commit 541cbbc076e3526e51dbc87d52ed1cb8660f174c Author: CentOS Sources Date: Thu Nov 4 00:47:10 2021 -0400 import microcode_ctl-20210608-2.el9 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d6a7b0b --- /dev/null +++ b/.gitignore @@ -0,0 +1,7 @@ +SOURCES/06-2d-07 +SOURCES/06-4e-03 +SOURCES/06-55-04 +SOURCES/06-5e-03 +SOURCES/microcode-20190918.tar.gz +SOURCES/microcode-20191115.tar.gz +SOURCES/microcode-20210608.tar.gz diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata new file mode 100644 index 0000000..19f5d82 --- /dev/null +++ b/.microcode_ctl.metadata @@ -0,0 +1,7 @@ +bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07 +06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03 +2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04 +86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03 +bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz +774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz +68f7344d874d50f4c8d836f01abc497707d0baa2 SOURCES/microcode-20210608.tar.gz diff --git a/SOURCES/01-microcode.conf b/SOURCES/01-microcode.conf new file mode 100644 index 0000000..52511c0 --- /dev/null +++ b/SOURCES/01-microcode.conf @@ -0,0 +1 @@ +early_microcode="yes" diff --git a/SOURCES/06-2d-07_config b/SOURCES/06-2d-07_config new file mode 100644 index 0000000..99a8ed7 --- /dev/null +++ b/SOURCES/06-2d-07_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-2d-07 +path intel-ucode/06-2d-07 +dependency required intel diff --git a/SOURCES/06-2d-07_disclaimer b/SOURCES/06-2d-07_disclaimer new file mode 100644 index 0000000..ae71a34 --- /dev/null +++ b/SOURCES/06-2d-07_disclaimer @@ -0,0 +1,4 @@ +MDS-related microcode update for Intel Sandy Bridge-EP (family 6, model 45, +stepping 7; CPUID 0x206d7) CPUs is disabled. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-2d-07_readme b/SOURCES/06-2d-07_readme new file mode 100644 index 0000000..e5e575b --- /dev/null +++ b/SOURCES/06-2d-07_readme @@ -0,0 +1,58 @@ +Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7) +had issues with MDS-related microcode update that may lead to a system hang +after a microcode update[1][2]. In order to address this, microcode update +to the MDS-related revision 0x718 had been disabled, and the previously +published microcode revision 0x714 is used by default for the OS-driven +microcode update. The revision 0x71a of the microcode is intended to fix +the aforementioned issue, hence it is enabled by default (but can be disabled +explicitly; see below). + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15 +[2] https://access.redhat.com/solutions/4593951 + +For the reference, SHA1 checksums of 06-2d-07 microcode files containing +microcode revisions in question are listed below: + * 06-2d-07, revision 0x714: bcf2173cd3dd499c37defbc2533703cfa6ec2430 + * 06-2d-07, revision 0x718: 837cfebbfc09b911151dfd179082ad99cf87e85d + * 06-2d-07, revision 0x71a: 4512c8149e63e5ed15f45005d7fb5be0041f66f6 + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + +The information regarding disabling microcode update is provided below. + +To disable usage of the newer microcode revision for a specific kernel +version, please create file "disallow-intel-06-2d-07" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory +where microcode will be available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated and the microcode can be loaded early, for example: + + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-2d-07 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +To avoid addition of the newer microcode revision for all kernels, please create +file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07", run +"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates, +and "dracut -f --regenerate-all" for early microcode updates: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/06-4e-03_config b/SOURCES/06-4e-03_config new file mode 100644 index 0000000..7c0e333 --- /dev/null +++ b/SOURCES/06-4e-03_config @@ -0,0 +1,4 @@ +model GenuineIntel 06-4e-03 +path intel-ucode/06-4e-03 +dependency required intel +disable early late diff --git a/SOURCES/06-4e-03_disclaimer b/SOURCES/06-4e-03_disclaimer new file mode 100644 index 0000000..ec27ef7 --- /dev/null +++ b/SOURCES/06-4e-03_disclaimer @@ -0,0 +1,5 @@ +Microcode revisions 0xda and higher for Intel Skylake-U/Y (family 6, +model 78, stepping 3; CPUID 0x406e3) are disabled as they may cause system +instability; the previously published revision 0xd6 is used instead. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-4e-03_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-4e-03_readme b/SOURCES/06-4e-03_readme new file mode 100644 index 0000000..13cb72a --- /dev/null +++ b/SOURCES/06-4e-03_readme @@ -0,0 +1,79 @@ +Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3) +have reports of system hangs when revision 0xdc of microcode, that is included +since microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548, +and CVE-2020-0549, is applied[1]. In order to address this, microcode update +to the newer revision has been disabled by default on these systems, +and the previously published microcode revision 0xd6 is used by default +for the OS-driven microcode update. + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 + +For the reference, SHA1 checksums of 06-4e-03 microcode files containing +microcode revisions in question are listed below: + * 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e + * 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c + * 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366 + * 06-4e-03, revision 0xea: 5a54cab9f22f69b819d663e5747ed6ea2a326c55 + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 + +The information regarding enforcing microcode update is provided below. + +To enforce usage of the latest 06-4e-03 microcode revision for a specific kernel +version, please create a file "force-intel-06-4e-03" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory +where microcode will be available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated and the microcode can be loaded early, for example: + + touch /lib/firmware/3.10.0-862.9.1/force-intel-06-4e-03 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +After that, it is possible to perform a late microcode update by executing +"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to +"/sys/devices/system/cpu/microcode/reload" directly. + +To enforce addition of this microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03", run +"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, +and "dracut -f --regenerate-all" for enabling early microcode updates: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/06-4f-01_config b/SOURCES/06-4f-01_config new file mode 100644 index 0000000..f987150 --- /dev/null +++ b/SOURCES/06-4f-01_config @@ -0,0 +1,15 @@ +model GenuineIntel 06-4f-01 +path intel-ucode/06-4f-01 +kernel 4.17.0 +kernel 3.10.0-894 +kernel 3.10.0-862.6.1 +kernel 3.10.0-693.35.1 +kernel 3.10.0-514.52.1 +kernel 3.10.0-327.70.1 +kernel 2.6.32-754.1.1 +kernel 2.6.32-573.58.1 +kernel 2.6.32-504.71.1 +kernel 2.6.32-431.90.1 +kernel 2.6.32-358.90.1 +dependency required intel skip=success match-model-mode=off +disable early late diff --git a/SOURCES/06-4f-01_disclaimer b/SOURCES/06-4f-01_disclaimer new file mode 100644 index 0000000..c978958 --- /dev/null +++ b/SOURCES/06-4f-01_disclaimer @@ -0,0 +1,4 @@ +Microcode update for Intel Broadwell-EP/EX (BDX-ML B/M/R0; family 6, model 79, +stepping 1; CPUID 0x406f1) CPUs is disabled as it may cause system instability. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-4f-01_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-4f-01_readme b/SOURCES/06-4f-01_readme new file mode 100644 index 0000000..dc33eec --- /dev/null +++ b/SOURCES/06-4f-01_readme @@ -0,0 +1,83 @@ +Intel Broadwell-EP/EX (BDX-ML B/M/R0, family 6, model 79, stepping 1) has issues +with microcode update that may lead to a system hang; while some changes +to the Linux kernel have been made in an attempt to address these issues, +they were not eliminated, so a possibility of unstable system behaviour +after a microcode update performed on a running system is still present even +on a kernels that contain aforementioned changes. As a result, microcode update +for this CPU model has been disabled by default. + +For the reference, kernel versions for the respective RHEL minor versions +that contain the aforementioned changes, are listed below: + * Upstream/RHEL 8: kernel-4.17.0 or newer; + * RHEL 7.6 onwards: kernel-3.10.0-894 or newer; + * RHEL 7.5.z: kernel-3.10.0-862.6.1 or newer; + * RHEL 7.4.z: kernel-3.10.0-693.35.1 or newer; + * RHEL 7.3.z: kernel-3.10.0-514.52.1 or newer; + * RHEL 7.2.z: kernel-3.10.0-327.70.1 or newer. + +Please contact you system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 + +The information regarding enforcing microcode load is provided below. + +For enforcing addition of this microcode to the firmware directory +for a specific kernel, where it is available for a late microcode update, +please create a file "force-late-intel-06-4f-01" inside +/lib/firmware/ directory and run +"/usr/libexec/microcode_ctl/update_ucode": + + touch /lib/firmware/3.10.0-862.9.1/force-late-intel-06-4f-01 + /usr/libexec/microcode_ctl/update_ucode + +After that, it is possible to perform a late microcode update by executing +"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to +"/sys/devices/system/cpu/microcode/reload" directly. + +For enforcing addition of this microcode to firmware directories for all +kernels, please create a file +"/etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01" +and run "/usr/libexec/microcode_ctl/update_ucode": + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01 + /usr/libexec/microcode_ctl/update_ucode + +For enforcing early load of this microcode for a specific kernel, please +create a file "force-early-intel-06-4f-01" inside +"/lib/firmware/" directory and run +"dracut -f --kver ": + + touch /lib/firmware/3.10.0-862.9.1/force-early-intel-06-4f-01 + dracut -f --kver 3.10.0-862.9.1 + +For enforcing early load of this microcode for all kernels, please +create a file "/etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01" +and run dracut -f --regenerate-all: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01 + dracut -f --regenerate-all + +If you want to avoid removal of the microcode file during cleanup performed by +/usr/libexec/microcode_ctl/update_ucode, please remove the corresponding readme +file (/lib/firmware//readme-intel-06-4f-01). + + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/06-55-04_config b/SOURCES/06-55-04_config new file mode 100644 index 0000000..07f06f6 --- /dev/null +++ b/SOURCES/06-55-04_config @@ -0,0 +1,12 @@ +model GenuineIntel 06-55-04 +path intel-ucode/06-55-04 +## Bug https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 +## affects only SKX-W/X (Workstation and HEDT segments); product segment +## can be determined by checking bits 5..3 of the CAPID0 field in PCU registers +## device (see https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13 +## for Server/FPGA/Fabric segments description; for SKX-W/X no public +## documentation seems to be available). Specific device/function numbers +## are provided for speeding up the search only, VID:DID is the real selector. +## Commented out since revision 0x2006906 seems to fix the issue. +#pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8 +dependency required intel diff --git a/SOURCES/06-55-04_disclaimer b/SOURCES/06-55-04_disclaimer new file mode 100644 index 0000000..66d71bd --- /dev/null +++ b/SOURCES/06-55-04_disclaimer @@ -0,0 +1,5 @@ +Microcode revisions 0x2000065 and higher for Intel Skylake-X/W (family 6, +model 85, stepping 4; CPUID 0x50654) were disabled as they could cause system +hangs on reboot, so the previous revision 0x2000064 was used instead. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-04_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme new file mode 100644 index 0000000..b8d3618 --- /dev/null +++ b/SOURCES/06-55-04_readme @@ -0,0 +1,81 @@ +Intel Skylake Scalable Platform CPU models that belong to Workstation and HEDT +(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports +of system hangs on reboot when revision 0x2000065 of microcode, that was included +from microcode-20191112 update up to microcode-20200520 update, was applied[1]. +In order to address this, microcode update to the newer revision had been +disabled by default on these systems, and the previously published microcode +revision 0x2000064 is used by default for the OS-driven microcode update. + +Since revision 0x2006906 (included with the microcode-20200609 release) +it is reported that the issue is no longer present, so the newer microcode +revision is enabled by default now (but can be disabled explicitly; see below). + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 + +For the reference, SHA1 checksums of 06-55-04 microcode files containing +microcode revisions in question are listed below: + * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a + * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23 + * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967 + * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212 + * 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462 + * 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7 + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 + +The information regarding disabling microcode update is provided below. + +To disable usage of the newer microcode revision for a specific kernel +version, please create a file "disallow-intel-06-55-04" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory +used for late microcode updates, and run "dracut -f --kver " +so initramfs for this kernel version is regenerated, for example: + + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +To disable usage of the newer microcode revision for all kernels, please create +file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run +"/usr/libexec/microcode_ctl/update_ucode" to update firmware directories +used for late microcode updates, and run "dracut -f --regenerate-all" +so initramfs images get regenerated, for example: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/06-5e-03_config b/SOURCES/06-5e-03_config new file mode 100644 index 0000000..ced0abc --- /dev/null +++ b/SOURCES/06-5e-03_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-5e-03 +path intel-ucode/06-5e-03 +dependency required intel diff --git a/SOURCES/06-5e-03_disclaimer b/SOURCES/06-5e-03_disclaimer new file mode 100644 index 0000000..7e3bb16 --- /dev/null +++ b/SOURCES/06-5e-03_disclaimer @@ -0,0 +1,5 @@ +Microcode revisions 0xda and higher for Intel Skylake-H/S/Xeon E3 v5 (family 6, +model 94, stepping 3; CPUID 0x506e3) are disabled as they may cause system +instability; the previously published revision 0xd6 is used instead. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-5e-03_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-5e-03_readme b/SOURCES/06-5e-03_readme new file mode 100644 index 0000000..9beb75e --- /dev/null +++ b/SOURCES/06-5e-03_readme @@ -0,0 +1,78 @@ +Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94, +stepping 3) had reports of possible system hangs when revision 0xdc +of microcode, that is included in microcode-20200609 update to address +CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order +to address this, microcode updates to the newer revision had been disabled +by default on these systems, and the previously published microcode revision +0xd6 was used by default for the OS-driven microcode update. The revision +0xea seems[2] to have fixed the aforementioned issue, hence it is enabled +by default (but can be disabled explicitly; see below). + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 +[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014 + +For the reference, SHA1 checksums of 06-5e-03 microcode files containing +microcode revisions in question are listed below: + * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a + * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7 + * 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c + * 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8 + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 + +The information regarding disabling microcode update is provided below. + +To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel +version, please create a file "disallow-intel-06-5e-03" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory +where microcode is available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated, for example: + + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +To avoid addition of the latest microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run +"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates, +and "dracut -f --regenerate-all" for early microcode updates: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/06-8c-01_config b/SOURCES/06-8c-01_config new file mode 100644 index 0000000..880a419 --- /dev/null +++ b/SOURCES/06-8c-01_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-8c-01 +path intel-ucode/06-8c-01 +dependency required intel skip=success match-model-mode=off diff --git a/SOURCES/06-8c-01_disclaimer b/SOURCES/06-8c-01_disclaimer new file mode 100644 index 0000000..6e02fa6 --- /dev/null +++ b/SOURCES/06-8c-01_disclaimer @@ -0,0 +1,4 @@ +Microcode updates for Intel Tiger Lake-UP3/UP4 (family 6, model 140, stepping 1; +CPUID 0x806c1) are disabled as they may cause system instability. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-8c-01_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-8c-01_readme b/SOURCES/06-8c-01_readme new file mode 100644 index 0000000..9625c42 --- /dev/null +++ b/SOURCES/06-8c-01_readme @@ -0,0 +1,54 @@ +Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1) +had reports of system hangs when a microcode update, that was included +since microcode-20201110 update, was applied[1]. In order to address this, +microcode update had been disabled by default on these systems. The revision +0x88 seems to have fixed the aforementioned issue, hence it is enabled +by default (but can be disabled explicitly; see below). + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 + +For the reference, SHA1 checksums of 06-8c-01 microcode files containing +microcode revisions in question are listed below: + * 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04 + * 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290 + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 + +The information regarding disabling microcode update is provided below. + +To disable 06-8c-01 microcode updates for a specific kernel +version, please create a file "disallow-intel-06-8c-01" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware +directory where microcode is available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated, for example: + + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +To avoid addition of this microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run +"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates, +and "dracut -f --regenerate-all" for early microcode updates: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/06-8e-9e-0x-0xca_config b/SOURCES/06-8e-9e-0x-0xca_config new file mode 100644 index 0000000..1162015 --- /dev/null +++ b/SOURCES/06-8e-9e-0x-0xca_config @@ -0,0 +1,5 @@ +path intel-ucode/* +vendor GenuineIntel +dmi mode=fail-equal key=bios_vendor val="Dell Inc." +dependency required intel +disable early late diff --git a/SOURCES/06-8e-9e-0x-0xca_disclaimer b/SOURCES/06-8e-9e-0x-0xca_disclaimer new file mode 100644 index 0000000..e69de29 diff --git a/SOURCES/06-8e-9e-0x-0xca_readme b/SOURCES/06-8e-9e-0x-0xca_readme new file mode 100644 index 0000000..22f47dd --- /dev/null +++ b/SOURCES/06-8e-9e-0x-0xca_readme @@ -0,0 +1,147 @@ +Some Dell systems that use some models of Intel CPUs are susceptible to hangs +and system instability during or after microcode update to revision 0xc6/0xca +(included as part of microcode-20191113/microcode-20191115 update that addressed +CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139) +and/or revision 0xd6 (included as part of microcode-20200609 update +that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549) +[1][2][3][4][5][6]. In order to address this, microcode update to the newer +revision has been disabled by default on these systems, and the previously +published microcode revisions 0xae/0xb4/0xb8 are used by default +for the OS-driven microcode update. + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23 +[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24 +[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33 +[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34 +[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35 +[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097 + +This caveat contains revision 0xca of 06-[89]e-0x microcode publicly released +by Intel; for the latest revision of the microcode files, please refer to caveat +06-8e-9e-0x-dell. + +For the reference, microarchitectures of the affected CPU models: + * Amber Lake-Y + * Kaby Lake-G/H/S/U/Y/Xeon E3 + * Coffee Lake-H/S/U/Xeon E + * Comet Lake-U 4+2 + * Whiskey Lake-U + +Family names of the affected CPU models: + * 7th Generation Intel® Core™ Processor Family + * 8th Generation Intel® Core™ Processor Family + * 9th Generation Intel® Core™ Processor Family + * 10th Generation Intel® Core™ Processor Family (selected models) + * Intel® Celeron® Processor G Series + * Intel® Celeron® Processor 5000 Series + * Intel® Core™ X-series Processors (i7-7740X, i5-7640X only) + * Intel® Pentium® Gold Processor Series + * Intel® Pentium® Processor Series (selected models) + * Intel® Xeon® Processor E Family + * Intel® Xeon® Processor E3 v6 Family + +SHA1 checksums of the microcode files containing microcode revisions +in question: + * 06-8e-09, revision 0xb4: e253c95c29c3eef6576db851dfa069d82a91256f + * 06-8e-0a, revision 0xb4: 45bcba494be07df9eeccff9627578095a97fba4d + * 06-8e-0b, revision 0xb8: 3e54bf91d642ad81ff07fe274d0cfb5d10d09c43 + * 06-8e-0c, revision 0xb8: bf635c87177d6dc4e067ec11e1caeb19d3c325f0 + * 06-9e-09, revision 0xb4: 42f68eec4ddb79dd6be0c95c4ce60e514e4504b1 + * 06-9e-0a, revision 0xb4: 37c7cb394dd36610b57943578343723da67d50f0 + * 06-9e-0b, revision 0xb4: b5399109d0a5ce8f5fb623ff942da0322b438b95 + * 06-9e-0c, revision 0xae: 131bce89e4d210de8322ffbc6bd787f1af66a7df + * 06-9e-0d, revision 0xb8: 22511b007d1df55558d115abb13a1c23ea398317 + + * 06-8e-09, revision 0xca: 9afa1bae40995207afef13247f114be042d88083 + * 06-8e-0a, revision 0xca: 1d90291cc25e17dc6c36c764cf8c06b41fed4c16 + * 06-8e-0b, revision 0xca: 3fb1246a6594eff5e2c2076c63c600d734f10777 + * 06-8e-0c, revision 0xca: e871540671f59b4fa5d0d454798f09a4d412aace + * 06-9e-09, revision 0xca: b5eed11108ab7ac1e675fe75d0e7454a400ddd35 + * 06-9e-0a, revision 0xca: e472304aaa2f3815a32822cb111ab3f43bf3dfe4 + * 06-9e-0b, revision 0xca: 78f47c5162da680878ed057dc7c853f9737c524b + * 06-9e-0c, revision 0xca: f23848a009928796a153cb9e8f44522136969408 + * 06-9e-0d, revision 0xca: c7a3d469469ee828ba9faf91b67af881fceec3b7 + + * 06-8e-09, revision 0xd6: 2272c621768437d20e602207752201e0966e5a8c + * 06-8e-0a, revision 0xd6: 0b145afb88e028e612f04c2a86385e7d7c3fefc4 + * 06-8e-0b, revision 0xd6: c3831b05da83be54f3acc451a1bce90f75e2e9e5 + * 06-8e-0c, revision 0xd6: 4b8938a93e23f4b5a2d9de40b87f6afcfdc27c05 + * 06-9e-09, revision 0xd6: 4bacba8c598508e7dd4e87e179586abe7a1a987f + * 06-9e-0a, revision 0xd6: 4c236afeef9f80ff3a286698fe7cef72926722f0 + * 06-9e-0b, revision 0xd6: 2f9ab9b2ba29559ce177632281d7290a24fed2ef + * 06-9e-0c, revision 0xd6: 4b9059e519bcab6085b6c103f5d99e509fe0b2bb + * 06-9e-0d, revision 0xd6: 3a3b7edfd8126bb34b761b46a32102a622047899 + + * 06-8e-09, revision 0xde: 84d7514101eb8904834a3dacdee684b3c574245f + * 06-8e-0a, revision 0xe0: 080b9e3ebbcf6bb1eca0fb5f640e6bfbfe3a1e6e + * 06-8e-0b, revision 0xde: 80fed976231bbff4c7103e373498e07eef0bff31 + * 06-8e-0c, revision 0xde: 84f160587fea4acb81451c8ff53dc51afba06343 + * 06-9e-09, revision 0xde: 422026ffb2cca446693c586be98d0d9e7dfeb116 + * 06-9e-0a, revision 0xde: b6c44b9fe26e1d6bafa27f37ffe010284294bf1c + * 06-9e-0b, revision 0xde: 6452937a0d359066b95f9e679a41a15490770312 + * 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542 + * 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c + + * 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d + * 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8 + * 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac + * 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3 + * 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668 + * 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4 + * 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c + * 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4 + * 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 + +The information regarding disabling microcode update is provided below. + +To disable usage of the newer microcode revision for a specific kernel +version, please create a file "disallow-intel-06-8e-9e-0x-0xca" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory +used for late microcode updates, and run "dracut -f --kver " +so initramfs for this kernel version is regenerated, for example: + + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8e-9e-0x-0xca + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +To disable usage of the newer microcode revision for all kernels, please create +file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0x-0xca", +run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories +used for late microcode updates, and run "dracut -f --regenerate-all" +so initramfs images get regenerated, for example: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0xca + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/06-8e-9e-0x-dell_config b/SOURCES/06-8e-9e-0x-dell_config new file mode 100644 index 0000000..f93c350 --- /dev/null +++ b/SOURCES/06-8e-9e-0x-dell_config @@ -0,0 +1,7 @@ +path intel-ucode/* +vendor GenuineIntel +## It is deemed that blacklisting all 06-[89]e-0x models on all hardware +## in cases where no model filter is used is too broad, hence +## no-model-mode=success. +dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc." +dependency required intel diff --git a/SOURCES/06-8e-9e-0x-dell_disclaimer b/SOURCES/06-8e-9e-0x-dell_disclaimer new file mode 100644 index 0000000..224a822 --- /dev/null +++ b/SOURCES/06-8e-9e-0x-dell_disclaimer @@ -0,0 +1,7 @@ +Some Dell systems that use some models of Intel CPUs are susceptible to hangs +and system instability during or after microcode update to newer revisions. +In order to address this, microcode update to these newer revision +has been disabled by default on these systems, and the previously published +microcode revisions are used by default for the OS-driven microcode update. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-8e-9e-0x-dell_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-8e-9e-0x-dell_readme b/SOURCES/06-8e-9e-0x-dell_readme new file mode 100644 index 0000000..0f12fee --- /dev/null +++ b/SOURCES/06-8e-9e-0x-dell_readme @@ -0,0 +1,147 @@ +Some Dell systems that use some models of Intel CPUs are susceptible to hangs +and system instability during or after microcode update to revision 0xc6/0xca +(included as part of microcode-20191113/microcode-20191115 update that addressed +CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139) +and/or revision 0xd6 (included as part of microcode-20200609 update +that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549) +[1][2][3][4][5][6]. In order to address this, microcode update to the newer +revision has been disabled by default on these systems, and the previously +published microcode revisions 0xae/0xb4/0xb8 are used by default +for the OS-driven microcode update. + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23 +[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24 +[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33 +[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34 +[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35 +[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097 + +This caveat contains latest microcode revisions publicly released by Intel; +for the revision 0xca of the microcode files, please refer to caveat +06-8e-9e-0x-0xca. + +For the reference, microarchitectures of the affected CPU models: + * Amber Lake-Y + * Kaby Lake-G/H/S/U/X/Y/Xeon E3 + * Coffee Lake-H/S/U/Xeon E + * Comet Lake-U 4+2 + * Whiskey Lake-U + +Family names of the affected CPU models: + * 7th Generation Intel® Core™ Processor Family + * 8th Generation Intel® Core™ Processor Family + * 9th Generation Intel® Core™ Processor Family + * 10th Generation Intel® Core™ Processor Family (selected models) + * Intel® Celeron® Processor G Series + * Intel® Celeron® Processor 5000 Series + * Intel® Core™ X-series Processors (i7-7740X, i5-7640X only) + * Intel® Pentium® Gold Processor Series + * Intel® Pentium® Processor Series (selected models) + * Intel® Xeon® Processor E Family + * Intel® Xeon® Processor E3 v6 Family + +SHA1 checksums of the microcode files containing microcode revisions +in question: + * 06-8e-09, revision 0xb4: e253c95c29c3eef6576db851dfa069d82a91256f + * 06-8e-0a, revision 0xb4: 45bcba494be07df9eeccff9627578095a97fba4d + * 06-8e-0b, revision 0xb8: 3e54bf91d642ad81ff07fe274d0cfb5d10d09c43 + * 06-8e-0c, revision 0xb8: bf635c87177d6dc4e067ec11e1caeb19d3c325f0 + * 06-9e-09, revision 0xb4: 42f68eec4ddb79dd6be0c95c4ce60e514e4504b1 + * 06-9e-0a, revision 0xb4: 37c7cb394dd36610b57943578343723da67d50f0 + * 06-9e-0b, revision 0xb4: b5399109d0a5ce8f5fb623ff942da0322b438b95 + * 06-9e-0c, revision 0xae: 131bce89e4d210de8322ffbc6bd787f1af66a7df + * 06-9e-0d, revision 0xb8: 22511b007d1df55558d115abb13a1c23ea398317 + + * 06-8e-09, revision 0xca: 9afa1bae40995207afef13247f114be042d88083 + * 06-8e-0a, revision 0xca: 1d90291cc25e17dc6c36c764cf8c06b41fed4c16 + * 06-8e-0b, revision 0xca: 3fb1246a6594eff5e2c2076c63c600d734f10777 + * 06-8e-0c, revision 0xca: e871540671f59b4fa5d0d454798f09a4d412aace + * 06-9e-09, revision 0xca: b5eed11108ab7ac1e675fe75d0e7454a400ddd35 + * 06-9e-0a, revision 0xca: e472304aaa2f3815a32822cb111ab3f43bf3dfe4 + * 06-9e-0b, revision 0xca: 78f47c5162da680878ed057dc7c853f9737c524b + * 06-9e-0c, revision 0xca: f23848a009928796a153cb9e8f44522136969408 + * 06-9e-0d, revision 0xca: c7a3d469469ee828ba9faf91b67af881fceec3b7 + + * 06-8e-09, revision 0xd6: 2272c621768437d20e602207752201e0966e5a8c + * 06-8e-0a, revision 0xd6: 0b145afb88e028e612f04c2a86385e7d7c3fefc4 + * 06-8e-0b, revision 0xd6: c3831b05da83be54f3acc451a1bce90f75e2e9e5 + * 06-8e-0c, revision 0xd6: 4b8938a93e23f4b5a2d9de40b87f6afcfdc27c05 + * 06-9e-09, revision 0xd6: 4bacba8c598508e7dd4e87e179586abe7a1a987f + * 06-9e-0a, revision 0xd6: 4c236afeef9f80ff3a286698fe7cef72926722f0 + * 06-9e-0b, revision 0xd6: 2f9ab9b2ba29559ce177632281d7290a24fed2ef + * 06-9e-0c, revision 0xd6: 4b9059e519bcab6085b6c103f5d99e509fe0b2bb + * 06-9e-0d, revision 0xd6: 3a3b7edfd8126bb34b761b46a32102a622047899 + + * 06-8e-09, revision 0xde: 84d7514101eb8904834a3dacdee684b3c574245f + * 06-8e-0a, revision 0xe0: 080b9e3ebbcf6bb1eca0fb5f640e6bfbfe3a1e6e + * 06-8e-0b, revision 0xde: 80fed976231bbff4c7103e373498e07eef0bff31 + * 06-8e-0c, revision 0xde: 84f160587fea4acb81451c8ff53dc51afba06343 + * 06-9e-09, revision 0xde: 422026ffb2cca446693c586be98d0d9e7dfeb116 + * 06-9e-0a, revision 0xde: b6c44b9fe26e1d6bafa27f37ffe010284294bf1c + * 06-9e-0b, revision 0xde: 6452937a0d359066b95f9e679a41a15490770312 + * 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542 + * 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c + + * 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d + * 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8 + * 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac + * 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3 + * 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668 + * 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4 + * 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c + * 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4 + * 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 + +The information regarding disabling microcode update is provided below. + +To disable usage of the newer microcode revision for a specific kernel +version, please create a file "disallow-intel-06-8e-9e-0x-dell" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory +used for late microcode updates, and run "dracut -f --kver " +so initramfs for this kernel version is regenerated, for example: + + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8e-9e-0x-dell + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +To disable usage of the newer microcode revision for all kernels, please create +file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0x-dell", +run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories +used for late microcode updates, and run "dracut -f --regenerate-all" +so initramfs images get regenerated, for example: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-dell + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/99-microcode-override.conf b/SOURCES/99-microcode-override.conf new file mode 100644 index 0000000..c898801 --- /dev/null +++ b/SOURCES/99-microcode-override.conf @@ -0,0 +1,7 @@ +## Uncomment the following line in order to disable +## microcode_ctl module that is used for $fw_dir variable overriding. +## +## Please refer to /usr/share/doc/microcode_ctl/README.caveats +## for additional information. +## +#omit_dracutmodules+=' microcode_ctl-fw_dir_override ' diff --git a/SOURCES/README b/SOURCES/README new file mode 100644 index 0000000..193ee9a --- /dev/null +++ b/SOURCES/README @@ -0,0 +1,51 @@ +The microcode_ctl package contains microcode files (vendor-provided binary data +and/or code in proprietary format that affects behaviour of a device) for Intel +CPUs that may be loaded into the CPU during boot. + +This directory contains information regarding various aspects of the provided +microcode files and their usage. + + * LICENSE.intel-ucode + "license" file from the Intel x86 CPU microcode archive. + * README + This file. + * README.caveats + Caveats (mechanism for enabling/disabling usage of sets of microcode files + based on caveat configuration and user preferences) documentation. + Also contains general information about microcode update behaviour and links + with additional information about the relevant microarchitectural + vulnerabilities. + * README.intel-ucode + "README.md" file from the Intel x86 CPU microcode archive. + * RELEASE_NOTES.intel-ucode + "releasenote.md" file from the Intel x86 CPU microcode archive. + * SECURITY.intel-ucode + "security.md" file from the Intel x86 CPU microcode archive. + * SUMMARY.intel-ucode + Information about supplied microcode files extracted from their headers, + in a table form. Columns have the following meaning: + * "Path": path to the microcode file under one of the following directories: + * /usr/share/microcode_ctl/ucode_with_caveats/intel + * /usr/share/microcode_ctl/ucode_with_caveats + * /usr/share/microcode_ctl + * /lib/firmware + * /etc/firmware + * "Offset": offset of the microcode blob within the micocode file in bytes. + * "Ext. Offset": offset of the extended signature header within + the microcode file in bytes. + * "Data Size": size of microcode data in bytes. 0 means 2000 bytes. + * "Total Size": size of microcode blob in bytes, incuding headers. + 0 means 2048 bytes. + * "CPUID": CPU ID signature (in format returned by the CPUID instruction). + * "Platform ID Mask": mask of suitable Platform IDs (provided in bits + 52..50 of MSR 0x17). + * "Revision": microcode revision. + * "Date": microcode creation date. + * "Checksum": sum (in base 1<< 32) of all 32-bit values comprising + the microcode (from Offset up to Offset + Total Size). + * "Codenames": list of known CPU codenames associated with the CPUID + and Platform ID Mask combination. + Please refer to README.cavets, section "Microcode file structure" + for additional information regarding microcode header fields. + * caveats + Directory that contains readme files for each specific caveat. diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats new file mode 100644 index 0000000..9529de3 --- /dev/null +++ b/SOURCES/README.caveats @@ -0,0 +1,862 @@ +The microcode_ctl package contains microcode files (vendor-provided binary data +and/or code in proprietary format that affects behaviour of a device) for Intel +CPUs that may be loaded into the CPU during boot. + +The microcode_ctl package contains provisions for some issues related +to microcode loading. While those provisions are expected to suit most users, +several knobs are available in order to provide ability to override the default +behaviour. + + +General behaviour +================= +In RHEL 9 (as well as in RHEL 7 and RHEL 8 before it), there are currently +two main handlers for CPU microcode update: + * Early microcode update. It uses GenuineIntel.bin or AuthenticAMD.bin file + placed at the beginning of an initramfs image + (/boot/initramfs-KERNEL_VERSION.img, where "KERNEL_VERSION" is a kernel + version in the same format as provided by "uname -r") as a source + of microcode data, and is performed very early during the boot process + (if the relevant microcode file is available in the aforementioned file). + * On-demand (late) microcode update. It can be triggered by writing "1" to + /sys/devices/system/cpu/microcode/reload file (provided my the "microcode" + module). It relies on request_firmware infrastructure, which searches (and + loads, if found) microcode from a file present in one of the following + directories (in the search order): + /lib/firmware/updates/KERNEL_VERSION/ + /lib/firmware/updates/ + /lib/firmware/KERNEL_VERSION/ + /lib/firmware/ + (there is also an additional directory that can be configured via the + "fw_path_para" module option of the "firmware_class" module; as this module + is built-in in RHEL kernel, a boot parameter "firmware_class.fw_path_para" + should be used for that purpose; this is out of the document's scope, however) + +The firmware for Intel CPUs is searched in "intel-ucode" subdirectory, and for +AMD CPUs, a file under "amd-ucode" is searched. + +For Intel CPUs, the name of the specific microcode file the kernel tries to load +has the format "FF-MM-SS", where "FF" is the family number, "MM" is the model +number, and "SS" is the stepping. All those numbers are zero-filled to two digits +and are written in hexadecimal (letters are in the lower case). For AMD CPUs, +the file name has the format "microcode_amd_famFFh.bin", where "FF" is the +family number, written in hexadecimal, letters are in the lower case, not +zero-filled. + +The early microcode is placed into initramfs image by the "dracut" script, which +scans the aforementioned subdirectories of the configured list of firmware +directories (by default, the list consists of two directories in RHEL 9, +"/lib/firmware/updates" and "/lib/firmware"). + +In RHEL 9, AMD CPU microcode is shipped as a part of the linux-firmware package, +and Intel microcode is shipped as a part of the microcode_ctl package. + +The microcode_ctl package currently includes the following: + * Intel CPU microcode files, placed in /usr/share/microcode_ctl/intel-ucode + directory (currently there are none); + * A dracut module, /usr/lib/dracut/modules.d/99microcode_ctl-fw_dir_override, + that controls which additional firmware directories will be added to dracut's + default configuration; + * A dracut configuration file, /usr/lib/dracut/dracut.conf.d/01-microcode.conf, + that enables inclusion of early microcode to the generated initramfs + in dracut; + * A dracut configuration file, + /usr/lib/dracut/dracut.conf.d/99-microcode-override.conf, that provides a way + to quickly disable 99microcode_ctl-fw_dir-override dracut module; + * A systemd service file, microcode.service, that triggers microcode reload + late during boot; + * A set of directories in /usr/share/microcode_ctl/ucode_with_caveats, each + of which contains configuration and related data for various caveats related + to microcode: + * readme - description of caveat and related information, + * config - caveat configuration file, with syntax as described in "Caveat + configuration" section below, + * intel-ucode - directory containing microcode files related to the caveat; + * A set of support scripts, placed in /usr/libexec/microcode_ctl: + * "check_caveats" is an utility script that performs checks of the target + kernel (and running CPU) in accordance with caveat configuration files + in ucode_with_caveats directory and reports whether it passes them or not, + * "reload_microcode" is a script that is called by microcode.service and + triggers microcode reloading (by writing "1" to + /sys/devices/system/cpu/microcode/reload) if the running kernel passes + check_caveats checks, + * "update_ucode" is a script that populates symlinks to microcode files + in /lib/firmware, so it can be picked up by relevant kernels for the late + microcode loading. + +Also, microcode_ctl RPM includes triggers that run update_ucode script on every +installation or removal of a kernel RPM in order to provide microcode files +for newly installed kernels and cleanup symlinks for the uninstalled ones. + + +Microcode file structure +------------------------ +Intel x86 CPU microcode file (that is, one that can be directly consumed +by the CPU/kernel, and not its text representation such as used in microcode.dat +files) is a bundle of concatenated microcode blobs. Each blob has a header, +payload, and an optional additional data, as follows (for additional information +please refer to "Intel® 64 and IA-32 Architectures Software Developer’s Manual" +[1], Volume 3A, Section 9.11.1 "Microcode Update"): + * Header (48 bytes) + * Header version (unsigned 32-bit integer): version number of the update + header. Must be 0x1. + * Microcode revision (signed 32-bit integer) + * Microcode date (unsigned 32-bit integer): encoded as BCD in mmddyyyy format + (0x03141592 is 1592-03-14 in ISO 8601) + * CPU signature (unsigned 32-bit integer): CPU ID, as provided + by the CPUID (EAX = 0x1) instruction in the EAX register: + * bits 31..28: reserved + * bits 27..20: "Extended Family", summed with the Family field value + * bits 19..16: "Extended Model", bits 7..4 of the CPU model + * bits 15..14: reserved + * bits 13..12: "Processor Type", non-zero value (other than the "primary + processor") so far used only for the Deschutes (Pentium II) CPU family, + with the processor type of 1, to signify it is an Overdrive processor: + CPUID 0x1632. + * bits 11..08: Family, summed with the Extended Family field value + * bits 07..04: Model (bits 3..0) + * bits 03..00: Stepping + In short, microcode file with Family-Model-Stepping of uv-wx-0z corresponds + to CPUID 0x0TUw0Vxz, where uv = TU + V, with V usually being 0xF when + uv >= 16; with Family being 6 on most of recent Intel CPUs this transforms + into 0x000w06xz. Please also refer to README.intel-ucode, section "About + Processor Signature, Family, Model, Stepping and Platform ID" + for additional information. + * Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32) of all + the 32-bit integers comprising the microcode amounts to 0. + * Loader version (unsigned 32-bit integer): 0x1. + * Platform ID mask (unsigned 32-bit integer): lower 8 bits indicate the set + of possible values of bits 52..50 of MSR 0x17 ("Platform ID"). In old + (up to Pentium II) microcode blobs the mask may be zero. + * Data size (unsigned 32-bit integer): size of the Payload in bytes, + has to be divisible by 4. 0 means 2000. + * Total size (unsigned 32-bit integer): total microcode blob size (including + header and extended header), has to be divisible by 1024. 0 means 2048. + * Reserved (12 bytes). + * Payload + * Additional data (optional, 20 + 12 * n bytes) + * Extended signature table header (20 bytes) + * Extended signature count (unsigned 32-bit integer) + * Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32) + of all the 32-bit integers comprising the extender signature table + amounts to 0. + * Reserved (12 bytes). + * Extended signature (12 bytes each) + * CPU signature (unsigned 32-bit integer): see the description of the CPU + signature field in the Header above. + * Platform ID mask (unsigned 32-bit integer): see the description + of the Platform ID mask field in the Header above. + * Checksum (unsigned 32-bit integer): correct if sum (in base 1<< 32) + of all the 32-bit integers comprising the Header (with CPU signature + and Platform ID mask fields replaced with the values from this signature) + and the Payload amounts to 0. Note that since External signature table + header has its own checksum, sum of all its 32-bit values amounts to 0, + so the Checksum in the Header and in the Extended signature will be + the same if the values of CPU signature and Platform ID mask fields + are the same, + +[1] https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-1-2a-2b-2c-2d-3a-3b-3c-3d-and-4.html + + +Caveat configuration +-------------------- +There is a directory for each caveat under +/usr/share/microcode_ctl/ucode_with_caveats, containing the following files: + * "config", a configuration file for the caveat; + * "readme", that contains description of the caveat; + * set of related associated microcode files. + +"config" file is a set of lines each containing option name and its value, +separated by white space. Currently, the following options are supported: + * "model" option, which has format "VENDOR_ID FF-MM-SS", that specifies + to which CPU model the caveat is applicable (check_caveats ignores caveats + with non-matching models if "-m" option is passed to it). Can be set + in the configuration file only once (the last provided value is used). + * "vendor" option specifies CPUs of which vendor (as provided + in the /proc/cpuinfo file) the caveat is applicable to (check_caveats + ignores caveats with non-matching models when it is invoked with "-m" + option). Can be set in the configuration file only once. + * "path" is a glob pattern that specifies set of microcode files associated + with the caveat as a relative path to the caveat directory. This option + is used for populating files in /lib/firmware by update_ucode script and + for matching microcode file when dracut is run in host-only mode + (as in that case it uses only the first directory in firmware directory list + to look for the microcode file applicable to the host CPU). Can be set + in the configuration file multiple times. + * "kernel" is a minimal kernel version that supports proper handling + of the related microcode files during late microcode load. It may be + provided in one of the following formats that affect the way it is compared + to the running kernel version: + * A.B.C (where A, B, and C are decimal numbers), "upstream version". In this + case, simple version comparison against the respective part of the running + kernel version is used, and the running kernel version should be greater + or equal than the version provided in the configuration option in order + for comparison to succeed (that is, the first part, major version number, + of the running kernel version should be greater than the value provided + in the configuration option, or those should be equal and the second part, + minor version number, should be greater than the minor version number + of the kernel version provided in the configuration option, or the first + two parts should be equal and the third part, patch level, should + be greater or equal the patch level of the version in the configuration + option). + * A.B.C-Y (where A, B, C, and Y are decimal numbers), "Y-stream version". + In this case, A.B.C part should be equal, and Y part of the running kernel + version should be greater or equal than the Y part of the configuration + option version in order to satisfy the comparison requirement. + * A.B.C-Y.Z1.Z2 (where A, B, C, Y, Z1, and Z2 are decimal numbers), + "Z-stream version". In this case, A.B.C-Y part should be equal and Z1.Z2 + part of the running kernel should be greater or equal than the respective + part of the configuration option version (when compared as a version) + for comparison to succeed. + Kernel version check passed if at least one comparison of the running kernel + version against a kernel version provided in a configuration option + succeeded. The "kernel" configuration option can be provided + in the configuration file multiple times. + * "kernel_early" is a minimal kernel version that supports proper handling + of the related microcode during early microcode load. The format of the + option and its semantics is similar to the "kernel" configuration options. + This option can be provided multiple times as well. + * "mc_min_ver_late" is the minimal version of the currently loaded microcode + on the CPU (as reported in /proc/cpuinfo) that supports late microcode + update. Microcode update will be attempted only if the currently loaded + microcode version is greater or equal the microcode version provided + in the configuration option. Can be set in the configuration file only once. + * "disable" is a way to disable a specific caveat from inside its + configuration. Argument for the argument is a list of stages ("early", + "late") for which the caveat should be disable. The configuration option + can be provided multiple times in a configuration file. + * "pci_config_val" performs check for specific values in selected parts + of configuration space of specified PCI devices. If "-m" option + is not specified, then the actual check is skipped, and the check returns + result in accordance with the provided "mode" option (se below). Check + arguments are a white-space-separated list of "key=value" pairs. + The following keys are supported: + * "domain" - PCI domain number, or "*" (an asterisk) for any domain. + Default is "*". + * "bus" - PCI bus number, or "*" (an asterisk) for any bus. Default is "*". + * "device" - PCI device number, or "*" (an asterisk) for any device. + Default is "*". + * "function" - PCI function number, or "*" (an asterisk) for any function. + Default is "*". + * "vid" - PCI vendor ID, or empty string for any vendor ID. Default + is empty string. + * "did" - PCI device ID, or empty string for any device ID. Default + is empty string. + * "offset" - offset in device's configuration space where the value resides. + Default is 0. + * "size" - field size. Possible values are 1, 2, 4, or 8. Default is 4. + * "mask" - mask applied to the values during the check. Default is 0. + * "val" - comma-separated list of matching values. Default is 0. + * "mode" - check mode, the way matches are interpreted: + * "success-any" - check succeeds if there was at least one match, + otherwise it fails. + * "success-all" - check succeeds if there was at least one device checked + and all the checked devices have matches, otherwise the check fails. + * "fail-any" - check fails if there was at least one match, otherwise + it succeeds. + * "fail-all" - check fails if there was at least one device checked + and all the checked devices have matches, otherwise the check succeeds. + Default is "success-any". + An example of a check: + pci_config_val mode=success-all device=30 function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8 + It interprets 4 bytes at offset 0x84 of special files "config" under + directories that match glob pattern "/sys/bus/pci/devices/*:*:1e.3" + as an unsigned integer value, applies mask 0x38 (thus selecting bit 5..3 + of it) and checks whether it is one of the values 0x38, 0x18, or 0x8 (0b111, + 0b011, or 0b001 in bits 5..3, respectively); if there are such files, + and all the checked values in every checked file has matched at least one + of the aforementioned value, then the check is successful, otherwise + it fails (in accordance with "mode=success-all" semantics). This check fails + if "-m" option is not specified. + * "dmi" performs checks for specific values available in DMI sysfs files + (present under /sys/devices/virtual/dmi/id/). The check (when it is actually + performed; see a not about "no-model-mode" below) fails if one of the files + is not readable. If "-m" option is not specified, then the actual check + is skipped, and the check returns value in accordance with "no-model-mode" + parameter value (see below). Check arguments are a white-space-separated + list of "key=value" pairs. The following keys are supported: + * "key" - DMI file to check. Value can be one of the following: bios_date, + bios_vendor, bios_version, board_asset_tag, board_name, board_serial, + board_vendor, board_version, chassis_asset_tag, chassis_serial, + chassis_type, chassis_vendor, chassis_version, product_family, + product_name, product_serial, product_uuid, product_version, sys_vendor. + Default is empty string. + * "val" - a string to match DMI data present in "key" against. + Can be enclosed in single or double quotes. Default is empty string. + * "keyval" - a pair of "key" and "val" values (with semantics described + above), separated with either "=", ":", "!