I have repackaged this again based on the discussion on the ubuntu-release
mailing list.  I have avoided any other changes that
didn't appear absolutely necessary.  I have uploaded the resulting
packages to my ppa available here

https://launchpad.net/~chiluk/+archive/ubuntu/1700373

I would appreciate any additional testing I can get on these packages.
Please keep your testing succinct to the following information.

I have tested
Skylake with signature 0x506e3 + 4.8.0-58-generic kernel + xenial = revision 0xba
Kabylake with signature 0x906e9 + 4.10.0.27 kernel + xenial = revision 0x5e
Ivybridge with signature 0x000306a9 + 4.4.0-83-generic + xenial = revision 0x1c
Ivybridge with signature 0x000306a9 + 4.8.0-58-generic + yakkety = revision 0x1c


I have also again uploaded the correctly versioned packages to the Upload 
queues for X and Y.  I'll be updating the SRU template shortly as well.
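As an added example (not part of this bug report or the intel-microcode packaging), a POSIX shell script that encodes the family/model/stepping values printed by the [Test case reporting] commands into the signature form used in the results above (0x506e3, 0x906e9, 0x306a9) and compares the microcode revision line against an expected minimum; the expected_revision table, the function names and the sample cpuinfo text are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug report or the intel-microcode package:
# encode family/model/stepping as the CPUID signature used in microcode
# listings (6/94/3 -> 0x506e3) and compare the loaded revision to a minimum.

# Signature layout: ext family bits 27:20, ext model 19:16, family 11:8,
# model 7:4, stepping 3:0.  Usage: cpu_signature FAMILY MODEL STEPPING
cpu_signature() {
    ext_family=0; base_family=$1
    [ "$1" -lt 15 ] || { ext_family=$(($1 - 15)); base_family=15; }
    printf '0x%x\n' $(( (ext_family << 20) | (($2 >> 4) << 16) | \
        (base_family << 8) | (($2 & 0xf) << 4) | ($3 & 0xf) ))
}

# Minimum revision per signature: the values observed in this bug's testing,
# kept here as an assumption; extend it with your own expected revisions.
expected_revision() {
    case "$1" in
        0x506e3) echo 0xba ;;   # Skylake
        0x906e9) echo 0x5e ;;   # Kaby Lake
        0x306a9) echo 0x1c ;;   # Ivy Bridge
    esac
}

# Reads cpuinfo text on stdin (real use: check_microcode < /proc/cpuinfo),
# prints "<signature> <revision> <OK|OLD|UNKNOWN>" and succeeds only on OK.
check_microcode() {
    set -- $(awk -F: '
        /^cpu family/          { f = $2 + 0 }
        /^model[[:space:]]*:/  { m = $2 + 0 }
        /^stepping/            { s = $2 + 0 }
        /^microcode/           { u = $2; gsub(/[[:space:]]/, "", u) }
        END { print f, m, s, u }')
    [ $# -ge 3 ] || { echo "no family/model/stepping in input"; return 2; }
    sig=$(cpu_signature "$1" "$2" "$3"); rev=${4:-0x0}
    want=$(expected_revision "$sig")
    if [ -z "$want" ]; then status=UNKNOWN
    elif [ $((rev)) -ge $((want)) ]; then status=OK
    else status=OLD; fi
    echo "$sig $rev $status"
    [ "$status" = OK ]
}
# Constructed sample in the layout of /proc/cpuinfo (Skylake, revision 0xba).
SAMPLE_CPUINFO='cpu family  : 6
model       : 94
model name  : Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
stepping    : 3
microcode   : 0xba'
printf '%s\n' "$SAMPLE_CPUINFO" | check_microcode
```

After the reboot step, run it on the live machine with check_microcode < /proc/cpuinfo; a non-zero exit means the revision is below the table's value or the signature is not listed.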


** Description changed:

  [Impact]
  
  * A security fix has been made available as part of intel-microcode
  * It is advisable to apply it
  * Thus an SRU of the latest intel-microcode is desirable for all stable 
releases
  
  [Test Case]
  
  * Upgrade intel-microcode package, if it is already installed / one is
  running on Intel CPUs
  
  * Reboot and verify no averse results, and/or that microcode for your
  cpu was loaded as expected.
  
  [Test case reporting]
  * Please paste the output of:
  
  dpkg-query -W intel-microcode
  grep -E 'model|stepping' /proc/cpuinfo | sort -u
  journalctl -k | grep microcode
  
  [Regression Potential]
  Microcode updates are proprietary blobs and can cause any number of new
  errors and regressions. Microcode bugs have been reported before, so
  longer-than-usual phasing and monitoring of intel-microcode bugs should
  be done with extra care.
  
  [Other]
  caml discussion describing test case to reproduce the crash.
  https://caml.inria.fr/mantis/view.php?id=7452
+ 
+ * I did not backport the full debian/changelog, as some of the changes
+ were omitted for SRU purposes, and I don't like the idea of modifying
+ the changelog of others.
+ 
+ * I did not backport the change below, but I feel as though the SRU team
+ should evaluate including it.  I left it out due to the "change as little as
+ possible" guidance from the SRU team.  Additionally, the microcode version that
+ included this change was somewhere around 20111205. More information here
+ 
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00030&languageid=en-fr
 
+ 
+ '''
+ # 0x206c2: Intel Westmere B1 (Xeon 3600, 5600, Core i7 2nd gen).
+ #
+ # When Intel released a fix for Intel SA-00030, they issued a MCU that
+ # bumps the minimum acceptable version of the Intel TXT ACMs in the
+ # TPM persistent storage.  This permanently blacklists the vulnerable
+ # ACMs *even on older microcode* in order to make it somewhat harder
+ # to work around the security fix through a BIOS downgrade attack.
+ #
+ # It is possible that such a microcode update, when performed by the
+ # operating system, could successfully trigger the TPM persistent
+ # storage update Intel intended to happen during firmware boot: we
+ # simply don't know enough to rule it out.  Should that happen, Intel
+ # TXT will be permanently disabled.  This could easily interact very
+ # badly with the firmware, rendering the system unbootable.  If *that*
+ # happens, it would likely require either a TPM module replacement
+ # (rendering sealed data useless) or a direct flash of a new BIOS with
+ # updated ACMs, to repair.
+ #
+ # Blacklist updates for signature 0x206c2 as a safety net.
+ IUC_EXCLUDE += -s !0x206c2
+ '''
+ 
+ * I versioned the packages 3.20170511.1~ubuntu<release> as I feel this
+ more appropriately reflects the contents of each package rather than
+ simply incrementing the ubuntu version number.
+ 
  
  =========================================================================
  
  [Original bug report]
  
  NB: I am *not* directly affected by this bug.
  
  Henrique emailed a warning to Debian devel today [1] on a potentially
  serious issue with (sky|kaby)lake processors. Excerpt:
  
  "This warning advisory is relevant for users of systems with the Intel
  processors code-named "Skylake" and "Kaby Lake".  These are: the 6th and
  7th generation Intel Core processors (desktop, embedded, mobile and
  HEDT), their related server processors (such as Xeon v5 and Xeon v6), as
  well as select Intel Pentium processor models.
  
  TL;DR: unfixed Skylake and Kaby Lake processors could, in some
  situations, dangerously misbehave when hyper-threading is enabled.
  Disable hyper-threading immediately in BIOS/UEFI to work around the
  problem.  Read this advisory for instructions about an Intel-provided
  fix."
  
  It is probably a good idea to:
  (1) issue a warning to our users about this;
  (2) update intel-microcode on all our supported releases
  
  I leave the discussion on whether this can have security implications to
  others.
  
  [1] https://lists.debian.org/debian-devel/2017/06/msg00308.html
  
  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: intel-microcode 3.20161104.1
  ProcVersionSignature: Ubuntu 4.10.0-24.28-generic 4.10.15
  Uname: Linux 4.10.0-24-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  CurrentDesktop: Unity:Unity7
  Date: Sun Jun 25 10:14:19 2017
  InstallationDate: Installed on 2017-05-26 (30 days ago)
  InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
  SourcePackage: intel-microcode
  UpgradeStatus: No upgrade log present (probably fresh install)

Title:
  intel-microcode is out of date, version 20170511 fixes errata on 6th
  and 7th generation platforms

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs