diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:10:09 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:10:09 +0000 |
commit | 28e0365bc884ef0aac5f1f984de707491dbf80e9 (patch) | |
tree | de63b23e2cb2fcd055f6d2cbc96b6906a3b28a8b /debian | |
parent | Adding upstream version 3.20230808.1.1~deb12u1. (diff) | |
download | amd64-microcode-28e0365bc884ef0aac5f1f984de707491dbf80e9.tar.xz amd64-microcode-28e0365bc884ef0aac5f1f984de707491dbf80e9.zip |
Adding debian version 3.20230808.1.1~deb12u1.debian/3.20230808.1.1_deb12u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | debian/NEWS | 36 | ||||
-rw-r--r-- | debian/README.Debian | 100 | ||||
-rw-r--r-- | debian/amd64-microcode.default | 13 | ||||
-rw-r--r-- | debian/amd64-microcode.dirs | 4 | ||||
-rw-r--r-- | debian/amd64-microcode.docs | 1 | ||||
-rw-r--r-- | debian/amd64-microcode.install | 2 | ||||
-rw-r--r-- | debian/amd64-microcode.modprobe-blacklist | 3 | ||||
-rw-r--r-- | debian/amd64-microcode.postinst | 46 | ||||
-rw-r--r-- | debian/amd64-microcode.postrm | 42 | ||||
-rw-r--r-- | debian/changelog | 420 | ||||
-rw-r--r-- | debian/compat | 1 | ||||
-rw-r--r-- | debian/control | 24 | ||||
-rw-r--r-- | debian/copyright | 89 | ||||
-rwxr-xr-x | debian/initramfs.hook | 127 | ||||
-rwxr-xr-x | debian/rules | 33 | ||||
-rw-r--r-- | debian/source/format | 1 |
16 files changed, 942 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 0000000..0780d06 --- /dev/null +++ b/debian/NEWS @@ -0,0 +1,36 @@ +amd64-microcode (3.20230808.1) unstable; urgency=high + + This release requires *either* new-enough system firmware, *or* a + recent-enough Linux kernel to properly work on AMD Genoa and Bergamo + processors. + + The firmware requirement is AGESA 1.0.0.8 or newer. + + The Linux kernel requirement is a group of patches that are already + present in the Linux stable/LTS trees since versions: v4.19.289, + v5.4.250, v5.10.187, v5.15.120, v6.1.37, v6.3.11 and v6.4.1. These + patches are also present in Linux v6.5-rc1. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 10 Aug 2023 09:32:37 -0300 + +amd64-microcode (2.20141028.1) unstable; urgency=medium + + This release drops support for automatically applying microcode updates + without a reboot. The microcode updates can still be applied without a + reboot through manual action of the system administrator. + + This is a defensive measure. At this time, there are no reported + issues caused by the AMD microcode update itself when done outside of + the boot process. + + However, updating only on boot works around a very elusive issue in + the Linux kernel microcode update driver for AMD processors, which + may or may not have been fixed in the latest stable/long-term + kernels. + + It is now possible to configure how the amd64-microcode package should + behave through the /etc/default/amd64-microcode file. By default, it + will install microcode update support to the initramfs only when + running in a system with an AMD processor. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 17 Dec 2014 19:17:30 -0200 diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..b0116a4 --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,100 @@ +amd64-microcode for Debian +-------------------------- + +Introduction: + +AMD AMD64 processors are capable of field-upgrading their control program +(microcode). These microcode updates correct processor errata, and are +often important for safe, correct system operation. + +While most of the microcode updates fix problems that happen extremely +rarely, there are enough updates fixing issues that would cause system +lockup, memory corruption, or unpredictable system behavior, to warrant +taking it seriously. + +Microcode updates are ephemeral: they will be lost after a processor hard +reset or after the processor is powered off. They must be reapplied at +every boot and after the system wakes up from suspend to RAM or disk. + +Updating the processor microcode is the responsibility of the system +firmware (BIOS or EFI). However, not all vendors will release timely +updates for their firmware when AMD releases updated microcode, and most +users don't update their system firmware in a timely fashion (or at all) +anyway. + +The end result is that, unless some other method of distributing microcode +updates is in place, the processor in many systems will be running with +outdated microcode, increasing the chances of incorrect system operation. + +Debian can apply microcode updates to the system processors during the +operating system boot automatically. This requires the use of a suitably +configured Linux kernel 3.14 or later, and an initramfs. + + +Installing microcode updates: + +For the Debian default kernel, it is enough to install the amd64-microcode +package as well as the initramfs-tools package and the microcode update +will be applied automatically at the next reboot. + +It is also possible to use "dracut" instead of initramfs-tools, but the +support for early microcode updates must be enabled manually in +dracut.conf (set the option "early_microcode=yes"). Force an update of +the initramfs using dracut, and reboot. Note that since Linux kernel 4.4, +one must use dracut 044 or later. + +Applying