summaryrefslogtreecommitdiffstats
path: root/debian
diff options
context:
space:
mode:
Diffstat (limited to 'debian')
-rw-r--r--debian/README.Debian239
-rw-r--r--debian/README.source218
-rw-r--r--debian/changelog1948
-rw-r--r--debian/compat1
-rw-r--r--debian/control24
-rw-r--r--debian/copyright63
-rwxr-xr-xdebian/diff-latest-pack.sh25
-rwxr-xr-xdebian/initramfs.hook168
-rw-r--r--debian/intel-microcode.NEWS91
-rw-r--r--debian/intel-microcode.default26
-rw-r--r--debian/intel-microcode.dirs3
-rw-r--r--debian/intel-microcode.docs3
-rw-r--r--debian/intel-microcode.kpreinst17
-rw-r--r--debian/intel-microcode.modprobe-blacklist3
-rw-r--r--debian/intel-microcode.postinst50
-rw-r--r--debian/intel-microcode.postrm42
-rwxr-xr-xdebian/rules62
-rw-r--r--debian/source/format1
-rw-r--r--debian/source/options1
-rw-r--r--debian/ucode-blacklist.txt24
20 files changed, 3009 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..220932d
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,239 @@
+intel-microcode for Debian
+--------------------------
+
+Introduction:
+
+IntelĀ® 64 and IA-32 processors (x86_64 and i686 processors) are capable of
+field-upgrading their control program (microcode) as well as parameters
+for other on-chip subsystems (power management, interconnects, etc).
+These microcode updates correct processor errata, and are important for
+safe, stable and correct system operation.
+
+While most of the microcode updates fix problems that happen extremely
+rarely, they also fix high-profile, high-hitting issues. There are enough
+microcode updates fixing processor errata that would cause system lockup,
+memory corruption, or unpredictable system behavior, to warrant taking
+firmware updates and microcode updates seriously.
+
+Microcode updates are ephemeral: they will be lost after a processor hard
+reset or after the processor is powered off. They must be reapplied at
+every boot, as well as after the system wakes up from suspend to RAM or
+disk.
+
+Updating the processor microcode is the responsibility of the system
+firmware (BIOS, UEFI). However, not all vendors will release timely
+updates for their firmware when Intel releases updated microcode, and most
+users don't update their system firmware in a timely fashion (or at all)
+anyway.
+
+The end result is that, unless the operating system picks up the slack and
+tries to deliver microcode updates, the processor in many systems will be
+running with outdated microcode, increasing the chances of incorrect
+system operation.
+
+
+Using Debian to apply microcode updates:
+
+Debian can apply microcode updates to the system processors during the
+operating system boot when a correctly configured Linux kernel (such as
+the standard Debian Linux kernels), and a small set of extra packages from
+"non-free" and "contrib" are installed.
+
+You must have "contrib" and "non-free" repositories enabled in apt's
+sources list (either in /etc/apt/sources.list, or in a file inside
+/etc/apt/sources.list.d/).
+
+On a default Debian system (which uses a Debian kernel, the grub
+bootloader, and initramfs-tools to create the initramfs for the kernel),
+install the "intel-microcode" package and its dependencies, and reboot.
+
+Users of custom configurations should note that microcode update support
+for Debian 8 "Jessie" changed from previous Debian stable releases.
+
+Custom Linux kernels must be built with initramfs support enabled (Kconfig
+option CONFIG_BLK_DEV_INITRD=y), as well as early microcode support
+enabled (Kconfig options CONFIG_MICROCODE=y, CONFIG_MICROCODE_INTEL=y,
+CONFIG_MICROCODE_INTEL_EARLY=y). An initramfs image *must* be used.
+
+The use of "dracut" to generate the initramfs is not yet supported, but it
+should work if you have a new enough version of dracut that is compatible
+with the kernel you are using (i.e. it might require the use of
+backports). Dracut will have to be manually configured to enable early
+microcode updates. Better dracut support is planned for a future version
+of the intel-microcode package.
+
+NOTE: It is not impossible for an operating-system supplied microcode
+update to cause boot issues. Should that happen, please refer to the
+"RECOVERY PROCEDURE" section of this document.
+
+
+Caveats:
+
+Please keep your UEFI/BIOS up-to-date. Assuming your motherboard vendor
+does a good job of updating system firmware components, an up-to-date
+version of the firmware will negate most of the caveats listed here.
+
+Some features added to the processor post-launch, such as Intel SGX for
+"Skylake", are likely to require a full firmware update to work. Some
+issues and errata can only be fixed by a full firmware update should they
+require fixes and workarounds outside of the processor microcode update
+(typically: ME firmware, SMM code, platform MSR setup, ACPI data, Intel
+TXT/SGX modules).
+
+A microcode update may enable functionality or change the behavior of
+weakly-defined functionality (such as the effect of model-dependent CPU
+power-management MSRs). This can (very rarely) interact badly with
+outdated BIOS/UEFI.
+
+A microcode update can revoke the signatures of vulnerable Intel TXT ACMs
+(refer to security advisory INTEL-SA-00035) and Intel SGX system modules.
+This will disable Intel TXT and Intel SGX in a system that still has the
+vulnerable components in firmware (the only way to really fix the
+vulnerabilities is to update the firmware).
+
+Microcode updates often do not go well with overclocking and similar
+tuning (such as underclocking, "undervolting", etc). Reset the system to
+Intel's *up-to-date* recommended values should a microcode update seem to
+be causing trouble, and search for a less aggressive, stable operating
+point for the new microcode.
+
+A microcode update can (very rarely) interact badly with, or expose
+software bugs in the kernel and on frequency/thermal control daemons.
+
+
+RECOVERY PROCEDURE:
+
+It is possible for a microcode update to not work well, or to not work at
+all on specific system models. This is very rare when using early
+microcode updates, but it has happened at least once.
+
+Should you experience problems because of the microcode update, you will
+have to bypass the microcode update process that happens during operating
+system startup (boot), and remove (or install an older version of) the
+intel-microcode package.
+
+To bypass the microcode update during system startup, you must instruct the
+boot loader (grub, lilo, etc) to pass the "dis_ucode_ldr" parameter
+(without the quotes) to the kernel.
+
+If your system uses grub (the default bootloader in Debian):
+
+ 1. Access the grub menu during boot (press and hold the left "Shift"
+ key right after starting the system up if you don't see a grub menu
+ during boot);
+
+ 2. Move the highlight/cursor to the kernel/boot option you want to
+ use, and press the "e" key to edit it;
+
+ 3. Locate the line that starts with "linux" using the cursor
+ keys. You must add the word "dis_ucode_ldr" (without the quotes) to
+ the end of that line;
+
+ 4. Press "Ctrl+X" to start (boot) the system. The microcode updates
+ will be skipped.
+
+After the system is running, remove or purge the intel-microcode package,
+or alternatively install an older version of the intel-microcode package.
+
+If removing or purging the intel-microcode package fails to do it for some
+reason, please refresh the initramfs using the "update-initramfs -u"
+command (as the root user), and possibly "update-initramfs -u -k <desired
+kernel version>" or "update-initramfs -u -k all".
+
+Please report any issues caused by microcode updates to the Debian bug
+tracker, e.g. using the "reportbug" tool.
+
+
+Microcode update details:
+
+The "early mode" of the Linux kernel microcode update driver will apply
+the microcode updates as soon as possible, before making use of the more
+complex modes and functionality of the system processors. This greatly
+reduces the chances of system malfunction due to any issues that are
+corrected by the microcode update.
+
+It will update the CPU core that boots the system (known as BSP, for
+"bootstrap processor") as one of the first things it does. It will also
+update the microcode on the other CPU cores (known as AP, for "application
+processor") while enabling them, before they can be used.
+
+In some cases, early microcode updates will allow the kernel to sidestep
+the need to disable functionality, as an example, there's the "Atom PSE
+erratum".
+
+In other cases, it will be the only safe way to apply a microcode update.
+For example, the Intel TSX errata in Intel Haswell and Broadwell processors
+required a microcode update that entirely disables Intel TSX. Applying the
+microcode update will crash anything that might be using Intel TSX at that
+time.
+
+The initramfs helpers will attempt to restrict the number of microcode
+updates added to the initramfs to the bare minimum through the use of
+iucode_tool. This behavior can be changed and fine-tuned through the
+/etc/default/intel-microcode file.
+
+Also, microcode from files matching /usr/share/misc/intel-microcode* will
+be considered. This allows the easy use of microcode.dat files distributed
+directly by Intel. Be careful to not leave old files there, or you may end
+up using microcode that Intel stopped distributing on purpose for unknown
+reasons.
+
+
+Downloading new microcode data from Intel:
+
+A new version of the microcode bundle can be downloaded directly from
+Intel (through their GitHub project):
+https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
+
+
+To manually install the downloaded microcode bundle, unpack the archive you
+got from Intel and copy the microcode-*.dat file from the archive to
+/usr/share/misc/intel-microcode.dat.
+
+You should make sure the microcode data file is owned by root, and that it
+can only be written to by root (e.g. mode 0644) for security reasons:
+
+ chown root:root /usr/share/misc/intel-microcode.dat
+ chmod 0644 /usr/share/misc/intel-microcode.dat
+
+After you install the updated intel-microcode.dat file, run as root:
+
+ update-initramfs -u
+
+The intel-microcode package supports "extra" microcode data in the
+following files (and will warn you if it detects and use them):
+
+ /usr/share/misc/intel-microcode*
+
+both .dat and .bin formats are supported.
+
+
+Triggering an immediate microcode update (without a reboot):
+
+ **** WARNING **** **** WARNING **** **** WARNING **** **** WARNING ****
+
+ This procedure used to be safe before microcode update 20140913.
+ It is not safe anymore in the general case.
+
+ While it is likely to continue to be safe for the Intel micro-
+ architectures that preceded Haswell and Silvermont, this is not
+ in any way assured.
+
+ You have been warned. Do not do this unless you really know
+ what you are doing.
+
+ **** WARNING **** **** WARNING **** **** WARNING **** **** WARNING ****
+
+The microcode kernel module will attempt to apply a microcode update when
+loaded by "modprobe". If the module is already loaded or compiled-in (it
+cannot be a module anymore in recent Linux kernels), run this command (as
+root):
+
+ echo -n 1 >/sys/devices/system/cpu/microcode/reload
+
+For kernels before Linux v3.6, refer to the iucode_tool(8) manpage.
+
+
+* Note: Intel is a registered trademark of Intel Corporation.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 10 Apr 2016 16:32:09 -0300
diff --git a/debian/README.source b/debian/README.source
new file mode 100644
index 0000000..adad784
--- /dev/null
+++ b/debian/README.source
@@ -0,0 +1,218 @@
+intel-microcode for Debian
+--------------------------
+
+Adding new microcodes to the package:
+
+* Regular microcode bundles (upstream releases):
+
+ Add them to the top-level dir, names must match the patterns:
+
+ * microcode-<id>.dat for Intel text format bundles;
+ * microcode-<id>.bin for Intel binary bundles.
+ * microcode-<id>.d/ for directories with split binary microcode.
+
+ <id> should be the upstream release date in YYYYMMDD format.
+ If it is not, you must make sure microcode files that have
+ been released later also come later in C collating order.
+
+ Some upstream releases contain the microcode update data twice:
+ in .dat, and as a directory with several binary files. In that
+ case, you must compare the contents (e.g. using iucode_tool -L)
+ to ensure that they match. Don't add both copies of the update
+ data to the package: it is a waste of mirror space, and only one
+ copy (the one that sorts last) would be used to generate the
+ final microcode pack (so you would still have to ensure both
+ formats had the same contents anyway).
+
+ Hint: iucode_tool will compare two "supposedly identical"
+ microcodes to ensure they are just that: identical. So, it is
+ enough to do something like this:
+
+ iucode_tool --write-all-named-to=/tmp/dir1 file1.dat ;
+ iucode_tool --write-all-named-to=/tmp/dir2 intel-ucode/ ;
+ diff -R /tmp/dir1 /tmp/dir2 && echo ok ;
+ iucode_tool -v /tmp/dir1 /tmp/dir2
+
+ Later regular microcode bundles have precedence over older regular
+ microcode bundles, and may downgrade microcode revisions. This
+ implements the automatic "revision rollback" mechanism.
+
+ The "oldies" and the IUC_INCLUDE mechanisms of the main Makefile may
+ select microcodes from any of the regular microcode bundles.
+ Otherwise, only microcodes in the latest regular microcode bundle will
+ be selected. This logic implements the "automatic removal" mechanism
+ to handle microcode recalls.
+
+ Directories of microcodes must not have nested subdirectories. The
+ contents of the directory will be processed into a temporary ".dbin"
+ binary microcode file, to allow the automatic "revision rollback"
+ mechanism to work in a predictable way. Due to sorting order,
+ ".dbin" files are preferred over ".dat" files when deciding which
+ would be used to generate the final microcode pack.
+
+ Supplementary microcode bundles and microcode overrides can select
+ additional microcode (see below).
+
+* Latest available version of a microcode that is not being shipped
+ anymore, but which is present in an older microcode bundle:
+
+ Add "-s <signature>" to IUC_INCLUDE in the Makefile.
+
+* Supplementary microcode bundles:
+
+ The intended usage for this feature is to ship microcode updates that
+ fix important errata before they are available through a regular Intel
+ microcode bundle release.
+
+ Add them to the top-level dir, names must match the pattern:
+
+ * supplementary-ucode-<id>.bin
+ * supplementary-ucode-<id>.d/
+
+ <id> should be a descriptive name, sorting order does not
+ matter. It must not have spaces or tabs.
+
+ These bundles have the same precedence as the newest regular microcode
+ bundle: microcodes with the highest revision among the newest regular
+ microcode bundle and every supplementary microcode bundles will be
+ selected.
+
+ Supplementary microcode bundles must be in binary format.
+
+ Use "iucode_tool -w" to create supplementary microcode bundles.
+ The bundles may have any number of microcodes inside, and should be
+ described in the "upstream" changelog.
+
+ Directories of supplementary microcode updates must not have nested
+ subdirectories. The data files inside the directory should be in
+ binary format, and may contain more than one microcode update. They
+ should be descriptively named, and should be described in the
+ "upstream" changelog.
+
+ WARNING: microcodes added through supplementary bundles cannot be
+ "recalled" (excluded or downgraded) automatically by the latest
+ regular microcode bundle, only by overrides and IUC_EXCLUDE.
+
+* Individual microcode overrides (at a specific revision):
+
+ The intended usage for this feature is to ship microcode at a specific
+ revision. For microcode that should be superseded by a newer version
+ when available, use a supplementary bundle (see above), instead.
+
+ These overrides have the highest precedence, and will override
+ (possibly downgrading) microcodes in the other bundles, regular or
+ supplementary.
+
+ Add them to the top-level dir, names should be in the format:
+
+ * s<sig>_m<pfmask>_r<revision>.fw
+
+ <sig> is the CPU signature, <pfmask> is the processor flags
+ mask, and revision is the microcode revision level. All
+ values in hexadecimal using uppercase letters, no leading
+ prefixes, with left padding with zeroes, field length 8, as
+ in the printf mask: s%08X_m%08X_r%08X.fw
+
+ The files must be in binary format, and should contain only a single
+ microcode (to ensure maintainer sanity).
+
+ "iucode_tool -s <signature> -W" can be used to easily extract
+ microcodes and create (and name) .fw override files.
+
+* Excluding microcodes, no matter where they were sourced from:
+
+ Add "-s !<signature>" to IUC_EXCLUDE in the Makefile.
+
+ This will remove from the final microcode distribution even microcodes
+ that were sourced from override files.
+
+
+
+When you add a new microcode (bundle or otherwise):
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!! Always verify if you do not have to remove microcodes from the !!!
+!!! exclusion list in the top Makefile. !!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+Please avoid shipping microcodes "recalled" by Intel, unless you DO know
+better (i.e. you know the reason why it was "recalled", and you consider
+that Debian users would be best served by its inclusion). Always
+document why you're doing this as much as you are allowed to in the
+package changelog. Microcode override files (.fw files) can be used to
+make sure a specific microcode is shipped, however, should you want to
+ship the latest available version of a microcode from older bundles, you
+must use IUC_INCLUDE.
+
+If you are adding a microcode bundle made available directly by Intel in
+their public site, please update the "upstream changelog". There is no
+fully automated way to do it yet, but you can use "iucode_tool -l" to
+list the contents of the bundles, and apply some sed magic, sort, and
+"diff -u" to find out which microcodes were added, deleted, updated, or
+downgraded. The debian/diff-latest-pack.sh script should be of help.
+
+Please check all additions against the changelog, and annotate them as
+appropriate when the microcode was present in a previous release. Intel
+has done a "delete in one release, add back with a downgraded revision
+in the next release" once in the past. Annotations should say when the
+microcode was updated or downgraded, or just re-added with the same
+revision.
+
+Please check all deletions. When very recent microcode is deleted, it
+could well mean an unfriendly "microcode revision recall" is happening
+(someone at Intel decided to remove it instead of directly marking it a
+downgrade by publishing the previously known-good revision). When
+microcodes for older processors are deleted, it is probably safe to
+assume it is just the regular housekeeping cleanups, and the microcode
+should still be shipped by distros that have users running 10-15
+year-old boxes, like Debian.
+
+If you know that a microcode signature belongs to alpha or beta hardware
+(engineering samples), you may remove the microcodes for that signature
+by adding them to IUC_EXCLUDE in the Makefile, on the grounds that such
+microcodes just waste space on everyone's system. Unfortunately, a list
+of the CPU signatures of such unsupported processors is hard to come by.
+
+
+Keeping useless microcode out of amd64 and x32 binary packages:
+
+It is useless to ship microcode that targets processors not capable of
+Intel64 (X86-64) on the amd64 and x32 arch-specific binary packages.
+
+The top-level Makefile tries to avoid this by parsing cpu-signatures.txt
+and ignoring anything listed as i?86 when building intel-microcode-64.bin,
+which debian/rules will use instead of intel-microcode.bin for non-i386.
+
+Failure to update cpu-signatures.txt should be mostly harmless (it is
+engineered to fail safe, and distribute unlisted microcode so that at
+most it will waste some space). It is unlikely that new i686 microcode
+signatures will show up, but it may be useful to know to which
+processors a microcode update apply even for newer processors, just in
+case we have to issue a critical update and warn users.
+
+
+Where to find processor signature information:
+
+They appear to be listed only in the Specification Updates for each
+processor, you'll have to locate and download them all from Intel's site
+(this is _not_ easy to do, some of these documents are hard to track
+down). Better information is likely to available (possibly under NDA)
+on the Intel developer channels.
+
+As for non-canonical sources, there is a CPUID database in the Internet
+and a memory/latency timings database used by HPC people which are of
+some help. Search engines will often find a BIOS/UEFI firmware upgrade
+changelog that names the particular core of a microcode update
+signature.
+
+Cross-check by searching the S-SPEC numbers in the Intel ARK directory
+(e.g. to verify whether it supports X86-64 or not).
+
+
+Backport notes:
+
+1. Only kernels 3.10 and above are supported in the 3.x branch of
+ intel-microcode. To support older kernels, you will have to backport
+ the 2.x or 1.x branches of intel-microcode, instead.
+
+-- Henrique de Moraes Holschuh <hmh@debian.org>
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..c2aeefe
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,1948 @@
+intel-microcode (3.20231114.1~deb12u1) bookworm-security; urgency=high
+
+ * Build for bookworm (no changes)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 18 Nov 2023 16:13:39 -0300
+
+intel-microcode (3.20231114.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20231114 (closes: #1055962)
+ Mitigations for "reptar", INTEL-SA-00950 (CVE-2023-23583)
+ Sequence of processor instructions leads to unexpected behavior for some
+ Intel(R) Processors, may allow an authenticated user to potentially enable
+ escalation of privilege and/or information disclosure and/or denial of
+ service via local access.
+ Note: "reptar" on 4th gen Xeon Scalable (sig 0x806f8 pfm 0x87), 12th gen
+ Core mobile (sig 0x906a4 pfm 0x80), 13th gen Core desktop (sig 0xb0671 pfm
+ 0x01) were already mitigated by a previous microcode update.