=", or "!:" characters. Enables + providing of multiple key-value pairs by means of supplying multiple + keyval= parameters. The exclamation sign ("!") character in separator + enables negated matching (so, non-equality of the value in DMI "key" file + and the value of "val" is). The match considered successful when all + the key/val (non-)equalities are in effect. This parameter works + in addition to the pair provided in "key" and "val" parameters + (but allows to avoid using them). Default is empty. + * "mode" - check mode, the way successful matches are interpreted: + * "success-equal" - returns 0 if the value present in the file + with the name supplied via the "key" parameter file under + /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value + of "val" parameter and all the pairs provided in "keyval" parameters + are equal and non-equal in accordance with their definition, + otherwise 1. + * "fail-equal" - returns 1 if the value present in the file + with the name supplied via the "key" parameter file under + /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value + of "val" parameter and all the pairs provided in "keyval" parameters + are equal and non-equal in accordance with their definition, + otherwise 0. + Default is "success-any". + * "no-model-mode" - return value if model filter ("-m" option) + is not enabled: + * "success" - return 0. + * "fail" - return 1. + Default is "success". + An example of a check: + dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc." + It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its + content is "Dell Inc." (without quotes). It succeeds if "-m" option + is not enabled. + Another example: + dmi mode=fail-equal keyval="sys_vendor=Amazon EC2" keyval="product_name=u-18tb1.metal" + dmi mode=fail-equal keyval="sys_vendor=Lenovo" keyval="product_name=ThinkSystem SR950" + It blocks the caveat from using when either both + /sys/devices/virtual/dmi/id/sys_vendor contains the string "Amazon EC2" + and /sys/devices/virtual/dmi/id/product_name contains the string + "u-18tb1.metal" or both /sys/devices/virtual/dmi/id/sys_vendor contains + the string "Lenovo" and /sys/devices/virtual/dmi/id/product_name contains + the string "ThinkSystem SR950", but enables caveat loading for other products + with the aforementioned /sys/devices/virtual/dmi/id/sys_vendor values, + for example. + * "dependency" allows conditional enablement of a caveat based on the check + status of some other caveat(s). It has the following format: + dependency DEPENDENCY_TYPE DEPENDENCY_NAME [OPTION...] + where DEPENDENCY_NAME is the configuration to be checked, OPTIONs + are per-DEPENDENCY_TYPE, and the only DEPENDENCY_TYPE that is supported + currently is "required". + Options for the "required" dependency type: + * "match-model-mode" - whether model matching mode ("-m" option) + has to be used for the nested configuration check. Possible values: + * "on" - model-matching mode is always used during the nested check; + * "off" - model-matching mode is never used during the nested check; + * "same" - used the same model-matching mode as it is now. + Default is "same". + * "skip" - controls result of the check when the nested check indicated + skipping of the configuration. + * "fail" - the dependent check fails; + * "success" - the dependent check succeeds; + * "skip" - the dependent check indicates that the configuration + is to be skipped. + Default is "skip". + * "force-skip" - controls result of the check when the nested check + indicated skipping of the configuration caused by the presence + of an override file (see "check_caveats script" section for details). + * "fail" - the dependent check fails; + * "success" - the dependent check succeeds; + * "skip" - the dependent check indicates that the configuration + is to be skipped. + Default is "skip". + * "nesting-too-deep" - as a measure against dependency loop, configuration + checking logic implements nesting limit on dependency checks (currently + set at 8). This option controls the behaviour of the check + when the nested check cannot be performed due to this limit. + * "fail" - the dependent check fails; + * "success" - the dependent check succeeds; + * "skip" - the dependent check indicates that the configuration + is to be skipped. + Default is "fail". + An example of a check: + dependency required intel skip=success match-model-mode=off + It checks "intel" caveat configuration (see the "Early microcode load + inside a virtual machine" section) with model-matching mode being disabled, + treats skipping of the configuration as a success (unless the configuration + is forced to be skipped, in that case the dependent configuration + is to be skipped as well). + + +check_caveats script +-------------------- +"check_caveats" is an utility script (called by update_ucode, reload_microcode, +dracut module) that performs checks of the target kernel (and running CPU) +in accordance with caveat configuration files in directory +"/usr/share/microcode_ctl/ucode_with_caveats", and returns information, whether +the system passes the checks, or not. + +Usage: + check_caveats [-e] [-k TARGET_KVER] [-c CONFIG]* [-m] [-v]' + +Options: + -e - check for early microcode load possibility (instead of late microcode + load). "kernel_early" caveat configuration options are used for checking + instead of "kernel", and "mc_min_ver_late" is not checked. + -k - target kernel version to check against, $(uname -r) is used otherwise. + -c - caveat(s) to check, all caveat configurations found inside + $MC_CAVEATS_DATA_DIR are checked otherwise. + -m - ignore caveats that do not apply to the current CPU model. + -v - verbose output. + +Environment: + MC_CAVEATS_DATA_DIR - directory that contains caveats configurations, + "/usr/share/microcode_ctl/ucode_with_caveats" + by default. + FW_DIR - directory containing firmware files (per-kernel configuration + overrides are checked there), "/lib/firmware" by default. + CFG_DIR - directory containing global caveats overrides, + "/etc/microcode_ctl/ucode_with_caveats" by default. + +Output: + Script returns information about caveats check results. Output has a format + of "KEY VALUE1 VALUE2 ..." with KEY defining the semantics of the VALUEs. + Currently, the following data is issued: + - "cfgs" - list of caveats that have been processed (and not skipped + due to missing "config", "readme", or a disallow-* override described + below); + - "skip_cfgs" - list of caveats that have been skipped (due to missing + config/readme file, or because of overrides); + - "paths" - list of glob patterns matching files associated with caveats + that have been processed; + - "ok_cfgs" - list of caveat configurations that have all the checks passed + (or have enforced by one of force-* overrides described below); + - "ok_paths" - list of glob patterns associated with caveat files from + the "ok_cfgs" list; + - "fail_cfgs" - list of caveats that have one of the checks failed. + - "fail_paths" - list of glob patterns associated with caveats from the + "fail_cfgs" list. + +Return value: + - 0 in case caveats check has passed, 1 otherwise. + - In "-d" mode, 0 is always returned. + +Overrides: + +When check_caveats perform its checks, it also checks for presence of files +in specific places, and, if they exist, check_caveats skips a caveat or ignores +its checks; that mechanism allows overriding the information provided +in configuration on local systems and affect the behaviour of the microcode +update process. + +Current list of overrides (where $FW_DIR and $CFG_DIR are the environment +options described earlier; $kver - the currently processed kernel version, +$s is the requested stage ("early" or "late"), $cfg is the caveat directory +name): + $FW_DIR/$kver/disallow-$s-$cfg - skip a caveat for the requested stage for + a specific kernel version.. + $FW_DIR/$kver/force-$s-$cfg - apply a specific caveat file for a specific + kernel version for the requested stage without + performing any checks. + $FW_DIR/$kver/disallow-$cfg - skip a caveat for any stage for a specific + kernel version. + $FW_DIR/$kver/force-$cfg - apply a specific caveat for any stage + for a specific kernel version without checks. + $FW_DIR/$kver/disallow-$s - skip all caveats for a specific stage + for a specific kernel version. + $CFG_DIR/disallow-$s-$cfg - skip a caveat for a specific stage for all + kernel versions. + $FW_DIR/$kver/force-$s - apply all caveats for a specific stage + for a specific kernel version without checks. + $CFG_DIR/force-$s-$cfg - apply a specific caveat for a specific stage for + all kernel versions without checks. + $FW_DIR/$kver/disallow - skip all caveats for all stages for a specific + kernel version. + $CFG_DIR/disallow-$cfg - skip a caveat for all stages for all kernel + versions. + $FW_DIR/$kver/force - apply all caveats for all stages for a specific kernel + version without checks. + $CFG_DIR/force-$cfg - apply a caveat for all stages for all kernel versions + without checks. + $CFG_DIR/disallow-$s - skip all caveat for all kernel versions + for a specific stage. + $CFG_DIR/force-$s - apply all caveats for all kernel versions for specific + stage without checks. + $CFG_DIR/disallow - skip all caveats for all stages for all kernel versions + (disable everything). + $CFG_DIR/force - force all caveats for all stages for all kernel versions + (enable everything). + +The "apply" action above means creating symlinks in /lib/firmware by +update_ucode in case of the "late" stage and adding caveat directory to the list +of firmware directories by dracut plugin in case of the "early" stage. + +The files are checked for existence until the first match, so more specific +overrides can override more broad ones. + +Also, a caveat is ignored if it lacks either config or readme file. + + +update_ucode script +------------------- +"update_ucode" populates symlinks to microcode files in accordance with caveats +configuration. It enables late microcode loading that is invoked by triggering +/sys/devices/system/cpu/microcode/reload file. Since caveats depend +on the kernel version, symlinks are populated inside +"/lib/firmware/KERNEL_VERSION" directory for each installed kernel. +As a consequence, this script is triggered upon each kernel package installation +and removal. + +The script has two parts: common and kernel-version-specific. + +During the common part, files are populated from +/usr/share/microcode_ctl/intel-ucode in /lib/firmware/intel-ucode. There are +several possibilities to affect the process: + * Presence of "/etc/microcode_ctl/intel-ucode-disallow" file leads to skipping + the common part of the script. + * The same for "/lib/firmware/intel-ucode-disallow". + +During the kernel-version-specific part, each caveat is checked against every +kernel version, and those combinations, for which caveat check succeeds, +gets the symlinks to the associated microcode files populated. + * Absence of "/lib/firmware/KERNEL_VERSION/readme-CAVEAT" prevents update_ucode + from removing symlinks related to the caveat for specific kernel version. + * Since the check is being done by check_caveats, all the overrides that + described there also stay. + +Usage: + update_ucode [--action {add|remove|refresh|list}] [--kernel KERNELVER]* + [--verbose] [--dry-run] [--cleanup intel_ucode caveats_ucode] + [--skip-common] [--skip-kernel-specific] + +Options: + --action - action to perform. Currently, the following actions are supported: + * "add" - create new symlinks. + * "remove" - remove old symlinks that are no longer needed. + * "refresh" - re-populate symlinks. + * "list" - list files under control of update_ucode. + By default, "refresh" action is executed. + --kernel - kernel version to process. By default, list of kernel versions + is formed based on contents of /lib/firmware and /lib/modules + directories. + --verbose - verbose output. + --dry-run - do not call commands, just print the invocation lines. + --cleanup - cleanup mode. Used by post-uninstall script during package + upgrades. Removes excess files in accordance to the contents + of the files provided in the arguments to the option. + --skip-common - do not process /lib/firmware directory. + --skip-kernel-specific - do not process /lib/firmware/KERNEL_VERSION + directories. + +Return value: + 0 on success, 1 on error. + + +reload_microcode script +----------------------- +"reload_microcode" is a script that is called by microcode.service and +triggers late microcode reloading (by writing "1" to +/sys/devices/system/cpu/microcode/reload) if the following check are passed: + * the microcode update performed not in a virtualised environment; + * running kernel passes "check_caveats" checks that applicable to the current + CPU model. + +For a virtualised environment check, the script searches the "/proc/cpuinfo" +file for presence of the "hypervisor" flag among CPU features (it corresponds +to a CPUID feature bit set by hypervisors in order to inform that the kernel +operates inside a virtual machine). This check can be overridden and skipped +by creation of a file "/etc/microcode_ctl/ignore-hypervisor-flag". + +The script has no options and always returns 0. + + +99microcode_ctl-fw_dir_override dracut module +--------------------------------------------- +This dracut module injects directories with microcode files for caveats +that pass "early" check_caveats check (with "-e" flag). In addition +to "check_caveats" overrides, the following abilities to control module's +behaviour are present: + * Presence of one of the following files: + - /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check + - /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check-$cfg + - /lib/firmware/$kver/skip-host-only-check + - /lib/firmware/$kver/skip-host-only-check-$cfg + (where "$kver" is the kernel version in question and "$cfg" is the caveat + directory name) allows skipping matching of microcode file name when dracut's + Host-Only mode is enabled. + +When caveats_check succeeds, caveats directory (not its possibly populated +version for late microcode update: "/lib/firmware/KERNEL_VERSION"; +it is done so in order +to have ability to configure list of caveats enabled for early and late +microcode update, independently) is added to dracut's list of firmware search +directories. + +The module can be disabled by running dracut with +"-o microcode_ctl-fw_dir_override" (for one-time exclusion), or it can +be disabled permanently by uncommenting string +"omit_dracutmodules+=' microcode_ctl-fw_dir_override '" in +/usr/lib/dracut/dracut.conf.d/99-microcode-override.conf configuration file. + +See dracut(8), section "Omitting dracut Modules", and dracut.conf(5), variable +"omit_dracutmodules" for additional information. + + +Caveats +======= + +Intel Broadwell-EP/EX ("BDX-ML B/M/R0") caveat +---------------------------------------------- +Microcode update process on Intel Broadwell-EP/EX CPUs (BDX-ML B/M/R0, +family 6, model 79, stepping 1) has issues that lead to system instability. +A series of changes for the Linux kernel has been developed in order to work +around those issues; however, as it turned out, some systems have issues even +when a microcode update performed on a kernel that contains those changes. +As a result, microcode update for this CPU model is disabled by default; +the microcode file, however, is still shipped as a part of microcode_ctl +package and can be used for performing a microcode update if it is enforced +via the aforementioned overrides. (See the sections "check_caveats script" +and "reload_microcode script" for details.) + +Caveat name: intel-06-4f-01 + +Affected microcode: intel-ucode/06-4f-01. + +Dependencies: intel + +Mitigation: microcode loading is disabled for the affected CPU model. + +Minimum versions of the kernel package that contain the aforementioned patch +series: + - Upstream/RHEL 8/RHEL 9: 4.17.0 + - RHEL 7.6 onwards: 3.10.0-894 + - RHEL 7.5: 3.10.0-862.6.1 + - RHEL 7.4: 3.10.0-693.35.1 + - RHEL 7.3: 3.10.0-514.52.1 + - RHEL 7.2: 3.10.0-327.70.1 + - RHEL 6.10: 2.6.32-754.1.1 + - RHEL 6.7: 2.6.32-573.58.1 + - RHEL 6.6: 2.6.32-504.71.1 + - RHEL 6.5: 2.6.32-431.90.1 + - RHEL 6.4: 2.6.32-358.90.1 + + +Early microcode load inside a virtual machine +--------------------------------------------- +RHEL 9 kernel supports performing microcode update during early boot stage +from a cpio archive placed at the beginning of the initramfs image. However, +when an early microcode update is attempted inside some virtualised +environments, that may result in unexpected system behaviour. + +Caveat name: intel + +Affected microcode: all. + +Dependencies: (none) + +Mitigation: early microcode loading is disabled for all CPU models on kernels +without the fix. + +Minimum versions of the kernel package that contain the fix: + - Upstream/RHEL 8/RHEL 9: 4.10.0 + - RHEL 7.6 onwards: 3.10.0-930 + - RHEL 7.5: 3.10.0-862.14.1 + - RHEL 7.4: 3.10.0-693.38.1 + - RHEL 7.3: 3.10.0-514.57.1 + - RHEL 7.2: 3.10.0-327.73.1 + + +Intel Sandy Bridge-E/EN/EP caveat +--------------------------------- +Microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6, +model 45, stepping 7), that was released to address MDS vulnerability, +and was available from microcode-20190618 up to microcode-20190508 release) +could lead to system instability[1][2]. In order to address this, +this microcode update was not used and the previous microcode revision +was provided instead by default; the microcode file, however, was still shipped +as part of microcode_ctl package and could be used for performing a microcode +update if it is enforced via the aforementioned overrides. With the release +of 0x71a revision of the microcode (as art of microcode-20200520 release) +that aims at fixing the aforementioned stability issue, the latest microcode +revision is again used by default; it is still provided via the caveat +mechanism, hovewer, in order to enable ability to disable it in case such +a need arises. (See the sections "check_caveats script" and "reload_microcode +script" for details regarding caveats mechanism operation.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15 +[2] https://access.redhat.com/solutions/4593951 + +Caveat name: intel-06-2d-07 + +Affected microcode: intel-ucode/06-2d-07. + +Dependencies: intel + +Mitigation: None; the latest revision of the microcode file is used by default; +previously published microcode revision 0x714 is still available as a fallback +as part of "intel" caveat. + + +Intel Skylake-SP/W/X caveat +--------------------------- +Microcode revision 0x2000065 (that was provided with microcode releases +microcode-20191112 up to microcode-20200520) for some CPU models that belong +to Intel Skylake Scalable Platform (SKL-W/X, family 6, model 85, stepping 4, +Workstation/HEDT segments) could lead to hangs during reboot[1]. In order +to address this, by default this microcode update was disabled by default and +and the previous 0x2000064 microcode revision was used instead; the microcode +file with, however, is still shipped as part of microcode_ctl package and can +be used for performing a microcode update if it is enforced +via the aforementioned overrides. With the availability of 0x2006906 revision +of the microcode (in the microcode-20200609 release) that fixes +the aforementioned issue, the latest microcode revision is again used +by default; it is still provided via caveat mechanism, hovewer, in order +to enable ability to disable it in case such a need arises. (See the sections +"check_caveats script" and "reload_microcode script" for details regarding +caveats mechanism operation.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 + +Caveat name: intel-06-55-04 + +Affected microcode: intel-ucode/06-55-04. + +Dependencies: intel + +Mitigation: None; the latest revision of the microcode file is used by default; +previously published microcode revision 0x2000064 is still available +as a fallback as part of "intel" caveat. + + +Intel Skylake-U/Y caveat +------------------------ +Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3) +have reports of system hangs when revision 0xdc of microcode, that is included +in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548, +and CVE-2020-0549, is applied[1]. In order to address this, microcode update +to the newer revision has been disabled by default on these systems, +and the previously published microcode revision 0xd6 is used instead; the newer +microcode files, however, are still shipped as part of microcode_ctl package +and can be used for performing a microcode update if they are enforced +via the aforementioned overrides. (See the sections "check_caveats script" +and "reload_microcode script" for details.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 + +Caveat name: intel-06-4e-03 + +Affected microcode: intel-ucode/06-4e-03 + +Dependencies: intel + +Mitigation: previously published microcode revision 0xd6 is used by default. + + +Intel Skylake-H/S/Xeon E3 v5 caveat +----------------------------------- +Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94, +stepping 3) had reports of system hangs when revision 0xdc of microcode, +that is included in microcode-20200609 update to address CVE-2020-0543, +CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order to address this, +microcode update to the newer revision had been disabled by default on these +systems, and the previously published microcode revision 0xd6 was used instead. +The revision 0xea seems[2] to have fixed the aforementioned issue, hence +the latest microcode revision usage it is enabled by default, +but can be disabled explicitly via the aforementioned overrides. (See +the sections "check_caveats script" and "reload_microcode script" for details.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 +[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014 + +Caveat names: intel-06-5e-03 + +Affected microcode: intel-ucode/06-5e-03. + +Dependencies: intel + +Mitigation: None; the latest revision of the microcode file is used by default; +previously published microcode revision 0xd6 is still available as a fallback +as part of "intel" caveat. + + +Dell caveats +------------ +Some Dell systems that use some models of Intel CPUs are susceptible to hangs +and system instability during or after microcode update to revision 0xc6/0xca +(included as part of microcode-20191113/microcode-20191115 update that addressed +CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139) +and/or revision 0xd6 (included as part of microcode-20200609 update +that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549) +[1][2][3][4][5][6]. In order to address this, microcode update to the newer +revision has been disabled by default on these systems, and the previously +published microcode revisions 0xae/0xb4/0xb8 are used by default +for the OS-driven microcode update. + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23 +[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24 +[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33 +[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34 +[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35 +[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097 + +Caveat names: intel-06-8e-9e-0x-dell, intel-06-8e-9e-0x-0xca + +Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a, + intel-ucode/06-8e-0b, intel-ucode/06-8e-0c, + intel-ucode/06-9e-09, intel-ucode/06-9e-0a, + intel-ucode/06-9e-0b, intel-ucode/06-9e-0c, + intel-ucode/06-9e-0d. + +Dependencies: intel + +Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used + by default if /sys/devices/virtual/dmi/id/bios_vendor reports + "Dell Inc."; otherwise, the latest microcode revision is used. + Caveat with revision 0xca of microcode files is provided + as a convenience for the cases where it was working well before. + + +Intel Tiger Lake-UP3/UP4 caveat +------------------------------- +Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140, +stepping 1) had reports of system hangs when a microcode update, +that was included since microcode-20201110 release, was applied[1]. +In order to address this, microcode update to a newer revision had been disabled +by default on these systems. The revision 0x88 seems to have fixed +the aforementioned issue, hence it is enabled by default; however, it is still +can be disabled via the aforementioned overrides. (See the sections +"check_caveats script" and "reload_microcode script" for details.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 + +Caveat names: intel-06-8c-01 + +Affected microcode: intel-ucode/06-8c-01. + +Dependencies: intel + +Mitigation: None; the latest revision of the microcode file is used by default. + + + +Additional information +====================== +Red Hat provides updated microcode, developed by its microprocessor partners, +as a customer convenience. Please contact your hardware vendor to determine +whether more recent BIOS/firmware updates are recommended because additional +improvements may be available. + +Information regarding microcode revisions required for mitigating specific +Intel CPU vulnerabilities is available in the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov + * CVE-2020-0543 (Special Register Buffer Data Sampling), + CVE-2020-0548 (Vector Register Data Sampling), + CVE-2020-0549 (L1D Cache Eviction Sampling): + https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 + * CVE-2020-24489 (VT-d-related Privilege Escalation), + CVE-2020-24511 (Improper Isolation of Shared Resources), + CVE-2020-24512 (Observable Timing Discrepancy), + CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): + https://access.redhat.com/articles/6101171 diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats new file mode 100755 index 0000000..b821160 --- /dev/null +++ b/SOURCES/check_caveats @@ -0,0 +1,1006 @@ +#! /bin/bash -eu + +# Script for checking various microcode caveats +# +# +# SPDX-License-Identifier: CC0-1.0 + +: ${MC_CAVEATS_DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats} +: ${FW_DIR=/lib/firmware} +: ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats} + +MAX_NESTING_LEVEL=8 + +usage() { + echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]' + echo ' [-m] [-v]' + echo + echo ' -d - enables disclaimer printing mode' + echo ' -e - check for early microcode load possibility (instead of' + echo ' late microcode load)' + echo ' -k - target version to check against, $(uname -r) is used' + echo ' otherwise' + echo ' -c - caveat config(s) to check, all configs are checked' + echo ' otherwise' + echo ' -m - check that caveats actually apply to the current model' + echo ' -v - verbose output' + echo + echo 'Environment:' + echo ' MC_CAVEATS_DATA_DIR - directory that contains caveats' + echo ' configuration data' +} + +debug() { [ 0 = "$verbose" ] || echo "$*" >&2; } + +# A simplified RPM version comparison that takes into account knowledge about +# Y- and Z-streams (so it compares versions inside Y-stram or Z-stream if +# the version against which comparison is performed has appropriate versioning +# scheme). +# +# $1 - kernel version to check +# $* - list of kernel versions to check against +check_kver() +{ + local t_major= t_minor= t_patch= t_y= t_z1= t_z2= t_rest= + local m_major= m_minor= m_patch= m_y= m_z1= m_z2= m_rest= + local cmp_type= + + # IFS=.- read -r t_major t_minor t_patch t_y t_z1 t_z2 t_rest <<<"$1" + # "cannot create temp file for here-document: Read-only file system" + # that's why we can't have nice things. + t_major=${1%%.*} + t_rest=${1#${t_major}} + t_rest=${t_rest#.} + t_minor=${t_rest%%.*} + t_rest=${t_rest#${t_minor}} + t_rest=${t_rest#.} + t_patch=${t_rest%%-*} + t_rest=${t_rest#${t_patch}} + t_rest=${t_rest#-} + t_y=${t_rest%%.*} + t_rest=${t_rest#${t_y}} + t_rest=${t_rest#.} + t_z1=${t_rest%%.*} + t_rest=${t_rest#${t_z1}} + t_rest=${t_rest#.} + t_z2=${t_rest%%.*} + + # minor/major/patch/y should be numeric + [ -n "${t_major##*[!0-9]*}" ] || return 1 + [ -n "${t_minor##*[!0-9]*}" ] || return 1 + [ -n "${t_patch##*[!0-9]*}" ] || return 1 + [ -n "${t_y##*[!0-9]*}" ] || return 1 + # reset z1/z2 to zero if non-numeric + [ -n "${t_z1##*[!0-9]*}" ] || t_z1=0 + [ -n "${t_z2##*[!0-9]*}" ] || t_z2=0 + + while [ 1 -lt "$#" ]; do + cmp_type=upstream + + shift + m_major=${1%%.*} + m_rest=${1#${m_major}} + m_rest=${m_rest#.} + m_minor=${m_rest%%.*} + m_rest=${m_rest#${m_minor}} + m_rest=${m_rest#.} + m_patch=${m_rest%%-*} + m_rest=${m_rest#${m_patch}} + m_rest=${m_rest#-} + m_y=${m_rest%%.*} + m_rest=${m_rest#${m_y}} + m_rest=${m_rest#.} + m_z1=${m_rest%%.*} + m_rest=${m_rest#${m_z1}} + m_rest=${m_rest#.} + m_z2=${m_rest%%.