the microcode updates without the use of an early initramfs is +not automatically supported anymore, due to future safety concerns. +However, the local administrator may trigger an immediate microcode update +attempt at any time, at her own risk: + + USING AN INITRAMFS+REBOOT IS SAFER. DO THIS ONLY WHEN YOU KNOW BETTER: + as root: + echo 1 > /sys/devices/system/cpu/microcode/reload + + +RECOVERY PROCEDURE: + +It is possible for a microcode update to not work well, or to not work at +all on specific system models. This is very rare when using the safe +microcode update procedure described above and an up-to-date Linux kernel, +but it has happened at least once. + +Should you experience problems because of the microcode update, you will +have to bypass the microcode update process that happens during operating +system startup (boot), and remove the amd64-microcode package until the +underlying issue is fixed. + +To bypass the microcode update during system startup, you must instruct the +boot loader (grub, lilo, etc) to pass the "dis_ucode_ldr" parameter +(without the quotes) to the kernel. + +If your system uses grub (the default bootloader in Debian): + + 1. Access the grub menu during boot (press and hold the left "Shift" + key right after starting the system up if you don't see a grub menu + during boot); + + 2. Move the highlight/cursor to the kernel/boot option you want to + use, and press the "e" key to edit it; + + 3. Locate the line that starts with "linux" using the cursor + keys. You must add the word "dis_ucode_ldr" (without the quotes) to + the end of that line; + + 4. Press "Ctrl+X" to start (boot) the system. The microcode updates + will be skipped. + +After the system is running, remove or purge the amd64-microcode package. + +If removing/purging the package doesn't do it automatically for some +reason, refresh the initramfs using the "update-initramfs -u" command (as +the root user), and possibly "update-initramfs -u -k <kernel version>". + +"dracut" users, please refer to the dracut documentation on how to update +the initramfs images for every installed kernel. + +Please report any issues caused by microcode updates to the mailing-list or +to the Debian bug tracker. + + -- Henrique de Moraes Holschuh <hmh@debian.org>, 2016-04-05 diff --git a/debian/amd64-microcode.default b/debian/amd64-microcode.default new file mode 100644 index 0000000..7254c01 --- /dev/null +++ b/debian/amd64-microcode.default @@ -0,0 +1,13 @@ +# Configuration script for amd64-microcode version 3 + +# +# initramfs helper +# + +# +# Set this to "no" to disable automatic microcode updates on boot; +# Set this to "early" to always install microcode updates to the early initramfs +# Set this to "auto" to autodetect mode for current system (default); +# +#AMD64UCODE_INITRAMFS=auto + diff --git a/debian/amd64-microcode.dirs b/debian/amd64-microcode.dirs new file mode 100644 index 0000000..0790bdb --- /dev/null +++ b/debian/amd64-microcode.dirs @@ -0,0 +1,4 @@ +etc/default +etc/modprobe.d +lib/firmware/amd-ucode +lib/firmware/amd diff --git a/debian/amd64-microcode.docs b/debian/amd64-microcode.docs new file mode 100644 index 0000000..e845566 --- /dev/null +++ b/debian/amd64-microcode.docs @@ -0,0 +1 @@ +README diff --git a/debian/amd64-microcode.install b/debian/amd64-microcode.install new file mode 100644 index 0000000..40d0e9c --- /dev/null +++ b/debian/amd64-microcode.install @@ -0,0 +1,2 @@ +amd-ucode/*bin lib/firmware/amd-ucode +amd/*sev*bin lib/firmware/amd diff --git a/debian/amd64-microcode.modprobe-blacklist b/debian/amd64-microcode.modprobe-blacklist new file mode 100644 index 0000000..1dc2c23 --- /dev/null +++ b/debian/amd64-microcode.modprobe-blacklist @@ -0,0 +1,3 @@ +# The microcode module attempts to apply a microcode update when +# it autoloads. This is not always safe, so we block it by default. +blacklist microcode diff --git a/debian/amd64-microcode.postinst b/debian/amd64-microcode.postinst new file mode 100644 index 0000000..453fd98 --- /dev/null +++ b/debian/amd64-microcode.postinst @@ -0,0 +1,46 @@ +#!/bin/sh +# postinst script for amd64-microcode +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * <postinst> `configure' <most-recently-configured-version> +# * <old-postinst> `abort-upgrade' <new version> +# * <conflictor's-postinst> `abort-remove' `in-favour' <package> +# <new-version> +# * <postinst> `abort-remove' +# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' +# <failed-install-package> <version> `removing' +# <conflicting-package> <version> +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + +case "$1" in + configure) + # do it like udev and firmware-linux-* + if [ -x /usr/sbin/update-initramfs ] && [ -e /etc/initramfs-tools/initramfs.conf ] ; then + update-initramfs -u && { + echo "amd64-microcode: microcode will be updated at next boot" >&2 + } + else + echo "amd64-microcode: initramfs support missing" >&2 + fi + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/amd64-microcode.postrm b/debian/amd64-microcode.postrm new file mode 100644 index 0000000..c775b42 --- /dev/null +++ b/debian/amd64-microcode.postrm @@ -0,0 +1,42 @@ +#!