+ * Fixes for unspecified functional issues
+ * Updated microcodes:
+ sig 0x000606a6, pf_mask 0x87, 2023-09-01, rev 0xd0003b9, size 299008
+ sig 0x000606c1, pf_mask 0x10, 2023-09-08, rev 0x1000268, size 290816
+ sig 0x000706e5, pf_mask 0x80, 2023-09-03, rev 0x00c2, size 113664
+ sig 0x000806c1, pf_mask 0x80, 2023-09-07, rev 0x00b4, size 111616
+ sig 0x000806c2, pf_mask 0xc2, 2023-09-07, rev 0x0034, size 98304
+ sig 0x000806d1, pf_mask 0xc2, 2023-09-07, rev 0x004e, size 104448
+ sig 0x000806f8, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0, size 572416
+ sig 0x000806f8, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0
+ sig 0x000806f7, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0
+ sig 0x000806f6, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0
+ sig 0x000806f5, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0
+ sig 0x000806f4, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0
+ sig 0x000806f8, pf_mask 0x10, 2023-06-26, rev 0x2c000290, size 605184
+ sig 0x000806f8, pf_mask 0x10, 2023-06-26, rev 0x2c000290
+ sig 0x000806f6, pf_mask 0x10, 2023-06-26, rev 0x2c000290
+ sig 0x000806f5, pf_mask 0x10, 2023-06-26, rev 0x2c000290
+ sig 0x000806f4, pf_mask 0x10, 2023-06-26, rev 0x2c000290
+ sig 0x00090672, pf_mask 0x07, 2023-06-07, rev 0x0032, size 222208
+ sig 0x00090672, pf_mask 0x07, 2023-06-07, rev 0x0032
+ sig 0x00090675, pf_mask 0x07, 2023-06-07, rev 0x0032
+ sig 0x000b06f2, pf_mask 0x07, 2023-06-07, rev 0x0032
+ sig 0x000b06f5, pf_mask 0x07, 2023-06-07, rev 0x0032
+ sig 0x000906a3, pf_mask 0x80, 2023-06-07, rev 0x0430, size 220160
+ sig 0x000906a3, pf_mask 0x80, 2023-06-07, rev 0x0430
+ sig 0x000906a4, pf_mask 0x80, 2023-06-07, rev 0x0430
+ sig 0x000906a4, pf_mask 0x40, 2023-05-05, rev 0x0005, size 117760
+ sig 0x000a0671, pf_mask 0x02, 2023-09-03, rev 0x005d, size 104448
+ sig 0x000b0671, pf_mask 0x32, 2023-08-29, rev 0x011d, size 210944
+ sig 0x000b06a2, pf_mask 0xe0, 2023-08-30, rev 0x411c, size 216064
+ sig 0x000b06a2, pf_mask 0xe0, 2023-08-30, rev 0x411c
+ sig 0x000b06a3, pf_mask 0xe0, 2023-08-30, rev 0x411c
+ sig 0x000b06e0, pf_mask 0x11, 2023-06-26, rev 0x0012, size 136192
+ * Updated 2023-08-08 changelog entry with reptar information
+ * source: update symlinks to reflect id of the latest release, 20231114
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 16 Nov 2023 08:09:43 -0300
+
+intel-microcode (3.20230808.1~deb12u1) bookworm-security; urgency=high
+
+ * Build for bookworm (no changes)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 08 Aug 2023 20:08:03 -0300
+
+intel-microcode (3.20230808.1) unstable; urgency=high
+
+ * New upstream microcode datafile 20230808 (closes: #1043305)
+ * Mitigations for "Downfall" INTEL-SA-00828 (CVE-2022-40982),
+ INTEL-SA-00836 (CVE-2023-23908) and INTEL-SA-00837 (CVE-2022-41804)
+ * Mitigations for "reptar" on a few processors, refer to the 2023-11-14
+ entry for details. This information was disclosed in 2023-11-14.
+ * Updated microcodes:
+ sig 0x00050653, pf_mask 0x97, 2023-03-23, rev 0x1000181, size 36864
+ sig 0x00050654, pf_mask 0xb7, 2023-03-06, rev 0x2007006, size 44032
+ sig 0x00050656, pf_mask 0xbf, 2023-03-17, rev 0x4003604, size 38912
+ sig 0x00050657, pf_mask 0xbf, 2023-03-17, rev 0x5003604, size 38912
+ sig 0x0005065b, pf_mask 0xbf, 2023-03-21, rev 0x7002703, size 30720
+ sig 0x000606a6, pf_mask 0x87, 2023-03-30, rev 0xd0003a5, size 297984
+ sig 0x000706e5, pf_mask 0x80, 2023-02-26, rev 0x00bc, size 113664
+ sig 0x000806c1, pf_mask 0x80, 2023-02-27, rev 0x00ac, size 111616
+ sig 0x000806c2, pf_mask 0xc2, 2023-02-27, rev 0x002c, size 98304
+ sig 0x000806d1, pf_mask 0xc2, 2023-02-27, rev 0x0046, size 103424
+ sig 0x000806e9, pf_mask 0xc0, 2023-02-22, rev 0x00f4, size 106496
+ sig 0x000806e9, pf_mask 0x10, 2023-02-23, rev 0x00f4, size 105472
+ sig 0x000806ea, pf_mask 0xc0, 2023-02-23, rev 0x00f4, size 105472
+ sig 0x000806eb, pf_mask 0xd0, 2023-02-23, rev 0x00f4, size 106496
+ sig 0x000806ec, pf_mask 0x94, 2023-02-26, rev 0x00f8, size 106496
+ sig 0x000806f8, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1, size 572416
+ sig 0x000806f7, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1
+ sig 0x000806f6, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1
+ sig 0x000806f5, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1
+ sig 0x000806f4, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1
+ sig 0x000806f8, pf_mask 0x10, 2023-05-15, rev 0x2c000271, size 605184
+ sig 0x000806f6, pf_mask 0x10, 2023-05-15, rev 0x2c000271
+ sig 0x000806f5, pf_mask 0x10, 2023-05-15, rev 0x2c000271
+ sig 0x000806f4, pf_mask 0x10, 2023-05-15, rev 0x2c000271
+ sig 0x00090672, pf_mask 0x07, 2023-04-18, rev 0x002e, size 220160
+ sig 0x00090675, pf_mask 0x07, 2023-04-18, rev 0x002e
+ sig 0x000b06f2, pf_mask 0x07, 2023-04-18, rev 0x002e
+ sig 0x000b06f5, pf_mask 0x07, 2023-04-18, rev 0x002e
+ sig 0x000906a3, pf_mask 0x80, 2023-04-18, rev 0x042c, size 219136
+ sig 0x000906a4, pf_mask 0x80, 2023-04-18, rev 0x042c
+ sig 0x000906e9, pf_mask 0x2a, 2023-02-23, rev 0x00f4, size 108544
+ sig 0x000906ea, pf_mask 0x22, 2023-02-23, rev 0x00f4, size 104448
+ sig 0x000906eb, pf_mask 0x02, 2023-02-23, rev 0x00f4, size 106496
+ sig 0x000906ec, pf_mask 0x22, 2023-02-23, rev 0x00f4, size 105472
+ sig 0x000906ed, pf_mask 0x22, 2023-02-27, rev 0x00fa, size 106496
+ sig 0x000a0652, pf_mask 0x20, 2023-02-23, rev 0x00f8, size 97280
+ sig 0x000a0653, pf_mask 0x22, 2023-02-23, rev 0x00f8, size 97280
+ sig 0x000a0655, pf_mask 0x22, 2023-02-23, rev 0x00f8, size 97280
+ sig 0x000a0660, pf_mask 0x80, 2023-02-23, rev 0x00f8, size 97280
+ sig 0x000a0661, pf_mask 0x80, 2023-02-23, rev 0x00f8, size 96256
+ sig 0x000a0671, pf_mask 0x02, 2023-02-26, rev 0x0059, size 104448
+ sig 0x000b0671, pf_mask 0x32, 2023-06-06, rev 0x0119, size 210944
+ sig 0x000b06a2, pf_mask 0xe0, 2023-06-06, rev 0x4119, size 216064
+ sig 0x000b06a3, pf_mask 0xe0, 2023-06-06, rev 0x4119
+ sig 0x000b06e0, pf_mask 0x11, 2023-04-12, rev 0x0011, size 136192
+ * source: update symlinks to reflect id of the latest release, 20230808
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 08 Aug 2023 17:25:56 -0300
+
+intel-microcode (3.20230512.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20230512 (closes: #1036013)
+ * New microcodes:
+ sig 0x000906a4, pf_mask 0x40, 2022-10-12, rev 0x0004, size 115712
+ sig 0x000b06e0, pf_mask 0x01, 2022-12-19, rev 0x0010, size 134144
+ * Updated microcodes:
+ sig 0x00050653, pf_mask 0x97, 2022-12-21, rev 0x1000171, size 36864
+ sig 0x00050654, pf_mask 0xb7, 2022-12-21, rev 0x2006f05, size 44032
+ sig 0x00050656, pf_mask 0xbf, 2022-12-21, rev 0x4003501, size 37888
+ sig 0x00050657, pf_mask 0xbf, 2022-12-21, rev 0x5003501, size 37888
+ sig 0x0005065b, pf_mask 0xbf, 2022-12-21, rev 0x7002601, size 29696
+ sig 0x000606a6, pf_mask 0x87, 2022-12-28, rev 0xd000390, size 296960
+ sig 0x000706e5, pf_mask 0x80, 2022-12-25, rev 0x00ba, size 113664
+ sig 0x000806a1, pf_mask 0x10, 2023-01-13, rev 0x0033, size 34816
+ sig 0x000806c1, pf_mask 0x80, 2022-12-28, rev 0x00aa, size 110592
+ sig 0x000806c2, pf_mask 0xc2, 2022-12-28, rev 0x002a, size 97280
+ sig 0x000806d1, pf_mask 0xc2, 2022-12-28, rev 0x0044, size 102400
+ sig 0x000806e9, pf_mask 0xc0, 2022-12-26, rev 0x00f2, size 105472
+ sig 0x000806e9, pf_mask 0x10, 2023-01-02, rev 0x00f2, size 105472
+ sig 0x000806ea, pf_mask 0xc0, 2022-12-26, rev 0x00f2, size 105472
+ sig 0x000806eb, pf_mask 0xd0, 2022-12-26, rev 0x00f2, size 105472
+ sig 0x000806ec, pf_mask 0x94, 2022-12-26, rev 0x00f6, size 105472
+ sig 0x000806f8, pf_mask 0x87, 2023-03-13, rev 0x2b000461, size 564224
+ sig 0x000806f7, pf_mask 0x87, 2023-03-13, rev 0x2b000461
+ sig 0x000806f6, pf_mask 0x87, 2023-03-13, rev 0x2b000461
+ sig 0x000806f5, pf_mask 0x87, 2023-03-13, rev 0x2b000461
+ sig 0x000806f4, pf_mask 0x87, 2023-03-13, rev 0x2b000461
+ sig 0x000806f8, pf_mask 0x10, 2023-02-14, rev 0x2c0001d1, size 595968
+ sig 0x000806f6, pf_mask 0x10, 2023-02-14, rev 0x2c0001d1
+ sig 0x000806f5, pf_mask 0x10, 2023-02-14, rev 0x2c0001d1
+ sig 0x000806f4, pf_mask 0x10, 2023-02-14, rev 0x2c0001d1
+ sig 0x000906a3, pf_mask 0x80, 2023-02-14, rev 0x042a, size 218112
+ sig 0x000906a4, pf_mask 0x80, 2023-02-14, rev 0x042a
+ sig 0x000906e9, pf_mask 0x2a, 2022-12-26, rev 0x00f2, size 108544
+ sig 0x000906ea, pf_mask 0x22, 2023-01-12, rev 0x00f2, size 104448
+ sig 0x000906eb, pf_mask 0x02, 2022-12-26, rev 0x00f2, size 105472
+ sig 0x000906ec, pf_mask 0x22, 2023-01-12, rev 0x00f2, size 104448
+ sig 0x000906ed, pf_mask 0x22, 2023-02-05, rev 0x00f8, size 104448
+ sig 0x000a0652, pf_mask 0x20, 2022-12-27, rev 0x00f6, size 96256
+ sig 0x000a0653, pf_mask 0x22, 2023-01-01, rev 0x00f6, size 97280
+ sig 0x000a0655, pf_mask 0x22, 2022-12-26, rev 0x00f6, size 96256
+ sig 0x000a0660, pf_mask 0x80, 2022-12-26, rev 0x00f6, size 97280
+ sig 0x000a0661, pf_mask 0x80, 2022-12-26, rev 0x00f6, size 96256
+ sig 0x000a0671, pf_mask 0x02, 2022-12-25, rev 0x0058, size 103424
+ sig 0x000b0671, pf_mask 0x32, 2023-02-06, rev 0x0113, size 207872
+ sig 0x000b06a2, pf_mask 0xc0, 2023-02-22, rev 0x4112, size 212992
+ sig 0x000b06a3, pf_mask 0xc0, 2023-02-22, rev 0x4112
+ * source: update symlinks to reflect id of the latest release, 20230512
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 16 May 2023 00:13:02 -0300
+
+intel-microcode (3.20230214.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * New upstream microcode datafile 20230214
+ - Includes Fixes for: (Closes: #1031334)
+ - INTEL-SA-00700: CVE-2022-21216
+ - INTEL-SA-00730: CVE-2022-33972
+ - INTEL-SA-00738: CVE-2022-33196
+ - INTEL-SA-00767: CVE-2022-38090
+ * New Microcodes:
+ sig 0x000806f4, pf_mask 0x10, 2022-12-19, rev 0x2c000170
+ sig 0x000806f4, pf_mask 0x87, 2022-12-27, rev 0x2b000181
+ sig 0x000806f5, pf_mask 0x10, 2022-12-19, rev 0x2c000170
+ sig 0x000806f5, pf_mask 0x87, 2022-12-27, rev 0x2b000181
+ sig 0x000806f6, pf_mask 0x10, 2022-12-19, rev 0x2c000170
+ sig 0x000806f6, pf_mask 0x87, 2022-12-27, rev 0x2b000181
+ sig 0x000806f7, pf_mask 0x87, 2022-12-27, rev 0x2b000181
+ sig 0x000806f8, pf_mask 0x10, 2022-12-19, rev 0x2c000170
+ sig 0x000806f8, pf_mask 0x10, 2022-12-19, rev 0x2c000170, size 600064
+ sig 0x000806f8, pf_mask 0x87, 2022-12-27, rev 0x2b000181
+ sig 0x000806f8, pf_mask 0x87, 2022-12-27, rev 0x2b000181, size 561152
+ sig 0x000b06a2, pf_mask 0xc0, 2022-12-08, rev 0x410e
+ sig 0x000b06a2, pf_mask 0xc0, 2022-12-08, rev 0x410e, size 212992
+ sig 0x000b06a3, pf_mask 0xc0, 2022-12-08, rev 0x410e
+ * Updated Microcodes:
+ sig 0x00050653, pf_mask 0x97, 2022-08-30, rev 0x1000161, size 36864
+ sig 0x00050656, pf_mask 0xbf, 2022-08-26, rev 0x4003303, size 37888
+ sig 0x00050657, pf_mask 0xbf, 2022-08-26, rev 0x5003303, size 37888
+ sig 0x0005065b, pf_mask 0xbf, 2022-08-26, rev 0x7002503, size 29696
+ sig 0x000606a6, pf_mask 0x87, 2022-10-09, rev 0xd000389, size 296960
+ sig 0x000606c1, pf_mask 0x10, 2022-09-23, rev 0x1000211, size 289792
+ sig 0x000706a1, pf_mask 0x01, 2022-09-16, rev 0x003e, size 75776
+ sig 0x000706a8, pf_mask 0x01, 2022-09-20, rev 0x0022, size 76800
+ sig 0x000706e5, pf_mask 0x80, 2022-08-31, rev 0x00b8, size 113664
+ sig 0x000806a1, pf_mask 0x10, 2022-09-07, rev 0x0032, size 34816
+ sig 0x00090672, pf_mask 0x07, 2023-01-04, rev 0x002c
+ sig 0x00090672, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136
+ sig 0x00090675, pf_mask 0x07, 2023-01-04, rev 0x002c
+ sig 0x000906a3, pf_mask 0x80, 2023-01-11, rev 0x0429
+ sig 0x000906a3, pf_mask 0x80, 2023-01-11, rev 0x0429, size 218112
+ sig 0x000906a4, pf_mask 0x80, 2023-01-11, rev 0x0429
+ sig 0x000906c0, pf_mask 0x01, 2022-09-02, rev 0x24000024, size 20480
+ sig 0x000a0671, pf_mask 0x02, 2022-08-31, rev 0x0057, size 103424
+ sig 0x000b0671, pf_mask 0x32, 2022-12-19, rev 0x0112, size 207872
+ sig 0x000b06f2, pf_mask 0x07, 2023-01-04, rev 0x002c
+ sig 0x000b06f5, pf_mask 0x07, 2023-01-04, rev 0x002c
+
+ -- Tobias Frost <tobi@debian.org> Sun, 12 Mar 2023 18:16:50 +0100
+
+intel-microcode (3.20221108.2) unstable; urgency=medium
+
+ * Move source and binary from non-free/admin to non-free-firmware/admin
+ following the 2022 General Resolution about non-free firmware.
