diff --git a/SOURCES/01-microcode.conf b/SOURCES/01-microcode.conf new file mode 100644 index 00000000..52511c08 --- /dev/null +++ b/SOURCES/01-microcode.conf @@ -0,0 +1 @@ +early_microcode="yes" diff --git a/SOURCES/06-2d-07 b/SOURCES/06-2d-07 new file mode 100644 index 00000000..0da2b9e3 Binary files /dev/null and b/SOURCES/06-2d-07 differ diff --git a/SOURCES/06-2d-07_config b/SOURCES/06-2d-07_config new file mode 100644 index 00000000..23e1d082 --- /dev/null +++ b/SOURCES/06-2d-07_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-2d-07 +path intel-ucode/06-2d-07 +disable early late diff --git a/SOURCES/06-2d-07_disclaimer b/SOURCES/06-2d-07_disclaimer new file mode 100644 index 00000000..b61889e5 --- /dev/null +++ b/SOURCES/06-2d-07_disclaimer @@ -0,0 +1,4 @@ +MDS-related microcode update for some Intel Sandy Bridge-E/EN/EP (family 6, +model 45, stepping 7; CPUID 0x206d7) CPUs is disabled as it may cause system +hangs. Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-4f-01_config b/SOURCES/06-4f-01_config new file mode 100644 index 00000000..f589fbf9 --- /dev/null +++ b/SOURCES/06-4f-01_config @@ -0,0 +1,21 @@ +model GenuineIntel 06-4f-01 +path intel-ucode/06-4f-01 +kernel 4.17.0 +kernel 3.10.0-894 +kernel 3.10.0-862.6.1 +kernel 3.10.0-693.35.1 +kernel 3.10.0-514.52.1 +kernel 3.10.0-327.70.1 +kernel 2.6.32-754.1.1 +kernel 2.6.32-573.58.1 +kernel 2.6.32-504.71.1 +kernel 2.6.32-431.90.1 +kernel 2.6.32-358.90.1 +kernel_early 4.10.0 +kernel_early 3.10.0-930 +kernel_early 3.10.0-862.14.1 +kernel_early 3.10.0-693.38.1 +kernel_early 3.10.0-514.57.1 +kernel_early 3.10.0-327.73.1 +mc_min_ver_late 0xb000019 +disable early late diff --git a/SOURCES/06-4f-01_disclaimer b/SOURCES/06-4f-01_disclaimer new file mode 100644 index 00000000..d5bc60df --- /dev/null +++ b/SOURCES/06-4f-01_disclaimer @@ -0,0 +1,4 @@ +microcode update for Intel Broadwell-EP/EX (BDX-ML B/M/R0; family 6, model 79, +stepping 1; CPUID 0x406f1) CPUs is disabled as it may cause system instability. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-4f-01_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/06-4f-01_readme b/SOURCES/06-4f-01_readme new file mode 100644 index 00000000..962c7a63 --- /dev/null +++ b/SOURCES/06-4f-01_readme @@ -0,0 +1,78 @@ +Intel Broadwell-EP/EX (BDX-ML B/M/R0, family 6, model 79, stepping 1) has issues +with microcode update that may lead to a system hang; while some changes +to the Linux kernel have been made in an attempt to address these issues, +they were not eliminated, so a possibility of unstable system behaviour +after a microcode update performed on a running system is still present even +on a kernels that contain aforementioned changes. As a result, microcode update +for this CPU model has been disabled by default. + +For the reference, kernel versions for the respective RHEL minor versions +that contain the aforementioned changes, are listed below: + * Upstream/RHEL 8: kernel-4.17.0 or newer; + * RHEL 7.6 onwards: kernel-3.10.0-894 or newer; + * RHEL 7.5.z: kernel-3.10.0-862.6.1 or newer; + * RHEL 7.4.z: kernel-3.10.0-693.35.1 or newer; + * RHEL 7.3.z: kernel-3.10.0-514.52.1 or newer; + * RHEL 7.2.z: kernel-3.10.0-327.70.1 or newer. + +Please contact you system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 + +The information regarding enforcing microcode load is provided below. + +For enforcing addition of this microcode to the firmware directory +for a specific kernel, where it is available for a late microcode update, +please create a file "force-late-intel-06-4f-01" inside +/lib/firmware/ directory and run +"/usr/libexec/microcode_ctl/update_ucode": + + touch /lib/firmware/3.10.0-862.9.1/force-late-intel-06-4f-01 + /usr/libexec/microcode_ctl/update_ucode + +After that, it is possible to perform a late microcode update by executing +"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to +"/sys/devices/system/cpu/microcode/reload" directly. + +For enforcing addition of this microcode to firmware directories for all +kernels, please create a file +"/etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01" +and run "/usr/libexec/microcode_ctl/update_ucode": + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01 + /usr/libexec/microcode_ctl/update_ucode + +For enforcing early load of this microcode for a specific kernel, please +create a file "force-early-intel-06-4f-01" inside +"/lib/firmware/" directory and run +"dracut -f --kver ": + + touch /lib/firmware/3.10.0-862.9.1/force-early-intel-06-4f-01 + dracut -f --kver 3.10.0-862.9.1 + +For enforcing early load of this microcode for all kernels, please +create a file "/etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01" +and run dracut -f --regenerate-all: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01 + dracut -f --regenerate-all + +If you want to avoid removal of the microcode file during cleanup performed by +/usr/libexec/microcode_ctl/update_ucode, please remove the corresponding readme +file (/lib/firmware//readme-intel-06-4f-01). + + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/99-microcode-override.conf b/SOURCES/99-microcode-override.conf new file mode 100644 index 00000000..c8988017 --- /dev/null +++ b/SOURCES/99-microcode-override.conf @@ -0,0 +1,7 @@ +## Uncomment the following line in order to disable +## microcode_ctl module that is used for $fw_dir variable overriding. +## +## Please refer to /usr/share/doc/microcode_ctl/README.caveats +## for additional information. +## +#omit_dracutmodules+=' microcode_ctl-fw_dir_override ' diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats new file mode 100644 index 00000000..97ae7bc8 --- /dev/null +++ b/SOURCES/README.caveats @@ -0,0 +1,471 @@ +The microcode_ctl package contains microcode files (vendor-provided binary data +and/or code in proprietary format that affects behaviour of a device) for Intel +CPUs that may be loaded into the CPU during boot. + +The microcode_ctl package contains provisions for some issues related +to microcode loading. While those provisions are expected to suit most users, +several knobs are available in order to provide ability to override the default +behaviour. + + +General behaviour +================= +In RHEL 7, there are currently two main handlers for CPU microcode update: + * Early microcode update. It uses GenuineIntel.bin or AuthenticAMD.bin file + placed at the beginning of an initramfs image + (/boot/initramfs-KERNEL_VERSION.img, where "KERNEL_VERSION" is a kernel + version in the same format as provided by "uname -r") as a source + of microcode data, and is performed very early during the boot process + (if the relevant microcode file is available in the aforementioned file). + * On-demand (late) microcode update. It can be triggered by writing "1" to + /sys/devices/system/cpu/microcode/reload file (provided my the "microcode" + module). It relies on request_firmware infrastructure, which searches (and + loads, if found) microcode from a file present in one of the following + directories (in the search order): + /lib/firmware/updates/KERNEL_VERSION/ + /lib/firmware/updates/ + /lib/firmware/KERNEL_VERSION/ + /lib/firmware/ + (there is also an additional directory that can be configured via the + "fw_path_para" module option of the "firmware_class" module; as this module + is built-in in RHEL kernel, a boot parameter "firmware_class.fw_path_para" + should be used for that purpose; this is out of the document's scope, however) + +The firmware for Intel CPUs is searched in "intel-ucode" subdirectory, and for +AMD CPUs, a file under "amd-ucode" is searched. + +For Intel CPUs, the name of the specific microcode file the kernel tries to load +has the format "FF-MM-SS", where "FF" is the family number, "MM" is the model +number, and "SS" is the stepping. All those numbers are zero-filled to two digits +and are written in hexadecimal (letters are in the lower case). For AMD CPUs, +the file name has the format "microcode_amd_famFFh.bin", where "FF" is the +family number, written in hexadecimal, letters are in the lower case, not +zero-filled. + +The early microcode is placed into initramfs image by the "dracut" script, which +scans the aforementioned subdirectories of the configured list of firmware +directories (by default, the list consists of two directories in RHEL 7, +"/lib/firmware/updates" and "/lib/firmware"). + +In RHEL 7, AMD CPU microcode is shipped as a part of the linux-firmware package, +and Intel microcode is shipped as a part of the microcode_ctl package. + +The microcode_ctl package currently includes the following: + * Intel CPU microcode files, placed in /usr/share/microcode_ctl/intel-ucode + directory (currently there are none); + * A dracut module, /usr/lib/dracut/modules.d/99microcode_ctl-fw_dir_override, + that controls which additional firmware directories will be added to dracut's + default configuration; + * A dracut configuration file, /usr/lib/dracut/dracut.conf.d/01-microcode.conf, + that enables inclusion of early microcode to the generated initramfs + in dracut; + * A dracut configuration file, + /usr/lib/dracut/dracut.conf.d/99-microcode-override.conf, that provides a way + to quickly disable 99microcode_ctl-fw_dir-override dracut module; + * A systemd service file, microcode.service, that triggers microcode reload + late during boot; + * A set of directories in /usr/share/microcode_ctl/ucode_with_caveats, each + of which contains configuration and related data for various caveats related + to microcode: + * readme - description of caveat and related information, + * config - caveat configuration file, with syntax as described in "Caveat + configuration" section below, + * intel-ucode - directory containing microcode files related to the caveat; + * A set of support scripts, placed in /usr/libexec/microcode_ctl: + * "check_caveats" is an utility script that performs checks of the target + kernel (and running CPU) in accordance with caveat configuration files + in ucode_with_caveats directory and reports whether it passes them or not, + * "reload_microcode" is a script that is called by microcode.service and + triggers microcode reloading (by writing "1" to + /sys/devices/system/cpu/microcode/reload) if the running kernel passes + check_caveats checks, + * "update_ucode" is a script that populates symlinks to microcode files + in /lib/firmware, so it can be picked up by relevant kernels for the late + microcode loading. + +Also, microcode_ctl RPM includes triggers that run update_ucode script on every +installation or removal of a kernel RPM in order to provide microcode files +for newly installed kernels and cleanup symlinks for the uninstalled ones. + + +Caveat configuration +-------------------- +There is a directory for each caveat under +/usr/share/microcode_ctl/ucode_with_caveats, containing the following files: + * "config", a configuration file for the caveat; + * "readme", that contains description of the caveat; + * set of related associated microcode files. + +"config" file is a set of lines each containing option name and its value, +separated by white space. Currently, the following options are supported: + * "model" option, which has format "VENDOR_ID FF-MM-SS", that specifies + to which CPU model the caveat is applicable (check_caveats ignores caveats + with non-matching models if "-m" option is passed to it). Can be set + in the configuration file only once (the last provided value is used). + * "vendor" option specifies CPUs of which vendor (as provided + in the /proc/cpuinfo file) the caveat is applicable to (check_caveats + ignores caveats with non-matching models when it is invoked with "-m" + option). Can be set in the configuration file only once. + * "path" is a glob pattern that specifies set of microcode files associated + with the caveat as a relative path to the caveat directory. This option + is used for populating files in /lib/firmware by update_ucode script and + for matching microcode file when dracut is run in host-only mode + (as in that case it uses only the first directory in firmware directory list + to look for the microcode file applicable to the host CPU). Can be set + in the configuration file multiple times. + * "kernel" is a minimal kernel version that supports proper handling + of the related microcode files during late microcode load. It may be + provided in one of the following formats that affect the way it is compared + to the running kernel version: + * A.B.C (where A, B, and C are decimal numbers), "upstream version". In this + case, simple version comparison against the respective part of the running + kernel version is used, and the running kernel version should be greater + or equal than the version provided in the configuration option in order + for comparison