powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity

microcode_ctl package update 

Signed-off-by: basebuilder_pel7ppc64lebuilder0 <basebuilder@powerel.org>
master
basebuilder_pel7ppc64lebuilder0 2019-11-22 14:49:41 +01:00
parent 39f3bb12a6
commit accb78fbb3
26 changed files with 3060 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
SOURCES/01-microcode.conf Normal file
View File

@ -0,0 +1 @@
early_microcode="yes"

BIN
SOURCES/06-2d-07 Normal file
View File

Binary file not shown.

3
SOURCES/06-2d-07_config Normal file
View File

@ -0,0 +1,3 @@
model GenuineIntel 06-2d-07
path intel-ucode/06-2d-07
disable early late

4
SOURCES/06-2d-07_disclaimer Normal file
View File

@ -0,0 +1,4 @@
MDS-related microcode update for some Intel Sandy Bridge-E/EN/EP (family 6,
model 45, stepping 7; CPUID 0x206d7) CPUs is disabled as it may cause system
hangs. Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme
and /usr/share/doc/microcode_ctl/README.caveats for details.

21
SOURCES/06-4f-01_config Normal file
View File

@ -0,0 +1,21 @@
model GenuineIntel 06-4f-01
path intel-ucode/06-4f-01
kernel 4.17.0
kernel 3.10.0-894
kernel 3.10.0-862.6.1
kernel 3.10.0-693.35.1
kernel 3.10.0-514.52.1
kernel 3.10.0-327.70.1
kernel 2.6.32-754.1.1
kernel 2.6.32-573.58.1
kernel 2.6.32-504.71.1
kernel 2.6.32-431.90.1
kernel 2.6.32-358.90.1
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1
mc_min_ver_late 0xb000019
disable early late

4
SOURCES/06-4f-01_disclaimer Normal file
View File

@ -0,0 +1,4 @@
microcode update for Intel Broadwell-EP/EX (BDX-ML B/M/R0; family 6, model 79,
stepping 1; CPUID 0x406f1) CPUs is disabled as it may cause system instability.
Please refer to /usr/share/doc/microcode_ctl/caveats/06-4f-01_readme
and /usr/share/doc/microcode_ctl/README.caveats for details.

78
SOURCES/06-4f-01_readme Normal file
View File

@ -0,0 +1,78 @@
Intel Broadwell-EP/EX (BDX-ML B/M/R0, family 6, model 79, stepping 1) has issues
with microcode update that may lead to a system hang; while some changes
to the Linux kernel have been made in an attempt to address these issues,
they were not eliminated, so a possibility of unstable system behaviour
after a microcode update performed on a running system is still present even
on a kernels that contain aforementioned changes. As a result, microcode update
for this CPU model has been disabled by default.

For the reference, kernel versions for the respective RHEL minor versions
that contain the aforementioned changes, are listed below:
* Upstream/RHEL 8: kernel-4.17.0 or newer;
* RHEL 7.6 onwards: kernel-3.10.0-894 or newer;
* RHEL 7.5.z: kernel-3.10.0-862.6.1 or newer;
* RHEL 7.4.z: kernel-3.10.0-693.35.1 or newer;
* RHEL 7.3.z: kernel-3.10.0-514.52.1 or newer;
* RHEL 7.2.z: kernel-3.10.0-327.70.1 or newer.

Please contact you system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2017-5715 ("Spectre"):
https://access.redhat.com/articles/3436091
* CVE-2018-3639 ("Speculative Store Bypass"):
https://access.redhat.com/articles/3540901
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
https://access.redhat.com/articles/3562741
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151

The information regarding enforcing microcode load is provided below.

For enforcing addition of this microcode to the firmware directory
for a specific kernel, where it is available for a late microcode update,
please create a file "force-late-intel-06-4f-01" inside
/lib/firmware/<kernel_version> directory and run
"/usr/libexec/microcode_ctl/update_ucode":

touch /lib/firmware/3.10.0-862.9.1/force-late-intel-06-4f-01
/usr/libexec/microcode_ctl/update_ucode

After that, it is possible to perform a late microcode update by executing
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
"/sys/devices/system/cpu/microcode/reload" directly.

For enforcing addition of this microcode to firmware directories for all
kernels, please create a file
"/etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01"
and run "/usr/libexec/microcode_ctl/update_ucode":

mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01
/usr/libexec/microcode_ctl/update_ucode

For enforcing early load of this microcode for a specific kernel, please
create a file "force-early-intel-06-4f-01" inside
"/lib/firmware/<kernel_version>" directory and run
"dracut -f --kver <kernel_version>":

touch /lib/firmware/3.10.0-862.9.1/force-early-intel-06-4f-01
dracut -f --kver 3.10.0-862.9.1

For enforcing early load of this microcode for all kernels, please
create a file "/etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01"
and run dracut -f --regenerate-all:

mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01
dracut -f --regenerate-all

If you want to avoid removal of the microcode file during cleanup performed by
/usr/libexec/microcode_ctl/update_ucode, please remove the corresponding readme
file (/lib/firmware/<kernel_version>/readme-intel-06-4f-01).


Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.

7
SOURCES/99-microcode-override.conf Normal file
View File

@ -0,0 +1,7 @@
## Uncomment the following line in order to disable
## microcode_ctl module that is used for $fw_dir variable overriding.
##
## Please refer to /usr/share/doc/microcode_ctl/README.caveats
## for additional information.
##
#omit_dracutmodules+=' microcode_ctl-fw_dir_override '

471
SOURCES/README.caveats Normal file
View File

@ -0,0 +1,471 @@
The microcode_ctl package contains microcode files (vendor-provided binary data
and/or code in proprietary format that affects behaviour of a device) for Intel
CPUs that may be loaded into the CPU during boot.

The microcode_ctl package contains provisions for some issues related
to microcode loading. While those provisions are expected to suit most users,
several knobs are available in order to provide ability to override the default
behaviour.


General behaviour
=================
In RHEL 7, there are currently two main handlers for CPU microcode update:
* Early microcode update. It uses GenuineIntel.bin or AuthenticAMD.bin file
placed at the beginning of an initramfs image
(/boot/initramfs-KERNEL_VERSION.img, where "KERNEL_VERSION" is a kernel
version in the same format as provided by "uname -r") as a source
of microcode data, and is performed very early during the boot process
(if the relevant microcode file is available in the aforementioned file).
* On-demand (late) microcode update. It can be triggered by writing "1" to
/sys/devices/system/cpu/microcode/reload file (provided my the "microcode"
module). It relies on request_firmware infrastructure, which searches (and
loads, if found) microcode from a file present in one of the following
directories (in the search order):
/lib/firmware/updates/KERNEL_VERSION/
/lib/firmware/updates/
/lib/firmware/KERNEL_VERSION/
/lib/firmware/
(there is also an additional directory that can be configured via the
"fw_path_para" module option of the "firmware_class" module; as this module
is built-in in RHEL kernel, a boot parameter "firmware_class.fw_path_para"
should be used for that purpose; this is out of the document's scope, however)

The firmware for Intel CPUs is searched in "intel-ucode" subdirectory, and for
AMD CPUs, a file under "amd-ucode" is searched.

For Intel CPUs, the name of the specific microcode file the kernel tries to load
has the format "FF-MM-SS", where "FF" is the family number, "MM" is the model
number, and "SS" is the stepping. All those numbers are zero-filled to two digits
and are written in hexadecimal (letters are in the lower case). For AMD CPUs,
the file name has the format "microcode_amd_famFFh.bin", where "FF" is the
family number, written in hexadecimal, letters are in the lower case, not
zero-filled.

The early microcode is placed into initramfs image by the "dracut" script, which
scans the aforementioned subdirectories of the configured list of firmware
directories (by default, the list consists of two directories in RHEL 7,
"/lib/firmware/updates" and "/lib/firmware").

In RHEL 7, AMD CPU microcode is shipped as a part of the linux-firmware package,
and Intel microcode is shipped as a part of the microcode_ctl package.

The microcode_ctl package currently includes the following:
* Intel CPU microcode files, placed in /usr/share/microcode_ctl/intel-ucode
directory (currently there are none);
* A dracut module, /usr/lib/dracut/modules.d/99microcode_ctl-fw_dir_override,
that controls which additional firmware directories will be added to dracut's
default configuration;
* A dracut configuration file, /usr/lib/dracut/dracut.conf.d/01-microcode.conf,
that enables inclusion of early microcode to the generated initramfs
in dracut;
* A dracut configuration file,
/usr/lib/dracut/dracut.conf.d/99-microcode-override.conf, that provides a way
to quickly disable 99microcode_ctl-fw_dir-override dracut module;
* A systemd service file, microcode.service, that triggers microcode reload
late during boot;
* A set of directories in /usr/share/microcode_ctl/ucode_with_caveats, each
of which contains configuration and related data for various caveats related
to microcode:
* readme - description of caveat and related information,
* config - caveat configuration file, with syntax as described in "Caveat
configuration" section below,
* intel-ucode - directory containing microcode files related to the caveat;
* A set of support scripts, placed in /usr/libexec/microcode_ctl:
* "check_caveats" is an utility script that performs checks of the target
kernel (and running CPU) in accordance with caveat configuration files
in ucode_with_caveats directory and reports whether it passes them or not,
* "reload_microcode" is a script that is called by microcode.service and
triggers microcode reloading (by writing "1" to
/sys/devices/system/cpu/microcode/reload) if the running kernel passes
check_caveats checks,
* "update_ucode" is a script that populates symlinks to microcode files
in /lib/firmware, so it can be picked up by relevant kernels for the late
microcode loading.

Also, microcode_ctl RPM includes triggers that run update_ucode script on every
installation or removal of a kernel RPM in order to provide microcode files
for newly installed kernels and cleanup symlinks for the uninstalled ones.


Caveat configuration
--------------------
There is a directory for each caveat under
/usr/share/microcode_ctl/ucode_with_caveats, containing the following files:
* "config", a configuration file for the caveat;
* "readme", that contains description of the caveat;
* set of related associated microcode files.

"config" file is a set of lines each containing option name and its value,
separated by white space. Currently, the following options are supported:
* "model" option, which has format "VENDOR_ID FF-MM-SS", that specifies
to which CPU model the caveat is applicable (check_caveats ignores caveats
with non-matching models if "-m" option is passed to it). Can be set
in the configuration file only once (the last provided value is used).
* "vendor" option specifies CPUs of which vendor (as provided
in the /proc/cpuinfo file) the caveat is applicable to (check_caveats
ignores caveats with non-matching models when it is invoked with "-m"
option). Can be set in the configuration file only once.
* "path" is a glob pattern that specifies set of microcode files associated
with the caveat as a relative path to the caveat directory. This option
is used for populating files in /lib/firmware by update_ucode script and
for matching microcode file when dracut is run in host-only mode
(as in that case it uses only the first directory in firmware directory list
to look for the microcode file applicable to the host CPU). Can be set
in the configuration file multiple times.
* "kernel" is a minimal kernel version that supports proper handling
of the related microcode files during late microcode load. It may be
provided in one of the following formats that affect the way it is compared
to the running kernel version:
* A.B.C (where A, B, and C are decimal numbers), "upstream version". In this
case, simple version comparison against the respective part of the running
kernel version is used, and the running kernel version should be greater
or equal than the version provided in the configuration option in order
for comparison to succeed (that is, the first part, major version number,
of the running kernel version should be greater than the value provided
in the configuration option, or those should be equal and the second part,
minor version number, should be greater than the minor version number
of the kernel version provided in the configuration option, or the first
two parts should be equal and the third part, patch level, should
be greater or equal the patch level of the version in the configuration
option).
* A.B.C-Y (where A, B, C, and Y are decimal numbers), "Y-stream version".
In this case, A.B.C part should be equal, and Y part of the running kernel
version should be greater or equal than the Y part of the configuration
option version in order to satisfy the comparison requirement.
* A.B.C-Y.Z1.Z2 (where A, B, C, Y, Z1, and Z2 are decimal numbers),
"Z-stream version". In this case, A.B.C-Y part should be equal and Z1.Z2
part of the running kernel should be greater or equal than the respective
part of the configuration option version (when compared as a version)
for comparison to succeed.
Kernel version check passed if at least one comparison of the running kernel
version against a kernel version provided in a configuration option
succeeded. The "kernel" configuration option can be provided
in the configuration file multiple times.
* "kernel_early" is a minimal kernel version that supports proper handling
of the related microcode during early microcode load. The format of the
option and its semantics is similar to the "kernel" configuration options.
This option can be provided multiple times as well.
* "mc_min_ver_late" is the minimal version of the currently loaded microcode
on the CPU (as reported in /proc/cpuinfo) that supports late microcode
update. Microcode update will be attempted only if the currently loaded
microcode version is greater or equal the microcode version provided
in the configuration option. Can be set in the configuration file only once.
* "disable" is a way to disable a specific caveat from inside its
configuration. Argument for the argument is a list of stages ("early",
"late") for which the caveat should be disable. The configuration option
can be provided multiple times in a configuration file.
* "blacklist" is a marker for a start of list of blacklisted model names,
one model name per line. The model name of the running CPU (as reported
in /proc/cpuinfo) is compared against the names in the provided list, and,
if there is a match, caveat check fails.


check_caveats script
--------------------
"check_caveats" is an utility script (called by update_ucode, reload_microcode,
dracut module) that performs checks of the target kernel (and running CPU)
in accordance with caveat configuration files in directory
"/usr/share/microcode_ctl/ucode_with_caveats", and returns information, whether
the system passes the checks, or not.

Usage:
check_caveats [-e] [-k TARGET_KVER] [-c CONFIG]* [-m] [-v]'

Options:
-e - check for early microcode load possibility (instead of late microcode
load). "kernel_early" caveat configuration options are used for checking
instead of "kernel", and "mc_min_ver_late" is not checked.
-k - target kernel version to check against, $(uname -r) is used otherwise.
-c - caveat(s) to check, all caveat configurations found inside
$MC_CAVEATS_DATA_DIR are checked otherwise.
-m - ignore caveats that do not apply to the current CPU model.
-v - verbose output.

