import microcode_ctl-20201112-2.el8

.gitignore

@@ -1,6 +1,9 @@
 SOURCES/06-2d-07
 SOURCES/06-4e-03
 SOURCES/06-55-04
+SOURCES/06-55-04.20190918
+SOURCES/06-55-06
+SOURCES/06-55-07
 SOURCES/06-5e-03
 SOURCES/microcode-20190918.tar.gz
 SOURCES/microcode-20191115.tar.gz

.microcode_ctl.metadata

@@ -1,6 +1,9 @@
 bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
 06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03
-2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
+5f18f985f6d5ad369b5f6549b7f3ee55acaef967 SOURCES/06-55-04
+2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04.20190918
+8affd949151a0badd3f71e23cf9ad668d4c1d82f SOURCES/06-55-06
+a7121c5f49753cc783f82135e268bc4efe85d4be SOURCES/06-55-07
 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
 bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
 774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz

SOURCES/06-55-04_readme

@@ -10,7 +10,12 @@ Since revision 0x2006906 (included with the microcode-20200609 release)
 it is reported that the issue is no longer present, so the newer microcode
 revision is enabled by default now (but can be disabled explicitly; see below).
 
+Revision 0x2006a08 (included since the microcode-20201110 release) exhibits
+a different issue on some systems, so it is controlled by 06-55-0x-ipu-2020.2
+caveat;  please refer to [2] for details.
+
 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
+[2] /usr/share/doc/microcode_ctl/caveats/06-55-0x-ipu-2020.2_readme
 
 For the reference, SHA1 checksums of 06-55-04 microcode files containing
 microcode revisions in question are listed below:

SOURCES/06-55-0x-ipu-2020.2_config

@@ -0,0 +1,20 @@
+path intel-ucode/*
+vendor GenuineIntel
+## It is deemed that blocking the SKX/CLX microcode update on all hardware
+## in cases where no model filter is used is too broad, hence
+## no-model-mode=success.
+## https://bugzilla.redhat.com/1902884 https://bugzilla.redhat.com/1905111
+dmi mode=fail-equal no-model-mode=success key=product_name val="Superdome Flex"
+## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/45
+dmi mode=fail-equal no-model-mode=success key=product_name val="SYS-2029TP-HTR/X11DPT-PS"
+## The "kernel_early" statements are carried over from the intel caveat config
+## in order to avoid enabling this newer microcode on these problematic kernels;
+## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
+## (That also means that this caveat has to be enforced separately on these
+## kernels.)
+kernel_early 4.10.0
+kernel_early 3.10.0-930
+kernel_early 3.10.0-862.14.1
+kernel_early 3.10.0-693.38.1
+kernel_early 3.10.0-514.57.1
+kernel_early 3.10.0-327.73.1

SOURCES/06-55-0x-ipu-2020.2_disclaimer

@@ -0,0 +1,6 @@
+Latest microcode updates for Intel Skylake/Cascade Lake Scalable Platform CPUs
+(family 6, model 85, steppings 4, 6, and 7; CPUID 0x50654/0x50656/0x50657)
+are disabled on some systems as these updates may cause system instability;
+microcode from the previous microcode-20200609 release is used instead.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-0x-ipu-2020.2_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.

