Compare commits

...

No commits in common. 'i8c' and 'c9' have entirely different histories.
i8c ... c9

@ -10,8 +10,8 @@ behaviour.
General behaviour
=================
In RHEL 8 (as well as RHEL 7 before it), there are currently two main handlers
for CPU microcode update:
In RHEL 9 (as well as in RHEL 7 and RHEL 8 before it), there are currently
two main handlers for CPU microcode update:
* Early microcode update. It uses GenuineIntel.bin or AuthenticAMD.bin file
placed at the beginning of an initramfs image
(/boot/initramfs-KERNEL_VERSION.img, where "KERNEL_VERSION" is a kernel
@ -45,10 +45,10 @@ zero-filled.
The early microcode is placed into initramfs image by the "dracut" script, which
scans the aforementioned subdirectories of the configured list of firmware
directories (by default, the list consists of two directories in RHEL 8,
directories (by default, the list consists of two directories in RHEL 9,
"/lib/firmware/updates" and "/lib/firmware").
In RHEL 8, AMD CPU microcode is shipped as a part of the linux-firmware package,
In RHEL 9, AMD CPU microcode is shipped as a part of the linux-firmware package,
and Intel microcode is shipped as a part of the microcode_ctl package.
The microcode_ctl package currently includes the following:
@ -613,7 +613,7 @@ Mitigation: microcode loading is disabled for the affected CPU model.
Minimum versions of the kernel package that contain the aforementioned patch
series:
- Upstream/RHEL 8: 4.17.0
- Upstream/RHEL 8/RHEL 9: 4.17.0
- RHEL 7.6 onwards: 3.10.0-894
- RHEL 7.5: 3.10.0-862.6.1
- RHEL 7.4: 3.10.0-693.35.1
@ -628,7 +628,7 @@ series:
Early microcode load inside a virtual machine
---------------------------------------------
RHEL 8 kernel supports performing microcode update during early boot stage
RHEL 9 kernel supports performing microcode update during early boot stage
from a cpio archive placed at the beginning of the initramfs image. However,
when an early microcode update is attempted inside some virtualised
environments, that may result in unexpected system behaviour.
@ -643,7 +643,7 @@ Mitigation: early microcode loading is disabled for all CPU models on kernels
without the fix.
Minimum versions of the kernel package that contain the fix:
- Upstream/RHEL 8: 4.10.0
- Upstream/RHEL 8/RHEL 9: 4.10.0
- RHEL 7.6 onwards: 3.10.0-930
- RHEL 7.5: 3.10.0-862.14.1
- RHEL 7.4: 3.10.0-693.38.1