Environment:
MC_CAVEATS_DATA_DIR - directory that contains caveats configurations,
"/usr/share/microcode_ctl/ucode_with_caveats"
by default.
FW_DIR - directory containing firmware files (per-kernel configuration
overrides are checked there), "/lib/firmware" by default.
CFG_DIR - directory containing global caveats overrides,
"/etc/microcode_ctl/ucode_with_caveats" by default.

Output:
Script returns information about caveats check results. Output has a format
of "KEY VALUE1 VALUE2 ..." with KEY defining the semantics of the VALUEs.
Currently, the following data is issued:
- "cfgs" - list of caveats that have been processed (and not skipped
due to missing "config", "readme", or a disallow-* override described
below);
- "skip_cfgs" - list of caveats that have been skipped (due to missing
config/readme file, or because of overrides);
- "paths" - list of glob patterns matching files associated with caveats
that have been processed;
- "ok_cfgs" - list of caveat configurations that have all the checks passed
(or have enforced by one of force-* overrides described below);
- "ok_paths" - list of glob patterns associated with caveat files from
the "ok_cfgs" list;
- "fail_cfgs" - list of caveats that have one of the checks failed.
- "fail_paths" - list of glob patterns associated with caveats from the
"fail_cfgs" list.

Return value:
- 0 in case caveats check has passed, 1 otherwise.
- In "-d" mode, 0 is always returned.

Overrides:

When check_caveats perform its checks, it also checks for presence of files
in specific places, and, if they exist, check_caveats skips a caveat or ignores
its checks; that mechanism allows overriding the information provided
in configuration on local systems and affect the behaviour of the microcode
update process.

Current list of overrides (where $FW_DIR and $CFG_DIR are the environment
options described earlier; $kver - the currently processed kernel version,
$s is the requested stage ("early" or "late"), $cfg is the caveat directory
name):
$FW_DIR/$kver/disallow-$s-$cfg - skip a caveat for the requested stage for
a specific kernel version..
$FW_DIR/$kver/force-$s-$cfg - apply a specific caveat file for a specific
kernel version for the requested stage without
performing any checks.
$FW_DIR/$kver/disallow-$cfg - skip a caveat for any stage for a specific
kernel version.
$FW_DIR/$kver/force-$cfg - apply a specific caveat for any stage
for a specific kernel version without checks.
$FW_DIR/$kver/disallow-$s - skip all caveats for a specific stage
for a specific kernel version.
$CFG_DIR/disallow-$s-$cfg - skip a caveat for a specific stage for all
kernel versions.
$FW_DIR/$kver/force-$s - apply all caveats for a specific stage
for a specific kernel version without checks.
$CFG_DIR/force-$s-$cfg - apply a specific caveat for a specific stage for
all kernel versions without checks.
$FW_DIR/$kver/disallow - skip all caveats for all stages for a specific
kernel version.
$CFG_DIR/disallow-$cfg - skip a caveat for all stages for all kernel
versions.
$FW_DIR/$kver/force - apply all caveats for all stages for a specific kernel
version without checks.
$CFG_DIR/force-$cfg - apply a caveat for all stages for all kernel versions
without checks.
$CFG_DIR/disallow-$s - skip all caveat for all kernel versions
for a specific stage.
$CFG_DIR/force-$s - apply all caveats for all kernel versions for specific
stage without checks.
$CFG_DIR/disallow - skip all caveats for all stages for all kernel versions
(disable everything).
$CFG_DIR/force - force all caveats for all stages for all kernel versions
(enable everything).

The "apply" action above means creating symlinks in /lib/firmware by
update_ucode in case of the "late" stage and adding caveat directory to the list
of firmware directories by dracut plugin in case of the "early" stage.

The files are checked for existence until the first match, so more specific
overrides can override more broad ones.

Also, a caveat is ignored if it lacks either config or readme file.


update_ucode script
-------------------
"update_ucode" populates symlinks to microcode files in accordance with caveats
configuration. It enables late microcode loading that is invoked by triggering
/sys/devices/system/cpu/microcode/reload file. Since caveats depend
on the kernel version, symlinks are populated inside
"/lib/firmware/KERNEL_VERSION" directory for each installed kernel.
As a consequence, this script is triggered upon each kernel package installation
and removal.

The script has two parts: common and kernel-version-specific.

During the common part, files are populated from
/usr/share/microcode_ctl/intel-ucode in /lib/firmware/intel-ucode. There are
several possibilities to affect the process:
* Presence of "/etc/microcode_ctl/intel-ucode-disallow" file leads to skipping
the common part of the script.
* The same for "/lib/firmware/intel-ucode-disallow".

During the kernel-version-specific part, each caveat is checked against every
kernel version, and those combinations, for which caveat check succeeds,
gets the symlinks to the associated microcode files populated.
* Absence of "/lib/firmware/KERNEL_VERSION/readme-CAVEAT" prevents update_ucode
from removing symlinks related to the caveat for specific kernel version.
* Since the check is being done by check_caveats, all the overrides that
described there also stay.

Usage:
update_ucode [--action {add|remove|refresh|list}] [--kernel KERNELVER]*
[--verbose] [--dry-run] [--cleanup intel_ucode caveats_ucode]
[--skip-common] [--skip-kernel-specific]

Options:
--action - action to perform. Currently, the following actions are supported:
* "add" - create new symlinks.
* "remove" - remove old symlinks that are no longer needed.
* "refresh" - re-populate symlinks.
* "list" - list files under control of update_ucode.
By default, "refresh" action is executed.
--kernel - kernel version to process. By default, list of kernel versions
is formed based on contents of /lib/firmware and /lib/modules
directories.
--verbose - verbose output.
--dry-run - do not call commands, just print the invocation lines.
--cleanup - cleanup mode. Used by post-uninstall script during package
upgrades. Removes excess files in accordance to the contents
of the files provided in the arguments to the option.
--skip-common - do not process /lib/firmware directory.
--skip-kernel-specific - do not process /lib/firmware/KERNEL_VERSION
directories.

Return value:
0 on success, 1 on error.


reload_microcode script
-----------------------
"reload_microcode" is a script that is called by microcode.service and
triggers late microcode reloading (by writing "1" to
/sys/devices/system/cpu/microcode/reload) if the following check are passed:
* the microcode update performed not in a virtualised environment;
* running kernel passes "check_caveats" checks that applicable to the current
CPU model.

For a virtualised environment check, the script searches the "/proc/cpuinfo"
file for presence of the "hypervisor" flag among CPU features (it corresponds
to a CPUID feature bit set by hypervisors in order to inform that the kernel
operates inside a virtual machine). This check can be overridden and skipped
by creation of a file "/etc/microcode_ctl/ignore-hypervisor-flag".

The script has no options and always returns 0.

In addition to overrides that affect check_caveats, the presence of the
"/etc/microcode_ctl/ignore-hypervisor-flag" flag provides an ability
to skip "hypervisor" flag check.


99microcode_ctl-fw_dir_override dracut module
---------------------------------------------
This dracut module injects directories with microcode files for caveats
that pass "early" check_caveats check (with "-e" flag). In addition
to "check_caveats" overrides, the following abilities to control module's
behaviour are present:
* Presence of one of the following files:
- /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check
- /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check-$cfg
- /lib/firmware/$kver/skip-host-only-check
- /lib/firmware/$kver/skip-host-only-check-$cfg
(where "$kver" is the kernel version in question and "$cfg" is the caveat
directory name) allows skipping matching of microcode file name when dracut's
Host-Only mode is enabled.

When caveats_check succeeds, caveats directory (not its possibly populated
version for late microcode update: "/lib/firmware/KERNEL_VERSION";
it is done so in order
to have ability to configure list of caveats enabled for early and late
microcode update, independently) is added to dracut's list of firmware search
directories.

The module can be disabled by running dracut with
"-o microcode_ctl-fw_dir_override" (for one-time exclusion), or it can
be disabled permanently by uncommenting string
"omit_dracutmodules+=' microcode_ctl-fw_dir_override '" in
/usr/lib/dracut/dracut.conf.d/99-microcode-override.conf configuration file.

See dracut(8), section "Omitting dracut Modules", and dracut.conf(5), variable
"omit_dracutmodules" for additional information.


Caveats
=======

Intel Broadwell-EP/EX ("BDX-ML B/M/R0") caveat
----------------------------------------------
Microcode update process on Intel Broadwell-EP/EX CPUs (BDX-ML B/M/R0,
family 6, model 79, stepping 1) has issues that lead to system instability.
A series of changes for the Linux kernel has been developed in order to work
around those issues; however, as it turned out, some systems have issues even
when a microcode update performed on a kernel that contains those changes.
As a result, microcode update for this CPU model is disabled by default;
the microcode file, however, is still shipped as a part of microcode_ctl
package and can be used for performing a microcode update if it is enforced
via the aforementioned overriddes. (See sections "check_caveats script"
and "reload_microcode script" for details.)

Affected microcode: intel-ucode/06-4f-01.

Mitigation: microcode loading is disabled for the affected CPU model.

Minimum versions of the kernel package that contain the aforementioned patch
series:
- Upstream/RHEL 8: 4.17.0
- RHEL 7.6 onwards: 3.10.0-894
- RHEL 7.5: 3.10.0-862.6.1
- RHEL 7.4: 3.10.0-693.35.1
- RHEL 7.3: 3.10.0-514.52.1
- RHEL 7.2: 3.10.0-327.70.1
- RHEL 6.10: 2.6.32-754.1.1
- RHEL 6.7: 2.6.32-573.58.1
- RHEL 6.6: 2.6.32-504.71.1
- RHEL 6.5: 2.6.32-431.90.1
- RHEL 6.4: 2.6.32-358.90.1


Early microcode load inside a virtual machine
---------------------------------------------
RHEL 7 kernel supports performing microcode update during early boot stage
from a cpio archive placed at the beginning of the initramfs image. However,
when an early microcode update is attempted inside some virtualised
environments, that may result in unexpected system behaviour.

Affected microcode: all.

Mitigation: early microcode loading is disabled for all CPU models.

Minimum versions of the kernel package that contain the fix:
- Upstream/RHEL 8: 4.10.0
- RHEL 7.6 onwards: 3.10.0-930
- RHEL 7.5: 3.10.0-862.14.1
- RHEL 7.4: 3.10.0-693.38.1
- RHEL 7.3: 3.10.0-514.57.1
- RHEL 7.2: 3.10.0-327.73.1


Intel Sandy Bridge-E/EN/EP caveat
---------------------------------
MDS-related microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP
(SNB-EP, family 6, model 45, stepping 7) may lead to system instability.
In order to address this, this microcode update is not used and the previous
microcode revision is provided instead by default; the microcode file, however,
is still shipped as part of microcode_ctl package and can be used for performing
a microcode update if it is enforced via the aforementioned overriddes. (See
sections "check_caveats script" and "reload_microcode script" for details.)

Affected microcode: intel-ucode/06-2d-07.

Mitigation: previously published microcode revision 0x714 is used by default.



Additional information
======================
Red Hat provides updated microcode, developed by its microprocessor partners,
as a customer convenience. Please contact your hardware vendor to determine
whether more recent BIOS/firmware updates are recommended because additional
improvements may be available.

Information regarding microcode revisions required for mitigating specific
microarchitectural side-channel attacks is available in the following
knowledge base articles:
* CVE-2017-5715 ("Spectre"):
https://access.redhat.com/articles/3436091
* CVE-2018-3639 ("Speculative Store Bypass"):
https://access.redhat.com/articles/3540901
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
https://access.redhat.com/articles/3562741
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151

495
SOURCES/check_caveats Executable file
View File

@ -0,0 +1,495 @@
#! /bin/bash -eu

# Script for checking various microcode caveats
#
#
# SPDX-License-Identifier: CC0-1.0

: ${MC_CAVEATS_DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats}
: ${FW_DIR=/lib/firmware}
: ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}

usage() {
echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]'
echo ' [-m] [-v]'
echo
echo ' -d - enables disclaimer printing mode'
echo ' -e - check for early microcode load possibility (instead of'
echo ' late microcode load)'
echo ' -k - target version to check against, $(uname -r) is used'
echo ' otherwise'
echo ' -c - caveat config(s) to check, all configs are checked'
echo ' otherwise'
echo ' -m - check that caveats actually apply to the current model'
echo ' -v - verbose output'
echo
echo 'Environment:'
echo ' MC_CAVEATS_DATA_DIR - directory that contains caveats'
echo ' configuration data'
}

debug() { [ 0 = "$verbose" ] || echo "$*" >&2; }

# A simplified RPM version comparison that takes into account knowledge about
# Y- and Z-streams (so it compares versions inside Y-stram or Z-stream if
# the version against which comparison is performed has appropriate versioning
# scheme).
#
# $1 - kernel version to check
# $* - list of kernel versions to check against
check_kver()
{
local t_major= t_minor= t_patch= t_y= t_z1= t_z2= t_rest=
local m_major= m_minor= m_patch= m_y= m_z1= m_z2= m_rest=
local cmp_type=

# IFS=.- read -r t_major t_minor t_patch t_y t_z1 t_z2 t_rest <<<"$1"
# "cannot create temp file for here-document: Read-only file system"
# that's why we can't have nice things.
t_major=${1%%.*}
t_rest=${1#${t_major}}
t_rest=${t_rest#.}
t_minor=${t_rest%%.*}
t_rest=${t_rest#${t_minor}}
t_rest=${t_rest#.}
t_patch=${t_rest%%-*}
t_rest=${t_rest#${t_patch}}
t_rest=${t_rest#-}
t_y=${t_rest%%.*}
t_rest=${t_rest#${t_y}}
t_rest=${t_rest#.}
t_z1=${t_rest%%.*}
t_rest=${t_rest#${t_z1}}
t_rest=${t_rest#.}
t_z2=${t_rest%%.*}