+
+ -- Cyril Brulebois <kibi@debian.org> Fri, 17 Feb 2023 01:12:52 +0100
+
+intel-microcode (3.20221108.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20221108
+ * New Microcodes:
+ sig 0x000606c1, pf_mask 0x10, 2022-08-07, rev 0x1000201, size 286720
+ sig 0x000b0671, pf_mask 0x32, 2022-09-07, rev 0x010e, size 204800
+ * Updated Microcodes:
+ sig 0x000706e5, pf_mask 0x80, 2022-08-02, rev 0x00b6, size 113664
+ sig 0x000806c1, pf_mask 0x80, 2022-06-28, rev 0x00a6, size 110592
+ sig 0x000806d1, pf_mask 0xc2, 2022-06-28, rev 0x0042, size 102400
+ sig 0x000806ec, pf_mask 0x94, 2022-07-31, rev 0x00f4, size 105472
+ sig 0x00090661, pf_mask 0x01, 2022-07-15, rev 0x0017, size 20480
+ sig 0x00090672, pf_mask 0x07, 2022-09-19, rev 0x0026, size 218112
+ sig 0x00090675, pf_mask 0x07, 2022-09-19, rev 0x0026
+ sig 0x000b06f2, pf_mask 0x07, 2022-09-19, rev 0x0026
+ sig 0x000b06f5, pf_mask 0x07, 2022-09-19, rev 0x0026
+ sig 0x000906a3, pf_mask 0x80, 2022-09-19, rev 0x0424, size 217088
+ sig 0x000906a4, pf_mask 0x80, 2022-09-19, rev 0x0424
+ sig 0x000906ed, pf_mask 0x22, 2022-07-31, rev 0x00f4, size 104448
+ sig 0x000a0652, pf_mask 0x20, 2022-07-31, rev 0x00f4, size 96256
+ sig 0x000a0653, pf_mask 0x22, 2022-07-31, rev 0x00f4, size 97280
+ sig 0x000a0655, pf_mask 0x22, 2022-07-31, rev 0x00f4, size 96256
+ sig 0x000a0660, pf_mask 0x80, 2022-07-31, rev 0x00f4, size 97280
+ sig 0x000a0661, pf_mask 0x80, 2022-07-31, rev 0x00f4, size 96256
+ sig 0x000a0671, pf_mask 0x02, 2022-08-02, rev 0x0056, size 103424
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 03 Dec 2022 17:21:08 -0300
+
+intel-microcode (3.20220809.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20220809
+ * Fixes INTEL-SA-00657, CVE-2022-21233
+ Stale data from APIC leaks SGX memory (AEPIC leak)
+ * Fixes unspecified errata (functional issues) on Xeon Scalable
+ * Updated Microcodes:
+ sig 0x00050653, pf_mask 0x97, 2022-03-14, rev 0x100015e, size 34816
+ sig 0x00050654, pf_mask 0xb7, 2022-03-08, rev 0x2006e05, size 44032
+ sig 0x000606a6, pf_mask 0x87, 2022-04-07, rev 0xd000375, size 293888
+ sig 0x000706a1, pf_mask 0x01, 2022-03-23, rev 0x003c, size 75776
+ sig 0x000706a8, pf_mask 0x01, 2022-03-23, rev 0x0020, size 75776
+ sig 0x000706e5, pf_mask 0x80, 2022-03-17, rev 0x00b2, size 112640
+ sig 0x000806c2, pf_mask 0xc2, 2022-03-19, rev 0x0028, size 97280
+ sig 0x000806d1, pf_mask 0xc2, 2022-03-28, rev 0x0040, size 102400
+ sig 0x00090672, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
+ sig 0x00090675, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
+ sig 0x000906a3, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064
+ sig 0x000906a4, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064
+ sig 0x000a0671, pf_mask 0x02, 2022-03-17, rev 0x0054, size 103424
+ sig 0x000b06f2, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
+ sig 0x000b06f5, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
+ * source: update symlinks to reflect id of the latest release, 20220809
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 19 Aug 2022 14:21:20 -0300
+
+intel-microcode (3.20220510.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20220510
+ * Fixes INTEL-SA-000617, CVE-2022-21151:
+ Processor optimization removal or modification of security-critical
+ code may allow an authenticated user to potentially enable information
+ disclosure via local access (closes: #1010947)
+ * Fixes several errata (functional issues) on Xeon Scalable, Atom C3000,
+ Atom E3900
+ * New Microcodes:
+ sig 0x00090672, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992
+ sig 0x00090675, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992
+ sig 0x000906a3, pf_mask 0x80, 2022-03-24, rev 0x041c, size 212992
+ sig 0x000906a4, pf_mask 0x80, 2022-03-24, rev 0x041c, size 212992
+ sig 0x000b06f2, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992
+ sig 0x000b06f5, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992
+ * Updated Microcodes:
+ sig 0x00030679, pf_mask 0x0f, 2019-07-10, rev 0x090d, size 52224
+ sig 0x000406e3, pf_mask 0xc0, 2021-11-12, rev 0x00f0, size 106496
+ sig 0x00050653, pf_mask 0x97, 2021-11-13, rev 0x100015d, size 34816
+ sig 0x00050654, pf_mask 0xb7, 2021-11-13, rev 0x2006d05, size 43008
+ sig 0x00050656, pf_mask 0xbf, 2021-12-10, rev 0x4003302, size 37888
+ sig 0x00050657, pf_mask 0xbf, 2021-12-10, rev 0x5003302, size 37888
+ sig 0x0005065b, pf_mask 0xbf, 2021-11-19, rev 0x7002501, size 29696
+ sig 0x000506c9, pf_mask 0x03, 2021-11-16, rev 0x0048, size 17408
+ sig 0x000506e3, pf_mask 0x36, 2021-11-12, rev 0x00f0, size 109568
+ sig 0x000506f1, pf_mask 0x01, 2021-12-02, rev 0x0038, size 11264
+ sig 0x000606a6, pf_mask 0x87, 2022-03-30, rev 0xd000363, size 294912
+ sig 0x000706a1, pf_mask 0x01, 2021-11-22, rev 0x003a, size 75776
+ sig 0x000706a8, pf_mask 0x01, 2021-11-22, rev 0x001e, size 75776
+ sig 0x000706e5, pf_mask 0x80, 2022-03-09, rev 0x00b0, size 112640
+ sig 0x000806a1, pf_mask 0x10, 2022-03-26, rev 0x0031, size 34816
+ sig 0x000806c1, pf_mask 0x80, 2022-02-01, rev 0x00a4, size 109568
+ sig 0x000806c2, pf_mask 0xc2, 2021-12-07, rev 0x0026, size 97280
+ sig 0x000806d1, pf_mask 0xc2, 2021-12-07, rev 0x003e, size 102400
+ sig 0x000806e9, pf_mask 0x10, 2021-11-12, rev 0x00f0, size 105472
+ sig 0x000806e9, pf_mask 0xc0, 2021-11-12, rev 0x00f0, size 105472
+ sig 0x000806ea, pf_mask 0xc0, 2021-11-12, rev 0x00f0, size 105472
+ sig 0x000806eb, pf_mask 0xd0, 2021-11-15, rev 0x00f0, size 105472
+ sig 0x000806ec, pf_mask 0x94, 2021-11-17, rev 0x00f0, size 105472
+ sig 0x00090661, pf_mask 0x01, 2022-02-03, rev 0x0016, size 20480
+ sig 0x000906c0, pf_mask 0x01, 2022-02-19, rev 0x24000023, size 20480
+ sig 0x000906e9, pf_mask 0x2a, 2021-11-12, rev 0x00f0, size 108544
+ sig 0x000906ea, pf_mask 0x22, 2021-11-15, rev 0x00f0, size 104448
+ sig 0x000906eb, pf_mask 0x02, 2021-11-12, rev 0x00f0, size 105472
+ sig 0x000906ec, pf_mask 0x22, 2021-11-15, rev 0x00f0, size 104448
+ sig 0x000906ed, pf_mask 0x22, 2021-11-16, rev 0x00f0, size 104448
+ sig 0x000a0652, pf_mask 0x20, 2021-11-16, rev 0x00f0, size 96256
+ sig 0x000a0653, pf_mask 0x22, 2021-11-15, rev 0x00f0, size 97280
+ sig 0x000a0655, pf_mask 0x22, 2021-11-16, rev 0x00f0, size 96256
+ sig 0x000a0660, pf_mask 0x80, 2021-11-15, rev 0x00f0, size 96256
+ sig 0x000a0661, pf_mask 0x80, 2021-11-16, rev 0x00f0, size 96256
+ sig 0x000a0671, pf_mask 0x02, 2022-03-09, rev 0x0053, size 103424
+ * source: update symlinks to reflect id of the latest release, 20220510
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 15 May 2022 20:09:05 -0300
+
+intel-microcode (3.20220419.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20220419
+ * Fixes errata APLI-11 in Atom E3900 series processors
+ * Updated Microcodes:
+ sig 0x000506ca, pf_mask 0x03, 2021-11-16, rev 0x0028, size 16384
+ * source: update symlinks to reflect id of the latest release, 20220419
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 21 Apr 2022 17:25:05 -0300
+
+intel-microcode (3.20220207.1) unstable; urgency=medium
+
+ * upstream changelog: new upstream datafile 20220207
+ * Mitigates (*only* when loaded from UEFI firmware through the FIT)
+ CVE-2021-0146, INTEL-SA-00528: VT-d privilege escalation through
+ debug port, on Pentium, Celeron and Atom processors with signatures
+ 0x506c9, 0x506ca, 0x506f1, 0x706a1, 0x706a8
+ https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/57#issuecomment-1036363145
+ * Mitigates CVE-2021-0127, INTEL-SA-00532: an unexpected code breakpoint
+ may cause a system hang, on many processors.
+ * Mitigates CVE-2021-0145, INTEL-SA-00561: information disclosure due
+ to improper sanitization of shared resources (fast-store forward
+ predictor), on many processors.
+ * Mitigates CVE-2021-33120, INTEL-SA-00589: out-of-bounds read on some
+ Atom Processors may allow information disclosure or denial of service
+ via network access.
+ * Fixes critical errata (functional issues) on many processors
+ * Adds a MSR switch to enable RAPL filtering (default off, once enabled
+ it can only be disabled by poweroff or reboot). Useful to protect
+ SGX and other threads from side-channel info leak. Improves the
+ mitigation for CVE-2020-8694, CVE-2020-8695, INTEL-SA-00389 on many
+ processors.
+ * Disables TSX in more processor models.
+ * Fixes issue with WBINDV on multi-socket (server) systems which could
+ cause resets and unpredictable system behavior.
+ * Adds a MSR switch to 10th and 11th-gen (Ice Lake, Tiger Lake, Rocket
+ Lake) processors, to control a fix for (hopefully rare) unpredictable
+ processor behavior when HyperThreading is enabled. This MSR switch
+ is enabled by default on *server* processors. On other processors,
+ it needs to be explicitly enabled by an updated UEFI/BIOS (with added
+ configuration logic). An updated operating system kernel might also
+ be able to enable it. When enabled, this fix can impact performance.
+ * Updated Microcodes:
+ sig 0x000306f2, pf_mask 0x6f, 2021-08-11, rev 0x0049, size 38912
+ sig 0x000306f4, pf_mask 0x80, 2021-05-24, rev 0x001a, size 23552
+ sig 0x000406e3, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 105472
+ sig 0x00050653, pf_mask 0x97, 2021-05-26, rev 0x100015c, size 34816
+ sig 0x00050654, pf_mask 0xb7, 2021-06-16, rev 0x2006c0a, size 43008
+ sig 0x00050656, pf_mask 0xbf, 2021-08-13, rev 0x400320a, size 35840
+ sig 0x00050657, pf_mask 0xbf, 2021-08-13, rev 0x500320a, size 36864
+ sig 0x0005065b, pf_mask 0xbf, 2021-06-04, rev 0x7002402, size 28672
+ sig 0x00050663, pf_mask 0x10, 2021-06-12, rev 0x700001c, size 28672
+ sig 0x00050664, pf_mask 0x10, 2021-06-12, rev 0xf00001a, size 27648
+ sig 0x00050665, pf_mask 0x10, 2021-09-18, rev 0xe000014, size 23552
+ sig 0x000506c9, pf_mask 0x03, 2021-05-10, rev 0x0046, size 17408
+ sig 0x000506ca, pf_mask 0x03, 2021-05-10, rev 0x0024, size 16384
+ sig 0x000506e3, pf_mask 0x36, 2021-04-29, rev 0x00ec, size 108544
+ sig 0x000506f1, pf_mask 0x01, 2021-05-10, rev 0x0036, size 11264
+ sig 0x000606a6, pf_mask 0x87, 2021-12-03, rev 0xd000331, size 291840
+ sig 0x000706a1, pf_mask 0x01, 2021-05-10, rev 0x0038, size 74752
+ sig 0x000706a8, pf_mask 0x01, 2021-05-10, rev 0x001c, size 75776
+ sig 0x000706e5, pf_mask 0x80, 2021-05-26, rev 0x00a8, size 110592
+ sig 0x000806a1, pf_mask 0x10, 2021-09-02, rev 0x002d, size 34816
+ sig 0x000806c1, pf_mask 0x80, 2021-08-06, rev 0x009a, size 109568
+ sig 0x000806c2, pf_mask 0xc2, 2021-07-16, rev 0x0022, size 96256
+ sig 0x000806d1, pf_mask 0xc2, 2021-07-16, rev 0x003c, size 101376
+ sig 0x000806e9, pf_mask 0x10, 2021-04-28, rev 0x00ec, size 104448
+ sig 0x000806e9, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 104448
+ sig 0x000806ea, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 103424
+ sig 0x000806eb, pf_mask 0xd0, 2021-04-28, rev 0x00ec, size 104448
+ sig 0x000806ec, pf_mask 0x94, 2021-04-28, rev 0x00ec, size 104448
+ sig 0x00090661, pf_mask 0x01, 2021-09-21, rev 0x0015, size 20480
+ sig 0x000906c0, pf_mask 0x01, 2021-08-09, rev 0x2400001f, size 20480
+ sig 0x000906e9, pf_mask 0x2a, 2021-04-29, rev 0x00ec, size 106496
+ sig 0x000906ea, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 102400
+ sig 0x000906eb, pf_mask 0x02, 2021-04-28, rev 0x00ec, size 104448
+ sig 0x000906ec, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424
+ sig 0x000906ed, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424
+ sig 0x000a0652, pf_mask 0x20, 2021-04-28, rev 0x00ec, size 93184
+ sig 0x000a0653, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 94208
+ sig 0x000a0655, pf_mask 0x22, 2021-04-28, rev 0x00ee, size 94208
+ sig 0x000a0660, pf_mask 0x80, 2021-04-28, rev 0x00ea, size 94208
+ sig 0x000a0661, pf_mask 0x80, 2021-04-29, rev 0x00ec, size 93184
+ sig 0x000a0671, pf_mask 0x02, 2021-08-29, rev 0x0050, size 102400
+ * Removed Microcodes:
+ sig 0x00080664, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048
+ sig 0x00080665, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048
+ * update .gitignore and debian/.gitignore.
+ Add some missing items from .gitignore and debian/.gitignore.
+ * ucode-blacklist: do not late-load 0x406e3 and 0x506e3.
+ When the BIOS microcode is older than revision 0x7f (and perhaps in some
+ other cases as well), the latest microcode updates for 0x406e3 and
+ 0x506e3 must be applied using the early update method. Otherwise, the
+ system might hang. Also: there must not be any other intermediate
+ microcode update attempts [other than the one done by the BIOS itself],
+ either. It must go from the BIOS microcode update directly to the
+ latest microcode update.
+ * source: update symlinks to reflect id of the latest release, 20220207
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 25 Feb 2022 05:36:55 -0300
+
+intel-microcode (3.20210608.2) unstable; urgency=high
+
+ * Correct INTEL-SA-00442 CVE id to CVE-2020-24489 in changelog and
+ debian/changelog (3.20210608.1).
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 23 Jun 2021 13:42:19 -0300
+
+intel-microcode (3.20210608.1) unstable; urgency=high
+
+ * New upstream microcode datafile 20210608 (closes: #989615)
+ * Implements mitigations for CVE-2020-24511 CVE-2020-24512
+ (INTEL-SA-00464), information leakage through shared resources,
+ and timing discrepancy sidechannels
+ * Implements mitigations for CVE-2020-24513 (INTEL-SA-00465),
+ Domain-bypass transient execution vulnerability in some Intel Atom
+ Processors, affects Intel SGX.
+ * Implements mitigations for CVE-2020-24489 (INTEL-SA-00442), Intel
+ VT-d privilege escalation
+ * Fixes critical errata on several processors
+ * New Microcodes:
+ sig 0x00050655, pf_mask 0xb7, 2018-11-16, rev 0x3000010, size 47104
+ sig 0x000606a5, pf_mask 0x87, 2021-03-08, rev 0xc0002f0, size 283648
+ sig 0x000606a6, pf_mask 0x87, 2021-04-25, rev 0xd0002a0, size 283648
+ sig 0x00080664, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048
+ sig 0x00080665, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048
+ sig 0x000806c1, pf_mask 0x80, 2021-03-31, rev 0x0088, size 109568
+ sig 0x000806c2, pf_mask 0xc2, 2021-04-07, rev 0x0016, size 94208
+ sig 0x000806d1, pf_mask 0xc2, 2021-04-23, rev 0x002c, size 99328
+ sig 0x00090661, pf_mask 0x01, 2021-02-04, rev 0x0011, size 19456
+ sig 0x000906c0, pf_mask 0x01, 2021-03-23, rev 0x001d, size 19456
+ sig 0x000a0671, pf_mask 0x02, 2021-04-11, rev 0x0040, size 100352
+ * Updated Microcodes:
+ sig 0x000306f2, pf_mask 0x6f, 2021-01-27, rev 0x0046, size 34816
+ sig 0x000306f4, pf_mask 0x80, 2021-02-05, rev 0x0019, size 19456
+ sig 0x000406e3, pf_mask 0xc0, 2021-01-25, rev 0x00ea, size 105472
+ sig 0x000406f1, pf_mask 0xef, 2021-02-06, rev 0xb00003e, size 31744
+ sig 0x00050653, pf_mask 0x97, 2021-03-08, rev 0x100015b, size 34816
+ sig 0x00050654, pf_mask 0xb7, 2021-03-08, rev 0x2006b06, size 36864
+ sig 0x00050656, pf_mask 0xbf, 2021-03-08, rev 0x4003102, size 30720
+ sig 0x00050657, pf_mask 0xbf, 2021-03-08, rev 0x5003102, size 30720
+ sig 0x0005065b, pf_mask 0xbf, 2021-04-23, rev 0x7002302, size 27648
+ sig 0x00050663, pf_mask 0x10, 2021-02-04, rev 0x700001b, size 24576
+ sig 0x00050664, pf_mask 0x10, 2021-02-04, rev 0xf000019, size 24576
+ sig 0x00050665, pf_mask 0x10, 2021-02-04, rev 0xe000012, size 19456
+ sig 0x000506c9, pf_mask 0x03, 2020-10-23, rev 0x0044, size 17408
+ sig 0x000506ca, pf_mask 0x03, 2020-10-23, rev 0x0020, size 15360
+ sig 0x000506e3, pf_mask 0x36, 2021-01-25, rev 0x00ea, size 105472
+ sig 0x000506f1, pf_mask 0x01, 2020-10-23, rev 0x0034, size 11264
+ sig 0x000706a1, pf_mask 0x01, 2020-10-23, rev 0x0036, size 74752
+ sig 0x000706a8, pf_mask 0x01, 2020-10-23, rev 0x001a, size 75776
+ sig 0x000706e5, pf_mask 0x80, 2020-11-01, rev 0x00a6, size 110592
+ sig 0x000806a1, pf_mask 0x10, 2020-11-06, rev 0x002a, size 32768
+ sig 0x000806e9, pf_mask 0x10, 2021-01-05, rev 0x00ea, size 104448
+ sig 0x000806e9, pf_mask 0xc0, 2021-01-05, rev 0x00ea, size 104448
+ sig 0x000806ea, pf_mask 0xc0, 2021-01-06, rev 0x00ea, size 103424
+ sig 0x000806eb, pf_mask 0xd0, 2021-01-05, rev 0x00ea, size 104448
+ sig 0x000806ec, pf_mask 0x94, 2021-01-05, rev 0x00ea, size 104448
+ sig 0x000906e9, pf_mask 0x2a, 2021-01-05, rev 0x00ea, size 104448
+ sig 0x000906ea, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 102400
+ sig 0x000906eb, pf_mask 0x02, 2021-01-05, rev 0x00ea, size 104448
+ sig 0x000906ec, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 103424
+ sig 0x000906ed, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 103424
+ sig 0x000a0652, pf_mask 0x20, 2021-02-07, rev 0x00ea, size 93184
+ sig 0x000a0653, pf_mask 0x22, 2021-03-08, rev 0x00ea, size 94208
+ sig 0x000a0655, pf_mask 0x22, 2021-03-08, rev 0x00ec, size 94208
+ sig 0x000a0660, pf_mask 0x80, 2020-12-08, rev 0x00e8, size 94208
+ sig 0x000a0661, pf_mask 0x80, 2021-02-07, rev 0x00ea, size 93184
+ * source: update symlinks to reflect id of the latest release, 20210608
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 08 Jun 2021 22:37:57 -0300
+
+intel-microcode (3.20210216.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20210216
+ * Mitigates an issue on Skylake Server (H0/M0/U0), Xeon-D 21xx,
+ and Cascade Lake Server (B0/B1) when using an active JTAG
+ agent like In Target Probe (ITP), Direct Connect Interface
+ (DCI) or a Baseboard Management Controller (BMC) to take the
+ CPU JTAG/TAP out of reset and then returning it to reset.
+ * This issue is related to the INTEL-SA-00381 mitigation.