@ -43,25 +43,43 @@ for f in $(grep -E '/intel-ucode.*/[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-
# ext_sig, 12 bytes in size
IFS=' ' read cpuid pf_mask <<- EOF
$(hexdump -s "$skip" -n 8 \
-e '"" 1/4 "%08x " 1/4 "%u" "\n"' "$f")
$(dd if="$f" ibs=1 skip="$skip" count=8 status=none \
| xxd -e -g4 | xxd -r | hexdump -n 8 \
-e '"" 4/1 "%02x" " 0x" 4/1 "%02x" "\n"')
EOF
# Converting values from the constructed %#08x format
pf_mask="$((pf_mask))"
skip="$((skip + 12))"
ext_sig_pos="$((ext_sig_pos + 1))"
else
# Microcode header, 48 bytes, last 3 fields reserved
# cksum, ldrver are ignored
IFS=' ' read hdrver rev \
date_y date_d date_m \
date_m date_d date_y \
cpuid cksum ldrver \
pf_mask datasz totalsz <<- EOF
$(hexdump -s "$skip" -n 36 \
-e '"" 1/4 "%u " 1/4 "%#x " \
1/2 "%04x " 1/1 "%02x " 1/1 "%02x " \
1/4 "%08x " 1/4 "%x " 1/4 "%#x " \
1/4 "%u " 1/4 "%u " 1/4 "%u" "\n"' "$f")
$(dd if="$f" ibs=1 skip="$skip" count=36 status=none \
| xxd -e -g4 | xxd -r | hexdump -n 36 \
-e '"0x" 4/1 "%02x" " 0x" 4/1 "%02x" " " \
1/1 "%02x " 1/1 "%02x " 2/1 "%02x" " " \
4/1 "%02x" " 0x" 4/1 "%02x" " 0x" 4/1 "%02x" \
" 0x" 4/1 "%x" \
" 0x" 4/1 "%02x" " 0x" 4/1 "%02x" "\n"')
EOF
# Converting values from the constructed %#08x format
rev="$(printf '%#x' "$((rev))")"
pf_mask="$((pf_mask))"
datasz="$((datasz))"
totalsz="$((totalsz))"
# Skipping files with unexpected hdrver value
[ 1 = "$((hdrver))" ] || {
echo "$f+$skip@$file_sz: incorrect hdrver $((hdrver))" >&2
break
}
[ 0 != "$datasz" ] || datasz=2000
[ 0 != "$totalsz" ] || totalsz=2048
@ -80,9 +98,12 @@ for f in $(grep -E '/intel-ucode.*/[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-
# ext_sig table header, 20 bytes in size,
# last 3 fields are reserved.
IFS=' ' read ext_sig_cnt <<- EOF
$(hexdump -s "$skip" -n 4 \
-e '"" 1/4 "%u" "\n"' "$f")
$(dd if="$f" ibs=1 skip="$skip" count=4 status=none \
| xxd -e -g4 | hexdump -n 4 \
-e '"0x" 4/1 "%02x" "\n"')
EOF
# Converting values from the constructed format
ext_sig_cnt="$((ext_sig_cnt))"
skip="$((skip + 20))"
else

@ -144,7 +144,7 @@ def read_revs_dir(path, args, src=None, ret=None):
offs = 0
while offs < sz:
f.seek(offs, os.SEEK_SET)
hdr = struct.unpack("IiIIIIIIIIII", f.read(48))
hdr = struct.unpack("<IiIIIIIIIIII", f.read(48))
ret.append({"path": rp, "src": src or path,
"cpuid": hdr[3], "pf": hdr[6], "rev": hdr[1],
"date": hdr[2], "offs": offs, "cksum": hdr[4],
@ -152,7 +152,7 @@ def read_revs_dir(path, args, src=None, ret=None):
if hdr[8] and hdr[8] - hdr[7] > 48:
f.seek(hdr[7], os.SEEK_CUR)
ext_tbl = struct.unpack("IIIII", f.read(20))
ext_tbl = struct.unpack("<IIIII", f.read(20))
log_status("Found %u extended signatures for %s:%#x" %
(ext_tbl[0], rp, offs), level=1)
@ -160,7 +160,7 @@ def read_revs_dir(path, args, src=None, ret=None):
ext_sig_cnt = 0
while cur_offs < offs + hdr[8] \
and ext_sig_cnt <= ext_tbl[0]:
ext_sig = struct.unpack("III", f.read(12))
ext_sig = struct.unpack("<III", f.read(12))
ignore = args.ignore_ext_dups and \
(ext_sig[0] == hdr[3])
if not ignore:

