import microcode_ctl-20210216-1.20210608.1.el8_4

2021-08-09 05:26:03 -04:00 · 2021-08-09 05:26:03 -04:00 · 3033a4c08c
commit 3033a4c08c
parent d869867268
19 changed files with 529 additions and 202 deletions
--- a/.gitignore
+++ b/.gitignore
@ -4,4 +4,4 @@ SOURCES/06-55-04
 SOURCES/06-5e-03
 SOURCES/microcode-20190918.tar.gz
 SOURCES/microcode-20191115.tar.gz
-SOURCES/microcode-20210525.tar.gz
+SOURCES/microcode-20210608.tar.gz
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@ -4,4 +4,4 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
 bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
 774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
-000cb9ab3260786611f3481bf82d3c32506e91ae SOURCES/microcode-20210525.tar.gz
+68f7344d874d50f4c8d836f01abc497707d0baa2 SOURCES/microcode-20210608.tar.gz
--- a/SOURCES/06-2d-07_config
+++ b/SOURCES/06-2d-07_config
@ -1,13 +1,3 @@
 model GenuineIntel 06-2d-07
 path intel-ucode/06-2d-07
-## The "kernel_early" statements are carried over from the intel caveat config
-## in order to avoid enabling this newer microcode on these problematic kernels;
-## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
-## (That also means that this caveat has to be enforced separately on these
-## kernels.)
-kernel_early 4.10.0
-kernel_early 3.10.0-930
-kernel_early 3.10.0-862.14.1
-kernel_early 3.10.0-693.38.1
-kernel_early 3.10.0-514.57.1
-kernel_early 3.10.0-327.73.1
+dependency required intel
--- a/SOURCES/06-4e-03_config
+++ b/SOURCES/06-4e-03_config
@ -1,3 +1,4 @@
 model GenuineIntel 06-4e-03
 path intel-ucode/06-4e-03
+dependency required intel
 disable early late
--- a/SOURCES/06-4e-03_readme
+++ b/SOURCES/06-4e-03_readme
@ -41,6 +41,11 @@ to the following knowledge base articles:
   CVE-2020-8696 (Vector Register Leakage-Active),
   CVE-2020-8698 (Fast Forward Store Predictor):
   https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171

 The information regarding enforcing microcode update is provided below.

--- a/SOURCES/06-4f-01_config
+++ b/SOURCES/06-4f-01_config
@ -11,11 +11,5 @@ kernel 2.6.32-573.58.1
 kernel 2.6.32-504.71.1
 kernel 2.6.32-431.90.1
 kernel 2.6.32-358.90.1
-kernel_early 4.10.0
-kernel_early 3.10.0-930
-kernel_early 3.10.0-862.14.1
-kernel_early 3.10.0-693.38.1
-kernel_early 3.10.0-514.57.1
-kernel_early 3.10.0-327.73.1
-mc_min_ver_late 0xb000019
+dependency required intel skip=success match-model-mode=off
 disable early late
--- a/SOURCES/06-4f-01_readme
+++ b/SOURCES/06-4f-01_readme
@ -28,6 +28,11 @@ to the following knowledge base articles:
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
   ("Microarchitectural Data Sampling"):
   https://access.redhat.com/articles/4138151
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171

 The information regarding enforcing microcode load is provided below.

--- a/SOURCES/06-55-04_config
+++ b/SOURCES/06-55-04_config
@ -9,14 +9,4 @@ path intel-ucode/06-55-04
 ## are provided for speeding up the search only, VID:DID is the real selector.
 ## Commented out since revision 0x2006906 seems to fix the issue.
 #pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
-## The "kernel_early" statements are carried over from the intel caveat config
-## in order to avoid enabling this newer microcode on these problematic kernels;
-## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
-## (That also means that this caveat has to be enforced separately on these
-## kernels.)
-kernel_early 4.10.0
-kernel_early 3.10.0-930
-kernel_early 3.10.0-862.14.1
-kernel_early 3.10.0-693.38.1
-kernel_early 3.10.0-514.57.1
-kernel_early 3.10.0-327.73.1
+dependency required intel
--- a/SOURCES/06-55-04_readme
+++ b/SOURCES/06-55-04_readme
@ -47,6 +47,11 @@ to the following knowledge base articles:
   CVE-2020-8696 (Vector Register Leakage-Active),
   CVE-2020-8698 (Fast Forward Store Predictor):
   https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171

 The information regarding disabling microcode update is provided below.

--- a/SOURCES/06-5e-03_config
+++ b/SOURCES/06-5e-03_config
@ -1,3 +1,3 @@
 model GenuineIntel 06-5e-03
 path intel-ucode/06-5e-03
-disable early late
+dependency required intel
--- a/SOURCES/06-5e-03_readme
+++ b/SOURCES/06-5e-03_readme
@ -1,12 +1,15 @@
 Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
-stepping 3) have reports of possible system hangs when revision 0xdc
+stepping 3) had reports of possible system hangs when revision 0xdc
 of microcode, that is included in microcode-20200609 update to address
-CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, is applied[1].  In order
-to address this, microcode update to the newer revision has been disabled
+CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1].  In order
+to address this, microcode updates to the newer revision had been disabled
 by default on these systems, and the previously published microcode revision
-0xd6 is used by default for the OS-driven microcode update.
+0xd6 was used by default for the OS-driven microcode update.  The revision
+0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
+by default (but can be disabled explicitly; see below).