# minor/major/patch/y should be numeric
[ -n "${t_major##*[!0-9]*}" ] || return 1
[ -n "${t_minor##*[!0-9]*}" ] || return 1
[ -n "${t_patch##*[!0-9]*}" ] || return 1
[ -n "${t_y##*[!0-9]*}" ] || return 1
# reset z1/z2 to zero if non-numeric
[ -n "${t_z1##*[!0-9]*}" ] || t_z1=0
[ -n "${t_z2##*[!0-9]*}" ] || t_z2=0

while [ 1 -lt "$#" ]; do
cmp_type=upstream

shift
m_major=${1%%.*}
m_rest=${1#${m_major}}
m_rest=${m_rest#.}
m_minor=${m_rest%%.*}
m_rest=${m_rest#${m_minor}}
m_rest=${m_rest#.}
m_patch=${m_rest%%-*}
m_rest=${m_rest#${m_patch}}
m_rest=${m_rest#-}
m_y=${m_rest%%.*}
m_rest=${m_rest#${m_y}}
m_rest=${m_rest#.}
m_z1=${m_rest%%.*}
m_rest=${m_rest#${m_z1}}
m_rest=${m_rest#.}
m_z2=${m_rest%%.*}

# minor/major/patch should be numeric
[ -n "${m_major##*[!0-9]*}" ] || continue
[ -n "${m_minor##*[!0-9]*}" ] || continue
[ -n "${m_patch##*[!0-9]*}" ] || continue
# reset z1/z2 to zero if non-numeric
[ -n "${m_y##*[!0-9]*}" ] && cmp_type=y || m_y=0
[ -n "${m_z1##*[!0-9]*}" ] && cmp_type=z || m_z1=0
[ -n "${m_z2##*[!0-9]*}" ] && cmp_type=z || m_z2=0

# Comparing versions
case "$cmp_type" in
upstream)
[ "$t_major" -ge "$m_major" ] || continue
[ "$t_minor" -ge "$m_minor" ] || continue
[ "$t_patch" -ge "$m_patch" ] || continue
return 0
;;
y)
[ "$t_major" -eq "$m_major" ] || continue
[ "$t_minor" -eq "$m_minor" ] || continue
[ "$t_patch" -eq "$m_patch" ] || continue
[ "$t_y" -ge "$m_y" ] || continue
return 0
;;
z)
[ "$t_major" -eq "$m_major" ] || continue
[ "$t_minor" -eq "$m_minor" ] || continue
[ "$t_patch" -eq "$m_patch" ] || continue
[ "$t_y" -eq "$m_y" ] || continue
[ "$t_z1" -ge "$m_z1" ] || continue
[ "$t_z2" -ge "$m_z2" ] || continue
return 0
;;
esac
done

return 1
}

# Provides model in format "VENDOR_ID FAMILY-MODEL-STEPPING"
#
# We check only the first processor as we don't expect non-symmetrical setups
# with CPUs with caveats
get_model_string()
{
/usr/bin/printf "%s %02x-%02x-%02x" \
$(/bin/sed -rn '1,/^$/{
s/^vendor_id[[:space:]]*: (.*)$/\1/p;
s/^cpu family[[:space:]]*: (.*)$/\1/p;
s/^model[[:space:]]*: (.*)$/\1/p;
s/^stepping[[:space:]]*: (.*)$/\1/p;
}' /proc/cpuinfo)
}

get_model_name()
{
/bin/sed -rn '1,/^$/s/^model name[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
}

get_vendor_id()
{
/bin/sed -rn '1,/^$/s/^vendor_id[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
}

get_mc_path()
{
case "$1" in
GenuineIntel)
echo "intel-ucode/$2"
;;
AuthenticAMD)
echo "amd-ucode/$2"
;;
esac
}

get_mc_ver()
{
/bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
}

fail()
{
ret=1

fail_cfgs="$fail_cfgs $cfg"
fail_paths="$fail_paths $cfg_path"

[ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \
|| cat "${dir}/disclaimer"
}

#check_kver "$@"
#get_model_name

match_model=0
configs=
kver=$(/bin/uname -r)
verbose=0
early_check=0
print_disclaimers=0

ret=0

while getopts "dek:c:mv" opt; do
case "${opt}" in
d)
print_disclaimers=1
early_check=2
;;
e)
early_check=1
;;
k)
kver="$OPTARG"
;;
c)
configs="$configs $OPTARG"
;;
m)
match_model=1
;;
v)
verbose=1
;;
*)
usage
exit 1;
;;
esac
done

: ${configs:=$(find "${MC_CAVEATS_DATA_DIR}" -maxdepth 1 -mindepth 1 -type d -printf "%f\n")}

cpu_model=$(get_model_string)
cpu_model_name=$(get_model_name)
cpu_vendor=$(get_vendor_id)

ret_paths=""
ok_paths=""
fail_paths=""

ret_cfgs=""
ok_cfgs=""
fail_cfgs=""

skip_cfgs=""

if [ 1 -eq "$early_check" ]; then
stage="early"
else
stage="late"
fi


for cfg in $(echo "${configs}"); do
dir="$MC_CAVEATS_DATA_DIR/$cfg"

# We add cfg to the skip list first and then, if we do not skip it,
# we remove the configuration from the list.
skip_cfgs="$skip_cfgs $cfg"

[ -r "${dir}/readme" ] || {
debug "File 'readme' in ${dir} is not found, skipping"
continue
}

[ -r "${dir}/config" ] || {
debug "File 'config' in ${dir} is not found, skipping"
continue
}

cfg_model=
cfg_vendor=
cfg_path=
cfg_kvers=
cfg_kvers_early=
cfg_blacklist=
cfg_mc_min_ver_late=
cfg_disable=

while read -r key value; do
case "$key" in
model)
cfg_model="$value"
;;
vendor)
cfg_vendor="$value"
;;
path)
cfg_path="$cfg_path $value"
;;
kernel)
cfg_kvers="$cfg_kvers $value"
;;
kernel_early)
cfg_kvers_early="$cfg_kvers_early $value"
;;
mc_min_ver_late)
cfg_mc_min_ver_late="$value"
;;
disable)
cfg_disable="$cfg_disable $value "
;;
blacklist)
cfg_blacklist=1
break
;;
esac
done < "${dir}/config"

[ -z "${cfg_blacklist}" ] || \
cfg_blacklist=$(/bin/sed -n '/^blacklist$/,$p' "${dir}/config" |
/usr/bin/tail -n +2)

debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'"
debug "${cfg}: blacklist '$cfg_blacklist'"

# Check for override files in the following order:
# - disallow early/late specific caveat for specific kernel
# - force early/late specific caveat for specific kernel
# - disallow specific caveat for specific kernel
# - force specific caveat for specific kernel
#
# - disallow early/late specific caveat for any kernel
# - disallow early/late any caveat for specific kernel
# - force early/late specific caveat for any kernel
# - force early/late any caveat for specific kernel
# - disallow specific caveat for any kernel
# - disallow any caveat for specific kernel
# - force specific caveat for any kernel
# - force any caveat for specific kernel
#
# - disallow early/late everything
# - force early/late everyhting
# - disallow everything
# - force everyhting
ignore_cfg=0
force_cfg=0
override_file=""
overrides="
0:$FW_DIR/$kver/disallow-$stage-$cfg
1:$FW_DIR/$kver/force-$stage-$cfg
0:$FW_DIR/$kver/disallow-$cfg
1:$FW_DIR/$kver/force-$cfg
0:$FW_DIR/$kver/disallow-$stage
0:$CFG_DIR/disallow-$stage-$cfg
1:$FW_DIR/$kver/force-$stage
1:$CFG_DIR/force-$stage-$cfg
0:$FW_DIR/$kver/disallow
0:$CFG_DIR/disallow-$cfg
1:$FW_DIR/$kver/force
1:$CFG_DIR/force-$cfg
0:$CFG_DIR/disallow-$stage
1:$CFG_DIR/force-$stage
0:$CFG_DIR/disallow
1:$CFG_DIR/force"
for o in $(echo "$overrides"); do
o_force=${o%%:*}
override_file=${o#$o_force:}

[ -e "$override_file" ] || continue

if [ 0 -eq "$o_force" ]; then
ignore_cfg=1
else
force_cfg=1
fi

break
done

[ 0 -eq "$ignore_cfg" ] || {
debug "Configuration \"$cfg\" is ignored due to presence of" \
"\"$override_file\"."
continue
}

# Check model if model filter is enabled
if [ 1 -eq "$match_model" -a -n "$cfg_model" ]; then
[ "x$cpu_model" = "x$cfg_model" ] || {
debug "Current CPU model '$cpu_model' doesn't" \
"match configuration CPU model '$cfg_model'," \
"skipping"
continue
}
fi

# Check paths if model filter is enabled
if [ 1 -eq "$match_model" -a -n "$cfg_path" ]; then
cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \
"$cpu_vendor" "${cpu_model#* }")"
cfg_mc_present=0

for p in $(printf "%s" "$cfg_path"); do
find "$MC_CAVEATS_DATA_DIR/$cfg" \
-path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \
| grep -zFxq "$cpu_mc_path" \
|| continue

cfg_mc_present=1
done

[ 1 = "$cfg_mc_present" ] || {
debug "No matching microcode files in '$cfg_path'" \
"for CPU model '$cpu_model', skipping"
continue
}
fi

# Check vendor if model filter is enabled
if [ 1 -eq "$match_model" -a -n "$cfg_vendor" ]; then
[ "x$cpu_vendor" = "x$cfg_vendor" ] || {
debug "Current CPU vendor '$cpu_vendor' doesn't" \
"match configuration CPU vendor '$cfg_vendor'," \
"skipping"
continue
}
fi

# Check configuration files

ret_cfgs="$ret_cfgs $cfg"
ret_paths="$ret_paths $cfg_path"
skip_cfgs="${skip_cfgs% $cfg}"

[ 0 -eq "$force_cfg" ] || {
debug "Checks for configuration \"$cfg\" are ignored due to" \
"presence of \"$override_file\"."

ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path"

continue
}

[ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || {
debug "${cfg}: caveat is disabled in configuration"
fail
continue
}

# Check late load kernel version
if [ 1 -ne "$early_check" -a -n "$cfg_kvers" ]; then
check_kver "$kver" $cfg_kvers || {
debug "${cfg}: late load kernel version check for" \
" '$kver' against '$cfg_kvers' failed"
fail
continue
}
fi

# Check early load kernel version
if [ 0 -ne "$early_check" -a -n "$cfg_kvers_early" ]; then
check_kver "$kver" $cfg_kvers_early || {
debug "${cfg}: early load kernel version check for" \
"'$kver' against '$cfg_kvers_early' failed"
fail
continue
}
fi

# Check model blacklist
if [ -n "$cfg_blacklist" ]; then
echo "$cfg_blacklist" | /bin/grep -vqFx "${cpu_model_name}" || {
debug "${cfg}: model '${cpu_model_name}' is blacklisted"
fail
continue
}
fi

# Check current microcode version for the late update
if [ -n "$cfg_mc_min_ver_late" -a 1 -ne "$early_check" -a \
"x$cpu_model" = "x$cfg_model" ]; then
cpu_mc_ver="$(get_mc_ver)"

[ 1 -eq $((cpu_mc_ver >= cfg_mc_min_ver_late)) ] || {
debug "${cfg}: CPU microcode version $cpu_mc_ver" \
"failed check (should be at least" \
"${cfg_mc_min_ver_late})"
fail
continue
}
fi

ok_cfgs="$ok_cfgs $cfg"
ok_paths="$ok_paths $cfg_path"
done

[ 0 -eq "$print_disclaimers" ] || exit 0

echo "cfgs$ret_cfgs"
echo "skip_cfgs$skip_cfgs"
echo "paths$ret_paths"
echo "ok_cfgs$ok_cfgs"
echo "ok_paths$ok_paths"
echo "fail_cfgs$fail_cfgs"
echo "fail_paths$fail_paths"

exit $ret

177
SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh Executable file
View File

@ -0,0 +1,177 @@
#!/bin/bash

# Hack in additional firmware directories for supported caveats.
#
# SPDX-License-Identifier: CC0-1.0

check() {
return 0
}

install() {
local FW_DIR=/lib/firmware
local DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats
local CFG_DIR="/etc/microcode_ctl/ucode_with_caveats"
local check_caveats=/usr/libexec/microcode_ctl/check_caveats

local verbose_opt
local cc_out
local path
local ignored
local do_skip_host_only
local p

verbose_opt=
[ 4 -gt "$stdloglvl" ] || verbose_opt="-v"

# HACK: we override external fw_dir variable in order to get
# an additional ucode based on the kernel version.
dinfo " microcode_ctl module: mangling fw_dir"

[ -z "$fw_dir_l" ] || {
dinfo " microcode_ctl: avoid touching fw_dir as" \
"it has been changed (fw_dir_l is '$fw_dir_l')"

return 0
}

# Reset fw_dir to avoid inclusion of kernel-version-specific directories
# populated with microcode for the late load
[ "x$fw_dir" != \
"x/lib/firmware/updates /lib/firmware /lib/firmware/$kernel" ] || {
fw_dir="/lib/firmware/updates /lib/firmware"
dinfo " microcode_ctl: reset fw_dir to \"${fw_dir}\""
}

fw_dir_add=""
while read -d $'\n' -r i; do
dinfo " microcode_ctl: processing data directory " \
"\"$DATA_DIR/$i\"..."

