import microcode_ctl-20191115-4.el8

.gitignore

@@ -1 +1,3 @@
-SOURCES/microcode-20190514a.tar.gz
+SOURCES/06-2d-07
+SOURCES/06-55-04
+SOURCES/microcode-20191115.tar.gz

.microcode_ctl.metadata

@@ -1 +1,3 @@
-252f56e1e1e6dc491813cb649c5c83fe1ff1c122 SOURCES/microcode-20190514a.tar.gz
+bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
+2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
+774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz

SOURCES/06-2d-07_config

@@ -0,0 +1,3 @@
+model GenuineIntel 06-2d-07
+path intel-ucode/06-2d-07
+disable early late

SOURCES/06-2d-07_disclaimer

@@ -0,0 +1,4 @@
+MDS-related microcode update for Intel Sandy Bridge-EP (family 6, model 45,
+stepping 7; CPUID 0x206d7) CPUs is disabled as it may cause system instability.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.

SOURCES/06-2d-07_readme

@@ -0,0 +1,55 @@
+Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7)
+have issues with MDS-related microcode update that may lead to a system hang
+after a microcode update. In order to address this, microcode update
+to the MDS-related revision 0x718 has been disabled, and the previously
+published microcode revision 0x714 is used by default for the OS-driven
+microcode update.
+
+For the reference, SHA1 checksums of 06-2d-07 microcode files containing
+microcode revisions in question are listed below:
+ * 06-2d-07, revision 0x714: bcf2173cd3dd499c37defbc2533703cfa6ec2430
+ * 06-2d-07, revision 0x718: 837cfebbfc09b911151dfd179082ad99cf87e85d
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version. For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2017-5715 ("Spectre"):
+   https://access.redhat.com/articles/3436091
+ * CVE-2018-3639 ("Speculative Store Bypass"):
+   https://access.redhat.com/articles/3540901
+ * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
+   https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+   ("Microarchitectural Data Sampling"):
+   https://access.redhat.com/articles/4138151
+
+The information regarding enforcing microcode load is provided below.
+
+To enforce usage of the 0x718 microcode revision for a specific kernel version,
+please create file "force-intel-06-2d-07" inside /lib/firmware/<kernel_version>
+directory, run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware
+directory where microcode will be available for late microcode update,
+and run "dracut -f --kver <kernel_version>", so initramfs for this kernel
+version is regenerated and the microcode can be loaded early, for example:
+
+    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-2d-07
+    /usr/libexec/microcode_ctl/update_ucode
+    dracut -f --kver 3.10.0-862.9.1
+
+After that, it is possible to perform a late microcode update by executing
+"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
+"/sys/devices/system/cpu/microcode/reload" directly.
+
+To enforce addition of this microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07", run
+"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
+and "dracut -f --regenerate-all" for enabling early microcode updates:
+
+    mkdir -p /etc/microcode_ctl/ucode_with_caveats
+    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07
+    /usr/libexec/microcode_ctl/update_ucode
+    dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.

SOURCES/06-4f-01_disclaimer

@@ -0,0 +1,4 @@
+microcode update for Intel Broadwell-EP/EX (BDX-ML B/M/R0; family 6, model 79,
+stepping 1; CPUID 0x406f1) CPUs is disabled as it may cause system instability.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-4f-01_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.

SOURCES/06-4f-01_readme

@@ -49,6 +49,7 @@ kernels, please create a file
 "/etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01"
 and run "/usr/libexec/microcode_ctl/update_ucode":
 
+    mkdir -p /etc/microcode_ctl/ucode_with_caveats
     touch /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01
     /usr/libexec/microcode_ctl/update_ucode
 
@@ -64,10 +65,11 @@ For enforcing early load of this microcode for all kernels, please
 create a file "/etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01"
 and run dracut -f --regenerate-all:
 
+    mkdir -p /etc/microcode_ctl/ucode_with_caveats
     touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01
     dracut -f --regenerate-all
 
-If you want avoid removal of the microcode file during cleanup performed by
+If you want to avoid removal of the microcode file during cleanup performed by
 /usr/libexec/microcode_ctl/update_ucode, please remove the corresponding readme
 file (/lib/firmware/<kernel_version>/readme-intel-06-4f-01).
 

SOURCES/06-55-04_config

@@ -0,0 +1,3 @@
+model GenuineIntel 06-55-04
+path intel-ucode/06-55-04
+disable early late

SOURCES/06-55-04_disclaimer

@@ -0,0 +1,6 @@
+Microcode revision 0x2000065 for Intel Skylake-SP/X/W (family 6, model 85,
+stepping 4; CPUID 0x50654) CPUs that has been included into microcode-20191112
+release is disabled as it may cause system instability and the previous revision
+0x2000064 is used instead.
+Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-04_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.

SOURCES/06-55-04_readme

@@ -0,0 +1,61 @@
+Intel Skulake Scalable Platform CPU models (SKL-SP/W/X, family 6, model 85,
+stepping 4) have reports of system hangs when revision 0x2000065 of microcode,
+that is included since microcode-20191112 update, is applied.  In order
+to address this, microcode update to this revision has been disabled,
+and the previously published microcode revision 0x2000064 is used by default
+for the OS-driven microcode update.
+
+For the reference, SHA1 checksums of 06-55-04 microcode files containing
+microcode revisions in question are listed below:
+ * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
+ * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
+
+Please contact your system vendor for a BIOS/firmware update that contains
+the latest microcode version.  For the information regarding microcode versions
+required for mitigating specific side-channel cache attacks, please refer
+to the following knowledge base articles:
+ * CVE-2017-5715 ("Spectre"):
+   https://access.redhat.com/articles/3436091
+ * CVE-2018-3639 ("Speculative Store Bypass"):
+   https://access.redhat.com/articles/3540901
+ * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
+   https://access.redhat.com/articles/3562741
+ * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
+   ("Microarchitectural Data Sampling"):
+   https://access.redhat.com/articles/4138151
+ * CVE-2019-0117 (Intel SGX Information Leak),
+   CVE-2019-0123 (Intel SGX Privilege Escalation),
+   CVE-2019-11135 (TSX Asynchronous Abort),
+   CVE-2019-11139 (Voltage Setting Modulation):
+   https://access.redhat.com/solutions/2019-microcode-nov
+
+The information regarding enforcing microcode update is provided below.
+
+To enforce usage of the 0x2000065 microcode revision for a specific kernel
+version, please create a file "force-intel-06-55-04" inside
+/lib/firmware/<kernel_version> directory, run
+"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
+where microcode will be available for late microcode update, and run
+"dracut -f --kver <kernel_version>", so initramfs for this kernel version
+is regenerated and the microcode can be loaded early, for example:
+
+    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-04
+    /usr/libexec/microcode_ctl/update_ucode
+    dracut -f --kver 3.10.0-862.9.1
+
+After that, it is possible to perform a late microcode update by executing
+"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
+"/sys/devices/system/cpu/microcode/reload" directly.
+
+To enforce addition of this microcode for all kernels, please create file
+"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04", run
+"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
+and "dracut -f --regenerate-all" for enabling early microcode updates:
+
+    mkdir -p /etc/microcode_ctl/ucode_with_caveats
+    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04
+    /usr/libexec/microcode_ctl/update_ucode
+    dracut -f --regenerate-all
+
+Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
+information.

SOURCES/README.caveats

@@ -389,8 +389,10 @@ when a microcode update performed on a kernel that contains those changes.
 As a result, microcode update for this CPU model is disabled by default;
 the microcode file, however, is still shipped as a part of microcode_ctl
 package and can be used for performing a microcode update if it is enforced
-via the aforementioned overridden. (See sections "check_caveats script"
-and "reload_microcode script" for details).
+via the aforementioned overrides. (See the sections "check_caveats script"
+and "reload_microcode script" for details.)
+
+Caveat name: intel-06-4f-01
 
 Affected microcode: intel-ucode/06-4f-01.
 
@@ -418,9 +420,12 @@ from a cpio archive placed at the beginning of the initramfs image.  However,
 when an early microcode update is attempted inside some virtualised
 environments, that may result in unexpected system behaviour.
 
+Caveat name: intel
+
 Affected microcode: all.
 
-Mitigation: early microcode loading is disabled for all CPU models.
+Mitigation: early microcode loading is disabled for all CPU models on kernels
+without the fix.
 