 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
+[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014

 For the reference, SHA1 checksums of 06-5e-03 microcode files containing
 microcode revisions in question are listed below:
@ -41,32 +44,33 @@ to the following knowledge base articles:
   CVE-2020-8696 (Vector Register Leakage-Active),
   CVE-2020-8698 (Fast Forward Store Predictor):
   https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171

-The information regarding enforcing microcode update is provided below.
+The information regarding disabling microcode update is provided below.

-To enforce usage of the latest 06-5e-03 microcode revision for a specific kernel
-version, please create a file "force-intel-06-5e-03" inside
+To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
+version, please create a file "disallow-intel-06-5e-03" inside
 /lib/firmware/<kernel_version> directory, run
-"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
-where microcode will be available for late microcode update, and run
+"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
+where microcode is available for late microcode update, and run
 "dracut -f --kver <kernel_version>", so initramfs for this kernel version
-is regenerated and the microcode can be loaded early, for example:
+is regenerated, for example:

-    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-5e-03
+    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --kver 3.10.0-862.9.1

-After that, it is possible to perform a late microcode update by executing
-"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
-"/sys/devices/system/cpu/microcode/reload" directly.
-
-To enforce addition of this microcode for all kernels, please create file
-"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03", run
-"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
-and "dracut -f --regenerate-all" for enabling early microcode updates:
+To avoid  addition of the latest microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
+"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
+and "dracut -f --regenerate-all" for early microcode updates:

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
-    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03
+    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --regenerate-all

--- a/SOURCES/06-8c-01_config
+++ b/SOURCES/06-8c-01_config
@ -1,3 +1,3 @@
 model GenuineIntel 06-8c-01
 path intel-ucode/06-8c-01
-disable early late
+dependency required intel skip=success match-model-mode=off
--- a/SOURCES/06-8c-01_readme
+++ b/SOURCES/06-8c-01_readme
@ -1,7 +1,9 @@
 Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
-have reports of system hangs when a microcode update, that is included
-since microcode-20201110 update, is applied[1].  In order to address this,
-microcode update has been disabled by default on these systems.
+had reports of system hangs when a microcode update, that was included
+since microcode-20201110 update, was applied[1].  In order to address this,
+microcode update had been disabled by default on these systems.  The revision
+0x88 seems to have fixed the aforementioned issue, hence it is enabled
+by default (but can be disabled explicitly; see below).

 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44

@ -11,33 +13,40 @@ microcode revisions in question are listed below:
 * 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290

 Please contact your system vendor for a BIOS/firmware update that contains
-the latest microcode version.
+the latest microcode version.  For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
+   CVE-2020-8696 (Vector Register Leakage-Active),
+   CVE-2020-8698 (Fast Forward Store Predictor):
+   https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171

-The information regarding enforcing microcode update is provided below.
+The information regarding disabling microcode update is provided below.

-To enforce usage of the latest 06-8c-01 microcode revision for a specific kernel
-version, please create a file "force-intel-06-8c-01" inside
+To disable 06-8c-01 microcode updates for a specific kernel
+version, please create a file "disallow-intel-06-8c-01" inside
 /lib/firmware/<kernel_version> directory, run
-"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
-where microcode will be available for late microcode update, and run
+"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
+directory where microcode is available for late microcode update, and run
 "dracut -f --kver <kernel_version>", so initramfs for this kernel version
-is regenerated and the microcode can be loaded early, for example:
+is regenerated, for example:

-    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-8c-01
+    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --kver 3.10.0-862.9.1

-After that, it is possible to perform a late microcode update by executing
-"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
-"/sys/devices/system/cpu/microcode/reload" directly.
-
-To enforce addition of this microcode for all kernels, please create file
-"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01", run
-"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
-and "dracut -f --regenerate-all" for enabling early microcode updates:
+To avoid addition of this microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
+"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
+and "dracut -f --regenerate-all" for early microcode updates:

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
-    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01
+    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --regenerate-all

