import microcode_ctl-20210216-1.20210608.1.el8_4

CentOS Sources 2021-08-09 05:26:03 -04:00 committed by Andrew Lukoshko
parent d869867268
commit 3033a4c08c
19 changed files with 529 additions and 202 deletions

.gitignore

@ -4,4 +4,4 @@ SOURCES/06-55-04
SOURCES/06-5e-03
SOURCES/microcode-20190918.tar.gz
SOURCES/microcode-20191115.tar.gz
SOURCES/microcode-20210525.tar.gz
SOURCES/microcode-20210608.tar.gz


@ -4,4 +4,4 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
000cb9ab3260786611f3481bf82d3c32506e91ae SOURCES/microcode-20210525.tar.gz
68f7344d874d50f4c8d836f01abc497707d0baa2 SOURCES/microcode-20210608.tar.gz


@ -1,13 +1,3 @@
model GenuineIntel 06-2d-07
path intel-ucode/06-2d-07
## The "kernel_early" statements are carried over from the intel caveat config
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1
dependency required intel
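Review bot: with the six kernel_early lines and the comment block that justified their duplication removed, the 06-2d-07 configuration now depends entirely on `dependency required intel` to keep the newer microcode off the listed kernels; the removed comment explicitly said the caveat "has to be enforced separately on these kernels", so the commit message (or a one-line comment left in place of the block) should state that the dependency mechanism now provides that enforcement, otherwise a reader comparing old and new configs will assume the exclusions were simply dropped.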


@ -1,3 +1,4 @@
model GenuineIntel 06-4e-03
path intel-ucode/06-4e-03
dependency required intel
disable early late


@ -41,6 +41,11 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding enforcing microcode update is provided below.


@ -11,11 +11,5 @@ kernel 2.6.32-573.58.1
kernel 2.6.32-504.71.1
kernel 2.6.32-431.90.1
kernel 2.6.32-358.90.1
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1
mc_min_ver_late 0xb000019
dependency required intel skip=success match-model-mode=off
disable early late
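Review bot: this configuration ends with both `dependency required intel skip=success match-model-mode=off` and `disable early late`; since `disable early late` already blocks both load paths, a short comment stating what the dependency line is still expected to contribute (presumably propagation of a forced skip of the "intel" caveat, per the force-skip=skip default documented in the README hunk of this commit) would save the next reader from wondering whether one of the two lines is stale.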


@ -28,6 +28,11 @@ to the following knowledge base articles:
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding enforcing microcode load is provided below.


@ -9,14 +9,4 @@ path intel-ucode/06-55-04
## are provided for speeding up the search only, VID:DID is the real selector.
## Commented out since revision 0x2006906 seems to fix the issue.
#pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
## The "kernel_early" statements are carried over from the intel caveat config
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1
dependency required intel


@ -47,6 +47,11 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding disabling microcode update is provided below.


@ -1,3 +1,3 @@
model GenuineIntel 06-5e-03
path intel-ucode/06-5e-03
disable early late
dependency required intel


@ -1,12 +1,15 @@
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) have reports of possible system hangs when revision 0xdc
stepping 3) had reports of possible system hangs when revision 0xdc
of microcode, that is included in microcode-20200609 update to address
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, is applied[1]. In order
to address this, microcode update to the newer revision has been disabled
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order
to address this, microcode updates to the newer revision had been disabled
by default on these systems, and the previously published microcode revision
0xd6 is used by default for the OS-driven microcode update.
0xd6 was used by default for the OS-driven microcode update. The revision
0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
For the reference, SHA1 checksums of 06-5e-03 microcode files containing
microcode revisions in question are listed below:
@ -41,32 +44,33 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding enforcing microcode update is provided below.
The information regarding disabling microcode update is provided below.
To enforce usage of the latest 06-5e-03 microcode revision for a specific kernel
version, please create a file "force-intel-06-5e-03" inside
To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
version, please create a file "disallow-intel-06-5e-03" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
where microcode will be available for late microcode update, and run
"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
where microcode is available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated and the microcode can be loaded early, for example:
is regenerated, for example:
touch /lib/firmware/3.10.0-862.9.1/force-intel-06-5e-03
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
/usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1
After that, it is possible to perform a late microcode update by executing
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
"/sys/devices/system/cpu/microcode/reload" directly.
To enforce addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03", run
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
and "dracut -f --regenerate-all" for enabling early microcode updates:
To avoid addition of the latest microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
/usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all
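Review bot: "to remove it to firmware directory" is ungrammatical; the 06-8c-01 readme later in this commit phrases the same step as "to remove it from the firmware directory where microcode is available for late microcode update", so use that wording here as well. The two readmes also describe the same procedure differently ("To prevent usage of the latest 06-5e-03 microcode revision" here versus "To disable 06-8c-01 microcode updates" there); pick one phrasing for both caveats. "For the reference, SHA1 checksums" should read "For reference".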


@ -1,3 +1,3 @@
model GenuineIntel 06-8c-01
path intel-ucode/06-8c-01
disable early late
dependency required intel skip=success match-model-mode=off
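Review bot: the dependency line here is `dependency required intel skip=success match-model-mode=off`, whereas the 06-2d-07, 06-55-04, 06-5e-03 and Dell configurations in this commit use the bare `dependency required intel` (which per the README hunk defaults to match-model-mode=same and skip=skip). If the difference is intentional, a one-line comment in this config explaining why the caveat must ignore the model filter and treat a skipped "intel" check as success would help; if not, the options should be aligned across the configs.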


@ -1,7 +1,9 @@
Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
have reports of system hangs when a microcode update, that is included
since microcode-20201110 update, is applied[1]. In order to address this,
microcode update has been disabled by default on these systems.
had reports of system hangs when a microcode update, that was included
since microcode-20201110 update, was applied[1]. In order to address this,
microcode update had been disabled by default on these systems. The revision
0x88 seems to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
@ -11,33 +13,40 @@ microcode revisions in question are listed below:
* 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version.
the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding enforcing microcode update is provided below.
The information regarding disabling microcode update is provided below.
To enforce usage of the latest 06-8c-01 microcode revision for a specific kernel
version, please create a file "force-intel-06-8c-01" inside
To disable 06-8c-01 microcode updates for a specific kernel
version, please create a file "disallow-intel-06-8c-01" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
where microcode will be available for late microcode update, and run
"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
directory where microcode is available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated and the microcode can be loaded early, for example:
is regenerated, for example:
touch /lib/firmware/3.10.0-862.9.1/force-intel-06-8c-01
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
/usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1
After that, it is possible to perform a late microcode update by executing
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
"/sys/devices/system/cpu/microcode/reload" directly.
To enforce addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01", run
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
and "dracut -f --regenerate-all" for enabling early microcode updates:
To avoid addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
/usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all
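Review bot: "The revision 0x88 seems to have fixed the aforementioned issue" carries no citation, while the parallel 06-5e-03 readme backs the same kind of claim with a [2] link to the upstream issue comment; add the corresponding reference for 0x88 so the decision to enable it by default is traceable from the documentation.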


@ -1,4 +1,5 @@
path intel-ucode/*
vendor GenuineIntel
dmi mode=fail-equal key=bios_vendor val="Dell Inc."
dependency required intel
disable early late


@ -4,14 +4,4 @@ vendor GenuineIntel
## in cases where no model filter is used is too broad, hence
## no-model-mode=success.
dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc."
## The "kernel_early" statements are carried over from the intel caveat config
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1
dependency required intel


@ -269,8 +269,9 @@ separated by white space. Currently, the following options are supported:
it fails (in accordance with "mode=success-all" semantics). This check fails
if "-m" option is not specified.
* "dmi" performs checks for specific values available in DMI sysfs files
(present under /sys/devices/virtual/dmi/id/). The check fails if file
is not readable. If "-m" option is specified, then the actual check
(present under /sys/devices/virtual/dmi/id/). The check (when it is actually
performed; see a not about "no-model-mode" below) fails if one of the files
is not readable. If "-m" option is not specified, then the actual check
is skipped, and the check returns value in accordance with "no-model-mode"
parameter value (see below). Check arguments are a white-space-separated
list of "key=value" pairs. The following keys are supported:
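Review bot: "see a not about "no-model-mode" below" should read "see a note about". The rewritten sentence also says the check "fails if one of the files is not readable", while the check_dmi_val hunk in this commit reports that condition with `echo 3` rather than the failure value 1; saying the check "reports an error" would match the script.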
@ -280,17 +281,30 @@ separated by white space. Currently, the following options are supported:
chassis_type, chassis_vendor, chassis_version, product_family,
product_name, product_serial, product_uuid, product_version, sys_vendor.
Default is empty string.
* "val" - a string to match DMI data against. Can be enclosed in single
or double quotes. Default is empty string.
* "mode" - check mode, the way matches are interpreted:
* "val" - a string to match DMI data present in "key" against.
Can be enclosed in single or double quotes. Default is empty string.
* "keyval" - a pair of "key" and "val" values (with semantics described
above), separated with either "=", ":", "!=", or "!:" characters. Enables
providing of multiple key-value pairs by means of supplying multiple
keyval= parameters. The exclamation sign ("!") character in separator
enables negated matching (so, non-equality of the value in DMI "key" file
and the value of "val" is). The match considered successful when all
the key/val (non-)equalities are in effect. This parameter works
in addition to the pair provided in "key" and "val" parameters
(but allows to avoid using them). Default is empty.
* "mode" - check mode, the way successful matches are interpreted:
* "success-equal" - returns 0 if the value present in the file
with the name supplied via the "key" parameter file under
/sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
of "val" parameter, otherwise 1.
* "success-equal" - returns 1 if the value present in the file
of "val" parameter and all the pairs provided in "keyval" parameters
are equal and non-equal in accordance with their definition,
otherwise 1.
* "fail-equal" - returns 1 if the value present in the file
with the name supplied via the "key" parameter file under
/sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
of "val" parameter, otherwise 0.
of "val" parameter and all the pairs provided in "keyval" parameters
are equal and non-equal in accordance with their definition,
otherwise 0.
Default is "success-any".
* "no-model-mode" - return value if model filter ("-m" option)
is not enabled:
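Review bot: the "success-equal" entry as rendered reads "returns 1 if the value present in the file ... otherwise 1", which makes both outcomes 1; it should be "returns 0 if ... otherwise 1", mirroring the "fail-equal" entry ("returns 1 if ... otherwise 0"). Two more items in this hunk: the parenthetical in the "keyval" entry, "(so, non-equality of the value in DMI "key" file and the value of "val" is)", is an unfinished sentence and should say what is considered a match; and the unchanged "Default is "success-any"." names a mode that is not among the documented ones (success-equal, fail-equal), whereas the check_dmi_val comment in the script hunk of this commit gives success-equal as the default.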
@ -302,6 +316,61 @@ separated by white space. Currently, the following options are supported:
It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its
content is "Dell Inc." (without quotes). It succeeds if "-m" option
is not enabled.
Another example:
dmi mode=fail-equal keyval="sys_vendor=Amazon EC2" keyval="product_name=u-18tb1.metal"
dmi mode=fail-equal keyval="sys_vendor=Lenovo" keyval="product_name=ThinkSystem SR950"
It blocks the caveat from using when either both
/sys/devices/virtual/dmi/id/sys_vendor contains the string "Amazon EC2"
and /sys/devices/virtual/dmi/id/product_name contains the string
"u-18tb1.metal" or both /sys/devices/virtual/dmi/id/sys_vendor contains
the string "Lenovo" and /sys/devices/virtual/dmi/id/product_name contains
the string "ThinkSystem SR950", but enables caveat loading for other products
with the aforementioned /sys/devices/virtual/dmi/id/sys_vendor values,
for example.
* "dependency" allows conditional enablement of a caveat based on the check
status of some other caveat(s). It has the following format:
dependency DEPENDENCY_TYPE DEPENDENCY_NAME [OPTION...]
where DEPENDENCY_NAME is the configuration to be checked, OPTIONs
are per-DEPENDENCY_TYPE, and the only DEPENDENCY_TYPE that is supported
currently is "required".
Options for the "required" dependency type:
* "match-model-mode" - whether model matching mode ("-m" option)
has to be used for the nested configuration check. Possible values:
* "on" - model-matching mode is always used during the nested check;
* "off" - model-matching mode is never used during the nested check;
* "same" - used the same model-matching mode as it is now.
Default is "same".
* "skip" - controls result of the check when the nested check indicated
skipping of the configuration.
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "skip".
* "force-skip" - controls result of the check when the nested check
indicated skipping of the configuration caused by the presence
of an override file (see "check_caveats script" section for details).
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "skip".
* "nesting-too-deep" - as a measure against dependency loop, configuration
checking logic implements nesting limit on dependency checks (currently
set at 8). This option controls the behaviour of the check
when the nested check cannot be performed due to this limit.
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "fail".
An example of a check:
dependency required intel skip=success match-model-mode=off
It checks "intel" caveat configuration (see the "Early microcode load
inside a virtual machine" section) with model-matching mode being disabled,
treats skipping of the configuration as a success (unless the configuration
is forced to be skipped, in that case the dependent configuration
is to be skipped as well).
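Review bot: "It blocks the caveat from using when either both ..." in the dmi example should be "It prevents the caveat from being used when either both ..."; in the "match-model-mode" list, ""same" - used the same model-matching mode as it is now" should read "uses". In the "skip" option description, "controls result of the check when the nested check indicated skipping" would read better as "controls the result of the check when the nested check indicates skipping" (and likewise for "force-skip").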
check_caveats script
@ -538,6 +607,8 @@ Caveat name: intel-06-4f-01
Affected microcode: intel-ucode/06-4f-01.
Dependencies: intel
Mitigation: microcode loading is disabled for the affected CPU model.
Minimum versions of the kernel package that contain the aforementioned patch
@ -566,6 +637,8 @@ Caveat name: intel
Affected microcode: all.
Dependencies: (none)
Mitigation: early microcode loading is disabled for all CPU models on kernels
without the fix.
@ -602,6 +675,8 @@ Caveat name: intel-06-2d-07
Affected microcode: intel-ucode/06-2d-07.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0x714 is still available as a fallback
as part of "intel" caveat.
@ -631,35 +706,64 @@ Caveat name: intel-06-55-04
Affected microcode: intel-ucode/06-55-04.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0x2000064 is still available
as a fallback as part of "intel" caveat.
Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats
----------------------------------------
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3;
and SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of system
hangs when revision 0xdc of microcode, that is included in microcode-20200609
update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549,
is applied[1][2]. In order to address this, microcode update to the newer
revision has been disabled by default on these systems, and the previously
published microcode revision 0xd6 is used instead; the newer microcode files,
however, are still shipped as part of microcode_ctl package and can be used
for performing a microcode update if they are enforced via the aforementioned
overrides. (See the sections "check_caveats script" and "reload_microcode
script" for details.)
Intel Skylake-U/Y caveat
------------------------
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
have reports of system hangs when revision 0xdc of microcode, that is included
in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
and CVE-2020-0549, is applied[1]. In order to address this, microcode update
to the newer revision has been disabled by default on these systems,
and the previously published microcode revision 0xd6 is used instead; the newer
microcode files, however, are still shipped as part of microcode_ctl package
and can be used for performing a microcode update if they are enforced
via the aforementioned overrides. (See the sections "check_caveats script"
and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
Caveat names: intel-06-4e-03, intel-06-5e-03
Caveat name: intel-06-4e-03
Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03.
Affected microcode: intel-ucode/06-4e-03
Dependencies: intel
Mitigation: previously published microcode revision 0xd6 is used by default.
Intel Skylake-H/S/Xeon E3 v5 caveat
-----------------------------------
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) had reports of system hangs when revision 0xdc of microcode,
that is included in microcode-20200609 update to address CVE-2020-0543,
CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order to address this,
microcode update to the newer revision had been disabled by default on these
systems, and the previously published microcode revision 0xd6 was used instead.
The revision 0xea seems[2] to have fixed the aforementioned issue, hence
the latest microcode revision usage it is enabled by default,
but can be disabled explicitly via the aforementioned overrides. (See
the sections "check_caveats script" and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
Caveat names: intel-06-5e-03
Affected microcode: intel-ucode/06-5e-03.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0xd6 is still available as a fallback
as part of "intel" caveat.
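Review bot: "hence the latest microcode revision usage it is enabled by default" is garbled; suggest "hence the latest microcode revision is enabled by default". Also "Caveat names: intel-06-5e-03" lists a single caveat (compare "Caveat name: intel-06-4e-03" just above), and "Affected microcode: intel-ucode/06-4e-03" lost the trailing period that the other entries keep.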
Dell caveats
------------
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
@ -688,6 +792,8 @@ Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a,
intel-ucode/06-9e-0b, intel-ucode/06-9e-0c,
intel-ucode/06-9e-0d.
Dependencies: intel
Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
by default if /sys/devices/virtual/dmi/id/bios_vendor reports
"Dell Inc."; otherwise, the latest microcode revision is used.
@ -698,12 +804,12 @@ Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
Intel Tiger Lake-UP3/UP4 caveat
-------------------------------
Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140,
stepping 1) have reports of system hangs when a microcode update,
that is included since microcode-20201110 release, is applied[1].
In order to address this, microcode update to a newer revision has been disabled
by default on these systems; the newer microcode file, however, is still shipped
as a part of microcode_ctl package and can be used for performing a microcode
update if it is enforced via the aforementioned overrides. (See the sections
stepping 1) had reports of system hangs when a microcode update,
that was included since microcode-20201110 release, was applied[1].
In order to address this, microcode update to a newer revision had been disabled
by default on these systems. The revision 0x88 seems to have fixed
the aforementioned issue, hence it is enabled by default; however, it is still
can be disabled via the aforementioned overrides. (See the sections
"check_caveats script" and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
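Review bot: "however, it is still can be disabled via the aforementioned overrides" should be "however, it can still be disabled via the aforementioned overrides". As in the 06-8c-01 readme hunk, the statement that revision 0x88 fixed the hang has no reference, unlike the Skylake paragraph's [2]; add the upstream issue reference here too.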
@ -712,7 +818,9 @@ Caveat names: intel-06-8c-01
Affected microcode: intel-ucode/06-8c-01.
Mitigation: microcode loading is disabled for the affected CPU model.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default.
@ -747,3 +855,8 @@ Intel CPU vulnerabilities is available in the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171


@ -9,6 +9,8 @@
: ${FW_DIR=/lib/firmware}
: ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}
MAX_NESTING_LEVEL=8
usage() {
echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]'
echo ' [-m] [-v]'
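Review bot: `MAX_NESTING_LEVEL=8` is a plain assignment while the settings right above it use the overridable `: ${FW_DIR=...}` form; either use the same form so the limit can be lowered from the environment when testing dependency loops, or add a comment noting that the README's "(currently set at 8)" in the "nesting-too-deep" description must be updated together with this constant.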
@ -261,7 +263,7 @@ check_pci_config_val()
# It is needed for filtering by BIOS vendor name that is available in DMI data
#
# $1 - params in config file, space-separated, in key=value form:
# key= - DMI value to check. Can be one of the following: bios_date,
# key= - DMI data record to check. Can be one of the following: bios_date,
# bios_vendor, bios_version, board_asset_tag, board_name, board_serial,
# board_vendor, board_version, chassis_asset_tag, chassis_serial,
# chassis_type, chassis_vendor, chassis_version, product_family,
@ -269,24 +271,31 @@ check_pci_config_val()
# sys_vendor.
# val= - a string to match DMI data against. Can be enclosed in single
# or double quotes.
# keyval= - a string of format "KEY(!)?[=:]VAL" (so, one of "KEY=VAL",
# "KEY!=VAL", "KEY:VAL", "KEY!:VAL") that allows providing
# a key-value pair in a single parameter. It is possible to provide
# multiple keyval= parameters. "!" before :/= means negated match.
# The action supplied in the mode= parameter is executed upon
# successful (non-)matching of all the keyval pairs (as well
# as the pair provided in a pair of key= and val= parameters).
# mode=success-equal [ success-equal, fail-equal ] - matching mode:
# success-equal: Returns 0 if the value present in the corresponding file
# under /sys/devices/virtual/dmi/id/<key> is equal
# to the value supplied as a value of "val" parameter,
# otherwise 1.
# fail-equal: Returns 1 if the value present in the corresponding file
# under /sys/devices/virtual/dmi/id/<key> is equal
# to the value supplied as a value of "val" parameter,
# otherwise 0.
# success-equal: Returns 0 if the all values present in the corresponding
# files under /sys/devices/virtual/dmi/id/<KEY> are equal
# (or not equal in case of a keyval= with negated match)
# to the respective values supplied as the values
# of the keyval= parameters or the pair of key= vand val=
# parameters, otherwise 1.
# fail-equal: Returns 1 if all the values present in DMI files in sysfs
# match (as described above), otherwise 0.
# no-model-mode=success [ success, fail ] - return value if model filter
# is not enabled:
# success: Return 0.
# fail: Return 1.
# $2 - whether model filter is engaged (if it is not '1', just return the result
# based on "mode" value that assumes that the check has failed).
# based on "no-model-mode" value).
check_dmi_val()
{
local key= val= mode='success-equal' nm_mode='success'
local key= val= keyval= keyvals= mode='success-equal' nm_mode='success'
local opts="${1:-}" opt= opt_=
local match_model="${2:-0}"
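Review bot: "the pair of key= vand val= parameters" has a typo ("and"), and "Returns 0 if the all values present" should read "if all the values present". The `$2` comment now correctly refers to "no-model-mode"; good.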
@ -305,21 +314,44 @@ check_dmi_val()
# Handle possible quoting
[ "x${opt#val=}" = "x${opt}" ] || {
case "${opt#val=}" in
[']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val=\'${val}\'" ;;
["]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;;
[\']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val='${val}'" ;;
[\"]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;;
*) val="${opt#val=}" ;;
esac
}
[ "x${opt#keyval=}" = "x${opt}" ] || {
case "${opt#keyval=}" in
[\']*)
opt_="${opts#keyval=\'}"
keyval="${opt_%%\'*}"
opt="keyval='${keyval}'"
keyvals="${keyvals}
${keyval}"
;;
[\"]*)
opt_="${opts#keyval=\"}"
keyval="${opt_%%\"*}"
opt="keyval=\"${keyval}\""
keyvals="${keyvals}
${keyval}"
;;
*)
keyvals="${keyvals}
${opt#keyval=}"
;;
esac
}
opts="${opts#"${opt}"}"
continue
done
# Check key for validity
[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
debug "Invalid \"key\" parameter value: \"${key}\""
[ -z "$key" -a -z "$val" ] || keyvals="${key}=${val}${keyvals}"
[ -n "x${keyvals}" ] || {
debug "Neither key=, val=, nor keyval= parameters were privoded"
echo 2
exit
return
}
[ 1 = "$match_model" ] || {
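Review bot: `[ -n "x${keyvals}" ] || {` can never trigger, because "x${keyvals}" is non-empty even when keyvals is empty; a dmi line with no key=, val= or keyval= therefore passes this guard, the comparison loop matches nothing, and success-equal reports 0 (a match on nothing). Use `[ -n "${keyvals}" ]`. The diagnostic in the same block also misspells "provided" ("privoded"). Note that `keyvals="${key}=${val}${keyvals}"` relies on every entry appended earlier starting with a newline; that holds for all three keyval= branches above, but a comment saying so would make the invariant explicit.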
@ -332,23 +364,171 @@ check_dmi_val()
;;
esac
exit
return
}
[ -r "/sys/devices/virtual/dmi/id/${key}" ] || {
debug "Can't access /sys/devices/virtual/dmi/id/${key}"
echo 3
exit
}
file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")"
[ "x${val}" = "x${file_val}" ] || success=0
case "$mode" in
success-equal) echo "$((1 - $success))" ;;
fail-equal) echo "${success}" ;;
*) debug "Invalid mode value: \"${nm_mode}\""; echo 2 ;;
success-equal|fail-equal) ;;
*) debug "Invalid mode value: \"${nm_mode}\""; echo 2; return ;;
esac
printf "%s\n" "${keyvals}" | (
while read l; do
[ -n "$l" ] || continue
key="${l%%[=:]*}"
val="${l#${key}[=:]}"
cmp="="
[ "x${key%!}" = "x${key}" ] || {
cmp="!="
key="${key%!}"
}
# Check key for validity
[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
debug "Invalid \"key\" parameter value: \"${key}\""
echo 2
return
}
[ -r "/sys/devices/virtual/dmi/id/${key}" ] || {
debug "Can't access /sys/devices/virtual/dmi/id/${key}"
echo 3
return
}
file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")"
[ "x${val}" "${cmp}" "x${file_val}" ] || {
case "$mode" in
success-equal) echo 1 ;;
fail-equal) echo 0 ;;
esac
return
}
done
case "$mode" in
success-equal) echo 0 ;;
fail-equal) echo 1 ;;
esac
)
}
# check_dependency CURLEVEL DEP_TYPE DEP_NAME OPTS
# DEP_TYPE:
# required - caveat can be enabled only if dependency is enabled
# (is not forcefully disabled and meets caveat conditions)
# OPTS:
# match-model-mode=same [ on, off, same ] - what mode matching mode is to be used for dependency
# skip=skip [ fail, skip, success ]
# force-skip=skip [ fail, skip, success ]
# nesting-too-deep=fail [ fail, skip, success ]
# Return values:
# 0 - success
# 1 - fail
# 2 - skip
# 9 - error
check_dependency()
{
local cur_level="$1"
local dep_type="$2"
local dep_name="$3"
local match_model_mode=same old_match_model="${match_model}"
local skip=skip
local force_skip=skip
local nesting_too_deep=fail
local check="Dependency check for ${dep_type} ${dep_name}"
set -- ${4:-}
while [ "$#" -gt 0 ]; do
[ "x${1#match-model-mode=}" = "x${1}" ] || match_model_mode="${1#match-model-mode=}"
[ "x${1#skip=}" = "x${1}" ] || skip="${1#skip=}"
[ "x${1#force-skip=}" = "x${1}" ] || force_skip="${1#force-skip=}"
[ "x${1#nesting-too-deep=}" = "x${1}" ] || nesting_too_deep="${1#nesting-too-deep=}"
shift
done
case "${dep_type}" in
required)
[ "x${dep_name%/*}" = "x${dep_name}" ] || {
debug "${check} error: dependency name (${dep_name})" \
"cannot contain slashes"
echo 9
return
}
[ "${MAX_NESTING_LEVEL}" -ge "$cur_level" ] || {
local reason="nesting level is too deep (${cur_level}) and nesting-too-deep='${nesting_too_deep}'"
case "$nesting_too_deep" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: invalid" \
"nesting-too-deep mode" \
"(${nesting_too_deep})"; echo 9 ;;
esac
return
}
case "${match_model_mode}" in
same) ;;
on) match_model=1 ;;
off) match_model=0 ;;
*)
debug "${check} error: invalid match-model-mode" \
"(${match_model_mode})"
echo 9
return
;;
esac
local result=0
debug "${check}: calling check_caveat '${dep_name}'" \
"'$(($cur_level + 1))' match_model=${match_model}"
check_caveat "${dep_name}" "$(($cur_level + 1))" > /dev/null || result="$?"
match_model="${old_match_model}"
case "${result}" in
0) debug "${check} succeeded: result=${result}"; echo "${result}" ;;
1) debug "${check} failed: result=${result}"; echo "${result}" ;;
2)
local reason="result=${result} and skip='${skip}'"
case "${skip}" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: unexpected skip=" \
"setting (${skip})"; echo 9 ;;
esac
;;
3)
local reason="result=${result} and force_skip='${force_skip}'"
case "${force_skip}" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: unexpected force-skip=" \
"setting (${skip})"; echo 9 ;;
esac
;;
*)
debug "${check} error: unexpected check_caveat result" \
"(${result})"; echo 9 ;;
esac
;;
*)
debug "${check} error: unknown dependency type '${dep_type}'"
echo 9
;;
esac
}
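Review bot: the error branch of the `3)` case in check_dependency reports the wrong variable: `unexpected force-skip= setting (${skip})` should print `${force_skip}`, otherwise an invalid force-skip mode is logged with the value of skip=. The same slip sits in check_dmi_val, where the `*)` branch is selected on `$mode` but logs `Invalid mode value: \"${nm_mode}\"`. Two smaller points: the slash check `[ "x${dep_name%/*}" = "x${dep_name}" ]` stops a dependency name from descending into a subdirectory of MC_CAVEATS_DATA_DIR, but `.` and `..` contain no slash and still resolve outside the intended caveat directory, so reject those too; and because `return` inside the `( ... )` subshell of check_dmi_val only ends that subshell, the function's own exit status carries no information and callers must rely on the echoed value alone, which the header comment should state.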
@ -400,23 +580,6 @@ get_mc_ver()
/bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
}
# fail [CHECK_ONLY]
fail()
{
check_only="${1:-0}"
[ 0 = "$check_only" ] || return
ret=1
fail_cfgs="$fail_cfgs $cfg"
fail_paths="$fail_paths $cfg_path"
[ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \
|| /bin/cat "${dir}/disclaimer"
}
#check_kver "$@"
#get_model_name
match_model=0
configs=
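Review bot: with fail() removed, the `#check_kver "$@"` and `#get_model_name` lines are leftover commented-out calls that no longer correspond to any live code path; drop them in the same cleanup rather than leaving dead code next to the global initialisation of `match_model` and `configs`.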
@ -477,22 +640,21 @@ else
stage="late"
fi
# check_caveat CFG [CHECK_ONLY]
# check_caveat CFG [CHECK_LEVEL]
# changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs,
# skip_cfgs if CHECK_ONLY is set to 0 (default).
# skip_cfgs if CHECK_LEVEL is set to 0 (default).
# CHECK_LEVEL is used for recursive configuration dependency checks,
# and indicates nesting level.
# Return value:
# 0 - check is successful
# 1 - check has been failed
# 2 - configuration has been skipped
# 3 - configuration has been skipped due to presence of an override file
check_caveat() {
local cfg="$1"
local check_only="${2:-0}"
local check_level="${2:-0}"
local dir="$MC_CAVEATS_DATA_DIR/$cfg"
# We add cfg to the skip list first and then, if we do not skip it,
# we remove the configuration from the list.
[ 0 != "$check_only" ] || skip_cfgs="$skip_cfgs $cfg"
[ -r "${dir}/readme" ] || {
debug "File 'readme' in ${dir} is not found, skipping"
return 2
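Review bot: the header comment is now stale. After this change check_caveat no longer modifies ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs or skip_cfgs at all (the `[ 0 != "$check_only" ] || skip_cfgs=...` line is removed right here and the remaining list updates go away further down, into the caller loop), yet the sentence `changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs, skip_cfgs if CHECK_LEVEL is set to 0 (default)` survives, as does the comment `We add cfg to the skip list first and then, if we do not skip it, we remove the configuration from the list.` Replace both with a statement of the function's actual interface: the return code documented below, plus the `path` value it writes to stdout for the caller to capture.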
@ -512,6 +674,7 @@ check_caveat() {
local cfg_disable=
local cfg_pci=
local cfg_dmi=
local cfg_dependency=
local key
local value
@ -547,6 +710,10 @@ check_caveat() {
cfg_dmi="$cfg_dmi
$value"
;;
dependency)
cfg_dependency="$cfg_dependency
$value"
;;
'#'*|'')
continue
;;
@ -558,6 +725,7 @@ check_caveat() {
done < "${dir}/config"
debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'"
echo "$cfg_path"
# Check for override files in the following order:
# - disallow early/late specific caveat for specific kernel
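Review bot: `echo "$cfg_path"` makes stdout the function's data channel, so nothing else in check_caveat, nor in a dependency's check_caveat reached through check_dependency, may write to stdout; the dependency call is redirected to /dev/null, but please confirm that debug() writes to stderr, otherwise a debug-enabled run corrupts the captured path. Note also that the path is emitted before the override, model and dependency checks, so a configuration that is later skipped still prints one; the caller ignores it in that case, but a one-line comment here would save the next reader from wondering.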
@ -619,7 +787,7 @@ check_caveat() {
[ 0 -eq "$ignore_cfg" ] || {
debug "Configuration \"$cfg\" is ignored due to presence of" \
"\"$override_file\"."
return 2
return 3
}
# Check model if model filter is enabled
@ -667,29 +835,51 @@ check_caveat() {
}
fi
# Check configuration files
[ 0 != "$check_only" ] || {
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
skip_cfgs="${skip_cfgs% $cfg}"
}
# Has to be performed before dependency checks
[ 0 -eq "$force_cfg" ] || {
debug "Checks for configuration \"$cfg\" are ignored due to" \
"presence of \"$override_file\"."
[ 0 != "$check_only" ] || {
ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path"
}
return 0
}
# Check dependencies
# It has to be performed here (before adding configuration
# to $ret_cfgs/$ret_paths) since it may be skipped.
if [ -n "$cfg_dependency" ]; then
dep_line="$(printf "%s\n" "$cfg_dependency" | \
while read -r dep_type dep_name dep_opts
do
[ -n "$dep_type" ] || continue
dep_res=$(check_dependency "$check_level" \
"$dep_type" \
"$dep_name" \
"$dep_opts")
[ 0 != "$dep_res" ] || continue
echo "$dep_res $dep_type $dep_name $dep_opts"
break
done
echo "0 ")"
case "${dep_line%% *}" in
0) ;;
2)
debug "Dependency check '${dep_line#* }'" \
"induced configuration skip"
return 2
;;
*)
debug "Dependency check '${dep_line#* }'" \
"failed (with return code ${dep_line%% *})"
return 1
;;
esac
fi
# Check configuration files
[ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || {
debug "${cfg}: caveat is disabled in configuration"
fail "$check_only"
return 1
}
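Review bot: the comment `It has to be performed here (before adding configuration to $ret_cfgs/$ret_paths) since it may be skipped` describes list updates that this function no longer performs (the caller maintains those lists now); say instead what actually constrains the placement, namely that the dependency check must come after the force override and before the stage, kernel version, microcode revision, PCI and DMI checks. Two further points: each dependent caveat re-runs the dependency's complete check_caveat, and the changelog makes eight caveats depend on `intel`, so `intel` is evaluated up to nine times per run with no memoisation; correct, but worth a small cache keyed on dependency name and match_model if the list keeps growing. And since the subshell unconditionally appends `echo "0 "` after the loop, `${dep_line#* }` in both debug messages carries a trailing newline followed by `0 ` whenever a dependency fails or skips, which makes those log lines look mangled.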
@ -698,7 +888,6 @@ check_caveat() {
check_kver "$kver" $cfg_kvers || {
debug "${cfg}: late load kernel version check for" \
" '$kver' against '$cfg_kvers' failed"
fail "$check_only"
return 1
}
fi
@ -708,7 +897,6 @@ check_caveat() {
check_kver "$kver" $cfg_kvers_early || {
debug "${cfg}: early load kernel version check for" \
"'$kver' against '$cfg_kvers_early' failed"
fail "$check_only"
return 1
}
fi
@ -722,7 +910,6 @@ check_caveat() {
debug "${cfg}: CPU microcode version $cpu_mc_ver" \
"failed check (should be at least" \
"${cfg_mc_min_ver_late})"
fail "$check_only"
return 1
}
fi
@ -744,14 +931,14 @@ check_caveat() {
[ -z "${pci_line#* }" ] || {
debug "PCI configuration word check '${pci_line#* }'" \
"failed (with return code ${pci_line%% *})"
fail "$check_only"
return 1
}
fi
# Check DMI data if model filter is enabled
# Note that the model filter check is done inside check_pci_config_val
# based on the 'mode=' parameter.
# Note that the model filter check is done inside check_dmi_val
# (which returns the value of 'no-model-mode=' parameter
# if it is disenaged).
if [ -n "$cfg_dmi" ]; then
dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line
do
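Review bot: typo in the new comment, `disenaged` should read `disengaged`; and `if it is disenaged` leaves unclear what is disengaged, so say `if model matching is disengaged` to tie it to the `no-model-mode=` parameter named in the same sentence.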
@ -767,21 +954,43 @@ check_caveat() {
[ -z "${dmi_line#* }" ] || {
debug "DMI data check '${dmi_line#* }'" \
"failed (with return code ${dmi_line%% *})"
fail "$check_only"
return 1
}
fi
[ 0 != "$check_only" ] || {
ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path"
}
return 0
}
for cfg in $(echo "${configs}"); do
check_caveat "$cfg" || :
if cfg_path=$(check_caveat "$cfg"; exit "$?")
then
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path"
else
case "$?" in
1)
ret=1
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
fail_cfgs="$fail_cfgs $cfg"
fail_paths="$fail_paths $cfg_path"
[ 0 -eq "$print_disclaimers" ] \
|| [ ! -e "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" ] \
|| /bin/cat "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer"
;;
2|3)
skip_cfgs="$skip_cfgs $cfg";
;;
*)
debug "Unexpected check_caveat return code '$?'" \
"for config '$cfg'"
;;
esac
fi
done
[ 0 -eq "$print_disclaimers" ] || exit 0
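Review bot: the `*)` branch for an unexpected check_caveat return code only logs and then drops the configuration from every list while leaving `ret` untouched, so a check that crashes or returns a stray code looks like a clean pass to whoever consumes this script's exit status; fail closed instead by setting `ret=1` and recording the config in fail_cfgs/fail_paths. Two smaller points: `$(check_caveat "$cfg"; exit "$?")` is the same as `$(check_caveat "$cfg")`, since a command substitution already yields the status of its last command, and relying on `$?` surviving from the `if` condition into `case "$?"` and again into the debug string is fragile; capture it once (`rc=$?`) at the top of the `else` branch. Finally, because disclaimers are now printed only here, a caveat that fails solely as another caveat's dependency never shows its own disclaimer; that may be intended, but it is a behaviour change from the old fail() path and deserves a mention in the readme.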

@ -305,7 +305,7 @@ Mobile;;Comet Lake;R1;20;a0652;CML;H;Core Gen10 Mobile;
Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop;
Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop;
Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile;
Mobile;;Comet Lake;K0;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile;
Mobile;;Comet Lake;K1;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile;
Desktop;;Rocket Lake;B0;02;a0671;RKL;S;Core Gen11;
SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology;

@ -1,4 +1,4 @@
%define intel_ucode_version 20210525
%define intel_ucode_version 20210608
%global debug_package %{nil}
%define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats
@ -17,8 +17,7 @@ Release: 1.%{intel_ucode_version}.1%{?dist}
Epoch: 4
License: CC0 and Redistributable, no modification permitted
URL: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
#Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
Source0: microcode-%{intel_ucode_version}.tar.gz
Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
# (Pre-MDS) revision 0x714 of 06-2d-07 microcode
Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07
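Review bot: pointing Source0 at the `/archive/microcode-%{intel_ucode_version}.tar.gz` URL fetches a tarball that GitHub generates on request rather than a published release asset, and such archives are not guaranteed to stay byte-identical over time, so any checksum recorded for this file in the packaging metadata can stop matching without any change to the upstream sources. Prefer a release asset with an upstream-published checksum, or document next to Source0 which checksum the imported copy was verified against so a future mismatch can be told apart from a tampered download.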
@ -113,6 +112,7 @@ Source171: 06-8e-9e-0x-dell_config
Source172: 06-8e-9e-0x-dell_disclaimer
# TGL-UP3/UP4 (CPUID 06-8c-01) hangs
# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
Source180: 06-8c-01_readme
Source181: 06-8c-01_config
Source182: 06-8c-01_disclaimer
@ -544,6 +544,17 @@ rm -rf %{buildroot}
%changelog
* Thu Jul 22 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210216-1.20210608.1
- Update Intel CPU microcode to microcode-20210608 release:
- Fixes in releasenote.md file.
* Thu Jul 22 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210216-1.20210525.2
- Make intel-06-2d-07, intel-06-4e-03, intel-06-4f-01, intel-06-55-04,
intel-06-5e-03, intel-06-8c-01, intel-06-8e-9e-0x-0xca,
and intel-06-8e-9e-0x-dell caveats dependent on intel caveat.
- Enable 06-8c-01 microcode update by default (#1972328).
- Enable 06-5e-03 microcode update by default (#1972325).
* Thu May 27 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210216-1.20210525.1
- Update Intel CPU microcode to microcode-20210525 release, addresses
CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, and CVE-2020-24513