Compare commits

...

No commits in common. "c8" and "imports/c8s/microcode_ctl-20201112-1.el8" have entirely different histories.

26 changed files with 321 additions and 2709 deletions

2
.gitignore vendored
View File

@ -4,4 +4,4 @@ SOURCES/06-55-04
SOURCES/06-5e-03 SOURCES/06-5e-03
SOURCES/microcode-20190918.tar.gz SOURCES/microcode-20190918.tar.gz
SOURCES/microcode-20191115.tar.gz SOURCES/microcode-20191115.tar.gz
SOURCES/microcode-20240910.tar.gz SOURCES/microcode-20201112.tar.gz

View File

@ -4,4 +4,4 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz 774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
2815182aa376dba6d534bc087a27fe9f27def1d2 SOURCES/microcode-20240910.tar.gz 010507b8a7ca0b5c4a01cd1f8a6adae5f0fd316d SOURCES/microcode-20201112.tar.gz

View File

@ -1,3 +1,13 @@
model GenuineIntel 06-2d-07 model GenuineIntel 06-2d-07
path intel-ucode/06-2d-07 path intel-ucode/06-2d-07
dependency required intel ## The "kernel_early" statements are carried over from the intel caveat config
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1

View File

@ -1,4 +1,3 @@
model GenuineIntel 06-4e-03 model GenuineIntel 06-4e-03
path intel-ucode/06-4e-03 path intel-ucode/06-4e-03
dependency required intel
disable early late disable early late

View File

@ -13,9 +13,6 @@ microcode revisions in question are listed below:
* 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e * 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e
* 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c * 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c
* 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366 * 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366
* 06-4e-03, revision 0xea: 5a54cab9f22f69b819d663e5747ed6ea2a326c55
* 06-4e-03, revision 0xec: d949a8543d2464d955f5dc4b0777cac863f48729
* 06-4e-03, revision 0xf0: 37475bac70457ba8df2c1a32bba81bd7bd27d5e8
Please contact your system vendor for a BIOS/firmware update that contains Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions the latest microcode version. For the information regarding microcode versions
@ -43,20 +40,6 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
The information regarding enforcing microcode update is provided below. The information regarding enforcing microcode update is provided below.

View File

@ -11,5 +11,11 @@ kernel 2.6.32-573.58.1
kernel 2.6.32-504.71.1 kernel 2.6.32-504.71.1
kernel 2.6.32-431.90.1 kernel 2.6.32-431.90.1
kernel 2.6.32-358.90.1 kernel 2.6.32-358.90.1
dependency required intel skip=success match-model-mode=off kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1
mc_min_ver_late 0xb000019
disable early late disable early late

View File

@ -28,11 +28,6 @@ to the following knowledge base articles:
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"): ("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151 https://access.redhat.com/articles/4138151
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding enforcing microcode load is provided below. The information regarding enforcing microcode load is provided below.

View File

@ -9,4 +9,14 @@ path intel-ucode/06-55-04
## are provided for speeding up the search only, VID:DID is the real selector. ## are provided for speeding up the search only, VID:DID is the real selector.
## Commented out since revision 0x2006906 seems to fix the issue. ## Commented out since revision 0x2006906 seems to fix the issue.
#pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8 #pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
dependency required intel ## The "kernel_early" statements are carried over from the intel caveat config
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1

View File

@ -18,13 +18,6 @@ microcode revisions in question are listed below:
* 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23 * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
* 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967 * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
* 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212 * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
* 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
* 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
* 06-55-04, revision 0x2006c0a: 76b641375d136c08f5feb46aacebee40468ac085
* 06-55-04, revision 0x2006d05: dc4207cf4eb916ff34acbdddc474db0df781234f
* 06-55-04, revision 0x2006e05: bc67d247ad1c9a834bec5e452606db1381d6bc7e
* 06-55-04, revision 0x2006f05: c47277a6a47caedb518f311ce5d339528a8347e2
* 06-55-04, revision 0x2007006: 68ae0f321685ff97b50266bc20818f31563fc67c
Please contact your system vendor for a BIOS/firmware update that contains Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions the latest microcode version. For the information regarding microcode versions
@ -52,24 +45,6 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
CVE-2022-21136 (Overclocking service access protection),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
* CVE-2022-21233 (Stale Data Read from legacy xAPIC):
https://access.redhat.com/articles/6976398
The information regarding disabling microcode update is provided below. The information regarding disabling microcode update is provided below.

View File

@ -1,3 +1,3 @@
model GenuineIntel 06-5e-03 model GenuineIntel 06-5e-03
path intel-ucode/06-5e-03 path intel-ucode/06-5e-03
dependency required intel disable early late

View File

@ -1,24 +1,18 @@
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94, Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) had reports of possible system hangs when revision 0xdc stepping 3) have reports of possible system hangs when revision 0xdc
of microcode, that is included in microcode-20200609 update to address of microcode, that is included in microcode-20200609 update to address
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, is applied[1]. In order
to address this, microcode updates to the newer revision had been disabled to address this, microcode update to the newer revision has been disabled
by default on these systems, and the previously published microcode revision by default on these systems, and the previously published microcode revision
0xd6 was used by default for the OS-driven microcode update. The revision 0xd6 is used by default for the OS-driven microcode update.
0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
For the reference, SHA1 checksums of 06-5e-03 microcode files containing For the reference, SHA1 checksums of 06-5e-03 microcode files containing
microcode revisions in question are listed below: microcode revisions in question are listed below:
* 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a
* 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7 * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7
* 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c * 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c
* 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8
* 06-5e-03, revision 0xec: 6458bf25da4906479a01ffdcaa6d466e22722e01
* 06-5e-03, revision 0xf0: 0683706bbbf470abbdad4b9923aa9647bfec9616
Please contact your system vendor for a BIOS/firmware update that contains Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions the latest microcode version. For the information regarding microcode versions
@ -46,42 +40,32 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
The information regarding disabling microcode update is provided below. The information regarding enforcing microcode update is provided below.
To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel To enforce usage of the latest 06-5e-03 microcode revision for a specific kernel
version, please create a file "disallow-intel-06-5e-03" inside version, please create a file "force-intel-06-5e-03" inside
/lib/firmware/<kernel_version> directory, run /lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
where microcode is available for late microcode update, and run where microcode will be available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version "dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated, for example: is regenerated and the microcode can be loaded early, for example:
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03 touch /lib/firmware/3.10.0-862.9.1/force-intel-06-5e-03
/usr/libexec/microcode_ctl/update_ucode /usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1 dracut -f --kver 3.10.0-862.9.1
To avoid addition of the latest microcode for all kernels, please create file After that, it is possible to perform a late microcode update by executing
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run "/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates, "/sys/devices/system/cpu/microcode/reload" directly.
and "dracut -f --regenerate-all" for early microcode updates:
To enforce addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03", run
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
and "dracut -f --regenerate-all" for enabling early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03 touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03
/usr/libexec/microcode_ctl/update_ucode /usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all dracut -f --regenerate-all

View File

@ -1,3 +1,3 @@
model GenuineIntel 06-8c-01 model GenuineIntel 06-8c-01
path intel-ucode/06-8c-01 path intel-ucode/06-8c-01
dependency required intel skip=success match-model-mode=off disable early late

View File

@ -1,64 +1,38 @@
Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1) Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
had reports of system hangs when a microcode update, that was included have reports of system hangs when a microcode update, that is included
since microcode-20201110 update, was applied[1]. In order to address this, since microcode-20201110 update, is applied[1]. In order to address this,
microcode update had been disabled by default on these systems. The revision microcode update has been disabled by default on these systems.
0x88 seems to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
For the reference, SHA1 checksums of 06-8c-01 microcode files containing
microcode revisions in question are listed below:
* 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04
* 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
* 06-8c-01, revision 0x9a: 48b3ae8d27d8138b5b47052d2f8184bf555ad18e
* 06-8c-01, revision 0xa4: 70753f54f5be84376bdebeb710595e4dc2f6d92f
* 06-8c-01, revision 0xa6: fdcf89e3a15a20df8aeee215b78bf5d13d731044
* 06-8c-01, revision 0xaa: cf84883f6b3184690c25ccade0b10fa839ac8657
* 06-8c-01, revision 0xac: b9f342e564a0be372ed1f4709263bf811feb022a
* 06-8c-01, revision 0xb4: 6596bb8696cde85538bb833d090f0b7a42d6ae14
* 06-8c-01, revision 0xb6: 76556e8248a89f38cd55a6c83dccc995ba176091
* 06-8c-01, revision 0xb8: 6e9b138d1db2934479b179af4a3a19e843c4b4e4
Please contact your system vendor for a BIOS/firmware update that contains Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions the latest microcode version.
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0145 (Fast store forward predictor - Cross Domain Training):
https://access.redhat.com/articles/6716541
* CVE-2022-21123 (Shared Buffers Data Read):
https://access.redhat.com/articles/6963124
The information regarding disabling microcode update is provided below. The information regarding enforcing microcode update is provided below.
To disable 06-8c-01 microcode updates for a specific kernel To enforce usage of the latest 06-8c-01 microcode revision for a specific kernel
version, please create a file "disallow-intel-06-8c-01" inside version, please create a file "force-intel-06-8c-01" inside
/lib/firmware/<kernel_version> directory, run /lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
directory where microcode is available for late microcode update, and run where microcode will be available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version "dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated, for example: is regenerated and the microcode can be loaded early, for example:
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01 touch /lib/firmware/3.10.0-862.9.1/force-intel-06-8c-01
/usr/libexec/microcode_ctl/update_ucode /usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1 dracut -f --kver 3.10.0-862.9.1
To avoid addition of this microcode for all kernels, please create file After that, it is possible to perform a late microcode update by executing
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run "/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates, "/sys/devices/system/cpu/microcode/reload" directly.
and "dracut -f --regenerate-all" for early microcode updates:
To enforce addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01", run
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
and "dracut -f --regenerate-all" for enabling early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01 touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01
/usr/libexec/microcode_ctl/update_ucode /usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all dracut -f --regenerate-all

View File

@ -1,5 +1,4 @@
path intel-ucode/* path intel-ucode/*
vendor GenuineIntel vendor GenuineIntel
dmi mode=fail-equal key=bios_vendor val="Dell Inc." dmi mode=fail-equal key=bios_vendor val="Dell Inc."
dependency required intel
disable early late disable early late