 Minimum versions of the kernel package that contain the fix:
  - Upstream/RHEL 8: 4.10.0
@@ -431,16 +436,52 @@ Minimum versions of the kernel package that contain the fix:
  - RHEL 7.2: 3.10.0-327.73.1
 
 
+Intel Sandy Bridge-E/EN/EP caveat
+---------------------------------
+MDS-related microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP
+(SNB-EP, family 6, model 45, stepping 7) may lead to system instability.
+In order to address this, this microcode update is not used and the previous
+microcode revision is provided instead by default; the microcode file, however,
+is still shipped as part of microcode_ctl package and can be used for performing
+a microcode update if it is enforced via the aforementioned overrides. (See
+the sections "check_caveats script" and "reload_microcode script" for details.)
+
+Caveat name: intel-06-2d-07
+
+Affected microcode: intel-ucode/06-2d-07.
+
+Mitigation: previously published microcode revision 0x714 is used by default.
+
+
+Intel Skylake-SP/W/X caveat
+---------------------------
+Microcode revision 0x2000065 for Intel Skylake Scalable Platform (SKL-SP/W/X,
+family 6, model 85, stepping 4) may lead to system instability.
+In order to address this, this microcode update is not used and the previous
+microcode revision is provided instead by default; the microcode file, however,
+is still shipped as part of microcode_ctl package and can be used for performing
+a microcode update if it is enforced via the aforementioned overrides.
+(See the sections "check_caveats script" and "reload_microcode script"
+for details.)
+
+Caveat name: intel-06-55-04
+
+Affected microcode: intel-ucode/06-55-04.
+
+Mitigation: previously published microcode revision 0x2000064 is used
+by default.
+
+
+
 Additional information
 ======================
-Red Hat provides updated microcode, developed by our microprocessor
-partners, as a customer convenience.  Please contact your hardware vendor
-to determine whether more recent BIOS/firmware updates are recommended
-because additional improvements may be available.
+Red Hat provides updated microcode, developed by its microprocessor partners,
+as a customer convenience.  Please contact your hardware vendor to determine
+whether more recent BIOS/firmware updates are recommended because additional
+improvements may be available.
 
 Information regarding microcode revisions required for mitigating specific
-microarchitectural side-channel attacks is available in the following
-knowledge base articles:
+Intel CPU vulnerabilities is available in the following knowledge base articles:
  * CVE-2017-5715 ("Spectre"):
    https://access.redhat.com/articles/3436091
  * CVE-2018-3639 ("Speculative Store Bypass"):
@@ -450,3 +491,8 @@ knowledge base articles:
  * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
    ("Microarchitectural Data Sampling"):
    https://access.redhat.com/articles/4138151
+ * CVE-2019-0117 (Intel SGX Information Leak),
+   CVE-2019-0123 (Intel SGX Privilege Escalation),
+   CVE-2019-11135 (TSX Asynchronous Abort),
+   CVE-2019-11139 (Voltage Setting Modulation):
+   https://access.redhat.com/solutions/2019-microcode-nov

SOURCES/check_caveats

@@ -10,8 +10,10 @@
 : ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}
 
 usage() {
-	echo 'Usage: check_caveats [-e] [-k TARGET_KVER] [-c CONFIG] [-m] [-v]'
+	echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]'
+	echo '                     [-m] [-v]'
 	echo
+	echo '   -d - enables disclaimer printing mode'
 	echo '   -e - check for early microcode load possibility (instead of'
 	echo '        late microcode load)'
 	echo '   -k - target version to check against, $(uname -r) is used'
@@ -178,6 +180,9 @@ fail()
 
 	fail_cfgs="$fail_cfgs $cfg"
 	fail_paths="$fail_paths $cfg_path"
+
+	[ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \
+		|| cat "${dir}/disclaimer"
 }
 
 #check_kver "$@"
@@ -188,11 +193,16 @@ configs=
 kver=$(/bin/uname -r)
 verbose=0
 early_check=0
+print_disclaimers=0
 
 ret=0
 
-while getopts "ek:c:mv" opt; do
+while getopts "dek:c:mv" opt; do
 	case "${opt}" in
+	d)
+		print_disclaimers=1
+		early_check=2
+		;;
 	e)
 		early_check=1
 		;;
@@ -472,6 +482,8 @@ for cfg in $(echo "${configs}"); do
 	ok_paths="$ok_paths $cfg_path"
 done
 
+[ 0 -eq "$print_disclaimers" ] || exit 0
+
 echo "cfgs$ret_cfgs"
 echo "skip_cfgs$skip_cfgs"
 echo "paths$ret_paths"

SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh

@@ -43,7 +43,8 @@ install() {
 		dinfo "    microcode_ctl: reset fw_dir to \"${fw_dir}\""
 	}
 
-	while read -d "/" -r i; do
+	fw_dir_add=""
+	while read -d $'\n' -r i; do
 		dinfo "    microcode_ctl: processing data directory " \
 		      "\"$DATA_DIR/$i\"..."
 