to succeed (that is, the first part, major version number, + of the running kernel version should be greater than the value provided + in the configuration option, or those should be equal and the second part, + minor version number, should be greater than the minor version number + of the kernel version provided in the configuration option, or the first + two parts should be equal and the third part, patch level, should + be greater or equal the patch level of the version in the configuration + option). + * A.B.C-Y (where A, B, C, and Y are decimal numbers), "Y-stream version". + In this case, A.B.C part should be equal, and Y part of the running kernel + version should be greater or equal than the Y part of the configuration + option version in order to satisfy the comparison requirement. + * A.B.C-Y.Z1.Z2 (where A, B, C, Y, Z1, and Z2 are decimal numbers), + "Z-stream version". In this case, A.B.C-Y part should be equal and Z1.Z2 + part of the running kernel should be greater or equal than the respective + part of the configuration option version (when compared as a version) + for comparison to succeed. + Kernel version check passed if at least one comparison of the running kernel + version against a kernel version provided in a configuration option + succeeded. The "kernel" configuration option can be provided + in the configuration file multiple times. + * "kernel_early" is a minimal kernel version that supports proper handling + of the related microcode during early microcode load. The format of the + option and its semantics is similar to the "kernel" configuration options. + This option can be provided multiple times as well. + * "mc_min_ver_late" is the minimal version of the currently loaded microcode + on the CPU (as reported in /proc/cpuinfo) that supports late microcode + update. Microcode update will be attempted only if the currently loaded + microcode version is greater or equal the microcode version provided + in the configuration option. Can be set in the configuration file only once. + * "disable" is a way to disable a specific caveat from inside its + configuration. Argument for the argument is a list of stages ("early", + "late") for which the caveat should be disable. The configuration option + can be provided multiple times in a configuration file. + * "blacklist" is a marker for a start of list of blacklisted model names, + one model name per line. The model name of the running CPU (as reported + in /proc/cpuinfo) is compared against the names in the provided list, and, + if there is a match, caveat check fails. + + +check_caveats script +-------------------- +"check_caveats" is an utility script (called by update_ucode, reload_microcode, +dracut module) that performs checks of the target kernel (and running CPU) +in accordance with caveat configuration files in directory +"/usr/share/microcode_ctl/ucode_with_caveats", and returns information, whether +the system passes the checks, or not. + +Usage: + check_caveats [-e] [-k TARGET_KVER] [-c CONFIG]* [-m] [-v]' + +Options: + -e - check for early microcode load possibility (instead of late microcode + load). "kernel_early" caveat configuration options are used for checking + instead of "kernel", and "mc_min_ver_late" is not checked. + -k - target kernel version to check against, $(uname -r) is used otherwise. + -c - caveat(s) to check, all caveat configurations found inside + $MC_CAVEATS_DATA_DIR are checked otherwise. + -m - ignore caveats that do not apply to the current CPU model. + -v - verbose output. + +Environment: + MC_CAVEATS_DATA_DIR - directory that contains caveats configurations, + "/usr/share/microcode_ctl/ucode_with_caveats" + by default. + FW_DIR - directory containing firmware files (per-kernel configuration + overrides are checked there), "/lib/firmware" by default. + CFG_DIR - directory containing global caveats overrides, + "/etc/microcode_ctl/ucode_with_caveats" by default. + +Output: + Script returns information about caveats check results. Output has a format + of "KEY VALUE1 VALUE2 ..." with KEY defining the semantics of the VALUEs. + Currently, the following data is issued: + - "cfgs" - list of caveats that have been processed (and not skipped + due to missing "config", "readme", or a disallow-* override described + below); + - "skip_cfgs" - list of caveats that have been skipped (due to missing + config/readme file, or because of overrides); + - "paths" - list of glob patterns matching files associated with caveats + that have been processed; + - "ok_cfgs" - list of caveat configurations that have all the checks passed + (or have enforced by one of force-* overrides described below); + - "ok_paths" - list of glob patterns associated with caveat files from + the "ok_cfgs" list; + - "fail_cfgs" - list of caveats that have one of the checks failed. + - "fail_paths" - list of glob patterns associated with caveats from the + "fail_cfgs" list. + +Return value: + - 0 in case caveats check has passed, 1 otherwise. + - In "-d" mode, 0 is always returned. + +Overrides: + +When check_caveats perform its checks, it also checks for presence of files +in specific places, and, if they exist, check_caveats skips a caveat or ignores +its checks; that mechanism allows overriding the information provided +in configuration on local systems and affect the behaviour of the microcode +update process. + +Current list of overrides (where $FW_DIR and $CFG_DIR are the environment +options described earlier; $kver - the currently processed kernel version, +$s is the requested stage ("early" or "late"), $cfg is the caveat directory +name): + $FW_DIR/$kver/disallow-$s-$cfg - skip a caveat for the requested stage for + a specific kernel version.. + $FW_DIR/$kver/force-$s-$cfg - apply a specific caveat file for a specific + kernel version for the requested stage without + performing any checks. + $FW_DIR/$kver/disallow-$cfg - skip a caveat for any stage for a specific + kernel version. + $FW_DIR/$kver/force-$cfg - apply a specific caveat for any stage + for a specific kernel version without checks. + $FW_DIR/$kver/disallow-$s - skip all caveats for a specific stage + for a specific kernel version. + $CFG_DIR/disallow-$s-$cfg - skip a caveat for a specific stage for all + kernel versions. + $FW_DIR/$kver/force-$s - apply all caveats for a specific stage + for a specific kernel version without checks. + $CFG_DIR/force-$s-$cfg - apply a specific caveat for a specific stage for + all kernel versions without checks. + $FW_DIR/$kver/disallow - skip all caveats for all stages for a specific + kernel version. + $CFG_DIR/disallow-$cfg - skip a caveat for all stages for all kernel + versions. + $FW_DIR/$kver/force - apply all caveats for all stages for a specific kernel + version without checks. + $CFG_DIR/force-$cfg - apply a caveat for all stages for all kernel versions + without checks. + $CFG_DIR/disallow-$s - skip all caveat for all kernel versions + for a specific stage. + $CFG_DIR/force-$s - apply all caveats for all kernel versions for specific + stage without checks. + $CFG_DIR/disallow - skip all caveats for all stages for all kernel versions + (disable everything). + $CFG_DIR/force - force all caveats for all stages for all kernel versions + (enable everything). + +The "apply" action above means creating symlinks in /lib/firmware by +update_ucode in case of the "late" stage and adding caveat directory to the list +of firmware directories by dracut plugin in case of the "early" stage. + +The files are checked for existence until the first match, so more specific +overrides can override more broad ones. + +Also, a caveat is ignored if it lacks either config or readme file. + + +update_ucode script +------------------- +"update_ucode" populates symlinks to microcode files in accordance with caveats +configuration. It enables late microcode loading that is invoked by triggering +/sys/devices/system/cpu/microcode/reload file. Since caveats depend +on the kernel version, symlinks are populated inside +"/lib/firmware/KERNEL_VERSION" directory for each installed kernel. +As a consequence, this script is triggered upon each kernel package installation +and removal. + +The script has two parts: common and kernel-version-specific. + +During the common part, files are populated from +/usr/share/microcode_ctl/intel-ucode in /lib/firmware/intel-ucode. There are +several possibilities to affect the process: + * Presence of "/etc/microcode_ctl/intel-ucode-disallow" file leads to skipping + the common part of the script. + * The same for "/lib/firmware/intel-ucode-disallow". + +During the kernel-version-specific part, each caveat is checked against every +kernel version, and those combinations, for which caveat check succeeds, +gets the symlinks to the associated microcode files populated. + * Absence of "/lib/firmware/KERNEL_VERSION/readme-CAVEAT" prevents update_ucode + from removing symlinks related to the caveat for specific kernel version. + * Since the check is being done by check_caveats, all the overrides that + described there also stay. + +Usage: + update_ucode [--action {add|remove|refresh|list}] [--kernel KERNELVER]* + [--verbose] [--dry-run] [--cleanup intel_ucode caveats_ucode] + [--skip-common] [--skip-kernel-specific] + +Options: + --action - action to perform. Currently, the following actions are supported: + * "add" - create new symlinks. + * "remove" - remove old symlinks that are no longer needed. + * "refresh" - re-populate symlinks. + * "list" - list files under control of update_ucode. + By default, "refresh" action is executed. + --kernel - kernel version to process. By default, list of kernel versions + is formed based on contents of /lib/firmware and /lib/modules + directories. + --verbose - verbose output. + --dry-run - do not call commands, just print the invocation lines. + --cleanup - cleanup mode. Used by post-uninstall script during package + upgrades. Removes excess files in accordance to the contents + of the files provided in the arguments to the option. + --skip-common - do not process /lib/firmware directory. + --skip-kernel-specific - do not process /lib/firmware/KERNEL_VERSION + directories. + +Return value: + 0 on success, 1 on error. + + +reload_microcode script +----------------------- +"reload_microcode" is a script that is called by microcode.service and +triggers late microcode reloading (by writing "1" to +/sys/devices/system/cpu/microcode/reload) if the following check are passed: + * the microcode update performed not in a virtualised environment; + * running kernel passes "check_caveats" checks that applicable to the current + CPU model. + +For a virtualised environment check, the script searches the "/proc/cpuinfo" +file for presence of the "hypervisor" flag among CPU features (it corresponds +to a CPUID feature bit set by hypervisors in order to inform that the kernel +operates inside a virtual machine). This check can be overridden and skipped +by creation of a file "/etc/microcode_ctl/ignore-hypervisor-flag". + +The script has no options and always returns 0. + +In addition to overrides that affect check_caveats, the presence of the +"/etc/microcode_ctl/ignore-hypervisor-flag" flag provides an ability +to skip "hypervisor" flag check. + + +99microcode_ctl-fw_dir_override dracut module +--------------------------------------------- +This dracut module injects directories with microcode files for caveats +that pass "early" check_caveats check (with "-e" flag). In addition +to "check_caveats" overrides, the following abilities to control module's +behaviour are present: + * Presence of one of the following files: + - /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check + - /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check-$cfg + - /lib/firmware/$kver/skip-host-only-check + - /lib/firmware/$kver/skip-host-only-check-$cfg + (where "$kver" is the kernel version in question and "$cfg" is the caveat + directory name) allows skipping matching of microcode file name when dracut's + Host-Only mode is enabled. + +When caveats_check succeeds, caveats directory (not its possibly populated +version for late microcode update: "/lib/firmware/KERNEL_VERSION"; +it is done so in order +to have ability to configure list of caveats enabled for early and late +microcode update, independently) is added to dracut's list of firmware search +directories. + +The module can be disabled by running dracut with +"-o microcode_ctl-fw_dir_override" (for one-time exclusion), or it can +be disabled permanently by uncommenting string +"omit_dracutmodules+=' microcode_ctl-fw_dir_override '" in +/usr/lib/dracut/dracut.conf.d/99-microcode-override.conf configuration file. + +See dracut(8), section "Omitting dracut Modules", and dracut.conf(5), variable +"omit_dracutmodules" for additional information. + + +Caveats +======= + +Intel Broadwell-EP/EX ("BDX-ML B/M/R0") caveat +---------------------------------------------- +Microcode update process on Intel Broadwell-EP/EX CPUs (BDX-ML B/M/R0, +family 6, model 79, stepping 1) has issues that lead to system instability. +A series of changes for the Linux kernel has been developed in order to work +around those issues; however, as it turned out, some systems have issues even +when a microcode update performed on a kernel that contains those changes. +As a result, microcode update for this CPU model is disabled by default; +the microcode file, however, is still shipped as a part of microcode_ctl +package and can be used for performing a microcode update if it is enforced +via the aforementioned overriddes. (See sections "check_caveats script" +and "reload_microcode script" for details.) + +Affected microcode: intel-ucode/06-4f-01. + +Mitigation: microcode loading is disabled for the affected CPU model. + +Minimum versions of the kernel package that contain the aforementioned patch +series: + - Upstream/RHEL 8: 4.17.0 + - RHEL 7.6 onwards: 3.10.0-894 + - RHEL 7.5: 3.10.0-862.6.1 + - RHEL 7.4: 3.10.0-693.35.1 + - RHEL 7.3: 3.10.0-514.52.1 + - RHEL 7.2: 3.10.0-327.70.1 + - RHEL 6.10: 2.6.32-754.1.1 + - RHEL 6.7: 2.6.32-573.58.1 + - RHEL 6.6: 2.6.32-504.71.1 + - RHEL 6.5: 2.6.32-431.90.1 + - RHEL 6.4: 2.6.32-358.90.1 + + +Early microcode load inside a virtual machine +--------------------------------------------- +RHEL 7 kernel supports performing microcode update during early boot stage +from a cpio archive placed at the beginning of the initramfs image. However, +when an early microcode update is attempted inside some virtualised +environments, that may result in unexpected system behaviour. + +Affected microcode: all. + +Mitigation: early microcode loading is disabled for all CPU models. + +Minimum versions of the kernel package that contain the fix: + - Upstream/RHEL 8: 4.10.0 + - RHEL 7.6 onwards: 3.10.0-930 + - RHEL 7.5: 3.10.0-862.14.1 + - RHEL 7.4: 3.10.0-693.38.1 + - RHEL 7.3: 3.10.0-514.57.1 + - RHEL 7.2: 3.10.0-327.73.1 + + +Intel Sandy Bridge-E/EN/EP caveat +--------------------------------- +MDS-related microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP +(SNB-EP, family 6, model 45, stepping 7) may lead to system instability. +In order to address this, this microcode update is not used and the previous +microcode revision is provided instead by default; the microcode file, however, +is still shipped as part of microcode_ctl package and can be used for performing +a microcode update if it is enforced via the aforementioned overriddes. (See +sections "check_caveats script" and "reload_microcode script" for details.) + +Affected microcode: intel-ucode/06-2d-07. + +Mitigation: previously published microcode revision 0x714 is used by default. + + + +Additional information +====================== +Red Hat provides updated microcode, developed by its microprocessor partners, +as a customer convenience. Please contact your hardware vendor to determine +whether more recent BIOS/firmware updates are recommended because additional +improvements may be available. + +Information regarding microcode revisions required for mitigating specific +microarchitectural side-channel attacks is available in the following +knowledge base articles: + * CVE-2017-5715 ("Spectre"): + https://access.redhat.com/articles/3436091 + * CVE-2018-3639 ("Speculative Store Bypass"): + https://access.redhat.com/articles/3540901 + * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): + https://access.redhat.com/articles/3562741 + * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 + ("Microarchitectural Data Sampling"): + https://access.redhat.com/articles/4138151 diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats new file mode 100755 index 00000000..462d5412 --- /dev/null +++ b/SOURCES/check_caveats @@ -0,0 +1,495 @@ +#! /bin/bash -eu + +# Script for checking various microcode caveats +# +# +# SPDX-License-Identifier: CC0-1.0 + +: ${MC_CAVEATS_DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats} +: ${FW_DIR=/lib/firmware} +: ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats} + +usage() { + echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]' + echo ' [-m] [-v]' + echo + echo ' -d - enables disclaimer printing mode' + echo ' -e - check for early microcode load possibility (instead of' + echo ' late microcode load)' + echo ' -k - target version to check against, $(uname -r) is used' + echo ' otherwise' + echo ' -c - caveat config(s) to check, all configs are checked' + echo ' otherwise' + echo ' -m - check that caveats actually apply to the current model' + echo ' -v - verbose output' + echo + echo 'Environment:' + echo ' MC_CAVEATS_DATA_DIR - directory that contains caveats' + echo ' configuration data' +} + +debug() { [ 0 = "$verbose" ] || echo "$*" >&2; } + +# A simplified RPM version comparison that takes into account knowledge about +# Y- and Z-streams (so it compares versions inside Y-stram or Z-stream if +# the version against which comparison is performed has appropriate versioning +# scheme). +# +# $1 - kernel version to check +# $* - list of kernel versions to check against +check_kver() +{ + local t_major= t_minor= t_patch= t_y= t_z1= t_z2= t_rest= + local m_major= m_minor= m_patch= m_y= m_z1= m_z2= m_rest= + local cmp_type= + + # IFS=.- read -r t_major t_minor t_patch t_y t_z1 t_z2 t_rest <<<"$1" + # "cannot create temp file for here-document: Read-only file system" + # that's why we can't have nice things. + t_major=${1%%.*} + t_rest=${1#${t_major}} + t_rest=${t_rest#.} + t_minor=${t_rest%%.*} + t_rest=${t_rest#${t_minor}} + t_rest=${t_rest#.} + t_patch=${t_rest%%-*} + t_rest=${t_rest#${t_patch}} + t_rest=${t_rest#-} + t_y=${t_rest%%.*} + t_rest=${t_rest#${t_y}} + t_rest=${t_rest#.} + t_z1=${t_rest%%.*} + t_rest=${t_rest#${t_z1}} + t_rest=${t_rest#.} + t_z2=${t_rest%%.*} + + # minor/major/patch/y should be numeric + [ -n "${t_major##*[!0-9]*}" ] || return 1 + [ -n "${t_minor##*[!0-9]*}" ] || return 1 + [ -n "${t_patch##*[!0-9]*}" ] || return 1 + [ -n "${t_y##*[!0-9]*}" ] || return 1 + # reset z1/z2 to zero if non-numeric + [ -n "${t_z1##*[!0-9]*}" ] || t_z1=0 + [ -n "${t_z2##*[!0-9]*}" ] || t_z2=0 + + while [ 1 -lt "$#" ]; do + cmp_type=upstream + + shift + m_major=${1%%.*} + m_rest=${1#${m_major}} + m_rest=${m_rest#.} + m_minor=${m_rest%%.*} + m_rest=${m_rest#${m_minor}} + m_rest=${m_rest#.} + m_patch=${m_rest%%-*} + m_rest=${m_rest#${m_patch}} + m_rest=${m_rest#-} + m_y=${m_rest%%.*} + m_rest=${m_rest#${m_y}} + m_rest=${m_rest#.} + m_z1=${m_rest%%.*} + m_rest=${m_rest#${m_z1}} + m_rest=${m_rest#.} + m_z2=${m_rest%%.*} + + # minor/major/patch should be numeric + [ -n "${m_major##*[!0-9]*}" ] || continue + [ -n "${m_minor##*[!0-9]*}" ] || continue + [ -n "${m_patch##*[!0-9]*}" ] || continue + # reset z1/z2 to zero if non-numeric + [ -n "${m_y##*[!0-9]*}" ] && cmp_type=y || m_y=0 + [ -n "${m_z1##*[!0-9]*}" ] && cmp_type=z || m_z1=0 + [ -n "${m_z2##*[!0-9]*}" ] && cmp_type=z || m_z2=0 + + # Comparing versions + case "$cmp_type" in + upstream) + [ "$t_major" -ge "$m_major" ] || continue + [ "$t_minor" -ge "$m_minor" ] || continue + [ "$t_patch" -ge "$m_patch" ] || continue + return 0 + ;; + y) + [ "$t_major" -eq "$m_major" ] || continue + [ "$t_minor" -eq "$m_minor" ] || continue + [ "$t_patch" -eq "$m_patch" ] || continue + [ "$t_y" -ge "$m_y" ] || continue + return 0 + ;; + z) + [ "$t_major" -eq "$m_major" ] || continue + [ "$t_minor" -eq "$m_minor" ] || continue + [ "$t_patch" -eq "$m_patch" ] || continue + [ "$t_y" -eq "$m_y" ] || continue + [ "$t_z1" -ge "$m_z1" ] || continue + [ "$t_z2" -ge "$m_z2" ] || continue + return 0 + ;; + esac + done + + return 1 +} + +# Provides model in format "VENDOR_ID FAMILY-MODEL-STEPPING" +# +# We check only the first processor as we don't expect non-symmetrical setups +# with CPUs with caveats +get_model_string() +{ + /usr/bin/printf "%s %02x-%02x-%02x" \ + $(/bin/sed -rn '1,/^$/{ + s/^vendor_id[[:space:]]*: (.*)$/\1/p; + s/^cpu family[[:space:]]*: (.*)$/\1/p; + s/^model[[:space:]]*: (.*)$/\1/p; + s/^stepping[[:space:]]*: (.*)$/\1/p; + }' /proc/cpuinfo) +} + +get_model_name() +{ + /bin/sed -rn '1,/^$/s/^model name[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo +} + +get_vendor_id() +{ + /bin/sed -rn '1,/^$/s/^vendor_id[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo +} + +get_mc_path() +{ + case "$1" in + GenuineIntel) + echo "intel-ucode/$2" + ;; + AuthenticAMD) + echo "amd-ucode/$2" + ;; + esac +} + +get_mc_ver() +{ + /bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo +} + +fail() +{ + ret=1 + + fail_cfgs="$fail_cfgs $cfg" + fail_paths="$fail_paths $cfg_path" + + [ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \ + || cat "${dir}/disclaimer" +} + +#check_kver "$@" +#get_model_name + +match_model=0 +configs= +kver=$(/bin/uname -r) +verbose=0 +early_check=0 +print_disclaimers=0 + +ret=0 + +while getopts "dek:c:mv" opt; do + case "${opt}" in + d) + print_disclaimers=1 + early_check=2 + ;; + e) + early_check=1 + ;; + k) + kver="$OPTARG" + ;; + c) + configs="$configs $OPTARG" + ;; + m) + match_model=1 + ;; + v) + verbose=1 + ;; + *) + usage + exit 1; + ;; + esac +done + +: ${configs:=$(find "${MC_CAVEATS_DATA_DIR}" -maxdepth 1 -mindepth 1 -type d -printf "%f\n")} + +cpu_model=$(get_model_string) +cpu_model_name=$(get_model_name) +cpu_vendor=$(get_vendor_id) + +ret_paths="" +ok_paths="" +fail_paths="" + +ret_cfgs="" +ok_cfgs="" +fail_cfgs="" + +skip_cfgs="" + +if [ 1 -eq "$early_check" ]; then + stage="early" +else + stage="late" +fi + + +for cfg in $(echo "${configs}"); do + dir="$MC_CAVEATS_DATA_DIR/$cfg" + + # We add cfg to the skip list first and then, if we do not skip it, + # we remove the configuration from the list. + skip_cfgs="$skip_cfgs $cfg" + + [ -r "${dir}/readme" ] || { + debug "File 'readme' in ${dir} is not found, skipping" + continue + } + + [ -r "${dir}/config" ] || { + debug "File 'config' in ${dir} is not found, skipping" + continue + } + + cfg_model= + cfg_vendor= + cfg_path= + cfg_kvers= + cfg_kvers_early= + cfg_blacklist= + cfg_mc_min_ver_late= + cfg_disable= + + while read -r key value; do + case "$key" in + model) + cfg_model="$value" + ;; + vendor) + cfg_vendor="$value" + ;; + path) + cfg_path="$cfg_path $value" + ;; + kernel) + cfg_kvers="$cfg_kvers $value" + ;; + kernel_early) + cfg_kvers_early="$cfg_kvers_early $value" + ;; + mc_min_ver_late) + cfg_mc_min_ver_late="$value" + ;; + disable) + cfg_disable="$cfg_disable $value " + ;; + blacklist) + cfg_blacklist=1 + break + ;; + esac + done < "${dir}/config" + + [ -z "${cfg_blacklist}" ] || \ + cfg_blacklist=$(/bin/sed -n '/^blacklist$/,$p' "${dir}/config" | + /usr/bin/tail -n +2) + + debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'" + debug "${cfg}: blacklist '$cfg_blacklist'" + + # Check for override files in the following order: + # - disallow early/late specific caveat for specific kernel + # - force early/late specific caveat for specific kernel + # - disallow specific caveat for specific kernel + # - force specific caveat for specific kernel + # + # - disallow early/late specific caveat for any kernel + # - disallow early/late any caveat for specific kernel + # - force early/late specific caveat for any kernel + # - force early/late any caveat for specific kernel + # - disallow specific caveat for any kernel + # - disallow any caveat for specific kernel + # - force specific caveat for any kernel + # - force any caveat for specific kernel + # + # - disallow early/late everything + # - force early/late everyhting + # - disallow everything + # - force everyhting + ignore_cfg=0 + force_cfg=0 + override_file="" + overrides=" + 0:$FW_DIR/$kver/disallow-$stage-$cfg + 1:$FW_DIR/$kver/force-$stage-$cfg + 0:$FW_DIR/$kver/disallow-$cfg + 1:$FW_DIR/$kver/force-$cfg + 0:$FW_DIR/$kver/disallow-$stage + 0:$CFG_DIR/disallow-$stage-$cfg + 1:$FW_DIR/$kver/force-$stage + 1:$CFG_DIR/force-$stage-$cfg + 0:$FW_DIR/$kver/disallow + 0:$CFG_DIR/disallow-$cfg + 1:$FW_DIR/$kver/force + 1:$CFG_DIR/force-$cfg + 0:$CFG_DIR/disallow-$stage + 1:$CFG_DIR/force-$stage + 0:$CFG_DIR/disallow + 1:$CFG_DIR/force" + for o in $(echo "$overrides"); do + o_force=${o%%:*} + override_file=${o#$o_force:} + + [ -e "$override_file" ] || continue + + if [ 0 -eq "$o_force" ]; then + ignore_cfg=1 + else + force_cfg=1 + fi + + break + done + + [ 0 -eq "$ignore_cfg" ] || { + debug "Configuration \"$cfg\" is ignored due to presence of" \ + "\"$override_file\"." + continue + } + + # Check model if model filter is enabled + if [ 1 -eq "$match_model" -a -n "$cfg_model" ]; then + [ "x$cpu_model" = "x$cfg_model" ] || { + debug "Current CPU model '$cpu_model' doesn't" \ + "match configuration CPU model '$cfg_model'," \ + "skipping" + continue + } + fi + + # Check paths if model filter is enabled + if [ 1 -eq "$match_model" -a -n "$cfg_path" ]; then + cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \ + "$cpu_vendor" "${cpu_model#* }")" + cfg_mc_present=0 + + for p in $(printf "%s" "$cfg_path"); do + find "$MC_CAVEATS_DATA_DIR/$cfg" \ + -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \ + | grep -zFxq "$cpu_mc_path" \ + || continue + + cfg_mc_present=1 + done + + [ 1 = "$cfg_mc_present" ] || { + debug "No matching microcode files in '$cfg_path'" \ + "for CPU model '$cpu_model', skipping" + continue + } + fi + + # Check vendor if model filter is enabled + if [ 1 -eq "$match_model" -a -n "$cfg_vendor" ]; then + [ "x$cpu_vendor" = "x$cfg_vendor" ] || { + debug "Current CPU vendor '$cpu_vendor' doesn't" \ + "match configuration CPU vendor '$cfg_vendor'," \ + "skipping" + continue + } + fi + + # Check configuration files + + ret_cfgs="$ret_cfgs $cfg" + ret_paths="$ret_paths $cfg_path" + skip_cfgs="${skip_cfgs% $cfg}" + + [ 0 -eq "$force_cfg" ] || { + debug "Checks for configuration \"$cfg\" are ignored due to" \ + "presence of \"$override_file\"." + + ok_cfgs="$ok_cfgs $cfg" + ok_paths="$ok_paths $cfg_path" + + continue + } + + [ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || { + debug "${cfg}: caveat is disabled in configuration" + fail + continue + } + + # Check late load kernel version + if [ 1 -ne "$early_check" -a -n "$cfg_kvers" ]; then + check_kver "$kver" $cfg_kvers || { + debug "${cfg}: late load kernel version check for" \ + " '$kver' against '$cfg_kvers' failed" + fail + continue + } + fi + + # Check early load kernel version + if [ 0 -ne "$early_check" -a -n "$cfg_kvers_early" ]; then + check_kver "$kver" $cfg_kvers_early || { + debug "${cfg}: early load kernel version check for" \ + "'$kver' against '$cfg_kvers_early' failed" + fail + continue + } + fi + + # Check model blacklist + if [ -n "$cfg_blacklist" ]; then + echo "$cfg_blacklist" | /bin/grep -vqFx "${cpu_model_name}" || { + debug "${cfg}: model '${cpu_model_name}' is blacklisted" + fail + continue + } + fi + + # Check current microcode version for the late update + if [ -n "$cfg_mc_min_ver_late" -a 1 -ne "$early_check" -a \ + "x$cpu_model" = "x$cfg_model" ]; then + cpu_mc_ver="$(get_mc_ver)" + + [ 1 -eq $((cpu_mc_ver >= cfg_mc_min_ver_late)) ] || { + debug "${cfg}: CPU microcode version $cpu_mc_ver" \ + "failed check (should be at least" \ + "${cfg_mc_min_ver_late})" + fail + continue + } + fi + + ok_cfgs="$ok_cfgs $cfg" + ok_paths="$ok_paths $cfg_path" +done + +[ 0 -eq "$print_disclaimers" ] || exit 0 + +echo "cfgs$ret_cfgs" +echo "skip_cfgs$skip_cfgs" +echo "paths$ret_paths" +echo "ok_cfgs$ok_cfgs" +echo "ok_paths$ok_paths" +echo "fail_cfgs$fail_cfgs" +echo "fail_paths$fail_paths" + +exit $ret diff --git a/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh b/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh new file mode 100755 index 00000000..8dc327a8 --- /dev/null +++ b/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh @@ -0,0 +1,177 @@ +#!/bin/bash + +# Hack in additional firmware directories for supported caveats. +# +# SPDX-License-Identifier: CC0-1.0 + +check() { + return 0 +} + +install() { + local FW_DIR=/lib/firmware + local DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats + local CFG_DIR="/etc/microcode_ctl/ucode_with_caveats" + local check_caveats=/usr/libexec/microcode_ctl/check_caveats + + local verbose_opt + local cc_out + local path + local ignored + local do_skip_host_only + local p + + verbose_opt= + [ 4 -gt "$stdloglvl" ] || verbose_opt="-v" + + # HACK: we override external fw_dir variable in order to get + # an additional ucode based on the kernel version. + dinfo " microcode_ctl module: mangling fw_dir" + + [ -z "$fw_dir_l" ] || { + dinfo " microcode_ctl: avoid touching fw_dir as" \ + "it has been changed (fw_dir_l is '$fw_dir_l')" + + return 0 + } + + # Reset fw_dir to avoid inclusion of kernel-version-specific directories + # populated with microcode for the late load + [ "x$fw_dir" != \ + "x/lib/firmware/updates /lib/firmware /lib/firmware/$kernel" ] || { + fw_dir="/lib/firmware/updates /lib/firmware" + dinfo " microcode_ctl: reset fw_dir to \"${fw_dir}\"" + } + + fw_dir_add="" + while read -d $'\n' -r i; do + dinfo " microcode_ctl: processing data directory " \ + "\"$DATA_DIR/$i\"..." + + if ! cc_out=$($check_caveats -e -k "$kernel" -c "$i" $verbose_opt) + then + dinfo " microcode_ctl: kernel version \"$kernel\"" \ + "failed early load check for \"$i\", skipping" + continue + fi + + path=$(printf "%s" "$cc_out" | sed -n 's/^paths //p') + [ -n "$path" ] || { + ignored=$(printf "%s" "$cc_out" | \ + sed -n 's/^skip_cfgs //p') + + if [ -n "$ignored" ]; then + dinfo " microcode_ctl: configuration" \ + "\"$i\" is ignored" + else + dinfo " microcode_ctl: no microcode paths" \ + "are associated with \"$i\", skipping" + fi + + continue + } + + if [ "x" != "x$hostonly" ]; then + do_skip_host_only=0 + + local sho_overrides=" + $CFG_DIR/skip-host-only-check + $CFG_DIR/skip-host-only-check-$i + $FW_DIR/$kernel/skip-host-only-check + $FW_DIR/$kernel/skip-host-only-check-$i" + + for p in $(echo "$sho_overrides"); do + [ -e "$p" ] || continue + + do_skip_host_only=1 + dinfo " microcode_ctl: $i; skipping" \ + "Host-Only check, since \"$p\" exists." + break + done + else + do_skip_host_only=1 + fi + + if [ 0 -eq "$do_skip_host_only" ]; then + local hostonly_passed=0 + local ucode + local uvendor + local ucode_dir="" + + ucode=$(get_ucode_file) + uvendor=$(get_cpu_vendor) + + case "$uvendor" in + Intel) + ucode_dir="intel-ucode" + ;; + AMD) + ucode_dir="amd-ucode" + ;; + *) + dinfo " microcode_ctl: unknown CPU" \ + "vendor: \"$uvendor\", bailing out of" \ + "Host-Only check" + continue + ;; + esac + + # $path is a list of globs, so it needs special care + for p in $(printf "%s" "$path"); do + find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \ + -print0 \ + | grep -zFxq \ + "$DATA_DIR/$i/$ucode_dir/$ucode" \ + || continue + + dinfo " microcode_ctl: $i: Host-Only" \ + "mode is enabled and" \ + "\"$ucode_dir/$ucode\" matches \"$p\"" + + hostonly_passed=1 + break + done + + [ 1 -eq "$hostonly_passed" ] || { + dinfo " microcode_ctl: $i: Host-Only mode" \ + "is enabled and ucode name does not" \ + "match the expected one, skipping" \ + "caveat (\"$ucode\" not in \"$path\")" + continue + } + fi + + dinfo " microcode_ctl: $i: caveats check for kernel" \ + "version \"$kernel\" passed, adding" \ + "\"$DATA_DIR/$i\" to fw_dir variable" + + if [ 0 -eq "$do_skip_host_only" ]; then + fw_dir_add="$DATA_DIR/$i " + else + fw_dir_add="$DATA_DIR/$i $fw_dir_add" + fi + # The list of directories is reverse-sorted in order to preserve the + # "last wins" policy in case of presence of multiple microcode + # revisions. + # + # In case of hostonly == 0, all microcode revisions will be included, + # but since the microcode search is done with the "first wins" policy + # by the (early) microcode loading code, the correct microcode revision + # still has to be picked. + # + # Note that dracut without patch [1] puts only the last directory + # in the early cpio; we try to address this by putting only the last + # matching caveat in the search path, but that workaround works only + # for host-only mode; non-host-only mode early cpio generation is still + # broken without that patch. + # + # [1] https://github.com/dracutdevs/dracut/commit/c44d2252bb4b + done <<-EOF + $(find "$DATA_DIR" -maxdepth 1 -mindepth 1 -type d -printf "%f\n" \ + | LC_ALL=C sort) + EOF + + fw_dir="${fw_dir_add}${fw_dir}" + dinfo " microcode_ctl: final fw_dir: \"${fw_dir}\"" +} + diff --git a/SOURCES/gen_provides.sh b/SOURCES/gen_provides.sh new file mode 100755 index 00000000..0ecf7aac --- /dev/null +++ b/SOURCES/gen_provides.sh @@ -0,0 +1,114 @@ +#! /bin/bash -efux + +# Generator of RPM "Provides:" tags for Intel microcode files. +# +# SPDX-License-Identifier: CC0-1.0 + +IFS=$'\n' +UPDATED="intel-beta" +CODENAMES="codenames" + +if [ "$#" -ge 1 ]; then + CODENAMES="$1" + shift +fi + +# Match only FF-MM-SS ucode files under intel-ucode/intel-ucode-with-caveats +# directories. +for f in $(grep -E '/intel-ucode.*/[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]$'); do + ucode=$(basename "$f") + ucode_caveat="$(basename "$(dirname "$(dirname "$f")")")" + ucode_fname="$ucode_caveat/$ucode" + file_sz="$(stat -c "%s" "$f")" + skip=0 + + while :; do + [ "$skip" -lt "$file_sz" ] || break + + # Microcode header format description: + # https://gitlab.com/iucode-tool/iucode-tool/blob/master/intel_microcode.c + IFS=' ' read hdrver rev \ + date_y date_d date_m \ + cpuid cksum ldrver \ + pf_mask datasz totalsz <<- EOF + $(dd if="$f" bs=1 skip="$skip" count=36 status=none \ + | hexdump -e '"" 1/4 "%u " 1/4 "%#x " \ + 1/2 "%04x " 1/1 "%02x " 1/1 "%02x " \ + 1/4 "%08x " 1/4 "%x " 1/4 "%#x " \ + 1/4 "%u " 1/4 "%u " 1/4 "%u" "\n"') + EOF + + [ 0 != "$datasz" ] || datasz=2000 + [ 0 != "$totalsz" ] || totalsz=2048 + + # TODO: add some sanity/safety checks here. As of now, there's + # a (pretty fragile) assumption that all the matched files + # are valid Intel microcode files in the expected format. + + skip=$((skip + totalsz)) + + #[ -n "$rev" ] || continue + + # Basic "Provides:" tag. Everything else is bells and whistles. + # It's possible that microcode files for different platform_id's + # and the same CPUID have the same version, that's why "sort -u" + # in the end. + printf "firmware(intel-ucode/%s) = %s\n" "$ucode" "$rev" + + # Generate extended "Provides:" tags with additional + # information, which allow more precise matching. + printf "iucode_date(fname:%s;cpuid:%s;pf_mask:0x%x) = %s.%s.%s\n" \ + "$ucode_fname" "$cpuid" "$pf_mask" "$date_y" "$date_m" "$date_d" + printf "iucode_rev(fname:%s;cpuid:%s;pf_mask:0x%x) = %s\n" \ + "$ucode_fname" "$cpuid" "$pf_mask" "$rev" + + # Generate tags for each possible platform_id + _pf=1 + _pf_mask="$pf_mask" + while [ 0 -lt "$_pf_mask" ]; do + [ 1 -ne "$((_pf_mask % 2))" ] || \ + # We try to provide a more specific firmware() + # dependency here. It has incorrect file name, + # but allows constructing a required RPM + # capability name by (directly) using + # the contents of /proc/cpuinfo and + # /sys/devices/system/cpu/cpu*/microcode/processor_flags + # (except for a Deschutes CPU with sig 0x1632) + printf "iucode_rev(fname:%s;platform_id:0x%x) = %s\n" \ + "$ucode_fname" "$_pf" "$rev" + + _pf_mask=$((_pf_mask / 2)) + _pf=$((_pf * 2)) + done + + # Generate tags with codename information, in case + # it is available + cpuid_up="$(echo "$cpuid" | tr 'a-z' 'A-Z')" + if [ -e "$CODENAMES" ]; then + grep ' '"$cpuid_up"' ' "$CODENAMES" \ + | while IFS=$'\t' read segm int_fname codename stepping candidate_pf rest; do + codename=$(echo "$codename" | tr ' (),' '_[];') + candidate_pf=$(printf "%u" "0x${candidate_pf}") + [ \( 0 -ne "$pf_mask" \) -a \ + \( "$candidate_pf" -ne "$((candidate_pf & pf_mask))" \) ] || { \ + printf "iucode_rev(fname:%s;cpuid:%s;pf_mask:0x%x;segment:\"%s\";codename:\"%s\";stepping:\"%s\";pf_model:0x%x) = %s\n" \ + "$ucode_fname" "$cpuid" "$pf_mask" \ + "$segm" "$codename" "$stepping" "$candidate_pf" \ + "$rev"; + printf "iucode_date(fname:%s;cpuid:%s;pf_mask:0x%x;segment:\"%s\";codename:\"%s\";stepping:\"%s\";pf_model:0x%x) = %s.%s.%s\n" \ + "$ucode_fname" "$cpuid" "$pf_mask" \ + "$segm" "$codename" "$stepping" "$candidate_pf" \ + "$date_y" "$date_m" "$date_d"; + } + done + fi + + # Kludge squared: generate additional "Provides:" tags + # for the files in the overrides tarball (that a placed + # in a separate caveat with a specific name) + [ "x${ucode_caveat}" != "x${UPDATED}" ] || { + printf "firmware_updated(intel-ucode/%s) = %s\n" \ + "$ucode" "$rev"; + } + done +done | sort -u diff --git a/SOURCES/intel-microcode2ucode.8.in b/SOURCES/intel-microcode2ucode.8.in new file mode 100644 index 00000000..829ec9f0 --- /dev/null +++ b/SOURCES/intel-microcode2ucode.8.in @@ -0,0 +1,90 @@ +.\" intel-microcode2ucode stub man page +.\" +.\" SPDX-License-Identifier: CC0-1.0 +.\" +.TH INTEL-MICROCODE2UCODE 8 "@DATE@" "MICROCODE_CTL @VERSION@" +.\" +.SH NAME +intel\-microcode2ucode \- convert Intel microcode.dat file into ucode files +.\" +.SH SYNOPSIS +.SY intel\-microcode2ucode +.RI [ MICROCODE_FILE ] +.YS +.