/bin/sh +# postrm script for amd64-microcode +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * <postrm> `remove' +# * <postrm> `purge' +# * <old-postrm> `upgrade' <new-version> +# * <new-postrm> `failed-upgrade' <old-version> +# * <new-postrm> `abort-install' +# * <new-postrm> `abort-install' <old-version> +# * <new-postrm> `abort-upgrade' <old-version> +# * <disappearer's-postrm> `disappear' <overwriter> +# <overwriter-version> +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + +case "$1" in + purge|remove) + if [ -x /usr/sbin/update-initramfs -a -e /etc/initramfs-tools/initramfs.conf ] ; then + update-initramfs -u + fi + ;; + + upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..fd5fbd3 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,420 @@ +amd64-microcode (3.20230808.1.1~deb12u1) bookworm; urgency=medium + + * Rebuild for bookworm (no changes) + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 02 Sep 2023 19:49:26 -0300 + +amd64-microcode (3.20230808.1.1) unstable; urgency=high + + * Update package data from linux-firmware 20230804-6-gf2eb058a + * Fixes for CVE-2023-20569 "AMD Inception" on AMD Zen4 processors + (closes: #1043381) + * WARNING: for proper operation on AMD Genoa and Bergamo processors, + either up-to-date BIOS (with AGESA 1.0.0.8 or newer) or up-to-date + Linux kernels (minimal versions on each active Linux stable branch: + v4.19.289 v5.4.250 v5.10.187 v5.15.120 v6.1.37 v6.3.11 v6.4.1) + are *required* + * New Microcode patches: + + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e + + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e + + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 + + Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 + * README: update for new release + * debian/NEWS: AMD Genoa/Bergamo kernel version restrictions + * debian/changelog: update entry for release 3.20230719.1, noting + that it included fixes for "AMD Inception" for Zen3 processors. + We did not know about AMD Inception at the time, but we always + include all available microcode updates when issuing a new + package, so we lucked out. + * debian/changelog: correct some information in 3.20230808.1 + entry and reupload as 3.20230808.1.1. There's no Zenbleed + for Zen4... oops! + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 10 Aug 2023 10:18:38 -0300 + +amd64-microcode (3.20230719.1~deb12u1) bookworm-security; urgency=high + + * Rebuild for bookworm-security (no changes) + + -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 24 Jul 2023 13:55:18 -0300 + +amd64-microcode (3.20230719.1) unstable; urgency=high + + * Update package data from linux-firmware 20230625-39-g59fbffa9: + * Fixes for CVE-2023-20593 "Zenbleed" on AMD Zen2 processors + (closes: #1041863) + * Fixes for CVE-2023-20569 "AMD Inception" on AMD Zen3 processors + (this changelog entry time-travelled from the future, we were + lucky we always include all microcode updates available) + * New Microcode patches: + + Family=0x17 Model=0xa0 Stepping=0x00: Patch=0x08a00008 + * Updated Microcode patches: + + Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107a + + Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001079 + + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d1 + + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001234 + * README: update for new release + + -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 24 Jul 2023 13:07:34 -0300 + +amd64-microcode (3.20230414.1) unstable; urgency=medium + + * Update package data from linux-firmware 20230404-38-gfab14965: + (closes: #1031103) + * Updated Microcode patches: + + Family=0x17 Model=0x31 Stepping=0x00: Patch=0x08301072 + + Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001078 + + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011ce + + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001231 + * README: update for new release + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 28 Apr 2023 17:24:39 -0300 + +amd64-microcode (3.20220411.2) unstable; urgency=medium + + * Move source and binary from non-free/admin to non-free-firmware/admin + following the 2022 General Resolution about non-free firmware. + + -- Cyril Brulebois <kibi@debian.org> Fri, 17 Feb 2023 01:19:05 +0100 + +amd64-microcode (3.20220411.1) unstable; urgency=medium + + * Update package data from linux-firmware 20220411: + * New microcode updates from AMD upstream (20220408) + (closes: #1006444, #1009333) + + New Microcode patches: + sig 0x00830f10, patch id 0x08301055, 2022-02-15 + sig 0x00a00f10, patch id 0x0a001058, 2022-02-10 + sig 0x00a00f11, patch id 0x0a001173, 2022-01-31 + sig 0x00a00f12, patch id 0x0a001229, 2022-02-10 + + Updated Microcode patches: + sig 0x00800f12, patch id 0x0800126e, 2021/11/11 + * New AMD-SEV firmware from AMD upstream (20220308) + Fixes: CVE-2019-9836 (closes: #970395) + + New SEV firmware: + Family 17h models 00h-0fh: version 0.17 build 48 + Family 17h models 30h-3fh: version 0.24 build 15 + Family 19h models 00h-0fh: version 1.51 build 3 + * README: update for new release + * debian: ship AMD-SEV firmware. + Upstream license is the same license used for amd-ucode + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 15 Apr 2022 18:27:36 -0300 + +amd64-microcode (3.20191218.1) unstable; urgency=medium + + * New