if ! cc_out=$($check_caveats -e -k "$kernel" -c "$i" $verbose_opt)
then
dinfo " microcode_ctl: kernel version \"$kernel\"" \
"failed early load check for \"$i\", skipping"
continue
fi

path=$(printf "%s" "$cc_out" | sed -n 's/^paths //p')
[ -n "$path" ] || {
ignored=$(printf "%s" "$cc_out" | \
sed -n 's/^skip_cfgs //p')

if [ -n "$ignored" ]; then
dinfo " microcode_ctl: configuration" \
"\"$i\" is ignored"
else
dinfo " microcode_ctl: no microcode paths" \
"are associated with \"$i\", skipping"
fi

continue
}

if [ "x" != "x$hostonly" ]; then
do_skip_host_only=0

local sho_overrides="
$CFG_DIR/skip-host-only-check
$CFG_DIR/skip-host-only-check-$i
$FW_DIR/$kernel/skip-host-only-check
$FW_DIR/$kernel/skip-host-only-check-$i"

for p in $(echo "$sho_overrides"); do
[ -e "$p" ] || continue

do_skip_host_only=1
dinfo " microcode_ctl: $i; skipping" \
"Host-Only check, since \"$p\" exists."
break
done
else
do_skip_host_only=1
fi

if [ 0 -eq "$do_skip_host_only" ]; then
local hostonly_passed=0
local ucode
local uvendor
local ucode_dir=""

ucode=$(get_ucode_file)
uvendor=$(get_cpu_vendor)

case "$uvendor" in
Intel)
ucode_dir="intel-ucode"
;;
AMD)
ucode_dir="amd-ucode"
;;
*)
dinfo " microcode_ctl: unknown CPU" \
"vendor: \"$uvendor\", bailing out of" \
"Host-Only check"
continue
;;
esac

# $path is a list of globs, so it needs special care
for p in $(printf "%s" "$path"); do
find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \
-print0 \
| grep -zFxq \
"$DATA_DIR/$i/$ucode_dir/$ucode" \
|| continue

dinfo " microcode_ctl: $i: Host-Only" \
"mode is enabled and" \
"\"$ucode_dir/$ucode\" matches \"$p\""

hostonly_passed=1
break
done

[ 1 -eq "$hostonly_passed" ] || {
dinfo " microcode_ctl: $i: Host-Only mode" \
"is enabled and ucode name does not" \
"match the expected one, skipping" \
"caveat (\"$ucode\" not in \"$path\")"
continue
}
fi

dinfo " microcode_ctl: $i: caveats check for kernel" \
"version \"$kernel\" passed, adding" \
"\"$DATA_DIR/$i\" to fw_dir variable"

if [ 0 -eq "$do_skip_host_only" ]; then
fw_dir_add="$DATA_DIR/$i "
else
fw_dir_add="$DATA_DIR/$i $fw_dir_add"
fi
# The list of directories is reverse-sorted in order to preserve the
# "last wins" policy in case of presence of multiple microcode
# revisions.
#
# In case of hostonly == 0, all microcode revisions will be included,
# but since the microcode search is done with the "first wins" policy
# by the (early) microcode loading code, the correct microcode revision
# still has to be picked.
#
# Note that dracut without patch [1] puts only the last directory
# in the early cpio; we try to address this by putting only the last
# matching caveat in the search path, but that workaround works only
# for host-only mode; non-host-only mode early cpio generation is still
# broken without that patch.
#
# [1] https://github.com/dracutdevs/dracut/commit/c44d2252bb4b
done <<-EOF
$(find "$DATA_DIR" -maxdepth 1 -mindepth 1 -type d -printf "%f\n" \
| LC_ALL=C sort)
EOF

fw_dir="${fw_dir_add}${fw_dir}"
dinfo " microcode_ctl: final fw_dir: \"${fw_dir}\""
}

114
SOURCES/gen_provides.sh Executable file
View File

@ -0,0 +1,114 @@
#! /bin/bash -efux

# Generator of RPM "Provides:" tags for Intel microcode files.
#
# SPDX-License-Identifier: CC0-1.0

IFS=$'\n'
UPDATED="intel-beta"
CODENAMES="codenames"

if [ "$#" -ge 1 ]; then
CODENAMES="$1"
shift
fi

# Match only FF-MM-SS ucode files under intel-ucode/intel-ucode-with-caveats
# directories.
for f in $(grep -E '/intel-ucode.*/[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]$'); do
ucode=$(basename "$f")
ucode_caveat="$(basename "$(dirname "$(dirname "$f")")")"
ucode_fname="$ucode_caveat/$ucode"
file_sz="$(stat -c "%s" "$f")"
skip=0

while :; do
[ "$skip" -lt "$file_sz" ] || break

# Microcode header format description:
# https://gitlab.com/iucode-tool/iucode-tool/blob/master/intel_microcode.c
IFS=' ' read hdrver rev \
date_y date_d date_m \
cpuid cksum ldrver \
pf_mask datasz totalsz <<- EOF
$(dd if="$f" bs=1 skip="$skip" count=36 status=none \
| hexdump -e '"" 1/4 "%u " 1/4 "%#x " \
1/2 "%04x " 1/1 "%02x " 1/1 "%02x " \
1/4 "%08x " 1/4 "%x " 1/4 "%#x " \
1/4 "%u " 1/4 "%u " 1/4 "%u" "\n"')
EOF

[ 0 != "$datasz" ] || datasz=2000
[ 0 != "$totalsz" ] || totalsz=2048

# TODO: add some sanity/safety checks here. As of now, there's
# a (pretty fragile) assumption that all the matched files
# are valid Intel microcode files in the expected format.

skip=$((skip + totalsz))

#[ -n "$rev" ] || continue

# Basic "Provides:" tag. Everything else is bells and whistles.
# It's possible that microcode files for different platform_id's
# and the same CPUID have the same version, that's why "sort -u"
# in the end.
printf "firmware(intel-ucode/%s) = %s\n" "$ucode" "$rev"

# Generate extended "Provides:" tags with additional
# information, which allow more precise matching.
printf "iucode_date(fname:%s;cpuid:%s;pf_mask:0x%x) = %s.%s.%s\n" \
"$ucode_fname" "$cpuid" "$pf_mask" "$date_y" "$date_m" "$date_d"
printf "iucode_rev(fname:%s;cpuid:%s;pf_mask:0x%x) = %s\n" \
"$ucode_fname" "$cpuid" "$pf_mask" "$rev"

# Generate tags for each possible platform_id
_pf=1
_pf_mask="$pf_mask"
while [ 0 -lt "$_pf_mask" ]; do
[ 1 -ne "$((_pf_mask % 2))" ] || \
# We try to provide a more specific firmware()
# dependency here. It has incorrect file name,
# but allows constructing a required RPM
# capability name by (directly) using
# the contents of /proc/cpuinfo and
# /sys/devices/system/cpu/cpu*/microcode/processor_flags
# (except for a Deschutes CPU with sig 0x1632)
printf "iucode_rev(fname:%s;platform_id:0x%x) = %s\n" \
"$ucode_fname" "$_pf" "$rev"

_pf_mask=$((_pf_mask / 2))
_pf=$((_pf * 2))
done

# Generate tags with codename information, in case
# it is available
cpuid_up="$(echo "$cpuid" | tr 'a-z' 'A-Z')"
if [ -e "$CODENAMES" ]; then
grep ' '"$cpuid_up"' ' "$CODENAMES" \
| while IFS=$'\t' read segm int_fname codename stepping candidate_pf rest; do
codename=$(echo "$codename" | tr ' (),' '_[];')
candidate_pf=$(printf "%u" "0x${candidate_pf}")
[ \( 0 -ne "$pf_mask" \) -a \
\( "$candidate_pf" -ne "$((candidate_pf & pf_mask))" \) ] || { \
printf "iucode_rev(fname:%s;cpuid:%s;pf_mask:0x%x;segment:\"%s\";codename:\"%s\";stepping:\"%s\";pf_model:0x%x) = %s\n" \
"$ucode_fname" "$cpuid" "$pf_mask" \
"$segm" "$codename" "$stepping" "$candidate_pf" \
"$rev";
printf "iucode_date(fname:%s;cpuid:%s;pf_mask:0x%x;segment:\"%s\";codename:\"%s\";stepping:\"%s\";pf_model:0x%x) = %s.%s.%s\n" \
"$ucode_fname" "$cpuid" "$pf_mask" \
"$segm" "$codename" "$stepping" "$candidate_pf" \
"$date_y" "$date_m" "$date_d";
}
done
fi

# Kludge squared: generate additional "Provides:" tags
# for the files in the overrides tarball (that a placed
# in a separate caveat with a specific name)
[ "x${ucode_caveat}" != "x${UPDATED}" ] || {
printf "firmware_updated(intel-ucode/%s) = %s\n" \
"$ucode" "$rev";
}
done
done | sort -u

90
SOURCES/intel-microcode2ucode.8.in Normal file
View File

@ -0,0 +1,90 @@
.\" intel-microcode2ucode stub man page
.\"
.\" SPDX-License-Identifier: CC0-1.0
.\"
.TH INTEL-MICROCODE2UCODE 8 "@DATE@" "MICROCODE_CTL @VERSION@"
.\"
.SH NAME
intel\-microcode2ucode \- convert Intel microcode.dat file into ucode files
.\"
.SH SYNOPSIS
.SY intel\-microcode2ucode
.RI [ MICROCODE_FILE ]
.YS
.\"
.SH DESCRIPTION
.B intel\-microcode2ucode
parses Intel microcode combined text data file (which usually has name
.BR microcode.dat )
and splits it into individual binary microcode files that can be loaded by the
Linux kernel.
.LP
Generated microcode files are placed into
.B intel-ucode
directory, which is created in the current working directory, and have file name
format of
.IR FF - MM - SS ,
where
.I FF
is the CPU family number,
.I MM
is the model number, and
.I SS
is stepping.
All three values are zero-filled to two digits and are hexadecimal
(letters are in the lower case).
.LP
This tool is mostly of historic interest, as Intel ships separate microcode
files now.
.\"
.SH OPTIONS
.\"
.TP
.I MICROCODE_FILE
Path to the
.B microcode.dat
file.
If no path has been provided, the default path
.B /lib/firmware/microcode.dat
is used.
If
.B -
(single dash) is provided as an argument, data is read from the standard input.
.\"
.SH EXIT STATUS
.TP
.B 0
Success.
.TP
.B 1
Error occurred:
temporary buffer cannot be allocated,
input microcode file cannot be opened,
microcode version and/or format are unknown,
cannot open output file,
cannot write to the output file.
.\"
.SH REPORTING BUGS
Problems with
.B intel-microcode2ucode
should be reported to
.UR https://bugzilla.redhat.com/
Red Hat Bugzilla
.UE
.\"
.SH AUTHORS
.B intel-microcode2ucode
was written by
Kay Sievers <kay.sievers@vrfy.org> and
Anton Arapov <anton@redhat.com>.
This manpage was written for Red Hat Enterprise Linux and may be
used, modified, and/or distributed freely by anyone.
.\"
.SH "SEE ALSO"
.UR https://gitlab.com\:/iucode-tool\:/iucode-tool
iucode-tool, a tool for manipulating Intel microcode files
.UE ,
.LP
.UR @MICROCODE_URL@
Intel microcode
.UE

8
SOURCES/intel_config Normal file
View File

@ -0,0 +1,8 @@
path intel-ucode/*
vendor_id GenuineIntel
kernel_early 4.10.0
kernel_early 3.10.0-930
kernel_early 3.10.0-862.14.1
kernel_early 3.10.0-693.38.1
kernel_early 3.10.0-514.57.1
kernel_early 3.10.0-327.73.1

10
SOURCES/intel_disclaimer Normal file
View File

@ -0,0 +1,10 @@
This kernel doesn't handle early microcode load properly (it tries to load
microcode even in virtualised environment, which may lead to a panic on some
hypervisors), thus the microcode files have not been added to the initramfs
image. Please update your kernel to one of the following:
RHEL 7.5: kernel-3.10.0-862.14.1 or newer;
RHEL 7.4: kernel-3.10.0-693.38.1 or newer;
RHEL 7.3: kernel-3.10.0-514.57.1 or newer;
RHEL 7.2: kernel-3.10.0-327.73.1 or newer.
Please refer to /usr/share/doc/microcode_ctl/caveats/intel_readme
and /usr/share/doc/microcode_ctl/README.caveats for details.

52
SOURCES/intel_readme Normal file
View File

@ -0,0 +1,52 @@
Older RHEL 7 kernels try to early load microcode even inside virtual
machine, which may lead to panic on some hypervisors. In order to circumvent
that, microcode is installed into a kernel-version-specific directory (which
is not scanned by the dracut script, that constructs early microcode binary
in initramfs, by default), and path to microcode files provided only in case
initramfs is generated for the kernel version that properly handles early
microcode inside a virtual machine (i.e. do not attempts yo load it).
The versions of the kernel package that properly handle early microcode load
inside a virtual machine are as follows:
* RHEL 7.6 onwards: kernel-3.10.0-930 or newer;
* RHEL 7.5: kernel-3.10.0-862.14.1 or newer;
* RHEL 7.4: kernel-3.10.0-693.38.1 or newer;
* RHEL 7.3: kernel-3.10.0-514.57.1 or newer;
* RHEL 7.2: kernel-3.10.0-327.73.1 or newer.

If you want to avoid early load of microcode for a specific kernel, please
create "disallow-early-intel" file inside /lib/firmware/<kernel_version>
directory and run dracut -f --kver "<kernel_version>":

touch /lib/firmware/3.10.0-862.9.1/disallow-early-intel
dracut -f --kver 3.10.0-862.9.1

If you want to avoid early load of microcode for all kernels, please create
"disallow-early-intel" file inside the "/etc/microcode_ctl/ucode_with_caveats"
directory and run dracut -f --regenerate-all:

mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/disallow-early-intel
dracut -f --regenerate-all

If you want to enforce early load of microcode for a specific kernel, please
create "force-early-intel" file inside /lib/firmware/<kernel_version> directory
and run dracut -f --kver "<kernel_version>":

touch /lib/firmware/3.10.0-862.9.1/force-early-intel
dracut -f --kver 3.10.0-862.9.1

If you want to enforce early load of microcode for all kernels, please create
"force-early-intel" file inside /etc/microcode_ctl/ucode_with_caveats
directory and run dracut -f --kver "<kernel_version>":

mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel
dracut -f --regenerate-all

In order to override the late load behaviour, the "early" part of file names
should be replaced with "late" (and there is no need to call dracut
in that case).


Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.

12
SOURCES/microcode.service Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Load CPU microcode update
After=basic.target
ConditionVirtualization=false
ConditionPathExists=/sys/devices/system/cpu/microcode/reload

[Service]
Type=oneshot
RemainAfterExit=no
ExecStart=/usr/libexec/microcode_ctl/reload_microcode
[Install]
WantedBy=basic.target

20
SOURCES/microcode_ctl-do-not-install-intel-ucode.patch Normal file
View File

@ -0,0 +1,20 @@
Index: microcode_ctl-2.1-18/Makefile
===================================================================
--- microcode_ctl-2.1-18.orig/Makefile 2018-08-16 04:48:33.466867302 +0200
+++ microcode_ctl-2.1-18/Makefile 2018-08-16 04:55:46.140598645 +0200
@@ -29,14 +29,13 @@
$(CC) $(CFLAGS) -o $(PROGRAM) intel-microcode2ucode.c
clean:
- rm -rf $(PROGRAM) intel-ucode
+ rm -rf $(PROGRAM)
install:
$(INS) -d $(DESTDIR)$(INSDIR) $(DESTDIR)$(DOCDIR) \
$(DESTDIR)$(MICDIRINTEL)
$(INS) -m 755 $(PROGRAM) $(DESTDIR)$(INSDIR)
$(INS) -m 644 README $(DESTDIR)$(DOCDIR)
- $(INS) -m 644 intel-ucode/* $(DESTDIR)$(MICDIRINTEL)
uninstall:
rm -rf $(DESTDIR)$(INSDIR)/$(PROGRAM) \

16
SOURCES/microcode_ctl-do-not-merge-ucode-with-caveats.patch Normal file
View File

@ -0,0 +1,16 @@
Do not extract intel-ucode-with-caveats into the same directory as it needs
special handling.
Index: microcode_ctl-2.1-18/Makefile
===================================================================
--- microcode_ctl-2.1-18.orig/Makefile 2018-07-09 08:55:53.000000000 +0200
+++ microcode_ctl-2.1-18/Makefile 2018-07-20 17:52:34.767187807 +0200
@@ -21,8 +21,7 @@
MICDIRINTEL = $(MICDIR)/intel-ucode
all:
- tar xf $(MICROCODE_INTEL) ./intel-ucode/* ./intel-ucode-with-caveats/* \
- --one-top-level=intel-ucode --strip-components=2 --backup=simple
+ tar -xf $(MICROCODE_INTEL) ./intel-ucode
clean:
rm -rf intel-ucode

13
SOURCES/microcode_ctl-ignore-first-directory-level-in-archive.patch Normal file
View File

@ -0,0 +1,13 @@
Index: microcode_ctl-2.1-18/Makefile
===================================================================
--- microcode_ctl-2.1-18.orig/Makefile 2019-04-16 00:47:14.671953255 +0200
+++ microcode_ctl-2.1-18/Makefile 2019-04-16 00:57:29.656380940 +0200
@@ -23,7 +23,7 @@
MICDIRINTEL = $(MICDIR)/intel-ucode
all: microcode_ctl
- tar -xf $(MICROCODE_INTEL) ./intel-ucode
+ tar -xf ${MICROCODE_INTEL} --wildcards --strip-components=1 \*/intel-ucode
microcode_ctl: intel-microcode2ucode.c
$(CC) $(CFLAGS) -o $(PROGRAM) intel-microcode2ucode.c

95
SOURCES/microcode_ctl-intel-microcode2ucode-buf-handling.patch Normal file
View File

@ -0,0 +1,95 @@
Fix most obvious intel-microcode2ucode buffer overruns.
Index: microcode_ctl-2.1-19/intel-microcode2ucode.c
===================================================================
--- microcode_ctl-2.1-19.orig/intel-microcode2ucode.c 2018-08-20 04:32:26.803450076 +0200
+++ microcode_ctl-2.1-19/intel-microcode2ucode.c 2018-08-20 04:33:49.324661025 +0200
@@ -47,16 +47,25 @@
char c[0];
};
+#define MAX_MICROCODE 4000000
+
int main(int argc, char *argv[])
{
char *filename = "/lib/firmware/microcode.dat";
FILE *input, *f;
char line[LINE_MAX];
- char buf[4000000];
+ char *buf = NULL;
union mcbuf *mc;
size_t bufsize, count, start;
int rc = EXIT_SUCCESS;
+ buf = malloc(MAX_MICROCODE);
+ if (!buf) {
+ printf("can't allocate buffer\n");
+ rc = EXIT_FAILURE;
+ goto out;
+ }
+
if (argv[1] != NULL)
filename = argv[1];
@@ -74,6 +83,12 @@
count = 0;
mc = (union mcbuf *) buf;
while (fgets(line, sizeof(line), input) != NULL) {
+ if ((count + 3) >= (MAX_MICROCODE / sizeof(mc->i[0]))) {
+ printf("input file is too big");
+ rc = EXIT_FAILURE;
+ goto out;
+ }
+
if (sscanf(line, "%x, %x, %x, %x",
&mc->i[count],
&mc->i[count + 1],
@@ -102,6 +117,10 @@
unsigned int family, model, stepping;
unsigned int year, month, day;
+ if ((start > bufsize) ||
+ ((bufsize - start) < sizeof(struct microcode_header_intel)))
+ goto out;
+
mc = (union mcbuf *) &buf[start];
if (mc->hdr.totalsize)
@@ -109,8 +128,12 @@
else
size = 2000 + sizeof(struct microcode_header_intel);
+ if (size > (bufsize - start))
+ goto out;
+
if (mc->hdr.ldrver != 1 || mc->hdr.hdrver != 1) {
- printf("unknown version/format:\n");
+ printf("unknown version/format: %d/%d\n",
+ mc->hdr.ldrver, mc->hdr.hdrver);
rc = EXIT_FAILURE;
break;
}
@@ -135,7 +158,11 @@
month = mc->hdr.date >> 24;
day = (mc->hdr.date >> 16) & 0xff;
- asprintf(&filename, "intel-ucode/%02x-%02x-%02x", family, model, stepping);
+ if (asprintf(&filename, "intel-ucode/%02x-%02x-%02x", family,
+ model, stepping) == -1) {
+ printf("Failed to generate ucode filename\n");
+ goto out;
+ }
printf("\n");
printf("%s\n", filename);
printf("signature: 0x%02x\n", mc->hdr.sig);
@@ -164,6 +191,11 @@
}
printf("\n");
+ if (start != bufsize)
+ printf("Finished parsing at byte %zu of %zu\n", start, bufsize);
+
out:
+ free(buf);
+
return rc;
}

226
SOURCES/microcode_ctl-revert-intel-microcode2ucode-removal.patch Normal file
View File

@ -0,0 +1,226 @@
Revert removal of intel_microcode2ucode [1].

Since it was shipped to end users, its removal may introduce unneeded
disruption.

[1] https://pagure.io/microcode_ctl/c/fde91236cc7b45ecffa5c48a7cd8b30ff75752cf.patch
Index: microcode_ctl-2.1-18/Makefile
===================================================================
--- microcode_ctl-2.1-18.orig/Makefile 2018-07-20 17:52:34.767187807 +0200
+++ microcode_ctl-2.1-18/Makefile 2018-07-20 19:13:37.948699082 +0200
@@ -7,6 +7,7 @@
# as published by the Free Software Foundation; either version
# 2 of the License, or (at your option) any later version.
+PROGRAM = intel-microcode2ucode
MICROCODE_INTEL = microcode-20180703.tgz
INS = install
@@ -16,23 +17,29 @@
DESTDIR =
PREFIX = /usr/local
+INSDIR = $(PREFIX)/sbin
DOCDIR = $(PREFIX)/share/doc/microcode_ctl
MICDIR = /lib/firmware
MICDIRINTEL = $(MICDIR)/intel-ucode
-all:
+all: microcode_ctl
tar -xf $(MICROCODE_INTEL) ./intel-ucode
+microcode_ctl: intel-microcode2ucode.c
+ $(CC) $(CFLAGS) -o $(PROGRAM) intel-microcode2ucode.c
+
clean:
- rm -rf intel-ucode
+ rm -rf $(PROGRAM) intel-ucode
install:
- $(INS) -d $(DESTDIR)$(DOCDIR) \
+ $(INS) -d $(DESTDIR)$(INSDIR) $(DESTDIR)$(DOCDIR) \
$(DESTDIR)$(MICDIRINTEL)
+ $(INS) -m 755 $(PROGRAM) $(DESTDIR)$(INSDIR)
$(INS) -m 644 README $(DESTDIR)$(DOCDIR)
$(INS) -m 644 intel-ucode/* $(DESTDIR)$(MICDIRINTEL)
uninstall:
- rm -rf $(DESTDIR)$(MICDIRINTEL) \
+ rm -rf $(DESTDIR)$(INSDIR)/$(PROGRAM) \
+ $(DESTDIR)$(MICDIRINTEL) \
$(DESTDIR)$(DOCDIR)
Index: microcode_ctl-2.1-18/intel-microcode2ucode.c
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ microcode_ctl-2.1-18/intel-microcode2ucode.c 2018-07-20 19:02:19.510433818 +0200
@@ -0,0 +1,169 @@
+/*
+ * Convert Intel microcode.dat into individual ucode files
+ * named: intel-ucode/$family-$model-$stepping
+ *
+ * The subdir intel-ucode/ is created in the current working
+ * directory. We get multiple ucodes in the same file, so they
+ * are appended to an existing file. Make sure the directory
+ * is empty before every run of the converter.
+ *
+ * Kay Sievers <kay.sievers@vrfy.org>
+ * Anton Arapov <anton@redhat.com>
+ */
+
+
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE 1
+#endif
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <inttypes.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/stat.h>
+
+struct microcode_header_intel {
+ unsigned int hdrver;
+ unsigned int rev;
+ unsigned int date;
+ unsigned int sig;
+ unsigned int cksum;
+ unsigned int ldrver;
+ unsigned int pf;
+ unsigned int datasize;
+ unsigned int totalsize;
+ unsigned int reserved[3];
+};
+
+union mcbuf {
+ struct microcode_header_intel hdr;
+ unsigned int i[0];
+ char c[0];
+};
+
+int main(int argc, char *argv[])
+{
+ char *filename = "/lib/firmware/microcode.dat";
+ FILE *input, *f;
+ char line[LINE_MAX];
+ char buf[4000000];
+ union mcbuf *mc;
+ size_t bufsize, count, start;
+ int rc = EXIT_SUCCESS;
+
+ if (argv[1] != NULL)
+ filename = argv[1];
+
+ if (!strcmp(filename, "-")) {
+ input = stdin;
+ } else {
+ input = fopen(filename, "re");
+ if (input == NULL) {
+ printf("open %s: %m\n", filename);
+ rc = EXIT_FAILURE;
+ goto out;
+ }
+ }
+
+ count = 0;
+ mc = (union mcbuf *) buf;
+ while (fgets(line, sizeof(line), input) != NULL) {
+ if (sscanf(line, "%x, %x, %x, %x",
+ &mc->i[count],
+ &mc->i[count + 1],
+ &mc->i[count + 2],
+ &mc->i[count + 3]) != 4)
+ continue;
+ count += 4;
+ }
+ fclose(input);
+
+ bufsize = count * sizeof(int);
+ printf("%s: %lu(%luk) bytes, %zu integers\n",
+ filename,
+ bufsize,
+ bufsize / 1024,
+ count);
+
+ if (bufsize < sizeof(struct microcode_header_intel))
+ goto out;
+
+ mkdir("intel-ucode", 0750);
+
+ start = 0;
+ for (;;) {
+ size_t size;
+ unsigned int family, model, stepping;
+ unsigned int year, month, day;
+
+ mc = (union mcbuf *) &buf[start];
+
+ if (mc->hdr.totalsize)
+ size = mc->hdr.totalsize;
+ else
+ size = 2000 + sizeof(struct microcode_header_intel);
+
+ if (mc->hdr.ldrver != 1 || mc->hdr.hdrver != 1) {
+ printf("unknown version/format:\n");
+ rc = EXIT_FAILURE;
+ break;
+ }
+
+ /*
+ * 0- 3 stepping
+ * 4- 7 model
+ * 8-11 family
+ * 12-13 type
+ * 16-19 extended model
+ * 20-27 extended family
+ */
+ family = (mc->hdr.sig >> 8) & 0xf;
+ if (family == 0xf)
+ family += (mc->hdr.sig >> 20) & 0xff;
+ model = (mc->hdr.sig >> 4) & 0x0f;
+ if (family == 0x06)
+ model += ((mc->hdr.sig >> 16) & 0x0f) << 4;
+ stepping = mc->hdr.sig & 0x0f;
+
+ year = mc->hdr.date & 0xffff;
+ month = mc->hdr.date >> 24;
+ day = (mc->hdr.date >> 16) & 0xff;
+
+ asprintf(&filename, "intel-ucode/%02x-%02x-%02x", family, model, stepping);
+ printf("\n");
+ printf("%s\n", filename);
+ printf("signature: 0x%02x\n", mc->hdr.sig);
+ printf("flags: 0x%02x\n", mc->hdr.pf);
+ printf("revision: 0x%02x\n", mc->hdr.rev);
+ printf("date: %04x-%02x-%02x\n", year, month, day);
+ printf("size: %zu\n", size);
+
+ f = fopen(filename, "ae");
+ if (f == NULL) {
+ printf("open %s: %m\n", filename);
+ rc = EXIT_FAILURE;
+ goto out;
+ }
+ if (fwrite(mc, size, 1, f) != 1) {
+ printf("write %s: %m\n", filename);
+ rc = EXIT_FAILURE;
+ goto out;
+ }
+ fclose(f);
+ free(filename);
+
+ start += size;
+ if (start >= bufsize)
+ break;
+ }
+ printf("\n");
+
+ out:
+ return rc;
+}