*} + + # minor/major/patch should be numeric + [ -n "${m_major##*[!0-9]*}" ] || continue + [ -n "${m_minor##*[!0-9]*}" ] || continue + [ -n "${m_patch##*[!0-9]*}" ] || continue + # reset z1/z2 to zero if non-numeric + [ -n "${m_y##*[!0-9]*}" ] && cmp_type=y || m_y=0 + [ -n "${m_z1##*[!0-9]*}" ] && cmp_type=z || m_z1=0 + [ -n "${m_z2##*[!0-9]*}" ] && cmp_type=z || m_z2=0 + + # Comparing versions + case "$cmp_type" in + upstream) + [ "$t_major" -ge "$m_major" ] || continue + [ "$t_minor" -ge "$m_minor" ] || continue + [ "$t_patch" -ge "$m_patch" ] || continue + return 0 + ;; + y) + [ "$t_major" -eq "$m_major" ] || continue + [ "$t_minor" -eq "$m_minor" ] || continue + [ "$t_patch" -eq "$m_patch" ] || continue + [ "$t_y" -ge "$m_y" ] || continue + return 0 + ;; + z) + [ "$t_major" -eq "$m_major" ] || continue + [ "$t_minor" -eq "$m_minor" ] || continue + [ "$t_patch" -eq "$m_patch" ] || continue + [ "$t_y" -eq "$m_y" ] || continue + [ "$t_z1" -ge "$m_z1" ] || continue + [ "$t_z2" -ge "$m_z2" ] || continue + return 0 + ;; + esac + done + + return 1 +} + +# It is needed for SKX[1] for which different product segments +# are differentiated by a value in the CAPID0 field of PCU registers +# device[2]. +# [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 +# [2] https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13 +# +# $1 - params in config file, space-separated, in key=value form: +# domain=* - PCI domain, '*' or number +# bus=* - PCI bus, '*' or number +# device=* - PCI device, '*' or number +# function=* - PCI function, '*' or number +# vid= - PCI vendor ID, empty or number +# did= - PCI device ID, empty or number +# offset=0 - offset in configuration space +# size=4 - field size +# mask=0 - mask applied to the data read +# val=0 - comma-separated list of possible values +# mode=success-any [ success-ail, fail-any, fail-all ] - matching mode: +# success-any: Returns 0 if there was at least one match, otherwise 1. +# success-all: Returns 0 if there was at least one device checked and all +# the checked devices have matches, otherwise 1. +# fail-any: Returns 1 if there was at least one match, otherwise 0. +# fail-all: Returns 1 if there was at least one device checked and all +# the checked devices have matches, otherwise 0. +# $2 - whether model filter is engaged (if it is not '1', just return the result +# based on "mode" value that assumes that there were 0 checks/0 matches). +check_pci_config_val() +{ + local domain='*' bus='*' device='*' func='*' vid= did= + local offset=0 size=4 mask=0 val=0 mode=success-any + local checked=0 matched=0 path='' + local dev_path dev_vid dev_did dev_val + local opts="${1:-}" + local match_model="${2:-0}" + + set -- $1 + while [ "$#" -gt 0 ]; do + [ "x${1#domain=}" = "x${1}" ] || domain="${1#domain=}" + [ "x${1#bus=}" = "x${1}" ] || bus="${1#bus=}" + [ "x${1#device=}" = "x${1}" ] || device="${1#device=}" + [ "x${1#function=}" = "x${1}" ] || func="${1#function=}" + [ "x${1#vid=}" = "x${1}" ] || vid="${1#vid=}" + [ "x${1#did=}" = "x${1}" ] || did="${1#did=}" + [ "x${1#offset=}" = "x${1}" ] || offset="${1#offset=}" + [ "x${1#size=}" = "x${1}" ] || size="${1#size=}" + [ "x${1#mask=}" = "x${1}" ] || mask="${1#mask=}" + [ "x${1#val=}" = "x${1}" ] || val="${1#val=}" + [ "x${1#mode=}" = "x${1}" ] || mode="${1#mode=}" + + shift + done + + path="$domain" + if [ "x$bus" = 'x*' ]; then + path="$path:$bus"; + else + path=$(printf '%s:%02x' "$path" "$bus") + fi + if [ "x$device" = 'x*' ]; then + path="$path:$device"; + else + path=$(printf '%s:%02x' "$path" "$device") + fi + if [ "x$func" = 'x*' ]; then + path="$path.$func"; + else + path=$(printf '%s.%01x' "$path" "$func") + fi + + # Normalise VID, DID + [ -n "$vid" ] || vid="$(printf '0x%04x' "$vid")" + [ -n "$did" ] || did="$(printf '0x%04x' "$did")" + + ( [ 1 != "$match_model" ] \ + || /usr/bin/find /sys/bus/pci/devices/ -maxdepth 1 -name "$path" \ + || : ) | ( + while read -r dev_path; do + # Filter VID, DID + if [ -n "$vid" ]; then + dev_vid=$(/bin/cat "$dev_path/vendor") + [ "x$vid" = "x$dev_vid" ] || continue + fi + if [ -n "$did" ]; then + dev_did=$(/bin/cat "$dev_path/device") + [ "x$did" = "x$dev_did" ] || continue + fi + + checked="$((checked + 1))" + + dev_val="$(/usr/bin/od -j "$offset" -N "$size" -A n \ + -t "u$size" "$dev_path/config")" + + val_rest="${val}" + while :; do + cur_val="${val_rest%%,*}" + if [ "$((dev_val & mask))" = "$((cur_val & mask))" ] + then + matched="$((matched + 1))" + break + fi + [ "x${val_rest}" != "x${val_rest#*,}" ] || break + val_rest="${val_rest#*,}" + done + + case "$mode" in + success-any) [ "$matched" -eq 0 ] || { echo 0; exit; } ;; + success-all) [ "$matched" -eq "$checked" ] || { echo 1; exit; } ;; + fail-any) [ "$matched" -eq 0 ] || { echo 1; exit; } ;; + fail-all) [ "$matched" -eq "$checked" ] || { echo 0; exit; } ;; + *) echo 2; exit;; + esac + done + + debug "PCI config value check ($opts): checked $checked," \ + "matched $matched (model check is set to $match_model)" + + case "$mode" in + success-any) if [ "$matched" -eq 0 ]; then echo 1; else echo 0; fi ;; + success-all) if [ "$matched" -gt 0 -a "$matched" -eq "$checked" ]; then echo 0; else echo 1; fi ;; + fail-any) if [ "$matched" -eq 0 ]; then echo 0; else echo 1; fi ;; + fail-all) if [ "$matched" -gt 0 -a "$matched" -eq "$checked" ]; then echo 1; else echo 0; fi ;; + *) echo 2; exit;; + esac + ) +} + +# It is needed for filtering by BIOS vendor name that is available in DMI data +# +# $1 - params in config file, space-separated, in key=value form: +# key= - DMI data record to check. Can be one of the following: bios_date, +# bios_vendor, bios_version, board_asset_tag, board_name, board_serial, +# board_vendor, board_version, chassis_asset_tag, chassis_serial, +# chassis_type, chassis_vendor, chassis_version, product_family, +# product_name, product_serial, product_uuid, product_version, +# sys_vendor. +# val= - a string to match DMI data against. Can be enclosed in single +# or double quotes. +# keyval= - a string of format "KEY(!)?[=:]VAL" (so, one of "KEY=VAL", +# "KEY!=VAL", "KEY:VAL", "KEY!:VAL") that allows providing +# a key-value pair in a single parameter. It is possible to provide +# multiple keyval= parameters. "!" before :/= means negated match. +# The action supplied in the mode= parameter is executed upon +# successful (non-)matching of all the keyval pairs (as well +# as the pair provided in a pair of key= and val= parameters). +# mode=success-equal [ success-equal, fail-equal ] - matching mode: +# success-equal: Returns 0 if the all values present in the corresponding +# files under /sys/devices/virtual/dmi/id/ are equal +# (or not equal in case of a keyval= with negated match) +# to the respective values supplied as the values +# of the keyval= parameters or the pair of key= vand val= +# parameters, otherwise 1. +# fail-equal: Returns 1 if all the values present in DMI files in sysfs +# match (as described above), otherwise 0. +# no-model-mode=success [ success, fail ] - return value if model filter +# is not enabled: +# success: Return 0. +# fail: Return 1. +# $2 - whether model filter is engaged (if it is not '1', just return the result +# based on "no-model-mode" value). +check_dmi_val() +{ + local key= val= keyval= keyvals= mode='success-equal' nm_mode='success' + local opts="${1:-}" opt= opt_= + local match_model="${2:-0}" + + local valid_keys=" bios_date bios_vendor bios_version board_asset_tag board_name board_serial board_vendor board_version chassis_asset_tag chassis_serial chassis_type chassis_vendor chassis_version product_family product_name product_serial product_uuid product_version sys_vendor " + local success=1 + + while [ -n "$opts" ]; do + opt="${opts%%[ ]*}" + [ -n "${opt}" ] || { opts="${opts#[ ]}"; continue; } + + [ "x${opt#key=}" = "x${opt}" ] || key="${opt#key=}" + [ "x${opt#mode=}" = "x${opt}" ] || mode="${opt#mode=}" + [ "x${opt#no-model-mode=}" = "x${opt}" ] || \ + nm_mode="${opt#no-model-mode=}" + + # Handle possible quoting + [ "x${opt#val=}" = "x${opt}" ] || { + case "${opt#val=}" in + [\']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val='${val}'" ;; + [\"]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;; + *) val="${opt#val=}" ;; + esac + } + [ "x${opt#keyval=}" = "x${opt}" ] || { + case "${opt#keyval=}" in + [\']*) + opt_="${opts#keyval=\'}" + keyval="${opt_%%\'*}" + opt="keyval='${keyval}'" + keyvals="${keyvals} + ${keyval}" + ;; + [\"]*) + opt_="${opts#keyval=\"}" + keyval="${opt_%%\"*}" + opt="keyval=\"${keyval}\"" + keyvals="${keyvals} + ${keyval}" + ;; + *) + keyvals="${keyvals} + ${opt#keyval=}" + ;; + esac + } + + opts="${opts#"${opt}"}" + continue + done + + [ -z "$key" -a -z "$val" ] || keyvals="${key}=${val}${keyvals}" + + [ -n "x${keyvals}" ] || { + debug "Neither key=, val=, nor keyval= parameters were privoded" + echo 2 + return + } + + [ 1 = "$match_model" ] || { + case "$nm_mode" in + success) echo 0 ;; + fail) echo 1 ;; + *) + debug "Invalid no-model-mode value: \"${nm_mode}\"" + echo 2 + ;; + esac + + return + } + + case "$mode" in + success-equal|fail-equal) ;; + *) debug "Invalid mode value: \"${nm_mode}\""; echo 2; return ;; + esac + + printf "%s\n" "${keyvals}" | ( + while read l; do + [ -n "$l" ] || continue + key="${l%%[=:]*}" + val="${l#${key}[=:]}" + + cmp="=" + [ "x${key%!}" = "x${key}" ] || { + cmp="!=" + key="${key%!}" + } + + # Check key for validity + [ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || { + debug "Invalid \"key\" parameter value: \"${key}\"" + echo 2 + return + } + + [ -r "/sys/devices/virtual/dmi/id/${key}" ] || { + debug "Can't access /sys/devices/virtual/dmi/id/${key}" + echo 3 + return + } + + file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")" + + [ "x${val}" "${cmp}" "x${file_val}" ] || { + case "$mode" in + success-equal) echo 1 ;; + fail-equal) echo 0 ;; + esac + + return + } + done + + case "$mode" in + success-equal) echo 0 ;; + fail-equal) echo 1 ;; + esac + ) +} + +# check_dependency CURLEVEL DEP_TYPE DEP_NAME OPTS +# DEP_TYPE: +# required - caveat can be enabled only if dependency is enabled +# (is not forcefully disabled and meets caveat conditions) +# OPTS: +# match-model-mode=same [ on, off, same ] - what mode matching mode is to be used for dependency +# skip=skip [ fail, skip, success ] +# force-skip=skip [ fail, skip, success ] +# nesting-too-deep=fail [ fail, skip, success ] +# Return values: +# 0 - success +# 1 - fail +# 2 - skip +# 9 - error +check_dependency() +{ + local cur_level="$1" + local dep_type="$2" + local dep_name="$3" + local match_model_mode=same old_match_model="${match_model}" + local skip=skip + local force_skip=skip + local nesting_too_deep=fail + + local check="Dependency check for ${dep_type} ${dep_name}" + + set -- ${4:-} + while [ "$#" -gt 0 ]; do + [ "x${1#match-model-mode=}" = "x${1}" ] || match_model_mode="${1#match-model-mode=}" + [ "x${1#skip=}" = "x${1}" ] || skip="${1#skip=}" + [ "x${1#force-skip=}" = "x${1}" ] || force_skip="${1#force-skip=}" + [ "x${1#nesting-too-deep=}" = "x${1}" ] || nesting_too_deep="${1#nesting-too-deep=}" + + shift + done + + case "${dep_type}" in + required) + [ "x${dep_name%/*}" = "x${dep_name}" ] || { + debug "${check} error: dependency name (${dep_name})" \ + "cannot contain slashes" + echo 9 + return + } + + [ "${MAX_NESTING_LEVEL}" -ge "$cur_level" ] || { + local reason="nesting level is too deep (${cur_level}) and nesting-too-deep='${nesting_too_deep}'" + + case "$nesting_too_deep" in + success) debug "${check} succeeded: ${reason}"; echo 0 ;; + fail) debug "${check} failed: ${reason}"; echo 1 ;; + skip) debug "${check} skipped: ${reason}"; echo 2 ;; + *) debug "${check} error: invalid" \ + "nesting-too-deep mode" \ + "(${nesting_too_deep})"; echo 9 ;; + esac + + return + } + + case "${match_model_mode}" in + same) ;; + on) match_model=1 ;; + off) match_model=0 ;; + *) + debug "${check} error: invalid match-model-mode" \ + "(${match_model_mode})" + echo 9 + return + ;; + esac + + local result=0 + debug "${check}: calling check_caveat '${dep_name}'" \ + "'$(($cur_level + 1))' match_model=${match_model}" + check_caveat "${dep_name}" "$(($cur_level + 1))" > /dev/null || result="$?" + + match_model="${old_match_model}" + + case "${result}" in + 0) debug "${check} succeeded: result=${result}"; echo "${result}" ;; + 1) debug "${check} failed: result=${result}"; echo "${result}" ;; + 2) + local reason="result=${result} and skip='${skip}'" + + case "${skip}" in + success) debug "${check} succeeded: ${reason}"; echo 0 ;; + fail) debug "${check} failed: ${reason}"; echo 1 ;; + skip) debug "${check} skipped: ${reason}"; echo 2 ;; + *) debug "${check} error: unexpected skip=" \ + "setting (${skip})"; echo 9 ;; + esac + ;; + 3) + local reason="result=${result} and force_skip='${force_skip}'" + + case "${force_skip}" in + success) debug "${check} succeeded: ${reason}"; echo 0 ;; + fail) debug "${check} failed: ${reason}"; echo 1 ;; + skip) debug "${check} skipped: ${reason}"; echo 2 ;; + *) debug "${check} error: unexpected force-skip=" \ + "setting (${skip})"; echo 9 ;; + esac + ;; + *) + debug "${check} error: unexpected check_caveat result" \ + "(${result})"; echo 9 ;; + esac + ;; + *) + debug "${check} error: unknown dependency type '${dep_type}'" + echo 9 + ;; + esac +} + +# Provides model in format "VENDOR_ID FAMILY-MODEL-STEPPING" +# +# We check only the first processor as we don't expect non-symmetrical setups +# with CPUs with caveats +get_model_string() +{ + /usr/bin/printf "%s %02x-%02x-%02x" \ + $(/bin/sed -rn '1,/^$/{ + s/^vendor_id[[:space:]]*: (.*)$/\1/p; + s/^cpu family[[:space:]]*: (.*)$/\1/p; + s/^model[[:space:]]*: (.*)$/\1/p; + s/^stepping[[:space:]]*: (.*)$/\1/p; + }' /proc/cpuinfo) +} + +get_model_name() +{ + /bin/sed -rn '1,/^$/s/^model name[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo +} + +get_vendor_id() +{ + /bin/sed -rn '1,/^$/s/^vendor_id[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo +} + +get_mc_path() +{ + case "$1" in + GenuineIntel) + echo "intel-ucode/$2" + ;; + AuthenticAMD) + echo "amd-ucode/$2" + ;; + *) + # We actually only support Intel ucode, but things may break + # if nothing is printed (input would be gotten from stdin + # otherwise). + echo "invalid" + ;; + esac +} + +get_mc_ver() +{ + /bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo +} + + +match_model=0 +configs= +kver=$(/bin/uname -r) +verbose=0 +early_check=0 +print_disclaimers=0 + +ret=0 + +while getopts "dek:c:mv" opt; do + case "${opt}" in + d) + print_disclaimers=1 + early_check=2 + ;; + e) + early_check=1 + ;; + k) + kver="$OPTARG" + ;; + c) + configs="$configs $OPTARG" + ;; + m) + match_model=1 + ;; + v) + verbose=1 + ;; + *) + usage + exit 1; + ;; + esac +done + +: "${configs:=$(find "${MC_CAVEATS_DATA_DIR}" -maxdepth 1 -mindepth 1 -type d -printf "%f\n")}" + +cpu_model=$(get_model_string) +cpu_model_name=$(get_model_name) +cpu_vendor=$(get_vendor_id) + +ret_paths="" +ok_paths="" +fail_paths="" + +ret_cfgs="" +ok_cfgs="" +fail_cfgs="" + +skip_cfgs="" + +if [ 1 -eq "$early_check" ]; then + stage="early" +else + stage="late" +fi + +# check_caveat CFG [CHECK_LEVEL] +# changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs, +# skip_cfgs if CHECK_LEVEL is set to 0 (default). +# CHECK_LEVEL is used for recursive configuration dependency checks, +# and indicates nesting level. +# Return value: +# 0 - check is successful +# 1 - check has been failed +# 2 - configuration has been skipped +# 3 - configuration has been skipped due to presence of an override file +check_caveat() { + local cfg="$1" + local check_level="${2:-0}" + local dir="$MC_CAVEATS_DATA_DIR/$cfg" + + [ -r "${dir}/readme" ] || { + debug "File 'readme' in ${dir} is not found, skipping" + return 2 + } + + [ -r "${dir}/config" ] || { + debug "File 'config' in ${dir} is not found, skipping" + return 2 + } + + local cfg_model= + local cfg_vendor= + local cfg_path= + local cfg_kvers= + local cfg_kvers_early= + local cfg_mc_min_ver_late= + local cfg_disable= + local cfg_pci= + local cfg_dmi= + local cfg_dependency= + + local key + local value + + while read -r key value; do + case "$key" in + model) + cfg_model="$value" + ;; + vendor) + cfg_vendor="$value" + ;; + path) + cfg_path="$cfg_path $value" + ;; + kernel) + cfg_kvers="$cfg_kvers $value" + ;; + kernel_early) + cfg_kvers_early="$cfg_kvers_early $value" + ;; + mc_min_ver_late) + cfg_mc_min_ver_late="$value" + ;; + disable) + cfg_disable="$cfg_disable $value " + ;; + pci_config_val) + cfg_pci="$cfg_pci + $value" + ;; + dmi) + cfg_dmi="$cfg_dmi + $value" + ;; + dependency) + cfg_dependency="$cfg_dependency + $value" + ;; + '#'*|'') + continue + ;; + *) + debug "Unknown key '$key' (value '$value') in config" \ + "'$cfg'" + ;; + esac + done < "${dir}/config" + + debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'" + echo "$cfg_path" + + # Check for override files in the following order: + # - disallow early/late specific caveat for specific kernel + # - force early/late specific caveat for specific kernel + # - disallow specific caveat for specific kernel + # - force specific caveat for specific kernel + # + # - disallow early/late specific caveat for any kernel + # - disallow early/late any caveat for specific kernel + # - force early/late specific caveat for any kernel + # - force early/late any caveat for specific kernel + # - disallow specific caveat for any kernel + # - disallow any caveat for specific kernel + # - force specific caveat for any kernel + # - force any caveat for specific kernel + # + # - disallow early/late everything + # - force early/late everyhting + # - disallow everything + # - force everyhting + local ignore_cfg=0 + local force_cfg=0 + local override_file="" + local overrides=" + 0:$FW_DIR/$kver/disallow-$stage-$cfg + 1:$FW_DIR/$kver/force-$stage-$cfg + 0:$FW_DIR/$kver/disallow-$cfg + 1:$FW_DIR/$kver/force-$cfg + 0:$FW_DIR/$kver/disallow-$stage + 0:$CFG_DIR/disallow-$stage-$cfg + 1:$FW_DIR/$kver/force-$stage + 1:$CFG_DIR/force-$stage-$cfg + 0:$FW_DIR/$kver/disallow + 0:$CFG_DIR/disallow-$cfg + 1:$FW_DIR/$kver/force + 1:$CFG_DIR/force-$cfg + 0:$CFG_DIR/disallow-$stage + 1:$CFG_DIR/force-$stage + 0:$CFG_DIR/disallow + 1:$CFG_DIR/force" + local o + local o_force + local override_file + for o in $(echo "$overrides"); do + o_force=${o%%:*} + override_file=${o#$o_force:} + + [ -e "$override_file" ] || continue + + if [ 0 -eq "$o_force" ]; then + ignore_cfg=1 + else + force_cfg=1 + fi + + break + done + + [ 0 -eq "$ignore_cfg" ] || { + debug "Configuration \"$cfg\" is ignored due to presence of" \ + "\"$override_file\"." + return 3 + } + + # Check model if model filter is enabled + if [ 1 -eq "$match_model" -a -n "$cfg_model" ]; then + [ "x$cpu_model" = "x$cfg_model" ] || { + debug "Current CPU model '$cpu_model' doesn't" \ + "match configuration CPU model '$cfg_model'," \ + "skipping" + return 2 + } + fi + + # Check paths if model filter is enabled + local cpu_mc_path + local cfg_mc_present + if [ 1 -eq "$match_model" -a -n "$cfg_path" ]; then + cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \ + "$cpu_vendor" "${cpu_model#* }")" + cfg_mc_present=0 + + for p in $(printf "%s" "$cfg_path"); do + /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \ + -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \ + | /bin/grep -zFxc "$cpu_mc_path" > /dev/null \ + || continue + + cfg_mc_present=1 + break + done + + [ 1 = "$cfg_mc_present" ] || { + debug "No matching microcode files in '$cfg_path'" \ + "for CPU model '$cpu_model', skipping" + return 2 + } + fi + + # Check vendor if model filter is enabled + if [ 1 -eq "$match_model" -a -n "$cfg_vendor" ]; then + [ "x$cpu_vendor" = "x$cfg_vendor" ] || { + debug "Current CPU vendor '$cpu_vendor' doesn't" \ + "match configuration CPU vendor '$cfg_vendor'," \ + "skipping" + return 2 + } + fi + + # Has to be performed before dependency checks + [ 0 -eq "$force_cfg" ] || { + debug "Checks for configuration \"$cfg\" are ignored due to" \ + "presence of \"$override_file\"." + + return 0 + } + + # Check dependencies + # It has to be performed here (before adding configuration + # to $ret_cfgs/$ret_paths) since it may be skipped. + if [ -n "$cfg_dependency" ]; then + dep_line="$(printf "%s\n" "$cfg_dependency" | \ + while read -r dep_type dep_name dep_opts + do + [ -n "$dep_type" ] || continue + dep_res=$(check_dependency "$check_level" \ + "$dep_type" \ + "$dep_name" \ + "$dep_opts") + [ 0 != "$dep_res" ] || continue + echo "$dep_res $dep_type $dep_name $dep_opts" + break + done + echo "0 ")" + + case "${dep_line%% *}" in + 0) ;; + 2) + debug "Dependency check '${dep_line#* }'" \ + "induced configuration skip" + return 2 + ;; + *) + debug "Dependency check '${dep_line#* }'" \ + "failed (with return code ${dep_line%% *})" + return 1 + ;; + esac + fi + + # Check configuration files + + [ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || { + debug "${cfg}: caveat is disabled in configuration" + return 1 + } + + # Check late load kernel version + if [ 1 -ne "$early_check" -a -n "$cfg_kvers" ]; then + check_kver "$kver" $cfg_kvers || { + debug "${cfg}: late load kernel version check for" \ + " '$kver' against '$cfg_kvers' failed" + return 1 + } + fi + + # Check early load kernel version + if [ 0 -ne "$early_check" -a -n "$cfg_kvers_early" ]; then + check_kver "$kver" $cfg_kvers_early || { + debug "${cfg}: early load kernel version check for" \ + "'$kver' against '$cfg_kvers_early' failed" + return 1 + } + fi + + # Check current microcode version for the late update + if [ -n "$cfg_mc_min_ver_late" -a 1 -ne "$early_check" -a \ + "x$cpu_model" = "x$cfg_model" ]; then + cpu_mc_ver="$(get_mc_ver)" + + [ 1 -eq $((cpu_mc_ver >= cfg_mc_min_ver_late)) ] || { + debug "${cfg}: CPU microcode version $cpu_mc_ver" \ + "failed check (should be at least" \ + "${cfg_mc_min_ver_late})" + return 1 + } + fi + + # Check PCI devices if model filter is enabled + # Note that the model filter check is done inside check_pci_config_val + # based on the 'mode=' parameter. + if [ -n "$cfg_pci" ]; then + pci_line="$(printf "%s\n" "$cfg_pci" | while read -r pci_line; do + [ -n "$pci_line" ] || continue + pci_res=$(check_pci_config_val "$pci_line" \ + "$match_model") + [ 0 != "$pci_res" ] || continue + echo "$pci_res $pci_line" + break + done + echo "0 ")" + + [ -z "${pci_line#* }" ] || { + debug "PCI configuration word check '${pci_line#* }'" \ + "failed (with return code ${pci_line%% *})" + return 1 + } + fi + + # Check DMI data if model filter is enabled + # Note that the model filter check is done inside check_dmi_val + # (which returns the value of 'no-model-mode=' parameter + # if it is disenaged). + if [ -n "$cfg_dmi" ]; then + dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line + do + [ -n "$dmi_line" ] || continue + dmi_res=$(check_dmi_val "$dmi_line" \ + "$match_model") + [ 0 != "$dmi_res" ] || continue + echo "$dmi_res $dmi_line" + break + done + echo "0 ")" + + [ -z "${dmi_line#* }" ] || { + debug "DMI data check '${dmi_line#* }'" \ + "failed (with return code ${dmi_line%% *})" + return 1 + } + fi + + return 0 +} + +for cfg in $(echo "${configs}"); do + if cfg_path=$(check_caveat "$cfg"; exit "$?") + then + ret_cfgs="$ret_cfgs $cfg" + ret_paths="$ret_paths $cfg_path" + ok_cfgs="$ok_cfgs $cfg" + ok_paths="$ok_paths $cfg_path" + else + case "$?" in + 1) + ret=1 + + ret_cfgs="$ret_cfgs $cfg" + ret_paths="$ret_paths $cfg_path" + fail_cfgs="$fail_cfgs $cfg" + fail_paths="$fail_paths $cfg_path" + + [ 0 -eq "$print_disclaimers" ] \ + || [ ! -e "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" ] \ + || /bin/cat "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" + ;; + 2|3) + skip_cfgs="$skip_cfgs $cfg"; + ;; + *) + debug "Unexpected check_caveat return code '$?'" \ + "for config '$cfg'" + ;; + esac + fi +done + +[ 0 -eq "$print_disclaimers" ] || exit 0 + +echo "cfgs$ret_cfgs" +echo "skip_cfgs$skip_cfgs" +echo "paths$ret_paths" +echo "ok_cfgs$ok_cfgs" +echo "ok_paths$ok_paths" +echo "fail_cfgs$fail_cfgs" +echo "fail_paths$fail_paths" + +exit $ret diff --git a/SOURCES/codenames.list b/SOURCES/codenames.list new file mode 100644 index 0000000..f2eaa75 --- /dev/null +++ b/SOURCES/codenames.list @@ -0,0 +1,323 @@ +# format=extended +# SPDX-License-Identifier: CC0-1.0 +# Segment; Unused; Codename; Stepping; PF; CPUID; Abbreviation; Variant(s); Families; Models + +Server;;Pentium Pro;B0;00;611;;;Pentium Pro; +Server;;Pentium Pro;C0;00;612;;;Pentium Pro; +Server;;Pentium Pro;sA0;00;616;;;Pentium Pro; +Server;;Pentium Pro;sA1;00;617;;;Pentium Pro; +Server;;Pentium Pro;sB1;00;619;;;Pentium Pro; +Desktop;;Klamath (PII);C0;ff;633;;;Pentium II; +Desktop;;Klamath (PII);C1;ff;634;;;Pentium II; +Desktop;;Deschutes SEPP (PII);A0;01;650;;;Celeron; +Mobile;;Deschutes Mini-Cart (PII);A0;02;650;;;Pentium II Mobile; +Server;;Deschutes SECC (PII);A0;04;650;;;Pentium II Xeon; +Mobile;;Deschutes MMC1/MMC2 (PII);A0;08;650;;;Pentium II Mobile; +Mobile;;Deschutes Micro-PGA1 (PII);A0;20;650;;;Pentium II Mobile; +Mobile;;Deschutes (PII);A0;80;650;;;Pentium II Mobile; +Desktop;;Deschutes SECC/SECC2 (PII);A1;01;651;;;Celeron; +Desktop;;Deschutes SEPP (PII);A1;01;651;;;Celeron; +Mobile;;Deschutes Mini-Cart (PII);A1;02;651;;;Pentium II Mobile; +Mobile;;Deschutes MMC1/MMC2 (PII);A1;08;651;;;Pentium II Mobile; +Desktop;;Deschutes SECC/SECC2 (PII);B0;01;652;;;Pentium II; +Mobile;;Deschutes Mini-Cart (PII);B0;02;652;;;Pentium II Mobile; +Server;;Deschutes SECC (PII);B0;04;652;;;Pentium II Xeon; +Mobile;;Deschutes MMC1/MMC2 (PII);B0;08;652;;;Pentium II Mobile; +Desktop;;Deschutes SECC/SECC2 (PII);B1;01;653;;;Pentium II; +Mobile;;Deschutes Mini-Cart (PII);B1;02;653;;;Pentium II Mobile; +Server;;Deschutes SECC (PII);B1;04;653;;;Pentium II Xeon; +Mobile;;Deschutes MMC1/MMC2 (PII);B1;08;653;;;Pentium II Mobile; +Desktop;;Mendocino SEPP (PII);A0;01;660;;;Celeron; +Desktop;;Mendocino PPGA (PII);B0;10;665;;;Celeron; +Mobile;;Dixon Mini-Cart (PII);A1;02;66a;;;Pentium II Mobile; +Mobile;;Dixon MMC1/MMC2 (PII);A1;08;66a;;;Pentium II Mobile, Celeron Mobile; +Mobile;;Dixon Micro-PGA1 (PII);A1;20;66a;;;Pentium II Mobile, Celeron Mobile; +Mobile;;Dixon Mini-Cart (PII);A1;02;66d;;;Pentium II Mobile; +Mobile;;Dixon MMC1/MMC2 (PII);A1;08;66d;;;Pentium II Mobile; +Mobile;;Dixon Micro-PGA1 (PII);A1;20;66d;;;Pentium II Mobile; +Desktop;;Katmai SECC/SECC2 (PIII);B0;01;671;;;Pentium III; +Server;;Tanner SECC (PIII);B0;04;671;;;Pentium III Xeon; +Desktop;;Katmai SECC/SECC2 (PIII);B0;01;672;;;Pentium III; +Server;;Tanner SECC (PIII);B0;04;672;;;Pentium III Xeon; +Desktop;;Katmai SECC/SECC2 (PIII);C0;01;673;;;Pentium III; +Server;;Tanner SECC (PIII);C0;04;673;;;Pentium III Xeon; +Desktop;;Coppermine SECC/SECC2 (PIII);A2;01;681;;;Pentium III; +Server;;Cascades SECC (PIII);A2;04;681;;;Pentium III Xeon; +Mobile;;Coppermine MMC2 (PIII);A2;08;681;;;Pentium III Mobile; +Desktop;;Coppermine FC-PGA (PIII);A2;10;681;;;Pentium III; +Mobile;;Coppermine Micro-PGA2 (PIII);A2;20;681;;;Pentium III Mobile; +Desktop;;Coppermine SECC/SECC2 (PIII);B0;01;683;;;Pentium III; +Server;;Cascades SECC (PIII);B0;04;683;;;Pentium III Xeon; +Mobile;;Coppermine MMC2 (PIII);B0;08;683;;;Pentium III Mobile; +Desktop;;Coppermine FC-PGA (PIII);B0;10;683;;;Pentium III; +Mobile;;Coppermine Micro-PGA2 (PIII);B0;20;683;;;Pentium III Mobile; +Desktop;;Coppermine SECC/SECC2 (PIII);C0;01;686;;;Pentium III; +Mobile;;Coppermine (PIII);C0;02;686;;;Pentium III Mobile; +Server;;Cascades SECC (PIII);C0;04;686;;;Pentium III Xeon; +Mobile;;Coppermine MMC2 (PIII);C0;08;686;;;Pentium III Mobile; +Desktop;;Coppermine FC-PGA (PIII);C0;10;686;;;Pentium III; +Mobile;;Coppermine Micro-PGA2 (PIII);C0;20;686;;;Pentium III Mobile; +Desktop;;Coppermine FC-PGA2 (PIII);C0;20;686;;;Pentium III; +Desktop;;Coppermine (PIII);C0;80;686;;;Pentium III; +Desktop;;Coppermine (PIII);D0;ff;68a;;;Pentium III; +Mobile;;Banias (P-M);B1;b0;695;;;Pentium M, Celeron M; +Server;;Cascades (PIII);A0;04;6a0;;;Pentium III Xeon; +Server;;Cascades (PIII);A1;04;6a1;;;Pentium III Xeon; +Server;;Cascades (PIII);B0;04;6a4;;;Pentium III Xeon; +Desktop;;Tualatin FC-PGA2 (PIII);A0;10;6b0;;;Pentium III; +Desktop;;Tualatin FC-PGA2 (PIII);A1;10;6b1;;;Pentium III; +Mobile;;Tualatin Micro-PGA2 (PIII);A1;20;6b1;;;Pentium III Mobile; +Desktop;;Tualatin FC-PGA2 (PIII);B1;10;6b4;;;Pentium III; +Mobile;;Tualatin Micro-PGA2 (PIII);B1;20;6b4;;;Pentium III Mobile; +Mobile;;Dothan (P-M);B0;20;6d6;;;Pentium M; +Mobile;;Dothan (P-M);C0;20;6d8;;;Pentium M; +Mobile;;Yonah;B0;20;6e4;;;Core Duo, Core Solo; +Mobile;;Yonah;C0;20;6e8;;;Core Duo, Core Solo; +Server;;Sossaman (Yonah);C0;00;6e8;;;Xeon LV; +Mobile;;Yonah;E0;a0;6ec;;;Core Duo, Core Solo; +Server;;Sossaman (Yonah);D0;00;6ec;;;Xeon LV, Xeon ULV; +Mobile;;Yonah;M0;20;6ed;;;Core Duo Mobile; +Desktop;;Conroe (Merom);L2;01;6f2;;;Core2 Duo E4xxx, E6xxx; +Mobile;;Merom;L2;20;6f2;;;Core2 Duo Mobile; +Server;;Conroe Xeon (Merom);L2;01;6f2;;;;Xeon 3040, 3050 +Desktop;;Conroe (Merom);B0;01;6f4;;;Core2 Duo E4xxx, E6xxx; +Server;;Woodcrest (Merom);B0;04;6f4;;;Xeon 51xx; +Desktop;;Conroe (Merom);B2;01;6f6;;;Core2 Duo E4xxx, E6xxx; +Mobile;;Merom;B2;20;6f6;;;Core2 Duo Mobile; +Server;;Conroe Xeon (Merom);B2;01;6f6;;;;Xeon 3040, 3050, 3060, 3070 +Server;;Woodcrest (Merom);B2;04;6f6;;;;Xeon 5110, 5120, 5130, 5140, 5150, 5160, Xeon LV 5128, 5133, 5138, 5148 +Desktop;;Kentsfield (Merom);B3;10;6f7;;;; +Server;;Kentsfield Xeon (Merom);B3;10;6f7;;;;Xeon X3210, X3220 +Server;;Clovertown (Merom);B3;40;6f7;;;;Xeon