--- a/SOURCES/06-8e-9e-0x-0xca_config
+++ b/SOURCES/06-8e-9e-0x-0xca_config
@ -1,4 +1,5 @@
 path intel-ucode/*
 vendor GenuineIntel
 dmi mode=fail-equal key=bios_vendor val="Dell Inc."
+dependency required intel
 disable early late
--- a/SOURCES/06-8e-9e-0x-dell_config
+++ b/SOURCES/06-8e-9e-0x-dell_config
@ -4,14 +4,4 @@ vendor GenuineIntel
 ## in cases where no model filter is used is too broad, hence
 ## no-model-mode=success.
 dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc."
-## The "kernel_early" statements are carried over from the intel caveat config
-## in order to avoid enabling this newer microcode on these problematic kernels;
-## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
-## (That also means that this caveat has to be enforced separately on these
-## kernels.)
-kernel_early 4.10.0
-kernel_early 3.10.0-930
-kernel_early 3.10.0-862.14.1
-kernel_early 3.10.0-693.38.1
-kernel_early 3.10.0-514.57.1
-kernel_early 3.10.0-327.73.1
+dependency required intel
--- a/SOURCES/README.caveats
+++ b/SOURCES/README.caveats
@ -269,8 +269,9 @@ separated by white space.  Currently, the following options are supported:
   it fails (in accordance with "mode=success-all" semantics).  This check fails
   if "-m" option is not specified.
 * "dmi" performs checks for specific values available in DMI sysfs files
-   (present under /sys/devices/virtual/dmi/id/).  The check fails if file
-   is not readable.  If "-m" option is specified, then the actual check
+   (present under /sys/devices/virtual/dmi/id/).  The check (when it is actually
+   performed; see a not about "no-model-mode" below) fails if one of the files
+   is not readable.  If "-m" option is not specified, then the actual check
   is skipped, and the check returns value in accordance with "no-model-mode"
   parameter value (see below).  Check arguments are a white-space-separated
   list of "key=value" pairs.  The following keys are supported:
@ -280,17 +281,30 @@ separated by white space.  Currently, the following options are supported:
      chassis_type, chassis_vendor, chassis_version, product_family,
      product_name, product_serial, product_uuid, product_version, sys_vendor.
      Default is empty string.
-    * "val" - a string to match DMI data against.  Can be enclosed in single
-      or double quotes.  Default is empty string.
-    * "mode" - check mode, the way matches are interpreted:
+    * "val" - a string to match DMI data present in "key" against.
+      Can be enclosed in single or double quotes.  Default is empty string.
+    * "keyval" - a pair of "key" and "val" values (with semantics described
+      above), separated with either "=", ":", "!=", or "!:" characters.  Enables
+      providing of multiple key-value pairs by means of supplying multiple
+      keyval= parameters.  The exclamation sign ("!") character in separator
+      enables negated matching (so, non-equality of the value in DMI "key" file
+      and the value of "val" is).  The match considered successful when all
+      the key/val (non-)equalities are in effect.  This parameter works
+      in addition to the pair provided in "key" and "val" parameters
+      (but allows to avoid using them).  Default is empty.
+    * "mode" - check mode, the way successful matches are interpreted:
       * "success-equal" - returns 0 if the value present in the file
         with the name supplied via the "key" parameter file under
 	 /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
-	 of "val" parameter, otherwise 1.
-       * "success-equal" - returns 1 if the value present in the file
+	 of "val" parameter and all the pairs provided in "keyval" parameters
+	 are equal and non-equal in accordance with their definition,
+	 otherwise 1.
+       * "fail-equal" - returns 1 if the value present in the file
         with the name supplied via the "key" parameter file under
 	 /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
-	 of "val" parameter, otherwise 0.
+	 of "val" parameter and all the pairs provided in "keyval" parameters
+	 are equal and non-equal in accordance with their definition,
+	 otherwise 0.
      Default is "success-any".
    * "no-model-mode" - return value if model filter ("-m" option)
      is not enabled:
@ -302,6 +316,61 @@ separated by white space.  Currently, the following options are supported:
   It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its
   content is "Dell Inc." (without quotes).  It succeeds if "-m" option
   is not enabled.
+   Another example:
+       dmi mode=fail-equal keyval="sys_vendor=Amazon EC2" keyval="product_name=u-18tb1.metal"
+       dmi mode=fail-equal keyval="sys_vendor=Lenovo" keyval="product_name=ThinkSystem SR950"
+   It blocks the caveat from using when either both
+   /sys/devices/virtual/dmi/id/sys_vendor contains the string "Amazon EC2"
+   and /sys/devices/virtual/dmi/id/product_name contains the string
+   "u-18tb1.metal" or both /sys/devices/virtual/dmi/id/sys_vendor contains
+   the string "Lenovo" and /sys/devices/virtual/dmi/id/product_name contains
+   the string "ThinkSystem SR950", but enables caveat loading for other products
+   with the aforementioned /sys/devices/virtual/dmi/id/sys_vendor values,
+   for example.
+ * "dependency" allows conditional enablement of a caveat based on the check
+   status of some other caveat(s).  It has the following format:
+       dependency DEPENDENCY_TYPE DEPENDENCY_NAME [OPTION...]
+   where DEPENDENCY_NAME is the configuration to be checked, OPTIONs
+   are per-DEPENDENCY_TYPE, and the only DEPENDENCY_TYPE that is supported
+   currently is "required".
+   Options for the "required" dependency type:
+    * "match-model-mode" - whether model matching mode ("-m" option)
+      has to be used for the nested configuration check. Possible values:
+       * "on" - model-matching mode is always used during the nested check;
+       * "off" - model-matching mode is never used during the nested check;
+       * "same" - used the same model-matching mode as it is now.
+      Default is "same".
+    * "skip" - controls result of the check when the nested check indicated
+      skipping of the configuration.
+       * "fail" - the dependent check fails;
+       * "success" - the dependent check succeeds;
+       * "skip" - the dependent check indicates that the configuration
+         is to be skipped.
+      Default is "skip".
+    * "force-skip" - controls result of the check when the nested check
+      indicated skipping of the configuration caused by the presence
+      of an override file (see "check_caveats script" section for details).
+       * "fail" - the dependent check fails;
+       * "success" - the dependent check succeeds;
+       * "skip" - the dependent check indicates that the configuration
+         is to be skipped.
+      Default is "skip".
+    * "nesting-too-deep" - as a measure against dependency loop, configuration
+      checking logic implements nesting limit on dependency checks (currently
+      set at 8).  This option controls the behaviour of the check
+      when the nested check cannot be performed due to this limit.
+       * "fail" - the dependent check fails;
+       * "success" - the dependent check succeeds;
+       * "skip" - the dependent check indicates that the configuration
+         is to be skipped.
+      Default is "fail".
+   An example of a check:
+       dependency required intel skip=success match-model-mode=off
+   It checks "intel" caveat configuration (see the "Early microcode load
+   inside a virtual machine" section) with model-matching mode being disabled,
+   treats skipping of the configuration as a success (unless the configuration
+   is forced to be skipped, in that case the dependent configuration
+   is to be skipped as well).


 check_caveats script
@ -538,6 +607,8 @@ Caveat name: intel-06-4f-01

 Affected microcode: intel-ucode/06-4f-01.

