diff options
Diffstat (limited to '')
-rw-r--r-- | debian/README.Debian | 239 | ||||
-rw-r--r-- | debian/README.source | 218 | ||||
-rw-r--r-- | debian/changelog | 2018 | ||||
-rw-r--r-- | debian/compat | 1 | ||||
-rw-r--r-- | debian/control | 24 | ||||
-rw-r--r-- | debian/copyright | 63 | ||||
-rwxr-xr-x | debian/diff-latest-pack.sh | 25 | ||||
-rwxr-xr-x | debian/initramfs.hook | 168 | ||||
-rw-r--r-- | debian/intel-microcode.NEWS | 91 | ||||
-rw-r--r-- | debian/intel-microcode.default | 26 | ||||
-rw-r--r-- | debian/intel-microcode.dirs | 3 | ||||
-rw-r--r-- | debian/intel-microcode.docs | 3 | ||||
-rw-r--r-- | debian/intel-microcode.kpreinst | 17 | ||||
-rw-r--r-- | debian/intel-microcode.modprobe-blacklist | 3 | ||||
-rw-r--r-- | debian/intel-microcode.postinst | 50 | ||||
-rw-r--r-- | debian/intel-microcode.postrm | 42 | ||||
-rwxr-xr-x | debian/rules | 62 | ||||
-rw-r--r-- | debian/source/format | 1 | ||||
-rw-r--r-- | debian/source/options | 1 | ||||
-rw-r--r-- | debian/ucode-blacklist.txt | 24 |
20 files changed, 3079 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..220932d --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,239 @@ +intel-microcode for Debian +-------------------------- + +Introduction: + +IntelĀ® 64 and IA-32 processors (x86_64 and i686 processors) are capable of +field-upgrading their control program (microcode) as well as parameters +for other on-chip subsystems (power management, interconnects, etc). +These microcode updates correct processor errata, and are important for +safe, stable and correct system operation. + +While most of the microcode updates fix problems that happen extremely +rarely, they also fix high-profile, high-hitting issues. There are enough +microcode updates fixing processor errata that would cause system lockup, +memory corruption, or unpredictable system behavior, to warrant taking +firmware updates and microcode updates seriously. + +Microcode updates are ephemeral: they will be lost after a processor hard +reset or after the processor is powered off. They must be reapplied at +every boot, as well as after the system wakes up from suspend to RAM or +disk. + +Updating the processor microcode is the responsibility of the system +firmware (BIOS, UEFI). However, not all vendors will release timely +updates for their firmware when Intel releases updated microcode, and most +users don't update their system firmware in a timely fashion (or at all) +anyway. + +The end result is that, unless the operating system picks up the slack and +tries to deliver microcode updates, the processor in many systems will be +running with outdated microcode, increasing the chances of incorrect +system operation. + + +Using Debian to apply microcode updates: + +Debian can apply microcode updates to the system processors during the +operating system boot when a correctly configured Linux kernel (such as +the standard Debian Linux kernels), and a small set of extra packages from +"non-free" and "contrib" are installed. + +You must have "contrib" and "non-free" repositories enabled in apt's +sources list (either in /etc/apt/sources.list, or in a file inside +/etc/apt/sources.list.d/). + +On a default Debian system (which uses a Debian kernel, the grub +bootloader, and initramfs-tools to create the initramfs for the kernel), +install the "intel-microcode" package and its dependencies, and reboot. + +Users of custom configurations should note that microcode update support +for Debian 8 "Jessie" changed from previous Debian stable releases. + +Custom Linux kernels must be built with initramfs support enabled (Kconfig +option CONFIG_BLK_DEV_INITRD=y), as well as early microcode support +enabled (Kconfig options CONFIG_MICROCODE=y, CONFIG_MICROCODE_INTEL=y, +CONFIG_MICROCODE_INTEL_EARLY=y). An initramfs image *must* be used. + +The use of "dracut" to generate the initramfs is not yet supported, but it +should work if you have a new enough version of dracut that is compatible +with the kernel you are using (i.e. it might require the use of +backports). Dracut will have to be manually configured to enable early +microcode updates. Better dracut support is planned for a future version +of the intel-microcode package. + +NOTE: It is not impossible for an operating-system supplied microcode +update to cause boot issues. Should that happen, please refer to the +"RECOVERY PROCEDURE" section of this document. + + +Caveats: + +Please keep your UEFI/BIOS up-to-date. Assuming your motherboard vendor +does a good job of updating system firmware components, an up-to-date +version of the firmware will negate most of the caveats listed here. + +Some features added to the processor post-launch, such as Intel SGX for +"Skylake", are likely to require a full firmware update to work. Some +issues and errata can only be fixed by a full firmware update should they +require fixes and workarounds outside of the processor microcode update +(typically: ME firmware, SMM code, platform MSR setup, ACPI data, Intel +TXT/SGX modules). + +A microcode update may enable functionality or change the behavior of +weakly-defined functionality (such as the effect of model-dependent CPU +power-management MSRs). This can (very rarely) interact badly with +outdated BIOS/UEFI. + +A microcode update can revoke the signatures of vulnerable Intel TXT ACMs +(refer to security advisory INTEL-SA-00035) and Intel SGX system modules. +This will disable Intel TXT and Intel SGX in a system that still has the +vulnerable components in firmware (the only way to really fix the +vulnerabilities is to update the firmware). + +Microcode updates often do not go well with overclocking and similar +tuning (such as underclocking, "undervolting", etc). Reset the system to +Intel's *up-to-date* recommended values should a microcode update seem to +be causing trouble, and search for a less aggressive, stable operating +point for the new microcode. + +A microcode update can (very rarely) interact badly with, or expose +software bugs in the kernel and on frequency/thermal control daemons. + + +RECOVERY PROCEDURE: + +It is possible for a microcode update to not work well, or to not work at +all on specific system models. This is very rare when using early +microcode updates, but it has happened at least once. + +Should you experience problems because of the microcode update, you will +have to bypass the microcode update process that happens during operating +system startup (boot), and remove (or install an older version of) the +intel-microcode package. + +To bypass the microcode update during system startup, you must instruct the +boot loader (grub, lilo, etc) to pass the "dis_ucode_ldr" parameter +(without the quotes) to the kernel. + +If your system uses grub (the default bootloader in Debian): + + 1. Access the grub menu during boot (press and hold the left "Shift" + key right after starting the system up if you don't see a grub menu + during boot); + + 2. Move the highlight/cursor to the kernel/boot option you want to + use, and press the "e" key to edit it; + + 3. Locate the line that starts with "linux" using the cursor + keys. You must add the word "dis_ucode_ldr" (without the quotes) to + the end of that line; + + 4. Press "Ctrl+X" to start (boot) the system. The microcode updates + will be skipped. + +After the system is running, remove or purge the intel-microcode package, +or alternatively install an older version of the intel-microcode package. + +If removing or purging the intel-microcode package fails to do it for some +reason, please refresh the initramfs using the "update-initramfs -u" +command (as the root user), and possibly "update-initramfs -u -k <desired +kernel version>" or "update-initramfs -u -k all". + +Please report any issues caused by microcode updates to the Debian bug +tracker, e.g. using the "reportbug" tool. + + +Microcode update details: + +The "early mode" of the Linux kernel microcode update driver will apply +the microcode updates as soon as possible, before making use of the more +complex modes and functionality of the system processors. This greatly +reduces the chances of system malfunction due to any issues that are +corrected by the microcode update. + +It will update the CPU core that boots the system (known as BSP, for +"bootstrap processor") as one of the first things it does. It will also +update the microcode on the other CPU cores (known as AP, for "application +processor") while enabling them, before they can be used. + +In some cases, early microcode updates will allow the kernel to sidestep +the need to disable functionality, as an example, there's the "Atom PSE +erratum". + +In other cases, it will be the only safe way to apply a microcode update. +For example, the Intel TSX errata in Intel Haswell and Broadwell processors +required a microcode update that entirely disables Intel TSX. Applying the +microcode update will crash anything that might be using Intel TSX at that +time. + +The initramfs helpers will attempt to restrict the number of microcode +updates added to the initramfs to the bare minimum through the use of +iucode_tool. This behavior can be changed and fine-tuned through the +/etc/default/intel-microcode file. + +Also, microcode from files matching /usr/share/misc/intel-microcode* will +be considered. This allows the easy use of microcode.dat files distributed +directly by Intel. Be careful to not leave old files there, or you may end +up using microcode that Intel stopped distributing on purpose for unknown +reasons. + + +Downloading new microcode data from Intel: + +A new version of the microcode bundle can be downloaded directly from +Intel (through their GitHub project): +https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files + + +To manually install the downloaded microcode bundle, unpack the archive you +got from Intel and copy the microcode-*.dat file from the archive to +/usr/share/misc/intel-microcode.dat. + +You should make sure the microcode data file is owned by root, and that it +can only be written to by root (e.g. mode 0644) for security reasons: + + chown root:root /usr/share/misc/intel-microcode.dat + chmod 0644 /usr/share/misc/intel-microcode.dat + +After you install the updated intel-microcode.dat file, run as root: + + update-initramfs -u + +The intel-microcode package supports "extra" microcode data in the +following files (and will warn you if it detects and use them): + + /usr/share/misc/intel-microcode* + +both .dat and .bin formats are supported. + + +Triggering an immediate microcode update (without a reboot): + + **** WARNING **** **** WARNING **** **** WARNING **** **** WARNING **** + + This procedure used to be safe before microcode update 20140913. + It is not safe anymore in the general case. + + While it is likely to continue to be safe for the Intel micro- + architectures that preceded Haswell and Silvermont, this is not + in any way assured. + + You have been warned. Do not do this unless you really know + what you are doing. + + **** WARNING **** **** WARNING **** **** WARNING **** **** WARNING **** + +The microcode kernel module will attempt to apply a microcode update when +loaded by "modprobe". If the module is already loaded or compiled-in (it +cannot be a module anymore in recent Linux kernels), run this command (as +root): + + echo -n 1 >/sys/devices/system/cpu/microcode/reload + +For kernels before Linux v3.6, refer to the iucode_tool(8) manpage. + + +* Note: Intel is a registered trademark of Intel Corporation. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 10 Apr 2016 16:32:09 -0300 diff --git a/debian/README.source b/debian/README.source new file mode 100644 index 0000000..adad784 --- /dev/null +++ b/debian/README.source @@ -0,0 +1,218 @@ +intel-microcode for Debian +-------------------------- + +Adding new microcodes to the package: + +* Regular microcode bundles (upstream releases): + + Add them to the top-level dir, names must match the patterns: + + * microcode-<id>.dat for Intel text format bundles; + * microcode-<id>.bin for Intel binary bundles. + * microcode-<id>.d/ for directories with split binary microcode. + + <id> should be the upstream release date in YYYYMMDD format. + If it is not, you must make sure microcode files that have + been released later also come later in C collating order. + + Some upstream releases contain the microcode update data twice: + in .dat, and as a directory with several binary files. In that + case, you must compare the contents (e.g. using iucode_tool -L) + to ensure that they match. Don't add both copies of the update + data to the package: it is a waste of mirror space, and only one + copy (the one that sorts last) would be used to generate the + final microcode pack (so you would still have to ensure both + formats had the same contents anyway). + + Hint: iucode_tool will compare two "supposedly identical" + microcodes to ensure they are just that: identical. So, it is + enough to do something like this: + + iucode_tool --write-all-named-to=/tmp/dir1 file1.dat ; + iucode_tool --write-all-named-to=/tmp/dir2 intel-ucode/ ; + diff -R /tmp/dir1 /tmp/dir2 && echo ok ; + iucode_tool -v /tmp/dir1 /tmp/dir2 + + Later regular microcode bundles have precedence over older regular + microcode bundles, and may downgrade microcode revisions. This + implements the automatic "revision rollback" mechanism. + + The "oldies" and the IUC_INCLUDE mechanisms of the main Makefile may + select microcodes from any of the regular microcode bundles. + Otherwise, only microcodes in the latest regular microcode bundle will + be selected. This logic implements the "automatic removal" mechanism + to handle microcode recalls. + + Directories of microcodes must not have nested subdirectories. The + contents of the directory will be processed into a temporary ".dbin" + binary microcode file, to allow the automatic "revision rollback" + mechanism to work in a predictable way. Due to sorting order, + ".dbin" files are preferred over ".dat" files when deciding which + would be used to generate the final microcode pack. + + Supplementary microcode bundles and microcode overrides can select + additional microcode (see below). + +* Latest available version of a microcode that is not being shipped + anymore, but which is present in an older microcode bundle: + + Add "-s <signature>" to IUC_INCLUDE in the Makefile. + +* Supplementary microcode bundles: + + The intended usage for this feature is to ship microcode updates that + fix important errata before they are available through a regular Intel + microcode bundle release. + + Add them to the top-level dir, names must match the pattern: + + * supplementary-ucode-<id>.bin + * supplementary-ucode-<id>.d/ + + <id> should be a descriptive name, sorting order does not + matter. It must not have spaces or tabs. + + These bundles have the same precedence as the newest regular microcode + bundle: microcodes with the highest revision among the newest regular + microcode bundle and every supplementary microcode bundles will be + selected. + + Supplementary microcode bundles must be in binary format. + + Use "iucode_tool -w" to create supplementary microcode bundles. + The bundles may have any number of microcodes inside, and should be + described in the "upstream" changelog. + + Directories of supplementary microcode updates must not have nested + subdirectories. The data files inside the directory should be in + binary format, and may contain more than one microcode update. They + should be descriptively named, and should be described in the + "upstream" changelog. + + WARNING: microcodes added through supplementary bundles cannot be + "recalled" (excluded or downgraded) automatically by the latest + regular microcode bundle, only by overrides and IUC_EXCLUDE. + +* Individual microcode overrides (at a specific revision): + + The intended usage for this feature is to ship microcode at a specific + revision. For microcode that should be superseded by a newer version + when available, use a supplementary bundle (see above), instead. + + These overrides have the highest precedence, and will override + (possibly downgrading) microcodes in the other bundles, regular or + supplementary. + + Add them to the top-level dir, names should be in the format: + + * s<sig>_m<pfmask>_r<revision>.fw + + <sig> is the CPU signature, <pfmask> is the processor flags + mask, and revision is the microcode revision level. All + values in hexadecimal using uppercase letters, no leading + prefixes, with left padding with zeroes, field length 8, as + in the printf mask: s%08X_m%08X_r%08X.fw + + The files must be in binary format, and should contain only a single + microcode (to ensure maintainer sanity). + + "iucode_tool -s <signature> -W" can be used to easily extract + microcodes and create (and name) .fw override files. + +* Excluding microcodes, no matter where they were sourced from: + + Add "-s !