View File

@ -82,74 +82,6 @@ in question:
* 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542 * 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542
* 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c * 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c
* 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d
* 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8
* 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac
* 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3
* 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668
* 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4
* 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c
* 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4
* 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a
* 06-8e-09, revision 0xec: 78eb624be5e8084e438318bdad99f9ddc082def7
* 06-8e-0a, revision 0xec: 6c41a6ad412f48f81a9d5edf59dcdecc358398bf
* 06-8e-0b, revision 0xec: 89dd0de598c83eb9714f6839499f322dfce2b693
* 06-8e-0c, revision 0xec: 225ea349b9cb3b1b94e237deb797e0c60d14a84c
* 06-9e-09, revision 0xec: fc5c0206fe392a0ddad4dc9363fde2d3e3d1e681
* 06-9e-0a, revision 0xec: 128002076e4ac3c75697fb4efdf1f8ddcc971fbe
* 06-9e-0b, revision 0xec: ac8c3865a143b2e03869f15a5b86e560f60ad632
* 06-9e-0c, revision 0xec: 6e3d695290def517857c8e743dc65161479f0c04
* 06-9e-0d, revision 0xec: 58b1ec5fee7dd1a761ed901b374ccb978737a979
* 06-8e-09, revision 0xf0: 219e2b9168a09451b17813b97995cc59cc78b414
* 06-8e-0a, revision 0xf0: 3c4241d0b9d1a1a1e82d03b365fdd3b843006a7c
* 06-8e-0b, revision 0xf0: 79b61f034cba86e61641114bbab49ec0166c0f35
* 06-8e-0c, revision 0xf0: 11d166de440dbe9c440e90cb610ef4b9d48242b1
* 06-9e-09, revision 0xf0: 49e142da74e7298b2db738ff7dd1a9b0fa4e0c3e
* 06-9e-0a, revision 0xf0: 8de1d4a80cd683bf09854c33905c69d3d7ac7730
* 06-9e-0b, revision 0xf0: ff092c6ac8333f0abcd94f7d2e2088f31d960e62
* 06-9e-0c, revision 0xf0: 3702f21e87b75bea6f4b1ee0407b941ef31d4ad1
* 06-9e-0d, revision 0xf0: 226feaaa431eb76e734ab68efc2ea7b07aa3c7d9
* 06-8e-0c, revision 0xf4: 6a5e140bf8c046acb6958bad1db1fee66c8601ad
* 06-9e-0d, revision 0xf4: 3433d4394b05a9c8aefb9c46674bad7b7e934f11
* 06-8e-09, revision 0xf2: 2e67e55d7b805edcfaac57898088323df7315b25
* 06-8e-0a, revision 0xf2: f9e1dbeb969ded845b726c62336f243099714bcf
* 06-8e-0b, revision 0xf2: 3d45fbcbefd92dbbedf0eed04aeb29c7430c7c0e
* 06-8e-0c, revision 0xf6: bd37be38dbd046d4d66f126cfaa79e43bfe88c0d
* 06-9e-09, revision 0xf2: 716257544acf2c871d74e4627e7de86ee1024185
* 06-9e-0a, revision 0xf2: 933c5d6710195336381e15a160d36aaa52d358fd
* 06-9e-0b, revision 0xf2: 92eaafdb72f6d4231046aadb92caa0038e94fca8
* 06-9e-0c, revision 0xf2: ad8922b4f91b5214dd88c56c0a12d15edb9cea5b
* 06-9e-0d, revision 0xf8: 8fdea727c6ce46b26e0cffa6ee4ff1ba0c45cf14
* 06-8e-09, revision 0xf4: e059ab6b168f3831d624acc153e18ab1c8488570
* 06-8e-0a, revision 0xf4: d1ade1ccfe5c6105d0786dfe887696808954f8b4
* 06-8e-0b, revision 0xf4: 0bc93736f3f5b8b6569bebac4e9627ab923621e0
* 06-8e-0c, revision 0xf8: be93b4826a3f40219a9fc4fc5afa87b320279f6e
* 06-9e-09, revision 0xf4: 317564f3ac7b99b5900b91e2be3e23b9b66bc2c0
* 06-9e-0a, revision 0xf4: 9659f73e2c6081eb5c146c5ed763fa5db21df901
* 06-9e-0b, revision 0xf4: e60b567ad54da129d05a77e305cae4488579979d
* 06-9e-0c, revision 0xf4: 74d52a11a905dd7b254fa72b014c3bab8022ba3d
* 06-9e-0d, revision 0xfa: 484738563e793d5b90b94869dc06edf0407182f1
* 06-8e-0c, revision 0xfa: d2c2ed4634b2f345382991237bedb90430fcc0b3
* 06-9e-09, revision 0xf8: 69b8a5435bfb976ef5ec5930dae870e26835442e
* 06-9e-0a, revision 0xf6: c1f0f556cd203aa6e1d0d1ffb0a65b32f32692be
* 06-9e-0c, revision 0xf6: a8dfddd009f750b6528f93556b67d4eeca1e5dfa
* 06-9e-0d, revision 0xfc: a0ad865fd2d3b9d955a889c96fabc67da0235dda
* 06-8e-09, revision 0xf6: c2786ef2eb4feb8ac3e3efae83c361de3ad8df0d
* 06-8e-0a, revision 0xf6: 9bb2839d451ecee40c1eb08f40e4baec9a159e90
* 06-8e-0b, revision 0xf6: 7b60fc7d44654976df32971a45399b3b910f3390
* 06-8e-0c, revision 0xfc: 34efc9a54dc32082b898116840c0a1a1cef59e69
* 06-9e-0a, revision 0xf8: 880163a2da13ed1eae1654535d751a788de6fa3f
* 06-9e-0b, revision 0xf6: ca90c9139d0c1554f6d17ae1bdcf94d0faa6ece7
* 06-9e-0c, revision 0xf8: 97dcc36772894619ab28be8c35c4ff9f15d684ae
* 06-9e-0d, revision 0x100: 1a00b6a4373b95811c6396f2a0d8d497f4006fb7
Please contact your system vendor for a BIOS/firmware update that contains Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer required for mitigating specific side-channel cache attacks, please refer
@ -176,20 +108,6 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
The information regarding disabling microcode update is provided below. The information regarding disabling microcode update is provided below.

View File

@ -4,4 +4,14 @@ vendor GenuineIntel
## in cases where no model filter is used is too broad, hence ## in cases where no model filter is used is too broad, hence
## no-model-mode=success. ## no-model-mode=success.
dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc." dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc."
dependency required intel ## The "kernel_early" statements are carried over from the intel caveat config
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1

View File

@ -82,74 +82,6 @@ in question:
* 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542 * 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542
* 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c * 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c
* 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d
* 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8
* 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac
* 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3
* 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668
* 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4
* 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c
* 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4
* 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a
* 06-8e-09, revision 0xec: 78eb624be5e8084e438318bdad99f9ddc082def7
* 06-8e-0a, revision 0xec: 6c41a6ad412f48f81a9d5edf59dcdecc358398bf
* 06-8e-0b, revision 0xec: 89dd0de598c83eb9714f6839499f322dfce2b693
* 06-8e-0c, revision 0xec: 225ea349b9cb3b1b94e237deb797e0c60d14a84c
* 06-9e-09, revision 0xec: fc5c0206fe392a0ddad4dc9363fde2d3e3d1e681
* 06-9e-0a, revision 0xec: 128002076e4ac3c75697fb4efdf1f8ddcc971fbe
* 06-9e-0b, revision 0xec: ac8c3865a143b2e03869f15a5b86e560f60ad632
* 06-9e-0c, revision 0xec: 6e3d695290def517857c8e743dc65161479f0c04
* 06-9e-0d, revision 0xec: 58b1ec5fee7dd1a761ed901b374ccb978737a979
* 06-8e-09, revision 0xf0: 219e2b9168a09451b17813b97995cc59cc78b414
* 06-8e-0a, revision 0xf0: 3c4241d0b9d1a1a1e82d03b365fdd3b843006a7c
* 06-8e-0b, revision 0xf0: 79b61f034cba86e61641114bbab49ec0166c0f35
* 06-8e-0c, revision 0xf0: 11d166de440dbe9c440e90cb610ef4b9d48242b1
* 06-9e-09, revision 0xf0: 49e142da74e7298b2db738ff7dd1a9b0fa4e0c3e
* 06-9e-0a, revision 0xf0: 8de1d4a80cd683bf09854c33905c69d3d7ac7730
* 06-9e-0b, revision 0xf0: ff092c6ac8333f0abcd94f7d2e2088f31d960e62
* 06-9e-0c, revision 0xf0: 3702f21e87b75bea6f4b1ee0407b941ef31d4ad1
* 06-9e-0d, revision 0xf0: 226feaaa431eb76e734ab68efc2ea7b07aa3c7d9
* 06-8e-0c, revision 0xf4: 6a5e140bf8c046acb6958bad1db1fee66c8601ad
* 06-9e-0d, revision 0xf4: 3433d4394b05a9c8aefb9c46674bad7b7e934f11
* 06-8e-09, revision 0xf2: 2e67e55d7b805edcfaac57898088323df7315b25
* 06-8e-0a, revision 0xf2: f9e1dbeb969ded845b726c62336f243099714bcf
* 06-8e-0b, revision 0xf2: 3d45fbcbefd92dbbedf0eed04aeb29c7430c7c0e
* 06-8e-0c, revision 0xf6: bd37be38dbd046d4d66f126cfaa79e43bfe88c0d
* 06-9e-09, revision 0xf2: 716257544acf2c871d74e4627e7de86ee1024185
* 06-9e-0a, revision 0xf2: 933c5d6710195336381e15a160d36aaa52d358fd
* 06-9e-0b, revision 0xf2: 92eaafdb72f6d4231046aadb92caa0038e94fca8
* 06-9e-0c, revision 0xf2: ad8922b4f91b5214dd88c56c0a12d15edb9cea5b
* 06-9e-0d, revision 0xf8: 8fdea727c6ce46b26e0cffa6ee4ff1ba0c45cf14
* 06-8e-09, revision 0xf4: e059ab6b168f3831d624acc153e18ab1c8488570
* 06-8e-0a, revision 0xf4: d1ade1ccfe5c6105d0786dfe887696808954f8b4
* 06-8e-0b, revision 0xf4: 0bc93736f3f5b8b6569bebac4e9627ab923621e0
* 06-8e-0c, revision 0xf8: be93b4826a3f40219a9fc4fc5afa87b320279f6e
* 06-9e-09, revision 0xf4: 317564f3ac7b99b5900b91e2be3e23b9b66bc2c0
* 06-9e-0a, revision 0xf4: 9659f73e2c6081eb5c146c5ed763fa5db21df901
* 06-9e-0b, revision 0xf4: e60b567ad54da129d05a77e305cae4488579979d
* 06-9e-0c, revision 0xf4: 74d52a11a905dd7b254fa72b014c3bab8022ba3d
* 06-9e-0d, revision 0xfa: 484738563e793d5b90b94869dc06edf0407182f1
* 06-8e-0c, revision 0xfa: d2c2ed4634b2f345382991237bedb90430fcc0b3
* 06-9e-09, revision 0xf8: 69b8a5435bfb976ef5ec5930dae870e26835442e
* 06-9e-0a, revision 0xf6: c1f0f556cd203aa6e1d0d1ffb0a65b32f32692be
* 06-9e-0c, revision 0xf6: a8dfddd009f750b6528f93556b67d4eeca1e5dfa
* 06-9e-0d, revision 0xfc: a0ad865fd2d3b9d955a889c96fabc67da0235dda
* 06-8e-09, revision 0xf6: c2786ef2eb4feb8ac3e3efae83c361de3ad8df0d
* 06-8e-0a, revision 0xf6: 9bb2839d451ecee40c1eb08f40e4baec9a159e90
* 06-8e-0b, revision 0xf6: 7b60fc7d44654976df32971a45399b3b910f3390
* 06-8e-0c, revision 0xfc: 34efc9a54dc32082b898116840c0a1a1cef59e69
* 06-9e-0a, revision 0xf8: 880163a2da13ed1eae1654535d751a788de6fa3f
* 06-9e-0b, revision 0xf6: ca90c9139d0c1554f6d17ae1bdcf94d0faa6ece7
* 06-9e-0c, revision 0xf8: 97dcc36772894619ab28be8c35c4ff9f15d684ae
* 06-9e-0d, revision 0x100: 1a00b6a4373b95811c6396f2a0d8d497f4006fb7
Please contact your system vendor for a BIOS/firmware update that contains Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer required for mitigating specific side-channel cache attacks, please refer
@ -176,20 +108,6 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
The information regarding disabling microcode update is provided below. The information regarding disabling microcode update is provided below.

View File

@ -22,30 +22,6 @@ microcode files and their usage.
* SECURITY.intel-ucode * SECURITY.intel-ucode
"security.md" file from the Intel x86 CPU microcode archive. "security.md" file from the Intel x86 CPU microcode archive.
* SUMMARY.intel-ucode * SUMMARY.intel-ucode
Information about supplied microcode files extracted from their headers, Information about supplied microcode files extracted from their headers.
in a table form. Columns have the following meaning:
* "Path": path to the microcode file under one of the following directories:
* /usr/share/microcode_ctl/ucode_with_caveats/intel
* /usr/share/microcode_ctl/ucode_with_caveats
* /usr/share/microcode_ctl
* /lib/firmware
* /etc/firmware
* "Offset": offset of the microcode blob within the micocode file in bytes.
* "Ext. Offset": offset of the extended signature header within
the microcode file in bytes.
* "Data Size": size of microcode data in bytes. 0 means 2000 bytes.
* "Total Size": size of microcode blob in bytes, incuding headers.
0 means 2048 bytes.
* "CPUID": CPU ID signature (in format returned by the CPUID instruction).
* "Platform ID Mask": mask of suitable Platform IDs (provided in bits
52..50 of MSR 0x17).
* "Revision": microcode revision.
* "Date": microcode creation date.
* "Checksum": sum (in base 1<< 32) of all 32-bit values comprising
the microcode (from Offset up to Offset + Total Size).
* "Codenames": list of known CPU codenames associated with the CPUID
and Platform ID Mask combination.
Please refer to README.cavets, section "Microcode file structure"
for additional information regarding microcode header fields.
* caveats * caveats
Directory that contains readme files for each specific caveat. Directory that contains readme files for specific caveats.