+Dependencies: intel
+
 Mitigation: microcode loading is disabled for the affected CPU model.

 Minimum versions of the kernel package that contain the aforementioned patch
@ -566,6 +637,8 @@ Caveat name: intel

 Affected microcode: all.

+Dependencies: (none)
+
 Mitigation: early microcode loading is disabled for all CPU models on kernels
 without the fix.

@ -602,6 +675,8 @@ Caveat name: intel-06-2d-07

 Affected microcode: intel-ucode/06-2d-07.

+Dependencies: intel
+
 Mitigation: None; the latest revision of the microcode file is used by default;
 previously published microcode revision 0x714 is still available as a fallback
 as part of "intel" caveat.
@ -631,35 +706,64 @@ Caveat name: intel-06-55-04

 Affected microcode: intel-ucode/06-55-04.

+Dependencies: intel
+
 Mitigation: None; the latest revision of the microcode file is used by default;
 previously published microcode revision 0x2000064 is still available
 as a fallback as part of "intel" caveat.


-Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats
----------------------------------------
-Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3;
-and SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of system
-hangs when revision 0xdc of microcode, that is included in microcode-20200609
-update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549,
-is applied[1][2].  In order to address this, microcode update to the newer
-revision has been disabled by default on these systems, and the previously
-published microcode revision 0xd6 is used instead; the newer microcode files,
-however, are still shipped as part of microcode_ctl package and can be used
-for performing a microcode update if they are enforced via the aforementioned
-overrides.  (See the sections "check_caveats script" and "reload_microcode
-script" for details.)
+Intel Skylake-U/Y caveat
+------------------------
+Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
+have reports of system hangs when revision 0xdc of microcode, that is included
+in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
+and CVE-2020-0549, is applied[1].  In order to address this, microcode update
+to the newer revision has been disabled by default on these systems,
+and the previously published microcode revision 0xd6 is used instead; the newer
+microcode files, however, are still shipped as part of microcode_ctl package
+and can be used for performing a microcode update if they are enforced
+via the aforementioned overrides.  (See the sections "check_caveats script"
+and "reload_microcode script" for details.)

 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
-[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826

-Caveat names: intel-06-4e-03, intel-06-5e-03
+Caveat name: intel-06-4e-03

-Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03.
+Affected microcode: intel-ucode/06-4e-03
+
+Dependencies: intel

 Mitigation: previously published microcode revision 0xd6 is used by default.


+Intel Skylake-H/S/Xeon E3 v5 caveat
+-----------------------------------
+Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
+stepping 3) had reports of system hangs when revision 0xdc of microcode,
+that is included in microcode-20200609 update to address CVE-2020-0543,
+CVE-2020-0548, and CVE-2020-0549, was applied[1].  In order to address this,
+microcode update to the newer revision had been disabled by default on these
+systems, and the previously published microcode revision 0xd6 was used instead.
+The revision 0xea seems[2] to have fixed the aforementioned issue, hence
+the latest microcode revision usage it is enabled by default,
+but can be disabled explicitly via the aforementioned overrides.  (See
+the sections "check_caveats script" and "reload_microcode script" for details.)
+
+[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
+[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
+
+Caveat names: intel-06-5e-03
+
+Affected microcode: intel-ucode/06-5e-03.
+
+Dependencies: intel
+
+Mitigation: None; the latest revision of the microcode file is used by default;
+previously published microcode revision 0xd6 is still available as a fallback
+as part of "intel" caveat.
+
+
 Dell caveats
 ------------
 Some Dell systems that use some models of Intel CPUs are susceptible to hangs
@ -688,6 +792,8 @@ Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a,
                    intel-ucode/06-9e-0b, intel-ucode/06-9e-0c,
                    intel-ucode/06-9e-0d.

+Dependencies: intel
+
 Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
            by default if /sys/devices/virtual/dmi/id/bios_vendor reports
 	    "Dell Inc."; otherwise, the latest microcode revision is used.
@ -698,12 +804,12 @@ Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
 Intel Tiger Lake-UP3/UP4 caveat
 -------------------------------
 Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140,
-stepping 1) have reports of system hangs when a microcode update,
-that is included since microcode-20201110 release, is applied[1].
-In order to address this, microcode update to a newer revision has been disabled
-by default on these systems; the newer microcode file, however, is still shipped
-as a part of microcode_ctl package and can be used for performing a microcode
-update if it is enforced via the aforementioned overrides.  (See the sections
+stepping 1) had reports of system hangs when a microcode update,
+that was included since microcode-20201110 release, was applied[1].
+In order to address this, microcode update to a newer revision had been disabled
+by default on these systems.  The revision 0x88 seems to have fixed
+the aforementioned issue, hence it is enabled by default; however, it is still
+can be disabled via the aforementioned overrides.  (See the sections
 "check_caveats script" and "reload_microcode script" for details.)

 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
@ -712,7 +818,9 @@ Caveat names: intel-06-8c-01

 Affected microcode: intel-ucode/06-8c-01.

-Mitigation: microcode loading is disabled for the affected CPU model.
+Dependencies: intel
+
+Mitigation: None; the latest revision of the microcode file is used by default.



