Compare commits

...

No commits in common. 'c9' and 'i8c' have entirely different histories.
c9 ... i8c

@ -10,8 +10,8 @@ behaviour.
General behaviour General behaviour
================= =================
In RHEL 9 (as well as in RHEL 7 and RHEL 8 before it), there are currently In RHEL 8 (as well as RHEL 7 before it), there are currently two main handlers
two main handlers for CPU microcode update: for CPU microcode update:
* Early microcode update. It uses GenuineIntel.bin or AuthenticAMD.bin file * Early microcode update. It uses GenuineIntel.bin or AuthenticAMD.bin file
placed at the beginning of an initramfs image placed at the beginning of an initramfs image
(/boot/initramfs-KERNEL_VERSION.img, where "KERNEL_VERSION" is a kernel (/boot/initramfs-KERNEL_VERSION.img, where "KERNEL_VERSION" is a kernel
@ -45,10 +45,10 @@ zero-filled.
The early microcode is placed into initramfs image by the "dracut" script, which The early microcode is placed into initramfs image by the "dracut" script, which
scans the aforementioned subdirectories of the configured list of firmware scans the aforementioned subdirectories of the configured list of firmware
directories (by default, the list consists of two directories in RHEL 9, directories (by default, the list consists of two directories in RHEL 8,
"/lib/firmware/updates" and "/lib/firmware"). "/lib/firmware/updates" and "/lib/firmware").
In RHEL 9, AMD CPU microcode is shipped as a part of the linux-firmware package, In RHEL 8, AMD CPU microcode is shipped as a part of the linux-firmware package,
and Intel microcode is shipped as a part of the microcode_ctl package. and Intel microcode is shipped as a part of the microcode_ctl package.
The microcode_ctl package currently includes the following: The microcode_ctl package currently includes the following:
@ -613,7 +613,7 @@ Mitigation: microcode loading is disabled for the affected CPU model.
Minimum versions of the kernel package that contain the aforementioned patch Minimum versions of the kernel package that contain the aforementioned patch
series: series:
- Upstream/RHEL 8/RHEL 9: 4.17.0 - Upstream/RHEL 8: 4.17.0
- RHEL 7.6 onwards: 3.10.0-894 - RHEL 7.6 onwards: 3.10.0-894
- RHEL 7.5: 3.10.0-862.6.1 - RHEL 7.5: 3.10.0-862.6.1
- RHEL 7.4: 3.10.0-693.35.1 - RHEL 7.4: 3.10.0-693.35.1
@ -628,7 +628,7 @@ series:
Early microcode load inside a virtual machine Early microcode load inside a virtual machine
--------------------------------------------- ---------------------------------------------
RHEL 9 kernel supports performing microcode update during early boot stage RHEL 8 kernel supports performing microcode update during early boot stage
from a cpio archive placed at the beginning of the initramfs image. However, from a cpio archive placed at the beginning of the initramfs image. However,
when an early microcode update is attempted inside some virtualised when an early microcode update is attempted inside some virtualised
environments, that may result in unexpected system behaviour. environments, that may result in unexpected system behaviour.
@ -643,7 +643,7 @@ Mitigation: early microcode loading is disabled for all CPU models on kernels
without the fix. without the fix.
Minimum versions of the kernel package that contain the fix: Minimum versions of the kernel package that contain the fix:
- Upstream/RHEL 8/RHEL 9: 4.10.0 - Upstream/RHEL 8: 4.10.0
- RHEL 7.6 onwards: 3.10.0-930 - RHEL 7.6 onwards: 3.10.0-930
- RHEL 7.5: 3.10.0-862.14.1 - RHEL 7.5: 3.10.0-862.14.1
- RHEL 7.4: 3.10.0-693.38.1 - RHEL 7.4: 3.10.0-693.38.1

@ -43,43 +43,25 @@ for f in $(grep -E '/intel-ucode.*/[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-
# ext_sig, 12 bytes in size # ext_sig, 12 bytes in size
IFS=' ' read cpuid pf_mask <<- EOF IFS=' ' read cpuid pf_mask <<- EOF
$(dd if="$f" ibs=1 skip="$skip" count=8 status=none \ $(hexdump -s "$skip" -n 8 \
| xxd -e -g4 | xxd -r | hexdump -n 8 \ -e '"" 1/4 "%08x " 1/4 "%u" "\n"' "$f")
-e '"" 4/1 "%02x" " 0x" 4/1 "%02x" "\n"')
EOF EOF
# Converting values from the constructed %#08x format
pf_mask="$((pf_mask))"
skip="$((skip + 12))" skip="$((skip + 12))"
ext_sig_pos="$((ext_sig_pos + 1))" ext_sig_pos="$((ext_sig_pos + 1))"
else else
# Microcode header, 48 bytes, last 3 fields reserved # Microcode header, 48 bytes, last 3 fields reserved
# cksum, ldrver are ignored
IFS=' ' read hdrver rev \ IFS=' ' read hdrver rev \
date_m date_d date_y \ date_y date_d date_m \
cpuid cksum ldrver \ cpuid cksum ldrver \
pf_mask datasz totalsz <<- EOF pf_mask datasz totalsz <<- EOF
$(dd if="$f" ibs=1 skip="$skip" count=36 status=none \ $(hexdump -s "$skip" -n 36 \
| xxd -e -g4 | xxd -r | hexdump -n 36 \ -e '"" 1/4 "%u " 1/4 "%#x " \
-e '"0x" 4/1 "%02x" " 0x" 4/1 "%02x" " " \ 1/2 "%04x " 1/1 "%02x " 1/1 "%02x " \
1/1 "%02x " 1/1 "%02x " 2/1 "%02x" " " \ 1/4 "%08x " 1/4 "%x " 1/4 "%#x " \
4/1 "%02x" " 0x" 4/1 "%02x" " 0x" 4/1 "%02x" \ 1/4 "%u " 1/4 "%u " 1/4 "%u" "\n"' "$f")
" 0x" 4/1 "%x" \
" 0x" 4/1 "%02x" " 0x" 4/1 "%02x" "\n"')
EOF EOF
# Converting values from the constructed %#08x format
rev="$(printf '%#x' "$((rev))")"
pf_mask="$((pf_mask))"
datasz="$((datasz))"
totalsz="$((totalsz))"
# Skipping files with unexpected hdrver value
[ 1 = "$((hdrver))" ] || {
echo "$f+$skip@$file_sz: incorrect hdrver $((hdrver))" >&2
break
}
[ 0 != "$datasz" ] || datasz=2000 [ 0 != "$datasz" ] || datasz=2000
[ 0 != "$totalsz" ] || totalsz=2048 [ 0 != "$totalsz" ] || totalsz=2048
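Review bot: the i8c side of the 48-byte header read drops the `[ 1 = "$((hdrver))" ] || { ... break }` guard, so a file whose first word is not header version 1 is no longer skipped and its rev, cpuid, datasz and totalsz are used as parsed. hdrver is still read into a variable, so keep the check (with `%u` output it can compare `"$hdrver"` directly). Separately, the `1/4` and `1/2` hexdump units decode in the build host's byte order, unlike the byte-wise `4/1 "%02x"` form on the c9 side, so a comment stating the little-endian assumption would help.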
@ -98,12 +80,9 @@ for f in $(grep -E '/intel-ucode.*/[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-
# ext_sig table header, 20 bytes in size, # ext_sig table header, 20 bytes in size,
# last 3 fields are reserved. # last 3 fields are reserved.
IFS=' ' read ext_sig_cnt <<- EOF IFS=' ' read ext_sig_cnt <<- EOF
$(dd if="$f" ibs=1 skip="$skip" count=4 status=none \ $(hexdump -s "$skip" -n 4 \
| xxd -e -g4 | hexdump -n 4 \ -e '"" 1/4 "%u" "\n"' "$f")
-e '"0x" 4/1 "%02x" "\n"')
EOF EOF
# Converting values from the constructed format
ext_sig_cnt="$((ext_sig_cnt))"
skip="$((skip + 20))" skip="$((skip + 20))"
else else
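Review bot: on the c9 side the ext_sig_cnt read pipes `xxd -e -g4` straight into `hexdump -n 4`, without the `xxd -r` step that the cpuid/pf_mask read and the header read both use, so hexdump is fed xxd's text dump rather than the four count bytes; if the c9 form is kept, add `| xxd -r` there. The i8c form `hexdump -s "$skip" -n 4 -e '"" 1/4 "%u" "\n"'` avoids that pipeline but reads the count in host byte order.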

@ -144,7 +144,7 @@ def read_revs_dir(path, args, src=None, ret=None):
offs = 0 offs = 0
while offs < sz: while offs < sz:
f.seek(offs, os.SEEK_SET) f.seek(offs, os.SEEK_SET)
hdr = struct.unpack("<IiIIIIIIIIII", f.read(48)) hdr = struct.unpack("IiIIIIIIIIII", f.read(48))
ret.append({"path": rp, "src": src or path, ret.append({"path": rp, "src": src or path,
"cpuid": hdr[3], "pf": hdr[6], "rev": hdr[1], "cpuid": hdr[3], "pf": hdr[6], "rev": hdr[1],
"date": hdr[2], "offs": offs, "cksum": hdr[4], "date": hdr[2], "offs": offs, "cksum": hdr[4],
@ -152,7 +152,7 @@ def read_revs_dir(path, args, src=None, ret=None):
if hdr[8] and hdr[8] - hdr[7] > 48: if hdr[8] and hdr[8] - hdr[7] > 48:
f.seek(hdr[7], os.SEEK_CUR) f.seek(hdr[7], os.SEEK_CUR)
ext_tbl = struct.unpack("<IIIII", f.read(20)) ext_tbl = struct.unpack("IIIII", f.read(20))
log_status("Found %u extended signatures for %s:%#x" % log_status("Found %u extended signatures for %s:%#x" %
(ext_tbl[0], rp, offs), level=1) (ext_tbl[0], rp, offs), level=1)
@ -160,7 +160,7 @@ def read_revs_dir(path, args, src=None, ret=None):
ext_sig_cnt = 0 ext_sig_cnt = 0
while cur_offs < offs + hdr[8] \ while cur_offs < offs + hdr[8] \
and ext_sig_cnt <= ext_tbl[0]: and ext_sig_cnt <= ext_tbl[0]:
ext_sig = struct.unpack("<III", f.read(12)) ext_sig = struct.unpack("III", f.read(12))
ignore = args.ignore_ext_dups and \ ignore = args.ignore_ext_dups and \
(ext_sig[0] == hdr[3]) (ext_sig[0] == hdr[3])
if not ignore: if not ignore:
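Review bot: all three struct.unpack formats in read_revs_dir lose the `<` prefix on the i8c side (`"IiIIIIIIIIII"`, `"IIIII"`, `"III"`), which switches struct from little-endian standard sizes to native byte order, size and alignment. The lengths still line up with the `f.read(48)`, `f.read(20)` and `f.read(12)` calls on common platforms, but the decoded cpuid, rev and checksum values then depend on the byte order of the machine running the script; keep `<` so the header parse is the same everywhere.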

@ -1,4 +1,5 @@
%define intel_ucode_version 20240910 %define intel_ucode_version 20240910
%global debug_package %{nil}
%define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats %define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats
%define microcode_ctl_libexec %{_libexecdir}/microcode_ctl %define microcode_ctl_libexec %{_libexecdir}/microcode_ctl
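Review bot: `%global debug_package %{nil}` is added at the top of the spec with no comment saying why debuginfo generation is switched off. Since the same comparison also replaces `BuildArch: noarch` with `ExclusiveArch: %{ix86} x86_64`, a one-line comment tying the two together would save the next maintainer from guessing.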
@ -121,12 +122,10 @@ Source1000: gen_provides.sh
Source1001: codenames.list Source1001: codenames.list
Source1002: gen_updates2.py Source1002: gen_updates2.py
BuildArch: noarch ExclusiveArch: %{ix86} x86_64
BuildRequires: systemd-units BuildRequires: systemd-units
# dd, hexdump, and xxd are used in gen_provides.sh # hexdump is used in gen_provides.sh
BuildRequires: coreutils util-linux /usr/bin/xxd BuildRequires: coreutils util-linux
# gen_updates2.py requires python interpreter
BuildRequires: /usr/bin/python3
Requires: coreutils Requires: coreutils
Requires(post): systemd coreutils Requires(post): systemd coreutils
Requires(preun): systemd coreutils Requires(preun): systemd coreutils
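Review bot: the i8c side removes `BuildRequires: /usr/bin/python3` together with its comment, but the install stage still runs gen_updates2.py through an interpreter (`/usr/libexec/platform-python "%{SOURCE1002}"` in the SUMMARY.intel-ucode step), so the build relies on that interpreter being present in the buildroot without declaring it. Add a BuildRequires for the interpreter the spec actually calls.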
@ -314,7 +313,7 @@ install -m 644 "%{SOURCE182}" "%{tgl_inst_dir}/disclaimer"
# SUMMARY.intel-ucode generation # SUMMARY.intel-ucode generation
# It is to be done only after file population, so, it is here, # It is to be done only after file population, so, it is here,
# at the end of the install stage # at the end of the install stage
/usr/bin/python3 "%{SOURCE1002}" -C "%{SOURCE1001}" \ /usr/libexec/platform-python "%{SOURCE1002}" -C "%{SOURCE1001}" \
summary -A "%{buildroot}" \ summary -A "%{buildroot}" \
> "%{buildroot}/%{_pkgdocdir}/SUMMARY.intel-ucode" > "%{buildroot}/%{_pkgdocdir}/SUMMARY.intel-ucode"
@ -554,8 +553,8 @@ rm -rf %{buildroot}
%changelog %changelog
* Mon Sep 23 2024 Eugene Syromiatnikov <esyr@redhat.com> - 4:20240910-1 * Mon Sep 23 2024 Eugene Syromiatnikov <esyr@redhat.com> - 4:20240910-1
- Update Intel CPU microcode to microcode-20240910 release, addresses - Update Intel CPU microcode to microcode-20240910 release, addresses
- Addresses CVE-2024-23984, CVE-2024-24853, CVE-2024-24968, CVE-2024-24980, CVE-2024-23984, CVE-2024-24853, CVE-2024-24968, CVE-2024-24980,
CVE-2024-25939 (RHEL-58057): CVE-2024-25939 (RHEL-59081):
- Update of 06-8c-01/0x80 (TGL-UP3/UP4 B1) microcode (in - Update of 06-8c-01/0x80 (TGL-UP3/UP4 B1) microcode (in
intel-06-8c-01/intel-ucode/06-8c-01) from revision 0xb6 up to 0xb8; intel-06-8c-01/intel-ucode/06-8c-01) from revision 0xb6 up to 0xb8;
- Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode (in - Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode (in
@ -681,8 +680,8 @@ rm -rf %{buildroot}
- Update Intel CPU microcode to microcode-20240531 release, addresses - Update Intel CPU microcode to microcode-20240531 release, addresses
CVE-2023-22655, CVE-2023-23583. CVE-2023-28746, CVE-2023-38575, CVE-2023-22655, CVE-2023-23583. CVE-2023-28746, CVE-2023-38575,
CVE-2023-39368, CVE-2023-42667, CVE-2023-43490, CVE-2023-45733, CVE-2023-39368, CVE-2023-42667, CVE-2023-43490, CVE-2023-45733,
CVE-2023-46103, CVE-2023-49141 (RHEL-30861, RHEL-30864, RHEL-30867, CVE-2023-46103, CVE-2023-49141 (RHEL-30859, RHEL-30862, RHEL-30865,
RHEL-30870, RHEL-30873, RHEL-41094, RHEL-41109): RHEL-30868, RHEL-30871, RHEL-41093, RHEL-41108):
- Addition of 06-aa-04/0xe6 (MTL-H/U C0) microcode at revision 0x1c; - Addition of 06-aa-04/0xe6 (MTL-H/U C0) microcode at revision 0x1c;
- Addition of 06-ba-08/0xe0 microcode (in intel-ucode/06-ba-02) at - Addition of 06-ba-08/0xe0 microcode (in intel-ucode/06-ba-02) at
revision 0x4121; revision 0x4121;
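Review bot: in the CVE list of this changelog entry, `CVE-2023-23583.` ends with a full stop where the rest of the list uses commas. It is unchanged context on both sides, but worth fixing while the tracker ids on the neighbouring lines are being edited.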
@ -1056,8 +1055,8 @@ rm -rf %{buildroot}
* Thu Aug 10 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230808-1 * Thu Aug 10 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230808-1
- Update Intel CPU microcode to microcode-20230808 release, addresses - Update Intel CPU microcode to microcode-20230808 release, addresses
CVE-2022-40982, CVE-2022-41804, CVE-2023-23908 (#2213124, #2223992, #2230677, CVE-2022-40982, CVE-2022-41804, CVE-2023-23908 (#2213125, #2223993, #2230678,
#2230689): #2230690):
- Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in - Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in
intel-06-55-04/intel-ucode/06-55-04) from revision 0x2006f05 up intel-06-55-04/intel-ucode/06-55-04) from revision 0x2006f05 up
to 0x2007006; to 0x2007006;
@ -1257,7 +1256,7 @@ rm -rf %{buildroot}
to 0x11 (old pf 0x1). to 0x11 (old pf 0x1).
* Mon Aug 07 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230516-1 * Mon Aug 07 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230516-1
- Update Intel CPU microcode to microcode-20230516 release (#2213124): - Update Intel CPU microcode to microcode-20230516 release (#2213125):
- Addition of 06-be-00/0x01 (ADL-N A0) microcode at revision 0x10; - Addition of 06-be-00/0x01 (ADL-N A0) microcode at revision 0x10;
- Addition of 06-9a-04/0x40 (AZB A0) microcode at revision 0x4; - Addition of 06-9a-04/0x40 (AZB A0) microcode at revision 0x4;
- Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in - Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in
@ -1430,19 +1429,22 @@ rm -rf %{buildroot}
* Tue Aug 01 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230214-4 * Tue Aug 01 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230214-4
- Avoid spurious find failures due to calls on directories that may not exist - Avoid spurious find failures due to calls on directories that may not exist
(#2225681). (#2231065).
* Wed Jul 26 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 4:20230214-3
- Rebuilt for MSVSphere 8.8
* Wed Jun 28 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230214-3 * Wed Jun 28 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230214-3
- Force locale to C in check_caveats, reload_microcode, and update_ucode - Force locale to C in check_caveats, reload_microcode, and update_ucode
(#2218104). (#2218096).
* Tue Jun 06 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230214-2 * Tue Jun 06 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230214-2
- Cleanup the dangling symlinks in update_ucode (#2213022). - Cleanup the dangling symlinks in update_ucode (#2135376).
* Wed Feb 15 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230214-1 * Wed Feb 15 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230214-1
- Update Intel CPU microcode to microcode-20230214 release, addresses - Update Intel CPU microcode to microcode-20230214 release, addresses
CVE-2022-21216, CVE-2022-33196, CVE-2022-33972, CVE-2022-38090 (#2171237, CVE-2022-21216, CVE-2022-33196, CVE-2022-33972, CVE-2022-38090 (#2171234,
#2171262): #2171259):
- Addition of 06-6c-01/0x10 (ICL-D B0) microcode at revision 0x1000211; - Addition of 06-6c-01/0x10 (ICL-D B0) microcode at revision 0x1000211;
- Addition of 06-8f-04/0x87 (SPR-SP E0/S1) microcode at revision - Addition of 06-8f-04/0x87 (SPR-SP E0/S1) microcode at revision
0x2b000181; 0x2b000181;
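Review bot: the added `* Wed Jul 26 2023 MSVSphere Packaging Team ... - 4:20230214-3` rebuild entry reuses the version-release of the `* Wed Jun 28 2023` entry directly below it, so two changelog entries with different dates carry the same 4:20230214-3. If the rebuild produced a distinct package, give it its own release suffix; otherwise say in the entry that the release was not bumped.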
@ -1618,11 +1620,11 @@ rm -rf %{buildroot}
* Tue Oct 25 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220809-2 * Tue Oct 25 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220809-2
- Change the logger severity level to warning to align with the kmsg one - Change the logger severity level to warning to align with the kmsg one
(#2136506). (#2136224).
* Tue Aug 09 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220809-1 * Tue Aug 09 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220809-1
- Update Intel CPU microcode to microcode-20220510 release, addresses - Update Intel CPU microcode to microcode-20220510 release, addresses
CVE-2022-21233 (#2115663): CVE-2022-21233 (#2115667):
- Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in - Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in
intel-06-55-04/intel-ucode/06-55-04) from revision 0x2006d05 up intel-06-55-04/intel-ucode/06-55-04) from revision 0x2006d05 up
to 0x2006e05; to 0x2006e05;
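Review bot: the `* Tue Aug 09 2022 ... - 4:20220809-1` entry says "Update Intel CPU microcode to microcode-20220510 release", which does not match its own 20220809 version and repeats the release named by the `* Tue May 10 2022 ... - 4:20220510-1` entry in the next hunk. This is unchanged on both sides and looks like a copy-paste slip; correct the release name while the bug id on the following line is being changed.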
@ -1685,8 +1687,7 @@ rm -rf %{buildroot}
* Tue May 10 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220510-1 * Tue May 10 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220510-1
- Update Intel CPU microcode to microcode-20220510 release, addresses - Update Intel CPU microcode to microcode-20220510 release, addresses
CVE-2022-0005, CVE-2022-21131, CVE-2022-21136, CVE-2022-21151 (#2090248, CVE-2022-0005, CVE-2022-21131, CVE-2022-21136, CVE-2022-21151 (#2086743):
#2090261, #2086751, #2040069):
- Addition of 06-97-02/0x03 (ADL-HX C0) microcode at revision 0x1f; - Addition of 06-97-02/0x03 (ADL-HX C0) microcode at revision 0x1f;
- Addition of 06-97-05/0x03 (ADL-S 6+0 K0) microcode (in - Addition of 06-97-05/0x03 (ADL-S 6+0 K0) microcode (in
intel-ucode/06-97-02) at revision 0x1f; intel-ucode/06-97-02) at revision 0x1f;
@ -1809,8 +1810,13 @@ rm -rf %{buildroot}
to 0x53. to 0x53.
* Thu Feb 10 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220207-1 * Thu Feb 10 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220207-1
- Update Intel CPU microcode to microcode-20220207 release, addresses - Update Intel CPU microcode to microcode-20220207 release:
CVE-2021-0127, CVE-2021-0145, and CVE-2021-33120 (#2053253): - Fixes in releasenote.md file.
* Mon Feb 07 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220204-1
- Update Intel CPU microcode to microcode-20220204 release, addresses
CVE-2021-0127, CVE-2021-0145, and CVE-2021-33120 (#1971906, #2049543,
#2049554, #2049571):
- Removal of 06-86-04/0x01 (SNR B0) microcode at revision 0xb00000f; - Removal of 06-86-04/0x01 (SNR B0) microcode at revision 0xb00000f;
- Removal of 06-86-05/0x01 (SNR B1) microcode (in intel-ucode/06-86-04) - Removal of 06-86-05/0x01 (SNR B1) microcode (in intel-ucode/06-86-04)
at revision 0xb00000f; at revision 0xb00000f;
@ -1914,10 +1920,6 @@ rm -rf %{buildroot}
- Update of 06-a7-01/0x02 (RKL-S B0) microcode from revision 0x40 up - Update of 06-a7-01/0x02 (RKL-S B0) microcode from revision 0x40 up
to 0x50. to 0x50.
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4:20210608-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Jul 05 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210608-1 * Mon Jul 05 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210608-1
- Update Intel CPU microcode to microcode-20210608 release (#1921773): - Update Intel CPU microcode to microcode-20210608 release (#1921773):
- Fixes in releasenote.md file. - Fixes in releasenote.md file.
