Bug 46982 - intel-microcode: Multiple issues (4.2)
intel-microcode: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
All Linux
: P3 normal (vote)
: UCS 4.2-3-errata
Assigned To: Philipp Hahn
Arvid Requate
:
Depends on: 46489
Blocks:
  Show dependency treegraph
 
Reported: 2018-05-09 09:15 CEST by Philipp Hahn
Modified: 2018-05-16 17:46 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2018-05-09 09:15:37 CEST
New Debian intel-microcode 3.20180425.1 fixes:
This update addresses the following issue:
* Systems with microprocessors utilizing speculative execution and indirect
  branch prediction may allow unauthorized disclosure of information to an
  attacker with local user access via a side-channel analysis (CVE-2017-5715)

CVE-2017-5715 hw: cpu: speculative execution branch target injection
Comment 1 Philipp Hahn univentionstaff 2018-05-09 10:39:12 CEST
[4.2-3] 9d74e65099 Bug #46982: intel-microcode_3.20180425.1
 doc/errata/staging/intel-microcode.yaml | 5 ++---

QA: Debian released the same MCU for
  Debian-Buster 10
  Debian-Stretch 9
  Debian-Jessie 8
but rebuild it for each release individually as the Debian policy requires this.
$ cd mnt/build-storage/upstream/debian/pool/non-free/i/intel-microcode
$ ls -1 intel-microcode_3.20180425.1*.dsc
intel-microcode_3.20180425.1~bpo8+1.dsc
intel-microcode_3.20180425.1~bpo9+1.dsc
intel-microcode_3.20180425.1.dsc
$ dchdiff intel-microcode_3.20180425.1.dsc intel-microcode_3.20180425.1~bpo9+1.dsc
--- intel-microcode_3.20180425.1.dsc
+++ intel-microcode_3.20180425.1~bpo9+1.dsc
@@ -1,3 +1,7 @@
+3.20180425.1~bpo9+1 [Thu, 03 May 2018 23:04:13 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Rebuild for stretch-backports (no changes)
+
 3.20180425.1 [Wed, 02 May 2018 16:48:44 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
$ dchdiff intel-microcode_3.20180425.1.dsc intel-microcode_3.20180425.1~bpo8+1.dsc
--- intel-microcode_3.20180425.1.dsc
+++ intel-microcode_3.20180425.1~bpo8+1.dsc
@@ -1,3 +1,7 @@
+3.20180425.1~bpo8+1 [Thu, 03 May 2018 23:06:51 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Rebuild for jessie-backports-sloppy (no changes)
+
 3.20180425.1 [Wed, 02 May 2018 16:48:44 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:

Running "dchdiff" and "debdiff" on the binary packages shown no difference either:
<http://10.200.17.11/4.2-3/#2666279656651672246>