@ -747,3 +855,8 @@ Intel CPU vulnerabilities is available in the following knowledge base articles:
   CVE-2020-8696 (Vector Register Leakage-Active),
   CVE-2020-8698 (Fast Forward Store Predictor):
   https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+   CVE-2020-24511 (Improper Isolation of Shared Resources),
+   CVE-2020-24512 (Observable Timing Discrepancy),
+   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+   https://access.redhat.com/articles/6101171
--- a/SOURCES/check_caveats
+++ b/SOURCES/check_caveats
@ -9,6 +9,8 @@
 : ${FW_DIR=/lib/firmware}
 : ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}

+MAX_NESTING_LEVEL=8
+
 usage() {
 	echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]'
 	echo '                     [-m] [-v]'
@ -261,7 +263,7 @@ check_pci_config_val()
 # It is needed for filtering by BIOS vendor name that is available in DMI data
 #
 # $1 - params in config file, space-separated, in key=value form:
-#   key= - DMI value to check. Can be one of the following: bios_date,
+#   key= - DMI data record to check. Can be one of the following: bios_date,
 #          bios_vendor, bios_version, board_asset_tag, board_name, board_serial,
 #          board_vendor, board_version, chassis_asset_tag, chassis_serial,
 #          chassis_type, chassis_vendor, chassis_version, product_family,
@ -269,24 +271,31 @@ check_pci_config_val()
 #          sys_vendor.
 #   val= - a string to match DMI data against.  Can be enclosed in single
 #          or double quotes.
+#   keyval= - a string of format "KEY(!)?[=:]VAL" (so, one of "KEY=VAL",
+#             "KEY!=VAL", "KEY:VAL", "KEY!:VAL") that allows providing
+#             a key-value pair in a single parameter.  It is possible to provide
+#             multiple keyval= parameters.  "!" before :/= means negated match.
+#             The action supplied in the mode= parameter is executed upon
+#             successful (non-)matching of all the keyval pairs (as well
+#             as the pair provided in a pair of key= and val= parameters).
 #   mode=success-equal [ success-equal, fail-equal ] - matching mode:
-#     success-equal: Returns 0 if the value present in the corresponding file
-#                    under /sys/devices/virtual/dmi/id/<key> is equal
-#                    to the value supplied as a value of "val" parameter,
-#                    otherwise 1.
-#     fail-equal:    Returns 1 if the value present in the corresponding file
-#                    under /sys/devices/virtual/dmi/id/<key> is equal
-#                    to the value supplied as a value of "val" parameter,
-#                    otherwise 0.
+#     success-equal: Returns 0 if the all values present in the corresponding
+#                    files under /sys/devices/virtual/dmi/id/<KEY> are equal
+#                    (or not equal in case of a keyval= with negated match)
+#                    to the respective values supplied as the values
+#                    of the keyval= parameters or the pair of key= vand val=
+#                    parameters, otherwise 1.
+#     fail-equal:    Returns 1 if all the values present in DMI files in sysfs
+#                    match (as described above), otherwise 0.
 #   no-model-mode=success [ success, fail ] - return value if model filter
 #                                             is not enabled:
 #     success: Return 0.
 #     fail:    Return 1.
 # $2 - whether model filter is engaged (if it is not '1', just return the result
-#      based on "mode" value that assumes that the check has failed).
+#      based on "no-model-mode" value).
 check_dmi_val()
 {
-	local key= val= mode='success-equal' nm_mode='success'
+	local key= val= keyval= keyvals= mode='success-equal' nm_mode='success'
 	local opts="${1:-}" opt= opt_=
 	local match_model="${2:-0}"

@ -305,21 +314,44 @@ check_dmi_val()
 		# Handle possible quoting
 		[ "x${opt#val=}" = "x${opt}" ] || {
 			case "${opt#val=}" in
-			[']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val=\'${val}\'" ;;
-			["]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;;
+			[\']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val='${val}'" ;;
+			[\"]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;;
 			*)    val="${opt#val=}" ;;
 			esac
 		}
+		[ "x${opt#keyval=}" = "x${opt}" ] || {
+			case "${opt#keyval=}" in
+			[\']*)
+				opt_="${opts#keyval=\'}"
+				keyval="${opt_%%\'*}"
+				opt="keyval='${keyval}'"
+				keyvals="${keyvals}
+					${keyval}"
+				;;
+			[\"]*)
+				opt_="${opts#keyval=\"}"
+				keyval="${opt_%%\"*}"
+				opt="keyval=\"${keyval}\""
+				keyvals="${keyvals}
+					${keyval}"
+				;;
+			*)
+				keyvals="${keyvals}
+					${opt#keyval=}"
+				;;
+			esac
+		}

 		opts="${opts#"${opt}"}"
 		continue
 	done

-	# Check key for validity
-	[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
-		debug "Invalid \"key\" parameter value: \"${key}\""
+	[ -z "$key" -a -z "$val" ] || keyvals="${key}=${val}${keyvals}"
+
+	[ -n "x${keyvals}" ] || {
+		debug "Neither key=, val=, nor keyval= parameters were privoded"
 		echo 2
-		exit
+		return
 	}