@@ -117,8 +118,10 @@ install() {
 
 			# $path is a list of globs, so it needs special care
 			for p in $(printf "%s" "$path"); do
-				find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \
-					-print0 \
+				# "true" is due to sporadic SIGPIPE from find
+				# when "grep -q" exits early.
+				{ find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \
+					-print0; true; } \
 				    | grep -zFxq \
 					"$DATA_DIR/$i/$ucode_dir/$ucode" \
 				    || continue
@@ -143,8 +146,12 @@ install() {
 		dinfo "      microcode_ctl: $i: caveats check for kernel" \
 		      "version \"$kernel\" passed, adding" \
 		      "\"$DATA_DIR/$i\" to fw_dir variable"
-		fw_dir="$DATA_DIR/$i $fw_dir"
 
+		if [ 0 -eq "$do_skip_host_only" ]; then
+			fw_dir_add="$DATA_DIR/$i "
+		else
+			fw_dir_add="$DATA_DIR/$i $fw_dir_add"
+		fi
 	# The list of directories is reverse-sorted in order to preserve the
 	# "last wins" policy in case of presence of multiple microcode
 	# revisions.
@@ -153,11 +160,20 @@ install() {
 	# but since the microcode search is done with the "first wins" policy
 	# by the (early) microcode loading code, the correct microcode revision
 	# still has to be picked.
+	#
+	# Note that dracut without patch [1] puts only the last directory
+	# in the early cpio; we try to address this by putting only the last
+	# matching caveat in the search path, but that workaround works only
+	# for host-only mode; non-host-only mode early cpio generation is still
+	# broken without that patch.
+	#
+	# [1] https://github.com/dracutdevs/dracut/commit/c44d2252bb4b
 	done <<-EOF
-	$(find "$DATA_DIR" -maxdepth 1 -mindepth 1 -type d -printf "%f/" \
-		| sort -r)
+	$(find "$DATA_DIR" -maxdepth 1 -mindepth 1 -type d -printf "%f\n" \
+		| LC_ALL=C sort)
 	EOF
 
+	fw_dir="${fw_dir_add}${fw_dir}"
 	dinfo "    microcode_ctl: final fw_dir: \"${fw_dir}\""
 }
 

SOURCES/gen_provides.sh

@@ -1,4 +1,4 @@
-#! /bin/bash -efux
+#! /bin/bash -efu
 
 # Generator of RPM "Provides:" tags for Intel microcode files.
 #

SOURCES/intel_disclaimer

@@ -0,0 +1,10 @@
+This kernel doesn't handle early microcode load properly (it tries to load
+microcode even in virtualised environment, which may lead to a panic on some
+hypervisors), thus the microcode files have not been added to the initramfs
+image.  Please update your kernel to one of the following:
+  RHEL 7.5: kernel-3.10.0-862.14.1 or newer;
+  RHEL 7.4: kernel-3.10.0-693.38.1 or newer;
+  RHEL 7.3: kernel-3.10.0-514.57.1 or newer;
+  RHEL 7.2: kernel-3.10.0-327.73.1 or newer.
+Please refer to /usr/share/doc/microcode_ctl/caveats/intel_readme
+and /usr/share/doc/microcode_ctl/README.caveats for details.