microcode update packages from AMD upstream: + + Removed Microcode updates (known to cause issues): + sig 0x00830f10, patch id 0x08301025, 2019-07-11 + * README: update for new release + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 20 Dec 2019 18:36:27 -0300 + +amd64-microcode (3.20191021.1) unstable; urgency=medium + + * New microcode update packages from AMD upstream: + + New Microcodes: + sig 0x00830f10, patch id 0x08301025, 2019-07-11 + + Updated Microcodes: + sig 0x00800f12, patch id 0x08001250, 2019-04-16 + sig 0x00800f82, patch id 0x0800820d, 2019-04-16 + * README: update for new release + + -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 22 Oct 2019 21:00:17 -0300 + +amd64-microcode (3.20181128.1) unstable; urgency=medium + + * New microcode update packages from AMD upstream: + + New Microcodes: + sig 0x00800f82, patch id 0x0800820b, 2018-06-20 + * README: update for new release + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 15 Dec 2018 18:42:12 -0200 + +amd64-microcode (3.20180524.1) unstable; urgency=high + + * New microcode update packages from AMD upstream: + + Re-added Microcodes: + sig 0x00610f01, patch id 0x06001119, 2012-07-13 + * This update avoids regressing sig 0x610f01 processors on systems with + outdated firmware by adding back exactly the same microcode patch that was + present before [for these processors]. It does not implement Spectre-v2 + mitigation for these processors. + * README: update for new release + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 25 May 2018 15:38:22 -0300 + +amd64-microcode (3.20180515.1) unstable; urgency=high + + * New microcode update packages from AMD upstream: + + New Microcodes: + sig 0x00800f12, patch id 0x08001227, 2018-02-09 + + Updated Microcodes: + sig 0x00600f12, patch id 0x0600063e, 2018-02-07 + sig 0x00600f20, patch id 0x06000852, 2018-02-06 + + Removed Microcodes: + sig 0x00610f01, patch id 0x06001119, 2012-07-13 + * Adds Spectre v2 (CVE-2017-5715) microcode-based mitigation support, + plus other unspecified fixes/updates. + * README, debian/copyright: update for new release + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 19 May 2018 13:51:06 -0300 + +amd64-microcode (3.20171205.2) unstable; urgency=medium + + * debian/control: update Vcs-* fields for salsa.debian.org + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 04 May 2018 07:51:40 -0300 + +amd64-microcode (3.20171205.1) unstable; urgency=high + + * New microcode updates (closes: #886382): + sig 0x00800f12, patch id 0x08001213, 2017-12-05 + Thanks to SuSE for distributing these ahead of AMD's official release! + * Add IBPB support for family 17h AMD processors (CVE-2017-5715) + * README: describe source for faml17h microcode update + * Upload to unstable to match IBPB microcode support on Intel in Debian + unstable. + * WARNING: requires at least kernel 4.15, 4.14.13, 4.9.76, 4.4.111 (or a + backport of commit f4e9b7af0cd58dd039a0fb2cd67d57cea4889abf + "x86/microcode/AMD: Add support for fam17h microcode loading") otherwise + it will not be applied to the processor. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 08 Jan 2018 12:19:57 -0200 + +amd64-microcode (3.20160316.3) unstable; urgency=medium + + * initramfs: Make the early initramfs reproducible (closes: #845194) + * rules: switch to simplified dh-based build (debhelper v9) + + -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 29 Nov 2016 23:54:53 -0200 + +amd64-microcode (3.20160316.2) unstable; urgency=medium + + * NEWS.debian: fix minor typo + * debian/control, debian/compat: bump debhelper compat mode to 9 + * debian/control: bump standards version to 3.9.8 (no changes needed) + * debian/: prefix binary-package control files with package name + * debian/control: recommend tiny-initramfs as an alternative to + initramfs-tools tiny-initramfs specifically supports early microcode + updates, so it is a viable alternative to initramfs-tools + (closes: #839882) + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 09 Oct 2016 15:43:16 -0300 + +amd64-microcode (3.20160316.1) unstable; urgency=low + + * Bump major version number to 3: early-initramfs support + * Support is now restricted to Linux kernel 3.14 and later. For older + kernels, please use the version 2 (older) branch of the package. + * Implement early-initramfs mode, and remove normal mode + * debian/control: add versioned recommends for initramfs-tools and + dracut. Note that dracut 044 is required for Linux 4.4 and later, + otherwise dracut 040 would be enough + * debian/default: add early mode, remove normal mode from comments + * initramfs hook: use cpio to generate an early-initramfs with + microcode for all processors, blacklist kernels older than 3.14, + and remove normal mode support. + * initramfs.init-premount: remove, not needed for early-initramfs + * debian/rules: don't install init-premount initramfs script. + * initramfs.hook: detect a missing microcode.ko and don't attempt to + force_load() it. In verbose mode, log when the microcode driver is + modular. For Linux 4.4 and later, skip the module loading logic + (closes: #809444) + * README.Debian: update for early initramfs support, and add information + on how to disable early