View File

@ -89,75 +89,6 @@ installation or removal of a kernel RPM in order to provide microcode files
for newly installed kernels and cleanup symlinks for the uninstalled ones. for newly installed kernels and cleanup symlinks for the uninstalled ones.
Microcode file structure
------------------------
Intel x86 CPU microcode file (that is, one that can be directly consumed
by the CPU/kernel, and not its text representation such as used in microcode.dat
files) is a bundle of concatenated microcode blobs. Each blob has a header,
payload, and an optional additional data, as follows (for additional information
please refer to "Intel® 64 and IA-32 Architectures Software Developers Manual"
[1], Volume 3A, Section 9.11.1 "Microcode Update"):
* Header (48 bytes)
* Header version (unsigned 32-bit integer): version number of the update
header. Must be 0x1.
* Microcode revision (signed 32-bit integer)
* Microcode date (unsigned 32-bit integer): encoded as BCD in mmddyyyy format
(0x03141592 is 1592-03-14 in ISO 8601)
* CPU signature (unsigned 32-bit integer): CPU ID, as provided
by the CPUID (EAX = 0x1) instruction in the EAX register:
* bits 31..28: reserved
* bits 27..20: "Extended Family", summed with the Family field value
* bits 19..16: "Extended Model", bits 7..4 of the CPU model
* bits 15..14: reserved
* bits 13..12: "Processor Type", non-zero value (other than the "primary
processor") so far used only for the Deschutes (Pentium II) CPU family,
with the processor type of 1, to signify it is an Overdrive processor:
CPUID 0x1632.
* bits 11..08: Family, summed with the Extended Family field value
* bits 07..04: Model (bits 3..0)
* bits 03..00: Stepping
In short, microcode file with Family-Model-Stepping of uv-wx-0z corresponds
to CPUID 0x0TUw0Vxz, where uv = TU + V, with V usually being 0xF when
uv >= 16; with Family being 6 on most of recent Intel CPUs this transforms
into 0x000w06xz. Please also refer to README.intel-ucode, section "About
Processor Signature, Family, Model, Stepping and Platform ID"
for additional information.
* Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32) of all
the 32-bit integers comprising the microcode amounts to 0.
* Loader version (unsigned 32-bit integer): 0x1.
* Platform ID mask (unsigned 32-bit integer): lower 8 bits indicate the set
of possible values of bits 52..50 of MSR 0x17 ("Platform ID"). In old
(up to Pentium II) microcode blobs the mask may be zero.
* Data size (unsigned 32-bit integer): size of the Payload in bytes,
has to be divisible by 4. 0 means 2000.
* Total size (unsigned 32-bit integer): total microcode blob size (including
header and extended header), has to be divisible by 1024. 0 means 2048.
* Reserved (12 bytes).
* Payload
* Additional data (optional, 20 + 12 * n bytes)
* Extended signature table header (20 bytes)
* Extended signature count (unsigned 32-bit integer)
* Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32)
of all the 32-bit integers comprising the extender signature table
amounts to 0.
* Reserved (12 bytes).
* Extended signature (12 bytes each)
* CPU signature (unsigned 32-bit integer): see the description of the CPU
signature field in the Header above.
* Platform ID mask (unsigned 32-bit integer): see the description
of the Platform ID mask field in the Header above.
* Checksum (unsigned 32-bit integer): correct if sum (in base 1<< 32)
of all the 32-bit integers comprising the Header (with CPU signature
and Platform ID mask fields replaced with the values from this signature)
and the Payload amounts to 0. Note that since External signature table
header has its own checksum, sum of all its 32-bit values amounts to 0,
so the Checksum in the Header and in the Extended signature will be
the same if the values of CPU signature and Platform ID mask fields
are the same,
[1] https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-1-2a-2b-2c-2d-3a-3b-3c-3d-and-4.html
Caveat configuration Caveat configuration
-------------------- --------------------
There is a directory for each caveat under There is a directory for each caveat under
@ -225,6 +156,10 @@ separated by white space. Currently, the following options are supported:
configuration. Argument for the argument is a list of stages ("early", configuration. Argument for the argument is a list of stages ("early",
"late") for which the caveat should be disable. The configuration option "late") for which the caveat should be disable. The configuration option
can be provided multiple times in a configuration file. can be provided multiple times in a configuration file.
* "blacklist" is a marker for a start of list of blacklisted model names,
one model name per line. The model name of the running CPU (as reported
in /proc/cpuinfo) is compared against the names in the provided list, and,
if there is a match, caveat check fails.
* "pci_config_val" performs check for specific values in selected parts * "pci_config_val" performs check for specific values in selected parts
of configuration space of specified PCI devices. If "-m" option of configuration space of specified PCI devices. If "-m" option
is not specified, then the actual check is skipped, and the check returns is not specified, then the actual check is skipped, and the check returns
@ -269,9 +204,8 @@ separated by white space. Currently, the following options are supported:
it fails (in accordance with "mode=success-all" semantics). This check fails it fails (in accordance with "mode=success-all" semantics). This check fails
if "-m" option is not specified. if "-m" option is not specified.
* "dmi" performs checks for specific values available in DMI sysfs files * "dmi" performs checks for specific values available in DMI sysfs files
(present under /sys/devices/virtual/dmi/id/). The check (when it is actually (present under /sys/devices/virtual/dmi/id/). The check fails if file
performed; see a not about "no-model-mode" below) fails if one of the files is not readable. If "-m" option is specified, then the actual check
is not readable. If "-m" option is not specified, then the actual check
is skipped, and the check returns value in accordance with "no-model-mode" is skipped, and the check returns value in accordance with "no-model-mode"
parameter value (see below). Check arguments are a white-space-separated parameter value (see below). Check arguments are a white-space-separated
list of "key=value" pairs. The following keys are supported: list of "key=value" pairs. The following keys are supported:
@ -281,30 +215,17 @@ separated by white space. Currently, the following options are supported:
chassis_type, chassis_vendor, chassis_version, product_family, chassis_type, chassis_vendor, chassis_version, product_family,
product_name, product_serial, product_uuid, product_version, sys_vendor. product_name, product_serial, product_uuid, product_version, sys_vendor.
Default is empty string. Default is empty string.
* "val" - a string to match DMI data present in "key" against. * "val" - a string to match DMI data against. Can be enclosed in single
Can be enclosed in single or double quotes. Default is empty string. or double quotes. Default is empty string.
* "keyval" - a pair of "key" and "val" values (with semantics described * "mode" - check mode, the way matches are interpreted:
above), separated with either "=", ":", "!=", or "!:" characters. Enables
providing of multiple key-value pairs by means of supplying multiple
keyval= parameters. The exclamation sign ("!") character in separator
enables negated matching (so, non-equality of the value in DMI "key" file
and the value of "val" is). The match considered successful when all
the key/val (non-)equalities are in effect. This parameter works
in addition to the pair provided in "key" and "val" parameters
(but allows to avoid using them). Default is empty.
* "mode" - check mode, the way successful matches are interpreted:
* "success-equal" - returns 0 if the value present in the file * "success-equal" - returns 0 if the value present in the file
with the name supplied via the "key" parameter file under with the name supplied via the "key" parameter file under
/sys/devices/virtual/dmi/id/ is equal to the value supplied as a value /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
of "val" parameter and all the pairs provided in "keyval" parameters of "val" parameter, otherwise 1.
are equal and non-equal in accordance with their definition, * "success-equal" - returns 1 if the value present in the file
otherwise 1.
* "fail-equal" - returns 1 if the value present in the file
with the name supplied via the "key" parameter file under with the name supplied via the "key" parameter file under
/sys/devices/virtual/dmi/id/ is equal to the value supplied as a value /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
of "val" parameter and all the pairs provided in "keyval" parameters of "val" parameter, otherwise 0.
are equal and non-equal in accordance with their definition,
otherwise 0.
Default is "success-any". Default is "success-any".
* "no-model-mode" - return value if model filter ("-m" option) * "no-model-mode" - return value if model filter ("-m" option)
is not enabled: is not enabled:
@ -316,61 +237,6 @@ separated by white space. Currently, the following options are supported:
It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its
content is "Dell Inc." (without quotes). It succeeds if "-m" option content is "Dell Inc." (without quotes). It succeeds if "-m" option
is not enabled. is not enabled.
Another example:
dmi mode=fail-equal keyval="sys_vendor=Amazon EC2" keyval="product_name=u-18tb1.metal"
dmi mode=fail-equal keyval="sys_vendor=Lenovo" keyval="product_name=ThinkSystem SR950"
It blocks the caveat from using when either both
/sys/devices/virtual/dmi/id/sys_vendor contains the string "Amazon EC2"
and /sys/devices/virtual/dmi/id/product_name contains the string
"u-18tb1.metal" or both /sys/devices/virtual/dmi/id/sys_vendor contains
the string "Lenovo" and /sys/devices/virtual/dmi/id/product_name contains
the string "ThinkSystem SR950", but enables caveat loading for other products
with the aforementioned /sys/devices/virtual/dmi/id/sys_vendor values,
for example.
* "dependency" allows conditional enablement of a caveat based on the check
status of some other caveat(s). It has the following format:
dependency DEPENDENCY_TYPE DEPENDENCY_NAME [OPTION...]
where DEPENDENCY_NAME is the configuration to be checked, OPTIONs
are per-DEPENDENCY_TYPE, and the only DEPENDENCY_TYPE that is supported
currently is "required".
Options for the "required" dependency type:
* "match-model-mode" - whether model matching mode ("-m" option)
has to be used for the nested configuration check. Possible values:
* "on" - model-matching mode is always used during the nested check;
* "off" - model-matching mode is never used during the nested check;
* "same" - used the same model-matching mode as it is now.
Default is "same".
* "skip" - controls result of the check when the nested check indicated
skipping of the configuration.
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "skip".
* "force-skip" - controls result of the check when the nested check
indicated skipping of the configuration caused by the presence
of an override file (see "check_caveats script" section for details).
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "skip".
* "nesting-too-deep" - as a measure against dependency loop, configuration
checking logic implements nesting limit on dependency checks (currently
set at 8). This option controls the behaviour of the check
when the nested check cannot be performed due to this limit.
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "fail".
An example of a check:
dependency required intel skip=success match-model-mode=off
It checks "intel" caveat configuration (see the "Early microcode load
inside a virtual machine" section) with model-matching mode being disabled,
treats skipping of the configuration as a success (unless the configuration
is forced to be skipped, in that case the dependent configuration
is to be skipped as well).
check_caveats script check_caveats script
@ -607,8 +473,6 @@ Caveat name: intel-06-4f-01
Affected microcode: intel-ucode/06-4f-01. Affected microcode: intel-ucode/06-4f-01.
Dependencies: intel
Mitigation: microcode loading is disabled for the affected CPU model. Mitigation: microcode loading is disabled for the affected CPU model.
Minimum versions of the kernel package that contain the aforementioned patch Minimum versions of the kernel package that contain the aforementioned patch
@ -637,8 +501,6 @@ Caveat name: intel
Affected microcode: all. Affected microcode: all.
Dependencies: (none)
Mitigation: early microcode loading is disabled for all CPU models on kernels Mitigation: early microcode loading is disabled for all CPU models on kernels
without the fix. without the fix.
@ -675,8 +537,6 @@ Caveat name: intel-06-2d-07
Affected microcode: intel-ucode/06-2d-07. Affected microcode: intel-ucode/06-2d-07.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default; Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0x714 is still available as a fallback previously published microcode revision 0x714 is still available as a fallback
as part of "intel" caveat. as part of "intel" caveat.
@ -706,64 +566,35 @@ Caveat name: intel-06-55-04
Affected microcode: intel-ucode/06-55-04. Affected microcode: intel-ucode/06-55-04.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default; Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0x2000064 is still available previously published microcode revision 0x2000064 is still available
as a fallback as part of "intel" caveat. as a fallback as part of "intel" caveat.
Intel Skylake-U/Y caveat Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats
------------------------ ----------------------------------------
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3) Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3;
have reports of system hangs when revision 0xdc of microcode, that is included and SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of system
in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548, hangs when revision 0xdc of microcode, that is included in microcode-20200609
and CVE-2020-0549, is applied[1]. In order to address this, microcode update update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549,
to the newer revision has been disabled by default on these systems, is applied[1][2]. In order to address this, microcode update to the newer
and the previously published microcode revision 0xd6 is used instead; the newer revision has been disabled by default on these systems, and the previously
microcode files, however, are still shipped as part of microcode_ctl package published microcode revision 0xd6 is used instead; the newer microcode files,
and can be used for performing a microcode update if they are enforced however, are still shipped as part of microcode_ctl package and can be used
via the aforementioned overrides. (See the sections "check_caveats script" for performing a microcode update if they are enforced via the aforementioned
and "reload_microcode script" for details.) overrides. (See the sections "check_caveats script" and "reload_microcode
script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
Caveat name: intel-06-4e-03 Caveat names: intel-06-4e-03, intel-06-5e-03
Affected microcode: intel-ucode/06-4e-03 Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03.
Dependencies: intel
Mitigation: previously published microcode revision 0xd6 is used by default. Mitigation: previously published microcode revision 0xd6 is used by default.
Intel Skylake-H/S/Xeon E3 v5 caveat
-----------------------------------
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) had reports of system hangs when revision 0xdc of microcode,
that is included in microcode-20200609 update to address CVE-2020-0543,
CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order to address this,
microcode update to the newer revision had been disabled by default on these
systems, and the previously published microcode revision 0xd6 was used instead.
The revision 0xea seems[2] to have fixed the aforementioned issue, hence
the latest microcode revision usage it is enabled by default,
but can be disabled explicitly via the aforementioned overrides. (See
the sections "check_caveats script" and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
Caveat names: intel-06-5e-03
Affected microcode: intel-ucode/06-5e-03.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0xd6 is still available as a fallback
as part of "intel" caveat.
Dell caveats Dell caveats
------------ ------------
Some Dell systems that use some models of Intel CPUs are susceptible to hangs Some Dell systems that use some models of Intel CPUs are susceptible to hangs
@ -792,8 +623,6 @@ Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a,
intel-ucode/06-9e-0b, intel-ucode/06-9e-0c, intel-ucode/06-9e-0b, intel-ucode/06-9e-0c,
intel-ucode/06-9e-0d. intel-ucode/06-9e-0d.
Dependencies: intel
Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
by default if /sys/devices/virtual/dmi/id/bios_vendor reports by default if /sys/devices/virtual/dmi/id/bios_vendor reports
"Dell Inc."; otherwise, the latest microcode revision is used. "Dell Inc."; otherwise, the latest microcode revision is used.
@ -804,12 +633,12 @@ Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
Intel Tiger Lake-UP3/UP4 caveat Intel Tiger Lake-UP3/UP4 caveat
------------------------------- -------------------------------
Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140, Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140,
stepping 1) had reports of system hangs when a microcode update, stepping 1) have reports of system hangs when a microcode update,
that was included since microcode-20201110 release, was applied[1]. that is included since microcode-20201110 release, is applied[1].
In order to address this, microcode update to a newer revision had been disabled In order to address this, microcode update to a newer revision has been disabled
by default on these systems. The revision 0x88 seems to have fixed by default on these systems; the newer microcode file, however, is still shipped
the aforementioned issue, hence it is enabled by default; however, it is still as a part of microcode_ctl package and can be used for performing a microcode
can be disabled via the aforementioned overrides. (See the sections update if it is enforced via the aforementioned overrides. (See the sections
"check_caveats script" and "reload_microcode script" for details.) "check_caveats script" and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
@ -818,9 +647,7 @@ Caveat names: intel-06-8c-01
Affected microcode: intel-ucode/06-8c-01. Affected microcode: intel-ucode/06-8c-01.
Dependencies: intel Mitigation: microcode loading is disabled for the affected CPU model.
Mitigation: None; the latest revision of the microcode file is used by default.
@ -855,24 +682,3 @@ Intel CPU vulnerabilities is available in the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow),
CVE-2021-0145 (Fast store forward predictor - Cross Domain Training),
CVE-2021-0146 (VT-d-related Privilege Escalation),
CVE-2021-33120 (Out of bounds read for some Intel Atom processors):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
CVE-2022-21136 (Overclocking service access protection),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
* CVE-2022-21233 (Stale Data Read from legacy xAPIC):
https://access.redhat.com/articles/6976398