+ * Updated Microcodes:
+ sig 0x00050654, pf_mask 0xb7, 2020-12-31, rev 0x2006a0a, size 36864
+ sig 0x00050656, pf_mask 0xbf, 2020-12-31, rev 0x4003006, size 53248
+ sig 0x00050657, pf_mask 0xbf, 2020-12-31, rev 0x5003006, size 53248
+ * source: update symlinks to reflect id of the latest release, 20210216
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 17 Feb 2021 11:26:06 -0300
+
+intel-microcode (3.20201118.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20201118
+ * Removes a faulty microcode update from release 2020-11-10 for Tiger Lake
+ processors. Note that Debian already had removed this specific falty
+ microcode update on the 3.20201110.1 release
+ * Add a microcode update for the Pentium Silver N/J5xxx and Celeron
+ N/J4xxx which didn't make it to release 20201110, fixing security issues
+ (INTEL-SA-00381, INTEL-SA-00389)
+ * Updated Microcodes:
+ sig 0x000706a1, pf_mask 0x01, 2020-06-09, rev 0x0034, size 74752
+ * Removed Microcodes:
+ sig 0x000806c1, pf_mask 0x80, 2020-10-02, rev 0x0068, size 107520
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 27 Dec 2020 15:59:32 -0300
+
+intel-microcode (3.20201110.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20201110 (closes: #974533)
+ * Implements mitigation for CVE-2020-8696 and CVE-2020-8698,
+ aka INTEL-SA-00381: AVX register information leakage;
+ Fast-Forward store predictor information leakage
+ * Implements mitigation for CVE-2020-8695, Intel SGX information
+ disclosure via RAPL, aka INTEL-SA-00389
+ * Fixes critical errata on several processor models
+ * Reintroduces SRBDS mitigations(CVE-2020-0543, INTEL-SA-00320)
+ for Skylake-U/Y, Skylake Xeon E3
+ * New Microcodes
+ sig 0x0005065b, pf_mask 0xbf, 2020-08-20, rev 0x700001e, size 27648
+ sig 0x000806a1, pf_mask 0x10, 2020-06-26, rev 0x0028, size 32768
+ sig 0x000806c1, pf_mask 0x80, 2020-10-02, rev 0x0068, size 107520
+ sig 0x000a0652, pf_mask 0x20, 2020-07-08, rev 0x00e0, size 93184
+ sig 0x000a0653, pf_mask 0x22, 2020-07-08, rev 0x00e0, size 94208
+ sig 0x000a0655, pf_mask 0x22, 2020-07-08, rev 0x00e0, size 93184
+ sig 0x000a0661, pf_mask 0x80, 2020-07-02, rev 0x00e0, size 93184
+ * Updated Microcodes
+ sig 0x000306f2, pf_mask 0x6f, 2020-05-27, rev 0x0044, size 34816
+ sig 0x000406e3, pf_mask 0xc0, 2020-07-14, rev 0x00e2, size 105472
+ sig 0x00050653, pf_mask 0x97, 2020-06-18, rev 0x1000159, size 33792
+ sig 0x00050654, pf_mask 0xb7, 2020-06-16, rev 0x2006a08, size 35840
+ sig 0x00050656, pf_mask 0xbf, 2020-06-18, rev 0x4003003, size 52224
+ sig 0x00050657, pf_mask 0xbf, 2020-06-18, rev 0x5003003, size 52224
+ sig 0x000506c9, pf_mask 0x03, 2020-02-27, rev 0x0040, size 17408
+ sig 0x000506ca, pf_mask 0x03, 2020-02-27, rev 0x001e, size 15360
+ sig 0x000506e3, pf_mask 0x36, 2020-07-14, rev 0x00e2, size 105472
+ sig 0x000706a8, pf_mask 0x01, 2020-06-09, rev 0x0018, size 75776
+ sig 0x000706e5, pf_mask 0x80, 2020-07-30, rev 0x00a0, size 109568
+ sig 0x000806e9, pf_mask 0x10, 2020-05-27, rev 0x00de, size 104448
+ sig 0x000806e9, pf_mask 0xc0, 2020-05-27, rev 0x00de, size 104448
+ sig 0x000806ea, pf_mask 0xc0, 2020-06-17, rev 0x00e0, size 104448
+ sig 0x000806eb, pf_mask 0xd0, 2020-06-03, rev 0x00de, size 104448
+ sig 0x000806ec, pf_mask 0x94, 2020-05-18, rev 0x00de, size 104448
+ sig 0x000906e9, pf_mask 0x2a, 2020-05-26, rev 0x00de, size 104448
+ sig 0x000906ea, pf_mask 0x22, 2020-05-25, rev 0x00de, size 103424
+ sig 0x000906eb, pf_mask 0x02, 2020-05-25, rev 0x00de, size 104448
+ sig 0x000906ec, pf_mask 0x22, 2020-06-03, rev 0x00de, size 103424
+ sig 0x000906ed, pf_mask 0x22, 2020-05-24, rev 0x00de, size 103424
+ sig 0x000a0660, pf_mask 0x80, 2020-07-08, rev 0x00e0, size 94208
+ * 0x806c1: remove the new Tiger Lake update: causes hang on cold/warm boot
+ https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
+ INTEL-SA-00381 AND INTEL-SA-00389 MITIGATIONS ARE THEREFORE NOT INSTALLED
+ FOR 0x806c1 TIGER LAKE PROCESSORS by this package update. Contact your
+ system vendor for a firmware update, or wait fo a possible fix in a future
+ Intel microcode release.
+ * source: update symlinks to reflect id of the latest release, 20201110
+ * source: ship new upstream documentation (security.md, releasenote.md)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 12 Nov 2020 15:03:36 -0300
+
+intel-microcode (3.20200616.1) unstable; urgency=high
+
+ * New upstream microcode datafile 20200616
+ + Downgraded microcodes (to a previously shipped revision):
+ sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+ sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+ * Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3,
+ https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+ * This update *removes* the SRBDS mitigations from the above processors
+ * Note that Debian had already downgraded 0x406e3 in release 3.20200609.2
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 28 Jun 2020 18:38:57 -0300
+
+intel-microcode (3.20200609.2) unstable; urgency=medium
+
+ * REGRESSION FIX: 0x406e3: rollback to rev 0xd6 and document regression
+ * Microcode rollbacks (closes: LP#1883002)
+ sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+ * THIS REMOVES THE SECURITY FIXES FOR SKYLAKE-U/Y PROCESSORS
+ * Avoid hangs on boot on (some?) Skylake-U/Y processors,
+ https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+ * ucode-blacklist: blacklist models 0x8e and 0x9e from late-loading,
+ just in case. Note that Debian does not do late loading by itself.
+ Refer to LP#1883002 for the report, 0x806ec hangs upon late load.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 11 Jun 2020 08:55:07 -0300
+
+intel-microcode (3.20200609.1) unstable; urgency=high
+
+ * SECURITY UPDATE
+ * For most processors: SRBDS and/or VRDS, L1DCES mitigations depending
+ on the processor model
+ * For Skylake HEDT and Skylake Xeons with signature 0x50654: VRDS and
+ L1DCES mitigations, plus mitigations described in the changelog entry
+ for package release 3.20191112.1.
+ * Expect some performance impact, the mitigations are enabled by
+ default. A Linux kernel update will be issued that allows one to
+ selectively disable the mitigations.
+ * New upstream microcode datafile 20200609
+ * Implements mitigation for CVE-2020-0543 Special Register Buffer Data
+ Sampling (SRBDS), INTEL-SA-00320, CROSSTalk
+ * Implements mitigation for CVE-2020-0548 Vector Register Data Sampling
+ (VRDS), INTEL-SA-00329
+ * Implements mitigation for CVE-2020-0549 L1D Cache Eviction Sampling
+ (L1DCES), INTEL-SA-00329
+ * Known to fix the regression introduced in release 2019-11-12 (sig
+ 0x50564, rev. 0x2000065), which would cause several systems with
+ Skylake Xeon, Skylake HEDT processors to hang while rebooting
+ * Updated Microcodes:
+ sig 0x000306c3, pf_mask 0x32, 2019-11-12, rev 0x0028, size 23552
+ sig 0x000306d4, pf_mask 0xc0, 2019-11-12, rev 0x002f, size 19456
+ sig 0x00040651, pf_mask 0x72, 2019-11-12, rev 0x0026, size 22528
+ sig 0x00040661, pf_mask 0x32, 2019-11-12, rev 0x001c, size 25600
+ sig 0x00040671, pf_mask 0x22, 2019-11-12, rev 0x0022, size 14336
+ sig 0x000406e3, pf_mask 0xc0, 2020-04-27, rev 0x00dc, size 104448
+ sig 0x00050653, pf_mask 0x97, 2020-04-24, rev 0x1000157, size 32768
+ sig 0x00050654, pf_mask 0xb7, 2020-04-24, rev 0x2006906, size 34816
+ sig 0x00050656, pf_mask 0xbf, 2020-04-23, rev 0x4002f01, size 52224
+ sig 0x00050657, pf_mask 0xbf, 2020-04-23, rev 0x5002f01, size 52224
+ sig 0x000506e3, pf_mask 0x36, 2020-04-27, rev 0x00dc, size 104448
+ sig 0x000806e9, pf_mask 0x10, 2020-04-27, rev 0x00d6, size 103424
+ sig 0x000806e9, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424
+ sig 0x000806ea, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424
+ sig 0x000806eb, pf_mask 0xd0, 2020-04-27, rev 0x00d6, size 103424
+ sig 0x000806ec, pf_mask 0x94, 2020-04-23, rev 0x00d6, size 103424
+ sig 0x000906e9, pf_mask 0x2a, 2020-04-23, rev 0x00d6, size 103424
+ sig 0x000906ea, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400
+ sig 0x000906eb, pf_mask 0x02, 2020-04-23, rev 0x00d6, size 103424
+ sig 0x000906ec, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400
+ sig 0x000906ed, pf_mask 0x22, 2020-04-23, rev 0x00d6, size 103424
+ * Restores the microcode-level fixes that were reverted by release
+ 3.20191115.2 for sig 0x50654 (Skylake Xeon, Skylake HEDT)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 09 Jun 2020 17:16:46 -0300
+
+intel-microcode (3.20200520.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20200520
+ + Updated Microcodes:
+ sig 0x000206d6, pf_mask 0x6d, 2020-03-04, rev 0x0621, size 18432
+ sig 0x000206d7, pf_mask 0x6d, 2020-03-24, rev 0x071a, size 19456
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 21 May 2020 11:44:00 -0300
+
+intel-microcode (3.20200508.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20200508
+ + Updated Microcodes:
+ sig 0x000706e5, pf_mask 0x80, 2020-03-12, rev 0x0078, size 107520
+ * Likely fixes several critical errata on IceLake-U/Y causing system
+ hangs
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 09 May 2020 23:30:43 -0300
+
+intel-microcode (3.20191115.2) unstable; urgency=medium
+
+ * Microcode rollbacks (closes: #946515, LP#1854764):
+ sig 0x00050654, pf_mask 0xb7, 2019-07-31, rev 0x2000064, size 33792
+ * Avoids hangs on warm reboots (cold boots work fine) on HEDT and
+ Xeon processors with signature 0x50654.
+ https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 10 Dec 2019 23:10:19 -0300
+
+intel-microcode (3.20191115.1) unstable; urgency=high
+
+ * New upstream microcode datafile 20191115
+ + Updated Microcodes:
+ sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376
+ sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376
+ sig 0x000806e9, pf_mask 0x10, 2019-10-15, rev 0x00ca, size 100352
+ sig 0x000806e9, pf_mask 0xc0, 2019-09-26, rev 0x00ca, size 100352
+ sig 0x000806ea, pf_mask 0xc0, 2019-10-03, rev 0x00ca, size 100352
+ sig 0x000806eb, pf_mask 0xd0, 2019-10-03, rev 0x00ca, size 100352
+ sig 0x000806ec, pf_mask 0x94, 2019-10-03, rev 0x00ca, size 100352
+ sig 0x000906e9, pf_mask 0x2a, 2019-10-03, rev 0x00ca, size 100352
+ sig 0x000906ea, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328
+ sig 0x000906eb, pf_mask 0x02, 2019-10-03, rev 0x00ca, size 100352
+ sig 0x000906ec, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328
+ sig 0x000906ed, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 100352
+ sig 0x000a0660, pf_mask 0x80, 2019-10-03, rev 0x00ca, size 91136
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 16 Nov 2019 23:14:58 -0300
+
+intel-microcode (3.20191113.1) unstable; urgency=high
+
+ * New upstream microcode datafile 20191113
+ + SECURITY UPDATE, refer to the 3.20191112.1 changelog entry for details
+ Adds microcode update for CFL-S (Coffe Lake Desktop)
+ INTEL-SA-00270, CVE-2019-11135, CVE-2019-0117
+ + Updated Microcodes (previously removed):
+ sig 0x000906ec, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 15 Nov 2019 00:43:54 -0300
+
+intel-microcode (3.20191112.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20191112
+ + SECURITY UPDATE
+ - Implements MDS mitigation (TSX TAA), INTEL-SA-00270, CVE-2019-11135
+ - Implements TA Indirect Sharing mitigation, and improves the
+ MDS mitigation (VERW)
+ - Fixes FIVR (Xeon Voltage Modulation) vulnerability, INTEL-SA-00271,
+ CVE-2019-11139
+ - Fixes SGX vulnerabilities and errata (including CVE-2019-0117)
+ + CRITICAL ERRATA FIXES
+ - Fixes Jcc conditional jump macro-fusion erratum (Skylake+, except
+ Ice Lake), causes a 0-3% typical perforance hit (can be as bad
+ as 10%). But ensures the processor will actually jump where it
+ should, so don't even *dream* of not applying this fix.
+ - Fixes AVX SHUF* instruction implementation flaw erratum
+ + Removed Microcodes:
+ sig 0x000906ec, pf_mask 0x22, 2019-02-14, rev 0x00ae, size 98304
+ + New Microcodes:
+ sig 0x000406d8, pf_mask 0x01, 2019-09-16, rev 0x012d, size 84992
+ sig 0x00050656, pf_mask 0xbf, 2019-09-05, rev 0x400002c, size 51200
+ sig 0x00060663, pf_mask 0x80, 2018-04-17, rev 0x002a, size 87040
+ sig 0x000706a8, pf_mask 0x01, 2019-08-29, rev 0x0016, size 74752
+ sig 0x000706e5, pf_mask 0x80, 2019-09-05, rev 0x0046, size 102400
+ sig 0x000a0660, pf_mask 0x80, 2019-08-27, rev 0x00c6, size 91136
+ + Updated Microcodes:
+ sig 0x000406e3, pf_mask 0xc0, 2019-08-14, rev 0x00d4, size 101376
+ sig 0x00050654, pf_mask 0xb7, 2019-09-05, rev 0x2000065, size 34816
+ sig 0x00050657, pf_mask 0xbf, 2019-09-05, rev 0x500002c, size 51200
+ sig 0x000506e3, pf_mask 0x36, 2019-08-14, rev 0x00d4, size 101376
+ sig 0x000706a1, pf_mask 0x01, 2019-08-28, rev 0x0032, size 73728
+ sig 0x000806e9, pf_mask 0x10, 2019-08-14, rev 0x00c6, size 99328
+ sig 0x000806e9, pf_mask 0xc0, 2019-08-14, rev 0x00c6, size 100352
+ sig 0x000806ea, pf_mask 0xc0, 2019-08-14, rev 0x00c6, size 99328
+ sig 0x000806eb, pf_mask 0xd0, 2019-08-14, rev 0x00c6, size 100352
+ sig 0x000806ec, pf_mask 0x94, 2019-08-14, rev 0x00c6, size 100352
+ sig 0x000906e9, pf_mask 0x2a, 2019-08-14, rev 0x00c6, size 100352
+ sig 0x000906ea, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328
+ sig 0x000906eb, pf_mask 0x02, 2019-08-14, rev 0x00c6, size 100352
+ sig 0x000906ed, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328
+ + Updated Microcodes (previously removed):
+ sig 0x00050653, pf_mask 0x97, 2019-09-09, rev 0x1000151, size 32768
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 12 Nov 2019 23:21:54 -0300
+
+intel-microcode (3.20190918.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20190918
+ + SECURITY UPDATE
+ *Might* contain mitigations for INTEL-SA-00247 (RAMBleed), given
+ the set of processors being updated.
+ + Updated Microcodes:
+ sig 0x000306d4, pf_mask 0xc0, 2019-06-13, rev 0x002e, size 19456
+ sig 0x000306f4, pf_mask 0x80, 2019-06-17, rev 0x0016, size 18432
+ sig 0x00040671, pf_mask 0x22, 2019-06-13, rev 0x0021, size 14336
+ sig 0x000406f1, pf_mask 0xef, 2019-06-18, rev 0xb000038, size 30720
+ sig 0x00050654, pf_mask 0xb7, 2019-07-31, rev 0x2000064, size 33792
+ sig 0x00050657, pf_mask 0xbf, 2019-08-12, rev 0x500002b, size 51200
+ sig 0x00050662, pf_mask 0x10, 2019-06-17, rev 0x001c, size 32768
+ sig 0x00050663, pf_mask 0x10, 2019-06-17, rev 0x7000019, size 24576
+ sig 0x00050664, pf_mask 0x10, 2019-06-17, rev 0xf000017, size 24576
+ sig 0x00050665, pf_mask 0x10, 2019-06-17, rev 0xe00000f, size 19456
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 19 Sep 2019 00:38:50 -0300
+
+intel-microcode (3.20190618.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20190618
+ + SECURITY UPDATE
+ Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223
+ CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+ for Sandybridge server and Core-X processors
+ + Updated Microcodes:
+ sig 0x000206d6, pf_mask 0x6d, 2019-05-21, rev 0x061f, size 18432
+ sig 0x000206d7, pf_mask 0x6d, 2019-05-21, rev 0x0718, size 19456
+ * Add some missing (minor) changelog entries to 3.20190514.1
+ * Reformat 3.20190514.1 changelog entry to match rest of changelog
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 19 Jun 2019 09:05:54 -0300
+
+intel-microcode (3.20190514.1) unstable; urgency=high
+
+ * New upstream microcode datafile 20190514
+ + SECURITY UPDATE
+ Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223
+ CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+ + New Microcodes:
+ sig 0x00030678, pf_mask 0x02, 2019-04-22, rev 0x0838, size 52224
+ sig 0x00030678, pf_mask 0x0c, 2019-04-22, rev 0x0838, size 52224
+ sig 0x00030679, pf_mask 0x0f, 2019-04-23, rev 0x090c, size 52224
+ sig 0x000406c3, pf_mask 0x01, 2019-04-23, rev 0x0368, size 69632
+ sig 0x000406c4, pf_mask 0x01, 2019-04-23, rev 0x0411, size 68608
+ sig 0x00050657, pf_mask 0xbf, 2019-02-27, rev 0x5000021, size 47104
+ + Updated Microcodes:
+ sig 0x000206a7, pf_mask 0x12, 2019-02-17, rev 0x002f, size 12288
+ sig 0x000306a9, pf_mask 0x12, 2019-02-13, rev 0x0021, size 14336
+ sig 0x000306c3, pf_mask 0x32, 2019-02-26, rev 0x0027, size 23552
+ sig 0x000306d4, pf_mask 0xc0, 2019-03-07, rev 0x002d, size 19456
+ sig 0x000306e4, pf_mask 0xed, 2019-03-14, rev 0x042e, size 16384
+ sig 0x000306e7, pf_mask 0xed, 2019-03-14, rev 0x0715, size 17408
+ sig 0x000306f2, pf_mask 0x6f, 2019-03-01, rev 0x0043, size 34816
+ sig 0x000306f4, pf_mask 0x80, 2019-03-01, rev 0x0014, size 18432
+ sig 0x00040651, pf_mask 0x72, 2019-02-26, rev 0x0025, size 21504
+ sig 0x00040661, pf_mask 0x32, 2019-02-26, rev 0x001b, size 25600
+ sig 0x00040671, pf_mask 0x22, 2019-03-07, rev 0x0020, size 14336
+ sig 0x000406e3, pf_mask 0xc0, 2019-04-01, rev 0x00cc, size 100352
+ sig 0x000406f1, pf_mask 0xef, 2019-03-02, rev 0xb000036, size 30720
+ sig 0x00050654, pf_mask 0xb7, 2019-04-02, rev 0x200005e, size 32768
+ sig 0x00050662, pf_mask 0x10, 2019-03-23, rev 0x001a, size 32768
+ sig 0x00050663, pf_mask 0x10, 2019-03-23, rev 0x7000017, size 24576
+ sig 0x00050664, pf_mask 0x10, 2019-03-23, rev 0xf000015, size 23552
+ sig 0x00050665, pf_mask 0x10, 2019-03-23, rev 0xe00000d, size 19456
+ sig 0x000506c9, pf_mask 0x03, 2019-01-15, rev 0x0038, size 17408
+ sig 0x000506ca, pf_mask 0x03, 2019-03-01, rev 0x0016, size 15360
+ sig 0x000506e3, pf_mask 0x36, 2019-04-01, rev 0x00cc, size 100352
+ sig 0x000506f1, pf_mask 0x01, 2019-03-21, rev 0x002e, size 11264
+ sig 0x000706a1, pf_mask 0x01, 2019-01-02, rev 0x002e, size 73728
+ sig 0x000806e9, pf_mask 0x10, 2019-04-01, rev 0x00b4, size 98304
+ sig 0x000806e9, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328
+ sig 0x000806ea, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328
+ sig 0x000806eb, pf_mask 0xd0, 2019-03-30, rev 0x00b8, size 98304
+ sig 0x000806ec, pf_mask 0x94, 2019-03-30, rev 0x00b8, size 97280
+ sig 0x000906e9, pf_mask 0x2a, 2019-04-01, rev 0x00b4, size 99328
+ sig 0x000906ea, pf_mask 0x22, 2019-04-01, rev 0x00b4, size 98304
+ sig 0x000906eb, pf_mask 0x02, 2019-04-01, rev 0x00b4, size 99328
+ sig 0x000906ec, pf_mask 0x22, 2019-02-14, rev 0x00ae, size 98304
+ sig 0x000906ed, pf_mask 0x22, 2019-03-17, rev 0x00b8, size 97280
+ * README.Debian, control: update download/homepage URLs
+ * copyright: update download URL and date range
+ * source: update symlinks to reflect id of the latest release, 20190514
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 14 May 2019 21:49:08 -0300
+
+intel-microcode (3.20190312.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20190312
+ + Removed Microcodes:
+ sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
+ + New Microcodes:
+ sig 0x000806e9, pf_mask 0x10, 2018-10-18, rev 0x009e, size 98304
+ sig 0x000806eb, pf_mask 0xd0, 2018-10-25, rev 0x00a4, size 99328
+ sig 0x000806ec, pf_mask 0x94, 2019-02-12, rev 0x00b2, size 98304
+ sig 0x000906ec, pf_mask 0x22, 2018-09-29, rev 0x00a2, size 98304
+ sig 0x000906ed, pf_mask 0x22, 2019-02-04, rev 0x00b0, size 97280
+ + Updated Microcodes:
+ sig 0x000306f2, pf_mask 0x6f, 2018-11-20, rev 0x0041, size 34816
+ sig 0x000306f4, pf_mask 0x80, 2018-11-06, rev 0x0013, size 17408
+ sig 0x00050654, pf_mask 0xb7, 2019-01-28, rev 0x200005a, size 33792
+ sig 0x00050662, pf_mask 0x10, 2018-12-06, rev 0x0019, size 32768
+ sig 0x00050663, pf_mask 0x10, 2018-12-06, rev 0x7000016, size 23552
+ sig 0x00050664, pf_mask 0x10, 2018-11-17, rev 0xf000014, size 23552
+ sig 0x00050665, pf_mask 0x10, 2018-11-17, rev 0xe00000c, size 19456
+ sig 0x000506c9, pf_mask 0x03, 2018-09-14, rev 0x0036, size 17408
+ sig 0x000506ca, pf_mask 0x03, 2018-09-20, rev 0x0010, size 15360
+ sig 0x000706a1, pf_mask 0x01, 2018-09-21, rev 0x002c, size 73728
+ sig 0x000806e9, pf_mask 0xc0, 2018-07-16, rev 0x009a, size 98304
+ sig 0x000806ea, pf_mask 0xc0, 2018-10-18, rev 0x009e, size 98304
+ sig 0x000906e9, pf_mask 0x2a, 2018-07-16, rev 0x009a, size 98304
+ sig 0x000906ea, pf_mask 0x22, 2018-12-12, rev 0x00aa, size 98304
+ sig 0x000906eb, pf_mask 0x02, 2018-12-12, rev 0x00aa, size 99328
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 16 Mar 2019 21:07:54 -0300
+
+intel-microcode (3.20180807a.2) unstable; urgency=medium
+
+ * Makefile: unblacklist 0x206c2 (Westmere EP)
+ According to pragyansri.pathi@intel.com, on message to LP#1795594
+ on 2018-10-09, we can ship 0x206c2 updates without restrictions.