SOURCES/06-55-0x-ipu-2020.2_readme

@@ -0,0 +1,83 @@
+Latest microcode updates for Intel Skylake/Cascade Lake Scalable Platform CPUs
+(family 6, model 85, steppings 4, 6, and 7; CPUID 0x50654/0x50656/0x50657)
+may cause system instability on some systems, namely, HPE Superdome Flex
+and Supermicro systems, when an update is performed with the resivions
+that come with microcode-20201110 release, so the previously released microcode
+(with revisions 0x2006906, 0x4001f01, and 0x5002f01, respectively)
+from microcode-20200609 release are used on these systems by default instead
+for the OS-driven microcode update.
+
+For the reference, SHA1 checksums of the relevant microcode files containing
+microcode revisions in question are listed below:
+ * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
+ * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
+
+ * 06-55-06, revision 0x4004f01: 8affd949151a0badd3f71e23cf9ad668d4c1d82f
+ * 06-55-06, revision 0x4003003: b187866d2570f90ea69f434c2b012a8c88d85f43
+
+ * 06-55-07, revision 0x5002f01: a7121c5f49753cc783f82135e268bc4efe85d4be
+ * 06-55-07, revision 0x5003003: 74e129b108e676f0286742f609b2c1fa65d73db1
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version.  For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
+   CVE-2020-8696 (Vector Register Leakage-Active),
+   CVE-2020-8698 (Fast Forward Store Predictor):
+   https://access.redhat.com/articles/5569051
+
+The information regarding enforcing microcode update is provided below.
+
+To enforce usage of the latest microcode revision for a specific kernel
+version, please create a file "force-intel-06-55-0x-ipu-2020.2" inside
+/lib/firmware/<kernel_version> directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
+where microcode will be available for late microcode update, and run
+"dracut -f --kver <kernel_version>", so initramfs for this kernel version
+is regenerated and the microcode can be loaded early, for example:
+
+    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-0x-ipu-2020.2
+    /usr/libexec/microcode_ctl/update_ucode
+    dracut -f --kver 3.10.0-862.9.1
+
+After that, it is possible to perform a late microcode update by executing
+"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
+"/sys/devices/system/cpu/microcode/reload" directly.
+
+To disallow usage of the latest microcode revision for a specific kernel
+version, please create a file "disallow-intel-06-55-0x-ipu-2020.2" inside
+/lib/firmware/<kernel_version> directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
+used for late microcode updates, and run "dracut -f --kver <kernel_version>",
+so initramfs for this kernel version is regenerated, for example:
+
+    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-0x-ipu-2020.2
+    /usr/libexec/microcode_ctl/update_ucode
+    dracut -f --kver 3.10.0-862.9.1
+
+To enforce addition of this microcode for all kernels, please create a file
+"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-0x-ipu-2020.2", run
+"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
+and "dracut -f --regenerate-all" for enabling early microcode updates:
+
+    mkdir -p /etc/microcode_ctl/ucode_with_caveats
+    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-0x-ipu-2020.2
+    /usr/libexec/microcode_ctl/update_ucode
+    dracut -f --regenerate-all
+
+To disallow usage of the latest microcode revision for all kernels, please
+create a file
+"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-0x-ipu-2020.2",
+run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
+used for late microcode updates, and run "dracut -f --regenerate-all"
+so initramfs images get regenerated, for example:
+
+    mkdir -p /etc/microcode_ctl/ucode_with_caveats
+    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-0x-ipu-2020.2
+    /usr/libexec/microcode_ctl/update_ucode
+    dracut -f --regenerate-all
+
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.

SOURCES/README.caveats

@@ -560,6 +560,11 @@ to enable ability to disable it in case such a need arises.  (See the sections
 "check_caveats script" and "reload_microcode script" for details regarding
 caveats mechanism operation.)
 
+Revision 0x2006a08 (included since the microcode-20201110 release) exhibits
+a different issue on some systems, so it is controlled by 06-55-0x-ipu-2020.2
+caveat;  please refer to the "Intel Skylake-SP and Cascade Lake-SP
+microcode-20201110 caveats" section for details.
+
 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
 
 Caveat name: intel-06-55-04
@@ -571,6 +576,28 @@ previously published microcode revision 0x2000064 is still available
 as a fallback as part of "intel" caveat.
 
 
+Intel Skylake-SP and Cascade Lake-SP microcode-20201110 caveats
+---------------------------------------------------------------
+Latest microcode updates for Intel Skylake/Cascade Lake Scalable Platform CPUs
+(family 6, model 85, steppings 4, 6, and 7; CPUID 0x50654/0x50656/0x50657)
+may cause system instability on some systems (there were reports for HPE
+Superdome Flex and Supermicro systems[1]) with the resivions that come
+with microcode-20201110 release, so the previously released microcode
+(with revisions 0x2006906, 0x4001f01, and 0x5002f01, respectively)
+from microcode-20200609 release are used by default instead for the OS-driven
+microcode update.
+
+[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/45
+
+Caveat name: intel-06-55-0x-ipu-2020.2
+
+Affected microcode: intel-ucode/06-55-04, intel-ucode/06-55-06,
+                    intel-ucode/06-55-07
+
+Mitigation: previously published microcode files (revision 0x2006906 for 06-55-04,
+            0x4002f01 for 06-55-06, 0x5002f01 for 06-55-07) are used by default.
+
+
 Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats
 ----------------------------------------
 Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3;

