Revert OL modifications

This commit is contained in:
Andrew Lukoshko 2023-06-23 13:22:20 +00:00
parent daffe26cb4
commit 98cd727a22
11 changed files with 250 additions and 24 deletions

2
.gitignore vendored
View File

@ -1,4 +1,6 @@
SOURCES/06-2d-07
SOURCES/06-4e-03
SOURCES/06-55-04
SOURCES/06-5e-03
SOURCES/microcode-20190918.tar.gz
SOURCES/microcode-20191115.tar.gz

View File

@ -1,4 +1,6 @@
bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03
2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz

3
SOURCES/06-2d-07_config Normal file
View File

@ -0,0 +1,3 @@
model GenuineIntel 06-2d-07
path intel-ucode/06-2d-07
dependency required intel

View File

@ -0,0 +1,4 @@
MDS-related microcode update for Intel Sandy Bridge-EP (family 6, model 45,
stepping 7; CPUID 0x206d7) CPUs is disabled.
Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme
and /usr/share/doc/microcode_ctl/README.caveats for details.

58
SOURCES/06-2d-07_readme Normal file
View File

@ -0,0 +1,58 @@
Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7)
had issues with MDS-related microcode update that may lead to a system hang
after a microcode update[1][2]. In order to address this, microcode update
to the MDS-related revision 0x718 had been disabled, and the previously
published microcode revision 0x714 is used by default for the OS-driven
microcode update. The revision 0x71a of the microcode is intended to fix
the aforementioned issue, hence it is enabled by default (but can be disabled
explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
[2] https://access.redhat.com/solutions/4593951
For the reference, SHA1 checksums of 06-2d-07 microcode files containing
microcode revisions in question are listed below:
* 06-2d-07, revision 0x714: bcf2173cd3dd499c37defbc2533703cfa6ec2430
* 06-2d-07, revision 0x718: 837cfebbfc09b911151dfd179082ad99cf87e85d
* 06-2d-07, revision 0x71a: 4512c8149e63e5ed15f45005d7fb5be0041f66f6
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2017-5715 ("Spectre"):
https://access.redhat.com/articles/3436091
* CVE-2018-3639 ("Speculative Store Bypass"):
https://access.redhat.com/articles/3540901
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
https://access.redhat.com/articles/3562741
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151
The information regarding disabling microcode update is provided below.
To disable usage of the newer microcode revision for a specific kernel
version, please create file "disallow-intel-06-2d-07" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
where microcode will be available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated and the microcode can be loaded early, for example:
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-2d-07
/usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1
To avoid addition of the newer microcode revision for all kernels, please create
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07", run
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07
/usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.

View File

@ -1,6 +1,15 @@
model GenuineIntel 06-4f-01
path intel-ucode/06-4f-01
kernel 5.15.0
kernel 5.14.0
kernel 4.17.0
kernel 3.10.0-894
kernel 3.10.0-862.6.1
kernel 3.10.0-693.35.1
kernel 3.10.0-514.52.1
kernel 3.10.0-327.70.1
kernel 2.6.32-754.1.1
kernel 2.6.32-573.58.1
kernel 2.6.32-504.71.1
kernel 2.6.32-431.90.1
kernel 2.6.32-358.90.1
dependency required intel skip=success match-model-mode=off
disable late
disable early late

12
SOURCES/06-55-04_config Normal file
View File

@ -0,0 +1,12 @@
model GenuineIntel 06-55-04
path intel-ucode/06-55-04
## Bug https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
## affects only SKX-W/X (Workstation and HEDT segments); product segment
## can be determined by checking bits 5..3 of the CAPID0 field in PCU registers
## device (see https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13
## for Server/FPGA/Fabric segments description; for SKX-W/X no public
## documentation seems to be available). Specific device/function numbers
## are provided for speeding up the search only, VID:DID is the real selector.
## Commented out since revision 0x2006906 seems to fix the issue.
#pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
dependency required intel

View File

@ -0,0 +1,5 @@
Microcode revisions 0x2000065 and higher for Intel Skylake-X/W (family 6,
model 85, stepping 4; CPUID 0x50654) were disabled as they could cause system
hangs on reboot, so the previous revision 0x2000064 was used instead.
Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-04_readme
and /usr/share/doc/microcode_ctl/README.caveats for details.