View File

@ -5,14 +5,10 @@
# #
# SPDX-License-Identifier: CC0-1.0 # SPDX-License-Identifier: CC0-1.0
export LC_ALL=C
: ${MC_CAVEATS_DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats} : ${MC_CAVEATS_DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats}
: ${FW_DIR=/lib/firmware} : ${FW_DIR=/lib/firmware}
: ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats} : ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}
MAX_NESTING_LEVEL=8
usage() { usage() {
echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]' echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]'
echo ' [-m] [-v]' echo ' [-m] [-v]'
@ -169,7 +165,7 @@ check_pci_config_val()
local checked=0 matched=0 path='' local checked=0 matched=0 path=''
local dev_path dev_vid dev_did dev_val local dev_path dev_vid dev_did dev_val
local opts="${1:-}" local opts="${1:-}"
local match_model="${2:-0}" local match_model="${2:0}"
set -- $1 set -- $1
while [ "$#" -gt 0 ]; do while [ "$#" -gt 0 ]; do
@ -265,7 +261,7 @@ check_pci_config_val()
# It is needed for filtering by BIOS vendor name that is available in DMI data # It is needed for filtering by BIOS vendor name that is available in DMI data
# #
# $1 - params in config file, space-separated, in key=value form: # $1 - params in config file, space-separated, in key=value form:
# key= - DMI data record to check. Can be one of the following: bios_date, # key= - DMI value to check. Can be one of the following: bios_date,
# bios_vendor, bios_version, board_asset_tag, board_name, board_serial, # bios_vendor, bios_version, board_asset_tag, board_name, board_serial,
# board_vendor, board_version, chassis_asset_tag, chassis_serial, # board_vendor, board_version, chassis_asset_tag, chassis_serial,
# chassis_type, chassis_vendor, chassis_version, product_family, # chassis_type, chassis_vendor, chassis_version, product_family,
@ -273,33 +269,26 @@ check_pci_config_val()
# sys_vendor. # sys_vendor.
# val= - a string to match DMI data against. Can be enclosed in single # val= - a string to match DMI data against. Can be enclosed in single
# or double quotes. # or double quotes.
# keyval= - a string of format "KEY(!)?[=:]VAL" (so, one of "KEY=VAL",
# "KEY!=VAL", "KEY:VAL", "KEY!:VAL") that allows providing
# a key-value pair in a single parameter. It is possible to provide
# multiple keyval= parameters. "!" before :/= means negated match.
# The action supplied in the mode= parameter is executed upon
# successful (non-)matching of all the keyval pairs (as well
# as the pair provided in a pair of key= and val= parameters).
# mode=success-equal [ success-equal, fail-equal ] - matching mode: # mode=success-equal [ success-equal, fail-equal ] - matching mode:
# success-equal: Returns 0 if the all values present in the corresponding # success-equal: Returns 0 if the value present in the corresponding file
# files under /sys/devices/virtual/dmi/id/<KEY> are equal # under /sys/devices/virtual/dmi/id/<key> is equal
# (or not equal in case of a keyval= with negated match) # to the value supplied as a value of "val" parameter,
# to the respective values supplied as the values # otherwise 1.
# of the keyval= parameters or the pair of key= vand val= # fail-equal: Returns 1 if the value present in the corresponding file
# parameters, otherwise 1. # under /sys/devices/virtual/dmi/id/<key> is equal
# fail-equal: Returns 1 if all the values present in DMI files in sysfs # to the value supplied as a value of "val" parameter,
# match (as described above), otherwise 0. # otherwise 0.
# no-model-mode=success [ success, fail ] - return value if model filter # no-model-mode=success [ success, fail ] - return value if model filter
# is not enabled: # is not enabled:
# success: Return 0. # success: Return 0.
# fail: Return 1. # fail: Return 1.
# $2 - whether model filter is engaged (if it is not '1', just return the result # $2 - whether model filter is engaged (if it is not '1', just return the result
# based on "no-model-mode" value). # based on "mode" value that assumes that the check has failed).
check_dmi_val() check_dmi_val()
{ {
local key= val= keyval= keyvals= mode='success-equal' nm_mode='success' local key= val= mode='success-equal' nm_mode='success'
local opts="${1:-}" opt= opt_= local opts="${1:-}" opt= opt_=
local match_model="${2:-0}" local match_model="${2:0}"
local valid_keys=" bios_date bios_vendor bios_version board_asset_tag board_name board_serial board_vendor board_version chassis_asset_tag chassis_serial chassis_type chassis_vendor chassis_version product_family product_name product_serial product_uuid product_version sys_vendor " local valid_keys=" bios_date bios_vendor bios_version board_asset_tag board_name board_serial board_vendor board_version chassis_asset_tag chassis_serial chassis_type chassis_vendor chassis_version product_family product_name product_serial product_uuid product_version sys_vendor "
local success=1 local success=1
@ -316,44 +305,21 @@ check_dmi_val()
# Handle possible quoting # Handle possible quoting
[ "x${opt#val=}" = "x${opt}" ] || { [ "x${opt#val=}" = "x${opt}" ] || {
case "${opt#val=}" in case "${opt#val=}" in
[\']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val='${val}'" ;; [']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val=\'${val}\'" ;;
[\"]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;; ["]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;;
*) val="${opt#val=}" ;; *) val="${opt#val=}" ;;
esac esac
} }
[ "x${opt#keyval=}" = "x${opt}" ] || {
case "${opt#keyval=}" in
[\']*)
opt_="${opts#keyval=\'}"
keyval="${opt_%%\'*}"
opt="keyval='${keyval}'"
keyvals="${keyvals}
${keyval}"
;;
[\"]*)
opt_="${opts#keyval=\"}"
keyval="${opt_%%\"*}"
opt="keyval=\"${keyval}\""
keyvals="${keyvals}
${keyval}"
;;
*)
keyvals="${keyvals}
${opt#keyval=}"
;;
esac
}
opts="${opts#"${opt}"}" opts="${opts#"${opt}"}"
continue continue
done done
[ -z "$key" -a -z "$val" ] || keyvals="${key}=${val}${keyvals}" # Check key for validity
[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
[ -n "x${keyvals}" ] || { debug "Invalid \"key\" parameter value: \"${key}\""
debug "Neither key=, val=, nor keyval= parameters were privoded"
echo 2 echo 2
return exit
} }
[ 1 = "$match_model" ] || { [ 1 = "$match_model" ] || {
@ -366,171 +332,23 @@ check_dmi_val()
;; ;;
esac esac
return exit
} }
[ -r "/sys/devices/virtual/dmi/id/${key}" ] || {
debug "Can't access /sys/devices/virtual/dmi/id/${key}"
echo 3
exit
}
file_val="$(cat "/sys/devices/virtual/dmi/id/${key}")"
[ "x${val}" = "x${file_val}" ] || success=0
case "$mode" in case "$mode" in
success-equal|fail-equal) ;; success-equal) echo "$((1 - $success))" ;;
*) debug "Invalid mode value: \"${nm_mode}\""; echo 2; return ;; fail-equal) echo "${success}" ;;
esac *) debug "Invalid mode value: \"${nm_mode}\""; echo 2 ;;
printf "%s\n" "${keyvals}" | (
while read l; do
[ -n "$l" ] || continue
key="${l%%[=:]*}"
val="${l#${key}[=:]}"
cmp="="
[ "x${key%!}" = "x${key}" ] || {
cmp="!="
key="${key%!}"
}
# Check key for validity
[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
debug "Invalid \"key\" parameter value: \"${key}\""
echo 2
return
}
[ -r "/sys/devices/virtual/dmi/id/${key}" ] || {
debug "Can't access /sys/devices/virtual/dmi/id/${key}"
echo 3
return
}
file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")"
[ "x${val}" "${cmp}" "x${file_val}" ] || {
case "$mode" in
success-equal) echo 1 ;;
fail-equal) echo 0 ;;
esac
return
}
done
case "$mode" in
success-equal) echo 0 ;;
fail-equal) echo 1 ;;
esac
)
}
# check_dependency CURLEVEL DEP_TYPE DEP_NAME OPTS
# DEP_TYPE:
# required - caveat can be enabled only if dependency is enabled
# (is not forcefully disabled and meets caveat conditions)
# OPTS:
# match-model-mode=same [ on, off, same ] - what mode matching mode is to be used for dependency
# skip=skip [ fail, skip, success ]
# force-skip=skip [ fail, skip, success ]
# nesting-too-deep=fail [ fail, skip, success ]
# Return values:
# 0 - success
# 1 - fail
# 2 - skip
# 9 - error
check_dependency()
{
local cur_level="$1"
local dep_type="$2"
local dep_name="$3"
local match_model_mode=same old_match_model="${match_model}"
local skip=skip
local force_skip=skip
local nesting_too_deep=fail
local check="Dependency check for ${dep_type} ${dep_name}"
set -- ${4:-}
while [ "$#" -gt 0 ]; do
[ "x${1#match-model-mode=}" = "x${1}" ] || match_model_mode="${1#match-model-mode=}"
[ "x${1#skip=}" = "x${1}" ] || skip="${1#skip=}"
[ "x${1#force-skip=}" = "x${1}" ] || force_skip="${1#force-skip=}"
[ "x${1#nesting-too-deep=}" = "x${1}" ] || nesting_too_deep="${1#nesting-too-deep=}"
shift
done
case "${dep_type}" in
required)
[ "x${dep_name%/*}" = "x${dep_name}" ] || {
debug "${check} error: dependency name (${dep_name})" \
"cannot contain slashes"
echo 9
return
}
[ "${MAX_NESTING_LEVEL}" -ge "$cur_level" ] || {
local reason="nesting level is too deep (${cur_level}) and nesting-too-deep='${nesting_too_deep}'"
case "$nesting_too_deep" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: invalid" \
"nesting-too-deep mode" \
"(${nesting_too_deep})"; echo 9 ;;
esac
return
}
case "${match_model_mode}" in
same) ;;
on) match_model=1 ;;
off) match_model=0 ;;
*)
debug "${check} error: invalid match-model-mode" \
"(${match_model_mode})"
echo 9
return
;;
esac
local result=0
debug "${check}: calling check_caveat '${dep_name}'" \
"'$(($cur_level + 1))' match_model=${match_model}"
check_caveat "${dep_name}" "$(($cur_level + 1))" > /dev/null || result="$?"
match_model="${old_match_model}"
case "${result}" in
0) debug "${check} succeeded: result=${result}"; echo "${result}" ;;
1) debug "${check} failed: result=${result}"; echo "${result}" ;;
2)
local reason="result=${result} and skip='${skip}'"
case "${skip}" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: unexpected skip=" \
"setting (${skip})"; echo 9 ;;
esac
;;
3)
local reason="result=${result} and force_skip='${force_skip}'"
case "${force_skip}" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: unexpected force-skip=" \
"setting (${skip})"; echo 9 ;;
esac
;;
*)
debug "${check} error: unexpected check_caveat result" \
"(${result})"; echo 9 ;;
esac
;;
*)
debug "${check} error: unknown dependency type '${dep_type}'"
echo 9
;;
esac esac
} }
@ -568,12 +386,6 @@ get_mc_path()
AuthenticAMD) AuthenticAMD)
echo "amd-ucode/$2" echo "amd-ucode/$2"
;; ;;
*)
# We actually only support Intel ucode, but things may break
# if nothing is printed (input would be gotten from stdin
# otherwise).
echo "invalid"
;;
esac esac
} }
@ -582,6 +394,19 @@ get_mc_ver()
/bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo /bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