SOURCES/intel_readme

@@ -18,8 +18,7 @@ If you want to avoid early load of microcode for a specific kernel, please
 create "disallow-early-intel" file inside /lib/firmware/<kernel_version>
 directory and run dracut -f --kver "<kernel_version>":
 
-    touch /lib/firmware/3.10.0-862.9.1/disallow-intel
-    /usr/libexec/microcode_ctl/update_ucode
+    touch /lib/firmware/3.10.0-862.9.1/disallow-early-intel
     dracut -f --kver 3.10.0-862.9.1
 
 If you want to avoid early load of microcode for all kernels, please create
@@ -27,14 +26,13 @@ If you want to avoid early load of microcode for all kernels, please create
 directory and run dracut -f --regenerate-all:
 
     mkdir -p /etc/microcode_ctl/ucode_with_caveats
-    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel
-    dracut -f --kver 3.10.0-862.9.1
+    touch /etc/microcode_ctl/ucode_with_caveats/disallow-early-intel
+    dracut -f --regenerate-all
 
 If you want to enforce early load of microcode for a specific kernel, please
 create "force-early-intel" file inside /lib/firmware/<kernel_version> directory
 and run dracut -f --kver "<kernel_version>":
 
-    modir -p/lib/firmware/3.10.0-862.9.1/
     touch /lib/firmware/3.10.0-862.9.1/force-early-intel
     dracut -f --kver 3.10.0-862.9.1
 
@@ -46,8 +44,9 @@ directory and run dracut -f --kver "<kernel_version>":
     touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel
     dracut -f --regenerate-all
 
-In order to override late load behaviour, the "early" part of file names should
-be replaced with "late" (and there is no need to call dracut in that case).
+In order to override the late load behaviour, the "early" part of file names
+should be replaced with "late" (and there is no need to call dracut
+in that case).
 
 
 Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional

SPECS/microcode_ctl.spec

@@ -1,4 +1,4 @@
-%define intel_ucode_version 20190514a
+%define intel_ucode_version 20191115
 %define intel_ucode_file_id 28727
 %global debug_package %{nil}
 
@@ -13,13 +13,19 @@
 
 Summary:        CPU microcode updates for Intel x86 processors
 Name:           microcode_ctl
-Version:        20180807a
-Release:        2.%{intel_ucode_version}.2%{?dist}
+Version:        %{intel_ucode_version}
+Release:        4%{?dist}
 Epoch:          4
 License:        CC0 and Redistributable, no modification permitted
 URL:            https://downloadcenter.intel.com/download/%{intel_ucode_file_id}/Linux-Processor-Microcode-Data-File
 Source0:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz
 
+# (Pre-MDS) revision 0x714 of 06-2d-07 microcode
+Source2:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07
+
+# (Pre-20191112) revision 0x2000064 of 06-55-04 microcode
+Source3:        https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04
+
 
 # systemd unit
 Source10:       microcode.service
@@ -39,14 +45,34 @@ Source41:       README.caveats
 
 ## Caveats
 # BDW EP/EX
+# https://bugzilla.redhat.com/show_bug.cgi?id=1622180
+# https://bugzilla.redhat.com/show_bug.cgi?id=1623630
+# https://bugzilla.redhat.com/show_bug.cgi?id=1646383
 Source100:      06-4f-01_readme
 Source101:      06-4f-01_config
+Source102:      06-4f-01_disclaimer
 
 # Unsafe early MC update inside VM:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1596627
 Source110:      intel_readme
 Source111:      intel_config
+Source112:      intel_disclaimer
 
+# SNB-EP (CPUID 0x206d7) post-MDS hangs
+# https://bugzilla.redhat.com/show_bug.cgi?id=1758382
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
+Source120:      06-2d-07_readme
+Source121:      06-2d-07_config
+Source122:      06-2d-07_disclaimer
+
+# SKL-SP/W/X (CPUID 0x50654) post-20191112 hangs
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
+Source130:      06-55-04_readme
+Source131:      06-55-04_config
+Source132:      06-55-04_disclaimer
+
+
+# "Provides:" RPM tags generator
 Source200:      gen_provides.sh
 
 ExclusiveArch:  %{ix86} x86_64
@@ -54,7 +80,7 @@ BuildRequires:  systemd-units
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
-Requires(posttrans): kernel
+Requires(posttrans): dracut
 
 %global _use_internal_dependency_generator 0
 %define __find_provides "%{SOURCE200}"
@@ -73,6 +99,14 @@ is no longer used for microcode upload and, as a result, no longer provided.
 %setup -n "Intel-Linux-Processor-Microcode-Data-Files-microcode-%{intel_ucode_version}"
 