updates using the dis_ucode_ldr kernel boot + parameter + * Support for x32 was enabled in debian/control for the 2.20160316.1 + upload, but the changelog did not record this by mistake. The missing + entry was retroactively added to debian/changelog by this upload + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 10 Apr 2016 16:31:23 -0300 + +amd64-microcode (2.20160316.1) unstable; urgency=critical + + * Upstream release 20160316 built from linux-firmware: + + Updated Microcodes: + sig 0x00600f20, patch id 0x0600084f, 2016-01-25 + + This microcode updates fixes a critical erratum on NMI handling + introduced by microcode patch id 0x6000832 from the 20141028 update. + The erratum is also present on microcode patch id 0x6000836. + + THIS IS A CRITICAL STABILITY AND SECURITY UPDATE FOR THE EARLIER + AMD PILEDRIVER PROCESSORS, including: + + AMD Opteron 3300, 4300, 6300 + + AMD FX "Vishera" (43xx, 63xx, 83xx, 93xx, 95xx) + + AMD processors with family 21, model 2, stepping 0 + * Robert Święcki, while fuzzing the kernel using the syzkaller tool, + uncovered very strange behavior on an AMD FX-8320, later reproduced on + other AMD Piledriver model 2, stepping 0 processors including the Opteron + 6300. Robert discovered, using his proof-of-concept exploit code, that + the incorrect behavior allows an unpriviledged attacker on an unpriviledged + VM to corrupt the return stack of the host kernel's NMI handler. At best, + this results in unpredictable host behavior. At worst, it allows for an + unpriviledged user on unpriviledged VM to carry a sucessful host-kernel + ring 0 code injection attack. + * The erratum is timing-dependant, easily triggered by workloads that cause + a high number of NMIs, such as running the "perf" tool. + * debian/control: enable buiding on x32 (closes: #777233) + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 19 Mar 2016 14:02:44 -0300 + +amd64-microcode (2.20141028.1) unstable; urgency=medium + + * Upstream release 20141028 built from linux-firmware: + + Updated microcode patches for family 0x15 processors + + Added microcode patches for family 0x16 processors + * AMD did not update the relevant microcode documentation (errata fixed, + microcode patch levels, etc), so there is no documentation for the + family 0x16 microcode patches, and the documentation for family 0x15 is + stale. + * postinst: do not update microcode on upgrades: + Remove code that triggers a microcode update on package upgrade. The + resulting postinst script is now identical to the one in Debian jessie's + intel-microcode, and thus known-good. + NOTE: this code was already disabled for the majority of the users due + to Debian bug #723975 (closes: #723975, #723081) + * kpreinst: remove, we don't update microcode on postinst anymore + * blacklist automated loading of the microcode module: + This is in line with the desired behavior of only updating microcode + *automatically* during system boot, when it is safer to do so. The + local admin can still load the microcode module and update the microcode + manually at any time, of course. This is in sync with the intel-microcode + packages in Debian jessie, which will also blacklist the microcode module. + Note that the initramfs will force-load the microcode module in a safe + condition, the blacklist avoids module autoloading outside the initramfs + * control: bump standards version (no changes required) + * copyright: update upstream URL and upstream copyright date + (closes: #753593) + * docs: future-proof by using a glob pattern for per-family README files + * initramfs hook: support forced installation of amd64-microcode: + Add a config file (/etc/default/amd64-microcode) to select the mode of + operation: do nothing, force install to initramfs, install only when + running on an amd64 processor (closes: #726854) + * initramfs hook: fix (likely unexploitable) issues found by shellcheck + * Add a NEWS.Debian file to warn users we will no longer update the + microcode on package upgrade (note that we were not doing it on any + Debian kernels anyway). Also document the existence of the new + /etc/default/amd64-microcode file + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 18 Dec 2014 13:36:27 -0200 + +amd64-microcode (2.20131007.1+really20130710.1) unstable; urgency=low + + * Fix M-D-Y issue that leaked to the package version number + * The real upstream release date is 2013-07-10 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 07 Sep 2013 22:22:00 -0300 + +amd64-microcode (2.20131007.1) unstable; urgency=low + + * New upstream release, received through linux-firmware and LKML + + updated microcode: + sig 0x00500F10, id 0x05000029: erratum (+) 784; + sig 0x00500F20, id 0x05000119: erratum (+) 784; + sig 0x00600F12, id 0x0600063D: errata (-) 668, (+) 759, 778; + + new microcode: + sig 0x00200F31, id 0x02000032: errata 311, 316; + sig 0x00600F20, id 0x06000822: errata 691, 699, 704, 708, 709, 734, + 740, 778; + + This update fixes important processor bugs that cause data corruption + or unpredictable system behaviour. It also fixes a performance issue + and several issues that cause system lockup. + * Switch to native package, since there is no upstream tarball + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 07 Sep 2013 15:22:09 -0300 + +amd64-microcode (2.20120910-1) unstable; urgency=high + + * debian/control: update Breaks for new intel-microcode version scheme + * Bump major version number, this will allow us to also update the stable + branch of amd64-microcode in the future without clashing with the stable + branch of intel-microcode. The real issue is that amd64-microcode + 1.20120910-3 and intel-microcode 1.20130222.6 have changed (in lockstep) + to a different initramfs cooperation protocol, but I failed to bump the + major version at that time + * Urgency high to avoid delaying a series of high-priority intel-microcode + updates being done at the moment: we need this version in testing before + I can upload stable backports of intel-microcode or amd64-microcode + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 18 Aug 2013 16:19:42 -0300 + +amd64-microcode (1.20120910-3) unstable; urgency=low + + * control: remove homepage and update standards-version + * initramfs: update copyright information + * initramfs, postinst: don't do anything on non-AMD systems (Closes: #715518) + * initramfs, postinst: blacklist several kernel versions (Closes: #717185) + * control: add breaks: intel-microcode (<< 1.20130222.6~) + * load microcode module on package install/upgrade + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 20 Jul 2013 12:45:04 -0300 + +amd64-microcode (1.20120910-2) unstable; urgency=medium + + * initramfs: work around initramfs-tools bug #688794. + Use "_" in place of "+-." for the initramfs script name. This works + around a PANIC during boot when the initramfs was created in a system + with noexec $TMPDIR. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 09 Oct 2012 08:18:01 -0300 + +amd64-microcode (1.20120910-1) unstable; urgency=medium + + * AMD microcode release 20120910 + + updated microcode: + sig 0x00600F12, id 0x06000629: errata (+) 691, 709, 740; + + new microcode: + sig 0x00610F01, id 0x06001119: errata 671, 686, 697, 698, 699, 704, 709, + 734, 740; + + This update adds critical errata fixes for commonly used features. + The hit probability of these errata is unknown to the Debian maintainer. + * README.Debian: mention module-init-tools, not just kmod. This is useful + when backporting to Debian Squeeze + * debian/control: add Vcs-* fields + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 14 Sep 2012 15:39:37 -0300 + +amd64-microcode (1.20120117-2) unstable; urgency=low + + * debian/control: priority of this package should be standard, + not extra. All AMD-based X86 boxes should install this package + * debian/control: update package description + + -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 09 Jul 2012 21:50:35 -0300 + +amd64-microcode (1.20120117-1) unstable; urgency=low + + * Update ABI (first component of package version) to 1, to match + the ABI of intel-microcode packages with /lib/firmware support + * Update online processor cores and the initramfs image on package + upgrade and the initramfs on package removal + * Install initramfs-tools helpers to handle boot-time microcode + updates + * README.Debian: describe supported mod/built-in configs + + -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 09 Jul 2012 19:31:47 -0300 + +amd64-microcode (0.20120117-1) unstable; urgency=medium + + * AMD microcode release 20120117: + sig 0x00100F22, id 0x01000083: errata 244, 260, 280, 302, 308, 315, 342; + sig 0x00100F23, id 0x01000083: errata 244, 260, 280, 302, 308, 315, 342; + sig 0x00100F2A, id 0x01000084: errata 244, 260, 280, 302, 308, 315, 342; + sig 0x00100F42, id 0x010000DB: errata 342, 440, 573; + sig 0x00100F43, id 0x010000C8: errata 407, 440; + sig 0x00100F52, id 0x010000DB: errata 342, 440, 573; + sig 0x00100F53, id 0x010000C8: errata 407, 440; + sig 0x00100F62, id 0x010000C7: errata 407, 440; + sig 0x00100F63, id 0x010000C8: errata 407, 440; + sig 0x00100F80, id 0x010000DA: errata 419, 440, 573; + sig 0x00100F81, id 0x010000D9: errata 406, 407, 440, 573, 669; + sig 0x00100F91, id 0x010000D9: errata 406, 407, 440, 573, 669; + sig 0x00100FA0, id 0x010000DC: errata 438, 440, 573; + sig 0x00300F10, id 0x03000027: errata 564, 573, 662, 686; + sig 0x00500F10, id 0x05000028: errata 461, 564, 594, 595; + sig 0x00500F20, id 0x0500010D: errata 461, 564, 594, 639, 662, 686; + sig 0x00600F12, id 0x06000624: errata 659, 660, 661, 668, 671, 672, 673; + * Initial upload to Debian, urgency medium because we need this in Wheezy + to properly support AMD processors. Closes: #676921. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 10 Jun 2012 12:22:01 -0300 diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +9 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..ba0d5ad --- /dev/null +++ b/debian/control @@ -0,0 +1,24 @@ +Source: amd64-microcode +Section: non-free-firmware/admin +Priority: standard +Maintainer: Henrique de Moraes Holschuh <hmh@debian.org> +Uploaders: Giacomo Catenazzi <cate@debian.org> +Build-Depends: debhelper (>= 9) +Standards-Version: 3.9.8 +Vcs-Git: https://salsa.debian.org/hmh/amd64-microcode.git +Vcs-Browser: https://salsa.debian.org/hmh/amd64-microcode +XS-Autobuild: yes + +Package: amd64-microcode +Architecture: i386 amd64 x32 +Recommends: initramfs-tools (>= 0.113~) | dracut (>= 044) | tiny-initramfs +Depends: ${misc:Depends} +Breaks: intel-microcode (<< 2) +Description: Processor microcode firmware for AMD CPUs + This package contains microcode patches for all AMD AMD64 + processors. AMD releases microcode patches to correct + processor behavior as documented in the respective processor + revision guides. This package includes both AMD CPU microcode + patches and AMD SEV firmware updates. + . + For Intel processors, please refer to the intel-microcode package. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..d8aea83 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,89 @@ +This package was debianized by Henrique de Moraes Holschuh <hmh@debian.org> on +Sun Jun 10 10:54:36 BRT 2012 + +It was downloaded from http://www.amd64.org/support/microcode.html up to +version 20120910 (now: http://www.amd64.org/microcode.html). For version +20131007 onwards, it was built from the linux-firmware git repository at: +https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/ + +Debian only distributes the AMD64 microcode file in its unaltered form. + +Upstream Author: + + Advanced Micro Devices, Inc. + +Upstream Copyright (AMD-UCODE): + + Copyright (C) 2010-2018 Advanced Micro Devices, Inc. + All rights reserved. + +Upstream Copyright (AMD_SEV): + + Copyright (C) 2015-2019 Advanced Micro Devices, Inc. + All rights reserved. + +Upstream License: + + Permission is hereby granted by Advanced Micro Devices, Inc. ("AMD"), + free of any license fees, to any person obtaining a copy of this + microcode in binary form (the "Software") ("You"), to install, + reproduce, copy and distribute copies of the Software and to permit + persons to whom the Software is provided to do the same, subject to + the following terms and conditions. Your use of any portion of the + Software shall constitute Your acceptance of the following terms and + conditions. If You do not agree to the following terms and conditions, + do not use, retain or redistribute any portion of the Software. + + If You redistribute this Software, You must reproduce the above + copyright notice and this license with the Software. + Without specific, prior, written permission from AMD, You may not + reference AMD or AMD products in the promotion of any product derived + from or incorporating this Software in any manner that implies that + AMD endorses or has certified such product derived from or + incorporating this Software. + + You may not reverse engineer, decompile, or disassemble this Software + or any portion thereof. + + THE SOFTWARE IS PROVIDED "AS IS" WITHOUT ANY EXPRESS OR IMPLIED + WARRANTY OF ANY KIND, INCLUDING BUT NOT LIMITED TO WARRANTIES OF + MERCHANTABILITY, NONINFRINGEMENT, TITLE, FITNESS FOR ANY PARTICULAR + PURPOSE, OR WARRANTIES ARISING FROM CONDUCT, COURSE OF DEALING, OR + USAGE OF TRADE. IN NO EVENT SHALL AMD OR ITS LICENSORS BE LIABLE FOR + ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR + LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF DATA OR + INFORMATION) ARISING OUT OF AMD'S NEGLIGENCE, GROSS NEGLIGENCE, THE + USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF AMD HAS BEEN ADVISED + OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME JURISDICTIONS + PROHIBIT THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR + INCIDENTAL DAMAGES OR THE EXCLUSION OF IMPLIED WARRANTIES, THE ABOVE + LIMITATION MAY NOT APPLY TO YOU. + + Without limiting the foregoing, the Software may implement third party + technologies for which You must obtain licenses from parties other + than AMD. You agree that AMD has not obtained or conveyed to You, and + that You shall be responsible for obtaining the rights to use and/or + distribute the applicable underlying intellectual property rights + related to the third party technologies. These third party + technologies are not licensed hereunder. + + If You use the Software (in whole or in part), You shall adhere to all + applicable U.S., European, and other export laws, including but not + limited to the U.S. Export Administration Regulations ("EAR"), (15 + C.F.R. Sections 730 through 774), and E.U. Council Regulation (EC) No + 1334/2000 of 22 June 2000. Further, pursuant to Section 740.6 of the + EAR, You hereby certify that, except pursuant to a license granted by + the United States Department of Commerce Bureau of Industry and + Security or as otherwise permitted pursuant to a License Exception + under the U.S. Export Administration Regulations ("EAR"), You will not + (1) export, re-export or release to a national of a country in Country + Groups D:1, E:1 or E:2 any restricted technology, software, or source + code You receive hereunder, or (2) export to Country Groups D:1, E:1 + or E:2 the direct product of such technology or software, if such + foreign produced direct product is subject to national security + controls as identified on the Commerce Control List (currently found + in Supplement 1 to Part 774 of EAR). For the most current Country + Group listings, or for additional information about the EAR or Your + obligations under those regulations, please refer to the U.S. Bureau + of Industry and Security?s website at ttp://www.bis.doc.gov/. + diff --git a/debian/initramfs.hook b/debian/initramfs.hook new file mode 100755 index 0000000..c65d7d4 --- /dev/null +++ b/debian/initramfs.hook @@ -0,0 +1,127 @@ +#!