+ Also, there are no reports in the field about this update causing
+ issues (closes: #907402) (LP: #1795594)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 23 Oct 2018 19:52:40 -0300
+
+intel-microcode (3.20180807a.1) unstable; urgency=high
+
+ [ Henrique de Moraes Holschuh ]
+ * New upstream microcode datafile 20180807a
+ (closes: #906158, #906160, #903135, #903141)
+ + New Microcodes:
+ sig 0x000206c2, pf_mask 0x03, 2018-05-08, rev 0x001f, size 11264
+ sig 0x000206e6, pf_mask 0x04, 2018-05-15, rev 0x000d, size 9216
+ sig 0x000506c2, pf_mask 0x01, 2018-05-11, rev 0x0014, size 15360
+ sig 0x000506ca, pf_mask 0x03, 2018-05-11, rev 0x000c, size 14336
+ sig 0x000506f1, pf_mask 0x01, 2018-05-11, rev 0x0024, size 10240
+ + Updated Microcodes:
+ sig 0x000106a5, pf_mask 0x03, 2018-05-11, rev 0x001d, size 12288
+ sig 0x000106e5, pf_mask 0x13, 2018-05-08, rev 0x000a, size 9216
+ sig 0x00020652, pf_mask 0x12, 2018-05-08, rev 0x0011, size 9216
+ sig 0x00020655, pf_mask 0x92, 2018-04-23, rev 0x0007, size 4096
+ sig 0x000206a7, pf_mask 0x12, 2018-04-10, rev 0x002e, size 12288
+ sig 0x000206f2, pf_mask 0x05, 2018-05-16, rev 0x003b, size 14336
+ sig 0x000306a9, pf_mask 0x12, 2018-04-10, rev 0x0020, size 13312
+ sig 0x000306c3, pf_mask 0x32, 2018-04-02, rev 0x0025, size 23552
+ sig 0x000306d4, pf_mask 0xc0, 2018-03-22, rev 0x002b, size 18432
+ sig 0x00040651, pf_mask 0x72, 2018-04-02, rev 0x0024, size 22528
+ sig 0x00040661, pf_mask 0x32, 2018-04-02, rev 0x001a, size 25600
+ sig 0x00040671, pf_mask 0x22, 2018-04-03, rev 0x001e, size 13312
+ sig 0x000406e3, pf_mask 0xc0, 2018-04-17, rev 0x00c6, size 99328
+ sig 0x00050662, pf_mask 0x10, 2018-05-25, rev 0x0017, size 31744
+ sig 0x00050663, pf_mask 0x10, 2018-04-20, rev 0x7000013, size 22528
+ sig 0x00050664, pf_mask 0x10, 2018-04-20, rev 0xf000012, size 22528
+ sig 0x000506c9, pf_mask 0x03, 2018-05-11, rev 0x0032, size 16384
+ sig 0x000506e3, pf_mask 0x36, 2018-04-17, rev 0x00c6, size 99328
+ sig 0x000706a1, pf_mask 0x01, 2018-05-22, rev 0x0028, size 73728
+ sig 0x000806e9, pf_mask 0xc0, 2018-03-24, rev 0x008e, size 98304
+ sig 0x000806ea, pf_mask 0xc0, 2018-05-15, rev 0x0096, size 98304
+ sig 0x000906e9, pf_mask 0x2a, 2018-03-24, rev 0x008e, size 98304
+ sig 0x000906ea, pf_mask 0x22, 2018-05-02, rev 0x0096, size 97280
+ sig 0x000906eb, pf_mask 0x02, 2018-03-24, rev 0x008e, size 98304
+ + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation)
+ Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646
+ + Implements SSBD support (Spectre v4 mitigation),
+ Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix)
+ Intel SA-00115, CVE-2018-3639, CVE-2018-3640
+ + Implements IBRS/IBPB/STIPB support, Spectre v2 mitigation for older
+ processors with signatures 0x106a5, 0x106e5, 0x20652, 0x20655.
+ Intel SA-0088, CVE-2017-5753, CVE-2017-5754
+ * source: update symlinks to reflect id of the latest release, 20180807a
+ * debian/intel-microcode.docs: ship license and releasenote upstream files.
+ * debian/changelog: update entry for 3.20180703.1 with L1TF information
+
+ [ Julian Andres Klode ]
+ * initramfs: include all microcode for MODULES=most.
+ Default to early instead of auto, and install all of the microcode,
+ not just the one matching the current CPU, if MODULES=most is set
+ in the initramfs-tools config (LP: #1778738)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 24 Aug 2018 08:53:53 -0300
+
+intel-microcode (3.20180703.2) unstable; urgency=medium
+
+ * source: fix badly named symlink that resulted in most microcode
+ updates not being shipped in the binary package. Oops!
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 05 Jul 2018 14:26:36 -0300
+
+intel-microcode (3.20180703.1) unstable; urgency=medium
+
+ * New upstream microcode data file 20180703 (closes: #903018)
+ + Updated Microcodes:
+ sig 0x000206d6, pf_mask 0x6d, 2018-05-08, rev 0x061d, size 18432
+ sig 0x000206d7, pf_mask 0x6d, 2018-05-08, rev 0x0714, size 19456
+ sig 0x000306e4, pf_mask 0xed, 2018-04-25, rev 0x042d, size 15360
+ sig 0x000306e7, pf_mask 0xed, 2018-04-25, rev 0x0714, size 17408
+ sig 0x000306f2, pf_mask 0x6f, 2018-04-20, rev 0x003d, size 33792
+ sig 0x000306f4, pf_mask 0x80, 2018-04-20, rev 0x0012, size 17408
+ sig 0x000406f1, pf_mask 0xef, 2018-04-19, rev 0xb00002e, size 28672
+ sig 0x00050654, pf_mask 0xb7, 2018-05-15, rev 0x200004d, size 31744
+ sig 0x00050665, pf_mask 0x10, 2018-04-20, rev 0xe00000a, size 18432
+ + First batch of fixes for: Intel SA-00115, CVE-2018-3639, CVE-2018-3640,
+ Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646
+ + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation),
+ SSBD support (Spectre-v4 mitigation) and fix Spectre-v3a for:
+ Sandybridge server, Ivy Bridge server, Haswell server, Skylake server,
+ Broadwell server, a few HEDT Core i7/i9 models that are actually gimped
+ server dies.
+ * source: update symlinks to reflect id of the latest release, 20180703
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 05 Jul 2018 10:03:53 -0300
+
+intel-microcode (3.20180425.1) unstable; urgency=medium
+
+ * New upstream microcode data file 20180425 (closes: #897443, #895878)
+ + Updated Microcodes:
+ sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb00002c, size 27648
+ sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
+ + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
+ + Note that sig 0x000604f1 has been blacklisted from late-loading
+ since Debian release 3.20171117.1.
+ * source: remove undesired list files from microcode directories
+ * source: switch to microcode-<id>.d/ since Intel dropped .dat
+ support.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 02 May 2018 16:48:44 -0300
+
+intel-microcode (3.20180312.1) unstable; urgency=medium
+
+ * New upstream microcode data file 20180312 (closes: #886367)
+ + New Microcodes:
+ sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
+ sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009, size 18432
+ + Updated Microcodes:
+ sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
+ sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
+ sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
+ sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
+ sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
+ sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
+ sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
+ sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
+ sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
+ sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
+ sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
+ sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
+ sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
+ sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+ sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
+ sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
+ sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012, size 22528
+ sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011, size 22528
+ sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
+ sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
+ sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
+ sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
+ sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
+ sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
+ + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation for:
+ Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
+ Coffee Lake
+ + Missing production updates:
+ + Broadwell-E/EX Xeons (sig 0x406f1)
+ + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
+ Gemini Lake, Denverton
+ * Update past changelog entries with new information:
+ Intel already had all necessary semanthics in LFENCE, so the
+ Spectre-related Intel microcode changes did not need to enhance LFENCE.
+ * debian/control: update Vcs-* fields for the move to salsa.debian.org
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 14 Mar 2018 09:21:24 -0300
+
+intel-microcode (3.20180108.1+really20171117.1) unstable; urgency=critical
+
+ * Revert to release 20171117, as per Intel instructions issued to
+ the public in 2018-01-22 (closes: #886998)
+ * This effectively removes IBRS/IBPB/STIPB microcode support for
+ Spectre variant 2 mitigation.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 22 Jan 2018 23:01:59 -0200
+
+intel-microcode (3.20180108.1) unstable; urgency=high
+
+ * New upstream microcode data file 20180108 (closes: #886367)
+ + Updated Microcodes:
+ sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
+ sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
+ sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
+ sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
+ sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
+ sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
+ sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
+ sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
+ sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+ sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
+ sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
+ sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
+ sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
+ sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
+ sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
+ sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
+ sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
+ sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
+ sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
+ + Implements IBRS/IBPB support: mitigation against Spectre (CVE-2017-5715)
+ + Very likely fixes several other errata on some of the processors
+ * supplementary-ucode-CVE-2017-5715.d/: remove.
+ + Downgraded microcodes:
+ sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
+ sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
+ + Recall related to bug #886998
+ * source: remove superseded upstream data file: 20171117
+ * README.Debian, copyright: update download URLs (closes: #886368)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 10 Jan 2018 00:23:44 -0200
+
+intel-microcode (3.20171215.1) unstable; urgency=high
+
+ * Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367)
+ New upstream microcodes to partially address CVE-2017-5715
+ + Updated Microcodes:
+ sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
+ sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
+ sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
+ sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
+ sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+ sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
+ sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
+ sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
+ sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
+ sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
+ * Implements IBRS and IBPB support via new MSR (Spectre variant 2
+ mitigation, indirect branches). Support is exposed through cpuid(7).EDX.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 04 Jan 2018 23:04:38 -0200
+
+intel-microcode (3.20171117.1) unstable; urgency=medium
+
+ * New upstream microcode data file 20171117
+ + New Microcodes:
+ sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
+ sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
+ sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
+ sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
+ + Updated Microcodes:
+ sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
+ sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
+ * source: remove superseded upstream data file: 20170707.
+ * source: remove unneeded intel-ucode/ directory for 20171117.
+ * debian/control: bump standards version to 4.1.1 (no changes)
+ * Makefile: rename microcode-extras.pbin to microcode-includes.pbin.
+ * README.source: fix IUC_EXCLUDE example and minor issues.
+ * Makefile, README.souce: support loading ucode from directories.
+ * debian/rules: switch to dh mode (debhelper v9)
+ * ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late
+ loading.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 18 Nov 2017 18:55:09 -0200
+
+intel-microcode (3.20170707.1) unstable; urgency=high
+
+ * New upstream microcode datafile 20170707
+ + New Microcodes:
+ sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
+ sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280
+ sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232
+ sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280
+ + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/
+ SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby
+ Lake and Skylake processors: Skylake D0/R0 were fixed since the
+ previous upstream release (20170511). This new release adds the
+ fixes for Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X).
+ + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0
+ (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9)
+ * source: remove unneeded intel-ucode/ directory
+ * source: remove superseded upstream data file: 20170511
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 08 Jul 2017 19:04:27 -0300
+
+intel-microcode (3.20170511.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20170511
+ + Updated Microcodes:
+ sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
+ sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408
+ sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768
+ sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384
+ sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480
+ sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576
+ sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264
+ sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304
+ sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
+ sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304
+ + This release fixes undisclosed errata on the desktop, mobile and
+ server processor models from the Haswell, Broadwell, and Skylake
+ families, including even the high-end multi-socket server Xeons
+ + Likely fix the TSC-Deadline LAPIC errata (BDF89, SKL142 and
+ similar) on several processor families
+ + Fix erratum BDF90 on Xeon E7v4, E5v4(?) (closes: #862606)
+ + Likely fix serious or critical Skylake errata: SKL138/144,
+ SKL137/145, SLK149
+ * Likely fix nightmare-level Skylake erratum SKL150. Fortunately,
+ either this erratum is very-low-hitting, or gcc/clang/icc/msvc
+ won't usually issue the affected opcode pattern and it ends up
+ being rare.
+ SKL150 - Short loops using both the AH/BH/CH/DH registers and
+ the corresponding wide register *may* result in unpredictable
+ system behavior. Requires both logical processors of the same
+ core (i.e. sibling hyperthreads) to be active to trigger, as
+ well as a "complex set of micro-architectural conditions"
+ * source: remove unneeded intel-ucode/ directory
+ Since release 20170511, upstream ships the microcodes both in .dat
+ format, and as Linux-style split /lib/firmware/intel-ucode files.
+ It is simpler to just use the .dat format file for now, so remove
+ the intel-ucode/ directory. Note: before removal, it was verified
+ that there were no discrepancies between the two microcode sets
+ (.dat and intel-ucode/)
+ * source: remove superseded upstream data file: 20161104
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 15 May 2017 15:12:25 -0300
+
+intel-microcode (3.20161104.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20161104
+ + New Microcodes:
+ sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x700000d, size 20480
+ sig 0x00050664, pf_mask 0x10, 2016-06-02, rev 0xf00000a, size 21504
+ + Updated Microcodes:
+ sig 0x000306f2, pf_mask 0x6f, 2016-10-07, rev 0x0039, size 32768
+ sig 0x000406f1, pf_mask 0xef, 2016-10-07, rev 0xb00001f, size 25600
+ + Removed Microcodes:
+ sig 0x000106e4, pf_mask 0x09, 2013-07-01, rev 0x0003, size 6144
+ + This update fixes critical errata on Broadwell-DE V2/Y0 (Xeon
+ D-1500 family), including one that can crash VMWare ESXi 6 with
+ #PF (VMWare KB2146388), and could affect Linux as well. This same
+ issue was fixed for the E5v4 Xeons in release 20160607
+ + This update fixes undisclosed (and likely critical) errata on
+ Broadwell-E Core i7-68xxK/69xxK/6950X, Broadwell-EP/EX B0/R0/M0
+ Xeon E5v4 and Xeon E7v4, and Haswell-EP Xeon E5v3
+ + This release deletes the microcode update for the Jasper Forest
+ embedded Xeons (Xeon EC35xx/LC35xx/EC35xx/LC55xx), for undisclosed
+ reasons. The deleted microcode is outdated when compared with the
+ updates for the other Nehalem Xeons
+ * Makefile: always exclude microcode sig 0x206c2 just in case
+ Intel is quite clear in the Intel SA-00030 advisory text that recent
+ revisions (0x14 and later?) of the 0x206c2 microcode updates must be
+ installed along with updated SINIT ACM on vPro systems (i.e. through
+ an UEFI/BIOS firmware update). This is a defensive change so that we
+ don't ship such a microcode update in the future by mistake
+ * source: remove partially superseded upstream data file: 20160714
+ * source: remove superseded upstream data file: 20101123
+ * changelog: replace "pf mask" with "pf_mask"
+ * control, compat: switch debhelper compatibility level to 9
+ * control: bump standards-version, no changes required
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 09 Nov 2016 20:35:57 -0200
+
+intel-microcode (3.20160714.1) unstable; urgency=medium
+
+ * New upstream microcode datafile 20160714
+ + Updated Microcodes:
+ sig 0x000306f4, pf mask 0x80, 2016-06-07, rev 0x000d, size 15360
+ sig 0x000406e3, pf mask 0xc0, 2016-06-22, rev 0x009e, size 97280
+ sig 0x000406f1, pf mask 0xef, 2016-06-06, rev 0xb00001d, size 25600
+ sig 0x000506e3, pf mask 0x36, 2016-06-22, rev 0x009e, size 97280
+ + This release hopefully fixes a hang when updating the microcode on
+ some Skylake-U D-1/Skylake-Y D-1 (sig 0x406e3, pf 0x80) systems
+ * source: remove superseded upstream data file: 20160607
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 21 Jul 2016 19:04:09 -0300
+
+intel-microcode (3.20160607.2) unstable; urgency=low
+
+ * REMOVE microcode:
+ sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256
+ (closes: #828819)
+ * The Core i7-6500U and m3-6Y30 processors (Skylake-UY D-1,
+ sig=0x406e3, pf=0x80) may hang while attempting an early microcode
+ update to revision 0x8a, apparently due to some sort of firmware
+ dependency. On affected systems, the only way to avoid the issue is
+ to get a firmware update that includes microcode revision 0x8a or
+ later. At this time, there are reports of both sucessful and failed
+ updates on the m3-6Y30, and only of failed updates on the i7-6500U.
+ There are no reports about Skylake-U K-1 (pf=0x40).