} }
fail()
{
ret=1
fail_cfgs="$fail_cfgs $cfg"
fail_paths="$fail_paths $cfg_path"
[ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \
|| /bin/cat "${dir}/disclaimer"
}
#check_kver "$@"
#get_model_name
match_model=0 match_model=0
configs= configs=
@ -642,44 +467,34 @@ else
stage="late" stage="late"
fi fi
# check_caveat CFG [CHECK_LEVEL]
# changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs, for cfg in $(echo "${configs}"); do
# skip_cfgs if CHECK_LEVEL is set to 0 (default). dir="$MC_CAVEATS_DATA_DIR/$cfg"
# CHECK_LEVEL is used for recursive configuration dependency checks,
# and indicates nesting level. # We add cfg to the skip list first and then, if we do not skip it,
# Return value: # we remove the configuration from the list.
# 0 - check is successful skip_cfgs="$skip_cfgs $cfg"
# 1 - check has been failed
# 2 - configuration has been skipped
# 3 - configuration has been skipped due to presence of an override file
check_caveat() {
local cfg="$1"
local check_level="${2:-0}"
local dir="$MC_CAVEATS_DATA_DIR/$cfg"
[ -r "${dir}/readme" ] || { [ -r "${dir}/readme" ] || {
debug "File 'readme' in ${dir} is not found, skipping" debug "File 'readme' in ${dir} is not found, skipping"
return 2 continue
} }
[ -r "${dir}/config" ] || { [ -r "${dir}/config" ] || {
debug "File 'config' in ${dir} is not found, skipping" debug "File 'config' in ${dir} is not found, skipping"
return 2 continue
} }
local cfg_model= cfg_model=
local cfg_vendor= cfg_vendor=
local cfg_path= cfg_path=
local cfg_kvers= cfg_kvers=
local cfg_kvers_early= cfg_kvers_early=
local cfg_mc_min_ver_late= cfg_blacklist=
local cfg_disable= cfg_mc_min_ver_late=
local cfg_pci= cfg_disable=
local cfg_dmi= cfg_pci=
local cfg_dependency= cfg_dmi=
local key
local value
while read -r key value; do while read -r key value; do
case "$key" in case "$key" in
@ -704,6 +519,13 @@ check_caveat() {
disable) disable)
cfg_disable="$cfg_disable $value " cfg_disable="$cfg_disable $value "
;; ;;
blacklist)
cfg_blacklist=1
# "blacklist" is special: it stops entity parsing,
# and the rest of file is a list of blacklisted model
# names.
break
;;
pci_config_val) pci_config_val)
cfg_pci="$cfg_pci cfg_pci="$cfg_pci
$value" $value"
@ -712,10 +534,6 @@ check_caveat() {
cfg_dmi="$cfg_dmi cfg_dmi="$cfg_dmi
$value" $value"
;; ;;
dependency)
cfg_dependency="$cfg_dependency
$value"
;;
'#'*|'') '#'*|'')
continue continue
;; ;;
@ -726,8 +544,12 @@ check_caveat() {
esac esac
done < "${dir}/config" done < "${dir}/config"
[ -z "${cfg_blacklist}" ] || \
cfg_blacklist=$(/bin/sed -n '/^blacklist$/,$p' "${dir}/config" |
/usr/bin/tail -n +2)
debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'" debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'"
echo "$cfg_path" debug "${cfg}: blacklist '$cfg_blacklist'"
# Check for override files in the following order: # Check for override files in the following order:
# - disallow early/late specific caveat for specific kernel # - disallow early/late specific caveat for specific kernel
@ -748,10 +570,10 @@ check_caveat() {
# - force early/late everyhting # - force early/late everyhting
# - disallow everything # - disallow everything
# - force everyhting # - force everyhting
local ignore_cfg=0 ignore_cfg=0
local force_cfg=0 force_cfg=0
local override_file="" override_file=""
local overrides=" overrides="
0:$FW_DIR/$kver/disallow-$stage-$cfg 0:$FW_DIR/$kver/disallow-$stage-$cfg
1:$FW_DIR/$kver/force-$stage-$cfg 1:$FW_DIR/$kver/force-$stage-$cfg
0:$FW_DIR/$kver/disallow-$cfg 0:$FW_DIR/$kver/disallow-$cfg
@ -768,9 +590,6 @@ check_caveat() {
1:$CFG_DIR/force-$stage 1:$CFG_DIR/force-$stage
0:$CFG_DIR/disallow 0:$CFG_DIR/disallow
1:$CFG_DIR/force" 1:$CFG_DIR/force"
local o
local o_force
local override_file
for o in $(echo "$overrides"); do for o in $(echo "$overrides"); do
o_force=${o%%:*} o_force=${o%%:*}
override_file=${o#$o_force:} override_file=${o#$o_force:}
@ -789,7 +608,7 @@ check_caveat() {
[ 0 -eq "$ignore_cfg" ] || { [ 0 -eq "$ignore_cfg" ] || {
debug "Configuration \"$cfg\" is ignored due to presence of" \ debug "Configuration \"$cfg\" is ignored due to presence of" \
"\"$override_file\"." "\"$override_file\"."
return 3 continue
} }
# Check model if model filter is enabled # Check model if model filter is enabled
@ -798,22 +617,21 @@ check_caveat() {
debug "Current CPU model '$cpu_model' doesn't" \ debug "Current CPU model '$cpu_model' doesn't" \
"match configuration CPU model '$cfg_model'," \ "match configuration CPU model '$cfg_model'," \
"skipping" "skipping"
return 2 continue
} }
fi fi
# Check paths if model filter is enabled # Check paths if model filter is enabled
local cpu_mc_path
local cfg_mc_present
if [ 1 -eq "$match_model" -a -n "$cfg_path" ]; then if [ 1 -eq "$match_model" -a -n "$cfg_path" ]; then
cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \ cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \
"$cpu_vendor" "${cpu_model#* }")" "$cpu_vendor" "${cpu_model#* }")"
cfg_mc_present=0 cfg_mc_present=0
for p in $(printf "%s" "$cfg_path"); do for p in $(printf "%s" "$cfg_path"); do
/usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \ { /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \
-path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \ -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0;
| /bin/grep -zFxc "$cpu_mc_path" > /dev/null \ /bin/true; } \
| /bin/grep -zFxq "$cpu_mc_path" \
|| continue || continue
cfg_mc_present=1 cfg_mc_present=1
@ -823,7 +641,7 @@ check_caveat() {
[ 1 = "$cfg_mc_present" ] || { [ 1 = "$cfg_mc_present" ] || {
debug "No matching microcode files in '$cfg_path'" \ debug "No matching microcode files in '$cfg_path'" \
"for CPU model '$cpu_model', skipping" "for CPU model '$cpu_model', skipping"
return 2 continue
} }
fi fi
@ -833,56 +651,30 @@ check_caveat() {
debug "Current CPU vendor '$cpu_vendor' doesn't" \ debug "Current CPU vendor '$cpu_vendor' doesn't" \
"match configuration CPU vendor '$cfg_vendor'," \ "match configuration CPU vendor '$cfg_vendor'," \
"skipping" "skipping"
return 2 continue
} }
fi fi
# Has to be performed before dependency checks
[ 0 -eq "$force_cfg" ] || {
debug "Checks for configuration \"$cfg\" are ignored due to" \
"presence of \"$override_file\"."
return 0
}
# Check dependencies
# It has to be performed here (before adding configuration
# to $ret_cfgs/$ret_paths) since it may be skipped.
if [ -n "$cfg_dependency" ]; then
dep_line="$(printf "%s\n" "$cfg_dependency" | \
while read -r dep_type dep_name dep_opts
do
[ -n "$dep_type" ] || continue
dep_res=$(check_dependency "$check_level" \
"$dep_type" \
"$dep_name" \
"$dep_opts")
[ 0 != "$dep_res" ] || continue
echo "$dep_res $dep_type $dep_name $dep_opts"
break
done
echo "0 ")"
case "${dep_line%% *}" in
0) ;;
2)
debug "Dependency check '${dep_line#* }'" \
"induced configuration skip"
return 2
;;
*)
debug "Dependency check '${dep_line#* }'" \
"failed (with return code ${dep_line%% *})"
return 1
;;
esac
fi
# Check configuration files # Check configuration files
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
skip_cfgs="${skip_cfgs% $cfg}"
[ 0 -eq "$force_cfg" ] || {
debug "Checks for configuration \"$cfg\" are ignored due to" \
"presence of \"$override_file\"."
ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path"
continue
}
[ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || { [ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || {
debug "${cfg}: caveat is disabled in configuration" debug "${cfg}: caveat is disabled in configuration"
return 1 fail
continue
} }
# Check late load kernel version # Check late load kernel version
@ -890,7 +682,8 @@ check_caveat() {
check_kver "$kver" $cfg_kvers || { check_kver "$kver" $cfg_kvers || {
debug "${cfg}: late load kernel version check for" \ debug "${cfg}: late load kernel version check for" \
" '$kver' against '$cfg_kvers' failed" " '$kver' against '$cfg_kvers' failed"
return 1 fail
continue
} }
fi fi
@ -899,7 +692,17 @@ check_caveat() {
check_kver "$kver" $cfg_kvers_early || { check_kver "$kver" $cfg_kvers_early || {
debug "${cfg}: early load kernel version check for" \ debug "${cfg}: early load kernel version check for" \
"'$kver' against '$cfg_kvers_early' failed" "'$kver' against '$cfg_kvers_early' failed"
return 1 fail
continue
}
fi
# Check model blacklist
if [ -n "$cfg_blacklist" ]; then
echo "$cfg_blacklist" | /bin/grep -vqFx "${cpu_model_name}" || {
debug "${cfg}: model '${cpu_model_name}' is blacklisted"
fail
continue
} }
fi fi
@ -912,7 +715,8 @@ check_caveat() {
debug "${cfg}: CPU microcode version $cpu_mc_ver" \ debug "${cfg}: CPU microcode version $cpu_mc_ver" \
"failed check (should be at least" \ "failed check (should be at least" \
"${cfg_mc_min_ver_late})" "${cfg_mc_min_ver_late})"
return 1 fail
continue
} }
fi fi
@ -933,14 +737,14 @@ check_caveat() {
[ -z "${pci_line#* }" ] || { [ -z "${pci_line#* }" ] || {
debug "PCI configuration word check '${pci_line#* }'" \ debug "PCI configuration word check '${pci_line#* }'" \
"failed (with return code ${pci_line%% *})" "failed (with return code ${pci_line%% *})"
return 1 fail
continue
} }
fi fi
# Check DMI data if model filter is enabled # Check DMI data if model filter is enabled
# Note that the model filter check is done inside check_dmi_val # Note that the model filter check is done inside check_pci_config_val
# (which returns the value of 'no-model-mode=' parameter # based on the 'mode=' parameter.
# if it is disenaged).
if [ -n "$cfg_dmi" ]; then if [ -n "$cfg_dmi" ]; then
dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line
do do
@ -956,43 +760,13 @@ check_caveat() {
[ -z "${dmi_line#* }" ] || { [ -z "${dmi_line#* }" ] || {
debug "DMI data check '${dmi_line#* }'" \ debug "DMI data check '${dmi_line#* }'" \
"failed (with return code ${dmi_line%% *})" "failed (with return code ${dmi_line%% *})"
return 1 fail
continue
} }
fi fi
return 0 ok_cfgs="$ok_cfgs $cfg"
} ok_paths="$ok_paths $cfg_path"
for cfg in $(echo "${configs}"); do
if cfg_path=$(check_caveat "$cfg"; exit "$?")
then
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path"
else
case "$?" in
1)
ret=1
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
fail_cfgs="$fail_cfgs $cfg"
fail_paths="$fail_paths $cfg_path"
[ 0 -eq "$print_disclaimers" ] \
|| [ ! -e "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" ] \
|| /bin/cat "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer"
;;
2|3)
skip_cfgs="$skip_cfgs $cfg";
;;
*)
debug "Unexpected check_caveat return code '$?'" \
"for config '$cfg'"
;;
esac
fi
done done
[ 0 -eq "$print_disclaimers" ] || exit 0 [ 0 -eq "$print_disclaimers" ] || exit 0