13
SOURCES/microcode_ctl-use-microcode-20191112-tgz.patch Normal file
View File

@ -0,0 +1,13 @@
Index: microcode_ctl-2.1-18/Makefile
===================================================================
--- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200
+++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200
@@ -8,7 +8,7 @@
# 2 of the License, or (at your option) any later version.
PROGRAM = intel-microcode2ucode
-MICROCODE_INTEL = microcode-20180703.tgz
+MICROCODE_INTEL = microcode-20191112.pre.tar.gz
INS = install
CC = gcc

22
SOURCES/reload_microcode Normal file
View File

@ -0,0 +1,22 @@
#! /bin/bash -efu

# Trigger microcode reload with additional check for BDW-EP that can have
# microcode reloaded only in case kernel has specific patches.
#
# SPDX-License-Identifier: CC0-1.0

CHECK_CAVEATS=/usr/libexec/microcode_ctl/check_caveats
IGNORE_HYPERVISOR="/etc/microcode_ctl/ignore-hypervisor-flag"

[ -e "$IGNORE_HYPERVISOR" ] || {
if grep -q '^flags[[:space:]]*:.* hypervisor\( .*\)\?$' /proc/cpuinfo
then
exit 0
fi
}

"$CHECK_CAVEATS" -m > /dev/null || exit 0

echo 2>/dev/null 1 > /sys/devices/system/cpu/microcode/reload || :

exit 0

290
SOURCES/update_ucode Normal file
View File

@ -0,0 +1,290 @@
#! /bin/bash -eu

# Maintain kernel-version-specific symlinks in /lib/firmware based on
# configuration present in /usr/share/microcode_ctl/ucode_with_caveats.
#
# SPDX-License-Identifier: CC0-1.0

usage()
{
echo "Usage: update_ucode [--action {add|remove|refresh|list}]" \
"[--kernel KERNELVER]* [--verbose] [--dry-run]" \
"[--cleanup intel_ucode caveats_ucode]" \
"[--skip-common] [--skip-kernel-specific]" >&2
}

debug() { [ 0 = "$verbose" ] || echo "$*" >&2; }

MC_DIR=/usr/share/microcode_ctl
INTEL_UCODE_DIR=intel-ucode
DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats
FW_DIR=/lib/firmware
check_caveats=/usr/libexec/microcode_ctl/check_caveats

action=refresh
kernel=
verbose=0
verbose_opt=
dry_run=0
remove_cleanup=0
cleanup_intel=
cleanup_caveats=
skip_common=0
skip_caveats=0

while [ 1 -le "$#" ]; do
case "$1" in
-C|--skip-common)
skip_common=1
;;
-K|--skip-kernel-specific)
skip_caveats=1
;;
-a|--action)
shift
action="$1"
;;
-k|--kernel)
shift
kernel="$kernel $1"
;;
-v|--verbose)
verbose=1
verbose_opt="-v"
;;
-n|--dry-run)
dry_run=1
;;
-c|--cleanup)
remove_cleanup=1
shift
cleanup_intel="$1"
shift
cleanup_caveats="$1"
;;
*)
echo "Unknown argument \"$1\"" >&2
usage
exit 1
esac
shift
done

cmd=
[ 0 -eq "$dry_run" ] || cmd=echo

case "$action" in
add|remove|refresh|list)
# Scan all directories in FW_DIR and all existing kernels
if [ -z "$kernel" ]; then
debug "No kernel versions provided, scanning..."

kvers=$(find /lib/modules/ -name '[2-9].*' -print)
for k_dir in $kvers; do
k="${k_dir#/lib/modules/}"
[ ! -e "/boot/symvers-$k.gz" ] || {
debug " Adding $k (from /lib/modules)"
kernel="$kernel $k"
}
done

kvers=$(find /lib/firmware/ -name '[2-9].*' -print)
for k_dir in $kvers; do
k="${k_dir#/lib/firmware/}"
[ ! -d "$k_dir" ] || {
debug " Adding $k (from /lib/firmware)"
kernel="$kernel $k"
}
done

kernel=$(printf "%s" "$kernel" | xargs -n 1 | sort -u)
fi
;;
*)
echo "Unknown action \"$action\"" >&2
usage
exit 1
;;
esac

# Generic part: managing intel ucode
debug "Running action \"$action\" on common Intel microcode directory"
while :; do
[ 0 -eq "$skip_common" ] || break

[ ! -e "/etc/microcode_ctl/intel-ucode-disallow" ] || {
debug " Skipping \"$i\":" \
"\"/etc/microcode_ctl/intel-ucode-disallow\"" \
"present"
break
}
[ ! -e "$FW_DIR/intel-ucode-disallow" ] || {
debug " Found \"$FW_DIR/intel-ucode-disallow\"," \
"skipping"
break
}

# Removing old files
case "$action" in
refresh|remove|list)
debug " Removing old files from ${FW_DIR}/${INTEL_UCODE_DIR}"
if [ 0 = "$remove_cleanup" ]; then
find "${MC_DIR}/${INTEL_UCODE_DIR}" \
-maxdepth 1 -mindepth 1 \
-type f -printf '%f\n'
else
cat "$cleanup_intel"
fi | while read -r fname; do
name="${FW_DIR}/${INTEL_UCODE_DIR}/${fname}"

# Needed in case we downgrade to a version where
# no symlinks in /lib/firmware were used
if [ 1 = "$remove_cleanup" ]; then
[ -L "$name" ] || continue
fi

[ "xlist" != "x$action" ] || {
echo "$name"
continue
}

$cmd rm -f $verbose_opt "$name"
done
[ "xlist" = "x$action" ] || {
$cmd rmdir -p $verbose_opt \
"${FW_DIR}/${INTEL_UCODE_DIR}" 2>/dev/null \
|| true
}
;;
esac

# Adding new ones
case "$action" in
add|refresh)
debug " Creating symlinks in ${FW_DIR}/${INTEL_UCODE_DIR}"
$cmd mkdir -p $verbose_opt "${FW_DIR}/${INTEL_UCODE_DIR}"
$cmd find "${MC_DIR}/${INTEL_UCODE_DIR}" -maxdepth 1 -mindepth 1 \
-type f -exec bash -c 'ln -fs '"$verbose_opt"' '\''{}'\'' \
"'"${FW_DIR}/${INTEL_UCODE_DIR}/"'$(basename '\''{}'\'')"' \;
;;
esac

break
done

debug "Running action \"$action\" on kernels $kernel"

if [ 0 = "$remove_cleanup" ]; then
ls "$DATA_DIR"
else
cat "$cleanup_caveats"
fi | while read -r i; do
[ 0 -eq "$skip_caveats" ] || break

debug "Processing data directory \"$i\"..."

for k in $(echo "$kernel"); do
debug " Processing kernel version \"$k\""
{
out=$($check_caveats -k "$k" -c "$i" $verbose_opt)
ret="$?"
} || :
paths=$(printf "%s" "$out" | sed -n 's/^paths //p')
ignore=$(printf "%s" "$out" | sed -n 's/^skip_cfgs //p')

[ -z "$ignore" ] || {
debug " Configuration is ignored, skipping"
continue
}

case "$action" in
remove|refresh|list)
[ "xlist" = "x$action" ] || \
debug " Removing \"$paths\" (part of $action)..."

for p in $(printf "%s" "$paths"); do
find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \
-printf "%P\n"
done | while read -r path; do
[ -e "$FW_DIR/$k/readme-$i" ] || {
debug " \"$FW_DIR/$k/readme-$i\"" \
"is not found, skipping" \
"\"$paths\" removal"

break
}

if [ "xlist" = "x$action" ]; then
echo "$FW_DIR/$k/$path"
else
debug " Removing \"$FW_DIR/$k/$path\""
$cmd rm -f $verbose_opt "$FW_DIR/$k/$path"
$cmd rmdir -p $verbose_opt \
"$FW_DIR/$k/$(dirname $path)" 2>/dev/null \
|| true
fi
done

if [ -e "$FW_DIR/$k/readme-$i" ]; then
if [ "xlist" = "x$action" ]; then
echo "$FW_DIR/$k/readme-$i"
else
$cmd rm -f $verbose_opt \
"$FW_DIR/$k/readme-$i"
$cmd rmdir -p $verbose_opt \
"$FW_DIR/$k" 2>/dev/null || true
fi
fi
;;
esac

[ 0 -eq "$ret" ] || {
debug " Checking for caveats failed" \
"(kernel version \"$k\"), skipping"
continue
}

[ -n "$paths" ] || {
debug " List of paths to add is empty, skipping"
continue
}

case "$action" in
add|refresh)
debug " Adding $paths (part of $action)..."

[ -e "/boot/symvers-$k.gz" ] || {
debug " \"/boot/symvers-$k.gz\"" \
"does not exist, skipping"
continue
}

for p in $(printf "%s" "$paths"); do
find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \
-printf "%P\n"
done | while read -r path; do
[ ! -e "$FW_DIR/$k/$path" ] || {
debug " $FW_DIR/$k/$path already" \
"exists, skipping"
continue
}

debug " Adding \"$FW_DIR/$k/$path\""
$cmd mkdir -p $verbose_opt \
"$(dirname "$FW_DIR/$k/$path")"
$cmd ln -fs $verbose_opt "$DATA_DIR/$i/$path" \
"$FW_DIR/$k/$path"
done

if [ -e "$FW_DIR/$k/readme-$i" ]; then
debug " $FW_DIR/$k/readme-$i already" \
"exists, skipping creation"
else
$cmd cp $verbose_opt "$DATA_DIR/$i/readme" \
"$FW_DIR/$k/readme-$i"
fi
;;
remove)
esac
done
done

818
SPECS/microcode_ctl.spec Normal file
View File

@ -0,0 +1,818 @@
%define upstream_version 2.1-18
%define intel_ucode_version 20191112
%define intel_ucode_file_id 28727

%define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats
%define microcode_ctl_libexec %{_libexecdir}/microcode_ctl

%define update_ucode %{microcode_ctl_libexec}/update_ucode
%define check_caveats %{microcode_ctl_libexec}/check_caveats
%define reload_microcode %{microcode_ctl_libexec}/reload_microcode

%define dracutlibdir %{_prefix}/lib/dracut

%define i_m2u_man intel-microcode2ucode.8

# In microcode_ctl, documentation directory is unversioned historically.
# In RHEL 8 spec, %{_pkgdocdir} is used as installation destination; however,
# it is unversioned only since Fedora 20, per #986871,
# and not in Fedora 18/19-based RHEL 7.
%define _pkgdocdir %{_docdir}/%{name}

Summary: Tool to transform and deploy CPU microcode update for x86.
Name: microcode_ctl
Version: 2.1
Release: 53.3%{?dist}
Epoch: 2
Group: System Environment/Base
License: GPLv2+ and Redistributable, no modification permitted
URL: https://pagure.io/microcode_ctl
Source0: https://releases.pagure.org/microcode_ctl/%{name}-%{upstream_version}.tar.xz
Source1: microcode-%{intel_ucode_version}.pre.tar.gz
# (Pre-MDS) revision 0x714 of 06-2d-07 microcode
Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07


# systemd unit
Source10: microcode.service

# dracut-related stuff
Source20: 01-microcode.conf
Source21: 99-microcode-override.conf
Source22: dracut_99microcode_ctl-fw_dir_override_module_init.sh

# libexec
Source30: update_ucode
Source31: check_caveats
Source32: reload_microcode

# docs
Source40: %{i_m2u_man}.in
Source41: README.caveats

## Caveats
# BDW EP/EX
# https://bugzilla.redhat.com/show_bug.cgi?id=1622180
# https://bugzilla.redhat.com/show_bug.cgi?id=1623630
# https://bugzilla.redhat.com/show_bug.cgi?id=1646383
Source100: 06-4f-01_readme
Source101: 06-4f-01_config
Source102: 06-4f-01_disclaimer

# Unsafe early MC update inside VM:
# https://bugzilla.redhat.com/show_bug.cgi?id=1596627
Source110: intel_readme
Source111: intel_config
Source112: intel_disclaimer

# SNB-EP (CPUID 0x206d7) post-MDS hangs
# https://bugzilla.redhat.com/show_bug.cgi?id=1758382
# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
Source120: 06-2d-07_readme
Source121: 06-2d-07_config
Source122: 06-2d-07_disclaimer


# "Provides:" RPM tags generator
Source200: gen_provides.sh

Patch1: microcode_ctl-do-not-merge-ucode-with-caveats.patch
Patch2: microcode_ctl-revert-intel-microcode2ucode-removal.patch
Patch3: microcode_ctl-use-microcode-%{intel_ucode_version}-tgz.patch
Patch4: microcode_ctl-do-not-install-intel-ucode.patch
Patch5: microcode_ctl-intel-microcode2ucode-buf-handling.patch
Patch6: microcode_ctl-ignore-first-directory-level-in-archive.patch

Buildroot: %{_tmppath}/%{name}-%{version}-root
ExclusiveArch: %{ix86} x86_64
BuildRequires: systemd-units
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
Requires(posttrans): kernel

%global _use_internal_dependency_generator 0
%define __find_provides "%{SOURCE200}"

%description
The microcode_ctl utility is a companion to the microcode driver written
by Tigran Aivazian <tigran@aivazian.fsnet.co.uk>.

The microcode update is volatile and needs to be uploaded on each system
boot i.e. it doesn't reflash your cpu permanently, reboot and it reverts
back to the old microcode.