 	[ 1 = "$match_model" ] || {
@ -332,23 +364,171 @@ check_dmi_val()
 			;;
 		esac

-		exit
+		return
+	}
+
+	case "$mode" in
+	success-equal|fail-equal) ;;
+	*) debug "Invalid mode value: \"${nm_mode}\""; echo 2; return ;;
+	esac
+
+	printf "%s\n" "${keyvals}" | (
+		while read l; do
+			[ -n "$l" ] || continue
+			key="${l%%[=:]*}"
+			val="${l#${key}[=:]}"
+
+			cmp="="
+			[ "x${key%!}" = "x${key}" ] || {
+				cmp="!="
+				key="${key%!}"
+			}
+
+			# Check key for validity
+			[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
+				debug "Invalid \"key\" parameter value: \"${key}\""
+				echo 2
+				return
 			}

 			[ -r "/sys/devices/virtual/dmi/id/${key}" ] || {
 				debug "Can't access /sys/devices/virtual/dmi/id/${key}"
 				echo 3
-		exit
+				return
 			}

 			file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")"

-	[ "x${val}" = "x${file_val}" ] || success=0
+			[ "x${val}" "${cmp}" "x${file_val}" ] || {
+				case "$mode" in
+				success-equal) echo 1 ;;
+				fail-equal)    echo 0 ;;
+				esac
+
+				return
+			}
+		done

 		case "$mode" in
-	success-equal) echo "$((1 - $success))" ;;
-	fail-equal)    echo "${success}" ;;
-	*)             debug "Invalid mode value: \"${nm_mode}\""; echo 2 ;;
+		success-equal) echo 0 ;;
+		fail-equal)    echo 1 ;;
+		esac
+	)
+}
+
+# check_dependency CURLEVEL DEP_TYPE DEP_NAME OPTS
+# DEP_TYPE:
+#   required - caveat can be enabled only if dependency is enabled
+#              (is not forcefully disabled and meets caveat conditions)
+# OPTS:
+#   match-model-mode=same [ on, off, same ] - what mode matching mode is to be used for dependency
+#   skip=skip [ fail, skip, success ]
+#   force-skip=skip [ fail, skip, success ]
+#   nesting-too-deep=fail [ fail, skip, success ]
+# Return values:
+#   0 - success
+#   1 - fail
+#   2 - skip
+#   9 - error
+check_dependency()
+{
+	local cur_level="$1"
+	local dep_type="$2"
+	local dep_name="$3"
+	local match_model_mode=same old_match_model="${match_model}"
+	local skip=skip
+	local force_skip=skip
+	local nesting_too_deep=fail
+
+	local check="Dependency check for ${dep_type} ${dep_name}"
+
+	set -- ${4:-}
+	while [ "$#" -gt 0 ]; do
+		[ "x${1#match-model-mode=}" = "x${1}" ] || match_model_mode="${1#match-model-mode=}"
+		[ "x${1#skip=}" = "x${1}" ] || skip="${1#skip=}"
+		[ "x${1#force-skip=}" = "x${1}" ] || force_skip="${1#force-skip=}"
+		[ "x${1#nesting-too-deep=}" = "x${1}" ] || nesting_too_deep="${1#nesting-too-deep=}"
+
+		shift
+	done
+
+	case "${dep_type}" in
+	required)
+		[ "x${dep_name%/*}" = "x${dep_name}" ] || {
+			debug "${check} error: dependency name (${dep_name})" \
+			      "cannot contain slashes"
+			echo 9
+			return
+		}
+
+		[ "${MAX_NESTING_LEVEL}" -ge "$cur_level" ] || {
+			local reason="nesting level is too deep (${cur_level}) and nesting-too-deep='${nesting_too_deep}'"
+
+			case "$nesting_too_deep" in
+			success) debug "${check} succeeded: ${reason}"; echo 0 ;;
+			fail)    debug "${check} failed: ${reason}"; echo 1 ;;
+			skip)    debug "${check} skipped: ${reason}"; echo 2 ;;
+			*)       debug "${check} error: invalid" \
+				       "nesting-too-deep mode" \
+				       "(${nesting_too_deep})"; echo 9 ;;
+			esac
+
+			return
+		}
+
+		case "${match_model_mode}" in
+		same) ;;
+		on)   match_model=1 ;;
+		off)  match_model=0 ;;
+		*)
+			debug "${check} error: invalid match-model-mode" \
+			      "(${match_model_mode})"
+			echo 9
+			return
+			;;
+		esac
+
+		local result=0
+		debug "${check}: calling check_caveat '${dep_name}'" \
+		      "'$(($cur_level + 1))' match_model=${match_model}"
+		check_caveat "${dep_name}" "$(($cur_level + 1))" > /dev/null || result="$?"
+
+		match_model="${old_match_model}"
+
+		case "${result}" in
+		0) debug "${check} succeeded: result=${result}"; echo "${result}" ;;
+		1) debug "${check} failed: result=${result}"; echo "${result}" ;;
+		2)
+			local reason="result=${result} and skip='${skip}'"
+
+			case "${skip}" in
+			success) debug "${check} succeeded: ${reason}"; echo 0 ;;
+			fail)    debug "${check} failed: ${reason}"; echo 1 ;;
+			skip)    debug "${check} skipped: ${reason}"; echo 2 ;;
+			*)       debug "${check} error: unexpected skip=" \
+				       "setting (${skip})"; echo 9 ;;
+			esac
+			;;
+		3)
+			local reason="result=${result} and force_skip='${force_skip}'"
+
+			case "${force_skip}" in
+			success) debug "${check} succeeded: ${reason}"; echo 0 ;;
+			fail)    debug "${check} failed: ${reason}"; echo 1 ;;
+			skip)    debug "${check} skipped: ${reason}"; echo 2 ;;
+			*)       debug "${check} error: unexpected force-skip=" \
+				       "setting (${skip})"; echo 9 ;;
+			esac
+			;;
+		*)
+			debug "${check} error: unexpected check_caveat result" \
+			      "(${result})"; echo 9 ;;
+		esac
+		;;
+	*)
+		debug "${check} error: unknown dependency type '${dep_type}'"
+		echo 9
+		;;
 	esac
 }

