From cd168e86c728a912c625b1750acb6d5fb0a9d247 Mon Sep 17 00:00:00 2001 From: basebuilder_pel7x64builder0 Date: Sat, 1 Aug 2020 12:57:27 +0200 Subject: [PATCH] microcode_ctl package update Signed-off-by: basebuilder_pel7x64builder0 --- SOURCES/06-2d-07_readme | 24 +- SOURCES/06-4f-01_disclaimer | 2 +- SOURCES/06-55-04 | Bin 0 -> 33792 bytes SOURCES/06-55-04_config | 10 + SOURCES/06-55-04_disclaimer | 5 + SOURCES/06-55-04_readme | 64 ++++ SOURCES/README.caveats | 97 +++++- SOURCES/check_caveats | 173 +++++++++- ...crocode_ctl-fw_dir_override_module_init.sh | 93 ++---- SOURCES/gen_provides.sh | 88 +++-- SOURCES/intel_config | 2 +- ...ocode_ctl-use-microcode-20200602-tgz.patch | 13 + SPECS/microcode_ctl.spec | 300 ++++++++++++++++-- 13 files changed, 721 insertions(+), 150 deletions(-) create mode 100644 SOURCES/06-55-04 create mode 100644 SOURCES/06-55-04_config create mode 100644 SOURCES/06-55-04_disclaimer create mode 100644 SOURCES/06-55-04_readme create mode 100644 SOURCES/microcode_ctl-use-microcode-20200602-tgz.patch diff --git a/SOURCES/06-2d-07_readme b/SOURCES/06-2d-07_readme index bfb87438..2a9f5eca 100644 --- a/SOURCES/06-2d-07_readme +++ b/SOURCES/06-2d-07_readme 
@@ -1,17 +1,21 @@ -Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6, model 45, stepping 7) has issues -with MDS-related microcode update that may lead to a system hang after -a microcode update. In order to address this, microcode update +Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7) +have issues with MDS-related microcode update that may lead to a system hang +after a microcode update[1][2]. In order to address this, microcode update to the MDS-related revision 0x718 has been disabled, and the previously published microcode revision 0x714 is used by default for the OS-driven microcode update. +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15 +[2] https://access.redhat.com/solutions/4593951 + For the reference, SHA1 checksums of 06-2d-07 microcode files containing microcode revisions in question are listed below: * 06-2d-07, revision 0x714: bcf2173cd3dd499c37defbc2533703cfa6ec2430 * 06-2d-07, revision 0x718: 837cfebbfc09b911151dfd179082ad99cf87e85d + * 06-2d-07, revision 0x71a: 4512c8149e63e5ed15f45005d7fb5be0041f66f6 Please contact your system vendor for a BIOS/firmware update that contains -the latest microcode version. For the information regarding microcode versions +the latest microcode version. For the information regarding microcode versions required for mitigating specific side-channel cache attacks, please refer to the following knowledge base articles: * CVE-2017-5715 ("Spectre"): 
@@ -26,12 +30,12 @@ to the following knowledge base articles: The information regarding enforcing microcode load is provided below. -To enforce usage of this microcode revision, please create a file -"force-intel-06-2d-07" inside /lib/firmware/ directory, -run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware +To enforce usage of the 0x718 microcode revision for a specific kernel version, +please create file "force-intel-06-2d-07" inside /lib/firmware/ +directory, run "/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory where microcode will be available for late microcode update, -and run "dracut -f --kver 3.10.0-862.9.1", so initramfs for this version -is regenerated and the microcode can be loaded early: +and run "dracut -f --kver ", so initramfs for this kernel +version is regenerated and the microcode can be loaded early, for example: touch /lib/firmware/3.10.0-862.9.1/force-intel-06-2d-07 /usr/libexec/microcode_ctl/update_ucode @@ -41,7 +45,7 @@ After that, it is possible to perform a late microcode update by executing "/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to "/sys/devices/system/cpu/microcode/reload" directly. -To enforce addition of this microcode for all kernels, please create a file +To enforce addition of this microcode for all kernels, please create file "/etc/microcode_ctl/ucode_with_caveats/force-intel-06-2d-07", run "/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, and "dracut -f --regenerate-all" for enabling early microcode updates: diff --git a/SOURCES/06-4f-01_disclaimer b/SOURCES/06-4f-01_disclaimer index d5bc60df..c978958e 100644 --- a/SOURCES/06-4f-01_disclaimer +++ b/SOURCES/06-4f-01_disclaimer 
@@ -1,4 +1,4 @@ -microcode update for Intel Broadwell-EP/EX (BDX-ML B/M/R0; family 6, model 79, +Microcode update for Intel Broadwell-EP/EX (BDX-ML B/M/R0; family 6, model 79, stepping 1; CPUID 0x406f1) CPUs is disabled as it may cause system instability. Please refer to /usr/share/doc/microcode_ctl/caveats/06-4f-01_readme and /usr/share/doc/microcode_ctl/README.caveats for details. 
diff --git a/SOURCES/06-55-04 b/SOURCES/06-55-04 new file mode 100644 index 0000000000000000000000000000000000000000..754d08173ed7f3ba6b92232000d9a630352bb76e GIT binary patch literal 33792
directory, run +"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory +where microcode will be available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated and the microcode can be loaded early, for example: + + touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-04 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +After that, it is possible to perform a late microcode update by executing +"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to +"/sys/devices/system/cpu/microcode/reload"
directly. + +To enforce addition of this microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04", run +"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, +and "dracut -f --regenerate-all" for enabling early microcode updates: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SOURCES/README.caveats b/SOURCES/README.caveats index 97ae7bc8..c1018010 100644 --- a/SOURCES/README.caveats +++ b/SOURCES/README.caveats 
@@ -159,6 +159,49 @@ separated by white space. Currently, the following options are supported: one model name per line. The model name of the running CPU (as reported in /proc/cpuinfo) is compared against the names in the provided list, and, if there is a match, caveat check fails. + * "pci_config_val" performs check for specific values in selected parts + of configuration space of specified PCI devices. If "-m" option + is not specified, then the actual check is skipped, and the check returns + result in accordance with the provided "mode" option (se below). Check + arguments are a white-space-separated list of "key=value" pairs. + The following keys are supported: + * "domain" - PCI domain number, or "*" (an asterisk) for any domain. + Default is "*". + * "bus" - PCI bus number, or "*" (an asterisk) for any bus. Default is "*". + * "device" - PCI device number, or "*" (an asterisk) for any device. + Default is "*". + * "function" - PCI function number, or "*" (an asterisk) for any function. + Default is "*". + * "vid" - PCI vendor ID, or empty string for any vendor ID. Default + is empty string. + * "did" - PCI device ID, or empty string for any device ID. Default + is empty string. + * "offset" - offset in device's configuration space where the value resides. + Default is 0. + * "size" - field size. Possible values are 1, 2, 4, or 8. Default is 4. + * "mask" - mask applied to the values during the check. Default is 0. + * "val" - comma-separated list of matching values. Default is 0. + * "mode" - check mode, the way matches are interpreted: + * "success-any" - check succeeds if there was at least one match, + otherwise it fails. + * "success-all" - check succeeds if there was at least one device checked + and all the checked devices have matches, otherwise the check fails. + * "fail-any" - check fails if there was at least one match, otherwise + it succeeds. 
+ * "fail-all" - check fails if there was at least one device checked + and all the checked devices have matches, otherwise the check succeeds. + An example of a check: + pci_config_val mode=success-all device=30 function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8 + It interprets 4 bytes at offset 0x84 of special files "config" under + directories that match glob pattern "/sys/bus/pci/devices/*:*:1e.3" + as an unsigned integer value, applies mask 0x38 (thus selecting bit 5..3 + of it) and checks whether it is one of the values 0x38, 0x18, or 0x8 (0b111, + 0b011, or 0b001 in bits 5..3, respectively); if there are such files, + and all the checked values in every checked file has matched at least one + of the aforementioned value, then the check is successful, otherwise + it fails (in accordance with "mode=success-all" semantics). This check fails + if "-m" option is not specified. + check_caveats script @@ -342,10 +385,6 @@ by creation of a file "/etc/microcode_ctl/ignore-hypervisor-flag". The script has no options and always returns 0. -In addition to overrides that affect check_caveats, the presence of the -"/etc/microcode_ctl/ignore-hypervisor-flag" flag provides an ability -to skip "hypervisor" flag check. - 99microcode_ctl-fw_dir_override dracut module --------------------------------------------- 
@@ -392,9 +431,11 @@ when a microcode update performed on a kernel that contains those changes. As a result, microcode update for this CPU model is disabled by default; the microcode file, however, is still shipped as a part of microcode_ctl package and can be used for performing a microcode update if it is enforced -via the aforementioned overriddes. (See sections "check_caveats script" +via the aforementioned overrides. (See the sections "check_caveats script" and "reload_microcode script" for details.) +Caveat name: intel-06-4f-01 + Affected microcode: intel-ucode/06-4f-01. Mitigation: microcode loading is disabled for the affected CPU model. @@ -421,9 +462,12 @@ from a cpio archive placed at the beginning of the initramfs image. However, when an early microcode update is attempted inside some virtualised environments, that may result in unexpected system behaviour. +Caveat name: intel + Affected microcode: all. -Mitigation: early microcode loading is disabled for all CPU models. +Mitigation: early microcode loading is disabled for all CPU models on kernels +without the fix. Minimum versions of the kernel package that contain the fix: - Upstream/RHEL 8: 4.10.0 
@@ -437,18 +481,45 @@ Minimum versions of the kernel package that contain the fix: Intel Sandy Bridge-E/EN/EP caveat --------------------------------- MDS-related microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP -(SNB-EP, family 6, model 45, stepping 7) may lead to system instability. +(SNB-EP, family 6, model 45, stepping 7) may lead to system instability[1][2]. In order to address this, this microcode update is not used and the previous microcode revision is provided instead by default; the microcode file, however, is still shipped as part of microcode_ctl package and can be used for performing -a microcode update if it is enforced via the aforementioned overriddes. (See -sections "check_caveats script" and "reload_microcode script" for details.) +a microcode update if it is enforced via the aforementioned overrides. (See +the sections "check_caveats script" and "reload_microcode script" for details.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15 +[2] https://access.redhat.com/solutions/4593951 + +Caveat name: intel-06-2d-07 Affected microcode: intel-ucode/06-2d-07. Mitigation: previously published microcode revision 0x714 is used by default. +Intel Skylake-SP/W/X caveat +--------------------------- +Microcode revisions 0x2000065 and later for some CPU models that belong to +Intel Skylake Scalable Platform (SKL-W/X, family 6, model 85, stepping 4, +Workstation/HEDT segments) may lead to hangs during reboot[1]. In order +to address this, by default these microcode updates are not used +and the previous microcode revision is provided instead; the microcode file, +however, is still shipped as part of microcode_ctl package and can be used +for performing a microcode update if it is enforced via the aforementioned +overrides. (See the sections "check_caveats script" and "reload_microcode +script" for details.) 
+ +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 + +Caveat name: intel-06-55-04 + +Affected microcode: intel-ucode/06-55-04. + +Mitigation: previously published microcode revision 0x2000064 is used +by default. + + Additional information ====================== @@ -458,8 +529,7 @@ whether more recent BIOS/firmware updates are recommended because additional improvements may be available. Information regarding microcode revisions required for mitigating specific -microarchitectural side-channel attacks is available in the following -knowledge base articles: +Intel CPU vulnerabilities is available in the following knowledge base articles: * CVE-2017-5715 ("Spectre"): https://access.redhat.com/articles/3436091 * CVE-2018-3639 ("Speculative Store Bypass"): @@ -469,3 +539,8 @@ knowledge base articles: * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 ("Microarchitectural Data Sampling"): https://access.redhat.com/articles/4138151 + * CVE-2019-0117 (Intel SGX Information Leak), + CVE-2019-0123 (Intel SGX Privilege Escalation), + CVE-2019-11135 (TSX Asynchronous Abort), + CVE-2019-11139 (Voltage Setting Modulation): + https://access.redhat.com/solutions/2019-microcode-nov diff --git a/SOURCES/check_caveats b/SOURCES/check_caveats index 462d5412..f43fb4aa 100755 --- a/SOURCES/check_caveats +++ b/SOURCES/check_caveats 
@@ -132,6 +132,132 @@ check_kver() return 1 } +# It is needed for SKX[1] for which different product segments +# are differentiated by a value in the CAPID0 field of PCU registers +# device[2]. +# [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 +# [2] https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13 +# +# $1 - params in config file, space-spearated, in key=value form: +# domain=* - PCI domain, '*' or number +# bus=* - PCI bus, '*' or number +# device=* - PCI device, '*' or number +# function=* - PCI function, '*' or number +# vid= - PCI vendor ID, empty or number +# did= - PCI device ID, empty or number +# offset=0 - offset in configuration space +# size=4 - field size +# mask=0 - mask applied to the data read +# val=0 - comma-separated list of possible values +# mode=success-any [ success-ail, fail-any, fail-all ] - matching mode: +# success-any: Returns 0 if there was at least one match, otherwise 1. +# success-all: Returns 0 if there was at least one device checked and all +# the checked devices have matches, otherwise 1. +# fail-any: Returns 1 if there was at least one match, otherwise 0. +# fail-all: Returns 1 if there was at least one device checked and all +# the checked devices have matches, otherwise 0. +# $2 - whether model filter is engaged (if it is not '1', just return the result +# based on "mode" value that assumes that there were 0 checks/0 matches). 
+check_pci_config_val() +{ + local domain='*' bus='*' device='*' func='*' vid= did= + local offset=0 size=4 mask=0 val=0 mode=success-any + local checked=0 matched=0 path='' + local dev_path dev_vid dev_did dev_val + local opts="${1:-}" + local match_model="${2:0}" + + set -- $1 + while [ "$#" -gt 0 ]; do + [ "x${1#domain=}" = "x${1}" ] || domain="${1#domain=}" + [ "x${1#bus=}" = "x${1}" ] || bus="${1#bus=}" + [ "x${1#device=}" = "x${1}" ] || device="${1#device=}" + [ "x${1#function=}" = "x${1}" ] || func="${1#function=}" + [ "x${1#vid=}" = "x${1}" ] || vid="${1#vid=}" + [ "x${1#did=}" = "x${1}" ] || did="${1#did=}" + [ "x${1#offset=}" = "x${1}" ] || offset="${1#offset=}" + [ "x${1#size=}" = "x${1}" ] || size="${1#size=}" + [ "x${1#mask=}" = "x${1}" ] || mask="${1#mask=}" + [ "x${1#val=}" = "x${1}" ] || val="${1#val=}" + [ "x${1#mode=}" = "x${1}" ] || mode="${1#mode=}" + + shift + done + + path="$domain" + if [ "x$bus" = 'x*' ]; then + path="$path:$bus"; + else + path=$(printf '%s:%02x' "$path" "$bus") + fi + if [ "x$device" = 'x*' ]; then + path="$path:$device"; + else + path=$(printf '%s:%02x' "$path" "$device") + fi + if [ "x$func" = 'x*' ]; then + path="$path.$func"; + else + path=$(printf '%s.%01x' "$path" "$func") + fi + + # Normalise VID, DID + [ -n "$vid" ] || vid="$(printf '0x%04x' "$vid")" + [ -n "$did" ] || did="$(printf '0x%04x' "$did")" + + ( [ 1 != "$match_model" ] \ + || /usr/bin/find /sys/bus/pci/devices/ -maxdepth 1 -name "$path" \ + || : ) | ( + while read -r dev_path; do + # Filter VID, DID + if [ -n "$vid" ]; then + dev_vid=$(/bin/cat "$dev_path/vendor") + [ "x$vid" = "x$dev_vid" ] || continue + fi + if [ -n "$did" ]; then + dev_did=$(/bin/cat "$dev_path/device") + [ "x$did" = "x$dev_did" ] || continue + fi + + checked="$((checked + 1))" + + dev_val="$(/usr/bin/od -j "$offset" -N "$size" -A n \ + -t "u$size" "$dev_path/config")" + + val_rest="${val}" + while :; do + cur_val="${val_rest%%,*}" + if [ "$((dev_val & mask))" = "$((cur_val & mask))" ] 
+ then + matched="$((matched + 1))" + break + fi + [ "x${val_rest}" != "x${val_rest#*,}" ] || break + val_rest="${val_rest#*,}" + done + + case "$mode" in + success-any) [ "$matched" -eq 0 ] || { echo 0; exit; } ;; + success-all) [ "$matched" -eq "$checked" ] || { echo 1; exit; } ;; + fail-any) [ "$matched" -eq 0 ] || { echo 1; exit; } ;; + fail-all) [ "$matched" -eq "$checked" ] || { echo 0; exit; } ;; + *) echo 2; exit;; + esac + done + + debug "PCI config value check ($opts): checked $checked," \ + "matched $matched (model check is set to $match_model)" + + case "$mode" in + success-any) if [ "$matched" -eq 0 ]; then echo 1; else echo 0; fi ;; + success-all) if [ "$matched" -gt 0 -a "$matched" -eq "$checked" ]; then echo 0; else echo 1; fi ;; + fail-any) if [ "$matched" -eq 0 ]; then echo 0; else echo 1; fi ;; + fail-all) if [ "$matched" -gt 0 -a "$matched" -eq "$checked" ]; then echo 1; else echo 0; fi ;; + *) echo 2; exit;; + esac + ) +} + # Provides model in format "VENDOR_ID FAMILY-MODEL-STEPPING" # # We check only the first processor as we don't expect non-symmetrical setups @@ -182,7 +308,7 @@ fail() fail_paths="$fail_paths $cfg_path" [ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \ - || cat "${dir}/disclaimer" + || /bin/cat "${dir}/disclaimer" } #check_kver "$@" @@ -225,7 +351,7 @@ while getopts "dek:c:mv" opt; do esac done -: ${configs:=$(find "${MC_CAVEATS_DATA_DIR}" -maxdepth 1 -mindepth 1 -type d -printf "%f\n")} +: "${configs:=$(find "${MC_CAVEATS_DATA_DIR}" -maxdepth 1 -mindepth 1 -type d -printf "%f\n")}" cpu_model=$(get_model_string) cpu_model_name=$(get_model_name) @@ -273,6 +399,7 @@ for cfg in $(echo "${configs}"); do cfg_blacklist= cfg_mc_min_ver_late= cfg_disable= + cfg_pci= while read -r key value; do case "$key" in 
@@ -299,7 +426,17 @@ for cfg in $(echo "${configs}"); do ;; blacklist) cfg_blacklist=1 - break + ;; + pci_config_val) + cfg_pci="$cfg_pci + $value" + ;; + '#'*|'') + continue + ;; + *) + debug "Unknown key '$key' (value '$value') in config" \ + "'$cfg'" ;; esac done < "${dir}/config" @@ -388,12 +525,14 @@ for cfg in $(echo "${configs}"); do cfg_mc_present=0 for p in $(printf "%s" "$cfg_path"); do - find "$MC_CAVEATS_DATA_DIR/$cfg" \ - -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \ - | grep -zFxq "$cpu_mc_path" \ + { /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \ + -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0; + /bin/true; } \ + | /bin/grep -zFxq "$cpu_mc_path" \ || continue cfg_mc_present=1 + break done [ 1 = "$cfg_mc_present" ] || { @@ -478,6 +617,28 @@ for cfg in $(echo "${configs}"); do } fi + # Check PCI devices if model filter is enabled + # Note that the model filter check is done inside check_pci_config_val + # based on the 'mode=' parameter. + if [ -n "$cfg_pci" ]; then + pci_line="$(printf "%s\n" "$cfg_pci" | while read -r pci_line; do + [ -n "$pci_line" ] || continue + pci_res=$(check_pci_config_val "$pci_line" \ + "$match_model") + [ 0 != "$pci_res" ] || continue + echo "$pci_res $pci_line" + break + done + echo "0 ")" + + [ -z "${pci_line#* }" ] || { + debug "PCI configuration word check '${pci_line#* }'" \ + "failed (with return code ${pci_line%% *})" + fail + continue + } + fi + ok_cfgs="$ok_cfgs $cfg" ok_paths="$ok_paths $cfg_path" done diff --git a/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh b/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh index 8dc327a8..854e278a 100755 --- a/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh +++ b/SOURCES/dracut_99microcode_ctl-fw_dir_override_module_init.sh 
@@ -48,29 +48,6 @@ install() { dinfo " microcode_ctl: processing data directory " \ "\"$DATA_DIR/$i\"..." - if ! cc_out=$($check_caveats -e -k "$kernel" -c "$i" $verbose_opt) - then - dinfo " microcode_ctl: kernel version \"$kernel\"" \ - "failed early load check for \"$i\", skipping" - continue - fi - - path=$(printf "%s" "$cc_out" | sed -n 's/^paths //p') - [ -n "$path" ] || { - ignored=$(printf "%s" "$cc_out" | \ - sed -n 's/^skip_cfgs //p') - - if [ -n "$ignored" ]; then - dinfo " microcode_ctl: configuration" \ - "\"$i\" is ignored" - else - dinfo " microcode_ctl: no microcode paths" \ - "are associated with \"$i\", skipping" - fi - - continue - } - if [ "x" != "x$hostonly" ]; then do_skip_host_only=0 
@@ -92,55 +69,33 @@ install() { do_skip_host_only=1 fi - if [ 0 -eq "$do_skip_host_only" ]; then - local hostonly_passed=0 - local ucode - local uvendor - local ucode_dir="" - - ucode=$(get_ucode_file) - uvendor=$(get_cpu_vendor) - - case "$uvendor" in - Intel) - ucode_dir="intel-ucode" - ;; - AMD) - ucode_dir="amd-ucode" - ;; - *) - dinfo " microcode_ctl: unknown CPU" \ - "vendor: \"$uvendor\", bailing out of" \ - "Host-Only check" - continue - ;; - esac - - # $path is a list of globs, so it needs special care - for p in $(printf "%s" "$path"); do - find "$DATA_DIR/$i" -path "$DATA_DIR/$i/$p" \ - -print0 \ - | grep -zFxq \ - "$DATA_DIR/$i/$ucode_dir/$ucode" \ - || continue - - dinfo " microcode_ctl: $i: Host-Only" \ - "mode is enabled and" \ - "\"$ucode_dir/$ucode\" matches \"$p\"" - - hostonly_passed=1 - break - done + match_model_opt="" + [ 1 = "$do_skip_host_only" ] || match_model_opt="-m" - [ 1 -eq "$hostonly_passed" ] || { - dinfo " microcode_ctl: $i: Host-Only mode" \ - "is enabled and ucode name does not" \ - "match the expected one, skipping" \ - "caveat (\"$ucode\" not in \"$path\")" - continue - } + if ! cc_out=$($check_caveats -e -k "$kernel" -c "$i" \ + $verbose_opt $match_model_opt) + then + dinfo " microcode_ctl: kernel version \"$kernel\"" \ + "failed early load check for \"$i\", skipping" + continue fi + path=$(printf "%s" "$cc_out" | sed -n 's/^paths //p') + [ -n "$path" ] || { + ignored=$(printf "%s" "$cc_out" | \ + sed -n 's/^skip_cfgs //p') + + if [ -n "$ignored" ]; then + dinfo " microcode_ctl: configuration" \ + "\"$i\" is ignored" + else + dinfo " microcode_ctl: no microcode paths" \ + "are associated with \"$i\", skipping" + fi + + continue + } + dinfo " microcode_ctl: $i: caveats check for kernel" \ "version \"$kernel\" passed, adding" \ "\"$DATA_DIR/$i\" to fw_dir variable" diff --git a/SOURCES/gen_provides.sh b/SOURCES/gen_provides.sh index 0ecf7aac..5e2a2a41 100755 --- a/SOURCES/gen_provides.sh +++ b/SOURCES/gen_provides.sh 
@@ -1,4 +1,4 @@ -#! /bin/bash -efux +#! /bin/bash -efu # Generator of RPM "Provides:" tags for Intel microcode files. # 
@@ -21,31 +21,75 @@ for f in $(grep -E '/intel-ucode.*/[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0- ucode_fname="$ucode_caveat/$ucode" file_sz="$(stat -c "%s" "$f")" skip=0 + ext_hdr=0 + ext_sig_cnt=0 + ext_sig_pos=0 + next_skip=0 + # Microcode header format description: + # https://gitlab.com/iucode-tool/iucode-tool/blob/master/intel_microcode.c while :; do [ "$skip" -lt "$file_sz" ] || break - # Microcode header format description: - # https://gitlab.com/iucode-tool/iucode-tool/blob/master/intel_microcode.c - IFS=' ' read hdrver rev \ - date_y date_d date_m \ - cpuid cksum ldrver \ - pf_mask datasz totalsz <<- EOF - $(dd if="$f" bs=1 skip="$skip" count=36 status=none \ - | hexdump -e '"" 1/4 "%u " 1/4 "%#x " \ - 1/2 "%04x " 1/1 "%02x " 1/1 "%02x " \ - 1/4 "%08x " 1/4 "%x " 1/4 "%#x " \ - 1/4 "%u " 1/4 "%u " 1/4 "%u" "\n"') - EOF - - [ 0 != "$datasz" ] || datasz=2000 - [ 0 != "$totalsz" ] || totalsz=2048 - - # TODO: add some sanity/safety checks here. As of now, there's - # a (pretty fragile) assumption that all the matched files - # are valid Intel microcode files in the expected format. - - skip=$((skip + totalsz)) + # Do we parse ext_sig table or another microcode header? 
+ if [ 0 != "$next_skip" ]; then + # Check whether we should abort ext_sig table parsing + [ \( "${skip}" -lt "${next_skip}" \) -a \ + \( "${ext_sig_pos}" -lt "${ext_sig_cnt}" \) ] || { + skip="${next_skip}" + next_skip=0 + continue + } + + # ext_sig, 12 bytes in size + IFS=' ' read cpuid pf_mask <<- EOF + $(hexdump -s "$skip" -n 8 \ + -e '"" 1/4 "%08x " 1/4 "%u" "\n"' "$f") + EOF + + skip="$((skip + 12))" + ext_sig_pos="$((ext_sig_pos + 1))" + else + # Microcode header, 48 bytes, last 3 fields reserved + IFS=' ' read hdrver rev \ + date_y date_d date_m \ + cpuid cksum ldrver \ + pf_mask datasz totalsz <<- EOF + $(hexdump -s "$skip" -n 36 \ + -e '"" 1/4 "%u " 1/4 "%#x " \ + 1/2 "%04x " 1/1 "%02x " 1/1 "%02x " \ + 1/4 "%08x " 1/4 "%x " 1/4 "%#x " \ + 1/4 "%u " 1/4 "%u " 1/4 "%u" "\n"' "$f") + EOF + + [ 0 != "$datasz" ] || datasz=2000 + [ 0 != "$totalsz" ] || totalsz=2048 + + # TODO: add some sanity/safety checks here. As of now, + # there's a (pretty fragile) assumption that all + # the matched files are valid Intel microcode + # files in the expected format. + + # ext_sig table is after the microcode payload, + # check for its presence + if [ 48 -lt "$((totalsz - datasz))" ]; then + next_skip="$((skip + totalsz))" + skip="$((skip + datasz + 48))" + ext_sig_pos=0 + + # ext_sig table header, 20 bytes in size, + # last 3 fields are reserved. + IFS=' ' read ext_sig_cnt <<- EOF + $(hexdump -s "$skip" -n 4 \ + -e '"" 1/4 "%u" "\n"' "$f") + EOF + + skip="$((skip + 20))" + else + skip="$((skip + totalsz))" + next_skip=0 + fi + fi #[ -n "$rev" ] || continue diff --git a/SOURCES/intel_config b/SOURCES/intel_config index d37878d7..1f47b87c 100644 --- a/SOURCES/intel_config +++ b/SOURCES/intel_config @@ -1,5 +1,5 @@ path intel-ucode/* -vendor_id GenuineIntel +vendor GenuineIntel kernel_early 4.10.0 kernel_early 3.10.0-930 kernel_early 3.10.0-862.14.1 
diff --git a/SOURCES/microcode_ctl-use-microcode-20200602-tgz.patch b/SOURCES/microcode_ctl-use-microcode-20200602-tgz.patch new file mode 100644 index 00000000..d10700ed --- /dev/null +++ b/SOURCES/microcode_ctl-use-microcode-20200602-tgz.patch @@ -0,0 +1,13 @@ +Index: microcode_ctl-2.1-18/Makefile +=================================================================== +--- microcode_ctl-2.1-18.orig/Makefile 2018-07-24 09:15:12.463115045 +0200 ++++ microcode_ctl-2.1-18/Makefile 2018-08-09 06:18:45.524503945 +0200 +@@ -8,7 +8,7 @@ + # 2 of the License, or (at your option) any later version. + + PROGRAM = intel-microcode2ucode +-MICROCODE_INTEL = microcode-20180703.tgz ++MICROCODE_INTEL = microcode-20200602.tar.gz + + INS = install + CC = gcc diff --git a/SPECS/microcode_ctl.spec b/SPECS/microcode_ctl.spec index 8e8f528d..78e63d59 100644 --- a/SPECS/microcode_ctl.spec +++ b/SPECS/microcode_ctl.spec @@ -1,6 +1,5 @@ %define upstream_version 2.1-18 -%define intel_ucode_version 20191112 -%define intel_ucode_file_id 28727 +%define intel_ucode_version 20200602 %define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats %define microcode_ctl_libexec %{_libexecdir}/microcode_ctl 
@@ -22,16 +21,19 @@ Summary: Tool to transform and deploy CPU microcode update for x86. Name: microcode_ctl Version: 2.1 -Release: 53.3%{?dist} +Release: 61.6%{?dist} Epoch: 2 Group: System Environment/Base License: GPLv2+ and Redistributable, no modification permitted URL: https://pagure.io/microcode_ctl Source0: https://releases.pagure.org/microcode_ctl/%{name}-%{upstream_version}.tar.xz -Source1: microcode-%{intel_ucode_version}.pre.tar.gz +Source1: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-%{intel_ucode_version}.tar.gz # (Pre-MDS) revision 0x714 of 06-2d-07 microcode Source2: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190514/intel-ucode/06-2d-07 +# (Pre-20191112) revision 0x2000064 of 06-55-04 microcode +Source3: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/microcode-20190918/intel-ucode/06-55-04 + # systemd unit Source10: microcode.service @@ -72,6 +74,12 @@ Source120: 06-2d-07_readme Source121: 06-2d-07_config Source122: 06-2d-07_disclaimer +# SKL-SP/W/X (CPUID 0x50654) post-20191112 hangs +# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 +Source130: 06-55-04_readme +Source131: 06-55-04_config +Source132: 06-55-04_disclaimer + # "Provides:" RPM tags generator Source200: gen_provides.sh @@ -86,10 +94,13 @@ Patch6: microcode_ctl-ignore-first-directory-level-in-archive.patch Buildroot: %{_tmppath}/%{name}-%{version}-root ExclusiveArch: %{ix86} x86_64 BuildRequires: systemd-units -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd -Requires(posttrans): kernel +# hexdump is used in gen_provides.sh +BuildRequires: coreutils util-linux +Requires: coreutils +Requires(post): systemd coreutils +Requires(preun): systemd coreutils +Requires(postun): systemd coreutils +Requires(posttrans): dracut coreutils %global _use_internal_dependency_generator 0 %define __find_provides "%{SOURCE200}" 
@@ -104,6 +115,10 @@ back to the old microcode. %prep %setup -q -n %{name}-%{upstream_version} + +tar xf "%{SOURCE1}" --wildcards --strip-components=1 \ + \*/intel-ucode-with-caveats \*/license \*/releasenote + %patch1 -p1 %patch2 -p1 @@ -131,18 +146,19 @@ make CFLAGS="$RPM_OPT_FLAGS" %{?_smp_mflags} #find intel-ucode -type f | sed 's/^/%%ghost \/lib\/firmware\//' > ghost_list touch ghost_list -tar xf "%{SOURCE1}" --wildcards --strip-components=1 \ - \*/intel-ucode-with-caveats \*/license \*/releasenote - # replacing SNB-EP (CPUID 0x206d7) microcode with pre-MDS version mv intel-ucode/06-2d-07 intel-ucode-with-caveats/ cp "%{SOURCE2}" intel-ucode/ +# replacing SKL-SP/W/X (CPUID 0x50654) microcode with pre-20191112 version +mv intel-ucode/06-55-04 intel-ucode-with-caveats/ +cp "%{SOURCE3}" intel-ucode/ + # man page sed "%{SOURCE40}" \ -e "s/@DATE@/2019-05-09/g" \ -e "s/@VERSION@/%{version}-%{release}/g" \ - -e "s|@MICROCODE_URL@|https://downloadcenter.intel.com/download/%{intel_ucode_file_id}|g" > "%{i_m2u_man}" + -e "s|@MICROCODE_URL@|https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files|g" > "%{i_m2u_man}" %install rm -rf %{buildroot} @@ -188,7 +204,7 @@ install -m 644 releasenote \ "%{buildroot}/%{_pkgdocdir}/RELEASE_NOTES.intel-ucode" # caveats -install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" \ +install -m 644 "%{SOURCE100}" "%{SOURCE110}" "%{SOURCE120}" "%{SOURCE130}" \ -t "%{buildroot}/%{_pkgdocdir}/caveats/" # Man page 
@@ -222,9 +238,18 @@ install -m 644 "%{SOURCE120}" "%{snb_inst_dir}/readme" install -m 644 "%{SOURCE121}" "%{snb_inst_dir}/config" install -m 644 "%{SOURCE122}" "%{snb_inst_dir}/disclaimer" +# SKL-SP caveat +%define skl_inst_dir %{buildroot}/%{caveat_dir}/intel-06-55-04/ +install -m 755 -d "%{skl_inst_dir}/intel-ucode" +install -m 644 intel-ucode-with-caveats/06-55-04 -t "%{skl_inst_dir}/intel-ucode/" +install -m 644 "%{SOURCE130}" "%{skl_inst_dir}/readme" +install -m 644 "%{SOURCE131}" "%{skl_inst_dir}/config" +install -m 644 "%{SOURCE132}" "%{skl_inst_dir}/disclaimer" + # Cleanup rm -f intel-ucode-with-caveats/06-4f-01 rm -f intel-ucode-with-caveats/06-2d-07 +rm -f intel-ucode-with-caveats/06-55-04 rmdir intel-ucode-with-caveats rm -rf intel-ucode 
@@ -250,14 +275,113 @@ exit 0 # dependency, it is pointless at best to regenerate the initramfs, # and also does not work with rpm-ostree: # https://bugzilla.redhat.com/show_bug.cgi?id=1199582 +# https://bugzilla.redhat.com/show_bug.cgi?id=1530400 +[ -d /run/systemd/system ] || exit 0 + +# We can't simply update all initramfs images, since "dracut --regenerate-all" +# generates initramfs even for removed kernels and if dracut generates botched +# initramfs image, that results in unbootable system, even with older kernels +# that can't be used as a fallback: +# https://bugzilla.redhat.com/show_bug.cgi?id=1420180 +# https://access.redhat.com/support/cases/#/case/01779274 +# https://access.redhat.com/support/cases/#/case/01814106 # -# Also check that the running kernel is actually installed: -# https://bugzilla.redhat.com/show_bug.cgi?id=1591664 -# We use the presence of symvers file as an indicator, the check similar -# to what weak-modules script does. -if [ -d /run/systemd/system -a -e "/boot/symvers-$(uname -r).gz" ]; then - dracut -f -fi +# ...and we can't simply limit ourselves to updating only the currently +# running kernel, as this doesn't work well with cases where kernel +# is installed before the updated microcode, or in the same transaction. +# And we can't rely on late update either, due to issues like this: +# https://bugzilla.redhat.com/show_bug.cgi?id=1710445 +# +# ...and there are also issues with setups with increased "installonly_limit" +# in /etc/yum.conf, which could lead to unacceptably long package installation +# times. +# +# So, in the end, we try to grab no more than 2 most recently installed kernels +# that are installed after the currently running one (with the currently running +# kernel that makes up to 3 in total, the default "installonly_limit" value) +# as a kernel package selection heuristic that tries to accomodate both the need +# to put the latest microcode in freshly installed kernels and also addresses +# existing concerns. 
+# +# For RPM selection, kernel flavours (like "debug" or "kdump" or "zfcp", +# with only the former being relevant to x86 architecture) are a part or RPM +# name; it's also a part of uname, with different separator used in RHEL 6/7 +# and RHEL 8. RT kernel, however, is special, as "rt" is another part +# of RPM name and it has its own versioning scheme both in NVR and uname. +# And there's the kernel package split in RHEL 8, so one should look for *-core +# and not the main package. +pkgs="kernel kernel-debug kernel-rt kernel-rt-debug" +qf='%%{NAME} %%{VERSION}-%%{RELEASE}.%%{ARCH} %%{installtime}\n' +: "${MICROCODE_RPM_KVER_LIMIT=2}" + +rpm -qa --qf "${qf}" ${pkgs} | sort -r -n -k'3,3' | { + kver_cnt=0 + processed="" + skipped="" + skip=0 + + while read -r pkgname vra install_ts; do + flavour='' + + # For x86, only "debug" flavour exists in RHEL 8 + [ "x${pkgname%*-debug}" = "x${pkgname}" ] \ + || flavour='.debug' + + kver_cnt="$((kver_cnt + 1))" + kver_uname="${vra}${flavour}" + + # Also check that the kernel is actually installed: + # https://bugzilla.redhat.com/show_bug.cgi?id=1591664 + # We use the presence of symvers file as an indicator, the check + # similar to what weak-modules script does. + # + # XXX: Not sure if this check is still needed, since we now + # iterate over the rpm output. + [ -e "/boot/symvers-${kver_uname}.gz" ] || continue + # Check that modules.dep for the kernel is present as well, + # otherwise dracut complains with "/lib/modules/.../modules.dep + # is missing. Did you run depmod?". 
+ [ -e "/lib/modules/${kver_uname}/modules.dep" ] || continue + + # We update the kernels with the same uname as the running kernel + # regardless of the selected limit + if [ "x$(uname -r)" = "x${kver_uname}" \ + -o \( "${kver_cnt}" -le "${MICROCODE_RPM_KVER_LIMIT}" \ + -a "${skip}" = 0 \) ] + then + dracut -f --kver "${kver_uname}" + + processed="${processed} ${pkgname}-${vra}" + else + skipped="${skipped} ${pkgname}-${vra}" + fi + + # The packages are processed until a package with the same uname + # as the running kernel is hit (since they are sorted + # in the descending installation time stamp older). + [ "x$(uname -r)" != "x${kver_uname}" ] || skip=1 + done + + if [ -n "${skipped}" ]; then + skip_msg="After installation of a new version of microcode_ctl package, +initramfs hasn't been re-generated for all the installed kernel packages. +The following kernel packages have been skipped:${skipped}. +Please re-generate initramfs manually for these kernel packages with the +\"dracut -f --kver KERNEL_VERSION\" command in order to get the latest +Intel CPU microcode included into early initramfs image for it, if needed." + + if [ -e /usr/bin/logger ]; then + echo "${skip_msg}" | + /usr/bin/logger -p syslog.notice -t microcode_ctl + fi + + if [ -e /dev/kmsg ]; then + echo "${skip_msg}" > /dev/kmsg + fi + fi +} + +exit 0 %global rpm_state_dir %{_localstatedir}/lib/rpm-state @@ -294,7 +418,7 @@ if [ -e "%{update_ucode}" ]; then %{update_ucode} --action remove --cleanup \ "%{rpm_state_dir}/microcode_ctl_un_intel-ucode_diff" \ - "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_diff" || exit 0 + "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_diff" || : rm -f "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_after" rm -f "%{rpm_state_dir}/microcode_ctl_un_ucode_caveats_diff" 
@@ -327,10 +451,10 @@ rm -f "%{rpm_state_dir}/microcode_ctl_un_file_list" exit 0 -%triggerin -- kernel +%triggerin -- kernel, kernel-debug, kernel-rt, kernel-rt-debug %{update_ucode} -%triggerpostun -- kernel +%triggerpostun -- kernel, kernel-debug, kernel-rt, kernel-rt-debug %{update_ucode} 
@@ -350,10 +474,124 @@ rm -rf %{buildroot} %changelog -* Thu Nov 07 2019 Eugene Syromiatnikov - 2:2.1-53.3 +* Thu Jun 04 2020 Eugene Syromiatnikov - 2:2.1-61.6 +- Avoid temporary file creation, used for here-documents in check_caveats. + +* Thu Jun 04 2020 Eugene Syromiatnikov - 2:2.1-61.5 +- Update Intel CPU microcode to microcode-20200602 release, addresses + CVE-2020-0543, CVE-2020-0548, CVE-2020-0549 (#1827189): + - Update of 06-2d-06/0x6d (SNB-E/EN/EP C1/M0) microcode from revision 0x61f + up to 0x621; + - Update of 06-2d-07/0x6d (SNB-E/EN/EP C2/M1) microcode from revision 0x718 + up to 0x71a; + - Update of 06-3c-03/0x32 (HSW C0) microcode from revision 0x27 up to 0x28; + - Update of 06-3d-04/0xc0 (BDW-U/Y E0/F0) microcode from revision 0x2e + up to 0x2f; + - Update of 06-45-01/0x72 (HSW-U C0/D0) microcode from revision 0x25 + up to 0x26; + - Update of 06-46-01/0x32 (HSW-H C0) microcode from revision 0x1b up to 0x1c; + - Update of 06-47-01/0x22 (BDW-H/Xeon E3 E0/G0) microcode from revision 0x21 + up to 0x22; + - Update of 06-4e-03/0xc0 (SKL-U/Y D0) microcode from revision 0xd6 + up to 0xdc; + - Update of 06-55-03/0x97 (SKX-SP B1) microcode from revision 0x1000151 + up to 0x1000157; + - Update of 06-55-04/0xb7 (SKX-SP H0/M0/U0, SKX-D M1) microcode + (in intel-06-55-04/intel-ucode/06-55-04) from revision 0x2000065 + up to 0x2006906; + - Update of 06-55-06/0xbf (CLX-SP B0) microcode from revision 0x400002c + up to 0x4002f01; + - Update of 06-55-07/0xbf (CLX-SP B1) microcode from revision 0x500002c + up to 0x5002f01; + - Update of 06-5e-03/0x36 (SKL-H/S R0/N0) microcode from revision 0xd6 + up to 0xdc; + - Update of 06-7e-05/0x80 (ICL-U/Y D1) microcode from revision 0x46 + up to 0x78; + - Update of 06-8e-09/0x10 (AML-Y22 H0) microcode from revision 0xca + up to 0xd6; + - Update of 06-8e-09/0xc0 (KBL-U/Y H0) microcode from revision 0xca + up to 0xd6; + - Update of 06-8e-0a/0xc0 (CFL-U43e D0) microcode from revision 0xca + up to 0xd6; + - Update of 06-8e-0b/0xd0 
(WHL-U W0) microcode from revision 0xca + up to 0xd6; + - Update of 06-8e-0c/0x94 (AML-Y42 V0, CML-Y42 V0, WHL-U V0) microcode + from revision 0xca up to 0xd6; + - Update of 06-9e-09/0x2a (KBL-G/H/S/X/Xeon E3 B0) microcode from revision + 0xca up to 0xd6; + - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E3 U0) microcode from revision 0xca + up to 0xd6; + - Update of 06-9e-0b/0x02 (CFL-S B0) microcode from revision 0xca up to 0xd6; + - Update of 06-9e-0c/0x22 (CFL-H/S P0) microcode from revision 0xca + up to 0xd6; + - Update of 06-9e-0d/0x22 (CFL-H R0) microcode from revision 0xca up to 0xd6. +- Change the URL in the intel-microcode2ucode.8 to point to the GitHub + repository since the microcode download section at Intel Download Center + does not exist anymore. + +* Thu Jun 04 2020 Eugene Syromiatnikov - 2:2.1-61.4 +- Narrow down SKL-SP/W/X blacklist to exclude Server/FPGA/Fabric segment + models. + +* Thu Jun 04 2020 Eugene Syromiatnikov - 2:2.1-61.3 +- Re-generate initramfs not only for the currently running kernel, + but for several recently installed kernels as well. + +* Thu Jun 04 2020 Eugene Syromiatnikov - 2:2.1-61.2 +- Avoid find being SIGPIPE'd on early "grep -q" exit in the dracut script. + +* Thu Jun 04 2020 Eugene Syromiatnikov - 2:2.1-61.1 +- Update stale posttrans dependency, add triggers for proper handling + of the debug kernel flavour along with kernel-rt. + +* Wed Nov 20 2019 Eugene Syromiatnikov - 2:2.1-61 +- Do not update 06-55-04 (SKL-SP/W/X) to revision 0x2000065, use 0x2000064 + by default (#1774329). 
+ +* Sat Nov 16 2019 Eugene Syromiatnikov - 2:2.1-60 +- Update Intel CPU microcode to microcode-20191115 release: + - Update of 06-4e-03/0xc0 (SKL-U/Y D0) from revision 0xd4 up to 0xd6; + - Update of 06-5e-03/0x36 (SKL-H/S/Xeon E3 R0/N0) from revision 0xd4 + up to 0xd6; + - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) from revision 0xc6 up to 0xca; + - Update of 06-8e-09/0xc0 (KBL-U/Y H0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0a/0xc0 (CFL-U 4+3e D0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0b/0xd0 (WHL-U W0) from revision 0xc6 up to 0xca; + - Update of 06-8e-0c/0x94 (AML-Y V0, CML-U 4+2 V0, WHL-U V0) from revision + 0xc6 up to 0xca; + - Update of 06-9e-09/0x2a (KBL-G/X H0, KBL-H/S/Xeon E3 B0) from revision 0xc6 + up to 0xca; + - Update of 06-9e-0a/0x22 (CFL-H/S/Xeon E U0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0b/0x02 (CFL-S B0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0c/0x22 (CFL-S/Xeon E P0) from revision 0xc6 up to 0xca; + - Update of 06-9e-0d/0x22 (CFL-H/S R0) from revision 0xc6 up to 0xca; + - Update of 06-a6-00/0x80 (CML-U 6+2 A0) from revision 0xc6 up to 0xca. + +* Fri Nov 15 2019 Eugene Syromiatnikov - 2:2.1-59 +- Update Intel CPU microcode to microcode-20191113 release: + - Update of 06-9e-0c (CFL-H/S P0) microcode from revision 0xae up to 0xc6. +- Drop 0001-releasenote-changes-summary-fixes.patch. 
+ +* Tue Nov 12 2019 Eugene Syromiatnikov - 2:2.1-58 +- Package the publicy available microcode-20191112 release (#1755025): + - Addition of 06-4d-08/0x1 (AVN B0/C0) microcode at revision 0x12d; + - Addition of 06-55-06/0xbf (CSL-SP B0) microcode at revision 0x400002c; + - Addition of 06-7a-08/0x1 (GLK R0) microcode at revision 0x16; + - Update of 06-55-03/0x97 (SKL-SP B1) microcode from revision 0x1000150 + up to 0x1000151; + - Update of 06-55-04/0xb7 (SKL-SP H0/M0/U0, SKL-D M1) microcode from revision + 0x2000064 up to 0x2000065; + - Update of 06-55-07/0xbf (CSL-SP B1) microcode from revision 0x500002b + up to 0x500002c; + - Update of 06-7a-01/0x1 (GLK B0) microcode from revision 0x2e up to 0x32; +- Include 06-9e-0c (CFL-H/S P0) microcode from the microcode-20190918 release. +- Correct the releasenote file (0001-releasenote-changes-summary-fixes.patch). +- Update README.caveats with the link to the new Knowledge Base article. + +* Thu Nov 07 2019 Eugene Syromiatnikov - 2:2.1-57 - Intel CPU microcode update to 20191112, addresses CVE-2017-5715, - CVE-2019-0117, CVE-2019-11135, CVE-2019-11139 (#1764050, #1764070, #1764949, - #1764969, #1764997, #1765401, #1765413, #1766438, #1766870, #1769889): + CVE-2019-0117, CVE-2019-11135, CVE-2019-11139 (#1755025, #1764058, #1764071, + #1764950, #1764970, #1764998, #1765402, #1765414, #1766439, #1766871): - Addition of 06-a6-00/0x80 (CML-U 6+2 A0) microcode at revision 0xc6; - Addition of 06-66-03/0x80 (CNL-U D0) microcode at revision 0x2a; - Addition of 06-55-03/0x97 (SKL-SP B1) microcode at revision 0x1000150; 
@@ -376,17 +614,19 @@ rm -rf %{buildroot} to 0xc6; - Update of 06-9e-0b/0x02 (CFL-S B0) microcode from revision 0xb4 to 0xc6; - Update of 06-9e-0d/0x22 (CFL-H R0) microcode from revision 0xb8 to 0xc6. + +* Thu Oct 10 2019 Eugene Syromiatnikov - 2:2.1-56 - Rework dracut hook to address dracut's early initramfs generation - behaviour. + behaviour (#1769413). -* Sun Oct 06 2019 Eugene Syromiatnikov - 2:2.1-53.2 +* Sun Oct 06 2019 Eugene Syromiatnikov - 2:2.1-55 - Do not update 06-2d-07 (SNB-E/EN/EP) to revision 0x718, use 0x714 by default. -* Thu Sep 19 2019 Eugene Syromiatnikov - 2:2.1-53.1 +* Thu Sep 19 2019 Eugene Syromiatnikov - 2:2.1-54 - Intel CPU microcode update to 20190918. - Add new disclaimer, generated based on relevant caveats. -- Resolves: #1758572. +- Resolves: #1753541. * Wed Jun 19 2019 Eugene Syromiatnikov - 2:2.1-53 - Intel CPU microcode update to 20190618.
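Review bot: In the spec hunk at @@ -327,10 +451,10, the flavour list "kernel, kernel-debug, kernel-rt, kernel-rt-debug" is written out twice, once on the %triggerin line and once on the %triggerpostun line, so a flavour added to one of them later can be missed on the other and %{update_ucode} would then not run for that flavour on install or on removal. Consider defining the list once in a spec macro and using that macro on both trigger lines, with a short comment saying which kernel packages it is meant to cover.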
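Review bot: In the %changelog hunk at @@ -350,10 +474,124, the 2:2.1-61.5 entry does not say whether the 06-55-04 update is applied by default. It lists 06-55-04 going from revision 0x2000065 up to 0x2006906 "in intel-06-55-04/intel-ucode/06-55-04", while the 2:2.1-61 entry says 0x2000065 is not used by default (0x2000064 is) and the 2:2.1-61.4 entry narrows the SKL-SP/W/X blacklist, so a reader cannot tell from the changelog which of these models load 0x2006906 without further action and which stay on the older revision. State the default behaviour in the 61.5 entry the way the 2:2.1-61 entry does, since this release is the one that addresses CVE-2020-0543, CVE-2020-0548 and CVE-2020-0549. Separately, "publicy" in the 2:2.1-58 entry should read "publicly", and the entry previously recorded as 2:2.1-53.3 is renumbered to 2:2.1-57 with a different bug list, which deserves a line of explanation.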
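Review bot: In the %changelog hunk at @@ -376,17 +614,19, entries the previous spec recorded as 2:2.1-53.1 and 2:2.1-53.2 are renumbered to 2:2.1-54 and 2:2.1-55 and the "Resolves:" reference changes from #1758572 to #1753541, with nothing in the hunk explaining the change. The dracut hook rework is also moved out of the Nov 07 entry into a new 2:2.1-56 entry dated Oct 10 2019 with (#1769413) appended. Someone auditing a host that reports a 53.x release can no longer match it to an entry in this changelog, so either keep the old release numbers visible next to the new ones or explain the renumbering and the changed bug references in the commit message.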