Compare commits


No commits in common. "imports/c8s/microcode_ctl-20201112-1.el8" and "c8" have entirely different histories.

26 changed files with 2556 additions and 316 deletions

2
.gitignore vendored

@ -4,4 +4,4 @@ SOURCES/06-55-04
SOURCES/06-5e-03 SOURCES/06-5e-03
SOURCES/microcode-20190918.tar.gz SOURCES/microcode-20190918.tar.gz
SOURCES/microcode-20191115.tar.gz SOURCES/microcode-20191115.tar.gz
SOURCES/microcode-20201112.tar.gz SOURCES/microcode-20240531.tar.gz


@ -4,4 +4,4 @@ bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz 774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
010507b8a7ca0b5c4a01cd1f8a6adae5f0fd316d SOURCES/microcode-20201112.tar.gz 9e4c19980b5d79eaa8c7324b6f6821c5812680c0 SOURCES/microcode-20240531.tar.gz
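
Review bot: The new SOURCES/microcode-20240531.tar.gz entry on the last line of this hunk is pinned by a SHA-1 digest only, like the entries around it. Before merging, check that digest against a copy of the tarball fetched independently from upstream, and if this metadata format accepts a stronger hash, use it for the new entry.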


@ -1,13 +1,3 @@
model GenuineIntel 06-2d-07 model GenuineIntel 06-2d-07
path intel-ucode/06-2d-07 path intel-ucode/06-2d-07
## The "kernel_early" statements are carried over from the intel caveat config dependency required intel
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1
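
Review bot: The added "dependency required intel" line has no comment, while the block it replaces explained why the kernel_early entries were here and warned that the caveat "has to be enforced separately on these kernels". Please add a short comment above the new line saying what the dependency on the intel caveat is meant to replace, and whether that separate-enforcement warning still applies.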


@ -1,3 +1,4 @@
model GenuineIntel 06-4e-03 model GenuineIntel 06-4e-03
path intel-ucode/06-4e-03 path intel-ucode/06-4e-03
dependency required intel
disable early late disable early late


@ -13,6 +13,9 @@ microcode revisions in question are listed below:
* 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e * 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e
* 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c * 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c
* 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366 * 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366
* 06-4e-03, revision 0xea: 5a54cab9f22f69b819d663e5747ed6ea2a326c55
* 06-4e-03, revision 0xec: d949a8543d2464d955f5dc4b0777cac863f48729
* 06-4e-03, revision 0xf0: 37475bac70457ba8df2c1a32bba81bd7bd27d5e8
Please contact your system vendor for a BIOS/firmware update that contains Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions the latest microcode version. For the information regarding microcode versions
@ -40,6 +43,20 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
The information regarding enforcing microcode update is provided below. The information regarding enforcing microcode update is provided below.


@ -11,11 +11,5 @@ kernel 2.6.32-573.58.1
kernel 2.6.32-504.71.1 kernel 2.6.32-504.71.1
kernel 2.6.32-431.90.1 kernel 2.6.32-431.90.1
kernel 2.6.32-358.90.1 kernel 2.6.32-358.90.1
kernel_early 4.10.0 dependency required intel skip=success match-model-mode=off
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1
mc_min_ver_late 0xb000019
disable early late disable early late
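
Review bot: Besides the kernel_early lines, this hunk also removes "mc_min_ver_late 0xb000019", and nothing in the visible lines says whether the minimum-revision check for late loading is being dropped on purpose. If it is intentional, state that in the commit message or the readme; if not, keep the line. The options "skip=success match-model-mode=off" on the new dependency line also deserve a comment, since several other configs in this change use the bare "dependency required intel".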


@ -28,6 +28,11 @@ to the following knowledge base articles:
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"): ("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151 https://access.redhat.com/articles/4138151
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
The information regarding enforcing microcode load is provided below. The information regarding enforcing microcode load is provided below.


@ -9,14 +9,4 @@ path intel-ucode/06-55-04
## are provided for speeding up the search only, VID:DID is the real selector. ## are provided for speeding up the search only, VID:DID is the real selector.
## Commented out since revision 0x2006906 seems to fix the issue. ## Commented out since revision 0x2006906 seems to fix the issue.
#pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8 #pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
## The "kernel_early" statements are carried over from the intel caveat config dependency required intel
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1


@ -18,6 +18,13 @@ microcode revisions in question are listed below:
* 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23 * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
* 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967 * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
* 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212 * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
* 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
* 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
* 06-55-04, revision 0x2006c0a: 76b641375d136c08f5feb46aacebee40468ac085
* 06-55-04, revision 0x2006d05: dc4207cf4eb916ff34acbdddc474db0df781234f
* 06-55-04, revision 0x2006e05: bc67d247ad1c9a834bec5e452606db1381d6bc7e
* 06-55-04, revision 0x2006f05: c47277a6a47caedb518f311ce5d339528a8347e2
* 06-55-04, revision 0x2007006: 68ae0f321685ff97b50266bc20818f31563fc67c
Please contact your system vendor for a BIOS/firmware update that contains Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions the latest microcode version. For the information regarding microcode versions
@ -45,6 +52,24 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
CVE-2022-21136 (Overclocking service access protection),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
* CVE-2022-21233 (Stale Data Read from legacy xAPIC):
https://access.redhat.com/articles/6976398
The information regarding disabling microcode update is provided below. The information regarding disabling microcode update is provided below.


@ -1,3 +1,3 @@
model GenuineIntel 06-5e-03 model GenuineIntel 06-5e-03
path intel-ucode/06-5e-03 path intel-ucode/06-5e-03
disable early late dependency required intel
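
Review bot: Dropping "disable early late" on the last line changes the default for 06-5e-03 from disabled to enabled, and the config itself gives no reason for it. A one-line comment pointing at the readme for this caveat (which justifies the change with revision 0xea) would make the behaviour change visible to anyone reading only the config.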


@ -1,18 +1,24 @@
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94, Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) have reports of possible system hangs when revision 0xdc stepping 3) had reports of possible system hangs when revision 0xdc
of microcode, that is included in microcode-20200609 update to address of microcode, that is included in microcode-20200609 update to address
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, is applied[1]. In order CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order
to address this, microcode update to the newer revision has been disabled to address this, microcode updates to the newer revision had been disabled
by default on these systems, and the previously published microcode revision by default on these systems, and the previously published microcode revision
0xd6 is used by default for the OS-driven microcode update. 0xd6 was used by default for the OS-driven microcode update. The revision
0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
For the reference, SHA1 checksums of 06-5e-03 microcode files containing For the reference, SHA1 checksums of 06-5e-03 microcode files containing
microcode revisions in question are listed below: microcode revisions in question are listed below:
* 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a
* 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7 * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7
* 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c * 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c
* 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8
* 06-5e-03, revision 0xec: 6458bf25da4906479a01ffdcaa6d466e22722e01
* 06-5e-03, revision 0xf0: 0683706bbbf470abbdad4b9923aa9647bfec9616
Please contact your system vendor for a BIOS/firmware update that contains Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions the latest microcode version. For the information regarding microcode versions
@ -40,32 +46,42 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
The information regarding enforcing microcode update is provided below. The information regarding disabling microcode update is provided below.
To enforce usage of the latest 06-5e-03 microcode revision for a specific kernel To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
version, please create a file "force-intel-06-5e-03" inside version, please create a file "disallow-intel-06-5e-03" inside
/lib/firmware/<kernel_version> directory, run /lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory "/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
where microcode will be available for late microcode update, and run where microcode is available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version "dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated and the microcode can be loaded early, for example: is regenerated, for example:
touch /lib/firmware/3.10.0-862.9.1/force-intel-06-5e-03 touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
/usr/libexec/microcode_ctl/update_ucode /usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1 dracut -f --kver 3.10.0-862.9.1
After that, it is possible to perform a late microcode update by executing To avoid addition of the latest microcode for all kernels, please create file
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
"/sys/devices/system/cpu/microcode/reload" directly. "/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:
To enforce addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03", run
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
and "dracut -f --regenerate-all" for enabling early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03 touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
/usr/libexec/microcode_ctl/update_ucode /usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all dracut -f --regenerate-all
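
Review bot: The new per-kernel instructions read 'run "/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory', which should be "to remove it from the firmware directory", as the 06-8c-01 readme in this same change words it. The rewritten text also drops the paragraph about reload_microcode without saying when a "disallow-intel-06-5e-03" file takes effect on a system that is already running; please add a sentence on that.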


@ -1,3 +1,3 @@
model GenuineIntel 06-8c-01 model GenuineIntel 06-8c-01
path intel-ucode/06-8c-01 path intel-ucode/06-8c-01
disable early late dependency required intel skip=success match-model-mode=off


@ -1,38 +1,63 @@
Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1) Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
have reports of system hangs when a microcode update, that is included had reports of system hangs when a microcode update, that was included
since microcode-20201110 update, is applied[1]. In order to address this, since microcode-20201110 update, was applied[1]. In order to address this,
microcode update has been disabled by default on these systems. microcode update had been disabled by default on these systems. The revision
0x88 seems to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
For the reference, SHA1 checksums of 06-8c-01 microcode files containing
microcode revisions in question are listed below:
* 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04
* 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
* 06-8c-01, revision 0x9a: 48b3ae8d27d8138b5b47052d2f8184bf555ad18e
* 06-8c-01, revision 0xa4: 70753f54f5be84376bdebeb710595e4dc2f6d92f
* 06-8c-01, revision 0xa6: fdcf89e3a15a20df8aeee215b78bf5d13d731044
* 06-8c-01, revision 0xaa: cf84883f6b3184690c25ccade0b10fa839ac8657
* 06-8c-01, revision 0xac: b9f342e564a0be372ed1f4709263bf811feb022a
* 06-8c-01, revision 0xb4: 6596bb8696cde85538bb833d090f0b7a42d6ae14
* 06-8c-01, revision 0xb6: 76556e8248a89f38cd55a6c83dccc995ba176091
Please contact your system vendor for a BIOS/firmware update that contains Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0145 (Fast store forward predictor - Cross Domain Training):
https://access.redhat.com/articles/6716541
* CVE-2022-21123 (Shared Buffers Data Read):
https://access.redhat.com/articles/6963124
The information regarding enforcing microcode update is provided below. The information regarding disabling microcode update is provided below.
To enforce usage of the latest 06-8c-01 microcode revision for a specific kernel To disable 06-8c-01 microcode updates for a specific kernel
version, please create a file "force-intel-06-8c-01" inside version, please create a file "disallow-intel-06-8c-01" inside
/lib/firmware/<kernel_version> directory, run /lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory "/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
where microcode will be available for late microcode update, and run directory where microcode is available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version "dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated and the microcode can be loaded early, for example: is regenerated, for example:
touch /lib/firmware/3.10.0-862.9.1/force-intel-06-8c-01 touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
/usr/libexec/microcode_ctl/update_ucode /usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1 dracut -f --kver 3.10.0-862.9.1
After that, it is possible to perform a late microcode update by executing To avoid addition of this microcode for all kernels, please create file
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
"/sys/devices/system/cpu/microcode/reload" directly. "/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:
To enforce addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01", run
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
and "dracut -f --regenerate-all" for enabling early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01 touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
/usr/libexec/microcode_ctl/update_ucode /usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all dracut -f --regenerate-all
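
Review bot: The added sentence "The revision 0x88 seems to have fixed the aforementioned issue" has no reference behind it, whereas the 06-5e-03 readme in this change cites an upstream issue comment for the equivalent claim. Since this sentence is the justification for enabling the update by default, please add a link or state the evidence. Separately, the new introduction says the articles cover "specific side-channel cache attacks", but the list under it includes CVE-2020-24489 (VT-d-related Privilege Escalation); a more general wording would match the entries.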


@ -1,4 +1,5 @@
path intel-ucode/* path intel-ucode/*
vendor GenuineIntel vendor GenuineIntel
dmi mode=fail-equal key=bios_vendor val="Dell Inc." dmi mode=fail-equal key=bios_vendor val="Dell Inc."
dependency required intel
disable early late disable early late


@ -82,6 +82,65 @@ in question:
* 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542 * 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542
* 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c * 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c
* 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d
* 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8
* 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac
* 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3
* 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668
* 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4
* 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c
* 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4
* 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a
* 06-8e-09, revision 0xec: 78eb624be5e8084e438318bdad99f9ddc082def7
* 06-8e-0a, revision 0xec: 6c41a6ad412f48f81a9d5edf59dcdecc358398bf
* 06-8e-0b, revision 0xec: 89dd0de598c83eb9714f6839499f322dfce2b693
* 06-8e-0c, revision 0xec: 225ea349b9cb3b1b94e237deb797e0c60d14a84c
* 06-9e-09, revision 0xec: fc5c0206fe392a0ddad4dc9363fde2d3e3d1e681
* 06-9e-0a, revision 0xec: 128002076e4ac3c75697fb4efdf1f8ddcc971fbe
* 06-9e-0b, revision 0xec: ac8c3865a143b2e03869f15a5b86e560f60ad632
* 06-9e-0c, revision 0xec: 6e3d695290def517857c8e743dc65161479f0c04
* 06-9e-0d, revision 0xec: 58b1ec5fee7dd1a761ed901b374ccb978737a979
* 06-8e-09, revision 0xf0: 219e2b9168a09451b17813b97995cc59cc78b414
* 06-8e-0a, revision 0xf0: 3c4241d0b9d1a1a1e82d03b365fdd3b843006a7c
* 06-8e-0b, revision 0xf0: 79b61f034cba86e61641114bbab49ec0166c0f35
* 06-8e-0c, revision 0xf0: 11d166de440dbe9c440e90cb610ef4b9d48242b1
* 06-9e-09, revision 0xf0: 49e142da74e7298b2db738ff7dd1a9b0fa4e0c3e
* 06-9e-0a, revision 0xf0: 8de1d4a80cd683bf09854c33905c69d3d7ac7730
* 06-9e-0b, revision 0xf0: ff092c6ac8333f0abcd94f7d2e2088f31d960e62
* 06-9e-0c, revision 0xf0: 3702f21e87b75bea6f4b1ee0407b941ef31d4ad1
* 06-9e-0d, revision 0xf0: 226feaaa431eb76e734ab68efc2ea7b07aa3c7d9
* 06-8e-0c, revision 0xf4: 6a5e140bf8c046acb6958bad1db1fee66c8601ad
* 06-9e-0d, revision 0xf4: 3433d4394b05a9c8aefb9c46674bad7b7e934f11
* 06-8e-09, revision 0xf2: 2e67e55d7b805edcfaac57898088323df7315b25
* 06-8e-0a, revision 0xf2: f9e1dbeb969ded845b726c62336f243099714bcf
* 06-8e-0b, revision 0xf2: 3d45fbcbefd92dbbedf0eed04aeb29c7430c7c0e
* 06-8e-0c, revision 0xf6: bd37be38dbd046d4d66f126cfaa79e43bfe88c0d
* 06-9e-09, revision 0xf2: 716257544acf2c871d74e4627e7de86ee1024185
* 06-9e-0a, revision 0xf2: 933c5d6710195336381e15a160d36aaa52d358fd
* 06-9e-0b, revision 0xf2: 92eaafdb72f6d4231046aadb92caa0038e94fca8
* 06-9e-0c, revision 0xf2: ad8922b4f91b5214dd88c56c0a12d15edb9cea5b
* 06-9e-0d, revision 0xf8: 8fdea727c6ce46b26e0cffa6ee4ff1ba0c45cf14
* 06-8e-09, revision 0xf4: e059ab6b168f3831d624acc153e18ab1c8488570
* 06-8e-0a, revision 0xf4: d1ade1ccfe5c6105d0786dfe887696808954f8b4
* 06-8e-0b, revision 0xf4: 0bc93736f3f5b8b6569bebac4e9627ab923621e0
* 06-8e-0c, revision 0xf8: be93b4826a3f40219a9fc4fc5afa87b320279f6e
* 06-9e-09, revision 0xf4: 317564f3ac7b99b5900b91e2be3e23b9b66bc2c0
* 06-9e-0a, revision 0xf4: 9659f73e2c6081eb5c146c5ed763fa5db21df901
* 06-9e-0b, revision 0xf4: e60b567ad54da129d05a77e305cae4488579979d
* 06-9e-0c, revision 0xf4: 74d52a11a905dd7b254fa72b014c3bab8022ba3d
* 06-9e-0d, revision 0xfa: 484738563e793d5b90b94869dc06edf0407182f1
* 06-8e-0c, revision 0xfa: d2c2ed4634b2f345382991237bedb90430fcc0b3
* 06-9e-09, revision 0xf8: 69b8a5435bfb976ef5ec5930dae870e26835442e
* 06-9e-0a, revision 0xf6: c1f0f556cd203aa6e1d0d1ffb0a65b32f32692be
* 06-9e-0c, revision 0xf6: a8dfddd009f750b6528f93556b67d4eeca1e5dfa
* 06-9e-0d, revision 0xfc: a0ad865fd2d3b9d955a889c96fabc67da0235dda
Please contact your system vendor for a BIOS/firmware update that contains Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer required for mitigating specific side-channel cache attacks, please refer
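
Review bot: The added checksum entries are not sorted by revision and carry no label for the groups they fall into: the 0xf4 rows for 06-8e-0c and 06-9e-0d come before the 0xf2 rows, and later groups mix revisions (for example 06-8e-0c at 0xf6 among 0xf2 entries). Presumably each group corresponds to one upstream microcode release; naming that release above each group would let a reader match a checksum to the release it came from.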
@ -108,6 +167,20 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
The information regarding disabling microcode update is provided below. The information regarding disabling microcode update is provided below.


@ -4,14 +4,4 @@ vendor GenuineIntel
## in cases where no model filter is used is too broad, hence ## in cases where no model filter is used is too broad, hence
## no-model-mode=success. ## no-model-mode=success.
dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc." dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc."
## The "kernel_early" statements are carried over from the intel caveat config dependency required intel
## in order to avoid enabling this newer microcode on these problematic kernels;
## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme
## (That also means that this caveat has to be enforced separately on these
## kernels.)
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1


@ -82,6 +82,65 @@ in question:
* 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542 * 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542
* 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c * 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c
* 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d
* 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8
* 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac
* 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3
* 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668
* 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4
* 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c
* 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4
* 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a
* 06-8e-09, revision 0xec: 78eb624be5e8084e438318bdad99f9ddc082def7
* 06-8e-0a, revision 0xec: 6c41a6ad412f48f81a9d5edf59dcdecc358398bf
* 06-8e-0b, revision 0xec: 89dd0de598c83eb9714f6839499f322dfce2b693
* 06-8e-0c, revision 0xec: 225ea349b9cb3b1b94e237deb797e0c60d14a84c
* 06-9e-09, revision 0xec: fc5c0206fe392a0ddad4dc9363fde2d3e3d1e681
* 06-9e-0a, revision 0xec: 128002076e4ac3c75697fb4efdf1f8ddcc971fbe
* 06-9e-0b, revision 0xec: ac8c3865a143b2e03869f15a5b86e560f60ad632
* 06-9e-0c, revision 0xec: 6e3d695290def517857c8e743dc65161479f0c04
* 06-9e-0d, revision 0xec: 58b1ec5fee7dd1a761ed901b374ccb978737a979
* 06-8e-09, revision 0xf0: 219e2b9168a09451b17813b97995cc59cc78b414
* 06-8e-0a, revision 0xf0: 3c4241d0b9d1a1a1e82d03b365fdd3b843006a7c
* 06-8e-0b, revision 0xf0: 79b61f034cba86e61641114bbab49ec0166c0f35
* 06-8e-0c, revision 0xf0: 11d166de440dbe9c440e90cb610ef4b9d48242b1
* 06-9e-09, revision 0xf0: 49e142da74e7298b2db738ff7dd1a9b0fa4e0c3e
* 06-9e-0a, revision 0xf0: 8de1d4a80cd683bf09854c33905c69d3d7ac7730
* 06-9e-0b, revision 0xf0: ff092c6ac8333f0abcd94f7d2e2088f31d960e62
* 06-9e-0c, revision 0xf0: 3702f21e87b75bea6f4b1ee0407b941ef31d4ad1
* 06-9e-0d, revision 0xf0: 226feaaa431eb76e734ab68efc2ea7b07aa3c7d9
* 06-8e-0c, revision 0xf4: 6a5e140bf8c046acb6958bad1db1fee66c8601ad
* 06-9e-0d, revision 0xf4: 3433d4394b05a9c8aefb9c46674bad7b7e934f11
* 06-8e-09, revision 0xf2: 2e67e55d7b805edcfaac57898088323df7315b25
* 06-8e-0a, revision 0xf2: f9e1dbeb969ded845b726c62336f243099714bcf
* 06-8e-0b, revision 0xf2: 3d45fbcbefd92dbbedf0eed04aeb29c7430c7c0e
* 06-8e-0c, revision 0xf6: bd37be38dbd046d4d66f126cfaa79e43bfe88c0d
* 06-9e-09, revision 0xf2: 716257544acf2c871d74e4627e7de86ee1024185
* 06-9e-0a, revision 0xf2: 933c5d6710195336381e15a160d36aaa52d358fd
* 06-9e-0b, revision 0xf2: 92eaafdb72f6d4231046aadb92caa0038e94fca8
* 06-9e-0c, revision 0xf2: ad8922b4f91b5214dd88c56c0a12d15edb9cea5b
* 06-9e-0d, revision 0xf8: 8fdea727c6ce46b26e0cffa6ee4ff1ba0c45cf14
* 06-8e-09, revision 0xf4: e059ab6b168f3831d624acc153e18ab1c8488570
* 06-8e-0a, revision 0xf4: d1ade1ccfe5c6105d0786dfe887696808954f8b4
* 06-8e-0b, revision 0xf4: 0bc93736f3f5b8b6569bebac4e9627ab923621e0
* 06-8e-0c, revision 0xf8: be93b4826a3f40219a9fc4fc5afa87b320279f6e
* 06-9e-09, revision 0xf4: 317564f3ac7b99b5900b91e2be3e23b9b66bc2c0
* 06-9e-0a, revision 0xf4: 9659f73e2c6081eb5c146c5ed763fa5db21df901
* 06-9e-0b, revision 0xf4: e60b567ad54da129d05a77e305cae4488579979d
* 06-9e-0c, revision 0xf4: 74d52a11a905dd7b254fa72b014c3bab8022ba3d
* 06-9e-0d, revision 0xfa: 484738563e793d5b90b94869dc06edf0407182f1
* 06-8e-0c, revision 0xfa: d2c2ed4634b2f345382991237bedb90430fcc0b3
* 06-9e-09, revision 0xf8: 69b8a5435bfb976ef5ec5930dae870e26835442e
* 06-9e-0a, revision 0xf6: c1f0f556cd203aa6e1d0d1ffb0a65b32f32692be
* 06-9e-0c, revision 0xf6: a8dfddd009f750b6528f93556b67d4eeca1e5dfa
* 06-9e-0d, revision 0xfc: a0ad865fd2d3b9d955a889c96fabc67da0235dda
Please contact your system vendor for a BIOS/firmware update that contains Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer required for mitigating specific side-channel cache attacks, please refer
@ -108,6 +167,20 @@ to the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
The information regarding disabling microcode update is provided below. The information regarding disabling microcode update is provided below.
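Review bot: the CVE list added in this hunk is shorter than the matching list added to the caveats documentation later in this commit. The 6716541 entry here names only CVE-2021-0127, while the other copy also names CVE-2021-0145, CVE-2021-0146 and CVE-2021-33120; the 6963124 entry omits CVE-2022-21131 and CVE-2022-21136; and the CVE-2022-21233 entry (articles/6976398) is absent. If the two lists are meant to agree, bring this one in line so that a reader checking mitigation coverage from this file alone does not get an incomplete picture.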

View File

@ -22,6 +22,30 @@ microcode files and their usage.
* SECURITY.intel-ucode * SECURITY.intel-ucode
"security.md" file from the Intel x86 CPU microcode archive. "security.md" file from the Intel x86 CPU microcode archive.
* SUMMARY.intel-ucode * SUMMARY.intel-ucode
Information about supplied microcode files extracted from their headers. Information about supplied microcode files extracted from their headers,
in a table form. Columns have the following meaning:
* "Path": path to the microcode file under one of the following directories:
* /usr/share/microcode_ctl/ucode_with_caveats/intel
* /usr/share/microcode_ctl/ucode_with_caveats
* /usr/share/microcode_ctl
* /lib/firmware
* /etc/firmware
* "Offset": offset of the microcode blob within the micocode file in bytes.
* "Ext. Offset": offset of the extended signature header within
the microcode file in bytes.
* "Data Size": size of microcode data in bytes. 0 means 2000 bytes.
* "Total Size": size of microcode blob in bytes, incuding headers.
0 means 2048 bytes.
* "CPUID": CPU ID signature (in format returned by the CPUID instruction).
* "Platform ID Mask": mask of suitable Platform IDs (provided in bits
52..50 of MSR 0x17).
* "Revision": microcode revision.
* "Date": microcode creation date.
* "Checksum": sum (in base 1<< 32) of all 32-bit values comprising
the microcode (from Offset up to Offset + Total Size).
* "Codenames": list of known CPU codenames associated with the CPUID
and Platform ID Mask combination.
Please refer to README.cavets, section "Microcode file structure"
for additional information regarding microcode header fields.
* caveats * caveats
Directory that contains readme files for specific caveats. Directory that contains readme files for each specific caveat.
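Review bot: three typos in the added SUMMARY.intel-ucode description: "micocode file" in the "Offset" item, "incuding headers" in the "Total Size" item, and the cross-reference "README.cavets", which presumably should read README.caveats so that it names the file carrying the "Microcode file structure" section. The "Checksum" item also writes "1<< 32" where that section writes "1 << 32"; pick one spelling.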

View File

@ -89,6 +89,75 @@ installation or removal of a kernel RPM in order to provide microcode files
for newly installed kernels and cleanup symlinks for the uninstalled ones. for newly installed kernels and cleanup symlinks for the uninstalled ones.
Microcode file structure
------------------------
Intel x86 CPU microcode file (that is, one that can be directly consumed
by the CPU/kernel, and not its text representation such as used in microcode.dat
files) is a bundle of concatenated microcode blobs. Each blob has a header,
payload, and an optional additional data, as follows (for additional information
please refer to "Intel® 64 and IA-32 Architectures Software Developers Manual"
[1], Volume 3A, Section 9.11.1 "Microcode Update"):
* Header (48 bytes)
* Header version (unsigned 32-bit integer): version number of the update
header. Must be 0x1.
* Microcode revision (signed 32-bit integer)
* Microcode date (unsigned 32-bit integer): encoded as BCD in mmddyyyy format
(0x03141592 is 1592-03-14 in ISO 8601)
* CPU signature (unsigned 32-bit integer): CPU ID, as provided
by the CPUID (EAX = 0x1) instruction in the EAX register:
* bits 31..28: reserved
* bits 27..20: "Extended Family", summed with the Family field value
* bits 19..16: "Extended Model", bits 7..4 of the CPU model
* bits 15..14: reserved
* bits 13..12: "Processor Type", non-zero value (other than the "primary
processor") so far used only for the Deschutes (Pentium II) CPU family,
with the processor type of 1, to signify it is an Overdrive processor:
CPUID 0x1632.
* bits 11..08: Family, summed with the Extended Family field value
* bits 07..04: Model (bits 3..0)
* bits 03..00: Stepping
In short, microcode file with Family-Model-Stepping of uv-wx-0z corresponds
to CPUID 0x0TUw0Vxz, where uv = TU + V, with V usually being 0xF when
uv >= 16; with Family being 6 on most of recent Intel CPUs this transforms
into 0x000w06xz. Please also refer to README.intel-ucode, section "About
Processor Signature, Family, Model, Stepping and Platform ID"
for additional information.
* Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32) of all
the 32-bit integers comprising the microcode amounts to 0.
* Loader version (unsigned 32-bit integer): 0x1.
* Platform ID mask (unsigned 32-bit integer): lower 8 bits indicate the set
of possible values of bits 52..50 of MSR 0x17 ("Platform ID"). In old
(up to Pentium II) microcode blobs the mask may be zero.
* Data size (unsigned 32-bit integer): size of the Payload in bytes,
has to be divisible by 4. 0 means 2000.
* Total size (unsigned 32-bit integer): total microcode blob size (including
header and extended header), has to be divisible by 1024. 0 means 2048.
* Reserved (12 bytes).
* Payload
* Additional data (optional, 20 + 12 * n bytes)
* Extended signature table header (20 bytes)
* Extended signature count (unsigned 32-bit integer)
* Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32)
of all the 32-bit integers comprising the extender signature table
amounts to 0.
* Reserved (12 bytes).
* Extended signature (12 bytes each)
* CPU signature (unsigned 32-bit integer): see the description of the CPU
signature field in the Header above.
* Platform ID mask (unsigned 32-bit integer): see the description
of the Platform ID mask field in the Header above.
* Checksum (unsigned 32-bit integer): correct if sum (in base 1<< 32)
of all the 32-bit integers comprising the Header (with CPU signature
and Platform ID mask fields replaced with the values from this signature)
and the Payload amounts to 0. Note that since External signature table
header has its own checksum, sum of all its 32-bit values amounts to 0,
so the Checksum in the Header and in the Extended signature will be
the same if the values of CPU signature and Platform ID mask fields
are the same,
[1] https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-1-2a-2b-2c-2d-3a-3b-3c-3d-and-4.html
Caveat configuration Caveat configuration
-------------------- --------------------
There is a directory for each caveat under There is a directory for each caveat under
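Review bot: the additional-data part of the new "Microcode file structure" section names one structure three ways: "Extended signature table header", "extender signature table" (in its Checksum item) and "External signature table header" (in the last Checksum item); use "Extended" throughout, and end the last item with a full stop instead of "are the same,". Because this text is what a reader would follow to validate a blob, it would also help to say outright that the Header checksum is taken over the whole blob including the extended signature table, which the last item only implies.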
@ -156,10 +225,6 @@ separated by white space. Currently, the following options are supported:
configuration. Argument for the argument is a list of stages ("early", configuration. Argument for the argument is a list of stages ("early",
"late") for which the caveat should be disable. The configuration option "late") for which the caveat should be disable. The configuration option
can be provided multiple times in a configuration file. can be provided multiple times in a configuration file.
* "blacklist" is a marker for a start of list of blacklisted model names,
one model name per line. The model name of the running CPU (as reported
in /proc/cpuinfo) is compared against the names in the provided list, and,
if there is a match, caveat check fails.
* "pci_config_val" performs check for specific values in selected parts * "pci_config_val" performs check for specific values in selected parts
of configuration space of specified PCI devices. If "-m" option of configuration space of specified PCI devices. If "-m" option
is not specified, then the actual check is skipped, and the check returns is not specified, then the actual check is skipped, and the check returns
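Review bot: the hunk removes "blacklist" from the list of supported options without saying what happens to an existing caveat configuration that still contains a "blacklist" section. If the parser no longer handles it, state here whether such a section is ignored or treated as an error, so that a locally maintained configuration under /etc/microcode_ctl/ucode_with_caveats does not silently lose its model filter.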
@ -204,8 +269,9 @@ separated by white space. Currently, the following options are supported:
it fails (in accordance with "mode=success-all" semantics). This check fails it fails (in accordance with "mode=success-all" semantics). This check fails
if "-m" option is not specified. if "-m" option is not specified.
* "dmi" performs checks for specific values available in DMI sysfs files * "dmi" performs checks for specific values available in DMI sysfs files
(present under /sys/devices/virtual/dmi/id/). The check fails if file (present under /sys/devices/virtual/dmi/id/). The check (when it is actually
is not readable. If "-m" option is specified, then the actual check performed; see a not about "no-model-mode" below) fails if one of the files
is not readable. If "-m" option is not specified, then the actual check
is skipped, and the check returns value in accordance with "no-model-mode" is skipped, and the check returns value in accordance with "no-model-mode"
parameter value (see below). Check arguments are a white-space-separated parameter value (see below). Check arguments are a white-space-separated
list of "key=value" pairs. The following keys are supported: list of "key=value" pairs. The following keys are supported:
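Review bot: typo in the added text of the "dmi" item: "see a not about "no-model-mode" below" should read "see a note about". The corrected condition ("If "-m" option is not specified, then the actual check is skipped") now agrees with the wording of the "pci_config_val" item.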
@ -215,17 +281,30 @@ separated by white space. Currently, the following options are supported:
chassis_type, chassis_vendor, chassis_version, product_family, chassis_type, chassis_vendor, chassis_version, product_family,
product_name, product_serial, product_uuid, product_version, sys_vendor. product_name, product_serial, product_uuid, product_version, sys_vendor.
Default is empty string. Default is empty string.
* "val" - a string to match DMI data against. Can be enclosed in single * "val" - a string to match DMI data present in "key" against.
or double quotes. Default is empty string. Can be enclosed in single or double quotes. Default is empty string.
* "mode" - check mode, the way matches are interpreted: * "keyval" - a pair of "key" and "val" values (with semantics described
above), separated with either "=", ":", "!=", or "!:" characters. Enables
providing of multiple key-value pairs by means of supplying multiple
keyval= parameters. The exclamation sign ("!") character in separator
enables negated matching (so, non-equality of the value in DMI "key" file
and the value of "val" is). The match considered successful when all
the key/val (non-)equalities are in effect. This parameter works
in addition to the pair provided in "key" and "val" parameters
(but allows to avoid using them). Default is empty.
* "mode" - check mode, the way successful matches are interpreted:
* "success-equal" - returns 0 if the value present in the file * "success-equal" - returns 0 if the value present in the file
with the name supplied via the "key" parameter file under with the name supplied via the "key" parameter file under
/sys/devices/virtual/dmi/id/ is equal to the value supplied as a value /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
of "val" parameter, otherwise 1. of "val" parameter and all the pairs provided in "keyval" parameters
* "success-equal" - returns 1 if the value present in the file are equal and non-equal in accordance with their definition,
otherwise 1.
* "fail-equal" - returns 1 if the value present in the file
with the name supplied via the "key" parameter file under with the name supplied via the "key" parameter file under
/sys/devices/virtual/dmi/id/ is equal to the value supplied as a value /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
of "val" parameter, otherwise 0. of "val" parameter and all the pairs provided in "keyval" parameters
are equal and non-equal in accordance with their definition,
otherwise 0.
Default is "success-any". Default is "success-any".
* "no-model-mode" - return value if model filter ("-m" option) * "no-model-mode" - return value if model filter ("-m" option)
is not enabled: is not enabled:
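Review bot: the unchanged line "Default is "success-any"." under "mode" names a value that is not one of the two documented modes, and check_dmi_val initialises mode='success-equal'; correct it while this list is being edited. In the new "keyval" item the parenthetical "(so, non-equality of the value in DMI "key" file and the value of "val" is)" is an unfinished sentence; say what is tested, for example that the pair matches when the file content differs from "val".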
@ -237,6 +316,61 @@ separated by white space. Currently, the following options are supported:
It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its
content is "Dell Inc." (without quotes). It succeeds if "-m" option content is "Dell Inc." (without quotes). It succeeds if "-m" option
is not enabled. is not enabled.
Another example:
dmi mode=fail-equal keyval="sys_vendor=Amazon EC2" keyval="product_name=u-18tb1.metal"
dmi mode=fail-equal keyval="sys_vendor=Lenovo" keyval="product_name=ThinkSystem SR950"
It blocks the caveat from using when either both
/sys/devices/virtual/dmi/id/sys_vendor contains the string "Amazon EC2"
and /sys/devices/virtual/dmi/id/product_name contains the string
"u-18tb1.metal" or both /sys/devices/virtual/dmi/id/sys_vendor contains
the string "Lenovo" and /sys/devices/virtual/dmi/id/product_name contains
the string "ThinkSystem SR950", but enables caveat loading for other products
with the aforementioned /sys/devices/virtual/dmi/id/sys_vendor values,
for example.
* "dependency" allows conditional enablement of a caveat based on the check
status of some other caveat(s). It has the following format:
dependency DEPENDENCY_TYPE DEPENDENCY_NAME [OPTION...]
where DEPENDENCY_NAME is the configuration to be checked, OPTIONs
are per-DEPENDENCY_TYPE, and the only DEPENDENCY_TYPE that is supported
currently is "required".
Options for the "required" dependency type:
* "match-model-mode" - whether model matching mode ("-m" option)
has to be used for the nested configuration check. Possible values:
* "on" - model-matching mode is always used during the nested check;
* "off" - model-matching mode is never used during the nested check;
* "same" - used the same model-matching mode as it is now.
Default is "same".
* "skip" - controls result of the check when the nested check indicated
skipping of the configuration.
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "skip".
* "force-skip" - controls result of the check when the nested check
indicated skipping of the configuration caused by the presence
of an override file (see "check_caveats script" section for details).
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "skip".
* "nesting-too-deep" - as a measure against dependency loop, configuration
checking logic implements nesting limit on dependency checks (currently
set at 8). This option controls the behaviour of the check
when the nested check cannot be performed due to this limit.
* "fail" - the dependent check fails;
* "success" - the dependent check succeeds;
* "skip" - the dependent check indicates that the configuration
is to be skipped.
Default is "fail".
An example of a check:
dependency required intel skip=success match-model-mode=off
It checks "intel" caveat configuration (see the "Early microcode load
inside a virtual machine" section) with model-matching mode being disabled,
treats skipping of the configuration as a success (unless the configuration
is forced to be skipped, in that case the dependent configuration
is to be skipped as well).
check_caveats script check_caveats script
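Review bot: the new "dependency" documentation does not mention that DEPENDENCY_NAME is rejected when it contains a slash, which check_dependency enforces with the "cannot contain slashes" error; add that constraint next to the format line so that it is documented where configuration authors will look. Wording in the same hunk: "It blocks the caveat from using when" should be "from being used when", and "used the same model-matching mode as it is now" should be "use the same model-matching mode as the current check".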
@ -473,6 +607,8 @@ Caveat name: intel-06-4f-01
Affected microcode: intel-ucode/06-4f-01. Affected microcode: intel-ucode/06-4f-01.
Dependencies: intel
Mitigation: microcode loading is disabled for the affected CPU model. Mitigation: microcode loading is disabled for the affected CPU model.
Minimum versions of the kernel package that contain the aforementioned patch Minimum versions of the kernel package that contain the aforementioned patch
@ -501,6 +637,8 @@ Caveat name: intel
Affected microcode: all. Affected microcode: all.
Dependencies: (none)
Mitigation: early microcode loading is disabled for all CPU models on kernels Mitigation: early microcode loading is disabled for all CPU models on kernels
without the fix. without the fix.
@ -537,6 +675,8 @@ Caveat name: intel-06-2d-07
Affected microcode: intel-ucode/06-2d-07. Affected microcode: intel-ucode/06-2d-07.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default; Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0x714 is still available as a fallback previously published microcode revision 0x714 is still available as a fallback
as part of "intel" caveat. as part of "intel" caveat.
@ -566,35 +706,64 @@ Caveat name: intel-06-55-04
Affected microcode: intel-ucode/06-55-04. Affected microcode: intel-ucode/06-55-04.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default; Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0x2000064 is still available previously published microcode revision 0x2000064 is still available
as a fallback as part of "intel" caveat. as a fallback as part of "intel" caveat.
Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats Intel Skylake-U/Y caveat
---------------------------------------- ------------------------
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3; Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
and SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of system have reports of system hangs when revision 0xdc of microcode, that is included
hangs when revision 0xdc of microcode, that is included in microcode-20200609 in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, and CVE-2020-0549, is applied[1]. In order to address this, microcode update
is applied[1][2]. In order to address this, microcode update to the newer to the newer revision has been disabled by default on these systems,
revision has been disabled by default on these systems, and the previously and the previously published microcode revision 0xd6 is used instead; the newer
published microcode revision 0xd6 is used instead; the newer microcode files, microcode files, however, are still shipped as part of microcode_ctl package
however, are still shipped as part of microcode_ctl package and can be used and can be used for performing a microcode update if they are enforced
for performing a microcode update if they are enforced via the aforementioned via the aforementioned overrides. (See the sections "check_caveats script"
overrides. (See the sections "check_caveats script" and "reload_microcode and "reload_microcode script" for details.)
script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
Caveat names: intel-06-4e-03, intel-06-5e-03 Caveat name: intel-06-4e-03
Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03. Affected microcode: intel-ucode/06-4e-03
Dependencies: intel
Mitigation: previously published microcode revision 0xd6 is used by default. Mitigation: previously published microcode revision 0xd6 is used by default.
Intel Skylake-H/S/Xeon E3 v5 caveat
-----------------------------------
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) had reports of system hangs when revision 0xdc of microcode,
that is included in microcode-20200609 update to address CVE-2020-0543,
CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order to address this,
microcode update to the newer revision had been disabled by default on these
systems, and the previously published microcode revision 0xd6 was used instead.
The revision 0xea seems[2] to have fixed the aforementioned issue, hence
the latest microcode revision usage it is enabled by default,
but can be disabled explicitly via the aforementioned overrides. (See
the sections "check_caveats script" and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
Caveat names: intel-06-5e-03
Affected microcode: intel-ucode/06-5e-03.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0xd6 is still available as a fallback
as part of "intel" caveat.
Dell caveats Dell caveats
------------ ------------
Some Dell systems that use some models of Intel CPUs are susceptible to hangs Some Dell systems that use some models of Intel CPUs are susceptible to hangs
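Review bot: in the new "Intel Skylake-H/S/Xeon E3 v5 caveat" section the sentence "hence the latest microcode revision usage it is enabled by default" is garbled; "hence use of the latest microcode revision is enabled by default" reads correctly. That section also keeps the plural "Caveat names:" for the single name intel-06-5e-03, and the Skylake-U/Y section drops the full stop after "intel-ucode/06-4e-03" that the other "Affected microcode:" lines carry.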
@ -623,6 +792,8 @@ Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a,
intel-ucode/06-9e-0b, intel-ucode/06-9e-0c, intel-ucode/06-9e-0b, intel-ucode/06-9e-0c,
intel-ucode/06-9e-0d. intel-ucode/06-9e-0d.
Dependencies: intel
Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
by default if /sys/devices/virtual/dmi/id/bios_vendor reports by default if /sys/devices/virtual/dmi/id/bios_vendor reports
"Dell Inc."; otherwise, the latest microcode revision is used. "Dell Inc."; otherwise, the latest microcode revision is used.
@ -633,12 +804,12 @@ Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
Intel Tiger Lake-UP3/UP4 caveat Intel Tiger Lake-UP3/UP4 caveat
------------------------------- -------------------------------
Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140, Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140,
stepping 1) have reports of system hangs when a microcode update, stepping 1) had reports of system hangs when a microcode update,
that is included since microcode-20201110 release, is applied[1]. that was included since microcode-20201110 release, was applied[1].
In order to address this, microcode update to a newer revision has been disabled In order to address this, microcode update to a newer revision had been disabled
by default on these systems; the newer microcode file, however, is still shipped by default on these systems. The revision 0x88 seems to have fixed
as a part of microcode_ctl package and can be used for performing a microcode the aforementioned issue, hence it is enabled by default; however, it is still
update if it is enforced via the aforementioned overrides. (See the sections can be disabled via the aforementioned overrides. (See the sections
"check_caveats script" and "reload_microcode script" for details.) "check_caveats script" and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
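Review bot: the statement "The revision 0x88 seems to have fixed the aforementioned issue" carries no reference, unlike the equivalent statement in the Skylake-H/S section, which cites an issue comment as [2]; add the source, since this sentence is the whole justification for re-enabling the update by default. Also, "however, it is still can be disabled" should be "however, it can still be disabled".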
@ -647,7 +818,9 @@ Caveat names: intel-06-8c-01
Affected microcode: intel-ucode/06-8c-01. Affected microcode: intel-ucode/06-8c-01.
Mitigation: microcode loading is disabled for the affected CPU model. Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default.
@ -682,3 +855,24 @@ Intel CPU vulnerabilities is available in the following knowledge base articles:
CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor): CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051 https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow),
CVE-2021-0145 (Fast store forward predictor - Cross Domain Training),
CVE-2021-0146 (VT-d-related Privilege Escalation),
CVE-2021-33120 (Out of bounds read for some Intel Atom processors):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
CVE-2022-21136 (Overclocking service access protection),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
* CVE-2022-21233 (Stale Data Read from legacy xAPIC):
https://access.redhat.com/articles/6976398

View File

@ -5,10 +5,14 @@
# #
# SPDX-License-Identifier: CC0-1.0 # SPDX-License-Identifier: CC0-1.0
export LC_ALL=C
: ${MC_CAVEATS_DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats} : ${MC_CAVEATS_DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats}
: ${FW_DIR=/lib/firmware} : ${FW_DIR=/lib/firmware}
: ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats} : ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}
MAX_NESTING_LEVEL=8
usage() { usage() {
echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]' echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]'
echo ' [-m] [-v]' echo ' [-m] [-v]'
@ -165,7 +169,7 @@ check_pci_config_val()
local checked=0 matched=0 path='' local checked=0 matched=0 path=''
local dev_path dev_vid dev_did dev_val local dev_path dev_vid dev_did dev_val
local opts="${1:-}" local opts="${1:-}"
local match_model="${2:0}" local match_model="${2:-0}"
set -- $1 set -- $1
while [ "$#" -gt 0 ]; do while [ "$#" -gt 0 ]; do
@ -261,7 +265,7 @@ check_pci_config_val()
# It is needed for filtering by BIOS vendor name that is available in DMI data # It is needed for filtering by BIOS vendor name that is available in DMI data
# #
# $1 - params in config file, space-separated, in key=value form: # $1 - params in config file, space-separated, in key=value form:
# key= - DMI value to check. Can be one of the following: bios_date, # key= - DMI data record to check. Can be one of the following: bios_date,
# bios_vendor, bios_version, board_asset_tag, board_name, board_serial, # bios_vendor, bios_version, board_asset_tag, board_name, board_serial,
# board_vendor, board_version, chassis_asset_tag, chassis_serial, # board_vendor, board_version, chassis_asset_tag, chassis_serial,
# chassis_type, chassis_vendor, chassis_version, product_family, # chassis_type, chassis_vendor, chassis_version, product_family,
@ -269,26 +273,33 @@ check_pci_config_val()
# sys_vendor. # sys_vendor.
# val= - a string to match DMI data against. Can be enclosed in single # val= - a string to match DMI data against. Can be enclosed in single
# or double quotes. # or double quotes.
# keyval= - a string of format "KEY(!)?[=:]VAL" (so, one of "KEY=VAL",
# "KEY!=VAL", "KEY:VAL", "KEY!:VAL") that allows providing
# a key-value pair in a single parameter. It is possible to provide
# multiple keyval= parameters. "!" before :/= means negated match.
# The action supplied in the mode= parameter is executed upon
# successful (non-)matching of all the keyval pairs (as well
# as the pair provided in a pair of key= and val= parameters).
# mode=success-equal [ success-equal, fail-equal ] - matching mode: # mode=success-equal [ success-equal, fail-equal ] - matching mode:
# success-equal: Returns 0 if the value present in the corresponding file # success-equal: Returns 0 if the all values present in the corresponding
# under /sys/devices/virtual/dmi/id/<key> is equal # files under /sys/devices/virtual/dmi/id/<KEY> are equal
# to the value supplied as a value of "val" parameter, # (or not equal in case of a keyval= with negated match)
# otherwise 1. # to the respective values supplied as the values
# fail-equal: Returns 1 if the value present in the corresponding file # of the keyval= parameters or the pair of key= vand val=
# under /sys/devices/virtual/dmi/id/<key> is equal # parameters, otherwise 1.
# to the value supplied as a value of "val" parameter, # fail-equal: Returns 1 if all the values present in DMI files in sysfs
# otherwise 0. # match (as described above), otherwise 0.
# no-model-mode=success [ success, fail ] - return value if model filter # no-model-mode=success [ success, fail ] - return value if model filter
# is not enabled: # is not enabled:
# success: Return 0. # success: Return 0.
# fail: Return 1. # fail: Return 1.
# $2 - whether model filter is engaged (if it is not '1', just return the result # $2 - whether model filter is engaged (if it is not '1', just return the result
# based on "mode" value that assumes that the check has failed). # based on "no-model-mode" value).
check_dmi_val() check_dmi_val()
{ {
local key= val= mode='success-equal' nm_mode='success' local key= val= keyval= keyvals= mode='success-equal' nm_mode='success'
local opts="${1:-}" opt= opt_= local opts="${1:-}" opt= opt_=
local match_model="${2:0}" local match_model="${2:-0}"
local valid_keys=" bios_date bios_vendor bios_version board_asset_tag board_name board_serial board_vendor board_version chassis_asset_tag chassis_serial chassis_type chassis_vendor chassis_version product_family product_name product_serial product_uuid product_version sys_vendor " local valid_keys=" bios_date bios_vendor bios_version board_asset_tag board_name board_serial board_vendor board_version chassis_asset_tag chassis_serial chassis_type chassis_vendor chassis_version product_family product_name product_serial product_uuid product_version sys_vendor "
local success=1 local success=1
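Review bot: typos in the rewritten check_dmi_val header comment: "if the all values" should be "if all the values", and "key= vand val=" should be "key= and val=". The unchanged `local success=1` also looks like a leftover, because the rewritten body echoes its result directly and no longer reads that variable; drop it if nothing else in the function uses it.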
@ -305,21 +316,44 @@ check_dmi_val()
# Handle possible quoting # Handle possible quoting
[ "x${opt#val=}" = "x${opt}" ] || { [ "x${opt#val=}" = "x${opt}" ] || {
case "${opt#val=}" in case "${opt#val=}" in
[']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val=\'${val}\'" ;; [\']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val='${val}'" ;;
["]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;; [\"]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;;
*) val="${opt#val=}" ;; *) val="${opt#val=}" ;;
esac esac
} }
[ "x${opt#keyval=}" = "x${opt}" ] || {
case "${opt#keyval=}" in
[\']*)
opt_="${opts#keyval=\'}"
keyval="${opt_%%\'*}"
opt="keyval='${keyval}'"
keyvals="${keyvals}
${keyval}"
;;
[\"]*)
opt_="${opts#keyval=\"}"
keyval="${opt_%%\"*}"
opt="keyval=\"${keyval}\""
keyvals="${keyvals}
${keyval}"
;;
*)
keyvals="${keyvals}
${opt#keyval=}"
;;
esac
}
opts="${opts#"${opt}"}" opts="${opts#"${opt}"}"
continue continue
done done
# Check key for validity [ -z "$key" -a -z "$val" ] || keyvals="${key}=${val}${keyvals}"
[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
debug "Invalid \"key\" parameter value: \"${key}\"" [ -n "x${keyvals}" ] || {
debug "Neither key=, val=, nor keyval= parameters were privoded"
echo 2 echo 2
exit return
} }
[ 1 = "$match_model" ] || { [ 1 = "$match_model" ] || {
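Review bot: the emptiness test `[ -n "x${keyvals}" ]` can never fail, because the literal "x" keeps the string non-empty even when no key=, val= or keyval= parameter was supplied, so the "echo 2" error branch is unreachable. With an empty list the later loop skips every line and falls through to the final case, which reports a full match (0 for success-equal, 1 for fail-equal) for a dmi line that specified nothing. Test `[ -n "${keyvals}" ]` instead, and fix the typo "privoded" in the debug message.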
@ -332,23 +366,171 @@ check_dmi_val()
;; ;;
esac esac
exit return
}
case "$mode" in
success-equal|fail-equal) ;;
*) debug "Invalid mode value: \"${nm_mode}\""; echo 2; return ;;
esac
printf "%s\n" "${keyvals}" | (
while read l; do
[ -n "$l" ] || continue
key="${l%%[=:]*}"
val="${l#${key}[=:]}"
cmp="="
[ "x${key%!}" = "x${key}" ] || {
cmp="!="
key="${key%!}"
}
# Check key for validity
[ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || {
debug "Invalid \"key\" parameter value: \"${key}\""
echo 2
return
} }
[ -r "/sys/devices/virtual/dmi/id/${key}" ] || { [ -r "/sys/devices/virtual/dmi/id/${key}" ] || {
debug "Can't access /sys/devices/virtual/dmi/id/${key}" debug "Can't access /sys/devices/virtual/dmi/id/${key}"
echo 3 echo 3
exit return
} }
file_val="$(cat "/sys/devices/virtual/dmi/id/${key}")" file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")"
[ "x${val}" = "x${file_val}" ] || success=0 [ "x${val}" "${cmp}" "x${file_val}" ] || {
case "$mode" in
success-equal) echo 1 ;;
fail-equal) echo 0 ;;
esac
return
}
done
case "$mode" in case "$mode" in
success-equal) echo "$((1 - $success))" ;; success-equal) echo 0 ;;
fail-equal) echo "${success}" ;; fail-equal) echo 1 ;;
*) debug "Invalid mode value: \"${nm_mode}\""; echo 2 ;; esac
)
}
# check_dependency CURLEVEL DEP_TYPE DEP_NAME OPTS
# DEP_TYPE:
# required - caveat can be enabled only if dependency is enabled
# (is not forcefully disabled and meets caveat conditions)
# OPTS:
# match-model-mode=same [ on, off, same ] - what mode matching mode is to be used for dependency
# skip=skip [ fail, skip, success ]
# force-skip=skip [ fail, skip, success ]
# nesting-too-deep=fail [ fail, skip, success ]
# Return values:
# 0 - success
# 1 - fail
# 2 - skip
# 9 - error
check_dependency()
{
local cur_level="$1"
local dep_type="$2"
local dep_name="$3"
local match_model_mode=same old_match_model="${match_model}"
local skip=skip
local force_skip=skip
local nesting_too_deep=fail
local check="Dependency check for ${dep_type} ${dep_name}"
set -- ${4:-}
while [ "$#" -gt 0 ]; do
[ "x${1#match-model-mode=}" = "x${1}" ] || match_model_mode="${1#match-model-mode=}"
[ "x${1#skip=}" = "x${1}" ] || skip="${1#skip=}"
[ "x${1#force-skip=}" = "x${1}" ] || force_skip="${1#force-skip=}"
[ "x${1#nesting-too-deep=}" = "x${1}" ] || nesting_too_deep="${1#nesting-too-deep=}"
shift
done
case "${dep_type}" in
required)
[ "x${dep_name%/*}" = "x${dep_name}" ] || {
debug "${check} error: dependency name (${dep_name})" \
"cannot contain slashes"
echo 9
return
}
[ "${MAX_NESTING_LEVEL}" -ge "$cur_level" ] || {
local reason="nesting level is too deep (${cur_level}) and nesting-too-deep='${nesting_too_deep}'"
case "$nesting_too_deep" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: invalid" \
"nesting-too-deep mode" \
"(${nesting_too_deep})"; echo 9 ;;
esac
return
}
case "${match_model_mode}" in
same) ;;
on) match_model=1 ;;
off) match_model=0 ;;
*)
debug "${check} error: invalid match-model-mode" \
"(${match_model_mode})"
echo 9
return
;;
esac
local result=0
debug "${check}: calling check_caveat '${dep_name}'" \
"'$(($cur_level + 1))' match_model=${match_model}"
check_caveat "${dep_name}" "$(($cur_level + 1))" > /dev/null || result="$?"
match_model="${old_match_model}"
case "${result}" in
0) debug "${check} succeeded: result=${result}"; echo "${result}" ;;
1) debug "${check} failed: result=${result}"; echo "${result}" ;;
2)
local reason="result=${result} and skip='${skip}'"
case "${skip}" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: unexpected skip=" \
"setting (${skip})"; echo 9 ;;
esac
;;
3)
local reason="result=${result} and force_skip='${force_skip}'"
case "${force_skip}" in
success) debug "${check} succeeded: ${reason}"; echo 0 ;;
fail) debug "${check} failed: ${reason}"; echo 1 ;;
skip) debug "${check} skipped: ${reason}"; echo 2 ;;
*) debug "${check} error: unexpected force-skip=" \
"setting (${skip})"; echo 9 ;;
esac
;;
*)
debug "${check} error: unexpected check_caveat result" \
"(${result})"; echo 9 ;;
esac
;;
*)
debug "${check} error: unknown dependency type '${dep_type}'"
echo 9
;;
esac esac
} }
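Review bot: In check_dependency, the `*)` arm under result `3)` reports an unexpected force-skip= setting but prints `(${skip})` rather than `(${force_skip})`, so the debug line shows the wrong value; it looks copied from the `2)` arm above it. The new mode validation earlier in this hunk has the same kind of mismatch: it switches on `$mode` but logs `${nm_mode}`.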
@ -386,6 +568,12 @@ get_mc_path()
AuthenticAMD) AuthenticAMD)
echo "amd-ucode/$2" echo "amd-ucode/$2"
;; ;;
*)
# We actually only support Intel ucode, but things may break
# if nothing is printed (input would be gotten from stdin
# otherwise).
echo "invalid"
;;
esac esac
} }
@ -394,19 +582,6 @@ get_mc_ver()
/bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo /bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
} }
fail()
{
ret=1
fail_cfgs="$fail_cfgs $cfg"
fail_paths="$fail_paths $cfg_path"
[ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \
|| /bin/cat "${dir}/disclaimer"
}
#check_kver "$@"
#get_model_name
match_model=0 match_model=0
configs= configs=
@ -467,34 +642,44 @@ else
stage="late" stage="late"
fi fi
# check_caveat CFG [CHECK_LEVEL]
for cfg in $(echo "${configs}"); do # changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs,
dir="$MC_CAVEATS_DATA_DIR/$cfg" # skip_cfgs if CHECK_LEVEL is set to 0 (default).
# CHECK_LEVEL is used for recursive configuration dependency checks,
# We add cfg to the skip list first and then, if we do not skip it, # and indicates nesting level.
# we remove the configuration from the list. # Return value:
skip_cfgs="$skip_cfgs $cfg" # 0 - check is successful
# 1 - check has been failed
# 2 - configuration has been skipped
# 3 - configuration has been skipped due to presence of an override file
check_caveat() {
local cfg="$1"
local check_level="${2:-0}"
local dir="$MC_CAVEATS_DATA_DIR/$cfg"
[ -r "${dir}/readme" ] || { [ -r "${dir}/readme" ] || {
debug "File 'readme' in ${dir} is not found, skipping" debug "File 'readme' in ${dir} is not found, skipping"
continue return 2
} }
[ -r "${dir}/config" ] || { [ -r "${dir}/config" ] || {
debug "File 'config' in ${dir} is not found, skipping" debug "File 'config' in ${dir} is not found, skipping"
continue return 2
} }
cfg_model= local cfg_model=
cfg_vendor= local cfg_vendor=
cfg_path= local cfg_path=
cfg_kvers= local cfg_kvers=
cfg_kvers_early= local cfg_kvers_early=
cfg_blacklist= local cfg_mc_min_ver_late=
cfg_mc_min_ver_late= local cfg_disable=
cfg_disable= local cfg_pci=
cfg_pci= local cfg_dmi=
cfg_dmi= local cfg_dependency=
local key
local value
while read -r key value; do while read -r key value; do
case "$key" in case "$key" in
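Review bot: The header comment added above check_caveat says the function changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs and skip_cfgs when CHECK_LEVEL is 0, but the converted body shown here only returns 0 to 3 and the `skip_cfgs="$skip_cfgs $cfg"` update is removed from it. Reword the comment to describe the actual contract (status via return code, list bookkeeping left to the caller), otherwise readers of the recursive dependency path will look for side effects that are not there.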
@ -519,13 +704,6 @@ for cfg in $(echo "${configs}"); do
disable) disable)
cfg_disable="$cfg_disable $value " cfg_disable="$cfg_disable $value "
;; ;;
blacklist)
cfg_blacklist=1
# "blacklist" is special: it stops entity parsing,
# and the rest of file is a list of blacklisted model
# names.
break
;;
pci_config_val) pci_config_val)
cfg_pci="$cfg_pci cfg_pci="$cfg_pci
$value" $value"
@ -534,6 +712,10 @@ for cfg in $(echo "${configs}"); do
cfg_dmi="$cfg_dmi cfg_dmi="$cfg_dmi
$value" $value"
;; ;;
dependency)
cfg_dependency="$cfg_dependency
$value"
;;
'#'*|'') '#'*|'')
continue continue
;; ;;
@ -544,12 +726,8 @@ for cfg in $(echo "${configs}"); do
esac esac
done < "${dir}/config" done < "${dir}/config"
[ -z "${cfg_blacklist}" ] || \
cfg_blacklist=$(/bin/sed -n '/^blacklist$/,$p' "${dir}/config" |
/usr/bin/tail -n +2)
debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'" debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'"
debug "${cfg}: blacklist '$cfg_blacklist'" echo "$cfg_path"
# Check for override files in the following order: # Check for override files in the following order:
# - disallow early/late specific caveat for specific kernel # - disallow early/late specific caveat for specific kernel
@ -570,10 +748,10 @@ for cfg in $(echo "${configs}"); do
# - force early/late everyhting # - force early/late everyhting
# - disallow everything # - disallow everything
# - force everyhting # - force everyhting
ignore_cfg=0 local ignore_cfg=0
force_cfg=0 local force_cfg=0
override_file="" local override_file=""
overrides=" local overrides="
0:$FW_DIR/$kver/disallow-$stage-$cfg 0:$FW_DIR/$kver/disallow-$stage-$cfg
1:$FW_DIR/$kver/force-$stage-$cfg 1:$FW_DIR/$kver/force-$stage-$cfg
0:$FW_DIR/$kver/disallow-$cfg 0:$FW_DIR/$kver/disallow-$cfg
@ -590,6 +768,9 @@ for cfg in $(echo "${configs}"); do
1:$CFG_DIR/force-$stage 1:$CFG_DIR/force-$stage
0:$CFG_DIR/disallow 0:$CFG_DIR/disallow
1:$CFG_DIR/force" 1:$CFG_DIR/force"
local o
local o_force
local override_file
for o in $(echo "$overrides"); do for o in $(echo "$overrides"); do
o_force=${o%%:*} o_force=${o%%:*}
override_file=${o#$o_force:} override_file=${o#$o_force:}
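Review bot: `local override_file` is declared a second time here, although the previous hunk already adds `local override_file=""` next to `ignore_cfg` and `force_cfg`. Drop one of the two declarations so it is clear which one initialises the variable that the later "ignored due to presence of" message prints.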
@ -608,7 +789,7 @@ for cfg in $(echo "${configs}"); do
[ 0 -eq "$ignore_cfg" ] || { [ 0 -eq "$ignore_cfg" ] || {
debug "Configuration \"$cfg\" is ignored due to presence of" \ debug "Configuration \"$cfg\" is ignored due to presence of" \
"\"$override_file\"." "\"$override_file\"."
continue return 3
} }
# Check model if model filter is enabled # Check model if model filter is enabled
@ -617,21 +798,22 @@ for cfg in $(echo "${configs}"); do
debug "Current CPU model '$cpu_model' doesn't" \ debug "Current CPU model '$cpu_model' doesn't" \
"match configuration CPU model '$cfg_model'," \ "match configuration CPU model '$cfg_model'," \
"skipping" "skipping"
continue return 2
} }
fi fi
# Check paths if model filter is enabled # Check paths if model filter is enabled
local cpu_mc_path
local cfg_mc_present
if [ 1 -eq "$match_model" -a -n "$cfg_path" ]; then if [ 1 -eq "$match_model" -a -n "$cfg_path" ]; then
cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \ cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \
"$cpu_vendor" "${cpu_model#* }")" "$cpu_vendor" "${cpu_model#* }")"
cfg_mc_present=0 cfg_mc_present=0
for p in $(printf "%s" "$cfg_path"); do for p in $(printf "%s" "$cfg_path"); do
{ /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \ /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \
-path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0; -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \
/bin/true; } \ | /bin/grep -zFxc "$cpu_mc_path" > /dev/null \
| /bin/grep -zFxq "$cpu_mc_path" \
|| continue || continue
cfg_mc_present=1 cfg_mc_present=1
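Review bot: The loop variable in `for p in $(printf "%s" "$cfg_path")` is not among the locals this hunk adds (`cpu_mc_path`, `cfg_mc_present`), so `p` still leaks out of check_caveat now that the code is a function. The switch from `grep -zFxq` behind a `{ ...; /bin/true; }` wrapper to `grep -zFxc ... > /dev/null` also deserves a one-line comment explaining why `-q` was dropped, since the two forms look equivalent at a glance.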
@ -641,7 +823,7 @@ for cfg in $(echo "${configs}"); do
[ 1 = "$cfg_mc_present" ] || { [ 1 = "$cfg_mc_present" ] || {
debug "No matching microcode files in '$cfg_path'" \ debug "No matching microcode files in '$cfg_path'" \
"for CPU model '$cpu_model', skipping" "for CPU model '$cpu_model', skipping"
continue return 2
} }
fi fi
@ -651,30 +833,56 @@ for cfg in $(echo "${configs}"); do
debug "Current CPU vendor '$cpu_vendor' doesn't" \ debug "Current CPU vendor '$cpu_vendor' doesn't" \
"match configuration CPU vendor '$cfg_vendor'," \ "match configuration CPU vendor '$cfg_vendor'," \
"skipping" "skipping"
continue return 2
} }
fi fi
# Check configuration files # Has to be performed before dependency checks
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
skip_cfgs="${skip_cfgs% $cfg}"
[ 0 -eq "$force_cfg" ] || { [ 0 -eq "$force_cfg" ] || {
debug "Checks for configuration \"$cfg\" are ignored due to" \ debug "Checks for configuration \"$cfg\" are ignored due to" \
"presence of \"$override_file\"." "presence of \"$override_file\"."
ok_cfgs="$ok_cfgs $cfg" return 0
ok_paths="$ok_paths $cfg_path"
continue
} }
# Check dependencies
# It has to be performed here (before adding configuration
# to $ret_cfgs/$ret_paths) since it may be skipped.
if [ -n "$cfg_dependency" ]; then
dep_line="$(printf "%s\n" "$cfg_dependency" | \
while read -r dep_type dep_name dep_opts
do
[ -n "$dep_type" ] || continue
dep_res=$(check_dependency "$check_level" \
"$dep_type" \
"$dep_name" \
"$dep_opts")
[ 0 != "$dep_res" ] || continue
echo "$dep_res $dep_type $dep_name $dep_opts"
break
done
echo "0 ")"
case "${dep_line%% *}" in
0) ;;
2)
debug "Dependency check '${dep_line#* }'" \
"induced configuration skip"
return 2
;;
*)
debug "Dependency check '${dep_line#* }'" \
"failed (with return code ${dep_line%% *})"
return 1
;;
esac
fi
# Check configuration files
[ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || { [ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || {
debug "${cfg}: caveat is disabled in configuration" debug "${cfg}: caveat is disabled in configuration"
fail return 1
continue
} }
# Check late load kernel version # Check late load kernel version
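Review bot: On a failed dependency the command substitution for `dep_line` emits the failing line and then the unconditional fallback `echo "0 "`, so `${dep_line#* }` in the two debug messages carries an embedded newline and a trailing `0`. Print the fallback only when the loop produced nothing, or trim to the first line before logging; `dep_line` should also be declared `local` like the other variables converted in this function.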
@ -682,8 +890,7 @@ for cfg in $(echo "${configs}"); do
check_kver "$kver" $cfg_kvers || { check_kver "$kver" $cfg_kvers || {
debug "${cfg}: late load kernel version check for" \ debug "${cfg}: late load kernel version check for" \
" '$kver' against '$cfg_kvers' failed" " '$kver' against '$cfg_kvers' failed"
fail return 1
continue
} }
fi fi
@ -692,17 +899,7 @@ for cfg in $(echo "${configs}"); do
check_kver "$kver" $cfg_kvers_early || { check_kver "$kver" $cfg_kvers_early || {
debug "${cfg}: early load kernel version check for" \ debug "${cfg}: early load kernel version check for" \
"'$kver' against '$cfg_kvers_early' failed" "'$kver' against '$cfg_kvers_early' failed"
fail return 1
continue
}
fi
# Check model blacklist
if [ -n "$cfg_blacklist" ]; then
echo "$cfg_blacklist" | /bin/grep -vqFx "${cpu_model_name}" || {
debug "${cfg}: model '${cpu_model_name}' is blacklisted"
fail
continue
} }
fi fi
@ -715,8 +912,7 @@ for cfg in $(echo "${configs}"); do
debug "${cfg}: CPU microcode version $cpu_mc_ver" \ debug "${cfg}: CPU microcode version $cpu_mc_ver" \
"failed check (should be at least" \ "failed check (should be at least" \
"${cfg_mc_min_ver_late})" "${cfg_mc_min_ver_late})"
fail return 1
continue
} }
fi fi
@ -737,14 +933,14 @@ for cfg in $(echo "${configs}"); do
[ -z "${pci_line#* }" ] || { [ -z "${pci_line#* }" ] || {
debug "PCI configuration word check '${pci_line#* }'" \ debug "PCI configuration word check '${pci_line#* }'" \
"failed (with return code ${pci_line%% *})" "failed (with return code ${pci_line%% *})"
fail return 1
continue
} }
fi fi
# Check DMI data if model filter is enabled # Check DMI data if model filter is enabled
# Note that the model filter check is done inside check_pci_config_val # Note that the model filter check is done inside check_dmi_val
# based on the 'mode=' parameter. # (which returns the value of 'no-model-mode=' parameter
# if it is disenaged).
if [ -n "$cfg_dmi" ]; then if [ -n "$cfg_dmi" ]; then
dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line
do do
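Review bot: Typo in the rewritten comment: "disenaged" should be "disengaged". The correction of the function name from check_pci_config_val to check_dmi_val is right; it would help to also name the return code the caller sees in that case rather than only referring to the 'no-model-mode=' parameter.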
@ -760,13 +956,43 @@ for cfg in $(echo "${configs}"); do
[ -z "${dmi_line#* }" ] || { [ -z "${dmi_line#* }" ] || {
debug "DMI data check '${dmi_line#* }'" \ debug "DMI data check '${dmi_line#* }'" \
"failed (with return code ${dmi_line%% *})" "failed (with return code ${dmi_line%% *})"
fail return 1
continue
} }
fi fi
return 0
}
for cfg in $(echo "${configs}"); do
if cfg_path=$(check_caveat "$cfg"; exit "$?")
then
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
ok_cfgs="$ok_cfgs $cfg" ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path" ok_paths="$ok_paths $cfg_path"
else
case "$?" in
1)
ret=1
ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
fail_cfgs="$fail_cfgs $cfg"
fail_paths="$fail_paths $cfg_path"
[ 0 -eq "$print_disclaimers" ] \
|| [ ! -e "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" ] \
|| /bin/cat "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer"
;;
2|3)
skip_cfgs="$skip_cfgs $cfg";
;;
*)
debug "Unexpected check_caveat return code '$?'" \
"for config '$cfg'"
;;
esac
fi
done done
[ 0 -eq "$print_disclaimers" ] || exit 0 [ 0 -eq "$print_disclaimers" ] || exit 0
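Review bot: In the caller loop, the `*)` arm for an unexpected check_caveat return code only calls `debug`, so the configuration ends up in none of the ok, fail or skip lists and `ret` stays unchanged. An internal error in a caveat check should not pass silently; treat it like case `1)` (or at least add it to `skip_cfgs`), and capture `$?` into a variable before the `case` so the logged value does not depend on nothing having run in between.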

View File

@ -242,6 +242,7 @@ Server;;Skylake;B1;97;50653;SKX;SP;Xeon Scalable;
Desktop;;Skylake;H0,M0,U0;b7;50654;SKX;X;Core i9-7xxxX, i9-9xxxX; Desktop;;Skylake;H0,M0,U0;b7;50654;SKX;X;Core i9-7xxxX, i9-9xxxX;
Server;;Skylake;H0,M0,U0;b7;50654;SKX;SP,W;Xeon Scalable; Server;;Skylake;H0,M0,U0;b7;50654;SKX;SP,W;Xeon Scalable;
Server;;Skylake;M1;b7;50654;SKX;D;Xeon D-21xx; Server;;Skylake;M1;b7;50654;SKX;D;Xeon D-21xx;
Server;;Cascade Lake;A0;b7;50655;CLX;SP;Xeon Scalable Gen2;
Server;;Cascade Lake;B0;bf;50656;CLX;SP;Xeon Scalable Gen2; Server;;Cascade Lake;B0;bf;50656;CLX;SP;Xeon Scalable Gen2;
Desktop;;Cascade Lake;B1,L1;bf;50657;CLX;X;; Desktop;;Cascade Lake;B1,L1;bf;50657;CLX;X;;
Server;;Cascade Lake;B1,L1;bf;50657;CLX;SP;Xeon Scalable Gen2; Server;;Cascade Lake;B1,L1;bf;50657;CLX;SP;Xeon Scalable Gen2;
@ -262,11 +263,20 @@ Server;;Skylake;N0,R0,S0;36;506e3;SKL;Xeon E3;Xeon E3 v5;
SOC;;Denverton;B0;01;506f1;DNV;;Atom C3xxx; SOC;;Denverton;B0;01;506f1;DNV;;Atom C3xxx;
SOC;;XMM 7272 (SoFIA);;01;60650;;;XMM 7272 SOC;;XMM 7272 (SoFIA);;01;60650;;;XMM 7272
Mobile;;Cannon Lake;D0;80;60663;CNL;U;Core Gen8 Mobile; Mobile;;Cannon Lake;D0;80;60663;CNL;U;Core Gen8 Mobile;
Server;;Ice Lake;C0;87;606a5;ICX;SP;Xeon Scalable Gen3;
Server;;Ice Lake;D0;87;606a6;ICX;SP;Xeon Scalable Gen3;
Server;;Ice Lake;B0;10;606c1;ICL;D;;Xeon D-17xx, D-27xx
SOC;;Gemini Lake;B0;01;706a1;GLK;;;Pentium J5005/N5000, Celeron J4005/J4105/N4000/N4100 SOC;;Gemini Lake;B0;01;706a1;GLK;;;Pentium J5005/N5000, Celeron J4005/J4105/N4000/N4100
SOC;;Gemini Lake;R0;01;706a8;GLK;R;;Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120 SOC;;Gemini Lake;R0;01;706a8;GLK;R;;Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
Mobile;;Ice Lake;D1;80;706e5;ICL;U,Y;Core Gen10 Mobile; Mobile;;Ice Lake;D1;80;706e5;ICL;U,Y;Core Gen10 Mobile;
Server;;Knights Mill;A0;08;80650;KNM;;Xeon hi 72x5;Xeon Phi 7235, 7285, 7295 Server;;Knights Mill;A0;08;80650;KNM;;Xeon Phi 72x5;Xeon Phi 7235, 7285, 7295
SOC;;Snow Ridge;B0;01;80664;SNR;;Atom P59xxB;
SOC;;Snow Ridge;B1;01;80665;SNR;;Atom P59xxB;
SOC;;Snow Ridge;C0;01;80667;SNR;;Atom P59xxB;
SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology;
Mobile;;Tiger Lake;B1;80;806c1;TGL;UP3,UP4;Core Gen11 Mobile; Mobile;;Tiger Lake;B1;80;806c1;TGL;UP3,UP4;Core Gen11 Mobile;
Mobile;;Tiger Lake Refresh;C0;80;806c2;TGL;R;Core Gen11 Mobile;
Mobile;;Tiger Lake;R0;c2;806d1;TGL;H;Core Gen11 Mobile;
Mobile;;Amber Lake;H0;10;806e9;AML;Y 2+2;Core Gen8 Mobile; Mobile;;Amber Lake;H0;10;806e9;AML;Y 2+2;Core Gen8 Mobile;
Mobile;;Kaby Lake;H0;c0;806e9;KBL;U,Y;Core Gen7 Mobile; Mobile;;Kaby Lake;H0;c0;806e9;KBL;U,Y;Core Gen7 Mobile;
Mobile;;Kaby Lake;J1;c0;806e9;KBL;U 2+3e;Core Gen7 Mobile; Mobile;;Kaby Lake;J1;c0;806e9;KBL;U 2+3e;Core Gen7 Mobile;
@ -277,6 +287,21 @@ Mobile;;Comet Lake;V0;94;806ec;CML;U 4+2;Core Gen10 Mobile;
Mobile;;Whiskey Lake;W0;d0;806eb;WHL;U;Core Gen8 Mobile; Mobile;;Whiskey Lake;W0;d0;806eb;WHL;U;Core Gen8 Mobile;
Mobile;;Whiskey Lake;V0;94;806ec;WHL;U;Core Gen8 Mobile; Mobile;;Whiskey Lake;V0;94;806ec;WHL;U;Core Gen8 Mobile;
Mobile;;Whiskey Lake;V0;94;806ed;WHL;U;Core Gen8 Mobile; Mobile;;Whiskey Lake;V0;94;806ed;WHL;U;Core Gen8 Mobile;
Server;;Sapphire Rapids;E0,S1;87;806f4;SPR;SP;Xeon Scalable Gen4;
Server;;Sapphire Rapids;B1;10;806f5;SPR;HBM;Xeon Max;
Server;;Sapphire Rapids;E2;87;806f5;SPR;SP;Xeon Scalable Gen4;
Server;;Sapphire Rapids;E3;87;806f6;SPR;SP;Xeon Scalable Gen4;
Server;;Sapphire Rapids;E4,S2;87;806f7;SPR;SP;Xeon Scalable Gen4;
Server;;Sapphire Rapids;B3;10;806f8;SPR;HBM;Xeon Max;
Server;;Sapphire Rapids;E5,S3;87;806f8;SPR;SP;Xeon Scalable Gen4;
SOC;;Elkhart Rate;B1;01;90661;EHL;;Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E;
Desktop;;Alder Lake;C0;02;90672;ADL;S 8+8;Core Gen12;
Mobile;;Alder Lake;C0;03;90672;ADL;HX;Core Gen12 Mobile;
Desktop;;Alder Lake;K0;01;90675;ADL;S 6+0;Core Gen12;
Mobile;;Alder Lake;L0;82;906a3;ADL;P 6+8;Core Gen12 Mobile;
Mobile;;Alder Lake;R0;80;906a3;ADL;U 9W;Core Gen12 Mobile;
Mobile;;Arizona Beach;A0;40;906a4;AZB;;;Intel(R) Atom(R) C1100
Mobile;;Alder Lake;R0;82;906a4;ADL;P 2+8;Core Gen12 Mobile;
Desktop;;Kaby Lake;B0;2a;906e9;KBL;S,X;Core Gen7; Desktop;;Kaby Lake;B0;2a;906e9;KBL;S,X;Core Gen7;
Mobile;;Kaby Lake;B0;2a;906e9;KBL;G,H;Core Gen7 Mobile; Mobile;;Kaby Lake;B0;2a;906e9;KBL;G,H;Core Gen7 Mobile;
Server;;Kaby Lake;B0;2a;906e9;KBL;Xeon E3;Xeon E3 v6; Server;;Kaby Lake;B0;2a;906e9;KBL;Xeon E3;Xeon E3 v6;
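Review bot: The added row `SOC;;Elkhart Rate;B1;01;90661;EHL;...` looks like a typo in the codename column: the abbreviation field is EHL and every neighbouring entry follows the "<Name> Lake" pattern, so this is presumably meant to be "Elkhart Lake". Since this column feeds the generated changelog text, please confirm against the source list cited at the end of the file.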
@ -292,12 +317,22 @@ Server;;Coffee Lake;P0;22;906ec;CFL;Xeon E;Xeon E;
Desktop;;Coffee Lake;R0;22;906ed;CFL;S;Core Gen9 Desktop; Desktop;;Coffee Lake;R0;22;906ed;CFL;S;Core Gen9 Desktop;
Mobile;;Coffee Lake;R0;22;906ed;CFL;H;Core Gen9 Mobile; Mobile;;Coffee Lake;R0;22;906ed;CFL;H;Core Gen9 Mobile;
Server;;Coffee Lake;R0;22;906ed;CFL;Xeon E;Xeon E; Server;;Coffee Lake;R0;22;906ed;CFL;Xeon E;Xeon E;
SOC;;Jasper Lake;A0,A1;01;906c0;JSL;;Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105;
Mobile;;Comet Lake;R1;20;a0652;CML;H;Core Gen10 Mobile; Mobile;;Comet Lake;R1;20;a0652;CML;H;Core Gen10 Mobile;
Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop; Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop;
Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop; Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop;
Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile; Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile;
Mobile;;Comet Lake;K0;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile; Mobile;;Comet Lake;K1;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile;
SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology; Desktop;;Rocket Lake;B0;02;a0671;RKL;S;Core Gen11;
Mobile;;Meteor Lake;C0;e6;a06a4;MTL;H,U;Core™ Ultra Processor;
Desktop;;Raptor Lake;B0;32;b0671;RPL;S;Core Gen13;
Mobile;;Raptor Lake;J0;e0;b06a2;RPL;P 6+8,H 6+8;Core Gen13;
Mobile;;Raptor Lake;Q0;e0;b06a3;RPL;U 2+8;Core Gen13;
SOC;;Alder Lake;A0;01;b06e0;ADL;N;;Core i3-N305/N300, N50/N97/N100/N200, Atom x7211E/x7213E/x7425E
Desktop;;Alder Lake;C0;03;b06f2;ADL;;Core Gen12;
Desktop;;Alder Lake;C0;03;b06f5;ADL;;Core Gen12;
Server;;Emerald Rapids;A0;87;c06f1;EMR;SP;Xeon Scalable Gen5;
Server;;Emerald Rapids;A1;87;c06f2;EMR;SP;Xeon Scalable Gen5;
# sources: # sources:
# https://en.wikichip.org/wiki/intel/cpuid # https://en.wikichip.org/wiki/intel/cpuid
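Review bot: The new Jasper Lake row (signature 906c0) is inserted after the 906ed Coffee Lake rows, while the rest of the table is ordered by signature and this same change moves the Lakefield 806a1 row out of the tail into its sorted position. Move the 906c0 line up accordingly; the Meteor Lake row also introduces a "™" character in a column that is plain ASCII everywhere else.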

View File

@ -13,6 +13,7 @@ install() {
local DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats local DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats
local CFG_DIR="/etc/microcode_ctl/ucode_with_caveats" local CFG_DIR="/etc/microcode_ctl/ucode_with_caveats"
local check_caveats=/usr/libexec/microcode_ctl/check_caveats local check_caveats=/usr/libexec/microcode_ctl/check_caveats
local fw_path_para=$(< /sys/module/firmware_class/parameters/path)
local verbose_opt local verbose_opt
local cc_out local cc_out
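Review bot: `local fw_path_para=$(< /sys/module/firmware_class/parameters/path)` reads the sysfs file unconditionally, so the redirection fails with an error message when that path is not readable, and the `local` assignment hides the failure status. Guard it with a `[ -r ... ]` test and default to an empty value, and add a comment that an empty result is expected when no custom firmware path is configured.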
@ -36,9 +37,13 @@ install() {
} }
# Reset fw_dir to avoid inclusion of kernel-version-specific directories # Reset fw_dir to avoid inclusion of kernel-version-specific directories
# populated with microcode for the late load # populated with microcode for the late load, only in case it is set
[ "x$fw_dir" != \ # to the default value to avoid meddling with user-enforced changes.
"x/lib/firmware/updates /lib/firmware /lib/firmware/$kernel" ] || { # The second variant has been introduced in dracut-057~5.
[ \( "x$fw_dir" != \
"x/lib/firmware/updates /lib/firmware /lib/firmware/$kernel" \) -a \
\( "x$fw_dir" != \
"x${fw_path_para:+$fw_path_para }/lib/firmware/updates/$kernel /lib/firmware/updates /lib/firmware/$kernel /lib/firmware" \) ] || {
fw_dir="/lib/firmware/updates /lib/firmware" fw_dir="/lib/firmware/updates /lib/firmware"
dinfo " microcode_ctl: reset fw_dir to \"${fw_dir}\"" dinfo " microcode_ctl: reset fw_dir to \"${fw_dir}\""
} }
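Review bot: The reset condition is written as a negated conjunction, `[ \( A != X \) -a \( A != Y \) ] || { ... }`, which is hard to verify by eye and relies on `-a` with escaped parentheses inside `[`, a form POSIX marks as obsolescent. A `case "$fw_dir" in` with the two default strings as patterns would state "reset only if fw_dir equals one of the known defaults" directly and make it easier to add a third variant later.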

View File

@ -3,6 +3,7 @@
import argparse import argparse
import errno import errno
import fnmatch
import io import io
import itertools import itertools
import os import os
@ -10,6 +11,7 @@ import re
import shutil import shutil
import struct import struct
import sys import sys
import tarfile
import tempfile import tempfile
from subprocess import PIPE, Popen, STDOUT from subprocess import PIPE, Popen, STDOUT
@ -34,6 +36,7 @@ except:
log_level = 0 log_level = 0
print_date = False print_date = False
file_glob = ["*??-??-??", "*microcode*.dat"]
def log_status(msg, level=0): def log_status(msg, level=0):
@ -96,13 +99,15 @@ def file_walk(args, yield_dirs=False):
def cpuid_fname(c): def cpuid_fname(c):
# Note that the Extended Family is summed up with the Family,
# while the Extended Model is concatenated with the Model.
return "%02x-%02x-%02x" % ( return "%02x-%02x-%02x" % (
((c >> 16) & 0xff0) + ((c >> 8) & 0xf), ((c >> 20) & 0xff) + ((c >> 8) & 0xf),
((c >> 12) & 0xf0) + ((c >> 4) & 0xf), ((c >> 12) & 0xf0) + ((c >> 4) & 0xf),
c & 0xf) c & 0xf)
def read_revs_dir(path, src=None, ret=None): def read_revs_dir(path, args, src=None, ret=None):
if ret is None: if ret is None:
ret = [] ret = []
@ -156,8 +161,12 @@ def read_revs_dir(path, src=None, ret=None):
while cur_offs < offs + hdr[8] \ while cur_offs < offs + hdr[8] \
and ext_sig_cnt <= ext_tbl[0]: and ext_sig_cnt <= ext_tbl[0]:
ext_sig = struct.unpack("III", f.read(12)) ext_sig = struct.unpack("III", f.read(12))
ignore = args.ignore_ext_dups and \
(ext_sig[0] == hdr[3])
if not ignore:
ret.append({"path": rp, "src": src or path, ret.append({"path": rp, "src": src or path,
"cpuid": ext_sig[0], "pf": ext_sig[1], "cpuid": ext_sig[0],
"pf": ext_sig[1],
"rev": hdr[1], "date": hdr[2], "rev": hdr[1], "date": hdr[2],
"offs": offs, "ext_offs": cur_offs, "offs": offs, "ext_offs": cur_offs,
"cksum": hdr[4], "cksum": hdr[4],
@ -165,9 +174,11 @@ def read_revs_dir(path, src=None, ret=None):
"data_size": hdr[7], "data_size": hdr[7],
"total_size": hdr[8]}) "total_size": hdr[8]})
log_status(("Got ext sig %#x/%#x for " + log_status(("Got ext sig %#x/%#x for " +
"%s:%#x:%#x/%#x") % "%s:%#x:%#x/%#x%s") %
(ext_sig[0], ext_sig[1], rp, offs, (ext_sig[0], ext_sig[1],
hdr[3], hdr[6]), level=2) rp, offs, hdr[3], hdr[6],
" (ignored)" if ignore else ""),
level=2)
cur_offs += 12 cur_offs += 12
ext_sig_cnt += 1 ext_sig_cnt += 1
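Review bot: The `ignore` flag reported in this log line is computed as `args.ignore_ext_dups and (ext_sig[0] == hdr[3])`, which compares only the CPUID signature and not the platform flags. The log format itself pairs `ext_sig[0], ext_sig[1]` with `hdr[3], hdr[6]`, so an extended entry with the same signature but a different `pf` is not a duplicate of the main header and would be dropped; compare `ext_sig[1]` against `hdr[6]` as well, or document why signature equality alone is sufficient.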
@ -180,7 +191,7 @@ def read_revs_dir(path, src=None, ret=None):
return ret return ret
def read_revs_rpm(path, ret=None): def read_revs_rpm(path, args, ret=None):
if ret is None: if ret is None:
ret = [] ret = []
@ -191,7 +202,7 @@ def read_revs_rpm(path, ret=None):
rpm2cpio = Popen(args=["rpm2cpio", path], stdout=PIPE, stderr=PIPE, rpm2cpio = Popen(args=["rpm2cpio", path], stdout=PIPE, stderr=PIPE,
close_fds=True) close_fds=True)
cpio = Popen(args=["cpio", "-idmv", "*??-??-??", "*microcode*.dat"], cpio = Popen(args=["cpio", "-idmv"] + file_glob,
cwd=dir_tmp, stdin=rpm2cpio.stdout, cwd=dir_tmp, stdin=rpm2cpio.stdout,
stdout=PIPE, stderr=STDOUT) stdout=PIPE, stderr=STDOUT)
out, cpio_stderr = cpio.communicate() out, cpio_stderr = cpio.communicate()
@ -210,20 +221,58 @@ def read_revs_rpm(path, ret=None):
log_info("cpio stderr:\n%s" % cpio_stderr, level=3) log_info("cpio stderr:\n%s" % cpio_stderr, level=3)
if rpm2cpio_ret == 0 and cpio_ret == 0: if rpm2cpio_ret == 0 and cpio_ret == 0:
ret = read_revs_dir(dir_tmp, path) ret = read_revs_dir(dir_tmp, args, path)
shutil.rmtree(dir_tmp) shutil.rmtree(dir_tmp)
return ret return ret
def read_revs(path, ret=None): def read_revs_tar(path, args, ret=None):
if ret is None:
ret = []
dir_tmp = tempfile.mkdtemp()
log_status("Trying to extract files from tarball \"%s\"..." % path,
level=1)
try:
with tarfile.open(path, "r:*") as tar:
for ti in tar:
if any(fnmatch.fnmatchcase(ti.name, p) for p in file_glob):
d = os.path.normpath(os.path.join("/",
os.path.dirname(ti.name)))
# For now, strip exactl one level
d = os.path.join(*(d.split(os.path.sep)[2:]))
n = os.path.join(d, os.path.basename(ti.name))
if not os.path.exists(d):
os.makedirs(d)
t = tar.extractfile(ti)
with open(n, "wb") as f:
shutil.copyfileobj(t, f)
t.close()
ret = read_revs_dir(dir_tmp, args, path)
except Exception as err:
log_error("Error while reading \"%s\" as a tarball: \"%s\"" %
(path, str(err)))
shutil.rmtree(dir_tmp)
return ret
def read_revs(path, args, ret=None):
if ret is None: if ret is None:
ret = [] ret = []
if os.path.isdir(path): if os.path.isdir(path):
return read_revs_dir(path, ret) return read_revs_dir(path, args, ret)
elif tarfile.is_tarfile(path):
return read_revs_tar(path, args, ret)
else: else:
return read_revs_rpm(path, ret) return read_revs_rpm(path, args, ret)
def gen_mc_map(mc_data, merge=False, merge_path=False): def gen_mc_map(mc_data, merge=False, merge_path=False):
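Review bot: In read_revs_tar the extraction target `d` is built from the member name with one leading component stripped and is never joined with `dir_tmp`, so `os.makedirs(d)` and `open(n, "wb")` write relative to the current working directory while `read_revs_dir(dir_tmp, args, path)` scans an empty temporary directory. Prefix both with `dir_tmp`; the normpath-against-"/" step is a good way to neutralise `..` in member names and should be kept. Members with fewer than two directory levels make `os.path.join(*(...)[2:])` raise TypeError on an empty list, which the broad `except Exception` turns into a failure of the whole tarball. Separately, `read_revs_dir(path, args, ret)` in read_revs passes `ret` positionally into the `src` parameter of the new signature; use `ret=ret`.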
@ -307,7 +356,8 @@ class mcnm:
MCNM_CODENAME = 4 MCNM_CODENAME = 4
def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV): def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV, stringify=True,
segment=False):
if not isinstance(mc, dict): if not isinstance(mc, dict):
mc = mc_from_mc_key(mc) mc = mc_from_mc_key(mc)
sig = mc["cpuid"] sig = mc["cpuid"]
@ -350,6 +400,9 @@ def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV):
else: else:
cname = c["codename"] cname = c["codename"]
if segment:
cname = c["segment"] + " " + cname
if cname not in suffices: if cname not in suffices:
suffices[cname] = set() suffices[cname] = set()
if "variant" in c and c["variant"]: if "variant" in c and c["variant"]:
@ -361,28 +414,28 @@ def get_mc_cnames(mc, cmap, mode=mcnm.MCNM_ABBREV):
steppings[cname] |= set(c["stepping"]) steppings[cname] |= set(c["stepping"])
for cname in sorted(steppings.keys()): for cname in sorted(steppings.keys()):
cname_str = cname cname_res = [cname]
if len(suffices[cname]): if len(suffices[cname]):
cname_str += "-" + "/".join(sorted(suffices[cname])) cname_res[0] += "-" + "/".join(sorted(suffices[cname]))
if len(steppings[cname]): if len(steppings[cname]):
cname_str += " " + "/".join(sorted(steppings[cname])) cname_res.append("/".join(sorted(steppings[cname])))
res.append(cname_str) res.append(" ".join(cname_res) if stringify else cname_res)
return ", ".join(res) or None return (", ".join(res) or None) if stringify else res
def mc_from_mc_key(k): def mc_from_mc_key(k):
return dict(zip(("path", "cpuid", "pf"), k)) return dict(zip(("path", "cpuid", "pf"), k))
def mc_path(mc, pf_sfx=True, midword=None, cmap=None): def mc_path(mc, pf_sfx=True, midword=None, cmap=None, cname_segment=False):
if not isinstance(mc, dict): if not isinstance(mc, dict):
mc = mc_from_mc_key(mc) mc = mc_from_mc_key(mc)
path = mc_stripped_path(mc) if mc["path"] is not None else None path = mc_stripped_path(mc) if mc["path"] is not None else None
cpuid_fn = cpuid_fname(mc["cpuid"]) cpuid_fn = cpuid_fname(mc["cpuid"])
fname = os.path.basename(mc["path"] or cpuid_fn) fname = os.path.basename(mc["path"] or cpuid_fn)
midword = "" if midword is None else " " + midword midword = "" if midword is None else " " + midword
cname = get_mc_cnames(mc, cmap) cname = get_mc_cnames(mc, cmap, segment=cname_segment)
cname_str = " (" + cname + ")" if cname else "" cname_str = " (" + cname + ")" if cname else ""
if pf_sfx: if pf_sfx:
@ -492,22 +545,22 @@ def mc_rev(mc, date=None):
return "%#x" % rev return "%#x" % rev
def print_changelog(clog, cmap, args): def print_changelog_rpm(clog, cmap, args):
for e, old, new in sorted(clog): for e, old, new in clog:
mc_str = mc_path(new if e == ChangeLogEntry.ADDED else old,
midword="microcode",
cmap=cmap, cname_segment=args.segment)
if e == ChangeLogEntry.ADDED: if e == ChangeLogEntry.ADDED:
print("Addition of %s at revision %s" % print("Addition of %s at revision %s" % (mc_str, mc_rev(new)))
(mc_path(new, midword="microcode", cmap=cmap), mc_rev(new)))
elif e == ChangeLogEntry.REMOVED: elif e == ChangeLogEntry.REMOVED:
print("Removal of %s at revision %s" % print("Removal of %s at revision %s" % (mc_str, mc_rev(old)))
(mc_path(old, midword="microcode", cmap=cmap), mc_rev(old)))
elif e == ChangeLogEntry.UPDATED: elif e == ChangeLogEntry.UPDATED:
print("Update of %s from revision %s up to %s" % print("Update of %s from revision %s up to %s" %
(mc_path(old, midword="microcode", cmap=cmap), (mc_str, mc_rev(old), mc_rev(new)))
mc_rev(old), mc_rev(new)))
elif e == ChangeLogEntry.DOWNGRADED: elif e == ChangeLogEntry.DOWNGRADED:
print("Downgrade of %s from revision %s down to %s" % print("Downgrade of %s from revision %s down to %s" %
(mc_path(old, midword="microcode", cmap=cmap), (mc_str, mc_rev(old), mc_rev(new)))
mc_rev(old), mc_rev(new)))
elif e == ChangeLogEntry.OTHER: elif e == ChangeLogEntry.OTHER:
print("Other change in %s:" % old["path"]) print("Other change in %s:" % old["path"])
print(" old: %#x/%#x: rev %s (offs %#x)" % print(" old: %#x/%#x: rev %s (offs %#x)" %
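Review bot: The loop header changes from `for e, old, new in sorted(clog):` to `for e, old, new in clog:`, so the rpm-format changelog is now printed in whatever order the caller built `clog`, while the new intel format sorts explicitly with its own key. If the ordering change is intentional it needs a note in the commit message; otherwise keep the `sorted()` call here so that repeated runs over the same inputs produce the same changelog text.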
@ -516,6 +569,70 @@ def print_changelog(clog, cmap, args):
(new["cpuid"], new["pf"], mc_rev(new), new["offs"])) (new["cpuid"], new["pf"], mc_rev(new), new["offs"]))
def print_changelog_intel(clog, cmap, args):
def clog_sort_key(x):
res = str(x[0])
if x[0] != ChangeLogEntry.ADDED:
res += "%08x%02x" % (x[1]["cpuid"], x[1]["pf"])
else:
res += "0" * 10
if x[0] != ChangeLogEntry.REMOVED:
res += "%08x%02x" % (x[2]["cpuid"], x[2]["pf"])
else:
res += "0" * 10
return res
sorted_clog = sorted(clog, key=clog_sort_key)
sections = (("New Platforms", (ChangeLogEntry.ADDED, )),
("Updated Platforms", (ChangeLogEntry.UPDATED,
ChangeLogEntry.DOWNGRADED)),
("Removed Platforms", (ChangeLogEntry.REMOVED, )))
def print_line(e, old, new, types):
if e not in types:
return
if not print_line.hdr:
print("""
| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------""")
print_line.hdr = True
mc = new if e == ChangeLogEntry.ADDED else old
cnames = get_mc_cnames(mc, cmap, stringify=False,
segment=args.segment) or (("???", ""), )
for cn in cnames:
cname = cn[0]
stepping = cn[1] if len(cn) > 1 else ""
print("| %-14s | %-8s | %8s/%02x | %8s | %8s | %s" %
(cname,
stepping,
cpuid_fname(mc["cpuid"]), mc["pf"],
("%08x" % old["rev"]) if e != ChangeLogEntry.ADDED else "",
("%08x" % new["rev"]) if e != ChangeLogEntry.REMOVED else "",
get_mc_cnames(mc, cmap, mode=mcnm.MCNM_FAMILIES,
segment=args.segment) or ""))
for h, types in sections:
print("\n### %s" % h)
print_line.hdr = False
for e, old, new in sorted_clog:
print_line(e, old, new, types)
def print_changelog(clog, cmap, args):
if args.format == "rpm":
print_changelog_rpm(clog, cmap, args)
elif args.format == "intel":
print_changelog_intel(clog, cmap, args)
else:
log_error(("unknown changelog format: \"%s\". " +
"Supported formats are: rpm, intel.") % args.format)
class TableStyles: class TableStyles:
TS_CSV = 0 TS_CSV = 0
TS_FANCY = 1 TS_FANCY = 1
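Review bot: print_changelog_intel drops ChangeLogEntry.OTHER entries without any message: `sections` lists only ADDED, UPDATED, DOWNGRADED and REMOVED, and print_line returns early for every other type, whereas the rpm format prints "Other change in ...". Add a section for them or log that they were skipped. DOWNGRADED entries also land under "Updated Platforms" with nothing marking the new revision as lower, and each "### ..." heading is printed even when its section has no rows. The final else in print_changelog cannot be reached while --format is restricted by choices=["rpm", "intel"]; if it stays as a guard, consider having it signal failure to the caller instead of only logging.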
@ -552,9 +669,9 @@ def print_summary(revs, cmap, args):
header = [] header = []
if args.header: if args.header:
header.append(["Path", "Offset", "Ext. Offset", "CPUID", header.append(["Path", "Offset", "Ext. Offset", "Data Size",
"Platform ID Mask", "Revision", "Date", "Checksum", "Total Size", "CPUID", "Platform ID Mask", "Revision",
"Codenames"] + "Date", "Checksum", "Codenames"] +
(["Models"] if args.models else [])) (["Models"] if args.models else []))
tbl = [] tbl = []
for k in sorted(m.keys()): for k in sorted(m.keys()):
@ -562,14 +679,19 @@ def print_summary(revs, cmap, args):
tbl.append([mc_stripped_path(mc), tbl.append([mc_stripped_path(mc),
"0x%x" % mc["offs"], "0x%x" % mc["offs"],
"0x%x" % mc["ext_offs"] if "ext_offs" in mc else "-", "0x%x" % mc["ext_offs"] if "ext_offs" in mc else "-",
"0x%05x" % mc["data_size"],
"0x%05x" % mc["total_size"],
"0x%05x" % mc["cpuid"], "0x%05x" % mc["cpuid"],
"0x%02x" % mc["pf"], "0x%02x" % mc["pf"],
mc_rev(mc, date=False), mc_rev(mc, date=False),
mc_date(mc), mc_date(mc),
"0x%08x" % mc["cksum"], "0x%08x" % (mc["ext_cksum"]
get_mc_cnames(mc, cmap, cnames_mode) or ""] + if "ext_cksum" in mc else mc["cksum"]),
get_mc_cnames(mc, cmap, cnames_mode,
segment=args.segment) or ""] +
([get_mc_cnames(mc, cmap, ([get_mc_cnames(mc, cmap,
mcnm.MCNM_FAMILIES_MODELS)] mcnm.MCNM_FAMILIES_MODELS,
segment=args.segment)]
if args.models else [])) if args.models else []))
print_table(tbl, header, style=TableStyles.TS_FANCY) print_table(tbl, header, style=TableStyles.TS_FANCY)
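Review bot: the checksum cell in the tbl.append() row now prints mc["ext_cksum"] when that key is present and mc["cksum"] otherwise, but the header in the previous hunk still says only "Checksum", so a reader of the summary cannot tell which of the two values a row carries. Consider a separate column or a marker for rows that come from the extended signature table. Also, mc["data_size"] and mc["total_size"] are indexed unconditionally while "ext_offs" and "ext_cksum" are guarded with `in mc`; it is worth confirming that every record read_revs() produces carries both keys.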
@ -685,7 +807,7 @@ def print_discrepancies(rev_map, deps, cmap, args):
if print_out and print_date: if print_out and print_date:
if args.models: if args.models:
out.append(get_mc_cnames(s, cmap) or "") out.append(get_mc_cnames(s, cmap, segment=args.segment) or "")
tbl.append(out) tbl.append(out)
print_table(tbl, header, style=TableStyles.TS_FANCY) print_table(tbl, header, style=TableStyles.TS_FANCY)
@ -694,7 +816,7 @@ def print_discrepancies(rev_map, deps, cmap, args):
def cmd_summary(args): def cmd_summary(args):
revs = [] revs = []
for p in args.filelist: for p in args.filelist:
revs = read_revs(p, ret=revs) revs = read_revs(p, args, ret=revs)
codenames_map = read_codenames_file(args.codenames) codenames_map = read_codenames_file(args.codenames)
@ -708,8 +830,8 @@ def cmd_changelog(args):
base_path = args.filelist[0] base_path = args.filelist[0]
upd_path = args.filelist[1] upd_path = args.filelist[1]
base = read_revs(base_path) base = read_revs(base_path, args)
upd = read_revs(upd_path) upd = read_revs(upd_path, args)
print_changelog(gen_changelog(base, upd), codenames_map, args) print_changelog(gen_changelog(base, upd), codenames_map, args)
@ -750,7 +872,7 @@ def cmd_discrepancies(args):
(orig_path, dep)) (orig_path, dep))
return 1 return 1
deps.append((path, name, deps[dep][0] if dep is not None else None)) deps.append((path, name, deps[dep][0] if dep is not None else None))
rev_map[path] = gen_fn_map(read_revs(path), merge=args.merge, rev_map[path] = gen_fn_map(read_revs(path, args), merge=args.merge,
merge_path=True) merge_path=True)
print_discrepancies(rev_map, deps, codenames_map, args) print_discrepancies(rev_map, deps, codenames_map, args)
@ -766,6 +888,22 @@ def parse_cli():
help="Code names file") help="Code names file")
root_parser.add_argument("-v", "--verbose", action="count", default=0, root_parser.add_argument("-v", "--verbose", action="count", default=0,
help="Increase output verbosity") help="Increase output verbosity")
root_parser.add_argument("-E", "--no-ignore-ext-duplicates",
action="store_const", dest="ignore_ext_dups",
default=False, const=False,
help="Do not ignore duplicates of the main " +
"signature in the extended signature header")
root_parser.add_argument("-e", "--ignore-ext-duplicates",
action="store_const", dest="ignore_ext_dups",
const=True,
help="Ignore duplicates of the main signature " +
"in the extended signature header")
root_parser.add_argument("-t", "--print-segment", action="store_const",
dest="segment", const=True,
help="Print model segment")
root_parser.add_argument("-T", "--no-print-segment", action="store_const",
dest="segment", const=False, default=False,
help="Do not print model segment")
cmdparsers = root_parser.add_subparsers(title="Commands", cmdparsers = root_parser.add_subparsers(title="Commands",
help="main gen_updates commands") help="main gen_updates commands")
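Review bot: `default=False` on -T/--no-print-segment has no effect, because -t and -T share dest="segment" and argparse takes the default for a shared dest from the action registered first; -t declares no default, so args.segment is None when neither flag is given. The -E/-e pair behaves as written only because its default sits on the first of the two. None is falsy, so truth tests behave the same, but any comparison with False or any printing of the value will differ. Setting both defaults once with root_parser.set_defaults(ignore_ext_dups=False, segment=False) removes the dependency on registration order.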
@ -794,6 +932,8 @@ def parse_cli():
parser_c = cmdparsers.add_parser("changelog", parser_c = cmdparsers.add_parser("changelog",
help="Generate changelog") help="Generate changelog")
parser_c.add_argument("-F", "--format", choices=["rpm", "intel"],
default="rpm", help="Changelog format")
parser_c.add_argument("filelist", nargs=2, parser_c.add_argument("filelist", nargs=2,
help="RPMs/directories to compare") help="RPMs/directories to compare")
parser_c.set_defaults(func=cmd_changelog) parser_c.set_defaults(func=cmd_changelog)
@ -840,6 +980,10 @@ def parse_cli():
if not hasattr(args, "func"): if not hasattr(args, "func"):
root_parser.print_help() root_parser.print_help()
return None return None
global log_level
log_level = args.verbose
return args return args

View File

@ -5,6 +5,8 @@
# #
# SPDX-License-Identifier: CC0-1.0 # SPDX-License-Identifier: CC0-1.0
export LC_ALL=C
CHECK_CAVEATS=/usr/libexec/microcode_ctl/check_caveats CHECK_CAVEATS=/usr/libexec/microcode_ctl/check_caveats
IGNORE_HYPERVISOR="/etc/microcode_ctl/ignore-hypervisor-flag" IGNORE_HYPERVISOR="/etc/microcode_ctl/ignore-hypervisor-flag"

View File

@ -5,6 +5,8 @@
# #
# SPDX-License-Identifier: CC0-1.0 # SPDX-License-Identifier: CC0-1.0
export LC_ALL=C
usage() usage()
{ {
echo "Usage: update_ucode [--action {add|remove|refresh|list}]" \ echo "Usage: update_ucode [--action {add|remove|refresh|list}]" \
@ -15,6 +17,11 @@ usage()
debug() { [ 0 = "$verbose" ] || echo "$*" >&2; } debug() { [ 0 = "$verbose" ] || echo "$*" >&2; }
# Calls find only if the first argument exists and is a directory.
# Avoids spurious "find: '...' No such file or directory" for the directories
# that may not exist.
find_d() { [ \! -d "$1" ] || find "$@"; }
MC_DIR=/usr/share/microcode_ctl MC_DIR=/usr/share/microcode_ctl
INTEL_UCODE_DIR=intel-ucode INTEL_UCODE_DIR=intel-ucode
DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats
@ -79,16 +86,16 @@ add|remove|refresh|list)
if [ -z "$kernel" ]; then if [ -z "$kernel" ]; then
debug "No kernel versions provided, scanning..." debug "No kernel versions provided, scanning..."
kvers=$(find /lib/modules/ -name '[2-9].*' -print) kvers=$(find_d /lib/modules/ -name '[2-9].*' -print)
for k_dir in $kvers; do for k_dir in $kvers; do
k="${k_dir#/lib/modules/}" k="${k_dir#/lib/modules/}"
[ ! -e "${k_dir}/symvers.gz" ] || { [ ! -e "${k_dir}/symvers.gz" -a ! -e "${k_dir}/symvers.xz" ] || {
debug " Adding $k (from /lib/modules)" debug " Adding $k (from /lib/modules)"
kernel="$kernel $k" kernel="$kernel $k"
} }
done done
kvers=$(find /lib/firmware/ -name '[2-9].*' -print) kvers=$(find_d /lib/firmware/ -name '[2-9].*' -print)
for k_dir in $kvers; do for k_dir in $kvers; do
k="${k_dir#/lib/firmware/}" k="${k_dir#/lib/firmware/}"
[ ! -d "$k_dir" ] || { [ ! -d "$k_dir" ] || {
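Review bot: the new symvers test joins two conditions with `-a` inside a single `[ ... ]`, which POSIX marks as obsolescent and which can be parsed ambiguously depending on the operands. Two separate tests joined by the shell are more robust, for example `if [ -e "${k_dir}/symvers.gz" ] || [ -e "${k_dir}/symvers.xz" ]; then` around the "Adding $k" block. The same applies to the `-o` test on "/lib/modules/$k/symvers.gz" in the add|refresh branch further down.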
@ -129,7 +136,7 @@ while :; do
refresh|remove|list) refresh|remove|list)
debug " Removing old files from ${FW_DIR}/${INTEL_UCODE_DIR}" debug " Removing old files from ${FW_DIR}/${INTEL_UCODE_DIR}"
if [ 0 = "$remove_cleanup" ]; then if [ 0 = "$remove_cleanup" ]; then
find "${MC_DIR}/${INTEL_UCODE_DIR}" \ find_d "${MC_DIR}/${INTEL_UCODE_DIR}" \
-maxdepth 1 -mindepth 1 \ -maxdepth 1 -mindepth 1 \
-type f -printf '%f\n' -type f -printf '%f\n'
else else
@ -151,6 +158,17 @@ while :; do
$cmd rm -f $verbose_opt "$name" $cmd rm -f $verbose_opt "$name"
done done
[ "xlist" = "x$action" ] || { [ "xlist" = "x$action" ] || {
# Removing possible dangling symlinks
find_d "${FW_DIR}/${INTEL_UCODE_DIR}" \
-maxdepth 1 -mindepth 1 \
-type l -printf '%p\n' \
| while read -r fname; do
[ -e "$fname" ] || {
debug " Removing danging symlink \"$fname\""
$cmd rm -f $verbose_opt "$fname"
}
done
$cmd rmdir -p $verbose_opt \ $cmd rmdir -p $verbose_opt \
"${FW_DIR}/${INTEL_UCODE_DIR}" 2>/dev/null \ "${FW_DIR}/${INTEL_UCODE_DIR}" 2>/dev/null \
|| true || true
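Review bot: `while read -r fname` in the new dangling-symlink loop runs without `IFS=`, so leading and trailing whitespace is stripped from the path before it reaches rm; `| while IFS= read -r fname; do` keeps the name intact. The debug message is misspelled ("danging"). The loop also removes every broken link directly under ${FW_DIR}/${INTEL_UCODE_DIR}, not only links this script created; if that is intended, the comment above the loop should say so.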
@ -203,7 +221,7 @@ fi | while read -r i; do
debug " Removing \"$paths\" (part of $action)..." debug " Removing \"$paths\" (part of $action)..."
for p in $(printf "%s" "$paths"); do for p in $(printf "%s" "$paths"); do
find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \ find_d "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \
-printf "%P\n" -printf "%P\n"
done | while read -r path; do done | while read -r path; do
[ -e "$FW_DIR/$k/readme-$i" ] || { [ -e "$FW_DIR/$k/readme-$i" ] || {
@ -225,6 +243,7 @@ fi | while read -r i; do
fi fi
done done
if [ -e "$FW_DIR/$k/readme-$i" ]; then if [ -e "$FW_DIR/$k/readme-$i" ]; then
if [ "xlist" = "x$action" ]; then if [ "xlist" = "x$action" ]; then
echo "$FW_DIR/$k/readme-$i" echo "$FW_DIR/$k/readme-$i"
@ -253,14 +272,14 @@ fi | while read -r i; do
add|refresh) add|refresh)
debug " Adding $paths (part of $action)..." debug " Adding $paths (part of $action)..."
[ -e "/lib/modules/$k/symvers.gz" ] || { [ -e "/lib/modules/$k/symvers.gz" -o -e "/lib/modules/$k/symvers.xz" ] || {
debug " \"/lib/modules/$k/symvers.gz\"" \ debug " \"/lib/modules/$k/symvers.[gx]z\"" \
"does not exist, skipping" "does not exist, skipping"
continue continue
} }
for p in $(printf "%s" "$paths"); do for p in $(printf "%s" "$paths"); do
find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \ find_d "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \
-printf "%P\n" -printf "%P\n"
done | while read -r path; do done | while read -r path; do
[ ! -e "$FW_DIR/$k/$path" ] || { [ ! -e "$FW_DIR/$k/$path" ] || {
@ -288,3 +307,17 @@ fi | while read -r i; do
esac esac
done done
done done
# Removing possible dangling symlinks in kernel-specific directories
debug "Checking for dangling symlinks..."
for k in $(echo "$kernel"); do
debug " Processing kernel version \"$k\""
find_d "${FW_DIR}/${k}" \
-mindepth 1 -type l -printf '%p\n' \
| while read -r fname; do
[ -e "$fname" ] || {
debug " Removing danging symlink \"$fname\""
$cmd rm -f $verbose_opt "$fname"
}
done
done
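Review bot: the find_d call in this final loop sets -mindepth 1 but no -maxdepth, so it walks all of ${FW_DIR}/${k} and removes any broken symlink at any depth, including links this script did not create; the earlier cleanup of ${FW_DIR}/${INTEL_UCODE_DIR} is limited with -maxdepth 1. Restrict the search to the ${INTEL_UCODE_DIR} subdirectory of each kernel directory, or read the link target with readlink and remove only links that point into ${MC_DIR} or ${DATA_DIR}. `for k in $(echo "$kernel")` is equivalent to the unquoted `for k in $kernel` and could be written that way. The "danging" typo is repeated in this debug message.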

File diff suppressed because it is too large Load Diff