\" +.SH DESCRIPTION +.B intel\-microcode2ucode +parses Intel microcode combined text data file (which usually has name +.BR microcode.dat ) +and splits it into individual binary microcode files that can be loaded by the +Linux kernel. +.LP +Generated microcode files are placed into +.B intel-ucode +directory, which is created in the current working directory, and have file name +format of +.IR FF - MM - SS , +where +.I FF +is the CPU family number, +.I MM +is the model number, and +.I SS +is stepping. +All three values are zero-filled to two digits and are hexadecimal +(letters are in the lower case). +.LP +This tool is mostly of historic interest, as Intel ships separate microcode +files now. +.\" +.SH OPTIONS +.\" +.TP +.I MICROCODE_FILE +Path to the +.B microcode.dat +file. +If no path has been provided, the default path +.B /lib/firmware/microcode.dat +is used. +If +.B - +(single dash) is provided as an argument, data is read from the standard input. +.\" +.SH EXIT STATUS +.TP +.B 0 +Success. +.TP +.B 1 +Error occurred: +temporary buffer cannot be allocated, +input microcode file cannot be opened, +microcode version and/or format are unknown, +cannot open output file, +cannot write to the output file. +.\" +.SH REPORTING BUGS +Problems with +.B intel-microcode2ucode +should be reported to +.UR https://bugzilla.redhat.com/ +Red Hat Bugzilla +.UE +.\" +.SH AUTHORS +.B intel-microcode2ucode +was written by +Kay Sievers and +Anton Arapov . +This manpage was written for Red Hat Enterprise Linux and may be +used, modified, and/or distributed freely by anyone. +.\" +.SH "SEE ALSO" +.UR https://gitlab.com\:/iucode-tool\:/iucode-tool +iucode-tool, a tool for manipulating Intel microcode files +.UE , +.LP +.UR @MICROCODE_URL@ +Intel microcode +.UE diff --git a/SOURCES/intel_config b/SOURCES/intel_config new file mode 100644 index 00000000..d37878d7 --- /dev/null +++ b/SOURCES/intel_config @@ -0,0 +1,8 @@ +path intel-ucode/* +vendor_id GenuineIntel +kernel_early 4.10.0 +kernel_early 3.10.0-930 +kernel_early 3.10.0-862.14.1 +kernel_early 3.10.0-693.38.1 +kernel_early 3.10.0-514.57.1 +kernel_early 3.10.0-327.73.1 diff --git a/SOURCES/intel_disclaimer b/SOURCES/intel_disclaimer new file mode 100644 index 00000000..c4669baa --- /dev/null +++ b/SOURCES/intel_disclaimer @@ -0,0 +1,10 @@ +This kernel doesn't handle early microcode load properly (it tries to load +microcode even in virtualised environment, which may lead to a panic on some +hypervisors), thus the microcode files have not been added to the initramfs +image. Please update your kernel to one of the following: + RHEL 7.5: kernel-3.10.0-862.14.1 or newer; + RHEL 7.4: kernel-3.10.0-693.38.1 or newer; + RHEL 7.3: kernel-3.10.0-514.57.1 or newer; + RHEL 7.2: kernel-3.10.0-327.73.1 or newer. +Please refer to /usr/share/doc/microcode_ctl/caveats/intel_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SOURCES/intel_readme b/SOURCES/intel_readme new file mode 100644 index 00000000..32be52f5 --- /dev/null +++ b/SOURCES/intel_readme @@ -0,0 +1,52 @@ +Older RHEL 7 kernels try to early load microcode even inside virtual +machine, which may lead to panic on some hypervisors. In order to circumvent +that, microcode is installed into a kernel-version-specific directory (which +is not scanned by the dracut script, that constructs early microcode binary +in initramfs, by default), and path to microcode files provided only in case +initramfs is generated for the kernel version that properly handles early +microcode inside a virtual machine (i.e. do not attempts yo load it). +The versions of the kernel package that properly handle early microcode load +inside a virtual machine are as follows: + * RHEL 7.6 onwards: kernel-3.10.0-930 or newer; + * RHEL 7.5: kernel-3.10.0-862.14.1 or newer; + * RHEL 7.4: kernel-3.10.0-693.38.1 or newer; + * RHEL 7.3: kernel-3.10.0-514.57.1 or newer; + * RHEL 7.2: kernel-3.10.0-327.73.1 or newer. + +If you want to avoid early load of microcode for a specific kernel, please +create "disallow-early-intel" file inside /lib/firmware/ +directory and run dracut -f --kver "": + + touch /lib/firmware/3.10.0-862.9.1/disallow-early-intel + dracut -f --kver 3.10.0-862.9.1 + +If you want to avoid early load of microcode for all kernels, please create +"disallow-early-intel" file inside the "/etc/microcode_ctl/ucode_with_caveats" +directory and run dracut -f --regenerate-all: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/disallow-early-intel + dracut -f --regenerate-all + +If you want to enforce early load of microcode for a specific kernel, please +create "force-early-intel" file inside /lib/firmware/ directory +and run dracut -f --kver "": + + touch /lib/firmware/3.10.0-862.9.1/force-early-intel + dracut -f --kver 3.10.0-862.9.1 + +If you want to enforce early load of microcode for all kernels, please create +"force-early-intel" file inside /etc/microcode_ctl/ucode_with_caveats +directory and run dracut -f --kver "": + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel + dracut -f --regenerate-all + +In order to override the late load behaviour, the "early" part of file names +should be replaced with "late" (and there is no need to call dracut +in that case). + + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/microcode.service b/SOURCES/microcode.service new file mode 100644 index 00000000..a96138f6 --- /dev/null +++ b/SOURCES/microcode.service @@ -0,0 +1,12 @@ +[Unit] +Description=Load CPU microcode update +After=basic.target +ConditionVirtualization=false +ConditionPathExists=/sys/devices/system/cpu/microcode/reload + +[Service] +Type=oneshot +RemainAfterExit=no +ExecStart=/usr/libexec/microcode_ctl/reload_microcode +[Install] +WantedBy=basic.target diff --git a/SOURCES/microcode_ctl-do-not-install-intel-ucode.patch b/SOURCES/microcode_ctl-do-not-install-intel-ucode.patch new file mode 100644 index 00000000..110557bb --- /dev/null +++ b/SOURCES/microcode_ctl-do-not-install-intel-ucode.patch @@ -0,0 +1,20 @@ +Index: microcode_ctl-2.1-18/Makefile +=================================================================== +--- microcode_ctl-2.1-18.orig/Makefile 2018-08-16 04:48:33.466867302 +0200 ++++ microcode_ctl-2.1-18/Makefile 2018-08-16 04:55:46.140598645 +0200 +@@ -29,14 +29,13 @@ + $(CC) $(CFLAGS) -o $(PROGRAM) intel-microcode2ucode.c + + clean: +- rm -rf $(PROGRAM) intel-ucode ++ rm -rf $(PROGRAM) + + install: + $(INS) -d $(DESTDIR)$(INSDIR) $(DESTDIR)$(DOCDIR) \ + $(DESTDIR)$(MICDIRINTEL) + $(INS) -m 755 $(PROGRAM) $(DESTDIR)$(INSDIR) + $(INS) -m 644 README $(DESTDIR)$(DOCDIR) +- $(INS) -m 644 intel-ucode/* $(DESTDIR)$(MICDIRINTEL) + + uninstall: + rm -rf $(DESTDIR)$(INSDIR)/$(PROGRAM) \ diff --git a/SOURCES/microcode_ctl-do-not-merge-ucode-with-caveats.patch b/SOURCES/microcode_ctl-do-not-merge-ucode-with-caveats.patch new file mode 100644 index 00000000..a1e90bbe --- /dev/null +++ b/SOURCES/microcode_ctl-do-not-merge-ucode-with-caveats.patch @@ -0,0 +1,16 @@ +Do not extract intel-ucode-with-caveats into the same directory as it needs +special handling. +Index: microcode_ctl-2.1-18/Makefile +=================================================================== +--- microcode_ctl-2.1-18.orig/Makefile 2018-07-09 08:55:53.000000000 +0200 ++++ microcode_ctl-2.1-18/Makefile 2018-07-20 17:52:34.767187807 +0200 +@@ -21,8 +21,7 @@ + MICDIRINTEL = $(MICDIR)/intel-ucode + + all: +- tar xf $(MICROCODE_INTEL) ./intel-ucode/* ./intel-ucode-with-caveats/* \ +- --one-top-level=intel-ucode --strip-components=2 --backup=simple ++ tar -xf $(MICROCODE_INTEL) ./intel-ucode + + clean: + rm -rf intel-ucode diff --git a/SOURCES/microcode_ctl-ignore-first-directory-level-in-archive.patch b/SOURCES/microcode_ctl-ignore-first-directory-level-in-archive.patch new file mode 100644 index 00000000..d4f136ca --- /dev/null +++ b/SOURCES/microcode_ctl-ignore-first-directory-level-in-archive.patch @@ -0,0 +1,13 @@ +Index: microcode_ctl-2.1-18/Makefile +=================================================================== +--- microcode_ctl-2.1-18.orig/Makefile 2019-04-16 00:47:14.671953255 +0200 ++++ microcode_ctl-2.1-18/Makefile 2019-04-16 00:57:29.656380940 +0200 +@@ -23,7 +23,7 @@ + MICDIRINTEL = $(MICDIR)/intel-ucode + + all: microcode_ctl +- tar -xf $(MICROCODE_INTEL) ./intel-ucode ++ tar -xf ${MICROCODE_INTEL} --wildcards --strip-components=1 \*/intel-ucode + + microcode_ctl: intel-microcode2ucode.c + $(CC) $(CFLAGS) -o $(PROGRAM) intel-microcode2ucode.c diff --git a/SOURCES/microcode_ctl-intel-microcode2ucode-buf-handling.patch b/SOURCES/microcode_ctl-intel-microcode2ucode-buf-handling.patch new file mode 100644 index 00000000..9a014a88 --- /dev/null +++ b/SOURCES/microcode_ctl-intel-microcode2ucode-buf-handling.patch @@ -0,0 +1,95 @@ +Fix most obvious intel-microcode2ucode buffer overruns. +Index: microcode_ctl-2.1-19/intel-microcode2ucode.c +=================================================================== +--- microcode_ctl-2.1-19.orig/intel-microcode2ucode.c 2018-08-20 04:32:26.803450076 +0200 ++++ microcode_ctl-2.1-19/intel-microcode2ucode.c 2018-08-20 04:33:49.324661025 +0200 +@@ -47,16 +47,25 @@ + char c[0]; + }; + ++#define MAX_MICROCODE 4000000 ++ + int main(int argc, char *argv[]) + { + char *filename = "/lib/firmware/microcode.dat"; + FILE *input, *f; + char line[LINE_MAX]; +- char buf[4000000]; ++ char *buf = NULL; + union mcbuf *mc; + size_t bufsize, count, start; + int rc = EXIT_SUCCESS; + ++ buf = malloc(MAX_MICROCODE); ++ if (!buf) { ++ printf("can't allocate buffer\n"); ++ rc = EXIT_FAILURE; ++ goto out; ++ } ++ + if (argv[1] != NULL) + filename = argv[1]; + +@@ -74,6 +83,12 @@ + count = 0; + mc = (union mcbuf *) buf; + while (fgets(line, sizeof(line), input) != NULL) { ++ if ((count + 3) >= (MAX_MICROCODE / sizeof(mc->i[0]))) { ++ printf("input file is too big"); ++ rc = EXIT_FAILURE; ++ goto out; ++ } ++ + if (sscanf(line, "%x, %x, %x, %x", + &mc->i[count], + &mc->i[count + 1], +@@ -102,6 +117,10 @@ + unsigned int family, model, stepping; + unsigned int year, month, day; + ++ if ((start > bufsize) || ++ ((bufsize - start) < sizeof(struct microcode_header_intel))) ++ goto out; ++ + mc = (union mcbuf *) &buf[start]; + + if (mc->hdr.totalsize) +@@ -109,8 +128,12 @@ + else + size = 2000 + sizeof(struct microcode_header_intel); + ++ if (size > (bufsize - start)) ++ goto out; ++ + if (mc->hdr.ldrver != 1 || mc->hdr.hdrver != 1) { +- printf("unknown version/format:\n"); ++ printf("unknown version/format: %d/%d\n", ++ mc->hdr.ldrver, mc->hdr.hdrver); + rc = EXIT_FAILURE; + break; + } +@@ -135,7 +158,11 @@ + month = mc->hdr.date >> 24; + day = (mc->hdr.date >> 16) & 0xff; + +- asprintf(&filename, "intel-ucode/%02x-%02x-%02x", family, model, stepping); ++ if (asprintf(&filename, "intel-ucode/%02x-%02x-%02x", family, ++ model, stepping) == -1) { ++ printf("Failed to generate ucode filename\n"); ++ goto out; ++ } + printf("\n"); + printf("%s\n", filename); + printf("signature: 0x%02x\n", mc->hdr.sig); +@@ -164,6 +191,11 @@ + } + printf("\n"); + ++ if (start != bufsize) ++ printf("Finished parsing at byte %zu of %zu\n", start, bufsize); ++ + out: ++ free(buf); ++ + return rc; + } diff --git a/SOURCES/microcode_ctl-revert-intel-microcode2ucode-removal.patch b/SOURCES/microcode_ctl-revert-intel-microcode2ucode-removal.patch new file mode 100644 index 00000000..6b3b3a62 --- /dev/null +++ b/SOURCES/microcode_ctl-revert-intel-microcode2ucode-removal.patch @@ -0,0 +1,226 @@ +Revert removal of intel_microcode2ucode [1]. + +Since it was shipped to end users, its removal may introduce unneeded +disruption. + +[1] https://pagure.io/microcode_ctl/c/fde91236cc7b45ecffa5c48a7cd8b30ff75752cf.patch +Index: microcode_ctl-2.1-18/Makefile +=================================================================== +--- microcode_ctl-2.1-18.orig/Makefile 2018-07-20 17:52:34.767187807 +0200 ++++ microcode_ctl-2.1-18/Makefile 2018-07-20 19:13:37.948699082 +0200 +@@ -7,6 +7,7 @@ + # as published by the Free Software Foundation; either version + # 2 of the License, or (at your option) any later version. + ++PROGRAM = intel-microcode2ucode + MICROCODE_INTEL = microcode-20180703.tgz + + INS = install +@@ -16,23 +17,29 @@ + DESTDIR = + PREFIX = /usr/local + ++INSDIR = $(PREFIX)/sbin + DOCDIR = $(PREFIX)/share/doc/microcode_ctl + MICDIR = /lib/firmware + MICDIRINTEL = $(MICDIR)/intel-ucode + +-all: ++all: microcode_ctl + tar -xf $(MICROCODE_INTEL) ./intel-ucode + ++microcode_ctl: intel-microcode2ucode.c ++ $(CC) $(CFLAGS) -o $(PROGRAM) intel-microcode2ucode.c ++ + clean: +- rm -rf intel-ucode ++ rm -rf $(PROGRAM) intel-ucode + + install: +- $(INS) -d $(DESTDIR)$(DOCDIR) \ ++ $(INS) -d $(DESTDIR)$(INSDIR) $(DESTDIR)$(DOCDIR) \ + $(DESTDIR)$(MICDIRINTEL) ++ $(INS) -m 755 $(PROGRAM) $(DESTDIR)$(INSDIR) + $(INS) -m 644 README $(DESTDIR)$(DOCDIR) + $(INS) -m 644 intel-ucode/* $(DESTDIR)$(MICDIRINTEL) + + uninstall: +- rm -rf $(DESTDIR)$(MICDIRINTEL) \ ++ rm -rf $(DESTDIR)$(INSDIR)/$(PROGRAM) \ ++ $(DESTDIR)$(MICDIRINTEL) \ + $(DESTDIR)$(DOCDIR) + +Index: microcode_ctl-2.1-18/intel-microcode2ucode.