@ -1,5 +1,4 @@
%define intel_ucode_version 20240910
%global debug_package %{nil}
%define caveat_dir %{_datarootdir}/microcode_ctl/ucode_with_caveats
%define microcode_ctl_libexec %{_libexecdir}/microcode_ctl
@ -122,10 +121,12 @@ Source1000: gen_provides.sh
Source1001: codenames.list
Source1002: gen_updates2.py
ExclusiveArch: %{ix86} x86_64
BuildArch: noarch
BuildRequires: systemd-units
# hexdump is used in gen_provides.sh
BuildRequires: coreutils util-linux
# dd, hexdump, and xxd are used in gen_provides.sh
BuildRequires: coreutils util-linux /usr/bin/xxd
# gen_updates2.py requires python interpreter
BuildRequires: /usr/bin/python3
Requires: coreutils
Requires(post): systemd coreutils
Requires(preun): systemd coreutils
@ -313,7 +314,7 @@ install -m 644 "%{SOURCE182}" "%{tgl_inst_dir}/disclaimer"
# SUMMARY.intel-ucode generation
# It is to be done only after file population, so, it is here,
# at the end of the install stage
/usr/libexec/platform-python "%{SOURCE1002}" -C "%{SOURCE1001}" \
/usr/bin/python3 "%{SOURCE1002}" -C "%{SOURCE1001}" \
summary -A "%{buildroot}" \
> "%{buildroot}/%{_pkgdocdir}/SUMMARY.intel-ucode"
@ -553,8 +554,8 @@ rm -rf %{buildroot}
%changelog
* Mon Sep 23 2024 Eugene Syromiatnikov <esyr@redhat.com> - 4:20240910-1
- Update Intel CPU microcode to microcode-20240910 release, addresses
CVE-2024-23984, CVE-2024-24853, CVE-2024-24968, CVE-2024-24980,
CVE-2024-25939 (RHEL-59081):
- Addresses CVE-2024-23984, CVE-2024-24853, CVE-2024-24968, CVE-2024-24980,
CVE-2024-25939 (RHEL-58057):
- Update of 06-8c-01/0x80 (TGL-UP3/UP4 B1) microcode (in
intel-06-8c-01/intel-ucode/06-8c-01) from revision 0xb6 up to 0xb8;
- Update of 06-8e-09/0x10 (AML-Y 2+2 H0) microcode (in
@ -680,8 +681,8 @@ rm -rf %{buildroot}
- Update Intel CPU microcode to microcode-20240531 release, addresses
CVE-2023-22655, CVE-2023-23583. CVE-2023-28746, CVE-2023-38575,
CVE-2023-39368, CVE-2023-42667, CVE-2023-43490, CVE-2023-45733,
CVE-2023-46103, CVE-2023-49141 (RHEL-30859, RHEL-30862, RHEL-30865,
RHEL-30868, RHEL-30871, RHEL-41093, RHEL-41108):
CVE-2023-46103, CVE-2023-49141 (RHEL-30861, RHEL-30864, RHEL-30867,
RHEL-30870, RHEL-30873, RHEL-41094, RHEL-41109):
- Addition of 06-aa-04/0xe6 (MTL-H/U C0) microcode at revision 0x1c;
- Addition of 06-ba-08/0xe0 microcode (in intel-ucode/06-ba-02) at
revision 0x4121;
@ -1055,8 +1056,8 @@ rm -rf %{buildroot}
* Thu Aug 10 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230808-1
- Update Intel CPU microcode to microcode-20230808 release, addresses
CVE-2022-40982, CVE-2022-41804, CVE-2023-23908 (#2213125, #2223993, #2230678,
#2230690):
CVE-2022-40982, CVE-2022-41804, CVE-2023-23908 (#2213124, #2223992, #2230677,
#2230689):
- Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in
intel-06-55-04/intel-ucode/06-55-04) from revision 0x2006f05 up
to 0x2007006;
@ -1256,7 +1257,7 @@ rm -rf %{buildroot}
to 0x11 (old pf 0x1).
* Mon Aug 07 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230516-1
- Update Intel CPU microcode to microcode-20230516 release (#2213125):
- Update Intel CPU microcode to microcode-20230516 release (#2213124):
- Addition of 06-be-00/0x01 (ADL-N A0) microcode at revision 0x10;
- Addition of 06-9a-04/0x40 (AZB A0) microcode at revision 0x4;
- Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in
@ -1429,22 +1430,19 @@ rm -rf %{buildroot}