/bin/sh +# amd64-microcode initramfs-tools hook script +# Copyright (C) 2012-2016 Henrique de Moraes Holschuh <hmh@debian.org> +# Released under the GPL v2 or later license +# +# Generates a copy of the minimal microcode for all AMD processors +# and installs it to the early initramfs + +PREREQ="" +AMD64UCODE_CONFIG=/etc/default/amd64-microcode + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +verbose() +{ + if [ "${verbose}" = "y" ] ; then + echo "I: amd64-microcode: $*" + fi + : +} + +AUCODE_FW_DIR=/lib/firmware/amd-ucode +AMD64UCODE_INITRAMFS=auto +[ -r ${AMD64UCODE_CONFIG} ] && . ${AMD64UCODE_CONFIG} + +[ -z "${AMD64UCODE_INITRAMFS}" ] && AMD64UCODE_INITRAMFS=no + +if [ ! -d "${AUCODE_FW_DIR}" ] ; then + verbose "no AMD64 processor microcode datafiles to install" + exit 0 +fi + +case "${AMD64UCODE_INITRAMFS}" in + no|0) + verbose "disabled by ${AMD64UCODE_CONFIG}" + exit 0 + ;; + auto|early) + ;; + yes|1) + echo "W: amd64-microcode: initramfs mode not supported, using early-initramfs mode" >&2 + AMD64UCODE_INITRAMFS=early + ;; + *) + echo "E: amd64-microcode: invalid AMD64UCODE_INITRAMFS, using automatic mode" >&2 + AMD64UCODE_INITRAMFS=auto +esac + +if [ "${AMD64UCODE_INITRAMFS}" = "auto" ] ; then + grep -q "^vendor_id[[:blank:]]*:[[:blank:]]*.*AuthenticAMD" /proc/cpuinfo || { + verbose "no AMD processors detected, nothing to do" + exit 0 + } +fi + +# whitelist AMD early updates for kernels 3.14 and later +if dpkg --compare-versions "${version}" lt 3.14 ; then + echo "E: amd64-microcode: unsupported kernel version!" >&2 + exit 0 +fi + +verbose "installing AMD64 microcode into the early initramfs..." + +# set during package build to the date from the package *version* +CHANGELOG_TS=@CHANGELOG_TS@ + +EFWD=$(mktemp -d "${TMPDIR:-/var/tmp}/mkinitramfs-EFW_XXXXXXXXXX") || { + echo "E: amd64-microcode: cannot create temporary directory" >&2 + exit 1 +} +# paranoia +[ ! -d "${EFWD}" ] && { + echo "E: amd64-microcode: mktemp -d malfunction" >&2 + exit 1 +} + +EFWE="${EFWD}/early-initramfs.cpio" + +EFWCD="${EFWD}/d/kernel/x86/microcode" +EFWF="${EFWCD}/AuthenticAMD.bin" + +# note: to build a reproducible early initramfs, we force +# the microcode component ordering inside the microcode +# firmware file, as well as the timestamp and ordering of +# all cpio members. +mkdir -p "${EFWCD}" && \ + find "${AUCODE_FW_DIR}/." -maxdepth 1 -type f -print0 | LC_ALL=C sort -z | xargs -0 -r cat 2>/dev/null >"${EFWF}" && \ + find "${EFWD}" -print0 | xargs -0r touch --no-dereference --date="@${CHANGELOG_TS}" && { \ + # --reproducible requires cpio >= 2.12 + cpio --usage | grep -qs -- "--reproducible" && cpio_reproducible="--reproducible" || true + } && test -s "${EFWF}" && \ + ( cd "${EFWD}/d" ; find . -print0 | LC_ALL=C sort -z | cpio --null $cpio_reproducible -R 0:0 -H newc -o --quiet > "${EFWE}" ) \ +&& prepend_earlyinitramfs "${EFWE}" || { + # something failed somewhere in that pipeline + [ -d "${EFWD}" ] && rm -fr "${EFWD}" + echo "E: amd64-microcode: failed to create or prepend the early initramfs to the initramfs" >&2 + exit 0 +} + +[ -d "${EFWD}" ] && rm -fr "${EFWD}" + +# attempt to load microcode module to get proper logging. +# microcode support cannot be made modular since Linux 4.4 + +if dpkg --compare-versions "${version}" lt 4.4 ; then + manual_add_modules microcode && { + # force_load has broken semanthics when the .ko file is missing + find "${DESTDIR}/${MODULESDIR}" -type f -print | grep -qc '/microcode\.ko$' && { + verbose "modular microcode driver detected" + force_load microcode + } + } +fi + +: diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..7a4028d --- /dev/null +++ b/debian/rules @@ -0,0 +1,33 @@ +#!/usr/bin/make -f +# debian/rules for amd64-microcode +# Copyright (C) 2012-2016 by Henrique de Moraes Holschuh +# Published under the GNU GPL license version 2 or any later versions + +PACKAGE := amd64-microcode +DEBDIR := $(CURDIR)/debian +PKGDIR := $(DEBDIR)/$(PACKAGE) + +# DebHelper control +export DH_ALWAYS_EXCLUDE=CVS:.svn:.git + +# Work around Debian bug #688794 +INITRAMFS_NAME := $(subst -,_,$(subst +,_,$(subst .,_,$(PACKAGE)))) + +# For reproducible builds... +CHANGELOG_TS :=$(shell date -u +%s --date=$(shell dpkg-parsechangelog | sed -n -e "/^Version:/ {s/.*\.\([0-9]\{8\}\)\..*/\1/;p}")) + +%: + dh $@ + +override_dh_auto_install: + dh_testdir + dh_install + mkdir -p "$(PKGDIR)/usr/share/initramfs-tools/hooks" + sed -e "s/@CHANGELOG_TS@/$(CHANGELOG_TS)/g" \ + <"$(DEBDIR)/initramfs.hook" \ + >"$(PKGDIR)/usr/share/initramfs-tools/hooks/$(INITRAMFS_NAME)" + chmod 755 "$(PKGDIR)/usr/share/initramfs-tools/hooks/$(INITRAMFS_NAME)" + # We have a /etc/default file, but no initscript + install -m 644 "$(DEBDIR)/$(PACKAGE).default" "$(PKGDIR)/etc/default/$(PACKAGE)" + # modprobe.d blacklist + install -m 644 "$(DEBDIR)/$(PACKAGE).modprobe-blacklist" "$(PKGDIR)/etc/modprobe.d/$(PACKAGE)-blacklist.conf" diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..89ae9db --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (native) |