Bug 46982 - intel-microcode: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.2
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.2-3-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
Depends on: 46489
Reported: 2018-05-09 09:15 CEST by Philipp Hahn
Modified: 2018-05-16 17:46 CEST (History)

What kind of report is it?: Security Issue
Max CVSS v3 score: 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)


Description Philipp Hahn univentionstaff 2018-05-09 09:15:37 CEST
New Debian intel-microcode 3.20180425.1 fixes:
This update addresses the following issue:
* Systems with microprocessors utilizing speculative execution and indirect
  branch prediction may allow unauthorized disclosure of information to an
  attacker with local user access via a side-channel analysis (CVE-2017-5715)

CVE-2017-5715 hw: cpu: speculative execution branch target injection
Comment 1 Philipp Hahn univentionstaff 2018-05-09 10:39:12 CEST
[4.2-3] 9d74e65099 Bug #46982: intel-microcode_3.20180425.1
 doc/errata/staging/intel-microcode.yaml | 5 ++---

QA: Debian released the same MCU for
  Debian-Buster 10
  Debian-Stretch 9
  Debian-Jessie 8
but rebuilds it for each release individually, as Debian policy requires.
$ cd mnt/build-storage/upstream/debian/pool/non-free/i/intel-microcode
$ ls -1 intel-microcode_3.20180425.1*.dsc
intel-microcode_3.20180425.1~bpo8+1.dsc
intel-microcode_3.20180425.1~bpo9+1.dsc
intel-microcode_3.20180425.1.dsc
$ dchdiff intel-microcode_3.20180425.1.dsc intel-microcode_3.20180425.1~bpo9+1.dsc
--- intel-microcode_3.20180425.1.dsc
+++ intel-microcode_3.20180425.1~bpo9+1.dsc
@@ -1,3 +1,7 @@
+3.20180425.1~bpo9+1 [Thu, 03 May 2018 23:04:13 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Rebuild for stretch-backports (no changes)
+
 3.20180425.1 [Wed, 02 May 2018 16:48:44 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
$ dchdiff intel-microcode_3.20180425.1.dsc intel-microcode_3.20180425.1~bpo8+1.dsc
--- intel-microcode_3.20180425.1.dsc
+++ intel-microcode_3.20180425.1~bpo8+1.dsc
@@ -1,3 +1,7 @@
+3.20180425.1~bpo8+1 [Thu, 03 May 2018 23:06:51 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Rebuild for jessie-backports-sloppy (no changes)
+
 3.20180425.1 [Wed, 02 May 2018 16:48:44 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
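Review bot: both backport entries record only "Rebuild for ... (no changes)", so the source differs from the sid upload purely in the changelog header; the thing worth pinning down for the UCS import is the version string, not the content. The unsuffixed 3.20180425.1 chosen for UCS sorts above both 3.20180425.1~bpo9+1 and 3.20180425.1~bpo8+1 in dpkg version comparison (a "~" component sorts before anything), so if a later UCS release were ever seeded from one of the ~bpo builds of the same upstream, apt would not treat it as an upgrade over this package. Importing the unsuffixed sid version, as Comment 1 does with repo-copy-dsc, is the right choice; just keep doing it consistently across releases.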

Running "dchdiff" and "debdiff" on the binary packages showed no difference either:
<http://10.200.17.11/4.2-3/#2666279656651672246>

For UCS it is okay to use the same package for all UCS releases; for now I only do it for UCS-4.2-3, for UCS-4.3-0 clone this bug after QA.
The binary packages were copied using "repo-copy-dsc -p -c".
Comment 2 Quality Assurance univentionstaff 2018-05-09 10:39:32 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/intel-microcode_3.20161104.1~deb8u1.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/intel-microcode_3.20180425.1.dsc
@@ -1,20 +1,195 @@
-3.20161104.1~deb8u1 [Fri, 16 Dec 2016 09:42:04 -0200] Henrique de Moraes Holschuh <hmh@debian.org>:
-
-  * This is the same package as 3.20161104.1 from unstable/testing and
-    3.20161104.1~bpo8+1, from jessie-backports.  It has been present in
-    unstable since 2016-11-09, testing since 2016-11-15, and jessie-backports
-    since 2016-11-17.
-  * STABLE RELEASE MANAGER INFORMATION:
-    + Supposed to fix critical Intel TSX erratum BDE85 on Xeon-D 1500 Y0
-    + Known to fix critical errata on several Xeon-D 1500 models which
-      will crash vmware (KB2146388) and likely Linux as well
-    + Fixes likely critical errata (which ones unknown) on Broadwell-E
-      (Core extreme edition 5th gen, Xeon E5v4, Xeon E7v4)
-    + Removes (very likely outdated) microcode for the C3500 and C5500 family
-      of embedded Xeon (Jasper Forest).  These embedded Xeons are typically
-      found on (older) network equipment appliances such as firewalls/IPS/IDS,
-      and also on data storage devices, and thus are supposed to receive
-      microcode updates through their vendors
+3.20180425.1 [Wed, 02 May 2018 16:48:44 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode data file 20180425 (closes: #897443, #895878)
+    + Updated Microcodes:
+      sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb00002c, size 27648
+      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
+    + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
+    + Note that sig 0x000604f1 has been blacklisted from late-loading
+      since Debian release 3.20171117.1.
+  * source: remove undesired list files from microcode directories
+  * source: switch to microcode-<id>.d/ since Intel dropped .dat
+    support.
+
+3.20180312.1 [Wed, 14 Mar 2018 09:21:24 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode data file 20180312 (closes: #886367)
+    + New Microcodes:
+      sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
+      sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009, size 18432
+    + Updated Microcodes:
+      sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
+      sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
+      sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
+      sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
+      sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
+      sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
+      sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
+      sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
+      sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
+      sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
+      sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
+      sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
+      sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
+      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
+      sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
+      sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012, size 22528
+      sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011, size 22528
+      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
+      sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
+      sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
+      sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
+      sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
+    + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation for:
+      Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
+      Coffee Lake
+    + Missing production updates:
+      + Broadwell-E/EX Xeons (sig 0x406f1)
+      + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
+        Gemini Lake, Denverton
+  * Update past changelog entries with new information:
+    Intel already had all necessary semanthics in LFENCE, so the
+    Spectre-related Intel microcode changes did not need to enhance LFENCE.
+  * debian/control: update Vcs-* fields for the move to salsa.debian.org
+
+3.20180108.1+really20171117.1 [Mon, 22 Jan 2018 23:01:59 -0200] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Revert to release 20171117, as per Intel instructions issued to
+    the public in 2018-01-22 (closes: #886998)
+  * This effectively removes IBRS/IBPB/STIPB microcode support for
+    Spectre variant 2 mitigation.
+
+3.20180108.1 [Wed, 10 Jan 2018 00:23:44 -0200] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode data file 20180108 (closes: #886367)
+    + Updated Microcodes:
+      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
+      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
+      sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
+      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
+      sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
+      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
+      sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
+      sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
+      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
+      sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
+      sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
+      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
+      sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
+      sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
+      sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
+      sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
+      sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
+    + Implements IBRS/IBPB support: mitigation against Spectre (CVE-2017-5715)
+    + Very likely fixes several other errata on some of the processors
+  * supplementary-ucode-CVE-2017-5715.d/: remove.
+    + Downgraded microcodes:
+      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
+      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
+    + Recall related to bug #886998
+  * source: remove superseded upstream data file: 20171117
+  * README.Debian, copyright: update download URLs (closes: #886368)
+
+3.20171215.1 [Thu, 04 Jan 2018 23:04:38 -0200] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367)
+    New upstream microcodes to partially address CVE-2017-5715
+    + Updated Microcodes:
+      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
+      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
+      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
+      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
+      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
+      sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
+      sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
+      sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
+      sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
+  * Implements IBRS and IBPB support via new MSR (Spectre variant 2
+    mitigation, indirect branches).  Support is exposed through cpuid(7).EDX.
+
+3.20171117.1 [Sat, 18 Nov 2017 18:55:09 -0200] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode data file 20171117
+    + New Microcodes:
+      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
+      sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
+      sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
+      sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
+    + Updated Microcodes:
+      sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
+      sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
+  * source: remove superseded upstream data file: 20170707.
+  * source: remove unneeded intel-ucode/ directory for 20171117.
+  * debian/control: bump standards version to 4.1.1 (no changes)
+  * Makefile: rename microcode-extras.pbin to microcode-includes.pbin.
+  * README.source: fix IUC_EXCLUDE example and minor issues.
+  * Makefile, README.souce: support loading ucode from directories.
+  * debian/rules: switch to dh mode (debhelper v9)
+  * ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late
+    loading.
+
+3.20170707.1 [Sat, 08 Jul 2017 19:04:27 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode datafile 20170707
+    + New Microcodes:
+      sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
+      sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
+      sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
+      sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
+    + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/
+      SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby
+      Lake and Skylake processors: Skylake D0/R0 were fixed since the
+      previous upstream release (20170511).  This new release adds the
+      fixes for Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
+    + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0
+      (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
+  * source: remove unneeded intel-ucode/ directory
+  * source: remove superseded upstream data file: 20170511
+
+3.20170511.1 [Mon, 15 May 2017 15:12:25 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * New upstream microcode datafile 20170511
+    + Updated Microcodes:
+      sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
+      sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
+      sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
+      sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
+      sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
+      sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
+      sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
+      sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
+      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
+      sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
+    + This release fixes undisclosed errata on the desktop, mobile and
+      server processor models from the Haswell, Broadwell, and Skylake
+      families, including even the high-end multi-socket server Xeons
+    + Likely fix the TSC-Deadline LAPIC errata (BDF89, SKL142 and
+      similar) on several processor families
+    + Fix erratum BDF90 on Xeon E7v4, E5v4(?) (closes: #862606)
+    + Likely fix serious or critical Skylake errata: SKL138/144,
+      SKL137/145, SLK149
+    * Likely fix nightmare-level Skylake erratum SKL150.  Fortunately,
+      either this erratum is very-low-hitting, or gcc/clang/icc/msvc
+      won't usually issue the affected opcode pattern and it ends up
+      being rare.
+      SKL150 - Short loops using both the AH/BH/CH/DH registers and
+      the corresponding wide register *may* result in unpredictable
+      system behavior.  Requires both logical processors of the same
+      core (i.e. sibling hyperthreads) to be active to trigger, as
+      well as a "complex set of micro-architectural conditions"
+  * source: remove unneeded intel-ucode/ directory
+    Since release 20170511, upstream ships the microcodes both in .dat
+    format, and as Linux-style split /lib/firmware/intel-ucode files.
+    It is simpler to just use the .dat format file for now, so remove
+    the intel-ucode/ directory. Note: before removal, it was verified
+    that there were no discrepancies between the two microcode sets
+    (.dat and intel-ucode/)
+  * source: remove superseded upstream data file: 20161104
 
 3.20161104.1 [Wed, 09 Nov 2016 20:35:57 -0200] Henrique de Moraes Holschuh <hmh@debian.org>:
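Review bot: the two late-loading blacklist statements in this changelog disagree on the signature: the 3.20180425.1 entry says "sig 0x000604f1 has been blacklisted from late-loading since Debian release 3.20171117.1", but the 3.20171117.1 entry it refers to says "blacklist sig 0x406f1 (Skylake-X H0) from late loading", and the 3.20180312.1 entry in the same diff lists 0x406f1 as "Broadwell-E/EX Xeons" (Skylake-X appears there as sig 0x00050654). 0x406f1 is exactly the signature this release updates to rev 0xb00002c, so on Broadwell-E/EX hosts the new revision will only show up after a reboot with the initramfs early loader, not from a late load; the "works on hardware" check in QA should therefore be read from a rebooted host. Minor: "semanthics" in the 3.20180312.1 entry should be "semantics".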
Comment 3 Arvid Requate univentionstaff 2018-05-09 13:49:47 CEST
Verified:
* Package version imported from Debian sid (currently the same as in jessie-backports-sloppy and stretch-backports)
* No UCS specific patches
* Binary package update OK
* Philipp demonstrated that the microcode revision update works on hardware


Version lower than ucs_4.3-0 but that's ok for now:

Version:        3.20161104.1~deb8u1     ucs_4.2-0
Version:        3.20180425.1    ucs_4.2-0-errata4.2-3
Version:        3.20170707.1~deb9u1     ucs_4.3-0
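Comment 3 records that the revision update was demonstrated on hardware. The script below makes that check reproducible; it is an added example for this bug, not Univention or Debian code. It rebuilds the CPUID signature the changelog calls `sig` from the family/model/stepping fields of /proc/cpuinfo, looks up the revision the package ships for that signature (newest changelog entry wins), and flags signatures the changelog blacklists from late loading, which only pick up the new revision via the initramfs early loader after a reboot. The changelog excerpt and the /proc/cpuinfo stanza are constructed samples whose sig/rev values are copied from the diff in Comment 2; the flag names in SPEC_CTRL_FLAGS are an assumption, since they vary between kernel versions.

```python
"""Compare the microcode revision a host runs with the revision the Debian
intel-microcode changelog lists for its CPU signature.  Added example for this
bug, not Univention or Debian code.  CHANGELOG and CPUINFO are constructed
samples (sig/rev values copied from Comment 2); on a real host feed it
/proc/cpuinfo and /usr/share/doc/intel-microcode/changelog.Debian.gz instead.
"""
import re

# Condensed changelog excerpt, newest entry first (constructed sample).
CHANGELOG = """\
3.20180425.1 [Wed, 02 May 2018 16:48:44 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
      sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb00002c, size 27648
      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
3.20180312.1 [Wed, 14 Mar 2018 09:21:24 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
      sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
      sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
3.20180108.1 [Wed, 10 Jan 2018 00:23:44 -0200] Henrique de Moraes Holschuh <hmh@debian.org>:
      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
3.20171117.1 [Sat, 18 Nov 2017 18:55:09 -0200] Henrique de Moraes Holschuh <hmh@debian.org>:
  * ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late loading.
"""

SIG_RE = re.compile(r"sig 0x([0-9a-f]+), pf_mask 0x[0-9a-f]+, \d{4}-\d{2}-\d{2}, rev 0x([0-9a-f]+)")
BLACKLIST_RE = re.compile(r"blacklist sig 0x([0-9a-f]+)|sig 0x([0-9a-f]+) has been blacklisted")


def parse_changelog(text):
    """Return ({sig: shipped rev}, {sigs blacklisted from late loading}).
    Entries are newest first, so the first line naming a signature wins and
    older lines (e.g. the 0xb000021 downgrade after Intel's recall) are ignored."""
    shipped, blacklist = {}, set()
    for line in text.splitlines():
        if m := SIG_RE.search(line):
            shipped.setdefault(int(m.group(1), 16), int(m.group(2), 16))
        elif m := BLACKLIST_RE.search(line):
            blacklist.add(int(m.group(1) or m.group(2), 16))
    return shipped, blacklist


def parse_cpuinfo(text):
    """Split /proc/cpuinfo into one {field: value} dict per 'processor' stanza."""
    cpus, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last stanza
        if not line.strip():
            if cur:
                cpus.append(cur)
            cur = {}
        else:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    return cpus


def cpuid_signature(family, model, stepping):
    """Rebuild the CPUID(1).EAX signature the changelog calls 'sig' from the
    display family/model/stepping that /proc/cpuinfo prints (Intel SDM encoding)."""
    ext_family, base_family = (family - 0xF, 0xF) if family > 0xF else (0, family)
    # Extended-model bits are only defined for family 6 and family 0xF.
    ext_model, base_model = (model >> 4, model & 0xF) if family == 6 or family >= 0xF else (0, model)
    return (ext_family << 20) | (ext_model << 16) | (base_family << 8) | (base_model << 4) | (stepping & 0xF)


# Assumed flag names; they differ between kernel versions, and
# /sys/devices/system/cpu/vulnerabilities/spectre_v2 is the authoritative view.
SPEC_CTRL_FLAGS = {"ibrs", "ibpb", "stibp", "spec_ctrl", "intel_stibp"}


def check_microcode(cpuinfo_text, changelog_text):
    """One report dict per Intel logical CPU.  pf_mask (platform ID from MSR
    0x17) is not checked, so 'current' assumes the platform matches."""
    shipped, blacklist = parse_changelog(changelog_text)
    report = []
    for cpu in parse_cpuinfo(cpuinfo_text):
        if cpu.get("vendor_id") != "GenuineIntel":
            continue
        sig = cpuid_signature(int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
        running, expected = int(cpu["microcode"], 16), shipped.get(sig)
        status = "unknown" if expected is None else ("current" if running >= expected else "outdated")
        report.append({
            "cpu": int(cpu["processor"]), "sig": sig, "running": running, "expected": expected,
            "status": status,
            # A blacklisted sig only takes the update via early loading from the
            # initramfs, i.e. after a reboot; a live late load will not change it.
            "needs_reboot_to_update": status == "outdated" and sig in blacklist,
            "spec_ctrl_flags": sorted(set(cpu.get("flags", "").split()) & SPEC_CTRL_FLAGS),
        })
    return report


# Constructed /proc/cpuinfo excerpt: a Broadwell-EP Xeon (sig 0x406f1) still on
# the recalled rev 0xb000021 and without any spec_ctrl flags.
CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 79
stepping\t: 1
microcode\t: 0xb000021
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ht
"""

if __name__ == "__main__":
    for r in check_microcode(CPUINFO, CHANGELOG):
        print("cpu%d sig %#x: running %#x, package ships %s -> %s%s" % (
            r["cpu"], r["sig"], r["running"], hex(r["expected"]) if r["expected"] else "nothing",
            r["status"], " (reboot needed, late loading blacklisted)" if r["needs_reboot_to_update"] else ""))
```

On a real host replace the two constants with `open("/proc/cpuinfo").read()` and the decompressed package changelog; a verdict of "outdated" plus `needs_reboot_to_update` is the case the changelog warns about for 0x406f1, and an "unknown" verdict means the package carries no microcode for that signature at all.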
Comment 4 Arvid Requate univentionstaff 2018-05-09 14:46:44 CEST
<http://errata.software-univention.de/ucs/4.2/414.html>