@ -400,23 +580,6 @@ get_mc_ver()
 	/bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
 }

-# fail [CHECK_ONLY]
-fail()
-{
-	check_only="${1:-0}"
-	[ 0 = "$check_only" ] || return
-
-	ret=1
-
-	fail_cfgs="$fail_cfgs $cfg"
-	fail_paths="$fail_paths $cfg_path"
-
-	[ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \
-		|| /bin/cat "${dir}/disclaimer"
-}
-
-#check_kver "$@"
-#get_model_name

 match_model=0
 configs=
@ -477,22 +640,21 @@ else
 	stage="late"
 fi

-# check_caveat CFG [CHECK_ONLY]
+# check_caveat CFG [CHECK_LEVEL]
 # changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs,
-# skip_cfgs if CHECK_ONLY is set to 0 (default).
+# skip_cfgs if CHECK_LEVEL is set to 0 (default).
+# CHECK_LEVEL is used for recursive configuration dependency checks,
+# and indicates nesting level.
 # Return value:
 #  0 - check is successful
 #  1 - check has been failed
 #  2 - configuration has been skipped
+#  3 - configuration has been skipped due to presence of an override file
 check_caveat() {
 	local cfg="$1"
-	local check_only="${2:-0}"
+	local check_level="${2:-0}"
 	local dir="$MC_CAVEATS_DATA_DIR/$cfg"

-	# We add cfg to the skip list first and then, if we do not skip it,
-	# we remove the configuration from the list.
-	[ 0 != "$check_only" ] || skip_cfgs="$skip_cfgs $cfg"
-
 	[ -r "${dir}/readme" ] || {
 		debug "File 'readme' in ${dir} is not found, skipping"
 		return 2
@ -512,6 +674,7 @@ check_caveat() {
 	local cfg_disable=
 	local cfg_pci=
 	local cfg_dmi=
+	local cfg_dependency=

 	local key
 	local value
@ -547,6 +710,10 @@ check_caveat() {
 			cfg_dmi="$cfg_dmi
 				$value"
 			;;
+		dependency)
+			cfg_dependency="$cfg_dependency
+				$value"
+			;;
 		'#'*|'')
 			continue
 			;;
@ -558,6 +725,7 @@ check_caveat() {
 	done < "${dir}/config"

 	debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'"
+	echo "$cfg_path"

 	# Check for override files in the following order:
 	#  - disallow early/late specific caveat for specific kernel
@ -619,7 +787,7 @@ check_caveat() {
 	[ 0 -eq "$ignore_cfg" ] || {
 		debug "Configuration \"$cfg\" is ignored due to presence of" \
 		      "\"$override_file\"."
-		return 2
+		return 3
 	}

 	# Check model if model filter is enabled
@ -667,29 +835,51 @@ check_caveat() {
 		}
 	fi

-	# Check configuration files
-
-	[ 0 != "$check_only" ] || {
-		ret_cfgs="$ret_cfgs $cfg"
-		ret_paths="$ret_paths $cfg_path"
-		skip_cfgs="${skip_cfgs% $cfg}"
-	}
-
+	# Has to be performed before dependency checks
 	[ 0 -eq "$force_cfg" ] || {
 		debug "Checks for configuration \"$cfg\" are ignored due to" \
 		      "presence of \"$override_file\"."

-		[ 0 != "$check_only" ] || {
-			ok_cfgs="$ok_cfgs $cfg"
-			ok_paths="$ok_paths $cfg_path"
-		}
-
 		return 0
 	}

+	# Check dependencies
+	# It has to be performed here (before adding configuration
+	# to $ret_cfgs/$ret_paths) since it may be skipped.
+	if [ -n "$cfg_dependency" ]; then
+		dep_line="$(printf "%s\n" "$cfg_dependency" | \
+			while read -r dep_type dep_name dep_opts
+			do
+				[ -n "$dep_type" ] || continue
+				dep_res=$(check_dependency "$check_level" \
+							   "$dep_type" \
+							   "$dep_name" \
+							   "$dep_opts")
+				[ 0 != "$dep_res" ] || continue
+				echo "$dep_res $dep_type $dep_name $dep_opts"
+				break
+			done
+			echo "0 ")"
+
+		case "${dep_line%% *}" in
+		0) ;;
+		2)
+			debug "Dependency check '${dep_line#* }'" \
+			      "induced configuration skip"
+			return 2
+			;;
+		*)
+			debug "Dependency check '${dep_line#* }'" \
+			      "failed (with return code ${dep_line%% *})"
+			return 1
+			;;
+		esac
+	fi
+
+	# Check configuration files
+
 	[ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || {
 		debug "${cfg}: caveat is disabled in configuration"
-		fail "$check_only"
 		return 1
 	}