View File

@ -242,7 +242,6 @@ Server;;Skylake;B1;97;50653;SKX;SP;Xeon Scalable;
Desktop;;Skylake;H0,M0,U0;b7;50654;SKX;X;Core i9-7xxxX, i9-9xxxX; Desktop;;Skylake;H0,M0,U0;b7;50654;SKX;X;Core i9-7xxxX, i9-9xxxX;
Server;;Skylake;H0,M0,U0;b7;50654;SKX;SP,W;Xeon Scalable; Server;;Skylake;H0,M0,U0;b7;50654;SKX;SP,W;Xeon Scalable;
Server;;Skylake;M1;b7;50654;SKX;D;Xeon D-21xx; Server;;Skylake;M1;b7;50654;SKX;D;Xeon D-21xx;
Server;;Cascade Lake;A0;b7;50655;CLX;SP;Xeon Scalable Gen2;
Server;;Cascade Lake;B0;bf;50656;CLX;SP;Xeon Scalable Gen2; Server;;Cascade Lake;B0;bf;50656;CLX;SP;Xeon Scalable Gen2;
Desktop;;Cascade Lake;B1,L1;bf;50657;CLX;X;; Desktop;;Cascade Lake;B1,L1;bf;50657;CLX;X;;
Server;;Cascade Lake;B1,L1;bf;50657;CLX;SP;Xeon Scalable Gen2; Server;;Cascade Lake;B1,L1;bf;50657;CLX;SP;Xeon Scalable Gen2;
@ -263,20 +262,11 @@ Server;;Skylake;N0,R0,S0;36;506e3;SKL;Xeon E3;Xeon E3 v5;
SOC;;Denverton;B0;01;506f1;DNV;;Atom C3xxx; SOC;;Denverton;B0;01;506f1;DNV;;Atom C3xxx;
SOC;;XMM 7272 (SoFIA);;01;60650;;;XMM 7272 SOC;;XMM 7272 (SoFIA);;01;60650;;;XMM 7272
Mobile;;Cannon Lake;D0;80;60663;CNL;U;Core Gen8 Mobile; Mobile;;Cannon Lake;D0;80;60663;CNL;U;Core Gen8 Mobile;
Server;;Ice Lake;C0;87;606a5;ICX;SP;Xeon Scalable Gen3;
Server;;Ice Lake;D0;87;606a6;ICX;SP;Xeon Scalable Gen3;
Server;;Ice Lake;B0;10;606c1;ICL;D;;Xeon D-17xx, D-27xx
SOC;;Gemini Lake;B0;01;706a1;GLK;;;Pentium J5005/N5000, Celeron J4005/J4105/N4000/N4100 SOC;;Gemini Lake;B0;01;706a1;GLK;;;Pentium J5005/N5000, Celeron J4005/J4105/N4000/N4100
SOC;;Gemini Lake;R0;01;706a8;GLK;R;;Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 SOC;;Gemini Lake;R0;01;706a8;GLK;R;;Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
Mobile;;Ice Lake;D1;80;706e5;ICL;U,Y;Core Gen10 Mobile; Mobile;;Ice Lake;D1;80;706e5;ICL;U,Y;Core Gen10 Mobile;
Server;;Knights Mill;A0;08;80650;KNM;;Xeon Phi 72x5;Xeon Phi 7235, 7285, 7295 Server;;Knights Mill;A0;08;80650;KNM;;Xeon hi 72x5;Xeon Phi 7235, 7285, 7295
SOC;;Snow Ridge;B0;01;80664;SNR;;Atom P59xxB;
SOC;;Snow Ridge;B1;01;80665;SNR;;Atom P59xxB;
SOC;;Snow Ridge;C0;01;80667;SNR;;Atom P59xxB;
SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology;
Mobile;;Tiger Lake;B1;80;806c1;TGL;UP3,UP4;Core Gen11 Mobile; Mobile;;Tiger Lake;B1;80;806c1;TGL;UP3,UP4;Core Gen11 Mobile;
Mobile;;Tiger Lake Refresh;C0;80;806c2;TGL;R;Core Gen11 Mobile;
Mobile;;Tiger Lake;R0;c2;806d1;TGL;H;Core Gen11 Mobile;
Mobile;;Amber Lake;H0;10;806e9;AML;Y 2+2;Core Gen8 Mobile; Mobile;;Amber Lake;H0;10;806e9;AML;Y 2+2;Core Gen8 Mobile;
Mobile;;Kaby Lake;H0;c0;806e9;KBL;U,Y;Core Gen7 Mobile; Mobile;;Kaby Lake;H0;c0;806e9;KBL;U,Y;Core Gen7 Mobile;
Mobile;;Kaby Lake;J1;c0;806e9;KBL;U 2+3e;Core Gen7 Mobile; Mobile;;Kaby Lake;J1;c0;806e9;KBL;U 2+3e;Core Gen7 Mobile;
@ -287,21 +277,6 @@ Mobile;;Comet Lake;V0;94;806ec;CML;U 4+2;Core Gen10 Mobile;
Mobile;;Whiskey Lake;W0;d0;806eb;WHL;U;Core Gen8 Mobile; Mobile;;Whiskey Lake;W0;d0;806eb;WHL;U;Core Gen8 Mobile;
Mobile;;Whiskey Lake;V0;94;806ec;WHL;U;Core Gen8 Mobile; Mobile;;Whiskey Lake;V0;94;806ec;WHL;U;Core Gen8 Mobile;
Mobile;;Whiskey Lake;V0;94;806ed;WHL;U;Core Gen8 Mobile; Mobile;;Whiskey Lake;V0;94;806ed;WHL;U;Core Gen8 Mobile;
Server;;Sapphire Rapids;E0,S1;87;806f4;SPR;SP;Xeon Scalable Gen4;
Server;;Sapphire Rapids;B1;10;806f5;SPR;HBM;Xeon Max;
Server;;Sapphire Rapids;E2;87;806f5;SPR;SP;Xeon Scalable Gen4;
Server;;Sapphire Rapids;E3;87;806f6;SPR;SP;Xeon Scalable Gen4;
Server;;Sapphire Rapids;E4,S2;87;806f7;SPR;SP;Xeon Scalable Gen4;
Server;;Sapphire Rapids;B3;10;806f8;SPR;HBM;Xeon Max;
Server;;Sapphire Rapids;E5,S3;87;806f8;SPR;SP;Xeon Scalable Gen4;
SOC;;Elkhart Rate;B1;01;90661;EHL;;Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E;
Desktop;;Alder Lake;C0;02;90672;ADL;S 8+8;Core Gen12;
Mobile;;Alder Lake;C0;03;90672;ADL;HX;Core Gen12 Mobile;
Desktop;;Alder Lake;K0;01;90675;ADL;S 6+0;Core Gen12;
Mobile;;Alder Lake;L0;82;906a3;ADL;P 6+8;Core Gen12 Mobile;
Mobile;;Alder Lake;R0;80;906a3;ADL;U 9W;Core Gen12 Mobile;
Mobile;;Arizona Beach;A0;40;906a4;AZB;;;Intel(R) Atom(R) C1100
Mobile;;Alder Lake;R0;82;906a4;ADL;P 2+8;Core Gen12 Mobile;
Desktop;;Kaby Lake;B0;2a;906e9;KBL;S,X;Core Gen7; Desktop;;Kaby Lake;B0;2a;906e9;KBL;S,X;Core Gen7;
Mobile;;Kaby Lake;B0;2a;906e9;KBL;G,H;Core Gen7 Mobile; Mobile;;Kaby Lake;B0;2a;906e9;KBL;G,H;Core Gen7 Mobile;
Server;;Kaby Lake;B0;2a;906e9;KBL;Xeon E3;Xeon E3 v6; Server;;Kaby Lake;B0;2a;906e9;KBL;Xeon E3;Xeon E3 v6;
@ -317,22 +292,12 @@ Server;;Coffee Lake;P0;22;906ec;CFL;Xeon E;Xeon E;
Desktop;;Coffee Lake;R0;22;906ed;CFL;S;Core Gen9 Desktop; Desktop;;Coffee Lake;R0;22;906ed;CFL;S;Core Gen9 Desktop;
Mobile;;Coffee Lake;R0;22;906ed;CFL;H;Core Gen9 Mobile; Mobile;;Coffee Lake;R0;22;906ed;CFL;H;Core Gen9 Mobile;
Server;;Coffee Lake;R0;22;906ed;CFL;Xeon E;Xeon E; Server;;Coffee Lake;R0;22;906ed;CFL;Xeon E;Xeon E;
SOC;;Jasper Lake;A0,A1;01;906c0;JSL;;Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105;
Mobile;;Comet Lake;R1;20;a0652;CML;H;Core Gen10 Mobile; Mobile;;Comet Lake;R1;20;a0652;CML;H;Core Gen10 Mobile;
Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop; Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop;
Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop; Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop;
Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile; Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile;
Mobile;;Comet Lake;K1;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile; Mobile;;Comet Lake;K0;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile;
Desktop;;Rocket Lake;B0;02;a0671;RKL;S;Core Gen11; SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology;
Mobile;;Meteor Lake;C0;e6;a06a4;MTL;H,U;Core™ Ultra Processor;
Desktop;;Raptor Lake;B0;32;b0671;RPL;S;Core Gen13;
Mobile;;Raptor Lake;J0;e0;b06a2;RPL;P 6+8,H 6+8;Core Gen13;
Mobile;;Raptor Lake;Q0;e0;b06a3;RPL;U 2+8;Core Gen13;
SOC;;Alder Lake;A0;01;b06e0;ADL;N;;Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E
Desktop;;Alder Lake;C0;03;b06f2;ADL;;Core Gen12;
Desktop;;Alder Lake;C0;03;b06f5;ADL;;Core Gen12;
Server;;Emerald Rapids;A0;87;c06f1;EMR;SP;Xeon Scalable Gen5;
Server;;Emerald Rapids;A1;87;c06f2;EMR;SP;Xeon Scalable Gen5;
# sources: # sources:
# https://en.wikichip.org/wiki/intel/cpuid # https://en.wikichip.org/wiki/intel/cpuid

View File

@ -13,7 +13,6 @@ install() {
local DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats local DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats
local CFG_DIR="/etc/microcode_ctl/ucode_with_caveats" local CFG_DIR="/etc/microcode_ctl/ucode_with_caveats"
local check_caveats=/usr/libexec/microcode_ctl/check_caveats local check_caveats=/usr/libexec/microcode_ctl/check_caveats
local fw_path_para=$(< /sys/module/firmware_class/parameters/path)
local verbose_opt local verbose_opt
local cc_out local cc_out
@ -37,13 +36,9 @@ install() {
} }
# Reset fw_dir to avoid inclusion of kernel-version-specific directories # Reset fw_dir to avoid inclusion of kernel-version-specific directories
# populated with microcode for the late load, only in case it is set # populated with microcode for the late load
# to the default value to avoid meddling with user-enforced changes. [ "x$fw_dir" != \
# The second variant has been introduced in dracut-057~5. "x/lib/firmware/updates /lib/firmware /lib/firmware/$kernel" ] || {
[ \( "x$fw_dir" != \
"x/lib/firmware/updates /lib/firmware /lib/firmware/$kernel" \) -a \
\( "x$fw_dir" != \
"x${fw_path_para:+$fw_path_para }/lib/firmware/updates/$kernel /lib/firmware/updates /lib/firmware/$kernel /lib/firmware" \) ] || {
fw_dir="/lib/firmware/updates /lib/firmware" fw_dir="/lib/firmware/updates /lib/firmware"
dinfo " microcode_ctl: reset fw_dir to \"${fw_dir}\"" dinfo " microcode_ctl: reset fw_dir to \"${fw_dir}\""
} }

