
Bug#720125: pu: package intel-microcode/1.20130808.0+deb7u1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Dear stable release manager(s),

There is a need to update the intel-microcode package in stable:  Intel
released a microcode update package that fixes several nasty processor
errata, including a critical issue.  The errata are present on just about
every Intel Core and Core-based Xeon processor since the 1st gen i3/i5/i7
and Xeons since Nehalem.

I've added a full description of the worst processor erratum the microcode
update fixes in the relevant debian changelog.  Intel classified this
microcode update as a security fix, but I've asked the security team about
it and they feel this is best addressed through stable-proposed-updates due
to the non-free nature of intel-microcode.

Please refer to the attached diff.  I have omitted the upstream microcode
data changes from the diff to make it an easier read.

All changes present in the diff have been tested in unstable and testing for
a couple months without any issues reported.  They're necessary to avoid the
need for a reboot (or manual intervention) to apply the microcode.

Please verify whether the proposed changes would be acceptable for an upload
to stable.

I have *not* included the changes required to fix bug #716917 in this
update, however if you feel I should do so, I can prepare an update that
would also fix #716917 in stable.

Thank you.

diffstat:
 changelog                       |   23 
 debian/changelog                |   49 
 debian/intel-microcode.kpreinst |   28 
 debian/intel-microcode.postinst |   31 
 microcode-20130808.dat          |14880 ++++++++++++++++++++++++++--------------
 5 files changed, 9846 insertions(+), 5165 deletions(-)

-- System Information:
Debian Release: 7.1
  APT prefers proposed-updates
  APT policy: (990, 'proposed-updates'), (990, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.4.58+ (SMP w/8 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
diff --git a/changelog b/changelog
index 16c601f..10ad8a2 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,26 @@
+2013-08-08:
+  * New Microcodes:
+    sig 0x000306c3, pf mask 0x32, 2013-07-02, rev 0x0012, size 19456
+    sig 0x000306e4, pf mask 0xed, 2013-06-13, rev 0x0415, size 11264
+    sig 0x000306e6, pf mask 0xed, 2013-06-19, rev 0x0600, size 11264
+    sig 0x00040651, pf mask 0x72, 2013-07-02, rev 0x0015, size 18432
+
+  * Updated Microcodes (removed in the past):
+    sig 0x000106a5, pf mask 0x03, 2013-06-21, rev 0x0019, size 10240
+
+  * Updated Microcodes:
+    sig 0x000106a4, pf mask 0x03, 2013-06-21, rev 0x0012, size 14336
+    sig 0x000106e5, pf mask 0x13, 2013-07-01, rev 0x0006, size 7168
+    sig 0x00020652, pf mask 0x12, 2013-06-26, rev 0x000e, size 8192
+    sig 0x00020655, pf mask 0x92, 2013-06-28, rev 0x0004, size 3072
+    sig 0x000206a7, pf mask 0x12, 2013-06-12, rev 0x0029, size 10240
+    sig 0x000206d7, pf mask 0x6d, 2013-06-17, rev 0x0710, size 17408
+    sig 0x000206f2, pf mask 0x05, 2013-06-18, rev 0x0037, size 13312
+    sig 0x000306a9, pf mask 0x12, 2013-06-13, rev 0x0019, size 12288
+
+  * Removed Microcodes:
+    sig 0x000106e4, pf mask 0x09, 2010-03-08, rev 0x0002, size 5120
+
 2013-02-22:
   * Updated Microcodes:
     sig 0x000306a9, pf mask 0x12, 2013-01-09, rev 0x0017, size 11264
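Review bot: The "Removed Microcodes" entry drops sig 0x000106e4 (pf mask 0x09, rev 0x0002) with no replacement listed, so after this stable update systems with that signature no longer receive any microcode from the package. Since this is headed for stable, please confirm the removal is intended and not a regression for those machines, and consider calling it out in debian/changelog beyond repeating the upstream list.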
diff --git a/debian/changelog b/debian/changelog
index 247bf7c..ce4ce71 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,52 @@
+intel-microcode (1.20130808.0+deb7u1) stable; urgency=high
+
+  * New upstream microcode data file 20130808
+    + New Microcodes:
+      sig 0x000306c3, pf mask 0x32, 2013-07-02, rev 0x0012, size 19456
+      sig 0x000306e4, pf mask 0xed, 2013-06-13, rev 0x0415, size 11264
+      sig 0x000306e6, pf mask 0xed, 2013-06-19, rev 0x0600, size 11264
+      sig 0x00040651, pf mask 0x72, 2013-07-02, rev 0x0015, size 18432
+    + Updated Microcodes (removed in the past):
+      sig 0x000106a5, pf mask 0x03, 2013-06-21, rev 0x0019, size 10240
+    + Updated Microcodes:
+      sig 0x000106a4, pf mask 0x03, 2013-06-21, rev 0x0012, size 14336
+      sig 0x000106e5, pf mask 0x13, 2013-07-01, rev 0x0006, size 7168
+      sig 0x00020652, pf mask 0x12, 2013-06-26, rev 0x000e, size 8192
+      sig 0x00020655, pf mask 0x92, 2013-06-28, rev 0x0004, size 3072
+      sig 0x000206a7, pf mask 0x12, 2013-06-12, rev 0x0029, size 10240
+      sig 0x000206d7, pf mask 0x6d, 2013-06-17, rev 0x0710, size 17408
+      sig 0x000206f2, pf mask 0x05, 2013-06-18, rev 0x0037, size 13312
+      sig 0x000306a9, pf mask 0x12, 2013-06-13, rev 0x0019, size 12288
+    + Removed Microcodes:
+      sig 0x000106e4, pf mask 0x09, 2010-03-08, rev 0x0002, size 5120
+    + This microcode update has been documented by Intel to fix a severe
+      security issue (refer to LP bug 1212497); This update is known to fix
+      several nasty errata on 1st to 4th gens of Core i3/i5/i7, and Xeon
+      5500 and later, including but not limited to:
+      + AAK167/BT248: Virtual APIC accesses with 32-bit PAE paging
+        may cause system crash
+      + AAK170/BT246: The upper 32 bits of CR3 may be incorrectly used
+        with 32-bit paging
+    + Erratum AAK167/BT248 is nasty: "If a logical processor has EPT (Extended
+      Page Tables) enabled, is using 32-bit PAE paging, and accesses the
+      virtual-APIC page then a complex sequence of internal processor
+      micro-architectural events may cause an incorrect address translation or
+      machine check on either logical processor.  This erratum may result in
+      unexpected faults, an uncorrectable TLB error logged in
+      IA32_MCi_STATUS.MCACOD (bits [15:0]), a guest or hypervisor crash, or
+      other unpredictable system behavior"
+  * kernel preinst: simplify and load microcode and cpuid modules
+  * postinst: attempt to load microcode module (closes: #692535)
+  * Remove from the source package an unused upstream microcode bundle,
+    which has been completely superseded by later bundles:
+    microcode-20130222.dat
+  * Use 1.20130808.0+deb7u1 as the Debian version to start a new branch that
+    sorts before 1.20130808.1, which was uploaded to unstable.  Further
+    updates targeting stable will go into the 1.x branch.  Further updates
+    targeting unstable and stable-backports will go into the 2.x branch
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 17 Aug 2013 22:44:59 -0300
+
 intel-microcode (1.20130222.1) unstable; urgency=low
 
   * New upstream microcode data file 20130222 (closes: #702152)
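Review bot: The two maintainer-script entries ("kernel preinst: simplify and load microcode and cpuid modules" and "postinst: attempt to load microcode module") say what changed but not why it belongs in a stable update. The cover mail gives the reason (avoiding a reboot or manual intervention to apply the microcode); putting that sentence in the changelog would let someone reading only the package history see why script changes ride along with an urgency=high data update. The security rationale also points only at "LP bug 1212497" with no URL, so a full link would make it easier to follow from the changelog.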
diff --git a/debian/intel-microcode.kpreinst b/debian/intel-microcode.kpreinst
index a4be162..defb6d4 100644
--- a/debian/intel-microcode.kpreinst
+++ b/debian/intel-microcode.kpreinst
@@ -4,26 +4,16 @@
 # Copyright (C) 2012 Henrique de Moraes Holschuh <hmh@hmh.eng.br>
 # Released under the GPL v2 or later license
 #
-# This script makes sure the cpuid module will be loaded before
-# the kernel image replaces it.  It is necessary when cpuid is not
-# loaded or built-in, IUCODE_TOOL_SCANCPUS=yes is set, and the
-# kernel is being upgraded in-place.
+# This script makes sure the microcode and cpuid modules are
+# loaded, before the kernel image has a chance to replace them
+# with new ones that might not be compatible with the current
+# kernel.
+#
+# We need the microcode module to update microcode on postinst,
+# and the cpuid module for iucode_tool --scan-system.
 #
 
-IUCODE_CONFIG=/etc/default/intel-microcode
-
-IUCODE_TOOL=$(command -v iucode_tool)
-if [ -z "${IUCODE_TOOL}" -a -x /usr/sbin/iucode_tool ] ; then
-	IUCODE_TOOL=/usr/sbin/iucode_tool
-fi
-
-IUCODE_TOOL_SCANCPUS=yes
-[ -r ${IUCODE_CONFIG} ] && . ${IUCODE_CONFIG}
-
-if [ -z "${IUCODE_TOOL}" -o "${IUCODE_TOOL_SCANCPUS}" != "yes" ] ; then
-	exit
-else
-	grep -q cpu/cpuid /proc/devices || modprobe cpuid
-fi
+modprobe -q microcode || true
+grep -q cpu/cpuid /proc/devices || modprobe -q cpuid || true
 
 :
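Review bot: The rewritten body no longer sources /etc/default/intel-microcode or checks IUCODE_TOOL_SCANCPUS, so cpuid is now loaded on every kernel preinst even where the administrator set that option to something other than "yes". If that is deliberate, say so in the header comment; otherwise keep the config check around the cpuid line only. Also note that "modprobe -q microcode || true" means a kernel package installation can now trigger a microcode load as a side effect (the postinst comment states that loading the module triggers an update), with any failure hidden by -q and "|| true"; a short comment that failures are expected to show up only in the kernel log would help.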
diff --git a/debian/intel-microcode.postinst b/debian/intel-microcode.postinst
index 8ea4ff6..61fa9ca 100644
--- a/debian/intel-microcode.postinst
+++ b/debian/intel-microcode.postinst
@@ -19,20 +19,27 @@ set -e
 
 case "$1" in
     configure)
-	if [ -e /sys/devices/system/cpu/microcode/reload ] ; then
+	# try to load the microcode module just in case.  If we succeed,
+	# it will trigger a microcode update by itself
+	if modprobe -q --first-time microcode ; then
 	    echo "Updating microcode on all online processors..." >&2
-	    echo 1 > /sys/devices/system/cpu/microcode/reload || {
-	        echo "Kernel reported failure while updating microcode!" >&2
-            }
 	else
-	    # Try all online processors, broken kernels need this,
-	    # fixed kernels will accept it only on the BSP and update
-	    # all processors anyway, and -EINVAL all others... but we
-	    # don't know which one is the BSP, so we try all of them
-	    # and hide errors, the kernel will log any real problem.
-	    echo "Using per-core interface to update microcode on online processors..." >&2
-	    find /sys/devices/system/cpu -noleaf -type f -path '/sys/devices/system/cpu/cpu*/microcode/reload' | \
-		while read i ; do echo -n 1 2>/dev/null >"$i" || true ; done
+	    # we have to trigger the microcode update manually
+	    if [ -e /sys/devices/system/cpu/microcode/reload ] ; then
+		echo "Updating microcode on all online processors..." >&2
+		echo 1 > /sys/devices/system/cpu/microcode/reload || {
+		    echo "Kernel reported failure while updating microcode!" >&2
+		}
+	    else
+		# Try all online processors, broken kernels need this,
+		# fixed kernels will accept it only on the BSP and update
+		# all processors anyway, and -EINVAL all others... but we
+		# don't know which one is the BSP, so we try all of them
+		# and hide errors, the kernel will log any real problem.
+		echo "Using per-core interface to update microcode on online processors..." >&2
+		find /sys/devices/system/cpu -noleaf -type f -path '/sys/devices/system/cpu/cpu*/microcode/reload' | \
+		    while read i ; do echo -n 1 2>/dev/null >"$i" || true ; done
+	    fi
 	fi
 	# do it like udev and firmware-linux-*
 	if [ -x /usr/sbin/update-initramfs -a -e /etc/initramfs-tools/initramfs.conf ] ; then
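Review bot: In the new first branch, "if modprobe -q --first-time microcode" prints "Updating microcode on all online processors..." but has no failure path, unlike the reload branch, which reports "Kernel reported failure while updating microcode!". Because -q suppresses modprobe's errors, a module that could not be loaded at all is also indistinguishable from one that was already loaded, and both fall through to the manual trigger. Please add a comment stating that the outcome of the module-load update is only visible in the kernel log, and consider distinguishing "already loaded" from "failed to load" before running the per-core fallback.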
diff --git a/microcode-20130222.dat b/microcode-20130808.dat
similarity index 74%
rename from microcode-20130222.dat
rename to microcode-20130808.dat
index c5d7522..7da0f2b 100644
--- a/microcode-20130222.dat
+++ b/microcode-20130808.dat