97
SOURCES/06-55-04_readme Normal file
View File

@ -0,0 +1,97 @@
Intel Skylake Scalable Platform CPU models that belong to Workstation and HEDT
(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports
of system hangs on reboot when revision 0x2000065 of microcode, that was included
from microcode-20191112 update up to microcode-20200520 update, was applied[1].
In order to address this, microcode update to the newer revision had been
disabled by default on these systems, and the previously published microcode
revision 0x2000064 is used by default for the OS-driven microcode update.
Since revision 0x2006906 (included with the microcode-20200609 release)
it is reported that the issue is no longer present, so the newer microcode
revision is enabled by default now (but can be disabled explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
For the reference, SHA1 checksums of 06-55-04 microcode files containing
microcode revisions in question are listed below:
* 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
* 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
* 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
* 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
* 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
* 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
* 06-55-04, revision 0x2006c0a: 76b641375d136c08f5feb46aacebee40468ac085
* 06-55-04, revision 0x2006d05: dc4207cf4eb916ff34acbdddc474db0df781234f
* 06-55-04, revision 0x2006e05: bc67d247ad1c9a834bec5e452606db1381d6bc7e
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2017-5715 ("Spectre"):
https://access.redhat.com/articles/3436091
* CVE-2018-3639 ("Speculative Store Bypass"):
https://access.redhat.com/articles/3540901
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
https://access.redhat.com/articles/3562741
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151
* CVE-2019-0117 (Intel SGX Information Leak),
CVE-2019-0123 (Intel SGX Privilege Escalation),
CVE-2019-11135 (TSX Asynchronous Abort),
CVE-2019-11139 (Voltage Setting Modulation):
https://access.redhat.com/solutions/2019-microcode-nov
* CVE-2020-0543 (Special Register Buffer Data Sampling),
CVE-2020-0548 (Vector Register Data Sampling),
CVE-2020-0549 (L1D Cache Eviction Sampling):
https://access.redhat.com/solutions/5142751
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
CVE-2022-21136 (Overclocking service access protection),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
* CVE-2022-21233 (Stale Data Read from legacy xAPIC):
https://access.redhat.com/articles/6976398
The information regarding disabling microcode update is provided below.
To disable usage of the newer microcode revision for a specific kernel
version, please create a file "disallow-intel-06-55-04" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
so initramfs for this kernel version is regenerated, for example:
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04
/usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1
To disable usage of the newer microcode revision for all kernels, please create
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
used for late microcode updates, and run "dracut -f --regenerate-all"
so initramfs images get regenerated, for example:
mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04
/usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.

View File

@ -1,6 +1,8 @@
path intel-ucode/*
vendor GenuineIntel
kernel_early 5.15.0
kernel_early 5.14.0
kernel 5.15.0
kernel 5.14.0
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1