<signature>" to IUC_EXCLUDE in the Makefile. + + This will remove from the final microcode distribution even microcodes + that were sourced from override files. + + + +When you add a new microcode (bundle or otherwise): + +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!!! Always verify if you do not have to remove microcodes from the !!! +!!! exclusion list in the top Makefile. !!! +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + +Please avoid shipping microcodes "recalled" by Intel, unless you DO know +better (i.e. you know the reason why it was "recalled", and you consider +that Debian users would be best served by its inclusion). Always +document why you're doing this as much as you are allowed to in the +package changelog. Microcode override files (.fw files) can be used to +make sure a specific microcode is shipped, however, should you want to +ship the latest available version of a microcode from older bundles, you +must use IUC_INCLUDE. + +If you are adding a microcode bundle made available directly by Intel in +their public site, please update the "upstream changelog". There is no +fully automated way to do it yet, but you can use "iucode_tool -l" to +list the contents of the bundles, and apply some sed magic, sort, and +"diff -u" to find out which microcodes were added, deleted, updated, or +downgraded. The debian/diff-latest-pack.sh script should be of help. + +Please check all additions against the changelog, and annotate them as +appropriate when the microcode was present in a previous release. Intel +has done a "delete in one release, add back with a downgraded revision +in the next release" once in the past. Annotations should say when the +microcode was updated or downgraded, or just re-added with the same +revision. + +Please check all deletions. When very recent microcode is deleted, it +could well mean an unfriendly "microcode revision recall" is happening +(someone at Intel decided to remove it instead of directly marking it a +downgrade by publishing the previously known-good revision). When +microcodes for older processors are deleted, it is probably safe to +assume it is just the regular housekeeping cleanups, and the microcode +should still be shipped by distros that have users running 10-15 +year-old boxes, like Debian. + +If you know that a microcode signature belongs to alpha or beta hardware +(engineering samples), you may remove the microcodes for that signature +by adding them to IUC_EXCLUDE in the Makefile, on the grounds that such +microcodes just waste space on everyone's system. Unfortunately, a list +of the CPU signatures of such unsupported processors is hard to come by. + + +Keeping useless microcode out of amd64 and x32 binary packages: + +It is useless to ship microcode that targets processors not capable of +Intel64 (X86-64) on the amd64 and x32 arch-specific binary packages. + +The top-level Makefile tries to avoid this by parsing cpu-signatures.txt +and ignoring anything listed as i?86 when building intel-microcode-64.bin, +which debian/rules will use instead of intel-microcode.bin for non-i386. + +Failure to update cpu-signatures.txt should be mostly harmless (it is +engineered to fail safe, and distribute unlisted microcode so that at +most it will waste some space). It is unlikely that new i686 microcode +signatures will show up, but it may be useful to know to which +processors a microcode update apply even for newer processors, just in +case we have to issue a critical update and warn users. + + +Where to find processor signature information: + +They appear to be listed only in the Specification Updates for each +processor, you'll have to locate and download them all from Intel's site +(this is _not_ easy to do, some of these documents are hard to track +down). Better information is likely to available (possibly under NDA) +on the Intel developer channels. + +As for non-canonical sources, there is a CPUID database in the Internet +and a memory/latency timings database used by HPC people which are of +some help. Search engines will often find a BIOS/UEFI firmware upgrade +changelog that names the particular core of a microcode update +signature. + +Cross-check by searching the S-SPEC numbers in the Intel ARK directory +(e.g. to verify whether it supports X86-64 or not). + + +Backport notes: + +1. Only kernels 3.10 and above are supported in the 3.x branch of + intel-microcode. To support older kernels, you will have to backport + the 2.x or 1.x branches of intel-microcode, instead. + +-- Henrique de Moraes Holschuh <hmh@debian.org> diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..bb758d4 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,2018 @@ +intel-microcode (3.20240312.1) unstable; urgency=medium + + * New upstream microcode datafile 20240312 (closes: #1066108) + - Mitigations for INTEL-SA-INTEL-SA-00972 (CVE-2023-39368): + Protection mechanism failure of bus lock regulator for some Intel + Processors may allow an unauthenticated user to potentially enable + denial of service via network access. + - Mitigations for INTEL-SA-INTEL-SA-00982 (CVE-2023-38575): + Non-transparent sharing of return predictor targets between contexts in + some Intel Processors may allow an authorized user to potentially + enable information disclosure via local access. Affects SGX as well. + - Mitigations for INTEL-SA-INTEL-SA-00898 (CVE-2023-28746), aka RFDS: + Information exposure through microarchitectural state after transient + execution from some register files for some Intel Atom Processors and + E-cores of Intel Core Processors may allow an authenticated user to + potentially enable information disclosure via local access. Enhances + VERW instruction to clear stale register buffers. Affects SGX as well. + Requires kernel update to be effective. + - Mitigations for INTEL-SA-INTEL-SA-00960 (CVE-2023-22655), aka TECRA: + Protection mechanism failure in some 3rd and 4th Generation Intel Xeon + Processors when using Intel SGX or Intel TDX may allow a privileged + user to potentially enable escalation of privilege via local access. + NOTE: effective only when loaded by firmware. Allows SMM firmware to + attack SGX/TDX. + - Mitigations for INTEL-SA-INTEL-SA-01045 (CVE-2023-43490): + Incorrect calculation in microcode keying mechanism for some Intel + Xeon D Processors with Intel SGX may allow a privileged user to + potentially enable information disclosure via local access. + * Fixes for other unspecified functional issues on many processors + * Updated microcodes: + sig 0x00050653, pf_mask 0x97, 2023-07-28, rev 0x1000191, size 36864 + sig 0x00050656, pf_mask 0xbf, 2023-07-28, rev 0x4003605, size 38912 + sig 0x00050657, pf_mask 0xbf, 2023-07-28, rev 0x5003605, size 37888 + sig 0x0005065b, pf_mask 0xbf, 2023-08-03, rev 0x7002802, size 30720 + sig 0x00050665, pf_mask 0x10, 2023-08-03, rev 0xe000015, size 23552 + sig 0x000506f1, pf_mask 0x01, 2023-10-05, rev 0x003e, size 11264 + sig 0x000606a6, pf_mask 0x87, 2023-09-14, rev 0xd0003d1, size 307200 + sig 0x000606c1, pf_mask 0x10, 2023-12-05, rev 0x1000290, size 299008 + sig 0x000706a1, pf_mask 0x01, 2023-08-25, rev 0x0040, size 76800 + sig 0x000706a8, pf_mask 0x01, 2023-08-25, rev 0x0024, size 76800 + sig 0x000706e5, pf_mask 0x80, 2023-09-14, rev 0x00c4, size 114688 + sig 0x000806c1, pf_mask 0x80, 2023-09-13, rev 0x00b6, size 111616 + sig 0x000806c2, pf_mask 0xc2, 2023-09-13, rev 0x0036, size 98304 + sig 0x000806d1, pf_mask 0xc2, 2023-09-13, rev 0x0050, size 104448 + sig 0x000806ec, pf_mask 0x94, 2023-07-16, rev 0x00fa, size 106496 + sig 0x000806f8, pf_mask 0x87, 2024-01-03, rev 0x2b000590, size 579584 + sig 0x000806f7, pf_mask 0x87, 2024-01-03, rev 0x2b000590 + sig 0x000806f6, pf_mask 0x87, 2024-01-03, rev 0x2b000590 + sig 0x000806f5, pf_mask 0x87, 2024-01-03, rev 0x2b000590 + sig 0x000806f4, pf_mask 0x87, 2024-01-03, rev 0x2b000590 + sig 0x00090661, pf_mask 0x01, 2023-09-26, rev 0x0019, size 20480 + sig 0x00090672, pf_mask 0x07, 2023-09-19, rev 0x0034, size 224256 + sig 0x00090675, pf_mask 0x07, 2023-09-19, rev 0x0034 + sig 0x000b06f2, pf_mask 0x07, 2023-09-19, rev 0x0034 + sig 0x000b06f5, pf_mask 0x07, 2023-09-19, rev 0x0034 + sig 0x000906a3, pf_mask 0x80, 2023-09-19, rev 0x0432, size 222208 + sig 0x000906a4, pf_mask 0x80, 2023-09-19, rev 0x0432 + sig 0x000906c0, pf_mask 0x01, 2023-09-26, rev 0x24000026, size 20480 + sig 0x000906e9, pf_mask 0x2a, 2023-09-28, rev 0x00f8, size 108544 + sig 0x000906ea, pf_mask 0x22, 2023-07-26, rev 0x00f6, size 105472 + sig 0x000906ec, pf_mask 0x22, 2023-07-26, rev 0x00f6, size 106496 + sig 0x000906ed, pf_mask 0x22, 2023-07-27, rev 0x00fc, size 106496 + sig 0x000a0652, pf_mask 0x20, 2023-07-16, rev 0x00fa, size 97280 + sig 0x000a0653, pf_mask 0x22, 2023-07-16, rev 0x00fa, size 97280 + sig 0x000a0655, pf_mask 0x22, 2023-07-16, rev 0x00fa, size 97280 + sig 0x000a0660, pf_mask 0x80, 2023-07-16, rev 0x00fa, size 97280 + sig 0x000a0661, pf_mask 0x80, 2023-07-16, rev 0x00fa, size 96256 + sig 0x000a0671, pf_mask 0x02, 2023-09-14, rev 0x005e, size 108544 + sig 0x000b0671, pf_mask 0x32, 2023-12-14, rev 0x0122, size 215040 + sig 0x000b06a2, pf_mask 0xe0, 2023-12-07, rev 0x4121, size 220160 + sig 0x000b06a3, pf_mask 0xe0, 2023-12-07, rev 0x4121 + sig 0x000b06e0, pf_mask 0x11, 2023-09-25, rev 0x0015, size 138240 + * New microcodes: + sig 0x000a06a4, pf_mask 0xe6, 2024-01-03, rev 0x001c, size 136192 + sig 0x000b06a8, pf_mask 0xe0, 2023-12-07, rev 0x4121, size 220160 + sig 0x000c06f2, pf_mask 0x87, 2023-11-20, rev 0x21000200, size 549888 + sig 0x000c06f1, pf_mask 0x87, 2023-11-20, rev 0x21000200 + * source: update symlinks to reflect id of the latest release, 20240312 + * changelog, debian/changelog: fix typos + + -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 12 Mar 2024 20:28:17 -0300 + +intel-microcode (3.20231114.1) unstable; urgency=medium + + * New upstream microcode datafile 20231114 (closes: #1055962) + Mitigations for "reptar", INTEL-SA-00950 (CVE-2023-23583) + Sequence of processor instructions leads to unexpected behavior for some + Intel(R) Processors, may allow an authenticated user to potentially enable + escalation of privilege and/or information disclosure and/or denial of + service via local access. + Note: "reptar" on 4th gen Xeon Scalable (sig 0x806f8 pfm 0x87), 12th gen + Core mobile (sig 0x906a4 pfm 0x80), 13th gen Core desktop (sig 0xb0671 pfm + 0x01) were already mitigated by a previous microcode update. + * Fixes for unspecified functional issues + * Updated microcodes: + sig 0x000606a6, pf_mask 0x87, 2023-09-01, rev 0xd0003b9, size 299008 + sig 0x000606c1, pf_mask 0x10, 2023-09-08, rev 0x1000268, size 290816 + sig 0x000706e5, pf_mask 0x80, 2023-09-03, rev 0x00c2, size 113664 + sig 0x000806c1, pf_mask 0x80, 2023-09-07, rev 0x00b4, size 111616 + sig 0x000806c2, pf_mask 0xc2, 2023-09-07, rev 0x0034, size 98304 + sig 0x000806d1, pf_mask 0xc2, 2023-09-07, rev 0x004e, size 104448 + sig 0x000806f8, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0, size 572416 + sig 0x000806f8, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0 + sig 0x000806f7, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0 + sig 0x000806f6, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0 + sig 0x000806f5, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0 + sig 0x000806f4, pf_mask 0x87, 2023-06-16, rev 0x2b0004d0 + sig 0x000806f8, pf_mask 0x10, 2023-06-26, rev 0x2c000290, size 605184 + sig 0x000806f8, pf_mask 0x10, 2023-06-26, rev 0x2c000290 + sig 0x000806f6, pf_mask 0x10, 2023-06-26, rev 0x2c000290 + sig 0x000806f5, pf_mask 0x10, 2023-06-26, rev 0x2c000290 + sig 0x000806f4, pf_mask 0x10, 2023-06-26, rev 0x2c000290 + sig 0x00090672, pf_mask 0x07, 2023-06-07, rev 0x0032, size 222208 + sig 0x00090672, pf_mask 0x07, 2023-06-07, rev 0x0032 + sig 0x00090675, pf_mask 0x07, 2023-06-07, rev 0x0032 + sig 0x000b06f2, pf_mask 0x07, 2023-06-07, rev 0x0032 + sig 0x000b06f5, pf_mask 0x07, 2023-06-07, rev 0x0032 + sig 0x000906a3, pf_mask 0x80, 2023-06-07, rev 0x0430, size 220160 + sig 0x000906a3, pf_mask 0x80, 2023-06-07, rev 0x0430 + sig 0x000906a4, pf_mask 0x80, 2023-06-07, rev 0x0430 + sig 0x000906a4, pf_mask 0x40, 2023-05-05, rev 0x0005, size 117760 + sig 0x000a0671, pf_mask 0x02, 2023-09-03, rev 0x005d, size 104448 + sig 0x000b0671, pf_mask 0x32, 2023-08-29, rev 0x011d, size 210944 + sig 0x000b06a2, pf_mask 0xe0, 2023-08-30, rev 0x411c, size 216064 + sig 0x000b06a2, pf_mask 0xe0, 2023-08-30, rev 0x411c + sig 0x000b06a3, pf_mask 0xe0, 2023-08-30, rev 0x411c + sig 0x000b06e0, pf_mask 0x11, 2023-06-26, rev 0x0012, size 136192 + * Updated 2023-08-08 changelog entry with reptar information + * source: update symlinks to reflect id of the latest release, 20231114 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 16 Nov 2023 08:09:43 -0300 + +intel-microcode (3.20230808.1) unstable; urgency=high + + * New upstream microcode datafile 20230808 (closes: #1043305) + * Mitigations for "Downfall" INTEL-SA-00828 (CVE-2022-40982), + INTEL-SA-00836 (CVE-2023-23908) and INTEL-SA-00837 (CVE-2022-41804) + * Mitigations for "reptar" on a few processors, refer to the 2023-11-14 + entry for details. This information was disclosed in 2023-11-14. + * Updated microcodes: + sig 0x00050653, pf_mask 0x97, 2023-03-23, rev 0x1000181, size 36864 + sig 0x00050654, pf_mask 0xb7, 2023-03-06, rev 0x2007006, size 44032 + sig 0x00050656, pf_mask 0xbf, 2023-03-17, rev 0x4003604, size 38912 + sig 0x00050657, pf_mask 0xbf, 2023-03-17, rev 0x5003604, size 38912 + sig 0x0005065b, pf_mask 0xbf, 2023-03-21, rev 0x7002703, size 30720 + sig 0x000606a6, pf_mask 0x87, 2023-03-30, rev 0xd0003a5, size 297984 + sig 0x000706e5, pf_mask 0x80, 2023-02-26, rev 0x00bc, size 113664 + sig 0x000806c1, pf_mask 0x80, 2023-02-27, rev 0x00ac, size 111616 + sig 0x000806c2, pf_mask 0xc2, 2023-02-27, rev 0x002c, size 98304 + sig 0x000806d1, pf_mask 0xc2, 2023-02-27, rev 0x0046, size 103424 + sig 0x000806e9, pf_mask 0xc0, 2023-02-22, rev 0x00f4, size 106496 + sig 0x000806e9, pf_mask 0x10, 2023-02-23, rev 0x00f4, size 105472 + sig 0x000806ea, pf_mask 0xc0, 2023-02-23, rev 0x00f4, size 105472 + sig 0x000806eb, pf_mask 0xd0, 2023-02-23, rev 0x00f4, size 106496 + sig 0x000806ec, pf_mask 0x94, 2023-02-26, rev 0x00f8, size 106496 + sig 0x000806f8, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1, size 572416 + sig 0x000806f7, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1 + sig 0x000806f6, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1 + sig 0x000806f5, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1 + sig 0x000806f4, pf_mask 0x87, 2023-05-09, rev 0x2b0004b1 + sig 0x000806f8, pf_mask 0x10, 2023-05-15, rev 0x2c000271, size 605184 + sig 0x000806f6, pf_mask 0x10, 2023-05-15, rev 0x2c000271 + sig 0x000806f5, pf_mask 0x10, 2023-05-15, rev 0x2c000271 + sig 0x000806f4, pf_mask 0x10, 2023-05-15, rev 0x2c000271 + sig 0x00090672, pf_mask 0x07, 2023-04-18, rev 0x002e, size 220160 + sig 0x00090675, pf_mask 0x07, 2023-04-18, rev 0x002e + sig 0x000b06f2, pf_mask 0x07, 2023-04-18, rev 0x002e + sig 0x000b06f5, pf_mask 0x07, 2023-04-18, rev 0x002e + sig 0x000906a3, pf_mask 0x80, 2023-04-18, rev 0x042c, size 219136 + sig 0x000906a4, pf_mask 0x80, 2023-04-18, rev 0x042c + sig 0x000906e9, pf_mask 0x2a, 2023-02-23, rev 0x00f4, size 108544 + sig 0x000906ea, pf_mask 0x22, 2023-02-23, rev 0x00f4, size 104448 + sig 0x000906eb, pf_mask 0x02, 2023-02-23, rev 0x00f4, size 106496 + sig 0x000906ec, pf_mask 0x22, 2023-02-23, rev 0x00f4, size 105472 + sig 0x000906ed, pf_mask 0x22, 2023-02-27, rev 0x00fa, size 106496 + sig 0x000a0652, pf_mask 0x20, 2023-02-23, rev 0x00f8, size 97280 + sig 0x000a0653, pf_mask 0x22, 2023-02-23, rev 0x00f8, size 97280 + sig 0x000a0655, pf_mask 0x22, 2023-02-23, rev 0x00f8, size 97280 + sig 0x000a0660, pf_mask 0x80, 2023-02-23, rev 0x00f8, size 97280 + sig 0x000a0661, pf_mask 0x80, 2023-02-23, rev 0x00f8, size 96256 + sig 0x000a0671, pf_mask 0x02, 2023-02-26, rev 0x0059, size 104448 + sig 0x000b0671, pf_mask 0x32, 2023-06-06, rev 0x0119, size 210944 + sig 0x000b06a2, pf_mask 0xe0, 2023-06-06, rev 0x4119, size 216064 + sig 0x000b06a3, pf_mask 0xe0, 2023-06-06, rev 0x4119 + sig 0x000b06e0, pf_mask 0x11, 2023-04-12, rev 0x0011, size 136192 + * source: update symlinks to reflect id of the latest release, 20230808 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 08 Aug 2023 17:25:56 -0300 + +intel-microcode (3.20230512.1) unstable; urgency=medium + + * New upstream microcode datafile 20230512 (closes: #1036013) + * New microcodes: + sig 0x000906a4, pf_mask 0x40, 2022-10-12, rev 0x0004, size 115712 + sig 0x000b06e0, pf_mask 0x01, 2022-12-19, rev 0x0010, size 134144 + * Updated microcodes: + sig 0x00050653, pf_mask 0x97, 2022-12-21, rev 0x1000171, size 36864 + sig 0x00050654, pf_mask 0xb7, 2022-12-21, rev 0x2006f05, size 44032 + sig 0x00050656, pf_mask 0xbf, 2022-12-21, rev 0x4003501, size 37888 + sig 0x00050657, pf_mask 0xbf, 2022-12-21, rev 0x5003501, size 37888 + sig 0x0005065b, pf_mask 0xbf, 2022-12-21, rev 0x7002601, size 29696 + sig 0x000606a6, pf_mask 0x87, 2022-12-28, rev 0xd000390, size 296960 + sig 0x000706e5, pf_mask 0x80, 2022-12-25, rev 0x00ba, size 113664 + sig 0x000806a1, pf_mask 0x10, 2023-01-13, rev 0x0033, size 34816 + sig 0x000806c1, pf_mask 0x80, 2022-12-28, rev 0x00aa, size 110592 + sig 0x000806c2, pf_mask 0xc2, 2022-12-28, rev 0x002a, size 97280 + sig 0x000806d1, pf_mask 0xc2, 2022-12-28, rev 0x0044, size 102400 + sig 0x000806e9, pf_mask 0xc0, 2022-12-26, rev 0x00f2, size 105472 + sig 0x000806e9, pf_mask 0x10, 2023-01-02, rev 0x00f2, size 105472 + sig 0x000806ea, pf_mask 0xc0, 2022-12-26, rev 0x00f2, size 105472 + sig 0x000806eb, pf_mask 0xd0, 2022-12-26, rev 0x00f2, size 105472 + sig 0x000806ec, pf_mask 0x94, 2022-12-26, rev 0x00f6, size 105472 + sig 0x000806f8, pf_mask 0x87, 2023-03-13, rev 0x2b000461, size 564224 + sig 0x000806f7, pf_mask 0x87, 2023-03-13, rev 0x2b000461 + sig 0x000806f6, pf_mask 0x87, 2023-03-13, rev 0x2b000461 + sig 0x000806f5, pf_mask 0x87, 2023-03-13, rev 0x2b000461 + sig 0x000806f4, pf_mask 0x87, 2023-03-13, rev 0x2b000461 + sig 0x000806f8, pf_mask 0x10, 2023-02-14, rev 0x2c0001d1, size 595968 + sig 0x000806f6, pf_mask 0x10, 2023-02-14, rev 0x2c0001d1 + sig 0x000806f5, pf_mask 0x10, 2023-02-14, rev 0x2c0001d1 + sig 0x000806f4, pf_mask 0x10, 2023-02-14, rev 0x2c0001d1 + sig 0x000906a3, pf_mask 0x80, 2023-02-14, rev 0x042a, size 218112 + sig 0x000906a4, pf_mask 0x80, 2023-02-14, rev 0x042a + sig 0x000906e9, pf_mask 0x2a, 2022-12-26, rev 0x00f2, size 108544 + sig 0x000906ea, pf_mask 0x22, 2023-01-12, rev 0x00f2, size 104448 + sig 0x000906eb, pf_mask 0x02, 2022-12-26, rev 0x00f2, size 105472 + sig 0x000906ec, pf_mask 0x22, 2023-01-12, rev 0x00f2, size 104448 + sig 0x000906ed, pf_mask 0x22, 2023-02-05, rev 0x00f8, size 104448 + sig 0x000a0652, pf_mask 0x20, 2022-12-27, rev 0x00f6, size 96256 + sig 0x000a0653, pf_mask 0x22, 2023-01-01, rev 0x00f6, size 97280 + sig 0x000a0655, pf_mask 0x22, 2022-12-26, rev 0x00f6, size 96256 + sig 0x000a0660, pf_mask 0x80, 2022-12-26, rev 0x00f6, size 97280 + sig 0x000a0661, pf_mask 0x80, 2022-12-26, rev 0x00f6, size 96256 + sig 0x000a0671, pf_mask 0x02, 2022-12-25, rev 0x0058, size 103424 + sig 0x000b0671, pf_mask 0x32, 2023-02-06, rev 0x0113, size 207872 + sig 0x000b06a2, pf_mask 0xc0, 2023-02-22, rev 0x4112, size 212992 + sig 0x000b06a3, pf_mask 0xc0, 2023-02-22, rev 0x4112 + * source: update symlinks to reflect id of the latest release, 20230512 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 16 May 2023 00:13:02 -0300 + +intel-microcode (3.20230214.1) unstable; urgency=medium + + * Non-maintainer upload. + * New upstream microcode datafile 20230214 + - Includes Fixes for: (Closes: #1031334) + - INTEL-SA-00700: CVE-2022-21216 + - INTEL-SA-00730: CVE-2022-33972 + - INTEL-SA-00738: CVE-2022-33196 + - INTEL-SA-00767: CVE-2022-38090 + * New Microcodes: + sig 0x000806f4, pf_mask 0x10, 2022-12-19, rev 0x2c000170 + sig 0x000806f4, pf_mask 0x87, 2022-12-27, rev 0x2b000181 + sig 0x000806f5, pf_mask 0x10, 2022-12-19, rev 0x2c000170 + sig 0x000806f5, pf_mask 0x87, 2022-12-27, rev 0x2b000181 + sig 0x000806f6, pf_mask 0x10, 2022-12-19, rev 0x2c000170 + sig 0x000806f6, pf_mask 0x87, 2022-12-27, rev 0x2b000181 + sig 0x000806f7, pf_mask 0x87, 2022-12-27, rev 0x2b000181 + sig 0x000806f8, pf_mask 0x10, 2022-12-19, rev 0x2c000170 + sig 0x000806f8, pf_mask 0x10, 2022-12-19, rev 0x2c000170, size 600064 + sig 0x000806f8, pf_mask 0x87, 2022-12-27, rev 0x2b000181 + sig 0x000806f8, pf_mask 0x87, 2022-12-27, rev 0x2b000181, size 561152 + sig 0x000b06a2, pf_mask 0xc0, 2022-12-08, rev 0x410e + sig 0x000b06a2, pf_mask 0xc0, 2022-12-08, rev 0x410e, size 212992 + sig 0x000b06a3, pf_mask 0xc0, 2022-12-08, rev 0x410e + * Updated Microcodes: + sig 0x00050653, pf_mask 0x97, 2022-08-30, rev 0x1000161, size 36864 + sig 0x00050656, pf_mask 0xbf, 2022-08-26, rev 0x4003303, size 37888 + sig 0x00050657, pf_mask 0xbf, 2022-08-26, rev 0x5003303, size 37888 + sig 0x0005065b, pf_mask 0xbf, 2022-08-26, rev 0x7002503, size 29696 + sig 0x000606a6, pf_mask 0x87, 2022-10-09, rev 0xd000389, size 296960 + sig 0x000606c1, pf_mask 0x10, 2022-09-23, rev 0x1000211, size 289792 + sig 0x000706a1, pf_mask 0x01, 2022-09-16, rev 0x003e, size 75776 + sig 0x000706a8, pf_mask 0x01, 2022-09-20, rev 0x0022, size 76800 + sig 0x000706e5, pf_mask 0x80, 2022-08-31, rev 0x00b8, size 113664 + sig 0x000806a1, pf_mask 0x10, 2022-09-07, rev 0x0032, size 34816 + sig 0x00090672, pf_mask 0x07, 2023-01-04, rev 0x002c + sig 0x00090672, pf_mask 0x07, 2023-01-04, rev 0x002c, size 219136 + sig 0x00090675, pf_mask 0x07, 2023-01-04, rev 0x002c + sig 0x000906a3, pf_mask 0x80, 2023-01-11, rev 0x0429 + sig 0x000906a3, pf_mask 0x80, 2023-01-11, rev 0x0429, size 218112 + sig 0x000906a4, pf_mask 0x80, 2023-01-11, rev 0x0429 + sig 0x000906c0, pf_mask 0x01, 2022-09-02, rev 0x24000024, size 20480 + sig 0x000a0671, pf_mask 0x02, 2022-08-31, rev 0x0057, size 103424 + sig 0x000b0671, pf_mask 0x32, 2022-12-19, rev 0x0112, size 207872 + sig 0x000b06f2, pf_mask 0x07, 2023-01-04, rev 0x002c + sig 0x000b06f5, pf_mask 0x07, 2023-01-04, rev 0x002c + + -- Tobias Frost <tobi@debian.org> Sun, 12 Mar 2023 18:16:50 +0100 + +intel-microcode (3.20221108.2) unstable; urgency=medium + + * Move source and binary from non-free/admin to non-free-firmware/admin + following the 2022 General Resolution about non-free firmware. + + -- Cyril Brulebois <kibi@debian.org> Fri, 17 Feb 2023 01:12:52 +0100 + +intel-microcode (3.20221108.1) unstable; urgency=medium + + * New upstream microcode datafile 20221108 + * New Microcodes: + sig 0x000606c1, pf_mask 0x10, 2022-08-07, rev 0x1000201, size 286720 + sig 0x000b0671, pf_mask 0x32, 2022-09-07, rev 0x010e, size 204800 + * Updated Microcodes: + sig 0x000706e5, pf_mask 0x80, 2022-08-02, rev 0x00b6, size 113664 + sig 0x000806c1, pf_mask 0x80, 2022-06-28, rev 0x00a6, size 110592 + sig 0x000806d1, pf_mask 0xc2, 2022-06-28, rev 0x0042, size 102400 + sig 0x000806ec, pf_mask 0x94, 2022-07-31, rev 0x00f4, size 105472 + sig 0x00090661, pf_mask 0x01, 2022-07-15, rev 0x0017, size 20480 + sig 0x00090672, pf_mask 0x07, 2022-09-19, rev 0x0026, size 218112 + sig 0x00090675, pf_mask 0x07, 2022-09-19, rev 0x0026 + sig 0x000b06f2, pf_mask 0x07, 2022-09-19, rev 0x0026 + sig 0x000b06f5, pf_mask 0x07, 2022-09-19, rev 0x0026 + sig 0x000906a3, pf_mask 0x80, 2022-09-19, rev 0x0424, size 217088 + sig 0x000906a4, pf_mask 0x80, 2022-09-19, rev 0x0424 + sig 0x000906ed, pf_mask 0x22, 2022-07-31, rev 0x00f4, size 104448 + sig 0x000a0652, pf_mask 0x20, 2022-07-31, rev 0x00f4, size 96256 + sig 0x000a0653, pf_mask 0x22, 2022-07-31, rev 0x00f4, size 97280 + sig 0x000a0655, pf_mask 0x22, 2022-07-31, rev 0x00f4, size 96256 + sig 0x000a0660, pf_mask 0x80, 2022-07-31, rev 0x00f4, size 97280 + sig 0x000a0661, pf_mask 0x80, 2022-07-31, rev 0x00f4, size 96256 + sig 0x000a0671, pf_mask 0x02, 2022-08-02, rev 0x0056, size 103424 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 03 Dec 2022 17:21:08 -0300 + +intel-microcode (3.20220809.1) unstable; urgency=medium + + * New upstream microcode datafile 20220809 + * Fixes INTEL-SA-00657, CVE-2022-21233 + Stale data from APIC leaks SGX memory (AEPIC leak) + * Fixes unspecified errata (functional issues) on Xeon Scalable + * Updated Microcodes: + sig 0x00050653, pf_mask 0x97, 2022-03-14, rev 0x100015e, size 34816 + sig 0x00050654, pf_mask 0xb7, 2022-03-08, rev 0x2006e05, size 44032 + sig 0x000606a6, pf_mask 0x87, 2022-04-07, rev 0xd000375, size 293888 + sig 0x000706a1, pf_mask 0x01, 2022-03-23, rev 0x003c, size 75776 + sig 0x000706a8, pf_mask 0x01, 2022-03-23, rev 0x0020, size 75776 + sig 0x000706e5, pf_mask 0x80, 2022-03-17, rev 0x00b2, size 112640 + sig 0x000806c2, pf_mask 0xc2, 2022-03-19, rev 0x0028, size 97280 + sig 0x000806d1, pf_mask 0xc2, 2022-03-28, rev 0x0040, size 102400 + sig 0x00090672, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064 + sig 0x00090675, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064 + sig 0x000906a3, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064 + sig 0x000906a4, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064 + sig 0x000a0671, pf_mask 0x02, 2022-03-17, rev 0x0054, size 103424 + sig 0x000b06f2, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064 + sig 0x000b06f5, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064 + * source: update symlinks to reflect id of the latest release, 20220809 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 19 Aug 2022 14:21:20 -0300 + +intel-microcode (3.20220510.1) unstable; urgency=medium + + * New upstream microcode datafile 20220510 + * Fixes INTEL-SA-000617, CVE-2022-21151: + Processor optimization removal or modification of security-critical + code may allow an authenticated user to potentially enable information + disclosure via local access (closes: #1010947) + * Fixes several errata (functional issues) on Xeon Scalable, Atom C3000, + Atom E3900 + * New Microcodes: + sig 0x00090672, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992 + sig 0x00090675, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992 + sig 0x000906a3, pf_mask 0x80, 2022-03-24, rev 0x041c, size 212992 + sig 0x000906a4, pf_mask 0x80, 2022-03-24, rev 0x041c, size 212992 + sig 0x000b06f2, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992 + sig 0x000b06f5, pf_mask 0x03, 2022-03-03, rev 0x001f, size 212992 + * Updated Microcodes: + sig 0x00030679, pf_mask 0x0f, 2019-07-10, rev 0x090d, size 52224 + sig 0x000406e3, pf_mask 0xc0, 2021-11-12, rev 0x00f0, size 106496 + sig 0x00050653, pf_mask 0x97, 2021-11-13, rev 0x100015d, size 34816 + sig 0x00050654, pf_mask 0xb7, 2021-11-13, rev 0x2006d05, size 43008 + sig 0x00050656, pf_mask 0xbf, 2021-12-10, rev 0x4003302, size 37888 + sig 0x00050657, pf_mask 0xbf, 2021-12-10, rev 0x5003302, size 37888 + sig 0x0005065b, pf_mask 0xbf, 2021-11-19, rev 0x7002501, size 29696 + sig 0x000506c9, pf_mask 0x03, 2021-11-16, rev 0x0048, size 17408 + sig 0x000506e3, pf_mask 0x36, 2021-11-12, rev 0x00f0, size 109568 + sig 0x000506f1, pf_mask 0x01, 2021-12-02, rev 0x0038, size 11264 + sig 0x000606a6, pf_mask 0x87, 2022-03-30, rev 0xd000363, size 294912 + sig 0x000706a1, pf_mask 0x01, 2021-11-22, rev 0x003a, size 75776 + sig 0x000706a8, pf_mask 0x01, 2021-11-22, rev 0x001e, size 75776 + sig 0x000706e5, pf_mask 0x80, 2022-03-09, rev 0x00b0, size 112640 + sig 0x000806a1, pf_mask 0x10, 2022-03-26, rev 0x0031, size 34816 + sig 0x000806c1, pf_mask 0x80, 2022-02-01, rev 0x00a4, size 109568 + sig 0x000806c2, pf_mask 0xc2, 2021-12-07, rev 0x0026, size 97280 + sig 0x000806d1, pf_mask 0xc2, 2021-12-07, rev 0x003e, size 102400 + sig 0x000806e9, pf_mask 0x10, 2021-11-12, rev 0x00f0, size 105472 + sig 0x000806e9, pf_mask 0xc0, 2021-11-12, rev 0x00f0, size 105472 + sig 0x000806ea, pf_mask 0xc0, 2021-11-12, rev 0x00f0, size 105472 + sig 0x000806eb, pf_mask 0xd0, 2021-11-15, rev 0x00f0, size 105472 + sig 0x000806ec, pf_mask 0x94, 2021-11-17, rev 0x00f0, size 105472 + sig 0x00090661, pf_mask 0x01, 2022-02-03, rev 0x0016, size 20480 + sig 0x000906c0, pf_mask 0x01, 2022-02-19, rev 0x24000023, size 20480 + sig 0x000906e9, pf_mask 0x2a, 2021-11-12, rev 0x00f0, size 108544 + sig 0x000906ea, pf_mask 0x22, 2021-11-15, rev 0x00f0, size 104448 + sig 0x000906eb, pf_mask 0x02, 2021-11-12, rev 0x00f0, size 105472 + sig 0x000906ec, pf_mask 0x22, 2021-11-15, rev 0x00f0, size 104448 + sig 0x000906ed, pf_mask 0x22, 2021-11-16, rev 0x00f0, size 104448 + sig 0x000a0652, pf_mask 0x20, 2021-11-16, rev 0x00f0, size 96256 + sig 0x000a0653, pf_mask 0x22, 2021-11-15, rev 0x00f0, size 97280 + sig 0x000a0655, pf_mask 0x22, 2021-11-16, rev 0x00f0, size 96256 + sig 0x000a0660, pf_mask 0x80, 2021-11-15, rev 0x00f0, size 96256 + sig 0x000a0661, pf_mask 0x80, 2021-11-16, rev 0x00f0, size 96256 + sig 0x000a0671, pf_mask 0x02, 2022-03-09, rev 0x0053, size 103424 + * source: update symlinks to reflect id of the latest release, 20220510 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 15 May 2022 20:09:05 -0300 + +intel-microcode (3.20220419.1) unstable; urgency=medium + + * New upstream microcode datafile 20220419 + * Fixes errata APLI-11 in Atom E3900 series processors + * Updated Microcodes: + sig 0x000506ca, pf_mask 0x03, 2021-11-16, rev 0x0028, size 16384 + * source: update symlinks to reflect id of the latest release, 20220419 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 21 Apr 2022 17:25:05 -0300 + +intel-microcode (3.20220207.1) unstable; urgency=medium + + * upstream changelog: new upstream datafile 20220207 + * Mitigates (*only* when loaded from UEFI firmware through the FIT) + CVE-2021-0146, INTEL-SA-00528: VT-d privilege escalation through + debug port, on Pentium, Celeron and Atom processors with signatures + 0x506c9, 0x506ca, 0x506f1, 0x706a1, 0x706a8 + https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/57#issuecomment-1036363145 + * Mitigates CVE-2021-0127, INTEL-SA-00532: an unexpected code breakpoint + may cause a system hang, on many processors. + * Mitigates CVE-2021-0145, INTEL-SA-00561: information disclosure due + to improper sanitization of shared resources (fast-store forward + predictor), on many processors. + * Mitigates CVE-2021-33120, INTEL-SA-00589: out-of-bounds read on some + Atom Processors may allow information disclosure or denial of service + via network access. + * Fixes critical errata (functional issues) on many processors + * Adds a MSR switch to enable RAPL filtering (default off, once enabled + it can only be disabled by poweroff or reboot). Useful to protect + SGX and other threads from side-channel info leak. Improves the + mitigation for CVE-2020-8694, CVE-2020-8695, INTEL-SA-00389 on many + processors. + * Disables TSX in more processor models. + * Fixes issue with WBINDV on multi-socket (server) systems which could + cause resets and unpredictable system behavior. + * Adds a MSR switch to 10th and 11th-gen (Ice Lake, Tiger Lake, Rocket + Lake) processors, to control a fix for (hopefully rare) unpredictable + processor behavior when HyperThreading is enabled. This MSR switch + is enabled by default on *server* processors. On other processors, + it needs to be explicitly enabled by an updated UEFI/BIOS (with added + configuration logic). An updated operating system kernel might also + be able to enable it. When enabled, this fix can impact performance. + * Updated Microcodes: + sig 0x000306f2, pf_mask 0x6f, 2021-08-11, rev 0x0049, size 38912 + sig 0x000306f4, pf_mask 0x80, 2021-05-24, rev 0x001a, size 23552 + sig 0x000406e3, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 105472 + sig 0x00050653, pf_mask 0x97, 2021-05-26, rev 0x100015c, size 34816 + sig 0x00050654, pf_mask 0xb7, 2021-06-16, rev 0x2006c0a, size 43008 + sig 0x00050656, pf_mask 0xbf, 2021-08-13, rev 0x400320a, size 35840 + sig 0x00050657, pf_mask 0xbf, 2021-08-13, rev 0x500320a, size 36864 + sig 0x0005065b, pf_mask 0xbf, 2021-06-04, rev 0x7002402, size 28672 + sig 0x00050663, pf_mask 0x10, 2021-06-12, rev 0x700001c, size 28672 + sig 0x00050664, pf_mask 0x10, 2021-06-12, rev 0xf00001a, size 27648 + sig 0x00050665, pf_mask 0x10, 2021-09-18, rev 0xe000014, size 23552 + sig 0x000506c9, pf_mask 0x03, 2021-05-10, rev 0x0046, size 17408 + sig 0x000506ca, pf_mask 0x03, 2021-05-10, rev 0x0024, size 16384 + sig 0x000506e3, pf_mask 0x36, 2021-04-29, rev 0x00ec, size 108544 + sig 0x000506f1, pf_mask 0x01, 2021-05-10, rev 0x0036, size 11264 + sig 0x000606a6, pf_mask 0x87, 2021-12-03, rev 0xd000331, size 291840 + sig 0x000706a1, pf_mask 0x01, 2021-05-10, rev 0x0038, size 74752 + sig 0x000706a8, pf_mask 0x01, 2021-05-10, rev 0x001c, size 75776 + sig 0x000706e5, pf_mask 0x80, 2021-05-26, rev 0x00a8, size 110592 + sig 0x000806a1, pf_mask 0x10, 2021-09-02, rev 0x002d, size 34816 + sig 0x000806c1, pf_mask 0x80, 2021-08-06, rev 0x009a, size 109568 + sig 0x000806c2, pf_mask 0xc2, 2021-07-16, rev 0x0022, size 96256 + sig 0x000806d1, pf_mask 0xc2, 2021-07-16, rev 0x003c, size 101376 + sig 0x000806e9, pf_mask 0x10, 2021-04-28, rev 0x00ec, size 104448 + sig 0x000806e9, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 104448 + sig 0x000806ea, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 103424 + sig 0x000806eb, pf_mask 0xd0, 2021-04-28, rev 0x00ec, size 104448 + sig 0x000806ec, pf_mask 0x94, 2021-04-28, rev 0x00ec, size 104448 + sig 0x00090661, pf_mask 0x01, 2021-09-21, rev 0x0015, size 20480 + sig 0x000906c0, pf_mask 0x01, 2021-08-09, rev 0x2400001f, size 20480 + sig 0x000906e9, pf_mask 0x2a, 2021-04-29, rev 0x00ec, size 106496 + sig 0x000906ea, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 102400 + sig 0x000906eb, pf_mask 0x02, 2021-04-28, rev 0x00ec, size 104448 + sig 0x000906ec, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424 + sig 0x000906ed, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424 + sig 0x000a0652, pf_mask 0x20, 2021-04-28, rev 0x00ec, size 93184 + sig 0x000a0653, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 94208 + sig 0x000a0655, pf_mask 0x22, 2021-04-28, rev 0x00ee, size 94208 + sig 0x000a0660, pf_mask 0x80, 2021-04-28, rev 0x00ea, size 94208 + sig 0x000a0661, pf_mask 0x80, 2021-04-29, rev 0x00ec, size 93184 + sig 0x000a0671, pf_mask 0x02, 2021-08-29, rev 0x0050, size 102400 + * Removed Microcodes: + sig 0x00080664, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048 + sig 0x00080665, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048 + * update .gitignore and debian/.gitignore. + Add some missing items from .gitignore and debian/.gitignore. + * ucode-blacklist: do not late-load 0x406e3 and 0x506e3. + When the BIOS microcode is older than revision 0x7f (and perhaps in some + other cases as well), the latest microcode updates for 0x406e3 and + 0x506e3 must be applied using the early update method. Otherwise, the + system might hang. Also: there must not be any other intermediate + microcode update attempts [other than the one done by the BIOS itself], + either. It must go from the BIOS microcode update directly to the + latest microcode update. + * source: update symlinks to reflect id of the latest release, 20220207 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 25 Feb 2022 05:36:55 -0300 + +intel-microcode (3.20210608.2) unstable; urgency=high + + * Correct INTEL-SA-00442 CVE id to CVE-2020-24489 in changelog and + debian/changelog (3.20210608.1). + + -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 23 Jun 2021 13:42:19 -0300 + +intel-microcode (3.20210608.1) unstable; urgency=high + + * New upstream microcode datafile 20210608 (closes: #989615) + * Implements mitigations for CVE-2020-24511 CVE-2020-24512 + (INTEL-SA-00464), information leakage through shared resources, + and timing discrepancy sidechannels + * Implements mitigations for CVE-2020-24513 (INTEL-SA-00465), + Domain-bypass transient execution vulnerability in some Intel Atom + Processors, affects Intel SGX. + * Implements mitigations for CVE-2020-24489 (INTEL-SA-00442), Intel + VT-d privilege escalation + * Fixes critical errata on several processors + * New Microcodes: + sig 0x00050655, pf_mask 0xb7, 2018-11-16, rev 0x3000010, size 47104 + sig 0x000606a5, pf_mask 0x87, 2021-03-08, rev 0xc0002f0, size 283648 + sig 0x000606a6, pf_mask 0x87, 2021-04-25, rev 0xd0002a0, size 283648 + sig 0x00080664, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048 + sig 0x00080665, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048 + sig 0x000806c1, pf_mask 0x80, 2021-03-31, rev 0x0088, size 109568 + sig 0x000806c2, pf_mask 0xc2, 2021-04-07, rev 0x0016, size 94208 + sig 0x000806d1, pf_mask 0xc2, 2021-04-23, rev 0x002c, size 99328 + sig 0x00090661, pf_mask 0x01, 2021-02-04, rev 0x0011, size 19456 + sig 0x000906c0, pf_mask 0x01, 2021-03-23, rev 0x001d, size 19456 + sig 0x000a0671, pf_mask 0x02, 2021-04-11, rev 0x0040, size 100352 + * Updated Microcodes: + sig 0x000306f2, pf_mask 0x6f, 2021-01-27, rev 0x0046, size 34816 + sig 0x000306f4, pf_mask 0x80, 2021-02-05, rev 0x0019, size 19456 + sig 0x000406e3, pf_mask 0xc0, 2021-01-25, rev 0x00ea, size 105472 + sig 0x000406f1, pf_mask 0xef, 2021-02-06, rev 0xb00003e, size 31744 + sig 0x00050653, pf_mask 0x97, 2021-03-08, rev 0x100015b, size 34816 + sig 0x00050654, pf_mask 0xb7, 2021-03-08, rev 0x2006b06, size 36864 + sig 0x00050656, pf_mask 0xbf, 2021-03-08, rev 0x4003102, size 30720 + sig 0x00050657, pf_mask 0xbf, 2021-03-08, rev 0x5003102, size 30720 + sig 0x0005065b, pf_mask 0xbf, 2021-04-23, rev 0x7002302, size 27648 + sig 0x00050663, pf_mask 0x10, 2021-02-04, rev 0x700001b, size 24576 + sig 0x00050664, pf_mask 0x10, 2021-02-04, rev 0xf000019, size 24576 + sig 0x00050665, pf_mask 0x10, 2021-02-04, rev 0xe000012, size 19456 + sig 0x000506c9, pf_mask 0x03, 2020-10-23, rev 0x0044, size 17408 + sig 0x000506ca, pf_mask 0x03, 2020-10-23, rev 0x0020, size 15360 + sig 0x000506e3, pf_mask 0x36, 2021-01-25, rev 0x00ea, size 105472 + sig 0x000506f1, pf_mask 0x01, 2020-10-23, rev 0x0034, size 11264 + sig 0x000706a1, pf_mask 0x01, 2020-10-23, rev 0x0036, size 74752 + sig 0x000706a8, pf_mask 0x01, 2020-10-23, rev 0x001a, size 75776 + sig 0x000706e5, pf_mask 0x80, 2020-11-01, rev 0x00a6, size 110592 + sig 0x000806a1, pf_mask 0x10, 2020-11-06, rev 0x002a, size 32768 + sig 0x000806e9, pf_mask 0x10, 2021-01-05, rev 0x00ea, size 104448 + sig 0x000806e9, pf_mask 0xc0, 2021-01-05, rev 0x00ea, size 104448 + sig 0x000806ea, pf_mask 0xc0, 2021-01-06, rev 0x00ea, size 103424 + sig 0x000806eb, pf_mask 0xd0, 2021-01-05, rev 0x00ea, size 104448 + sig 0x000806ec, pf_mask 0x94, 2021-01-05, rev 0x00ea, size 104448 + sig 0x000906e9, pf_mask 0x2a, 2021-01-05, rev 0x00ea, size 104448 + sig 0x000906ea, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 102400 + sig 0x000906eb, pf_mask 0x02, 2021-01-05, rev 0x00ea, size 104448 + sig 0x000906ec, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 103424 + sig 0x000906ed, pf_mask 0x22, 2021-01-05, rev 0x00ea, size 103424 + sig 0x000a0652, pf_mask 0x20, 2021-02-07, rev 0x00ea, size 93184 + sig 0x000a0653, pf_mask 0x22, 2021-03-08, rev 0x00ea, size 94208 + sig 0x000a0655, pf_mask 0x22, 2021-03-08, rev 0x00ec, size 94208 + sig 0x000a0660, pf_mask 0x80, 2020-12-08, rev 0x00e8, size 94208 + sig 0x000a0661, pf_mask 0x80, 2021-02-07, rev 0x00ea, size 93184 + * source: update symlinks to reflect id of the latest release, 20210608 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 08 Jun 2021 22:37:57 -0300 + +intel-microcode (3.20210216.1) unstable; urgency=medium + + * New upstream microcode datafile 20210216 + * Mitigates an issue on Skylake Server (H0/M0/U0), Xeon-D 21xx, + and Cascade Lake Server (B0/B1) when using an active JTAG + agent like In Target Probe (ITP), Direct Connect Interface + (DCI) or a Baseboard Management Controller (BMC) to take the + CPU JTAG/TAP out of reset and then returning it to