%prep
%setup -q -n %{name}-%{upstream_version}
%patch1 -p1
%patch2 -p1

# Use the latest archive instead of microcode-20180703.tgz bundled
# with upstream microcode_ctl-2.1-18.
cp "%{SOURCE1}" .
%patch3 -p1

# We install ucode files manually into "intel" caveat directory
%patch4 -p1

%patch5 -p1

# The archive published on github has an additional top-level directory,
# strip it.
%patch6 -p1

%build
make CFLAGS="$RPM_OPT_FLAGS" %{?_smp_mflags}

# We do not populate any intel-ucode files into /lib/firmware directly due to
# early microcode load inside VM issue:
# https://bugzilla.redhat.com/show_bug.cgi?id=1596627
# https://bugzilla.redhat.com/show_bug.cgi?id=1607899
#find intel-ucode -type f | sed 's/^/%%ghost \/lib\/firmware\//' > ghost_list
touch ghost_list

tar xf "%{SOURCE1}" --wildcards --strip-components=1 \
\*/intel-ucode-with-caveats \*/license \*/releasenote

# replacing SNB-EP (CPUID 0x206d7) microcode with pre-MDS version
mv intel-ucode/06-2d-07 intel-ucode-with-caveats/
cp "%{SOURCE2}" intel-ucode/

# man page
sed "%{SOURCE40}" \
-e "s/@DATE@/2019-05-09/g" \
-e "s/@VERSION@/%{version}-%{release}/g" \
-e "s|@MICROCODE_URL@|https://downloadcenter.intel.com/download/%{intel_ucode_file_id}|g" > "%{i_m2u_man}"

%install
rm -rf %{buildroot}
make DESTDIR=%{buildroot} PREFIX=%{_prefix} INSDIR=/usr/sbin MICDIR=/usr/share/microcode_ctl install clean

install -m 755 -d \
"%{buildroot}/%{_datarootdir}/microcode_ctl/intel-ucode" \
"%{buildroot}/%{caveat_dir}/" \
"%{buildroot}/etc/microcode_ctl/ucode_with_caveats/"

# systemd unit
install -m 755 -d "%{buildroot}/%{_unitdir}"
install -m 644 "%{SOURCE10}" -t "%{buildroot}/%{_unitdir}/"

# dracut
%define dracut_mod_dir "%{buildroot}/%{dracutlibdir}/modules.d/99microcode_ctl-fw_dir_override"
install -m 755 -d \
"%{dracut_mod_dir}" \
"%{buildroot}/%{dracutlibdir}/dracut.conf.d/"
install -m 644 "%{SOURCE20}" "%{SOURCE21}" \
-t "%{buildroot}/%{dracutlibdir}/dracut.conf.d/"
install -m 755 "%{SOURCE22}" "%{dracut_mod_dir}/module-setup.sh"

# Internal helper scripts
install -m 755 -d "%{buildroot}/%{microcode_ctl_libexec}"
install "%{SOURCE30}" "%{SOURCE31}" "%{SOURCE32}" \
-m 755 -t "%{buildroot}/%{microcode_ctl_libexec}"


## Documentation
install -m 755 -d "%{buildroot}/%{_pkgdocdir}/caveats"

# caveats readme
install "%{SOURCE41}" \
-m 644 -t "%{buildroot}/%{_pkgdocdir}/"

# Provide Intel microcode license, as it requires so
install -m 644 license \
"%{buildroot}/%{_pkgdocdir}/LICENSE.intel-ucode"

# Provide release notes for Intel microcode
install -m 644 releasenote \
"%{buildroot}/%{_pkgdocdir}/RELEASE_NOTES.intel-ucode"

# caveats
install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" \
-t "%{buildroot}/%{_pkgdocdir}/caveats/"

# Man page
install -m 755 -d %{buildroot}/%{_mandir}/man8/
install -m 644 "%{i_m2u_man}" -t %{buildroot}/%{_mandir}/man8/


## Caveat data

# BDW caveat
%define bdw_inst_dir %{buildroot}/%{caveat_dir}/intel-06-4f-01/
install -m 755 -d "%{bdw_inst_dir}/intel-ucode"
install -m 644 intel-ucode-with-caveats/06-4f-01 -t "%{bdw_inst_dir}/intel-ucode/"
install -m 644 "%{SOURCE100}" "%{bdw_inst_dir}/readme"
install -m 644 "%{SOURCE101}" "%{bdw_inst_dir}/config"
install -m 644 "%{SOURCE102}" "%{bdw_inst_dir}/disclaimer"

# Early update caveat
%define intel_inst_dir %{buildroot}/%{caveat_dir}/intel/
install -m 755 -d "%{intel_inst_dir}/intel-ucode"
install -m 644 intel-ucode/* -t "%{intel_inst_dir}/intel-ucode/"
install -m 644 "%{SOURCE110}" "%{intel_inst_dir}/readme"
install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config"
install -m 644 "%{SOURCE112}" "%{intel_inst_dir}/disclaimer"

# SNB caveat
%define snb_inst_dir %{buildroot}/%{caveat_dir}/intel-06-2d-07/
install -m 755 -d "%{snb_inst_dir}/intel-ucode"
install -m 644 intel-ucode-with-caveats/06-2d-07 -t "%{snb_inst_dir}/intel-ucode/"
install -m 644 "%{SOURCE120}" "%{snb_inst_dir}/readme"
install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config"
install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer"

# Cleanup
rm -f intel-ucode-with-caveats/06-4f-01
rm -f intel-ucode-with-caveats/06-2d-07
rmdir intel-ucode-with-caveats
rm -rf intel-ucode

%post
%systemd_post microcode.service
%{update_ucode}
%{reload_microcode}

# send the message to syslog, so it gets recorded on /var/log
if [ -e /usr/bin/logger ]; then
%{check_caveats} -m -d | /usr/bin/logger -p syslog.notice -t DISCLAIMER
fi
# also paste it over dmesg (some customers drop dmesg messages while
# others keep them into /var/log for the later case, we'll have the
# disclaimer recorded twice into system logs.
%{check_caveats} -m -d > /dev/kmsg

exit 0

%posttrans
# We only want to regenerate the initramfs for a fully booted
# system; if this package happened to e.g. be pulled in as a build
# dependency, it is pointless at best to regenerate the initramfs,
# and also does not work with rpm-ostree:
# https://bugzilla.redhat.com/show_bug.cgi?id=1199582
#
# Also check that the running kernel is actually installed:
# https://bugzilla.redhat.com/show_bug.cgi?id=1591664
# We use the presence of symvers file as an indicator, the check similar
# to what weak-modules script does.
if [ -d /run/systemd/system -a -e "/boot/symvers-$(uname -r).gz" ]; then
dracut -f
fi

%global rpm_state_dir %{_localstatedir}/lib/rpm-state


%preun
%systemd_preun microcode.service

# Storing ucode list before uninstall
ls /usr/share/microcode_ctl/intel-ucode |
sort > "%{rpm_state_dir}/microcode_ctl_un_intel-ucode"
ls /usr/share/microcode_ctl/ucode_with_caveats |
sort > "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats"
%{update_ucode} --action list --skip-common |
sort > "%{rpm_state_dir}/microcode_ctl_un_file_list"

%postun
%systemd_postun microcode.service

ls /usr/share/microcode_ctl/intel-ucode 2> /dev/null |
sort > "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_after"
comm -23 \
"%{rpm_state_dir}/microcode_ctl_un_intel-ucode" \
"%{rpm_state_dir}/microcode_ctl_un_intel-ucode_after" \
> "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_diff"

if [ -e "%{update_ucode}" ]; then
ls /usr/share/microcode_ctl/ucode_with_caveats 2> /dev/null |
sort > "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_after"

comm -23 \
"%{rpm_state_dir}/microcode_ctl_un_ucode_caveats" \
"%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_after" \
> "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_diff"

%{update_ucode} --action remove --cleanup \
"%{rpm_state_dir}/microcode_ctl_un_intel-ucode_diff" \
"%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_diff" || exit 0

rm -f "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_after"
rm -f "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_diff"
else
while read -r f; do
[ -L "/lib/firmware/intel-ucode/$f" ] || continue
rm -f "/lib/firmware/intel-ucode/$f"
done < "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_diff"

rmdir "/lib/firmware/intel-ucode" 2>/dev/null || :

# We presume that if we don't have update_ucode script, we can remove
# all the caveats-related files.
while read -r f; do
if [ -L "$f" ] || [ "${f%%readme-*}" != "$f" ]; then
rm -f "$f"
rmdir -p $(dirname "$f") 2>/dev/null || :
fi
done < "%{rpm_state_dir}/microcode_ctl_un_file_list"
fi

rm -f "%{rpm_state_dir}/microcode_ctl_un_intel-ucode"
rm -f "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_after"
rm -f "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_diff"

rm -f "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats"

rm -f "%{rpm_state_dir}/microcode_ctl_un_file_list"


exit 0

%triggerin -- kernel
%{update_ucode}

%triggerpostun -- kernel
%{update_ucode}


%clean
rm -rf %{buildroot}

%files -f ghost_list
%ghost %attr(0755, root, root) /lib/firmware/intel-ucode/
/usr/sbin/intel-microcode2ucode
%{microcode_ctl_libexec}
/usr/share/microcode_ctl
%{dracutlibdir}/modules.d/*
%config(noreplace) %{dracutlibdir}/dracut.conf.d/*
%{_unitdir}/microcode.service
%doc %{_pkgdocdir}
%{_mandir}/man8/*


%changelog
* Thu Nov 07 2019 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-53.3
- Intel CPU microcode update to 20191112, addresses CVE-2017-5715,
CVE-2019-0117, CVE-2019-11135, CVE-2019-11139 (#1764050, #1764070, #1764949,
#1764969, #1764997, #1765401, #1765413, #1766438, #1766870, #1769889):
- Addition of 06-a6-00/0x80 (CML-U 6+2 A0) microcode at revision 0xc6;
- Addition of 06-66-03/0x80 (CNL-U D0) microcode at revision 0x2a;
- Addition of 06-55-03/0x97 (SKL-SP B1) microcode at revision 0x1000150;
- Addition of 06-7e-05/0x80 (ICL-U/Y D1) microcode at revision 0x46;
- Update of 06-4e-03/0xc0 (SKL-U/Y D0) microcode from revision 0xcc to 0xd4;
- Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) microcode from revision 0xcc
to 0xd4
- Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode from revision 0xb4 to 0xc6;
- Update of 06-8e-09/0xc0 (KBL-U/Y H0) microcode from revision 0xb4 to 0xc6;
- Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) microcode from revision 0xb4
to 0xc6;
- Update of 06-8e-0b/0xd0 (WHL-U W0) microcode from revision 0xb8 to 0xc6;
- Update of 06-8e-0c/0x94 (AML-Y V0) microcode from revision 0xb8 to 0xc6;
- Update of 06-8e-0c/0x94 (CML-U 4+2 V0) microcode from revision 0xb8 to 0xc6;
- Update of 06-8e-0c/0x94 (WHL-U V0) microcode from revision 0xb8 to 0xc6;
- Update of 06-9e-09/0x2a (KBL-G/X H0) microcode from revision 0xb4 to 0xc6;
- Update of 06-9e-09/0x2a (KBL-H/S/Xeon E3 B0) microcode from revision 0xb4
to 0xc6;
- Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) microcode from revision 0xb4
to 0xc6;
- Update of 06-9e-0b/0x02 (CFL-S B0) microcode from revision 0xb4 to 0xc6;
- Update of 06-9e-0d/0x22 (CFL-H R0) microcode from revision 0xb8 to 0xc6.
- Rework dracut hook to address dracut's early initramfs generation
behaviour.

* Sun Oct 06 2019 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-53.2
- Do not update 06-2d-07 (SNB-E/EN/EP) to revision 0x718, use 0x714
by default.

* Thu Sep 19 2019 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-53.1
- Intel CPU microcode update to 20190918.
- Add new disclaimer, generated based on relevant caveats.
- Resolves: #1758572.

* Wed Jun 19 2019 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-53
- Intel CPU microcode update to 20190618.
- Resolves: #1717241.

* Sun Jun 02 2019 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-52
- Remove disclaimer, as it is not as important now to justify kmsg/log
pollution; its contents are partially adopted in README.caveats.

* Mon May 20 2019 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-51
- Intel CPU microcode update to 20190514a.
- Resolves: #1711941.

* Thu May 09 2019 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-50
- Intel CPU microcode update to 20190507_Public_DEMO.
- Resolves: #1697904.

* Mon Apr 15 2019 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-49
- Intel CPU microcode update to 20190312.
- Add "Provides:" tags generation.
- Resolves: #1697904.

* Thu Sep 20 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-48
- Fix %postun script (#1628629)

* Wed Sep 05 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-47
- Add 7.3.z kernel version to kernel_early configuration.

* Thu Aug 30 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-46
- Fix dracut module checks in Host-Only mode.

* Thu Aug 30 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-45
- Disable 06-4f-01 microcode in config (#1623630).

* Tue Aug 28 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-44
- Intel CPU microcode update to 20180807a.
- Add README.caveats documentation file.
- Add intel-microcode2ucode manual page.
- Add check for early microcode load, use it in microcode_ctl dracut module.
- Resolves: #1596627.

* Mon Aug 20 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-43
- Check that the currently running kernel is installed before
running dracut -f.

* Thu Aug 16 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-42
- Drop "hypervisor" /proc/cpuinfo flag check.

* Thu Aug 09 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-41
- Intel CPU microcode update to 20180807.
- Resolves: #1614422

* Mon Aug 06 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-40
- Add an ability to disable "hypervisor" /proc/cpuinfo flag check.

* Fri Jul 27 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-39
- Provide %attr for the ghosted /lib/firmware/intel-ucode.

