authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:10:09 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:10:09 +0000
commit28e0365bc884ef0aac5f1f984de707491dbf80e9 (patch)
treede63b23e2cb2fcd055f6d2cbc96b6906a3b28a8b /debian
parentAdding upstream version 3.20230808.1.1~deb12u1. (diff)
Adding debian version 3.20230808.1.1~deb12u1.debian/3.20230808.1.1_deb12u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian')
-rw-r--r--debian/NEWS36
-rw-r--r--debian/README.Debian100
-rw-r--r--debian/amd64-microcode.default13
-rw-r--r--debian/amd64-microcode.dirs4
-rw-r--r--debian/amd64-microcode.docs1
-rw-r--r--debian/amd64-microcode.install2
-rw-r--r--debian/amd64-microcode.modprobe-blacklist3
-rw-r--r--debian/amd64-microcode.postinst46
-rw-r--r--debian/amd64-microcode.postrm42
-rw-r--r--debian/changelog420
-rw-r--r--debian/compat1
-rw-r--r--debian/control24
-rw-r--r--debian/copyright89
-rwxr-xr-xdebian/initramfs.hook127
-rwxr-xr-xdebian/rules33
-rw-r--r--debian/source/format1
16 files changed, 942 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..0780d06
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,36 @@
+amd64-microcode (3.20230808.1) unstable; urgency=high
+
+ This release requires *either* new-enough system firmware, *or* a
+ recent-enough Linux kernel to properly work on AMD Genoa and Bergamo
+ processors.
+
+ The firmware requirement is AGESA 1.0.0.8 or newer.
+
+ The Linux kernel requirement is a group of patches that are already
+ present in the Linux stable/LTS trees since versions: v4.19.289,
+ v5.4.250, v5.10.187, v5.15.120, v6.1.37, v6.3.11 and v6.4.1. These
+ patches are also present in Linux v6.5-rc1.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 10 Aug 2023 09:32:37 -0300
+
+amd64-microcode (2.20141028.1) unstable; urgency=medium
+
+ This release drops support for automatically applying microcode updates
+ without a reboot. The microcode updates can still be applied without a
+ reboot through manual action of the system administrator.
+
+ This is a defensive measure. At this time, there are no reported
+ issues caused by the AMD microcode update itself when done outside of
+ the boot process.
+
+ However, updating only on boot works around a very elusive issue in
+ the Linux kernel microcode update driver for AMD processors, which
+ may or may not have been fixed in the latest stable/long-term
+ kernels.
+
+ It is now possible to configure how the amd64-microcode package should
+ behave through the /etc/default/amd64-microcode file. By default, it
+ will install microcode update support to the initramfs only when
+ running in a system with an AMD processor.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 17 Dec 2014 19:17:30 -0200
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..b0116a4
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,100 @@
+amd64-microcode for Debian
+--------------------------
+
+Introduction:
+
+AMD AMD64 processors are capable of field-upgrading their control program
+(microcode). These microcode updates correct processor errata, and are
+often important for safe, correct system operation.
+
+While most of the microcode updates fix problems that happen extremely
+rarely, there are enough updates fixing issues that would cause system
+lockup, memory corruption, or unpredictable system behavior, to warrant
+taking it seriously.
+
+Microcode updates are ephemeral: they will be lost after a processor hard
+reset or after the processor is powered off. They must be reapplied at
+every boot and after the system wakes up from suspend to RAM or disk.
+
+Updating the processor microcode is the responsibility of the system
+firmware (BIOS or EFI). However, not all vendors will release timely
+updates for their firmware when AMD releases updated microcode, and most
+users don't update their system firmware in a timely fashion (or at all)
+anyway.
+
+The end result is that, unless some other method of distributing microcode
+updates is in place, the processor in many systems will be running with
+outdated microcode, increasing the chances of incorrect system operation.
+
+Debian can apply microcode updates to the system processors during the
+operating system boot automatically. This requires the use of a suitably
+configured Linux kernel 3.14 or later, and an initramfs.
+
+
+Installing microcode updates:
+
+For the Debian default kernel, it is enough to install the amd64-microcode
+package as well as the initramfs-tools package and the microcode update
+will be applied automatically at the next reboot.
+
+It is also possible to use "dracut" instead of initramfs-tools, but the
+support for early microcode updates must be enabled manually in
+dracut.conf (set the option "early_microcode=yes"). Force an update of
+the initramfs using dracut, and reboot. Note that since Linux kernel 4.4,
+one must use dracut 044 or later.
+
+Applying the microcode updates without the use of an early initramfs is
+not automatically supported anymore, due to future safety concerns.
+However, the local administrator may trigger an immediate microcode update
+attempt at any time, at her own risk:
+
+ USING AN INITRAMFS+REBOOT IS SAFER. DO THIS ONLY WHEN YOU KNOW BETTER:
+ as root:
+ echo 1 > /sys/devices/system/cpu/microcode/reload
+
+
+RECOVERY PROCEDURE:
+
+It is possible for a microcode update to not work well, or to not work at
+all on specific system models. This is very rare when using the safe
+microcode update procedure described above and an up-to-date Linux kernel,
+but it has happened at least once.
+
+Should you experience problems because of the microcode update, you will
+have to bypass the microcode update process that happens during operating
+system startup (boot), and remove the amd64-microcode package until the
+underlying issue is fixed.
+
+To bypass the microcode update during system startup, you must instruct the
+boot loader (grub, lilo, etc) to pass the "dis_ucode_ldr" parameter
+(without the quotes) to the kernel.
+
+If your system uses grub (the default bootloader in Debian):
+
+ 1. Access the grub menu during boot (press and hold the left "Shift"
+ key right after starting the system up if you don't see a grub menu
+ during boot);
+
+ 2. Move the highlight/cursor to the kernel/boot option you want to
+ use, and press the "e" key to edit it;
+
+ 3. Locate the line that starts with "linux" using the cursor
+ keys. You must add the word "dis_ucode_ldr" (without the quotes) to
+ the end of that line;
+
+ 4. Press "Ctrl+X" to start (boot) the system. The microcode updates
+ will be skipped.
+
+After the system is running, remove or purge the amd64-microcode package.
+
+If removing/purging the package doesn't do it automatically for some
+reason, refresh the initramfs using the "update-initramfs -u" command (as
+the root user), and possibly "update-initramfs -u -k <kernel version>".
+
+"dracut" users, please refer to the dracut documentation on how to update
+the initramfs images for every installed kernel.
+
+Please report any issues caused by microcode updates to the mailing-list or
+to the Debian bug tracker.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>, 2016-04-05
diff --git a/debian/amd64-microcode.default b/debian/amd64-microcode.default
new file mode 100644
index 0000000..7254c01
--- /dev/null
+++ b/debian/amd64-microcode.default
@@ -0,0 +1,13 @@
+# Configuration script for amd64-microcode version 3
+
+#
+# initramfs helper
+#
+
+#
+# Set this to "no" to disable automatic microcode updates on boot;
+# Set this to "early" to always install microcode updates to the early initramfs
+# Set this to "auto" to autodetect mode for current system (default);
+#
+#AMD64UCODE_INITRAMFS=auto
+
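Review bot: The comment block for `AMD64UCODE_INITRAMFS` offers `no` without stating what is given up by choosing it. README.Debian in this same commit explains that microcode updates are ephemeral and that system firmware is often outdated, so with `no` the processor runs whatever microcode the BIOS/UEFI supplies, possibly without the errata and CVE fixes listed in the changelog. Suggest adding a line such as `# With "no", only the microcode provided by the system firmware is used; see README.Debian.` The comment also does not say what happens for a value other than the three listed; that is decided in debian/initramfs.hook, which is not part of this hunk.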
diff --git a/debian/amd64-microcode.dirs b/debian/amd64-microcode.dirs
new file mode 100644
index 0000000..0790bdb
--- /dev/null
+++ b/debian/amd64-microcode.dirs
@@ -0,0 +1,4 @@
+etc/default
+etc/modprobe.d
+lib/firmware/amd-ucode
+lib/firmware/amd
diff --git a/debian/amd64-microcode.docs b/debian/amd64-microcode.docs
new file mode 100644
index 0000000..e845566
--- /dev/null
+++ b/debian/amd64-microcode.docs
@@ -0,0 +1 @@
+README
diff --git a/debian/amd64-microcode.install b/debian/amd64-microcode.install
new file mode 100644
index 0000000..40d0e9c
--- /dev/null
+++ b/debian/amd64-microcode.install
@@ -0,0 +1,2 @@
+amd-ucode/*bin lib/firmware/amd-ucode
+amd/*sev*bin lib/firmware/amd
diff --git a/debian/amd64-microcode.modprobe-blacklist b/debian/amd64-microcode.modprobe-blacklist
new file mode 100644
index 0000000..1dc2c23
--- /dev/null
+++ b/debian/amd64-microcode.modprobe-blacklist
@@ -0,0 +1,3 @@
+# The microcode module attempts to apply a microcode update when
+# it autoloads. This is not always safe, so we block it by default.
+blacklist microcode
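Review bot: The comment says the module is blocked, but a modprobe.d `blacklist` line only suppresses alias-based autoloading; an explicit `modprobe microcode` still loads the driver, which the 2.20141028.1 changelog entry describes as the intended behaviour. It presumably also has no effect on kernels where the microcode driver is built in rather than modular. Suggest wording the comment accordingly, e.g. `# This only prevents autoloading; an explicit "modprobe microcode" still works.`, so the file is not read as a hard guarantee.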
diff --git a/debian/amd64-microcode.postinst b/debian/amd64-microcode.postinst
new file mode 100644
index 0000000..453fd98
--- /dev/null
+++ b/debian/amd64-microcode.postinst
@@ -0,0 +1,46 @@
+#!/bin/sh
+# postinst script for amd64-microcode
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <postinst> `abort-remove'
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+ configure)
+ # do it like udev and firmware-linux-*
+ if [ -x /usr/sbin/update-initramfs ] && [ -e /etc/initramfs-tools/initramfs.conf ] ; then
+ update-initramfs -u && {
+ echo "amd64-microcode: microcode will be updated at next boot" >&2
+ }
+ else
+ echo "amd64-microcode: initramfs support missing" >&2
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
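Review bot: In the `configure` branch, `update-initramfs -u && { echo ...; }` hides a failed initramfs rebuild. Under `set -e` a failure on the left of `&&` does not abort the script, the enclosing `if` passes that status on without tripping errexit, and execution falls through to `exit 0`. The package then ends up configured with no package-level message while the initramfs may still hold the previous microcode, which matters for a release whose changelog lists CVE fixes. If best effort is intended, say so in a comment and report the failure, e.g. `if update-initramfs -u ; then echo "amd64-microcode: microcode will be updated at next boot" >&2 ; else echo "amd64-microcode: initramfs update failed, microcode NOT refreshed" >&2 ; fi`. Otherwise call `update-initramfs -u` as a plain command so errexit applies, as the postrm in this commit does.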
diff --git a/debian/amd64-microcode.postrm b/debian/amd64-microcode.postrm
new file mode 100644
index 0000000..c775b42
--- /dev/null
+++ b/debian/amd64-microcode.postrm
@@ -0,0 +1,42 @@
+#!/bin/sh
+# postrm script for amd64-microcode
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postrm> `remove'
+# * <postrm> `purge'
+# * <old-postrm> `upgrade' <new-version>
+# * <new-postrm> `failed-upgrade' <old-version>
+# * <new-postrm> `abort-install'
+# * <new-postrm> `abort-install' <old-version>
+# * <new-postrm> `abort-upgrade' <old-version>
+# * <disappearer's-postrm> `disappear' <overwriter>
+# <overwriter-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+ purge|remove)
+ if [ -x /usr/sbin/update-initramfs -a -e /etc/initramfs-tools/initramfs.conf ] ; then
+ update-initramfs -u
+ fi
+ ;;
+
+ upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
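Review bot: The guard `[ -x /usr/sbin/update-initramfs -a -e /etc/initramfs-tools/initramfs.conf ]` uses the `-a` operator of `test`, which POSIX marks obsolescent, while the postinst in this same commit writes the identical check as two tests joined with `&&`. Suggest matching it: `if [ -x /usr/sbin/update-initramfs ] && [ -e /etc/initramfs-tools/initramfs.conf ] ; then`. Separately, the bare `update-initramfs -u` here aborts the removal under `set -e` when it fails, whereas the postinst lets the same failure pass. A one-line comment stating which behaviour is intended would help, since README.Debian relies on package removal as the recovery path.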
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..fd5fbd3
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,420 @@
+amd64-microcode (3.20230808.1.1~deb12u1) bookworm; urgency=medium
+
+ * Rebuild for bookworm (no changes)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 02 Sep 2023 19:49:26 -0300
+
+amd64-microcode (3.20230808.1.1) unstable; urgency=high
+
+ * Update package data from linux-firmware 20230804-6-gf2eb058a
+ * Fixes for CVE-2023-20569 "AMD Inception" on AMD Zen4 processors
+ (closes: #1043381)
+ * WARNING: for proper operation on AMD Genoa and Bergamo processors,
+ either up-to-date BIOS (with AGESA 1.0.0.8 or newer) or up-to-date
+ Linux kernels (minimal versions on each active Linux stable branch:
+ v4.19.289 v5.4.250 v5.10.187 v5.15.120 v6.1.37 v6.3.11 v6.4.1)
+ are *required*
+ * New Microcode patches:
+ + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e
+ + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e
+ + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212
+ + Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116
+ * README: update for new release
+ * debian/NEWS: AMD Genoa/Bergamo kernel version restrictions
+ * debian/changelog: update entry for release 3.20230719.1, noting
+ that it included fixes for "AMD Inception" for Zen3 processors.
+ We did not know about AMD Inception at the time, but we always
+ include all available microcode updates when issuing a new
+ package, so we lucked out.
+ * debian/changelog: correct some information in 3.20230808.1
+ entry and reupload as 3.20230808.1.1. There's no Zenbleed
+ for Zen4... oops!
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 10 Aug 2023 10:18:38 -0300
+
+amd64-microcode (3.20230719.1~deb12u1) bookworm-security; urgency=high
+
+ * Rebuild for bookworm-security (no changes)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 24 Jul 2023 13:55:18 -0300
+
+amd64-microcode (3.20230719.1) unstable; urgency=high
+
+ * Update package data from linux-firmware 20230625-39-g59fbffa9:
+ * Fixes for CVE-2023-20593 "Zenbleed" on AMD Zen2 processors
+ (closes: #1041863)
+ * Fixes for CVE-2023-20569 "AMD Inception" on AMD Zen3 processors
+ (this changelog entry time-travelled from the future, we were
+ lucky we always include all microcode updates available)
+ * New Microcode patches:
+ + Family=0x17 Model=0xa0 Stepping=0x00: Patch=0x08a00008
+ * Updated Microcode patches:
+ + Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107a
+ + Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001079
+ + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d1
+ + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001234
+ * README: update for new release
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 24 Jul 2023 13:07:34 -0300
+
+amd64-microcode (3.20230414.1) unstable; urgency=medium
+
+ * Update package data from linux-firmware 20230404-38-gfab14965:
+ (closes: #1031103)
+ * Updated Microcode patches:
+ + Family=0x17 Model=0x31 Stepping=0x00: Patch=0x08301072
+ + Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001078
+ + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011ce
+ + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001231
+ * README: update for new release
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 28 Apr 2023 17:24:39 -0300
+
+amd64-microcode (3.20220411.2) unstable; urgency=medium
+
+ * Move source and binary from non-free/admin to non-free-firmware/admin
+ following the 2022 General Resolution about non-free firmware.
+
+ -- Cyril Brulebois <kibi@debian.org> Fri, 17 Feb 2023 01:19:05 +0100
+
+amd64-microcode (3.20220411.1) unstable; urgency=medium
+
+ * Update package data from linux-firmware 20220411:
+ * New microcode updates from AMD upstream (20220408)
+ (closes: #1006444, #1009333)
+ + New Microcode patches:
+ sig 0x00830f10, patch id 0x08301055, 2022-02-15
+ sig 0x00a00f10, patch id 0x0a001058, 2022-02-10
+ sig 0x00a00f11, patch id 0x0a001173, 2022-01-31
+ sig 0x00a00f12, patch id 0x0a001229, 2022-02-10
+ + Updated Microcode patches:
+ sig 0x00800f12, patch id 0x0800126e, 2021/11/11
+ * New AMD-SEV firmware from AMD upstream (20220308)
+ Fixes: CVE-2019-9836 (closes: #970395)
+ + New SEV firmware:
+ Family 17h models 00h-0fh: version 0.17 build 48
+ Family 17h models 30h-3fh: version 0.24 build 15
+ Family 19h models 00h-0fh: version 1.51 build 3
+ * README: update for new release
+ * debian: ship AMD-SEV firmware.
+ Upstream license is the same license used for amd-ucode
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 15 Apr 2022 18:27:36 -0300
+
+amd64-microcode (3.20191218.1) unstable; urgency=medium
+
+ * New microcode update packages from AMD upstream:
+ + Removed Microcode updates (known to cause issues):
+ sig 0x00830f10, patch id 0x08301025, 2019-07-11
+ * README: update for new release
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 20 Dec 2019 18:36:27 -0300
+
+amd64-microcode (3.20191021.1) unstable; urgency=medium
+
+ * New microcode update packages from AMD upstream:
+ + New Microcodes:
+ sig 0x00830f10, patch id 0x08301025, 2019-07-11
+ + Updated Microcodes:
+ sig 0x00800f12, patch id 0x08001250, 2019-04-16
+ sig 0x00800f82, patch id 0x0800820d, 2019-04-16
+ * README: update for new release
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 22 Oct 2019 21:00:17 -0300
+
+amd64-microcode (3.20181128.1) unstable; urgency=medium
+
+ * New microcode update packages from AMD upstream:
+ + New Microcodes:
+ sig 0x00800f82, patch id 0x0800820b, 2018-06-20
+ * README: update for new release
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 15 Dec 2018 18:42:12 -0200
+
+amd64-microcode (3.20180524.1) unstable; urgency=high
+
+ * New microcode update packages from AMD upstream:
+ + Re-added Microcodes:
+ sig 0x00610f01, patch id 0x06001119, 2012-07-13
+ * This update avoids regressing sig 0x610f01 processors on systems with
+ outdated firmware by adding back exactly the same microcode patch that was
+ present before [for these processors]. It does not implement Spectre-v2
+ mitigation for these processors.
+ * README: update for new release
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 25 May 2018 15:38:22 -0300
+
+amd64-microcode (3.20180515.1) unstable; urgency=high
+
+ * New microcode update packages from AMD upstream:
+ + New Microcodes:
+ sig 0x00800f12, patch id 0x08001227, 2018-02-09
+ + Updated Microcodes:
+ sig 0x00600f12, patch id 0x0600063e, 2018-02-07
+ sig 0x00600f20, patch id 0x06000852, 2018-02-06
+ + Removed Microcodes:
+ sig 0x00610f01, patch id 0x06001119, 2012-07-13
+ * Adds Spectre v2 (CVE-2017-5715) microcode-based mitigation support,
+ plus other unspecified fixes/updates.
+ * README, debian/copyright: update for new release
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 19 May 2018 13:51:06 -0300
+
+amd64-microcode (3.20171205.2) unstable; urgency=medium
+
+ * debian/control: update Vcs-* fields for salsa.debian.org
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 04 May 2018 07:51:40 -0300
+
+amd64-microcode (3.20171205.1) unstable; urgency=high
+
+ * New microcode updates (closes: #886382):
+ sig 0x00800f12, patch id 0x08001213, 2017-12-05
+ Thanks to SuSE for distributing these ahead of AMD's official release!
+ * Add IBPB support for family 17h AMD processors (CVE-2017-5715)
+ * README: describe source for faml17h microcode update
+ * Upload to unstable to match IBPB microcode support on Intel in Debian
+ unstable.
+ * WARNING: requires at least kernel 4.15, 4.14.13, 4.9.76, 4.4.111 (or a
+ backport of commit f4e9b7af0cd58dd039a0fb2cd67d57cea4889abf
+ "x86/microcode/AMD: Add support for fam17h microcode loading") otherwise
+ it will not be applied to the processor.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 08 Jan 2018 12:19:57 -0200
+
+amd64-microcode (3.20160316.3) unstable; urgency=medium
+
+ * initramfs: Make the early initramfs reproducible (closes: #845194)
+ * rules: switch to simplified dh-based build (debhelper v9)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 29 Nov 2016 23:54:53 -0200
+
+amd64-microcode (3.20160316.2) unstable; urgency=medium
+
+ * NEWS.debian: fix minor typo
+ * debian/control, debian/compat: bump debhelper compat mode to 9
+ * debian/control: bump standards version to 3.9.8 (no changes needed)
+ * debian/: prefix binary-package control files with package name
+ * debian/control: recommend tiny-initramfs as an alternative to
+ initramfs-tools tiny-initramfs specifically supports early microcode
+ updates, so it is a viable alternative to initramfs-tools
+ (closes: #839882)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 09 Oct 2016 15:43:16 -0300
+
+amd64-microcode (3.20160316.1) unstable; urgency=low
+
+ * Bump major version number to 3: early-initramfs support
+ * Support is now restricted to Linux kernel 3.14 and later. For older
+ kernels, please use the version 2 (older) branch of the package.
+ * Implement early-initramfs mode, and remove normal mode
+ * debian/control: add versioned recommends for initramfs-tools and
+ dracut. Note that dracut 044 is required for Linux 4.4 and later,
+ otherwise dracut 040 would be enough
+ * debian/default: add early mode, remove normal mode from comments
+ * initramfs hook: use cpio to generate an early-initramfs with
+ microcode for all processors, blacklist kernels older than 3.14,
+ and remove normal mode support.
+ * initramfs.init-premount: remove, not needed for early-initramfs
+ * debian/rules: don't install init-premount initramfs script.
+ * initramfs.hook: detect a missing microcode.ko and don't attempt to
+ force_load() it. In verbose mode, log when the microcode driver is
+ modular. For Linux 4.4 and later, skip the module loading logic
+ (closes: #809444)
+ * README.Debian: update for early initramfs support, and add information
+ on how to disable early updates using the dis_ucode_ldr kernel boot
+ parameter
+ * Support for x32 was enabled in debian/control for the 2.20160316.1
+ upload, but the changelog did not record this by mistake. The missing
+ entry was retroactively added to debian/changelog by this upload
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 10 Apr 2016 16:31:23 -0300
+
+amd64-microcode (2.20160316.1) unstable; urgency=critical
+
+ * Upstream release 20160316 built from linux-firmware:
+ + Updated Microcodes:
+ sig 0x00600f20, patch id 0x0600084f, 2016-01-25
+ + This microcode updates fixes a critical erratum on NMI handling
+ introduced by microcode patch id 0x6000832 from the 20141028 update.
+ The erratum is also present on microcode patch id 0x6000836.
+ + THIS IS A CRITICAL STABILITY AND SECURITY UPDATE FOR THE EARLIER
+ AMD PILEDRIVER PROCESSORS, including:
+ + AMD Opteron 3300, 4300, 6300
+ + AMD FX "Vishera" (43xx, 63xx, 83xx, 93xx, 95xx)
+ + AMD processors with family 21, model 2, stepping 0
+ * Robert Święcki, while fuzzing the kernel using the syzkaller tool,
+ uncovered very strange behavior on an AMD FX-8320, later reproduced on
+ other AMD Piledriver model 2, stepping 0 processors including the Opteron
+ 6300. Robert discovered, using his proof-of-concept exploit code, that
+ the incorrect behavior allows an unpriviledged attacker on an unpriviledged
+ VM to corrupt the return stack of the host kernel's NMI handler. At best,
+ this results in unpredictable host behavior. At worst, it allows for an
+ unpriviledged user on unpriviledged VM to carry a sucessful host-kernel
+ ring 0 code injection attack.
+ * The erratum is timing-dependant, easily triggered by workloads that cause
+ a high number of NMIs, such as running the "perf" tool.
+ * debian/control: enable buiding on x32 (closes: #777233)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 19 Mar 2016 14:02:44 -0300
+
+amd64-microcode (2.20141028.1) unstable; urgency=medium
+
+ * Upstream release 20141028 built from linux-firmware:
+ + Updated microcode patches for family 0x15 processors
+ + Added microcode patches for family 0x16 processors
+ * AMD did not update the relevant microcode documentation (errata fixed,
+ microcode patch levels, etc), so there is no documentation for the
+ family 0x16 microcode patches, and the documentation for family 0x15 is
+ stale.
+ * postinst: do not update microcode on upgrades:
+ Remove code that triggers a microcode update on package upgrade. The
+ resulting postinst script is now identical to the one in Debian jessie's
+ intel-microcode, and thus known-good.
+ NOTE: this code was already disabled for the majority of the users due
+ to Debian bug #723975 (closes: #723975, #723081)
+ * kpreinst: remove, we don't update microcode on postinst anymore
+ * blacklist automated loading of the microcode module:
+ This is in line with the desired behavior of only updating microcode
+ *automatically* during system boot, when it is safer to do so. The
+ local admin can still load the microcode module and update the microcode
+ manually at any time, of course. This is in sync with the intel-microcode
+ packages in Debian jessie, which will also blacklist the microcode module.
+ Note that the initramfs will force-load the microcode module in a safe
+ condition, the blacklist avoids module autoloading outside the initramfs
+ * control: bump standards version (no changes required)
+ * copyright: update upstream URL and upstream copyright date
+ (closes: #753593)
+ * docs: future-proof by using a glob pattern for per-family README files
+ * initramfs hook: support forced installation of amd64-microcode:
+ Add a config file (/etc/default/amd64-microcode) to select the mode of
+ operation: do nothing, force install to initramfs, install only when
+ running on an amd64 processor (closes: #726854)
+ * initramfs hook: fix (likely unexploitable) issues found by shellcheck
+ * Add a NEWS.Debian file to warn users we will no longer update the
+ microcode on package upgrade (note that we were not doing it on any
+ Debian kernels anyway). Also document the existence of the new
+ /etc/default/amd64-microcode file
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 18 Dec 2014 13:36:27 -0200
+
+amd64-microcode (2.20131007.1+really20130710.1) unstable; urgency=low
+
+ * Fix M-D-Y issue that leaked to the package version number
+ * The real upstream release date is 2013-07-10
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 07 Sep 2013 22:22:00 -0300
+
+amd64-microcode (2.20131007.1) unstable; urgency=low
+
+ * New upstream release, received through linux-firmware and LKML
+ + updated microcode:
+ sig 0x00500F10, id 0x05000029: erratum (+) 784;
+ sig 0x00500F20, id 0x05000119: erratum (+) 784;
+ sig 0x00600F12, id 0x0600063D: errata (-) 668, (+) 759, 778;
+ + new microcode:
+ sig 0x00200F31, id 0x02000032: errata 311, 316;
+ sig 0x00600F20, id 0x06000822: errata 691, 699, 704, 708, 709, 734,
+ 740, 778;
+ + This update fixes important processor bugs that cause data corruption
+ or unpredictable system behaviour. It also fixes a performance issue
+ and several issues that cause system lockup.
+ * Switch to native package, since there is no upstream tarball
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 07 Sep 2013 15:22:09 -0300
+
+amd64-microcode (2.20120910-1) unstable; urgency=high
+
+ * debian/control: update Breaks for new intel-microcode version scheme
+ * Bump major version number, this will allow us to also update the stable
+ branch of amd64-microcode in the future without clashing with the stable
+ branch of intel-microcode. The real issue is that amd64-microcode
+ 1.20120910-3 and intel-microcode 1.20130222.6 have changed (in lockstep)
+ to a different initramfs cooperation protocol, but I failed to bump the
+ major version at that time
+ * Urgency high to avoid delaying a series of high-priority intel-microcode
+ updates being done at the moment: we need this version in testing before
+ I can upload stable backports of intel-microcode or amd64-microcode
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 18 Aug 2013 16:19:42 -0300
+
+amd64-microcode (1.20120910-3) unstable; urgency=low
+
+ * control: remove homepage and update standards-version
+ * initramfs: update copyright information
+ * initramfs, postinst: don't do anything on non-AMD systems (Closes: #715518)
+ * initramfs, postinst: blacklist several kernel versions (Closes: #717185)
+ * control: add breaks: intel-microcode (<< 1.20130222.6~)
+ * load microcode module on package install/upgrade
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 20 Jul 2013 12:45:04 -0300
+
+amd64-microcode (1.20120910-2) unstable; urgency=medium
+
+ * initramfs: work around initramfs-tools bug #688794.
+ Use "_" in place of "+-." for the initramfs script name. This works
+ around a PANIC during boot when the initramfs was created in a system
+ with noexec $TMPDIR.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 09 Oct 2012 08:18:01 -0300
+
+amd64-microcode (1.20120910-1) unstable; urgency=medium
+
+ * AMD microcode release 20120910
+ + updated microcode:
+ sig 0x00600F12, id 0x06000629: errata (+) 691, 709, 740;
+ + new microcode:
+ sig 0x00610F01, id 0x06001119: errata 671, 686, 697, 698, 699, 704, 709,
+ 734, 740;
+ + This update adds critical errata fixes for commonly used features.
+ The hit probability of these errata is unknown to the Debian maintainer.
+ * README.Debian: mention module-init-tools, not just kmod. This is useful
+ when backporting to Debian Squeeze
+ * debian/control: add Vcs-* fields
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 14 Sep 2012 15:39:37 -0300
+
+amd64-microcode (1.20120117-2) unstable; urgency=low
+
+ * debian/control: priority of this package should be standard,
+ not extra. All AMD-based X86 boxes should install this package
+ * debian/control: update package description
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 09 Jul 2012 21:50:35 -0300
+
+amd64-microcode (1.20120117-1) unstable; urgency=low
+
+ * Update ABI (first component of package version) to 1, to match
+ the ABI of intel-microcode packages with /lib/firmware support
+ * Update online processor cores and the initramfs image on package
+ upgrade and the initramfs on package removal
+ * Install initramfs-tools helpers to handle boot-time microcode
+ updates
+ * README.Debian: describe supported mod/built-in configs
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 09 Jul 2012 19:31:47 -0300
+
+amd64-microcode (0.20120117-1) unstable; urgency=medium
+
+ * AMD microcode release 20120117:
+ sig 0x00100F22, id 0x01000083: errata 244, 260, 280, 302, 308, 315, 342;
+ sig 0x00100F23, id 0x01000083: errata 244, 260, 280, 302, 308, 315, 342;
+ sig 0x00100F2A, id 0x01000084: errata 244, 260, 280, 302, 308, 315, 342;
+ sig 0x00100F42, id 0x010000DB: errata 342, 440, 573;
+ sig 0x00100F43, id 0x010000C8: errata 407, 440;
+ sig 0x00100F52, id 0x010000DB: errata 342, 440, 573;
+ sig 0x00100F53, id 0x010000C8: errata 407, 440;
+ sig 0x00100F62, id 0x010000C7: errata 407, 440;
+ sig 0x00100F63, id 0x010000C8: errata 407, 440;
+ sig 0x00100F80, id 0x010000DA: errata 419, 440, 573;
+ sig 0x00100F81, id 0x010000D9: errata 406, 407, 440, 573, 669;
+ sig 0x00100F91, id 0x010000D9: errata 406, 407, 440, 573, 669;
+ sig 0x00100FA0, id 0x010000DC: errata 438, 440, 573;
+ sig 0x00300F10, id 0x03000027: errata 564, 573, 662, 686;
+ sig 0x00500F10, id 0x05000028: errata 461, 564, 594, 595;
+ sig 0x00500F20, id 0x0500010D: errata 461, 564, 594, 639, 662, 686;
+ sig 0x00600F12, id 0x06000624: errata 659, 660, 661, 668, 671, 672, 673;
+ * Initial upload to Debian, urgency medium because we need this in Wheezy
+ to properly support AMD processors. Closes: #676921.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 10 Jun 2012 12:22:01 -0300
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..ba0d5ad
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,24 @@
+Source: amd64-microcode
+Section: non-free-firmware/admin
+Priority: standard
+Maintainer: Henrique de Moraes Holschuh <hmh@debian.org>
+Uploaders: Giacomo Catenazzi <cate@debian.org>
+Build-Depends: debhelper (>= 9)
+Standards-Version: 3.9.8
+Vcs-Git: https://salsa.debian.org/hmh/amd64-microcode.git
+Vcs-Browser: https://salsa.debian.org/hmh/amd64-microcode
+XS-Autobuild: yes
+
+Package: amd64-microcode
+Architecture: i386 amd64 x32
+Recommends: initramfs-tools (>= 0.113~) | dracut (>= 044) | tiny-initramfs
+Depends: ${misc:Depends}
+Breaks: intel-microcode (<< 2)
+Description: Processor microcode firmware for AMD CPUs
+ This package contains microcode patches for all AMD AMD64
+ processors. AMD releases microcode patches to correct
+ processor behavior as documented in the respective processor
+ revision guides. This package includes both AMD CPU microcode
+ patches and AMD SEV firmware updates.
+ .
+ For Intel processors, please refer to the intel-microcode package.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..d8aea83
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,89 @@
+This package was debianized by Henrique de Moraes Holschuh <hmh@debian.org> on
+Sun Jun 10 10:54:36 BRT 2012
+
+It was downloaded from http://www.amd64.org/support/microcode.html up to
+version 20120910 (now: http://www.amd64.org/microcode.html). For version
+20131007 onwards, it was built from the linux-firmware git repository at:
+https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/
+
+Debian only distributes the AMD64 microcode file in its unaltered form.
+
+Upstream Author:
+
+ Advanced Micro Devices, Inc.
+
+Upstream Copyright (AMD-UCODE):
+
+ Copyright (C) 2010-2018 Advanced Micro Devices, Inc.
+ All rights reserved.
+
+Upstream Copyright (AMD_SEV):
+
+ Copyright (C) 2015-2019 Advanced Micro Devices, Inc.
+ All rights reserved.
+
+Upstream License:
+
+ Permission is hereby granted by Advanced Micro Devices, Inc. ("AMD"),
+ free of any license fees, to any person obtaining a copy of this
+ microcode in binary form (the "Software") ("You"), to install,
+ reproduce, copy and distribute copies of the Software and to permit
+ persons to whom the Software is provided to do the same, subject to
+ the following terms and conditions. Your use of any portion of the
+ Software shall constitute Your acceptance of the following terms and
+ conditions. If You do not agree to the following terms and conditions,
+ do not use, retain or redistribute any portion of the Software.
+
+ If You redistribute this Software, You must reproduce the above
+ copyright notice and this license with the Software.
+ Without specific, prior, written permission from AMD, You may not
+ reference AMD or AMD products in the promotion of any product derived
+ from or incorporating this Software in any manner that implies that
+ AMD endorses or has certified such product derived from or
+ incorporating this Software.
+
+ You may not reverse engineer, decompile, or disassemble this Software
+ or any portion thereof.
+
+ THE SOFTWARE IS PROVIDED "AS IS" WITHOUT ANY EXPRESS OR IMPLIED
+ WARRANTY OF ANY KIND, INCLUDING BUT NOT LIMITED TO WARRANTIES OF
+ MERCHANTABILITY, NONINFRINGEMENT, TITLE, FITNESS FOR ANY PARTICULAR
+ PURPOSE, OR WARRANTIES ARISING FROM CONDUCT, COURSE OF DEALING, OR
+ USAGE OF TRADE. IN NO EVENT SHALL AMD OR ITS LICENSORS BE LIABLE FOR
+ ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR
+ LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF DATA OR
+ INFORMATION) ARISING OUT OF AMD'S NEGLIGENCE, GROSS NEGLIGENCE, THE
+ USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF AMD HAS BEEN ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME JURISDICTIONS
+ PROHIBIT THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR
+ INCIDENTAL DAMAGES OR THE EXCLUSION OF IMPLIED WARRANTIES, THE ABOVE
+ LIMITATION MAY NOT APPLY TO YOU.
+
+ Without limiting the foregoing, the Software may implement third party
+ technologies for which You must obtain licenses from parties other
+ than AMD. You agree that AMD has not obtained or conveyed to You, and
+ that You shall be responsible for obtaining the rights to use and/or
+ distribute the applicable underlying intellectual property rights
+ related to the third party technologies. These third party
+ technologies are not licensed hereunder.
+
+ If You use the Software (in whole or in part), You shall adhere to all
+ applicable U.S., European, and other export laws, including but not
+ limited to the U.S. Export Administration Regulations ("EAR"), (15
+ C.F.R. Sections 730 through 774), and E.U. Council Regulation (EC) No
+ 1334/2000 of 22 June 2000. Further, pursuant to Section 740.6 of the
+ EAR, You hereby certify that, except pursuant to a license granted by
+ the United States Department of Commerce Bureau of Industry and
+ Security or as otherwise permitted pursuant to a License Exception
+ under the U.S. Export Administration Regulations ("EAR"), You will not
+ (1) export, re-export or release to a national of a country in Country
+ Groups D:1, E:1 or E:2 any restricted technology, software, or source
+ code You receive hereunder, or (2) export to Country Groups D:1, E:1
+ or E:2 the direct product of such technology or software, if such
+ foreign produced direct product is subject to national security
+ controls as identified on the Commerce Control List (currently found
+ in Supplement 1 to Part 774 of EAR). For the most current Country
+ Group listings, or for additional information about the EAR or Your
+ obligations under those regulations, please refer to the U.S. Bureau
+ of Industry and Security?s website at ttp://www.bis.doc.gov/.
+
diff --git a/debian/initramfs.hook b/debian/initramfs.hook
new file mode 100755
index 0000000..c65d7d4
--- /dev/null
+++ b/debian/initramfs.hook
@@ -0,0 +1,127 @@
+#!/bin/sh
+# amd64-microcode initramfs-tools hook script
+# Copyright (C) 2012-2016 Henrique de Moraes Holschuh <hmh@debian.org>
+# Released under the GPL v2 or later license
+#
+# Generates a copy of the minimal microcode for all AMD processors
+# and installs it to the early initramfs
+
+PREREQ=""
+AMD64UCODE_CONFIG=/etc/default/amd64-microcode
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+verbose()
+{
+ if [ "${verbose}" = "y" ] ; then
+ echo "I: amd64-microcode: $*"
+ fi
+ :
+}
+
+AUCODE_FW_DIR=/lib/firmware/amd-ucode
+AMD64UCODE_INITRAMFS=auto
+[ -r ${AMD64UCODE_CONFIG} ] && . ${AMD64UCODE_CONFIG}
+
+[ -z "${AMD64UCODE_INITRAMFS}" ] && AMD64UCODE_INITRAMFS=no
+
+if [ ! -d "${AUCODE_FW_DIR}" ] ; then
+ verbose "no AMD64 processor microcode datafiles to install"
+ exit 0
+fi
+
+case "${AMD64UCODE_INITRAMFS}" in
+ no|0)
+ verbose "disabled by ${AMD64UCODE_CONFIG}"
+ exit 0
+ ;;
+ auto|early)
+ ;;
+ yes|1)
+ echo "W: amd64-microcode: initramfs mode not supported, using early-initramfs mode" >&2
+ AMD64UCODE_INITRAMFS=early
+ ;;
+ *)
+ echo "E: amd64-microcode: invalid AMD64UCODE_INITRAMFS, using automatic mode" >&2
+ AMD64UCODE_INITRAMFS=auto
+esac
+
+if [ "${AMD64UCODE_INITRAMFS}" = "auto" ] ; then
+ grep -q "^vendor_id[[:blank:]]*:[[:blank:]]*.*AuthenticAMD" /proc/cpuinfo || {
+ verbose "no AMD processors detected, nothing to do"
+ exit 0
+ }
+fi
+
+# whitelist AMD early updates for kernels 3.14 and later
+if dpkg --compare-versions "${version}" lt 3.14 ; then
+ echo "E: amd64-microcode: unsupported kernel version!" >&2
+ exit 0
+fi
+
+verbose "installing AMD64 microcode into the early initramfs..."
+
+# set during package build to the date from the package *version*
+CHANGELOG_TS=@CHANGELOG_TS@
+
+EFWD=$(mktemp -d "${TMPDIR:-/var/tmp}/mkinitramfs-EFW_XXXXXXXXXX") || {
+ echo "E: amd64-microcode: cannot create temporary directory" >&2
+ exit 1
+}
+# paranoia
+[ ! -d "${EFWD}" ] && {
+ echo "E: amd64-microcode: mktemp -d malfunction" >&2
+ exit 1
+}
+
+EFWE="${EFWD}/early-initramfs.cpio"
+
+EFWCD="${EFWD}/d/kernel/x86/microcode"
+EFWF="${EFWCD}/AuthenticAMD.bin"
+
+# note: to build a reproducible early initramfs, we force
+# the microcode component ordering inside the microcode
+# firmware file, as well as the timestamp and ordering of
+# all cpio members.
+mkdir -p "${EFWCD}" && \
+ find "${AUCODE_FW_DIR}/." -maxdepth 1 -type f -print0 | LC_ALL=C sort -z | xargs -0 -r cat 2>/dev/null >"${EFWF}" && \
+ find "${EFWD}" -print0 | xargs -0r touch --no-dereference --date="@${CHANGELOG_TS}" && { \
+ # --reproducible requires cpio >= 2.12
+ cpio --usage | grep -qs -- "--reproducible" && cpio_reproducible="--reproducible" || true
+ } && test -s "${EFWF}" && \
+ ( cd "${EFWD}/d" ; find . -print0 | LC_ALL=C sort -z | cpio --null $cpio_reproducible -R 0:0 -H newc -o --quiet > "${EFWE}" ) \
+&& prepend_earlyinitramfs "${EFWE}" || {
+ # something failed somewhere in that pipeline
+ [ -d "${EFWD}" ] && rm -fr "${EFWD}"
+ echo "E: amd64-microcode: failed to create or prepend the early initramfs to the initramfs" >&2
+ exit 0
+}
+
+[ -d "${EFWD}" ] && rm -fr "${EFWD}"
+
+# attempt to load microcode module to get proper logging.
+# microcode support cannot be made modular since Linux 4.4
+
+if dpkg --compare-versions "${version}" lt 4.4 ; then
+ manual_add_modules microcode && {
+ # force_load has broken semanthics when the .ko file is missing
+ find "${DESTDIR}/${MODULESDIR}" -type f -print | grep -qc '/microcode\.ko$' && {
+ verbose "modular microcode driver detected"
+ force_load microcode
+ }
+ }
+fi
+
+:
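Review bot: The failure branch that closes the `mkdir -p … && prepend_earlyinitramfs` chain prints an `E:` line and then runs `exit 0`, as does the `lt 3.14` kernel check, so initramfs generation reports success while the image carries no early microcode. If that is deliberate (a hook failure must never block initramfs creation), say so in a comment such as `# deliberate: do not fail initramfs generation; the image is then built without early microcode`. Otherwise a machine can keep booting with unpatched CPU errata and only the build log shows it. The `2>/dev/null` on `xargs -0 -r cat` also discards the one message that would name the file that could not be read, and dropping it costs nothing. Separately, `find "${AUCODE_FW_DIR}/." -maxdepth 1 -type f` concatenates every regular file in that directory into `AuthenticAMD.bin`, so a `-name` filter for the microcode container files would keep stray files such as backups or dpkg leftovers out of the blob.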
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..7a4028d
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,33 @@
+#!/usr/bin/make -f
+# debian/rules for amd64-microcode
+# Copyright (C) 2012-2016 by Henrique de Moraes Holschuh
+# Published under the GNU GPL license version 2 or any later versions
+
+PACKAGE := amd64-microcode
+DEBDIR := $(CURDIR)/debian
+PKGDIR := $(DEBDIR)/$(PACKAGE)
+
+# DebHelper control
+export DH_ALWAYS_EXCLUDE=CVS:.svn:.git
+
+# Work around Debian bug #688794
+INITRAMFS_NAME := $(subst -,_,$(subst +,_,$(subst .,_,$(PACKAGE))))
+
+# For reproducible builds...
+CHANGELOG_TS :=$(shell date -u +%s --date=$(shell dpkg-parsechangelog | sed -n -e "/^Version:/ {s/.*\.\([0-9]\{8\}\)\..*/\1/;p}"))
+
+%:
+ dh $@
+
+override_dh_auto_install:
+ dh_testdir
+ dh_install
+ mkdir -p "$(PKGDIR)/usr/share/initramfs-tools/hooks"
+ sed -e "s/@CHANGELOG_TS@/$(CHANGELOG_TS)/g" \
+ <"$(DEBDIR)/initramfs.hook" \
+ >"$(PKGDIR)/usr/share/initramfs-tools/hooks/$(INITRAMFS_NAME)"
+ chmod 755 "$(PKGDIR)/usr/share/initramfs-tools/hooks/$(INITRAMFS_NAME)"
+ # We have a /etc/default file, but no initscript
+ install -m 644 "$(DEBDIR)/$(PACKAGE).default" "$(PKGDIR)/etc/default/$(PACKAGE)"
+ # modprobe.d blacklist
+ install -m 644 "$(DEBDIR)/$(PACKAGE).modprobe-blacklist" "$(PKGDIR)/etc/modprobe.d/$(PACKAGE)-blacklist.conf"
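Review bot: `CHANGELOG_TS` is computed with nested `$(shell …)` calls and never checked. A changelog version without an eight-digit date between two dots leaves it empty (the `0.20120117-1` form seen earlier in debian/changelog would not match the sed pattern), and the `sed -e "s/@CHANGELOG_TS@/…/g"` step in `override_dh_auto_install` then ships a hook containing `CHANGELOG_TS=`. The hook's `touch --date="@${CHANGELOG_TS}"` would presumably fail on every initramfs build, and because the hook exits 0 on that path, the package would install cleanly yet never deliver early microcode. Fail the build instead, right after the assignment: `ifeq ($(strip $(CHANGELOG_TS)),)`, `$(error cannot derive CHANGELOG_TS from debian/changelog)`, `endif`.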
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)