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ microcode_ctl-2.1-18/intel-microcode2ucode.c 2018-07-20 19:02:19.510433818 +0200 +@@ -0,0 +1,169 @@ ++/* ++ * Convert Intel microcode.dat into individual ucode files ++ * named: intel-ucode/$family-$model-$stepping ++ * ++ * The subdir intel-ucode/ is created in the current working ++ * directory. We get multiple ucodes in the same file, so they ++ * are appended to an existing file. Make sure the directory ++ * is empty before every run of the converter. ++ * ++ * Kay Sievers ++ * Anton Arapov ++ */ ++ ++ ++#ifndef _GNU_SOURCE ++# define _GNU_SOURCE 1 ++#endif ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++struct microcode_header_intel { ++ unsigned int hdrver; ++ unsigned int rev; ++ unsigned int date; ++ unsigned int sig; ++ unsigned int cksum; ++ unsigned int ldrver; ++ unsigned int pf; ++ unsigned int datasize; ++ unsigned int totalsize; ++ unsigned int reserved[3]; ++}; ++ ++union mcbuf { ++ struct microcode_header_intel hdr; ++ unsigned int i[0]; ++ char c[0]; ++}; ++ ++int main(int argc, char *argv[]) ++{ ++ char *filename = "/lib/firmware/microcode.dat"; ++ FILE *input, *f; ++ char line[LINE_MAX]; ++ char buf[4000000]; ++ union mcbuf *mc; ++ size_t bufsize, count, start; ++ int rc = EXIT_SUCCESS; ++ ++ if (argv[1] != NULL) ++ filename = argv[1]; ++ ++ if (!strcmp(filename, "-")) { ++ input = stdin; ++ } else { ++ input = fopen(filename, "re"); ++ if (input == NULL) { ++ printf("open %s: %m\n", filename); ++ rc = EXIT_FAILURE; ++ goto out; ++ } ++ } ++ ++ count = 0; ++ mc = (union mcbuf *) buf; ++ while (fgets(line, sizeof(line), input) != NULL) { ++ if (sscanf(line, "%x, %x, %x, %x", ++ &mc->i[count], ++ &mc->i[count + 1], ++ &mc->i[count + 2], ++ &mc->i[count + 3]) != 4) ++ continue; ++ count += 4; ++ } ++ fclose(input); ++ ++ bufsize = count * sizeof(int); ++ printf("%s: %lu(%luk) bytes, %zu integers\n", ++ filename, ++ bufsize, ++ bufsize / 1024, ++ count); ++ ++ if (bufsize < sizeof(struct microcode_header_intel)) ++ goto out; ++ ++ mkdir("intel-ucode", 0750); ++ ++ start = 0; ++ for (;;) { ++ size_t size; ++ unsigned int family, model, stepping; ++ unsigned int year, month, day; ++ ++ mc = (union mcbuf *) &buf[start]; ++ ++ if (mc->hdr.totalsize) ++ size = mc->hdr.totalsize; ++ else ++ size = 2000 + sizeof(struct microcode_header_intel); ++ ++ if (mc->hdr.ldrver != 1 || mc->hdr.hdrver != 1) { ++ printf("unknown version/format:\n"); ++ rc = EXIT_FAILURE; ++ break; ++ } ++ ++ /* ++ * 0- 3 stepping ++ * 4- 7 model ++ * 8-11 family ++ * 12-13 type ++ * 16-19 extended model ++ * 20-27 extended family ++ */ ++ family = (mc->hdr.sig >> 8) & 0xf; ++ if (family == 0xf) ++ family += (mc->hdr.sig >> 20) & 0xff; ++ model = (mc->hdr.sig >> 4) & 0x0f; ++ if (family == 0x06) ++ model += ((mc->hdr.sig >> 16) & 0x0f) << 4; ++ stepping = mc->hdr.sig & 0x0f; ++ ++ year = mc->hdr.date & 0xffff; ++ month = mc->hdr.date >> 24; ++ day = (mc->hdr.date >> 16) & 0xff; ++ ++ asprintf(&filename, "intel-ucode/%02x-%02x-%02x", family, model, stepping); ++ printf("\n"); ++ printf("%s\n", filename); ++ printf("signature: 0x%02x\n", mc->hdr.sig); ++ printf("flags: 0x%02x\n", mc->hdr.pf); ++ printf("revision: 0x%02x\n", mc->hdr.rev); ++ printf("date: %04x-%02x-%02x\n", year, month, day); ++ printf("size: %zu\n", size); ++ ++ f = fopen(filename, "ae"); ++ if (f == NULL) { ++ printf("open %s: %m\n", filename); ++ rc = EXIT_FAILURE; ++ goto out; ++ } ++ if (fwrite(mc, size, 1, f) != 1) { ++ printf("write %s: %m\n", filename); ++ rc = EXIT_FAILURE; ++ goto out; ++ } ++ fclose(f); ++ free(filename); ++ ++ start += size; ++ if (start >= bufsize) ++ break; ++ } ++ printf("\n"); ++ ++ out: ++ return rc; ++} diff --git a/SOURCES/microcode_ctl-use-microcode-20191112-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20191112-tgz.patch new file mode 100644 index 00000000..0abecf84 --- /dev/null +++ b/SOURCES/microcode_ctl-use-microcode-20191112-tgz.patch @@ -0,0 +1,13 @@ +Index: microcode_ctl-2.1-18/Makefile +=================================================================== +--- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200 ++++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200 +@@ -8,7 +8,7 @@ + # 2 of the License, or (at your option) any later version. + + PROGRAM = intel-microcode2ucode +-MICROCODE_INTEL = microcode-20180703.tgz ++MICROCODE_INTEL = microcode-20191112.pre.tar.gz + + INS = install + CC = gcc diff --git a/SOURCES/reload_microcode b/SOURCES/reload_microcode new file mode 100644 index 00000000..5d4d1b18 --- /dev/null +++ b/SOURCES/reload_microcode @@ -0,0 +1,22 @@ +#! /bin/bash -efu + +# Trigger microcode reload with additional check for BDW-EP that can have +# microcode reloaded only in case kernel has specific patches. +# +# SPDX-License-Identifier: CC0-1.0 + +CHECK_CAVEATS=/usr/libexec/microcode_ctl/check_caveats +IGNORE_HYPERVISOR="/etc/microcode_ctl/ignore-hypervisor-flag" + +[ -e "$IGNORE_HYPERVISOR" ] || { + if grep -q '^flags[[:space:]]*:.* hypervisor\( .*\)\?$' /proc/cpuinfo + then + exit 0 + fi +} + +"$CHECK_CAVEATS" -m > /dev/null || exit 0 + +echo 2>/dev/null 1 > /sys/devices/system/cpu/microcode/reload || : + +exit 0 diff --git a/SOURCES/update_ucode b/SOURCES/update_ucode new file mode 100644 index 00000000..51c9106f --- /dev/null +++ b/SOURCES/update_ucode @@ -0,0 +1,290 @@ +#! /bin/bash -eu + +# Maintain kernel-version-specific symlinks in /lib/firmware based on +# configuration present in /usr/share/microcode_ctl/ucode_with_caveats. +# +# SPDX-License-Identifier: CC0-1.0 + +usage() +{ + echo "Usage: update_ucode [--action {add|remove|refresh|list}]" \ + "[--kernel KERNELVER]* [--verbose] [--dry-run]" \ + "[--cleanup intel_ucode caveats_ucode]" \ + "[--skip-common] [--skip-kernel-specific]" >&2 +} + +debug() { [ 0 = "$verbose" ] || echo "$*" >&2; } + +MC_DIR=/usr/share/microcode_ctl +INTEL_UCODE_DIR=intel-ucode +DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats +FW_DIR=/lib/firmware +check_caveats=/usr/libexec/microcode_ctl/check_caveats + +action=refresh +kernel= +verbose=0 +verbose_opt= +dry_run=0 +remove_cleanup=0 +cleanup_intel= +cleanup_caveats= +skip_common=0 +skip_caveats=0 + +while [ 1 -le "$#" ]; do + case "$1" in + -C|--skip-common) + skip_common=1 + ;; + -K|--skip-kernel-specific) + skip_caveats=1 + ;; + -a|--action) + shift + action="$1" + ;; + -k|--kernel) + shift + kernel="$kernel $1" + ;; + -v|--verbose) + verbose=1 + verbose_opt="-v" + ;; + -n|--dry-run) + dry_run=1 + ;; + -c|--cleanup) + remove_cleanup=1 + shift + cleanup_intel="$1" + shift + cleanup_caveats="$1" + ;; + *) + echo "Unknown argument \"$1\"" >&2 + usage + exit 1 + esac + shift +done + +cmd= +[ 0 -eq "$dry_run" ] || cmd=echo + +case "$action" in +add|remove|refresh|list) + # Scan all directories in FW_DIR and all existing kernels + if [ -z "$kernel" ]; then + debug "No kernel versions provided, scanning..." + + kvers=$(find /lib/modules/ -name '[2-9].*' -print) + for k_dir in $kvers; do + k="${k_dir#/lib/modules/}" + [ ! -e "/boot/symvers-$k.gz" ] || { + debug " Adding $k (from /lib/modules)" + kernel="$kernel $k" + } + done + + kvers=$(find /lib/firmware/ -name '[2-9].*' -print) + for k_dir in $kvers; do + k="${k_dir#/lib/firmware/}" + [ ! -d "$k_dir" ] || { + debug " Adding $k (from /lib/firmware)" + kernel="$kernel $k" + } + done + + kernel=$(printf "%s" "$kernel" | xargs -n 1 | sort -u) + fi + ;; +*) + echo "Unknown action \"$action\"" >&2 + usage + exit 1 + ;; +esac + +# Generic part: managing intel ucode +debug "Running action \"$action\" on common Intel microcode directory" +while :; do + [ 0 -eq "$skip_common" ] || break + + [ ! -e "/etc/microcode_ctl/intel-ucode-disallow" ] || { + debug " Skipping \"$i\":" \ + "\"/etc/microcode_ctl/intel-ucode-disallow\"" \ + "present" + break + } + [ ! -e "$FW_DIR/intel-ucode-disallow" ] || { + debug " Found \"$FW_DIR/intel-ucode-disallow\"," \ + "skipping" + break + } + + # Removing old files + case "$action" in + refresh|remove|list) + debug " Removing old files from ${FW_DIR}/${INTEL_UCODE_DIR}" + if [ 0 = "$remove_cleanup" ]; then + find "${MC_DIR}/${INTEL_UCODE_DIR}" \ + -maxdepth 1 -mindepth 1 \ + -type f -printf '%f\n' + else + cat "$cleanup_intel" + fi | while read -r fname; do + name="${FW_DIR}/${INTEL_UCODE_DIR}/${fname}" + + # Needed in case we downgrade to a version where + # no symlinks in /lib/firmware were used + if [ 1 = "$remove_cleanup" ]; then + [ -L "$name" ] || continue + fi + + [ "xlist" != "x$action" ] || { + echo "$name" + continue + } + + $cmd rm -f $verbose_opt "$name" + done + [ "xlist" = "x$action" ] || { + $cmd rmdir -p $verbose_opt \ + "${FW_DIR}/${INTEL_UCODE_DIR}" 2>/dev/null \ + || true + } + ;; + esac + + # Adding new ones + case "$action" in + add|refresh) + debug " Creating symlinks in ${FW_DIR}/${INTEL_UCODE_DIR}" + $cmd mkdir -p $verbose_opt "${FW_DIR}/${INTEL_UCODE_DIR}" + $cmd find "${MC_DIR}/${INTEL_UCODE_DIR}" -maxdepth 1 -mindepth 1 \ + -type f -exec bash -c 'ln -fs '"$verbose_opt"' '\''{}'\'' \ + "'"${FW_DIR}/${INTEL_UCODE_DIR}/"'$(basename '\''{}'\'')"' \; + ;; + esac + + break +done + +debug "Running action \"$action\" on kernels $kernel" + +if [ 0 = "$remove_cleanup" ]; then + ls "$DATA_DIR" +else + cat "$cleanup_caveats" +fi | while read -r i; do + [ 0 -eq "$skip_caveats" ] || break + + debug "Processing data directory \"$i\"..." + + for k in $(echo "$kernel"); do + debug " Processing kernel version \"$k\"" + { + out=$($check_caveats -k "$k" -c "$i" $verbose_opt) + ret="$?" + } || : + paths=$(printf "%s" "$out" | sed -n 's/^paths //p') + ignore=$(printf "%s" "$out" | sed -n 's/^skip_cfgs //p') + + [ -z "$ignore" ] || { + debug " Configuration is ignored, skipping" + continue + } + + case "$action" in + remove|refresh|list) + [ "xlist" = "x$action" ] || \ + debug " Removing \"$paths\" (part of $action)..." + + for p in $(printf "%s" "$paths"); do + find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \ + -printf "%P\n" + done | while read -r path; do + [ -e "$FW_DIR/$k/readme-$i" ] || { + debug " \"$FW_DIR/$k/readme-$i\"" \ + "is not found, skipping" \ + "\"$paths\" removal" + + break + } + + if [ "xlist" = "x$action" ]; then + echo "$FW_DIR/$k/$path" + else + debug " Removing \"$FW_DIR/$k/$path\"" + $cmd rm -f $verbose_opt "$FW_DIR/$k/$path" + $cmd rmdir -p $verbose_opt \ + "$FW_DIR/$k/$(dirname $path)" 2>/dev/null \ + || true + fi + done + + if [ -e "$FW_DIR/$k/readme-$i" ]; then + if [ "xlist" = "x$action" ]; then + echo "$FW_DIR/$k/readme-$i" + else + $cmd rm -f $verbose_opt \ + "$FW_DIR/$k/readme-$i" + $cmd rmdir -p $verbose_opt \ + "$FW_DIR/$k" 2>/dev/null || true + fi + fi + ;; + esac + + [ 0 -eq "$ret" ] || { + debug " Checking for caveats failed" \ + "(kernel version \"$k\"), skipping" + continue + } + + [ -n "$paths" ] || { + debug " List of paths to add is empty, skipping" + continue + } + + case "$action" in + add|refresh) + debug " Adding $paths (part of $action)..." + + [ -e "/boot/symvers-$k.gz" ] || { + debug " \"/boot/symvers-$k.gz\"" \ + "does not exist, skipping" + continue + } + + for p in $(printf "%s" "$paths"); do + find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \ + -printf "%P\n" + done | while read -r path; do + [ ! -e "$FW_DIR/$k/$path" ] || { + debug " $FW_DIR/$k/$path already" \ + "exists, skipping" + continue + } + + debug " Adding \"$FW_DIR/$k/$path\"" + $cmd mkdir -p $verbose_opt \ + "$(dirname "$FW_DIR/$k/$path")" + $cmd ln -fs $verbose_opt "$DATA_DIR/$i/$path" \ + "$FW_DIR/$k/$path" + done + + if [ -e "$FW_DIR/$k/readme-$i" ]; then + debug " $FW_DIR/$k/readme-$i already" \ + "exists, skipping creation" + else + $cmd cp $verbose_opt "$DATA_DIR/$i/readme" \ + "$FW_DIR/$k/readme-$i" + fi + ;; + remove) + esac + done +done diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec new file mode 100644 index 00000000..8e8f528d --- /dev/null +++ b/SPECS/microcode_ctl.spec @@ -0,0 +1,818 @@ +%define upstream_version 2.1-18 +%define intel_ucode_version 20191112 +%define intel_ucode_file_id 28727 + +%define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats +%define microcode_ctl_libexec %{_libexecdir}/microcode_ctl + +%define update_ucode %{microcode_ctl_libexec}/update_ucode +%define check_caveats %{microcode_ctl_libexec}/check_caveats +%define reload_microcode %{microcode_ctl_libexec}/reload_microcode + +%define dracutlibdir %{_prefix}/lib/dracut + +%define i_m2u_man intel-microcode2ucode.8 + +# In microcode_ctl, documentation directory is unversioned historically. +# In RHEL 8 spec, %{_pkgdocdir} is used as installation destination; however, +# it is unversioned only since Fedora 20, per #986871, +# and not in Fedora 18/19-based RHEL 7. +%define _pkgdocdir %{_docdir}/%{name} + +Summary: Tool to transform and deploy CPU microcode update for x86. +Name: microcode_ctl +Version: 2.1 +Release: 53.3%{?dist} +Epoch: 2 +Group: System Environment/Base +License: GPLv2+ and Redistributable, no modification permitted +URL: https://pagure.io/microcode_ctl +Source0: https://releases.pagure.org/microcode_ctl/%{name}-%{upstream_version}.tar.xz +Source1: microcode-%{intel_ucode_version}.pre.tar.gz +# (Pre-MDS) revision 0x714 of 06-2d-07 microcode +Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07 + + +# systemd unit +Source10: microcode.service + +# dracut-related stuff +Source20: 01-microcode.conf +Source21: 99-microcode-override.conf +Source22: dracut_99microcode_ctl-fw_dir_override_module_init.sh + +# libexec +Source30: update_ucode +Source31: check_caveats +Source32: reload_microcode + +# docs +Source40: %{i_m2u_man}.in +Source41: README.caveats + +## Caveats +# BDW EP/EX +# https://bugzilla.redhat.com/show_bug.cgi?id=1622180 +# https://bugzilla.redhat.com/show_bug.cgi?id=1623630 +# https://bugzilla.redhat.com/show_bug.cgi?id=1646383 +Source100: 06-4f-01_readme +Source101: 06-4f-01_config +Source102: 06-4f-01_disclaimer + +# Unsafe early MC update inside VM: +# https://bugzilla.redhat.com/show_bug.cgi?id=1596627 +Source110: intel_readme +Source111: intel_config +Source112: intel_disclaimer + +# SNB-EP (CPUID 0x206d7) post-MDS hangs +# https://bugzilla.redhat.com/show_bug.cgi?id=1758382 +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15 +Source120: 06-2d-07_readme +Source121: 06-2d-07_config +Source122: 06-2d-07_disclaimer + + +# "Provides:" RPM tags generator +Source200: gen_provides.sh + +Patch1: microcode_ctl-do-not-merge-ucode-with-caveats.patch +Patch2: microcode_ctl-revert-intel-microcode2ucode-removal.patch +Patch3: microcode_ctl-use-microcode-%{intel_ucode_version}-tgz.patch +Patch4: microcode_ctl-do-not-install-intel-ucode.patch +Patch5: microcode_ctl-intel-microcode2ucode-buf-handling.patch +Patch6: microcode_ctl-ignore-first-directory-level-in-archive.patch + +Buildroot: %{_tmppath}/%{name}-%{version}-root +ExclusiveArch: %{ix86} x86_64 +BuildRequires: systemd-units +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires(posttrans): kernel + +%global _use_internal_dependency_generator 0 +%define __find_provides "%{SOURCE200}" + +%description +The microcode_ctl utility is a companion to the microcode driver written +by Tigran Aivazian . + +The microcode update is volatile and needs to be uploaded on each system +boot i.e. it doesn't reflash your cpu permanently, reboot and it reverts +back to the old microcode. + +%prep +%setup -q -n %{name}-%{upstream_version} +%patch1 -p1 +%patch2 -p1 + +# Use the latest archive instead of microcode-20180703.tgz bundled +# with upstream microcode_ctl-2.1-18. +cp "%{SOURCE1}" . +%patch3 -p1 + +# We install ucode files manually into "intel" caveat directory +%patch4 -p1 + +%patch5 -p1 + +# The archive published on github has an additional top-level directory, +# strip it. +%patch6 -p1 + +%build +make CFLAGS="$RPM_OPT_FLAGS" %{?_smp_mflags} + +# We do not populate any intel-ucode files into /lib/firmware directly due to +# early microcode load inside VM issue: +# https://bugzilla.redhat.com/show_bug.cgi?id=1596627 +# https://bugzilla.redhat.com/show_bug.cgi?id=1607899 +#find intel-ucode -type f | sed 's/^/%%ghost \/lib\/firmware\//' > ghost_list +touch ghost_list + +tar xf "%{SOURCE1}" --wildcards --strip-components=1 \ + \*/intel-ucode-with-caveats \*/license \*/releasenote + +# replacing SNB-EP (CPUID 0x206d7) microcode with pre-MDS version +mv intel-ucode/06-2d-07 intel-ucode-with-caveats/ +cp "%{SOURCE2}" intel-ucode/ + +# man page +sed "%{SOURCE40}" \ + -e "s/@DATE@/2019-05-09/g" \ + -e "s/@VERSION@/%{version}-%{release}/g" \ + -e "s|@MICROCODE_URL@|https://downloadcenter.intel.com/download/%{intel_ucode_file_id}|g" > "%{i_m2u_man}" + +%install +rm -rf %{buildroot} +make DESTDIR=%{buildroot} PREFIX=%{_prefix} INSDIR=/usr/sbin MICDIR=/usr/share/microcode_ctl install clean + +install -m 755 -d \ + "%{buildroot}/%{_datarootdir}/microcode_ctl/intel-ucode" \ + "%{buildroot}/%{caveat_dir}/" \ + "%{buildroot}/etc/microcode_ctl/ucode_with_caveats/" + +# systemd unit +install -m 755 -d "%{buildroot}/%{_unitdir}" +install -m 644 "%{SOURCE10}" -t "%{buildroot}/%{_unitdir}/" + +# dracut +%define dracut_mod_dir "%{buildroot}/%{dracutlibdir}/modules.d/99microcode_ctl-fw_dir_override" +install -m 755 -d \ + "%{dracut_mod_dir}" \ + "%{buildroot}/%{dracutlibdir}/dracut.conf.d/" +install -m 644 "%{SOURCE20}" "%{SOURCE21}" \ + -t "%{buildroot}/%{dracutlibdir}/dracut.conf.d/" +install -m 755 "%{SOURCE22}" "%{dracut_mod_dir}/module-setup.sh" + +# Internal helper scripts +install -m 755 -d "%{buildroot}/%{microcode_ctl_libexec}" +install "%{SOURCE30}" "%{SOURCE31}" "%{SOURCE32}" \ + -m 755 -t "%{buildroot}/%{microcode_ctl_libexec}" + + +## Documentation +install -m 755 -d "%{buildroot}/%{_pkgdocdir}/caveats" + +# caveats readme +install "%{SOURCE41}" \ + -m 644 -t "%{buildroot}/%{_pkgdocdir}/" + +# Provide Intel microcode license, as it requires so +install -m 644 license \ + "%{buildroot}/%{_pkgdocdir}/LICENSE.intel-ucode" + +# Provide release notes for Intel microcode +install -m 644 releasenote \ + "%{buildroot}/%{_pkgdocdir}/RELEASE_NOTES.intel-ucode" + +# caveats +install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" \ + -t "%{buildroot}/%{_pkgdocdir}/caveats/" + +# Man page +install -m 755 -d %{buildroot}/%{_mandir}/man8/ +install -m 644 "%{i_m2u_man}" -t %{buildroot}/%{_mandir}/man8/ + + +## Caveat data + +# BDW caveat +%define bdw_inst_dir %{buildroot}/%{caveat_dir}/intel-06-4f-01/ +install -m 755 -d "%{bdw_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-4f-01 -t "%{bdw_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE100}" "%{bdw_inst_dir}/readme" +install -m 644 "%{SOURCE101}" "%{bdw_inst_dir}/config" +install -m 644 "%{SOURCE102}" "%{bdw_inst_dir}/disclaimer" + +# Early update caveat +%define intel_inst_dir %{buildroot}/%{caveat_dir}/intel/ +install -m 755 -d "%{intel_inst_dir}/intel-ucode" +install -m 644 intel-ucode/* -t "%{intel_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE110}" "%{intel_inst_dir}/readme" +install -m 644 "%{SOURCE111}" "%{intel_inst_dir}/config" +install -m 644 "%{SOURCE112}" "%{intel_inst_dir}/disclaimer" + +# SNB caveat +%define snb_inst_dir %{buildroot}/%{caveat_dir}/intel-06-2d-07/ +install -m 755 -d "%{snb_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-2d-07 -t "%{snb_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE120}" "%{snb_inst_dir}/readme" +install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config" +install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer" + +# Cleanup +rm -f intel-ucode-with-caveats/06-4f-01 +rm -f intel-ucode-with-caveats/06-2d-07 +rmdir intel-ucode-with-caveats +rm -rf intel-ucode + +%post +%systemd_post microcode.service +%{update_ucode} +%{reload_microcode} + +# send the message to syslog, so it gets recorded on /var/log +if [ -e /usr/bin/logger ]; then + %{check_caveats} -m -d | /usr/bin/logger -p syslog.notice -t DISCLAIMER +fi +# also paste it over dmesg (some customers drop dmesg messages while +# others keep them into /var/log for the later case, we'll have the +# disclaimer recorded twice into system logs. +%{check_caveats} -m -d > /dev/kmsg + +exit 0 + +%posttrans +# We only want to regenerate the initramfs for a fully booted +# system; if this package happened to e.g. be pulled in as a build +# dependency, it is pointless at best to regenerate the initramfs, +# and also does not work with rpm-ostree: +# https://bugzilla.redhat.com/show_bug.cgi?id=1199582 +# +# Also check that the running kernel is actually installed: +# https://bugzilla.redhat.com/show_bug.cgi?id=1591664 +# We use the presence of symvers file as an indicator, the check similar +# to what weak-modules script does. +if [ -d /run/systemd/system -a -e "/boot/symvers-$(uname -r).gz" ]; then + dracut -f +fi + +%global rpm_state_dir %{_localstatedir}/lib/rpm-state + + +%preun +%systemd_preun microcode.service + +# Storing ucode list before uninstall +ls /usr/share/microcode_ctl/intel-ucode | + sort > "%{rpm_state_dir}/microcode_ctl_un_intel-ucode" +ls /usr/share/microcode_ctl/ucode_with_caveats | + sort > "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats" +%{update_ucode} --action list --skip-common | + sort > "%{rpm_state_dir}/microcode_ctl_un_file_list" + +%postun +%systemd_postun microcode.service + +ls /usr/share/microcode_ctl/intel-ucode 2> /dev/null | + sort > "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_after" +comm -23 \ + "%{rpm_state_dir}/microcode_ctl_un_intel-ucode" \ + "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_after" \ + > "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_diff" + +if [ -e "%{update_ucode}" ]; then + ls /usr/share/microcode_ctl/ucode_with_caveats 2> /dev/null | + sort > "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_after" + + comm -23 \ + "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats" \ + "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_after" \ + > "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_diff" + + %{update_ucode} --action remove --cleanup \ + "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_diff" \ + "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_diff" || exit 0 + + rm -f "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_after" + rm -f "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_diff" +else + while read -r f; do + [ -L "/lib/firmware/intel-ucode/$f" ] || continue + rm -f "/lib/firmware/intel-ucode/$f" + done < "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_diff" + + rmdir "/lib/firmware/intel-ucode" 2>/dev/null || : + + # We presume that if we don't have update_ucode script, we can remove + # all the caveats-related files. + while read -r f; do + if [ -L "$f" ] || [ "${f%%readme-*}" != "$f" ]; then + rm -f "$f" + rmdir -p $(dirname "$f") 2>/dev/null || : + fi + done < "%{rpm_state_dir}/microcode_ctl_un_file_list" +fi + +rm -f "%{rpm_state_dir}/microcode_ctl_un_intel-ucode" +rm -f "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_after" +rm -f "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_diff" + +rm -f "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats" + +rm -f "%{rpm_state_dir}/microcode_ctl_un_file_list" + + +exit 0 + +%triggerin -- kernel +%{update_ucode} + +%triggerpostun -- kernel +%{update_ucode} + + +%clean +rm -rf %{buildroot} + +%files -f ghost_list +%ghost %attr(0755, root, root) /lib/firmware/intel-ucode/ +/usr/sbin/intel-microcode2ucode +%{microcode_ctl_libexec} +/usr/share/microcode_ctl +%{dracutlibdir}/modules.d/* +%config(noreplace) %{dracutlibdir}/dracut.conf.d/* +%{_unitdir}/microcode.service +%doc %{_pkgdocdir} +%{_mandir}/man8/* + + +%changelog +* Thu Nov 07 2019 Eugene Syromiatnikov - 2:2.1-53.3 +- Intel CPU microcode update to 20191112, addresses CVE-2017-5715, + CVE-2019-0117, CVE-2019-11135, CVE-2019-11139 (#1764050, #1764070, #1764949, + #1764969, #1764997, #1765401, #1765413, #1766438, #1766870, #1769889): + - Addition of 06-a6-00/0x80 (CML-U 6+2 A0) microcode at revision 0xc6; + - Addition of 06-66-03/0x80 (CNL-U D0) microcode at revision 0x2a; + - Addition of 06-55-03/0x97 (SKL-SP B1) microcode at revision 0x1000150; + - Addition of 06-7e-05/0x80 (ICL-U/Y D1) microcode at revision 0x46; + - Update of 06-4e-03/0xc0 (SKL-U/Y D0) microcode from revision 0xcc to 0xd4; + - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) microcode from revision 0xcc + to 0xd4 + - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode from revision 0xb4 to 0xc6; + - Update of 06-8e-09/0xc0 (KBL-U/Y H0) microcode from revision 0xb4 to 0xc6; + - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) microcode from revision 0xb4 + to 0xc6; + - Update of 06-8e-0b/0xd0 (WHL-U W0) microcode from revision 0xb8 to 0xc6; + - Update of 06-8e-0c/0x94 (AML-Y V0) microcode from revision 0xb8 to 0xc6; + - Update of 06-8e-0c/0x94 (CML-U 4+2 V0) microcode from revision 0xb8 to 0xc6; + - Update of 06-8e-0c/0x94 (WHL-U V0) microcode from revision 0xb8 to 0xc6; + - Update of 06-9e-09/0x2a (KBL-G/X H0) microcode from revision 0xb4 to 0xc6; + - Update of 06-9e-09/0x2a (KBL-H/S/Xeon E3 B0) microcode from revision 0xb4 + to 0xc6; + - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) microcode from revision 0xb4 + to 0xc6; + - Update of 06-9e-0b/0x02 (CFL-S B0) microcode from revision 0xb4 to 0xc6; + - Update of 06-9e-0d/0x22 (CFL-H R0) microcode from revision 0xb8 to 0xc6. +- Rework dracut hook to address dracut's early initramfs generation + behaviour. + +* Sun Oct 06 2019 Eugene Syromiatnikov - 2:2.1-53.2 +- Do not update 06-2d-07 (SNB-E/EN/EP) to revision 0x718, use 0x714 + by default. + +* Thu Sep 19 2019 Eugene Syromiatnikov - 2:2.1-53.1 +- Intel CPU microcode update to 20190918. +- Add new disclaimer, generated based on relevant caveats. +- Resolves: #1758572. + +* Wed Jun 19 2019 Eugene Syromiatnikov - 2:2.1-53 +- Intel CPU microcode update to 20190618. +- Resolves: #1717241. + +* Sun Jun 02 2019 Eugene Syromiatnikov - 2:2.1-52 +- Remove disclaimer, as it is not as important now to justify kmsg/log + pollution; its contents are partially adopted in README.caveats. + +* Mon May 20 2019 Eugene Syromiatnikov - 2:2.1-51 +- Intel CPU microcode update to 20190514a. +- Resolves: #1711941. + +* Thu May 09 2019 Eugene Syromiatnikov - 2:2.1-50 +- Intel CPU microcode update to 20190507_Public_DEMO. +- Resolves: #1697904. + +* Mon Apr 15 2019 Eugene Syromiatnikov - 2:2.1-49 +- Intel CPU microcode update to 20190312. +- Add "Provides:" tags generation. +- Resolves: #1697904. + +* Thu Sep 20 2018 Eugene Syromiatnikov - 2:2.1-48 +- Fix %postun script (#1628629) + +* Wed Sep 05 2018 Eugene Syromiatnikov - 2:2.1-47 +- Add 7.3.z kernel version to kernel_early configuration. + +* Thu Aug 30 2018 Eugene Syromiatnikov - 2:2.1-46 +- Fix dracut module checks in Host-Only mode. + +* Thu Aug 30 2018 Eugene Syromiatnikov - 2:2.1-45 +- Disable 06-4f-01 microcode in config (#1623630). + +* Tue Aug 28 2018 Eugene Syromiatnikov - 2:2.1-44 +- Intel CPU microcode update to 20180807a. +- Add README.caveats documentation file. +- Add intel-microcode2ucode manual page. +- Add check for early microcode load, use it in microcode_ctl dracut module. +- Resolves: #1596627. + +* Mon Aug 20 2018 Eugene Syromiatnikov - 2:2.1-43 +- Check that the currently running kernel is installed before + running dracut -f. + +* Thu Aug 16 2018 Eugene Syromiatnikov - 2:2.1-42 +- Drop "hypervisor" /proc/cpuinfo flag check. + +* Thu Aug 09 2018 Eugene Syromiatnikov - 2:2.1-41 +- Intel CPU microcode update to 20180807. +- Resolves: #1614422 + +* Mon Aug 06 2018 Eugene Syromiatnikov - 2:2.1-40 +- Add an ability to disable "hypervisor" /proc/cpuinfo flag check. + +* Fri Jul 27 2018 Eugene Syromiatnikov - 2:2.1-39 +- Provide %attr for the ghosted /lib/firmware/intel-ucode. + +* Thu Jul 26 2018 Eugene Syromiatnikov - 2:2.1-38 +- Remove model name blacklists from caveats configuration files. +- Resolves: #1596627 + +* Wed Jul 25 2018 Eugene Syromiatnikov - 2:2.1-37 +- Add model name blacklist infrastructure. +- Store Intel ucode files in /usr/share/microcode_ctl; do not populate them + in a virtualised environment. +- Resolves: #1596627 + +* Fri Jul 20 2018 Eugene Syromiatnikov - 2:2.1-35 +- Add intel-microcode2ucode back +- Resolves: #1574582 + +* Fri Jul 20 2018 Eugene Syromiatnikov - 2:2.1-34 +- Update to upstream 2.1-18. Intel CPU microcode update to 20180703. +- Add infrastructure for handling kernel-version-dependant microcode. +- Resolves: #1574582 + +* Wed Jun 13 2018 Petr Oros - 2.1-33 +- CVE-2018-3639 hw: cpu: speculative store bypass +- Resolves: #1495071 + +* Mon Jun 11 2018 Petr Oros - 2.1-32 +- Fix: Operation not permitted when installing microcode_ctl +- Resolves: #1584247 + +* Tue May 15 2018 Petr Oros - 2.1-31 +- Update disclaimer text +- Resolves: #1574574 + +* Mon May 7 2018 Petr Oros - 2.1-30 +- Intel CPU microcode update to 20180425. +- Resolves: #1574574 + +* Fri Jan 12 2018 Petr Oros - 2.1-29 +- Revert Microcode from Intel for Side Channel attack +- Resolves: #1533939 + +* Fri Jan 12 2018 Petr Oros - 2.1-29 +- Don't run dracut if not on a live system +- Resolves: #1530400 + +* Tue Jan 9 2018 Petr Oros - 2.1-28 +- Remove old binary tool +- Resolves: #1527360 + +* Tue Jan 9 2018 Petr Oros - 2.1-27 +- Update to upstream 2.1-15. Intel CPU microcode update to 20180108. +- Resolves: #1527360 + +* Fri Dec 15 2017 Petr Oros - 2.1-26 +- Update Intel CPU microde for 06-3f-02, 06-4f-01, and 06-55-04 +- Resolves: #1527360 + +* Wed Nov 22 2017 Petr Oros - 2.1-25 +- Update to upstream 2.1-14. Intel CPU microcode update to 20171117. +- Resolves: #1457522 + +* Tue Oct 17 2017 Petr Oros - 2.1-24 +- Fix upstream URL +- Resolves: #1502360 + +* Fri Jul 14 2017 Petr Oros - 2.1-23 +- Update to upstream 2.1-13. Intel CPU microcode update to 20170707. +- Resolves: #1457522 + +* Wed May 24 2017 Petr Oros - 2.1-22 +- Update to upstream 2.1-12. Intel CPU microcode update to 20170511. +- Resolves: #1384218 + +* Tue Mar 7 2017 Petr Oros - 2.1-21 +- Rpm scriptlets should only rebuild the current kernel's initrd. +- Resolves: #1420180 + +* Wed Jan 18 2017 Petr Oros - 2.1-20 +- Fix issue with hot microcode cpu reload. +- Resolves: #1411232 + +* Mon Jan 9 2017 Petr Oros - 2.1-19 +- Fix broken quoting in ExecStart line. +- Resolves: #1411232 + +* Fri Dec 16 2016 Petr Oros - 2.1-18 +- Fix issue with hot microcode cpu reload. +- Resolves: #1398698 + +* Wed Nov 30 2016 Petr Oros - 2.1-17 +- Move dracut call into posttrans phase. +- Resolves: #1398698 + +* Thu Jul 21 2016 Petr Oros - 2.1-16 +- Update to upstream 2.1-10. Intel CPU microcode update to 20160714. +- Resolves: #1358047 + +* Wed Jun 29 2016 Petr Oros - 2.1-15 +- Load CPU microcode update only on supproted systems. +- Resolves: #1307179 + +* Fri Jun 24 2016 Petr Oros - 2.1-14 +- Update to upstream 2.1-9. Intel CPU microcode update to 20160607. +- Resolves: #1253106 + +* Thu May 19 2016 Petr Oros - 2.1-13 +- Run dracut -f for all kernels. +- Resolves: #1292158 + +* Fri Jul 3 2015 Petr Oros - 2.1-12 +- Update to upstream 2.1-7. Intel CPU microcode update to 20150121. +- Resolves: #1174983 + +* Fri Oct 10 2014 Petr Oros - 2.1-11 +- Run dracut -f after install microcode for update initramfs. +- Resolves: #1151192 + +* Tue Sep 30 2014 Petr Oros - 2.1-10 +- Update to upstream 2.1-6. Intel CPU microcode update to 20140913. +- Resolves: #1142302 + +* Tue Jul 15 2014 Petr Oros - 2.1-9 +- Update to upstream 2.1-5. Intel CPU microcode update to 20140624. +- Resolves: #1113396 + +* Tue Jun 3 2014 Petr Oros - 2.1-8 +- Fix bogus time in changelog +- Resolves: #1085117 + +* Tue Jun 3 2014 Petr Oros - 2.1-8 +- Update to upstream 2.1-4. Intel CPU microcode update to 20140430. +- Resolves: #1085117 + +* Wed Mar 12 2014 Anton Arapov - 2.1-7.1 +- Fix the microcode's behaviour in virtual environment. + +* Fri Feb 28 2014 Anton Arapov - 2.1-7 +- Fix the microcode's dracut configuration file location. + +* Tue Feb 18 2014 Anton Arapov - 2.1-6 +- Enable early microcode capabilities. Systemd and Dracut support. (Jeff Bastian) + +* Fri Jan 24 2014 Anton Arapov - 2.1-5 +- Update to upstream 2.1-3. Intel CPU microcode update to 20140122. + +* Fri Dec 27 2013 Daniel Mach - 2:2.1-4 +- Mass rebuild 2013-12-27 + +* Mon Sep 09 2013 Anton Arapov 2.1-3 +- Imported to RHEL tree + +* Mon Sep 09 2013 Anton Arapov 2.1-2 +- Update to upstream 2.1-2. + +* Wed Aug 14 2013 Anton Arapov 2.1-1 +- Update to upstream 2.1-1. + +* Sat Jul 27 2013 Anton Arapov 2.1-0 +- Update to upstream 2.1. AMD microcode has been removed, find it in linux-firmware. + +* Wed Apr 03 2013 Anton Arapov 2.0-3.1 +- Update to upstream 2.0-3 + +* Thu Feb 14 2013 Fedora Release Engineering - 2:2.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Oct 17 2012 Anton Arapov 2.0-2 +- Update to upstream 2.0-2 + +* Tue Oct 02 2012 Anton Arapov 2.0-1 +- Update to upstream 2.0-1 + +* Mon Aug 06 2012 Anton Arapov 2.0 +- Update to upstream 2.0 + +* Wed Jul 25 2012 Anton Arapov 1.18-1 +- Update to upstream 1.18 + +* Fri Jul 20 2012 Fedora Release Engineering - 1:1.17-26 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jun 07 2012 Anton Arapov 1.17-25 +- Update to microcode-20120606.dat + +* Tue Feb 07 2012 Anton Arapov 1.17-24 +- Update to amd-ucode-2012-01-17.tar + +* Fri Jan 13 2012 Fedora Release Engineering - 1:1.17-22 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Dec 22 2011 Anton Arapov 1.17-21 +- Fix a segfault that may be triggered by very long parameter [#768803] + +* Tue Dec 13 2011 Anton Arapov 1.17-20 +- Update to microcode-20111110.dat + +* Tue Sep 27 2011 Anton Arapov 1.17-19 +- Update to microcode-20110915.dat + +* Thu Aug 04 2011 Anton Arapov 1.17-18 +- Ship splitted microcode for Intel CPUs [#690930] +- Include tool for splitting microcode for Intl CPUs (Kay Sievers ) + +* Thu Jun 30 2011 Anton Arapov 1.17-17 +- Fix udev rules (Dave Jones ) [#690930] + +* Thu May 12 2011 Anton Arapov 1.17-14 +- Update to microcode-20110428.dat + +* Thu Mar 24 2011 Anton Arapov 1.17-13 +- fix memory leak. + +* Mon Mar 07 2011 Anton Arapov 1.17-12 +- Update to amd-ucode-2011-01-11.tar + +* Tue Feb 08 2011 Fedora Release Engineering - 1:1.17-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 19 2011 Anton Arapov 1.17-10 +- manpage fix (John Bradshaw ) [#670879] + +* Wed Jan 05 2011 Anton Arapov 1.17-9 +- Update to microcode-20101123.dat + +* Mon Nov 01 2010 Anton Arapov 1.17-8 +- Update to microcode-20100914.dat + +* Wed Sep 29 2010 jkeating - 1:1.17-7 +- Rebuilt for gcc bug 634757 + +* Wed Sep 15 2010 Anton Arapov 1.17-6 +- Update to microcode-20100826.dat + +* Tue Sep 07 2010 Toshio Kuratomi 1.17-5 +- Fix license tag: bz#450491 + +* Fri Aug 27 2010 Dave Jones 1.17-4 +- Update to microcode-20100826.dat + +* Tue Mar 23 2010 Anton Arapov 1.17-3 +- Fix the udev rules (Harald Hoyer ) + +* Mon Mar 22 2010 Anton Arapov 1.17-2 +- Make microcode_ctl event driven (Bill Nottingham ) [#479898] + +* Thu Feb 11 2010 Dave Jones 1.17-1.58 +- Update to microcode-20100209.dat + +* Fri Dec 04 2009 Kyle McMartin 1.17-1.57 +- Fix duplicate message pointed out by Edward Sheldrake. + +* Wed Dec 02 2009 Kyle McMartin 1.17-1.56 +- Add AMD x86/x86-64 microcode. (Dated: 2009-10-09) + Doesn't need microcode_ctl modifications as it's loaded by + request_firmware() like any other sensible driver. +- Eventually, this AMD firmware can probably live inside + kernel-firmware once it is split out. + +* Wed Sep 30 2009 Dave Jones +- Update to microcode-20090927.dat + +* Fri Sep 11 2009 Dave Jones +- Remove some unnecessary code from the init script. + +* Sat Jul 25 2009 Fedora Release Engineering - 1:1.17-1.52.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Jun 25 2009 Dave Jones +- Shorten sleep time during init. + This really needs to be replaced with proper udev hooks, but this is + a quick interim fix. + +* Wed Jun 03 2009 Kyle McMartin 1:1.17-1.50 +- Change ExclusiveArch to i586 instead of i386. Resolves rhbz#497711. + +* Wed May 13 2009 Dave Jones +- update to microcode 20090330 + +* Wed Feb 25 2009 Fedora Release Engineering - 1:1.17-1.46.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Fri Sep 12 2008 Dave Jones +- update to microcode 20080910 + +* Tue Apr 01 2008 Jarod Wilson +- Update to microcode 20080401 + +* Sat Mar 29 2008 Dave Jones +- Update to microcode 20080220 +- Fix rpmlint warnings in specfile. + +* Mon Mar 17 2008 Dave Jones +- specfile cleanups. + +* Fri Feb 22 2008 Jarod Wilson +- Use /lib/firmware instead of /etc/firmware + +* Wed Feb 13 2008 Jarod Wilson +- Fix permissions on microcode.dat + +* Thu Feb 07 2008 Jarod Wilson +- Spec cleanup and macro standardization. +- Update license +- Update microcode data file to 20080131 revision. + +* Mon Jul 2 2007 Dave Jones +- Update to upstream 1.17 + +* Thu Oct 12 2006 Jon Masters +- BZ209455 fixes. + +* Mon Jul 17 2006 Jesse Keating +- rebuild + +* Fri Jun 16 2006 Bill Nottingham +- remove kudzu requirement +- add prereq for coreutils, awk, grep + +* Thu Feb 09 2006 Dave Jones +- rebuild. + +* Fri Jan 27 2006 Dave Jones +- Update to upstream 1.13 + +* Fri Dec 16 2005 Jesse Keating +- rebuilt for new gcj + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Mon Nov 14 2005 Dave Jones +- initscript tweaks. + +* Tue Sep 13 2005 Dave Jones +- Update to upstream 1.12 + +* Wed Aug 17 2005 Dave Jones +- Check for device node *after* loading the module. (#157672) + +* Tue Mar 1 2005 Dave Jones +- Rebuild for gcc4 + +* Thu Feb 17 2005 Dave Jones +- s/Serial/Epoch/ + +* Tue Jan 25 2005 Dave Jones +- Drop the node creation/deletion change from previous release. + It'll cause grief with selinux, and was a hack to get around + a udev shortcoming that should be fixed properly. + +* Fri Jan 21 2005 Dave Jones +- Create/remove the /dev/cpu/microcode dev node as needed. +- Use correct path again for the microcode.dat. +- Remove some no longer needed tests in the init script. + +* Fri Jan 14 2005 Dave Jones +- Only enable microcode_ctl service if the CPU is capable. +- Prevent microcode_ctl getting restarted multiple times on initlevel change (#141581) +- Make restart/reload work properly +- Do nothing if not started by root. + +* Wed Jan 12 2005 Dave Jones +- Adjust dev node location. (#144963) + +* Tue Jan 11 2005 Dave Jones +- Load/Remove microcode module in initscript. + +* Mon Jan 10 2005 Dave Jones +- Update to upstream 1.11 release. + +* Sat Dec 18 2004 Dave Jones +- Initial packaging, based upon kernel-utils. +