E5310, E5320, E5335, E5345, X5355, X5365, L5310, L5320 +Desktop;;Tigerton (Merom);E0;01;6f9;;;; +Mobile;;Merom;E1;80;6fa;;;Core 2 Duo Mobile, Celeron Processor 500; +Desktop;;Conroe (Merom);G0;01;6fb;;;; +Desktop;;Kentsfield (Merom);G0;10;6fb;;;; +Mobile;;Merom;G0;a0;6fb;;;; +Server;;Conroe Xeon (Merom);G0;01;6fb;;;;Xeon 3065, 3075, 3085 +Server;;Woodcrest (Merom);G0;04;6fb;;;;Xeon 5110, 5120, 5130, 5140, 5150, 5160, Xeon LV 5113, 5128, 5133, 5138, 5148 +Server;;Tigerton (Merom);G0;08;6fb;;;;Xeon E7210, E7220, E7310, E7320, E7330, E7340, X7350, L7345 +Server;;Kentsfield Xeon (Merom);G0;10;6fb;;;;Xeon X3210, X3220, X3230 +Server;;Clovertown (Merom);G0;40;6fb;;;;Xeon E5310, E5320, E5335, E5345, X5355, X5365, L5310, L5318, L5320, L5335 +Desktop;;Conroe (Merom);M0;01;6fd;;;; +Mobile;;Merom;M0;a0;6fd;;;; +Desktop;;Willamette (NetBurst);B2;01;f07;;;Pentium 4 (Socket 423); +Server;;Foster DP (NetBurst);B2;02;f07;;;Pentium 4 Xeon (Socket 603); +Desktop;;Willamette (NetBurst);B2;04;f07;;;Pentium 4 (Willamette, Socket 478); +Desktop;;Willamette (NetBurst);C1;01;f0a;;;Pentium 4 (Socket 423); +Server;;Foster DP (NetBurst);C1;02;f0a;;;Pentium 4 Xeon (Socket 603); +Desktop;;Willamette (NetBurst);C1;04;f0a;;;Pentium 4 (Willamette, Socket 478); +Server;;Foster MP (NetBurst);C0;02;f11;;;Pentium 4 Xeon MP (Socket 603); +Desktop;;Willamette (NetBurst);D0;01;f12;;;Pentium 4 (Socket 423); +Server;;Foster DP (NetBurst);D0;02;f12;;;Pentium 4 Xeon (Socket 603); +Desktop;;Willamette (NetBurst);D0;04;f12;;;Pentium 4 (Willamette, Socket 478); +Desktop;;Willamette (NetBurst);E0;04;f13;;;Pentium 4 (Willamette, Socket 478), Celeron (Willamette, Socket 478); +Server;;Prestonia (NetBurst);A0;02;f22;;;Pentium 4 Xeon MP (Socket 603); +Desktop;;Northwood (NetBurst);B0;04;f24;;;Pentium 4 (Northwood); +Mobile;;Northwood (NetBurst);B0;08;f24;;;Pentium 4-M; +Mobile;;Northwood (NetBurst);B0;10;f24;;;Pentium 4 Mobile; +Server;;Prestonia (NetBurst);B0;02;f24;;;Pentium 4 Xeon (Socket 603/604); +Desktop;;Northwood (NetBurst);B1,M0;14;f25;;;Pentium 4 (Northwood); +Server;;Prestonia (NetBurst);B1,M0;01;f25;;;Pentium 4 Xeon (Socket 603/604); +Server;;Gallatin (NetBurst);B1;02;f25;;;Pentium 4 Xeon (Socket 603/604); +Server;;Gallatin (NetBurst);B1;02;f26;;;Pentium 4 Xeon (Socket 603/604); +Desktop;;Northwood (NetBurst);C1;04;f27;;;Pentium 4 (Northwood), Celeron (Northwood); +Mobile;;Northwood (NetBurst);C1;08;f27;;;Pentium 4-M, Celeron Mobile; +Server;;Prestonia (NetBurst);C1;02;f27;;;Pentium 4 Xeon (Socket 603/604); +Desktop;;Northwood (NetBurst);D1;04;f29;;;Pentium 4 (Northwood), Celeron (Northwood); +Mobile;;Northwood (NetBurst);D1;08;f29;;;Pentium 4-M, Celeron Mobile; +Server;;Prestonia (NetBurst);D1;02;f29;;;Pentium 4 Xeon (Socket 603/604); +Desktop;;Prescott (NetBurst);B1;0d;f32;;;Pentium 4 (Prescott); +Desktop;;Prescott (NetBurst);C0;0d;f33;;;Pentium 4 (Prescott), Celeron D; +Desktop;;Prescott (NetBurst);D0;1d;f34;;;Pentium 4 (Prescott), Celeron D; +Server;;Nocona (NetBurst);D0;1d;f34;;;Pentium 4 (Prescott); +Desktop;;Prescott (NetBurst);E0;bd;f41;;;Pentium 4 (Prescott), Celeron D; +Server;;Protomac (NetBurst);C0;02;f41;;;Pentium 4 Xeon MP (Socket 604); +Server;;Cranford (NetBurst);A0;bd;f41;;;Pentium 4 Xeon MP (Socket 604); +Server;;Nocona (NetBurst);E0;bd;f41;;;Pentium 4 Xeon (Socket 604); +Desktop;;Prescott (NetBurst);N0;9d;f43;;;Pentium 4 (Prescott); +Server;;Irwindale (NetBurst);N0;9d;f43;;;Pentium 4 Xeon (Socket 604); +Desktop;;Smithfield (NetBurst);A0;9d;f44;;;Pentium D 8x0 (Smithfield); +Desktop;;Smithfield (NetBurst);B0;9d;f47;;;Pentium D 8x0 (Smithfield); +Server;;Paxwille (NetBurst);A0;01;f48;;;Pentium 4 Dual-Core Xeon 70xx; +Server;;Paxwille (NetBurst);A0;02;f48;;;Pentium 4 Dual-Core Xeon MP 70xx; +Desktop;;Prescott (NetBurst);G1;bd;f49;;;Pentium 4 (Prescott), Celeron D; +Server;;Cranford (NetBurst);B0;bd;f49;;;Pentium 4 Xeon MP (Socket 604); +Server;;Nocona (NetBurst);G1;bd;f49;;;Pentium 4 Xeon (Socket 604); +Desktop;;Prescott (NetBurst);R0;5c;f4a;;;Pentium 4 (Prescott); +Server;;Irwindale (NetBurst);R0;5d;f4a;;;Pentium 4 Xeon (Socket 604); +Desktop;;Cedar Mill (NetBurst);B1;04;f62;;;;Pentium 4 HT 631, 641, 651, 661 +Desktop;;Presler (NetBurst);B1;04;f62;;;;Pentium D 920, 930, 940, 950, Pentium Extreme Edition 955 +Desktop;;Cedar Mill (NetBurst);C1;34;f64;;;;Pentium 4 HT 631, 641, 651, 661, Celeron D 347, 352, 356 +Desktop;;Presler (NetBurst);C1;34;f64;;;;Pentium D 915, 920, 925, 930, 940, 945, 950, 960, Pentium Extreme Edition 965 +Server;;Dempsey (NetBurst);C1;01;f64;;;Xeon 50xx; +Desktop;;Cedar Mill (NetBurst);D0;04;f65;;;;Pentium 4 HT 631, 641, 651, 661, Celeron D 347, 352, 356, 360, 365 +Desktop;;Presler (NetBurst);D0;04;f65;;;;Pentium D 915, 925, 935, 945, 950, 960 +Server;;Dempsey (NetBurst);D0;01;f65;;;Xeon 50xx; +Server;;Tulsa (NetBurst);B0;22;f68;;;;Xeon 7110N, 7110M, 7120N, 7120M, 7130N, 7130M, 7140N, 7140M, 7150N +Server;;Deschutes (PII);B0;00;01632;;;Pentium II Xeon; +SOC;;Tolapai (P-M);B0;ff;10650;;;;EP80579 +Desktop;;Conroe-L (Merom);A1;01;10661;;;;Celeron 220, 420, 430, 440, 450 +Mobile;;Merom-L;A1;82;10661;;;; +Desktop;;Wolfdale (Penryn);M0;91;10676;;;;Core2 Duo E7200, E7300, E8190, E8200, E8300, E8400, E8500, Core2 Quad Q9450, Q9550, Core2 Extreme QX9650, QX9770, QX9775 +Desktop;;Yorkfield (Penryn);C0;91;10676;;;;Core2 Quad Q9450, Q9550, Core2 Extreme QX9650, QX9770, QX9775 +Mobile;;Penryn;C0;91;10676;;;;Core2 Duo E8135, E8235, E8335, E8435, T8100, T8300, T9300, T9400, T9500, T9600, P7350, P7450, P8400, P8600, P9500, SP9300, SP9400, SL9300, SL9380, SL9400, SU9300, SU9400, Core2 Extreme X9000, X9100 +Server;;Wolfdale Xeon (Penryn);C0;91;10676;;;;Xeon E3110 +Server;;Yorkfield Xeon (Penryn);C0;91;10676;;;;Xeon X3350, X3360 +Server;;Wolfdale-DP (Penryn);M0;04;10676;;;;Xeon E5205, E5220, E5240, X5260, X5272 +Server;;Harpertown (Penryn);C0;40;10676;;;;Xeon L5408, L5410, L5420, E5405,E5410,E5420,E5430, E5440, E5450, E5462, E5472, X5450, X5460, X5470, X5472, X5482 +Desktop;;Yorkfield (Penryn);C1,M1;10;10677;;;Core2 Extreme, Core2 Quad;Core2 Extreme QX9650, QX9770, QX9775, Core2 Quad Q8200, Q8200S, Q8400, Q8400S, Q9300, Q9400, Q9400S, Q9450, Q9500, Q9505, Q9505S, Q9550, Q9550S, Q9650 +Server;;Yorkfield Xeon (Penryn);C1,M1;10;10677;;;Xeon L33xx, X33xx;Xeon L3360, X3320, X3330, X3350, X3360, X3370, X3380 +Desktop;;Wolfdale (Penryn);E0,R0;b1;1067a;;;Core2 Extreme, Core2 Quad, Core2 Duo;Core2 Extreme QX9650, QX9770, QX9775, Core2 Quad Q8200, Q8200S, Q8300, Q8400, Q8400S, Q9300, Q9400, Q9400S, Q9450, Q9500, Q9505, Q9505S, Q9550, Q9550S, Q9650, Core2 Duo E7200, E7300, E7400, E7500, E7600, E8190, E8200, E8300, E8400, E8500, E8600, Pentium E5200, E5300, E5400, E5500, E5700, E5800, E6300, E6500, E6500K, E6600, E6700, E6800, Celeron E3200, E3300, E3400, E3500 +Mobile;;Wolfdale (Penryn);E0,R0;b1;1067a;;;Core2 Extreme, Core2 Quad, Core2 Duo, Core2 Solo, Pentium T4x00;Core2 Extreme QX9300, X9000, X9100, Core2 Quad Q9000, Q9100, Core2 Duo T6400, T6500, T6670, T8100, T8300, T9300, T9400, T9500, T9550, T9600, T9800, T9900, SU9300, SU9400, SU9600, SP9300, SP9400, SP9600, SL9380, SL9400, SL9600, SL9300, P7350, P7370, P7450, P7550, P7570, P8400, P8600, P8700, P8800, P9500, P9600, P9700, Core2 Solo SU3500, ULV SU3500, ULV SU3300, Pentium T4200, T4300, T4400, T4500, Celeron 900, 925, SU2300, T3100, T3300, T3500, ULV 763, Celeron M Processor ULV 722, ULV 723, ULV 743 +Server;;Harpertown (Penryn);E0;44;1067a;;;;Xeon L5408, L5410, L5420, L5430, E5405, E5410, E5420, E5430, E5440, E5450, E5462, E5472, X5450, X5460, X5470, X5492 +Server;;Wolfdale-DP (Penryn);E0;44;1067a;;;;Xeon E3110, E3120, E5205, E5220, L3110, L5215, L5240, X5260, X5270, X5272 +Dekstop;;Bloomfield (Nehalem);C0;03;106a4;NHM;;Core i7-9xx; +Dekstop;;Bloomfield (Nehalem);D0;03;106a5;NHM;;Core i7-9xx; +Server;;Bloomfield Xeon (Nehalem);D0;03;106a5;NHM;EP,WS;Xeon E/L/X/W55xx; +Mobile;;Silverthorne (Bonnell);C0;01;106c2;;;Intel Atom Z5x0; +Desktop;;Diamondville (Bonnell);C0;04;106c2;;;;Intel Atom 230 +Desktop;;Diamondville (Bonnell);C0;08;106c2;;;;Intel Atom 330 +Mobile;;Diamondville (Bonnell);C0;04;106c2;;;;Intel Atom N270, N280 +Desktop;;Pineview (Bonnell);A0;05;106ca;;;;Intel Atom D410, D425 +Desktop;;Pineview (Bonnell);B0;18;106ca;;;;Intel Atom D510, D525 +Mobile;;Pineview (Bonnell);A0;05;106ca;;;;Intel Atom N435, N450, N455, N470, N475 +Mobile;;Pineview (Bonnell);B0;18;106ca;;;;Intel Atom N550, N570 +Server;;Dunnington (Penryn);A1;08;106d1;;;Intel Xeon MP;Intel Xeon E7420, E7430, E7440, E7450, E7458, L7445, X7460 +Server;;Jasper Forest (Nehalem);B0;09;106e4;NHM;;;Xeon EC3528, EC3529, EC5509, EC5539, EC5549, LC3518, LC3528, LC5518, LC5528, Celeron P1053 +Dekstop;;Lynnfield (Nehalem);B1;13;106e5;NHM;;Core i7-8xx, i5-7xx; +Mobile;;Clarksfield (Nehalem);B1;13;106e5;NHM;;Core i7-9xxXM, i7-8xxQM, i7-7xxQM; +Server;;Lynnfield Xeon (Nehalem);B1;13;106e5;NHM;;Xeon L3426, X24xx; +Desktop;;Westmere;K0,C2;12;20652;WSM;;Core i7-6xx, i5-6xx/5xx/4xx, i3-5xx/3xx, Pentium G69xx/P6xxx/U5xxx, Celeon P45xx/U3xxx; +Mobile;;Westmere;K0,C2;12;20652;WSM;;Core i7-6xxM, i5-6xxM/4xxM, i3-5xxM/3xxM; +Server;;Westmere;K0,C2;12;20652;WSM;;Xeon L3406; +Desktop;;Clarkdale (Westmere);K0;92;20655;WSM;;Core i7-6xxE/LE/UE, i5-5xxE, i3-3xxE; +Mobile;;Arrandale (Westmere);K0;92;20655;WSM;;Core i7-6xxM/LM/UM, i5-5xxM/UM, i3-3xxM/UM, Pentium Mobile P6xxx/U5xxx, Celeron Mobile P4xxx/U3xxx; +SOC;;Lincroft (Bonnell);C0;01;20661;;;;Intel Atom Z600, Z605, Z610, Z612, Z615, Z620, Z625, Z650, Z670 +SOC;;Tunnell Creek (Bonnell);B0,B1;02;20661;;;;Intel Atom E620, E620T, E640, E640T, E660, E660T, E680, E680T +Desktop;;Sandy Bridge;D2,J1,Q0;12;206a7;SNB;;Core Gen2; +Mobile;;Sandy Bridge;D2,J1,Q0;12;206a7;SNB;;Core Gen2 Mobile; +Server;;Sandy Bridge;D2,Q0;12;206a7;SNB;Xeon E3;Xeon E3; +Desktop;;Gulftown (Westmere);B1;03;206c2;WSM;;;Core i7-970/980/980X/990X +Server;;Westmere-EP;B1;03;206c2;WSM;EP;Xeon E/L/X56xx; +Server;;Westmere-WS;B1;03;206c2;WSM;WS;Xeon W36xx; +Desktop;;Sandy Bridge;C1,M0;6d;206d6;SNB;E;Core i7-39xx, i7-38xx; +Server;;Sandy Bridge;C1,M0;6d;206d6;SNB;EN,EP;Xeon E5; +Desktop;;Sandy Bridge;C2,M1;6d;206d7;SNB;E;Core i7-39xx, i7-38xx; +Server;;Sandy Bridge;C2,M1;6d;206d7;SNB;EN,EP;Xeon E5; +Server;;Nehalem;D0;04;206e6;NHM;EX;Xeon E/L/X65xx/75xx; +Server;;Westmere-EX;A2;05;206f2;WSM;EX;Xeon E7; +SOC;;Valleyview;C0;02;30678;VLV;;Atom Z36xx, Z37xx, Z38xx, Z39xx; +SOC;;Valleyview;C0;0C;30678;VLV;;Celeron N2xxx, Pentium N35xx; +SOC;;Valleyview;D0;0F;30679;VLV;;Atom E38xx; +Desktop;;Ivy Bridge;E1,E2,L1;12;306a9;IVB;;Core Gen3; +Mobile;;Ivy Bridge;E1,E2,L1;12;306a9;IVB;;Core Gen3 Mobile; +Server;;Ivy Bridge;E1,E2,L1;12;306a9;IVB;;Xeon E3 v2; +Desktop;;Haswell;Cx,Dx;32;306c3;HSW;S;Core Gen4; +Mobile;;Haswell;Cx,Dx;32;306c3;HSW;H;Core Gen4 Mobile; +Server;;Haswell;Cx,Dx;32;306c3;HSW;Xeon E3;Xeon E3 v3; +Mobile;;Broadwell;E0,F0;c0;306d4;BDW;U,Y;Core Gen5 Mobile; +Desktop;;Ivy Bridge;S1;ed;306e4;IVB;E;Core-i7 49xx/48xx;Core i7-4960X/4930K/4820K +Server;;Ivy Bridge;C0,C1,M1,S1;ed;306e4;IVB;EP;Xeon E5 v2; +Server;;Ivy Bridge;;ed;306e6;IVB;EX;Xeon E7 v2 ES; +Server;;Ivy Bridge;D1;ed;306e7;IVB;EX;Xeon E7 v2; +Desktop;;Haswell;C0,C1,M1,R2;6f;306f2;HSX;E;Core i7-59xx/58xx; +Server;;Haswell;C0,C1,M1,R2;6f;306f2;HSX;EN,EP,EP 4S;Xeon E5 v3; +Server;;Haswell;E0;80;306f4;HSX;EX;Xeon E7 v3; +Mobile;;Haswell;Cx,Dx;72;40651;HSW;U;Core Gen4 Mobile; +Desktop;;Broadwell;E0,G0;22;40671;BDW;S;Core Gen5; +Mobile;;Broadwell;E0,G0;22;40671;BDW;H;Core Gen5 Mobile; +Server;;Broadwell;E0,G0;22;40671;BDW;Xeon E3;Xeon E3 v4; +Desktop;;Haswell;Cx,Dx;32;40661;HSW;R;Core Gen4; +Mobile;;Haswell;Cx,Dx;32;40661;HSW;H;Core Gen4 Mobile; +SOC;;Cherry View;C0;01;406c3;CHV;;Atom x5-Zxxxx; +SOC;;Cherry View;D0;01;406c4;CHV;;Celeron Jxxxx, N3xxx, Pentium J3xxx, N3xxx, Atom x5-E8000; +SOC;;Avoton;B0,C0;01;406d8;AVN;;Atom C2xxx; +Mobile;;Skylake;D0;c0;406e3;SKL;U,Y;Core Gen6 Mobile; +Mobile;;Skylake;K1;c0;406e3;SKL;U 2+3e;Core Gen6 Mobile; +Desktop;;Broadwell;B0,M0,R0;ef;406f1;BDX;E;Core i7-69xx/68xx; +Server;;Broadwell;B0,M0,R0;ef;406f1;BDX;EP,EX;Xeon E5/E7 v4; +Server;;Broadwell;B0,M0,R0;ef;406f1;BDX;ML;Xeon E5/E7 v4; +Server;;Skylake;B1;97;50653;SKX;SP;Xeon Scalable; +Desktop;;Skylake;H0,M0,U0;b7;50654;SKX;X;Core i9-7xxxX, i9-9xxxX; +Server;;Skylake;H0,M0,U0;b7;50654;SKX;SP,W;Xeon Scalable; +Server;;Skylake;M1;b7;50654;SKX;D;Xeon D-21xx; +Server;;Cascade Lake;A0;b7;50655;CLX;SP;Xeon Scalable Gen2; +Server;;Cascade Lake;B0;bf;50656;CLX;SP;Xeon Scalable Gen2; +Desktop;;Cascade Lake;B1,L1;bf;50657;CLX;X;; +Server;;Cascade Lake;B1,L1;bf;50657;CLX;SP;Xeon Scalable Gen2; +Server;;Cascade Lake;B1,L1;bf;50657;CLX;W;;Xeon W-3275M, W-3275, W-3265M, W-3265, W-3245M, W-3245, W-3235, W-3225, W-3223, W-2295, W-2275, W-2265, W-2255, W-2245, W-2235, W-2225, W-2223 +Server;;Cooper Lake;A1;bf;5065b;CPX;SP;Xeon Scalable Gen3; +Server;;Broadwell;V1;10;50662;BDX;DE;;Xeon D-1520/40 +Server;;Broadwell;V2,V3;10;50663;BDX;DE;;Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19 +Server;;Broadwell;Y0;10;50664;BDX;DE;;Xeon D-1557/59/67/71/77/81/87 +Server;;Broadwell;A0,A1;10;50665;BDX;NS;;Xeon D-1513N/23/33/43/53 +Server;;Hewitt Lake (Broadwell);A1;10;50665;HWL;;;Xeon D-1602/22/23N/27/33N/37/49N/53N +Server;;Knights Landing;B0;78;50671;KNL;;Xeon Phi x200;Xeon Phi 7210, 7210F, 7230, 7230F, 7250, 7250F, 7290, 7290F +SOC;;Broxton;C0;01;506c2;BXT;;Atom T5500/5700 +SOC;;Apollo Lake;D0;03;506c9;APL;;Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx; +SOC;;Apollo Lake;B1,F1;03;506ca;APL;;Atom 3900 Series;Atom x5-E3930, x5-E3940, x7-E3950 +Desktop;;Skylake;N0,R0,S0;36;506e3;SKL;S;Core Gen6; +Mobile;;Skylake;N0,R0,S0;36;506e3;SKL;H;Core Gen6 Mobile; +Server;;Skylake;N0,R0,S0;36;506e3;SKL;Xeon E3;Xeon E3 v5; +SOC;;Denverton;B0;01;506f1;DNV;;Atom C3xxx; +SOC;;XMM 7272 (SoFIA);;01;60650;;;XMM 7272 +Mobile;;Cannon Lake;D0;80;60663;CNL;U;Core Gen8 Mobile; +Server;;Ice Lake;C0;87;606a5;ICX;SP;Xeon Scalable Gen3; +Server;;Ice Lake;D0;87;606a6;ICX;SP;Xeon Scalable Gen3; +SOC;;Gemini Lake;B0;01;706a1;GLK;;;Pentium J5005/N5000, Celeron J4005/J4105/N4000/N4100 +SOC;;Gemini Lake;R0;01;706a8;GLK;R;;Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 +Mobile;;Ice Lake;D1;80;706e5;ICL;U,Y;Core Gen10 Mobile; +Server;;Knights Mill;A0;08;80650;KNM;;Xeon Phi 72x5;Xeon Phi 7235, 7285, 7295 +SOC;;Snow Ridge;B0;01;80664;SNR;;Atom P59xxB; +SOC;;Snow Ridge;B1;01;80665;SNR;;Atom P59xxB; +Mobile;;Tiger Lake;B1;80;806c1;TGL;UP3,UP4;Core Gen11 Mobile; +Mobile;;Tiger Lake Refresh;C0;80;806c2;TGL;R;Core Gen11 Mobile; +Mobile;;Tiger Lake;R0;c2;806d1;TGL;H;Core Gen11 Mobile; +Mobile;;Amber Lake;H0;10;806e9;AML;Y 2+2;Core Gen8 Mobile; +Mobile;;Kaby Lake;H0;c0;806e9;KBL;U,Y;Core Gen7 Mobile; +Mobile;;Kaby Lake;J1;c0;806e9;KBL;U 2+3e;Core Gen7 Mobile; +Mobile;;Coffee Lake;D0;c0;806ea;CFL;U 4+3e;Core Gen8 Mobile; +Mobile;;Kaby Lake;Y0;c0;806ea;KBL;R;Core Gen8 Mobile; +Mobile;;Amber Lake;V0;94;806ec;AML;Y 4+2;Core Gen10 Mobile; +Mobile;;Comet Lake;V0;94;806ec;CML;U 4+2;Core Gen10 Mobile; +Mobile;;Whiskey Lake;W0;d0;806eb;WHL;U;Core Gen8 Mobile; +Mobile;;Whiskey Lake;V0;94;806ec;WHL;U;Core Gen8 Mobile; +Mobile;;Whiskey Lake;V0;94;806ed;WHL;U;Core Gen8 Mobile; +SOC;;Elkhart Rate;B1;01;90661;EHL;;Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E; +Desktop;;Kaby Lake;B0;2a;906e9;KBL;S,X;Core Gen7; +Mobile;;Kaby Lake;B0;2a;906e9;KBL;G,H;Core Gen7 Mobile; +Server;;Kaby Lake;B0;2a;906e9;KBL;Xeon E3;Xeon E3 v6; +Desktop;;Coffee Lake;U0;22;906ea;CFL;S;Core Gen8 Desktop; +Mobile;;Coffee Lake;U0;22;906ea;CFL;H;Core Gen8 Mobile; +Server;;Coffee Lake;U0;22;906ea;CFL;Xeon E;Xeon E; +Desktop;;Coffee Lake;B0;02;906eb;CFL;S;Core Gen8 Desktop; +Mobile;;Coffee Lake;B0;02;906eb;CFL;H;Core Gen8 Mobile; +Server;;Coffee Lake;B0;02;906eb;CFL;E;Xeon E; +Desktop;;Coffee Lake;P0;22;906ec;CFL;S;Core Gen9 Desktop; +Mobile;;Coffee Lake;P0;22;906ec;CFL;H;Core Gen9 Mobile; +Server;;Coffee Lake;P0;22;906ec;CFL;Xeon E;Xeon E; +Desktop;;Coffee Lake;R0;22;906ed;CFL;S;Core Gen9 Desktop; +Mobile;;Coffee Lake;R0;22;906ed;CFL;H;Core Gen9 Mobile; +Server;;Coffee Lake;R0;22;906ed;CFL;Xeon E;Xeon E; +SOC;;Jasper Lake;A0,A1;01;906c0;JSL;;Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105; +Mobile;;Comet Lake;R1;20;a0652;CML;H;Core Gen10 Mobile; +Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop; +Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop; +Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile; +Mobile;;Comet Lake;K1;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile; +Desktop;;Rocket Lake;B0;02;a0671;RKL;S;Core Gen11; +SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology; + +# sources: +# https://en.wikichip.org/wiki/intel/cpuid +# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/include/asm/intel-family.h +# releasenote from microcode releases +# https://software.intel.com/security-software-guidance/processors-affected-transient-execution-attack-mitigation-product-cpu-model +# https://en.wikipedia.org/wiki/Cascade_Lake_(microarchitecture) +# https://en.wikipedia.org/wiki/List_of_Intel_Broadwell-based_Xeon_microprocessors +# https://github.com/InstLatx64/InstLatx64 +# https://fossies.org/linux/cpuid/cpuid.c +# https://software.intel.com/content/www/us/en/develop/articles/intel-architecture-and-processor-identification-with-cpuid-model-and-family-numbers.html +# http://ixbtlabs.com/articles/cpuerrata/index.html +# http://bios.rom.by/ROMutils/BIOS_Patcher/ALLCODES.TXT diff --git a/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh b/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh new file mode 100755 index 0000000..854e278 --- /dev/null +++ b/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh @@ -0,0 +1,132 @@ +#!/bin/bash + +# Hack in additional firmware directories for supported caveats. +# +# SPDX-License-Identifier: CC0-1.0 + +check() { + return 0 +} + +install() { + local FW_DIR=/lib/firmware + local DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats + local CFG_DIR="/etc/microcode_ctl/ucode_with_caveats" + local check_caveats=/usr/libexec/microcode_ctl/check_caveats + + local verbose_opt + local cc_out + local path + local ignored + local do_skip_host_only + local p + + verbose_opt= + [ 4 -gt "$stdloglvl" ] || verbose_opt="-v" + + # HACK: we override external fw_dir variable in order to get + # an additional ucode based on the kernel version. + dinfo " microcode_ctl module: mangling fw_dir" + + [ -z "$fw_dir_l" ] || { + dinfo " microcode_ctl: avoid touching fw_dir as" \ + "it has been changed (fw_dir_l is '$fw_dir_l')" + + return 0 + } + + # Reset fw_dir to avoid inclusion of kernel-version-specific directories + # populated with microcode for the late load + [ "x$fw_dir" != \ + "x/lib/firmware/updates /lib/firmware /lib/firmware/$kernel" ] || { + fw_dir="/lib/firmware/updates /lib/firmware" + dinfo " microcode_ctl: reset fw_dir to \"${fw_dir}\"" + } + + fw_dir_add="" + while read -d $'\n' -r i; do + dinfo " microcode_ctl: processing data directory " \ + "\"$DATA_DIR/$i\"..." + + if [ "x" != "x$hostonly" ]; then + do_skip_host_only=0 + + local sho_overrides=" + $CFG_DIR/skip-host-only-check + $CFG_DIR/skip-host-only-check-$i + $FW_DIR/$kernel/skip-host-only-check + $FW_DIR/$kernel/skip-host-only-check-$i" + + for p in $(echo "$sho_overrides"); do + [ -e "$p" ] || continue + + do_skip_host_only=1 + dinfo " microcode_ctl: $i; skipping" \ + "Host-Only check, since \"$p\" exists." + break + done + else + do_skip_host_only=1 + fi + + match_model_opt="" + [ 1 = "$do_skip_host_only" ] || match_model_opt="-m" + + if ! cc_out=$($check_caveats -e -k "$kernel" -c "$i" \ + $verbose_opt $match_model_opt) + then + dinfo " microcode_ctl: kernel version \"$kernel\"" \ + "failed early load check for \"$i\", skipping" + continue + fi + + path=$(printf "%s" "$cc_out" | sed -n 's/^paths //p') + [ -n "$path" ] || { + ignored=$(printf "%s" "$cc_out" | \ + sed -n 's/^skip_cfgs //p') + + if [ -n "$ignored" ]; then + dinfo " microcode_ctl: configuration" \ + "\"$i\" is ignored" + else + dinfo " microcode_ctl: no microcode paths" \ + "are associated with \"$i\", skipping" + fi + + continue + } + + dinfo " microcode_ctl: $i: caveats check for kernel" \ + "version \"$kernel\" passed, adding" \ + "\"$DATA_DIR/$i\" to fw_dir variable" + + if [ 0 -eq "$do_skip_host_only" ]; then + fw_dir_add="$DATA_DIR/$i " + else + fw_dir_add="$DATA_DIR/$i $fw_dir_add" + fi + # The list of directories is reverse-sorted in order to preserve the + # "last wins" policy in case of presence of multiple microcode + # revisions. + # + # In case of hostonly == 0, all microcode revisions will be included, + # but since the microcode search is done with the "first wins" policy + # by the (early) microcode loading code, the correct microcode revision + # still has to be picked. + # + # Note that dracut without patch [1] puts only the last directory + # in the early cpio; we try to address this by putting only the last + # matching caveat in the search path, but that workaround works only + # for host-only mode; non-host-only mode early cpio generation is still + # broken without that patch. + # + # [1] https://github.com/dracutdevs/dracut/commit/c44d2252bb4b + done <<-EOF + $(find "$DATA_DIR" -maxdepth 1 -mindepth 1 -type d -printf "%f\n" \ + | LC_ALL=C sort) + EOF + + fw_dir="${fw_dir_add}${fw_dir}" + dinfo " microcode_ctl: final fw_dir: \"${fw_dir}\"" +} + diff --git a/SOURCES/gen_provides.sh b/SOURCES/gen_provides.sh new file mode 100755 index 0000000..16abba1 --- /dev/null +++ b/SOURCES/gen_provides.sh @@ -0,0 +1,197 @@ +#! /bin/bash -efu + +# Generator of RPM "Provides:" tags for Intel microcode files. +# +# SPDX-License-Identifier: CC0-1.0 + +IFS=$'\n' +UPDATED="intel-beta" +CODENAMES="codenames" + +if [ "$#" -ge 1 ]; then + CODENAMES="$1" + shift +fi + +# Match only FF-MM-SS ucode files under intel-ucode/intel-ucode-with-caveats +# directories. +for f in $(grep -E '/intel-ucode.*/[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]$'); do + ucode=$(basename "$f") + ucode_caveat="$(basename "$(dirname "$(dirname "$f")")")" + ucode_fname="$ucode_caveat/$ucode" + file_sz="$(stat -c "%s" "$f")" + skip=0 + ext_hdr=0 + ext_sig_cnt=0 + ext_sig_pos=0 + next_skip=0 + + # Microcode header format description: + # https://gitlab.com/iucode-tool/iucode-tool/blob/master/intel_microcode.c + while :; do + [ "$skip" -lt "$file_sz" ] || break + + # Do we parse ext_sig table or another microcode header? + if [ 0 != "$next_skip" ]; then + # Check whether we should abort ext_sig table parsing + [ \( "${skip}" -lt "${next_skip}" \) -a \ + \( "${ext_sig_pos}" -lt "${ext_sig_cnt}" \) ] || { + skip="${next_skip}" + next_skip=0 + continue + } + + # ext_sig, 12 bytes in size + IFS=' ' read cpuid pf_mask <<- EOF + $(dd if="$f" ibs=1 skip="$skip" count=8 status=none \ + | xxd -e -g4 | xxd -r | hexdump -n 8 \ + -e '"" 4/1 "%02x" " 0x" 4/1 "%02x" "\n"') + EOF + # Converting values from the constructed %#08x format + pf_mask="$((pf_mask))" + + skip="$((skip + 12))" + ext_sig_pos="$((ext_sig_pos + 1))" + else + # Microcode header, 48 bytes, last 3 fields reserved + # cksum, ldrver are ignored + IFS=' ' read hdrver rev \ + date_m date_d date_y \ + cpuid cksum ldrver \ + pf_mask datasz totalsz <<- EOF + $(dd if="$f" ibs=1 skip="$skip" count=36 status=none \ + | xxd -e -g4 | xxd -r | hexdump -n 36 \ + -e '"0x" 4/1 "%02x" " 0x" 4/1 "%02x" " " \ + 1/1 "%02x " 1/1 "%02x " 2/1 "%02x" " " \ + 4/1 "%02x" " 0x" 4/1 "%02x" " 0x" 4/1 "%02x" \ + " 0x" 4/1 "%x" \ + " 0x" 4/1 "%02x" " 0x" 4/1 "%02x" "\n"') + EOF + + # Converting values from the constructed %#08x format + rev="$(printf '%#x' "$((rev))")" + pf_mask="$((pf_mask))" + datasz="$((datasz))" + totalsz="$((totalsz))" + + # Skipping files with unexpected hdrver value + [ 1 = "$((hdrver))" ] || { + echo "$f+$skip@$file_sz: incorrect hdrver $((hdrver))" >&2 + break + } + + [ 0 != "$datasz" ] || datasz=2000 + [ 0 != "$totalsz" ] || totalsz=2048 + + # TODO: add some sanity/safety checks here. As of now, + # there's a (pretty fragile) assumption that all + # the matched files are valid Intel microcode + # files in the expected format. + + # ext_sig table is after the microcode payload, + # check for its presence + if [ 48 -lt "$((totalsz - datasz))" ]; then + next_skip="$((skip + totalsz))" + skip="$((skip + datasz + 48))" + ext_sig_pos=0 + + # ext_sig table header, 20 bytes in size, + # last 3 fields are reserved. + IFS=' ' read ext_sig_cnt <<- EOF + $(dd if="$f" ibs=1 skip="$skip" count=4 status=none \ + | xxd -e -g4 | hexdump -n 4 \ + -e '"0x" 4/1 "%02x" "\n"') + EOF + # Converting values from the constructed format + ext_sig_cnt="$((ext_sig_cnt))" + + skip="$((skip + 20))" + else + skip="$((skip + totalsz))" + next_skip=0 + fi + fi + + #[ -n "$rev" ] || continue + + # Basic "Provides:" tag. Everything else is bells and whistles. + # It's possible that microcode files for different platform_id's + # and the same CPUID have the same version, that's why "sort -u" + # in the end. + printf "firmware(intel-ucode/%s) = %s\n" "$ucode" "$rev" + + # Generate extended "Provides:" tags with additional + # information, which allow more precise matching. + printf "iucode_date(fname:%s;cpuid:%s;pf_mask:0x%x) = %s.%s.%s\n" \ + "$ucode_fname" "$cpuid" "$pf_mask" "$date_y" "$date_m" "$date_d" + printf "iucode_rev(fname:%s;cpuid:%s;pf_mask:0x%x) = %s\n" \ + "$ucode_fname" "$cpuid" "$pf_mask" "$rev" + + # Generate tags for each possible platform_id + _pf=1 + _pf_mask="$pf_mask" + while [ 0 -lt "$_pf_mask" ]; do + [ 1 -ne "$((_pf_mask % 2))" ] || \ + # We try to provide a more specific firmware() + # dependency here. It has incorrect file name, + # but allows constructing a required RPM + # capability name by (directly) using + # the contents of /proc/cpuinfo and + # /sys/devices/system/cpu/cpu*/microcode/processor_flags + # (except for a Deschutes CPU with sig 0x1632) + printf "iucode_rev(fname:%s;platform_id:0x%x) = %s\n" \ + "$ucode_fname" "$_pf" "$rev" + + _pf_mask=$((_pf_mask / 2)) + _pf=$((_pf * 2)) + done + + # Generate tags with codename information, in case + # it is available + if [ -e "$CODENAMES" ]; then + cpuid_up="$(echo "$cpuid" | tr 'a-z' 'A-Z')" + cpuid_short="$(printf "%x" "0x$cpuid")" + (grep ' '"$cpuid_up"' ' "$CODENAMES" || :; grep ';'"$cpuid_short"';' "$CODENAMES" || :) \ + | while IFS=$';\t' read segm int_fname codename stepping candidate_pf cpuid_cn cname variants rest; do + [ "x${segm###}" = "x$segm" ] || continue + [ -n "${segm}" ] || continue + codename=$(echo "$codename" | tr ' (),' '_[];') + candidate_pf=$(printf "%u" "0x${candidate_pf}") + (IFS=','; for s in $stepping; do + [ \( 0 -ne "$pf_mask" \) -a \ + \( 0 -eq "$((candidate_pf & pf_mask))" \) ] || { \ + printf "iucode_rev(fname:%s;cpuid:%s;pf_mask:0x%x;segment:\"%s\";codename:\"%s\";stepping:\"%s\";pf_model:0x%x) = %s\n" \ + "$ucode_fname" "$cpuid" "$pf_mask" \ + "$segm" "$codename" "$s" "$candidate_pf" \ + "$rev"; + printf "iucode_date(fname:%s;cpuid:%s;pf_mask:0x%x;segment:\"%s\";codename:\"%s\";stepping:\"%s\";pf_model:0x%x) = %s.%s.%s\n" \ + "$ucode_fname" "$cpuid" "$pf_mask" \ + "$segm" "$codename" "$s" "$candidate_pf" \ + "$date_y" "$date_m" "$date_d"; + if [ "$cpuid_short" = "$cpuid_cn" -a -n "$variants" ]; then + (IFS=','; for v in $variants; do + v=$(echo "$v" | tr ' (),' '_[];') + printf "iucode_rev(fname:%s;cpuid:%s;pf_mask:0x%x;segment:\"%s\";codename:\"%s_%s\";stepping:\"%s\";pf_model:0x%x) = %s\n" \ + "$ucode_fname" "$cpuid" "$pf_mask" \ + "$segm" "$codename" "$v" "$s" "$candidate_pf" \ + "$rev"; + printf "iucode_date(fname:%s;cpuid:%s;pf_mask:0x%x;segment:\"%s\";codename:\"%s_%s\";stepping:\"%s\";pf_model:0x%x) = %s.%s.