+ + WARNING: it is unsafe to use a system based on an Intel Skylake-U/Y
+ processor with microcode earlier than revision 0x8a, due to several
+ critical errata that cause unpredictable behavior, data corruption,
+ and other problems. Users *must* update their firmware to get
+ microcode 0x8a or newer, and keep it up-to-date.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 08 Jul 2016 22:54:26 -0300
+
+intel-microcode (3.20160607.1) unstable; urgency=medium
+
+ * New upstream microcode data file 20160607
+ + New Microcodes:
+ sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256
+ sig 0x000406f1, pf mask 0xef, 2016-05-20, rev 0xb00001c, size 25600
+ sig 0x00050662, pf mask 0x10, 2015-12-12, rev 0x000f, size 28672
+ sig 0x000506e3, pf mask 0x36, 2016-04-06, rev 0x008a, size 96256
+ + Updated Microcodes:
+ sig 0x000306c3, pf mask 0x32, 2016-03-16, rev 0x0020, size 22528
+ sig 0x000306d4, pf mask 0xc0, 2016-04-29, rev 0x0024, size 17408
+ sig 0x000306f2, pf mask 0x6f, 2016-03-28, rev 0x0038, size 32768
+ sig 0x000306f4, pf mask 0x80, 2016-02-11, rev 0x000a, size 15360
+ sig 0x00040651, pf mask 0x72, 2016-04-01, rev 0x001f, size 20480
+ sig 0x00040661, pf mask 0x32, 2016-04-01, rev 0x0016, size 24576
+ sig 0x00040671, pf mask 0x22, 2016-04-29, rev 0x0016, size 11264
+ * source: remove superseded upstream data file: 20151106.
+ * control: change upstream URL to a search for "linux microcode"
+ Unfortunately, many of the per-processor-model feeds have not been
+ updated for microcode release 20160607. Switch to the general search
+ page as the upstream URL.
+ * README.Debian: fix duplicated word 'to'
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 23 Jun 2016 12:17:03 -0300
+
+intel-microcode (3.20151106.2) unstable; urgency=medium
+
+ * Makefile: make the build less verbose.
+ * debian/changelog: fix error in past entry.
+ Correct the version of the microcode that caused bug #776431,
+ in the entry for version 3.20150121.1.
+ * initramfs: don't force_load microcode.ko when missing.
+ Detect a missing microcode.ko and don't attempt to force_load() it,
+ otherwise we get spurious warnings at boot. In verbose mode, log the
+ fact that the microcode driver is modular. For Linux 4.4 and later,
+ skip the entire module loading logic, since the microcode driver cannot
+ be modular for those kernels (closes: #814301).
+ * initramfs: update copyright notice
+ * initramfs: use iucode_tool -l for verbose mode
+ * README.Debian: enhance and add recovery instructions.
+ Rewrite large parts of the README.Debian document, and add recovery
+ instructions (use of the "dis_ucode_ldr" kernel parameter).
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 17 Apr 2016 12:38:12 -0300
+
+intel-microcode (3.20151106.1) unstable; urgency=medium
+
+ * New upstream microcode data file 20151106
+ + New Microcodes:
+ sig 0x000306f4, pf mask 0x80, 2015-07-17, rev 0x0009, size 14336
+ sig 0x00040671, pf mask 0x22, 2015-08-03, rev 0x0013, size 11264
+ + Updated Microcodes:
+ sig 0x000306a9, pf mask 0x12, 2015-02-26, rev 0x001c, size 12288
+ sig 0x000306c3, pf mask 0x32, 2015-08-13, rev 0x001e, size 21504
+ sig 0x000306d4, pf mask 0xc0, 2015-09-11, rev 0x0022, size 16384
+ sig 0x000306f2, pf mask 0x6f, 2015-08-10, rev 0x0036, size 30720
+ sig 0x00040651, pf mask 0x72, 2015-08-13, rev 0x001d, size 20480
+ * This massive Haswell + Broadwell (and related Xeons) update fixes
+ several critical errata, including the high-hitting BDD86/BDM101/
+ HSM153(?) which triggers an MCE and locks the processor core
+ (LP: #1509764)
+ * Might fix critical errata BDD51, BDM53 (TSX-related)
+ * source: remove superseded upstream data file: 20150121
+ * Add support for supplementary microcode bundles:
+ + README.source: update and mention supplementary microcode
+ + Makefile: support supplementary microcode
+ Add support for supplementary microcode bundles, which (unlike .fw
+ microcode override files) can be superseded by a higher revision
+ microcode from the latest regular microcode bundle. Also, fix the
+ "oldies" target to have its own exclude filter (IUC_OLDIES_EXCLUDE)
+ * Add support for x32 arch:
+ + README.source: mention x32
+ + control,rules: enable building on x32 arch (Closes: #777356)
+ * ucode-blacklist: add Broadwell and Haswell-E signatures
+ Add a missing signature for Haswell Refresh (Haswell-E) to the "must
+ be updated only by the early microcode update driver" list. There is
+ at least one report of one of the Broadwell microcode updates disabling
+ TSX-NI, so add them as well just in case
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 09 Nov 2015 23:07:32 -0200
+
+intel-microcode (3.20150121.1) unstable; urgency=critical
+
+ * New upstream microcode data file 20150121
+ * Downgraded microcodes (to a previously shipped revision):
+ sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672
+ * The microcode downgrade fixes a very nasty regression on Xeon E5v3
+ processors (closes: #776431)
+ * critical urgency: the broken sig 0x306f2, rev 0x2d microcode shipped
+ in release 20150107 caused CPU core hangs and Linux boot failures.
+ The upstream fix was to downgrade it to the same microcode revision
+ that was shipped in release 20140913
+ * source: remove superseded upstream data file: 20150107.
+ * initramfs.hook: do not mix arrays and lists.
+ Avoid echo "foo $@", use echo "foo $*" instead. This is unlikely
+ to be expÄŗoitable, but it makes ShellCheck happier.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 28 Jan 2015 20:03:20 -0200
+
+intel-microcode (3.20150107.1) unstable; urgency=high
+
+ * New upstream microcode data file 20150107
+ + New Microcodes:
+ sig 0x000306d4, pf mask 0xc0, 2014-12-05, rev 0x0018, size 14336
+ + Updated Microcodes:
+ sig 0x000306f2, pf mask 0x6f, 2014-11-21, rev 0x002d, size 28672
+ + High urgency: there are fast-tracked microcode updates in this
+ release which imply that critical errata are being fixed
+ * source: remove superseded upstream data file: 20140913
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 18 Jan 2015 00:30:11 -0200
+
+intel-microcode (3.20140913.1) unstable; urgency=low
+
+ * New upstream microcode data file 20140913
+ + New Microcodes:
+ sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672
+ + Updated Microcodes:
+ sig 0x000306c3, pf mask 0x32, 2014-07-03, rev 0x001c, size 21504
+ sig 0x00040651, pf mask 0x72, 2014-07-03, rev 0x001c, size 20480
+ sig 0x00040661, pf mask 0x32, 2014-07-03, rev 0x0012, size 23552
+ + WARNING: UNSAFE TO BE APPLIED AT RUNTIME (lp#1370352)
+ * Microcode updates are now applied only through the early initramfs
+ + Bump major version number
+ + Requires Linux kernel v3.10 or later, other kernels unsupported
+ + postinst: don't apply microcode update
+ + kernel preinst: stop loading microcode module
+ + modprobe.d: blacklist microcode module from autoloading outside
+ of the initramfs. Still load it inside the initramfs for logging
+ + initramfs: always use early initramfs mode, reject kernels before
+ v3.10
+ + README.Debian, NEWS.Debian: update
+ * add a microcode best-effort blacklist. This is a reactive blacklist
+ which renames problematic microcode data files in such a way they
+ will only be used for the [early] initramfs. Use it to blacklist
+ all Haswell microcode updates
+ * Allow a non-Intel box to generate an early initramfs with microcode
+ for an Intel box if the /etc/default/intel-microcode defaults are
+ changed:
+ + postinst: always attempt to update the initramfs
+ + initramfs: on auto mode, do nothing in a non-intel box. In
+ forced "early" mode, attempt to run iucode-tool. This will do
+ nothing (add no microcode) unless the default configuration is
+ changed in /etc/default/intel-microcode
+ + default: update comments
+ * source: remove superseded upstream data file: 20140624
+ * README.source: remove information about lenny, oldstable
+ * debian/control: bump standards vesion to 3.9.6
+ * lintian-overrides: remove
+ * debian/copyright: update upstream copyright dates
+ * postrm: avoid use of test -a
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 19 Oct 2014 15:23:13 -0200
+
+intel-microcode (2.20140624.1) unstable; urgency=high
+
+ * New upstream microcode data file 20140624
+ + Updated Microcodes:
+ sig 0x000306a9, pf mask 0x12, 2014-05-29, rev 0x001b, size 12288
+ sig 0x000306c3, pf mask 0x32, 2014-05-23, rev 0x001a, size 20480
+ sig 0x000306e4, pf mask 0xed, 2014-05-29, rev 0x0428, size 13312
+ sig 0x000306e7, pf mask 0xed, 2014-05-29, rev 0x070d, size 15360
+ sig 0x00040651, pf mask 0x72, 2014-05-23, rev 0x0018, size 19456
+ sig 0x00040661, pf mask 0x32, 2014-05-23, rev 0x0010, size 23552
+ + High urgency: there are fast-tracked microcode updates in this
+ release which imply that critical errata are being fixed
+ * Intel strongly suggests that this CPU microcode update be applied
+ to all Ivy Bridge, Haswell, and Broadwell processors (thanks to
+ Canonical for the warning, refer to LP#1335156)
+ * This update is reported to better fix the errata addressed by the
+ 20140430 update (refer to LP#1335156)
+ * source: remove superseded upstream data file: 20140430
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 27 Jun 2014 16:35:12 -0300
+
+intel-microcode (2.20140430.1) unstable; urgency=low
+
+ * New upstream microcode data file 20140430
+ + New microcodes:
+ sig 0x000306e7, pf mask 0xed, 2014-04-14, rev 0x070c, size 15360
+ + Updated microcodes:
+ sig 0x000306e4, pf mask 0xed, 2014-04-10, rev 0x0427, size 12288
+ * source: remove superseded upstream data file: 20140122
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 03 May 2014 14:21:27 -0300
+
+intel-microcode (2.20140122.1) unstable; urgency=low
+
+ * New upstream microcode data file 20140122
+ + New Microcodes:
+ sig 0x00040661, pf mask 0x32, 2013-08-21, rev 0x000f, size 23552
+ + Updated Microcodes:
+ sig 0x000106e5, pf mask 0x13, 2013-08-20, rev 0x0007, size 7168
+ sig 0x000306c3, pf mask 0x32, 2013-08-16, rev 0x0017, size 20480
+ sig 0x000306e4, pf mask 0xed, 2013-07-09, rev 0x0416, size 11264
+ sig 0x00040651, pf mask 0x72, 2013-09-14, rev 0x0017, size 19456
+ * source: remove superseded upstream data file: 20130906
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 01 Feb 2014 15:39:03 -0200
+
+intel-microcode (2.20130906.1) unstable; urgency=high
+
+ * New upstream microcode data file 20130906
+ + Updated Microcodes:
+ sig 0x000306c3, pf mask 0x32, 2013-08-07, rev 0x0016, size 20480
+ sig 0x00040651, pf mask 0x72, 2013-08-08, rev 0x0016, size 19456
+ + Updated Microcodes (recently removed):
+ sig 0x000106e4, pf mask 0x09, 2013-07-01, rev 0x0003, size 6144
+ * This microcode release *likely* fixes the security issues addressed by
+ the 20130808 update for signature 0x106e4 (Xeon EC3500/EC5500/LC3500/
+ LC5500, Jasper Forest core), which was missing from the 20130808 update
+ * upstream changelog: trim down, sunrise now at 20080220, the first
+ microcode pack with a license that allows redistribution
+ * debian/control: recommend initramfs-tools (>= 0.113~) for backports
+ * cpu-signatures.txt: Xeon nocona cores are 64-bit, ship for amd64 arch
+ * source: remove superseded upstream data file: 20130808
+ * postinst: fix kernel version check for blacklist
+ Distro kernels have version strings that make it hard to get the real
+ kernel version, so we have to blacklist by branches only. We were
+ refusing to update the kernel on postinst for users of Debian stable's
+ kernel because of this issue
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 21 Sep 2013 20:35:47 -0300
+
+intel-microcode (2.20130808.1) unstable; urgency=high
+
+ * Reupload, high severity, no changes
+ * Bump major version number. I will need this so that I can track two
+ separate branches for Wheezy: branch 1.x will target stable-updates (no
+ early firmware support), while branch 2.x will target stable-backports,
+ testing and unstable. This major version bump should have been done for
+ the 1.20130222.3 upload in hindsight.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 17 Aug 2013 10:56:45 -0300
+
+intel-microcode (1.20130808.2) unstable; urgency=high
+
+ * Reupload with high severity. This microcode update has been documented
+ by Intel to fix a severe security issue (refer to LP bug 1212497);
+ This update is known to fix several nasty errata on 3rd-gen and
+ 4th-gen Core i3/i5/i7, and Xeon 5500 and later, including but not
+ limited to:
+ + AAK167/BT248: Virtual APIC accesses with 32-bit PAE paging
+ may cause system crash
+ + AAK170/BT246: The upper 32 bits of CR3 may be incorrectly used
+ with 32-bit paging
+ * Erratum AAK167/BT248 is nasty: "If a logical processor has EPT (Extended
+ Page Tables) enabled, is using 32-bit PAE paging, and accesses the
+ virtual-APIC page then a complex sequence of internal processor
+ micro-architectural events may cause an incorrect address translation or
+ machine check on either logical processor. This erratum may result in
+ unexpected faults, an uncorrectable TLB error logged in
+ IA32_MCi_STATUS.MCACOD (bits [15:0]), a guest or hypervisor crash, or
+ other unpredictable system behavior"
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 16 Aug 2013 21:10:12 -0300
+
+intel-microcode (1.20130808.1) unstable; urgency=low
+
+ * New upstream microcode data file 20130808
+ + New Microcodes:
+ sig 0x000306c3, pf mask 0x32, 2013-07-02, rev 0x0012, size 19456
+ sig 0x000306e4, pf mask 0xed, 2013-06-13, rev 0x0415, size 11264
+ sig 0x000306e6, pf mask 0xed, 2013-06-19, rev 0x0600, size 11264
+ sig 0x00040651, pf mask 0x72, 2013-07-02, rev 0x0015, size 18432
+ + Updated Microcodes (removed in the past):
+ sig 0x000106a5, pf mask 0x03, 2013-06-21, rev 0x0019, size 10240
+ + Updated Microcodes:
+ sig 0x000106a4, pf mask 0x03, 2013-06-21, rev 0x0012, size 14336
+ sig 0x000106e5, pf mask 0x13, 2013-07-01, rev 0x0006, size 7168
+ sig 0x00020652, pf mask 0x12, 2013-06-26, rev 0x000e, size 8192
+ sig 0x00020655, pf mask 0x92, 2013-06-28, rev 0x0004, size 3072
+ sig 0x000206a7, pf mask 0x12, 2013-06-12, rev 0x0029, size 10240
+ sig 0x000206d7, pf mask 0x6d, 2013-06-17, rev 0x0710, size 17408
+ sig 0x000206f2, pf mask 0x05, 2013-06-18, rev 0x0037, size 13312
+ sig 0x000306a9, pf mask 0x12, 2013-06-13, rev 0x0019, size 12288
+ + Removed Microcodes:
+ sig 0x000106e4, pf mask 0x09, 2010-03-08, rev 0x0002, size 5120
+ * Remove from the source package an unused upstream microcode bundle,
+ which has been completely superseded by later bundles:
+ microcode-20130222.dat
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 15 Aug 2013 20:18:32 -0300
+
+intel-microcode (1.20130222.6) unstable; urgency=low
+
+ * initramfs, postinst: don't do anything on non-Intel systems
+ * initramfs, postinst: blacklist several kernel versions (closes: #716917)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 20 Jul 2013 10:46:59 -0300
+
+intel-microcode (1.20130222.5) unstable; urgency=low
+
+ * debian/control: depend on iucode-tool, and shorten description
+ * initramfs hook: several auto mode fixes
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 03 Jul 2013 19:55:13 -0300
+
+intel-microcode (1.20130222.4) unstable; urgency=low
+
+ * initramfs: fix xargs error when iucode-tool is not installed
+ in the early firmware update mode code path (closes: #712943)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 20 Jun 2013 22:07:04 -0300
+
+intel-microcode (1.20130222.3) unstable; urgency=low
+
+ * initramfs: add support for early firmware update
+ Add support to update microcode during early kernel startup, requires
+ Linux 3.9 or later with CONFIG_MICROCODE_INTEL_EARLY enabled.
+ This also requires initramfs-tools 0.113 or later, as well as iucode-tool
+ 1.0 or later. We fallback to late initramfs mode if outdated versions of
+ initramfs-tools or iucode-tool are installed.
+ * Update README.Debian and NEWS.Debian for early updates
+ * debian/control: update recommends for early-fw support
+ Recommend iucode-tool v1.0 or later and initramfs-tools 0.113, and
+ update the explanation in the package description accordingly.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 19 Jun 2013 22:15:46 -0300
+
+intel-microcode (1.20130222.2) unstable; urgency=low
+
+ * kernel preinst: simplify and load microcode and cpuid modules
+ * postinst: attempt to load microcode module (closes: #692535)
+ * Makefile: Use the -s! and --loose-date-filtering facilities added to
+ iucode_tool v0.9 to better implement the selection of legacy microcode,
+ and to fix the support for IUC_INCLUDE, which was non-functional.
+ * debian/control: build-depend on iucode-tool (>= 0.9)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 27 Mar 2013 16:39:06 -0300
+
+intel-microcode (1.20130222.1) unstable; urgency=low
+
+ * New upstream microcode data file 20130222 (closes: #702152)
+ + Updated Microcodes:
+ sig 0x000306a9, pf mask 0x12, 2013-01-09, rev 0x0017, size 11264
+ * Remove from the source package an unused microcode data file, which
+ was completely superseded by later ones: microcode-20120606-v2.dat
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 03 Mar 2013 16:59:35 -0300
+
+intel-microcode (1.20120606.v2.2) unstable; urgency=medium
+
+ * initramfs: work around initramfs-tools bug #688794.
+ Use "_" in place of "+-." for the initramfs script name. This works
+ around a PANIC during boot when the initramfs was created in a system
+ with noexec $TMPDIR.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 09 Oct 2012 07:43:37 -0300
+
+intel-microcode (1.20120606.v2.1) unstable; urgency=medium
+
+ * New upstream microcode data file 20120606-v2 (2012-10-01)
+ + Updated Microcodes:
+ sig 0x000206d6, pf mask 0x6d, 2012-05-22, rev 0x0619, size 16384
+ sig 0x000206d7, pf mask 0x6d, 2012-05-22, rev 0x070d, size 16384
+ sig 0x000306a9, pf mask 0x12, 2012-07-16, rev 0x0013, size 11264
+ + Updated Microcodes (recently removed):
+ sig 0x000206f2, pf mask 0x05, 2012-04-12, rev 0x0036, size 12288
+ * Remove from the source package some unused upstream microcode bundles,
+ which were completely superseded by later ones: microcode-20080401.dat,
+ microcode-20090330.dat, microcode-20090927.dat, microcode-20100209.dat,
+ microcode-20110428.dat, microcode-20111110.dat.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 08 Oct 2012 14:56:17 -0300
+
+intel-microcode (1.20120606.6) unstable; urgency=medium
+
+ * debian/control: conflicts with microcode.ctl (<< 1.18~0)
+ microcode.ctl (1.18~0+nmu1) is a transitional package.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 02 Sep 2012 17:46:39 -0300
+
+intel-microcode (1.20120606.5) unstable; urgency=low
+
+ * debian/copyright: correct statement.
+ * debian/control: use i686 instead of IA32 in package description.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 29 Aug 2012 19:33:14 -0300
+
+intel-microcode (1.20120606.4) unstable; urgency=low
+
+ * README.Debian: mention module-init-tools, not just kmod. This
+ is useful when backporting to Debian Squeeze.
+ * initramfs: make sure we modprobe cpuid early.
+ Provide an /etc/kernel/preinst.d hook to modprobe the cpuid module
+ before an in-place kernel upgrade makes it impossible to do so at
+ initramfs rebuild time. This is only done when dev/cpuid is not yet
+ available, IUCODE_TOOL_SCANCPUS is active, and iucode-tool is
+ installed. Thanks to Philipp Kern for the report.