* Thu Jul 26 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-38
- Remove model name blacklists from caveats configuration files.
- Resolves: #1596627

* Wed Jul 25 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-37
- Add model name blacklist infrastructure.
- Store Intel ucode files in /usr/share/microcode_ctl; do not populate them
in a virtualised environment.
- Resolves: #1596627

* Fri Jul 20 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-35
- Add intel-microcode2ucode back
- Resolves: #1574582

* Fri Jul 20 2018 Eugene Syromiatnikov <esyr@redhat.com> - 2:2.1-34
- Update to upstream 2.1-18. Intel CPU microcode update to 20180703.
- Add infrastructure for handling kernel-version-dependant microcode.
- Resolves: #1574582

* Wed Jun 13 2018 Petr Oros <poros@redhat.com> - 2.1-33
- CVE-2018-3639 hw: cpu: speculative store bypass
- Resolves: #1495071

* Mon Jun 11 2018 Petr Oros <poros@redhat.com> - 2.1-32
- Fix: Operation not permitted when installing microcode_ctl
- Resolves: #1584247

* Tue May 15 2018 Petr Oros <poros@redhat.com> - 2.1-31
- Update disclaimer text
- Resolves: #1574574

* Mon May 7 2018 Petr Oros <poros@redhat.com> - 2.1-30
- Intel CPU microcode update to 20180425.
- Resolves: #1574574

* Fri Jan 12 2018 Petr Oros <poros@redhat.com> - 2.1-29
- Revert Microcode from Intel for Side Channel attack
- Resolves: #1533939

* Fri Jan 12 2018 Petr Oros <poros@redhat.com> - 2.1-29
- Don't run dracut if not on a live system
- Resolves: #1530400

* Tue Jan 9 2018 Petr Oros <poros@redhat.com> - 2.1-28
- Remove old binary tool
- Resolves: #1527360

* Tue Jan 9 2018 Petr Oros <poros@redhat.com> - 2.1-27
- Update to upstream 2.1-15. Intel CPU microcode update to 20180108.
- Resolves: #1527360

* Fri Dec 15 2017 Petr Oros <poros@redhat.com> - 2.1-26
- Update Intel CPU microde for 06-3f-02, 06-4f-01, and 06-55-04
- Resolves: #1527360

* Wed Nov 22 2017 Petr Oros <poros@redhat.com> - 2.1-25
- Update to upstream 2.1-14. Intel CPU microcode update to 20171117.
- Resolves: #1457522

* Tue Oct 17 2017 Petr Oros <poros@redhat.com> - 2.1-24
- Fix upstream URL
- Resolves: #1502360

* Fri Jul 14 2017 Petr Oros <poros@redhat.com> - 2.1-23
- Update to upstream 2.1-13. Intel CPU microcode update to 20170707.
- Resolves: #1457522

* Wed May 24 2017 Petr Oros <poros@redhat.com> - 2.1-22
- Update to upstream 2.1-12. Intel CPU microcode update to 20170511.
- Resolves: #1384218

* Tue Mar 7 2017 Petr Oros <poros@redhat.com> - 2.1-21
- Rpm scriptlets should only rebuild the current kernel's initrd.
- Resolves: #1420180

* Wed Jan 18 2017 Petr Oros <poros@redhat.com> - 2.1-20
- Fix issue with hot microcode cpu reload.
- Resolves: #1411232

* Mon Jan 9 2017 Petr Oros <poros@redhat.com> - 2.1-19
- Fix broken quoting in ExecStart line.
- Resolves: #1411232

* Fri Dec 16 2016 Petr Oros <poros@redhat.com> - 2.1-18
- Fix issue with hot microcode cpu reload.
- Resolves: #1398698

* Wed Nov 30 2016 Petr Oros <poros@redhat.com> - 2.1-17
- Move dracut call into posttrans phase.
- Resolves: #1398698

* Thu Jul 21 2016 Petr Oros <poros@redhat.com> - 2.1-16
- Update to upstream 2.1-10. Intel CPU microcode update to 20160714.
- Resolves: #1358047

* Wed Jun 29 2016 Petr Oros <poros@redhat.com> - 2.1-15
- Load CPU microcode update only on supproted systems.
- Resolves: #1307179

* Fri Jun 24 2016 Petr Oros <poros@redhat.com> - 2.1-14
- Update to upstream 2.1-9. Intel CPU microcode update to 20160607.
- Resolves: #1253106

* Thu May 19 2016 Petr Oros <poros@redhat.com> - 2.1-13
- Run dracut -f for all kernels.
- Resolves: #1292158

* Fri Jul 3 2015 Petr Oros <poros@redhat.com> - 2.1-12
- Update to upstream 2.1-7. Intel CPU microcode update to 20150121.
- Resolves: #1174983

* Fri Oct 10 2014 Petr Oros <poros@redhat.com> - 2.1-11
- Run dracut -f after install microcode for update initramfs.
- Resolves: #1151192

* Tue Sep 30 2014 Petr Oros <poros@redhat.com> - 2.1-10
- Update to upstream 2.1-6. Intel CPU microcode update to 20140913.
- Resolves: #1142302

* Tue Jul 15 2014 Petr Oros <poros@redhat.com> - 2.1-9
- Update to upstream 2.1-5. Intel CPU microcode update to 20140624.
- Resolves: #1113396

* Tue Jun 3 2014 Petr Oros <poros@redhat.com> - 2.1-8
- Fix bogus time in changelog
- Resolves: #1085117

* Tue Jun 3 2014 Petr Oros <poros@redhat.com> - 2.1-8
- Update to upstream 2.1-4. Intel CPU microcode update to 20140430.
- Resolves: #1085117

* Wed Mar 12 2014 Anton Arapov <anton@redhat.com> - 2.1-7.1
- Fix the microcode's behaviour in virtual environment.

* Fri Feb 28 2014 Anton Arapov <anton@redhat.com> - 2.1-7
- Fix the microcode's dracut configuration file location.

* Tue Feb 18 2014 Anton Arapov <anton@redhat.com> - 2.1-6
- Enable early microcode capabilities. Systemd and Dracut support. (Jeff Bastian)

* Fri Jan 24 2014 Anton Arapov <anton@redhat.com> - 2.1-5
- Update to upstream 2.1-3. Intel CPU microcode update to 20140122.

* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2:2.1-4
- Mass rebuild 2013-12-27

* Mon Sep 09 2013 Anton Arapov <anton@redhat.com> 2.1-3
- Imported to RHEL tree

* Mon Sep 09 2013 Anton Arapov <anton@redhat.com> 2.1-2
- Update to upstream 2.1-2.

* Wed Aug 14 2013 Anton Arapov <anton@redhat.com> 2.1-1
- Update to upstream 2.1-1.

* Sat Jul 27 2013 Anton Arapov <anton@redhat.com> 2.1-0
- Update to upstream 2.1. AMD microcode has been removed, find it in linux-firmware.

* Wed Apr 03 2013 Anton Arapov <anton@redhat.com> 2.0-3.1
- Update to upstream 2.0-3

* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2:2.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Wed Oct 17 2012 Anton Arapov <anton@redhat.com> 2.0-2
- Update to upstream 2.0-2

* Tue Oct 02 2012 Anton Arapov <anton@redhat.com> 2.0-1
- Update to upstream 2.0-1

* Mon Aug 06 2012 Anton Arapov <anton@redhat.com> 2.0
- Update to upstream 2.0

* Wed Jul 25 2012 Anton Arapov <anton@redhat.com> 1.18-1
- Update to upstream 1.18

* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.17-26
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Thu Jun 07 2012 Anton Arapov <anton@redhat.com> 1.17-25
- Update to microcode-20120606.dat

* Tue Feb 07 2012 Anton Arapov <anton@redhat.com> 1.17-24
- Update to amd-ucode-2012-01-17.tar

* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.17-22
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Thu Dec 22 2011 Anton Arapov <anton@redhat.com> 1.17-21
- Fix a segfault that may be triggered by very long parameter [#768803]

* Tue Dec 13 2011 Anton Arapov <anton@redhat.com> 1.17-20
- Update to microcode-20111110.dat

* Tue Sep 27 2011 Anton Arapov <anton@redhat.com> 1.17-19
- Update to microcode-20110915.dat

* Thu Aug 04 2011 Anton Arapov <anton@redhat.com> 1.17-18
- Ship splitted microcode for Intel CPUs [#690930]
- Include tool for splitting microcode for Intl CPUs (Kay Sievers )

* Thu Jun 30 2011 Anton Arapov <anton@redhat.com> 1.17-17
- Fix udev rules (Dave Jones ) [#690930]

* Thu May 12 2011 Anton Arapov <anton@redhat.com> 1.17-14
- Update to microcode-20110428.dat

* Thu Mar 24 2011 Anton Arapov <anton@redhat.com> 1.17-13
- fix memory leak.

* Mon Mar 07 2011 Anton Arapov <anton@redhat.com> 1.17-12
- Update to amd-ucode-2011-01-11.tar

* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.17-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Wed Jan 19 2011 Anton Arapov <anton@redhat.com> 1.17-10
- manpage fix (John Bradshaw ) [#670879]

* Wed Jan 05 2011 Anton Arapov <anton@redhat.com> 1.17-9
- Update to microcode-20101123.dat

* Mon Nov 01 2010 Anton Arapov <anton@redhat.com> 1.17-8
- Update to microcode-20100914.dat

* Wed Sep 29 2010 jkeating - 1:1.17-7
- Rebuilt for gcc bug 634757

* Wed Sep 15 2010 Anton Arapov <anton@redhat.com> 1.17-6
- Update to microcode-20100826.dat

* Tue Sep 07 2010 Toshio Kuratomi <toshio@fedoraproject.org> 1.17-5
- Fix license tag: bz#450491

* Fri Aug 27 2010 Dave Jones <davej@redhat.com> 1.17-4
- Update to microcode-20100826.dat

* Tue Mar 23 2010 Anton Arapov <anton@redhat.com> 1.17-3
- Fix the udev rules (Harald Hoyer )

* Mon Mar 22 2010 Anton Arapov <anton@redhat.com> 1.17-2
- Make microcode_ctl event driven (Bill Nottingham ) [#479898]

* Thu Feb 11 2010 Dave Jones <davej@redhat.com> 1.17-1.58
- Update to microcode-20100209.dat

* Fri Dec 04 2009 Kyle McMartin <kyle@redhat.com> 1.17-1.57
- Fix duplicate message pointed out by Edward Sheldrake.

* Wed Dec 02 2009 Kyle McMartin <kyle@redhat.com> 1.17-1.56
- Add AMD x86/x86-64 microcode. (Dated: 2009-10-09)
Doesn't need microcode_ctl modifications as it's loaded by
request_firmware() like any other sensible driver.
- Eventually, this AMD firmware can probably live inside
kernel-firmware once it is split out.

* Wed Sep 30 2009 Dave Jones <davej@redhat.com>
- Update to microcode-20090927.dat

* Fri Sep 11 2009 Dave Jones <davej@redhat.com>
- Remove some unnecessary code from the init script.

* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.17-1.52.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Thu Jun 25 2009 Dave Jones <davej@redhat.com>
- Shorten sleep time during init.
This really needs to be replaced with proper udev hooks, but this is
a quick interim fix.

* Wed Jun 03 2009 Kyle McMartin <kyle@redhat.com> 1:1.17-1.50
- Change ExclusiveArch to i586 instead of i386. Resolves rhbz#497711.

* Wed May 13 2009 Dave Jones <davej@redhat.com>
- update to microcode 20090330

* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.17-1.46.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Fri Sep 12 2008 Dave Jones <davej@redhat.com>
- update to microcode 20080910

* Tue Apr 01 2008 Jarod Wilson <jwilson@redhat.com>
- Update to microcode 20080401

* Sat Mar 29 2008 Dave Jones <davej@redhat.com>
- Update to microcode 20080220
- Fix rpmlint warnings in specfile.

* Mon Mar 17 2008 Dave Jones <davej@redhat.com>
- specfile cleanups.

* Fri Feb 22 2008 Jarod Wilson <jwilson@redhat.com>
- Use /lib/firmware instead of /etc/firmware

* Wed Feb 13 2008 Jarod Wilson <jwilson@redhat.com>
- Fix permissions on microcode.dat

* Thu Feb 07 2008 Jarod Wilson <jwilson@redhat.com>
- Spec cleanup and macro standardization.
- Update license
- Update microcode data file to 20080131 revision.

* Mon Jul 2 2007 Dave Jones <davej@redhat.com>
- Update to upstream 1.17

* Thu Oct 12 2006 Jon Masters <jcm@redhat.com>
- BZ209455 fixes.

* Mon Jul 17 2006 Jesse Keating <jkeating@redhat.com>
- rebuild

* Fri Jun 16 2006 Bill Nottingham <notting@redhat.com>
- remove kudzu requirement
- add prereq for coreutils, awk, grep

* Thu Feb 09 2006 Dave Jones <davej@redhat.com>
- rebuild.

* Fri Jan 27 2006 Dave Jones <davej@redhat.com>
- Update to upstream 1.13

* Fri Dec 16 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt for new gcj

* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt

* Mon Nov 14 2005 Dave Jones <davej@redhat.com>
- initscript tweaks.

* Tue Sep 13 2005 Dave Jones <davej@redhat.com>
- Update to upstream 1.12

* Wed Aug 17 2005 Dave Jones <davej@redhat.com>
- Check for device node *after* loading the module. (#157672)

* Tue Mar 1 2005 Dave Jones <davej@redhat.com>
- Rebuild for gcc4

* Thu Feb 17 2005 Dave Jones <davej@redhat.com>
- s/Serial/Epoch/

* Tue Jan 25 2005 Dave Jones <davej@redhat.com>
- Drop the node creation/deletion change from previous release.
It'll cause grief with selinux, and was a hack to get around
a udev shortcoming that should be fixed properly.

* Fri Jan 21 2005 Dave Jones <davej@redhat.com>
- Create/remove the /dev/cpu/microcode dev node as needed.
- Use correct path again for the microcode.dat.
- Remove some no longer needed tests in the init script.

* Fri Jan 14 2005 Dave Jones <davej@redhat.com>
- Only enable microcode_ctl service if the CPU is capable.
- Prevent microcode_ctl getting restarted multiple times on initlevel change (#141581)
- Make restart/reload work properly
- Do nothing if not started by root.

* Wed Jan 12 2005 Dave Jones <davej@redhat.com>
- Adjust dev node location. (#144963)

* Tue Jan 11 2005 Dave Jones <davej@redhat.com>
- Load/Remove microcode module in initscript.

* Mon Jan 10 2005 Dave Jones <davej@redhat.com>
- Update to upstream 1.11 release.

* Sat Dec 18 2004 Dave Jones <davej@redhat.com>
- Initial packaging, based upon kernel-utils.