View File

@ -12,12 +12,18 @@
Summary: CPU microcode updates for Intel x86 processors
Name: microcode_ctl
Version: 20220809
Release: 2.%{intel_ucode_version}.1.0.1%{?dist}
Release: 2.%{intel_ucode_version}.1%{?dist}
Epoch: 4
License: CC0 and Redistributable, no modification permitted
URL: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
# (Pre-MDS) revision 0x714 of 06-2d-07 microcode
Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07
# (Pre-20191112) revision 0x2000064 of 06-55-04 microcode
Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04
# (Pre-20200609) revision 0xd6 of 06-4e-03/06-5e-03 microcode
Source4: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-4e-03
Source5: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-5e-03
@ -60,6 +66,19 @@ Source110: intel_readme
Source111: intel_config
Source112: intel_disclaimer
# SNB-EP (CPUID 0x206d7) post-MDS hangs
# https://bugzilla.redhat.com/show_bug.cgi?id=1758382
# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
Source120: 06-2d-07_readme
Source121: 06-2d-07_config
Source122: 06-2d-07_disclaimer
# SKL-SP/W/X (CPUID 0x50654) post-20191112 hangs
# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
Source130: 06-55-04_readme
Source131: 06-55-04_config
Source132: 06-55-04_disclaimer
# SKL-U/Y (CPUID 0x406e3) post-20200609 hangs
# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
Source140: 06-4e-03_readme
@ -131,6 +150,14 @@ is no longer used for microcode upload and, as a result, no longer provided.
%setup -n "Intel-Linux-Processor-Microcode-Data-Files-microcode-%{intel_ucode_version}"
%build
# replacing SNB-EP (CPUID 0x206d7) microcode with pre-MDS version
mv intel-ucode/06-2d-07 intel-ucode-with-caveats/
cp "%{SOURCE2}" intel-ucode/
# replacing SKL-SP/W/X (CPUID 0x50654) microcode with pre-20191112 version
mv intel-ucode/06-55-04 intel-ucode-with-caveats/
cp "%{SOURCE3}" intel-ucode/
# replacing SKL-U/Y (CPUID 0x4063e) microcode with pre-20200609 version
mv intel-ucode/06-4e-03 intel-ucode-with-caveats/
cp "%{SOURCE4}" intel-ucode/
@ -201,7 +228,7 @@ install -m 644 releasenote.md \
"%{buildroot}/%{_pkgdocdir}/RELEASE_NOTES.intel-ucode"
# caveats
install -m 644 "%{SOURCE100}" "%{SOURCE110}" \
install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \
"%{SOURCE140}" "%{SOURCE150}" "%{SOURCE160}" "%{SOURCE170}" \
"%{SOURCE180}" \
-t "%{buildroot}/%{_pkgdocdir}/caveats/"
@ -225,6 +252,22 @@ install -m 644 "%{SOURCE110}" "%{intel_inst_dir}/readme"
install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config"
install -m 644 "%{SOURCE112}" "%{intel_inst_dir}/disclaimer"
# SNB caveat
%define snb_inst_dir %{buildroot}/%{caveat_dir}/intel-06-2d-07/
install -m 755 -d "%{snb_inst_dir}/intel-ucode"
install -m 644 intel-ucode-with-caveats/06-2d-07 -t "%{snb_inst_dir}/intel-ucode/"
install -m 644 "%{SOURCE120}" "%{snb_inst_dir}/readme"
install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config"
install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer"
# SKL-SP caveat
%define skl_sp_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/
install -m 755 -d "%{skl_sp_inst_dir}/intel-ucode"
install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_sp_inst_dir}/intel-ucode/"
install -m 644 "%{SOURCE130}" "%{skl_sp_inst_dir}/readme"
install -m 644 "%{SOURCE131}" "%{skl_sp_inst_dir}/config"
install -m 644 "%{SOURCE132}" "%{skl_sp_inst_dir}/disclaimer"
# SKL-U/Y caveat
%define skl_uy_inst_dir %{buildroot}/%{caveat_dir}/intel-06-4e-03/
install -m 755 -d "%{skl_uy_inst_dir}/intel-ucode"
@ -330,7 +373,7 @@ exit 0
# of RPM name and it has its own versioning scheme both in NVR and uname.
# And there's the kernel package split in RHEL 8, so one should look for *-core
# and not the main package.
pkgs="kernel-core kernel-debug-core kernel-rt-core kernel-rt-debug-core kernel-uek-core kernel-uek-debug-core"
pkgs="kernel-core kernel-debug-core kernel-rt-core kernel-rt-debug-core"
qf='%%{NAME} %%{VERSION}-%%{RELEASE}.%%{ARCH} %%{installtime}\n'
: "${MICROCODE_RPM_KVER_LIMIT=2}"
@ -343,12 +386,9 @@ rpm -qa --qf "${qf}" ${pkgs} | sort -r -n -k'3,3' | {
while read -r pkgname vra install_ts; do
flavour=''
# Fix the uname for debug kernels
case "${pkgname}" in
kernel-uek-debug-core) flavour='.debug';;
kernel-debug-core) flavour='+debug';;
*) ;;
esac
# For x86, only "debug" flavour exists in RHEL 8
[ "x${pkgname%*-debug-core}" = "x${pkgname}" ] \
|| flavour='+debug'
kver_cnt="$((kver_cnt + 1))"
kver_uname="${vra}${flavour}"
@ -505,13 +545,6 @@ rm -rf %{buildroot}
%changelog
* Thu Jun 22 2023 Todd Vierling <todd.vierling@oracle.com> - 4:20220809-2.20230214.1.0.1
- ensure UEK also rebuilds initramfs [Orabug: 34280058]
- add support for UEK7 kernels
- enable early update for 06-4f-01
- remove no longer appropriate caveats for 06-2d-07 and 06-55-04
- enable early and late load on RHCK
* Wed Feb 15 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220809-2.20230214.1
- Update Intel CPU microcode to microcode-20230214 release, addresses
CVE-2022-21216, CVE-2022-33196, CVE-2022-33972, CVE-2022-38090 (#2171236,
@ -689,7 +722,6 @@ rm -rf %{buildroot}
- Update of 06-bf-05/0x07 (ADL C0) microcode from revision 0x22 up to
0x2c (old pf 0x3).
>>>>>>> 762178550d1d (Import microcode_ctl-20220809-2.20230214.1.el9_2 for 9.2)
* Tue Oct 25 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220809-2
- Change the logger severity level to warning to align with the kmsg one
(#2136506).