diff --git a/SPECS/06-55-04 b/SPECS/06-55-04 index 754d081..d78784a 100644 Binary files a/SPECS/06-55-04 and b/SPECS/06-55-04 differ diff --git a/SPECS/06-55-04.20190918 b/SPECS/06-55-04.20190918 new file mode 100644 index 0000000..754d081 Binary files /dev/null and b/SPECS/06-55-04.20190918 differ diff --git a/SPECS/06-55-04_readme b/SPECS/06-55-04_readme index 5df5775..822e7a0 100644 --- a/SPECS/06-55-04_readme +++ b/SPECS/06-55-04_readme @@ -10,7 +10,12 @@ Since revision 0x2006906 (included with the microcode-20200609 release) it is reported that the issue is no longer present, so the newer microcode revision is enabled by default now (but can be disabled explicitly; see below). +Revision 0x2006a08 (included since the microcode-20201110 release) exhibits +a different issue on some systems, so it is controlled by 06-55-0x-ipu-2020.2 +caveat; please refer to [2] for details. + [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 +[2] /usr/share/doc/microcode_ctl/caveats/06-55-0x-ipu-2020.2_readme For the reference, SHA1 checksums of 06-55-04 microcode files containing microcode revisions in question are listed below: diff --git a/SPECS/06-55-06 b/SPECS/06-55-06 new file mode 100644 index 0000000..e0cfe7a Binary files /dev/null and b/SPECS/06-55-06 differ diff --git a/SPECS/06-55-07 b/SPECS/06-55-07 new file mode 100644 index 0000000..0ca9df0 Binary files /dev/null and b/SPECS/06-55-07 differ diff --git a/SPECS/06-55-0x-ipu-2020.2_config b/SPECS/06-55-0x-ipu-2020.2_config new file mode 100644 index 0000000..80aa372 --- /dev/null +++ b/SPECS/06-55-0x-ipu-2020.2_config 
@@ -0,0 +1,20 @@ +path intel-ucode/* +vendor GenuineIntel +## It is deemed that blocking the SKX/CLX microcode update on all hardware +## in cases where no model filter is used is too broad, hence +## no-model-mode=success. +## https://bugzilla.redhat.com/1902884 https://bugzilla.redhat.com/1905111 +dmi mode=fail-equal no-model-mode=success key=product_name val="Superdome Flex" +## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/45 +dmi mode=fail-equal no-model-mode=success key=product_name val="SYS-2029TP-HTR/X11DPT-PS" +## The "kernel_early" statements are carried over from the intel caveat config +## in order to avoid enabling this newer microcode on these problematic kernels; +## see the caveat description in /usr/share/doc/microcode_ctl/caveats/intel_readme +## (That also means that this caveat has to be enforced separately on these +## kernels.) +kernel_early 4.10.0 +kernel_early 3.10.0-930 +kernel_early 3.10.0-862.14.1 +kernel_early 3.10.0-693.38.1 +kernel_early 3.10.0-514.57.1 +kernel_early 3.10.0-327.73.1 diff --git a/SPECS/06-55-0x-ipu-2020.2_disclaimer b/SPECS/06-55-0x-ipu-2020.2_disclaimer new file mode 100644 index 0000000..788f089 --- /dev/null +++ b/SPECS/06-55-0x-ipu-2020.2_disclaimer @@ -0,0 +1,6 @@ +Latest microcode updates for Intel Skylake/Cascade Lake Scalable Platform CPUs +(family 6, model 85, steppings 4, 6, and 7; CPUID 0x50654/0x50656/0x50657) +are disabled on some systems as these updates may cause system instability; +microcode from the previous microcode-20200609 release is used instead. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-0x-ipu-2020.2_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SPECS/06-55-0x-ipu-2020.2_readme b/SPECS/06-55-0x-ipu-2020.2_readme new file mode 100644 index 0000000..11324a7 --- /dev/null +++ b/SPECS/06-55-0x-ipu-2020.2_readme 
@@ -0,0 +1,83 @@ +Latest microcode updates for Intel Skylake/Cascade Lake Scalable Platform CPUs +(family 6, model 85, steppings 4, 6, and 7; CPUID 0x50654/0x50656/0x50657) +may cause system instability on some systems, namely, HPE Superdome Flex +and Supermicro systems, when an update is performed with the resivions +that come with microcode-20201110 release, so the previously released microcode +(with revisions 0x2006906, 0x4001f01, and 0x5002f01, respectively) +from microcode-20200609 release are used on these systems by default instead +for the OS-driven microcode update. + +For the reference, SHA1 checksums of the relevant microcode files containing +microcode revisions in question are listed below: + * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967 + * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212 + + * 06-55-06, revision 0x4004f01: 8affd949151a0badd3f71e23cf9ad668d4c1d82f + * 06-55-06, revision 0x4003003: b187866d2570f90ea69f434c2b012a8c88d85f43 + + * 06-55-07, revision 0x5002f01: a7121c5f49753cc783f82135e268bc4efe85d4be + * 06-55-07, revision 0x5003003: 74e129b108e676f0286742f609b2c1fa65d73db1 + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. For the information regarding microcode versions +required for mitigating specific side-channel cache attacks, please refer +to the following knowledge base articles: + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 + +The information regarding enforcing microcode update is provided below. 
+ +To enforce usage of the latest microcode revision for a specific kernel +version, please create a file "force-intel-06-55-0x-ipu-2020.2" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory +where microcode will be available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated and the microcode can be loaded early, for example: + + touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-0x-ipu-2020.2 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +After that, it is possible to perform a late microcode update by executing +"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to +"/sys/devices/system/cpu/microcode/reload" directly. + +To disallow usage of the latest microcode revision for a specific kernel +version, please create a file "disallow-intel-06-55-0x-ipu-2020.2" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory +used for late microcode updates, and run "dracut -f --kver ", +so initramfs for this kernel version is regenerated, for example: + + touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-0x-ipu-2020.2 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +To enforce addition of this microcode for all kernels, please create a file +"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-0x-ipu-2020.2", run +"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, +and "dracut -f --regenerate-all" for enabling early microcode updates: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-0x-ipu-2020.2 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +To disallow usage of the latest microcode revision for all kernels, please +create a file 
+"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-0x-ipu-2020.2", +run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories +used for late microcode updates, and run "dracut -f --regenerate-all" +so initramfs images get regenerated, for example: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-0x-ipu-2020.2 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. diff --git a/SPECS/README.caveats b/SPECS/README.caveats index d18c2a5..b177eed 100644 --- a/SPECS/README.caveats +++ b/SPECS/README.caveats @@ -560,6 +560,11 @@ to enable ability to disable it in case such a need arises. (See the sections "check_caveats script" and "reload_microcode script" for details regarding caveats mechanism operation.) +Revision 0x2006a08 (included since the microcode-20201110 release) exhibits +a different issue on some systems, so it is controlled by 06-55-0x-ipu-2020.2 +caveat; please refer to the "Intel Skylake-SP and Cascade Lake-SP +microcode-20201110 caveats" section for details. + [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 Caveat name: intel-06-55-04 
@@ -571,6 +576,28 @@ previously published microcode revision 0x2000064 is still available as a fallback as part of "intel" caveat. +Intel Skylake-SP and Cascade Lake-SP microcode-20201110 caveats +--------------------------------------------------------------- +Latest microcode updates for Intel Skylake/Cascade Lake Scalable Platform CPUs +(family 6, model 85, steppings 4, 6, and 7; CPUID 0x50654/0x50656/0x50657) +may cause system instability on some systems (there were reports for HPE +Superdome Flex and Supermicro systems[1]) with the resivions that come +with microcode-20201110 release, so the previously released microcode +(with revisions 0x2006906, 0x4001f01, and 0x5002f01, respectively) +from microcode-20200609 release are used by default instead for the OS-driven +microcode update. + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/45 + +Caveat name: intel-06-55-0x-ipu-2020.2 + +Affected microcode: intel-ucode/06-55-04, intel-ucode/06-55-06, + intel-ucode/06-55-07 + +Mitigation: previously published microcode files (revision 0x2006906 for 06-55-04, + 0x4002f01 for 06-55-06, 0x5002f01 for 06-55-07) are used by default. + + Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats ---------------------------------------- Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3; diff --git a/SPECS/check_caveats b/SPECS/check_caveats index ab02a02..ee8db57 100755 --- a/SPECS/check_caveats +++ b/SPECS/check_caveats @@ -628,10 +628,9 @@ for cfg in $(echo "${configs}"); do cfg_mc_present=0 for p in $(printf "%s" "$cfg_path"); do - { /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \ - -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0; - /bin/true; } \ - | /bin/grep -zFxq "$cpu_mc_path" \ + /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \ + -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \ + | /bin/grep -zFxc "$cpu_mc_path" > /dev/null \ || continue cfg_mc_present=1
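Review bot: In SPECS/06-55-04_readme the added paragraph says the revision "is controlled by 06-55-0x-ipu-2020.2 caveat", but README.caveats in this same patch gives "Caveat name: intel-06-55-0x-ipu-2020.2" and the override files are named force-intel-06-55-0x-ipu-2020.2 and disallow-intel-06-55-0x-ipu-2020.2. Use the intel- prefixed name in the prose so the reader can derive the override file names from it. The same wording appears in the first SPECS/README.caveats hunk (@@ -560,6 +560,11 @@).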
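Review bot: In SPECS/06-55-0x-ipu-2020.2_config the Supermicro rule matches one exact product name (mode=fail-equal with val="SYS-2029TP-HTR/X11DPT-PS"), while the disclaimer and readme added by this patch describe the affected hardware as "Supermicro systems" in general. Either name the matched model in the documentation, or note in the config comment that other Supermicro boards intentionally still receive the microcode-20201110 revisions, so an administrator can tell from the docs whether a given system is covered by the caveat.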
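Review bot: The fallback revision for 06-55-06 is inconsistent within SPECS/06-55-0x-ipu-2020.2_readme: the opening paragraph lists "0x2006906, 0x4001f01, and 0x5002f01, respectively", but the SHA1 list has "06-55-06, revision 0x4004f01". The checksum list exists so that people can verify which file is installed, so confirm the value against the microcode-20200609 file and use one revision in both places. In the same paragraph, "resivions" should read "revisions".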
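Review bot: In the new "Intel Skylake-SP and Cascade Lake-SP microcode-20201110 caveats" section of SPECS/README.caveats, the description gives the 06-55-06 fallback as 0x4001f01 while the Mitigation line says "0x4002f01 for 06-55-06". Neither matches the 0x4004f01 shown in the SHA1 list of the caveat readme, so this value needs one authoritative source that is copied to all three spots. The "resivions" typo is repeated here as well.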
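Review bot: The change from "grep -zFxq" to "grep -zFxc ... > /dev/null" in the cfg_path loop of SPECS/check_caveats carries no comment, and to the next reader it looks like a needless pessimisation: -q exits on the first match, whereas -c reads all of find's output before returning. If the intent is for grep to drain the pipe instead of closing it early, say so in a comment above the pipeline, and mention that the removed "/bin/true" group is no longer needed for that reason. Without the comment this is likely to be "simplified" back to -q later.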