reset. + * This issue is related to the INTEL-SA-00381 mitigation. + * Updated Microcodes: + sig 0x00050654, pf_mask 0xb7, 2020-12-31, rev 0x2006a0a, size 36864 + sig 0x00050656, pf_mask 0xbf, 2020-12-31, rev 0x4003006, size 53248 + sig 0x00050657, pf_mask 0xbf, 2020-12-31, rev 0x5003006, size 53248 + * source: update symlinks to reflect id of the latest release, 20210216 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 17 Feb 2021 11:26:06 -0300 + +intel-microcode (3.20201118.1) unstable; urgency=medium + + * New upstream microcode datafile 20201118 + * Removes a faulty microcode update from release 2020-11-10 for Tiger Lake + processors. Note that Debian already had removed this specific falty + microcode update on the 3.20201110.1 release + * Add a microcode update for the Pentium Silver N/J5xxx and Celeron + N/J4xxx which didn't make it to release 20201110, fixing security issues + (INTEL-SA-00381, INTEL-SA-00389) + * Updated Microcodes: + sig 0x000706a1, pf_mask 0x01, 2020-06-09, rev 0x0034, size 74752 + * Removed Microcodes: + sig 0x000806c1, pf_mask 0x80, 2020-10-02, rev 0x0068, size 107520 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 27 Dec 2020 15:59:32 -0300 + +intel-microcode (3.20201110.1) unstable; urgency=medium + + * New upstream microcode datafile 20201110 (closes: #974533) + * Implements mitigation for CVE-2020-8696 and CVE-2020-8698, + aka INTEL-SA-00381: AVX register information leakage; + Fast-Forward store predictor information leakage + * Implements mitigation for CVE-2020-8695, Intel SGX information + disclosure via RAPL, aka INTEL-SA-00389 + * Fixes critical errata on several processor models + * Reintroduces SRBDS mitigations(CVE-2020-0543, INTEL-SA-00320) + for Skylake-U/Y, Skylake Xeon E3 + * New Microcodes + sig 0x0005065b, pf_mask 0xbf, 2020-08-20, rev 0x700001e, size 27648 + sig 0x000806a1, pf_mask 0x10, 2020-06-26, rev 0x0028, size 32768 + sig 0x000806c1, pf_mask 0x80, 2020-10-02, rev 0x0068, size 107520 + sig 0x000a0652, pf_mask 0x20, 2020-07-08, rev 0x00e0, size 93184 + sig 0x000a0653, pf_mask 0x22, 2020-07-08, rev 0x00e0, size 94208 + sig 0x000a0655, pf_mask 0x22, 2020-07-08, rev 0x00e0, size 93184 + sig 0x000a0661, pf_mask 0x80, 2020-07-02, rev 0x00e0, size 93184 + * Updated Microcodes + sig 0x000306f2, pf_mask 0x6f, 2020-05-27, rev 0x0044, size 34816 + sig 0x000406e3, pf_mask 0xc0, 2020-07-14, rev 0x00e2, size 105472 + sig 0x00050653, pf_mask 0x97, 2020-06-18, rev 0x1000159, size 33792 + sig 0x00050654, pf_mask 0xb7, 2020-06-16, rev 0x2006a08, size 35840 + sig 0x00050656, pf_mask 0xbf, 2020-06-18, rev 0x4003003, size 52224 + sig 0x00050657, pf_mask 0xbf, 2020-06-18, rev 0x5003003, size 52224 + sig 0x000506c9, pf_mask 0x03, 2020-02-27, rev 0x0040, size 17408 + sig 0x000506ca, pf_mask 0x03, 2020-02-27, rev 0x001e, size 15360 + sig 0x000506e3, pf_mask 0x36, 2020-07-14, rev 0x00e2, size 105472 + sig 0x000706a8, pf_mask 0x01, 2020-06-09, rev 0x0018, size 75776 + sig 0x000706e5, pf_mask 0x80, 2020-07-30, rev 0x00a0, size 109568 + sig 0x000806e9, pf_mask 0x10, 2020-05-27, rev 0x00de, size 104448 + sig 0x000806e9, pf_mask 0xc0, 2020-05-27, rev 0x00de, size 104448 + sig 0x000806ea, pf_mask 0xc0, 2020-06-17, rev 0x00e0, size 104448 + sig 0x000806eb, pf_mask 0xd0, 2020-06-03, rev 0x00de, size 104448 + sig 0x000806ec, pf_mask 0x94, 2020-05-18, rev 0x00de, size 104448 + sig 0x000906e9, pf_mask 0x2a, 2020-05-26, rev 0x00de, size 104448 + sig 0x000906ea, pf_mask 0x22, 2020-05-25, rev 0x00de, size 103424 + sig 0x000906eb, pf_mask 0x02, 2020-05-25, rev 0x00de, size 104448 + sig 0x000906ec, pf_mask 0x22, 2020-06-03, rev 0x00de, size 103424 + sig 0x000906ed, pf_mask 0x22, 2020-05-24, rev 0x00de, size 103424 + sig 0x000a0660, pf_mask 0x80, 2020-07-08, rev 0x00e0, size 94208 + * 0x806c1: remove the new Tiger Lake update: causes hang on cold/warm boot + https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 + INTEL-SA-00381 AND INTEL-SA-00389 MITIGATIONS ARE THEREFORE NOT INSTALLED + FOR 0x806c1 TIGER LAKE PROCESSORS by this package update. Contact your + system vendor for a firmware update, or wait fo a possible fix in a future + Intel microcode release. + * source: update symlinks to reflect id of the latest release, 20201110 + * source: ship new upstream documentation (security.md, releasenote.md) + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 12 Nov 2020 15:03:36 -0300 + +intel-microcode (3.20200616.1) unstable; urgency=high + + * New upstream microcode datafile 20200616 + + Downgraded microcodes (to a previously shipped revision): + sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 + sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376 + * Works around hangs on boot on Skylake-U/Y and Skylake Xeon E3, + https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 + * This update *removes* the SRBDS mitigations from the above processors + * Note that Debian had already downgraded 0x406e3 in release 3.20200609.2 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 28 Jun 2020 18:38:57 -0300 + +intel-microcode (3.20200609.2) unstable; urgency=medium + + * REGRESSION FIX: 0x406e3: rollback to rev 0xd6 and document regression + * Microcode rollbacks (closes: LP#1883002) + sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 + * THIS REMOVES THE SECURITY FIXES FOR SKYLAKE-U/Y PROCESSORS + * Avoid hangs on boot on (some?) Skylake-U/Y processors, + https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 + * ucode-blacklist: blacklist models 0x8e and 0x9e from late-loading, + just in case. Note that Debian does not do late loading by itself. + Refer to LP#1883002 for the report, 0x806ec hangs upon late load. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 11 Jun 2020 08:55:07 -0300 + +intel-microcode (3.20200609.1) unstable; urgency=high + + * SECURITY UPDATE + * For most processors: SRBDS and/or VRDS, L1DCES mitigations depending + on the processor model + * For Skylake HEDT and Skylake Xeons with signature 0x50654: VRDS and + L1DCES mitigations, plus mitigations described in the changelog entry + for package release 3.20191112.1. + * Expect some performance impact, the mitigations are enabled by + default. A Linux kernel update will be issued that allows one to + selectively disable the mitigations. + * New upstream microcode datafile 20200609 + * Implements mitigation for CVE-2020-0543 Special Register Buffer Data + Sampling (SRBDS), INTEL-SA-00320, CROSSTalk + * Implements mitigation for CVE-2020-0548 Vector Register Data Sampling + (VRDS), INTEL-SA-00329 + * Implements mitigation for CVE-2020-0549 L1D Cache Eviction Sampling + (L1DCES), INTEL-SA-00329 + * Known to fix the regression introduced in release 2019-11-12 (sig + 0x50564, rev. 0x2000065), which would cause several systems with + Skylake Xeon, Skylake HEDT processors to hang while rebooting + * Updated Microcodes: + sig 0x000306c3, pf_mask 0x32, 2019-11-12, rev 0x0028, size 23552 + sig 0x000306d4, pf_mask 0xc0, 2019-11-12, rev 0x002f, size 19456 + sig 0x00040651, pf_mask 0x72, 2019-11-12, rev 0x0026, size 22528 + sig 0x00040661, pf_mask 0x32, 2019-11-12, rev 0x001c, size 25600 + sig 0x00040671, pf_mask 0x22, 2019-11-12, rev 0x0022, size 14336 + sig 0x000406e3, pf_mask 0xc0, 2020-04-27, rev 0x00dc, size 104448 + sig 0x00050653, pf_mask 0x97, 2020-04-24, rev 0x1000157, size 32768 + sig 0x00050654, pf_mask 0xb7, 2020-04-24, rev 0x2006906, size 34816 + sig 0x00050656, pf_mask 0xbf, 2020-04-23, rev 0x4002f01, size 52224 + sig 0x00050657, pf_mask 0xbf, 2020-04-23, rev 0x5002f01, size 52224 + sig 0x000506e3, pf_mask 0x36, 2020-04-27, rev 0x00dc, size 104448 + sig 0x000806e9, pf_mask 0x10, 2020-04-27, rev 0x00d6, size 103424 + sig 0x000806e9, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424 + sig 0x000806ea, pf_mask 0xc0, 2020-04-27, rev 0x00d6, size 103424 + sig 0x000806eb, pf_mask 0xd0, 2020-04-27, rev 0x00d6, size 103424 + sig 0x000806ec, pf_mask 0x94, 2020-04-23, rev 0x00d6, size 103424 + sig 0x000906e9, pf_mask 0x2a, 2020-04-23, rev 0x00d6, size 103424 + sig 0x000906ea, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400 + sig 0x000906eb, pf_mask 0x02, 2020-04-23, rev 0x00d6, size 103424 + sig 0x000906ec, pf_mask 0x22, 2020-04-27, rev 0x00d6, size 102400 + sig 0x000906ed, pf_mask 0x22, 2020-04-23, rev 0x00d6, size 103424 + * Restores the microcode-level fixes that were reverted by release + 3.20191115.2 for sig 0x50654 (Skylake Xeon, Skylake HEDT) + + -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 09 Jun 2020 17:16:46 -0300 + +intel-microcode (3.20200520.1) unstable; urgency=medium + + * New upstream microcode datafile 20200520 + + Updated Microcodes: + sig 0x000206d6, pf_mask 0x6d, 2020-03-04, rev 0x0621, size 18432 + sig 0x000206d7, pf_mask 0x6d, 2020-03-24, rev 0x071a, size 19456 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 21 May 2020 11:44:00 -0300 + +intel-microcode (3.20200508.1) unstable; urgency=medium + + * New upstream microcode datafile 20200508 + + Updated Microcodes: + sig 0x000706e5, pf_mask 0x80, 2020-03-12, rev 0x0078, size 107520 + * Likely fixes several critical errata on IceLake-U/Y causing system + hangs + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 09 May 2020 23:30:43 -0300 + +intel-microcode (3.20191115.2) unstable; urgency=medium + + * Microcode rollbacks (closes: #946515, LP#1854764): + sig 0x00050654, pf_mask 0xb7, 2019-07-31, rev 0x2000064, size 33792 + * Avoids hangs on warm reboots (cold boots work fine) on HEDT and + Xeon processors with signature 0x50654. + https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 10 Dec 2019 23:10:19 -0300 + +intel-microcode (3.20191115.1) unstable; urgency=high + + * New upstream microcode datafile 20191115 + + Updated Microcodes: + sig 0x000406e3, pf_mask 0xc0, 2019-10-03, rev 0x00d6, size 101376 + sig 0x000506e3, pf_mask 0x36, 2019-10-03, rev 0x00d6, size 101376 + sig 0x000806e9, pf_mask 0x10, 2019-10-15, rev 0x00ca, size 100352 + sig 0x000806e9, pf_mask 0xc0, 2019-09-26, rev 0x00ca, size 100352 + sig 0x000806ea, pf_mask 0xc0, 2019-10-03, rev 0x00ca, size 100352 + sig 0x000806eb, pf_mask 0xd0, 2019-10-03, rev 0x00ca, size 100352 + sig 0x000806ec, pf_mask 0x94, 2019-10-03, rev 0x00ca, size 100352 + sig 0x000906e9, pf_mask 0x2a, 2019-10-03, rev 0x00ca, size 100352 + sig 0x000906ea, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328 + sig 0x000906eb, pf_mask 0x02, 2019-10-03, rev 0x00ca, size 100352 + sig 0x000906ec, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 99328 + sig 0x000906ed, pf_mask 0x22, 2019-10-03, rev 0x00ca, size 100352 + sig 0x000a0660, pf_mask 0x80, 2019-10-03, rev 0x00ca, size 91136 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 16 Nov 2019 23:14:58 -0300 + +intel-microcode (3.20191113.1) unstable; urgency=high + + * New upstream microcode datafile 20191113 + + SECURITY UPDATE, refer to the 3.20191112.1 changelog entry for details + Adds microcode update for CFL-S (Coffe Lake Desktop) + INTEL-SA-00270, CVE-2019-11135, CVE-2019-0117 + + Updated Microcodes (previously removed): + sig 0x000906ec, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 15 Nov 2019 00:43:54 -0300 + +intel-microcode (3.20191112.1) unstable; urgency=medium + + * New upstream microcode datafile 20191112 + + SECURITY UPDATE + - Implements MDS mitigation (TSX TAA), INTEL-SA-00270, CVE-2019-11135 + - Implements TA Indirect Sharing mitigation, and improves the + MDS mitigation (VERW) + - Fixes FIVR (Xeon Voltage Modulation) vulnerability, INTEL-SA-00271, + CVE-2019-11139 + - Fixes SGX vulnerabilities and errata (including CVE-2019-0117) + + CRITICAL ERRATA FIXES + - Fixes Jcc conditional jump macro-fusion erratum (Skylake+, except + Ice Lake), causes a 0-3% typical perforance hit (can be as bad + as 10%). But ensures the processor will actually jump where it + should, so don't even *dream* of not applying this fix. + - Fixes AVX SHUF* instruction implementation flaw erratum + + Removed Microcodes: + sig 0x000906ec, pf_mask 0x22, 2019-02-14, rev 0x00ae, size 98304 + + New Microcodes: + sig 0x000406d8, pf_mask 0x01, 2019-09-16, rev 0x012d, size 84992 + sig 0x00050656, pf_mask 0xbf, 2019-09-05, rev 0x400002c, size 51200 + sig 0x00060663, pf_mask 0x80, 2018-04-17, rev 0x002a, size 87040 + sig 0x000706a8, pf_mask 0x01, 2019-08-29, rev 0x0016, size 74752 + sig 0x000706e5, pf_mask 0x80, 2019-09-05, rev 0x0046, size 102400 + sig 0x000a0660, pf_mask 0x80, 2019-08-27, rev 0x00c6, size 91136 + + Updated Microcodes: + sig 0x000406e3, pf_mask 0xc0, 2019-08-14, rev 0x00d4, size 101376 + sig 0x00050654, pf_mask 0xb7, 2019-09-05, rev 0x2000065, size 34816 + sig 0x00050657, pf_mask 0xbf, 2019-09-05, rev 0x500002c, size 51200 + sig 0x000506e3, pf_mask 0x36, 2019-08-14, rev 0x00d4, size 101376 + sig 0x000706a1, pf_mask 0x01, 2019-08-28, rev 0x0032, size 73728 + sig 0x000806e9, pf_mask 0x10, 2019-08-14, rev 0x00c6, size 99328 + sig 0x000806e9, pf_mask 0xc0, 2019-08-14, rev 0x00c6, size 100352 + sig 0x000806ea, pf_mask 0xc0, 2019-08-14, rev 0x00c6, size 99328 + sig 0x000806eb, pf_mask 0xd0, 2019-08-14, rev 0x00c6, size 100352 + sig 0x000806ec, pf_mask 0x94, 2019-08-14, rev 0x00c6, size 100352 + sig 0x000906e9, pf_mask 0x2a, 2019-08-14, rev 0x00c6, size 100352 + sig 0x000906ea, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 + sig 0x000906eb, pf_mask 0x02, 2019-08-14, rev 0x00c6, size 100352 + sig 0x000906ed, pf_mask 0x22, 2019-08-14, rev 0x00c6, size 99328 + + Updated Microcodes (previously removed): + sig 0x00050653, pf_mask 0x97, 2019-09-09, rev 0x1000151, size 32768 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 12 Nov 2019 23:21:54 -0300 + +intel-microcode (3.20190918.1) unstable; urgency=medium + + * New upstream microcode datafile 20190918 + + SECURITY UPDATE + *Might* contain mitigations for INTEL-SA-00247 (RAMBleed), given + the set of processors being updated. + + Updated Microcodes: + sig 0x000306d4, pf_mask 0xc0, 2019-06-13, rev 0x002e, size 19456 + sig 0x000306f4, pf_mask 0x80, 2019-06-17, rev 0x0016, size 18432 + sig 0x00040671, pf_mask 0x22, 2019-06-13, rev 0x0021, size 14336 + sig 0x000406f1, pf_mask 0xef, 2019-06-18, rev 0xb000038, size 30720 + sig 0x00050654, pf_mask 0xb7, 2019-07-31, rev 0x2000064, size 33792 + sig 0x00050657, pf_mask 0xbf, 2019-08-12, rev 0x500002b, size 51200 + sig 0x00050662, pf_mask 0x10, 2019-06-17, rev 0x001c, size 32768 + sig 0x00050663, pf_mask 0x10, 2019-06-17, rev 0x7000019, size 24576 + sig 0x00050664, pf_mask 0x10, 2019-06-17, rev 0xf000017, size 24576 + sig 0x00050665, pf_mask 0x10, 2019-06-17, rev 0xe00000f, size 19456 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 19 Sep 2019 00:38:50 -0300 + +intel-microcode (3.20190618.1) unstable; urgency=medium + + * New upstream microcode datafile 20190618 + + SECURITY UPDATE + Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223 + CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 + for Sandybridge server and Core-X processors + + Updated Microcodes: + sig 0x000206d6, pf_mask 0x6d, 2019-05-21, rev 0x061f, size 18432 + sig 0x000206d7, pf_mask 0x6d, 2019-05-21, rev 0x0718, size 19456 + * Add some missing (minor) changelog entries to 3.20190514.1 + * Reformat 3.20190514.1 changelog entry to match rest of changelog + + -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 19 Jun 2019 09:05:54 -0300 + +intel-microcode (3.20190514.1) unstable; urgency=high + + * New upstream microcode datafile 20190514 + + SECURITY UPDATE + Implements MDS mitigation (RIDL, Fallout, Zombieload), INTEL-SA-00223 + CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 + + New Microcodes: + sig 0x00030678, pf_mask 0x02, 2019-04-22, rev 0x0838, size 52224 + sig 0x00030678, pf_mask 0x0c, 2019-04-22, rev 0x0838, size 52224 + sig 0x00030679, pf_mask 0x0f, 2019-04-23, rev 0x090c, size 52224 + sig 0x000406c3, pf_mask 0x01, 2019-04-23, rev 0x0368, size 69632 + sig 0x000406c4, pf_mask 0x01, 2019-04-23, rev 0x0411, size 68608 + sig 0x00050657, pf_mask 0xbf, 2019-02-27, rev 0x5000021, size 47104 + + Updated Microcodes: + sig 0x000206a7, pf_mask 0x12, 2019-02-17, rev 0x002f, size 12288 + sig 0x000306a9, pf_mask 0x12, 2019-02-13, rev 0x0021, size 14336 + sig 0x000306c3, pf_mask 0x32, 2019-02-26, rev 0x0027, size 23552 + sig 0x000306d4, pf_mask 0xc0, 2019-03-07, rev 0x002d, size 19456 + sig 0x000306e4, pf_mask 0xed, 2019-03-14, rev 0x042e, size 16384 + sig 0x000306e7, pf_mask 0xed, 2019-03-14, rev 0x0715, size 17408 + sig 0x000306f2, pf_mask 0x6f, 2019-03-01, rev 0x0043, size 34816 + sig 0x000306f4, pf_mask 0x80, 2019-03-01, rev 0x0014, size 18432 + sig 0x00040651, pf_mask 0x72, 2019-02-26, rev 0x0025, size 21504 + sig 0x00040661, pf_mask 0x32, 2019-02-26, rev 0x001b, size 25600 + sig 0x00040671, pf_mask 0x22, 2019-03-07, rev 0x0020, size 14336 + sig 0x000406e3, pf_mask 0xc0, 2019-04-01, rev 0x00cc, size 100352 + sig 0x000406f1, pf_mask 0xef, 2019-03-02, rev 0xb000036, size 30720 + sig 0x00050654, pf_mask 0xb7, 2019-04-02, rev 0x200005e, size 32768 + sig 0x00050662, pf_mask 0x10, 2019-03-23, rev 0x001a, size 32768 + sig 0x00050663, pf_mask 0x10, 2019-03-23, rev 0x7000017, size 24576 + sig 0x00050664, pf_mask 0x10, 2019-03-23, rev 0xf000015, size 23552 + sig 0x00050665, pf_mask 0x10, 2019-03-23, rev 0xe00000d, size 19456 + sig 0x000506c9, pf_mask 0x03, 2019-01-15, rev 0x0038, size 17408 + sig 0x000506ca, pf_mask 0x03, 2019-03-01, rev 0x0016, size 15360 + sig 0x000506e3, pf_mask 0x36, 2019-04-01, rev 0x00cc, size 100352 + sig 0x000506f1, pf_mask 0x01, 2019-03-21, rev 0x002e, size 11264 + sig 0x000706a1, pf_mask 0x01, 2019-01-02, rev 0x002e, size 73728 + sig 0x000806e9, pf_mask 0x10, 2019-04-01, rev 0x00b4, size 98304 + sig 0x000806e9, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328 + sig 0x000806ea, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328 + sig 0x000806eb, pf_mask 0xd0, 2019-03-30, rev 0x00b8, size 98304 + sig 0x000806ec, pf_mask 0x94, 2019-03-30, rev 0x00b8, size 97280 + sig 0x000906e9, pf_mask 0x2a, 2019-04-01, rev 0x00b4, size 99328 + sig 0x000906ea, pf_mask 0x22, 2019-04-01, rev 0x00b4, size 98304 + sig 0x000906eb, pf_mask 0x02, 2019-04-01, rev 0x00b4, size 99328 + sig 0x000906ec, pf_mask 0x22, 2019-02-14, rev 0x00ae, size 98304 + sig 0x000906ed, pf_mask 0x22, 2019-03-17, rev 0x00b8, size 97280 + * README.Debian, control: update download/homepage URLs + * copyright: update download URL and date range + * source: update symlinks to reflect id of the latest release, 20190514 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 14 May 2019 21:49:08 -0300 + +intel-microcode (3.20190312.1) unstable; urgency=medium + + * New upstream microcode datafile 20190312 + + Removed Microcodes: + sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720 + + New Microcodes: + sig 0x000806e9, pf_mask 0x10, 2018-10-18, rev 0x009e, size 98304 + sig 0x000806eb, pf_mask 0xd0, 2018-10-25, rev 0x00a4, size 99328 + sig 0x000806ec, pf_mask 0x94, 2019-02-12, rev 0x00b2, size 98304 + sig 0x000906ec, pf_mask 0x22, 2018-09-29, rev 0x00a2, size 98304 + sig 0x000906ed, pf_mask 0x22, 2019-02-04, rev 0x00b0, size 97280 + + Updated Microcodes: + sig 0x000306f2, pf_mask 0x6f, 2018-11-20, rev 0x0041, size 34816 + sig 0x000306f4, pf_mask 0x80, 2018-11-06, rev 0x0013, size 17408 + sig 0x00050654, pf_mask 0xb7, 2019-01-28, rev 0x200005a, size 33792 + sig 0x00050662, pf_mask 0x10, 2018-12-06, rev 0x0019, size 32768 + sig 0x00050663, pf_mask 0x10, 2018-12-06, rev 0x7000016, size 23552 + sig 0x00050664, pf_mask 0x10, 2018-11-17, rev 0xf000014, size 23552 + sig 0x00050665, pf_mask 0x10, 2018-11-17, rev 0xe00000c, size 19456 + sig 0x000506c9, pf_mask 0x03, 2018-09-14, rev 0x0036, size 17408 + sig 0x000506ca, pf_mask 0x03, 2018-09-20, rev 0x0010, size 15360 + sig 0x000706a1, pf_mask 0x01, 2018-09-21, rev 0x002c, size 73728 + sig 0x000806e9, pf_mask 0xc0, 2018-07-16, rev 0x009a, size 98304 + sig 0x000806ea, pf_mask 0xc0, 2018-10-18, rev 0x009e, size 98304 + sig 0x000906e9, pf_mask 0x2a, 2018-07-16, rev 0x009a, size 98304 + sig 0x000906ea, pf_mask 0x22, 2018-12-12, rev 0x00aa, size 98304 + sig 0x000906eb, pf_mask 0x02, 2018-12-12, rev 0x00aa, size 99328 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 16 Mar 2019 21:07:54 -0300 + +intel-microcode (3.20180807a.2) unstable; urgency=medium + + * Makefile: unblacklist 0x206c2 (Westmere EP) + According to pragyansri.pathi@intel.com, on message to LP#1795594 + on 2018-10-09, we can ship 0x206c2 updates without restrictions. + Also, there are no reports in the field about this update causing + issues (closes: #907402) (LP: #1795594) + + -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 23 Oct 2018 19:52:40 -0300 + +intel-microcode (3.20180807a.1) unstable; urgency=high + + [ Henrique de Moraes Holschuh ] + * New upstream microcode datafile 20180807a + (closes: #906158, #906160, #903135, #903141) + + New Microcodes: + sig 0x000206c2, pf_mask 0x03, 2018-05-08, rev 0x001f, size 11264 + sig 0x000206e6, pf_mask 0x04, 2018-05-15, rev 0x000d, size 9216 + sig 0x000506c2, pf_mask 0x01, 2018-05-11, rev 0x0014, size 15360 + sig 0x000506ca, pf_mask 0x03, 2018-05-11, rev 0x000c, size 14336 + sig 0x000506f1, pf_mask 0x01, 2018-05-11, rev 0x0024, size 10240 + + Updated Microcodes: + sig 0x000106a5, pf_mask 0x03, 2018-05-11, rev 0x001d, size 12288 + sig 0x000106e5, pf_mask 0x13, 2018-05-08, rev 0x000a, size 9216 + sig 0x00020652, pf_mask 0x12, 2018-05-08, rev 0x0011, size 9216 + sig 0x00020655, pf_mask 0x92, 2018-04-23, rev 0x0007, size 4096 + sig 0x000206a7, pf_mask 0x12, 2018-04-10, rev 0x002e, size 12288 + sig 0x000206f2, pf_mask 0x05, 2018-05-16, rev 0x003b, size 14336 + sig 0x000306a9, pf_mask 0x12, 2018-04-10, rev 0x0020, size 13312 + sig 0x000306c3, pf_mask 0x32, 2018-04-02, rev 0x0025, size 23552 + sig 0x000306d4, pf_mask 0xc0, 2018-03-22, rev 0x002b, size 18432 + sig 0x00040651, pf_mask 0x72, 2018-04-02, rev 0x0024, size 22528 + sig 0x00040661, pf_mask 0x32, 2018-04-02, rev 0x001a, size 25600 + sig 0x00040671, pf_mask 0x22, 2018-04-03, rev 0x001e, size 13312 + sig 0x000406e3, pf_mask 0xc0, 2018-04-17, rev 0x00c6, size 99328 + sig 0x00050662, pf_mask 0x10, 2018-05-25, rev 0x0017, size 31744 + sig 0x00050663, pf_mask 0x10, 2018-04-20, rev 0x7000013, size 22528 + sig 0x00050664, pf_mask 0x10, 2018-04-20, rev 0xf000012, size 22528 + sig 0x000506c9, pf_mask 0x03, 2018-05-11, rev 0x0032, size 16384 + sig 0x000506e3, pf_mask 0x36, 2018-04-17, rev 0x00c6, size 99328 + sig 0x000706a1, pf_mask 0x01, 2018-05-22, rev 0x0028, size 73728 + sig 0x000806e9, pf_mask 0xc0, 2018-03-24, rev 0x008e, size 98304 + sig 0x000806ea, pf_mask 0xc0, 2018-05-15, rev 0x0096, size 98304 + sig 0x000906e9, pf_mask 0x2a, 2018-03-24, rev 0x008e, size 98304 + sig 0x000906ea, pf_mask 0x22, 2018-05-02, rev 0x0096, size 97280 + sig 0x000906eb, pf_mask 0x02, 2018-03-24, rev 0x008e, size 98304 + + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation) + Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 + + Implements SSBD support (Spectre v4 mitigation), + Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix) + Intel SA-00115, CVE-2018-3639, CVE-2018-3640 + + Implements IBRS/IBPB/STIPB support, Spectre v2 mitigation for older + processors with signatures 0x106a5, 0x106e5, 0x20652, 0x20655. + Intel SA-0088, CVE-2017-5753, CVE-2017-5754 + * source: update symlinks to reflect id of the latest release, 20180807a + * debian/intel-microcode.docs: ship license and releasenote upstream files. + * debian/changelog: update entry for 3.20180703.1 with L1TF information + + [ Julian Andres Klode ] + * initramfs: include all microcode for MODULES=most. + Default to early instead of auto, and install all of the microcode, + not just the one matching the current CPU, if MODULES=most is set + in the initramfs-tools config (LP: #1778738) + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 24 Aug 2018 08:53:53 -0300 + +intel-microcode (3.20180703.2) unstable; urgency=medium + + * source: fix badly named symlink that resulted in most microcode + updates not being shipped in the binary package. Oops! + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 05 Jul 2018 14:26:36 -0300 + +intel-microcode (3.20180703.1) unstable; urgency=medium + + * New upstream microcode data file 20180703 (closes: #903018) + + Updated Microcodes: + sig 0x000206d6, pf_mask 0x6d, 2018-05-08, rev 0x061d, size 18432 + sig 0x000206d7, pf_mask 0x6d, 2018-05-08, rev 0x0714, size 19456 + sig 0x000306e4, pf_mask 0xed, 2018-04-25, rev 0x042d, size 15360 + sig 0x000306e7, pf_mask 0xed, 2018-04-25, rev 0x0714, size 17408 + sig 0x000306f2, pf_mask 0x6f, 2018-04-20, rev 0x003d, size 33792 + sig 0x000306f4, pf_mask 0x80, 2018-04-20, rev 0x0012, size 17408 + sig 0x000406f1, pf_mask 0xef, 2018-04-19, rev 0xb00002e, size 28672 + sig 0x00050654, pf_mask 0xb7, 2018-05-15, rev 0x200004d, size 31744 + sig 0x00050665, pf_mask 0x10, 2018-04-20, rev 0xe00000a, size 18432 + + First batch of fixes for: Intel SA-00115, CVE-2018-3639, CVE-2018-3640, + Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 + + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation), + SSBD support (Spectre-v4 mitigation) and fix Spectre-v3a for: + Sandybridge server, Ivy Bridge server, Haswell server, Skylake server, + Broadwell server, a few HEDT Core i7/i9 models that are actually gimped + server dies. + * source: update symlinks to reflect id of the latest release, 20180703 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 05 Jul 2018 10:03:53 -0300 + +intel-microcode (3.20180425.1) unstable; urgency=medium + + * New upstream microcode data file 20180425 (closes: #897443, #895878) + + Updated Microcodes: + sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb00002c, size 27648 + sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728 + + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation + + Note that sig 0x000604f1 has been blacklisted from late-loading + since Debian release 3.20171117.1. + * source: remove undesired list files from microcode directories + * source: switch to microcode-<id>.d/ since Intel dropped .dat + support. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 02 May 2018 16:48:44 -0300 + +intel-microcode (3.20180312.1) unstable; urgency=medium + + * New upstream microcode data file 20180312 (closes: #886367) + + New Microcodes: + sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720 + sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009, size 18432 + + Updated Microcodes: + sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288 + sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432 + sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456 + sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312 + sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552 + sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432 + sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360 + sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384 + sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792 + sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408 + sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504 + sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600 + sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288 + sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328 + sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672 + sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744 + sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012, size 22528 + sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011, size 22528 + sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328 + sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304 + sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280 + sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304 + sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256 + sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304 + + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation for: + Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake, + Coffee Lake + + Missing production updates: + + Broadwell-E/EX Xeons (sig 0x406f1) + + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell, + Gemini Lake, Denverton + * Update past changelog entries with new information: + Intel already had all necessary semanthics in LFENCE, so the + Spectre-related Intel microcode changes did not need to enhance LFENCE. + * debian/control: update Vcs-* fields for the move to salsa.debian.org + + -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 14 Mar 2018 09:21:24 -0300 + +intel-microcode (3.20180108.1+really20171117.1) unstable; urgency=critical + + * Revert to release 20171117, as per Intel instructions issued to + the public in 2018-01-22 (closes: #886998) + * This effectively removes IBRS/IBPB/STIPB microcode support for + Spectre variant 2 mitigation. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 22 Jan 2018 23:01:59 -0200 + +intel-microcode (3.20180108.1) unstable; urgency=high + + * New upstream microcode data file 20180108 (closes: #886367) + + Updated Microcodes: + sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552 + sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432 + sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360 + sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792 + sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408 + sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528 + sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600 + sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312 + sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328 + sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648 + sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744 + sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528 + sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328 + sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728 + sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304 + sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304 + sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304 + sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280 + sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304 + + Implements IBRS/IBPB support: mitigation against Spectre (CVE-2017-5715) + + Very likely fixes several other errata on some of the processors + * supplementary-ucode-CVE-2017-5715.d/: remove. + + Downgraded microcodes: + sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624 + sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384 + + Recall related to bug #886998 + * source: remove superseded upstream data file: 20171117 + * README.Debian, copyright: update download URLs (closes: #886368) + + -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 10 Jan 2018 00:23:44 -0200 + +intel-microcode (3.20171215.1) unstable; urgency=high + + * Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367) + New upstream microcodes to partially address CVE-2017-5715 + + Updated Microcodes: + sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552 + sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432 + sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792 + sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528 + sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328 + sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648 + sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648 + sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384 + sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304 + sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304 + * Implements IBRS and IBPB support via new MSR (Spectre variant 2 + mitigation, indirect branches). Support is exposed through cpuid(7).EDX. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 04 Jan 2018 23:04:38 -0200 + +intel-microcode (3.20171117.1) unstable; urgency=medium + + * New upstream microcode data file 20171117 + + New Microcodes: + sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384 + sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704 + sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232 + sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280 + + Updated Microcodes: + sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624 + sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256 + * source: remove superseded upstream data file: 20170707. + * source: remove unneeded intel-ucode/ directory for 20171117. + * debian/control: bump standards version to 4.1.1 (no changes) + * Makefile: rename microcode-extras.pbin to microcode-includes.pbin. + * README.source: fix IUC_EXCLUDE example and minor issues. + * Makefile, README.souce: support loading ucode from directories. + * debian/rules: switch to dh mode (debhelper v9) + * ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late + loading. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 18 Nov 2017 18:55:09 -0200 + +intel-microcode (3.20170707.1) unstable; urgency=high + + * New upstream microcode datafile 20170707 + + New Microcodes: + sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600 + sig 0x000806e9, pf_mask 0xc0, 2017-04-27, rev 0x0062, size 97280 + sig 0x000806ea, pf_mask 0xc0, 2017-05-23, rev 0x0066, size 95232 + sig 0x000906e9, pf_mask 0x2a, 2017-04-06, rev 0x005e, size 97280 + + This release fixes the nightmare-level errata SKZ7/SKW144/SKL150/ + SKX150 (Skylake) KBL095/KBW095 (Kaby Lake) for all affected Kaby + Lake and Skylake processors: Skylake D0/R0 were fixed since the + previous upstream release (20170511). This new release adds the + fixes for Kaby Lake Y0/B0/H0 and Skylake H0 (Skylake-E/X). + + Fix undisclosed errata in Skylake H0 (0x50654), Kaby Lake Y0 + (0x806ea), Kaby Lake H0 (0x806e9), Kaby Lake B0 (0x906e9) + * source: remove unneeded intel-ucode/ directory + * source: remove superseded upstream data file: 20170511 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 08 Jul 2017 19:04:27 -0300 + +intel-microcode (3.20170511.1) unstable; urgency=medium + + * New upstream microcode datafile 20170511 + + Updated Microcodes: + sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528 + sig 0x000306d4, pf_mask 0xc0, 2017-01-27, rev 0x0025, size 17408 + sig 0x000306f2, pf_mask 0x6f, 2017-01-30, rev 0x003a, size 32768 + sig 0x000306f4, pf_mask 0x80, 2017-01-30, rev 0x000f, size 16384 + sig 0x00040651, pf_mask 0x72, 2017-01-27, rev 0x0020, size 20480 + sig 0x00040661, pf_mask 0x32, 2017-01-27, rev 0x0017, size 24576 + sig 0x00040671, pf_mask 0x22, 2017-01-27, rev 0x0017, size 11264 + sig 0x000406e3, pf_mask 0xc0, 2017-04-09, rev 0x00ba, size 98304 + sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624 + sig 0x000506e3, pf_mask 0x36, 2017-04-09, rev 0x00ba, size 98304 + + This release fixes undisclosed errata on the desktop, mobile and + server processor models from the Haswell, Broadwell, and Skylake + families, including even the high-end multi-socket server Xeons + + Likely fix the TSC-Deadline LAPIC errata (BDF89, SKL142 and + similar) on several processor families + + Fix erratum BDF90 on Xeon E7v4, E5v4(?) (closes: #862606) + + Likely fix serious or critical Skylake errata: SKL138/144, + SKL137/145, SLK149 + * Likely fix nightmare-level Skylake erratum SKL150. Fortunately, + either this erratum is very-low-hitting, or gcc/clang/icc/msvc + won't usually issue the affected opcode pattern and it ends up + being rare. + SKL150 - Short loops using both the AH/BH/CH/DH registers and + the corresponding wide register *may* result in unpredictable + system behavior. Requires both logical processors of the same + core (i.e. sibling hyperthreads) to be active to trigger, as + well as a "complex set of micro-architectural conditions" + * source: remove unneeded intel-ucode/ directory + Since release 20170511, upstream ships the microcodes both in .dat + format, and as Linux-style split /lib/firmware/intel-ucode files. + It is simpler to just use the .dat format file for now, so remove + the intel-ucode/ directory. Note: before removal, it was verified + that there were no discrepancies between the two microcode sets + (.dat and intel-ucode/) + * source: remove superseded upstream data file: 20161104 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 15 May 2017 15:12:25 -0300 + +intel-microcode (3.20161104.1) unstable; urgency=medium + + * New upstream microcode datafile 20161104 + + New Microcodes: + sig 0x00050663, pf_mask 0x10, 2016-10-12, rev 0x700000d, size 20480 + sig 0x00050664, pf_mask 0x10, 2016-06-02, rev 0xf00000a, size 21504 + + Updated Microcodes: + sig 0x000306f2, pf_mask 0x6f, 2016-10-07, rev 0x0039, size 32768 + sig 0x000406f1, pf_mask 0xef, 2016-10-07, rev 0xb00001f, size 25600 + + Removed Microcodes: + sig 0x000106e4, pf_mask 0x09, 2013-07-01, rev 0x0003, size 6144 + + This update fixes critical errata on Broadwell-DE V2/Y0 (Xeon + D-1500 family), including one that can crash VMWare ESXi 6 with + #PF (VMWare KB2146388), and could affect Linux as well. This same + issue was fixed for the E5v4 Xeons in release 20160607 + + This update fixes undisclosed (and likely critical) errata on + Broadwell-E Core i7-68xxK/69xxK/6950X, Broadwell-EP/EX B0/R0/M0 + Xeon E5v4 and Xeon E7v4, and Haswell-EP Xeon E5v3 + + This release deletes the microcode update for the Jasper Forest + embedded Xeons (Xeon EC35xx/LC35xx/EC35xx/LC55xx), for undisclosed + reasons. The deleted microcode is outdated when compared with the + updates for the other Nehalem Xeons + * Makefile: always exclude microcode sig 0x206c2 just in case + Intel is quite clear in the Intel SA-00030 advisory text that recent + revisions (0x14 and later?) of the 0x206c2 microcode updates must be + installed along with updated SINIT ACM on vPro systems (i.e. through + an UEFI/BIOS firmware update). This is a defensive change so that we + don't ship such a microcode update in the future by mistake + * source: remove partially superseded upstream data file: 20160714 + * source: remove superseded upstream data file: 20101123 + * changelog: replace "pf mask" with "pf_mask" + * control, compat: switch debhelper compatibility level to 9 + * control: bump standards-version, no changes required + + -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 09 Nov 2016 20:35:57 -0200 + +intel-microcode (3.20160714.1) unstable; urgency=medium + + * New upstream microcode datafile 20160714 + + Updated Microcodes: + sig 0x000306f4, pf mask 0x80, 2016-06-07, rev 0x000d, size 15360 + sig 0x000406e3, pf mask 0xc0, 2016-06-22, rev 0x009e, size 97280 + sig 0x000406f1, pf mask 0xef, 2016-06-06, rev 0xb00001d, size 25600 + sig 0x000506e3, pf mask 0x36, 2016-06-22, rev 0x009e, size 97280 + + This release hopefully fixes a hang when updating the microcode on + some Skylake-U D-1/Skylake-Y D-1 (sig 0x406e3, pf 0x80) systems + * source: remove superseded upstream data file: 20160607 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 21 Jul 2016 19:04:09 -0300 + +intel-microcode (3.20160607.2) unstable; urgency=low + + * REMOVE microcode: + sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256 + (closes: #828819) + * The Core i7-6500U and m3-6Y30 processors (Skylake-UY D-1, + sig=0x406e3, pf=0x80) may hang while attempting an early microcode + update to revision 0x8a, apparently due to some sort of firmware + dependency. On affected systems, the only way to avoid the issue is + to get a firmware update that includes microcode revision 0x8a or + later. At this time, there are reports of both sucessful and failed + updates on the m3-6Y30, and only of failed updates on the i7-6500U. + There are no reports about Skylake-U K-1 (pf=0x40). + + WARNING: it is unsafe to use a system based on an Intel Skylake-U/Y + processor with microcode earlier than revision 0x8a, due to several + critical errata that cause unpredictable behavior, data corruption, + and other problems. Users *must* update their firmware to get + microcode 0x8a or newer, and keep it up-to-date. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 08 Jul 2016 22:54:26 -0300 + +intel-microcode (3.20160607.1) unstable; urgency=medium + + * New upstream microcode data file 20160607 + + New Microcodes: + sig 0x000406e3, pf mask 0xc0, 2016-04-06, rev 0x008a, size 96256 + sig 0x000406f1, pf mask 0xef, 2016-05-20, rev 0xb00001c, size 25600 + sig 0x00050662, pf mask 0x10, 2015-12-12, rev 0x000f, size 28672 + sig 0x000506e3, pf mask 0x36, 2016-04-06, rev 0x008a, size 96256 + + Updated Microcodes: + sig 0x000306c3, pf mask 0x32, 2016-03-16, rev 0x0020, size 22528 + sig 0x000306d4, pf mask 0xc0, 2016-04-29, rev 0x0024, size 17408 + sig 0x000306f2, pf mask 0x6f, 2016-03-28, rev 0x0038, size 32768 + sig 0x000306f4, pf mask 0x80, 2016-02-11, rev 0x000a, size 15360 + sig 0x00040651, pf mask 0x72, 2016-04-01, rev 0x001f, size 20480 + sig 0x00040661, pf mask 0x32, 2016-04-01, rev 0x0016, size 24576 + sig 0x00040671, pf mask 0x22, 2016-04-29, rev 0x0016, size 11264 + * source: remove superseded upstream data file: 20151106. + * control: change upstream URL to a search for "linux microcode" + Unfortunately, many of the per-processor-model feeds have not been + updated for microcode release 20160607. Switch to the general search + page as the upstream URL. + * README.Debian: fix duplicated word 'to' + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 23 Jun 2016 12:17:03 -0300 + +intel-microcode (3.20151106.2) unstable; urgency=medium + + * Makefile: make the build less verbose. + * debian/changelog: fix error in past entry. + Correct the version of the microcode that caused bug #776431, + in the entry for version 3.20150121.1. + * initramfs: don't force_load microcode.ko when missing. + Detect a missing microcode.ko and don't attempt to force_load() it, + otherwise we get spurious warnings at boot. In verbose mode, log the + fact that the microcode driver is modular. For Linux 4.4 and later, + skip the entire module loading logic, since the microcode driver cannot + be modular for those kernels (closes: #814301). + * initramfs: update copyright notice + * initramfs: use iucode_tool -l for verbose mode + * README.Debian: enhance and add recovery instructions. + Rewrite large parts of the README.Debian document, and add recovery + instructions (use of the "dis_ucode_ldr" kernel parameter). + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 17 Apr 2016 12:38:12 -0300 + +intel-microcode (3.20151106.1) unstable; urgency=medium + + * New upstream microcode data file 20151106 + + New Microcodes: + sig 0x000306f4, pf mask 0x80, 2015-07-17, rev 0x0009, size 14336 + sig 0x00040671, pf mask 0x22, 2015-08-03, rev 0x0013, size 11264 + + Updated Microcodes: + sig 0x000306a9, pf mask 0x12, 2015-02-26, rev 0x001c, size 12288 + sig 0x000306c3, pf mask 0x32, 2015-08-13, rev 0x001e, size 21504 + sig 0x000306d4, pf mask 0xc0, 2015-09-11, rev 0x0022, size 16384 + sig 0x000306f2, pf mask 0x6f, 2015-08-10, rev 0x0036, size 30720 + sig 0x00040651, pf mask 0x72, 2015-08-13, rev 0x001d, size 20480 + * This massive Haswell + Broadwell (and related Xeons) update fixes + several critical errata, including the high-hitting BDD86/BDM101/ + HSM153(?) which triggers an MCE and locks the processor core + (LP: #1509764) + * Might fix critical errata BDD51, BDM53 (TSX-related) + * source: remove superseded upstream data file: 20150121 + * Add support for supplementary microcode bundles: + + README.source: update and mention supplementary microcode + + Makefile: support supplementary microcode + Add support for supplementary microcode bundles, which (unlike .fw + microcode override files) can be superseded by a higher revision + microcode from the latest regular microcode bundle. Also, fix the + "oldies" target to have its own exclude filter (IUC_OLDIES_EXCLUDE) + * Add support for x32 arch: + + README.source: mention x32 + + control,rules: enable building on x32 arch (Closes: #777356) + * ucode-blacklist: add Broadwell and Haswell-E signatures + Add a missing signature for Haswell Refresh (Haswell-E) to the "must + be updated only by the early microcode update driver" list. There is + at least one report of one of the Broadwell microcode updates disabling + TSX-NI, so add them as well just in case + + -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 09 Nov 2015 23:07:32 -0200 + +intel-microcode (3.20150121.1) unstable; urgency=critical + + * New upstream microcode data file 20150121 + * Downgraded microcodes (to a previously shipped revision): + sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672 + * The microcode downgrade fixes a very nasty regression on Xeon E5v3 + processors (closes: #776431) + * critical urgency: the broken sig 0x306f2, rev 0x2d microcode shipped + in release 20150107 caused CPU core hangs and Linux boot failures. + The upstream fix was to downgrade it to the same microcode revision + that was shipped in release 20140913 + * source: remove superseded upstream data file: 20150107. + * initramfs.hook: do not mix arrays and lists. + Avoid echo "foo $@", use echo "foo $*" instead. This is unlikely + to be expÄŗoitable, but it makes ShellCheck happier. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 28 Jan 2015 20:03:20 -0200 + +intel-microcode (3.20150107.1) unstable; urgency=high + + * New upstream microcode data file 20150107 + + New Microcodes: + sig 0x000306d4, pf mask 0xc0, 2014-12-05, rev 0x0018, size 14336 + + Updated Microcodes: + sig 0x000306f2, pf mask 0x6f, 2014-11-21, rev 0x002d, size 28672 + + High urgency: there are fast-tracked microcode updates in this + release which imply that critical errata are being fixed + * source: remove superseded upstream data file: 20140913 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 18 Jan 2015 00:30:11 -0200 + +intel-microcode (3.20140913.1) unstable; urgency=low + + * New upstream microcode data file 20140913 + + New Microcodes: + sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672 + + Updated Microcodes: + sig 0x000306c3, pf mask 0x32, 2014-07-03, rev 0x001c, size 21504 + sig 0x00040651, pf mask 0x72, 2014-07-03, rev 0x001c, size 20480 + sig 0x00040661, pf mask 0x32, 2014-07-03, rev 0x0012, size 23552 + + WARNING: UNSAFE TO BE APPLIED AT RUNTIME (lp#1370352) + * Microcode updates are now applied only through the early initramfs + + Bump major version number + + Requires Linux kernel v3.10 or later, other kernels unsupported + + postinst: don't apply microcode update + + kernel preinst: stop loading microcode module + + modprobe.d: blacklist microcode module from autoloading outside + of the initramfs. Still load it inside the initramfs for logging + + initramfs: always use early initramfs mode, reject kernels before + v3.10 + + README.Debian, NEWS.Debian: update + * add a microcode best-effort blacklist. This is a reactive blacklist + which renames problematic microcode data files in such a way they + will only be used for the [early] initramfs. Use it to blacklist + all Haswell microcode updates + * Allow a non-Intel box to generate an early initramfs with microcode + for an Intel box if the /etc/default/intel-microcode defaults are + changed: + + postinst: always attempt to update the initramfs + + initramfs: on auto mode, do nothing in a non-intel box. In + forced "early" mode, attempt to run iucode-tool. This will do + nothing (add no microcode) unless the default configuration is + changed in /etc/default/intel-microcode + + default: update comments + * source: remove superseded upstream data file: 20140624 + * README.source: remove information about lenny, oldstable + * debian/control: bump standards vesion to 3.9.6 + * lintian-overrides: remove + * debian/copyright: update upstream copyright dates + * postrm: avoid use of test -a + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 19 Oct 2014 15:23:13 -0200 + +intel-microcode (2.20140624.1) unstable; urgency=high + + * New upstream microcode data file 20140624 + + Updated Microcodes: + sig 0x000306a9, pf mask 0x12, 2014-05-29, rev 0x001b, size 12288 + sig 0x000306c3, pf mask 0x32, 2014-05-23, rev 0x001a, size 20480 + sig 0x000306e4, pf mask 0xed, 2014-05-29, rev 0x0428, size 13312 + sig 0x000306e7, pf mask 0xed, 2014-05-29, rev 0x070d, size 15360 + sig 0x00040651, pf mask 0x72, 2014-05-23, rev 0x0018, size 19456 + sig 0x00040661, pf mask 0x32, 2014-05-23, rev 0x0010, size 23552 + + High urgency: there are fast-tracked microcode updates in this + release which imply that critical errata are being fixed + * Intel strongly suggests that this CPU microcode update be applied + to all Ivy Bridge, Haswell, and Broadwell processors (thanks to + Canonical for the warning, refer to LP#1335156) + * This update is reported to better fix the errata addressed by the + 20140430 update (refer to LP#1335156) + * source: remove superseded upstream data file: 20140430 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 27 Jun 2014 16:35:12 -0300 + +intel-microcode (2.20140430.1) unstable; urgency=low + + * New upstream microcode data file 20140430 + + New microcodes: + sig 0x000306e7, pf mask 0xed, 2014-04-14, rev 0x070c, size 15360 + + Updated microcodes: + sig 0x000306e4, pf mask 0xed, 2014-04-10, rev 0x0427, size 12288 + * source: remove superseded upstream data file: 20140122 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 03 May 2014 14:21:27 -0300 + +intel-microcode (2.20140122.1) unstable; urgency=low + + * New upstream microcode data file 20140122 + + New Microcodes: + sig 0x00040661, pf mask 0x32, 2013-08-21, rev 0x000f, size 23552 + + Updated Microcodes: + sig 0x000106e5, pf mask 0x13, 2013-08-20, rev 0x0007, size 7168 + sig 0x000306c3, pf mask 0x32, 2013-08-16, rev 0x0017, size 20480 + sig 0x000306e4, pf mask 0xed, 2013-07-09, rev 0x0416, size 11264 + sig 0x00040651, pf mask 0x72, 2013-09-14, rev 0x0017, size 19456 + * source: remove superseded upstream data file: 20130906 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 01 Feb 2014 15:39:03 -0200 + +intel-microcode (2.20130906.1) unstable; urgency=high + + * New upstream microcode data file 20130906 + + Updated Microcodes: + sig 0x000306c3, pf mask 0x32, 2013-08-07, rev 0x0016, size 20480 + sig 0x00040651, pf mask 0x72, 2013-08-08, rev 0x0016, size 19456 + + Updated Microcodes (recently removed): + sig 0x000106e4, pf mask 0x09, 2013-07-01, rev 0x0003, size 6144 + * This microcode release *likely* fixes the security issues addressed by + the 20130808 update for signature 0x106e4 (Xeon EC3500/EC5500/LC3500/ + LC5500, Jasper Forest core), which was missing from the 20130808 update + * upstream changelog: trim down, sunrise now at 20080220, the first + microcode pack with a license that allows redistribution + * debian/control: recommend initramfs-tools (>= 0.113~) for backports + * cpu-signatures.txt: Xeon nocona cores are 64-bit, ship for amd64 arch + * source: remove superseded upstream data file: 20130808 + * postinst: fix kernel version check for blacklist + Distro kernels have version strings that make it hard to get the real + kernel version, so we have to blacklist by branches only. We were + refusing to update the kernel on postinst for users of Debian stable's + kernel because of this issue + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 21 Sep 2013 20:35:47 -0300 + +intel-microcode (2.20130808.1) unstable; urgency=high + + * Reupload, high severity, no changes + * Bump major version number. I will need this so that I can track two + separate branches for Wheezy: branch 1.x will target stable-updates (no + early firmware support), while branch 2.x will target stable-backports, + testing and unstable. This major version bump should have been done for + the 1.20130222.3 upload in hindsight. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 17 Aug 2013 10:56:45 -0300 + +intel-microcode (1.20130808.2) unstable; urgency=high + + * Reupload with high severity. This microcode update has been documented + by Intel to fix a severe security issue (refer to LP bug 1212497); + This update is known to fix several nasty errata on 3rd-gen and + 4th-gen Core i3/i5/i7, and Xeon 5500 and later, including but not + limited to: + + AAK167/BT248: Virtual APIC accesses with 32-bit PAE paging + may cause system crash + + AAK170/BT246: The upper 32 bits of CR3 may be incorrectly used + with 32-bit paging + * Erratum AAK167/BT248 is nasty: "If a logical processor has EPT (Extended + Page Tables) enabled, is using 32-bit PAE paging, and accesses the + virtual-APIC page then a complex sequence of internal processor + micro-architectural events may cause an incorrect address translation or + machine check on either logical processor. This erratum may result in + unexpected faults, an uncorrectable TLB error logged in + IA32_MCi_STATUS.MCACOD (bits [15:0]), a guest or hypervisor crash, or + other unpredictable system behavior" + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 16 Aug 2013 21:10:12 -0300 + +intel-microcode (1.20130808.1) unstable; urgency=low + + * New upstream microcode data file 20130808 + + New Microcodes: + sig 0x000306c3, pf mask 0x32, 2013-07-02, rev 0x0012, size 19456 + sig 0x000306e4, pf mask 0xed, 2013-06-13, rev 0x0415, size 11264 + sig 0x000306e6, pf mask 0xed, 2013-06-19, rev 0x0600, size 11264 + sig 0x00040651, pf mask 0x72, 2013-07-02, rev 0x0015, size 18432 + + Updated Microcodes (removed in the past): + sig 0x000106a5, pf mask 0x03, 2013-06-21, rev 0x0019, size 10240 + + Updated Microcodes: + sig 0x000106a4, pf mask 0x03, 2013-06-21, rev 0x0012, size 14336 + sig 0x000106e5, pf mask 0x13, 2013-07-01, rev 0x0006, size 7168 + sig 0x00020652, pf mask 0x12, 2013-06-26, rev 0x000e, size 8192 + sig 0x00020655, pf mask 0x92, 2013-06-28, rev 0x0004, size 3072 + sig 0x000206a7, pf mask 0x12, 2013-06-12, rev 0x0029, size 10240 + sig 0x000206d7, pf mask 0x6d, 2013-06-17, rev 0x0710, size 17408 + sig 0x000206f2, pf mask 0x05, 2013-06-18, rev 0x0037, size 13312 + sig 0x000306a9, pf mask 0x12, 2013-06-13, rev 0x0019, size 12288 + + Removed Microcodes: + sig 0x000106e4, pf mask 0x09, 2010-03-08, rev 0x0002, size 5120 + * Remove from the source package an unused upstream microcode bundle, + which has been completely superseded by later bundles: + microcode-20130222.dat + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 15 Aug 2013 20:18:32 -0300 + +intel-microcode (1.20130222.6) unstable; urgency=low + + * initramfs, postinst: don't do anything on non-Intel systems + * initramfs, postinst: blacklist several kernel versions (closes: #716917) + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 20 Jul 2013 10:46:59 -0300 + +intel-microcode (1.20130222.5) unstable; urgency=low + + * debian/control: depend on iucode-tool, and shorten description + * initramfs hook: several auto mode fixes + + -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 03 Jul 2013 19:55:13 -0300 + +intel-microcode (1.20130222.4) unstable; urgency=low + + * initramfs: fix xargs error when iucode-tool is not installed + in the early firmware update mode code path (closes: #712943) + + -- Henrique de Moraes Holschuh <hmh@debian.org> Thu, 20 Jun 2013 22:07:04 -0300 + +intel-microcode (1.20130222.3) unstable; urgency=low + + * initramfs: add support for early firmware update + Add support to update microcode during early kernel startup, requires + Linux 3.9 or later with CONFIG_MICROCODE_INTEL_EARLY enabled. + This also requires initramfs-tools 0.113 or later, as well as iucode-tool + 1.0 or later. We fallback to late initramfs mode if outdated versions of + initramfs-tools or iucode-tool are installed. + * Update README.Debian and NEWS.Debian for early updates + * debian/control: update recommends for early-fw support + Recommend iucode-tool v1.0 or later and initramfs-tools 0.113, and + update the explanation in the package description accordingly. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 19 Jun 2013 22:15:46 -0300 + +intel-microcode (1.20130222.2) unstable; urgency=low + + * kernel preinst: simplify and load microcode and cpuid modules + * postinst: attempt to load microcode module (closes: #692535) + * Makefile: Use the -s! and --loose-date-filtering facilities added to + iucode_tool v0.9 to better implement the selection of legacy microcode, + and to fix the support for IUC_INCLUDE, which was non-functional. + * debian/control: build-depend on iucode-tool (>= 0.9) + + -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 27 Mar 2013 16:39:06 -0300 + +intel-microcode (1.20130222.1) unstable; urgency=low + + * New upstream microcode data file 20130222 (closes: #702152) + + Updated Microcodes: + sig 0x000306a9, pf mask 0x12, 2013-01-09, rev 0x0017, size 11264 + * Remove from the source package an unused microcode data file, which + was completely superseded by later ones: microcode-20120606-v2.dat + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 03 Mar 2013 16:59:35 -0300 + +intel-microcode (1.20120606.v2.2) unstable; urgency=medium + + * initramfs: work around initramfs-tools bug #688794. + Use "_" in place of "+-." for the initramfs script name. This works + around a PANIC during boot when the initramfs was created in a system + with noexec $TMPDIR. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 09 Oct 2012 07:43:37 -0300 + +intel-microcode (1.20120606.v2.1) unstable; urgency=medium + + * New upstream microcode data file 20120606-v2 (2012-10-01) + + Updated Microcodes: + sig 0x000206d6, pf mask 0x6d, 2012-05-22, rev 0x0619, size 16384 + sig 0x000206d7, pf mask 0x6d, 2012-05-22, rev 0x070d, size 16384 + sig 0x000306a9, pf mask 0x12, 2012-07-16, rev 0x0013, size 11264 + + Updated Microcodes (recently removed): + sig 0x000206f2, pf mask 0x05, 2012-04-12, rev 0x0036, size 12288 + * Remove from the source package some unused upstream microcode bundles, + which were completely superseded by later ones: microcode-20080401.dat, + microcode-20090330.dat, microcode-20090927.dat, microcode-20100209.dat, + microcode-20110428.dat, microcode-20111110.dat. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 08 Oct 2012 14:56:17 -0300 + +intel-microcode (1.20120606.6) unstable; urgency=medium + + * debian/control: conflicts with microcode.ctl (<< 1.18~0) + microcode.ctl (1.18~0+nmu1) is a transitional package. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 02 Sep 2012 17:46:39 -0300 + +intel-microcode (1.20120606.5) unstable; urgency=low + + * debian/copyright: correct statement. + * debian/control: use i686 instead of IA32 in package description. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 29 Aug 2012 19:33:14 -0300 + +intel-microcode (1.20120606.4) unstable; urgency=low + + * README.Debian: mention module-init-tools, not just kmod. This + is useful when backporting to Debian Squeeze. + * initramfs: make sure we modprobe cpuid early. + Provide an /etc/kernel/preinst.d hook to modprobe the cpuid module + before an in-place kernel upgrade makes it impossible to do so at + initramfs rebuild time. This is only done when dev/cpuid is not yet + available, IUCODE_TOOL_SCANCPUS is active, and iucode-tool is + installed. Thanks to Philipp Kern for the report. + * NEWS.Debian: document failures with in-place kernel upgrades + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 11 Aug 2012 19:35:46 -0300 + +intel-microcode (1.20120606.3) unstable; urgency=low + + * initramfs: while creating the initramfs, if we need to iucode_tool + --scan-system, attempt to modprobe cpuid if cpu/cpuid device is missing, + and report an error if it doesn't work. Thanks to Sebastian Andrzej + Siewior for a good suggestion on how to fix it (closes: #683161) + * README.Debian: add "modprobe cpuid" to example + * debian/control: use better Vcs-browser URI that is properly + handled by the current alioth redirector. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 29 Jul 2012 11:09:44 -0300 + +intel-microcode (1.20120606.2) unstable; urgency=low + + * Fix README.source to reflect that cpu-signatures.txt processing + was moved to the toplevel Makefile + * Update diff-latest-pack.sh to really find iucode_tool + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 21 Jul 2012 18:10:47 -0300 + +intel-microcode (1.20120606.1) unstable; urgency=low + + * Change to ABI 1: + + Ship binary microcode in /lib/firmware + + Add initramfs helpers to install and load binary microcode on boot + + Call update-initramfs on package upgrades and removals + + Use non-deprecated kernel interface to interact with kernel + (sysfs+fw loader) + * Include microcode for older processors. This should help some + older boxes for which microcode was not being shipped by Intel + anymore but which still have users, with the trade-off that we + will also ship some useless and mostly useless microcode + * Do not ship i686-only microcode in the amd64 binary package. We + still ship all microcode in the i386 binary package, to support + 64bit processors running i?86 userspace transparently + * Switch myself to maintainer, and Giacomo to uploader to better + reflect who is responsible for any bugs this could cause... + * Switch to the 3.0 (native) package format as it doesn't make practical + sense to base the source package on the Intel upstream tarball anymore + because we use all past Intel microcode releases as source + + Use xz to compress the tarball, it does a _much_ better job than + bzip2 and gzip for this package + + Override lintian warning about switch to native packaging, as it was + done on purpose. It can be removed in the future + * Drop CDBS, switch to classic (less obfuscated/much better documented) + debhelper build + * Switch to debhelper v7, which is good enough for Debian Lenny and later + don't use a newer mode for now, to facilitate backporting + * Document in README.source: + + this package must be trivial to backport to oldstable and stable + (i.e. Debian Lenny and Debian Squeeze ATM) + + how to add new upstream microcode packs and microcode overrides + + other relevant details related to the lack of Intel changelogs + * Build-Depend on iucode-tool to handle binary microcode, merge + microcode packs and overrides, and split into firmware files + * Drop support for microcode.ctl, as it cannot handle binary + microcode or the non-deprecated kernel interface + * Update package short and long descriptions + * Add a NEWS file to explain all the behaviour changes + * Recommend iucode-tool to support optional selective microcode + selection for the initramfs (reduces microcode size greatly) + * Change to priority: standard. This package should be installed in + every Intel-based Debian system, which is unfortunately impossible + since it is non-free, but at least mark it as such + * add debian/diff-latest-pack.sh utility (not shipped in the binary + package) to help produce the "upstream changelogs" + * debian/control: add Vcs-* fields + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 13 Jul 2012 15:23:23 -0300 + +intel-microcode (0.20120606-1) unstable; urgency=medium + + * New upstream data file: microcode-20120606 + + New Microcodes: + sig 0x00020661, pf mask 0x02, 2011-07-18, rev 0x0105, size 5120 + sig 0x000206d7, pf mask 0x6d, 2012-04-03, rev 0x070c, size 16384 + sig 0x000306a9, pf mask 0x12, 2012-04-12, rev 0x0012, size 11264 + + Updated Microcodes: + sig 0x000106e5, pf mask 0x13, 2011-09-01, rev 0x0005, size 6144 + sig 0x000206a7, pf mask 0x12, 2012-04-24, rev 0x0028, size 9216 + sig 0x000206d6, pf mask 0x6d, 2012-04-18, rev 0x0618, size 16384 + + Removed Microcodes (recently updated): + sig 0x000206f2, pf mask 0x05, 2011-08-31, rev 0x0034, size 12288 + * Fixes precise-event based sampling (PEBS) on Sandy Bridge processors + (http://lkml.org/lkml/2012/6/7/145) + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 09 Jun 2012 00:44:12 -0300 + +intel-microcode (0.20111110-1) unstable; urgency=low + + * New upstream data file: microcode-20111110 + + New Microcodes: + sig 0x000206d6, pf mask 0x6d, 2011-09-29, rev 0x060c, size 15360 + + Updated Microcodes: + sig 0x00020652, pf mask 0x12, 2011-09-01, rev 0x000d, size 7168 + sig 0x00020655, pf mask 0x92, 2011-09-01, rev 0x0003, size 2048 + sig 0x000206a7, pf mask 0x12, 2011-10-11, rev 0x0025, size 9216 + sig 0x000206f2, pf mask 0x05, 2011-08-31, rev 0x0034, size 12288 + + Removed Microcodes (recently added): + sig 0x00030661, pf mask 0x02, 2011-06-23, rev 0x0106, size 5120 + sig 0x00030661, pf mask 0x04, 2011-06-23, rev 0x0106, size 5120 + sig 0x00030661, pf mask 0x08, 2011-06-23, rev 0x0106, size 5120 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 24 Dec 2011 18:17:05 -0200 + +intel-microcode (0.20110915-1) unstable; urgency=low + + * New upstream data file: microcode-20110915 + + New Microcodes: + sig 0x000206f2, pf mask 0x05, 2011-07-21, rev 0x0032, size 12288 + sig 0x00030661, pf mask 0x02, 2011-06-23, rev 0x0106, size 5120 + sig 0x00030661, pf mask 0x04, 2011-06-23, rev 0x0106, size 5120 + sig 0x00030661, pf mask 0x08, 2011-06-23, rev 0x0106, size 5120 + + Updated Microcodes: + sig 0x000206a7, pf mask 0x12, 2011-07-14, rev 0x001b, size 9216 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 16 Oct 2011 13:10:43 -0200 + +intel-microcode (0.20110428-1) unstable; urgency=low + + * New upstream data file: microcode-20110428 + + New Microcodes: + sig 0x000206a7, pf mask 0x12, 2011-04-07, rev 0x0017, size 8192 + + Readded Microcodes: + sig 0x00000f12, pf mask 0x04, 2003-05-02, rev 0x002e, size 2048 + + Removed Microcodes (recently rolled back): + sig 0x000106a5, pf mask 0x03, 2009-04-14, rev 0x0011, size 8192 + * debian/rules: install microcode*.dat, instead of microcode-*.dat + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 26 Jun 2011 18:56:57 -0300 + +intel-microcode (0.20101123-1) unstable; urgency=low + + * New upstream data file: microcode-20101123 + + New Microcodes: + sig 0x000006fb, pf mask 0x20, 2010-10-03, rev 0x00ba, size 4096 + + Readded Microcodes (older revision): + sig 0x000106a5, pf mask 0x03, 2009-04-14, rev 0x0011, size 8192 + + Updated Microcodes: + sig 0x000006f2, pf mask 0x01, 2010-10-02, rev 0x005d, size 4096 + sig 0x000006f2, pf mask 0x20, 2010-10-02, rev 0x005c, size 4096 + sig 0x000006f6, pf mask 0x01, 2010-09-30, rev 0x00d0, size 4096 + sig 0x000006f6, pf mask 0x04, 2010-10-01, rev 0x00d2, size 4096 + sig 0x000006f6, pf mask 0x20, 2010-10-01, rev 0x00d1, size 4096 + sig 0x000006f7, pf mask 0x10, 2010-10-02, rev 0x006a, size 4096 + sig 0x000006f7, pf mask 0x40, 2010-10-02, rev 0x006b, size 4096 + sig 0x000006fa, pf mask 0x80, 2010-10-02, rev 0x0095, size 4096 + sig 0x000006fb, pf mask 0x01, 2010-10-03, rev 0x00ba, size 4096 + sig 0x000006fb, pf mask 0x04, 2010-10-03, rev 0x00bc, size 4096 + sig 0x000006fb, pf mask 0x08, 2010-10-03, rev 0x00bb, size 4096 + sig 0x000006fb, pf mask 0x10, 2010-10-03, rev 0x00ba, size 4096 + sig 0x000006fb, pf mask 0x40, 2010-10-03, rev 0x00bc, size 4096 + sig 0x000006fb, pf mask 0x80, 2010-10-03, rev 0x00ba, size 4096 + sig 0x000006fd, pf mask 0x01, 2010-10-02, rev 0x00a4, size 4096 + sig 0x000006fd, pf mask 0x20, 2010-10-02, rev 0x00a4, size 4096 + sig 0x000006fd, pf mask 0x80, 2010-10-02, rev 0x00a4, size 4096 + sig 0x00010661, pf mask 0x01, 2010-10-04, rev 0x0043, size 4096 + sig 0x00010661, pf mask 0x02, 2010-10-04, rev 0x0042, size 4096 + sig 0x00010661, pf mask 0x80, 2010-10-04, rev 0x0044, size 4096 + sig 0x00010676, pf mask 0x01, 2010-09-29, rev 0x060f, size 4096 + sig 0x00010676, pf mask 0x04, 2010-09-29, rev 0x060f, size 4096 + sig 0x00010676, pf mask 0x10, 2010-09-29, rev 0x060f, size 4096 + sig 0x00010676, pf mask 0x40, 2010-09-29, rev 0x060f, size 4096 + sig 0x00010676, pf mask 0x80, 2010-09-29, rev 0x060f, size 4096 + sig 0x00010677, pf mask 0x10, 2010-09-29, rev 0x070a, size 4096 + sig 0x0001067a, pf mask 0x11, 2010-09-28, rev 0x0a0b, size 8192 + sig 0x0001067a, pf mask 0x44, 2010-09-28, rev 0x0a0b, size 8192 + sig 0x0001067a, pf mask 0xa0, 2010-09-28, rev 0x0a0b, size 8192 + sig 0x000106d1, pf mask 0x08, 2010-09-30, rev 0x0029, size 4096 + + Removed Microcodes: + sig 0x00000612, pf mask 0x00, 1996-12-10, rev 0x00c6, size 2048 + sig 0x00000616, pf mask 0x00, 1996-12-10, rev 0x00c6, size 2048 + sig 0x00000617, pf mask 0x00, 1996-12-10, rev 0x00c6, size 2048 + sig 0x00000619, pf mask 0x00, 1998-02-18, rev 0x00d2, size 2048 + sig 0x00000633, pf mask 0x00, 1998-09-23, rev 0x0036, size 2048 + sig 0x00000634, pf mask 0x00, 1998-09-23, rev 0x0037, size 2048 + sig 0x00000650, pf mask 0x04, 1997-12-12, rev 0x0019, size 2048 + sig 0x00000650, pf mask 0x20, 1998-02-11, rev 0x002e, size 2048 + sig 0x00000650, pf mask 0x80, 1998-02-11, rev 0x002f, size 2048 + sig 0x00000651, pf mask 0x02, 1999-05-25, rev 0x0041, size 2048 + sig 0x00000651, pf mask 0x08, 1999-05-25, rev 0x0042, size 2048 + sig 0x00000652, pf mask 0x08, 1999-05-18, rev 0x002d, size 2048 + sig 0x00000672, pf mask 0x01, 1999-09-22, rev 0x0010, size 2048 + sig 0x00000673, pf mask 0x01, 1999-09-10, rev 0x000e, size 2048 + sig 0x00000683, pf mask 0x01, 2001-02-06, rev 0x0013, size 2048 + sig 0x00000683, pf mask 0x04, 2001-02-06, rev 0x0010, size 2048 + sig 0x00000683, pf mask 0x10, 2001-02-06, rev 0x0014, size 2048 + sig 0x000006a4, pf mask 0x04, 2000-06-16, rev 0x0001, size 2048 + sig 0x00000f12, pf mask 0x01, 2003-05-02, rev 0x002d, size 2048 + sig 0x00000f12, pf mask 0x02, 2003-05-02, rev 0x002f, size 2048 + sig 0x00000f12, pf mask 0x04, 2003-05-02, rev 0x002e, size 2048 + sig 0x00000f13, pf mask 0x04, 2003-05-08, rev 0x0005, size 2048 + sig 0x00000f24, pf mask 0x08, 2003-06-05, rev 0x0020, size 2048 + sig 0x000206c2, pf mask 0x03, 2010-09-07, rev 0x0013, size 7168 + + -- Henrique de Moraes Holschuh <hmh@debian.org> Mon, 10 Jan 2011 23:25:18 -0200 + +intel-microcode (0.20100914-1) unstable; urgency=low + + * New upstream data file: microcode-20100914 + + Updated Microcodes: + sig 0x000206c2, pf mask 0x03, 2010-09-07, rev 0x0013, size 7168 + + Removed Microcodes: + sig 0x000006d8, pf mask 0x08, 2006-08-31, rev 0x0021, size 2048 + sig 0x000006d8, pf mask 0x20, 2004-07-22, rev 0x0020, size 2048 + sig 0x00000f65, pf mask 0x04, 2007-05-10, rev 0x000b, size 2048 + sig 0x00010661, pf mask 0x04, 2007-05-01, rev 0x0036, size 4096 + sig 0x000106a5, pf mask 0x03, 2010-03-03, rev 0x0015, size 8192 + sig 0x000206e6, pf mask 0x04, 2010-04-21, rev 0x0007, size 6144 + * Add upstream changelog, with a list of changed microcodes per release + * Update debian/copyright to match the latest license + * Update documentation on where and how to get an up-to-date microcode + file directly from Intel, and how to install it + * postinst: run the microcode.ctl initscript on install/upgrades to apply + updated microcodes to the processor + * Merge changes from version 0.20090927-1, which I lost in the last + upload for some stupid reason. The lack of 0.20090927-1 in the + changelog upsets the BTS' version tracking, so it is more than just a + cosmetic fix + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sun, 26 Sep 2010 19:51:46 -0300 + +intel-microcode (0.20100826-1) unstable; urgency=low + + * New upstream data file: microcode-20100826 (closes: #571128) + * debian/control: Add myself to uploaders + * debian/control: bump standards-version to 3.9.1 (no changes required) + * debian/control: Change homepage to the only stable URI available, + which is that of the RSS feed + * debian/source/format: set to 1.0, we gain nothing from the other formats + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 28 Aug 2010 11:25:34 -0300 + +intel-microcode (0.20090927-1) unstable; urgency=low + + * New upstream version (Closes: #549706) + + -- Giacomo Catenazzi <cate@debian.org> Tue, 06 Oct 2009 07:42:02 +0200 + +intel-microcode (0.20090330-1) unstable; urgency=low + + * New upstream version. This version replaced 6 and add + extra 3 microcode files. + + -- Giacomo Catenazzi <cate@debian.org> Tue, 31 Mar 2009 07:54:00 +0200 + +intel-microcode (0.20080910-2) unstable; urgency=low + + * Revert architecture change + + -- Giacomo Catenazzi <cate@debian.org> Mon, 13 Oct 2008 19:40:18 +0200 + +intel-microcode (0.20080910-1) unstable; urgency=low + + * New upstream version. + * Set architecture to all: the data is architecture indipendent + (and used in i386 and amd64 architectures). Note: this package + is "non-free" (i.e. usual manual check), so it should not + use space on CD and other medium, on non Intel architectures. + + -- Giacomo Catenazzi <cate@debian.org> Mon, 15 Sep 2008 08:33:19 +0200 + +intel-microcode (0.20080401-1) unstable; urgency=low + + * New upstream version. + + -- Giacomo Catenazzi <cate@debian.org> Fri, 25 Apr 2008 18:59:10 +0200 + +intel-microcode (0.20080220-1) unstable; urgency=low + + * New upstream version. + + -- Giacomo Catenazzi <cate@debian.org> Mon, 10 Mar 2008 07:48:48 +0100 + +intel-microcode (0.20080131-1) unstable; urgency=low + + * Initial release. The new license is finally enough good for + debian non-free + * BTW packing the microcode will solve potential/theoretical + man-in-the-middle attack (Closes: #282583) + + -- Giacomo Catenazzi <cate@debian.org> Wed, 20 Feb 2008 19:33:10 +0100 + diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +9 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..86659b3 --- /dev/null +++ b/debian/control @@ -0,0 +1,24 @@ +Source: intel-microcode +Section: non-free-firmware/admin +Priority: standard +Maintainer: Henrique de Moraes Holschuh <hmh@debian.org> +Uploaders: Giacomo Catenazzi <cate@debian.org> +Build-Depends: debhelper (>= 9), iucode-tool (>= 0.9) +Standards-Version: 4.1.1 +Homepage: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files +Vcs-Git: https://salsa.debian.org/hmh/intel-microcode.git +Vcs-Browser: https://salsa.debian.org/hmh/intel-microcode +XS-Autobuild: yes + +Package: intel-microcode +Architecture: i386 amd64 x32 +Depends: ${misc:Depends}, iucode-tool (>= 1.0) +Recommends: initramfs-tools (>= 0.113~) +Conflicts: microcode.ctl (<< 0.18~0) +Description: Processor microcode firmware for Intel CPUs + This package contains updated system processor microcode for + Intel i686 and Intel X86-64 processors. Intel releases microcode + updates to correct processor behavior as documented in the + respective processor specification updates. + . + For AMD processors, please refer to the amd64-microcode package. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..47ae680 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,63 @@ +This package was debianized by Giacomo Catenazzi <cate@debian.org> on +Wed, 20 Feb 2008 07:43:49 +0100, and heavily modified by Henrique de +Moraes Holschuh <hmh@debian.org> on Fri, 13 Jul 2012 15:23:23 -0300. + +It was downloaded through https://downloadcenter.intel.com/search?keyword=linux+microcode +and later through https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files + +Debian distributes each individual Intel microcode update unmodified, as +downloaded from Intel. Each individual microcode update is translated to a +reversible, bit-exact binary representation, and formatted to a conveyance +format suitable for use in binary form by the Linux kernel. + +Upstream Author: + + Intel Corporation + +Upstream Copyright: + + Copyright (c) <1995-2019>, Intel Corporation. + All rights reserved. + +Upstream License: + + Redistribution. + + Redistribution and use in binary form, without modification, are + permitted, provided that the following conditions are met: + + 1. Redistributions must reproduce the above copyright notice and the + following disclaimer in the documentation and/or other materials + provided with the distribution. + + 2. Neither the name of Intel Corporation nor the names of its + suppliers may be used to endorse or promote products derived from + this software without specific prior written permission. + + 3. No reverse engineering, decompilation, or disassembly of this + software is permitted. + + "Binary form" includes any format that is commonly used for electronic + conveyance that is a reversible, bit-exact translation of binary + representation to ASCII or ISO text, for example "uuencode". + + DISCLAIMER. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +The Debian packaging is Copyright (c) 2008-2012 by Giacomo Catenazzi and +Copyright (c) 2012 by Henrique de Moraes Holschuh, and is licensed under the +GPLv2 (or at your option, any later version). Refer to +`/usr/share/common-licenses/GPL-2' for the full text of the license. + diff --git a/debian/diff-latest-pack.sh b/debian/diff-latest-pack.sh new file mode 100755 index 0000000..613aa95 --- /dev/null +++ b/debian/diff-latest-pack.sh @@ -0,0 +1,25 @@ +#!/bin/sh +# +# Generate an unified diff of the list of microcodes included in the +# latest two Intel-supplied Microcode packs (microcode-<date>.dat) +# +# Use this to locate updated/removed/added microcodes. Further manual +# analysis is necessary to identify the deletion of recently-added +# or recently-updated microcode, and the addition of previously-deleted +# microcode (often with a version downgrade). +# +# Run this from the directory with the Intel microcode packs. + +export LC_COLLATE=C +PATH=${PATH}:/sbin:/usr/sbin + +FILES=$(ls -1 microcode-*.dat | tail -n 2 | xargs) + +DFILES= +for i in $FILES ; do + fn=$(basename $i) + iucode_tool -q -l $i | sed -e 's/^[^:]\+: //' | sort | grep sig > /tmp/$fn.list + DFILES="${DFILES} /tmp/$fn.list" +done + +diff --unified=1 ${DFILES} | grep sig | sort -k 2 diff --git a/debian/initramfs.hook b/debian/initramfs.hook new file mode 100755 index 0000000..a464d09 --- /dev/null +++ b/debian/initramfs.hook @@ -0,0 +1,168 @@ +#!/bin/sh +# intel-microcode initramfs-tools hook script version 3 +# Copyright (C) 2012-2016 Henrique de Moraes Holschuh <hmh@debian.org> +# Released under the GNU GPL v2 or later license +# +# Generates a copy of the Intel microcode (by default tailored to the +# running system), and installs it in the early initramfs. +# +# iucode_tool v1.0 or later is required. +# + +PREREQ="" +IUCODE_CONFIG=/etc/default/intel-microcode + +prereqs() +{ + echo "$PREREQ" +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions + +verbose() +{ + if [ "${verbose}" = "y" ] ; then + echo "intel-microcode: $*" + fi + : +} + +if [ "${verbose}" = "y" ] ; then + IUCODE_TOOL_OPTIONS="-l" +else + IUCODE_TOOL_OPTIONS="-q" +fi + +IUCODE_TOOL=$(command -v iucode_tool) +if [ -z "${IUCODE_TOOL}" ] && [ -x /usr/sbin/iucode_tool ] ; then + IUCODE_TOOL=/usr/sbin/iucode_tool +fi + +IUCODE_FW_DIR=/lib/firmware/intel-ucode +if [ "$MODULES" = "most" ]; then + IUCODE_TOOL_INITRAMFS=early + IUCODE_TOOL_SCANCPUS=no +else + IUCODE_TOOL_INITRAMFS=auto + IUCODE_TOOL_SCANCPUS=yes +fi +IUCODE_TOOL_EXTRA_OPTIONS= + +[ -r ${IUCODE_CONFIG} ] && . ${IUCODE_CONFIG} + +[ -z "${IUCODE_TOOL_INITRAMFS}" ] && IUCODE_TOOL_INITRAMFS=no + +case "${IUCODE_TOOL_INITRAMFS}" in + no|0) + verbose "intel-microcode: disabled by ${IUCODE_CONFIG}" + exit 0 + ;; + auto|early) + ;; + yes|1) + IUCODE_TOOL_INITRAMFS=early + echo "W: intel-microcode: initramfs mode not supported, using early initramfs mode" >&2 + ;; + *) + echo "E: intel-microcode: invalid IUCODE_TOOL_INITRAMFS, using automatic mode" >&2 + IUCODE_TOOL_INITRAMFS=auto +esac + +# don't do anything unless there's an Intel processor in the system in auto mode +if [ "${IUCODE_TOOL_INITRAMFS}" = "auto" ] ; then + grep -q "^vendor_id[[:blank:]]*:[[:blank:]]*.*GenuineIntel" /proc/cpuinfo || { + verbose "no Intel processors detected, nothing to do" + exit 0 + } +fi + +# we require iucode_tool, but something is broken +if [ ! -x "${IUCODE_TOOL}" ] ; then + echo "E: intel-microcode: cannot run iucode_tool!" >&2 + exit 0 +fi + +# Blacklist all kernel versions before v3.10, as they don't support early +# initramfs mode. +# +# This doesn't blacklist early 3.10 kernels in the LTS branches, we don't have +# enough information at the initramfs-tools layer, due to the way Debian and +# Ubuntu version kernel packages. +if dpkg --compare-versions "${version}" lt 3.10 ; then + echo "E: intel-microcode: unsupported kernel version!" >&2 + exit 0 +fi + +if [ "${IUCODE_TOOL_SCANCPUS}" != "yes" ] ; then + verbose "adding microcode for either all or selected Intel processor models" +else + verbose "adding microcode for currently online and selected Intel processors" + grep -q cpu/cpuid /proc/devices || modprobe -q cpuid + IUCODE_TOOL_OPTIONS="${IUCODE_TOOL_OPTIONS} --scan-system" +fi + +# paranoia +[ -z "${DESTDIR}" ] && { + echo "E: intel-microcode: DESTDIR empty!" >&2 + exit 1 +} +[ -z "${IUCODE_FW_DIR}" ] && { + echo "E: intel-microcode: IUCODE_FW_DIR empty!" >&2 + exit 1 +} + +# include the microcode module in the initramfs for logging purposes, but +# ensure it will have no microcode data files to load. This is also a safety +# net: we don't want it to be acidentally loaded outside the initramfs. +# +# This shouldn't be expensive, as the in-kernel firmware loader is quite +# fast at detecting missing data files and doesn't wait for them. +# +# note: force_load will load a blacklisted module. We depend on that behavior. +# +# For 4.4 and later kernels, the microcode driver cannot be a module and will +# be built-in. +dpkg --compare-versions "${version}" lt 4.4 && { + [ -d "${DESTDIR}${IUCODE_FW_DIR}" ] && rm -fr "${DESTDIR}${IUCODE_FW_DIR}" + + manual_add_modules microcode && { + # force_load has broken semanthics when the .ko file is missing + find "${DESTDIR}/${MODULESDIR}" -type f -print | grep -qc '/microcode\.ko$' && { + verbose "modular microcode driver detected" + force_load microcode + } + } +} + +# generate early initramfs image and prepend +verbose "using early initramfs microcode update mode..." +EFW=$(mktemp "${TMPDIR:-/var/tmp}/mkinitramfs-EFW_XXXXXXXXXX") || { + echo "E: intel-microcode: cannot create temporary file" >&2 + exit 1 + } +( find /usr/share/misc -maxdepth 1 -type f -name 'intel-microcode*' -print0 ; + find "${IUCODE_FW_DIR}" -maxdepth 0 -type d -print0 ) 2>/dev/null \ +| xargs -0 -r -x ${IUCODE_TOOL} ${IUCODE_TOOL_OPTIONS} \ + --write-earlyfw="${EFW}" --overwrite \ + ${IUCODE_TOOL_EXTRA_OPTIONS} \ +&& prepend_earlyinitramfs "${EFW}" && { + rm "${EFW}" + exit 0 +} + +# usually we get here when initramfs-tools is missing prepend_earlyinitramfs() +# or when iucode_tool does not support --write-earlyfw, i.e. when old versions +# of these tools are installed. + +rm "${EFW}" || true + +echo "E: intel-microcode: failed to create or prepend the early initramfs to the initramfs" >&2 + +: diff --git a/debian/intel-microcode.NEWS b/debian/intel-microcode.NEWS new file mode 100644 index 0000000..9f18b00 --- /dev/null +++ b/debian/intel-microcode.NEWS @@ -0,0 +1,91 @@ +intel-microcode (3.20140913.1) unstable; urgency=low + + This release drops support for automatically applying microcode + updates without a reboot. The microcode updates can still be applied + without a reboot through manual action of the system administrator, at + his own risk. + + Microcodes known to be dangerous have been renamed so that they will + not be found by the kernel. This is a reactive blacklisting: it is + unlikely to be complete at any point in time. + + The 3.x branch of the intel-microcode packages will only support Linux + kernels v3.10 and above. For older kernels, you must use the 1.x + branch of the intel-microcode packages. + + Refer to /usr/share/doc/intel-microcode/README.Debian for details. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Fri, 10 Oct 2014 12:27:57 -0300 + +intel-microcode (1.20130222.3) unstable; urgency=low + + This release adds support for early microcode updates on Linux kernel + v3.9 and later. It requires the kernel support for the feature to be + compiled in, the use of an initramfs, and also recent versions of the + iucode-tool and initramfs-tools packages. + + Early microcode updates greatly reduce the chances of system + malfunction due to any issues that are corrected by the microcode + update. The microcode will be updated while the kernel initializes + the boot processor, and before any other processors (in a multicore + system) are enabled. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Wed, 19 Jun 2013 22:03:30 -0300 + +intel-microcode (1.20120606.4) unstable; urgency=low + + The initramfs logic to automatically restrict the microcodes that have + to be installed using iucode-tool can fail in a very specific situation + when the intel-microcode package is installed for the first time at the + same time the _currently running_ kernel is being upgraded. + + intel-microcode will warn you should that happen, and will install all + microcodes, resulting in a much larger initramfs image than expected. + + If you did hit this failure mode and you believe the large initramfs + will cause problems for your system to reboot, please remove the + intel-microcode package to reduce the initramfs size, reboot to load + the upgraded kernel, and then reinstall the intel-microcode package. + + Once the intel-microcode package is installed, it will cooperate with + the kernel packages and automatically avoid the issue on future + upgrades. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Sat, 11 Aug 2012 19:02:20 -0300 + +intel-microcode (1.20120606.1) unstable; urgency=low + + This major release update changes how Debian handles Intel system + processor microcode updates. Initscripts and the old microcode.ctl + utility are not used to load microcode anymore. + + Previously, microcode.ctl would be used to read the text file + distributed by Intel (microcode.dat), convert it to binary, and upload + to /dev/cpu/microcode. This functionality has been deprecated in the + kernel upstream for a long time, the firmware loader and a sysfs + interface should be used instead. + + The Intel microcode.dat file is now preprocessed using iucode-tool when + the intel-microcode package is built, and the resulting binary data + files for /lib/firmware/intel-ucode are shipped, ready for use by the + kernel. + + The intel-microcode package now provides automation for autoloading + microcode from the initramfs, instead of relying on any initscripts. + Refer to the README files in /usr/share/ doc/intel-microcode for more + details; there is some limited support for /usr/share/misc/ + intel-microcode.dat files. + + If you don't use an initramfs for a custom-built kernel, please make + sure the microcode driver is a module, and to load it at a time + /lib/firmware is already available. Adding it to /etc/modules is + usually enough. In this specific case, /usr/share/misc/ + intel-microcode.dat is not supported, refer to the README files for + more detail. + + WARNING: if you have an old /usr/share/misc/intel-microcode.dat file, + it may cause problems because of the way Intel does microcode release + management. As a rule, it is best to remove outdated microcode.dat + files from the system. + + -- Henrique de Moraes Holschuh <hmh@debian.org> Tue, 10 Jul 2012 16:06:06 -0300 diff --git a/debian/intel-microcode.default b/debian/intel-microcode.default new file mode 100644 index 0000000..b958464 --- /dev/null +++ b/debian/intel-microcode.default @@ -0,0 +1,26 @@ +# Configuration script for intel-microcode version 3 + +# +# initramfs helper +# + +# Set this to "no" to disable automatic microcode updates on boot; +# Set this to "auto" to use early initramfs mode automatically (default); +# Set this to "early" to always attempt to create an early initramfs; +#IUCODE_TOOL_INITRAMFS=auto + +# Set this to "yes" (default) to use "iucode_tool --scan-system" to reduce +# the initramfs size bloat, by detecting which Intel processors are active +# in this system, and installing only their microcodes. +# +# Set this to "no" to either include all microcodes, or only the microcodes +# selected through the use of IUCODE_TOOL_EXTRA_OPTIONS below. +# +# WARNING: including all microcodes will increase initramfs size greatly. +# This can cause boot issues if the initramfs is already large. +#IUCODE_TOOL_SCANCPUS=yes + +# Extra options to pass to iucode_tool, useful to forbid or to +# force the inclusion of microcode for specific processor signatures. +# See iucode_tool(8) for details. +#IUCODE_TOOL_EXTRA_OPTIONS="" diff --git a/debian/intel-microcode.dirs b/debian/intel-microcode.dirs new file mode 100644 index 0000000..b0a2588 --- /dev/null +++ b/debian/intel-microcode.dirs @@ -0,0 +1,3 @@ +lib/firmware/intel-ucode +etc/default +etc/modprobe.d diff --git a/debian/intel-microcode.docs b/debian/intel-microcode.docs new file mode 100644 index 0000000..53f29a6 --- /dev/null +++ b/debian/intel-microcode.docs @@ -0,0 +1,3 @@ +license +releasenote*.md +security*.md diff --git a/debian/intel-microcode.kpreinst b/debian/intel-microcode.kpreinst new file mode 100644 index 0000000..d98b40c --- /dev/null +++ b/debian/intel-microcode.kpreinst @@ -0,0 +1,17 @@ +#!/bin/sh +# +# /etc/kernel/preinst.d script for intel-microcode version 3 +# Copyright (C) 2014 Henrique de Moraes Holschuh <hmh@debian.org> +# Released under the GPL v2 or later license +# +# This script makes sure the cpuid module is loaded, before the +# kernel image has a chance to replace it with a new one that +# might not be compatible with the current kernel. +# +# We need the cpuid module for iucode_tool --scan-system, +# which is used by the initramfs hook. +# + +grep -q cpu/cpuid /proc/devices || modprobe -q cpuid || true + +: diff --git a/debian/intel-microcode.modprobe-blacklist b/debian/intel-microcode.modprobe-blacklist new file mode 100644 index 0000000..1dc2c23 --- /dev/null +++ b/debian/intel-microcode.modprobe-blacklist @@ -0,0 +1,3 @@ +# The microcode module attempts to apply a microcode update when +# it autoloads. This is not always safe, so we block it by default. +blacklist microcode diff --git a/debian/intel-microcode.postinst b/debian/intel-microcode.postinst new file mode 100644 index 0000000..71f667a --- /dev/null +++ b/debian/intel-microcode.postinst @@ -0,0 +1,50 @@ +#!/bin/sh +# postinst script for intel-microcode +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * <postinst> `configure' <most-recently-configured-version> +# * <old-postinst> `abort-upgrade' <new version> +# * <conflictor's-postinst> `abort-remove' `in-favour' <package> +# <new-version> +# * <postinst> `abort-remove' +# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' +# <failed-install-package> <version> `removing' +# <conflicting-package> <version> +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + +case "$1" in + configure) + # do it like udev and firmware-linux-* + if [ -x /usr/sbin/update-initramfs ] && [ -e /etc/initramfs-tools/initramfs.conf ] ; then + update-initramfs -u && { + echo "intel-microcode: microcode will be updated at next boot" >&2 + ls /usr/share/misc/intel-microcode* >/dev/null 2>&1 && { + echo "intel-microcode: possibly old microcode files from /usr/share/misc were used" >&2 + echo "intel-microcode: remove them if this is not desired and run 'update-initramfs -u'" >&2 + } + } + else + echo "intel-microcode: initramfs support missing" >&2 + fi + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/intel-microcode.postrm b/debian/intel-microcode.postrm new file mode 100644 index 0000000..57791c8 --- /dev/null +++ b/debian/intel-microcode.postrm @@ -0,0 +1,42 @@ +#!/bin/sh +# postrm script for intel-microcode +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * <postrm> `remove' +# * <postrm> `purge' +# * <old-postrm> `upgrade' <new-version> +# * <new-postrm> `failed-upgrade' <old-version> +# * <new-postrm> `abort-install' +# * <new-postrm> `abort-install' <old-version> +# * <new-postrm> `abort-upgrade' <old-version> +# * <disappearer's-postrm> `disappear' <overwriter> +# <overwriter-version> +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + +case "$1" in + purge|remove) + if [ -x /usr/sbin/update-initramfs ] && [ -e /etc/initramfs-tools/initramfs.conf ] ; then + update-initramfs -u + fi + ;; + + upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..eac0d2e --- /dev/null +++ b/debian/rules @@ -0,0 +1,62 @@ +#!/usr/bin/make -f +# debian/rules for intel-microcode, dh version +# Copyright (C) 2011,2016 by Henrique de Moraes Holschuh +# Published under the GNU GPL license version 2 or any later versions + +PACKAGE := intel-microcode +DEBDIR := $(CURDIR)/debian +PKGDIR := $(DEBDIR)/$(PACKAGE) + +DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH) + +export PATH := $(PATH):/sbin:/usr/sbin +IUCODE_TOOL := iucode_tool + +# DebHelper control +export DH_ALWAYS_EXCLUDE=CVS:.svn:.git + +ifneq (,$(filter amd64 x32,$(DEB_HOST_ARCH))) +IUCODE_FILE := intel-microcode-64.bin +else +IUCODE_FILE := intel-microcode.bin +endif + +# Work around Debian bug #688794 +INITRAMFS_NAME := $(subst -,_,$(subst +,_,$(subst .,_,$(PACKAGE)))) + +%: + dh $@ + +override_dh_auto_install: + dh_testdir + dh_install + + # split microcode pack + $(IUCODE_TOOL) -q --write-firmware="$(PKGDIR)/lib/firmware/intel-ucode" $(IUCODE_FILE) + + # apply best-effort blacklist + if [ -r debian/ucode-blacklist.txt ] ; then \ + cat debian/ucode-blacklist.txt | while read -r fn crap ; do \ + if [ -r "$(PKGDIR)/lib/firmware/intel-ucode/$${fn}" ] ; then \ + mv "$(PKGDIR)/lib/firmware/intel-ucode/$${fn}" "$(PKGDIR)/lib/firmware/intel-ucode/$${fn}.initramfs" ;\ + echo "Renaming blacklisted microcode $${fn}" ; \ + fi ; \ + done ; \ + fi + + mkdir -p "$(PKGDIR)/usr/share/initramfs-tools/hooks" + install -m 755 "$(DEBDIR)/initramfs.hook" \ + "$(PKGDIR)/usr/share/initramfs-tools/hooks/$(INITRAMFS_NAME)" + mkdir -p "$(PKGDIR)/etc/kernel/preinst.d" + install -m 755 "$(DEBDIR)/$(PACKAGE).kpreinst" \ + "$(PKGDIR)/etc/kernel/preinst.d/$(PACKAGE)" + + # We have a /etc/default file, but no initscript + install -m 644 "$(DEBDIR)/$(PACKAGE).default" "$(PKGDIR)/etc/default/$(PACKAGE)" + + # modprobe.d blacklist + install -m 644 "$(DEBDIR)/$(PACKAGE).modprobe-blacklist" "$(PKGDIR)/etc/modprobe.d/$(PACKAGE)-blacklist.conf" + +override_dh_installchangelogs: + dh_installchangelogs changelog + diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..89ae9db --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (native) diff --git a/debian/source/options b/debian/source/options new file mode 100644 index 0000000..b7bc1f2 --- /dev/null +++ b/debian/source/options @@ -0,0 +1 @@ +compression = "xz" diff --git a/debian/ucode-blacklist.txt b/debian/ucode-blacklist.txt new file mode 100644 index 0000000..50f194b --- /dev/null +++ b/debian/ucode-blacklist.txt @@ -0,0 +1,24 @@ +06-3a-09 +06-3c-01 +06-3c-02 +06-3c-03 +06-3d-04 +06-3f-01 +06-3f-02 +06-3f-04 +06-45-01 +06-46-01 +06-47-01 +06-56-02 +06-4e-03 +06-4f-01 +06-5e-03 +06-8e-09 +06-8e-0a +06-8e-0b +06-8e-0c +06-9e-09 +06-9e-0a +06-9e-0b +06-9e-0c +06-9e-0d |