
Bug#899030: jessie-pu: package intel-microcode/3.20180425.1~deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

This is related to s-p-u bug #899006, and the package for jessie is
basically the same as the package for stretch.  The differences are only
in debian/changelog.


I'd like to update the intel-microcode package in Debian jessie.

This update adds the microcode-side fix for CVE-2017-5715 aka Spectre
v2.

It has been very extensively tested, as noted in the changelog:

   * RELEASE MANAGER INFORMATION: This update deploys the microcode side
     fix for CVE-2017-5715 (Spectre v2).  On the more recent processors,
     it also fixes other unspecified errata.  This microcode update pack
     has been extensively tested in Debian unstable, testing,
     stretch-backports and jessie-backports.  It has been extensively
     deployed by other distributions to their stable branches without
     causing any issues, with one notable exception (a distro-specific
     kernel bug, already fixed by that distro).

The only differences between this package and the ones that have been
uploaded (and tested) in jessie-backports, stretch-backports, testing
and unstable are in debian/changelog.

There is no need to worry about "intel-ucode-with-caveats/06-4f-01"; the
"caveat" is described in releasenotes: it must be updated using the
early microcode update mode.  This is irrelevant to Debian; we always
use early microcode update mode since jessie, and I had already
blacklisted that specific microcode update from any attempts to "late
load" a while ago, anyway, because of a documented erratum.

Some upstream stuff is irrelevant to Debian and does not get used or
shipped in the binary packages, such as the linux-kernel-patches/
directory (our kernel team already has that handled).  It can also be
ignored.

Note that, because Intel switched from text files (".dat" format) to
binary format in the upstream microcode distribution, and I use symlinks
in the source package, the debdiff ended up *quite big*.

The source changes required to support the binary format have been
extensively tested; I already had them for a couple (unstable) releases.
They are also only relevant during package build.

As usual, I have removed the noise caused by the binary blob changes
from upstream from the debdiff output for clarity.  The abridged debdiff
is attached.

Full diffstat:
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode-with-caveats/06-4f-01                      |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-03-02                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-05-00                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-05-01                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-05-02                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-05-03                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-06-00                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-06-05                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-06-0a                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-06-0d                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-07-01                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-07-02                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-07-03                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-08-01                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-08-03                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-08-06                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-08-0a                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-09-05                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-0a-00                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-0a-01                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-0b-01                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-0b-04                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-0d-06                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-0e-08                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-0e-0c                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-0f-02                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-0f-06                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-0f-07                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-0f-0a                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-0f-0b                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-0f-0d                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-16-01                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-17-06                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-17-07                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-17-0a                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-1a-04                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-1a-05                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-1c-02                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-1c-0a                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-1d-01                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-1e-05                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-25-02                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-25-05                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-26-01                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-2a-07                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-2d-06                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-2d-07                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-2f-02                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-3a-09                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-3c-03                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-3d-04                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-3e-04                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-3e-06                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-3e-07                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-3f-02                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-3f-04                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-45-01                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-46-01                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-47-01                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-4e-03                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-55-03                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-55-04                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-56-02                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-56-03                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-56-04                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-56-05                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-5c-09                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-5e-03                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-7a-01                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-8e-09                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-8e-0a                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-9e-09                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-9e-0a                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/06-9e-0b                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-00-07                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-00-0a                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-01-02                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-02-04                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-02-05                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-02-06                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-02-07                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-02-09                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-03-02                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-03-03                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-03-04                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-04-01                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-04-03                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-04-04                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-04-07                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-04-08                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-04-09                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-04-0a                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-06-02                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-06-04                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-06-05                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/intel-ucode/0f-06-08                                   |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-03-02                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-05-00                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-05-01                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-05-02                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-05-03                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-06-00                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-06-05                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-06-0a                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-06-0d                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-07-01                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-07-02                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-07-03                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-08-01                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-08-03                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-08-06                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-08-0a                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-09-05                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-0a-00                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-0a-01                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-0b-01                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-0b-04                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-0d-06                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-0e-08                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-0e-0c                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-0f-02                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-0f-06                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-0f-07                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-0f-0a                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-0f-0b                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-0f-0d                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-16-01                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-17-06                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-17-07                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-17-0a                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-1a-04                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-1a-05                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-1c-02                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-1c-0a                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-1d-01                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-1e-05                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-25-02                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-25-05                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-26-01                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-2a-07                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-2d-06                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-2d-07                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-2f-02                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-3a-09                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-3c-03                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-3d-04                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-3e-04                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-3e-06                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-3e-07                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-3f-02                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-3f-04                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-45-01                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-46-01                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-47-01                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-4e-03                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-55-03                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-55-04                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-56-02                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-56-03                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-56-04                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-56-05                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-5c-09                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-5e-03                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-7a-01                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-8e-09                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-8e-0a                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-9e-09                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-9e-0a                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/06-9e-0b                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-00-07                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-00-0a                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-01-02                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-02-04                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-02-05                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-02-06                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-02-07                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-02-09                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-03-02                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-03-03                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-03-04                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-04-01                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-04-03                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-04-04                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-04-07                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-04-08                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-04-09                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-04-0a                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-06-02                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-06-04                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-06-05                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/microcode-20180425.d/0f-06-08                          |binary
 /tmp/wAUU636cM5/intel-microcode-3.20180425.1~deb8u1/supplementary-ucode-20180425_BDX-ML.bin                |binary
 intel-microcode-3.20180425.1~deb8u1/Makefile                                                               |   36 
 intel-microcode-3.20180425.1~deb8u1/changelog                                                              |   72 
 intel-microcode-3.20180425.1~deb8u1/debian/README.Debian                                                   |   18 
 intel-microcode-3.20180425.1~deb8u1/debian/README.source                                                   |   51 
 intel-microcode-3.20180425.1~deb8u1/debian/changelog                                                       |  160 
 intel-microcode-3.20180425.1~deb8u1/debian/control                                                         |    6 
 intel-microcode-3.20180425.1~deb8u1/debian/copyright                                                       |    3 
 intel-microcode-3.20180425.1~deb8u1/debian/rules                                                           |   41 
 intel-microcode-3.20180425.1~deb8u1/debian/ucode-blacklist.txt                                             |    1 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/01-3f1f576a195aa266813cbd4ca70291deb61e0129.patch |  234 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/02-1008c52c09dcb23d93f8e0ea83a6246265d2cce0.patch |   90 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/03-42ca8082e260dcfd8afa2afa6ec1940b9d41724c.patch |   64 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/04-854857f5944c59a881ff607b37ed9ed41d031a3b.patch |   62 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/05-c182d2b7d0ca48e0d6ff16f7d883161238c447ed.patch |   90 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/06-91df9fdf51492aec9fed6b4cbd33160886740f47.patch |   58 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/07-30ec26da9967d0d785abc24073129a34c3211777.patch |   71 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/08-d8c3b52c00a05036e0a6b315b4b17921a7b67997.patch |   54 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/09-cfb52a5a09c8ae3a1dafb44ce549fde5b69e8117.patch |   67 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/10-a5321aec6412b20b5ad15db2d6b916c05349dbff.patch |  213 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/11-2613f36ed965d0e5a595a1d931fd3b480e82d6fd.patch |  154 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/12-bb8c13d61a629276a162c1d2b1a20a815cbcfbb7.patch |  163 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/13-09e182d17e8891dd73baba961a0f5a82e9274c97.patch |   59 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/14-84749d83758af6576552046b215b9b7f37f9556b.patch |   48 
 intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/patch-readme                                      |   17 
 intel-microcode-3.20180425.1~deb8u1/microcode-20170707.dat                                                 |81602 ----------
 intel-microcode-3.20180425.1~deb8u1/releasenote                                                            |  109 
 218 files changed, 1851 insertions(+), 81692 deletions(-)