SOURCES/check_caveats

@@ -628,10 +628,9 @@ for cfg in $(echo "${configs}"); do
 		cfg_mc_present=0
 
 		for p in $(printf "%s" "$cfg_path"); do
-			{ /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \
-				-path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0;
-			  /bin/true; } \
-			    | /bin/grep -zFxq "$cpu_mc_path" \
+			/usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \
+				-path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \
+			    | /bin/grep -zFxc "$cpu_mc_path" > /dev/null \
 			    || continue
 
 			cfg_mc_present=1

SPECS/microcode_ctl.spec

@@ -13,7 +13,7 @@
 Summary:        CPU microcode updates for Intel x86 processors
 Name:           microcode_ctl
 Version:        %{intel_ucode_version}
-Release:        1%{?dist}
+Release:        2%{?dist}
 Epoch:          4
 License:        CC0 and Redistributable, no modification permitted
 URL:            https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
@@ -23,7 +23,7 @@ Source0:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Fi
 Source2:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07
 
 # (Pre-20191112) revision 0x2000064 of 06-55-04 microcode
-Source3:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04
+Source3:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04#/06-55-04.20190918
 
 # (Pre-20200609) revision 0xd6 of 06-4e-03/06-5e-03 microcode
 Source4:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-4e-03
@@ -34,9 +34,15 @@ Source6:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Fi
 # microcode-20191115 release,containing revision 0xca of 06-[89]e-0X microcode
 Source7:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-20191115.tar.gz
 
+# (Pre-20201110) revision 0x2006906 of 06-55-04/0xb7 microcode
+Source8:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200609/intel-ucode/06-55-04
+# (Pre-20201110) revision 0x4002f01 of 06-55-06/0xbf microcode
+Source9:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200609/intel-ucode/06-55-06
+# (Pre-20201110) revision 0x5002f01 of 06-55-07/0xbf microcode
+Source10:       https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200609/intel-ucode/06-55-07
 
 # systemd unit
-Source10:       microcode.service
+Source15:       microcode.service
 
 # dracut-related stuff
 Source20:       01-microcode.conf
@@ -76,6 +82,7 @@ Source122:      06-2d-07_disclaimer
 
 # SKL-SP/W/X (CPUID 0x50654) post-20191112 hangs
 # https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
+# It is still preerved due to https://bugzilla.redhat.com/1908432
 Source130:      06-55-04_readme
 Source131:      06-55-04_config
 Source132:      06-55-04_disclaimer
@@ -116,10 +123,18 @@ Source180:      06-8c-01_readme
 Source181:      06-8c-01_config
 Source182:      06-8c-01_disclaimer
 
+# SKX-SP/CLX-SP (CPUID 0x50654/0x50656/0x50657)
+# IPU 2020.2 HPE Superdome issue
+# https://bugzilla.redhat.com/show_bug.cgi?id=1902884
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/45
+Source190:      06-55-0x-ipu-2020.2_readme
+Source191:      06-55-0x-ipu-2020.2_config
+Source192:      06-55-0x-ipu-2020.2_disclaimer
+
 # "Provides:" RPM tags generator
-Source200:      gen_provides.sh
-Source201:      codenames.list
-Source202:      gen_updates2.py
+Source1000:      gen_provides.sh
+Source1001:      codenames.list
+Source1002:      gen_updates2.py
 
 ExclusiveArch:  %{ix86} x86_64
 BuildRequires:  systemd-units
@@ -132,7 +147,7 @@ Requires(postun): systemd coreutils
 Requires(posttrans): dracut coreutils
 
 %global _use_internal_dependency_generator 0
-%define __find_provides "%{SOURCE200}" "%{SOURCE201}"
+%define __find_provides "%{SOURCE1000}" "%{SOURCE1001}"
 
 %description
 This package provides microcode update files for Intel x86 and x86_64 CPUs.
@@ -152,9 +167,16 @@ is no longer used for microcode upload and, as a result, no longer provided.
 mv intel-ucode/06-2d-07 intel-ucode-with-caveats/
 cp "%{SOURCE2}" intel-ucode/
 