For UCS it is okay to use the same package for all UCS releases - for now I just do it for UCS-4.2-3, for UCS-4.3-0 clone this bug after QA.
The binary packages were copied using "repo-copy-dsc -p -c".
Comment 2 Quality Assurance univentionstaff 2018-05-09 10:39:32 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/intel-microcode_3.20161104.1~deb8u1.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/intel-microcode_3.20180425.1.dsc
@@ -1,20 +1,195 @@
-3.20161104.1~deb8u1 [Fri, 16 Dec 2016 09:42:04 -0200] Henrique de Moraes Holschuh <hmh@debian.org>:
-
-  * This is the same package as 3.20161104.1 from unstable/testing and
-    3.20161104.1~bpo8+1, from jessie-backports.  It has been present in
-    unstable since 2016-11-09, testing since 2016-11-15, and jessie-backports
-    since 2016-11-17.
-  * STABLE RELEASE MANAGER INFORMATION:
-    + Supposed to fix critical Intel TSX erratum BDE85 on Xeon-D 1500 Y0
-    + Known to fix critical errata on several Xeon-D 1500 models which
-      will crash vmware (KB2146388) and likely Linux as well
-    + Fixes likely critical errata (which ones unknown) on Broadwell-E
-      (Core extreme edition 5th gen, Xeon E5v4, Xeon E7v4)
-    + Removes (very likely outdated) microcode for the C3500 and C5500 family
-      of embedded Xeon (Jasper Forest).  These embedded Xeons are typically
-      found on (older) network equipment appliances such as firewalls/IPS/IDS,
-      and also on data storage devices, and thus are supposed to receive
-      microcode updates through their vendors
+3.20180425.1 [Wed, 02 May 2018 16:48:44 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode data file 20180425 (closes: #897443, #895878)
+    + Updated Microcodes:
+      sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb00002c, size 27648
+      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
+    + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
+    + Note that sig 0x000604f1 has been blacklisted from late-loading
+      since Debian release 3.20171117.1.
+  * source: remove undesired list files from microcode directories
+  * source: switch to microcode-<id>.d/ since Intel dropped .dat
+    support.
+
+3.20180312.1 [Wed, 14 Mar 2018 09:21:24 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode data file 20180312 (closes: #886367)
+    + New Microcodes:
+      sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
+      sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009, size 18432
+    + Updated Microcodes:
+      sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
+      sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
+      sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
+      sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
+      sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
+      sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
+      sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
+      sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
+      sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
+      sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
+      sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
+      sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
+      sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
+      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
+      sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
+      sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012, size 22528
+      sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011, size 22528
+      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
+      sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
+      sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
+      sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
+      sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
+    + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation for:
+      Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
+      Coffee Lake
+    + Missing production updates:
+      + Broadwell-E/EX Xeons (sig 0x406f1)
+      + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
+        Gemini Lake, Denverton
+  * Update past changelog entries with new information:
+    Intel already had all necessary semanthics in LFENCE, so the
+    Spectre-related Intel microcode changes did not need to enhance LFENCE.
+  * debian/control: update Vcs-* fields for the move to salsa.debian.org
+
+3.20180108.1+really20171117.1 [Mon, 22 Jan 2018 23:01:59 -0200] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Revert to release 20171117, as per Intel instructions issued to
+    the public in 2018-01-22 (closes: #886998)
+  * This effectively removes IBRS/IBPB/STIPB microcode support for
+    Spectre variant 2 mitigation.
+
+3.20180108.1 [Wed, 10 Jan 2018 00:23:44 -0200] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode data file 20180108 (closes: #886367)
+    + Updated Microcodes:
+      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
+      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
+      sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
+      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
+      sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
+      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
+      sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
+      sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
+      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
+      sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
+      sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
+      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
+      sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
+      sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
+      sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
+      sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
+      sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
+    + Implements IBRS/IBPB support: mitigation against Spectre (CVE-2017-5715)
+    + Very likely fixes several other errata on some of the processors
+  * supplementary-ucode-CVE-2017-5715.d/: remove.
+    + Downgraded microcodes:
+      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
+      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
+    + Recall related to bug #886998
+  * source: remove superseded upstream data file: 20171117
+  * README.Debian, copyright: update download URLs (closes: #886368)
+
+3.20171215.1 [Thu, 04 Jan 2018 23:04:38 -0200] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367)
+    New upstream microcodes to partially address CVE-2017-5715
+    + Updated Microcodes:
+      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
+      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
+      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
+      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
+      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
+      sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
+      sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
+      sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
+      sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
+  * Implements IBRS and IBPB support via new MSR (Spectre variant 2
+    mitigation, indirect branches).  Support is exposed through cpuid(7).EDX.
+
+3.20171117.1 [Sat, 18 Nov 2017 18:55:09 -0200] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode data file 20171117
+    + New Microcodes:
+      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
+      sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
+      sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
+      sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
+    + Updated Microcodes:
+      sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
+      sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
+  * source: remove superseded upstream data file: 20170707.
+  * source: remove unneeded intel-ucode/ directory for 20171117.
+  * debian/control: bump standards version to 4.1.1 (no changes)
+  * Makefile: rename microcode-extras.pbin to microcode-includes.pbin.
+  * README.source: fix IUC_EXCLUDE example and minor issues.
+  * Makefile, README.souce: support loading ucode from directories.
+  * debian/rules: switch to dh mode (debhelper v9)
+  * ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late
+    loading.
+
+3.20170707.1 [Sat, 08 Jul 2017 19:04:27 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode datafile 20170707
+    + New Microcodes:
+      sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
+      sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
+      sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
+      sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
+    + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/
+      SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby
+      Lake and Skylake processors: Skylake D0/R0 were fixed since the
+      previous upstream release (20170511).  This new release adds the
+      fixes for Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
+    + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0
+      (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
+  * source: remove unneeded intel-ucode/ directory
+  * source: remove superseded upstream data file: 20170511
+
+3.20170511.1 [Mon, 15 May 2017 15:12:25 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode datafile 20170511
+    + Updated Microcodes:
+      sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
+      sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
+      sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
+      sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
+      sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
+      sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
+      sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
+      sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
+      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
+      sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
+    + This release fixes undisclosed errata on the desktop, mobile and
+      server processor models from the Haswell, Broadwell, and Skylake
+      families, including even the high-end multi-socket server Xeons
+    + Likely fix the TSC-Deadline LAPIC errata (BDF89, SKL142 and
+      similar) on several processor families
+    + Fix erratum BDF90 on Xeon E7v4, E5v4(?) (closes: #862606)
+    + Likely fix serious or critical Skylake errata: SKL138/144,
+      SKL137/145, SLK149
+    * Likely fix nightmare-level Skylake erratum SKL150.  Fortunately,
+      either this erratum is very-low-hitting, or gcc/clang/icc/msvc
+      won't usually issue the affected opcode pattern and it ends up
+      being rare.
+      SKL150 - Short loops using both the AH/BH/CH/DH registers and
+      the corresponding wide register *may* result in unpredictable
+      system behavior.  Requires both logical processors of the same
+      core (i.e. sibling hyperthreads) to be active to trigger, as
+      well as a "complex set of micro-architectural conditions"
+  * source: remove unneeded intel-ucode/ directory
+    Since release 20170511, upstream ships the microcodes both in .dat
+    format, and as Linux-style split /lib/firmware/intel-ucode files.
+    It is simpler to just use the .dat format file for now, so remove
+    the intel-ucode/ directory. Note: before removal, it was verified
+    that there were no discrepancies between the two microcode sets
+    (.dat and intel-ucode/)
+  * source: remove superseded upstream data file: 20161104
 
 3.20161104.1 [Wed, 09 Nov 2016 20:35:57 -0200] Henrique de Moraes Holschuh <hmh@debian.org>:
Comment 3 Arvid Requate univentionstaff 2018-05-09 13:49:47 CEST
Verified:
* Package version imported from Debian sid (currently same as in and jessie-backports-sloppy or stretch-backports)

* No UCS specific patches
* Binary package update Ok
* Philipp demonstrated microcode revision update works on hardware


Version lower than ucs_4.3-0 but that's ok for now:

Version:        3.20161104.1~deb8u1     ucs_4.2-0
Version:        3.20180425.1    ucs_4.2-0-errata4.2-3
Version:        3.20170707.1~deb9u1     ucs_4.3-0
Comment 4 Arvid Requate univentionstaff 2018-05-09 14:46:44 CEST
<http://errata.software-univention.de/ucs/4.2/414.html>