View File

@ -3,7 +3,6 @@
import argparse import argparse
import errno import errno
import fnmatch
import io import io
import itertools import itertools
import os import os
@ -11,7 +10,6 @@ import re
import shutil import shutil
import struct import struct
import sys import sys
import tarfile
import tempfile import tempfile
from subprocess import PIPE, Popen, STDOUT from subprocess import PIPE, Popen, STDOUT
@ -36,7 +34,6 @@ except:
log_level = 0 log_level = 0
print_date = False print_date = False
file_glob = ["*??-??-??", "*microcode*.dat"]
def log_status(msg, level=0): def log_status(msg, level=0):
@ -99,15 +96,13 @@ def file_walk(args, yield_dirs=False):
def cpuid_fname(c): def cpuid_fname(c):
# Note that the Extended Family is summed up with the Family,
# while the Extended Model is concatenated with the Model.
return "%02x-%02x-%02x" % ( return "%02x-%02x-%02x" % (
((c >> 20) & 0xff) + ((c >> 8) & 0xf), ((c >> 16) & 0xff0) + ((c >> 8) & 0xf),
((c >> 12) & 0xf0) + ((c >> 4) & 0xf), ((c >> 12) & 0xf0) + ((c >> 4) & 0xf),
c & 0xf) c & 0xf)
def read_revs_dir(path, args, src=None, ret=None): def read_revs_dir(path, src=None, ret=None):
if ret is None: if ret is None:
ret = [] ret = []
@ -161,24 +156,18 @@ def read_revs_dir(path, args, src=None, ret=None):
while cur_offs < offs + hdr[8] \ while cur_offs < offs + hdr[8] \
and ext_sig_cnt <= ext_tbl[0]: and ext_sig_cnt <= ext_tbl[0]:
ext_sig = struct.unpack("III", f.read(12)) ext_sig = struct.unpack("III", f.read(12))
ignore = args.ignore_ext_dups and \ ret.append({"path": rp, "src": src or path,
(ext_sig[0] == hdr[3]) "cpuid": ext_sig[0], "pf": ext_sig[1],
if not ignore: "rev": hdr[1], "date": hdr[2],
ret.append({"path": rp, "src": src or path, "offs": offs, "ext_offs": cur_offs,
"cpuid": ext_sig[0], "cksum": hdr[4],
"pf": ext_sig[1], "ext_cksum": ext_sig[2],
"rev": hdr[1], "date": hdr[2], "data_size": hdr[7],
"offs": offs, "ext_offs": cur_offs, "total_size": hdr[8]})
"cksum": hdr[4],
"ext_cksum": ext_sig[2],
"data_size": hdr[7],
"total_size": hdr[8]})
log_status(("Got ext sig %#x/%#x for " + log_status(("Got ext sig %#x/%#x for " +
"%s:%#x:%#x/%#x%s") % "%s:%#x:%#x/%#x") %
(ext_sig[0], ext_sig[1], (ext_sig[0], ext_sig[1], rp, offs,
rp, offs, hdr[3], hdr[6], hdr[3], hdr[6]), level=2)
" (ignored)" if ignore else ""),
level=2)
cur_offs += 12 cur_offs += 12
ext_sig_cnt += 1 ext_sig_cnt += 1
@ -191,7 +180,7 @@ def read_revs_dir(path, args, src=None, ret=None):
return ret return ret
def read_revs_rpm(path, args, ret=None): def read_revs_rpm(path, ret=None):
if ret is None: if ret is None:
ret = [] ret = []
@ -202,7 +191,7 @@ def read_revs_rpm(path, args, ret=None):
rpm2cpio = Popen(args=["rpm2cpio", path], stdout=PIPE, stderr=PIPE, rpm2cpio = Popen(args=["rpm2cpio", path], stdout=PIPE, stderr=PIPE,
close_fds=True) close_fds=True)
cpio = Popen(args=["cpio", "-idmv"] + file_glob, cpio = Popen(args=["cpio", "-idmv", "*??-??-??", "*microcode*.dat"],
cwd=dir_tmp, stdin=rpm2cpio.stdout, cwd=dir_tmp, stdin=rpm2cpio.stdout,
stdout=PIPE, stderr=STDOUT) stdout=PIPE, stderr=STDOUT)
out, cpio_stderr = cpio.communicate() out, cpio_stderr = cpio.communicate()
@ -221,58 +210,20 @@ def read_revs_rpm(path, args, ret=None):
log_info("cpio stderr:\n%s" % cpio_stderr, level=3) log_info("cpio stderr:\n%s" % cpio_stderr, level=3)
if rpm2cpio_ret == 0 and cpio_ret == 0: if rpm2cpio_ret == 0 and cpio_ret == 0:
ret = read_revs_dir(dir_tmp, args, path) ret = read_revs_dir(dir_tmp, path)
shutil.rmtree(dir_tmp) shutil.rmtree(dir_tmp)
return ret return ret
def read_revs_tar(path, args, ret=None): def read_revs(path, ret=None):
if ret is None:
ret = []
dir_tmp = tempfile.mkdtemp()
log_status("Trying to extract files from tarball \"%s\"..." % path,
level=1)
try:
with tarfile.open(path, "r:*") as tar:
for ti in tar:
if any(fnmatch.fnmatchcase(ti.name, p) for p in file_glob):
d = os.path.normpath(os.path.join("/",
os.path.dirname(ti.name)))
# For now, strip exactl one level
d = os.path.join(*(d.split(os.path.sep)[2:]))
n = os.path.join(d, os.path.basename(ti.name))
if not os.path.exists(d):
os.makedirs(d)
t = tar.extractfile(ti)
with open(n, "wb") as f:
shutil.copyfileobj(t, f)
t.close()
ret = read_revs_dir(dir_tmp, args, path)
except Exception as err:
log_error("Error while reading \"%s\" as a tarball: \"%s\"" %
(path, str(err)))
shutil.rmtree(dir_tmp)
return ret
def read_revs(path, args, ret=None):
if ret is None: if ret is None:
ret = [] ret = []
if os.path.isdir(path): if os.path.isdir(path):
return read_revs_dir(path, args, ret) return read_revs_dir(path, ret)
elif tarfile.is_tarfile(path):
return read_revs_tar(path, args, ret)
else: else:
return read_revs_rpm(path, args, ret) return read_revs_rpm(path, ret)
def gen_mc_map(mc_data, merge=False, merge_path=False): def gen_mc_map(mc_data, merge=False, merge_path=False):
@ -356,8 +307,7 @@ class mcnm:
MCNM_CODENAME = 4 MCNM_CODENAME = 4
def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV, stringify=True, def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV):
segment=False):
if not isinstance(mc, dict): if not isinstance(mc, dict):
mc = mc_from_mc_key(mc) mc = mc_from_mc_key(mc)
sig = mc["cpuid"] sig = mc["cpuid"]
@ -400,9 +350,6 @@ def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV, stringify=True,
else: else:
cname = c["codename"] cname = c["codename"]
if segment:
cname = c["segment"] + " " + cname
if cname not in suffices: if cname not in suffices:
suffices[cname] = set() suffices[cname] = set()
if "variant" in c and c["variant"]: if "variant" in c and c["variant"]:
@ -414,28 +361,28 @@ def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV, stringify=True,
steppings[cname] |= set(c["stepping"]) steppings[cname] |= set(c["stepping"])
for cname in sorted(steppings.keys()): for cname in sorted(steppings.keys()):
cname_res = [cname] cname_str = cname
if len(suffices[cname]): if len(suffices[cname]):
cname_res[0] += "-" + "/".join(sorted(suffices[cname])) cname_str += "-" + "/".join(sorted(suffices[cname]))
if len(steppings[cname]): if len(steppings[cname]):
cname_res.append("/".join(sorted(steppings[cname]))) cname_str += " " + "/".join(sorted(steppings[cname]))
res.append(" ".join(cname_res) if stringify else cname_res) res.append(cname_str)
return (", ".join(res) or None) if stringify else res return ", ".join(res) or None
def mc_from_mc_key(k): def mc_from_mc_key(k):
return dict(zip(("path", "cpuid", "pf"), k)) return dict(zip(("path", "cpuid", "pf"), k))
def mc_path(mc, pf_sfx=True, midword=None, cmap=None, cname_segment=False): def mc_path(mc, pf_sfx=True, midword=None, cmap=None):
if not isinstance(mc, dict): if not isinstance(mc, dict):
mc = mc_from_mc_key(mc) mc = mc_from_mc_key(mc)
path = mc_stripped_path(mc) if mc["path"] is not None else None path = mc_stripped_path(mc) if mc["path"] is not None else None
cpuid_fn = cpuid_fname(mc["cpuid"]) cpuid_fn = cpuid_fname(mc["cpuid"])
fname = os.path.basename(mc["path"] or cpuid_fn) fname = os.path.basename(mc["path"] or cpuid_fn)
midword = "" if midword is None else " " + midword midword = "" if midword is None else " " + midword
cname = get_mc_cnames(mc, cmap, segment=cname_segment) cname = get_mc_cnames(mc, cmap)
cname_str = " (" + cname + ")" if cname else "" cname_str = " (" + cname + ")" if cname else ""
if pf_sfx: if pf_sfx:
@ -545,22 +492,22 @@ def mc_rev(mc, date=None):
return "%#x" % rev return "%#x" % rev
def print_changelog_rpm(clog, cmap, args): def print_changelog(clog, cmap, args):
for e, old, new in clog: for e, old, new in sorted(clog):
mc_str = mc_path(new if e == ChangeLogEntry.ADDED else old,
midword="microcode",
cmap=cmap, cname_segment=args.segment)
if e == ChangeLogEntry.ADDED: if e == ChangeLogEntry.ADDED:
print("Addition of %s at revision %s" % (mc_str, mc_rev(new))) print("Addition of %s at revision %s" %
(mc_path(new, midword="microcode", cmap=cmap), mc_rev(new)))
elif e == ChangeLogEntry.REMOVED: elif e == ChangeLogEntry.REMOVED:
print("Removal of %s at revision %s" % (mc_str, mc_rev(old))) print("Removal of %s at revision %s" %
(mc_path(old, midword="microcode", cmap=cmap), mc_rev(old)))
elif e == ChangeLogEntry.UPDATED: elif e == ChangeLogEntry.UPDATED:
print("Update of %s from revision %s up to %s" % print("Update of %s from revision %s up to %s" %
(mc_str, mc_rev(old), mc_rev(new))) (mc_path(old, midword="microcode", cmap=cmap),
mc_rev(old), mc_rev(new)))
elif e == ChangeLogEntry.DOWNGRADED: elif e == ChangeLogEntry.DOWNGRADED:
print("Downgrade of %s from revision %s down to %s" % print("Downgrade of %s from revision %s down to %s" %
(mc_str, mc_rev(old), mc_rev(new))) (mc_path(old, midword="microcode", cmap=cmap),
mc_rev(old), mc_rev(new)))
elif e == ChangeLogEntry.OTHER: elif e == ChangeLogEntry.OTHER:
print("Other change in %s:" % old["path"]) print("Other change in %s:" % old["path"])
print(" old: %#x/%#x: rev %s (offs %#x)" % print(" old: %#x/%#x: rev %s (offs %#x)" %
@ -569,70 +516,6 @@ def print_changelog_rpm(clog, cmap, args):
(new["cpuid"], new["pf"], mc_rev(new), new["offs"])) (new["cpuid"], new["pf"], mc_rev(new), new["offs"]))
def print_changelog_intel(clog, cmap, args):
def clog_sort_key(x):
res = str(x[0])
if x[0] != ChangeLogEntry.ADDED:
res += "%08x%02x" % (x[1]["cpuid"], x[1]["pf"])
else:
res += "0" * 10
if x[0] != ChangeLogEntry.REMOVED:
res += "%08x%02x" % (x[2]["cpuid"], x[2]["pf"])
else:
res += "0" * 10
return res
sorted_clog = sorted(clog, key=clog_sort_key)
sections = (("New Platforms", (ChangeLogEntry.ADDED, )),
("Updated Platforms", (ChangeLogEntry.UPDATED,
ChangeLogEntry.DOWNGRADED)),
("Removed Platforms", (ChangeLogEntry.REMOVED, )))
def print_line(e, old, new, types):
if e not in types:
return
if not print_line.hdr:
print("""
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------""")
print_line.hdr = True
mc = new if e == ChangeLogEntry.ADDED else old
cnames = get_mc_cnames(mc, cmap, stringify=False,
segment=args.segment) or (("???", ""), )
for cn in cnames:
cname = cn[0]
stepping = cn[1] if len(cn) > 1 else ""
print("| %-14s | %-8s | %8s/%02x | %8s | %8s | %s" %
(cname,
stepping,
cpuid_fname(mc["cpuid"]), mc["pf"],
("%08x" % old["rev"]) if e != ChangeLogEntry.ADDED else "",
("%08x" % new["rev"]) if e != ChangeLogEntry.REMOVED else "",
get_mc_cnames(mc, cmap, mode=mcnm.MCNM_FAMILIES,
segment=args.segment) or ""))
for h, types in sections:
print("\n### %s" % h)
print_line.hdr = False
for e, old, new in sorted_clog:
print_line(e, old, new, types)
def print_changelog(clog, cmap, args):
if args.format == "rpm":
print_changelog_rpm(clog, cmap, args)
elif args.format == "intel":
print_changelog_intel(clog, cmap, args)
else:
log_error(("unknown changelog format: \"%s\". " +
"Supported formats are: rpm, intel.") % args.format)
class TableStyles: class TableStyles:
TS_CSV = 0 TS_CSV = 0
TS_FANCY = 1 TS_FANCY = 1
@ -669,9 +552,9 @@ def print_summary(revs, cmap, args):
header = [] header = []
if args.header: if args.header:
header.append(["Path", "Offset", "Ext. Offset", "Data Size", header.append(["Path", "Offset", "Ext. Offset", "CPUID",
"Total Size", "CPUID", "Platform ID Mask", "Revision", "Platform ID Mask", "Revision", "Date", "Checksum",
"Date", "Checksum", "Codenames"] + "Codenames"] +
(["Models"] if args.models else [])) (["Models"] if args.models else []))
tbl = [] tbl = []
for k in sorted(m.keys()): for k in sorted(m.keys()):
@ -679,19 +562,14 @@ def print_summary(revs, cmap, args):
tbl.append([mc_stripped_path(mc), tbl.append([mc_stripped_path(mc),
"0x%x" % mc["offs"], "0x%x" % mc["offs"],
"0x%x" % mc["ext_offs"] if "ext_offs" in mc else "-", "0x%x" % mc["ext_offs"] if "ext_offs" in mc else "-",
"0x%05x" % mc["data_size"],
"0x%05x" % mc["total_size"],
"0x%05x" % mc["cpuid"], "0x%05x" % mc["cpuid"],
"0x%02x" % mc["pf"], "0x%02x" % mc["pf"],
mc_rev(mc, date=False), mc_rev(mc, date=False),
mc_date(mc), mc_date(mc),
"0x%08x" % (mc["ext_cksum"] "0x%08x" % mc["cksum"],
if "ext_cksum" in mc else mc["cksum"]), get_mc_cnames(mc, cmap, cnames_mode) or ""] +
get_mc_cnames(mc, cmap, cnames_mode,
segment=args.segment) or ""] +
([get_mc_cnames(mc, cmap, ([get_mc_cnames(mc, cmap,
mcnm.MCNM_FAMILIES_MODELS, mcnm.MCNM_FAMILIES_MODELS)]
segment=args.segment)]
if args.models else [])) if args.models else []))
print_table(tbl, header, style=TableStyles.TS_FANCY) print_table(tbl, header, style=TableStyles.TS_FANCY)
@ -807,7 +685,7 @@ def print_discrepancies(rev_map, deps, cmap, args):
if print_out and print_date: if print_out and print_date:
if args.models: if args.models:
out.append(get_mc_cnames(s, cmap, segment=args.segment) or "") out.append(get_mc_cnames(s, cmap) or "")
tbl.append(out) tbl.append(out)
print_table(tbl, header, style=TableStyles.TS_FANCY) print_table(tbl, header, style=TableStyles.TS_FANCY)
@ -816,7 +694,7 @@ def print_discrepancies(rev_map, deps, cmap, args):
def cmd_summary(args): def cmd_summary(args):
revs = [] revs = []
for p in args.filelist: for p in args.filelist:
revs = read_revs(p, args, ret=revs) revs = read_revs(p, ret=revs)
codenames_map = read_codenames_file(args.codenames) codenames_map = read_codenames_file(args.codenames)
@ -830,8 +708,8 @@ def cmd_changelog(args):
base_path = args.filelist[0] base_path = args.filelist[0]
upd_path = args.filelist[1] upd_path = args.filelist[1]
base = read_revs(base_path, args) base = read_revs(base_path)
upd = read_revs(upd_path, args) upd = read_revs(upd_path)
print_changelog(gen_changelog(base, upd), codenames_map, args) print_changelog(gen_changelog(base, upd), codenames_map, args)
@ -872,7 +750,7 @@ def cmd_discrepancies(args):
(orig_path, dep)) (orig_path, dep))
return 1 return 1
deps.append((path, name, deps[dep][0] if dep is not None else None)) deps.append((path, name, deps[dep][0] if dep is not None else None))
rev_map[path] = gen_fn_map(read_revs(path, args), merge=args.merge, rev_map[path] = gen_fn_map(read_revs(path), merge=args.merge,
merge_path=True) merge_path=True)
print_discrepancies(rev_map, deps, codenames_map, args) print_discrepancies(rev_map, deps, codenames_map, args)
@ -888,22 +766,6 @@ def parse_cli():
help="Code names file") help="Code names file")
root_parser.add_argument("-v", "--verbose", action="count", default=0, root_parser.add_argument("-v", "--verbose", action="count", default=0,
help="Increase output verbosity") help="Increase output verbosity")
root_parser.add_argument("-E", "--no-ignore-ext-duplicates",
action="store_const", dest="ignore_ext_dups",
default=False, const=False,
help="Do not ignore duplicates of the main " +
"signature in the extended signature header")
root_parser.add_argument("-e", "--ignore-ext-duplicates",
action="store_const", dest="ignore_ext_dups",
const=True,
help="Ignore duplicates of the main signature " +
"in the extended signature header")
root_parser.add_argument("-t", "--print-segment", action="store_const",
dest="segment", const=True,
help="Print model segment")
root_parser.add_argument("-T", "--no-print-segment", action="store_const",
dest="segment", const=False, default=False,
help="Do not print model segment")
cmdparsers = root_parser.add_subparsers(title="Commands", cmdparsers = root_parser.add_subparsers(title="Commands",
help="main gen_updates commands") help="main gen_updates commands")
@ -932,8 +794,6 @@ def parse_cli():
parser_c = cmdparsers.add_parser("changelog", parser_c = cmdparsers.add_parser("changelog",
help="Generate changelog") help="Generate changelog")
parser_c.add_argument("-F", "--format", choices=["rpm", "intel"],
default="rpm", help="Changelog format")
parser_c.add_argument("filelist", nargs=2, parser_c.add_argument("filelist", nargs=2,
help="RPMs/directories to compare") help="RPMs/directories to compare")
parser_c.set_defaults(func=cmd_changelog) parser_c.set_defaults(func=cmd_changelog)
@ -980,10 +840,6 @@ def parse_cli():
if not hasattr(args, "func"): if not hasattr(args, "func"):
root_parser.print_help() root_parser.print_help()
return None return None
global log_level
log_level = args.verbose
return args return args