%s\n" \ + "$ucode_fname" "$cpuid" "$pf_mask" \ + "$segm" "$codename" "$v" "$s" "$candidate_pf" \ + "$date_y" "$date_m" "$date_d"; + done) + fi + } + done) + done + fi + + # Kludge squared: generate additional "Provides:" tags + # for the files in the overrides tarball (that a placed + # in a separate caveat with a specific name) + [ "x${ucode_caveat}" != "x${UPDATED}" ] || { + printf "firmware_updated(intel-ucode/%s) = %s\n" \ + "$ucode" "$rev"; + } + done +done | sort -u diff --git a/SOURCES/gen_updates2.py b/SOURCES/gen_updates2.py new file mode 100755 index 0000000..e0bb6c6 --- /dev/null +++ b/SOURCES/gen_updates2.py @@ -0,0 +1,999 @@ +#! /usr/bin/python +# SPDX-License-Identifier: CC0-1.0 + +import argparse +import errno +import fnmatch +import io +import itertools +import os +import re +import shutil +import struct +import sys +import tarfile +import tempfile +from subprocess import PIPE, Popen, STDOUT + +# Python 3 shims +try: + from functools import reduce +except: + pass +try: + from itertools import zip_longest as izip_longest +except: + from itertools import izip_longest + +# revs: +# [ { "path", "cpuid", "pf", "rev", "date" } ] + +# artifacts: +# * content summary (per-file) +# * overlay summary (per-fms/pf) +# * changelog (per-file?) +# * discrepancies (per-fms/pf) + +log_level = 0 +print_date = False +file_glob = ["*??-??-??", "*microcode*.dat"] + + +def log_status(msg, level=0): + global log_level + + if log_level >= level: + sys.stderr.write(msg + "\n") + + +def log_info(msg, level=2): + global log_level + + if log_level >= level: + sys.stderr.write("INFO: " + msg + "\n") + + +def log_warn(msg, level=1): + global log_level + + if log_level >= level: + sys.stderr.write("WARNING: " + msg + "\n") + + +def log_error(msg, level=-1): + global log_level + + if log_level >= level: + sys.stderr.write("ERROR: " + msg + "\n") + + +def remove_prefix(text, prefix): + if isinstance(prefix, str): + prefix = [prefix, ] + + for p in prefix: + pfx = p if p.endswith(os.sep) else p + os.sep + if text.startswith(pfx): + return text[len(pfx):] + + return text + + +def file_walk(args, yield_dirs=False): + for content in args: + if os.path.isdir(content): + if yield_dirs: + yield ("", content) + for root, dirs, files in os.walk(content): + if yield_dirs: + for f in dirs: + p = os.path.join(root, f) + yield (remove_prefix(p, content), p) + for f in files: + p = os.path.join(root, f) + yield (remove_prefix(p, content), p) + elif os.path.exists(content): + yield ("", content) + else: + raise IOError(errno.ENOENT, os.strerror(errno.ENOENT), content) + + +def cpuid_fname(c): + # Note that the Extended Family is summed up with the Family, + # while the Extended Model is concatenated with the Model. + return "%02x-%02x-%02x" % ( + ((c >> 20) & 0xff) + ((c >> 8) & 0xf), + ((c >> 12) & 0xf0) + ((c >> 4) & 0xf), + c & 0xf) + + +def read_revs_dir(path, args, src=None, ret=None): + if ret is None: + ret = [] + + ucode_re = re.compile('[0-9a-f]{2}-[0-9a-f]{2}-0[0-9a-f]$') + ucode_dat_re = re.compile('microcode.*\.dat$') + + for rp, ap in file_walk([path, ]): + rp_fname = os.path.basename(rp) + if not ucode_re.match(rp_fname) and not ucode_dat_re.match(rp_fname): + continue + + # Text-based format + data = None + if ucode_dat_re.match(rp_fname): + data = io.BytesIO() + with open(ap, "r") as f: + for line in f: + if line.startswith("/"): + continue + vals = line.split(",") + for val in vals: + val = val.strip() + if not val: + continue + data.write(struct.pack(" 48: + f.seek(hdr[7], os.SEEK_CUR) + ext_tbl = struct.unpack(" 0: + if cur_pf & 1 and not (merge and pid in res[key] + and res[key][pid]["rev"][0] >= mc["rev"]): + if pid not in res[cpuid] or merge: + res[cpuid][pid] = [] + res[cpuid][pid].append(mc) + + cur_pf = cur_pf / 2 + pid = pid * 2 + + return res + + +def gen_fn_map(mc_data, merge=False, merge_path=False): + res = dict() + + for mc in mc_data: + key = (None if merge_path else mc["path"], mc["cpuid"], mc["pf"]) + if key in res: + log_warn("Duplicate path/cpuid/pf: %s/%#x/%#x" % key) + else: + res[key] = [] + if merge and len(res[key]): + if mc["rev"] > res[key][0]["rev"]: + res[key][0] = mc + else: + res[key].append(mc) + + return res + + +def revcmp(a, b): + return b["rev"] - a["rev"] + + +class ChangeLogEntry: + ADDED = 0 + REMOVED = 1 + UPDATED = 2 + DOWNGRADED = 3 + OTHER = 4 + + +def mc_stripped_path(mc): + paths = ("usr/share/microcode_ctl/ucode_with_caveats/intel", + "usr/share/microcode_ctl/ucode_with_caveats", + "usr/share/microcode_ctl", + "lib/firmware", + "etc/firmware", + ) + + return remove_prefix(mc["path"], paths) + + +class mcnm: + MCNM_ABBREV = 0 + MCNM_FAMILIES = 1 + MCNM_MODELS = 2 + MCNM_FAMILIES_MODELS = 3 + MCNM_CODENAME = 4 + + +def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV, stringify=True, + segment=False): + if not isinstance(mc, dict): + mc = mc_from_mc_key(mc) + sig = mc["cpuid"] + pf = mc["pf"] + res = [] + + if not cmap: + return None + if sig not in cmap: + log_info("No codename information for sig %#x" % sig) + return None + + cnames = cmap[sig] + + if mode in (mcnm.MCNM_FAMILIES, mcnm.MCNM_MODELS, + mcnm.MCNM_FAMILIES_MODELS): + for c in cnames: + if not (pf & c["pf_mask"]): + continue + for m, f in ((mcnm.MCNM_FAMILIES, "families"), + (mcnm.MCNM_MODELS, "models")): + if m & mode == 0: + continue + if f not in c or not c[f]: + log_info("No %s for sig %#x in %r" % (f, sig, c)) + continue + + res.append(c[f]) + + return ", ".join(res) or None + + steppings = dict() + suffices = dict() + for c in cnames: + if pf and not (pf & c["pf_mask"]): + continue + + if mode == mcnm.MCNM_ABBREV and "abbrev" in c and c["abbrev"]: + cname = c["abbrev"] + else: + cname = c["codename"] + + if segment: + cname = c["segment"] + " " + cname + + if cname not in suffices: + suffices[cname] = set() + if "variant" in c and c["variant"]: + suffices[cname] |= set(c["variant"]) + + if cname not in steppings: + steppings[cname] = set() + if c["stepping"]: + steppings[cname] |= set(c["stepping"]) + + for cname in sorted(steppings.keys()): + cname_res = [cname] + if len(suffices[cname]): + cname_res[0] += "-" + "/".join(sorted(suffices[cname])) + if len(steppings[cname]): + cname_res.append("/".join(sorted(steppings[cname]))) + res.append(" ".join(cname_res) if stringify else cname_res) + + return (", ".join(res) or None) if stringify else res + + +def mc_from_mc_key(k): + return dict(zip(("path", "cpuid", "pf"), k)) + + +def mc_path(mc, pf_sfx=True, midword=None, cmap=None, cname_segment=False): + if not isinstance(mc, dict): + mc = mc_from_mc_key(mc) + path = mc_stripped_path(mc) if mc["path"] is not None else None + cpuid_fn = cpuid_fname(mc["cpuid"]) + fname = os.path.basename(mc["path"] or cpuid_fn) + midword = "" if midword is None else " " + midword + cname = get_mc_cnames(mc, cmap, segment=cname_segment) + cname_str = " (" + cname + ")" if cname else "" + + if pf_sfx: + sfx = "/0x%02x" % mc["pf"] + else: + sfx = "" + + if not path or path == os.path.join("intel-ucode", cpuid_fn): + return "%s%s%s%s" % (fname, sfx, cname_str, midword) + else: + return "%s%s%s%s (in %s)" % (cpuid_fn, sfx, cname_str, midword, path) + + +def gen_changelog_file(old, new): + pass + + +def mc_cmp(old_mc, new_mc): + res = [] + + old_mc_revs = [x["rev"] for x in old_mc] + new_mc_revs = [x["rev"] for x in new_mc] + common = set(old_mc_revs) & set(new_mc_revs) + old_rev_list = [x for x in sorted(old_mc_revs) if x not in common] + new_rev_list = [x for x in sorted(new_mc_revs) if x not in common] + + if len(old_rev_list) != 1 or len(new_rev_list) != 1: + for i in new_mc: + if i["rev"] in new_rev_list: + res.append((ChangeLogEntry.ADDED, None, i)) + for i in old_mc: + if i["rev"] in old_rev_list: + res.append((ChangeLogEntry.REMOVED, i, None)) + else: + for old in old_mc: + if old["rev"] == old_rev_list[0]: + break + for new in new_mc: + if new["rev"] == new_rev_list[0]: + break + if new["rev"] > old["rev"]: + res.append((ChangeLogEntry.UPDATED, old, new)) + elif new["rev"] < old["rev"]: + res.append((ChangeLogEntry.DOWNGRADED, old, new)) + + return res + + +def gen_changelog(old, new): + res = [] + + old_map = gen_fn_map(old) + new_map = gen_fn_map(new) + + old_files = set(old_map.keys()) + new_files = set(new_map.keys()) + + both = old_files & new_files + added = new_files - old_files + removed = old_files - new_files + + for f in sorted(added): + p = mc_path(new_map[f][0]) + for old_f in sorted(removed): + old_p = mc_path(old_map[old_f][0]) + if p == old_p and f[1] == old_f[1] and f[2] == old_f[2]: + log_info("Matched %s (%s and %s)" % + (p, old_map[old_f][0]["path"], new_map[f][0]["path"])) + added.remove(f) + removed.remove(old_f) + + res += mc_cmp(old_map[old_f], new_map[f]) + + for f in sorted(added): + for i in new_map[f]: + res.append((ChangeLogEntry.ADDED, None, i)) + for f in sorted(removed): + for i in old_map[f]: + res.append((ChangeLogEntry.REMOVED, i, None)) + for f in sorted(both): + res += mc_cmp(old_map[f], new_map[f]) + + return res + + +def mc_date(mc): + if isinstance(mc, dict): + mc = mc["date"] + return "%04x-%02x-%02x" % (mc & 0xffff, mc >> 24, (mc >> 16) & 0xff) + + +def mc_rev(mc, date=None): + ''' + While revision is signed for comparison purposes, historically + it is printed as unsigned, Oh well. + ''' + global print_date + + if mc["rev"] < 0: + rev = 2**32 + mc["rev"] + else: + rev = mc["rev"] + + if date if date is not None else print_date: + return "%#x (%s)" % (rev, mc_date(mc)) + else: + return "%#x" % rev + + +def print_changelog_rpm(clog, cmap, args): + for e, old, new in clog: + mc_str = mc_path(new if e == ChangeLogEntry.ADDED else old, + midword="microcode", + cmap=cmap, cname_segment=args.segment) + + if e == ChangeLogEntry.ADDED: + print("Addition of %s at revision %s" % (mc_str, mc_rev(new))) + elif e == ChangeLogEntry.REMOVED: + print("Removal of %s at revision %s" % (mc_str, mc_rev(old))) + elif e == ChangeLogEntry.UPDATED: + print("Update of %s from revision %s up to %s" % + (mc_str, mc_rev(old), mc_rev(new))) + elif e == ChangeLogEntry.DOWNGRADED: + print("Downgrade of %s from revision %s down to %s" % + (mc_str, mc_rev(old), mc_rev(new))) + elif e == ChangeLogEntry.OTHER: + print("Other change in %s:" % old["path"]) + print(" old: %#x/%#x: rev %s (offs %#x)" % + (old["cpuid"], old["pf"], mc_rev(old), old["offs"])) + print(" new: %#x/%#x: rev %s (offs %#x)" % + (new["cpuid"], new["pf"], mc_rev(new), new["offs"])) + + +def print_changelog_intel(clog, cmap, args): + def clog_sort_key(x): + res = str(x[0]) + + if x[0] != ChangeLogEntry.ADDED: + res += "%08x%02x" % (x[1]["cpuid"], x[1]["pf"]) + else: + res += "0" * 10 + + if x[0] != ChangeLogEntry.REMOVED: + res += "%08x%02x" % (x[2]["cpuid"], x[2]["pf"]) + else: + res += "0" * 10 + + return res + + sorted_clog = sorted(clog, key=clog_sort_key) + sections = (("New Platforms", (ChangeLogEntry.ADDED, )), + ("Updated Platforms", (ChangeLogEntry.UPDATED, + ChangeLogEntry.DOWNGRADED)), + ("Removed Platforms", (ChangeLogEntry.REMOVED, ))) + + def print_line(e, old, new, types): + if e not in types: + return + + if not print_line.hdr: + print(""" +| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products +|:---------------|:---------|:------------|:---------|:---------|:---------""") + print_line.hdr = True + + mc = new if e == ChangeLogEntry.ADDED else old + cnames = get_mc_cnames(mc, cmap, stringify=False, + segment=args.segment) or (("???", ""), ) + for cn in cnames: + cname = cn[0] + stepping = cn[1] if len(cn) > 1 else "" + print("| %-14s | %-8s | %8s/%02x | %8s | %8s | %s" % + (cname, + stepping, + cpuid_fname(mc["cpuid"]), mc["pf"], + ("%08x" % old["rev"]) if e != ChangeLogEntry.ADDED else "", + ("%08x" % new["rev"]) if e != ChangeLogEntry.REMOVED else "", + get_mc_cnames(mc, cmap, mode=mcnm.MCNM_FAMILIES, + segment=args.segment) or "")) + + for h, types in sections: + print("\n### %s" % h) + print_line.hdr = False + for e, old, new in sorted_clog: + print_line(e, old, new, types) + + +def print_changelog(clog, cmap, args): + if args.format == "rpm": + print_changelog_rpm(clog, cmap, args) + elif args.format == "intel": + print_changelog_intel(clog, cmap, args) + else: + log_error(("unknown changelog format: \"%s\". " + + "Supported formats are: rpm, intel.") % args.format) + + +class TableStyles: + TS_CSV = 0 + TS_FANCY = 1 + + +def print_line(line, column_sz): + print(" | ".join([str(x).ljust(column_sz[i]) + for i, x in zip(itertools.count(), + itertools.chain(line, + [""] * (len(column_sz) - + len(line))))]).rstrip()) + + +def print_table(items, header=[], style=TableStyles.TS_CSV): + if style == TableStyles.TS_CSV: + for i in items: + print(";".join(i)) + elif style == TableStyles.TS_FANCY: + column_sz = list(reduce(lambda x, y: + map(max, izip_longest(x, y, fillvalue=0)), + [[len(x) for x in i] + for i in itertools.chain(header, items)])) + for i in header: + print_line(i, column_sz) + if header: + print("-+-".join(["-" * x for x in column_sz])) + for i in items: + print_line(i, column_sz) + + +def print_summary(revs, cmap, args): + m = gen_fn_map(revs) + cnames_mode = mcnm.MCNM_ABBREV if args.abbrev else mcnm.MCNM_CODENAME + + header = [] + if args.header: + header.append(["Path", "Offset", "Ext. Offset", "Data Size", + "Total Size", "CPUID", "Platform ID Mask", "Revision", + "Date", "Checksum", "Codenames"] + + (["Models"] if args.models else [])) + tbl = [] + for k in sorted(m.keys()): + for mc in m[k]: + tbl.append([mc_stripped_path(mc), + "0x%x" % mc["offs"], + "0x%x" % mc["ext_offs"] if "ext_offs" in mc else "-", + "0x%05x" % mc["data_size"], + "0x%05x" % mc["total_size"], + "0x%05x" % mc["cpuid"], + "0x%02x" % mc["pf"], + mc_rev(mc, date=False), + mc_date(mc), + "0x%08x" % (mc["ext_cksum"] + if "ext_cksum" in mc else mc["cksum"]), + get_mc_cnames(mc, cmap, cnames_mode, + segment=args.segment) or ""] + + ([get_mc_cnames(mc, cmap, + mcnm.MCNM_FAMILIES_MODELS, + segment=args.segment)] + if args.models else [])) + + print_table(tbl, header, style=TableStyles.TS_FANCY) + + +def read_codenames_file(path): + ''' + Supports two formats: new and old + * old: tab-separated. Field order: + Segment, (unused), Codename, (dash-separated) Stepping, + Platform ID mask, CPUID, (unused) Update link, (unused) Specs link + * new: semicolon-separated; support comments. Distinguished + by the first line that starts with octothorp. Field order: + Segment, Unused, Codename, Stepping, Platform ID mask, CPUID, + Abbreviation, Variant(s), Families, Models + ''' + old_fields = ["segment", "_", "codename", "stepping", "pf_mask", "sig", + "_update", "_specs"] + new_fields = ["segment", "_", "codename", "stepping", "pf_mask", "sig", + "abbrev", "variant", "families", "models"] + new_fmt = False + field_names = old_fields + + res = dict() + + try: + with open(path, "r") as f: + for line in f: + line = line.strip() + if len(line) == 0: + continue + if line[0] == '#': + new_fmt = True + field_names = new_fields + continue + + fields = line.split(";" if new_fmt else "\t", + 1 + len(field_names)) + fields = dict(zip(field_names, fields)) + if "sig" not in fields: + log_warn("Skipping %r (from \"%s\")" % (fields, line)) + continue + + sig = fields["sig"] = int(fields["sig"], 16) + fields["pf_mask"] = int(fields["pf_mask"], 16) + fields["stepping"] = fields["stepping"].split(",") + if "variant" in fields: + if fields["variant"]: + fields["variant"] = fields["variant"].split(",") + else: + fields["variant"] = [] + + if sig not in res: + res[sig] = list() + res[sig].append(fields) + except Exception as e: + log_error("a problem occurred while reading code names: %s" % e) + + return res + + +def print_discrepancies(rev_map, deps, cmap, args): + """ + rev_map: dict "name": revs + deps: list of tuples (name, parent/None) + """ + sigs = set() + + for p, r in rev_map.items(): + sigs |= set(r.keys()) + + if args.header: + header1 = ["sig"] + if args.print_vs: + header2 = [""] + for p, n, d in deps: + header1.append(n) + if args.print_vs: + add = "" + if d: + for pd, nd, dd in deps: + if pd == d: + add = "(vs. %s)" % nd + break + header2.append(add) + if args.models: + header1.append("Model names") + if args.print_vs: + header2.append("") + header = [header1] + ([header2] if args.print_vs else []) + + tbl = [] + for s in sorted(sigs): + out = [mc_path(s)] + print_out = not args.print_filter + print_date = args.min_date is None + + for p, n, d in deps: + cur = dict([(x["rev"], x) for x in rev_map[p][s]]) \ + if s in rev_map[p] else [] + v = "/".join([mc_rev(y) for x, y in sorted(cur.items())]) \ + if cur else "-" + if d is not None: + prev = [x["rev"] for x in rev_map[d][s]] if s in rev_map[d] \ + else [] + if [x for x in cur if x not in prev]: + v += " (*)" + print_out = True + if args.min_date is not None and s in rev_map[p]: + for x in rev_map[p][s]: + print_date |= mc_date(x) > args.min_date + out.append(v) + + if print_out and print_date: + if args.models: + out.append(get_mc_cnames(s, cmap, segment=args.segment) or "") + tbl.append(out) + + print_table(tbl, header, style=TableStyles.TS_FANCY) + + +def cmd_summary(args): + revs = [] + for p in args.filelist: + revs = read_revs(p, args, ret=revs) + + codenames_map = read_codenames_file(args.codenames) + + print_summary(revs, codenames_map, args) + + return 0 + + +def cmd_changelog(args): + codenames_map = read_codenames_file(args.codenames) + base_path = args.filelist[0] + upd_path = args.filelist[1] + + base = read_revs(base_path, args) + upd = read_revs(upd_path, args) + + print_changelog(gen_changelog(base, upd), codenames_map, args) + + return 0 + + +def cmd_discrepancies(args): + """ + filenames: + * "<" prefix (possibly multiple times) to refer to a previous entry + to compare against + * "[name]" prefix is a name reference + """ + codenames_map = read_codenames_file(args.codenames) + rev_map = dict() + deps = list() + cur = -1 + + for path in args.filelist: + orig_path = path + name = None + cur += 1 + dep = None + while True: + if path[0] == '<': + path = path[1:] + dep = cur - 1 if dep is None else dep - 1 + elif path[0] == '[' and path.find(']') > 0: + pos = path.find(']') + name = path[1:pos] + path = path[pos + 1:] + else: + break + if name is None: + name = path + if dep is not None and dep < 0: + log_error("Incorrect dep reference for '%s' (points to index %d)" % + (orig_path, dep)) + return 1 + deps.append((path, name, deps[dep][0] if dep is not None else None)) + rev_map[path] = gen_fn_map(read_revs(path, args), merge=args.merge, + merge_path=True) + + print_discrepancies(rev_map, deps, codenames_map, args) + + return 0 + + +def parse_cli(): + root_parser = argparse.ArgumentParser(prog="gen_updates", + description="Intel CPU Microcode " + + "parser") + root_parser.add_argument("-C", "--codenames", default='codenames', + help="Code names file") + root_parser.add_argument("-v", "--verbose", action="count", default=0, + help="Increase output verbosity") + root_parser.add_argument("-E", "--no-ignore-ext-duplicates", + action="store_const", dest="ignore_ext_dups", + default=False, const=False, + help="Do not ignore duplicates of the main " + + "signature in the extended signature header") + root_parser.add_argument("-e", "--ignore-ext-duplicates", + action="store_const", dest="ignore_ext_dups", + const=True, + help="Ignore duplicates of the main signature " + + "in the extended signature header") + root_parser.add_argument("-t", "--print-segment", action="store_const", + dest="segment", const=True, + help="Print model segment") + root_parser.add_argument("-T", "--no-print-segment", action="store_const", + dest="segment", const=False, default=False, + help="Do not print model segment") + + cmdparsers = root_parser.add_subparsers(title="Commands", + help="main gen_updates commands") + + parser_s = cmdparsers.add_parser("summary", + help="Generate microcode summary") + parser_s.add_argument("-a", "--abbreviate", action="store_const", + dest="abbrev", const=True, default=True, + help="Abbreviate code names") + parser_s.add_argument("-A", "--no-abbreviate", action="store_const", + dest="abbrev", const=False, + help="Do not abbreviate code names") + parser_s.add_argument("-m", "--print-models", action="store_const", + dest="models", const=True, default=False, + help="Print models") + parser_s.add_argument("-M", "--no-print-models", + action="store_const", dest="models", + const=False, help="Do not print models") + parser_s.add_argument("-H", "--no-print-header", + action="store_const", dest="header", + const=False, default=True, + help="Do not print hader") + parser_s.add_argument("filelist", nargs="*", default=[], + help="List or RPMs/directories to process") + parser_s.set_defaults(func=cmd_summary) + + parser_c = cmdparsers.add_parser("changelog", + help="Generate changelog") + parser_c.add_argument("-F", "--format", choices=["rpm", "intel"], + default="rpm", help="Changelog format") + parser_c.add_argument("filelist", nargs=2, + help="RPMs/directories to compare") + parser_c.set_defaults(func=cmd_changelog) + + parser_d = cmdparsers.add_parser("discrepancies", + help="Generate discrepancies") + parser_d.add_argument("-s", "--merge-revs", action="store_const", + dest="merge", const=True, default=False, + help="Merge revisions that come" + + " from different files") + parser_d.add_argument("-S", "--no-merge-revs", action="store_const", + dest="merge", const=False, + help="Do not Merge revisions that come" + + " from different files") + parser_d.add_argument("-v", "--print-vs", action="store_const", + dest="print_vs", const=True, default=False, + help="Print base version ") + parser_d.add_argument("-V", "--no-print-vs", action="store_const", + dest="print_vs", const=False, + help="Do not Merge revisions that come" + + " from different files") + parser_d.add_argument("-m", "--print-models", action="store_const", + dest="models", const=True, default=True, + help="Print model names") + parser_d.add_argument("-M", "--no-print-models", action="store_const", + dest="models", const=False, + help="Do not print model names") + parser_d.add_argument("-H", "--no-print-header", action="store_const", + dest="header", const=False, default=True, + help="Do not print hader") + parser_d.add_argument("-a", "--print-all-files", action="store_const", + dest="print_filter", const=False, default=True, + help="Print all files") + parser_d.add_argument("-c", "--print-changed-files", action="store_const", + dest="print_filter", const=True, + help="Print only changed files") + parser_d.add_argument("-d", "--min-date", action="store", + help="Minimum date filter") + parser_d.add_argument("filelist", nargs='*', + help="RPMs/directories to compare") + parser_d.set_defaults(func=cmd_discrepancies) + + args = root_parser.parse_args() + if not hasattr(args, "func"): + root_parser.print_help() + return None + + global log_level + log_level = args.verbose + + return args + + +def main(): + args = parse_cli() + if args is None: + return 1 + + return args.func(args) + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/SOURCES/intel_config b/SOURCES/intel_config new file mode 100644 index 0000000..1f47b87 --- /dev/null +++ b/SOURCES/intel_config @@ -0,0 +1,8 @@ +path intel-ucode/* +vendor GenuineIntel +kernel_early 4.10.0 +kernel_early 3.10.0-930 +kernel_early 3.10.0-862.14.1 +kernel_early 3.10.0-693.38.1 +kernel_early 3.10.0-514.57.1 +kernel_early 3.10.0-327.73.1 diff --git a/SOURCES/intel_disclaimer b/SOURCES/intel_disclaimer new file mode 100644 index 0000000..c4669ba --- /dev/null +++ b/SOURCES/intel_disclaimer @@ -0,0 +1,10 @@ +This kernel doesn't handle early microcode load properly (it tries to load +microcode even in virtualised environment, which may lead to a panic on some +hypervisors), thus the microcode files have not been added to the initramfs +image. Please update your kernel to one of the following: + RHEL 7.5: kernel-3.10.0-862.14.1 or newer; + RHEL 7.4: kernel-3.10.0-693.38.1 or newer; + RHEL 7.3: kernel-3.10.0-514.57.1 or newer; + RHEL 7.2: kernel-3.10.0-327.73.1 or newer. +Please refer to /usr/share/doc/microcode_ctl/caveats/intel_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/intel_readme b/SOURCES/intel_readme new file mode 100644 index 0000000..de9213d --- /dev/null +++ b/SOURCES/intel_readme @@ -0,0 +1,53 @@ +Older RHEL 7 kernels try to early load microcode even inside virtual +machine, which may lead to panic on some hypervisors. In order to circumvent +that, microcode is installed into a kernel-version-specific directory (which +is not scanned by the dracut script, that constructs early microcode binary +in initramfs, by default), and path to microcode files provided only in case +initramfs is generated for the kernel version that properly handles early +microcode inside a virtual machine (i.e. do not attempts yo load it). +The versions of the kernel package that properly handle early microcode load +inside a virtual machine are as follows: + * RHEL 7.6 onwards: kernel-3.10.0-930 or newer; + * RHEL 7.5: kernel-3.10.0-862.14.1 or newer; + * RHEL 7.4: kernel-3.10.0-693.38.1 or newer; + * RHEL 7.3: kernel-3.10.0-514.57.1 or newer; + * RHEL 7.2: kernel-3.10.0-327.73.1 or newer. +RHEL 8 kernels are not affected. + +If you want to avoid early load of microcode for a specific kernel, please +create "disallow-early-intel" file inside /lib/firmware/ +directory and run dracut -f --kver "": + + touch /lib/firmware/3.10.0-862.9.1/disallow-early-intel + dracut -f --kver 3.10.0-862.9.1 + +If you want to avoid early load of microcode for all kernels, please create +"disallow-early-intel" file inside the "/etc/microcode_ctl/ucode_with_caveats" +directory and run dracut -f --regenerate-all: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/disallow-early-intel + dracut -f --regenerate-all + +If you want to enforce early load of microcode for a specific kernel, please +create "force-early-intel" file inside /lib/firmware/ directory +and run dracut -f --kver "": + + touch /lib/firmware/3.10.0-862.9.1/force-early-intel + dracut -f --kver 3.10.0-862.9.1 + +If you want to enforce early load of microcode for all kernels, please create +"force-early-intel" file inside /etc/microcode_ctl/ucode_with_caveats +directory and run dracut -f --kver "": + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel + dracut -f --regenerate-all + +In order to override the late load behaviour, the "early" part of file names +should be replaced with "late" (and there is no need to call dracut +in that case). + + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/microcode.service b/SOURCES/microcode.service new file mode 100644 index 0000000..a96138f --- /dev/null +++ b/SOURCES/microcode.service @@ -0,0 +1,12 @@ +[Unit] +Description=Load CPU microcode update +After=basic.target +ConditionVirtualization=false +ConditionPathExists=/sys/devices/system/cpu/microcode/reload + +[Service] +Type=oneshot +RemainAfterExit=no +ExecStart=/usr/libexec/microcode_ctl/reload_microcode +[Install] +WantedBy=basic.target diff --git a/SOURCES/reload_microcode b/SOURCES/reload_microcode new file mode 100644 index 0000000..5d4d1b1 --- /dev/null +++ b/SOURCES/reload_microcode @@ -0,0 +1,22 @@ +#! /bin/bash -efu + +# Trigger microcode reload with additional check for BDW-EP that can have +# microcode reloaded only in case kernel has specific patches. +# +# SPDX-License-Identifier: CC0-1.0 + +CHECK_CAVEATS=/usr/libexec/microcode_ctl/check_caveats +IGNORE_HYPERVISOR="/etc/microcode_ctl/ignore-hypervisor-flag" + +[ -e "$IGNORE_HYPERVISOR" ] || { + if grep -q '^flags[[:space:]]*:.* hypervisor\( .*\)\?