+ * NEWS.Debian: document failures with in-place kernel upgrades
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 11 Aug 2012 19:35:46 -0300
+
+intel-microcode (1.20120606.3) unstable; urgency=low
+
+ * initramfs: while creating the initramfs, if we need to iucode_tool
+ --scan-system, attempt to modprobe cpuid if cpu/cpuid device is missing,
+ and report an error if it doesn't work. Thanks to Sebastian Andrzej
+ Siewior for a good suggestion on how to fix it (closes: #683161)
+ * README.Debian: add "modprobe cpuid" to example
+ * debian/control: use better Vcs-browser URI that is properly
+ handled by the current alioth redirector.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 29 Jul 2012 11:09:44 -0300
+
+intel-microcode (1.20120606.2) unstable; urgency=low
+
+ * Fix README.source to reflect that cpu-signatures.txt processing
+ was moved to the toplevel Makefile
+ * Update diff-latest-pack.sh to really find iucode_tool
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 21 Jul 2012 18:10:47 -0300
+
+intel-microcode (1.20120606.1) unstable; urgency=low
+
+ * Change to ABI 1:
+ + Ship binary microcode in /lib/firmware
+ + Add initramfs helpers to install and load binary microcode on boot
+ + Call update-initramfs on package upgrades and removals
+ + Use non-deprecated kernel interface to interact with kernel
+ (sysfs+fw loader)
+ * Include microcode for older processors. This should help some
+ older boxes for which microcode was not being shipped by Intel
+ anymore but which still have users, with the trade-off that we
+ will also ship some useless and mostly useless microcode
+ * Do not ship i686-only microcode in the amd64 binary package. We
+ still ship all microcode in the i386 binary package, to support
+ 64bit processors running i?86 userspace transparently
+ * Switch myself to maintainer, and Giacomo to uploader to better
+ reflect who is responsible for any bugs this could cause...
+ * Switch to the 3.0 (native) package format as it doesn't make practical
+ sense to base the source package on the Intel upstream tarball anymore
+ because we use all past Intel microcode releases as source
+ + Use xz to compress the tarball, it does a _much_ better job than
+ bzip2 and gzip for this package
+ + Override lintian warning about switch to native packaging, as it was
+ done on purpose. It can be removed in the future
+ * Drop CDBS, switch to classic (less obfuscated/much better documented)
+ debhelper build
+ * Switch to debhelper v7, which is good enough for Debian Lenny and later
+ don't use a newer mode for now, to facilitate backporting
+ * Document in README.source:
+ + this package must be trivial to backport to oldstable and stable
+ (i.e. Debian Lenny and Debian Squeeze ATM)
+ + how to add new upstream microcode packs and microcode overrides
+ + other relevant details related to the lack of Intel changelogs
+ * Build-Depend on iucode-tool to handle binary microcode, merge
+ microcode packs and overrides, and split into firmware files
+ * Drop support for microcode.ctl, as it cannot handle binary
+ microcode or the non-deprecated kernel interface
+ * Update package short and long descriptions
+ * Add a NEWS file to explain all the behaviour changes
+ * Recommend iucode-tool to support optional selective microcode
+ selection for the initramfs (reduces microcode size greatly)
+ * Change to priority: standard. This package should be installed in
+ every Intel-based Debian system, which is unfortunately impossible
+ since it is non-free, but at least mark it as such
+ * add debian/diff-latest-pack.sh utility (not shipped in the binary
+ package) to help produce the "upstream changelogs"
+ * debian/control: add Vcs-* fields
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 13 Jul 2012 15:23:23 -0300
+
+intel-microcode (0.20120606-1) unstable; urgency=medium
+
+ * New upstream data file: microcode-20120606
+ + New Microcodes:
+ sig 0x00020661, pf mask 0x02, 2011-07-18, rev 0x0105, size 5120
+ sig 0x000206d7, pf mask 0x6d, 2012-04-03, rev 0x070c, size 16384
+ sig 0x000306a9, pf mask 0x12, 2012-04-12, rev 0x0012, size 11264
+ + Updated Microcodes:
+ sig 0x000106e5, pf mask 0x13, 2011-09-01, rev 0x0005, size 6144
+ sig 0x000206a7, pf mask 0x12, 2012-04-24, rev 0x0028, size 9216
+ sig 0x000206d6, pf mask 0x6d, 2012-04-18, rev 0x0618, size 16384
+ + Removed Microcodes (recently updated):
+ sig 0x000206f2, pf mask 0x05, 2011-08-31, rev 0x0034, size 12288
+ * Fixes precise-event based sampling (PEBS) on Sandy Bridge processors
+ (http://lkml.org/lkml/2012/6/7/145)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 09 Jun 2012 00:44:12 -0300
+
+intel-microcode (0.20111110-1) unstable; urgency=low
+
+ * New upstream data file: microcode-20111110
+ + New Microcodes:
+ sig 0x000206d6, pf mask 0x6d, 2011-09-29, rev 0x060c, size 15360
+ + Updated Microcodes:
+ sig 0x00020652, pf mask 0x12, 2011-09-01, rev 0x000d, size 7168
+ sig 0x00020655, pf mask 0x92, 2011-09-01, rev 0x0003, size 2048
+ sig 0x000206a7, pf mask 0x12, 2011-10-11, rev 0x0025, size 9216
+ sig 0x000206f2, pf mask 0x05, 2011-08-31, rev 0x0034, size 12288
+ + Removed Microcodes (recently added):
+ sig 0x00030661, pf mask 0x02, 2011-06-23, rev 0x0106, size 5120
+ sig 0x00030661, pf mask 0x04, 2011-06-23, rev 0x0106, size 5120
+ sig 0x00030661, pf mask 0x08, 2011-06-23, rev 0x0106, size 5120
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 24 Dec 2011 18:17:05 -0200
+
+intel-microcode (0.20110915-1) unstable; urgency=low
+
+ * New upstream data file: microcode-20110915
+ + New Microcodes:
+ sig 0x000206f2, pf mask 0x05, 2011-07-21, rev 0x0032, size 12288
+ sig 0x00030661, pf mask 0x02, 2011-06-23, rev 0x0106, size 5120
+ sig 0x00030661, pf mask 0x04, 2011-06-23, rev 0x0106, size 5120
+ sig 0x00030661, pf mask 0x08, 2011-06-23, rev 0x0106, size 5120
+ + Updated Microcodes:
+ sig 0x000206a7, pf mask 0x12, 2011-07-14, rev 0x001b, size 9216
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 16 Oct 2011 13:10:43 -0200
+
+intel-microcode (0.20110428-1) unstable; urgency=low
+
+ * New upstream data file: microcode-20110428
+ + New Microcodes:
+ sig 0x000206a7, pf mask 0x12, 2011-04-07, rev 0x0017, size 8192
+ + Readded Microcodes:
+ sig 0x00000f12, pf mask 0x04, 2003-05-02, rev 0x002e, size 2048
+ + Removed Microcodes (recently rolled back):
+ sig 0x000106a5, pf mask 0x03, 2009-04-14, rev 0x0011, size 8192
+ * debian/rules: install microcode*.dat, instead of microcode-*.dat
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 26 Jun 2011 18:56:57 -0300
+
+intel-microcode (0.20101123-1) unstable; urgency=low
+
+ * New upstream data file: microcode-20101123
+ + New Microcodes:
+ sig 0x000006fb, pf mask 0x20, 2010-10-03, rev 0x00ba, size 4096
+ + Readded Microcodes (older revision):
+ sig 0x000106a5, pf mask 0x03, 2009-04-14, rev 0x0011, size 8192
+ + Updated Microcodes:
+ sig 0x000006f2, pf mask 0x01, 2010-10-02, rev 0x005d, size 4096
+ sig 0x000006f2, pf mask 0x20, 2010-10-02, rev 0x005c, size 4096
+ sig 0x000006f6, pf mask 0x01, 2010-09-30, rev 0x00d0, size 4096
+ sig 0x000006f6, pf mask 0x04, 2010-10-01, rev 0x00d2, size 4096
+ sig 0x000006f6, pf mask 0x20, 2010-10-01, rev 0x00d1, size 4096
+ sig 0x000006f7, pf mask 0x10, 2010-10-02, rev 0x006a, size 4096
+ sig 0x000006f7, pf mask 0x40, 2010-10-02, rev 0x006b, size 4096
+ sig 0x000006fa, pf mask 0x80, 2010-10-02, rev 0x0095, size 4096
+ sig 0x000006fb, pf mask 0x01, 2010-10-03, rev 0x00ba, size 4096
+ sig 0x000006fb, pf mask 0x04, 2010-10-03, rev 0x00bc, size 4096
+ sig 0x000006fb, pf mask 0x08, 2010-10-03, rev 0x00bb, size 4096
+ sig 0x000006fb, pf mask 0x10, 2010-10-03, rev 0x00ba, size 4096
+ sig 0x000006fb, pf mask 0x40, 2010-10-03, rev 0x00bc, size 4096
+ sig 0x000006fb, pf mask 0x80, 2010-10-03, rev 0x00ba, size 4096
+ sig 0x000006fd, pf mask 0x01, 2010-10-02, rev 0x00a4, size 4096
+ sig 0x000006fd, pf mask 0x20, 2010-10-02, rev 0x00a4, size 4096
+ sig 0x000006fd, pf mask 0x80, 2010-10-02, rev 0x00a4, size 4096
+ sig 0x00010661, pf mask 0x01, 2010-10-04, rev 0x0043, size 4096
+ sig 0x00010661, pf mask 0x02, 2010-10-04, rev 0x0042, size 4096
+ sig 0x00010661, pf mask 0x80, 2010-10-04, rev 0x0044, size 4096
+ sig 0x00010676, pf mask 0x01, 2010-09-29, rev 0x060f, size 4096
+ sig 0x00010676, pf mask 0x04, 2010-09-29, rev 0x060f, size 4096
+ sig 0x00010676, pf mask 0x10, 2010-09-29, rev 0x060f, size 4096
+ sig 0x00010676, pf mask 0x40, 2010-09-29, rev 0x060f, size 4096
+ sig 0x00010676, pf mask 0x80, 2010-09-29, rev 0x060f, size 4096
+ sig 0x00010677, pf mask 0x10, 2010-09-29, rev 0x070a, size 4096
+ sig 0x0001067a, pf mask 0x11, 2010-09-28, rev 0x0a0b, size 8192
+ sig 0x0001067a, pf mask 0x44, 2010-09-28, rev 0x0a0b, size 8192
+ sig 0x0001067a, pf mask 0xa0, 2010-09-28, rev 0x0a0b, size 8192
+ sig 0x000106d1, pf mask 0x08, 2010-09-30, rev 0x0029, size 4096
+ + Removed Microcodes:
+ sig 0x00000612, pf mask 0x00, 1996-12-10, rev 0x00c6, size 2048
+ sig 0x00000616, pf mask 0x00, 1996-12-10, rev 0x00c6, size 2048
+ sig 0x00000617, pf mask 0x00, 1996-12-10, rev 0x00c6, size 2048
+ sig 0x00000619, pf mask 0x00, 1998-02-18, rev 0x00d2, size 2048
+ sig 0x00000633, pf mask 0x00, 1998-09-23, rev 0x0036, size 2048
+ sig 0x00000634, pf mask 0x00, 1998-09-23, rev 0x0037, size 2048
+ sig 0x00000650, pf mask 0x04, 1997-12-12, rev 0x0019, size 2048
+ sig 0x00000650, pf mask 0x20, 1998-02-11, rev 0x002e, size 2048
+ sig 0x00000650, pf mask 0x80, 1998-02-11, rev 0x002f, size 2048
+ sig 0x00000651, pf mask 0x02, 1999-05-25, rev 0x0041, size 2048
+ sig 0x00000651, pf mask 0x08, 1999-05-25, rev 0x0042, size 2048
+ sig 0x00000652, pf mask 0x08, 1999-05-18, rev 0x002d, size 2048
+ sig 0x00000672, pf mask 0x01, 1999-09-22, rev 0x0010, size 2048
+ sig 0x00000673, pf mask 0x01, 1999-09-10, rev 0x000e, size 2048
+ sig 0x00000683, pf mask 0x01, 2001-02-06, rev 0x0013, size 2048
+ sig 0x00000683, pf mask 0x04, 2001-02-06, rev 0x0010, size 2048
+ sig 0x00000683, pf mask 0x10, 2001-02-06, rev 0x0014, size 2048
+ sig 0x000006a4, pf mask 0x04, 2000-06-16, rev 0x0001, size 2048
+ sig 0x00000f12, pf mask 0x01, 2003-05-02, rev 0x002d, size 2048
+ sig 0x00000f12, pf mask 0x02, 2003-05-02, rev 0x002f, size 2048
+ sig 0x00000f12, pf mask 0x04, 2003-05-02, rev 0x002e, size 2048
+ sig 0x00000f13, pf mask 0x04, 2003-05-08, rev 0x0005, size 2048
+ sig 0x00000f24, pf mask 0x08, 2003-06-05, rev 0x0020, size 2048
+ sig 0x000206c2, pf mask 0x03, 2010-09-07, rev 0x0013, size 7168
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 10 Jan 2011 23:25:18 -0200
+
+intel-microcode (0.20100914-1) unstable; urgency=low
+
+ * New upstream data file: microcode-20100914
+ + Updated Microcodes:
+ sig 0x000206c2, pf mask 0x03, 2010-09-07, rev 0x0013, size 7168
+ + Removed Microcodes:
+ sig 0x000006d8, pf mask 0x08, 2006-08-31, rev 0x0021, size 2048
+ sig 0x000006d8, pf mask 0x20, 2004-07-22, rev 0x0020, size 2048
+ sig 0x00000f65, pf mask 0x04, 2007-05-10, rev 0x000b, size 2048
+ sig 0x00010661, pf mask 0x04, 2007-05-01, rev 0x0036, size 4096
+ sig 0x000106a5, pf mask 0x03, 2010-03-03, rev 0x0015, size 8192
+ sig 0x000206e6, pf mask 0x04, 2010-04-21, rev 0x0007, size 6144
+ * Add upstream changelog, with a list of changed microcodes per release
+ * Update debian/copyright to match the latest license
+ * Update documentation on where and how to get an up-to-date microcode
+ file directly from Intel, and how to install it
+ * postinst: run the microcode.ctl initscript on install/upgrades to apply
+ updated microcodes to the processor
+ * Merge changes from version 0.20090927-1, which I lost in the last
+ upload for some stupid reason. The lack of 0.20090927-1 in the
+ changelog upsets the BTS' version tracking, so it is more than just a
+ cosmetic fix
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 26 Sep 2010 19:51:46 -0300
+
+intel-microcode (0.20100826-1) unstable; urgency=low
+
+ * New upstream data file: microcode-20100826 (closes: #571128)
+ * debian/control: Add myself to uploaders
+ * debian/control: bump standards-version to 3.9.1 (no changes required)
+ * debian/control: Change homepage to the only stable URI available,
+ which is that of the RSS feed
+ * debian/source/format: set to 1.0, we gain nothing from the other formats
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 28 Aug 2010 11:25:34 -0300
+
+intel-microcode (0.20090927-1) unstable; urgency=low
+
+ * New upstream version (Closes: #549706)
+
+ -- Giacomo Catenazzi <cate@debian.org> Tue, 06 Oct 2009 07:42:02 +0200
+
+intel-microcode (0.20090330-1) unstable; urgency=low
+
+ * New upstream version. This version replaced 6 and add
+ extra 3 microcode files.
+
+ -- Giacomo Catenazzi <cate@debian.org> Tue, 31 Mar 2009 07:54:00 +0200
+
+intel-microcode (0.20080910-2) unstable; urgency=low
+
+ * Revert architecture change
+
+ -- Giacomo Catenazzi <cate@debian.org> Mon, 13 Oct 2008 19:40:18 +0200
+
+intel-microcode (0.20080910-1) unstable; urgency=low
+
+ * New upstream version.
+ * Set architecture to all: the data is architecture indipendent
+ (and used in i386 and amd64 architectures). Note: this package
+ is "non-free" (i.e. usual manual check), so it should not
+ use space on CD and other medium, on non Intel architectures.
+
+ -- Giacomo Catenazzi <cate@debian.org> Mon, 15 Sep 2008 08:33:19 +0200
+
+intel-microcode (0.20080401-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- Giacomo Catenazzi <cate@debian.org> Fri, 25 Apr 2008 18:59:10 +0200
+
+intel-microcode (0.20080220-1) unstable; urgency=low
+
+ * New upstream version.
+
+ -- Giacomo Catenazzi <cate@debian.org> Mon, 10 Mar 2008 07:48:48 +0100
+
+intel-microcode (0.20080131-1) unstable; urgency=low
+
+ * Initial release. The new license is finally enough good for
+ debian non-free
+ * BTW packing the microcode will solve potential/theoretical
+ man-in-the-middle attack (Closes: #282583)
+
+ -- Giacomo Catenazzi <cate@debian.org> Wed, 20 Feb 2008 19:33:10 +0100
+
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..86659b3
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,24 @@
+Source: intel-microcode
+Section: non-free-firmware/admin
+Priority: standard
+Maintainer: Henrique de Moraes Holschuh <hmh@debian.org>
+Uploaders: Giacomo Catenazzi <cate@debian.org>
+Build-Depends: debhelper (>= 9), iucode-tool (>= 0.9)
+Standards-Version: 4.1.1
+Homepage: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
+Vcs-Git: https://salsa.debian.org/hmh/intel-microcode.git
+Vcs-Browser: https://salsa.debian.org/hmh/intel-microcode
+XS-Autobuild: yes
+
+Package: intel-microcode
+Architecture: i386 amd64 x32
+Depends: ${misc:Depends}, iucode-tool (>= 1.0)
+Recommends: initramfs-tools (>= 0.113~)
+Conflicts: microcode.ctl (<< 0.18~0)
+Description: Processor microcode firmware for Intel CPUs
+ This package contains updated system processor microcode for
+ Intel i686 and Intel X86-64 processors. Intel releases microcode
+ updates to correct processor behavior as documented in the
+ respective processor specification updates.
+ .
+ For AMD processors, please refer to the amd64-microcode package.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..47ae680
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,63 @@
+This package was debianized by Giacomo Catenazzi <cate@debian.org> on
+Wed, 20 Feb 2008 07:43:49 +0100, and heavily modified by Henrique de
+Moraes Holschuh <hmh@debian.org> on Fri, 13 Jul 2012 15:23:23 -0300.
+
+It was downloaded through https://downloadcenter.intel.com/search?keyword=linux+microcode
+and later through https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
+
+Debian distributes each individual Intel microcode update unmodified, as
+downloaded from Intel. Each individual microcode update is translated to a
+reversible, bit-exact binary representation, and formatted to a conveyance
+format suitable for use in binary form by the Linux kernel.
+
+Upstream Author:
+
+ Intel Corporation
+
+Upstream Copyright:
+
+ Copyright (c) <1995-2019>, Intel Corporation.
+ All rights reserved.
+
+Upstream License:
+
+ Redistribution.
+
+ Redistribution and use in binary form, without modification, are
+ permitted, provided that the following conditions are met:
+
+ 1. Redistributions must reproduce the above copyright notice and the
+ following disclaimer in the documentation and/or other materials
+ provided with the distribution.
+
+ 2. Neither the name of Intel Corporation nor the names of its
+ suppliers may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+ 3. No reverse engineering, decompilation, or disassembly of this
+ software is permitted.
+
+ "Binary form" includes any format that is commonly used for electronic
+ conveyance that is a reversible, bit-exact translation of binary
+ representation to ASCII or ISO text, for example "uuencode".
+
+ DISCLAIMER.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+The Debian packaging is Copyright (c) 2008-2012 by Giacomo Catenazzi and
+Copyright (c) 2012 by Henrique de Moraes Holschuh, and is licensed under the
+GPLv2 (or at your option, any later version). Refer to
+`/usr/share/common-licenses/GPL-2' for the full text of the license.
+
diff --git a/debian/diff-latest-pack.sh b/debian/diff-latest-pack.sh
new file mode 100755
index 0000000..613aa95
--- /dev/null
+++ b/debian/diff-latest-pack.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Generate an unified diff of the list of microcodes included in the
+# latest two Intel-supplied Microcode packs (microcode-<date>.dat)
+#
+# Use this to locate updated/removed/added microcodes. Further manual
+# analysis is necessary to identify the deletion of recently-added
+# or recently-updated microcode, and the addition of previously-deleted
+# microcode (often with a version downgrade).