 %build
+# replacing SNB-EP (CPUID 0x206d7) microcode with pre-MDS version
+mv intel-ucode/06-2d-07 intel-ucode-with-caveats/
+cp "%{SOURCE2}" intel-ucode/
+
+# replacing SKL-SP/W/X (CPUID 0x50654) microcode with pre-20191112 version
+mv intel-ucode/06-55-04 intel-ucode-with-caveats/
+cp "%{SOURCE3}" intel-ucode/
+
 :
 
 %install
@@ -103,18 +137,21 @@ install "%{SOURCE30}" "%{SOURCE31}" "%{SOURCE32}" \
 ## Documentation
 install -m 755 -d "%{buildroot}/%{_pkgdocdir}/caveats"
 
+# caveats readme
 install "%{SOURCE41}" \
 	-m 644 -t "%{buildroot}/%{_pkgdocdir}/"
 
 # Provide Intel microcode license, as it requires so
 install -m 644 license \
 	"%{buildroot}/%{_pkgdocdir}/LICENSE.intel-ucode"
+
+# Provide release notes for Intel microcode
 install -m 644 releasenote \
 	"%{buildroot}/%{_pkgdocdir}/RELEASE_NOTES.intel-ucode"
 
 # caveats
-install -m 644 "%{SOURCE100}" "%{SOURCE110}" \
-        -t "%{buildroot}/%{_pkgdocdir}/caveats/"
+install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \
+	-t "%{buildroot}/%{_pkgdocdir}/caveats/"
 
 
 ## Caveat data
@@ -122,9 +159,10 @@ install -m 644 "%{SOURCE100}" "%{SOURCE110}" \
 # BDW caveat
 %define bdw_inst_dir %{buildroot}/%{caveat_dir}/intel-06-4f-01/
 install -m 755 -d "%{bdw_inst_dir}/intel-ucode"
-install -m 644 intel-ucode-with-caveats/* -t "%{bdw_inst_dir}/intel-ucode/"
+install -m 644 intel-ucode-with-caveats/06-4f-01 -t "%{bdw_inst_dir}/intel-ucode/"
 install -m 644 "%{SOURCE100}" "%{bdw_inst_dir}/readme"
 install -m 644 "%{SOURCE101}" "%{bdw_inst_dir}/config"
+install -m 644 "%{SOURCE102}" "%{bdw_inst_dir}/disclaimer"
 
 # Early update caveat
 %define intel_inst_dir %{buildroot}/%{caveat_dir}/intel/
@@ -132,12 +170,23 @@ install -m 755 -d "%{intel_inst_dir}/intel-ucode"
 install -m 644 intel-ucode/* -t "%{intel_inst_dir}/intel-ucode/"
 install -m 644 "%{SOURCE110}" "%{intel_inst_dir}/readme"
 install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config"
+install -m 644 "%{SOURCE112}" "%{intel_inst_dir}/disclaimer"
 
+# SNB caveat
+%define snb_inst_dir %{buildroot}/%{caveat_dir}/intel-06-2d-07/
+install -m 755 -d "%{snb_inst_dir}/intel-ucode"
+install -m 644 intel-ucode-with-caveats/06-2d-07 -t "%{snb_inst_dir}/intel-ucode/"
+install -m 644 "%{SOURCE120}" "%{snb_inst_dir}/readme"
+install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config"
+install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer"
 
-## Cleanup
-#rm -f intel-ucode-with-caveats/06-4f-01
-#rmdir intel-ucode-with-caveats
-#rm -rf intel-ucode
+# SKL-SP caveat
+%define skl_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/
+install -m 755 -d "%{skl_inst_dir}/intel-ucode"
+install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_inst_dir}/intel-ucode/"
+install -m 644 "%{SOURCE130}" "%{skl_inst_dir}/readme"
+install -m 644 "%{SOURCE131}" "%{skl_inst_dir}/config"
+install -m 644 "%{SOURCE132}" "%{skl_inst_dir}/disclaimer"
 
 
 %post
@@ -145,6 +194,15 @@ install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config"
 %{update_ucode}
 %{reload_microcode}
 
+# send the message to syslog, so it gets recorded on /var/log
+if [ -e /usr/bin/logger ]; then
+	%{check_caveats} -m -d | /usr/bin/logger -p syslog.notice -t DISCLAIMER
+fi
+# also paste it over dmesg (some customers drop dmesg messages while
+# others keep them into /var/log for the later case, we'll have the
+# disclaimer recorded twice into system logs.
+%{check_caveats} -m -d > /dev/kmsg
+
 exit 0
 
