }
# Check dependencies
# It has to be performed here (before adding configuration
# to $ret_cfgs/$ret_paths) since it may be skipped.
if [ -n "$cfg_dependency" ]; then
dep_line="$(printf "%s\n" "$cfg_dependency" | \
while read -r dep_type dep_name dep_opts
do
[ -n "$dep_type" ] || continue
dep_res=$(check_dependency "$check_level" \
"$dep_type" \
"$dep_name" \
"$dep_opts")
[ 0 != "$dep_res" ] || continue
echo "$dep_res $dep_type $dep_name $dep_opts"
break
done
echo "0 ")"
case "${dep_line%% *}" in
0) ;;
2)
debug "Dependency check '${dep_line#* }'" \
"induced configuration skip"
return 2
;;
*)
debug "Dependency check '${dep_line#* }'" \
"failed (with return code ${dep_line%% *})"
return 1
;;
esac
fi
# Check configuration files
[ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || { [ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || {
debug "${cfg}: caveat is disabled in configuration" debug "${cfg}: caveat is disabled in configuration"
fail "$check_only"
return 1 return 1
} }
@ -698,7 +888,6 @@ check_caveat() {
check_kver "$kver" $cfg_kvers || { check_kver "$kver" $cfg_kvers || {
debug "${cfg}: late load kernel version check for" \ debug "${cfg}: late load kernel version check for" \
" '$kver' against '$cfg_kvers' failed" " '$kver' against '$cfg_kvers' failed"
fail "$check_only"
return 1 return 1
} }
fi fi
@ -708,7 +897,6 @@ check_caveat() {
check_kver "$kver" $cfg_kvers_early || { check_kver "$kver" $cfg_kvers_early || {
debug "${cfg}: early load kernel version check for" \ debug "${cfg}: early load kernel version check for" \
"'$kver' against '$cfg_kvers_early' failed" "'$kver' against '$cfg_kvers_early' failed"
fail "$check_only"
return 1 return 1
} }
fi fi
@ -722,7 +910,6 @@ check_caveat() {
debug "${cfg}: CPU microcode version $cpu_mc_ver" \ debug "${cfg}: CPU microcode version $cpu_mc_ver" \
"failed check (should be at least" \ "failed check (should be at least" \
"${cfg_mc_min_ver_late})" "${cfg_mc_min_ver_late})"
fail "$check_only"
return 1 return 1
} }
fi fi
@ -744,14 +931,14 @@ check_caveat() {
[ -z "${pci_line#* }" ] || { [ -z "${pci_line#* }" ] || {
debug "PCI configuration word check '${pci_line#* }'" \ debug "PCI configuration word check '${pci_line#* }'" \
"failed (with return code ${pci_line%% *})" "failed (with return code ${pci_line%% *})"
fail "$check_only"
return 1 return 1
} }
fi fi
# Check DMI data if model filter is enabled # Check DMI data if model filter is enabled
# Note that the model filter check is done inside check_pci_config_val # Note that the model filter check is done inside check_dmi_val
# based on the 'mode=' parameter. # (which returns the value of 'no-model-mode=' parameter
# if it is disenaged).
if [ -n "$cfg_dmi" ]; then if [ -n "$cfg_dmi" ]; then
dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line
do do
@ -767,21 +954,43 @@ check_caveat() {
[ -z "${dmi_line#* }" ] || { [ -z "${dmi_line#* }" ] || {
debug "DMI data check '${dmi_line#* }'" \ debug "DMI data check '${dmi_line#* }'" \
"failed (with return code ${dmi_line%% *})" "failed (with return code ${dmi_line%% *})"
fail "$check_only"
return 1 return 1
} }
fi fi
[ 0 != "$check_only" ] || {
ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path"
}
return 0 return 0
} }
for cfg in $(echo "${configs}"); do for cfg in $(echo "${configs}"); do
check_caveat "$cfg" || : if cfg_path=$(check_caveat "$cfg"; exit "$?")
then
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path"
else
case "$?" in
1)
ret=1
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
fail_cfgs="$fail_cfgs $cfg"
fail_paths="$fail_paths $cfg_path"
[ 0 -eq "$print_disclaimers" ] \
|| [ ! -e "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" ] \
|| /bin/cat "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer"
;;
2|3)
skip_cfgs="$skip_cfgs $cfg";
;;
*)
debug "Unexpected check_caveat return code '$?'" \
"for config '$cfg'"
;;
esac
fi
done done
[ 0 -eq "$print_disclaimers" ] || exit 0 [ 0 -eq "$print_disclaimers" ] || exit 0

2
SOURCES/codenames.list
View File

@ -305,7 +305,7 @@ Mobile;;Comet Lake;R1;20;a0652;CML;H;Core Gen10 Mobile;
Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop; Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop;
Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop; Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop;
Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile; Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile;
Mobile;;Comet Lake;K0;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile; Mobile;;Comet Lake;K1;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile;
Desktop;;Rocket Lake;B0;02;a0671;RKL;S;Core Gen11; Desktop;;Rocket Lake;B0;02;a0671;RKL;S;Core Gen11;
SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology; SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology;

17
SPECS/microcode_ctl.spec
View File

@ -1,4 +1,4 @@
%define intel_ucode_version 20210525 %define intel_ucode_version 20210608
%global debug_package %{nil} %global debug_package %{nil}
%define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats %define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats
@ -17,8 +17,7 @@ Release: 1.%{intel_ucode_version}.1%{?dist}
Epoch: 4 Epoch: 4
License: CC0 and Redistributable, no modification permitted License: CC0 and Redistributable, no modification permitted
URL: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files URL: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
#Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
Source0: microcode-%{intel_ucode_version}.tar.gz
# (Pre-MDS) revision 0x714 of 06-2d-07 microcode # (Pre-MDS) revision 0x714 of 06-2d-07 microcode
Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07 Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07
@ -113,6 +112,7 @@ Source171: 06-8e-9e-0x-dell_config
Source172: 06-8e-9e-0x-dell_disclaimer Source172: 06-8e-9e-0x-dell_disclaimer
# TGL-UP3/UP4 (CPUID 06-8c-01) hangs # TGL-UP3/UP4 (CPUID 06-8c-01) hangs
# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
Source180: 06-8c-01_readme Source180: 06-8c-01_readme
Source181: 06-8c-01_config Source181: 06-8c-01_config
Source182: 06-8c-01_disclaimer Source182: 06-8c-01_disclaimer
@ -544,6 +544,17 @@ rm -rf %{buildroot}
%changelog %changelog
* Thu Jul 22 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210216-1.20210608.1
- Update Intel CPU microcode to microcode-20210608 release:
- Fixes in releasenote.md file.
* Thu Jul 22 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210216-1.20210525.2
- Make intel-06-2d-07, intel-06-4e-03, intel-06-4f-01, intel-06-55-04,
intel-06-5e-03, intel-06-8c-01, intel-06-8e-9e-0x-0xca,
and intel-06-8e-9e-0x-dell caveats dependent on intel caveat.
- Enable 06-8c-01 microcode update by default (#1972328).
- Enable 06-5e-03 microcode update by default (#1972325).
* Thu May 27 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210216-1.20210525.1 * Thu May 27 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210216-1.20210525.1
- Update Intel CPU microcode to microcode-20210525 release, addresses - Update Intel CPU microcode to microcode-20210525 release, addresses
CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, and CVE-2020-24513 CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, and CVE-2020-24513