Bug#1068082: bullseye-pu: package intel-microcode/3.20240312.1~deb11u1

2024-05-02 Thread Henrique de Moraes Holschuh
On Mon, Apr 22, 2024, at 13:58, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
>
> On Sat, Mar 30, 2024 at 07:50:45AM -0300, Henrique de Moraes Holschuh wrote:
>> As requested by the security team, I would like to bring the microcode
>> update level for Intel processors in Bullseye and Bookworm to match what
>> we have in Sid and Trixie.  This is the bug report for Bullseye, a
>> separate one will be filed for Bookworm.
>
> Please go ahead.

Uploaded!

Thank you!

-- 
  Henrique de Moraes Holschuh 



Bug#1068084: bookworm-pu: package intel-microcode/3.20240312.1~deb12u1

2024-04-03 Thread Henrique de Moraes Holschuh
Uploaded.

On Mon, Apr 1, 2024, at 08:48, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
>
> On Sat, Mar 30, 2024 at 07:47:05AM -0300, Henrique de Moraes Holschuh wrote:
>> As requested by the security team, I would like to bring the microcode
>> update level for Intel processors in Bullseye and Bookworm to match what
>> we have in Sid and Trixie.  This is the bug report for Bookworm, a
>> separate one will be filed for Bullseye.
>
> Please go ahead.
>
> Thanks,
>
> -- 
> Jonathan Wiltshire  j...@debian.org
> Debian Developer http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

-- 
  Henrique de Moraes Holschuh 



Bug#1068084: bookworm-pu: package intel-microcode/3.20240312.1~deb12u1

2024-03-30 Thread Henrique de Moraes Holschuh
ale register buffers.  Affects SGX as well.
+  Requires kernel update to be effective.
+- Mitigations for INTEL-SA-INTEL-SA-00960 (CVE-2023-22655), aka TECRA:
+  Protection mechanism failure in some 3rd and 4th Generation Intel Xeon
+  Processors when using Intel SGX or Intel TDX may allow a privileged
+  user to potentially enable escalation of privilege via local access.
+  NOTE: effective only when loaded by firmware.  Allows SMM firmware to
+  attack SGX/TDX.
+- Mitigations for INTEL-SA-INTEL-SA-01045 (CVE-2023-43490):
+  Incorrect calculation in microcode keying mechanism for some Intel
+  Xeon D Processors with Intel SGX may allow a privileged user to
+  potentially enable information disclosure via local access.
+  * Fixes for other unspecified functional issues on many processors
+  * Updated microcodes:
+sig 0x00050653, pf_mask 0x97, 2023-07-28, rev 0x1000191, size 36864
+sig 0x00050656, pf_mask 0xbf, 2023-07-28, rev 0x4003605, size 38912
+sig 0x00050657, pf_mask 0xbf, 2023-07-28, rev 0x5003605, size 37888
+sig 0x0005065b, pf_mask 0xbf, 2023-08-03, rev 0x7002802, size 30720
+sig 0x00050665, pf_mask 0x10, 2023-08-03, rev 0xe15, size 23552
+sig 0x000506f1, pf_mask 0x01, 2023-10-05, rev 0x003e, size 11264
+sig 0x000606a6, pf_mask 0x87, 2023-09-14, rev 0xd0003d1, size 307200
+sig 0x000606c1, pf_mask 0x10, 2023-12-05, rev 0x1000290, size 299008
+sig 0x000706a1, pf_mask 0x01, 2023-08-25, rev 0x0040, size 76800
+sig 0x000706a8, pf_mask 0x01, 2023-08-25, rev 0x0024, size 76800
+sig 0x000706e5, pf_mask 0x80, 2023-09-14, rev 0x00c4, size 114688
+sig 0x000806c1, pf_mask 0x80, 2023-09-13, rev 0x00b6, size 111616
+sig 0x000806c2, pf_mask 0xc2, 2023-09-13, rev 0x0036, size 98304
+sig 0x000806d1, pf_mask 0xc2, 2023-09-13, rev 0x0050, size 104448
+sig 0x000806ec, pf_mask 0x94, 2023-07-16, rev 0x00fa, size 106496
+sig 0x000806f8, pf_mask 0x87, 2024-01-03, rev 0x2b000590, size 579584
+sig 0x000806f7, pf_mask 0x87, 2024-01-03, rev 0x2b000590
+sig 0x000806f6, pf_mask 0x87, 2024-01-03, rev 0x2b000590
+sig 0x000806f5, pf_mask 0x87, 2024-01-03, rev 0x2b000590
+sig 0x000806f4, pf_mask 0x87, 2024-01-03, rev 0x2b000590
+sig 0x00090661, pf_mask 0x01, 2023-09-26, rev 0x0019, size 20480
+sig 0x00090672, pf_mask 0x07, 2023-09-19, rev 0x0034, size 224256
+sig 0x00090675, pf_mask 0x07, 2023-09-19, rev 0x0034
+sig 0x000b06f2, pf_mask 0x07, 2023-09-19, rev 0x0034
+sig 0x000b06f5, pf_mask 0x07, 2023-09-19, rev 0x0034
+sig 0x000906a3, pf_mask 0x80, 2023-09-19, rev 0x0432, size 08
+sig 0x000906a4, pf_mask 0x80, 2023-09-19, rev 0x0432
+sig 0x000906c0, pf_mask 0x01, 2023-09-26, rev 0x2426, size 20480
+sig 0x000906e9, pf_mask 0x2a, 2023-09-28, rev 0x00f8, size 108544
+sig 0x000906ea, pf_mask 0x22, 2023-07-26, rev 0x00f6, size 105472
+sig 0x000906ec, pf_mask 0x22, 2023-07-26, rev 0x00f6, size 106496
+sig 0x000906ed, pf_mask 0x22, 2023-07-27, rev 0x00fc, size 106496
+sig 0x000a0652, pf_mask 0x20, 2023-07-16, rev 0x00fa, size 97280
+sig 0x000a0653, pf_mask 0x22, 2023-07-16, rev 0x00fa, size 97280
+sig 0x000a0655, pf_mask 0x22, 2023-07-16, rev 0x00fa, size 97280
+sig 0x000a0660, pf_mask 0x80, 2023-07-16, rev 0x00fa, size 97280
+sig 0x000a0661, pf_mask 0x80, 2023-07-16, rev 0x00fa, size 96256
+sig 0x000a0671, pf_mask 0x02, 2023-09-14, rev 0x005e, size 108544
+sig 0x000b0671, pf_mask 0x32, 2023-12-14, rev 0x0122, size 215040
+sig 0x000b06a2, pf_mask 0xe0, 2023-12-07, rev 0x4121, size 220160
+sig 0x000b06a3, pf_mask 0xe0, 2023-12-07, rev 0x4121
+sig 0x000b06e0, pf_mask 0x11, 2023-09-25, rev 0x0015, size 138240
+  * New microcodes:
+sig 0x000a06a4, pf_mask 0xe6, 2024-01-03, rev 0x001c, size 136192
+sig 0x000b06a8, pf_mask 0xe0, 2023-12-07, rev 0x4121, size 220160
+sig 0x000c06f2, pf_mask 0x87, 2023-11-20, rev 0x21000200, size 549888
+sig 0x000c06f1, pf_mask 0x87, 2023-11-20, rev 0x21000200
+
 2023-11-14:
   * New upstream microcode datafile 20231114
 Mitigations for "reptar", INTEL-SA-00950 (CVE-2023-23583)
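
Review bot: on the "sig 0x000906a3" line the size field reads "size 08", while every other size in this list is 11264 or larger; please check the value against the upstream release notes. Several entries (for example 0x000806f7 through 0x000806f4) carry no size at all, and a short remark saying why would help anyone comparing this list against an installed microcode file.
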
diff --git a/debian/changelog b/debian/changelog
index c2aeefe..f156f68 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,91 @@
+intel-microcode (3.20240312.1~deb12u1) bookworm; urgency=medium
+
+  * Build for bookworm (no changes)
+
+ -- Henrique de Moraes Holschuh   Sat, 30 Mar 2024 07:01:52 -0300
+
+intel-microcode (3.20240312.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20240312 (closes: #1066108)
+- Mitigations for INTEL-SA-INTEL-SA-00972 (CVE-2023-39368):
+  Protection mechanism failure of bus lock regulator for some Intel
+  Processors may allow an unauthenticated user to potentially enable
+  denial of service via network access.
+- Mitigations for INTEL-SA-INTEL-SA-00982 (CVE-2023-38575):
+  Non-transparent sharing of re
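
Review bot: the advisory IDs in the 3.20240312.1 entry are written with a doubled prefix ("INTEL-SA-INTEL-SA-00972", "INTEL-SA-INTEL-SA-00982"), unlike the "INTEL-SA-00950" form used in the older 2023-11-14 entry of the same patch, so a search for the advisory ID in that form will not match these lines. Suggest "INTEL-SA-00972 (CVE-2023-39368)" and the same form for the other entries.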

Bug#1068082: bullseye-pu: package intel-microcode/3.20240312.1~deb11u1

2024-03-30 Thread Henrique de Moraes Holschuh
ure via local access.  Enhances
+  VERW instruction to clear stale register buffers.  Affects SGX as well.
+  Requires kernel update to be effective.
+- Mitigations for INTEL-SA-INTEL-SA-00960 (CVE-2023-22655), aka TECRA:
+  Protection mechanism failure in some 3rd and 4th Generation Intel Xeon
+  Processors when using Intel SGX or Intel TDX may allow a privileged
+  user to potentially enable escalation of privilege via local access.
+  NOTE: effective only when loaded by firmware.  Allows SMM firmware to
+  attack SGX/TDX.
+- Mitigations for INTEL-SA-INTEL-SA-01045 (CVE-2023-43490):
+  Incorrect calculation in microcode keying mechanism for some Intel
+  Xeon D Processors with Intel SGX may allow a privileged user to
+  potentially enable information disclosure via local access.
+  * Fixes for other unspecified functional issues on many processors
+  * Updated microcodes:
+sig 0x00050653, pf_mask 0x97, 2023-07-28, rev 0x1000191, size 36864
+sig 0x00050656, pf_mask 0xbf, 2023-07-28, rev 0x4003605, size 38912
+sig 0x00050657, pf_mask 0xbf, 2023-07-28, rev 0x5003605, size 37888
+sig 0x0005065b, pf_mask 0xbf, 2023-08-03, rev 0x7002802, size 30720
+sig 0x00050665, pf_mask 0x10, 2023-08-03, rev 0xe15, size 23552
+sig 0x000506f1, pf_mask 0x01, 2023-10-05, rev 0x003e, size 11264
+sig 0x000606a6, pf_mask 0x87, 2023-09-14, rev 0xd0003d1, size 307200
+sig 0x000606c1, pf_mask 0x10, 2023-12-05, rev 0x1000290, size 299008
+sig 0x000706a1, pf_mask 0x01, 2023-08-25, rev 0x0040, size 76800
+sig 0x000706a8, pf_mask 0x01, 2023-08-25, rev 0x0024, size 76800
+sig 0x000706e5, pf_mask 0x80, 2023-09-14, rev 0x00c4, size 114688
+sig 0x000806c1, pf_mask 0x80, 2023-09-13, rev 0x00b6, size 111616
+sig 0x000806c2, pf_mask 0xc2, 2023-09-13, rev 0x0036, size 98304
+sig 0x000806d1, pf_mask 0xc2, 2023-09-13, rev 0x0050, size 104448
+sig 0x000806ec, pf_mask 0x94, 2023-07-16, rev 0x00fa, size 106496
+sig 0x000806f8, pf_mask 0x87, 2024-01-03, rev 0x2b000590, size 579584
+sig 0x000806f7, pf_mask 0x87, 2024-01-03, rev 0x2b000590
+sig 0x000806f6, pf_mask 0x87, 2024-01-03, rev 0x2b000590
+sig 0x000806f5, pf_mask 0x87, 2024-01-03, rev 0x2b000590
+sig 0x000806f4, pf_mask 0x87, 2024-01-03, rev 0x2b000590
+sig 0x00090661, pf_mask 0x01, 2023-09-26, rev 0x0019, size 20480
+sig 0x00090672, pf_mask 0x07, 2023-09-19, rev 0x0034, size 224256
+sig 0x00090675, pf_mask 0x07, 2023-09-19, rev 0x0034
+sig 0x000b06f2, pf_mask 0x07, 2023-09-19, rev 0x0034
+sig 0x000b06f5, pf_mask 0x07, 2023-09-19, rev 0x0034
+sig 0x000906a3, pf_mask 0x80, 2023-09-19, rev 0x0432, size 08
+sig 0x000906a4, pf_mask 0x80, 2023-09-19, rev 0x0432
+sig 0x000906c0, pf_mask 0x01, 2023-09-26, rev 0x2426, size 20480
+sig 0x000906e9, pf_mask 0x2a, 2023-09-28, rev 0x00f8, size 108544
+sig 0x000906ea, pf_mask 0x22, 2023-07-26, rev 0x00f6, size 105472
+sig 0x000906ec, pf_mask 0x22, 2023-07-26, rev 0x00f6, size 106496
+sig 0x000906ed, pf_mask 0x22, 2023-07-27, rev 0x00fc, size 106496
+sig 0x000a0652, pf_mask 0x20, 2023-07-16, rev 0x00fa, size 97280
+sig 0x000a0653, pf_mask 0x22, 2023-07-16, rev 0x00fa, size 97280
+sig 0x000a0655, pf_mask 0x22, 2023-07-16, rev 0x00fa, size 97280
+sig 0x000a0660, pf_mask 0x80, 2023-07-16, rev 0x00fa, size 97280
+sig 0x000a0661, pf_mask 0x80, 2023-07-16, rev 0x00fa, size 96256
+sig 0x000a0671, pf_mask 0x02, 2023-09-14, rev 0x005e, size 108544
+sig 0x000b0671, pf_mask 0x32, 2023-12-14, rev 0x0122, size 215040
+sig 0x000b06a2, pf_mask 0xe0, 2023-12-07, rev 0x4121, size 220160
+sig 0x000b06a3, pf_mask 0xe0, 2023-12-07, rev 0x4121
+sig 0x000b06e0, pf_mask 0x11, 2023-09-25, rev 0x0015, size 138240
+  * New microcodes:
+sig 0x000a06a4, pf_mask 0xe6, 2024-01-03, rev 0x001c, size 136192
+sig 0x000b06a8, pf_mask 0xe0, 2023-12-07, rev 0x4121, size 220160
+sig 0x000c06f2, pf_mask 0x87, 2023-11-20, rev 0x21000200, size 549888
+sig 0x000c06f1, pf_mask 0x87, 2023-11-20, rev 0x21000200
+
 2023-11-14:
   * New upstream microcode datafile 20231114
 Mitigations for "reptar", INTEL-SA-00950 (CVE-2023-23583)
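
Review bot: "Requires kernel update to be effective" in the VERW entry does not say which kernel. For a bullseye upload, name the minimum kernel version (or the Debian kernel package version) that makes use of the enhanced VERW, so an admin can tell whether installing this package alone mitigates the issue.
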
diff --git a/debian/changelog b/debian/changelog
index fa702cb..317fad2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,92 @@
+intel-microcode (3.20240312.1~deb11u1) bullseye; urgency=medium
+
+  * Backport to Debian Bullseye
+  * debian/control: revert non-free-firmware change
+
+ -- Henrique de Moraes Holschuh   Sat, 30 Mar 2024 07:06:46 -0300
+
+intel-microcode (3.20240312.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20240312 (closes: #1066108)
+- Mitigations for INTEL-SA-INTEL-SA-00972 (CVE-2023-39368):
+  Protection mechanism failure of bus lock regulator for some Intel
+  Processors may allow an unauthenticated user to potentially enable
+  denial of service via netw
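
Review bot: "debian/control: revert non-free-firmware change" in the ~deb11u1 stanza does not say which field is reverted or why. Suggest naming the field and the reason, so the difference from the unstable package is clear from the changelog alone.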

Bug#1068083: bullseye-pu: package intel-microcode/3.20240312.1~deb11u1

2024-03-30 Thread Henrique de Moraes Holschuh
ale register buffers.  Affects SGX as well.
+  Requires kernel update to be effective.
+- Mitigations for INTEL-SA-INTEL-SA-00960 (CVE-2023-22655), aka TECRA:
+  Protection mechanism failure in some 3rd and 4th Generation Intel Xeon
+  Processors when using Intel SGX or Intel TDX may allow a privileged
+  user to potentially enable escalation of privilege via local access.
+  NOTE: effective only when loaded by firmware.  Allows SMM firmware to
+  attack SGX/TDX.
+- Mitigations for INTEL-SA-INTEL-SA-01045 (CVE-2023-43490):
+  Incorrect calculation in microcode keying mechanism for some Intel
+  Xeon D Processors with Intel SGX may allow a privileged user to
+  potentially enable information disclosure via local access.
+  * Fixes for other unspecified functional issues on many processors
+  * Updated microcodes:
+sig 0x00050653, pf_mask 0x97, 2023-07-28, rev 0x1000191, size 36864
+sig 0x00050656, pf_mask 0xbf, 2023-07-28, rev 0x4003605, size 38912
+sig 0x00050657, pf_mask 0xbf, 2023-07-28, rev 0x5003605, size 37888
+sig 0x0005065b, pf_mask 0xbf, 2023-08-03, rev 0x7002802, size 30720
+sig 0x00050665, pf_mask 0x10, 2023-08-03, rev 0xe15, size 23552
+sig 0x000506f1, pf_mask 0x01, 2023-10-05, rev 0x003e, size 11264
+sig 0x000606a6, pf_mask 0x87, 2023-09-14, rev 0xd0003d1, size 307200
+sig 0x000606c1, pf_mask 0x10, 2023-12-05, rev 0x1000290, size 299008
+sig 0x000706a1, pf_mask 0x01, 2023-08-25, rev 0x0040, size 76800
+sig 0x000706a8, pf_mask 0x01, 2023-08-25, rev 0x0024, size 76800
+sig 0x000706e5, pf_mask 0x80, 2023-09-14, rev 0x00c4, size 114688
+sig 0x000806c1, pf_mask 0x80, 2023-09-13, rev 0x00b6, size 111616
+sig 0x000806c2, pf_mask 0xc2, 2023-09-13, rev 0x0036, size 98304
+sig 0x000806d1, pf_mask 0xc2, 2023-09-13, rev 0x0050, size 104448
+sig 0x000806ec, pf_mask 0x94, 2023-07-16, rev 0x00fa, size 106496
+sig 0x000806f8, pf_mask 0x87, 2024-01-03, rev 0x2b000590, size 579584
+sig 0x000806f7, pf_mask 0x87, 2024-01-03, rev 0x2b000590
+sig 0x000806f6, pf_mask 0x87, 2024-01-03, rev 0x2b000590
+sig 0x000806f5, pf_mask 0x87, 2024-01-03, rev 0x2b000590
+sig 0x000806f4, pf_mask 0x87, 2024-01-03, rev 0x2b000590
+sig 0x00090661, pf_mask 0x01, 2023-09-26, rev 0x0019, size 20480
+sig 0x00090672, pf_mask 0x07, 2023-09-19, rev 0x0034, size 224256
+sig 0x00090675, pf_mask 0x07, 2023-09-19, rev 0x0034
+sig 0x000b06f2, pf_mask 0x07, 2023-09-19, rev 0x0034
+sig 0x000b06f5, pf_mask 0x07, 2023-09-19, rev 0x0034
+sig 0x000906a3, pf_mask 0x80, 2023-09-19, rev 0x0432, size 08
+sig 0x000906a4, pf_mask 0x80, 2023-09-19, rev 0x0432
+sig 0x000906c0, pf_mask 0x01, 2023-09-26, rev 0x2426, size 20480
+sig 0x000906e9, pf_mask 0x2a, 2023-09-28, rev 0x00f8, size 108544
+sig 0x000906ea, pf_mask 0x22, 2023-07-26, rev 0x00f6, size 105472
+sig 0x000906ec, pf_mask 0x22, 2023-07-26, rev 0x00f6, size 106496
+sig 0x000906ed, pf_mask 0x22, 2023-07-27, rev 0x00fc, size 106496
+sig 0x000a0652, pf_mask 0x20, 2023-07-16, rev 0x00fa, size 97280
+sig 0x000a0653, pf_mask 0x22, 2023-07-16, rev 0x00fa, size 97280
+sig 0x000a0655, pf_mask 0x22, 2023-07-16, rev 0x00fa, size 97280
+sig 0x000a0660, pf_mask 0x80, 2023-07-16, rev 0x00fa, size 97280
+sig 0x000a0661, pf_mask 0x80, 2023-07-16, rev 0x00fa, size 96256
+sig 0x000a0671, pf_mask 0x02, 2023-09-14, rev 0x005e, size 108544
+sig 0x000b0671, pf_mask 0x32, 2023-12-14, rev 0x0122, size 215040
+sig 0x000b06a2, pf_mask 0xe0, 2023-12-07, rev 0x4121, size 220160
+sig 0x000b06a3, pf_mask 0xe0, 2023-12-07, rev 0x4121
+sig 0x000b06e0, pf_mask 0x11, 2023-09-25, rev 0x0015, size 138240
+  * New microcodes:
+sig 0x000a06a4, pf_mask 0xe6, 2024-01-03, rev 0x001c, size 136192
+sig 0x000b06a8, pf_mask 0xe0, 2023-12-07, rev 0x4121, size 220160
+sig 0x000c06f2, pf_mask 0x87, 2023-11-20, rev 0x21000200, size 549888
+sig 0x000c06f1, pf_mask 0x87, 2023-11-20, rev 0x21000200
+
 2023-11-14:
   * New upstream microcode datafile 20231114
 Mitigations for "reptar", INTEL-SA-00950 (CVE-2023-23583)
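
Review bot: the NOTE under the CVE-2023-22655 (TECRA) entry is easy to misread: "Allows SMM firmware to attack SGX/TDX" directly after "effective only when loaded by firmware" can be taken as a description of the update rather than of the flaw. Suggest rewording so it says the flaw lets SMM firmware attack SGX/TDX, and that the mitigation needs a system firmware update because loading this package from the operating system does not apply it.
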
diff --git a/debian/changelog b/debian/changelog
index fa702cb..317fad2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,92 @@
+intel-microcode (3.20240312.1~deb11u1) bullseye; urgency=medium
+
+  * Backport to Debian Bullseye
+  * debian/control: revert non-free-firmware change
+
+ -- Henrique de Moraes Holschuh   Sat, 30 Mar 2024 07:06:46 -0300
+
+intel-microcode (3.20240312.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20240312 (closes: #1066108)
+- Mitigations for INTEL-SA-INTEL-SA-00972 (CVE-2023-39368):
+  Protection mechanism failure of bus lock regulator for some Intel
+  Processors may allow an unauthenticated user to potentially enable
+  denial of service via network access.
+- Mitigations for INTEL-SA-INTEL-SA-00982 (CVE-2023-

Bug#1053292: bookworm-pu: package amd64-microcode/3.20230808.1.1~deb12u1

2023-10-01 Thread Henrique de Moraes Holschuh
Uploaded (source).

Thank you!

On Sun, Oct 1, 2023, at 05:53, Adam D. Barratt wrote:
> Control: tags -1 confirmed

-- 
  Henrique de Moraes Holschuh 



Bug#1053290: bullseye-pu: package amd64-microcode/3.20230808.1.1~deb11u1

2023-10-01 Thread Henrique de Moraes Holschuh
Uploaded (source + amd64 binaries).

Thank you!

-- 
  Henrique de Moraes Holschuh 



Bug#1053292: bookworm-pu: package amd64-microcode/3.20230808.1.1~deb12u1

2023-09-30 Thread Henrique de Moraes Holschuh
diff --git a/debian/NEWS b/debian/NEWS
index 433ac3f..0780d06 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,18 @@
+amd64-microcode (3.20230808.1) unstable; urgency=high
+
+This release requires *either* new-enough system firmware, *or* a
+recent-enough Linux kernel to properly work on AMD Genoa and Bergamo
+processors.
+
+The firmware requirement is AGESA 1.0.0.8 or newer.
+
+The Linux kernel requirement is a group of patches that are already
+present in the Linux stable/LTS trees since versions: v4.19.289,
+v5.4.250, v5.10.187, v5.15.120, v6.1.37, v6.3.11 and v6.4.1.  These
+patches are also present in Linux v6.5-rc1.
+
+ -- Henrique de Moraes Holschuh   Thu, 10 Aug 2023 09:32:37 -0300
+
 amd64-microcode (2.20141028.1) unstable; urgency=medium
 
 This release drops support for automatically applying microcode updates
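
Review bot: the NEWS text says the release needs new firmware or a recent kernel "to properly work" on Genoa and Bergamo, but not what goes wrong otherwise. Suggest one sentence on the failure mode, since that decides whether an admin has to hold the package back until the kernel or firmware is updated.
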
diff --git a/debian/changelog b/debian/changelog
index 3adcf37..fd5fbd3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,37 @@
+amd64-microcode (3.20230808.1.1~deb12u1) bookworm; urgency=medium
+
+  * Rebuild for bookworm (no changes)
+
+ -- Henrique de Moraes Holschuh   Sat, 02 Sep 2023 19:49:26 -0300
+
+amd64-microcode (3.20230808.1.1) unstable; urgency=high
+
+  * Update package data from linux-firmware 20230804-6-gf2eb058a
+* Fixes for CVE-2023-20569 "AMD Inception" on AMD Zen4 processors
+(closes: #1043381)
+  * WARNING: for proper operation on AMD Genoa and Bergamo processors,
+either up-to-date BIOS (with AGESA 1.0.0.8 or newer) or up-to-date
+Linux kernels (minimal versions on each active Linux stable branch:
+v4.19.289 v5.4.250 v5.10.187 v5.15.120 v6.1.37 v6.3.11 v6.4.1)
+are *required*
+  * New Microcode patches:
++  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e
++  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e
++  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212
++  Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116
+  * README: update for new release
+  * debian/NEWS: AMD Genoa/Bergamo kernel version restrictions
+  * debian/changelog: update entry for release 3.20230719.1, noting
+that it included fixes for "AMD Inception" for Zen3 processors.
+We did not know about AMD Inception at the time, but we always
+include all available microcode updates when issuing a new
+package, so we lucked out.
+  * debian/changelog: correct some information in 3.20230808.1
+entry and reupload as 3.20230808.1.1.  There's no Zenbleed
+    for Zen4... oops!
+
+ -- Henrique de Moraes Holschuh   Thu, 10 Aug 2023 10:18:38 -0300
+
 amd64-microcode (3.20230719.1~deb12u1) bookworm-security; urgency=high
 
   * Rebuild for bookworm-security (no changes)
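
Review bot: the last item, "correct some information in 3.20230808.1 entry and reupload as 3.20230808.1.1", leaves the reader to infer the correction from "There's no Zenbleed for Zen4... oops!". No separate 3.20230808.1 stanza is visible in this hunk, so suggest stating exactly what that entry said and what the corrected statement is.
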
@@ -9,6 +43,9 @@ amd64-microcode (3.20230719.1) unstable; urgency=high
   * Update package data from linux-firmware 20230625-39-g59fbffa9:
 * Fixes for CVE-2023-20593 "Zenbleed" on AMD Zen2 processors
   (closes: #1041863)
+* Fixes for CVE-2023-20569 "AMD Inception" on AMD Zen3 processors
+  (this changelog entry time-travelled from the future, we were
+  lucky we always include all microcode updates available)
 * New Microcode patches:
   + Family=0x17 Model=0xa0 Stepping=0x00: Patch=0x08a8
 * Updated Microcode patches:
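
Review bot: the three added lines change the changelog entry of the already released 3.20230719.1. The "time-travelled from the future" remark flags that, but does not say when the lines were added; suggest "(note added in 3.20230808.1.1)" so the history stays auditable.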




Bug#1053290: bullseye-pu: package amd64-microcode/3.20230808.1.1~deb11u1

2023-09-30 Thread Henrique de Moraes Holschuh
diff --git a/debian/NEWS b/debian/NEWS
index 433ac3f..0780d06 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,18 @@
+amd64-microcode (3.20230808.1) unstable; urgency=high
+
+This release requires *either* new-enough system firmware, *or* a
+recent-enough Linux kernel to properly work on AMD Genoa and Bergamo
+processors.
+
+The firmware requirement is AGESA 1.0.0.8 or newer.
+
+The Linux kernel requirement is a group of patches that are already
+present in the Linux stable/LTS trees since versions: v4.19.289,
+v5.4.250, v5.10.187, v5.15.120, v6.1.37, v6.3.11 and v6.4.1.  These
+patches are also present in Linux v6.5-rc1.
+
+ -- Henrique de Moraes Holschuh   Thu, 10 Aug 2023 09:32:37 -0300
+
 amd64-microcode (2.20141028.1) unstable; urgency=medium
 
 This release drops support for automatically applying microcode updates
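
Review bot: the kernel requirement is given only as upstream stable versions (v5.10.187 and so on). For the bullseye upload, suggest adding the Debian kernel package version that contains these patches, since that is what an admin can check on the installed system.
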
diff --git a/debian/changelog b/debian/changelog
index 8288d46..fdf0d2e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,38 @@
+amd64-microcode (3.20230808.1.1~deb11u1) bullseye; urgency=medium
+
+  * Build for bullseye
+  * Revert move to non-free-firmware
+
+ -- Henrique de Moraes Holschuh   Sat, 02 Sep 2023 20:38:42 -0300
+
+amd64-microcode (3.20230808.1.1) unstable; urgency=high
+
+  * Update package data from linux-firmware 20230804-6-gf2eb058a
+* Fixes for CVE-2023-20569 "AMD Inception" on AMD Zen4 processors
+(closes: #1043381)
+  * WARNING: for proper operation on AMD Genoa and Bergamo processors,
+either up-to-date BIOS (with AGESA 1.0.0.8 or newer) or up-to-date
+Linux kernels (minimal versions on each active Linux stable branch:
+v4.19.289 v5.4.250 v5.10.187 v5.15.120 v6.1.37 v6.3.11 v6.4.1)
+are *required*
+  * New Microcode patches:
++  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e
++  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e
++  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212
++  Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116
+  * README: update for new release
+  * debian/NEWS: AMD Genoa/Bergamo kernel version restrictions
+  * debian/changelog: update entry for release 3.20230719.1, noting
+that it included fixes for "AMD Inception" for Zen3 processors.
+We did not know about AMD Inception at the time, but we always
+include all available microcode updates when issuing a new
+package, so we lucked out.
+  * debian/changelog: correct some information in 3.20230808.1
+entry and reupload as 3.20230808.1.1.  There's no Zenbleed
+    for Zen4... oops!
+
+ -- Henrique de Moraes Holschuh   Thu, 10 Aug 2023 10:18:38 -0300
+
 amd64-microcode (3.20230719.1~deb11u1) bullseye-security; urgency=high
 
   * Build for bullseye-security
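
Review bot: the ~deb11u1 stanza is urgency=medium, while the 3.20230808.1.1 entry it carries is urgency=high and fixes CVE-2023-20569, and the previous bullseye-security upload below it is urgency=high as well. If medium is intended for the point release, a word in the stanza would avoid the question.
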
@@ -10,6 +45,9 @@ amd64-microcode (3.20230719.1) unstable; urgency=high
   * Update package data from linux-firmware 20230625-39-g59fbffa9:
 * Fixes for CVE-2023-20593 "Zenbleed" on AMD Zen2 processors
   (closes: #1041863)
+* Fixes for CVE-2023-20569 "AMD Inception" on AMD Zen3 processors
+  (this changelog entry time-travelled from the future, we were
+  lucky we always include all microcode updates available)
 * New Microcode patches:
   + Family=0x17 Model=0xa0 Stepping=0x00: Patch=0x08a8
 * Updated Microcode patches:




Bug#1008031: bullseye-pu: package intel-microcode/3.20210608.2

2022-03-20 Thread Henrique de Moraes Holschuh
egressions introduced by this microcode
+drelease.
+
+ -- Henrique de Moraes Holschuh   Sun, 20 Mar 2022 17:40:05 -0300
+
+intel-microcode (3.20220207.1) unstable; urgency=medium
+
+  * upstream changelog: new upstream datafile 20220207
+* Mitigates (*only* when loaded from UEFI firmware through the FIT)
+  CVE-2021-0146, INTEL-SA-00528: VT-d privilege escalation through
+  debug port, on Pentium, Celeron and Atom processors with signatures
+  0x506c9, 0x506ca, 0x506f1, 0x706a1, 0x706a8
+  https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/57#issuecomment-1036363145
+* Mitigates CVE-2021-0127, INTEL-SA-00532: an unexpected code breakpoint
+  may cause a system hang, on many processors.
+* Mitigates CVE-2021-0145, INTEL-SA-00561: information disclosure due
+  to improper sanitization of shared resources (fast-store forward
+  predictor), on many processors.
+* Mitigates CVE-2021-33120, INTEL-SA-00589: out-of-bounds read on some
+  Atom Processors may allow information disclosure or denial of service
+  via network access.
+* Fixes critical errata (functional issues) on many processors
+* Adds a MSR switch to enable RAPL filtering (default off, once enabled
+  it can only be disabled by poweroff or reboot).  Useful to protect
+  SGX and other threads from side-channel info leak.  Improves the
+  mitigation for CVE-2020-8694, CVE-2020-8695, INTEL-SA-00389 on many
+  processors.
+* Disables TSX in more processor models.
+* Fixes issue with WBINDV on multi-socket (server) systems which could
+  cause resets and unpredictable system behavior.
+* Adds a MSR switch to 10th and 11th-gen (Ice Lake, Tiger Lake, Rocket
+  Lake) processors, to control a fix for (hopefully rare) unpredictable
+  processor behavior when HyperThreading is enabled.  This MSR switch
+  is enabled by default on *server* processors.  On other processors,
+  it needs to be explicitly enabled by an updated UEFI/BIOS (with added
+  configuration logic).  An updated operating system kernel might also
+  be able to enable it.  When enabled, this fix can impact performance.
+* Updated Microcodes:
+  sig 0x000306f2, pf_mask 0x6f, 2021-08-11, rev 0x0049, size 38912
+  sig 0x000306f4, pf_mask 0x80, 2021-05-24, rev 0x001a, size 23552
+  sig 0x000406e3, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 105472
+  sig 0x00050653, pf_mask 0x97, 2021-05-26, rev 0x100015c, size 34816
+  sig 0x00050654, pf_mask 0xb7, 2021-06-16, rev 0x2006c0a, size 43008
+  sig 0x00050656, pf_mask 0xbf, 2021-08-13, rev 0x400320a, size 35840
+  sig 0x00050657, pf_mask 0xbf, 2021-08-13, rev 0x500320a, size 36864
+  sig 0x0005065b, pf_mask 0xbf, 2021-06-04, rev 0x7002402, size 28672
+  sig 0x00050663, pf_mask 0x10, 2021-06-12, rev 0x71c, size 28672
+  sig 0x00050664, pf_mask 0x10, 2021-06-12, rev 0xf1a, size 27648
+  sig 0x00050665, pf_mask 0x10, 2021-09-18, rev 0xe14, size 23552
+  sig 0x000506c9, pf_mask 0x03, 2021-05-10, rev 0x0046, size 17408
+  sig 0x000506ca, pf_mask 0x03, 2021-05-10, rev 0x0024, size 16384
+  sig 0x000506e3, pf_mask 0x36, 2021-04-29, rev 0x00ec, size 108544
+  sig 0x000506f1, pf_mask 0x01, 2021-05-10, rev 0x0036, size 11264
+  sig 0x000606a6, pf_mask 0x87, 2021-12-03, rev 0xd000331, size 291840
+  sig 0x000706a1, pf_mask 0x01, 2021-05-10, rev 0x0038, size 74752
+  sig 0x000706a8, pf_mask 0x01, 2021-05-10, rev 0x001c, size 75776
+  sig 0x000706e5, pf_mask 0x80, 2021-05-26, rev 0x00a8, size 110592
+  sig 0x000806a1, pf_mask 0x10, 2021-09-02, rev 0x002d, size 34816
+  sig 0x000806c1, pf_mask 0x80, 2021-08-06, rev 0x009a, size 109568
+  sig 0x000806c2, pf_mask 0xc2, 2021-07-16, rev 0x0022, size 96256
+  sig 0x000806d1, pf_mask 0xc2, 2021-07-16, rev 0x003c, size 101376
+  sig 0x000806e9, pf_mask 0x10, 2021-04-28, rev 0x00ec, size 104448
+  sig 0x000806e9, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 104448
+  sig 0x000806ea, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 103424
+  sig 0x000806eb, pf_mask 0xd0, 2021-04-28, rev 0x00ec, size 104448
+  sig 0x000806ec, pf_mask 0x94, 2021-04-28, rev 0x00ec, size 104448
+  sig 0x00090661, pf_mask 0x01, 2021-09-21, rev 0x0015, size 20480
+  sig 0x000906c0, pf_mask 0x01, 2021-08-09, rev 0x241f, size 20480
+  sig 0x000906e9, pf_mask 0x2a, 2021-04-29, rev 0x00ec, size 106496
+  sig 0x000906ea, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 102400
+  sig 0x000906eb, pf_mask 0x02, 2021-04-28, rev 0x00ec, size 104448
+  sig 0x000906ec, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424
+  sig 0x000906ed, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424
+  sig 0x000a0652, pf_mask 0x20, 2021-04-28, rev 0x00ec, size 93184
+  sig 0x000a0653, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 94208
+  sig 0x000a0655, pf_mask 0x22, 2021-04-28, rev 0x
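
Review bot: "WBINDV" in the multi-socket entry should read "WBINVD", the instruction name; as written, a search for the instruction will not find this entry.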

Bug#1008030: buster-pu: package intel-microcode/3.20210608.2~deb10u1

2022-03-20 Thread Henrique de Moraes Holschuh
 microcode
+drelease.
+
+ -- Henrique de Moraes Holschuh   Sun, 20 Mar 2022 18:19:10 -0300
+
+intel-microcode (3.20220207.1) unstable; urgency=medium
+
+  * upstream changelog: new upstream datafile 20220207
+* Mitigates (*only* when loaded from UEFI firmware through the FIT)
+  CVE-2021-0146, INTEL-SA-00528: VT-d privilege escalation through
+  debug port, on Pentium, Celeron and Atom processors with signatures
+  0x506c9, 0x506ca, 0x506f1, 0x706a1, 0x706a8
+  https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/57#issuecomment-1036363145
+* Mitigates CVE-2021-0127, INTEL-SA-00532: an unexpected code breakpoint
+  may cause a system hang, on many processors.
+* Mitigates CVE-2021-0145, INTEL-SA-00561: information disclosure due
+  to improper sanitization of shared resources (fast-store forward
+  predictor), on many processors.
+* Mitigates CVE-2021-33120, INTEL-SA-00589: out-of-bounds read on some
+  Atom Processors may allow information disclosure or denial of service
+  via network access.
+* Fixes critical errata (functional issues) on many processors
+* Adds a MSR switch to enable RAPL filtering (default off, once enabled
+  it can only be disabled by poweroff or reboot).  Useful to protect
+  SGX and other threads from side-channel info leak.  Improves the
+  mitigation for CVE-2020-8694, CVE-2020-8695, INTEL-SA-00389 on many
+  processors.
+* Disables TSX in more processor models.
+* Fixes issue with WBINDV on multi-socket (server) systems which could
+  cause resets and unpredictable system behavior.
+* Adds a MSR switch to 10th and 11th-gen (Ice Lake, Tiger Lake, Rocket
+  Lake) processors, to control a fix for (hopefully rare) unpredictable
+  processor behavior when HyperThreading is enabled.  This MSR switch
+  is enabled by default on *server* processors.  On other processors,
+  it needs to be explicitly enabled by an updated UEFI/BIOS (with added
+  configuration logic).  An updated operating system kernel might also
+  be able to enable it.  When enabled, this fix can impact performance.
+* Updated Microcodes:
+  sig 0x000306f2, pf_mask 0x6f, 2021-08-11, rev 0x0049, size 38912
+  sig 0x000306f4, pf_mask 0x80, 2021-05-24, rev 0x001a, size 23552
+  sig 0x000406e3, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 105472
+  sig 0x00050653, pf_mask 0x97, 2021-05-26, rev 0x100015c, size 34816
+  sig 0x00050654, pf_mask 0xb7, 2021-06-16, rev 0x2006c0a, size 43008
+  sig 0x00050656, pf_mask 0xbf, 2021-08-13, rev 0x400320a, size 35840
+  sig 0x00050657, pf_mask 0xbf, 2021-08-13, rev 0x500320a, size 36864
+  sig 0x0005065b, pf_mask 0xbf, 2021-06-04, rev 0x7002402, size 28672
+  sig 0x00050663, pf_mask 0x10, 2021-06-12, rev 0x71c, size 28672
+  sig 0x00050664, pf_mask 0x10, 2021-06-12, rev 0xf1a, size 27648
+  sig 0x00050665, pf_mask 0x10, 2021-09-18, rev 0xe14, size 23552
+  sig 0x000506c9, pf_mask 0x03, 2021-05-10, rev 0x0046, size 17408
+  sig 0x000506ca, pf_mask 0x03, 2021-05-10, rev 0x0024, size 16384
+  sig 0x000506e3, pf_mask 0x36, 2021-04-29, rev 0x00ec, size 108544
+  sig 0x000506f1, pf_mask 0x01, 2021-05-10, rev 0x0036, size 11264
+  sig 0x000606a6, pf_mask 0x87, 2021-12-03, rev 0xd000331, size 291840
+  sig 0x000706a1, pf_mask 0x01, 2021-05-10, rev 0x0038, size 74752
+  sig 0x000706a8, pf_mask 0x01, 2021-05-10, rev 0x001c, size 75776
+  sig 0x000706e5, pf_mask 0x80, 2021-05-26, rev 0x00a8, size 110592
+  sig 0x000806a1, pf_mask 0x10, 2021-09-02, rev 0x002d, size 34816
+  sig 0x000806c1, pf_mask 0x80, 2021-08-06, rev 0x009a, size 109568
+  sig 0x000806c2, pf_mask 0xc2, 2021-07-16, rev 0x0022, size 96256
+  sig 0x000806d1, pf_mask 0xc2, 2021-07-16, rev 0x003c, size 101376
+  sig 0x000806e9, pf_mask 0x10, 2021-04-28, rev 0x00ec, size 104448
+  sig 0x000806e9, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 104448
+  sig 0x000806ea, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 103424
+  sig 0x000806eb, pf_mask 0xd0, 2021-04-28, rev 0x00ec, size 104448
+  sig 0x000806ec, pf_mask 0x94, 2021-04-28, rev 0x00ec, size 104448
+  sig 0x00090661, pf_mask 0x01, 2021-09-21, rev 0x0015, size 20480
+  sig 0x000906c0, pf_mask 0x01, 2021-08-09, rev 0x241f, size 20480
+  sig 0x000906e9, pf_mask 0x2a, 2021-04-29, rev 0x00ec, size 106496
+  sig 0x000906ea, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 102400
+  sig 0x000906eb, pf_mask 0x02, 2021-04-28, rev 0x00ec, size 104448
+  sig 0x000906ec, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424
+  sig 0x000906ed, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424
+  sig 0x000a0652, pf_mask 0x20, 2021-04-28, rev 0x00ec, size 93184
+  sig 0x000a0653, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 94208
+  sig 0x000a0655, pf_mask 0x22, 2021-04-28, rev 0x00ee, size 94208
+  sig 
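Review bot: the multi-socket errata bullet spells the instruction WBINDV; the x86 instruction is WBINVD, and the misspelling defeats a search of the changelog for it. The RAPL-filtering and HyperThreading bullets each describe an MSR switch without naming the MSR, so an administrator cannot tell from this entry what to check or set; naming the register, or pointing at the upstream release note that does, would make the entry actionable.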

Bug#990319: unblock: intel-microcode/3.20210608.2

2021-06-25 Thread Henrique de Moraes Holschuh
rect INTEL-SA-00442 CVE id to CVE-2020-24489 in changelog and
+debian/changelog (3.20210608.1).
+
+ -- Henrique de Moraes Holschuh   Wed, 23 Jun 2021 13:42:19 -0300
+
+intel-microcode (3.20210608.1) unstable; urgency=high
+
+  * New upstream microcode datafile 20210608 (closes: #989615)
+* Implements mitigations for CVE-2020-24511 CVE-2020-24512
+  (INTEL-SA-00464), information leakage through shared resources,
+  and timing discrepancy sidechannels
+* Implements mitigations for CVE-2020-24513 (INTEL-SA-00465),
+  Domain-bypass transient execution vulnerability in some Intel Atom
+  Processors, affects Intel SGX.
+* Implements mitigations for CVE-2020-24489 (INTEL-SA-00442), Intel
+  VT-d privilege escalation
+* Fixes critical errata on several processors
+* New Microcodes:
+  sig 0x00050655, pf_mask 0xb7, 2018-11-16, rev 0x310, size 47104
+  sig 0x000606a5, pf_mask 0x87, 2021-03-08, rev 0xc0002f0, size 283648
+  sig 0x000606a6, pf_mask 0x87, 2021-04-25, rev 0xd0002a0, size 283648
+  sig 0x00080664, pf_mask 0x01, 2021-02-17, rev 0xb0f, size 130048
+  sig 0x00080665, pf_mask 0x01, 2021-02-17, rev 0xb0f, size 130048
+  sig 0x000806c1, pf_mask 0x80, 2021-03-31, rev 0x0088, size 109568
+  sig 0x000806c2, pf_mask 0xc2, 2021-04-07, rev 0x0016, size 94208
+  sig 0x000806d1, pf_mask 0xc2, 2021-04-23, rev 0x002c, size 99328
+  sig 0x00090661, pf_mask 0x01, 2021-02-04, rev 0x0011, size 19456
+  sig 0x000906c0, pf_mask 0x01, 2021-03-23, rev 0x001d, size 19456
+  sig 0x000a0671, pf_mask 0x02, 2021-04-11, rev 0x0040, size 100352
+* Updated Microcodes:
+  sig 0x000306f2, pf_mask 0x6f, 2021-01-27, rev 0x0046, size 34816
+  sig 0x000306f4, pf_mask 0x80, 2021-02-05, rev 0x0019, size 19456
+  sig 0x000406e3, pf_mask 0xc0, 2021-01-25, rev 0x00ea, size 105472
+  sig 0x000406f1, pf_mask 0xef, 2021-02-06, rev 0xb3e, size 31744
+  sig 0x00050653, pf_mask 0x97, 2021-03-08, rev 0x100015b, size 34816
+  sig 0x00050654, pf_mask 0xb7, 2021-03-08, rev 0x2006b06, size 36864
+  sig 0x00050656, pf_mask 0xbf, 2021-03-08, rev 0x4003102, size 30720
+  sig 0x00050657, pf_mask 0xbf, 2021-03-08, rev 0x5003102, size 30720
+  sig 0x0005065b, pf_mask 0xbf, 2021-04-23, rev 0x7002302, size 27648
+  sig 0x00050663, pf_mask 0x10, 2021-02-04, rev 0x71b, size 24576
+  sig 0x00050664, pf_mask 0x10, 2021-02-04, rev 0xf19, size 24576
+  sig 0x00050665, pf_mask 0x10, 2021-02-04, rev 0xe12, size 19456
+  sig 0x000506c9, pf_mask 0x03, 2020-10-23, rev 0x0044, size 17408
+  sig 0x000506ca, pf_mask 0x03, 2020-10-23, rev 0x0020, size 15360
+  sig 0x000506e3, pf_mask 0x36, 2021-01-25, rev 0x00ea, size 105472
+  sig 0x000506f1, pf_mask 0x01, 2020-10-23, rev 0x0034, size 11264
+  sig 0x000706a1, pf_mask 0x01, 2020-10-23, rev 0x0036, size 74752
+  sig 0x000706a8, pf_mask 0x01, 2020-10-23, rev 0x001a, size 75776
+  sig 0x000706e5, pf_mask 0x80, 2020-11-01, rev 0x00a6, size 110592
+  sig 0x000806a1, pf_mask 0x10, 2020-11-06, rev 0x002a, size 32768
+  sig 0x000806e9, pf_mask 0x10, 2021-01-05, rev 0x00ea, size 104448
+  sig 0x000806e9, pf_mask 0xc0, 2021-01-05, rev 0x00ea, size 104448
+  sig 0x000806ea, pf_mask 0xc0, 2021-01-06, rev 0x00ea, size 103424
+  sig 0x000806eb, pf_mask 0xd0, 2021-01-05, rev 0x00ea, size 104448
+  sig 0x000806ec, pf_mask 0x94, 2021-01-05, rev 0x00ea, size 104448
+  sig 0x000906e9, pf_mask 0x2a, 2021-01-05, rev 0x00ea, size 104448
+  sig 0x000906ea, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 102400
+  sig 0x000906eb, pf_mask 0x02, 2021-01-05, rev 0x00ea, size 104448
+  sig 0x000906ec, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 103424
+  sig 0x000906ed, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 103424
+  sig 0x000a0652, pf_mask 0x20, 2021-02-07, rev 0x00ea, size 93184
+  sig 0x000a0653, pf_mask 0x22, 2021-03-08, rev 0x00ea, size 94208
+  sig 0x000a0655, pf_mask 0x22, 2021-03-08, rev 0x00ec, size 94208
+  sig 0x000a0660, pf_mask 0x80, 2020-12-08, rev 0x00e8, size 94208
+  sig 0x000a0661, pf_mask 0x80, 2021-02-07, rev 0x00ea, size 93184
+  * source: update symlinks to reflect id of the latest release, 20210608
+
+ -- Henrique de Moraes Holschuh   Tue, 08 Jun 2021 22:37:57 -0300
+
 intel-microcode (3.20210216.1) unstable; urgency=medium
 
   * New upstream microcode datafile 20210216
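Review bot: under "New Microcodes" in the 3.20210608.1 entry, sig 0x00050655 is dated 2018-11-16 while every other new entry is dated 2021; if that is the date upstream reports, a short remark saying so would stop readers from taking it for a typo. In the first mitigation bullet, "CVE-2020-24511 CVE-2020-24512" has no separator between the two ids, unlike the other CVE lists in this changelog.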
diff --git a/intel-ucode-with-caveats/06-4f-01 b/intel-ucode-with-caveats/06-4f-01
index b38c4a5..1c6e793 100644
Binary files a/intel-ucode-with-caveats/06-4f-01 and b/intel-ucode-with-caveats/06-4f-01 differ
diff --git a/intel-ucode/06-3f-02 b/intel-ucode/06-3f-02
index 8c9f14b..04a67cf 100644
Binary files a/intel-ucode/06-3f-02 and b/intel-ucode/06-3f-02 differ
diff --git a/intel-ucode/06-3f-04 b/intel-ucode/06-3f-04
index 2cdbb7c..fa7f56f 100644
Binary files a/intel-ucode/06-3f-04 and b/intel-ucode/06-3f-04 diff

Bug#985609: buster-pu: package intel-microcode/3.20210216.1~deb10u1

2021-03-20 Thread Henrique de Moraes Holschuh
On Sat, 20 Mar 2021, Adam D. Barratt wrote:
> On Sat, 2021-03-20 at 13:43 -0300, Henrique de Moraes Holschuh wrote:
> > I'd like to update the intel-microcode in buster non-free.
> > 
> > This is a safe update: it only changes a few microcodes from what is
> > already in buster non-free, fixing a security issue.  There are no
> > regressions reported regarding this microcode update [when compared
> > with what is already in non-free buster].
> > 
> 
> Please go ahead, bearing in mind that the window for 10.9 closes during
> this weekend.

Thank you.  I have just uploaded the packages, hopefully they get picked
up by the queue daemon soon.

Given the very tight deadline, and my past experience with non-free and
source-only uploads not working in every situation, I have done a
source+amd64+i386 multi upload.  If it gets rejected, I will try a
source-only upload.

-- 
  Henrique Holschuh



Bug#985609: buster-pu: package intel-microcode/3.20210216.1~deb10u1

2021-03-20 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update the intel-microcode in buster non-free.

This is a safe update: it only changes a few microcodes from what is
already in buster non-free, fixing a security issue.  There are no
regressions reported regarding this microcode update [when compared with
what is already in non-free buster].

Here's the relevant changelog:
intel-microcode (3.20210216.1~deb10u1) buster; urgency=medium

  * RELEASE MANAGER INFORMATION: this update mitigates an extra security
issue on a few processors, as described in 3.20210216.1 changelog.
It has zero reports of regressions when compared with 3.20201118.1~deb10u1
thus it is a safe stable update.
  * Rebuild for buster, keeping all changes to avoid regressions present
in 3.20201118.1~deb10u1.

 -- Henrique de Moraes Holschuh   Sat, 20 Mar 2021 11:57:37 -0300

intel-microcode (3.20210216.1) unstable; urgency=medium

  * New upstream microcode datafile 20210216
* Mitigates an issue on Skylake Server (H0/M0/U0), Xeon-D 21xx,
  and Cascade Lake Server (B0/B1) when using an active JTAG
  agent like In Target Probe (ITP), Direct Connect Interface
  (DCI) or a Baseboard Management Controller (BMC) to take the
  CPU JTAG/TAP out of reset and then returning it to reset.
* This issue is related to the INTEL-SA-00381 mitigation.
* Updated Microcodes:
  sig 0x00050654, pf_mask 0xb7, 2020-12-31, rev 0x2006a0a, size 36864
  sig 0x00050656, pf_mask 0xbf, 2020-12-31, rev 0x4003006, size 53248
  sig 0x00050657, pf_mask 0xbf, 2020-12-31, rev 0x5003006, size 53248
  * source: update symlinks to reflect id of the latest release, 20210216

 -- Henrique de Moraes Holschuh   Wed, 17 Feb 2021 11:26:06 -0300


The git diff is attached.  Here's the diffstat:

 changelog            |   12
 debian/changelog     |   28
 intel-ucode/06-55-04 |binary
 intel-ucode/06-55-06 |binary
 intel-ucode/06-55-07 |binary
 license              |    2 +-
 releasenote.md       |   23 +++
 7 files changed, 64 insertions(+), 1 deletion(-)

Thank you.

-- 
  Henrique Holschuh
diff --git a/changelog b/changelog
index 2444e14..1c60ff2 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,15 @@
+2021-02-16:
+  * Mitigates an issue on Skylake Server (H0/M0/U0), Xeon-D 21xx,
+and Cascade Lake Server (B0/B1) when using an active JTAG
+agent like In Target Probe (ITP), Direct Connect Interface
+(DCI) or a Baseboard Management Controller (BMC) to take the
+CPU JTAG/TAP out of reset and then returning it to reset.
+  * This issue is related to the INTEL-SA-00381 mitigation.
+  * Updated Microcodes:
+sig 0x00050654, pf_mask 0xb7, 2020-12-31, rev 0x2006a0a, size 36864
+sig 0x00050656, pf_mask 0xbf, 2020-12-31, rev 0x4003006, size 53248
+sig 0x00050657, pf_mask 0xbf, 2020-12-31, rev 0x5003006, size 53248
+
 2020-11-18:
   * Removes a faulty microcode update from release 2020-11-10
 which results on boot failures with a MCE (firmware error)
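Review bot: the 2021-02-16 entry says the JTAG/TAP issue "is related to the INTEL-SA-00381 mitigation" without saying how: a regression introduced by that mitigation, or a case the mitigation did not cover. One more sentence stating which it is, and whether systems that never take the CPU JTAG/TAP out of reset are affected at all, would let an administrator judge the urgency from the changelog alone.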
diff --git a/debian/changelog b/debian/changelog
index b746f58..45661aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,31 @@
+intel-microcode (3.20210216.1~deb10u1) buster; urgency=medium
+
+  * RELEASE MANAGER INFORMATION: this update mitigates an extra security
+issue on a few processors, as described in 3.20210216.1 changelog.
+It has zero reports of regressions when compared with 3.20201118.1~deb10u1
+thus it is a safe stable update.
+  * Rebuild for buster, keeping all changes to avoid regressions present
+in 3.20201118.1~deb10u1.
+
+ -- Henrique de Moraes Holschuh   Sat, 20 Mar 2021 11:57:37 
-0300
+
+intel-microcode (3.20210216.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20210216
+* Mitigates an issue on Skylake Server (H0/M0/U0), Xeon-D 21xx,
+  and Cascade Lake Server (B0/B1) when using an active JTAG
+  agent like In Target Probe (ITP), Direct Connect Interface
+  (DCI) or a Baseboard Management Controller (BMC) to take the
+  CPU JTAG/TAP out of reset and then returning it to reset.
+* This issue is related to the INTEL-SA-00381 mitigation.
+* Updated Microcodes:
+  sig 0x00050654, pf_mask 0xb7, 2020-12-31, rev 0x2006a0a, size 36864
+  sig 0x00050656, pf_mask 0xbf, 2020-12-31, rev 0x4003006, size 53248
+  sig 0x00050657, pf_mask 0xbf, 2020-12-31, rev 0x5003006, size 53248
+  * source: update symlinks to reflect id of the latest release, 20210216
+
+ -- Henrique de Moraes Holschuh   Wed, 17 Feb 2021 11:26:06 
-0300
+
 intel-microcode (3.20201118.1~deb10u1) buster; urgency=high
 
   * Rebuild for buster, with changes to avoid regressions
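Review bot: in the 3.20210216.1~deb10u1 stanza, "keeping all changes to avoid regressions present in 3.20201118.1~deb10u1" can be read as saying the regressions are present in 3.20201118.1~deb10u1. Suggest "keeping all the regression-avoidance changes already present in 3.20201118.1~deb10u1" and naming those changes in the same bullet, so the stanza stands on its own. Both trailer lines in this hunk are also wrapped, leaving "-0300" on a line of its own that a patch tool will read as a removed line; the diff is safer sent as an attachment.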
diff --git a/intel-ucode/06-55-04 b/intel-ucode/06-55-04
index 3822870..aa33771 100644
Binary files a/intel-ucode/06-55-04 and b/intel-ucode/06-55-04 differ
diff --git a/intel-ucode/06-55

Re: source-only uploads for future point releases (Re: Bug#980962: buster-pu: package intel-microcode/3.20201118.1~deb10u1)

2021-02-08 Thread Henrique de Moraes Holschuh
On Sat, 30 Jan 2021, Holger Levsen wrote:
> On Fri, Jan 29, 2021 at 04:32:27PM -0300, Henrique de Moraes Holschuh wrote:
> > > Please feel free to upload, bearing in mind that the window for 10.8
> > > closes during this weekend.
> > Uploaded (source, i386, amd64).
>  
> one can do source only uploads to stable(-security) and oldstable() too.

Well, I tried that for *non-free* stretch-security.  It didn't work.

I don't think I forgot anything: "XS-Autobuild: true" has been in
intel-microcode's control file since basically forever, and it does work
properly in non-free unstable.

Can someone please take a look?

Alternatively, I will just upload the binaries to jessie-security.

-- 
  Henrique Holschuh



Re: source-only uploads for future point releases (Re: Bug#980962: buster-pu: package intel-microcode/3.20201118.1~deb10u1)

2021-01-30 Thread Henrique de Moraes Holschuh
On Sat, Jan 30, 2021, at 09:16, Holger Levsen wrote:
> On Fri, Jan 29, 2021 at 04:32:27PM -0300, Henrique de Moraes Holschuh wrote:
> > > Please feel free to upload, bearing in mind that the window for 10.8
> > > closes during this weekend.
> > Uploaded (source, i386, amd64).
>  
> one can do source only uploads to stable(-security) and oldstable() too.
> 
> Can we have source-only uploads for future point releases please?

Sure, I wanted to do just that, but given the time frame for the upload and the 
deadline, I did not want to risk the need for a second upload with binaries.

There is a pain point for *non-free* (which is the case here), in that in the 
past, not all possibilities were covered by autobuilders. And there was (is?) 
no documentation of such border conditions, because they were not on purpose.  
I guess I got the cat-and-water behaviour re. that :-)

I will assume non-free, non-free backports and non-free security are fully 
supported by autobuilders for stretch and beyond now.  But just in case, what 
about Jessie ELTS non-free ?

-- 
  Henrique de Moraes Holschuh 



Bug#980962: buster-pu: package intel-microcode/3.20201118.1~deb10u1

2021-01-29 Thread Henrique de Moraes Holschuh
On Fri, 29 Jan 2021, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> On Fri, 2021-01-29 at 13:27 -0300, Henrique de Moraes Holschuh wrote:
> > On Sun, 24 Jan 2021, Henrique de Moraes Holschuh wrote:
> > > The 3.20201118.1~deb10u1 version of the package (the one I am
> > > proposing for the stable update) contains changes not (yet?) in
> > > unstable to address the Skylake D0/R0 issue: they had their updates
> > > frozen to the same revision currently in Debian stable.
> > 
> > I better explain that in a more direct, clear way:
> 
> Thanks.
> 
> Please feel free to upload, bearing in mind that the window for 10.8
> closes during this weekend.

Uploaded (source, i386, amd64).

Thank you!

-- 
  Henrique Holschuh



Bug#980962: buster-pu: package intel-microcode/3.20201118.1~deb10u1

2021-01-29 Thread Henrique de Moraes Holschuh
On Sun, 24 Jan 2021, Henrique de Moraes Holschuh wrote:
> Regressions were indeed reported (as expected).  A few days ago, Intel
> published relevant information pinpointing the regression on Skylake D0
> and Skylake R0 processors to specific conditions (detailed below for
> completeness).
> 
> The 3.20201118.1~deb10u1 version of the package (the one I am proposing
> for the stable update) contains changes not (yet?) in unstable to
> address the Skylake D0/R0 issue: they had their updates frozen
> to the same revision currently in Debian stable.

I better explain that in a more direct, clear way:

The reason why I want to update the package in stable is: the updated
microcode in this package have security mitigations for a few newer
speculative execution sidechannel attacks, and fix some critical
defects/"errata" on many recent processor models, *other than Skylake
R0/D0*.

The s-p-u version of the intel-microcode package I am proposing has
*less* changes than the packages currently in unstable/testing.

The microcode updates have been tested in unstable since 2020-12-27, and
in testing since 2020-01-02.

Issues with it were reported in Ubuntu and Arch Linux, for specific
system vendors and computer models (not processor models -- i.e. it does
not look like a general issue with the microcode updates) when running
outdated firmware.

A *general* microcode update issue was reported only for Skylake D0/R0.
The offending microcode changes for Skylake D0/R0 are *reverted* in this
s-p-u package.

To do that, the package keeps the microcode for these two processor
models *exactly the same* as they already are in Debian stable.


The package changes when compared to the packages currently in Debian
stable are:

1. microcode binary data (except for Skylake D0 and R0)
2. upstream documentation
3. Debian metadata (changelog, version).


Thanks!

-- 
  Henrique Holschuh
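An added example, not part of this thread or of the intel-microcode package: the changelogs quoted here identify each update by `sig`, `pf_mask` and `rev`, so checking whether a host runs the revision a given package ships (including a held-back one such as Skylake D0/R0) comes down to parsing those lines and matching signature and platform bit. The function names are hypothetical, and the sample lines are copied from several changelog entries on this page into one constructed input.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: changelog lines copied from this thread, with the
# diff "+" prefixes left in place to show the parser tolerates them.
SAMPLE_CHANGELOG = """\
+  * Downgraded microcodes (to upstream release 20200616):
+sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+  * Updated Microcodes:
+sig 0x00050654, pf_mask 0xb7, 2020-12-31, rev 0x2006a0a, size 36864
+sig 0x000806e9, pf_mask 0x10, 2020-05-27, rev 0x00de, size 104448
+sig 0x000806e9, pf_mask 0xc0, 2020-05-27, rev 0x00de, size 104448
"""


class Entry(NamedTuple):
    sig: int
    pf_mask: int
    date: str
    rev: int
    size: int


ENTRY_RE = re.compile(
    r"sig 0x([0-9a-fA-F]+), pf_mask 0x([0-9a-fA-F]+), "
    r"(\d{4}-\d{2}-\d{2}), rev 0x([0-9a-fA-F]+), size (\d+)")


def parse_entries(text: str) -> List[Entry]:
    """Extract every 'sig ..., pf_mask ..., date, rev ..., size N' line."""
    return [Entry(int(s, 16), int(pf, 16), date, int(rev, 16), int(size))
            for s, pf, date, rev, size in ENTRY_RE.findall(text)]


def cpuid_signature(family: int, model: int, stepping: int) -> int:
    """CPUID(1).EAX signature from the family/model/stepping that
    /proc/cpuinfo displays (extended fields folded back in)."""
    if family > 0xF:
        ext_family, base_family = family - 0xF, 0xF
    else:
        ext_family, base_family = 0, family
    return ((ext_family << 20) | ((model >> 4) << 16) | (base_family << 8)
            | ((model & 0xF) << 4) | (stepping & 0xF))


def ucode_filename(sig: int) -> str:
    """File name used under intel-ucode/: family-model-stepping in hex."""
    family = ((sig >> 8) & 0xF) + ((sig >> 20) & 0xFF)
    model = (((sig >> 16) & 0xF) << 4) | ((sig >> 4) & 0xF)
    return "%02x-%02x-%02x" % (family, model, sig & 0xF)


def find_entry(entries: List[Entry], sig: int,
               platform_flag: int) -> Optional[Entry]:
    """Entry for this signature whose pf_mask includes the CPU's platform
    bit. Two entries can share a sig and differ only in pf_mask."""
    for entry in entries:
        if entry.sig == sig and entry.pf_mask & platform_flag:
            return entry
    return None


def assess(running_rev: int, entry: Optional[Entry]) -> str:
    """Compare the running revision with what the package ships."""
    if entry is None:
        return "not-in-package"
    if running_rev == entry.rev:
        return "matches-package"
    if running_rev < entry.rev:
        return "older-than-package"   # update not applied (yet)
    # The Linux loader only applies a revision higher than the running one,
    # so a higher running revision came from somewhere else (e.g. firmware).
    return "newer-than-package"


if __name__ == "__main__":
    # Assumed host values; on Linux they can be read from /proc/cpuinfo and
    # /sys/devices/system/cpu/cpu0/microcode/{version,processor_flags}.
    entries = parse_entries(SAMPLE_CHANGELOG)
    sig = cpuid_signature(6, 0x5E, 3)
    entry = find_entry(entries, sig, 0x02)
    print(hex(sig), ucode_filename(sig), assess(0xD6, entry))
```
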



Bug#980962: buster-pu: package intel-microcode/3.20201118.1~deb10u1

2021-01-24 Thread Henrique de Moraes Holschuh
o
+reintroduce SRBDS mitigations for:
+Skylake-U/Y, Skylake Xeon E3 (CVE-2020-0543, INTEL-SA-00320).
+  * New Microcodes:
+sig 0x0005065b, pf_mask 0xbf, 2020-08-20, rev 0x71e, size 27648
+sig 0x000806a1, pf_mask 0x10, 2020-06-26, rev 0x0028, size 32768
+sig 0x000806c1, pf_mask 0x80, 2020-10-02, rev 0x0068, size 107520
+sig 0x000a0652, pf_mask 0x20, 2020-07-08, rev 0x00e0, size 93184
+sig 0x000a0653, pf_mask 0x22, 2020-07-08, rev 0x00e0, size 94208
+sig 0x000a0655, pf_mask 0x22, 2020-07-08, rev 0x00e0, size 93184
+sig 0x000a0661, pf_mask 0x80, 2020-07-02, rev 0x00e0, size 93184
+  * Updated Microcodes:
+sig 0x000306f2, pf_mask 0x6f, 2020-05-27, rev 0x0044, size 34816
+sig 0x000406e3, pf_mask 0xc0, 2020-07-14, rev 0x00e2, size 105472
+sig 0x00050653, pf_mask 0x97, 2020-06-18, rev 0x1000159, size 33792
+sig 0x00050654, pf_mask 0xb7, 2020-06-16, rev 0x2006a08, size 35840
+sig 0x00050656, pf_mask 0xbf, 2020-06-18, rev 0x4003003, size 52224
+sig 0x00050657, pf_mask 0xbf, 2020-06-18, rev 0x5003003, size 52224
+sig 0x000506c9, pf_mask 0x03, 2020-02-27, rev 0x0040, size 17408
+sig 0x000506ca, pf_mask 0x03, 2020-02-27, rev 0x001e, size 15360
+sig 0x000506e3, pf_mask 0x36, 2020-07-14, rev 0x00e2, size 105472
+sig 0x000706a8, pf_mask 0x01, 2020-06-09, rev 0x0018, size 75776
+sig 0x000706e5, pf_mask 0x80, 2020-07-30, rev 0x00a0, size 109568
+sig 0x000806e9, pf_mask 0x10, 2020-05-27, rev 0x00de, size 104448
+sig 0x000806e9, pf_mask 0xc0, 2020-05-27, rev 0x00de, size 104448
+sig 0x000806ea, pf_mask 0xc0, 2020-06-17, rev 0x00e0, size 104448
+sig 0x000806eb, pf_mask 0xd0, 2020-06-03, rev 0x00de, size 104448
+sig 0x000806ec, pf_mask 0x94, 2020-05-18, rev 0x00de, size 104448
+sig 0x000906e9, pf_mask 0x2a, 2020-05-26, rev 0x00de, size 104448
+sig 0x000906ea, pf_mask 0x22, 2020-05-25, rev 0x00de, size 103424
+sig 0x000906eb, pf_mask 0x02, 2020-05-25, rev 0x00de, size 104448
+sig 0x000906ec, pf_mask 0x22, 2020-06-03, rev 0x00de, size 103424
+sig 0x000906ed, pf_mask 0x22, 2020-05-24, rev 0x00de, size 103424
+sig 0x000a0660, pf_mask 0x80, 2020-07-08, rev 0x00e0, size 94208
+
 2020-06-16:
   * Downgraded microcodes (to a previously shipped revision):
 sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
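Review bot: the "Updated Microcodes" list moves sig 0x000406e3 and sig 0x000506e3 to rev 0x00e2, the same two signatures that the 2020-06-16 entry directly below records as downgraded to rev 0x00d6. The new entry should say whether the problem that caused that downgrade is resolved in 0x00e2 or still applies under some conditions, since a reader who followed the earlier downgrade has no way to tell from this text.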
diff --git a/debian/changelog b/debian/changelog
index 67308d4..b746f58 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,90 @@
+intel-microcode (3.20201118.1~deb10u1) buster; urgency=high
+
+  * Rebuild for buster, with changes to avoid regressions
+  * Stable Release Manager: this intel-microcode update *keeps the same
+revision* of Skylake D0/R0 microcode updates already in Debian 10; they're
+"downgraded" from the point of view of intel-microcode 3.20201118.1.
+For these two processor models, an attempt to update to revisions 0xd8
+and higher can hang the system should the system firmware have a microcode
+revision older than 0x80 -- and revision 0x72/0x74/0x76 apparently are
+common enough in the field to ensure many users are affected.
+Refer to:
+https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+  * Downgraded microcodes (to upstream release 20200616):
+sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+
+ -- Henrique de Moraes Holschuh   Sat, 23 Jan 2021 20:21:54 -0300
+
+intel-microcode (3.20201118.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20201118
+* Removes a faulty microcode update from release 2020-11-10 for Tiger Lake
+  processors.  Note that Debian already had removed this specific falty
+  microcode update on the 3.20201110.1 release
+* Add a microcode update for the Pentium Silver N/J5xxx and Celeron
+  N/J4xxx which didn't make it to release 20201110, fixing security issues
+  (INTEL-SA-00381, INTEL-SA-00389)
+* Updated Microcodes:
+  sig 0x000706a1, pf_mask 0x01, 2020-06-09, rev 0x0034, size 74752
+* Removed Microcodes:
+  sig 0x000806c1, pf_mask 0x80, 2020-10-02, rev 0x0068, size 107520
+
+ -- Henrique de Moraes Holschuh   Sun, 27 Dec 2020 15:59:32 -0300
+
+intel-microcode (3.20201110.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20201110 (closes: #974533)
+* Implements mitigation for CVE-2020-8696 and CVE-2020-8698,
+  aka INTEL-SA-00381: AVX register information leakage;
+  Fast-Forward store predictor information leakage
+* Implements mitigation for CVE-2020-8695, Intel SGX information
+  disclosure via RAPL, aka INTEL-SA-00389
+* Fixes critical errata on several processor models
+* Reintroduces SRBDS mitigations(CVE-2020-0543, INTEL-SA-00320)
+  for Skylake-U/Y, Skylake Xeon E3
+* New Microcodes
+  sig 0x0005065b, pf_mask 0xbf, 2020-08-20, rev 0x71e, size 27648
+
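Review bot: the 3.20201118.1~deb10u1 stanza explains the hang risk well but not the security cost of holding 0x000406e3 and 0x000506e3 at rev 0x00d6. The 3.20201110.1 stanza below reintroduces the SRBDS mitigations (CVE-2020-0543, INTEL-SA-00320) for Skylake-U/Y and Skylake Xeon E3; if those are the same parts, the stable stanza should state outright that buster does not carry that mitigation for them, so the trade-off is visible where release managers and administrators will read it. There is also a "falty" typo in the 3.20201118.1 stanza.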

Bug#964351: stretch-pu: package intel-microcode/3.20200616.1~deb9u1

2020-07-05 Thread Henrique de Moraes Holschuh
On Sun, 05 Jul 2020, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> On Sun, 2020-07-05 at 17:46 -0300, Henrique de Moraes Holschuh wrote:
> > I'd like to update the intel-microcode packages in buster and stretch
> > to 3.202006016.1~deb{9,10}u1.
> > 
> > This is basically the same packages already in buster and stretch via
> > buster/stretch-security, with one extra microcode revert.  It
> > effectively fixes a regression introduced by the security updates for
> > a single processor model (Xeon E3 with signature 0x506e3).
> > 
> 
> Please go ahead.

Uploaded, thanks!

-- 
  Henrique Holschuh



Bug#964350: buster-pu: package intel-microcode/3.20200616.1~deb10u1

2020-07-05 Thread Henrique de Moraes Holschuh
On Sun, 05 Jul 2020, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> On Sun, 2020-07-05 at 17:45 -0300, Henrique de Moraes Holschuh wrote:
> > I'd like to update the intel-microcode packages in buster and stretch
> > to 3.202006016.1~deb{9,10}u1.
> > 
> > This is basically the same packages already in buster and stretch via
> > buster/stretch-security, with one extra microcode revert.  It
> > effectively fixes a regression introduced by the security updates for
> > a single processor model (Xeon E3 with signature 0x506e3).
> 
> Please go ahead.

Uploaded, thanks!

-- 
  Henrique Holschuh



Bug#964351: stretch-pu: package intel-microcode/3.20200616.1~deb9u1

2020-07-05 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update the intel-microcode packages in buster and stretch to
3.202006016.1~deb{9,10}u1.

This is basically the same packages already in buster and stretch via
buster/stretch-security, with one extra microcode revert.  It effectively
fixes a regression introduced by the security updates for a single
processor model (Xeon E3 with signature 0x506e3).

The upload via s-p-u/os-p-u was suggested by the security team: we
agreed the revert of microcode 0x506e3 did not really deserve a DSA and
could be handled through the upcoming point releases (it affects only
*some* motherboards with such processors).

The git diff is attached.  Unfortunately, stable debdiff gets mightily
confused by a directory rename that only has binary files inside, so git
diff does a much better job here.

diffstat:
 changelog  |   8 ++
 debian/changelog   |  19 
 intel-ucode/06-4e-03   | Bin 104448 -> 101376 bytes
 intel-ucode/06-5e-03   | Bin 104448 -> 101376 bytes
 microcode-20200609.d => microcode-20200616.d   |   0
 releasenote|  32 -
 s000406E3_m00C0_r00D6.fw   | Bin 101376 -> 0 bytes
 bin => supplementary-ucode-20200616_BDX-ML.bin |   0
 8 files changed, 32 insertions(+), 27 deletions(-)

-- 
  Henrique Holschuh
diff --git a/changelog b/changelog
index d033202..b0565f2 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,11 @@
+2020-06-16:
+  * Downgraded microcodes (to a previously shipped revision):
+sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+  * Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3,
+
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+  * This update *removes* the SRBDS mitigations from the above processors
+
 2020-06-09:
   * Implements mitigation for CVE-2020-0543 Special Register Buffer Data
 Sampling (SRBDS), aka INTEL-SA-00320
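Review bot: the bullet "This update *removes* the SRBDS mitigations from the above processors" names no CVE or advisory id, while the 2020-06-09 entry below identifies the same mitigation as CVE-2020-0543 / INTEL-SA-00320. Repeating those ids in the removal bullet would make sure anyone searching the changelog for the CVE finds the removal as well as the original fix.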
diff --git a/debian/changelog b/debian/changelog
index 9a576a8..863eecf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+intel-microcode (3.20200616.1~deb9u1) stretch; urgency=high
+
+  * Rebuild for Debian oldstable (stretch), no changes
+
+ -- Henrique de Moraes Holschuh   Sun, 05 Jul 2020 15:26:41 
-0300
+
+intel-microcode (3.20200616.1) unstable; urgency=high
+
+  * New upstream microcode datafile 20200616
++ Downgraded microcodes (to a previously shipped revision):
+  sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+  sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+  * Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3,
+
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+  * This update *removes* the SRBDS mitigations from the above processors
+  * Note that Debian had already downgraded 0x406e3 in release 3.20200609.2
+
+ -- Henrique de Moraes Holschuh   Sun, 28 Jun 2020 18:38:57 
-0300
+
 intel-microcode (3.20200609.2~deb9u1) stretch-security; urgency=high
 
   * Rebuild for stretch-security, no changes
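Review bot: the top stanza, 3.20200616.1~deb9u1, reads "Rebuild for Debian oldstable (stretch), no changes", yet the upload it rebuilds downgrades two microcodes and removes the SRBDS mitigations for them. Someone reading only the newest stanza of a stable update will miss that; a one-line summary there ("downgrades 0x406e3/0x506e3, see 3.20200616.1") would carry the security-relevant fact to the top.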
diff --git a/intel-ucode/06-4e-03 b/intel-ucode/06-4e-03
index 33b963e..1fabcf8 100644
Binary files a/intel-ucode/06-4e-03 and b/intel-ucode/06-4e-03 differ
diff --git a/intel-ucode/06-5e-03 b/intel-ucode/06-5e-03
index 4e947ea..a3119d5 100644
Binary files a/intel-ucode/06-5e-03 and b/intel-ucode/06-5e-03 differ
diff --git a/microcode-20200609.d b/microcode-20200616.d
similarity index 100%
rename from microcode-20200609.d
rename to microcode-20200616.d
diff --git a/releasenote b/releasenote
index 9b60007..f7302d5 100644
--- a/releasenote
+++ b/releasenote
@@ -82,37 +82,15 @@ OS vendors must ensure that the late loader patches 
(provided in
 linux-kernel-patches\) are included in the distribution before packaging the
 BDX-ML microcode for late-loading.
 
-== 20200609 Release ==
--- Updates upon 20200520 release --
+== 20200616 Release ==
+-- Updates upon 20200609 release --
 Processor Identifier Version   Products
 ModelStepping F-MO-S/PI  Old->New
  new platforms 
 
  updated platforms 
-HSW  C0   6-3c-3/32 0027->0028 Core Gen4
-BDW-U/Y  E0/F06-3d-4/c0 002e->002f Core Gen5
-HSW-UC0/D06-45-1/72 0025->0026 Core Gen4
-HSW-HC0   6-46-1/32 001b->001c Core Gen4
-BDW-H/E3 E0/G06-47-1/22 0021->0022 Core Gen5
-SKL-U/Y  D0   6-4e-3/c0 00d6->00dc Core Gen6 Mobile
-SKL-U23e K1   6-4e-3/c0 00d6->00dc Core Gen6 
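Review bot: as far as the visible part of this hunk shows, the "20200609 Release" section of releasenote is overwritten rather than kept alongside the new "20200616 Release" section, so rows such as "SKL-U/Y D0 6-4e-3/c0 00d6->00dc" disappear from the file. That row documents exactly the revision step this release rolls back; keeping the previous section, or noting the rollback next to the new table, would preserve the history a reader needs to understand the downgrade.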

Bug#964350: buster-pu: package intel-microcode/3.20200616.1~deb10u1

2020-07-05 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update the intel-microcode packages in buster and stretch to
3.202006016.1~deb{9,10}u1.

This is basically the same packages already in buster and stretch via
buster/stretch-security, with one extra microcode revert.  It effectively
fixes a regression introduced by the security updates for a single
processor model (Xeon E3 with signature 0x506e3).

The upload via s-p-u/os-p-u was suggested by the security team: we
agreed the revert of microcode 0x506e3 did not really deserve a DSA and
could be handled through the upcoming point releases (it affects only
*some* motherboards with such processors).

The git diff is attached.  Unfortunately, stable debdiff gets mightily
confused by a directory rename that only has binary files inside, so git
diff does a much better job here.

diffstat:
 changelog  |   8 ++
 debian/changelog   |  19 
 intel-ucode/06-4e-03   | Bin 104448 -> 101376 bytes
 intel-ucode/06-5e-03   | Bin 104448 -> 101376 bytes
 microcode-20200609.d => microcode-20200616.d   |   0
 releasenote|  32 -
 s000406E3_m00C0_r00D6.fw   | Bin 101376 -> 0 bytes
 bin => supplementary-ucode-20200616_BDX-ML.bin |   0
 8 files changed, 32 insertions(+), 27 deletions(-)

-- 
  Henrique Holschuh
diff --git a/changelog b/changelog
index d033202..b0565f2 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,11 @@
+2020-06-16:
+  * Downgraded microcodes (to a previously shipped revision):
+sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+  * Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3,
+
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+  * This update *removes* the SRBDS mitigations from the above processors
+
 2020-06-09:
   * Implements mitigation for CVE-2020-0543 Special Register Buffer Data
 Sampling (SRBDS), aka INTEL-SA-00320
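Review bot: "Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3" reads as if every such system hangs, while the covering mail says the problem affects only some motherboards with these processors. Stating that scope in the bullet would help administrators of unaffected systems weigh losing the SRBDS mitigation against a hang they may never see.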
diff --git a/debian/changelog b/debian/changelog
index 89ee06e..67308d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+intel-microcode (3.20200616.1~deb10u1) buster; urgency=high
+
+  * Rebuild for Debian stable (buster), no changes
+
+ -- Henrique de Moraes Holschuh   Sun, 05 Jul 2020 15:18:54 
-0300
+
+intel-microcode (3.20200616.1) unstable; urgency=high
+
+  * New upstream microcode datafile 20200616
++ Downgraded microcodes (to a previously shipped revision):
+  sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+  sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+  * Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3,
+
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+  * This update *removes* the SRBDS mitigations from the above processors
+  * Note that Debian had already downgraded 0x406e3 in release 3.20200609.2
+
+ -- Henrique de Moraes Holschuh   Sun, 28 Jun 2020 18:38:57 
-0300
+
 intel-microcode (3.20200609.2~deb10u1) buster-security; urgency=high
 
   * Rebuild for buster-security, no changes
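Review bot: the last bullet of the 3.20200616.1 stanza notes that Debian had already downgraded 0x406e3 in 3.20200609.2, which means the only effective change for Debian users in this upload is the 0x506e3 downgrade, as the covering mail also says. The "Downgraded microcodes" list presents both signatures as equally new; marking 0x000406e3 as unchanged relative to the previous Debian release would make the real delta of this stable update obvious.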
diff --git a/intel-ucode/06-4e-03 b/intel-ucode/06-4e-03
index 33b963e..1fabcf8 100644
Binary files a/intel-ucode/06-4e-03 and b/intel-ucode/06-4e-03 differ
diff --git a/intel-ucode/06-5e-03 b/intel-ucode/06-5e-03
index 4e947ea..a3119d5 100644
Binary files a/intel-ucode/06-5e-03 and b/intel-ucode/06-5e-03 differ
diff --git a/microcode-20200609.d b/microcode-20200616.d
similarity index 100%
rename from microcode-20200609.d
rename to microcode-20200616.d
diff --git a/releasenote b/releasenote
index 9b60007..f7302d5 100644
--- a/releasenote
+++ b/releasenote
@@ -82,37 +82,15 @@ OS vendors must ensure that the late loader patches 
(provided in
 linux-kernel-patches\) are included in the distribution before packaging the
 BDX-ML microcode for late-loading.
 
-== 20200609 Release ==
--- Updates upon 20200520 release --
+== 20200616 Release ==
+-- Updates upon 20200609 release --
 Processor Identifier Version   Products
 ModelStepping F-MO-S/PI  Old->New
  new platforms 
 
  updated platforms 
-HSW  C0   6-3c-3/32 0027->0028 Core Gen4
-BDW-U/Y  E0/F06-3d-4/c0 002e->002f Core Gen5
-HSW-UC0/D06-45-1/72 0025->0026 Core Gen4
-HSW-HC0   6-46-1/32 001b->001c Core Gen4
-BDW-H/E3 E0/G06-47-1/22 0021->0022 Core Gen5
-SKL-U/Y  D0   6-4e-3/c0 00d6->00dc Core Gen6 Mobile
-SKL-U23e K1   6-4e-3/c0 00d6->00dc Core Gen6 
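Review bot: The 20200609 section header is rewritten in place to 20200616 and its rows are deleted, including the two 6-4e-3/c0 rows that recorded 00d6->00dc, so the release note no longer shows which platforms 20200609 updated. Since the changelog hunks say this release goes back to rev 0x00d6, suggest an explicit 00dc->00d6 row under "updated platforms" (if the part of the hunk cut off here does not already add one) so the downgrade is visible in the table as well as in the changelog.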

Bug#954023: stretch-pu: package amd64-microcode/3.20181128.1~deb9u1

2020-03-23 Thread Henrique de Moraes Holschuh
On Sat, 21 Mar 2020, Adam D. Barratt wrote:
> On Sun, 2020-03-15 at 21:37 +0100, Anton Gladky wrote:
> > I have prepared an update for amd64-microcode for Debian Stretch,
> > which fixes CVE-2017-5715. Please see an attached debdiff.
> > 
> > This is the newer upstream version, which fixes CVE-2017-5715.
> > Security team marked this CVE for Stretch as  [1].
> 
> Do you have any input / thoughts on this proposed update?

The microcode might be safe enough, we don't have regressions reported
against the latest one (which is just a revert by AMD of an update that
did cause regressions when not applied through UEFI).

But that's with recent kernels.

I have no idea about the kernel codepaths it might activate, though, if
new MSRs are exposed.

-- 
  Henrique Holschuh



Bug#930794: unblock: intel-microcode/3.20190618.1

2019-06-21 Thread Henrique de Moraes Holschuh
On Fri, 21 Jun 2019, Paul Gevers wrote:
> On 20-06-2019 20:05, Henrique de Moraes Holschuh wrote:
> > unblock intel-microcode/3.20190618.1
> 
> Unblocked, thanks.

Thanks!

> Just one question, the reason why all the binary blobs are different in
> the package is that because the builds by Intel aren't reproducible?
> I.e. they are rebuilt every time?

git tells me they're the same on the source tree, and diff -ru after a
dpkg-deb -x also told me they're the same on the binary debs...

debdiff told me they differ on the source package, but I haven't managed
to find out why.  I decided to trust dpkg-deb + diff on the generated
binaries...

For the record, this was the first time something like this happened,
but this was also the first time I tried debdiff from devscripts
2.19.5~bpo9+1.  And it also told me the data on the older packages also
differed -- but they went through older versions of debdiff just fine!
-- so I went with "this release of debdiff seems broken".

Might have something to do with the use of a symlink.

-- 
  Henrique Holschuh
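
The question in the message above is whether the microcode blobs really changed between packages. As an added example (not part of the thread and not the package's own tooling), this Python code reads the 48-byte header each Intel microcode update carries and renders it in the `sig ..., pf_mask ..., date, rev ..., size ...` form used by the changelogs on this page, so two files can be compared by content rather than by how they were packaged. Function names are hypothetical; the sample blob is constructed from one changelog line with a dummy payload.

```python
import struct

# Fixed 48-byte header at the start of every Intel microcode update:
# header version, revision, date, signature, checksum, loader revision,
# processor flags (pf_mask), data size, total size, then 12 reserved bytes.
HEADER = struct.Struct("<9I12x")


def parse_update(blob):
    """Decode one update's header and check its integrity checksum."""
    if len(blob) < HEADER.size:
        raise ValueError("shorter than the 48-byte header")
    (hdr_ver, rev, date, sig, _cksum, _ldr,
     pf_mask, data_size, total_size) = HEADER.unpack_from(blob)
    if hdr_ver != 1:
        raise ValueError("unexpected header version %#x" % hdr_ver)
    if data_size == 0:  # legacy layout: zero means 2000 data bytes, 2048 total
        data_size, total_size = 2000, 2048
    if (total_size % 4 or total_size < HEADER.size + data_size
            or total_size > len(blob)):
        raise ValueError("inconsistent size fields")
    words = struct.unpack_from("<%dI" % (total_size // 4), blob)
    return {
        "sig": sig, "pf_mask": pf_mask, "rev": rev, "size": total_size,
        # The date is packed BCD whose hex digits read mmddyyyy.
        "date": "%04x-%02x-%02x" % (date & 0xFFFF, date >> 24, (date >> 16) & 0xFF),
        # All 32-bit words of a well-formed update sum to zero mod 2**32.
        # This detects corruption only; authenticity is checked by the CPU at load.
        "checksum_ok": sum(words) & 0xFFFFFFFF == 0,
    }


def describe(blob):
    """Render the header in the style of the changelog lines on this page."""
    u = parse_update(blob)
    return "sig 0x%08x, pf_mask 0x%02x, %s, rev 0x%04x, size %d" % (
        u["sig"], u["pf_mask"], u["date"], u["rev"], u["size"])


def ucode_filename(sig):
    """Map a CPUID signature to the family-model-stepping name under intel-ucode/."""
    stepping = sig & 0xF
    model = (sig >> 4) & 0xF
    family = (sig >> 8) & 0xF
    if family in (0x6, 0xF):          # extended model applies to these families
        model |= ((sig >> 16) & 0xF) << 4
    if family == 0xF:                 # extended family applies only to family 0xF
        family += (sig >> 20) & 0xFF
    return "%02x-%02x-%02x" % (family, model, stepping)


def same_update(a, b):
    """True when both blobs hold the byte-identical update, whatever follows it."""
    ua, ub = parse_update(a), parse_update(b)
    return ua == ub and a[:ua["size"]] == b[:ub["size"]]


def build_sample(rev, date_bcd, sig, pf_mask, total_size):
    """Constructed blob: header fields as given, zero payload (not real microcode)."""
    data_size = total_size - HEADER.size
    body = bytes(data_size)
    fields = [1, rev, date_bcd, sig, 0, 1, pf_mask, data_size, total_size]
    draft = HEADER.pack(*fields) + body
    partial = sum(struct.unpack("<%dI" % (total_size // 4), draft)) & 0xFFFFFFFF
    fields[4] = (-partial) & 0xFFFFFFFF   # make the word sum come out to zero
    return HEADER.pack(*fields) + body


# Constructed sample using the header values of one changelog line on this page.
SAMPLE = build_sample(0xD6, 0x10032019, 0x000406E3, 0xC0, 101376)

if __name__ == "__main__":
    print(describe(SAMPLE), "->", "intel-ucode/" + ucode_filename(0x000406E3))
    print("checksum ok:", parse_update(SAMPLE)["checksum_ok"])
```

Run over the files extracted from two packages, equal `describe()` lines and a true `same_update()` mean the blobs are the same update even if a diff tool reports the containing files as different.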



Bug#930794: unblock: intel-microcode/3.20190618.1

2019-06-20 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package intel-microcode

This is an update that adds the MDS mitigations for Sandybridge server
and HEDT (Core-X).  Other than those two updated microcode files, there
are just changes to text files.

It has been the subject of a security update (DSA 4447-2, and soon DLA
1789-2), please refer to

https://security-tracker.debian.org/tracker/CVE-2019-11091

for details.

diff attached (with the microcode blob changes removed for clarity).

diffstat (git, ignores rename of symlink):
 changelog|7 +++
 debian/changelog |  106 +--
 intel-ucode/06-2d-06 |binary
 intel-ucode/06-2d-07 |binary
 releasenote  |   46 ++
 5 files changed, 74 insertions(+), 85 deletions(-)


unblock intel-microcode/3.20190618.1

Thank you

-- 
  Henrique Holschuh
diff --git a/changelog b/changelog
index b6f59a6..f3579cf 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,10 @@
+2019-06-18:
+  * Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223
+CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+  * Updated Microcodes:
+sig 0x000206d6, pf_mask 0x6d, 2019-05-21, rev 0x061f, size 18432
+sig 0x000206d7, pf_mask 0x6d, 2019-05-21, rev 0x0718, size 19456
+
 2019-05-14:
   * Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223
 CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
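Review bot: The 2019-06-18 entry repeats the MDS line from 2019-05-14 word for word and does not say which processors gain the mitigation now. The debian/changelog hunk scopes it to "Sandybridge server and Core-X processors"; suggest adding the same scoping here so the two entries can be told apart without decoding sig 0x000206d6 and 0x000206d7.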
diff --git a/debian/changelog b/debian/changelog
index f7c67ce..ac6bfe1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,50 +1,68 @@
+intel-microcode (3.20190618.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20190618
++ SECURITY UPDATE
+  Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223
+  CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+  for Sandybridge server and Core-X processors
++ Updated Microcodes:
+  sig 0x000206d6, pf_mask 0x6d, 2019-05-21, rev 0x061f, size 18432
+  sig 0x000206d7, pf_mask 0x6d, 2019-05-21, rev 0x0718, size 19456
+  * Add some missing (minor) changelog entries to 3.20190514.1
+  * Reformat 3.20190514.1 changelog entry to match rest of changelog
+
+ -- Henrique de Moraes Holschuh   Wed, 19 Jun 2019 09:05:54 
-0300
+
 intel-microcode (3.20190514.1) unstable; urgency=high
 
   * New upstream microcode datafile 20190514
-  * SECURITY UPDATE
-Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223
-CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
-  * New Microcodes:
-sig 0x00030678, pf_mask 0x02, 2019-04-22, rev 0x0838, size 52224
-sig 0x00030678, pf_mask 0x0c, 2019-04-22, rev 0x0838, size 52224
-sig 0x00030679, pf_mask 0x0f, 2019-04-23, rev 0x090c, size 52224
-sig 0x000406c3, pf_mask 0x01, 2019-04-23, rev 0x0368, size 69632
-sig 0x000406c4, pf_mask 0x01, 2019-04-23, rev 0x0411, size 68608
-sig 0x00050657, pf_mask 0xbf, 2019-02-27, rev 0x521, size 47104
-  * Updated Microcodes:
-sig 0x000206a7, pf_mask 0x12, 2019-02-17, rev 0x002f, size 12288
-sig 0x000306a9, pf_mask 0x12, 2019-02-13, rev 0x0021, size 14336
-sig 0x000306c3, pf_mask 0x32, 2019-02-26, rev 0x0027, size 23552
-sig 0x000306d4, pf_mask 0xc0, 2019-03-07, rev 0x002d, size 19456
-sig 0x000306e4, pf_mask 0xed, 2019-03-14, rev 0x042e, size 16384
-sig 0x000306e7, pf_mask 0xed, 2019-03-14, rev 0x0715, size 17408
-sig 0x000306f2, pf_mask 0x6f, 2019-03-01, rev 0x0043, size 34816
-sig 0x000306f4, pf_mask 0x80, 2019-03-01, rev 0x0014, size 18432
-sig 0x00040651, pf_mask 0x72, 2019-02-26, rev 0x0025, size 21504
-sig 0x00040661, pf_mask 0x32, 2019-02-26, rev 0x001b, size 25600
-sig 0x00040671, pf_mask 0x22, 2019-03-07, rev 0x0020, size 14336
-sig 0x000406e3, pf_mask 0xc0, 2019-04-01, rev 0x00cc, size 100352
-sig 0x000406f1, pf_mask 0xef, 2019-03-02, rev 0xb36, size 30720
-sig 0x00050654, pf_mask 0xb7, 2019-04-02, rev 0x25e, size 32768
-sig 0x00050662, pf_mask 0x10, 2019-03-23, rev 0x001a, size 32768
-sig 0x00050663, pf_mask 0x10, 2019-03-23, rev 0x717, size 24576
-sig 0x00050664, pf_mask 0x10, 2019-03-23, rev 0xf15, size 23552
-sig 0x00050665, pf_mask 0x10, 2019-03-23, rev 0xe0d, size 19456
-sig 0x000506c9, pf_mask 0x03, 2019-01-15, rev 0x0038, size 17408
-sig 0x000506ca, pf_mask 0x03, 2019-03-01, rev 0x0016, size 15360
-sig 0x000506e3, pf_mask 0x36, 2019-04-01, rev 0x00cc, size 100352
-sig 0x000506f1, pf_mask 0x01, 2019-03-21, rev 0x002e, size 11264
-sig 0x000706a1, pf_mask 0x01, 2019-01-02, rev 0x002e, size 73728
-sig 0x000806e9, pf_mask 0x10, 2019-04-01, rev 0x00b4, size 98304
-sig 0x000806e9, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328
-sig 0x000806ea, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328
-sig 0x000806eb
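Review bot: The new 3.20190618.1 entry is marked urgency=medium although it is labelled SECURITY UPDATE and carries the same MDS CVEs as 3.20190514.1, which was urgency=high. If medium is deliberate because only Sandybridge server and Core-X are affected, say so in the entry; otherwise match the earlier urgency. The hunk also rewrites the already released 3.20190514.1 entry; keeping that reformat in a separate commit would make the security-relevant addition easier to review.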

Bug#929030: unblock: intel-microcode/3.20190514.1

2019-05-15 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package intel-microcode

This is a security update, as per DSA-4447.  It will be needed in
buster.

Thank you!

unblock intel-microcode/3.20190514.1

-- 
  Henrique Holschuh



Bug#920632: stretch-pu: package intel-microcode/3.20180807a.2~deb9u1

2019-02-06 Thread Henrique de Moraes Holschuh
On Mon, 04 Feb 2019, Adam D. Barratt wrote:
> On Sun, 2019-01-27 at 16:09 -0200, Henrique de Moraes Holschuh wrote:
> > Please update the intel-microcode package in stable (stretch) to
> > version 3.20180807a.2~deb9u1.  This is a limited security update that
> > affects Intel Westmere EP processors, only.
> 
> Please go ahead.

Uploaded.

Thank you!

-- 
  Henrique Holschuh



Bug#920632: stretch-pu: package intel-microcode/3.20180807a.2~deb9u1

2019-01-27 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Please update the intel-microcode package in stable (stretch) to version
3.20180807a.2~deb9u1.  This is a limited security update that affects
Intel Westmere EP processors, only.

It has been tested for several months in unstable, testing, and
backports.  Also, other distros have been shipping it for months and I
could not find any issue reported.

The source debdiff is attached, and the binary debdiff is also attached.
The changes are very minimal, they just enable shipping the microcode
update for Westmere EP.

Reasoning for this update is included in the Debian changelog,
reproduced below:

* Release managers:
  This update is being distributed by Debian in unstable, testing and
  jessie- and stretch-backports since 2018-10-30 without issues, and by
  most distros since 2018-08/2018-09, with no known reports of
  regressions on Westmere EP processors (Spectre mitigations are very
  expensive on Nehalem and Westmere, though).
* SECURITY FIX: this update adds the accumulated fixes for Westmere EP
  (signature 0x206c2) from nearly a decade, including but likely not
  limited to:
  + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation)
    Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646
  + Implements SSBD support (Spectre v4 mitigation),
    Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix)
    Intel SA-00115, CVE-2018-3639, CVE-2018-3640
  + Implements IBRS/IBPB/STIPB support, Spectre v2 mitigation.
    Intel SA-0088, CVE-2017-5753, CVE-2017-5754
  + Very likely implements LAPIC sinkhole fix
  + Fixes AAK167/BT248: Virtual APIC accesses with 32-bit PAE paging
    may cause system crash
* This Westmere EP microcode update has been explicitly approved by
  Intel for general distribution by operating systems, refer to the
  changelog entry for 3.20180807a.2 below

Thank you!

-- 
  Henrique Holschuh
diff -Nru intel-microcode-3.20180807a.1~deb9u1/debian/changelog 
intel-microcode-3.20180807a.2~deb9u1/debian/changelog
--- intel-microcode-3.20180807a.1~deb9u1/debian/changelog   2018-09-15 
00:53:22.0 -0300
+++ intel-microcode-3.20180807a.2~deb9u1/debian/changelog   2019-01-27 
13:07:47.0 -0200
@@ -1,3 +1,40 @@
+intel-microcode (3.20180807a.2~deb9u1) unstable; urgency=medium
+
+  * Release managers:
+This update is being distributed by Debian in unstable, testing and
+jessie- and stretch-backports since 2018-10-30 without issues, and by
+most distros since 2018-08/2018-09, with no known reports of
+regressions on Westmere EP processors (Spectre mitigations are very
+expensive on Nehalem and Westmere, though).
+  * SECURITY FIX: this update adds the accumulated fixes for Westmere EP
+(signature 0x206c2) from nearly a decade, including but likely not
+limited to:
++ Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation)
+  Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646
++ Implements SSBD support (Spectre v4 mitigation),
+  Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix)
+  Intel SA-00115, CVE-2018-3639, CVE-2018-3640
++ Implements IBRS/IBPB/STIPB support, Spectre v2 mitigation.
+  Intel SA-0088, CVE-2017-5753, CVE-2017-5754
++ Very likely implements LAPIC sinkhole fix
++ Fixes AAK167/BT248: Virtual APIC accesses with 32-bit PAE paging
+  may cause system crash
+  * This Westmere EP microcode update has been explicitly approved by
+Intel for general distribution by operating systems, refer to the
+changelog entry for 3.20180807a.2 below
+
+ -- Henrique de Moraes Holschuh   Sun, 27 Jan 2019 13:07:47 
-0200
+
+intel-microcode (3.20180807a.2) unstable; urgency=medium
+
+  * Makefile: unblacklist 0x206c2 (Westmere EP)
+According to pragyansri.pa...@intel.com, on message to LP#1795594
+on 2018-10-09, we can ship 0x206c2 updates without restrictions.
+Also, there are no reports in the field about this update causing
+issues (closes: #907402) (LP: #1795594)
+
+ -- Henrique de Moraes Holschuh   Tue, 23 Oct 2018 19:52:40 
-0300
+
 intel-microcode (3.20180807a.1~deb9u1) stretch-security; urgency=high
 
   * Upload to Debian stretch (no changes)
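Review bot: The top entry is versioned 3.20180807a.2~deb9u1 but its distribution field reads "unstable"; for a stretch point-release upload it should name stretch, as the 3.20180807a.1~deb9u1 entry below names stretch-security. Separately, the IBRS/IBPB bullet gives CVE-2017-5753 and CVE-2017-5754 for the Spectre v2 mitigation, while the other requests on this page give Spectre v2 as CVE-2017-5715, and "STIPB" should presumably read STIBP; worth correcting before the text lands in the stable changelog.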
diff -Nru intel-microcode-3.20180807a.1~deb9u1/Makefile 
intel-microcode-3.20180807a.2~deb9u1/Makefile
--- intel-microcode-3.20180807a.1~deb9u1/Makefile   2018-08-24 
08:10:09.0 -0300
+++ intel-microcode-3.20180807a.2~deb9u1/Makefile   2019-01-27 
10:04:48.0 -0200
@@ -31,27 +31,6 @@
 # 0x106c0: alpha hardware, seen in a very very old microcode data file
 IUC_EXCLUDE += -s !0x106c0
 
-# 0x206c2: Intel Westmere B1 (Xeon 3600, 5600, Core i7 2nd gen).
-#
-# When Intel released a fix for Intel SA-00030, they issued a MCU that
-# bumps the minimum acceptable version of the Intel TXT ACMs in the
-# TPM persistent storage.  This permanently black
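Review bot: Removing the 0x206c2 exclusion also removes the only comment that explains why it existed, namely that the SA-00030 fix bumps the minimum accepted Intel TXT ACM version in TPM persistent storage. The changelog records Intel's approval to ship, but not whether that side effect still applies; suggest keeping a short note (here or in the package documentation) so admins using Intel TXT on Westmere know what to check before deploying.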

Bug#899006: stretch-pu: package intel-microcode/3.20180425.1~deb9u1

2018-06-10 Thread Henrique de Moraes Holschuh
On Sat, 09 Jun 2018, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2018-05-18 at 10:32 -0300, Henrique de Moraes Holschuh wrote:
> > I'd like to update the intel-microcode package in Debian stretch.
> > 
> > This update adds the microcode-side fix for CVE-2017-5715 aka Spectre
> > v2.
> > 
> 
> Please go ahead.

Uploaded.  Thank you!

-- 
  Henrique Holschuh



Bug#899030: jessie-pu: package intel-microcode/3.20180425.1~deb8u1

2018-06-08 Thread Henrique de Moraes Holschuh
On Fri, 08 Jun 2018, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2018-05-18 at 12:24 -0300, Henrique de Moraes Holschuh wrote:
> ...
> > I'd like to update the intel-microcode package in Debian jessie.
> > 
> > This update adds the microcode-side fix for CVE-2017-5715 aka Spectre
> > v2.
> > 
> > It has been very extensively tested, as noted in the changelog:
> > 
> 
> Please go ahead.

Uploaded, thank you!

Now waiting for a go-ahead for the stretch-pu version (#899006).  It is
the very same package, the only differences between the two are in
debian/changelog.

-- 
  Henrique Holschuh



Bug#899030: jessie-pu: package intel-microcode/3.20180425.1~deb8u1

2018-05-18 Thread Henrique de Moraes Holschuh
deb8u1/debian/changelog	2017-07-08 20:25:31.0 -0300
+++ intel-microcode-3.20180425.1~deb8u1/debian/changelog	2018-05-18 09:38:22.0 -0300
@@ -1,3 +1,163 @@
+intel-microcode (3.20180425.1~deb8u1) jessie; urgency=medium
+
+  * Upload to Debian jessie (no changes)
+  * RELEASE MANAGER INFORMATION: This update deploys the microcode side fix
+for CVE-2017-5715 (Spectre v2).  On the more recent processors, it also
+fixes other unspecified errata.  This microcode update pack has been
+extensively tested in Debian unstable, testing, strech-backports and
+jessie-backports.  It has been extensively deployed by other distributions
+to their stable branches without causing any issues, with one notable
+exception (a distro-specific kernel bug, already fixed by that distro).
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Fri, 18 May 2018 09:38:22 -0300
+
+intel-microcode (3.20180425.1) unstable; urgency=medium
+
+  * New upstream microcode data file 20180425 (closes: #897443, #895878)
++ Updated Microcodes:
+  sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb2c, size 27648
+  sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
++ Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
++ Note that sig 0x000604f1 has been blacklisted from late-loading
+  since Debian release 3.20171117.1.
+  * source: remove undesired list files from microcode directories
+  * source: switch to microcode-.d/ since Intel dropped .dat
+    support.
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Wed, 02 May 2018 16:48:44 -0300
+
+intel-microcode (3.20180312.1) unstable; urgency=medium
+
+  * New upstream microcode data file 20180312 (closes: #886367)
++ New Microcodes:
+  sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
+  sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe09, size 18432
++ Updated Microcodes:
+  sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
+  sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
+  sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
+  sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
+  sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
+  sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
+  sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
+  sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
+  sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
+  sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
+  sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
+  sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
+  sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
+  sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+  sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x243, size 28672
+  sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
+  sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x712, size 22528
+  sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf11, size 22528
+  sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
+  sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
+  sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
+  sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
+  sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
+  sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
++ Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation for:
+  Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
+  Coffee Lake
++ Missing production updates:
+  + Broadwell-E/EX Xeons (sig 0x406f1)
+  + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
+Gemini Lake, Denverton
+  * Update past changelog entries with new information:
+Intel already had all necessary semanthics in LFENCE, so the
+Spectre-related Intel microcode changes did not need to enhance LFENCE.
+  * debian/control: update Vcs-* fields for the move to salsa.debian.org
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Wed, 14 Mar 2018 09:21:24 -0300
+
+intel-microcode (3.20180108.1+really20171117.1) unstable; urgency=critical
+
+  * Revert to release 20171117, as per Intel instructions issued to
+the public in 2018-01-22 (closes: #886998)
+  * This effectively removes IBRS/IBPB/STIPB microcode support for
+    Spectre variant 2 mitigation.
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Mon, 22 Jan 2018 23:01:59 -0200
+
+intel-microcode (3.20180108.1) unstable; urgency=high
+
+  * New upstream microcode data file 20180108 (closes: #886367)
++ Updated Microcodes:
+  sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023,

Bug#899006: stretch-pu: package intel-microcode/3.20180425.1~deb9u1

2018-05-18 Thread Henrique de Moraes Holschuh
@@
+intel-microcode (3.20180425.1~deb9u1) stretch; urgency=medium
+
+  * Upload to Debian stretch (no changes)
+  * RELEASE MANAGER INFORMATION: This update deploys the microcode side fix
+for CVE-2017-5715 (Spectre v2).  On the more recent processors, it also
+fixes other unspecified errata.  This microcode update pack has been
+extensively tested in Debian unstable, testing, strech-backports and
+jessie-backports.  It has been extensively deployed by other distributions
+to their stable branches without causing any issues, with one notable
+exception (a distro-specific kernel bug, already fixed by that distro).
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Fri, 18 May 2018 09:15:59 -0300
+
+intel-microcode (3.20180425.1) unstable; urgency=medium
+
+  * New upstream microcode data file 20180425 (closes: #897443, #895878)
++ Updated Microcodes:
+  sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb2c, size 27648
+  sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
++ Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
++ Note that sig 0x000604f1 has been blacklisted from late-loading
+  since Debian release 3.20171117.1.
+  * source: remove undesired list files from microcode directories
+  * source: switch to microcode-.d/ since Intel dropped .dat
+    support.
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Wed, 02 May 2018 16:48:44 -0300
+
+intel-microcode (3.20180312.1) unstable; urgency=medium
+
+  * New upstream microcode data file 20180312 (closes: #886367)
++ New Microcodes:
+  sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
+  sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe09, size 18432
++ Updated Microcodes:
+  sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
+  sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
+  sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
+  sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
+  sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
+  sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
+  sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
+  sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
+  sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
+  sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
+  sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
+  sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
+  sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
+  sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+  sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x243, size 28672
+  sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
+  sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x712, size 22528
+  sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf11, size 22528
+  sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
+  sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
+  sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
+  sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
+  sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
+  sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
++ Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation for:
+  Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
+  Coffee Lake
++ Missing production updates:
+  + Broadwell-E/EX Xeons (sig 0x406f1)
+  + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
+Gemini Lake, Denverton
+  * Update past changelog entries with new information:
+Intel already had all necessary semanthics in LFENCE, so the
+Spectre-related Intel microcode changes did not need to enhance LFENCE.
+  * debian/control: update Vcs-* fields for the move to salsa.debian.org
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Wed, 14 Mar 2018 09:21:24 -0300
+
+intel-microcode (3.20180108.1+really20171117.1) unstable; urgency=critical
+
+  * Revert to release 20171117, as per Intel instructions issued to
+the public in 2018-01-22 (closes: #886998)
+  * This effectively removes IBRS/IBPB/STIPB microcode support for
+    Spectre variant 2 mitigation.
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Mon, 22 Jan 2018 23:01:59 -0200
+
+intel-microcode (3.20180108.1) unstable; urgency=high
+
+  * New upstream microcode data file 20180108 (closes: #886367)
++ Updated Microcodes:
+  sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
+  sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
+  sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
+  
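Review bot: Two spelling slips in text that ends up in the stable changelog: "strech-backports" in the RELEASE MANAGER INFORMATION bullet should be stretch-backports, and "semanthics" in the 3.20180312.1 entry should be semantics. The same bullet mentions "one notable exception (a distro-specific kernel bug, already fixed by that distro)" without a reference; a bug link would let release managers judge whether Debian kernels share the problem.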

Re: Updating x86 microcode in stable

2018-05-16 Thread Henrique de Moraes Holschuh
On Tue, 15 May 2018, Ben Hutchings wrote:
> I notice that amd64-microcode and intel-microcode haven't been updated
> in stable this year.  (Indeed, amd64-microcode hasn't been updated at
> all this year, but I know AMD has issued an update!)

AMD did not issue any public updates AFAIK(!), the one we have [which is
not in stable] is only for EPYC processors, and came from SuSE...

So far we do not have a *single* report from someone with an EPYC box
whether it works or not, as far as I know.  I am not comfortable with
proposing a stable update for this one unless we get such a report,
since that microcode update is *still* not available in linux-firmware
upstream...

If I am wrong about this, please correct me (and point me to the AMD
microcode release) and I will fix it ASAP.

> You have updated intel-microcode in backports suites instead.  What's
> the reasoning behind this?  I would expect all microcode updates to

One of the stable release managers suggested to be more careful with
this recent crop of microcode updates...

Given the fact that it triggered a number of issues in the kernels of
some vendors (kernel bug, not microcode bug), I agree with their
reasoning, so I did not send a SPU request after a one-month wait.

However, I don't see any reason why we could not start the process for
an upload of intel-microcode to stable right now.  It has been tested
widely enough by Debian users and other distros by now, and the only
kernels that regressed were Ubuntu's (related to apparmor and IBPB
support, worked around by noibpb), AFAIK.

> As you probably know, updated microcode is needed to mitigate against
> Spectre v2 when running code that has not been rebuilt with the
> "retpoline" mitigation, such as when making BIOS/UEFI calls.  I think
> it's also needed to support Spectre v2 mitigation in KVM guests running
> Windows.

Yes, that's correct.

> The Linux kernel in stretch has had support for the microcode-based
> mitigation since version 4.9.82-1+deb9u1.  I'm currently working on
> backporting these changes to jessie, so microcode updates would be
> useful there too.

ACK.  I usually send spu and ospu requests at the same time anyway,
since the criteria for acceptance is mostly the same.

-- 
  Henrique Holschuh



Bug#867989: stretch-pu: package intel-microcode/3.20170707.1~deb9u1

2017-07-15 Thread Henrique de Moraes Holschuh
On Sat, 15 Jul 2017, Adam D. Barratt wrote:
> On Thu, 2017-07-13 at 18:40 -0300, Henrique de Moraes Holschuh wrote:
> > On Thu, 13 Jul 2017, Adam D. Barratt wrote:
> > > Please go ahead.
> > 
> > Uploaded, thank you very much!
> 
> Flagged for acceptance.

Thanks!

-- 
  Henrique Holschuh



Bug#863682: jessie-pu: package intel-microcode/3.20170511.1~deb8u1 [v2]: target jessie

2017-07-15 Thread Henrique de Moraes Holschuh
On Sat, 15 Jul 2017, Adam D. Barratt wrote:
> On Tue, 2017-06-20 at 14:58 -0300, Henrique de Moraes Holschuh wrote:
> > Attached new debdiff and diffstat files (v2) with the following fixes:
> >  * target jessie
> 
> Flagged for acceptance.

Thank you!

-- 
  Henrique Holschuh



Bug#867989: stretch-pu: package intel-microcode/3.20170707.1~deb9u1

2017-07-13 Thread Henrique de Moraes Holschuh
On Thu, 13 Jul 2017, Adam D. Barratt wrote:
> Please go ahead.

Uploaded, thank you very much!

-- 
  Henrique Holschuh



Bug#863682: superseeding with new version

2017-07-13 Thread Henrique de Moraes Holschuh
On Thu, 13 Jul 2017, Adam D. Barratt wrote:
> > Intel released the fixes for Kaby Lake as well, so I am updating this
> > s-p-u bug for the newer version of the intel-microcode package.
> 
> Please go ahead.

I've just uploaded it.  Thank you very much!

-- 
  Henrique Holschuh



Bug#863682: more information

2017-07-13 Thread Henrique de Moraes Holschuh
I have been taking a daily look for any reports of issues with intel
microcode updates over the last 30 days, and so far there are no reports
of issues caused by these updates.

Due to the HT errata issue, these microcode updates had a lot more
adoption than usual by users across most Linux distros, so they had a
lot of extra exposure already.

Version 20170511 shipped with stretch non-free, and we had no regression
reports about it.  It was also backported to jessie-backports, and even
with everyone that installed it both in stretch and jessie due to the
hyper-threading errata (about 2000 additional new installs according to
popcon), there were no regression reports.  It was widely installed on
other distros, and I could not find any regression reports on Gentoo,
Arch, Mint or Fedora, nor through Google searches.

Version 20170707 only added new microcode for newer processors (Kaby
Lake, and very recently launched Skylake server and Skylake-X), leaving
all other microcodes unchanged from 20170511.  Since the motherboards
that support such processors were launched relatively recently, and Kaby
Lake is quite close to Skylake firmware-wise as far as microcode and
closely related platform modules, the chances of regressions due to
outdated firmware are lower.  Again, I can't find any regression reports
at all related to this microcode update.

There are several reports from Ubuntu users about successful installs of
both 20170511 and 20170707, since they're also evaluating it for SRUs as
well.  No regressions were reported so far:
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1700373

Thanks!

-- 
  Henrique Holschuh



Bug#867989: stretch-pu: package intel-microcode/3.20170707.1~deb9u1

2017-07-10 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu


I'd like to update the intel-microcode package in Debian stretch.

This s-p-u request is related to the os-p-u request at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863682

This package update is related to:
https://lists.debian.org/debian-devel/2017/06/msg00308.html

This microcode update fixes the SKL150 and KBL095 errata
(hyper-threading bug) on every Skylake and Kaby Lake processor affected
by the issue.

It also fixes other undisclosed errata on Kaby Lake processors.


As usual, I have removed the noise caused by the binary blob changes
from upstream from the debdiff output for clarity.  The abridged debdiff
is attached.

Full diffstat:
 changelog  |7 
 debian/changelog   |   26 
 microcode-20170511.dat |61886 -
 microcode-20170707.dat |81602 +
 releasenote|   18 
 5 files changed, 81641 insertions(+), 61898 deletions(-)

Abridged diffstat:
 changelog|7 +++
 debian/changelog |   26 ++
 releasenote  |   18 ++
 3 files changed, 39 insertions(+), 12 deletions(-)

Other than the microcode blob, the changes are only to documentation and
the changelogs.

Please note that the new upstream "releasenote" file is not going to be
shipped in the binary packages, since it has way too much incorrect
information.  It is present only in the source package.

Thank you!

-- 
  Henrique Holschuh
diff -Nru intel-microcode-3.20170511.1/changelog intel-microcode-3.20170707.1~deb9u1/changelog
--- intel-microcode-3.20170511.1/changelog	2017-05-13 20:09:28.0 -0300
+++ intel-microcode-3.20170707.1~deb9u1/changelog	2017-07-08 19:47:45.0 -0300
@@ -1,3 +1,10 @@
+2017-07-07:
+  * New Microcodes:
+sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x222, size 25600
+sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
+sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
+sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
+
 2017-05-11:
   * Updated Microcodes:
 sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
diff -Nru intel-microcode-3.20170511.1/debian/changelog intel-microcode-3.20170707.1~deb9u1/debian/changelog
--- intel-microcode-3.20170511.1/debian/changelog	2017-05-15 15:12:25.0 -0300
+++ intel-microcode-3.20170707.1~deb9u1/debian/changelog	2017-07-08 19:47:45.0 -0300
@@ -1,3 +1,29 @@
+intel-microcode (3.20170707.1~deb9u1) stretch; urgency=medium
+
+  * Rebuild for stretch (no changes)
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Sat, 08 Jul 2017 19:47:45 -0300
+
+intel-microcode (3.20170707.1) unstable; urgency=high
+
+  * New upstream microcode datafile 20170707
++ New Microcodes:
+  sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x222, size 25600
+  sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
+  sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
+  sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
++ This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/
+  SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby
+  Lake and Skylake processors: Skylake D0/R0 were fixed since the
+  previous upstream release (20170511).  This new release adds the
+  fixes for Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
++ Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0
+  (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
+  * source: remove unneeded intel-ucode/ directory
+  * source: remove superseded upstream data file: 20170511
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Sat, 08 Jul 2017 19:04:27 -0300
+
 intel-microcode (3.20170511.1) unstable; urgency=medium
 
   * New upstream microcode datafile 20170511
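Review bot: The top entry "intel-microcode (3.20170707.1~deb9u1) stretch; urgency=medium" lowers the urgency of the upload it rebuilds: the 3.20170707.1 entry directly below it is urgency=high and describes the fix as addressing "nightmare-level errata". If the stretch upload carries the same microcode, keep urgency=high on the ~deb9u1 entry, or say in its bullet why it was lowered. In the errata list, "SKZ7/SKW144/SKL150/SKX150 (Skylake) KBL095/KBW095 (Kaby Lake)" also needs a separator (a comma or "and") between the Skylake and Kaby Lake groups.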
diff -Nru intel-microcode-3.20170511.1/releasenote intel-microcode-3.20170707.1~deb9u1/releasenote
--- intel-microcode-3.20170511.1/releasenote	2017-05-13 20:09:28.0 -0300
+++ intel-microcode-3.20170707.1~deb9u1/releasenote	2017-07-08 19:47:45.0 -0300
@@ -1,17 +1,11 @@
 Intel Processor Microcode Package for Linux
-20170511 Release
+20170707 Release
 
--- Updates --
-BDX-ML B0/M0/R0 (06-4f-01:ef) b1f->b21
-Skylake D0 (06-4e-03:c0) 9e->ba
-Broadwell ULT/ULX E/F-step (06-3d-04:c0) 24->25
-ULT Cx/Dx (06-45-01:72) 1f->20
-Crystalwell Cx (06-46-01:32) 16->17
-Broadwell Halo E/G-step (06-47-01:22) 16->17
-HSX EX E0 (06-3f-04:80) d->f
-Skylake R0 (06-5e-03:36) 9e->ba
-Haswell Cx/Dx (06-3c-03:32) 20->22
-HSX C0 (06-3f-02:6f) 39->3a
+-- New Platforms --
+KBL H0 (06-8e-09:c0) 62
+KBL Y0 (06-8e-0a:c0) 66
+KBL B0 (06-9e-09:2a) 5e
+SKX H0 (06-55-04:97) 222
 
 -- Microcode update instructions --
 This package contains Intel microcode files in two formats:
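Review bot: In the "-- New Platforms --" block the revisions are bare hex (62, 66, 5e, 222), while the changelog hunks of this debdiff write the same values as "rev 0x0062", "rev 0x0066", "rev 0x005e" and "rev 0x222", and the whole "-- Updates --" list from 20170511 is dropped rather than extended. Since this is the upstream file, I would not edit it locally; instead add a line to the debian/changelog entry stating that releasenote is kept in the source package only, because the visible entry does not mention the file at all.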


Bug#863682: superseding with new version

2017-07-10 Thread Henrique de Moraes Holschuh
retitle 863682 jessie-pu: package intel-microcode/3.20170707.1~deb8u1
thanks

Intel released the fixes for Kaby Lake as well, so I am updating this
s-p-u bug for the newer version of the intel-microcode package.

Attached are the new diffs and diffstats.  The reasoning for the stable
update is still the same, so I will quote it below.

Thank you!

For the record, this is related to:
https://lists.debian.org/debian-devel/2017/06/msg00308.html

On Mon, 29 May 2017, Henrique de Moraes Holschuh wrote:
> I'd like to update the intel-microcode package in Debian jessie.
> 
> Usually, I'd wait for an extra month before sending this request,
> however I have received word from the OCaml community that this
> microcode update fixes an extremely serious erratum...  and that OCaml
> code compiled with the gcc backend (including the OCaml compiler itself)
> could trivially trigger it.
> 
> The OCaml bug report is here:
> https://caml.inria.fr/mantis/view.php?id=7452
> 
> From the intel-microcode package changelog:
> 
>SKL150 - Short loops using both the AH/BH/CH/DH registers and
>the corresponding wide register *may* result in unpredictable
>system behavior.  Requires both logical processors of the same
>core (i.e. sibling hyperthreads) to be active to trigger, as
>well as a "complex set of micro-architectural conditions"
> 
> This microcode update also fixes other important errata, including one
> that makes it safe to have intel-microcode installed on some recent
> high-end models of the E7v4 and possibly E5v4 Xeons (previous versions
> of intel-microcode are likely to hang these processors during boot,
> refer to bug #862606 for details[1])... but the SKL150 fix takes the
> cake.
> 
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862606

As usual, I have removed the noise caused by the binary blob changes
from upstream from the debdiff output for clarity.  The abridged debdiff
is attached.

Full diffstat:
 changelog              |    20
 debian/changelog       |    68
 microcode-20161104.dat | 61630 -
 microcode-20170707.dat | 81602 +
 releasenote            |    35
 5 files changed, 81725 insertions(+), 61630 deletions(-)

Abridged diffstat:
 changelog        |   20
 debian/changelog |   68 +++
 releasenote      |   35
 3 files changed, 123 insertions(+)

Other than the microcode blob, the changes are only to documentation and
the changelogs.

Please note that the new upstream "releasenote" file is not going to be
shipped in the binary packages, since it has way too much incorrect
information.  It is present only in the source package.

Thank you!

-- 
  Henrique Holschuh
diff -Nru intel-microcode-3.20161104.1~deb8u1/changelog intel-microcode-3.20170707.1~deb8u1/changelog
--- intel-microcode-3.20161104.1~deb8u1/changelog	2016-12-16 08:53:58.0 -0200
+++ intel-microcode-3.20170707.1~deb8u1/changelog	2017-07-08 20:18:26.0 -0300
@@ -1,3 +1,23 @@
+2017-07-07:
+  * New Microcodes:
+sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x222, size 25600
+sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
+sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
+sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
+
+2017-05-11:
+  * Updated Microcodes:
+sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
+sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
+sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
+sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
+sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
+sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
+sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
+sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
+sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb21, size 26624
+sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
+
 2016-11-04:
   * New Microcodes:
 sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x70d, size 20480
diff -Nru intel-microcode-3.20161104.1~deb8u1/debian/changelog intel-microcode-3.20170707.1~deb8u1/debian/changelog
--- intel-microcode-3.20161104.1~deb8u1/debian/changelog	2016-12-16 09:42:12.0 -0200
+++ intel-microcode-3.20170707.1~deb8u1/debian/changelog	2017-07-08 20:25:31.0 -0300
@@ -1,3 +1,71 @@
+intel-microcode (3.20170707.1~deb8u1) jessie; urgency=high
+
+  * Upload to jessie (no changes)
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Sat, 08 Jul 2017 20:25:31 -0300
+
+intel-microcode (3.20170707.1) unstable; urgency=high
+
+  * New upstream microcode datafile 20170707
+
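Review bot: "* Upload to jessie (no changes)" in the top entry reads as if nothing changes for jessie users, but the diff header shows this upload replacing 3.20161104.1~deb8u1, so it brings in both the 20170511 and the 20170707 datafiles at once. Add a bullet to the ~deb8u1 entry summarising what that jump fixes (the SKL150 erratum quoted in the request and the Kaby Lake fixes), as the earlier 3.20170511.1~deb8u1 proposal did with its "Urgency updated to high" bullets. The rest of this "@@ -1,3 +1,71 @@" hunk is cut off after "* New upstream microcode datafile 20170707", so the remaining entries could not be reviewed.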

Bug#863682: jessie-pu: package intel-microcode/3.20170511.1~deb8u1 [v2]: target jessie

2017-06-20 Thread Henrique de Moraes Holschuh
Attached new debdiff and diffstat files (v2) with the following fixes:
 * target jessie


Full diffstat:
 changelog              |    13
 debian/changelog       |    58
 microcode-20161104.dat | 61630
 microcode-20170511.dat | 61886 +
 releasenote            |    41
 5 files changed, 61998 insertions(+), 61630 deletions(-)

Abridged diffstat:
 changelog        |   13
 debian/changelog |   58 +++
 releasenote      |   41 ++
 3 files changed, 112 insertions(+)

Thank you!

-- 
  Henrique Holschuh
diff -Nru intel-microcode-3.20161104.1~deb8u1/changelog 
intel-microcode-3.20170511.1~deb8u1/changelog
--- intel-microcode-3.20161104.1~deb8u1/changelog   2016-12-16 
08:53:58.0 -0200
+++ intel-microcode-3.20170511.1~deb8u1/changelog   2017-05-29 
19:28:58.0 -0300
@@ -1,3 +1,16 @@
+2017-05-11:
+  * Updated Microcodes:
+sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
+sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
+sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
+sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
+sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
+sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
+sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
+sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
+sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb21, size 26624
+sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
+
 2016-11-04:
   * New Microcodes:
 sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x70d, size 20480
diff -Nru intel-microcode-3.20161104.1~deb8u1/debian/changelog 
intel-microcode-3.20170511.1~deb8u1/debian/changelog
--- intel-microcode-3.20161104.1~deb8u1/debian/changelog2016-12-16 
09:42:12.0 -0200
+++ intel-microcode-3.20170511.1~deb8u1/debian/changelog2017-06-20 
14:13:40.0 -0300
@@ -1,3 +1,61 @@
+intel-microcode (3.20170511.1~deb8u1) jessie; urgency=high
+
+  * This is the same package as 3.20170511.1 from unstable/testing and
+3.20170511.1~bpo8+1, from jessie-backports.  It has been present in
+unstable since 2017-05-15, testing since 2017-05-26, and jessie-backports
+since 2017-05-29.
+  * Urgency updated to high:
++ Confirmed fix: nightmare-level Skylake erratum SKL150
++ Confirmed: gcc may generate the code patterns that trigger SKL150
+  (unpredictable behavior).  The OCaml community was hit by this erratum
+  and has been investigating the issue since 2017-01.  It affected the
+  OCaml compiler, and OCaml programs when gcc was used as the backend.
+  https://caml.inria.fr/mantis/view.php?id=7452
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Tue, 20 Jun 2017 14:13:38 
-0300
+
+intel-microcode (3.20170511.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20170511
++ Updated Microcodes:
+  sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
+  sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
+  sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
+  sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
+  sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
+  sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
+  sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
+  sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
+  sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb21, size 26624
+  sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
++ This release fixes undisclosed errata on the desktop, mobile and
+  server processor models from the Haswell, Broadwell, and Skylake
+  families, including even the high-end multi-socket server Xeons
++ Likely fix the TSC-Deadline LAPIC errata (BDF89, SKL142 and
+  similar) on several processor families
++ Fix erratum BDF90 on Xeon E7v4, E5v4(?) (closes: #862606)
++ Likely fix serious or critical Skylake errata: SKL138/144,
+  SKL137/145, SLK149
+* Likely fix nightmare-level Skylake erratum SKL150.  Fortunately,
+  either this erratum is very-low-hitting, or gcc/clang/icc/msvc
+  won't usually issue the affected opcode pattern and it ends up
+  being rare.
+  SKL150 - Short loops using both the AH/BH/CH/DH registers and
+  the corresponding wide register *may* result in unpredictable
+  system behavior.  Requires both logical processors of the same
+  core (i.e. sibling hyperthreads) to be active to trigger, as
+  well as a "complex set of micro-architectural conditions"
+  * source: remove unneeded intel-
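Review bot: "SLK149" in the line "SKL137/145, SLK149" looks like a transposition of "SKL149", given that every other Skylake erratum in this entry uses the SKL prefix. The 3.20170511.1 text is copied from the unstable upload, so fix it there as well, otherwise the typo propagates into every later changelog. The hunk is cut off at "* source: remove unneeded intel-", so the tail of the entry is not covered by this review.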

Bug#863682: jessie-pu: package intel-microcode/3.20170511.1~deb8u1

2017-05-29 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update the intel-microcode package in Debian jessie.

Usually, I'd wait for an extra month before sending this request,
however I have received word from the OCaml community that this
microcode update fixes an extremely serious erratum...  and that OCaml
code compiled with the gcc backend (including the OCaml compiler itself)
could trivially trigger it.

The OCaml bug report is here:
https://caml.inria.fr/mantis/view.php?id=7452

From the intel-microcode package changelog:

   SKL150 - Short loops using both the AH/BH/CH/DH registers and
   the corresponding wide register *may* result in unpredictable
   system behavior.  Requires both logical processors of the same
   core (i.e. sibling hyperthreads) to be active to trigger, as
   well as a "complex set of micro-architectural conditions"

This microcode update also fixes other important errata, including one
that makes it safe to have intel-microcode installed on some recent
high-end models of the E7v4 and possibly E5v4 Xeons (previous versions
of intel-microcode are likely to hang these processors during boot,
refer to bug #862606 for details[1])... but the SKL150 fix takes the
cake.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862606


As usual, I have removed the noise caused by the binary blob changes
from upstream from the debdiff output for clarity.  The abridged debdiff
is attached.

Full diffstat:
 changelog              |    13
 debian/changelog       |    58
 microcode-20161104.dat | 61630
 microcode-20170511.dat | 61886 +
 releasenote            |    41
 5 files changed, 61998 insertions(+), 61630 deletions(-)

Abridged diffstat:
 changelog        |   13
 debian/changelog |   58 +++
 releasenote      |   41 ++
 3 files changed, 112 insertions(+)

Other than the microcode blob, the changes are only to documentation and
the changelogs.

Please note that the new upstream "releasenote" file is not going to be
shipped in the binary packages, since it has way too much incorrect
information.  It is present only in the source package.

Thank you!

-- 
  Henrique Holschuh
diff -Nru intel-microcode-3.20161104.1~deb8u1/changelog 
intel-microcode-3.20170511.1~deb8u1/changelog
--- intel-microcode-3.20161104.1~deb8u1/changelog   2016-12-16 
08:53:58.0 -0200
+++ intel-microcode-3.20170511.1~deb8u1/changelog   2017-05-26 
08:24:17.0 -0300
@@ -1,3 +1,16 @@
+2017-05-11:
+  * Updated Microcodes:
+sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
+sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
+sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
+sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
+sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
+sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
+sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
+sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
+sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb21, size 26624
+sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
+
 2016-11-04:
   * New Microcodes:
 sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x70d, size 20480
diff -Nru intel-microcode-3.20161104.1~deb8u1/debian/changelog 
intel-microcode-3.20170511.1~deb8u1/debian/changelog
--- intel-microcode-3.20161104.1~deb8u1/debian/changelog2016-12-16 
09:42:12.0 -0200
+++ intel-microcode-3.20170511.1~deb8u1/debian/changelog2017-05-29 
19:06:07.0 -0300
@@ -1,3 +1,61 @@
+intel-microcode (3.20170511.1~deb8u1) stable; urgency=high
+
+  * This is the same package as 3.20170511.1 from unstable/testing and
+3.20170511.1~bpo8+1, from jessie-backports.  It has been present in
+unstable since 2017-05-15, testing since 2017-05-26, and jessie-backports
+since 2017-05-29.
+  * Urgency updated to high:
++ Confirmed fix: nightmare-level Skylake erratum SKL150
++ Confirmed: gcc may generate the code patterns that trigger SKL150
+  (unpredictable behavior).  The OCaml community was hit by this erratum
+  and has been investigating the issue since 2017-01.  It affected the
+  OCaml compiler, and OCaml programs when gcc was used as the backend.
+  https://caml.inria.fr/mantis/view.php?id=7452
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Mon, 29 May 2017 19:06:06 
-0300
+
+intel-microcode (3.20170511.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20170511
++ Updated Microcodes:
+  sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
+  sig 0x000306d4, pf_mask
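Review bot: The new top entry targets "stable" ("intel-microcode (3.20170511.1~deb8u1) stable; urgency=high") rather than the release codename. Use "jessie" here, as the v2 debdiff posted on 2017-06-20 does, so the target of the upload stays unambiguous. The hunk is cut off at "sig 0x000306d4, pf_mask", so the remaining lines were not reviewed.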

Bug#862871: unblock: intel-microcode/3.20170511.1

2017-05-18 Thread Henrique de Moraes Holschuh
On Thu, 18 May 2017, Jonathan Wiltshire wrote:
> On 2017-05-17 22:44, Henrique de Moraes Holschuh wrote:
> >Please unblock package intel-microcode.
> 
> Unblocked.

Thank you!

-- 
  Henrique Holschuh



Bug#862871: unblock: intel-microcode/3.20170511.1

2017-05-17 Thread Henrique de Moraes Holschuh
0020, size 20480
+  sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
+  sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
+  sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
+  sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb21, size 26624
+  sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
++ This release fixes undisclosed errata on the desktop, mobile and
+  server processor models from the Haswell, Broadwell, and Skylake
+  families, including even the high-end multi-socket server Xeons
++ Likely fix the TSC-Deadline LAPIC errata (BDF89, SKL142 and
+  similar) on several processor families
++ Fix erratum BDF90 on Xeon E7v4, E5v4(?) (closes: #862606)
++ Likely fix serious or critical Skylake errata: SKL138/144,
+  SKL137/145, SLK149
+* Likely fix nightmare-level Skylake erratum SKL150.  Fortunately,
+  either this erratum is very-low-hitting, or gcc/clang/icc/msvc
+  won't usually issue the affected opcode pattern and it ends up
+  being rare.
+  SKL150 - Short loops using both the AH/BH/CH/DH registers and
+  the corresponding wide register *may* result in unpredictable
+  system behavior.  Requires both logical processors of the same
+  core (i.e. sibling hyperthreads) to be active to trigger, as
+  well as a "complex set of micro-architectural conditions"
+  * source: remove unneeded intel-ucode/ directory
+Since release 20170511, upstream ships the microcodes both in .dat
+format, and as Linux-style split /lib/firmware/intel-ucode files.
+It is simpler to just use the .dat format file for now, so remove
+the intel-ucode/ directory. Note: before removal, it was verified
+that there were no discrepancies between the two microcode sets
+(.dat and intel-ucode/)
+  * source: remove superseded upstream data file: 20161104
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Mon, 15 May 2017 15:12:25 
-0300
+
 intel-microcode (3.20161104.1) unstable; urgency=medium
 
   * New upstream microcode datafile 20161104
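Review bot: The "source: remove unneeded intel-ucode/ directory" bullet says "it was verified that there were no discrepancies between the two microcode sets" but not how. Record the method in the entry (the tool used and what was compared between the .dat file and intel-ucode/), so that the next upload that receives both formats from upstream can repeat the check instead of relying on this one-off statement.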
diff -Nru intel-microcode-3.20161104.1/releasenote 
intel-microcode-3.20170511.1/releasenote
--- intel-microcode-3.20161104.1/releasenote1969-12-31 21:00:00.0 
-0300
+++ intel-microcode-3.20170511.1/releasenote2017-05-13 20:09:28.0 
-0300
@@ -0,0 +1,41 @@
+Intel Processor Microcode Package for Linux
+20170511 Release
+
+-- Updates --
+BDX-ML B0/M0/R0 (06-4f-01:ef) b1f->b21
+Skylake D0 (06-4e-03:c0) 9e->ba
+Broadwell ULT/ULX E/F-step (06-3d-04:c0) 24->25
+ULT Cx/Dx (06-45-01:72) 1f->20
+Crystalwell Cx (06-46-01:32) 16->17
+Broadwell Halo E/G-step (06-47-01:22) 16->17
+HSX EX E0 (06-3f-04:80) d->f
+Skylake R0 (06-5e-03:36) 9e->ba
+Haswell Cx/Dx (06-3c-03:32) 20->22
+HSX C0 (06-3f-02:6f) 39->3a
+
+-- Microcode update instructions --
+This package contains Intel microcode files in two formats:
+* microcode.dat
+* intel-ucode directory 
+
+microcode.dat is in a traditional text format. It is still used in some
+Linux distributions. It can be updated to the system through the old microcode
+update interface which is avaialble in the kernel with
+CONFIG_MICROCODE_OLD_INTERFACE=y.
+
+To update the microcode.dat to the system, one need:
+1. Ensure the existence of /dev/cpu/microcode
+2. Write microcode.dat to the file, e.g.
+  dd if=microcode.dat of=/dev/cpu/microcode bs=1M
+
+intel-ucode dirctory contains binary microcode files named in
+family-model-stepping pattern. The file is supported in most modern Linux
+distributions. It's generally located in the /lib/firmware directory,
+and can be updated throught the microcode reload interface.
+
+To update the intel-ucode package to the system, one need:
+1. Ensure the existence of /sys/devices/system/cpu/microcode/reload
+2. Copy intel-ucode directory to /lib/firmware, overwrite the files in
+/lib/firmware/intel-ucode/
+3. Write the reload interface to 1 to reload the microcode files, e.g.
+  echo 1 > /sys/devices/system/cpu/microcode/reload
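Review bot: The added upstream text carries several typos ("avaialble", "dirctory", "throught", and "one need" twice). Leave the file identical to upstream rather than patching it locally, and state in debian/changelog whether it is installed into the binary packages, since the visible part of the entry only covers the removal of intel-ucode/ and of the superseded datafile and says nothing about this new file.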


Bug#848341: jessie-pu: package intel-microcode/3.20161104.1~deb8u1

2017-01-05 Thread Henrique de Moraes Holschuh
On Thu, 05 Jan 2017, Adam D. Barratt wrote:
> On Fri, 2016-12-16 at 10:17 -0200, Henrique de Moraes Holschuh wrote:
> > I would like to update the intel-microcode packages in stable to address
> > several critical errata in newer Intel processors.
> > 
> > The updated packages being proposed in this bug report are identical to
> > the ones in unstable/testing and jessie-backports, other than
> > debian/changelog and version numbering.
> > 
> > These changes have been tested in unstable since 2016-11-09, in testing
> > since 2016-11-15, and in jessie-backports since 2016-11-17, without any
> > issues being reported.
> 
> Please go ahead.

Uploaded.

Thank you!

-- 
  Henrique Holschuh



Bug#848341: jessie-pu: package intel-microcode/3.20161104.1~deb8u1

2016-12-16 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I would like to update the intel-microcode packages in stable to address
several critical errata in newer Intel processors.

The updated packages being proposed in this bug report are identical to
the ones in unstable/testing and jessie-backports, other than
debian/changelog and version numbering.

These changes have been tested in unstable since 2016-11-09, in testing
since 2016-11-15, and in jessie-backports since 2016-11-17, without any
issues being reported.

The large change in the "upstream" changelog reflects a change on
iucode-tool v2.0 output when listing microcodes: the "pf mask" field was
renamed to "pf_mask" to get rid of the embedded space.


Relevant information from debian/changelog:

+ Supposed to fix critical Intel TSX erratum BDE85 on Xeon-D 1500 Y0

+ Known to fix critical errata on several Xeon-D 1500 models which
  will crash vmware (KB2146388) and likely cause problems for Linux
  as well

+ Fixes likely critical errata (which ones unknown) on Broadwell-E
  (Core extreme edition 5th gen, Xeon E5v4, Xeon E7v4)

+ Removes (very likely outdated) microcode for the C3500 and C5500 family
  of embedded Xeon (Jasper Forest).  These embedded Xeons are typically
  found on (older) network equipment appliances such as firewalls/IPS/IDS,
  and also on data storage devices, and thus are supposed to receive
  microcode updates through their vendors

This microcode update is important to get Debian to run in a more stable
way on the Xeon-D 1500, and on the Broadwell-E processors.


As usual, you will find attached the debdiff output with the changes in
the microcode data files removed for brevity.  Note that an older
microcode data file (20101123) that was *not* used by the build process
anymore was also removed.


Diffstat:
 Makefile               |    21
 changelog              |   726
 debian/changelog       |    56
 debian/compat          |     2
 debian/control         |     4
 microcode-20101123.dat | 27048 -
 microcode-20160714.dat | 59389 ---
 microcode-20161104.dat | 61630 +
 8 files changed, 62079 insertions(+), 86797 deletions(-)

(diffstat of the abridged debdiff, for better resolution):
 Makefile         |   21 +
 changelog        |  726 +++
 debian/changelog |   56
 debian/compat    |    2
 debian/control   |    4
 5 files changed, 449 insertions(+), 360 deletions(-)

Thank you!

-- 
  Henrique Holschuh
diff -Nru intel-microcode-3.20160714.1~deb8u1/changelog intel-microcode-3.20161104.1~deb8u1/changelog
--- intel-microcode-3.20160714.1~deb8u1/changelog	2016-07-31 18:11:41.0 -0300
+++ intel-microcode-3.20161104.1~deb8u1/changelog	2016-12-16 08:53:58.0 -0200
@@ -1,496 +1,508 @@
+2016-11-04:
+  * New Microcodes:
+sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x70d, size 20480
+sig 0x00050664, pf_mask 0x10, 2016-06-02, rev 0xf0a, size 21504
+
+  * Updated Microcodes:
+sig 0x000306f2, pf_mask 0x6f, 2016-10-07, rev 0x0039, size 32768
+sig 0x000406f1, pf_mask 0xef, 2016-10-07, rev 0xb1f, size 25600
+
+  * Removed Microcodes:
+sig 0x000106e4, pf_mask 0x09, 2013-07-01, rev 0x0003, size 6144
+
 2016-07-14:
   * Updated Microcodes:
-sig 0x000306f4, pf mask 0x80, 2016-06-07, rev 0x000d, size 15360
-sig 0x000406e3, pf mask 0xc0, 2016-06-22, rev 0x009e, size 97280
-sig 0x000406f1, pf mask 0xef, 2016-06-06, rev 0xb1d, size 25600
-sig 0x000506e3, pf mask 0x36, 2016-06-22, rev 0x009e, size 97280
+sig 0x000306f4, pf_mask 0x80, 2016-06-07, rev 0x000d, size 15360
+sig 0x000406e3, pf_mask 0xc0, 2016-06-22, rev 0x009e, size 97280
+sig 0x000406f1, pf_mask 0xef, 2016-06-06, rev 0xb1d, size 25600
+sig 0x000506e3, pf_mask 0x36, 2016-06-22, rev 0x009e, size 97280
 
 2016-06-07:
   * New Microcodes:
-sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256
-sig 0x000406f1, pf mask 0xef, 2016-05-20, rev 0xb1c, size 25600
-sig 0x00050662, pf mask 0x10, 2015-12-12, rev 0x000f, size 28672
-sig 0x000506e3, pf mask 0x36, 2016-04-06, rev 0x008a, size 96256
+sig 0x000406e3, pf_mask 0xc0, 2016-04-06, rev 0x008a, size 96256
+sig 0x000406f1, pf_mask 0xef, 2016-05-20, rev 0xb1c, size 25600
+sig 0x00050662, pf_mask 0x10, 2015-12-12, rev 0x000f, size 28672
+sig 0x000506e3, pf_mask 0x36, 2016-04-06, rev 0x008a, size 96256
 
   * Updated Microcodes:
-sig 0x000306c3, pf mask 0x32, 2016-03-16, rev 0x0020, size 22528
-sig 0x000306d4, pf mask 0xc0, 2016-04-29, rev 0x0024, size 17408
-sig 0x000306f2, pf mask 0x6f, 2016-03-28, rev 0x0038, size 32768
-sig 0x000306f4, pf mask 0x80, 2016-02-11, rev 0x000a, size 15360
-sig 0x00040651, pf mask 0x72, 2016-04-01, rev 0x001f, size 20480
-sig 0x00040661, 
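Review bot: Most of this "@@ -1,496 +1,508 @@" hunk is the mechanical "pf mask" to "pf_mask" rename applied to every historical entry, which buries the real changes at the top (two new microcodes, two updated ones, and the removal of sig 0x000106e4). The request explains the rename as an iucode-tool v2.0 output change, but the debian/changelog excerpts quoted in the request do not mention it; add a line there, and name the removed signature next to the C3500/C5500 removal note so users of that processor can find it. The hunk is cut off at "sig 0x00040661,", so the older entries were not checked.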

Bug#834261: jessie-pu: package intel-microcode/3.20160714.1~deb8u1

2016-08-28 Thread Henrique de Moraes Holschuh
On Sun, 28 Aug 2016, Adam D. Barratt wrote:
> On Sat, 2016-08-13 at 18:27 -0300, Henrique de Moraes Holschuh wrote:
> > I would like to update the intel-microcode packages in stable to address
> > several critical errata in newer Intel processors, as well as to
> > properly support the Linux kernel 4.4 and later.
> > 
> > The updated packages being proposed in this bug report are identical to
> > the ones in unstable/testing and jessie-backports, other than
> > debian/changelog and version numbering.
> > 
> > These changes have been tested in unstable since 2016-07-22 and in
> > testing and jessie-backports since 2016-07-28, without any issues being
> > reported.
> > 
> > This microcode update is very important to get Debian to run in a more
> > stable way on the newer processors that have TSX enabled, but as usual,
> > it also fixes other unspecified errata, so it is important even for
> > processors without TSX.
> 
> Please go ahead.

Thank you!

Uploaded.

-- 
  Henrique Holschuh



Bug#834261: jessie-pu: package intel-microcode/3.20160714.1~deb8u1

2016-08-26 Thread Henrique de Moraes Holschuh
Due to new information, I have now high confidence that this proposed
update fixes a regression currently present in jessie (stable): Debian
bug #815990.

-- 
  Henrique Holschuh



Bug#834261: jessie-pu: package intel-microcode/3.20160714.1~deb8u1

2016-08-13 Thread Henrique de Moraes Holschuh
 Broadwell-DE (Xeon-D 1500) errata (incomplete list):
+  Stepping V-1: BDE58, BDE56, BDE55, BDE50, BDE44, BDE41, BDE38,
+BDE10, BDE9, BDE8, BDE7
+  Stepping Y-0: LAN1, BDE67, BDE68
++ Might fix Haswell-EP Xeon E5-v3 power management regression
+  which is already present in the packages currently in jessie
+  (#815990)
++ Fixes undisclosed errata on Xeon E7-v3 48xx/88xx
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Sun, 07 Aug 2016 21:48:59 -0300
+
+intel-microcode (3.20160714.1~bpo8+1) jessie-backports; urgency=medium
+
+  * Rebuild for jessie-backports (no changes)
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Fri, 22 Jul 2016 20:39:26 -0300
+
+intel-microcode (3.20160714.1) unstable; urgency=medium
+
+  * New upstream microcode datafile 20160714
++ Updated Microcodes:
+  sig 0x000306f4, pf mask 0x80, 2016-06-07, rev 0x000d, size 15360
+  sig 0x000406e3, pf mask 0xc0, 2016-06-22, rev 0x009e, size 97280
+  sig 0x000406f1, pf mask 0xef, 2016-06-06, rev 0xb1d, size 25600
+  sig 0x000506e3, pf mask 0x36, 2016-06-22, rev 0x009e, size 97280
++ This release hopefully fixes a hang when updating the microcode on
+  some Skylake-U D-1/Skylake-Y D-1 (sig 0x406e3, pf 0x80) systems
+  * source: remove superseded upstream data file: 20160607
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Thu, 21 Jul 2016 19:04:09 -0300
+
+intel-microcode (3.20160607.2~bpo8+1) jessie-backports; urgency=medium
+
+  * Rebuild for jessie-backports (no changes)
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Sat, 16 Jul 2016 15:24:40 -0300
+
+intel-microcode (3.20160607.2) unstable; urgency=low
+
+  * REMOVE microcode:
+sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256
+(closes: #828819)
+  * The Core i7-6500U and m3-6Y30 processors (Skylake-UY D-1,
+sig=0x406e3, pf=0x80) may hang while attempting an early microcode
+update to revision 0x8a, apparently due to some sort of firmware
+dependency.  On affected systems, the only way to avoid the issue is
+to get a firmware update that includes microcode revision 0x8a or
+later.  At this time, there are reports of both sucessful and failed
+updates on the m3-6Y30, and only of failed updates on the i7-6500U.
+There are no reports about Skylake-U K-1 (pf=0x40).
+  + WARNING: it is unsafe to use a system based on an Intel Skylake-U/Y
+processor with microcode earlier than revision 0x8a, due to several
+critical errata that cause unpredictable behavior, data corruption,
+and other problems.  Users *must* update their firmware to get
+microcode 0x8a or newer, and keep it up-to-date.
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Fri, 08 Jul 2016 22:54:26 -0300
+
+intel-microcode (3.20160607.1~bpo8+1) jessie-backports; urgency=medium
+
+  * Rebuild for jessie-backports (no changes)
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Thu, 23 Jun 2016 16:13:20 -0300
+
+intel-microcode (3.20160607.1) unstable; urgency=medium
+
+  * New upstream microcode data file 20160607
++ New Microcodes:
+  sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256
+  sig 0x000406f1, pf mask 0xef, 2016-05-20, rev 0xb1c, size 25600
+  sig 0x00050662, pf mask 0x10, 2015-12-12, rev 0x000f, size 28672
+  sig 0x000506e3, pf mask 0x36, 2016-04-06, rev 0x008a, size 96256
++ Updated Microcodes:
+  sig 0x000306c3, pf mask 0x32, 2016-03-16, rev 0x0020, size 22528
+  sig 0x000306d4, pf mask 0xc0, 2016-04-29, rev 0x0024, size 17408
+  sig 0x000306f2, pf mask 0x6f, 2016-03-28, rev 0x0038, size 32768
+  sig 0x000306f4, pf mask 0x80, 2016-02-11, rev 0x000a, size 15360
+  sig 0x00040651, pf mask 0x72, 2016-04-01, rev 0x001f, size 20480
+  sig 0x00040661, pf mask 0x32, 2016-04-01, rev 0x0016, size 24576
+  sig 0x00040671, pf mask 0x22, 2016-04-29, rev 0x0016, size 11264
+  * source: remove superseded upstream data file: 20151106.
+  * control: change upstream URL to a search for "linux microcode"
+Unfortunately, many of the per-processor-model feeds have not been
+updated for microcode release 20160607.  Switch to the general search
+page as the upstream URL.
+  * README.Debian: fix duplicated word 'to'
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Thu, 23 Jun 2016 12:17:03 -0300
+
+intel-microcode (3.20151106.2) unstable; urgency=medium
+
+  * Makefile: make the build less verbose.
+  * debian/changelog: fix error in past entry.
+Correct the version of the microcode that caused bug #776431,
+in the entry for version 3.20150121.1.
+  * initramfs: don't force_load microcode.ko when missing.
+Detect a missing microcode.ko and don't attempt to force_load() it,
+otherwise we get spurious warnings at boot.  In verbose mode, log the
+fact that the microcode driver is modular.   For Linux 4.4 and lat
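Review bot: "sucessful" in the Skylake-U/Y hang entry ("reports of both sucessful and failed updates on the m3-6Y30") should read "successful". That paragraph is the user-facing warning people will search for when an early update hangs, so it is worth getting the wording clean before it is copied into further stable uploads.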

Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1

2016-03-21 Thread Henrique de Moraes Holschuh

On Mon, Mar 21, 2016, at 19:29, Adam D. Barratt wrote:
> Flagged for acceptance.

Thank you!

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique de Moraes Holschuh <h...@debian.org>



Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1

2016-03-20 Thread Henrique de Moraes Holschuh
On Sun, 20 Mar 2016, Adam D. Barratt wrote:
> On Sun, 2016-03-20 at 12:20 -0300, Henrique de Moraes Holschuh wrote:
> > I have uploaded it through the ftp queue about one hour ago, but I have
> > still not received any email back either from the upload queue daemon, or
> > from dak (and the packages disappeared from the ftp upload queue).
> > 
> > I will try to reupload.
> 
> dinstall's running, hence the lack of response from dak combined with
> the "disappearing" packages (although I'm not sure why you've not had a
> response from the queued).
> 
> I can confirm that the packages have reached the "unchecked" queue so
> should get processed by dak once dinstall finishes; there's no need to
> re-upload.

Thanks!

I did try to re-upload before I got your reply, and promptly got an email
from the upload queue daemon about an existing previous upload.

So, the first try was processed normally, but the email reply from the queue
daemon got lost in the MTA network.  I assume it will arrive eventually, due
to graylisting or something else of that sort.  If it does, I will look at
the received headers to try to understand where it got delayed...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1

2016-03-20 Thread Henrique de Moraes Holschuh
On Sun, 20 Mar 2016, Adam D. Barratt wrote:
> On Sat, 2016-03-19 at 19:23 -0300, Henrique de Moraes Holschuh wrote:
> > This is the non-free oldstable companion update for the same issue reported
> > in #818689:
> > 
> > Unfortunately, the microcode for the earlier AMD Piledriver processors being
> > distributed in the amd64-microcode packages currently in non-free oldstable,
> > stable, testing and unstable has been found to be extremely dangerous.
> 
> Please go ahead.

I have uploaded it through the ftp queue about one hour ago, but I have
still not received any email back either from the upload queue daemon, or
from dak (and the packages disappeared from the ftp upload queue).

I will try to reupload.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Bug#818710: wheezy-pu: package amd64-microcode/1.20160316.1

2016-03-19 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: wheezy security
User: release.debian@packages.debian.org
Usertags: pu

This is the non-free oldstable companion update for the same issue reported
in #818689:

Unfortunately, the microcode for the earlier AMD Piledriver processors being
distributed in the amd64-microcode packages currently in non-free oldstable,
stable, testing and unstable has been found to be extremely dangerous.

More details:
http://seclists.org/oss-sec/2016/q1/450
http://www.theregister.co.uk/2016/03/06/amd_microcode_6000836_fix/
https://www.reddit.com/r/linux/comments/47s8a8/new_amd_microcode_vulnerability_from_unprivileged/

I would like to update the packages in oldstable with the new microcode.

Thank you!

debdiff output:
diffstat for amd64-microcode-1.20141028.1 amd64-microcode-1.20160316.1

 README   |   14 ++
 debian/changelog |   27 +++
 microcode_amd_fam15h.bin |binary
 microcode_amd_fam15h.bin.asc |   14 +++---
 4 files changed, 48 insertions(+), 7 deletions(-)

diff -Nru amd64-microcode-1.20141028.1/debian/changelog 
amd64-microcode-1.20160316.1/debian/changelog
--- amd64-microcode-1.20141028.1/debian/changelog   2015-01-20 
11:05:42.0 -0200
+++ amd64-microcode-1.20160316.1/debian/changelog   2016-03-19 
19:10:26.0 -0300
@@ -1,3 +1,30 @@
+amd64-microcode (1.20160316.1) oldstable; urgency=critical
+
+  * Upstream release 20160316 built from linux-firmware:
++ Updated Microcodes:
+  sig 0x00600f20, patch id 0x0600084f, 2016-01-25
++ This microcode updates fixes a critical erratum on NMI handling
+  introduced by microcode patch id 0x6000832 from the 20141028 update.
+  The erratum is also present on microcode patch id 0x6000836.
++ THIS IS A CRITICAL STABILITY AND SECURITY UPDATE FOR THE EARLIER
+  AMD PILEDRIVER PROCESSORS, including:
+  + AMD Opteron 3300, 4300, 6300
+  + AMD FX "Vishera" (43xx, 63xx, 83xx, 93xx, 95xx)
+  + AMD processors with family 21, model 2, stepping 0
+  * Robert Święcki, while fuzzing the kernel using the syzkaller tool,
+uncovered very strange behavior on an AMD FX-8320, later reproduced on
+other AMD Piledriver model 2, stepping 0 processors including the Opteron
+6300.  Robert discovered, using his proof-of-concept exploit code, that
+the incorrect behavior allows an unpriviledged attacker on an unpriviledged
+VM to corrupt the return stack of the host kernel's NMI handler.  At best,
+this results in unpredictable host behavior.  At worst, it allows for an
+unpriviledged user on unpriviledged VM to carry a sucessful host-kernel
+ring 0 code injection attack.
+  * The erratum is timing-dependant, easily triggered by workloads that
+cause a high number of NMIs, such as running the "perf" tool.
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Sat, 19 Mar 2016 19:10:20 
-0300
+
 amd64-microcode (1.20141028.1) stable; urgency=medium
 
   * Upstream release 20141028 built from linux-firmware
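Review bot: the new 1.20160316.1 entry carries several spelling and grammar slips in the text that describes the security impact: "unpriviledged" (four times), "sucessful", "timing-dependant", and "This microcode updates fixes". Since this entry is what administrators will read to decide how urgently to act, suggest "unprivileged", "successful", "timing-dependent" and "This microcode update fixes" before upload.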
Binary files 
/tmp/LkCOI20qcl/amd64-microcode-1.20141028.1/microcode_amd_fam15h.bin and 
/tmp/SRBRsoU9Tp/amd64-microcode-1.20160316.1/microcode_amd_fam15h.bin differ
diff -Nru amd64-microcode-1.20141028.1/microcode_amd_fam15h.bin.asc 
amd64-microcode-1.20160316.1/microcode_amd_fam15h.bin.asc
--- amd64-microcode-1.20141028.1/microcode_amd_fam15h.bin.asc   2015-01-14 
11:56:07.0 -0200
+++ amd64-microcode-1.20160316.1/microcode_amd_fam15h.bin.asc   2016-03-19 
19:06:27.0 -0300
@@ -1,11 +1,11 @@
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1
 
-iQEcBAABAgAGBQJUTqLvAAoJEOS+UznzKK5zyaIIAKZcXmU+sBO4YGH5Aq2SdRYe
-rlwE5oeYNh+AdzzLm9EqHwSC+MciFI7HqQz8PvKAsfaoD17mQjonIXga8l2/w3OW
-/vIJjJnu9QB2C9XpjAiQCxS5QaMtIfEEjVld+MeHs6Ld3PwGuAXCkxKcJ2sHLZd3
-UcwwHxcm98KYouogjVZoJeb226cjz6fzUVJK9t9yi2S+SWmIvkjSZEI6W0WFoFCL
-x0jM7lFNcusGtg5K6UsyAdwPwvfbBN5FoV29/DaP+/HA4GP/W/cgbQxS72skDJg5
-c/icP0ntAND2iprtTQXF9//mWdX2FLYD55eu+pShZmO8t4Qvq4tJgiVz3hJiK+U=
-=KBP3
+iQEcBAABAgAGBQJW6d1MAAoJEOS+UznzKK5zSxkH+gJLffKGRM9BHe0D0/fkb0Gs
+FZVp0eUNREOQoYwHJq9Ms1RebaZJkaUnd8SXCODJrqxDsxqUgunUtP6Qfh3Ru6fV
+n0wgFVISKSQVLDP+I/ANFbWA2KhV5e4LuLQp5cDSItv6916kmNlM5kxtJ5QBrNXu
+kr5bNReYgYTl7PSoCPuPfVILToG0ltZQMdKI1GImRCMVrYjGMbv8EyUC3r8ZbChG
+Lv6K0AsULA81lXBAW0JYlxu6cNv1MJ3mxttwCswaJNcd+Y11ZQA8r2sjJoWbNSlS
+nsDPLsUKE/RsW9MlMxiI2Jqo9PrZz923bu/cWMU1FPp+cJII0T7idWGUTVhQjc8=
+=MTxP
 -END PGP SIGNATURE-
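Review bot: the detached signature in microcode_amd_fam15h.bin.asc is replaced wholesale, while the file it covers shows up only as "Binary files ... differ", so nothing in this debdiff lets a reviewer confirm that the new signature matches the new blob. Please state in the request that the .asc was verified against the shipped microcode_amd_fam15h.bin, and with which upstream key, so the check is on record for the stable update.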
diff -Nru amd64-microcode-1.20141028.1/README 
amd64-microcode-1.20160316.1/README
--- amd64-microcode-1.20141028.1/README 2015-01-14 11:56:07.0 -0200
+++ amd64-microcode-1.20160316.1/README 2016-03-19 19:06:27.0 -0300
@@ -1,5 +1,19 @@
 This amd64-microcode release was based on the linux-firmware tree.
 
+From: Sherry Hurwitz <sherry.hurw...@amd.com>
+Subject: [PATCH 1/1] linux-firmware: Update AMD microcode patch firmware
+Date: 2016-03-17 06:56:11 GMT
+

Bug#818689: jessie-pu: package amd64-microcode/2.20160316.1~deb8u1

2016-03-19 Thread Henrique de Moraes Holschuh
On Sat, 19 Mar 2016, Adam D. Barratt wrote:
> On Sat, 2016-03-19 at 15:50 -0300, Henrique de Moraes Holschuh wrote:
> > Unfortunately, the microcode for the earlier AMD Piledriver processors being
> > distributed in the amd64-microcode packages currently in non-free oldstable,
> > stable, testing and unstable has been found to be extremely dangerous.
> [...]
> > I would like to update the packages in stable, with basically the same
> > package that was already uploaded to unstable.  The only difference is an
> > extra debian/changelog entry for the stable upload.
> 
> Please go ahead.

Thank you Adam!  Uploaded!

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Bug#818689: jessie-pu: package amd64-microcode/2.20160316.1~deb8u1

2016-03-19 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: jessie security
User: release.debian@packages.debian.org
Usertags: pu

Unfortunately, the microcode for the earlier AMD Piledriver processors being
distributed in the amd64-microcode packages currently in non-free oldstable,
stable, testing and unstable has been found to be extremely dangerous.

More details:
http://seclists.org/oss-sec/2016/q1/450
http://www.theregister.co.uk/2016/03/06/amd_microcode_6000836_fix/
https://www.reddit.com/r/linux/comments/47s8a8/new_amd_microcode_vulnerability_from_unprivileged/

An urgency=critical upload to unstable is already installed, and waiting for
the next mirror pulse.

I would like to update the packages in stable, with basically the same
package that was already uploaded to unstable.  The only difference is an
extra debian/changelog entry for the stable upload.

Thank you!


debdiff output:
diffstat for amd64-microcode-2.20141028.1 amd64-microcode-2.20160316.1~deb8u1

 README   |   14 ++
 debian/changelog |   33 +
 debian/control   |2 +-
 microcode_amd_fam15h.bin |binary
 microcode_amd_fam15h.bin.asc |   14 +++---
 5 files changed, 55 insertions(+), 8 deletions(-)

diff -Nru amd64-microcode-2.20141028.1/debian/changelog 
amd64-microcode-2.20160316.1~deb8u1/debian/changelog
--- amd64-microcode-2.20141028.1/debian/changelog   2014-12-18 
13:36:29.0 -0200
+++ amd64-microcode-2.20160316.1~deb8u1/debian/changelog2016-03-19 
14:22:44.0 -0300
@@ -1,3 +1,36 @@
+amd64-microcode (2.20160316.1~deb8u1) stable; urgency=critical
+
+  * This is exactly the same release as 2.20160316.1
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Sat, 19 Mar 2016 14:21:54 
-0300
+
+amd64-microcode (2.20160316.1) unstable; urgency=critical
+
+  * Upstream release 20160316 built from linux-firmware:
++ Updated Microcodes:
+  sig 0x00600f20, patch id 0x0600084f, 2016-01-25
++ This microcode updates fixes a critical erratum on NMI handling
+  introduced by microcode patch id 0x6000832 from the 20141028 update.
+  The erratum is also present on microcode patch id 0x6000836.
++ THIS IS A CRITICAL STABILITY AND SECURITY UPDATE FOR THE EARLIER
+  AMD PILEDRIVER PROCESSORS, including:
+  + AMD Opteron 3300, 4300, 6300
+  + AMD FX "Vishera" (43xx, 63xx, 83xx, 93xx, 95xx)
+  + AMD processors with family 21, model 2, stepping 0
+  * Robert Święcki, while fuzzing the kernel using the syzkaller tool,
+uncovered very strange behavior on an AMD FX-8320, later reproduced on
+other AMD Piledriver model 2, stepping 0 processors including the Opteron
+6300.  Robert discovered, using his proof-of-concept exploit code, that
+the incorrect behavior allows an unpriviledged attacker on an unpriviledged
+VM to corrupt the return stack of the host kernel's NMI handler.  At best,
+this results in unpredictable host behavior.  At worst, it allows for an
+unpriviledged user on unpriviledged VM to carry a sucessful host-kernel
+ring 0 code injection attack.
+  * The erratum is timing-dependant, easily triggered by workloads that cause
+a high number of NMIs, such as running the "perf" tool.
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Sat, 19 Mar 2016 14:02:44 
-0300
+
 amd64-microcode (2.20141028.1) unstable; urgency=medium
 
   * Upstream release 20141028 built from linux-firmware:
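Review bot: the patch ids in the 2.20160316.1 entry are written with mixed widths, "0x0600084f" for the fixed revision but "0x6000832" and "0x6000836" for the affected ones. Anyone comparing these against the value the kernel reports has to normalise them by hand; suggest one width throughout, for example "0x06000832" and "0x06000836".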
diff -Nru amd64-microcode-2.20141028.1/debian/control 
amd64-microcode-2.20160316.1~deb8u1/debian/control
--- amd64-microcode-2.20141028.1/debian/control 2014-12-18 13:29:09.0 
-0200
+++ amd64-microcode-2.20160316.1~deb8u1/debian/control  2016-03-19 
14:21:48.0 -0300
@@ -10,7 +10,7 @@
 XS-Autobuild: yes
 
 Package: amd64-microcode
-Architecture: i386 amd64
+Architecture: i386 amd64 x32
 Depends: ${misc:Depends}
 Breaks: intel-microcode (<< 2)
 Description: Processor microcode firmware for AMD CPUs
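Review bot: the addition of x32 to the Architecture field is not mentioned in either changelog entry this debdiff adds, and the ~deb8u1 entry describes the upload only as "exactly the same release as 2.20160316.1". A packaging change that reaches stable should have its own changelog line, so suggest adding one to the 2.20160316.1 entry (something like "control: add x32 to Architecture").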
Binary files 
/tmp/fBt3hF3hZL/amd64-microcode-2.20141028.1/microcode_amd_fam15h.bin and 
/tmp/Xa6pgjObby/amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam15h.bin 
differ
diff -Nru amd64-microcode-2.20141028.1/microcode_amd_fam15h.bin.asc 
amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam15h.bin.asc
--- amd64-microcode-2.20141028.1/microcode_amd_fam15h.bin.asc   2014-12-17 
18:30:04.0 -0200
+++ amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam15h.bin.asc
2016-03-19 14:21:48.0 -0300
@@ -1,11 +1,11 @@
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1
 
-iQEcBAABAgAGBQJUTqLvAAoJEOS+UznzKK5zyaIIAKZcXmU+sBO4YGH5Aq2SdRYe
-rlwE5oeYNh+AdzzLm9EqHwSC+MciFI7HqQz8PvKAsfaoD17mQjonIXga8l2/w3OW
-/vIJjJnu9QB2C9XpjAiQCxS5QaMtIfEEjVld+MeHs6Ld3PwGuAXCkxKcJ2sHLZd3
-UcwwHxcm98KYouogjVZoJeb226cjz6fzUVJK9t9yi2S+SWmIvkjSZEI6W0WFoFCL
-x0jM7lFNcusGtg5K6UsyAdwPwvfbBN5FoV29/DaP+/HA4GP/W/cgbQxS72skDJg5

Bug#809255: jessie-pu: package intel-microcode/3.20151106.1~deb8u1

2015-12-28 Thread Henrique de Moraes Holschuh
On Mon, 28 Dec 2015, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On 2015-12-28 19:12, Henrique de Moraes Holschuh wrote:
> >I would like to update the intel-microcode package in Debian stable
> >(jessie), to the microcode that is already being shipped in unstable since
> >2015-11-10, in testing since 2015-11-15, and in jessie-backports since
> >2015-11-28.
> >
> >In fact, I'd like to update Debian stable to the same package that is
> >already in unstable/testing *and* in jessie-backports, with changes only to
> >the version numbering (and related changelog entry).
> 
> Please go ahead.

Thank you for the extremely fast reply!

Uploading now.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



Bug#809255: jessie-pu: package intel-microcode/3.20151106.1~deb8u1

2015-12-28 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I would like to update the intel-microcode package in Debian stable
(jessie), to the microcode that is already being shipped in unstable since
2015-11-10, in testing since 2015-11-15, and in jessie-backports since
2015-11-28.

In fact, I'd like to update Debian stable to the same package that is
already in unstable/testing *and* in jessie-backports, with changes only to
the version numbering (and related changelog entry).


This update fixes several critical Intel processor errata on widely used
Intel processors (Haswell and Broadwell, as well as their related Xeons).

Without this microcode update, Intel Broadwell systems [running outdated
firmware] have a very high chance of crashing or locking up.  It fixes a
number of nasty issues on Intel Haswell Refresh and Intel Haswell processors
as well.

Please refer to https://bugzilla.kernel.org/show_bug.cgi?id=103351 for a
comprehensive crash report that is fixed by this microcode update.


The debdiff is a bit bigger than usual because I kept all the changes from
the intel-microcode package in unstable / testing / jessie-backports.  These
changes cover documentation updates, and also an improved Makefile to allow
for a safer (against human error) way to add "emergency" microcode updates,
which are likely to be needed soon.

The Makefile changes only affect the build, and they have been extensively
tested.


As usual, you will find attached the debdiff output with the changes in the
two microcode data files removed for brevity...

Diffstat below:
 Makefile   |  119 
 changelog  |   12 
 debian/README.source   |  190 
 debian/changelog   |   44 
 debian/control |2 
 debian/rules   |6 
 debian/ucode-blacklist.txt |5 
 microcode-20150121.dat |41591 ---
 microcode-20151106.dat |43449 +
 9 files changed, 43726 insertions(+), 41692 deletions(-)

(diffstat of the abridged debdiff, for better resolution):
 Makefile   |  119 +++-
 changelog  |   12 ++
 debian/README.source   |  190 ++---
 debian/changelog   |   44 ++
 debian/control |2 
 debian/rules   |6 -
 debian/ucode-blacklist.txt |5 +
 7 files changed, 277 insertions(+), 101 deletions(-)

Thank you!

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
diff -Nru intel-microcode-3.20150121.1/changelog 
intel-microcode-3.20151106.1~deb8u1/changelog
--- intel-microcode-3.20150121.1/changelog  2015-01-29 20:57:13.0 
-0200
+++ intel-microcode-3.20151106.1~deb8u1/changelog   2015-12-28 
11:54:52.0 -0200
@@ -1,3 +1,15 @@
+2015-11-06:
+  * New Microcodes:
+sig 0x000306f4, pf mask 0x80, 2015-07-17, rev 0x0009, size 14336
+sig 0x00040671, pf mask 0x22, 2015-08-03, rev 0x0013, size 11264
+
+  * Updated Microcodes:
+sig 0x000306a9, pf mask 0x12, 2015-02-26, rev 0x001c, size 12288
+sig 0x000306c3, pf mask 0x32, 2015-08-13, rev 0x001e, size 21504
+sig 0x000306d4, pf mask 0xc0, 2015-09-11, rev 0x0022, size 16384
+sig 0x000306f2, pf mask 0x6f, 2015-08-10, rev 0x0036, size 30720
+sig 0x00040651, pf mask 0x72, 2015-08-13, rev 0x001d, size 20480
+
 2015-01-21:
   * Downgraded microcodes (to a previously shipped revision):
 sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672
diff -Nru intel-microcode-3.20150121.1/debian/changelog 
intel-microcode-3.20151106.1~deb8u1/debian/changelog
--- intel-microcode-3.20150121.1/debian/changelog   2015-01-29 
20:57:19.0 -0200
+++ intel-microcode-3.20151106.1~deb8u1/debian/changelog2015-12-28 
16:06:24.0 -0200
@@ -1,3 +1,47 @@
+intel-microcode (3.20151106.1~deb8u1) stable; urgency=medium
+
+  * Rebuild for jessie (stable update), no changes required
+  * This is the same package as 3.20151106.1~bpo8+1 (jessie-backports)
+and 3.20151106.1 (unstable, stretch)
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Mon, 28 Dec 2015 15:57:14 
-0200
+
+intel-microcode (3.20151106.1) unstable; urgency=medium
+
+  * New upstream microcode data file 20151106
++ New Microcodes:
+  sig 0x000306f4, pf mask 0x80, 2015-07-17, rev 0x0009, size 14336
+  sig 0x00040671, pf mask 0x22, 2015-08-03, rev 0x0013, size 11264
++ Updated Microcodes:
+  sig 0x000306a9, pf mask 0x12, 2015-02-26, rev 0x001c, size 12288
+  sig 0x000306c3, pf mask 0x32, 2015-08-13, rev 0x001e, size 21504
+  sig 0x000306d4, pf mask 0xc0, 2015-09-11, rev 0x0022, size 16384
+  sig 0x000306f2, pf 

Bug#779926: pu: package intel-microcode/1.20150121.1

2015-03-08 Thread Henrique de Moraes Holschuh
On Sat, 07 Mar 2015, Adam D. Barratt wrote:
> Control: tags -1 + pending
> 
> On Fri, 2015-03-06 at 17:19 -0300, Henrique de Moraes Holschuh wrote:
> > On Fri, Mar 6, 2015, at 15:49, Adam D. Barratt wrote:
> > > Control: tags -1 + wheezy confirmed
> > 
> > Uploaded.
> 
> and flagged for acceptance.

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#779926: pu: package intel-microcode/1.20150121.1

2015-03-06 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update the intel-microcode package in Wheezy to the latest
available public Intel microcode.

This intel-microcode release (20150121) has been tested in unstable and
also Debian jessie for one month, without any error reports.

It updates only the microcode for Intel Desktop/mobile Broadwell E0/F0
processors, such as the Core i7-5500U and a few others.

It also updates the initramfs scripts, to decouple the intel-microcode
and amd64-microcode packages.  I will need this for a future stable
update of amd64-microcode.  These changes have been tested for over one
year in Debian unstable and Debian jessie, without issues.

I've attached the abridged debdiff, without the upstream microcode
changes.

diffstat:
 changelog  |   11 
 debian/changelog   |   47 
 debian/initramfs.hook  |2 
 debian/initramfs.init-premount |   19 
 microcode-20140913.dat |40694 
 microcode-20150121.dat |41591 +
 6 files changed, 41663 insertions(+), 40701 deletions(-)

Thank you.
diff -Nru intel-microcode-1.20140913.1/changelog intel-microcode-1.20150121.1/changelog
--- intel-microcode-1.20140913.1/changelog	2014-10-30 16:14:19.0 -0200
+++ intel-microcode-1.20150121.1/changelog	2015-02-11 20:32:44.0 -0200
@@ -1,3 +1,14 @@
+2015-01-21:
+  * Downgraded microcodes (to a previously shipped revision):
+sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672
+
+2015-01-07:
+  * New Microcodes:
+sig 0x000306d4, pf mask 0xc0, 2014-12-05, rev 0x0018, size 14336
+
+  * Updated Microcodes (this update is known to cause issues):
+sig 0x000306f2, pf mask 0x6f, 2014-11-21, rev 0x002d, size 28672
+
 2014-09-13:
   * New Microcodes:
 sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672
diff -Nru intel-microcode-1.20140913.1/debian/changelog intel-microcode-1.20150121.1/debian/changelog
--- intel-microcode-1.20140913.1/debian/changelog	2014-12-18 16:31:28.0 -0200
+++ intel-microcode-1.20150121.1/debian/changelog	2015-03-01 23:33:19.0 -0300
@@ -1,3 +1,50 @@
+intel-microcode (1.20150121.1) stable; urgency=high
+
+  * New upstream microcode data file 20150121
++ Downgraded microcodes (to a previously shipped revision):
+  sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672
+* The microcode downgrade fixes a very nasty regression on Xeon E5v3
+  processors (closes: #776431)
+  * critical urgency: the broken sig 0x306f2, rev 0x2b microcode shipped
+in release 20150107 caused CPU core hangs and Linux boot failures.
+The upstream fix was to downgrade it to the same microcode revision
+that was shipped in release 20140913
+  * source: remove superseded upstream data file: 20150107.
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Fri, 30 Jan 2015 08:41:20 -0200
+
+intel-microcode (1.20150107.1) stable; urgency=high
+
+  * New upstream microcode data file 20150107
++ New Microcodes:
+  sig 0x000306d4, pf mask 0xc0, 2014-12-05, rev 0x0018, size 14336
++ Updated Microcodes:
+  sig 0x000306f2, pf mask 0x6f, 2014-11-21, rev 0x002d, size 28672
++ High urgency: there are fast-tracked microcode updates in this
+  release which imply that critical errata are being fixed
+  (Broadwell Core i3/i5/i7 5th gen, Core M-5Y, Pentium 3805U,
+   Celeron 3755U, maybe others)
+  * source: remove superseded upstream data file: 20140913
+  * initramfs: decouple from amd64-microcode:
+Update the initramfs init-premount boot script to the script used in
+intel-microcode 1.20130222.6 to 1.20130808.2, as well as all
+intel-microcode 2.x packages.  It has been throughoutly tested for
+more than one year in unstable, testing (jessie), and
+wheezy-backports.  This new version of the boot script decouples
+intel-microcode from amd64-microcode's boot script, and will trigger
+a microcode update only when an Intel processor is installed.
+amd64-microcode's boot script runs earlier, so this change will at
+most cause a microcode update to be triggered twice (the kernel will
+ignore the second attempt).  Therefore, it is compatible with any
+version of the amd64-microcode package. This change allows
+amd64-microcode's boot script to also be updated to decouple itself
+from intel-microcode.
+  * initramfs.hook: do not mix arrays and lists.
+Avoid echo foo $@, use echo foo $* instead.  This is unlikely
+to be expĺoitable, but it makes ShellCheck happier.
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Sun, 18 Jan 2015 19:17:01 -0200
+
 intel-microcode (1.20140913.1) stable; urgency=low
 
   * New upstream microcode data file 20140913
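Review bot: the 1.20150121.1 header says urgency=high, but the body of the same entry opens a bullet with "critical urgency:". Pick one: either raise the header to urgency=critical or reword the bullet, so the stated urgency and the field tools read agree. While there, "throughoutly" and "expĺoitable" in the 1.20150107.1 entry should read "thoroughly" and "exploitable".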
diff -Nru intel-microcode-1.20140913.1/debian/initramfs.hook intel-microcode-1.20150121.1/debian

Bug#779926: pu: package intel-microcode/1.20150121.1

2015-03-06 Thread Henrique de Moraes Holschuh
On Fri, Mar 6, 2015, at 15:49, Adam D. Barratt wrote:
> Control: tags -1 + wheezy confirmed

Uploaded.

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique de Moraes Holschuh h...@debian.org





Bug#775825: pu: package amd64-microcode/1.20141028.1

2015-02-09 Thread Henrique de Moraes Holschuh
On Mon, Feb 9, 2015, at 16:12, Adam D. Barratt wrote:
> Control: tags -1 + pending
> 
> On Sun, 2015-02-08 at 20:50 -0200, Henrique de Moraes Holschuh wrote:
> > On Fri, 06 Feb 2015, Adam D. Barratt wrote:
> > > On Tue, 2015-01-20 at 11:28 -0200, Henrique de Moraes Holschuh wrote:
> > > > I'd like to update the amd64-microcode package in wheezy.
> > > 
> > > Please go ahead.
> > 
> > Uploaded.
> 
> Flagged for acceptance.

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique de Moraes Holschuh h...@debian.org





Bug#775825: pu: package amd64-microcode/1.20141028.1

2015-02-08 Thread Henrique de Moraes Holschuh
On Fri, 06 Feb 2015, Adam D. Barratt wrote:
> On Tue, 2015-01-20 at 11:28 -0200, Henrique de Moraes Holschuh wrote:
> > I'd like to update the amd64-microcode package in wheezy.
> 
> Please go ahead.

Uploaded.

Thank you very much!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#776787: unblock: intel-microcode/3.20150121.1

2015-02-07 Thread Henrique de Moraes Holschuh
On Fri, 06 Feb 2015, Adam D. Barratt wrote:
> On Sun, 2015-02-01 at 16:06 -0200, Henrique de Moraes Holschuh wrote:
> > Please unblock package intel-microcode
> > 
> > Intel botched a microcode update in the 20150107 release, currently in
> > Debian jessie (testing).  This broken microcode update causes core hangs
> > and boot issues on boxes with Intel Xeon E5v3 processors (Debian
> > bug #776431).
> 
> Unblocked.

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#776787: unblock: intel-microcode/3.20150121.1

2015-02-01 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package intel-microcode

Intel botched a microcode update in the 20150107 release, currently in
Debian jessie (testing).  This broken microcode update causes core hangs
and boot issues on boxes with Intel Xeon E5v3 processors (Debian
bug #776431).

Updated packages were uploaded to Debian unstable a few days ago which
fix the grave issue with the Xeon E5v3 microcode, as well as a very
minor shell scripting issue found by ShellCheck.  This upload was done
by Paul Tagliamonte (also a Debian Developer) as I was unable to do it
in a short timeframe due to an unfortunate hardware issue on my Debian
build box.

The new upstream microcode release (20150121) fixed the broken microcode
update by reverting that specific microcode to an older release that had
been previously distributed (in upstream 20140913).  This older (known
good) release of the Xeon E5v3 microcode was in Debian unstable/testing
for four months, without any reported issues.  The known-good microcode
is currently in Debian stable.

There were no other changes to the upstream microcode data file, just
the revert of the problematic microcode update.

Other Haswell-E based Intel processors with family 6, model 63, stepping
2 (such as hexa/octa-core Core i7 desktop parts) might also be affected
by the broken microcode update, so it could hit desktop users as well,
not just servers and workstations.

This package update fixes Debian bug #776431 (severity grave).

diffstat:
 changelog  |6 
 debian/changelog   |   18 
 debian/initramfs.hook  |2 
 microcode-20150107.dat |41591 -
 microcode-20150121.dat |41591 +
 5 files changed, 41615 insertions(+), 41593 deletions(-)

Abridged debdiff attached (with the upstream microcode data file changes
removed, for clarity).

Thank you.


unblock intel-microcode/3.20150121.1

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh
diff -Nru intel-microcode-3.20150107.1/changelog intel-microcode-3.20150121.1/changelog
--- intel-microcode-3.20150107.1/changelog	2015-01-17 23:58:43.0 -0200
+++ intel-microcode-3.20150121.1/changelog	2015-01-29 20:57:13.0 -0200
@@ -1,8 +1,12 @@
+2015-01-21:
+  * Downgraded microcodes (to a previously shipped revision):
+sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672
+
 2015-01-07:
   * New Microcodes:
 sig 0x000306d4, pf mask 0xc0, 2014-12-05, rev 0x0018, size 14336
 
-  * Updated Microcodes:
+  * Updated Microcodes (this update is known to cause issues):
 sig 0x000306f2, pf mask 0x6f, 2014-11-21, rev 0x002d, size 28672
 
 2014-09-13:
diff -Nru intel-microcode-3.20150107.1/debian/changelog intel-microcode-3.20150121.1/debian/changelog
--- intel-microcode-3.20150107.1/debian/changelog	2015-01-18 00:30:13.0 -0200
+++ intel-microcode-3.20150121.1/debian/changelog	2015-01-29 20:57:19.0 -0200
@@ -1,3 +1,21 @@
+intel-microcode (3.20150121.1) unstable; urgency=critical
+
+  * New upstream microcode data file 20150121
+* Downgraded microcodes (to a previously shipped revision):
+  sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672
+* The microcode downgrade fixes a very nasty regression on Xeon E5v3
+  processors (closes: #776431)
+  * critical urgency: the broken sig 0x306f2, rev 0x2b microcode shipped
+in release 20150107 caused CPU core hangs and Linux boot failures.
+The upstream fix was to downgrade it to the same microcode revision
+that was shipped in release 20140913
+  * source: remove superseded upstream data file: 20150107.
+  * initramfs.hook: do not mix arrays and lists.
+Avoid echo foo $@, use echo foo $* instead.  This is unlikely
+to be expĺoitable, but it makes ShellCheck happier.
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Wed, 28 Jan 2015 20:03:20 -0200
+
 intel-microcode (3.20150107.1) unstable; urgency=high
 
   * New upstream microcode data file 20150107
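Review bot: the "critical urgency" item names the broken microcode as sig 0x306f2, rev 0x2b, but the upstream changelog in this same debdiff lists the 20150107 update for sig 0x000306f2 as rev 0x002d. One of the two is wrong; correct the revision so that administrators checking their running microcode compare against the right value.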
diff -Nru intel-microcode-3.20150107.1/debian/initramfs.hook intel-microcode-3.20150121.1/debian/initramfs.hook
--- intel-microcode-3.20150107.1/debian/initramfs.hook	2015-01-17 23:58:33.0 -0200
+++ intel-microcode-3.20150121.1/debian/initramfs.hook	2015-01-29 20:57:13.0 -0200
@@ -29,7 +29,7 @@
 verbose()
 {
 	if [ ${verbose} = y ] ; then
-		echo intel-microcode: $@
+		echo intel-microcode: $*
 	fi
 	:
 }
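Review bot: in verbose(), the replacement `echo intel-microcode: $*` is shown without double quotes, and an unquoted `$*` undergoes the same word splitting and pathname expansion as an unquoted `$@`, so the change only has an effect inside a double-quoted string. If the file really has it unquoted, write `echo "intel-microcode: $*"`; the same applies to `${verbose}` in the `[ ... = y ]` test two lines above, which breaks when the variable is empty.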
diff -Nru intel-microcode-3.20150107.1/microcode-20150107.dat intel-microcode-3.20150121.1/microcode-20150107.dat
diff -Nru intel-microcode-3.20150107.1/microcode-20150121.dat intel-microcode-3.20150121.1/microcode-20150121.dat
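
The changelog lines and the family 6, model 63, stepping 2 signature discussed in the message above, worked through as an added example (not part of the original message or of the intel-microcode package): it parses the upstream changelog entries, picks out the revision marked as known to cause issues, detects the downgrade, and checks /proc/cpuinfo text for processors still running the flagged revision. The /proc/cpuinfo sample and all function names are constructed for illustration.

```python
import re

# Upstream changelog entries, copied from the debdiff hunk above.
CHANGELOG = """\
2015-01-21:
  * Downgraded microcodes (to a previously shipped revision):
    sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672

2015-01-07:
  * New Microcodes:
    sig 0x000306d4, pf mask 0xc0, 2014-12-05, rev 0x0018, size 14336

  * Updated Microcodes (this update is known to cause issues):
    sig 0x000306f2, pf mask 0x6f, 2014-11-21, rev 0x002d, size 28672
"""

ENTRY_RE = re.compile(r"sig (0x[0-9a-f]+), pf mask 0x[0-9a-f]+, "
                      r"(\d{4}-\d{2}-\d{2}), rev (0x[0-9a-f]+), size \d+", re.I)


def sample_cpuinfo(revision, cpus=2):
    """Constructed /proc/cpuinfo text: family 6, model 63, stepping 2."""
    stanza = ("processor\t: {n}\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
              "model\t\t: 63\nmodel name\t: constructed Haswell-E sample\n"
              "stepping\t: 2\nmicrocode\t: {rev}\n")
    return "\n".join(stanza.format(n=n, rev=revision) for n in range(cpus))


def decode_signature(sig):
    """Split a CPUID(1).EAX signature into (family, model, stepping)."""
    stepping = sig & 0xF
    model = (sig >> 4) & 0xF
    family = (sig >> 8) & 0xF
    if family in (0x6, 0xF):          # extended model applies to these families
        model |= ((sig >> 16) & 0xF) << 4
    if family == 0xF:                 # extended family applies only to 0xF
        family += (sig >> 20) & 0xFF
    return family, model, stepping


def parse_changelog(text):
    """One dict per microcode line, tagged with its release and section."""
    entries, release, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if re.fullmatch(r"\d{4}-\d{2}-\d{2}:", stripped):
            release, section = stripped[:-1], None
        elif stripped.startswith("* "):
            section = stripped[2:].rstrip(":")
        else:
            m = ENTRY_RE.search(stripped)
            if m and release:
                entries.append({"release": release, "section": section,
                                "sig": int(m.group(1), 16), "date": m.group(2),
                                "rev": int(m.group(3), 16)})
    return entries


def known_bad(entries):
    """(sig, rev) pairs listed under a heading that says the update causes issues."""
    return {(e["sig"], e["rev"]) for e in entries
            if "known to cause issues" in (e["section"] or "")}


def downgrades(entries):
    """(sig, old_rev, new_rev) where a later release ships a lower revision."""
    latest, found = {}, []
    for e in sorted(entries, key=lambda e: e["release"]):
        prev = latest.get(e["sig"])
        if prev and e["rev"] < prev["rev"]:
            found.append((e["sig"], prev["rev"], e["rev"]))
        latest[e["sig"]] = e
    return found


def affected_cpus(cpuinfo_text, bad):
    """Logical CPU numbers whose family/model/stepping/revision match a bad pair.

    /proc/cpuinfo does not expose the platform flags, so the pf mask from the
    changelog is not checked here (a simplification of this example).
    """
    bad_keys = {decode_signature(sig) + (rev,) for sig, rev in bad}
    hits = []
    for stanza in cpuinfo_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        try:
            cpu = int(fields["processor"])
            key = (int(fields["cpu family"]), int(fields["model"]),
                   int(fields["stepping"]), int(fields["microcode"], 16))
        except (KeyError, ValueError):
            continue                  # stanza without the fields we need
        if key in bad_keys:
            hits.append(cpu)
    return hits


if __name__ == "__main__":
    entries = parse_changelog(CHANGELOG)
    for sig, old, new in downgrades(entries):
        print("sig 0x%08x downgraded: rev 0x%x -> 0x%x" % (sig, old, new))
    print("CPUs on flagged revision:",
          affected_cpus(sample_cpuinfo("0x2d"), known_bad(entries)))
```

On a real host, pass the contents of /proc/cpuinfo instead of the constructed sample.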


Bug#775762: unblock: intel-microcode/3.20150107.1

2015-01-21 Thread Henrique de Moraes Holschuh
On Tue, 20 Jan 2015, Ivo De Decker wrote:
> On Mon, Jan 19, 2015 at 04:14:21PM -0200, Henrique de Moraes Holschuh wrote:
>> Please unblock package intel-microcode
>
> Unblocked.

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150121110216.gc10...@khazad-dum.debian.net



Bug#775762: unblock: intel-microcode/3.20150107.1

2015-01-19 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package intel-microcode

Intel released a new public microcode update.  It includes new microcode for
very recent desktop/notebook/embedded Broadwell processors, and updated the
microcode for the Haswell-EP Xeon processors (Xeon E5v3) and Haswell-E
Hexacore 4th gen Haswell Core processors.

The microcode update for the 5th-gen Core/Core M-5Y Broadwell processors was
fast-tracked (~1 month old).  Coreboot also updated this very same microcode
(although they have an even newer revision), so this is a strong hint that
the update fixes critical errata.

No microcodes were removed, so the risk of regression is low.

There were no other changes to the package other than the Intel-provided
microcode data, and changelog documentation.

debdiff diffstat:
 changelog  |7 
 debian/changelog   |   13 
 microcode-20140913.dat |40694 ---
 microcode-20150107.dat |41591 +
 4 files changed, 41611 insertions(+), 40694 deletions(-)

abridged debdiff diffstat:
 changelog|7 +++
 debian/changelog |   13 +
 2 files changed, 20 insertions(+)

abridged debdiff (microcode-*.dat hunks removed) attached.

Thank you.

unblock intel-microcode/3.20150107.1

-- System Information:
Debian Release: 7.8
  APT prefers proposed-updates
  APT policy: (990, 'proposed-updates'), (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10.65+ (SMP w/8 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh
diff -Nru intel-microcode-3.20140913.1/changelog intel-microcode-3.20150107.1/changelog
--- intel-microcode-3.20140913.1/changelog	2014-10-19 14:02:08.0 -0200
+++ intel-microcode-3.20150107.1/changelog	2015-01-17 23:58:43.0 -0200
@@ -1,3 +1,10 @@
+2015-01-07:
+  * New Microcodes:
+sig 0x000306d4, pf mask 0xc0, 2014-12-05, rev 0x0018, size 14336
+
+  * Updated Microcodes:
+sig 0x000306f2, pf mask 0x6f, 2014-11-21, rev 0x002d, size 28672
+
 2014-09-13:
   * New Microcodes:
 sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672
diff -Nru intel-microcode-3.20140913.1/debian/changelog intel-microcode-3.20150107.1/debian/changelog
--- intel-microcode-3.20140913.1/debian/changelog	2014-10-19 18:32:10.0 -0200
+++ intel-microcode-3.20150107.1/debian/changelog	2015-01-18 00:30:13.0 -0200
@@ -1,3 +1,16 @@
+intel-microcode (3.20150107.1) unstable; urgency=high
+
+  * New upstream microcode data file 20150107
++ New Microcodes:
+  sig 0x000306d4, pf mask 0xc0, 2014-12-05, rev 0x0018, size 14336
++ Updated Microcodes:
+  sig 0x000306f2, pf mask 0x6f, 2014-11-21, rev 0x002d, size 28672
++ High urgency: there are fast-tracked microcode updates in this
+  release which imply that critical errata are being fixed
+  * source: remove superseded upstream data file: 20140913
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Sun, 18 Jan 2015 00:30:11 -0200
+
 intel-microcode (3.20140913.1) unstable; urgency=low
 
   * New upstream microcode data file 20140913
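Review bot: the "High urgency" item justifies urgency=high by fast-tracked updates without saying which one is meant; of the two listed, sig 0x000306d4 is dated 2014-12-05 and sig 0x000306f2 is dated 2014-11-21. Name the signature(s) meant, and say that the errata fix is inferred rather than documented, so the urgency can be re-evaluated later.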
diff -Nru intel-microcode-3.20140913.1/microcode-20140913.dat intel-microcode-3.20150107.1/microcode-20140913.dat
diff -Nru intel-microcode-3.20140913.1/microcode-20150107.dat intel-microcode-3.20150107.1/microcode-20150107.dat


Bug#773458: unblock: amd64-microcode/2.20141028.1

2014-12-19 Thread Henrique de Moraes Holschuh
On Fri, 19 Dec 2014, Jonathan Wiltshire wrote:
> Unblocked, thanks.

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#773479: pu: package intel-microcode/1.20140913.1

2014-12-19 Thread Henrique de Moraes Holschuh
On Fri, 19 Dec 2014, Jonathan Wiltshire wrote:
>>>> Please go ahead.
>>>
>>> Thank you.   Uploading now!
>>
>> Package uploaded and accepted by dinstall, it is in the queue waiting for
>> the unblock.
>
> Flagged for acceptance.

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#773458: unblock: amd64-microcode/2.20141028.1

2014-12-18 Thread Henrique de Moraes Holschuh
/debian/initramfs.hook
index 513a161..269f701 100755
--- a/debian/initramfs.hook
+++ b/debian/initramfs.hook
@@ -1,6 +1,6 @@
 #!/bin/sh
 # amd64-microcode initramfs-tools hook script
-# Copyright (C) 2012,2013 Henrique de Moraes Holschuh h...@debian.org
+# Copyright (C) 2012-2014 Henrique de Moraes Holschuh h...@debian.org
 # Released under the GPL v2 or later license
 #
 # Generates a copy of the minimal microcode for the current system if
@@ -8,6 +8,7 @@
 #
 
 PREREQ=
+AMD64UCODE_CONFIG=/etc/default/amd64-microcode
 
 prereqs()
 {
@@ -26,19 +27,45 @@ esac
 verbose()
 {
if [ ${verbose} = y ] ; then
-   echo amd64-microcode: $@
+   echo amd64-microcode: $*
fi
:
 }
 
 AUCODE_FW_DIR=/lib/firmware/amd-ucode
+AMD64UCODE_INITRAMFS=auto
+[ -r ${AMD64UCODE_CONFIG} ]  . ${AMD64UCODE_CONFIG}
+
+[ -z ${AMD64UCODE_INITRAMFS} ]  AMD64UCODE_INITRAMFS=no
 
 if [ ! -d ${AUCODE_FW_DIR} ] ; then
verbose no AMD64 processor microcode datafiles to install
exit 0;
 fi
 
-if grep -q ^vendor_id[[:blank:]]*:[[:blank:]]*.*AuthenticAMD /proc/cpuinfo; 
then
+case ${AMD64UCODE_INITRAMFS} in
+no|0)
+verbose disabled by ${AMD64UCODE_CONFIG}
+exit 0
+;;
+early)
+   echo W: amd64-microcode: early mode not supported, forcing late 
initramfs mode 2
+AMD64UCODE_INITRAMFS=yes
+;;
+yes|1|auto)
+;;
+*)
+echo E: amd64-microcode: invalid AMD64UCODE_INITRAMFS, using 
automatic mode 2
+AMD64UCODE_INITRAMFS=auto
+esac
+
+if [ ${AMD64UCODE_INITRAMFS} = auto ] ; then
+grep -q ^vendor_id[[:blank:]]*:[[:blank:]]*.*AuthenticAMD 
/proc/cpuinfo || {
+verbose no AMD processors detected, nothing to do
+exit 0
+}
+fi
+
 # See Debian bug #716917.  Blacklist all non-LTS/non-Debian kernel versions
 # before kernel 3.4  Only known-bad kernel is 2.6.38.
 #
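Review bot: the `*)` fallback in the new `case ${AMD64UCODE_INITRAMFS}` block reports an invalid setting with an `E:` prefix but then carries on in automatic mode, whereas the `early)` branch uses `W:` for the same kind of recoverable fallback; use `W:` in both, or exit after an `E:`. The `*)` branch also lacks the closing `;;` that the other branches have, which is legal before `esac` but inconsistent.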
@@ -46,11 +73,11 @@ if grep -q 
^vendor_id[[:blank:]]*:[[:blank:]]*.*AuthenticAMD /proc/cpuinfo; th
 # information at the initramfs-tools layer, due to the way Debian and Ubuntu 
version
 # kernel packages.
 
-   if dpkg --compare-versions ${version} le 3.4  \
-{ dpkg --compare-versions ${version} lt 2.6.32 || \
- { dpkg --compare-versions ${version} ge 2.6.33  dpkg 
--compare-versions ${version} lt 3.0 ; } || \
- { dpkg --compare-versions ${version} ge 3.1  dpkg 
--compare-versions ${version} lt 3.2 ; } || \
- dpkg --compare-versions ${version} ge 3.3 ; \
+if dpkg --compare-versions ${version} le 3.4  \
+ { dpkg --compare-versions ${version} lt 2.6.32 || \
+  { dpkg --compare-versions ${version} ge 2.6.33  dpkg 
--compare-versions ${version} lt 3.0 ; } || \
+  { dpkg --compare-versions ${version} ge 3.1  dpkg --compare-versions 
${version} lt 3.2 ; } || \
+  dpkg --compare-versions ${version} ge 3.3 ; \
  }; then
echo E: amd64-microcode: unsupported kernel version! 2
exit 0
@@ -67,6 +94,5 @@ if grep -q 
^vendor_id[[:blank:]]*:[[:blank:]]*.*AuthenticAMD /proc/cpuinfo; th
verbose installing AMD64 processor microcode update support into 
initramfs...
force_load microcode
 fi
-fi
 
 :
diff -Nru amd64-microcode-2.20131007.1+really20130710.1/debian/changelog amd64-microcode-2.20141028.1/debian/changelog
--- amd64-microcode-2.20131007.1+really20130710.1/debian/changelog	2013-09-07 22:42:46.0 -0300
+++ amd64-microcode-2.20141028.1/debian/changelog	2014-12-18 13:36:29.0 -0200
@@ -1,3 +1,43 @@
+amd64-microcode (2.20141028.1) unstable; urgency=medium
+
+  * Upstream release 20141028 built from linux-firmware:
++ Updated microcode patches for family 0x15 processors
++ Added microcode patches for family 0x16 processors
+  * AMD did not update the relevant microcode documentation (errata fixed,
+microcode patch levels, etc), so there is no documentation for the
+family 0x16 microcode patches, and the documentation for family 0x15 is
+stale.
+  * postinst: do not update microcode on upgrades:
+Remove code that triggers a microcode update on package upgrade.  The
+resulting postinst script is now identical to the one in Debian jessie's
+intel-microcode, and thus known-good.
+NOTE: this code was already disabled for the majority of the users due
+to Debian bug #723975 (closes: #723975, #723081)
+  * kpreinst: remove, we don't update microcode on postinst anymore
+  * blacklist automated loading of the microcode module:
+This is in line with the desired behavior of only updating microcode
+*automatically* during system boot, when it is safer to do so.  The
+local admin can still load the microcode module and update the microcode
+manually at any time, of course.  This is in sync with the intel-microcode
+packages in Debian jessie, which will also blacklist the microcode module.
+Note that the initramfs will force-load the microcode module in a safe

Bug#773479: pu: package intel-microcode/1.20140913.1

2014-12-18 Thread Henrique de Moraes Holschuh
+  * add a microcode best-effort blacklist.  This is a reactive blacklist
+which renames problematic microcode data files in such a way they
+will only be used for the initramfs.  Use it to blacklist all
+Haswell microcode updates
+  * source: remove superseded upstream data file: 20140624
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Fri, 24 Oct 2014 19:01:18 -0200
+
 intel-microcode (1.20140624.1) stable; urgency=high
 
   * New upstream microcode data file 20140624
diff -Nru intel-microcode-1.20140624.1/debian/intel-microcode.kpreinst intel-microcode-1.20140913.1/debian/intel-microcode.kpreinst
--- intel-microcode-1.20140624.1/debian/intel-microcode.kpreinst	2014-06-27 16:34:37.0 -0300
+++ intel-microcode-1.20140913.1/debian/intel-microcode.kpreinst	2014-12-18 16:31:28.0 -0200
@@ -1,19 +1,17 @@
 #!/bin/sh
 #
-# /etc/kernel/preinst.d intel-microcode script
-# Copyright (C) 2012 Henrique de Moraes Holschuh h...@hmh.eng.br
+# /etc/kernel/preinst.d script for intel-microcode version 1
+# Copyright (C) 2014 Henrique de Moraes Holschuh h...@debian.org
 # Released under the GPL v2 or later license
 #
-# This script makes sure the microcode and cpuid modules are
-# loaded, before the kernel image has a chance to replace them
-# with new ones that might not be compatible with the current
-# kernel.
+# This script makes sure the cpuid module is loaded, before the
+# kernel image has a chance to replace it with a new one that
+# might not be compatible with the current kernel.
 #
-# We need the microcode module to update microcode on postinst,
-# and the cpuid module for iucode_tool --scan-system.
+# We need the cpuid module for iucode_tool --scan-system,
+# which is used by the initramfs hook.
 #
 
-modprobe -q microcode || true
 grep -q cpu/cpuid /proc/devices || modprobe -q cpuid || true
 
 :
diff -Nru intel-microcode-1.20140624.1/debian/intel-microcode.NEWS intel-microcode-1.20140913.1/debian/intel-microcode.NEWS
--- intel-microcode-1.20140624.1/debian/intel-microcode.NEWS	2014-06-27 16:57:16.0 -0300
+++ intel-microcode-1.20140913.1/debian/intel-microcode.NEWS	2014-12-18 16:31:28.0 -0200
@@ -1,3 +1,19 @@
+intel-microcode (1.20140913.1) stable; urgency=low
+
+This release drops support for automatically applying microcode
+updates without a reboot.  The microcode updates can still be applied
+without a reboot through manual action of the system administrator,
+but this operation is not considered safe anymore.
+
+Microcodes known to be dangerous have been renamed so that they will
+not be found by the microcode module, except inside the initramfs.
+This is a reactive blacklisting: it is unlikely to be complete at any
+point in time.
+
+Refer to /usr/share/doc/intel-microcode/README.Debian for details.
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Fri, 10 Oct 2014 12:27:57 -0300
+
 intel-microcode (1.20120606.4) unstable; urgency=low
 
 The initramfs logic to automatically restrict the microcodes that have
diff -Nru intel-microcode-1.20140624.1/debian/intel-microcode.postinst intel-microcode-1.20140913.1/debian/intel-microcode.postinst
--- intel-microcode-1.20140624.1/debian/intel-microcode.postinst	2014-06-27 16:57:16.0 -0300
+++ intel-microcode-1.20140913.1/debian/intel-microcode.postinst	2014-10-30 16:14:19.0 -0200
@@ -19,36 +19,18 @@
 
 case $1 in
 configure)
-	# try to load the microcode module just in case.  If we succeed,
-	# it will trigger a microcode update by itself
-	if modprobe -q --first-time microcode ; then
-	echo Updating microcode on all online processors... 2
-	else
-	# we have to trigger the microcode update manually
-	if [ -e /sys/devices/system/cpu/microcode/reload ] ; then
-		echo Updating microcode on all online processors... 2
-		echo 1  /sys/devices/system/cpu/microcode/reload || {
-		echo Kernel reported failure while updating microcode! 2
-		}
-	else
-		# Try all online processors, broken kernels need this,
-		# fixed kernels will accept it only on the BSP and update
-		# all processors anyway, and -EINVAL all others... but we
-		# don't know which one is the BSP, so we try all of them
-		# and hide errors, the kernel will log any real problem.
-		echo Using per-core interface to update microcode on online processors... 2
-		find /sys/devices/system/cpu -noleaf -type f -path '/sys/devices/system/cpu/cpu*/microcode/reload' | \
-		while read i ; do echo -n 1 2/dev/null $i || true ; done
-	fi
-	fi
 	# do it like udev and firmware-linux-*
-	if [ -x /usr/sbin/update-initramfs -a -e /etc/initramfs-tools/initramfs.conf ] ; then
-		update-initramfs -u
+	if [ -x /usr/sbin/update-initramfs ]  [ -e /etc/initramfs-tools/initramfs.conf ] ; then
+	update-initramfs -u  {
+		echo intel-microcode: microcode will be updated at next boot 2
+		ls /usr/share/misc/intel-microcode* /dev/null 21  {
+		echo intel-microcode: possibly old microcode files from /usr
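Review bot: the new condition tests `/usr/sbin/update-initramfs` by absolute path but the next line runs `update-initramfs -u` through PATH, so the binary that was checked is not necessarily the one executed. Invoke it by the same absolute path, or test with `command -v`, so both lines refer to one program.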

Bug#773458: unblock: amd64-microcode/2.20141028.1

2014-12-18 Thread Henrique de Moraes Holschuh
On Thu, 18 Dec 2014, Adam D. Barratt wrote:
> Control: tags -1 + confirmed moreinfo
>
> On Thu, 2014-12-18 at 14:44 -0200, Henrique de Moraes Holschuh wrote:
>> Please unblock package amd64-microcode
>>
>>
>> This is a freeze policy exception request, for which I apologise.
>> The package is in non-free, it is a leaf package, and it is system firmware.
>>
>> This is a pre-approval request, I have not uploaded the updated package to
>> non-free unstable yet.
>>
>>
>> The changes look a bit more extensive than one would like, however they:
>>
>> 1. Have been tested in the sister intel-microcode package that is in
>>    jessie already.  In fact, the maintainer scripts are now nearly identical
>>    between the two packages.  The code that runs inside the initramfs *was
>>    not changed* (so it is also known good and there is no chance of
>>    regressions).  The code that runs when building the initramfs is simple,
>>    and tested.
> [...]
>
> As long as the upload can be made soon, I'd be okay with accepting this.
> Please remove the moreinfo tag once the package has been accepted.

Uploading now. As soon as I get the return mail from dinstall I will remove
the moreinfo tag.

>> Half the changes in the initramfs.hook are noise because a large block of
>> code was unindented (it was inside an if clause that was removed), which
>> doesn't play well with debdiff's non-whitespace-ignoring use of diff/wdiff.
>
> debdiff has a -w switch. :-)

And so it does.  I wonder how I missed that when I read the manpage :-(

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#773479: pu: package intel-microcode/1.20140913.1

2014-12-18 Thread Henrique de Moraes Holschuh
On Thu, 18 Dec 2014, Adam D. Barratt wrote:
> Control: tags -1 + confirmed wheezy
>
> On Thu, 2014-12-18 at 17:59 -0200, Henrique de Moraes Holschuh wrote:
>> Please approve an update of intel-microcode in non-free stable (wheezy),
>> to version 1.20140913.1.
>>
>> Intel released in 2014-09-13 a new microcode update package, which targets
>> their Haswell processors (server, mobile and desktop).
>>
>> The 2014-09-13 microcode update is in unstable since 2014-10-19, and in
>> jessie since 2014-10-30.  No issues were reported.
>>
>> This update, among other errata fixes we know nothing about (as usual),
>> disables Intel TSX instructions.  As it was widely published, Intel TSX
>> instructions in the Haswell microarchitecture are subject to a critical
>> errata that can cause unpredictable system behavior once they're used.
>
> Please go ahead.

Thank you.   Uploading now!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#773458: unblock: amd64-microcode/2.20141028.1

2014-12-18 Thread Henrique de Moraes Holschuh
tag 773458 - moreinfo
thanks

On Thu, 18 Dec 2014, Henrique de Moraes Holschuh wrote:
> On Thu, 18 Dec 2014, Adam D. Barratt wrote:
>> Control: tags -1 + confirmed moreinfo
>>
>> On Thu, 2014-12-18 at 14:44 -0200, Henrique de Moraes Holschuh wrote:
>>> Please unblock package amd64-microcode
>>>
>>>
>>> This is a freeze policy exception request, for which I apologise.
>>> The package is in non-free, it is a leaf package, and it is system firmware.
>>>
>>> This is a pre-approval request, I have not uploaded the updated package to
>>> non-free unstable yet.
>>>
>>>
>>> The changes look a bit more extensive than one would like, however they:
>>>
>>> 1. Have been tested in the sister intel-microcode package that is in
>>>    jessie already.  In fact, the maintainer scripts are now nearly identical
>>>    between the two packages.  The code that runs inside the initramfs *was
>>>    not changed* (so it is also known good and there is no chance of
>>>    regressions).  The code that runs when building the initramfs is simple,
>>>    and tested.
>> [...]
>>
>> As long as the upload can be made soon, I'd be okay with accepting this.
>> Please remove the moreinfo tag once the package has been accepted.
>
> Uploading now. As soon as I get the return mail from dinstall I will remove
> the moreinfo tag.

Package uploaded, and accepted email from dinstall received.  It will be
pushed out to unstable in the next archive run.

Removing moreinfo tag...

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#773479: pu: package intel-microcode/1.20140913.1

2014-12-18 Thread Henrique de Moraes Holschuh
On Thu, 18 Dec 2014, Henrique de Moraes Holschuh wrote:
> On Thu, 18 Dec 2014, Adam D. Barratt wrote:
>> Control: tags -1 + confirmed wheezy
>>
>> On Thu, 2014-12-18 at 17:59 -0200, Henrique de Moraes Holschuh wrote:
>>> Please approve an update of intel-microcode in non-free stable (wheezy),
>>> to version 1.20140913.1.
>>>
>>> Intel released in 2014-09-13 a new microcode update package, which targets
>>> their Haswell processors (server, mobile and desktop).
>>>
>>> The 2014-09-13 microcode update is in unstable since 2014-10-19, and in
>>> jessie since 2014-10-30.  No issues were reported.
>>>
>>> This update, among other errata fixes we know nothing about (as usual),
>>> disables Intel TSX instructions.  As it was widely published, Intel TSX
>>> instructions in the Haswell microarchitecture are subject to a critical
>>> errata that can cause unpredictable system behavior once they're used.
>>
>> Please go ahead.
>
> Thank you.   Uploading now!

Package uploaded and accepted by dinstall, it is in the queue waiting for
the unblock.

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#771610: pu: package iucode-tool/0.8.3-2

2014-12-01 Thread Henrique de Moraes Holschuh
On Mon, 01 Dec 2014, Adam D. Barratt wrote:
> On 2014-11-30 23:49, Henrique de Moraes Holschuh wrote:
>> I'd like to update the iucode-tool package in Debian stable with
>> cherry-picked fixes from upstream iucode-tool v1.1.1.
>>
>> These changes fix issues found by Coverity scan, including a buffer overrun
>> which causes an out-of-bounds dword write to an array, and some issues on
>> error paths.
>
> Please go ahead, thanks.

Thank you, uploaded.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#771610: pu: package iucode-tool/0.8.3-2

2014-11-30 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update the iucode-tool package in Debian stable with
cherry-picked fixes from upstream iucode-tool v1.1.1.

These changes fix issues found by Coverity scan, including a buffer overrun
which causes an out-of-bounds dword write to an array, and some issues on
error paths.

debdiff diffstat:
 debian/changelog                                                               |   17 ++
 debian/patches/0001-iucode_tool-cosmetic-fix-for-CID-72168.patch               |   29 +
 debian/patches/0002-iucode_tool-cosmetic-fix-for-CID-72166.patch               |   25 
 debian/patches/0003-iucode_tool-avoid-closing-already-closed-file-handle.patch |   29 +
 debian/patches/0004-iucode_tool-simplify-fd-tracking-in-scan_system_proc.patch |   57 ++
 debian/patches/0005-iucode_tool-cosmetic-fix-for-CID-72164.patch               |   25 
 debian/patches/0006-iucode_tool-fix-memory-leak-in-load_intel_microcode_.patch |   39 ++
 debian/patches/0007-iucode_tool-rework-error-path-of-load_intel_microcod.patch |   38 ++
 debian/patches/0008-iucode_tool-fix-out-of-bounds-array-access-in-load_i.patch |   31 +
 debian/patches/series                                                          |    8 +
 10 files changed, 298 insertions(+)

I've attached the full debdiff output.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh
diff -Nru iucode-tool-0.8.3/debian/changelog iucode-tool-0.8.3/debian/changelog
--- iucode-tool-0.8.3/debian/changelog	2012-08-27 21:29:36.0 -0300
+++ iucode-tool-0.8.3/debian/changelog	2014-11-30 16:32:41.0 -0200
@@ -1,3 +1,20 @@
+iucode-tool (0.8.3-2) stable; urgency=medium
+
+  * cherry-pick fixes from upstream v1.1.1
+* Add eight new patches cherry-picked from upstream iucode-tool
+  version 1.1.1, fixing several issues found by Coverity scan,
+  including one for an out-of-bounds array write to the heap:
+  + 0001-iucode_tool-cosmetic-fix-for-CID-72168.patch
+  + 0002-iucode_tool-cosmetic-fix-for-CID-72166.patch
+  + 0003-iucode_tool-avoid-closing-already-closed-file-handle.patch
+  + 0004-iucode_tool-simplify-fd-tracking-in-scan_system_proc.patch
+  + 0005-iucode_tool-cosmetic-fix-for-CID-72164.patch
+  + 0006-iucode_tool-fix-memory-leak-in-load_intel_microcode_.patch
+  + 0007-iucode_tool-rework-error-path-of-load_intel_microcod.patch
+  + 0008-iucode_tool-fix-out-of-bounds-array-access-in-load_i.patch
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Sun, 30 Nov 2014 16:28:33 -0200
+
 iucode-tool (0.8.3-1) unstable; urgency=low
 
   * New upstream release
diff -Nru iucode-tool-0.8.3/debian/patches/0001-iucode_tool-cosmetic-fix-for-CID-72168.patch iucode-tool-0.8.3/debian/patches/0001-iucode_tool-cosmetic-fix-for-CID-72168.patch
--- iucode-tool-0.8.3/debian/patches/0001-iucode_tool-cosmetic-fix-for-CID-72168.patch	1969-12-31 21:00:00.0 -0300
+++ iucode-tool-0.8.3/debian/patches/0001-iucode_tool-cosmetic-fix-for-CID-72168.patch	2014-11-30 16:21:33.0 -0200
@@ -0,0 +1,29 @@
+From: Henrique de Moraes Holschuh h...@hmh.eng.br
+Date: Tue, 28 Oct 2014 11:07:14 -0200
+Subject: iucode_tool: cosmetic fix for CID 72168
+
+Remove test for !arg.  The argument to -t is not optional and argp will
+abort before we reach that branch, so the test is not going to trigger.
+
+Alternatively, we could keep the defensive programming, but we'd have to
+add a bug guard arg in argp_error with a (arg)? arg:none;
+
+Fixes: Coverity CID 72168
+(cherry picked from commit a3919ad8a238ba2453770dd6681ac757854461f7)
+---
+ iucode_tool.c |2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iucode_tool.c b/iucode_tool.c
+index d40e3a2..4bfa167 100644
+--- a/iucode_tool.c
 b/iucode_tool.c
+@@ -1917,7 +1917,7 @@ static error_t cmdline_do_parse_arg(int key, char *arg,
+ 		break;
+ 
+ 	case 't':
+-		if (!arg || strlen(arg)  1)
++		if (strlen(arg)  1)
+ 			argp_error(state, unknown file type: %s\n, arg);
+ 		switch (*arg) {
+ 		case 'd': /* .dat */
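Review bot: in the `case 't':` branch, dropping `!arg` leaves `strlen(arg)` as an unguarded dereference that is safe only while argp keeps treating the `-t` argument as mandatory. The alternative the commit message describes (keep the test and hand `argp_error` a non-NULL placeholder string) would satisfy Coverity without relying on that; if the check stays removed, a short comment at the `strlen` call stating the argp guarantee would help.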
diff -Nru iucode-tool-0.8.3/debian/patches/0002-iucode_tool-cosmetic-fix-for-CID-72166.patch iucode-tool-0.8.3/debian/patches/0002-iucode_tool-cosmetic-fix-for-CID-72166.patch
--- iucode-tool-0.8.3/debian/patches/0002-iucode_tool-cosmetic-fix-for-CID-72166.patch	1969-12-31 21:00:00.0 -0300
+++ iucode-tool-0.8.3/debian/patches/0002-iucode_tool-cosmetic-fix-for-CID-72166.patch	2014-11-30 16:21:33.0 -0200
@@ -0,0 +1,25 @@
+From: Henrique de Moraes Holschuh h...@hmh.eng.br
+Date: Tue, 28 Oct 2014 11:11:57 -0200
+Subject: iucode_tool: cosmetic fix for CID 72166
+
+argp_state_help() will not return, as we do NOT use ARGP_NO_EXIT,
+still, add a break after it to keep Coverity happy

Bug#771214: unblock: iucode-tool/1.1.1-1

2014-11-27 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package iucode-tool

Coverity scan found a few issues in iucode-tool v1.1.  I fixed them in
iucode-tool v1.1.1.  These fixes are the only changes between v1.1 and
v1.1.1.

While many of the fixes are to error paths, one of them is for an off-by-one
overflow in a heap-allocated buffer (which writes an entire extra dword past
the end of the allocated memory region).

This new upstream release was uploaded to unstable in 2014-10-28.
Unfortunately, it did not migrate to testing before the first freeze
deadline.

It has been in use in unstable since then, and no bugs were reported.

Here's the diffstat for the debdiff:

 ChangeLog|   13 +
 README   |4 
 aclocal.m4   |7 
 config.sub   |9 -
 configure|   24 +-
 configure.ac |2 
 debian/changelog |   16 +
 debian/control   |2 
 depcomp  |  453 ---
 install-sh   |   14 -
 iucode_tool.c|   34 ++--
 missing  |  412 +-
 12 files changed, 495 insertions(+), 495 deletions(-)

Most of that is useless noise, caused by autoconf and automake.

I have attached the debdiff with the hunks caused by autoconf/automake
removed by filterdiff (i.e. with aclocal.m4, config.sub, configure,
depcomp, install-sh and missing removed).

I'd really appreciate if iucode-tool 1.1.1's migration to testing could be
approved by the release team.

Thank you!

unblock iucode-tool/1.1.1-1

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh
diff -Nru iucode-tool-1.1/aclocal.m4 iucode-tool-1.1.1/aclocal.m4
diff -Nru iucode-tool-1.1/ChangeLog iucode-tool-1.1.1/ChangeLog
--- iucode-tool-1.1/ChangeLog	2014-09-09 14:47:27.0 -0300
+++ iucode-tool-1.1.1/ChangeLog	2014-10-28 16:28:51.0 -0200
@@ -1,3 +1,16 @@
+2014-10-28, iucode_tool v1.1.1
+
+  * Fix issues found by the Coverity static checker:
++ CID 72165: An off-by-one error caused an out-of-bounds write to a
+  buffer while loading large microcode data files in ascii format
+  (will not be triggered by the data files currently issued by Intel)
++ CID 72163: The code could attempt to close an already closed file
+  descriptor in certain conditions when processing directories
++ CID 72161: Stop memory leak in error path when loading microcode
+  data files
++ CID 72159, 72164, 72166, 72167, 72168, 72169: Cosmetic issues
+  that could not cause problems at runtime.
+
 2014-09-09, iucode_tool v1.1
 
   * Don't output duplicates for microcodes with extended signatures
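Review bot: the CID 72165 entry should say what kind of buffer is overrun and by how much. The unblock request describes it as a heap-allocated buffer with a whole extra dword written past the end, and a ChangeLog reader deciding whether to backport v1.1.1 needs that without access to the Coverity report. The parenthetical about Intel's current data files would also be stronger if it named the property that keeps them from triggering the bug (the entry only hints at size with "large microcode data files").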
diff -Nru iucode-tool-1.1/config.sub iucode-tool-1.1.1/config.sub
diff -Nru iucode-tool-1.1/configure iucode-tool-1.1.1/configure
diff -Nru iucode-tool-1.1/configure.ac iucode-tool-1.1.1/configure.ac
--- iucode-tool-1.1/configure.ac	2014-09-09 14:47:27.0 -0300
+++ iucode-tool-1.1.1/configure.ac	2014-10-28 16:28:51.0 -0200
@@ -16,7 +16,7 @@
 dnl along with this program; if not, write to the Free Software
 dnl Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 
-AC_INIT([iucode_tool], [1.1])
+AC_INIT([iucode_tool], [1.1.1])
 
 AC_PREREQ([2.61])
 AC_CONFIG_SRCDIR([iucode_tool.c])
diff -Nru iucode-tool-1.1/debian/changelog iucode-tool-1.1.1/debian/changelog
--- iucode-tool-1.1/debian/changelog	2014-09-12 08:56:35.0 -0300
+++ iucode-tool-1.1.1/debian/changelog	2014-10-28 17:02:45.0 -0200
@@ -1,3 +1,19 @@
+iucode-tool (1.1.1-1) unstable; urgency=medium
+
+  * New upstream release
++ Fix issues found by the Coverity static checker:
++ CID 72165: An off-by-one error caused an out-of-bounds write to a
+  buffer while loading large microcode data files in ascii format
++ CID 72163: The code could attempt to close an already closed file
+  descriptor in certain conditions when processing directories
++ CID 72161: Stop memory leak in error path when loading microcode
+  data files
++ CID 72159, 72164, 72166, 72167, 72168, 72169: Cosmetic issues
+  that could not cause problems at runtime
+  * debian/control: bump standards version to 3.9.6
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Tue, 28 Oct 2014 17:02:42 -0200
+
 iucode-tool (1.1-1) unstable; urgency=medium
 
   * New upstream release
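Review bot: the CID 72165 item in this stanza drops the qualifier that the upstream ChangeLog entry carries ("will not be triggered by the data files currently issued by Intel"), so the two changelogs give different impressions of exposure. Either carry the qualifier over or leave it out of both; with urgency=medium as the only other severity signal, the stanza should also mark which of the four items is the memory-safety fix.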
diff -Nru iucode-tool-1.1/debian/control iucode-tool-1.1.1/debian/control
--- iucode-tool-1.1/debian/control	2014-09-11 20:48:49.0 -0300
+++ iucode-tool-1.1.1/debian/control	2014-10-28 17:02:09.0 -0200
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Henrique de Moraes Holschuh h...@debian.org
 Build-Depends: debhelper (= 7), autotools-dev, automake (= 1:1.10), autoconf (= 2.61)
-Standards-Version

Bug#771214: unblock: iucode-tool/1.1.1-1

2014-11-27 Thread Henrique de Moraes Holschuh
On Thu, 27 Nov 2014, Niels Thykier wrote:
> On 2014-11-27 17:43, Henrique de Moraes Holschuh wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock package iucode-tool
>>
>> [...]
>>
>> I'd really appreciate if iucode-tool 1.1.1's migration to testing could be
>> approved by the release team.
>>
>> Thank you!
>>
>> unblock iucode-tool/1.1.1-1
>>
>
> Unblocked, thanks.

Thank you!

And kudos to the release team for the extremely fast reply!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20141127181804.ga27...@khazad-dum.debian.net



Bug#753370: pu: package intel-microcode/1.20140624.1

2014-07-04 Thread Henrique de Moraes Holschuh
On Fri, 04 Jul 2014, Adam D. Barratt wrote:
> Control: tags -1 + pending
> On 2014-07-01 11:25, Henrique de Moraes Holschuh wrote:
>> On Tue, 01 Jul 2014, Adam D. Barratt wrote:
>>> On Mon, 2014-06-30 at 21:15 -0300, Henrique de Moraes Holschuh wrote:
>>>> Please approve a fast-track upload of intel-microcode to non-free stable
>>>> (Wheezy).
>>> [...]
>>> Please go ahead; thanks.
>>
>> Uploaded.   Thank you very much!
>
> (slightly belatedly) flagged for acceptance; thanks.

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#753370: pu: package intel-microcode/1.20140624.1

2014-07-01 Thread Henrique de Moraes Holschuh
On Tue, 01 Jul 2014, Adam D. Barratt wrote:
> On Mon, 2014-06-30 at 21:15 -0300, Henrique de Moraes Holschuh wrote:
>> Please approve a fast-track upload of intel-microcode to non-free stable
>> (Wheezy).
>
> What do you mean by a fast-track upload? It can't get into stable any
> more quickly than the point release.

As in don't wait 1 month in testing before you upload to stable...

The next point release is fine, I figure anyone that cares can get the
packages from stable-proposed-updates.

>> Intel has issued a high-priority microcode update, which better addresses
>> the critical errata already fixed by the microcode update currently in
>> wheezy-proposed-updates.
>
> [...]
>> I've attached the proposed diff, with the microcode data hunks removed for
>> brevity.
>
> Actually, you didn't. :-)

Oops.  Attached it this time.

>> Diffstat below:
>>
>>  b/changelog  |9 
>>  b/debian/changelog   |   21 
>>  b/microcode-20140624.dat |38773 +++
>>  microcode-20140430.dat   |38709 --
>>  4 files changed, 38803 insertions(+), 38709 deletions(-)
>
> Please go ahead; thanks.

Uploaded.   Thank you very much!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh
diff --git a/changelog b/changelog
index ae6a9c2..234efa5 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,12 @@
+2014-06-24:
+  * Updated Microcodes:
+sig 0x000306a9, pf mask 0x12, 2014-05-29, rev 0x001b, size 12288
+sig 0x000306c3, pf mask 0x32, 2014-05-23, rev 0x001a, size 20480
+sig 0x000306e4, pf mask 0xed, 2014-05-29, rev 0x0428, size 13312
+sig 0x000306e7, pf mask 0xed, 2014-05-29, rev 0x070d, size 15360
+sig 0x00040651, pf mask 0x72, 2014-05-23, rev 0x0018, size 19456
+sig 0x00040661, pf mask 0x32, 2014-05-23, rev 0x0010, size 23552
+
 2014-04-30:
   * New microcodes:
 sig 0x000306e7, pf mask 0xed, 2014-04-14, rev 0x070c, size 15360
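Review bot: each "Updated Microcodes" line gives only the new revision. Adding the revision it replaces (for sig 0x000306e7 the context line below shows 0x070c, now 0x070d) would let a reviewer confirm that every entry is an upgrade, which matters here because the .dat hunks are stripped from the posted diff. The heading capitalisation also differs from the "New microcodes" heading in the 2014-04-30 stanza.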
diff --git a/debian/changelog b/debian/changelog
index 0b01412..072c11b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,24 @@
+intel-microcode (1.20140624.1) stable; urgency=high
+
+  * New upstream microcode data file 20140624
++ Updated Microcodes:
+  sig 0x000306a9, pf mask 0x12, 2014-05-29, rev 0x001b, size 12288
+  sig 0x000306c3, pf mask 0x32, 2014-05-23, rev 0x001a, size 20480
+  sig 0x000306e4, pf mask 0xed, 2014-05-29, rev 0x0428, size 13312
+  sig 0x000306e7, pf mask 0xed, 2014-05-29, rev 0x070d, size 15360
+  sig 0x00040651, pf mask 0x72, 2014-05-23, rev 0x0018, size 19456
+  sig 0x00040661, pf mask 0x32, 2014-05-23, rev 0x0010, size 23552
++ High urgency: there are fast-tracked microcode updates in this
+  release which imply that critical errata are being fixed
+  * Intel strongly suggests that this CPU microcode update be applied
+to all Ivy Bridge, Haswell, and Broadwell processors (thanks to
+Canonical for the warning, refer to LP#1335156)
+  * This update is reported to better fix the errata addressed by the
+20140430 update (refer to LP#1335156)
+  * source: remove superseded upstream data file: 20140430
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Fri, 27 Jun 2014 17:00:53 -0300
+
 intel-microcode (1.20140430.1) stable; urgency=low
 
   * New upstream microcode data file 20140430
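Review bot: the stanza tells users that Intel wants this update on all Ivy Bridge, Haswell, and Broadwell processors, but the six signature lines are not mapped to those families, so an administrator cannot tell from the changelog whether a given machine is covered. Annotate each sig line with its family, and name the errata if LP#1335156 identifies them, since urgency=high currently rests on "imply that critical errata are being fixed".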
diff --git a/microcode-20140430.dat b/microcode-20140624.dat
similarity index 84%
rename from microcode-20140430.dat
rename to microcode-20140624.dat
index 0c83366..85cb04c 100644
--- a/microcode-20140430.dat
+++ b/microcode-20140624.dat


Bug#753370: pu: package intel-microcode/1.20140624.1

2014-06-30 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Please approve a fast-track upload of intel-microcode to non-free stable
(Wheezy).

Intel has issued a high-priority microcode update, which better addresses
the critical errata already fixed by the microcode update currently in
wheezy-proposed-updates.

I have also reason to believe it extends the fixes on the previous microcode
update to the other Ivy Bridge processors, but unfortunately I cannot verify
this at this time because updated releases of the Processor Specification
Updates were not published yet.

I have also reason to believe this update enables RDRAND support on at least
some of the Xeon E5-v2, so it enhances system security (unfortunately I
don't have any at hand to verify this).  It also probably fixes a very nasty
erratum that can cause immediate system failure (emergency thermal poweroff
of the processor) too early, while the processor was still well within its
thermal envelope and there was no reason to cause data loss.  These errata
are listed for the Xeon E5v2, which has the most up-to-date specification
update.

For Haswell processors, it probably fixes a nasty erratum on features that
are not yet on any released kernel (Intel PT and Intel TMX used at the same
time will cause unpredictable system behaviour)... but it could also fix
other undisclosed errata that are active on current kernels.

The update is believed safe from regressions, as no microcodes were removed.

Canonical, which has access to better information from Intel than we do, has
fast tracked this update to all currently supported Ubuntu releases,
including their LTS releases.  In fact, it was Canonical that hinted that
this update enhanced the fixes present on the previous update.

I've attached the proposed diff, with the microcode data hunks removed for
brevity.  Diffstat below:

 b/changelog  |9 
 b/debian/changelog   |   21 
 b/microcode-20140624.dat |38773 +++
 microcode-20140430.dat   |38709 --
 4 files changed, 38803 insertions(+), 38709 deletions(-)

Thank you.

-- System Information:
Debian Release: 7.5
  APT prefers proposed-updates
  APT policy: (990, 'proposed-updates'), (990, 'stable'), (500, 
'stable-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10.45+ (SMP w/8 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#751420: pu: package intel-microcode/1.20140430.1

2014-06-14 Thread Henrique de Moraes Holschuh
> On Thu, 2014-06-12 at 15:08 -0300, Henrique de Moraes Holschuh wrote:
>> As usual, we don't know what fixes were made by Intel.  The new release of
>> the microcode updates two recent Intel server CPUs: Xeon E5-v2 and Xeon
>> E7-v2.

As usual, I find out the damn thing is _really_ important well after the
fact...

The microcode update is reported to fix hangs and memory corruption of guest
VMs on the Xeon E5v2 and E7v2 processors.  Likely this is errata CA135 (from
the Xeon e5-v2 specification update).

Anyway, with this stable update we have covered almost everything.  I will
send a package update also towards Squeeze LTS, given the above.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#751420: pu: package intel-microcode/1.20140430.1

2014-06-13 Thread Henrique de Moraes Holschuh
On Fri, 13 Jun 2014, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> On Thu, 2014-06-12 at 15:08 -0300, Henrique de Moraes Holschuh wrote:
>> I'd like to update the intel-microcode package in stable non-free with the
>> current version of the intel-microcode.
>>
>> There is no regression risk, as no microcodes were removed and all other
>> changes are to documentation (changelogs).
>>
>> The new microcode has been in unstable since 2014-05-03, and in testing and
>> wheezy-backports since 2014-05-14, without any bug reports.
>>
>> As usual, we don't know what fixes were made by Intel.  The new release of
>> the microcode updates two recent Intel server CPUs: Xeon E5-v2 and Xeon
>> E7-v2.
>
> Please go ahead; thanks.

Thank you!

I've just uploaded the package.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#751420: pu: package intel-microcode/1.20140430.1

2014-06-12 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Please approve stable upload of package intel-microcode/1.20140430.1


I'd like to update the intel-microcode package in stable non-free with the
current version of the intel-microcode.

There is no regression risk, as no microcodes were removed and all other
changes are to documentation (changelogs).

The new microcode has been in unstable since 2014-05-03, and in testing and
wheezy-backports since 2014-05-14, without any bug reports.

As usual, we don't know what fixes were made by Intel.  The new release of
the microcode updates two recent Intel server CPUs: Xeon E5-v2 and Xeon
E7-v2.

diffstat:
 b/changelog  |7 
 b/debian/changelog   |   12 
 b/microcode-20140430.dat |38709 +++
 microcode-20140122.dat   |37684 -
 4 files changed, 38728 insertions(+), 37684 deletions(-)

Attached diff with the hunks for microcode*.dat removed for brevity.

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh
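The regression argument in this request and in the 1.20140624.1 request above ("no microcodes were removed") cannot be checked from the posted diffs, because the .dat hunks were stripped. As an added example (not part of the thread or of the intel-microcode package), the following checks the narrower property that the changelog stanzas do expose: no signature/platform pair ever moves to a lower or equal revision. The function names and the 2014-07-01 stanza are constructed for illustration.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "release sig pf_mask date rev size")

# Stanzas copied from the changelog hunks quoted on this page (indentation restored).
CHANGELOG = """\
2014-06-24:
  * Updated Microcodes:
    sig 0x000306a9, pf mask 0x12, 2014-05-29, rev 0x001b, size 12288
    sig 0x000306c3, pf mask 0x32, 2014-05-23, rev 0x001a, size 20480
    sig 0x000306e4, pf mask 0xed, 2014-05-29, rev 0x0428, size 13312
    sig 0x000306e7, pf mask 0xed, 2014-05-29, rev 0x070d, size 15360
    sig 0x00040651, pf mask 0x72, 2014-05-23, rev 0x0018, size 19456
    sig 0x00040661, pf mask 0x32, 2014-05-23, rev 0x0010, size 23552

2014-04-30:
  * New microcodes:
    sig 0x000306e7, pf mask 0xed, 2014-04-14, rev 0x070c, size 15360

  * Updated microcodes:
    sig 0x000306e4, pf mask 0xed, 2014-04-10, rev 0x0427, size 12288

2014-01-22:
  * New Microcodes:
    sig 0x00040661, pf mask 0x32, 2013-08-21, rev 0x000f, size 23552

  * Updated Microcodes:
    sig 0x000106e5, pf mask 0x13, 2013-08-20, rev 0x0007, size 7168
    sig 0x000306c3, pf mask 0x32, 2013-08-16, rev 0x0017, size 20480
    sig 0x000306e4, pf mask 0xed, 2013-07-09, rev 0x0416, size 11264
    sig 0x00040651, pf mask 0x72, 2013-09-14, rev 0x0017, size 19456
"""

# Constructed stanza (not from the page): rev 0x0019 is lower than 0x001a above.
CONSTRUCTED_DOWNGRADE = """\
2014-07-01:
  * Updated Microcodes:
    sig 0x000306c3, pf mask 0x32, 2014-06-30, rev 0x0019, size 20480
"""

_RELEASE = re.compile(r"^(\d{4}-\d{2}-\d{2}):\s*$")
_ENTRY = re.compile(
    r"sig (0x[0-9a-fA-F]+), pf mask (0x[0-9a-fA-F]+), "
    r"(\d{4}-\d{2}-\d{2}), rev (0x[0-9a-fA-F]+), size (\d+)"
)


def parse_changelog(text):
    """Return one Entry per 'sig ...' line, tagged with its release stanza."""
    entries, release = [], None
    for raw in text.splitlines():
        line = raw.lstrip("+ \t")  # tolerate diff '+' markers and indentation
        header = _RELEASE.match(line)
        if header:
            release = header.group(1)
            continue
        match = _ENTRY.search(line)
        if match and release:
            sig, pf_mask, date, rev, size = match.groups()
            entries.append(Entry(release, int(sig, 16), int(pf_mask, 16),
                                 date, int(rev, 16), int(size)))
    return entries


def find_downgrades(entries):
    """Return (earlier, later) pairs where a later release does not raise the revision.

    Two entries address the same processors when the signature matches and
    the platform-flag masks share at least one bit.
    """
    problems = []
    seen = {}  # signature -> entries from releases already walked
    for entry in sorted(entries, key=lambda e: e.release):  # ISO dates sort as text
        for prev in seen.get(entry.sig, []):
            same_target = prev.pf_mask & entry.pf_mask
            if prev.release != entry.release and same_target and entry.rev <= prev.rev:
                problems.append((prev, entry))
        seen.setdefault(entry.sig, []).append(entry)
    return problems


if __name__ == "__main__":
    for label, text in (("page stanzas", CHANGELOG),
                        ("with constructed stanza", CHANGELOG + CONSTRUCTED_DOWNGRADE)):
        found = find_downgrades(parse_changelog(text))
        print(label, "->", len(found), "downgrade(s)")
        for prev, cur in found:
            print("  sig 0x%08x: rev 0x%04x (%s) then rev 0x%04x (%s)"
                  % (cur.sig, prev.rev, prev.release, cur.rev, cur.release))
```

The check only sees what the changelog lists; confirming that nothing was removed still needs a signature listing of both data files.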
diff --git a/changelog b/changelog
index 201c249..ae6a9c2 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,10 @@
+2014-04-30:
+  * New microcodes:
+sig 0x000306e7, pf mask 0xed, 2014-04-14, rev 0x070c, size 15360
+
+  * Updated microcodes:
+sig 0x000306e4, pf mask 0xed, 2014-04-10, rev 0x0427, size 12288
+
 2014-01-22:
   * New Microcodes:
 sig 0x00040661, pf mask 0x32, 2013-08-21, rev 0x000f, size 23552
diff --git a/debian/changelog b/debian/changelog
index 415aff6..0b01412 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+intel-microcode (1.20140430.1) stable; urgency=low
+
+  * New upstream microcode data file 20140430
++ New microcodes:
+  sig 0x000306e7, pf mask 0xed, 2014-04-14, rev 0x070c, size 15360
++ Updated microcodes:
+  sig 0x000306e4, pf mask 0xed, 2014-04-10, rev 0x0427, size 12288
+  * source: remove superseded upstream data file: 20140122
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Sat, 03 May 2014 15:05:49 
-0300
+
 intel-microcode (1.20140122.1) stable; urgency=low
 
   * New upstream microcode data file 20140122
@@ -8,6 +19,7 @@ intel-microcode (1.20140122.1) stable; urgency=low
   sig 0x000306c3, pf mask 0x32, 2013-08-16, rev 0x0017, size 20480
   sig 0x000306e4, pf mask 0xed, 2013-07-09, rev 0x0416, size 11264
   sig 0x00040651, pf mask 0x72, 2013-09-14, rev 0x0017, size 19456
+  * source: remove superseded upstream data file: 20130906
 
  -- Henrique de Moraes Holschuh h...@debian.org  Sat, 01 Feb 2014 17:00:53 
-0200
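Review bot: the added "source: remove superseded upstream data file: 20130906" line amends the 1.20140122.1 stanza, a version that was already uploaded to stable (Bug#745210 on this page shows the stanza without it). Record the omission in the new 1.20140430.1 stanza instead of editing a released entry, so the changelog in stable keeps matching what 1.20140122.1 users have installed.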
 


Bug#745210: pu: package intel-microcode/1.20140122.1

2014-04-19 Thread Henrique de Moraes Holschuh
On Sat, 19 Apr 2014, Adam D. Barratt wrote:
> Control: tags -1 + pending
> On 2014-04-19 11:10, Adam D. Barratt wrote:
>> Control: tags -1 + wheezy confirmed
>>
>> On 2014-04-18 23:51, Henrique de Moraes Holschuh wrote:
>>> Please approve an update for wheezy for the intel-microcode package
>>> (non-free).
>>>
>>> This Intel microcode update has been available on non-free testing, unstable
>>> and wheezy-backports already for two months without issues.
>>>
>>> It updates the microcode of very widely-used processors (Ivy-Bridge, Haswell
>>> and Crystal Well Core i*, as well as Xeon E5-v2).
>>>
>>> As usual, I do not know what specific errata these updates fix, Intel did
>>> not disclose any information about it to the general public.
>>
>> Please go ahead, bearing in mind that the window for 7.5 closes
>> this weekend.
>
> For the record, this was uploaded and I've flagged it for acceptance.

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#745210: pu: package intel-microcode/1.20140122.1

2014-04-18 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Please approve an update for wheezy for the intel-microcode package
(non-free).

This Intel microcode update has been available on non-free testing, unstable
and wheezy-backports already for two months without issues.

It updates the microcode of very widely-used processors (Ivy-Bridge, Haswell
and Crystal Well Core i*, as well as Xeon E5-v2).

As usual, I do not know what specific errata these updates fix, Intel did
not disclose any information about it to the general public.


An update for wheezy stable is required so that:

1. users that have not installed the backports package (which was updated
   two months ago) can receive up-to-date microcode.

2. an update for squeeze-backports can be uploaded.


Here's the changelog of the update:
 intel-microcode (1.20140122.1) stable; urgency=low

   * New upstream microcode data file 20140122
 + New Microcodes:
   sig 0x00040661, pf mask 0x32, 2013-08-21, rev 0x000f, size 23552
 + Updated Microcodes:
   sig 0x000106e5, pf mask 0x13, 2013-08-20, rev 0x0007, size 7168
   sig 0x000306c3, pf mask 0x32, 2013-08-16, rev 0x0017, size 20480
   sig 0x000306e4, pf mask 0xed, 2013-07-09, rev 0x0416, size 11264
   sig 0x00040651, pf mask 0x72, 2013-09-14, rev 0x0017, size 19456

debdiff Diffstat:
 changelog  |   10 
 debian/changelog   |   13 
 microcode-20130906.dat |36211 ---
 microcode-20140122.dat |37684 +

I've attached the debdiff for the proposed update, with the changes to the
.dat file removed to reduce clutter.

-- System Information:
Debian Release: 7.4
  APT prefers proposed-updates
  APT policy: (990, 'proposed-updates'), (990, 'stable'), (500, 
'stable-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10.37+ (SMP w/8 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh
diff -Nru intel-microcode-1.20130906.1/changelog 
intel-microcode-1.20140122.1/changelog
--- intel-microcode-1.20130906.1/changelog  2013-09-24 21:48:47.0 
-0300
+++ intel-microcode-1.20140122.1/changelog  2014-04-18 16:46:10.0 
-0300
@@ -1,3 +1,13 @@
+2014-01-22:
+  * New Microcodes:
+sig 0x00040661, pf mask 0x32, 2013-08-21, rev 0x000f, size 23552
+
+  * Updated Microcodes:
+sig 0x000106e5, pf mask 0x13, 2013-08-20, rev 0x0007, size 7168
+sig 0x000306c3, pf mask 0x32, 2013-08-16, rev 0x0017, size 20480
+sig 0x000306e4, pf mask 0xed, 2013-07-09, rev 0x0416, size 11264
+sig 0x00040651, pf mask 0x72, 2013-09-14, rev 0x0017, size 19456
+
 2013-09-06:
   * Updated Microcodes:
 sig 0x000306c3, pf mask 0x32, 2013-08-07, rev 0x0016, size 20480
diff -Nru intel-microcode-1.20130906.1/debian/changelog 
intel-microcode-1.20140122.1/debian/changelog
--- intel-microcode-1.20130906.1/debian/changelog   2013-09-26 
14:43:51.0 -0300
+++ intel-microcode-1.20140122.1/debian/changelog   2014-04-18 
16:46:10.0 -0300
@@ -1,3 +1,16 @@
+intel-microcode (1.20140122.1) stable; urgency=low
+
+  * New upstream microcode data file 20140122
++ New Microcodes:
+  sig 0x00040661, pf mask 0x32, 2013-08-21, rev 0x000f, size 23552
++ Updated Microcodes:
+  sig 0x000106e5, pf mask 0x13, 2013-08-20, rev 0x0007, size 7168
+  sig 0x000306c3, pf mask 0x32, 2013-08-16, rev 0x0017, size 20480
+  sig 0x000306e4, pf mask 0xed, 2013-07-09, rev 0x0416, size 11264
+  sig 0x00040651, pf mask 0x72, 2013-09-14, rev 0x0017, size 19456
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Sat, 01 Feb 2014 17:00:53 
-0200
+
 intel-microcode (1.20130906.1) stable; urgency=high
 
   * New upstream microcode data file 20130906
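Review bot: the trailer of the new 1.20140122.1 stanza is dated Sat, 01 Feb 2014, while the diff header shows debian/changelog was last written on 2014-04-18 and the stanza targets stable. If the stanza was carried over from the earlier upload with only the distribution changed, refresh the trailer date or add a line saying so, so that the stanza describes the upload it ships in.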
diff -Nru intel-microcode-1.20130906.1/microcode-20130906.dat 
intel-microcode-1.20140122.1/microcode-20130906.dat
--- intel-microcode-1.20130906.1/microcode-20130906.dat 2013-09-24 
21:48:47.0 -0300
+++ intel-microcode-1.20140122.1/microcode-20130906.dat 1969-12-31 
21:00:00.0 -0300


Bug#724861: pu: package intel-microcode/1.20130906.1

2013-12-06 Thread Henrique de Moraes Holschuh
On Thu, 05 Dec 2013, Adam D. Barratt wrote:
> Control: tags -1 + pending
> On Thu, 2013-12-05 at 09:47 -0200, Henrique de Moraes Holschuh wrote:
>> On Wed, 04 Dec 2013, Adam D. Barratt wrote:
>>> Assuming this is still (a|the) version that you'd like to provide via
>>> p-u, please go ahead; apologies for the delay.
>>
>> It is, I will upload it shortly.
>
> Flagged for acceptance; thanks.

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#724861: pu: package intel-microcode/1.20130906.1

2013-12-05 Thread Henrique de Moraes Holschuh
On Wed, 04 Dec 2013, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sun, 2013-09-29 at 03:04 -0300, Henrique de Moraes Holschuh wrote:
>> On Sun, 29 Sep 2013, Cyril Brulebois wrote:
>>> There is not much data on what release managers think about rushing
>>> upgrades into p-u, but the fact there's no definitive data point on the
>>> microcode update, and the fact that it has been available for less than
>>> a week seem to point out that letting this update reach p-u before the
>>> next point release is highly unlikely.
>>
>> Let it cook for a while if you think it's best, it is not like we really know
>> how emergencial these updates are (or are not).  wheezy-backports is there
>> to help anyone that requires less latency on microcode updates.
>
> Assuming this is still (a|the) version that you'd like to provide via
> p-u, please go ahead; apologies for the delay.

It is, I will upload it shortly.

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Re: First autoremovals happen in about 8 days

2013-10-08 Thread Henrique de Moraes Holschuh
On Tue, 08 Oct 2013, Geoffrey Thomas wrote:
> Would this be addressed by building some mechanism (making tombstone
> packages comes to mind, but there are many options) for apt to
> prompt to remove packages that were removed in the archive?

It is already addressed by the user-oriented package management frontends.
E.g.  aptitude lists them separately.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#724861: pu: package intel-microcode/1.20130906.1

2013-09-29 Thread Henrique de Moraes Holschuh
On Sun, 29 Sep 2013, Cyril Brulebois wrote:
> There is not much data on what release managers think about rushing
> upgrades into p-u, but the fact there's no definitive data point on the
> microcode update, and the fact that it has been available for less than
> a week seem to point out that letting this update reach p-u before the
> next point release is highly unlikely.

Let it cook for a while if you think it's best, it is not like we really know
how emergencial these updates are (or are not).  wheezy-backports is there
to help anyone that requires less latency on microcode updates.

However, this stable update was not exactly rushed in the sense that the new
package really just changes docs and a data file, so it has negligible
chance of extra breakage when compared to what is already in p-u.

[1] even if we don't know anything about what the Intel datafile changes
*do*.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#724861: pu: package intel-microcode/1.20130906.1

2013-09-28 Thread Henrique de Moraes Holschuh
 0x0f4a, pf mask 0x5d, 2005-06-10, rev 0x0002, size 2048
+sig 0x0f62, pf mask 0x04, 2005-12-15, rev 0x000f, size 3072
+sig 0x0f64, pf mask 0x01, 2005-12-15, rev 0x0002, size 3072
+sig 0x0f64, pf mask 0x34, 2005-12-23, rev 0x0004, size 3072
+sig 0x0f65, pf mask 0x01, 2006-04-26, rev 0x0008, size 2048
+sig 0x0f65, pf mask 0x04, 2007-05-10, rev 0x000b, size 2048
+sig 0x0f68, pf mask 0x22, 2006-07-14, rev 0x0009, size 2048
 sig 0x1632, pf mask 0x00, 1998-06-10, rev 0x0002, size 2048
+sig 0x00010661, pf mask 0x01, 2007-09-19, rev 0x0038, size 4096
+sig 0x00010661, pf mask 0x02, 2007-03-16, rev 0x0031, size 4096
+sig 0x00010661, pf mask 0x04, 2007-05-01, rev 0x0036, size 4096
+sig 0x00010661, pf mask 0x80, 2007-03-16, rev 0x0033, size 4096
+sig 0x00010676, pf mask 0x01, 2008-01-19, rev 0x060b, size 4096
+sig 0x00010676, pf mask 0x04, 2008-01-19, rev 0x060b, size 4096
+sig 0x00010676, pf mask 0x10, 2008-01-19, rev 0x060b, size 4096
+sig 0x00010676, pf mask 0x40, 2008-01-19, rev 0x060b, size 4096
+sig 0x00010677, pf mask 0x10, 2008-01-19, rev 0x0703, size 4096
+sig 0x000106c1, pf mask 0x01, 2007-12-03, rev 0x0109, size 5120
diff --git a/cpu-signatures.txt b/cpu-signatures.txt
index 57f1433..e7cb036 100644
--- a/cpu-signatures.txt
+++ b/cpu-signatures.txt
@@ -51,13 +51,13 @@ i686 0x0f27  # Xeon-DP/M-P4M/P4
 i686 0x0f29  # Xeon-DP/M-P4M/P4
 i686 0x0f32  # (first seen in 2004, together with P4/Celeron-D, likely step B1)
 i686 0x0f33  # P4/Celeron D
-i686 0x0f34  # Celeron-D 32bit / Xeon 32bit
 i686 0x1632  # PII overdrive processor
 i686 0x000106c1  # Atom z5xx/N270 32bit
 i686 0x00020661  # Atom z6xx 32bit
 
 # x86-64/Intel64, also capable of i686
 # (may match some i686-only models that share signature with x86-64 models)
+Intel64 0x0f34  # Celeron-D 32bit / Xeon 64bit (nocona)
 Intel64 0x0f43  # Xeon 64bit
 Intel64 0x0f49  # Xeon MP 64bit
 Intel64 0x0f4a  # Xeon 64bit
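Review bot: moving 0x0f34 out of the i686 list means the 32-bit Celeron-D parts named in the new comment now depend on the Intel64 section also being shipped for i386. The section header says "also capable of i686", but nothing in this hunk shows how the build consumes the i686 and Intel64 tags; confirm that the i386 package still contains the 0x0f34 microcode and say so next to the moved line.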
diff --git a/debian/changelog b/debian/changelog
index ce4ce71..ecd28a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+intel-microcode (1.20130906.1) stable; urgency=high
+
+  * New upstream microcode data file 20130906
++ Updated Microcodes:
+  sig 0x000306c3, pf mask 0x32, 2013-08-07, rev 0x0016, size 20480
+  sig 0x00040651, pf mask 0x72, 2013-08-08, rev 0x0016, size 19456
++ Updated Microcodes (recently removed):
+  sig 0x000106e4, pf mask 0x09, 2013-07-01, rev 0x0003, size 6144
+  * This microcode release *likely* fixes the security issues addressed by
+the 20130808 update for signature 0x106e4 (Xeon EC3500/EC5500/LC3500/
+LC5500, Jasper Forest core), which was missing from the 20130808 update
+  * upstream changelog: trim down, sunrise now at 20080220, the first
+microcode pack with a license that allows redistribution
+  * cpu-signatures.txt: Xeon nocona cores are 64-bit, ship for amd64 arch
+(closes: #722048)
+  * source: remove superseded upstream data file: 20130808
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Tue, 24 Sep 2013 21:53:17 -0300
+
 intel-microcode (1.20130808.0+deb7u1) stable; urgency=high
 
   * New upstream microcode data file 20130808
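Review bot: "Updated Microcodes (recently removed)" is ambiguous about sig 0x000106e4. The next bullet says the signature "was missing from the 20130808 update", so the heading should say that the microcode is restored in this release. The "*likely* fixes the security issues" bullet should also state what the inference rests on, because urgency=high depends on it.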
diff --git a/microcode-20130808.dat b/microcode-20130906.dat
similarity index 92%
rename from microcode-20130808.dat
rename to microcode-20130906.dat


Bug#720125: pu: package intel-microcode/1.20130808.0+deb7u1

2013-08-26 Thread Henrique de Moraes Holschuh
On Mon, 26 Aug 2013, Adam D. Barratt wrote:
 +  * Use 1.20130808.0+deb7u1 as the Debian version to start a new
 branch that
 +sorts before 1.20130808.1, which was uploaded to unstable.
 Further
 +updates targeting stable will go into the 1.x branch.  Further
 updates
 +targeting unstable and stable-backports will go into the 2.x
 branch
 
 Well, 1.20130808.1~deb7u1 would have sorted earlier too, and have
 been far more obvious. *shrug*

True.  Sorry about that.

 Anyway, please go ahead.

Thank you.  I've uploaded the package to ftp-master, target distribution
stable.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh
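The ordering argued over in this message (why both `1.20130808.0+deb7u1` and `1.20130808.1~deb7u1` sort before `1.20130808.1`), worked through as an added example that is not part of the thread and is not dpkg's own code: a Python implementation of the Debian version comparison rules. The function names and the `REJECTED` candidate are constructed for illustration; ASCII version strings are assumed.

```python
from functools import cmp_to_key


def _weight(ch):
    """Sort weight of one character inside a non-digit run."""
    if ch.isdigit():
        return 0              # a digit ends the run; same weight as end of string
    if ch.isalpha():
        return ord(ch)        # letters sort before every other symbol
    if ch == "~":
        return -1             # tilde sorts before everything, even end of string
    return ord(ch) + 256      # '+', '.', '-' and the rest sort after letters


def _compare_component(a, b):
    """Compare two upstream-version or revision strings; returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: character by character, using _weight().
        while (i < len(a) and not a[i].isdigit()) or \
              (j < len(b) and not b[j].isdigit()):
            wa = _weight(a[i]) if i < len(a) else 0
            wb = _weight(b[j]) if j < len(b) else 0
            if wa != wb:
                return -1 if wa < wb else 1
            i += 1
            j += 1
        # Digit run: compared as an integer, an empty run counting as 0.
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(version):
    """Split into (epoch, upstream, revision): epoch before the first ':',
    revision after the last '-', both optional."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1 if a sorts before b, 0 if they are equal, 1 if a sorts after b."""
    epoch_a, upstream_a, revision_a = split_version(a)
    epoch_b, upstream_b, revision_b = split_version(b)
    if epoch_a != epoch_b:
        return -1 if epoch_a < epoch_b else 1
    return (_compare_component(upstream_a, upstream_b)
            or _compare_component(revision_a, revision_b))


def ordered(versions):
    """Sort version strings oldest first."""
    return sorted(versions, key=cmp_to_key(compare_versions))


# Version strings from the message above.
UNSTABLE = "1.20130808.1"            # already uploaded to unstable
CHOSEN = "1.20130808.0+deb7u1"       # what the changelog uses for stable
SUGGESTED = "1.20130808.1~deb7u1"    # the alternative raised in the reply
# Constructed (not from the page): '+' on the same base sorts AFTER unstable,
# which is why the stable upload could not simply append +deb7u1 to .1.
REJECTED = "1.20130808.1+deb7u1"

if __name__ == "__main__":
    for version in ordered([UNSTABLE, CHOSEN, SUGGESTED, REJECTED]):
        print(version)
```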





Bug#720125: pu: package intel-microcode/1.20130808.0+deb7u1

2013-08-18 Thread Henrique de Moraes Holschuh
, rev 0x0002, size 5120
++ This microcode update has been documented by Intel to fix a severe
+  security issue (refer to LP bug 1212497); This update is known to fix
+  several nasty errata on 1st to 4th gens of Core i3/i5/i7, and Xeon
+  5500 and later, including but not limited to:
+  + AAK167/BT248: Virtual APIC accesses with 32-bit PAE paging
+may cause system crash
+  + AAK170/BT246: The upper 32 bits of CR3 may be incorrectly used
+with 32-bit paging
++ Erratum AAK167/BT248 is nasty: If a logical processor has EPT (Extended
+  Page Tables) enabled, is using 32-bit PAE paging, and accesses the
+  virtual-APIC page then a complex sequence of internal processor
+  micro-architectural events may cause an incorrect address translation or
+  machine check on either logical processor.  This erratum may result in
+  unexpected faults, an uncorrectable TLB error logged in
+  IA32_MCi_STATUS.MCACOD (bits [15:0]), a guest or hypervisor crash, or
+  other unpredictable system behavior
+  * kernel preinst: simplify and load microcode and cpuid modules
+  * postinst: attempt to load microcode module (closes: #692535)
+  * Remove from the source package an unused upstream microcode bundle,
+which has been completely superseded by later bundles:
+microcode-20130222.dat
+  * Use 1.20130808.0+deb7u1 as the Debian version to start a new branch that
+sorts before 1.20130808.1, which was uploaded to unstable.  Further
+updates targeting stable will go into the 1.x branch.  Further updates
+targeting unstable and stable-backports will go into the 2.x branch
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Sat, 17 Aug 2013 22:44:59 -0300
+
 intel-microcode (1.20130222.1) unstable; urgency=low
 
   * New upstream microcode data file 20130222 (closes: #702152)
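Review bot: the security justification in this entry rests on "refer to LP bug 1212497" alone. The entry then lists errata AAK167/BT248 and AAK170/BT246 but never says whether either of them is the "severe security issue". State that link explicitly, or say that the issue is not publicly identified, so that someone triaging this stable update can tell which claim is documented and which is inferred.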
diff --git a/debian/intel-microcode.kpreinst b/debian/intel-microcode.kpreinst
index a4be162..defb6d4 100644
--- a/debian/intel-microcode.kpreinst
+++ b/debian/intel-microcode.kpreinst
@@ -4,26 +4,16 @@
 # Copyright (C) 2012 Henrique de Moraes Holschuh h...@hmh.eng.br
 # Released under the GPL v2 or later license
 #
-# This script makes sure the cpuid module will be loaded before
-# the kernel image replaces it.  It is necessary when cpuid is not
-# loaded or built-in, IUCODE_TOOL_SCANCPUS=yes is set, and the
-# kernel is being upgraded in-place.
+# This script makes sure the microcode and cpuid modules are
+# loaded, before the kernel image has a chance to replace them
+# with new ones that might not be compatible with the current
+# kernel.
+#
+# We need the microcode module to update microcode on postinst,
+# and the cpuid module for iucode_tool --scan-system.
 #
 
-IUCODE_CONFIG=/etc/default/intel-microcode
-
-IUCODE_TOOL=$(command -v iucode_tool)
-if [ -z ${IUCODE_TOOL} -a -x /usr/sbin/iucode_tool ] ; then
-	IUCODE_TOOL=/usr/sbin/iucode_tool
-fi
-
-IUCODE_TOOL_SCANCPUS=yes
-[ -r ${IUCODE_CONFIG} ]  . ${IUCODE_CONFIG}
-
-if [ -z ${IUCODE_TOOL} -o ${IUCODE_TOOL_SCANCPUS} != yes ] ; then
-	exit
-else
-	grep -q cpu/cpuid /proc/devices || modprobe cpuid
-fi
+modprobe -q microcode || true
+grep -q cpu/cpuid /proc/devices || modprobe -q cpuid || true
 
 :
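Review bot: the two added modprobe lines load cpuid unconditionally, while the removed block only did so when iucode_tool was found and IUCODE_TOOL_SCANCPUS was yes. If loading cpuid on every kernel preinst regardless of /etc/default/intel-microcode is intended, the new header comment should say so; otherwise keep the IUCODE_TOOL_SCANCPUS test around the cpuid line. With -q and "|| true" a load failure is also silent here, so a later problem in postinst will not point back to this script.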
diff --git a/debian/intel-microcode.postinst b/debian/intel-microcode.postinst
index 8ea4ff6..61fa9ca 100644
--- a/debian/intel-microcode.postinst
+++ b/debian/intel-microcode.postinst
@@ -19,20 +19,27 @@ set -e
 
 case $1 in
 configure)
-	if [ -e /sys/devices/system/cpu/microcode/reload ] ; then
+	# try to load the microcode module just in case.  If we succeed,
+	# it will trigger a microcode update by itself
+	if modprobe -q --first-time microcode ; then
 	echo Updating microcode on all online processors... 2
-	echo 1  /sys/devices/system/cpu/microcode/reload || {
-	echo Kernel reported failure while updating microcode! 2
-}
 	else
-	# Try all online processors, broken kernels need this,
-	# fixed kernels will accept it only on the BSP and update
-	# all processors anyway, and -EINVAL all others... but we
-	# don't know which one is the BSP, so we try all of them
-	# and hide errors, the kernel will log any real problem.
-	echo Using per-core interface to update microcode on online processors... 2
-	find /sys/devices/system/cpu -noleaf -type f -path '/sys/devices/system/cpu/cpu*/microcode/reload' | \
-		while read i ; do echo -n 1 2/dev/null $i || true ; done
+	# we have to trigger the microcode update manually
+	if [ -e /sys/devices/system/cpu/microcode/reload ] ; then
+		echo Updating microcode on all online processors... 2
+		echo 1  /sys/devices/system/cpu/microcode/reload || {
+		echo Kernel reported failure while updating microcode! 2
+		}
+	else
+		# Try all online processors, broken kernels need this,
+		# fixed kernels will accept it only on the BSP and update
+		# all processors anyway, and -EINVAL all others... but we
+		# don't know which
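
Review bot: in the new "if modprobe -q --first-time microcode" branch the script prints the "Updating microcode on all online processors..." message and nothing else, so it never reports whether the kernel applied anything, unlike the manual branch, which prints "Kernel reported failure while updating microcode!". The else branch is also taken for any modprobe failure, not only for an already loaded module; that works because it re-tests /sys/devices/system/cpu/microcode/reload, but a one-line comment saying so would help the next reader.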

Bug#703241: unblock: intel-microcode/1.20130222.1

2013-03-17 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package intel-microcode

Intel released a new version of their microcode dump, which updates the
microcode for a widely-used processor family (latest i5/i7: e.g. i5-3570k
and i7-3770s, signature 0x306a9).

Although I am not privy to any extremely serious bugs this update would
solve, it likely deals with enhanced support or stability fixes for PEBS or
the on-die memory/PCI controller.  Thus, it is probably an important update.
It is also not likely to be widely deployed on motherboards on the field,
thus being a bit more important that we distribute it.

There should be no risk of regression, as the only change was the
replacement of the latest microcode data file, and that only changed a
single microcode update (verified using per-microcode-update sha256 hashes).

The packages have been in unstable for 12 days, without any issues being
reported.

unblock intel-microcode/1.20130222.1

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-proposed-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.4.36+ (SMP w/8 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


Archive: http://lists.debian.org/20130317145155.ga6...@khazad-dum.debian.net
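
The per-update hash check mentioned in this request, as an added example that is not part of the original message or of the package's tooling: it walks the binary form of two microcode bundles (concatenated updates with the 48-byte Intel header, not the text .dat file), verifies each checksum, and reports which updates differ by SHA-256. Function names and the sample bundles are constructed for the example.

```python
import hashlib
import struct

# Intel microcode update header: nine little-endian dwords, 12 reserved bytes.
HEADER = struct.Struct("<9I12x")


def _dword_sum(raw):
    return sum(struct.unpack("<%dI" % (len(raw) // 4), raw)) & 0xFFFFFFFF


def make_update(sig, pf_mask, rev, date_bcd, payload):
    """Build a CONSTRUCTED update around filler payload, with a valid checksum."""
    total = HEADER.size + len(payload)
    fields = [1, rev, date_bcd, sig, 0, 1, pf_mask, len(payload), total]
    # All dwords of an update must sum to zero modulo 2**32.
    fields[4] = -_dword_sum(HEADER.pack(*fields) + payload) & 0xFFFFFFFF
    return HEADER.pack(*fields) + payload


def parse_bundle(blob):
    """Map (signature, pf_mask) to revision, date, size and SHA-256 per update."""
    updates, off = {}, 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("trailing bytes at offset %d" % off)
        hdrver, rev, date, sig, _ck, _ldr, pf, _dsz, tsz = HEADER.unpack_from(blob, off)
        total = tsz or 2048          # 0 means the legacy fixed 2048-byte update
        update = blob[off:off + total]
        if hdrver != 1 or total < HEADER.size or total % 4 or len(update) != total:
            raise ValueError("malformed update at offset %d" % off)
        if _dword_sum(update):
            raise ValueError("bad checksum at offset %d" % off)
        updates[(sig, pf)] = {
            "rev": rev,
            "date": "%04x-%02x-%02x" % (date & 0xFFFF, date >> 24, (date >> 16) & 0xFF),
            "size": total,
            "sha256": hashlib.sha256(update).hexdigest(),
        }
        off += total
    return updates


def diff_bundles(old_blob, new_blob):
    """List (status, sig, pf_mask, old_rev, new_rev) for every update that differs."""
    old, new = parse_bundle(old_blob), parse_bundle(new_blob)
    changes = []
    for key in sorted(old.keys() | new.keys()):
        o, n = old.get(key), new.get(key)
        if o and n and o["sha256"] == n["sha256"]:
            continue                 # byte-identical, nothing to review
        status = "changed" if o and n else ("added" if n else "removed")
        changes.append((status, key[0], key[1], o and o["rev"], n and n["rev"]))
    return changes


# CONSTRUCTED bundles. Signatures, pf masks, dates and revisions 0x619 and 0x17
# are the ones in the changelog quoted in this thread; payloads, sizes and the
# old 0x306a9 revision (0x12) and date are filler invented for the example.
UNCHANGED = make_update(0x000206D6, 0x6D, 0x619, 0x05222012, b"\x11" * 976)
OLD_BUNDLE = make_update(0x000306A9, 0x12, 0x12, 0x04122012, b"\x22" * 976) + UNCHANGED
NEW_BUNDLE = make_update(0x000306A9, 0x12, 0x17, 0x01092013, b"\x33" * 976) + UNCHANGED

if __name__ == "__main__":
    for change in diff_bundles(OLD_BUNDLE, NEW_BUNDLE):
        print(change)
```

A single "changed" row for one signature is the result that supports a "no risk of regression elsewhere" claim; any extra row is something to review before upload.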



Bug#703241: Acknowledgement (unblock: intel-microcode/1.20130222.1)

2013-03-17 Thread Henrique de Moraes Holschuh
diffstat from debdiff:
 changelog |4 
 debian/changelog  |   10 
 microcode-20120606.v2.dat |31086 --
 microcode-20130222.dat|31086 ++
 4 files changed, 31100 insertions(+), 31086 deletions(-)


Diff (excluding the microcode*.dat changes):



diff -Nru intel-microcode-1.20120606.v2.2/changelog 
intel-microcode-1.20130222.1/changelog
--- intel-microcode-1.20120606.v2.2/changelog   2012-10-08 20:57:05.0 
-0300
+++ intel-microcode-1.20130222.1/changelog  2013-03-03 19:20:03.0 
-0300
@@ -1,3 +1,7 @@
+2013-02-22:
+  * Updated Microcodes:
+sig 0x000306a9, pf mask 0x12, 2013-01-09, rev 0x0017, size 11264
+
 2012-06-06-v2 (2012-10-01):
   * Updated Microcodes:
 sig 0x000206d6, pf mask 0x6d, 2012-05-22, rev 0x0619, size 16384
diff -Nru intel-microcode-1.20120606.v2.2/debian/changelog 
intel-microcode-1.20130222.1/debian/changelog
--- intel-microcode-1.20120606.v2.2/debian/changelog2012-10-09 
08:01:08.0 -0300
+++ intel-microcode-1.20130222.1/debian/changelog   2013-03-03 
19:20:03.0 -0300
@@ -1,3 +1,13 @@
+intel-microcode (1.20130222.1) unstable; urgency=low
+
+  * New upstream microcode data file 20130222 (closes: #702152)
++ Updated Microcodes:
+sig 0x000306a9, pf mask 0x12, 2013-01-09, rev 0x0017, size 11264
+  * Remove from the source package an unused microcode data file, which
+was completely superseded by later ones: microcode-20120606-v2.dat
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Sun, 03 Mar 2013 16:59:35 
-0300
+
 intel-microcode (1.20120606.v2.2) unstable; urgency=medium
 
   * initramfs: work around initramfs-tools bug #688794.
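
Review bot: the new entry names the removed file as microcode-20120606-v2.dat, but the diffstat above lists the deleted file as microcode-20120606.v2.dat (a dot, not a hyphen, before "v2"). Correct the name in the changelog so that it matches the file that was actually dropped from the source package.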

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


Archive: http://lists.debian.org/20130318004838.gb18...@khazad-dum.debian.net



Updating processor microcode in stable (squeeze)

2013-01-28 Thread Henrique de Moraes Holschuh
Please refer to the relevant history at the bottom of this email.

Summary for debian-release:

1. We have AMD and Intel microcode update packages in Wheezy and also in
   stable-backports.  These packages have been available for a reasonable
   amount of time (~two months for AMD, ~three months for Intel), without any
   relevant issues (i.e. they're field-tested).

2. Uptake of these packages was low, and only picked up a bit after an
   announcement to some Debian MLs.  However, once they started being
   recommended by the linux-firmware-nonfree packages in Wheezy, there was
   an extreme increase of uptake, as far as popcon data can tell
   us[1][2][3].

3. These packages fix very relevant, system-crash-class issues as well as
   feature issues (such as perf support, power management) for both Intel
   and AMD processors.  The less tech-savvy the user is, the higher the
   probability of these packages being useful to the user (due to lack of
   BIOS/EFI updates being applied).

4. The microcode packages in stable (squeeze) only cover Intel processors,
   and are also very outdated.  Just updating the intel-microcode package
   in squeeze would not address the issues of AMD users at all.

5. AMD microcode updates are not easily available in any other way than
   distro packages right now.  AMD upstream said in LKML that they will sort
   it out by the time the next update needs to be published, and likely do
   it through the linux-firmware.git tree now that amd64.org is no more.

Therefore, I'd like to propose that the packages in debian-backports
(iucode-tool, amd64-microcode, intel-microcode) be uploaded to
stable-proposed-updates.  This would add one package to contrib stable
(iucode-tool), add one package to non-free stable (amd64-microcode), and
update one package in non-free stable (intel-microcode).

I'd also propose that the firmware-linux-nonfree package in stable be
updated to recommends: intel-microcode | amd64-microcode.

If this request is approved by the stable release manager, I'll rebuild the
backport packages with a stable-compatible version before the upload.  They
will supersede the backported packages, but still sort before the wheezy
packages to not cause issues with the upgrade path.

Thank you!

[1] http://packages.qa.debian.org/i/intel-microcode.html,
http://qa.debian.org/popcon.php?package=intel-microcode
[2] http://packages.qa.debian.org/a/amd64-microcode.html,
http://qa.debian.org/popcon.php?package=amd64-microcode
[3] http://packages.qa.debian.org/i/iucode-tool.html,
http://qa.debian.org/popcon.php?package=iucode-tool

On Thu, 24 Jan 2013, Ben Hutchings wrote:
> On Thu, 2013-01-24 at 01:00 -0200, Henrique de Moraes Holschuh wrote:
>> On Wed, 23 Jan 2013, Ben Hutchings wrote:
>>> On Wed, Jan 23, 2013 at 11:15:37PM +0200, Touko Korpela wrote:
>>>> When using squeeze system, with wheezy (backports) of kernel and firmware,
>>>> recently firmware-linux started to recommend intel-microcode and
>>>> amd64-microcode packages.
>>>> I think that intel-microcode recommends can be versioned, so that it prefers
>>>> reworked versions (1.20120606.1 or newer) instead of old squeeze version.
>>>
>>> I don't think a versioned Recommends will have the effect you're
>>> hoping for.
>>>
>>> Also if there have been important bug fixes to the microcode then they
>>> should be included in stable-updates, not just squeeze-backports.
>>
>> Ideally, we should get iucode-tool (which would be adding *new* package to
>> stable, something that is extremely rarely done) and the new versions of
>> amd64-microcode (also a new package for stable) and intel-microcode to
>> stable-updates.
>>
>> I can certainly create an old-style intel-microcode package for
>> stable-updates, and that will give non-broken hardware counters for stable
>> Intel users [that run with a custom kernel, stable's doesn't support perf
>> AFAIK]
>
> It does.
>
>> and some nasty bugs removed.  But AMD users would still run with
>> microcode that screws up power management, has none/broken hardware counter
>> support, and some nasty bugs that hit rarely.
>>
>> BTW, currently you cannot get AMD microcode updates from anywhere else other
>> than the distros and the internet archive.  Makes it somewhat more important
>> to add the package to stable proper, IMHO.
>>
>> Should we take this to the stable release manager?
>
> Please do.
>
>> Good, up-to-date packages *are* available in stable-backports, though.
>> Sending word to the users to install those might make more sense and give
>> better results, as people don't install these microcode packages by
>> themselves.  I've seen an absurd increase of popcon results for the two
>> microcode packages since the Recommends was added to firmware-linux.
>
> Well, perhaps that can also be updated.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique

Re: Freeze exception request for intel-microcode and amd64-microcode

2012-11-03 Thread Henrique de Moraes Holschuh
On Sat, 03 Nov 2012, Philipp Kern wrote:
> On Fri, Nov 02, 2012 at 12:06:38AM -0200, Henrique de Moraes Holschuh wrote:
>> I did!  The bug numbers mentioned in the "please consider unblocking"
>> sentence are the bug numbers of the unblock request bugs (#690285 and
>> #690286).
>
> sorry, I mentally took them for references to the bugs in the packages.
> That mail should then have been sent to the two bugs instead of d-release.
>
> Both are now unblocked, thanks for your work!

Thank you!

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


Archive: http://lists.debian.org/20121103203338.ga6...@khazad-dum.debian.net



Re: Freeze exception request for intel-microcode and amd64-microcode

2012-11-01 Thread Henrique de Moraes Holschuh
On Thu, 01 Nov 2012, Philipp Kern wrote:
> On Tue, Oct 30, 2012 at 09:14:48PM -0200, Henrique de Moraes Holschuh wrote:
>> References: bugs #690285 and #690286
>>
>> The versions of both intel-microcode and amd64-microcode currently in Wheezy
>> can trigger a nasty bug in initramfs-tools that renders the system
>> unbootable.  The packages in unstable work around this issue.
>>
>> The bug will only happen when $TMPDIR (usually /tmp) is mounted noexec at
>> the time update-initramfs is run.  While this is quite unusual, it did hit
>> one user (bug #689301).
>>
>> In addition to the changes fixing that issue, the intel-microcode package
>> also contains a new upstream release.  Intel issued a microcode hotfix for
>> all current i5/i7/Xeon processors on 2012-10-01.  Due to the very unusual
>> nature of this microcode update (it is labeled 20120606-v2 by Intel, a
>> strong hint that it is fixing mishaps in the microcode release currently in
>> Wheezy), and the inclusion of microcode updates even to very high-end Xeon
>> E7 processors, it is likely fixing something very relevant.
>>
>> The packages have been 20 days in unstable already, without any issues
>> reported.
>>
>> Please consider unblocking intel-microcode (#690286) and amd64-microcode
>> (#690285).
>
> Really pretty please file an unblock bug for each package next time, thanks.

I did!  The bug numbers mentioned in the "please consider unblocking"
sentence are the bug numbers of the unblock request bugs (#690285 and #690286).

I am sorry I was not sufficiently clear about it in the message.

 @@ -9,7 +9,7 @@
  
  # dependencies: firmware loader, microcode kernel support (built-in/module)
  
 -PREREQ=udev
 +PREREQ=
  
  prereqs()
  {
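
Review bot: PREREQ is emptied with no comment beside it, and the "# dependencies:" comment above it still reads as if something has to run first. Add a line there saying that ordering comes from the hook directory (the reply below explains that udev runs in init-top, before init-premount), so that nobody re-adds the prerequisite later.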
 
> If the main problem was in the name of the script, why is this still needed?

Because udev is not present in the hook level intel-microcode and
amd64-microcode run in (init-premount); it belongs to a hook level that runs
BEFORE that (init-top).

Therefore, that PREREQ was an error, and since I was already fixing breakage
in the interaction with initramfs-tools, I decided it was better to remove
the bogus PREREQ in case someone backports the package to a system with a
much older initramfs-tools (which doesn't support missing prereqs), or a
future version of initramfs-tools decides to not ignore the bogus PREREQ
anymore.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


Archive: http://lists.debian.org/20121102020638.ga3...@khazad-dum.debian.net



Freeze exception request for intel-microcode and amd64-microcode

2012-10-30 Thread Henrique de Moraes Holschuh
References: bugs #690285 and #690286

The versions of both intel-microcode and amd64-microcode currently in Wheezy
can trigger a nasty bug in initramfs-tools that renders the system
unbootable.  The packages in unstable work around this issue.

The bug will only happen when $TMPDIR (usually /tmp) is mounted noexec at
the time update-initramfs is run.  While this is quite unusual, it did hit
one user (bug #689301).

In addition to the changes fixing that issue, the intel-microcode package
also contains a new upstream release.  Intel issued a microcode hotfix for
all current i5/i7/Xeon processors on 2012-10-01.  Due to the very unusual
nature of this microcode update (it is labeled 20120606-v2 by Intel, a
strong hint that it is fixing mishaps in the microcode release currently in
Wheezy), and the inclusion of microcode updates even to very high-end Xeon
E7 processors, it is likely fixing something very relevant.

The packages have been 20 days in unstable already, without any issues
reported.

Please consider unblocking intel-microcode (#690286) and amd64-microcode
(#690285).

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


Archive: http://lists.debian.org/20121030231447.ga9...@khazad-dum.debian.net
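
The trigger condition described in this request ($TMPDIR on a noexec mount when update-initramfs runs), as an added pre-flight check that is not part of the original message or of either package: it finds the mount that holds $TMPDIR in /proc/mounts-style text and reports whether it carries noexec. Function names and the sample mount table are constructed; symlinks in the path are not resolved.

```python
import os
import re


def _unescape(field):
    """Decode the octal escapes (\\040 for a space, etc.) used in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def mount_for(path, mounts_text):
    """Return (mount_point, options) of the file system that holds path."""
    path = os.path.normpath(path)
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = os.path.normpath(_unescape(fields[1]))
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            # Longest mount point wins; on a tie the later line is mounted on top.
            if best is None or len(mnt) >= len(best[0]):
                best = (mnt, set(fields[3].split(",")))
    return best


def tmpdir_is_noexec(mounts_text, environ):
    """True when $TMPDIR (default /tmp) sits on a mount with the noexec option."""
    tmpdir = environ.get("TMPDIR") or "/tmp"
    found = mount_for(tmpdir, mounts_text)
    return found is not None and "noexec" in found[1]


# CONSTRUCTED mount table in /proc/mounts format.
SAMPLE_MOUNTS = r"""rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/tmp\040build ext4 rw,relatime 0 0
"""

if __name__ == "__main__":
    # On a live system, read the real table and environment instead.
    with open("/proc/mounts") as fh:
        print("TMPDIR is noexec:", tmpdir_is_noexec(fh.read(), os.environ))
```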