 %posttrans
@@ -237,10 +295,10 @@ rm -f "%{rpm_state_dir}/microcode_ctl_un_file_list"
 exit 0
 
 
-%triggerin -- kernel-core
+%triggerin -- kernel-core, kernel-debug-core, kernel-rt-core, kernel-rt-debug-core
 %{update_ucode}
 
-%triggerpostun -- kernel-core
+%triggerpostun -- kernel-core, kernel-debug-core, kernel-rt-core, kernel-rt-debug-core
 %{update_ucode}
 
 
@@ -260,18 +318,112 @@ rm -rf %{buildroot}
 
 
 %changelog
-* Sun Jun 02 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20180807a-2.20190514a.2
+* Mon Dec 09 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-4
+- Avoid find being SIGPIPE'd on early "grep -q" exit in the dracut script
+  (#1781365).
+
+* Mon Dec 02 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-3
+- Update stale posttrans dependency, add triggers for proper handling
+  of the debug kernel flavour along with kernel-rt (#1766178).
+
+* Mon Nov 18 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-2
+- Do not update 06-55-04 (SKL-SP/W/X) to revision 0x2000065, use 0x2000064
+  by default (#1774322).
+
+* Sat Nov 16 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191115-1
+- Update Intel CPU microcode to microcode-20191115 release:
+  - Update of 06-4e-03/0xc0 (SKL-U/Y D0) from revision 0xd4 up to 0xd6;
+  - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) from revision 0xd4
+    up to 0xd6;
+  - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) from revision 0xc6 up to 0xca;
+  - Update of 06-8e-09/0xc0 (KBL-U/Y H0) from revision 0xc6 up to 0xca;
+  - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) from revision 0xc6 up to 0xca;
+  - Update of 06-8e-0b/0xd0 (WHL-U W0) from revision 0xc6 up to 0xca;
+  - Update of 06-8e-0c/0x94 (AML-Y V0, CML-U 4+2 V0, WHL-U V0) from revision
+    0xc6 up to 0xca;
+  - Update of 06-9e-09/0x2a (KBL-G/X H0, KBL-H/S/Xeon E3 B0) from revision 0xc6
+    up to 0xca;
+  - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) from revision 0xc6 up to 0xca;
+  - Update of 06-9e-0b/0x02 (CFL-S B0) from revision 0xc6 up to 0xca;
+  - Update of 06-9e-0c/0x22 (CFL-S/Xeon E P0) from revision 0xc6 up to 0xca;
+  - Update of 06-9e-0d/0x22 (CFL-H/S R0) from revision 0xc6 up to 0xca;
+  - Update of 06-a6-00/0x80 (CML-U 6+2 A0) from revision 0xc6 up to 0xca.
+
+* Fri Nov 15 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191113-1
+- Update Intel CPU microcode to microcode-20191113 release:
+  - Update of 06-9e-0c (CFL-H/S P0) microcode from revision 0xae up to 0xc6.
+- Drop 0001-releasenote-changes-summary-fixes.patch.
+
+* Tue Nov 12 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191112-2
+- Package the publicy available microcode-20191112 release (#1755027):
+  - Addition of 06-4d-08/0x1 (AVN B0/C0) microcode at revision 0x12d;
+  - Addition of 06-55-06/0xbf (CSL-SP B0) microcode at revision 0x400002c;
+  - Addition of 06-7a-08/0x1 (GLK R0) microcode at revision 0x16;
+  - Update of 06-55-03/0x97 (SKL-SP B1) microcode from revision 0x1000150
+    up to 0x1000151;
+  - Update of 06-55-04/0xb7 (SKL-SP H0/M0/U0, SKL-D M1) microcode from revision
+    0x2000064 up to 0x2000065;
+  - Update of 06-55-07/0xbf (CSL-SP B1) microcode from revision 0x500002b
+    up to 0x500002c;
+  - Update of 06-7a-01/0x1 (GLK B0) microcode from revision 0x2e up to 0x32;
+- Include 06-9e-0c (CFL-H/S P0) microcode from the microcode-20190918 release.
+- Correct the releasenote file (0001-releasenote-changes-summary-fixes.patch).
+- Update README.caveats with the link to the new Knowledge Base article.
+