@ -698,7 +888,6 @@ check_caveat() {
 		check_kver "$kver" $cfg_kvers || {
 			debug "${cfg}: late load kernel version check for" \
 			      " '$kver' against '$cfg_kvers' failed"
-			fail "$check_only"
 			return 1
 		}
 	fi
@ -708,7 +897,6 @@ check_caveat() {
 		check_kver "$kver" $cfg_kvers_early || {
 			debug "${cfg}: early load kernel version check for" \
 			      "'$kver' against '$cfg_kvers_early' failed"
-			fail "$check_only"
 			return 1
 		}
 	fi
@ -722,7 +910,6 @@ check_caveat() {
 			debug "${cfg}: CPU microcode version $cpu_mc_ver" \
 			      "failed check (should be at least" \
 			      "${cfg_mc_min_ver_late})"
-			fail "$check_only"
 			return 1
 		}
 	fi
@ -744,14 +931,14 @@ check_caveat() {
 		[ -z "${pci_line#* }" ] || {
 			debug "PCI configuration word check '${pci_line#* }'" \
 			      "failed (with return code ${pci_line%% *})"
-			fail "$check_only"
 			return 1
 		}
 	fi

 	# Check DMI data if model filter is enabled
-	# Note that the model filter check is done inside check_pci_config_val
-	# based on the 'mode=' parameter.
+	# Note that the model filter check is done inside check_dmi_val
+	# (which returns the value of 'no-model-mode=' parameter
+	# if it is disenaged).
 	if [ -n "$cfg_dmi" ]; then
 		dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line
 			do
@ -767,21 +954,43 @@ check_caveat() {
 		[ -z "${dmi_line#* }" ] || {
 			debug "DMI data check '${dmi_line#* }'" \
 			      "failed (with return code ${dmi_line%% *})"
-			fail "$check_only"
 			return 1
 		}
 	fi

-	[ 0 != "$check_only" ] || {
-		ok_cfgs="$ok_cfgs $cfg"
-		ok_paths="$ok_paths $cfg_path"
-	}
-
 	return 0
 }

 for cfg in $(echo "${configs}"); do
-	check_caveat "$cfg" || :
+	if cfg_path=$(check_caveat "$cfg"; exit "$?")
+	then
+		ret_cfgs="$ret_cfgs $cfg"
+		ret_paths="$ret_paths $cfg_path"
+		ok_cfgs="$ok_cfgs $cfg"
+		ok_paths="$ok_paths $cfg_path"
+	else
+		case "$?" in
+		1)
+			ret=1
+
+			ret_cfgs="$ret_cfgs $cfg"
+			ret_paths="$ret_paths $cfg_path"
+			fail_cfgs="$fail_cfgs $cfg"
+			fail_paths="$fail_paths $cfg_path"
+
+			[ 0 -eq "$print_disclaimers" ] \
+				|| [ ! -e "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" ] \
+				|| /bin/cat "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer"
+			;;
+		2|3)
+			skip_cfgs="$skip_cfgs $cfg";
+			;;
+		*)
+			debug "Unexpected check_caveat return code '$?'" \
+			      "for config '$cfg'"
+			;;
+		esac
+	fi
 done

 [ 0 -eq "$print_disclaimers" ] || exit 0
--- a/SOURCES/codenames.list
+++ b/SOURCES/codenames.list
@ -305,7 +305,7 @@ Mobile;;Comet Lake;R1;20;a0652;CML;H;Core Gen10 Mobile;
 Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop;
 Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop;
 Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile;
-Mobile;;Comet Lake;K0;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile;
+Mobile;;Comet Lake;K1;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile;
 Desktop;;Rocket Lake;B0;02;a0671;RKL;S;Core Gen11;
 SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology;

--- a/SPECS/microcode_ctl.spec
+++ b/SPECS/microcode_ctl.spec
@ -1,4 +1,4 @@
-%define intel_ucode_version 20210525
+%define intel_ucode_version 20210608
 %global debug_package %{nil}

 %define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats
@ -17,8 +17,7 @@ Release:        1.%{intel_ucode_version}.1%{?dist}
 Epoch:          4
 License:        CC0 and Redistributable, no modification permitted
 URL:            https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
-#Source0:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
-Source0:        microcode-%{intel_ucode_version}.tar.gz
+Source0:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz

 # (Pre-MDS) revision 0x714 of 06-2d-07 microcode
 Source2:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07
@ -113,6 +112,7 @@ Source171:      06-8e-9e-0x-dell_config
 Source172:      06-8e-9e-0x-dell_disclaimer

 # TGL-UP3/UP4 (CPUID 06-8c-01) hangs
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
 Source180:      06-8c-01_readme
 Source181:      06-8c-01_config
 Source182:      06-8c-01_disclaimer
@ -544,6 +544,17 @@ rm -rf %{buildroot}


 %changelog
+* Thu Jul 22 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210216-1.20210608.1
+- Update Intel CPU microcode to microcode-20210608 release:
+  - Fixes in releasenote.md file.
+
+* Thu Jul 22 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210216-1.20210525.2
+- Make intel-06-2d-07, intel-06-4e-03, intel-06-4f-01, intel-06-55-04,
+  intel-06-5e-03, intel-06-8c-01, intel-06-8e-9e-0x-0xca,
+  and intel-06-8e-9e-0x-dell caveats dependent on intel caveat.
+- Enable 06-8c-01 microcode update by default (#1972328).
+- Enable 06-5e-03 microcode update by default (#1972325).
+
 * Thu May 27 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210216-1.20210525.1
 - Update Intel CPU microcode to microcode-20210525 release, addresses
  CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, and CVE-2020-24513