$' /proc/cpuinfo + then + exit 0 + fi +} + +"$CHECK_CAVEATS" -m > /dev/null || exit 0 + +echo 2>/dev/null 1 > /sys/devices/system/cpu/microcode/reload || : + +exit 0 diff --git a/SOURCES/update_ucode b/SOURCES/update_ucode new file mode 100644 index 0000000..0d5038e --- /dev/null +++ b/SOURCES/update_ucode @@ -0,0 +1,290 @@ +#! /bin/bash -eu + +# Maintain kernel-version-specific symlinks in /lib/firmware based on +# configuration present in /usr/share/microcode_ctl/ucode_with_caveats. +# +# SPDX-License-Identifier: CC0-1.0 + +usage() +{ + echo "Usage: update_ucode [--action {add|remove|refresh|list}]" \ + "[--kernel KERNELVER]* [--verbose] [--dry-run]" \ + "[--cleanup intel_ucode caveats_ucode]" \ + "[--skip-common] [--skip-kernel-specific]" >&2 +} + +debug() { [ 0 = "$verbose" ] || echo "$*" >&2; } + +MC_DIR=/usr/share/microcode_ctl +INTEL_UCODE_DIR=intel-ucode +DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats +FW_DIR=/lib/firmware +check_caveats=/usr/libexec/microcode_ctl/check_caveats + +action=refresh +kernel= +verbose=0 +verbose_opt= +dry_run=0 +remove_cleanup=0 +cleanup_intel= +cleanup_caveats= +skip_common=0 +skip_caveats=0 + +while [ 1 -le "$#" ]; do + case "$1" in + -C|--skip-common) + skip_common=1 + ;; + -K|--skip-kernel-specific) + skip_caveats=1 + ;; + -a|--action) + shift + action="$1" + ;; + -k|--kernel) + shift + kernel="$kernel $1" + ;; + -v|--verbose) + verbose=1 + verbose_opt="-v" + ;; + -n|--dry-run) + dry_run=1 + ;; + -c|--cleanup) + remove_cleanup=1 + shift + cleanup_intel="$1" + shift + cleanup_caveats="$1" + ;; + *) + echo "Unknown argument \"$1\"" >&2 + usage + exit 1 + esac + shift +done + +cmd= +[ 0 -eq "$dry_run" ] || cmd=echo + +case "$action" in +add|remove|refresh|list) + # Scan all directories in FW_DIR and all existing kernels + if [ -z "$kernel" ]; then + debug "No kernel versions provided, scanning..." + + kvers=$(find /lib/modules/ -name '[2-9].*' -print) + for k_dir in $kvers; do + k="${k_dir#/lib/modules/}" + [ ! -e "${k_dir}/symvers.gz" ] || { + debug " Adding $k (from /lib/modules)" + kernel="$kernel $k" + } + done + + kvers=$(find /lib/firmware/ -name '[2-9].*' -print) + for k_dir in $kvers; do + k="${k_dir#/lib/firmware/}" + [ ! -d "$k_dir" ] || { + debug " Adding $k (from /lib/firmware)" + kernel="$kernel $k" + } + done + + kernel=$(printf "%s" "$kernel" | xargs -n 1 | sort -u) + fi + ;; +*) + echo "Unknown action \"$action\"" >&2 + usage + exit 1 + ;; +esac + +# Generic part: managing intel ucode +debug "Running action \"$action\" on common Intel microcode directory" +while :; do + [ 0 -eq "$skip_common" ] || break + + [ ! -e "/etc/microcode_ctl/intel-ucode-disallow" ] || { + debug " Skipping \"$i\":" \ + "\"/etc/microcode_ctl/intel-ucode-disallow\"" \ + "present" + break + } + [ ! -e "$FW_DIR/intel-ucode-disallow" ] || { + debug " Found \"$FW_DIR/intel-ucode-disallow\"," \ + "skipping" + break + } + + # Removing old files + case "$action" in + refresh|remove|list) + debug " Removing old files from ${FW_DIR}/${INTEL_UCODE_DIR}" + if [ 0 = "$remove_cleanup" ]; then + find "${MC_DIR}/${INTEL_UCODE_DIR}" \ + -maxdepth 1 -mindepth 1 \ + -type f -printf '%f\n' + else + cat "$cleanup_intel" + fi | while read -r fname; do + name="${FW_DIR}/${INTEL_UCODE_DIR}/${fname}" + + # Needed in case we downgrade to a version where + # no symlinks in /lib/firmware were used + if [ 1 = "$remove_cleanup" ]; then + [ -L "$name" ] || continue + fi + + [ "xlist" != "x$action" ] || { + echo "$name" + continue + } + + $cmd rm -f $verbose_opt "$name" + done + [ "xlist" = "x$action" ] || { + $cmd rmdir -p $verbose_opt \ + "${FW_DIR}/${INTEL_UCODE_DIR}" 2>/dev/null \ + || true + } + ;; + esac + + # Adding new ones + case "$action" in + add|refresh) + debug " Creating symlinks in ${FW_DIR}/${INTEL_UCODE_DIR}" + $cmd mkdir -p $verbose_opt "${FW_DIR}/${INTEL_UCODE_DIR}" + $cmd find "${MC_DIR}/${INTEL_UCODE_DIR}" -maxdepth 1 -mindepth 1 \ + -type f -exec bash -c 'ln -fs '"$verbose_opt"' '\''{}'\'' \ + "'"${FW_DIR}/${INTEL_UCODE_DIR}/"'$(basename '\''{}'\'')"' \; + ;; + esac + + break +done + +debug "Running action \"$action\" on kernels $kernel" + +if [ 0 = "$remove_cleanup" ]; then + ls "$DATA_DIR" +else + cat "$cleanup_caveats" +fi | while read -r i; do + [ 0 -eq "$skip_caveats" ] || break + + debug "Processing data directory \"$i\"..." + + for k in $(echo "$kernel"); do + debug " Processing kernel version \"$k\"" + { + out=$($check_caveats -k "$k" -c "$i" $verbose_opt) + ret="$?" + } || : + paths=$(printf "%s" "$out" | sed -n 's/^paths //p') + ignore=$(printf "%s" "$out" | sed -n 's/^skip_cfgs //p') + + [ -z "$ignore" ] || { + debug " Configuration is ignored, skipping" + continue + } + + case "$action" in + remove|refresh|list) + [ "xlist" = "x$action" ] || \ + debug " Removing \"$paths\" (part of $action)..." + + for p in $(printf "%s" "$paths"); do + find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \ + -printf "%P\n" + done | while read -r path; do + [ -e "$FW_DIR/$k/readme-$i" ] || { + debug " \"$FW_DIR/$k/readme-$i\"" \ + "is not found, skipping" \ + "\"$paths\" removal" + + break + } + + if [ "xlist" = "x$action" ]; then + echo "$FW_DIR/$k/$path" + else + debug " Removing \"$FW_DIR/$k/$path\"" + $cmd rm -f $verbose_opt "$FW_DIR/$k/$path" + $cmd rmdir -p $verbose_opt \ + "$FW_DIR/$k/$(dirname $path)" 2>/dev/null \ + || true + fi + done + + if [ -e "$FW_DIR/$k/readme-$i" ]; then + if [ "xlist" = "x$action" ]; then + echo "$FW_DIR/$k/readme-$i" + else + $cmd rm -f $verbose_opt \ + "$FW_DIR/$k/readme-$i" + $cmd rmdir -p $verbose_opt \ + "$FW_DIR/$k" 2>/dev/null || true + fi + fi + ;; + esac + + [ 0 -eq "$ret" ] || { + debug " Checking for caveats failed" \ + "(kernel version \"$k\"), skipping" + continue + } + + [ -n "$paths" ] || { + debug " List of paths to add is empty, skipping" + continue + } + + case "$action" in + add|refresh) + debug " Adding $paths (part of $action)..." + + [ -e "/lib/modules/$k/symvers.gz" ] || { + debug " \"/lib/modules/$k/symvers.gz\"" \ + "does not exist, skipping" + continue + } + + for p in $(printf "%s" "$paths"); do + find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \ + -printf "%P\n" + done | while read -r path; do + [ ! -e "$FW_DIR/$k/$path" ] || { + debug " $FW_DIR/$k/$path already" \ + "exists, skipping" + continue + } + + debug " Adding \"$FW_DIR/$k/$path\"" + $cmd mkdir -p $verbose_opt \ + "$(dirname "$FW_DIR/$k/$path")" + $cmd ln -fs $verbose_opt "$DATA_DIR/$i/$path" \ + "$FW_DIR/$k/$path" + done + + if [ -e "$FW_DIR/$k/readme-$i" ]; then + debug " $FW_DIR/$k/readme-$i already" \ + "exists, skipping creation" + else + $cmd cp $verbose_opt "$DATA_DIR/$i/readme" \ + "$FW_DIR/$k/readme-$i" + fi + ;; + remove) + esac + done +done diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec new file mode 100644 index 0000000..944b7d3 --- /dev/null +++ b/SPECS/microcode_ctl.spec @@ -0,0 +1,1275 @@ +%define intel_ucode_version 20210608 + +%define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats +%define microcode_ctl_libexec %{_libexecdir}/microcode_ctl + +%define update_ucode %{microcode_ctl_libexec}/update_ucode +%define check_caveats %{microcode_ctl_libexec}/check_caveats +%define reload_microcode %{microcode_ctl_libexec}/reload_microcode + +%define dracutlibdir %{_prefix}/lib/dracut + +Summary: CPU microcode updates for Intel x86 processors +Name: microcode_ctl +Version: %{intel_ucode_version} +Release: 2%{?dist} +Epoch: 4 +License: CC0 and Redistributable, no modification permitted +URL: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files +Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz + +# (Pre-MDS) revision 0x714 of 06-2d-07 microcode +Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07 + +# (Pre-20191112) revision 0x2000064 of 06-55-04 microcode +Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04 + +# (Pre-20200609) revision 0xd6 of 06-4e-03/06-5e-03 microcode +Source4: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-4e-03 +Source5: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-5e-03 + +# microcode-20190918 release,containing revision 0xb4/0xb8 of 06-[89]e-0X microcode +Source6: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20190918.tar.gz +# microcode-20191115 release,containing revision 0xca of 06-[89]e-0X microcode +Source7: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20191115.tar.gz + + +# systemd unit +Source10: microcode.service + +# dracut-related stuff +Source20: 01-microcode.conf +Source21: 99-microcode-override.conf +Source22: dracut_99microcode_ctl-fw_dir_override_module_init.sh + +# libexec +Source30: update_ucode +Source31: check_caveats +Source32: reload_microcode + +# docs +Source41: README.caveats +Source42: README + +## Caveats +# BDW EP/EX +# https://bugzilla.redhat.com/show_bug.cgi?id=1622180 +# https://bugzilla.redhat.com/show_bug.cgi?id=1623630 +# https://bugzilla.redhat.com/show_bug.cgi?id=1646383 +Source100: 06-4f-01_readme +Source101: 06-4f-01_config +Source102: 06-4f-01_disclaimer + +# Unsafe early MC update inside VM: +# https://bugzilla.redhat.com/show_bug.cgi?id=1596627 +Source110: intel_readme +Source111: intel_config +Source112: intel_disclaimer + +# SNB-EP (CPUID 0x206d7) post-MDS hangs +# https://bugzilla.redhat.com/show_bug.cgi?id=1758382 +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15 +Source120: 06-2d-07_readme +Source121: 06-2d-07_config +Source122: 06-2d-07_disclaimer + +# SKL-SP/W/X (CPUID 0x50654) post-20191112 hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 +Source130: 06-55-04_readme +Source131: 06-55-04_config +Source132: 06-55-04_disclaimer + +# SKL-U/Y (CPUID 0x406e3) post-20200609 hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 +Source140: 06-4e-03_readme +Source141: 06-4e-03_config +Source142: 06-4e-03_disclaimer + +# SKL-H/S/Xeon E3 v5 (CPUID 0x506e3) post-20200609 possible hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 +Source150: 06-5e-03_readme +Source151: 06-5e-03_config +Source152: 06-5e-03_disclaimer + +# Dell 06-[89]e-0x hangs - intermediate 0xca microcode revision +# https://bugzilla.redhat.com/show_bug.cgi?id=1807960 +# https://bugzilla.redhat.com/show_bug.cgi?id=1846097 +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23 +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24 +# https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1862751 +Source160: 06-8e-9e-0x-0xca_readme +Source161: 06-8e-9e-0x-0xca_config +Source162: 06-8e-9e-0x-0xca_disclaimer + +# Dell 06-[89]e-0x hangs - latest microcode revision +# https://bugzilla.redhat.com/show_bug.cgi?id=1807960 +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33 +# https://bugs.debian.org/962757 +# https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1882943 +Source170: 06-8e-9e-0x-dell_readme +Source171: 06-8e-9e-0x-dell_config +Source172: 06-8e-9e-0x-dell_disclaimer + +# TGL-UP3/UP4 (CPUID 06-8c-01) hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 +Source180: 06-8c-01_readme +Source181: 06-8c-01_config +Source182: 06-8c-01_disclaimer + +# "Provides:" RPM tags generator +Source1000: gen_provides.sh +Source1001: codenames.list +Source1002: gen_updates2.py + +BuildArch: noarch +BuildRequires: systemd-units +# dd, hexdump, and xxd are used in gen_provides.sh +BuildRequires: coreutils util-linux /usr/bin/xxd +# gen_updates2.py requires python interpreter +BuildRequires: /usr/bin/python3 +Requires: coreutils +Requires(post): systemd coreutils +Requires(preun): systemd coreutils +Requires(postun): systemd coreutils +Requires(posttrans): dracut coreutils + +%global _use_internal_dependency_generator 0 +%define __find_provides "%{SOURCE1000}" "%{SOURCE1001}" + +%description +This package provides microcode update files for Intel x86 and x86_64 CPUs. + +The microcode update is volatile and needs to be uploaded on each system +boot i.e. it isn't stored on a CPU permanently; reboot and it reverts +back to the old microcode. + +Package name "microcode_ctl" is historical, as the binary with the same name +is no longer used for microcode upload and, as a result, no longer provided. + +%prep +%setup -n "Intel-Linux-Processor-Microcode-Data-Files-microcode-%{intel_ucode_version}" + +%build +# replacing SNB-EP (CPUID 0x206d7) microcode with pre-MDS version +mv intel-ucode/06-2d-07 intel-ucode-with-caveats/ +cp "%{SOURCE2}" intel-ucode/ + +# replacing SKL-SP/W/X (CPUID 0x50654) microcode with pre-20191112 version +mv intel-ucode/06-55-04 intel-ucode-with-caveats/ +cp "%{SOURCE3}" intel-ucode/ + +# replacing SKL-U/Y (CPUID 0x4063e) microcode with pre-20200609 version +mv intel-ucode/06-4e-03 intel-ucode-with-caveats/ +cp "%{SOURCE4}" intel-ucode/ + +# replacing SKL-H/S/Xeon E3 v5 (CPUID 0x5063e) microcode with pre-20200609 version +mv intel-ucode/06-5e-03 intel-ucode-with-caveats/ +cp "%{SOURCE5}" intel-ucode/ + +# Replacing the latest 06-[89]e-0x caveat with pre-20191112 version +mv intel-ucode/06-[89]e-0* intel-ucode-with-caveats/ +tar xvvf "%{SOURCE6}" --wildcards --strip-components=1 \ + '*/intel-ucode/06-[89]e-0*' + +# Unpacking intermediate 06-[89]e-0x microcode revision 0xca (from microcode-20191115) +mkdir -p intel-ucode-0xca +pushd intel-ucode-0xca +tar xvvf "%{SOURCE7}" --wildcards --strip-components=2 \ + '*/intel-ucode/06-[89]e-0*' +popd + +# Moving 06-8c-01 microcode to intel-ucode-with-caveats +mv intel-ucode/06-8c-01 intel-ucode-with-caveats/ + +: + +%install +install -m 755 -d \ + "%{buildroot}/%{_datarootdir}/microcode_ctl/intel-ucode" \ + "%{buildroot}/%{caveat_dir}/" \ + "%{buildroot}/etc/microcode_ctl/ucode_with_caveats/" + +# systemd unit +install -m 755 -d "%{buildroot}/%{_unitdir}" +install -m 644 "%{SOURCE10}" -t "%{buildroot}/%{_unitdir}/" + +# dracut +%define dracut_mod_dir "%{buildroot}/%{dracutlibdir}/modules.d/99microcode_ctl-fw_dir_override" +install -m 755 -d \ + "%{dracut_mod_dir}" \ + "%{buildroot}/%{dracutlibdir}/dracut.conf.d/" +install -m 644 "%{SOURCE20}" "%{SOURCE21}" \ + -t "%{buildroot}/%{dracutlibdir}/dracut.conf.d/" +install -m 755 "%{SOURCE22}" "%{dracut_mod_dir}/module-setup.sh" + +# Internal helper scripts +install -m 755 -d "%{buildroot}/%{microcode_ctl_libexec}" +install "%{SOURCE30}" "%{SOURCE31}" "%{SOURCE32}" \ + -m 755 -t "%{buildroot}/%{microcode_ctl_libexec}" + + +## Documentation +install -m 755 -d "%{buildroot}/%{_pkgdocdir}/caveats" + +# caveats readme +install "%{SOURCE41}" "%{SOURCE42}" \ + -m 644 -t "%{buildroot}/%{_pkgdocdir}/" + +# Provide Intel microcode license, as it requires so +install -m 644 license \ + "%{buildroot}/%{_pkgdocdir}/LICENSE.intel-ucode" + +# Provide release notes, README and security for Intel microcode +install -m 644 README.md \ + "%{buildroot}/%{_pkgdocdir}/README.intel-ucode" +install -m 644 security.md \ + "%{buildroot}/%{_pkgdocdir}/SECURITY.intel-ucode" +install -m 644 releasenote.md \ + "%{buildroot}/%{_pkgdocdir}/RELEASE_NOTES.intel-ucode" + +# caveats +install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \ + "%{SOURCE140}" "%{SOURCE150}" "%{SOURCE160}" "%{SOURCE170}" \ + "%{SOURCE180}" \ + -t "%{buildroot}/%{_pkgdocdir}/caveats/" + + +## Caveat data + +# BDW caveat +%define bdw_inst_dir %{buildroot}/%{caveat_dir}/intel-06-4f-01/ +install -m 755 -d "%{bdw_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-4f-01 -t "%{bdw_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE100}" "%{bdw_inst_dir}/readme" +install -m 644 "%{SOURCE101}" "%{bdw_inst_dir}/config" +install -m 644 "%{SOURCE102}" "%{bdw_inst_dir}/disclaimer" + +# Early update caveat +%define intel_inst_dir %{buildroot}/%{caveat_dir}/intel/ +install -m 755 -d "%{intel_inst_dir}/intel-ucode" +install -m 644 intel-ucode/* -t "%{intel_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE110}" "%{intel_inst_dir}/readme" +install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config" +install -m 644 "%{SOURCE112}" "%{intel_inst_dir}/disclaimer" + +# SNB caveat +%define snb_inst_dir %{buildroot}/%{caveat_dir}/intel-06-2d-07/ +install -m 755 -d "%{snb_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-2d-07 -t "%{snb_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE120}" "%{snb_inst_dir}/readme" +install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config" +install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer" + +# SKL-SP caveat +%define skl_sp_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/ +install -m 755 -d "%{skl_sp_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_sp_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE130}" "%{skl_sp_inst_dir}/readme" +install -m 644 "%{SOURCE131}" "%{skl_sp_inst_dir}/config" +install -m 644 "%{SOURCE132}" "%{skl_sp_inst_dir}/disclaimer" + +# SKL-U/Y caveat +%define skl_uy_inst_dir %{buildroot}/%{caveat_dir}/intel-06-4e-03/ +install -m 755 -d "%{skl_uy_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-4e-03 -t "%{skl_uy_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE140}" "%{skl_uy_inst_dir}/readme" +install -m 644 "%{SOURCE141}" "%{skl_uy_inst_dir}/config" +install -m 644 "%{SOURCE142}" "%{skl_uy_inst_dir}/disclaimer" + +# SKL-H/S/Xeoon E3 v5 caveat +%define skl_hs_inst_dir %{buildroot}/%{caveat_dir}/intel-06-5e-03/ +install -m 755 -d "%{skl_hs_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-5e-03 -t "%{skl_hs_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE150}" "%{skl_hs_inst_dir}/readme" +install -m 644 "%{SOURCE151}" "%{skl_hs_inst_dir}/config" +install -m 644 "%{SOURCE152}" "%{skl_hs_inst_dir}/disclaimer" + +# Dell 06-[89]e-0x 0xca caveat +%define dell_0xca_inst_dir %{buildroot}/%{caveat_dir}/intel-06-8e-9e-0x-0xca/ +install -m 755 -d "%{dell_0xca_inst_dir}/intel-ucode" +install -m 644 intel-ucode-0xca/06-[89]e-0? -t "%{dell_0xca_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE160}" "%{dell_0xca_inst_dir}/readme" +install -m 644 "%{SOURCE161}" "%{dell_0xca_inst_dir}/config" +install -m 644 "%{SOURCE162}" "%{dell_0xca_inst_dir}/disclaimer" + +# Dell 06-[89]e-0x latest caveat +%define dell_latest_inst_dir %{buildroot}/%{caveat_dir}/intel-06-8e-9e-0x-dell/ +install -m 755 -d "%{dell_latest_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-[89]e-0? -t "%{dell_latest_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE170}" "%{dell_latest_inst_dir}/readme" +install -m 644 "%{SOURCE171}" "%{dell_latest_inst_dir}/config" +install -m 644 "%{SOURCE172}" "%{dell_latest_inst_dir}/disclaimer" + +# TGL caveat +%define tgl_inst_dir %{buildroot}/%{caveat_dir}/intel-06-8c-01/ +install -m 755 -d "%{tgl_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-8c-01 -t "%{tgl_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE180}" "%{tgl_inst_dir}/readme" +install -m 644 "%{SOURCE181}" "%{tgl_inst_dir}/config" +install -m 644 "%{SOURCE182}" "%{tgl_inst_dir}/disclaimer" + +# SUMMARY.intel-ucode generation +# It is to be done only after file population, so, it is here, +# at the end of the install stage +/usr/bin/python3 "%{SOURCE1002}" -C "%{SOURCE1001}" \ + summary -A "%{buildroot}" \ + > "%{buildroot}/%{_pkgdocdir}/SUMMARY.intel-ucode" + + +%post +%systemd_post microcode.service +%{update_ucode} +%{reload_microcode} + +# send the message to syslog, so it gets recorded on /var/log +if [ -e /usr/bin/logger ]; then + %{check_caveats} -m -d | /usr/bin/logger -p syslog.notice -t DISCLAIMER +fi +# also paste it over dmesg (some customers drop dmesg messages while +# others keep them into /var/log for the later case, we'll have the +# disclaimer recorded twice into system logs. +%{check_caveats} -m -d > /dev/kmsg + +exit 0 + +%posttrans +# We only want to regenerate the initramfs for a fully booted +# system; if this package happened to e.g. be pulled in as a build +# dependency, it is pointless at best to regenerate the initramfs, +# and also does not work with rpm-ostree: +# https://bugzilla.redhat.com/show_bug.cgi?id=1199582 +# https://bugzilla.redhat.com/show_bug.cgi?id=1530400 +[ -d /run/systemd/system ] || exit 0 + +# We can't simply update all initramfs images, since "dracut --regenerate-all" +# generates initramfs even for removed kernels and if dracut generates botched +# initramfs image, that results in unbootable system, even with older kernels +# that can't be used as a fallback: +# https://bugzilla.redhat.com/show_bug.cgi?id=1420180 +# https://access.redhat.com/support/cases/#/case/01779274 +# https://access.redhat.com/support/cases/#/case/01814106 +# +# ...and we can't simply limit ourselves to updating only the currently +# running kernel, as this doesn't work well with cases where kernel +# is installed before the updated microcode, or in the same transaction. +# And we can't rely on late update either, due to issues like this: +# https://bugzilla.redhat.com/show_bug.cgi?id=1710445 +# +# ...and there are also issues with setups with increased "installonly_limit" +# in /etc/yum.conf, which could lead to unacceptably long package installation +# times. +# +# So, in the end, we try to grab no more than 2 most recently installed kernels +# that are installed after the currently running one (with the currently running +# kernel that makes up to 3 in total, the default "installonly_limit" value) +# as a kernel package selection heuristic that tries to accomodate both the need +# to put the latest microcode in freshly installed kernels and also addresses +# existing concerns. +# +# For RPM selection, kernel flavours (like "debug" or "kdump" or "zfcp", +# with only the former being relevant to x86 architecture) are a part or RPM +# name; it's also a part of uname, with different separator used in RHEL 6/7 +# and RHEL 8. RT kernel, however, is special, as "rt" is another part +# of RPM name and it has its own versioning scheme both in NVR and uname. +# And there's the kernel package split in RHEL 8, so one should look for *-core +# and not the main package. +pkgs="kernel-core kernel-debug-core kernel-rt-core kernel-rt-debug-core" +qf='%%{NAME} %%{VERSION}-%%{RELEASE}.%%{ARCH} %%{installtime}\n' +: "${MICROCODE_RPM_KVER_LIMIT=2}" + +rpm -qa --qf "${qf}" ${pkgs} | sort -r -n -k'3,3' | { + kver_cnt=0 + processed="" + skipped="" + skip=0 + + while read -r pkgname vra install_ts; do + flavour='' + + # For x86, only "debug" flavour exists in RHEL 8 + [ "x${pkgname%*-debug-core}" = "x${pkgname}" ] \ + || flavour='+debug' + + kver_cnt="$((kver_cnt + 1))" + kver_uname="${vra}${flavour}" + + # Also check that the kernel is actually installed: + # https://bugzilla.redhat.com/show_bug.cgi?id=1591664 + # We use the presence of symvers file as an indicator, the check + # similar to what weak-modules script does. + # + # Now that /boot/symvers-KVER.gz population is now relies + # on some shell scripts that are triggered by other shell + # scripts (kernel-install, which is a part of systemd) that + # called by RPM scripts, and systemd is not inclined to fix + # https://bugzilla.redhat.com/show_bug.cgi?id=1609698 + # https://bugzilla.redhat.com/show_bug.cgi?id=1609696 + # So, we check for symvers file inside /lib/modules. + # + # XXX: Not sure if this check is still needed, since we now + # iterate over the rpm output. + [ -e "/lib/modules/${kver_uname}/symvers.gz" ] || continue + # Check that modules.dep for the kernel is present as well, + # otherwise dracut complains with "/lib/modules/.../modules.dep + # is missing. Did you run depmod?". + [ -e "/lib/modules/${kver_uname}/modules.dep" ] || continue + + # We update the kernels with the same uname as the running kernel + # regardless of the selected limit + if [ "x$(uname -r)" = "x${kver_uname}" \ + -o \( "${kver_cnt}" -le "${MICROCODE_RPM_KVER_LIMIT}" \ + -a "${skip}" = 0 \) ] + then + dracut -f --kver "${kver_uname}" + + processed="${processed} ${pkgname}-${vra}" + else + skipped="${skipped} ${pkgname}-${vra}" + fi + + # The packages are processed until a package with the same uname + # as the running kernel is hit (since they are sorted + # in the descending installation time stamp older). + [ "x$(uname -r)" != "x${kver_uname}" ] || skip=1 + done + + if [ -n "${skipped}" ]; then + skip_msg="After installation of a new version of microcode_ctl package, +initramfs hasn't been re-generated for all the installed kernel packages. +The following kernel packages have been skipped:${skipped}. +Please re-generate initramfs manually for these kernel packages with the +\"dracut -f --kver KERNEL_VERSION\" command in order to get the latest +Intel CPU microcode included into early initramfs image for it, if needed." + + if [ -e /usr/bin/logger ]; then + echo "${skip_msg}" | + /usr/bin/logger -p syslog.notice -t microcode_ctl + fi + + if [ -e /dev/kmsg ]; then + echo "${skip_msg}" > /dev/kmsg + fi + fi +} + +exit 0 + +%global rpm_state_dir %{_localstatedir}/lib/rpm-state + + +%preun +%systemd_preun microcode.service + +# Storing ucode list before uninstall +ls /usr/share/microcode_ctl/intel-ucode | + sort > "%{rpm_state_dir}/microcode_ctl_un_intel-ucode" +ls /usr/share/microcode_ctl/ucode_with_caveats | + sort > "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats" +%{update_ucode} --action list --skip-common | + sort > "%{rpm_state_dir}/microcode_ctl_un_file_list" + +%postun +%systemd_postun microcode.service + +ls /usr/share/microcode_ctl/intel-ucode 2> /dev/null | + sort > "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_after" +comm -23 \ + "%{rpm_state_dir}/microcode_ctl_un_intel-ucode" \ + "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_after" \ + > "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_diff" + +if [ -e "%{update_ucode}" ]; then + ls /usr/share/microcode_ctl/ucode_with_caveats 2> /dev/null | + sort > "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_after" + + comm -23 \ + "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats" \ + "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_after" \ + > "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_diff" + + %{update_ucode} --action remove --cleanup \ + "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_diff" \ + "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_diff" || : + + rm -f "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_after" + rm -f "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_diff" +else + while read -r f; do + [ -L "/lib/firmware/intel-ucode/$f" ] || continue + rm -f "/lib/firmware/intel-ucode/$f" + done < "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_diff" + + rmdir "/lib/firmware/intel-ucode" 2>/dev/null || : + + # We presume that if we don't have update_ucode script, we can remove + # all the caveats-related files. + while read -r f; do + if [ -L "$f" ] || [ "${f%%readme-*}" != "$f" ]; then + rm -f "$f" + rmdir -p $(dirname "$f") 2>/dev/null || : + fi + done < "%{rpm_state_dir}/microcode_ctl_un_file_list" +fi + +rm -f "%{rpm_state_dir}/microcode_ctl_un_intel-ucode" +rm -f "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_after" +rm -f "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_diff" + +rm -f "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats" + +rm -f "%{rpm_state_dir}/microcode_ctl_un_file_list" + +exit 0 + + +%triggerin -- kernel-core, kernel-debug-core, kernel-rt-core, kernel-rt-debug-core +%{update_ucode} + +%triggerpostun -- kernel-core, kernel-debug-core, kernel-rt-core, kernel-rt-debug-core +%{update_ucode} + + +%clean +rm -rf %{buildroot} + + +%files +%ghost %attr(0755, root, root) /lib/firmware/intel-ucode +%{microcode_ctl_libexec} +/usr/share/microcode_ctl +/etc/microcode_ctl +%{dracutlibdir}/modules.d/* +%config(noreplace) %{dracutlibdir}/dracut.conf.d/* +%{_unitdir}/microcode.service +%doc %{_pkgdocdir} + + +%changelog +* Mon Aug 09 2021 Mohan Boddu - 4:20210608-2 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Mon Jul 05 2021 Eugene Syromiatnikov - 4:20210608-1 +- Update Intel CPU microcode to microcode-20210608 release (#1921773): + - Fixes in releasenote.md file. + +* Mon Jun 14 2021 Eugene Syromiatnikov - 4:20210525-2 +- Make intel-06-2d-07, intel-06-4e-03, intel-06-4f-01, intel-06-55-04, + intel-06-5e-03, intel-06-8c-01, intel-06-8e-9e-0x-0xca, + and intel-06-8e-9e-0x-dell caveats dependent on intel caveat. +- Enable 06-8c-01 microcode update by default (#1970611). +- Enable 06-5e-03 microcode update by default (#1897673). + +* Thu May 27 2021 Eugene Syromiatnikov - 4:20210525-1 +- Update Intel CPU microcode to microcode-20210525 release, addresses + CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, and CVE-2020-24513 + (#1962664, #1962714, #1962734, #1962680): + - Addition of 06-55-05/0xb7 (CLX-SP A0) microcode at revision 0x3000010; + - Addition of 06-6a-05/0x87 (ICX-SP C0) microcode at revision 0xc0002f0; + - Addition of 06-6a-06/0x87 (ICX-SP D0) microcode at revision 0xd0002a0; + - Addition