+* Thu Nov 07 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20191112-1
+- Intel CPU microcode update to 20191112, addresses CVE-2017-5715,
+  CVE-2019-0117, CVE-2019-11135, CVE-2019-11139 (#1755019, #1764060, #1764073,
+  #1764952, #1764972, #1765000, #1765404, #1765416, #1766444, #1766873):
+  - Addition of 06-a6-00/0x80 (CML-U 6+2 A0) microcode at revision 0xc6;
+  - Addition of 06-66-03/0x80 (CNL-U D0) microcode at revision 0x2a;
+  - Addition of 06-55-03/0x97 (SKL-SP B1) microcode at revision 0x1000150;
+  - Addition of 06-7e-05/0x80 (ICL-U/Y D1) microcode at revision 0x46;
+  - Update of 06-4e-03/0xc0 (SKL-U/Y D0) microcode from revision 0xcc to 0xd4;
+  - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) microcode from revision 0xcc
+    to 0xd4
+  - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode from revision 0xb4 to 0xc6;
+  - Update of 06-8e-09/0xc0 (KBL-U/Y H0) microcode from revision 0xb4 to 0xc6;
+  - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) microcode from revision 0xb4
+    to 0xc6;
+  - Update of 06-8e-0b/0xd0 (WHL-U W0) microcode from revision 0xb8 to 0xc6;
+  - Update of 06-8e-0c/0x94 (AML-Y V0) microcode from revision 0xb8 to 0xc6;
+  - Update of 06-8e-0c/0x94 (CML-U 4+2 V0) microcode from revision 0xb8 to 0xc6;
+  - Update of 06-8e-0c/0x94 (WHL-U V0) microcode from revision 0xb8 to 0xc6;
+  - Update of 06-9e-09/0x2a (KBL-G/X H0) microcode from revision 0xb4 to 0xc6;
+  - Update of 06-9e-09/0x2a (KBL-H/S/Xeon E3 B0) microcode from revision 0xb4
+    to 0xc6;
+  - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) microcode from revision 0xb4
+    to 0xc6;
+  - Update of 06-9e-0b/0x02 (CFL-S B0) microcode from revision 0xb4 to 0xc6;
+  - Update of 06-9e-0d/0x22 (CFL-H R0) microcode from revision 0xb8 to 0xc6.
+
+* Thu Oct 10 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190918-3
+- Rework dracut hook to address dracut's early initramfs generation
+  behaviour (#1760508).
+
+* Sun Oct 06 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190918-2
+- Do not update 06-2d-07 (SNB-E/EN/EP) to revision 0x718, use 0x714
+  by default.
+
+* Thu Sep 19 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190918-1
+- Intel CPU microcode update to 20190918 (#1753544).
+- Add new disclaimer, generated based on relevant caveats.
+
+* Wed Jun 19 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190618-1
+- Intel CPU microcode update to 20190618 (#1717240).
+
+* Sun Jun 02 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190514a-2
 - Remove disclaimer, as it is not as important now to justify kmsg/log
   pollution; its contents are partially adopted in README.caveats.
 
-* Mon May 20 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20180807a-2.20190514a.1
-- Intel CPU microcode update to 20190514a (#1715334).
+* Mon May 20 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190514a-1
+- Intel CPU microcode update to 20190514a (#1711940).
 
-* Fri May 10 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20180807a-2.20190507.1
-- Intel CPU microcode update to 20190507 (#1704339).
+* Thu May 09 2019 Eugene Syromiatnikov <esyr@redhat.com> - 4:20190507-1
+- Intel CPU microcode update to 20190507 (#1697901).
 
-* Fri May 10 2019 Eugene Syromiatnikov <esyr@redhat.com> 4:20180807a-2.20190312.1
-- Intel CPU microcode update to 20190312 (#1704339).
+* Mon Apr 15 2019 Eugene Syromiatnikov <esyr@redhat.com> 4:20190312-1
+- Intel CPU microcode update to 20190312 (#1660320).
 - Add "Provides:" tags generation.
 
 * Tue Nov 06 2018 Eugene Syromiatnikov <esyr@redhat.com> 4:20180807a-2