View File

@ -5,8 +5,6 @@
# #
# SPDX-License-Identifier: CC0-1.0 # SPDX-License-Identifier: CC0-1.0
export LC_ALL=C
CHECK_CAVEATS=/usr/libexec/microcode_ctl/check_caveats CHECK_CAVEATS=/usr/libexec/microcode_ctl/check_caveats
IGNORE_HYPERVISOR="/etc/microcode_ctl/ignore-hypervisor-flag" IGNORE_HYPERVISOR="/etc/microcode_ctl/ignore-hypervisor-flag"

View File

@ -5,8 +5,6 @@
# #
# SPDX-License-Identifier: CC0-1.0 # SPDX-License-Identifier: CC0-1.0
export LC_ALL=C
usage() usage()
{ {
echo "Usage: update_ucode [--action {add|remove|refresh|list}]" \ echo "Usage: update_ucode [--action {add|remove|refresh|list}]" \
@ -17,11 +15,6 @@ usage()
debug() { [ 0 = "$verbose" ] || echo "$*" >&2; } debug() { [ 0 = "$verbose" ] || echo "$*" >&2; }
# Calls find only if the first argument exists and is a directory.
# Avoids spurious "find: '...' No such file or directory" for the directories
# that may not exist.
find_d() { [ \! -d "$1" ] || find "$@"; }
MC_DIR=/usr/share/microcode_ctl MC_DIR=/usr/share/microcode_ctl
INTEL_UCODE_DIR=intel-ucode INTEL_UCODE_DIR=intel-ucode
DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats
@ -86,16 +79,16 @@ add|remove|refresh|list)
if [ -z "$kernel" ]; then if [ -z "$kernel" ]; then
debug "No kernel versions provided, scanning..." debug "No kernel versions provided, scanning..."
kvers=$(find_d /lib/modules/ -name '[2-9].*' -print) kvers=$(find /lib/modules/ -name '[2-9].*' -print)
for k_dir in $kvers; do for k_dir in $kvers; do
k="${k_dir#/lib/modules/}" k="${k_dir#/lib/modules/}"
[ ! -e "${k_dir}/symvers.gz" -a ! -e "${k_dir}/symvers.xz" ] || { [ ! -e "${k_dir}/symvers.gz" ] || {
debug " Adding $k (from /lib/modules)" debug " Adding $k (from /lib/modules)"
kernel="$kernel $k" kernel="$kernel $k"
} }
done done
kvers=$(find_d /lib/firmware/ -name '[2-9].*' -print) kvers=$(find /lib/firmware/ -name '[2-9].*' -print)
for k_dir in $kvers; do for k_dir in $kvers; do
k="${k_dir#/lib/firmware/}" k="${k_dir#/lib/firmware/}"
[ ! -d "$k_dir" ] || { [ ! -d "$k_dir" ] || {
@ -136,7 +129,7 @@ while :; do
refresh|remove|list) refresh|remove|list)
debug " Removing old files from ${FW_DIR}/${INTEL_UCODE_DIR}" debug " Removing old files from ${FW_DIR}/${INTEL_UCODE_DIR}"
if [ 0 = "$remove_cleanup" ]; then if [ 0 = "$remove_cleanup" ]; then
find_d "${MC_DIR}/${INTEL_UCODE_DIR}" \ find "${MC_DIR}/${INTEL_UCODE_DIR}" \
-maxdepth 1 -mindepth 1 \ -maxdepth 1 -mindepth 1 \
-type f -printf '%f\n' -type f -printf '%f\n'
else else
@ -158,17 +151,6 @@ while :; do
$cmd rm -f $verbose_opt "$name" $cmd rm -f $verbose_opt "$name"
done done
[ "xlist" = "x$action" ] || { [ "xlist" = "x$action" ] || {
# Removing possible dangling symlinks
find_d "${FW_DIR}/${INTEL_UCODE_DIR}" \
-maxdepth 1 -mindepth 1 \
-type l -printf '%p\n' \
| while read -r fname; do
[ -e "$fname" ] || {
debug " Removing danging symlink \"$fname\""
$cmd rm -f $verbose_opt "$fname"
}
done
$cmd rmdir -p $verbose_opt \ $cmd rmdir -p $verbose_opt \
"${FW_DIR}/${INTEL_UCODE_DIR}" 2>/dev/null \ "${FW_DIR}/${INTEL_UCODE_DIR}" 2>/dev/null \
|| true || true
@ -221,7 +203,7 @@ fi | while read -r i; do
debug " Removing \"$paths\" (part of $action)..." debug " Removing \"$paths\" (part of $action)..."
for p in $(printf "%s" "$paths"); do for p in $(printf "%s" "$paths"); do
find_d "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \ find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \
-printf "%P\n" -printf "%P\n"
done | while read -r path; do done | while read -r path; do
[ -e "$FW_DIR/$k/readme-$i" ] || { [ -e "$FW_DIR/$k/readme-$i" ] || {
@ -243,7 +225,6 @@ fi | while read -r i; do
fi fi
done done
if [ -e "$FW_DIR/$k/readme-$i" ]; then if [ -e "$FW_DIR/$k/readme-$i" ]; then
if [ "xlist" = "x$action" ]; then if [ "xlist" = "x$action" ]; then
echo "$FW_DIR/$k/readme-$i" echo "$FW_DIR/$k/readme-$i"
@ -272,14 +253,14 @@ fi | while read -r i; do
add|refresh) add|refresh)
debug " Adding $paths (part of $action)..." debug " Adding $paths (part of $action)..."
[ -e "/lib/modules/$k/symvers.gz" -o -e "/lib/modules/$k/symvers.xz" ] || { [ -e "/lib/modules/$k/symvers.gz" ] || {
debug " \"/lib/modules/$k/symvers.[gx]z\"" \ debug " \"/lib/modules/$k/symvers.gz\"" \
"does not exist, skipping" "does not exist, skipping"
continue continue
} }
for p in $(printf "%s" "$paths"); do for p in $(printf "%s" "$paths"); do
find_d "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \ find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \
-printf "%P\n" -printf "%P\n"
done | while read -r path; do done | while read -r path; do
[ ! -e "$FW_DIR/$k/$path" ] || { [ ! -e "$FW_DIR/$k/$path" ] || {
@ -307,17 +288,3 @@ fi | while read -r i; do
esac esac
done done
done done
# Removing possible dangling symlinks in kernel-specific directories
debug "Checking for dangling symlinks..."
for k in $(echo "$kernel"); do
debug " Processing kernel version \"$k\""
find_d "${FW_DIR}/${k}" \
-mindepth 1 -type l -printf '%p\n' \
| while read -r fname; do
[ -e "$fname" ] || {
debug " Removing danging symlink \"$fname\""
$cmd rm -f $verbose_opt "$fname"
}
done
done

File diff suppressed because it is too large Load Diff