of 06-86-04/0x01 (SNR B0) microcode at revision 0xb00000f; + - Addition of 06-86-05/0x01 (SNR B1) microcode (in intel-ucode/06-86-04) + at revision 0xb00000f; + - Addition of 06-86-04/0x01 (SNR B0) microcode (in intel-ucode/06-86-05) + at revision 0xb00000f; + - Addition of 06-86-05/0x01 (SNR B1) microcode at revision 0xb00000f; + - Addition of 06-8c-02/0xc2 (TGL-R C0) microcode at revision 0x16; + - Addition of 06-8d-01/0xc2 (TGL-H R0) microcode at revision 0x2c; + - Addition of 06-96-01/0x01 (EHL B1) microcode at revision 0x11; + - Addition of 06-9c-00/0x01 (JSL A0/A1) microcode at revision 0x1d; + - Addition of 06-a7-01/0x02 (RKL-S B0) microcode at revision 0x40; + - Update of 06-4e-03/0xc0 (SKL-U/U 2+3e/Y D0/K1) microcode (in + intel-06-4e-03/intel-ucode/06-4e-03) from revision 0xe2 up to 0xea; + - Update of 06-4f-01/0xef (BDX-E/EP/EX/ML B0/M0/R0) microcode (in + intel-06-4f-01/intel-ucode/06-4f-01) from revision 0xb000038 up + to 0xb00003e; + - Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in + intel-06-55-04/intel-ucode/06-55-04) from revision 0x2006a0a up + to 0x2006b06; + - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 N0/R0/S0) microcode (in + intel-06-5e-03/intel-ucode/06-5e-03) from revision 0xe2 up to 0xea; + - Update of 06-8c-01/0x80 (TGL-UP3/UP4 B1) microcode (in + intel-06-8c-01/intel-ucode/06-8c-01) from revision 0x68 up to 0x88; + - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-8e-09) from revision 0xde up + to 0xea; + - Update of 06-8e-09/0xc0 (KBL-U/U 2+3e/Y H0/J1) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-8e-09) from revision 0xde up + to 0xea; + - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0, KBL-R Y0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0a) from revision 0xe0 up + to 0xea; + - Update of 06-8e-0b/0xd0 (WHL-U W0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0b) from revision 0xde up + to 0xea; + - Update of 06-8e-0c/0x94 (AML-Y 4+2 V0, CML-U 4+2 V0, WHL-U V0) + microcode (in intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0c) from + revision 0xde up to 0xea; + - Update of 06-9e-09/0x2a (KBL-G/H/S/X/Xeon E3 B0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-09) from revision 0xde up + to 0xea; + - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0a) from revision 0xde up + to 0xea; + - Update of 06-9e-0b/0x02 (CFL-E/H/S B0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0b) from revision 0xde up + to 0xea; + - Update of 06-9e-0c/0x22 (CFL-H/S/Xeon E P0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0c) from revision 0xde up + to 0xea; + - Update of 06-9e-0d/0x22 (CFL-H/S/Xeon E R0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0d) from revision 0xde up + to 0xea; + - Update of 06-3f-02/0x6f (HSX-E/EN/EP/EP 4S C0/C1/M1/R2) microcode + from revision 0x44 up to 0x46; + - Update of 06-3f-04/0x80 (HSX-EX E0) microcode from revision 0x16 up + to 0x19; + - Update of 06-55-03/0x97 (SKX-SP B1) microcode from revision 0x1000159 + up to 0x100015b; + - Update of 06-55-06/0xbf (CLX-SP B0) microcode from revision 0x4003006 + up to 0x4003102; + - Update of 06-55-07/0xbf (CLX-SP/W/X B1/L1) microcode from revision + 0x5003006 up to 0x5003102; + - Update of 06-55-0b/0xbf (CPX-SP A1) microcode from revision 0x700001e + up to 0x7002302; + - Update of 06-56-03/0x10 (BDX-DE V2/V3) microcode from revision + 0x7000019 up to 0x700001b; + - Update of 06-56-04/0x10 (BDX-DE Y0) microcode from revision 0xf000017 + up to 0xf000019; + - Update of 06-56-05/0x10 (BDX-NS A0/A1, HWL A1) microcode from revision + 0xe00000f up to 0xe000012; + - Update of 06-5c-09/0x03 (APL D0) microcode from revision 0x40 up + to 0x44; + - Update of 06-5c-0a/0x03 (APL B1/F1) microcode from revision 0x1e up + to 0x20; + - Update of 06-5f-01/0x01 (DNV B0) microcode from revision 0x2e up + to 0x34; + - Update of 06-7a-01/0x01 (GLK B0) microcode from revision 0x34 up + to 0x36; + - Update of 06-7a-08/0x01 (GLK-R R0) microcode from revision 0x18 up + to 0x1a; + - Update of 06-7e-05/0x80 (ICL-U/Y D1) microcode from revision 0xa0 + up to 0xa6; + - Update of 06-8a-01/0x10 (LKF B2/B3) microcode from revision 0x28 up + to 0x2a; + - Update of 06-a5-02/0x20 (CML-H R1) microcode from revision 0xe0 up + to 0xea; + - Update of 06-a5-03/0x22 (CML-S 6+2 G1) microcode from revision 0xe0 + up to 0xea; + - Update of 06-a5-05/0x22 (CML-S 10+2 Q0) microcode from revision 0xe0 + up to 0xec; + - Update of 06-a6-00/0x80 (CML-U 6+2 A0) microcode from revision 0xe0 + up to 0xe8; + - Update of 06-a6-01/0x80 (CML-U 6+2 v2 K0) microcode from revision + 0xe0 up to 0xea. + +* Wed Feb 17 2021 Eugene Syromiatnikov - 4:20210216-1 +- Update Intel CPU microcode to microcode-20210216 release (#1902884): + - Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in + intel-06-55-04/intel-ucode/06-55-04) from revision 0x2006a08 up + to 0x2006a0a; + - Update of 06-55-06/0xbf (CLX-SP B0) microcode from revision 0x4003003 + up to 0x4003006; + - Update of 06-55-07/0xbf (CLX-SP/W/X B1/L1) microcode from revision + 0x5003003 up to 0x5003006. + +* Wed Feb 17 2021 Eugene Syromiatnikov - 4:20201112-3 +- Remove 06-55-04/06-55-06/06-55-07 (SKX-SP/CLX-SP) microcode-20201110 caveats. + +* Tue Dec 01 2020 Eugene Syromiatnikov - 4:20201112-2 +- Do not use "grep -q" in a pipe in check_caveats (#1902021). +- Add 06-55-04/06-55-06/06-55-07 (SKX-SP/CLX-SP) microcode-20201110 caveats + (#1902884). + +* Fri Nov 13 2020 Eugene Syromiatnikov - 4:20201112-1 +- Update Intel CPU microcode to microcode-20201112 release (#1896912): + - Addition of 06-8a-01/0x10 (LKF B2/B3) microcode at revision 0x28; + - Update of 06-7a-01/0x01 (GLK B0) microcode from revision 0x32 up + to 0x34; + - Updated releasenote file. + +* Fri Nov 13 2020 Eugene Syromiatnikov - 4:20201027-2 +- Disable 06-8c-01 (TGL-UP3/UP4 B1) microcode update by default (#1897534). + +* Thu Oct 29 2020 Eugene Syromiatnikov - 4:20201027-1 +- Update Intel CPU microcode to microcode-20201027 release, addresses + CVE-2020-8694, CVE-2020-8695, CVE-2020-8696, CVE-2020-8698 + (#1893266, #1893254, #1893234): + - Addition of 06-55-0b/0xbf (CPX-SP A1) microcode at revision 0x700001e; + - Addition of 06-8c-01/0x80 (TGL-UP3/UP4 B1) microcode at revision 0x68; + - Addition of 06-a5-02/0x20 (CML-H R1) microcode at revision 0xe0; + - Addition of 06-a5-03/0x22 (CML-S 6+2 G1) microcode at revision 0xe0; + - Addition of 06-a5-05/0x22 (CML-S 10+2 Q0) microcode at revision 0xe0; + - Addition of 06-a6-01/0x80 (CML-U 6+2 v2 K0) microcode at revision + 0xe0; + - Update of 06-4e-03/0xc0 (SKL-U/U 2+3e/Y D0/K1) microcode (in + intel-06-4e-03/intel-ucode/06-4e-03) from revision 0xdc up to 0xe2; + - Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in + intel-06-55-04/intel-ucode/06-55-04) from revision 0x2006906 up + to 0x2006a08; + - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 N0/R0/S0) microcode (in + intel-06-5e-03/intel-ucode/06-5e-03) from revision 0xdc up to 0xe2; + - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-8e-09) from revision 0xd6 up + to 0xde; + - Update of 06-8e-09/0xc0 (KBL-U/U 2+3e/Y H0/J1) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-8e-09) from revision 0xd6 up + to 0xde; + - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0, KBL-R Y0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0a) from revision 0xd6 up + to 0xe0; + - Update of 06-8e-0b/0xd0 (WHL-U W0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0b) from revision 0xd6 up + to 0xde; + - Update of 06-8e-0c/0x94 (AML-Y 4+2 V0, CML-U 4+2 V0, WHL-U V0) + microcode (in intel-06-8e-9e-0x-dell/intel-ucode/06-8e-0c) from + revision 0xd6 up to 0xde; + - Update of 06-9e-09/0x2a (KBL-G/H/S/X/Xeon E3 B0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-09) from revision 0xd6 up + to 0xde; + - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0a) from revision 0xd6 up + to 0xde; + - Update of 06-9e-0b/0x02 (CFL-E/H/S B0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0b) from revision 0xd6 up + to 0xde; + - Update of 06-9e-0c/0x22 (CFL-H/S/Xeon E P0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0c) from revision 0xd6 up + to 0xde; + - Update of 06-9e-0d/0x22 (CFL-H/S/Xeon E R0) microcode (in + intel-06-8e-9e-0x-dell/intel-ucode/06-9e-0d) from revision 0xd6 up + to 0xde; + - Update of 06-3f-02/0x6f (HSX-E/EN/EP/EP 4S C0/C1/M1/R2) microcode + from revision 0x43 up to 0x44; + - Update of 06-55-03/0x97 (SKX-SP B1) microcode from revision 0x1000157 + up to 0x1000159; + - Update of 06-55-06/0xbf (CLX-SP B0) microcode from revision 0x4002f01 + up to 0x4003003; + - Update of 06-55-07/0xbf (CLX-SP/W/X B1/L1) microcode from revision + 0x5002f01 up to 0x5003003; + - Update of 06-5c-09/0x03 (APL D0) microcode from revision 0x38 up + to 0x40; + - Update of 06-5c-0a/0x03 (APL B1/F1) microcode from revision 0x16 up + to 0x1e; + - Update of 06-7a-08/0x01 (GLK-R R0) microcode from revision 0x16 up + to 0x18; + - Update of 06-7e-05/0x80 (ICL-U/Y D1) microcode from revision 0x78 + up to 0xa0; + - Update of 06-a6-00/0x80 (CML-U 6+2 A0) microcode from revision 0xca + up to 0xe0. + +* Fri Aug 21 2020 Eugene Syromiatnikov - 4:20200609-3 +- Add README file to the documentation directory. +- Add publicly-sourced codenames list to supply to gen_provides.sh; update + the latter to handle the somewhat different format. +- Add SUMMARY.intel-ucode file containing metadata information from + the microcode file headers. + +* Mon Jun 22 2020 Eugene Syromiatnikov - 4:20200609-2 +- Blacklist latest microcode revision for 06-[89]e-0x CPUs (AML-Y, + CFL-H/S/U/Xeon E, CML-Y, KBL-G/H/S/X/U/Y/Xeon E3 v6, WHL-U) on Dell systems, + use revision 0xae/0xb4/0xb8 by default, provide the latest revision + and intermediate revision 0xca in caveats (#1807960, #1846097). + +* Mon Jun 15 2020 Eugene Syromiatnikov - 4:20200609-1 +- Update Intel CPU microcode to microcode-20200609 release (#1845967): + - Fixed a typo in the release note file. + +* Mon Jun 15 2020 Eugene Syromiatnikov - 4:20200602-5 +- Enable 06-2d-07 (SNB-E/EN/EP) caveat by default. + +* Mon Jun 15 2020 Eugene Syromiatnikov - 4:20200602-4 +- Enable 06-55-04 (SKL-X/W) caveat by default. + +* Sun Jun 14 2020 Eugene Syromiatnikov - 4:20200602-3 +- Do not update 06-4e-03 (SKL-U/Y) and 06-5e-03 (SKL-H/S/Xeon E3 v5) to revision + 0xdc, use 0xd6 by default (#1846119). + +* Thu Jun 04 2020 Eugene Syromiatnikov - 4:20200602-2 +- Avoid temporary file creation, used for here-documents in check_caveats + (#1839163). + +* Wed Jun 03 2020 Eugene Syromiatnikov - 4:20200602-1 +- Update Intel CPU microcode to microcode-20200602 release, addresses + CVE-2020-0543, CVE-2020-0548, CVE-2020-0549 (#1795354, #1795356, #1827184): + - Update of 06-3c-03/0x32 (HSW C0) microcode from revision 0x27 up to 0x28; + - Update of 06-3d-04/0xc0 (BDW-U/Y E0/F0) microcode from revision 0x2e + up to 0x2f; + - Update of 06-45-01/0x72 (HSW-U C0/D0) microcode from revision 0x25 + up to 0x26; + - Update of 06-46-01/0x32 (HSW-H C0) microcode from revision 0x1b up to 0x1c; + - Update of 06-47-01/0x22 (BDW-H/Xeon E3 E0/G0) microcode from revision 0x21 + up to 0x22; + - Update of 06-4e-03/0xc0 (SKL-U/Y D0) microcode from revision 0xd6 + up to 0xdc; + - Update of 06-55-03/0x97 (SKX-SP B1) microcode from revision 0x1000151 + up to 0x1000157; + - Update of 06-55-04/0xb7 (SKX-SP H0/M0/U0, SKX-D M1) microcode + (in intel-06-55-04/intel-ucode/06-55-04) from revision 0x2000065 + up to 0x2006906; + - Update of 06-55-06/0xbf (CLX-SP B0) microcode from revision 0x400002c + up to 0x4002f01; + - Update of 06-55-07/0xbf (CLX-SP B1) microcode from revision 0x500002c + up to 0x5002f01; + - Update of 06-5e-03/0x36 (SKL-H/S R0/N0) microcode from revision 0xd6 + up to 0xdc; + - Update of 06-8e-09/0x10 (AML-Y22 H0) microcode from revision 0xca + up to 0xd6; + - Update of 06-8e-09/0xc0 (KBL-U/Y H0) microcode from revision 0xca + up to 0xd6; + - Update of 06-8e-0a/0xc0 (CFL-U43e D0) microcode from revision 0xca + up to 0xd6; + - Update of 06-8e-0b/0xd0 (WHL-U W0) microcode from revision 0xca + up to 0xd6; + - Update of 06-8e-0c/0x94 (AML-Y42 V0, CML-Y42 V0, WHL-U V0) microcode + from revision 0xca up to 0xd6; + - Update of 06-9e-09/0x2a (KBL-G/H/S/X/Xeon E3 B0) microcode from revision + 0xca up to 0xd6; + - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E3 U0) microcode from revision 0xca + up to 0xd6; + - Update of 06-9e-0b/0x02 (CFL-S B0) microcode from revision 0xca up to 0xd6; + - Update of 06-9e-0c/0x22 (CFL-H/S P0) microcode from revision 0xca + up to 0xd6; + - Update of 06-9e-0d/0x22 (CFL-H R0) microcode from revision 0xca up to 0xd6. + +* Fri May 22 2020 Eugene Syromiatnikov - 4:20200520-1 +- Update Intel CPU microcode to microcode-20200520 release (#1783103): + - Update of 06-2d-06/0x6d (SNB-E/EN/EP C1/M0) microcode from revision 0x61f + up to 0x621; + - Update of 06-2d-07/0x6d (SNB-E/EN/EP C2/M1) microcode from revision 0x718 + up to 0x71a. + +* Tue May 12 2020 Eugene Syromiatnikov - 4:20200508-1 +- Update Intel CPU microcode to microcode-20200508 release (#1783103): + - Update of 06-7e-05/0x80 (ICL-U/Y D1) microcode from revision 0x46 + up to 0x78. +- Change the URL to point to the GitHub repository since the microcode download + section at Intel Download Center does not exist anymore. + +* Thu May 07 2020 Eugene Syromiatnikov - 4:20191115-6 +- Narrow down SKL-SP/W/X blacklist to exclude Server/FPGA/Fabric segment + models (#1833036). + +* Wed Apr 29 2020 Eugene Syromiatnikov - 4:20191115-5 +- Re-generate initramfs not only for the currently running kernel, + but for several recently installed kernels as well (#1773338). + +* Mon Dec 09 2019 Eugene Syromiatnikov - 4:20191115-4 +- Avoid find being SIGPIPE'd on early "grep -q" exit in the dracut script + (#1781365). + +* Mon Dec 02 2019 Eugene Syromiatnikov - 4:20191115-3 +- Update stale posttrans dependency, add triggers for proper handling + of the debug kernel flavour along with kernel-rt (#1766178). + +* Mon Nov 18 2019 Eugene Syromiatnikov - 4:20191115-2 +- Do not update 06-55-04 (SKL-SP/W/X) to revision 0x2000065, use 0x2000064 + by default (#1774322). + +* Sat Nov 16 2019 Eugene Syromiatnikov - 4:20191115-1 +- Update Intel CPU microcode to microcode-20191115 release: + - Update of 06-4e-03/0xc0 (SKL-U/Y D0) from revision 0xd4 up to 0xd6; + - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) from revision 0xd4 + up to 0xd6; + - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) from revision 0xc6 up to 0xca; + - Update of 06-8e-09/0xc0 (KBL-U/Y H0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0b/0xd0 (WHL-U W0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0c/0x94 (AML-Y V0, CML-U 4+2 V0, WHL-U V0) from revision + 0xc6 up to 0xca; + - Update of 06-9e-09/0x2a (KBL-G/X H0, KBL-H/S/Xeon E3 B0) from revision 0xc6 + up to 0xca; + - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0b/0x02 (CFL-S B0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0c/0x22 (CFL-S/Xeon E P0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0d/0x22 (CFL-H/S R0) from revision 0xc6 up to 0xca; + - Update of 06-a6-00/0x80 (CML-U 6+2 A0) from revision 0xc6 up to 0xca. + +* Fri Nov 15 2019 Eugene Syromiatnikov - 4:20191113-1 +- Update Intel CPU microcode to microcode-20191113 release: + - Update of 06-9e-0c (CFL-H/S P0) microcode from revision 0xae up to 0xc6. +- Drop 0001-releasenote-changes-summary-fixes.patch. + +* Tue Nov 12 2019 Eugene Syromiatnikov - 4:20191112-2 +- Package the publicy available microcode-20191112 release (#1755027): + - Addition of 06-4d-08/0x1 (AVN B0/C0) microcode at revision 0x12d; + - Addition of 06-55-06/0xbf (CSL-SP B0) microcode at revision 0x400002c; + - Addition of 06-7a-08/0x1 (GLK R0) microcode at revision 0x16; + - Update of 06-55-03/0x97 (SKL-SP B1) microcode from revision 0x1000150 + up to 0x1000151; + - Update of 06-55-04/0xb7 (SKL-SP H0/M0/U0, SKL-D M1) microcode from revision + 0x2000064 up to 0x2000065; + - Update of 06-55-07/0xbf (CSL-SP B1) microcode from revision 0x500002b + up to 0x500002c; + - Update of 06-7a-01/0x1 (GLK B0) microcode from revision 0x2e up to 0x32; +- Include 06-9e-0c (CFL-H/S P0) microcode from the microcode-20190918 release. +- Correct the releasenote file (0001-releasenote-changes-summary-fixes.patch). +- Update README.caveats with the link to the new Knowledge Base article. + +* Thu Nov 07 2019 Eugene Syromiatnikov - 4:20191112-1 +- Intel CPU microcode update to 20191112, addresses CVE-2017-5715, + CVE-2019-0117, CVE-2019-11135, CVE-2019-11139 (#1755019, #1764060, #1764073, + #1764952, #1764972, #1765000, #1765404, #1765416, #1766444, #1766873): + - Addition of 06-a6-00/0x80 (CML-U 6+2 A0) microcode at revision 0xc6; + - Addition of 06-66-03/0x80 (CNL-U D0) microcode at revision 0x2a; + - Addition of 06-55-03/0x97 (SKL-SP B1) microcode at revision 0x1000150; + - Addition of 06-7e-05/0x80 (ICL-U/Y D1) microcode at revision 0x46; + - Update of 06-4e-03/0xc0 (SKL-U/Y D0) microcode from revision 0xcc to 0xd4; + - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) microcode from revision 0xcc + to 0xd4 + - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode from revision 0xb4 to 0xc6; + - Update of 06-8e-09/0xc0 (KBL-U/Y H0) microcode from revision 0xb4 to 0xc6; + - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) microcode from revision 0xb4 + to 0xc6; + - Update of 06-8e-0b/0xd0 (WHL-U W0) microcode from revision 0xb8 to 0xc6; + - Update of 06-8e-0c/0x94 (AML-Y V0) microcode from revision 0xb8 to 0xc6; + - Update of 06-8e-0c/0x94 (CML-U 4+2 V0) microcode from revision 0xb8 to 0xc6; + - Update of 06-8e-0c/0x94 (WHL-U V0) microcode from revision 0xb8 to 0xc6; + - Update of 06-9e-09/0x2a (KBL-G/X H0) microcode from revision 0xb4 to 0xc6; + - Update of 06-9e-09/0x2a (KBL-H/S/Xeon E3 B0) microcode from revision 0xb4 + to 0xc6; + - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) microcode from revision 0xb4 + to 0xc6; + - Update of 06-9e-0b/0x02 (CFL-S B0) microcode from revision 0xb4 to 0xc6; + - Update of 06-9e-0d/0x22 (CFL-H R0) microcode from revision 0xb8 to 0xc6. + +* Thu Oct 10 2019 Eugene Syromiatnikov - 4:20190918-3 +- Rework dracut hook to address dracut's early initramfs generation + behaviour (#1760508). + +* Sun Oct 06 2019 Eugene Syromiatnikov - 4:20190918-2 +- Do not update 06-2d-07 (SNB-E/EN/EP) to revision 0x718, use 0x714 + by default. + +* Thu Sep 19 2019 Eugene Syromiatnikov - 4:20190918-1 +- Intel CPU microcode update to 20190918 (#1753544). +- Add new disclaimer, generated based on relevant caveats. + +* Wed Jun 19 2019 Eugene Syromiatnikov - 4:20190618-1 +- Intel CPU microcode update to 20190618 (#1717240). + +* Sun Jun 02 2019 Eugene Syromiatnikov - 4:20190514a-2 +- Remove disclaimer, as it is not as important now to justify kmsg/log + pollution; its contents are partially adopted in README.caveats. + +* Mon May 20 2019 Eugene Syromiatnikov - 4:20190514a-1 +- Intel CPU microcode update to 20190514a (#1711940). + +* Thu May 09 2019 Eugene Syromiatnikov - 4:20190507-1 +- Intel CPU microcode update to 20190507 (#1697901). + +* Mon Apr 15 2019 Eugene Syromiatnikov 4:20190312-1 +- Intel CPU microcode update to 20190312 (#1660320). +- Add "Provides:" tags generation. + +* Tue Nov 06 2018 Eugene Syromiatnikov 4:20180807a-2 +- Do not exit with error in %postin if disclaimer printing returned an error + (#1647083). + +* Wed Oct 17 2018 Eugene Syromiatnikov 4:20180807a-1 +- Use the tar ball distributed by Intel directly, sync up with RHEL 7.6. + +* Fri Aug 24 2018 Eugene Syromiatnikov 3:2.1-27 +- Bump epoch in order to ensure upgrade from RHEL 7 (#1622131). + +* Mon Aug 13 2018 Anton Arapov 2:2.1-26 +- Update to upstream 2.1-19. 20180807 + +* Fri Jul 13 2018 Fedora Release Engineering - 2:2.1-25 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 09 2018 Anton Arapov 2:2.1-24 +- Update to upstream 2.1-18. 20180703 + +* Wed May 16 2018 Anton Arapov 2:2.1-23 +- Update to upstream 2.1-17. 20180425 + +* Thu Mar 15 2018 Anton Arapov 2:2.1-22 +- Update to upstream 2.1-16. 20180312 + +* Thu Feb 08 2018 Fedora Release Engineering - 2:2.1-21 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Jan 09 2018 Anton Arapov 2:2.1-20 +- Update to upstream 2.1-15. 20180108 + +* Tue Nov 21 2017 Anton Arapov 2:2.1-19 +- Update to upstream 2.1-14. 20171117 + +* Thu Aug 03 2017 Fedora Release Engineering - 2:2.1-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 2:2.1-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Jul 12 2017 Anton Arapov 2:2.1-16 +- Update to upstream 2.1-13. 20170707 + +* Tue May 23 2017 Anton Arapov 2:2.1-15 +- Update to upstream 2.1-12. 20170511 + +* Fri Feb 10 2017 Fedora Release Engineering - 2:2.1-14.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Dec 02 2016 Anton Arapov 2.1-13.1 +- Update to upstream 2.1-11. 20161104 + +* Thu Jul 21 2016 Anton Arapov 2.1-13 +- Update to upstream 2.1-10. 20160714 +- Fixes rhbz#1353103 + +* Fri Jun 24 2016 Anton Arapov 2.1-12 +- Update to upstream 2.1-9. 20160607 + +* Thu Feb 04 2016 Fedora Release Engineering - 2:2.1-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Jan 12 2016 Anton Arapov 2.1-10 +- Update to upstream 2.1-8. 20151106 + +* Wed Jun 17 2015 Fedora Release Engineering - 2:2.1-9.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Feb 03 2015 Anton Arapov 2.1-8.1 +- Update to upstream 2.1-7. 20150121 + +* Sun Sep 21 2014 Anton Arapov 2.1-8 +- Update to upstream 2.1-6. 20140913 + +* Sun Aug 17 2014 Fedora Release Engineering - 2:2.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Tue Jul 08 2014 Anton Arapov 2.1-6 +- Update to upstream 2.1-5. 20140624 + +* Sat Jun 07 2014 Fedora Release Engineering - 2:2.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu May 01 2014 Anton Arapov 2.1-4 +- Update to upstream 2.1-4. + +* Fri Jan 24 2014 Anton Arapov 2.1-3 +- Update to upstream 2.1-3. + +* Mon Sep 09 2013 Anton Arapov 2.1-2 +- Update to upstream 2.1-2. + +* Wed Aug 14 2013 Anton Arapov 2.1-1 +- Update to upstream 2.1-1. + +* Sat Jul 27 2013 Anton Arapov 2.1-0 +- Update to upstream 2.1. AMD microcode has been removed, find it in linux-firmware. + +* Wed Apr 03 2013 Anton Arapov 2.0-3.1 +- Update to upstream 2.0-3 + +* Thu Feb 14 2013 Fedora Release Engineering - 2:2.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Oct 17 2012 Anton Arapov 2.0-2 +- Update to upstream 2.0-2 + +* Tue Oct 02 2012 Anton Arapov 2.0-1 +- Update to upstream 2.0-1 + +* Mon Aug 06 2012 Anton Arapov 2.0 +- Update to upstream 2.0 + +* Wed Jul 25 2012 Anton Arapov 1.18-1 +- Update to upstream 1.18 + +* Fri Jul 20 2012 Fedora Release Engineering - 1:1.17-26 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jun 07 2012 Anton Arapov 1.17-25 +- Update to microcode-20120606.dat + +* Tue Feb 07 2012 Anton Arapov 1.17-24 +- Update to amd-ucode-2012-01-17.tar + +* Fri Jan 13 2012 Fedora Release Engineering - 1:1.17-22 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Dec 22 2011 Anton Arapov 1.17-21 +- Fix a segfault that may be triggered by very long parameter [#768803] + +* Tue Dec 13 2011 Anton Arapov 1.17-20 +- Update to microcode-20111110.dat + +* Tue Sep 27 2011 Anton Arapov 1.17-19 +- Update to microcode-20110915.dat + +* Thu Aug 04 2011 Anton Arapov 1.17-18 +- Ship splitted microcode for Intel CPUs [#690930] +- Include tool for splitting microcode for Intl CPUs (Kay Sievers ) + +* Thu Jun 30 2011 Anton Arapov 1.17-17 +- Fix udev rules (Dave Jones ) [#690930] + +* Thu May 12 2011 Anton Arapov 1.17-14 +- Update to microcode-20110428.dat + +* Thu Mar 24 2011 Anton Arapov 1.17-13 +- fix memory leak. + +* Mon Mar 07 2011 Anton Arapov 1.17-12 +- Update to amd-ucode-2011-01-11.tar + +* Tue Feb 08 2011 Fedora Release Engineering - 1:1.17-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 19 2011 Anton Arapov 1.17-10 +- manpage fix (John Bradshaw ) [#670879] + +* Wed Jan 05 2011 Anton Arapov 1.17-9 +- Update to microcode-20101123.dat + +* Mon Nov 01 2010 Anton Arapov 1.17-8 +- Update to microcode-20100914.dat + +* Wed Sep 29 2010 jkeating - 1:1.17-7 +- Rebuilt for gcc bug 634757 + +* Wed Sep 15 2010 Anton Arapov 1.17-6 +- Update to microcode-20100826.dat + +* Tue Sep 07 2010 Toshio Kuratomi 1.17-5 +- Fix license tag: bz#450491 + +* Fri Aug 27 2010 Dave Jones 1.17-4 +- Update to microcode-20100826.dat + +* Tue Mar 23 2010 Anton Arapov 1.17-3 +- Fix the udev rules (Harald Hoyer ) + +* Mon Mar 22 2010 Anton Arapov 1.17-2 +- Make microcode_ctl event driven (Bill Nottingham ) [#479898] + +* Thu Feb 11 2010 Dave Jones 1.17-1.58 +- Update to microcode-20100209.dat + +* Fri Dec 04 2009 Kyle McMartin 1.17-1.57 +- Fix duplicate message pointed out by Edward Sheldrake. + +* Wed Dec 02 2009 Kyle McMartin 1.17-1.56 +- Add AMD x86/x86-64 microcode. (Dated: 2009-10-09) + Doesn't need microcode_ctl modifications as it's loaded by + request_firmware() like any other sensible driver. +- Eventually, this AMD firmware can probably live inside + kernel-firmware once it is split out. + +* Wed Sep 30 2009 Dave Jones +- Update to microcode-20090927.dat + +* Fri Sep 11 2009 Dave Jones +- Remove some unnecessary code from the init script. + +* Sat Jul 25 2009 Fedora Release Engineering - 1:1.17-1.52.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Jun 25 2009 Dave Jones +- Shorten sleep time during init. + This really needs to be replaced with proper udev hooks, but this is + a quick interim fix. + +* Wed Jun 03 2009 Kyle McMartin 1:1.17-1.50 +- Change ExclusiveArch to i586 instead of i386. Resolves rhbz#497711. + +* Wed May 13 2009 Dave Jones +- update to microcode 20090330 + +* Wed Feb 25 2009 Fedora Release Engineering - 1:1.17-1.46.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Fri Sep 12 2008 Dave Jones +- update to microcode 20080910 + +* Tue Apr 01 2008 Jarod Wilson +- Update to microcode 20080401 + +* Sat Mar 29 2008 Dave Jones +- Update to microcode 20080220 +- Fix rpmlint warnings in specfile. + +* Mon Mar 17 2008 Dave Jones +- specfile cleanups. + +* Fri Feb 22 2008 Jarod Wilson +- Use /lib/firmware instead of /etc/firmware + +* Wed Feb 13 2008 Jarod Wilson +- Fix permissions on microcode.dat + +* Thu Feb 07 2008 Jarod Wilson +- Spec cleanup and macro standardization. +- Update license +- Update microcode data file to 20080131 revision. + +* Mon Jul 2 2007 Dave Jones +- Update to upstream 1.17 + +* Thu Oct 12 2006 Jon Masters +- BZ209455 fixes. + +* Mon Jul 17 2006 Jesse Keating +- rebuild + +* Fri Jun 16 2006 Bill Nottingham +- remove kudzu requirement +- add prereq for coreutils, awk, grep + +* Thu Feb 09 2006 Dave Jones +- rebuild. + +* Fri Jan 27 2006 Dave Jones +- Update to upstream 1.13 + +* Fri Dec 16 2005 Jesse Keating +- rebuilt for new gcj + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Mon Nov 14 2005 Dave Jones +- initscript tweaks. + +* Tue Sep 13 2005 Dave Jones +- Update to upstream 1.12 + +* Wed Aug 17 2005 Dave Jones +- Check for device node *after* loading the module. (#157672) + +* Tue Mar 1 2005 Dave Jones +- Rebuild for gcc4 + +* Thu Feb 17 2005 Dave Jones +- s/Serial/Epoch/ + +* Tue Jan 25 2005 Dave Jones +- Drop the node creation/deletion change from previous release. + It'll cause grief with selinux, and was a hack to get around + a udev shortcoming that should be fixed properly. + +* Fri Jan 21 2005 Dave Jones +- Create/remove the /dev/cpu/microcode dev node as needed. +- Use correct path again for the microcode.dat. +- Remove some no longer needed tests in the init script. + +* Fri Jan 14 2005 Dave Jones +- Only enable microcode_ctl service if the CPU is capable. +- Prevent microcode_ctl getting restarted multiple times on initlevel change (#141581) +- Make restart/reload work properly +- Do nothing if not started by root. + +* Wed Jan 12 2005 Dave Jones +- Adjust dev node location. (#144963) + +* Tue Jan 11 2005 Dave Jones +- Load/Remove microcode module in initscript. + +* Mon Jan 10 2005 Dave Jones +- Update to upstream 1.11 release. + +* Sat Dec 18 2004 Dave Jones +- Initial packaging, based upon kernel-utils. +