diff --git a/.gitignore b/.gitignore
index 641b925..0ad19b1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
+SOURCES/06-2d-07
 SOURCES/06-4e-03
+SOURCES/06-55-04
 SOURCES/06-5e-03
 SOURCES/microcode-20190918.tar.gz
 SOURCES/microcode-20191115.tar.gz
diff --git a/.microcode_ctl.metadata b/.microcode_ctl.metadata
index 9a28f70..98b7cc8 100644
--- a/.microcode_ctl.metadata
+++ b/.microcode_ctl.metadata
@@ -1,4 +1,6 @@
+bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
 06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03
+2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
 bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
 774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
diff --git a/SOURCES/06-2d-07_config b/SOURCES/06-2d-07_config
new file mode 100644
index 0000000..99a8ed7
--- /dev/null
+++ b/SOURCES/06-2d-07_config
@@ -0,0 +1,3 @@
+model GenuineIntel 06-2d-07
+path intel-ucode/06-2d-07
+dependency required intel
diff --git a/SOURCES/06-2d-07_disclaimer b/SOURCES/06-2d-07_disclaimer
new file mode 100644
index 0000000..ae71a34
--- /dev/null
+++ b/SOURCES/06-2d-07_disclaimer
@@ -0,0 +1,4 @@
+MDS-related microcode update for Intel Sandy Bridge-EP (family 6, model 45,
+stepping 7; CPUID 0x206d7) CPUs is disabled.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/06-2d-07_readme b/SOURCES/06-2d-07_readme
new file mode 100644
index 0000000..e5e575b
--- /dev/null
+++ b/SOURCES/06-2d-07_readme
@@ -0,0 +1,58 @@
+Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7)
+had issues with MDS-related microcode update that may lead to a system hang
+after a microcode update[1][2]. In order to address this, microcode update
+to the MDS-related revision 0x718 had been disabled, and the previously
+published microcode revision 0x714 is used by default for the OS-driven
+microcode update. The revision 0x71a of the microcode is intended to fix
+the aforementioned issue, hence it is enabled by default (but can be disabled
+explicitly; see below).
+
+[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
+[2] https://access.redhat.com/solutions/4593951
+
+For the reference, SHA1 checksums of 06-2d-07 microcode files containing
+microcode revisions in question are listed below:
+ * 06-2d-07, revision 0x714: bcf2173cd3dd499c37defbc2533703cfa6ec2430
+ * 06-2d-07, revision 0x718: 837cfebbfc09b911151dfd179082ad99cf87e85d
+ * 06-2d-07, revision 0x71a: 4512c8149e63e5ed15f45005d7fb5be0041f66f6
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version. For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2017-5715 ("Spectre"):
+ https://access.redhat.com/articles/3436091
+ * CVE-2018-3639 ("Speculative Store Bypass"):
+ https://access.redhat.com/articles/3540901
+ * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
+ https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
+
+The information regarding disabling microcode update is provided below.
+
+To disable usage of the newer microcode revision for a specific kernel
+version, please create file "disallow-intel-06-2d-07" inside
+/lib/firmware/ directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
+where microcode will be available for late microcode update, and run
+"dracut -f --kver ", so initramfs for this kernel version
+is regenerated and the microcode can be loaded early, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-2d-07
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+To avoid addition of the newer microcode revision for all kernels, please create
+file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07", run
+"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
+and "dracut -f --regenerate-all" for early microcode updates:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.
diff --git a/SOURCES/06-4f-01_config b/SOURCES/06-4f-01_config
index 8a4e436..f987150 100644
--- a/SOURCES/06-4f-01_config
+++ b/SOURCES/06-4f-01_config
@@ -1,6 +1,15 @@
 model GenuineIntel 06-4f-01
 path intel-ucode/06-4f-01
-kernel 5.15.0
-kernel 5.14.0
+kernel 4.17.0
+kernel 3.10.0-894
+kernel 3.10.0-862.6.1
+kernel 3.10.0-693.35.1
+kernel 3.10.0-514.52.1
+kernel 3.10.0-327.70.1
+kernel 2.6.32-754.1.1
+kernel 2.6.32-573.58.1
+kernel 2.6.32-504.71.1
+kernel 2.6.32-431.90.1
+kernel 2.6.32-358.90.1
 dependency required intel skip=success match-model-mode=off
-disable late
+disable early late
diff --git a/SOURCES/06-55-04_config b/SOURCES/06-55-04_config
new file mode 100644
index 0000000..07f06f6
--- /dev/null
+++ b/SOURCES/06-55-04_config
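Review bot: The last changed line of the 06-4f-01_config hunk turns `disable late` into `disable early late`, and nothing in the file says why early loading is switched off again; the changelog entry this same diff removes ("enable early update for 06-4f-01") shows it had been turned on deliberately. With both mechanisms disabled by default, hosts with this CPU model would presumably stay on whatever revision the firmware provides unless an administrator opts in, which matters for microcode-delivered mitigations. The file format accepts `##` comment lines (06-55-04_config uses them), so I would add one above the directive, for example `## Early and late load are both off by default for this model; see README.caveats for the override files`.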
@@ -0,0 +1,12 @@
+model GenuineIntel 06-55-04
+path intel-ucode/06-55-04
+## Bug https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
+## affects only SKX-W/X (Workstation and HEDT segments); product segment
+## can be determined by checking bits 5..3 of the CAPID0 field in PCU registers
+## device (see https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13
+## for Server/FPGA/Fabric segments description; for SKX-W/X no public
+## documentation seems to be available). Specific device/function numbers
+## are provided for speeding up the search only, VID:DID is the real selector.
+## Commented out since revision 0x2006906 seems to fix the issue.
+#pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
+dependency required intel
diff --git a/SOURCES/06-55-04_disclaimer b/SOURCES/06-55-04_disclaimer
new file mode 100644
index 0000000..66d71bd
--- /dev/null
+++ b/SOURCES/06-55-04_disclaimer
@@ -0,0 +1,5 @@
+Microcode revisions 0x2000065 and higher for Intel Skylake-X/W (family 6,
+model 85, stepping 4; CPUID 0x50654) were disabled as they could cause system
+hangs on reboot, so the previous revision 0x2000064 was used instead.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-04_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.
diff --git a/SOURCES/06-55-04_readme b/SOURCES/06-55-04_readme
new file mode 100644
index 0000000..373e600
--- /dev/null
+++ b/SOURCES/06-55-04_readme
@@ -0,0 +1,97 @@
+Intel Skylake Scalable Platform CPU models that belong to Workstation and HEDT
+(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports
+of system hangs on reboot when revision 0x2000065 of microcode, that was included
+from microcode-20191112 update up to microcode-20200520 update, was applied[1].
+In order to address this, microcode update to the newer revision had been
+disabled by default on these systems, and the previously published microcode
+revision 0x2000064 is used by default for the OS-driven microcode update.
+
+Since revision 0x2006906 (included with the microcode-20200609 release)
+it is reported that the issue is no longer present, so the newer microcode
+revision is enabled by default now (but can be disabled explicitly; see below).
+
+[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
+
+For the reference, SHA1 checksums of 06-55-04 microcode files containing
+microcode revisions in question are listed below:
+ * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
+ * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
+ * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
+ * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
+ * 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
+ * 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
+ * 06-55-04, revision 0x2006c0a: 76b641375d136c08f5feb46aacebee40468ac085
+ * 06-55-04, revision 0x2006d05: dc4207cf4eb916ff34acbdddc474db0df781234f
+ * 06-55-04, revision 0x2006e05: bc67d247ad1c9a834bec5e452606db1381d6bc7e
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version. For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2017-5715 ("Spectre"):
+ https://access.redhat.com/articles/3436091
+ * CVE-2018-3639 ("Speculative Store Bypass"):
+ https://access.redhat.com/articles/3540901
+ * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
+ https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+ ("Microarchitectural Data Sampling"):
+ https://access.redhat.com/articles/4138151
+ * CVE-2019-0117 (Intel SGX Information Leak),
+ CVE-2019-0123 (Intel SGX Privilege Escalation),
+ CVE-2019-11135 (TSX Asynchronous Abort),
+ CVE-2019-11139 (Voltage Setting Modulation):
+ https://access.redhat.com/solutions/2019-microcode-nov
+ * CVE-2020-0543 (Special Register Buffer Data Sampling),
+ CVE-2020-0548 (Vector Register Data Sampling),
+ CVE-2020-0549 (L1D Cache Eviction Sampling):
+ https://access.redhat.com/solutions/5142751
+ * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
+ CVE-2020-8696 (Vector Register Leakage-Active),
+ CVE-2020-8698 (Fast Forward Store Predictor):
+ https://access.redhat.com/articles/5569051
+ * CVE-2020-24489 (VT-d-related Privilege Escalation),
+ CVE-2020-24511 (Improper Isolation of Shared Resources),
+ CVE-2020-24512 (Observable Timing Discrepancy),
+ CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
+ https://access.redhat.com/articles/6101171
+ * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
+ https://access.redhat.com/articles/6716541
+ * CVE-2022-0005 (Informational disclosure via JTAG),
+ CVE-2022-21123 (Shared Buffers Data Read),
+ CVE-2022-21125 (Shared Buffers Data Sampling),
+ CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
+ CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
+ CVE-2022-21136 (Overclocking service access protection),
+ CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
+ CVE-2022-21166 (Device Register Partial Write):
+ https://access.redhat.com/articles/6963124
+ * CVE-2022-21233 (Stale Data Read from legacy xAPIC):
+ https://access.redhat.com/articles/6976398
+
+The information regarding disabling microcode update is provided below.
+
+To disable usage of the newer microcode revision for a specific kernel
+version, please create a file "disallow-intel-06-55-04" inside
+/lib/firmware/ directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
+used for late microcode updates, and run "dracut -f --kver "
+so initramfs for this kernel version is regenerated, for example:
+
+ touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --kver 3.10.0-862.9.1
+
+To disable usage of the newer microcode revision for all kernels, please create
+file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run
+"/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
+used for late microcode updates, and run "dracut -f --regenerate-all"
+so initramfs images get regenerated, for example:
+
+ mkdir -p /etc/microcode_ctl/ucode_with_caveats
+ touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04
+ /usr/libexec/microcode_ctl/update_ucode
+ dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.
diff --git a/SOURCES/intel_config b/SOURCES/intel_config
index 245cd3b..1f47b87 100644
--- a/SOURCES/intel_config
+++ b/SOURCES/intel_config
@@ -1,6 +1,8 @@
 path intel-ucode/*
 vendor GenuineIntel
-kernel_early 5.15.0
-kernel_early 5.14.0
-kernel 5.15.0
-kernel 5.14.0
+kernel_early 4.10.0
+kernel_early 3.10.0-930
+kernel_early 3.10.0-862.14.1
+kernel_early 3.10.0-693.38.1
+kernel_early 3.10.0-514.57.1
+kernel_early 3.10.0-327.73.1
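Review bot: In the intel_config hunk both `kernel` entries are removed without a replacement, so the new file gates only `kernel_early` and carries no `kernel` line at all. Whether a missing `kernel` line means late loading is not version-gated or that it never matches cannot be told from this diff, and the removed changelog entry "enable early and late load on RHCK" suggests the old lines were there on purpose. Please state the intent in the file, for example `## No "kernel" entry on purpose: late load is not restricted by kernel version here`, or keep an explicit `kernel` floor if late loading is still meant to be gated.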
diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec index 64bf131..0a4ee99 100644 --- a/SPECS/microcode_ctl.spec +++ b/SPECS/microcode_ctl.spec @@ -12,12 +12,18 @@ Summary: CPU microcode updates for Intel x86 processors Name: microcode_ctl Version: 20220809 -Release: 2.%{intel_ucode_version}.1.0.1%{?dist} +Release: 2.%{intel_ucode_version}.1%{?dist} Epoch: 4 License: CC0 and Redistributable, no modification permitted URL: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files Source0: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz +# (Pre-MDS) revision 0x714 of 06-2d-07 microcode +Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07 + +# (Pre-20191112) revision 0x2000064 of 06-55-04 microcode +Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04 + # (Pre-20200609) revision 0xd6 of 06-4e-03/06-5e-03 microcode Source4: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-4e-03 Source5: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20200520/intel-ucode/06-5e-03 
@@ -60,6 +66,19 @@ Source110: intel_readme Source111: intel_config Source112: intel_disclaimer +# SNB-EP (CPUID 0x206d7) post-MDS hangs +# https://bugzilla.redhat.com/show_bug.cgi?id=1758382 +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15 +Source120: 06-2d-07_readme +Source121: 06-2d-07_config +Source122: 06-2d-07_disclaimer + +# SKL-SP/W/X (CPUID 0x50654) post-20191112 hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 +Source130: 06-55-04_readme +Source131: 06-55-04_config +Source132: 06-55-04_disclaimer + # SKL-U/Y (CPUID 0x406e3) post-20200609 hangs # https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 Source140: 06-4e-03_readme @@ -131,6 +150,14 @@ is no longer used for microcode upload and, as a result, no longer provided. %setup -n "Intel-Linux-Processor-Microcode-Data-Files-microcode-%{intel_ucode_version}" %build +# replacing SNB-EP (CPUID 0x206d7) microcode with pre-MDS version +mv intel-ucode/06-2d-07 intel-ucode-with-caveats/ +cp "%{SOURCE2}" intel-ucode/ + +# replacing SKL-SP/W/X (CPUID 0x50654) microcode with pre-20191112 version +mv intel-ucode/06-55-04 intel-ucode-with-caveats/ +cp "%{SOURCE3}" intel-ucode/ + # replacing SKL-U/Y (CPUID 0x4063e) microcode with pre-20200609 version mv intel-ucode/06-4e-03 intel-ucode-with-caveats/ cp "%{SOURCE4}" intel-ucode/ @@ -201,7 +228,7 @@ install -m 644 releasenote.md \ "%{buildroot}/%{_pkgdocdir}/RELEASE_NOTES.intel-ucode" # caveats -install -m 644 "%{SOURCE100}" "%{SOURCE110}" \ +install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \ "%{SOURCE140}" "%{SOURCE150}" "%{SOURCE160}" "%{SOURCE170}" \ "%{SOURCE180}" \ -t "%{buildroot}/%{_pkgdocdir}/caveats/" 
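Review bot: In the %build hunk the two added `cp` lines put older blobs into the default `intel-ucode/` tree (per the Source comments, pre-MDS revision 0x714 for 06-2d-07 and pre-20191112 revision 0x2000064 for 06-55-04), while the current files move to `intel-ucode-with-caveats/`. Any host where the caveat is not applied, for instance one carrying a `disallow-intel-06-2d-07` file, would then load microcode that predates the MDS-related update, and the comments do not spell out that security consequence. I would extend them, e.g. `# NOTE: the fallback left in intel-ucode/ predates the MDS-related update; the current revision ships only under the intel-06-2d-07 caveat`, with a matching line for 06-55-04. The %build section continues outside the hunk, so any existing verification of the replaced files is not visible here.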
@@ -225,6 +252,22 @@ install -m 644 "%{SOURCE110}" "%{intel_inst_dir}/readme" install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config" install -m 644 "%{SOURCE112}" "%{intel_inst_dir}/disclaimer" +# SNB caveat +%define snb_inst_dir %{buildroot}/%{caveat_dir}/intel-06-2d-07/ +install -m 755 -d "%{snb_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-2d-07 -t "%{snb_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE120}" "%{snb_inst_dir}/readme" +install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config" +install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer" + +# SKL-SP caveat +%define skl_sp_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/ +install -m 755 -d "%{skl_sp_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_sp_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE130}" "%{skl_sp_inst_dir}/readme" +install -m 644 "%{SOURCE131}" "%{skl_sp_inst_dir}/config" +install -m 644 "%{SOURCE132}" "%{skl_sp_inst_dir}/disclaimer" + # SKL-U/Y caveat %define skl_uy_inst_dir %{buildroot}/%{caveat_dir}/intel-06-4e-03/ install -m 755 -d "%{skl_uy_inst_dir}/intel-ucode" @@ -330,7 +373,7 @@ exit 0 # of RPM name and it has its own versioning scheme both in NVR and uname. # And there's the kernel package split in RHEL 8, so one should look for *-core # and not the main package. -pkgs="kernel-core kernel-debug-core kernel-rt-core kernel-rt-debug-core kernel-uek-core kernel-uek-debug-core" +pkgs="kernel-core kernel-debug-core kernel-rt-core kernel-rt-debug-core" qf='%%{NAME} %%{VERSION}-%%{RELEASE}.%%{ARCH} %%{installtime}\n' : "${MICROCODE_RPM_KVER_LIMIT=2}" 
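Review bot: In the second hunk on this line, `pkgs=` loses `kernel-uek-core` and `kernel-uek-debug-core`, so installed UEK kernels are no longer enumerated by the `rpm -qa --qf "${qf}" ${pkgs}` pipeline that follows. According to the changelog entry this diff removes ("ensure UEK also rebuilds initramfs"), that list is what caused their initramfs images to be rebuilt, so hosts booting such kernels would presumably keep the previous early-load microcode until something else regenerates the image. If that is intended for this build target, say so in a comment above the assignment, for example `# Only RHEL kernel flavours are handled; other kernels need a manual "dracut -f"`. The scriptlet begins and ends outside the hunk.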
@@ -343,12 +386,9 @@ rpm -qa --qf "${qf}" ${pkgs} | sort -r -n -k'3,3' | { while read -r pkgname vra install_ts; do flavour='' - # Fix the uname for debug kernels - case "${pkgname}" in - kernel-uek-debug-core) flavour='.debug';; - kernel-debug-core) flavour='+debug';; - *) ;; - esac + # For x86, only "debug" flavour exists in RHEL 8 + [ "x${pkgname%*-debug-core}" = "x${pkgname}" ] \ + || flavour='+debug' kver_cnt="$((kver_cnt + 1))" kver_uname="${vra}${flavour}" @@ -505,13 +545,6 @@ rm -rf %{buildroot} %changelog -* Thu Jun 22 2023 Todd Vierling - 4:20220809-2.20230214.1.0.1 -- ensure UEK also rebuilds initramfs [Orabug: 34280058] -- add support for UEK7 kernels -- enable early update for 06-4f-01 -- remove no longer appropriate caveats for 06-2d-07 and 06-55-04 -- enable early and late load on RHCK - * Wed Feb 15 2023 Eugene Syromiatnikov - 4:20220809-2.20230214.1 - Update Intel CPU microcode to microcode-20230214 release, addresses CVE-2022-21216, CVE-2022-33196, CVE-2022-33972, CVE-2022-38090 (#2171236, @@ -689,7 +722,6 @@ rm -rf %{buildroot} - Update of 06-bf-05/0x07 (ADL C0) microcode from revision 0x22 up to 0x2c (old pf 0x3). ->>>>>>> 762178550d1d (Import microcode_ctl-20220809-2.20230214.1.el9_2 for 9.2) * Tue Oct 25 2022 Eugene Syromiatnikov - 4:20220809-2 - Change the logger severity level to warning to align with the kmsg one (#2136506).
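Review bot: The added comment in the first hunk says `RHEL 8`, but the marker line removed at the end of this diff names an el9_2 import, so the comment looks stale for this branch and should name the release actually targeted. The test itself uses the `x`-prefix comparison with an inverted sense (`[ stripped = original ] || flavour=...`), which is easy to misread in a scriptlet that decides which kernel's initramfs gets touched. A `case` states the same condition directly: `case "${pkgname}" in *-debug-core) flavour='+debug' ;; esac`. The enclosing while loop continues outside the hunk.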