* Tue Aug 01 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230214-4
- Avoid spurious find failures due to calls on directories that may not exist
(#2231065).
* Wed Jul 26 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 4:20230214-3
- Rebuilt for MSVSphere 8.8
(#2225681).
* Wed Jun 28 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230214-3
- Force locale to C in check_caveats, reload_microcode, and update_ucode
(#2218096).
(#2218104).
* Tue Jun 06 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230214-2
- Cleanup the dangling symlinks in update_ucode (#2135376).
- Cleanup the dangling symlinks in update_ucode (#2213022).
* Wed Feb 15 2023 Eugene Syromiatnikov <esyr@redhat.com> - 4:20230214-1
- Update Intel CPU microcode to microcode-20230214 release, addresses
CVE-2022-21216, CVE-2022-33196, CVE-2022-33972, CVE-2022-38090 (#2171234,
#2171259):
CVE-2022-21216, CVE-2022-33196, CVE-2022-33972, CVE-2022-38090 (#2171237,
#2171262):
- Addition of 06-6c-01/0x10 (ICL-D B0) microcode at revision 0x1000211;
- Addition of 06-8f-04/0x87 (SPR-SP E0/S1) microcode at revision
0x2b000181;
@ -1620,11 +1618,11 @@ rm -rf %{buildroot}
* Tue Oct 25 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220809-2
- Change the logger severity level to warning to align with the kmsg one
(#2136224).
(#2136506).
* Tue Aug 09 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220809-1
- Update Intel CPU microcode to microcode-20220510 release, addresses
CVE-2022-21233 (#2115667):
CVE-2022-21233 (#2115663):
- Update of 06-55-04/0xb7 (SKX-D/SP/W/X H0/M0/M1/U0) microcode (in
intel-06-55-04/intel-ucode/06-55-04) from revision 0x2006d05 up
to 0x2006e05;
@ -1687,7 +1685,8 @@ rm -rf %{buildroot}
* Tue May 10 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220510-1
- Update Intel CPU microcode to microcode-20220510 release, addresses
CVE-2022-0005, CVE-2022-21131, CVE-2022-21136, CVE-2022-21151 (#2086743):
CVE-2022-0005, CVE-2022-21131, CVE-2022-21136, CVE-2022-21151 (#2090248,
#2090261, #2086751, #2040069):
- Addition of 06-97-02/0x03 (ADL-HX C0) microcode at revision 0x1f;
- Addition of 06-97-05/0x03 (ADL-S 6+0 K0) microcode (in
intel-ucode/06-97-02) at revision 0x1f;
@ -1810,13 +1809,8 @@ rm -rf %{buildroot}
to 0x53.
* Thu Feb 10 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220207-1
- Update Intel CPU microcode to microcode-20220207 release:
- Fixes in releasenote.md file.
* Mon Feb 07 2022 Eugene Syromiatnikov <esyr@redhat.com> - 4:20220204-1
- Update Intel CPU microcode to microcode-20220204 release, addresses
CVE-2021-0127, CVE-2021-0145, and CVE-2021-33120 (#1971906, #2049543,
#2049554, #2049571):
- Update Intel CPU microcode to microcode-20220207 release, addresses
CVE-2021-0127, CVE-2021-0145, and CVE-2021-33120 (#2053253):
- Removal of 06-86-04/0x01 (SNR B0) microcode at revision 0xb00000f;
- Removal of 06-86-05/0x01 (SNR B1) microcode (in intel-ucode/06-86-04)
at revision 0xb00000f;
@ -1920,6 +1914,10 @@ rm -rf %{buildroot}
- Update of 06-a7-01/0x02 (RKL-S B0) microcode from revision 0x40 up
to 0x50.
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4:20210608-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Jul 05 2021 Eugene Syromiatnikov <esyr@redhat.com> - 4:20210608-1
- Update Intel CPU microcode to microcode-20210608 release (#1921773):
- Fixes in releasenote.md file.

Loading…
Cancel
Save