+#
+# Run this from the directory with the Intel microcode packs.
+
+export LC_COLLATE=C
+PATH=${PATH}:/sbin:/usr/sbin
+
+FILES=$(ls -1 microcode-*.dat | tail -n 2 | xargs)
+
+DFILES=
+for i in $FILES ; do
+ fn=$(basename $i)
+ iucode_tool -q -l $i | sed -e 's/^[^:]\+: //' | sort | grep sig > /tmp/$fn.list
+ DFILES="${DFILES} /tmp/$fn.list"
+done
+
+diff --unified=1 ${DFILES} | grep sig | sort -k 2
diff --git a/debian/initramfs.hook b/debian/initramfs.hook
new file mode 100755
index 0000000..a464d09
--- /dev/null
+++ b/debian/initramfs.hook
@@ -0,0 +1,168 @@
+#!/bin/sh
+# intel-microcode initramfs-tools hook script version 3
+# Copyright (C) 2012-2016 Henrique de Moraes Holschuh <hmh@debian.org>
+# Released under the GNU GPL v2 or later license
+#
+# Generates a copy of the Intel microcode (by default tailored to the
+# running system), and installs it in the early initramfs.
+#
+# iucode_tool v1.0 or later is required.
+#
+
+PREREQ=""
+IUCODE_CONFIG=/etc/default/intel-microcode
+
+prereqs()
+{
+ echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+verbose()
+{
+ if [ "${verbose}" = "y" ] ; then
+ echo "intel-microcode: $*"
+ fi
+ :
+}
+
+if [ "${verbose}" = "y" ] ; then
+ IUCODE_TOOL_OPTIONS="-l"
+else
+ IUCODE_TOOL_OPTIONS="-q"
+fi
+
+IUCODE_TOOL=$(command -v iucode_tool)
+if [ -z "${IUCODE_TOOL}" ] && [ -x /usr/sbin/iucode_tool ] ; then
+ IUCODE_TOOL=/usr/sbin/iucode_tool
+fi
+
+IUCODE_FW_DIR=/lib/firmware/intel-ucode
+if [ "$MODULES" = "most" ]; then
+ IUCODE_TOOL_INITRAMFS=early
+ IUCODE_TOOL_SCANCPUS=no
+else
+ IUCODE_TOOL_INITRAMFS=auto
+ IUCODE_TOOL_SCANCPUS=yes
+fi
+IUCODE_TOOL_EXTRA_OPTIONS=
+
+[ -r ${IUCODE_CONFIG} ] && . ${IUCODE_CONFIG}
+
+[ -z "${IUCODE_TOOL_INITRAMFS}" ] && IUCODE_TOOL_INITRAMFS=no
+
+case "${IUCODE_TOOL_INITRAMFS}" in
+ no|0)
+ verbose "intel-microcode: disabled by ${IUCODE_CONFIG}"
+ exit 0
+ ;;
+ auto|early)
+ ;;
+ yes|1)
+ IUCODE_TOOL_INITRAMFS=early
+ echo "W: intel-microcode: initramfs mode not supported, using early initramfs mode" >&2
+ ;;
+ *)
+ echo "E: intel-microcode: invalid IUCODE_TOOL_INITRAMFS, using automatic mode" >&2
+ IUCODE_TOOL_INITRAMFS=auto
+esac
+
+# don't do anything unless there's an Intel processor in the system in auto mode
+if [ "${IUCODE_TOOL_INITRAMFS}" = "auto" ] ; then
+ grep -q "^vendor_id[[:blank:]]*:[[:blank:]]*.*GenuineIntel" /proc/cpuinfo || {
+ verbose "no Intel processors detected, nothing to do"
+ exit 0
+ }
+fi
+
+# we require iucode_tool, but something is broken
+if [ ! -x "${IUCODE_TOOL}" ] ; then
+ echo "E: intel-microcode: cannot run iucode_tool!" >&2
+ exit 0
+fi
+
+# Blacklist all kernel versions before v3.10, as they don't support early
+# initramfs mode.
+#
+# This doesn't blacklist early 3.10 kernels in the LTS branches, we don't have
+# enough information at the initramfs-tools layer, due to the way Debian and
+# Ubuntu version kernel packages.
+if dpkg --compare-versions "${version}" lt 3.10 ; then
+ echo "E: intel-microcode: unsupported kernel version!" >&2
+ exit 0
+fi
+
+if [ "${IUCODE_TOOL_SCANCPUS}" != "yes" ] ; then
+ verbose "adding microcode for either all or selected Intel processor models"
+else
+ verbose "adding microcode for currently online and selected Intel processors"
+ grep -q cpu/cpuid /proc/devices || modprobe -q cpuid
+ IUCODE_TOOL_OPTIONS="${IUCODE_TOOL_OPTIONS} --scan-system"
+fi
+
+# paranoia
+[ -z "${DESTDIR}" ] && {
+ echo "E: intel-microcode: DESTDIR empty!" >&2
+ exit 1
+}
+[ -z "${IUCODE_FW_DIR}" ] && {
+ echo "E: intel-microcode: IUCODE_FW_DIR empty!" >&2
+ exit 1
+}
+
+# include the microcode module in the initramfs for logging purposes, but
+# ensure it will have no microcode data files to load. This is also a safety
+# net: we don't want it to be acidentally loaded outside the initramfs.
+#
+# This shouldn't be expensive, as the in-kernel firmware loader is quite
+# fast at detecting missing data files and doesn't wait for them.
+#
+# note: force_load will load a blacklisted module. We depend on that behavior.
+#
+# For 4.4 and later kernels, the microcode driver cannot be a module and will
+# be built-in.
+dpkg --compare-versions "${version}" lt 4.4 && {
+ [ -d "${DESTDIR}${IUCODE_FW_DIR}" ] && rm -fr "${DESTDIR}${IUCODE_FW_DIR}"
+
+ manual_add_modules microcode && {
+ # force_load has broken semanthics when the .ko file is missing
+ find "${DESTDIR}/${MODULESDIR}" -type f -print | grep -qc '/microcode\.ko$' && {
+ verbose "modular microcode driver detected"
+ force_load microcode
+ }
+ }
+}
+
+# generate early initramfs image and prepend
+verbose "using early initramfs microcode update mode..."
+EFW=$(mktemp "${TMPDIR:-/var/tmp}/mkinitramfs-EFW_XXXXXXXXXX") || {
+ echo "E: intel-microcode: cannot create temporary file" >&2
+ exit 1
+ }
+( find /usr/share/misc -maxdepth 1 -type f -name 'intel-microcode*' -print0 ;
+ find "${IUCODE_FW_DIR}" -maxdepth 0 -type d -print0 ) 2>/dev/null \
+| xargs -0 -r -x ${IUCODE_TOOL} ${IUCODE_TOOL_OPTIONS} \
+ --write-earlyfw="${EFW}" --overwrite \
+ ${IUCODE_TOOL_EXTRA_OPTIONS} \
+&& prepend_earlyinitramfs "${EFW}" && {
+ rm "${EFW}"
+ exit 0
+}
+
+# usually we get here when initramfs-tools is missing prepend_earlyinitramfs()
+# or when iucode_tool does not support --write-earlyfw, i.e. when old versions
+# of these tools are installed.
+
+rm "${EFW}" || true
+
+echo "E: intel-microcode: failed to create or prepend the early initramfs to the initramfs" >&2
+
+:
diff --git a/debian/intel-microcode.NEWS b/debian/intel-microcode.NEWS
new file mode 100644
index 0000000..9f18b00
--- /dev/null
+++ b/debian/intel-microcode.NEWS
@@ -0,0 +1,91 @@
+intel-microcode (3.20140913.1) unstable; urgency=low
+
+ This release drops support for automatically applying microcode
+ updates without a reboot. The microcode updates can still be applied
+ without a reboot through manual action of the system administrator, at
+ his own risk.
+
+ Microcodes known to be dangerous have been renamed so that they will
+ not be found by the kernel. This is a reactive blacklisting: it is
+ unlikely to be complete at any point in time.
+
+ The 3.x branch of the intel-microcode packages will only support Linux
+ kernels v3.10 and above. For older kernels, you must use the 1.x
+ branch of the intel-microcode packages.
+
+ Refer to /usr/share/doc/intel-microcode/README.Debian for details.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 10 Oct 2014 12:27:57 -0300
+
+intel-microcode (1.20130222.3) unstable; urgency=low
+
+ This release adds support for early microcode updates on Linux kernel
+ v3.9 and later. It requires the kernel support for the feature to be
+ compiled in, the use of an initramfs, and also recent versions of the
+ iucode-tool and initramfs-tools packages.
+
+ Early microcode updates greatly reduce the chances of system
+ malfunction due to any issues that are corrected by the microcode
+ update. The microcode will be updated while the kernel initializes
+ the boot processor, and before any other processors (in a multicore
+ system) are enabled.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 19 Jun 2013 22:03:30 -0300
+
+intel-microcode (1.20120606.4) unstable; urgency=low
+
+ The initramfs logic to automatically restrict the microcodes that have
+ to be installed using iucode-tool can fail in a very specific situation
+ when the intel-microcode package is installed for the first time at the
+ same time the _currently running_ kernel is being upgraded.
+
+ intel-microcode will warn you should that happen, and will install all
+ microcodes, resulting in a much larger initramfs image than expected.
+
+ If you did hit this failure mode and you believe the large initramfs
+ will cause problems for your system to reboot, please remove the
+ intel-microcode package to reduce the initramfs size, reboot to load
+ the upgraded kernel, and then reinstall the intel-microcode package.
+
+ Once the intel-microcode package is installed, it will cooperate with
+ the kernel packages and automatically avoid the issue on future
+ upgrades.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 11 Aug 2012 19:02:20 -0300
+
+intel-microcode (1.20120606.1) unstable; urgency=low
+
+ This major release update changes how Debian handles Intel system
+ processor microcode updates. Initscripts and the old microcode.ctl
+ utility are not used to load microcode anymore.
+
+ Previously, microcode.ctl would be used to read the text file
+ distributed by Intel (microcode.dat), convert it to binary, and upload
+ to /dev/cpu/microcode. This functionality has been deprecated in the
+ kernel upstream for a long time, the firmware loader and a sysfs
+ interface should be used instead.
+
+ The Intel microcode.dat file is now preprocessed using iucode-tool when
+ the intel-microcode package is built, and the resulting binary data
+ files for /lib/firmware/intel-ucode are shipped, ready for use by the
+ kernel.
+
+ The intel-microcode package now provides automation for autoloading
+ microcode from the initramfs, instead of relying on any initscripts.
+ Refer to the README files in /usr/share/ doc/intel-microcode for more
+ details; there is some limited support for /usr/share/misc/
+ intel-microcode.dat files.
+
+ If you don't use an initramfs for a custom-built kernel, please make
+ sure the microcode driver is a module, and to load it at a time
+ /lib/firmware is already available. Adding it to /etc/modules is
+ usually enough. In this specific case, /usr/share/misc/
+ intel-microcode.dat is not supported, refer to the README files for
+ more detail.
+
+ WARNING: if you have an old /usr/share/misc/intel-microcode.dat file,
+ it may cause problems because of the way Intel does microcode release
+ management. As a rule, it is best to remove outdated microcode.dat
+ files from the system.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 10 Jul 2012 16:06:06 -0300
diff --git a/debian/intel-microcode.default b/debian/intel-microcode.default
new file mode 100644
index 0000000..b958464
--- /dev/null
+++ b/debian/intel-microcode.default
@@ -0,0 +1,26 @@
+# Configuration script for intel-microcode version 3
+
+#
+# initramfs helper
+#
+
+# Set this to "no" to disable automatic microcode updates on boot;
+# Set this to "auto" to use early initramfs mode automatically (default);
+# Set this to "early" to always attempt to create an early initramfs;
+#IUCODE_TOOL_INITRAMFS=auto
+
+# Set this to "yes" (default) to use "iucode_tool --scan-system" to reduce
+# the initramfs size bloat, by detecting which Intel processors are active
+# in this system, and installing only their microcodes.
+#
+# Set this to "no" to either include all microcodes, or only the microcodes
+# selected through the use of IUCODE_TOOL_EXTRA_OPTIONS below.
+#
+# WARNING: including all microcodes will increase initramfs size greatly.
+# This can cause boot issues if the initramfs is already large.
+#IUCODE_TOOL_SCANCPUS=yes
+
+# Extra options to pass to iucode_tool, useful to forbid or to
+# force the inclusion of microcode for specific processor signatures.
+# See iucode_tool(8) for details.
+#IUCODE_TOOL_EXTRA_OPTIONS=""
diff --git a/debian/intel-microcode.dirs b/debian/intel-microcode.dirs
new file mode 100644
index 0000000..b0a2588
--- /dev/null
+++ b/debian/intel-microcode.dirs
@@ -0,0 +1,3 @@
+lib/firmware/intel-ucode
+etc/default
+etc/modprobe.d
diff --git a/debian/intel-microcode.docs b/debian/intel-microcode.docs
new file mode 100644
index 0000000..53f29a6
--- /dev/null
+++ b/debian/intel-microcode.docs
@@ -0,0 +1,3 @@
+license
+releasenote*.md
+security*.md
diff --git a/debian/intel-microcode.kpreinst b/debian/intel-microcode.kpreinst
new file mode 100644
index 0000000..d98b40c
--- /dev/null
+++ b/debian/intel-microcode.kpreinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# /etc/kernel/preinst.d script for intel-microcode version 3
+# Copyright (C) 2014 Henrique de Moraes Holschuh <hmh@debian.org>
+# Released under the GPL v2 or later license
+#
+# This script makes sure the cpuid module is loaded, before the
+# kernel image has a chance to replace it with a new one that
+# might not be compatible with the current kernel.
+#
+# We need the cpuid module for iucode_tool --scan-system,
+# which is used by the initramfs hook.
+#
+
+grep -q cpu/cpuid /proc/devices || modprobe -q cpuid || true
+
+:
diff --git a/debian/intel-microcode.modprobe-blacklist b/debian/intel-microcode.modprobe-blacklist
new file mode 100644
index 0000000..1dc2c23
--- /dev/null
+++ b/debian/intel-microcode.modprobe-blacklist
@@ -0,0 +1,3 @@
+# The microcode module attempts to apply a microcode update when
+# it autoloads. This is not always safe, so we block it by default.
+blacklist microcode
diff --git a/debian/intel-microcode.postinst b/debian/intel-microcode.postinst
new file mode 100644
index 0000000..71f667a
--- /dev/null
+++ b/debian/intel-microcode.postinst
@@ -0,0 +1,50 @@
+#!/bin/sh
+# postinst script for intel-microcode
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postinst> `configure' <most-recently-configured-version>
+# * <old-postinst> `abort-upgrade' <new version>
+# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+# <new-version>
+# * <postinst> `abort-remove'
+# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+# <failed-install-package> <version> `removing'
+# <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+ configure)
+ # do it like udev and firmware-linux-*
+ if [ -x /usr/sbin/update-initramfs ] && [ -e /etc/initramfs-tools/initramfs.conf ] ; then
+ update-initramfs -u && {
+ echo "intel-microcode: microcode will be updated at next boot" >&2
+ ls /usr/share/misc/intel-microcode* >/dev/null 2>&1 && {
+ echo "intel-microcode: possibly old microcode files from /usr/share/misc were used" >&2
+ echo "intel-microcode: remove them if this is not desired and run 'update-initramfs -u'" >&2
+ }
+ }
+ else
+ echo "intel-microcode: initramfs support missing" >&2
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/intel-microcode.postrm b/debian/intel-microcode.postrm
new file mode 100644
index 0000000..57791c8
--- /dev/null
+++ b/debian/intel-microcode.postrm
@@ -0,0 +1,42 @@
+#!/bin/sh
+# postrm script for intel-microcode
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postrm> `remove'
+# * <postrm> `purge'
+# * <old-postrm> `upgrade' <new-version>
+# * <new-postrm> `failed-upgrade' <old-version>
+# * <new-postrm> `abort-install'
+# * <new-postrm> `abort-install' <old-version>
+# * <new-postrm> `abort-upgrade' <old-version>
+# * <disappearer's-postrm> `disappear' <overwriter>
+# <overwriter-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+ purge|remove)
+ if [ -x /usr/sbin/update-initramfs ] && [ -e /etc/initramfs-tools/initramfs.conf ] ; then
+ update-initramfs -u
+ fi
+ ;;
+
+ upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..eac0d2e
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,62 @@
+#!/usr/bin/make -f
+# debian/rules for intel-microcode, dh version
+# Copyright (C) 2011,2016 by Henrique de Moraes Holschuh
+# Published under the GNU GPL license version 2 or any later versions
+
+PACKAGE := intel-microcode
+DEBDIR := $(CURDIR)/debian
+PKGDIR := $(DEBDIR)/$(PACKAGE)
+
+DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)
+
+export PATH := $(PATH):/sbin:/usr/sbin
+IUCODE_TOOL := iucode_tool
+
+# DebHelper control
+export DH_ALWAYS_EXCLUDE=CVS:.svn:.git
+
+ifneq (,$(filter amd64 x32,$(DEB_HOST_ARCH)))
+IUCODE_FILE := intel-microcode-64.bin
+else
+IUCODE_FILE := intel-microcode.bin
+endif
+
+# Work around Debian bug #688794
+INITRAMFS_NAME := $(subst -,_,$(subst +,_,$(subst .,_,$(PACKAGE))))
+
+%:
+ dh $@
+
+override_dh_auto_install:
+ dh_testdir
+ dh_install
+
+ # split microcode pack
+ $(IUCODE_TOOL) -q --write-firmware="$(PKGDIR)/lib/firmware/intel-ucode" $(IUCODE_FILE)
+
+ # apply best-effort blacklist
+ if [ -r debian/ucode-blacklist.txt ] ; then \
+ cat debian/ucode-blacklist.txt | while read -r fn crap ; do \
+ if [ -r "$(PKGDIR)/lib/firmware/intel-ucode/$${fn}" ] ; then \
+ mv "$(PKGDIR)/lib/firmware/intel-ucode/$${fn}" "$(PKGDIR)/lib/firmware/intel-ucode/$${fn}.initramfs" ;\
+ echo "Renaming blacklisted microcode $${fn}" ; \
+ fi ; \
+ done ; \
+ fi
+
+ mkdir -p "$(PKGDIR)/usr/share/initramfs-tools/hooks"
+ install -m 755 "$(DEBDIR)/initramfs.hook" \
+ "$(PKGDIR)/usr/share/initramfs-tools/hooks/$(INITRAMFS_NAME)"
+ mkdir -p "$(PKGDIR)/etc/kernel/preinst.d"
+ install -m 755 "$(DEBDIR)/$(PACKAGE).kpreinst" \
+ "$(PKGDIR)/etc/kernel/preinst.d/$(PACKAGE)"
+
+ # We have a /etc/default file, but no initscript
+ install -m 644 "$(DEBDIR)/$(PACKAGE).default" "$(PKGDIR)/etc/default/$(PACKAGE)"
+
+ # modprobe.d blacklist
+ install -m 644 "$(DEBDIR)/$(PACKAGE).modprobe-blacklist" "$(PKGDIR)/etc/modprobe.d/$(PACKAGE)-blacklist.conf"
+
+override_dh_installchangelogs:
+ dh_installchangelogs changelog
+
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/debian/source/options b/debian/source/options
new file mode 100644
index 0000000..b7bc1f2
--- /dev/null
+++ b/debian/source/options
@@ -0,0 +1 @@
+compression = "xz"
diff --git a/debian/ucode-blacklist.txt b/debian/ucode-blacklist.txt
new file mode 100644
index 0000000..50f194b
--- /dev/null
+++ b/debian/ucode-blacklist.txt
@@ -0,0 +1,24 @@
+06-3a-09
+06-3c-01
+06-3c-02
+06-3c-03
+06-3d-04
+06-3f-01
+06-3f-02
+06-3f-04
+06-45-01
+06-46-01
+06-47-01
+06-56-02
+06-4e-03
+06-4f-01
+06-5e-03
+06-8e-09
+06-8e-0a
+06-8e-0b
+06-8e-0c
+06-9e-09
+06-9e-0a
+06-9e-0b
+06-9e-0c
+06-9e-0d