+# replacing SKX/CLX (CPUID 0x50654/0x50656/0x50657) microcode with pre-20201110
+# versions
+# placing this caveat because the older 06-55-04 one in order to preserve
+# mv/cp command pattern
+mv intel-ucode/06-55-0[467] intel-ucode-with-caveats/
+cp "%{SOURCE8}" "%{SOURCE9}" "%{SOURCE10}" intel-ucode/
+
 # replacing SKL-SP/W/X (CPUID 0x50654) microcode with pre-20191112 version
-mv intel-ucode/06-55-04 intel-ucode-with-caveats/
-cp "%{SOURCE3}" intel-ucode/
+mv intel-ucode/06-55-04 intel-ucode-with-caveats/06-55-04.20200609
+cp "%{SOURCE3}" intel-ucode/06-55-04
 
 # replacing SKL-U/Y (CPUID 0x4063e) microcode with pre-20200609 version
 mv intel-ucode/06-4e-03 intel-ucode-with-caveats/
@@ -189,7 +211,7 @@ install -m 755 -d \
 
 # systemd unit
 install -m 755 -d "%{buildroot}/%{_unitdir}"
-install -m 644 "%{SOURCE10}" -t "%{buildroot}/%{_unitdir}/"
+install -m 644 "%{SOURCE15}" -t "%{buildroot}/%{_unitdir}/"
 
 # dracut
 %define dracut_mod_dir "%{buildroot}/%{dracutlibdir}/modules.d/99microcode_ctl-fw_dir_override"
@@ -228,7 +250,7 @@ install -m 644 releasenote.md \
 # caveats
 install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \
 	       "%{SOURCE140}" "%{SOURCE150}" "%{SOURCE160}" "%{SOURCE170}" \
-	       "%{SOURCE180}" \
+	       "%{SOURCE180}" "%{SOURCE190}" \
 	-t "%{buildroot}/%{_pkgdocdir}/caveats/"
 
 
@@ -261,7 +283,7 @@ install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer"
 # SKL-SP caveat
 %define skl_sp_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/
 install -m 755 -d "%{skl_sp_inst_dir}/intel-ucode"
-install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_sp_inst_dir}/intel-ucode/"
+install -m 644 intel-ucode-with-caveats/06-55-04.20200609 "%{skl_sp_inst_dir}/intel-ucode/06-55-04"
 install -m 644 "%{SOURCE130}" "%{skl_sp_inst_dir}/readme"
 install -m 644 "%{SOURCE131}" "%{skl_sp_inst_dir}/config"
 install -m 644 "%{SOURCE132}" "%{skl_sp_inst_dir}/disclaimer"
@@ -306,10 +328,18 @@ install -m 644 "%{SOURCE180}" "%{tgl_inst_dir}/readme"
 install -m 644 "%{SOURCE181}" "%{tgl_inst_dir}/config"
 install -m 644 "%{SOURCE182}" "%{tgl_inst_dir}/disclaimer"
 
+# SKX-SP/CLX-SP HPE Superdome caveat
+%define skx_clx_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-0x-ipu-2020.2/
+install -m 755 -d "%{skx_clx_inst_dir}/intel-ucode"
+install -m 644 intel-ucode-with-caveats/06-55-0[467] -t "%{skx_clx_inst_dir}/intel-ucode/"
+install -m 644 "%{SOURCE190}" "%{skx_clx_inst_dir}/readme"
+install -m 644 "%{SOURCE191}" "%{skx_clx_inst_dir}/config"
+install -m 644 "%{SOURCE192}" "%{skx_clx_inst_dir}/disclaimer"
+
 # SUMMARY.intel-ucode generation
 # It is to be done only after file population, so, it is here,
 # at the end of the install stage
-/usr/libexec/platform-python "%{SOURCE202}" -C "%{SOURCE201}" \
+/usr/libexec/platform-python "%{SOURCE1002}" -C "%{SOURCE1001}" \
 	summary -A "%{buildroot}" \
 	> "%{buildroot}/%{_pkgdocdir}/SUMMARY.intel-ucode"
 
@@ -543,6 +573,11 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Tue Dec 01 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20201112-2
+- Do not use "grep -q" in a pipe in check_caveats (#1902021).
+- Add 06-55-04/06-55-06/06-55-07 (SKX-SP/CLX-SP) microcode-20201110 caveats
+  (#1902884).
+
 * Fri Nov 13 2020 Eugene Syromiatnikov <esyr@redhat.com> - 4:20201112-1
 - Update Intel CPU microcode to microcode-20201112 release (#1896912):
   - Addition of 06-8a-01/0x10 (LKF B2/B3) microcode at revision 0x28;