Abridged diffstat:
 Makefile                                                               |   36 +
 changelog                                                              |   72 +++
 debian/README.Debian                                                   |   18 
 debian/README.source                                                   |   51 +-
 debian/changelog                                                       |  160 ++++++
 debian/control                                                         |    6 
 debian/copyright                                                       |    3 
 debian/rules                                                           |   41 -
 debian/ucode-blacklist.txt                                             |    1 
 linux-kernel-patches/01-3f1f576a195aa266813cbd4ca70291deb61e0129.patch |  234 ++++++++++
 linux-kernel-patches/02-1008c52c09dcb23d93f8e0ea83a6246265d2cce0.patch |   90 +++
 linux-kernel-patches/03-42ca8082e260dcfd8afa2afa6ec1940b9d41724c.patch |   64 ++
 linux-kernel-patches/04-854857f5944c59a881ff607b37ed9ed41d031a3b.patch |   62 ++
 linux-kernel-patches/05-c182d2b7d0ca48e0d6ff16f7d883161238c447ed.patch |   90 +++
 linux-kernel-patches/06-91df9fdf51492aec9fed6b4cbd33160886740f47.patch |   58 ++
 linux-kernel-patches/07-30ec26da9967d0d785abc24073129a34c3211777.patch |   71 +++
 linux-kernel-patches/08-d8c3b52c00a05036e0a6b315b4b17921a7b67997.patch |   54 ++
 linux-kernel-patches/09-cfb52a5a09c8ae3a1dafb44ce549fde5b69e8117.patch |   67 ++
 linux-kernel-patches/10-a5321aec6412b20b5ad15db2d6b916c05349dbff.patch |  213 +++++++++
 linux-kernel-patches/11-2613f36ed965d0e5a595a1d931fd3b480e82d6fd.patch |  154 ++++++
 linux-kernel-patches/12-bb8c13d61a629276a162c1d2b1a20a815cbcfbb7.patch |  163 ++++++
 linux-kernel-patches/13-09e182d17e8891dd73baba961a0f5a82e9274c97.patch |   59 ++
 linux-kernel-patches/14-84749d83758af6576552046b215b9b7f37f9556b.patch |   48 ++
 linux-kernel-patches/patch-readme                                      |   17 
 releasenote                                                            |  109 +++-
 25 files changed, 1851 insertions(+), 90 deletions(-)

Thank you!

-- 
  Henrique Holschuh
diff -Nru intel-microcode-3.20170707.1~deb8u1/changelog intel-microcode-3.20180425.1~deb8u1/changelog
--- intel-microcode-3.20170707.1~deb8u1/changelog	2017-07-08 20:18:26.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/changelog	2018-05-18 09:36:54.000000000 -0300
@@ -1,3 +1,75 @@
+2018-04-25:
+  * Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
+  * Updated Microcodes:
+    sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb00002c, size 27648
+    sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
+
+2018-03-12:
+  * Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
+  * New Microcodes:
+    sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
+    sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009, size 18432
+
+  * Updated Microcodes:
+    sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
+    sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
+    sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
+    sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
+    sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
+    sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
+    sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
+    sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
+    sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
+    sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
+    sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
+    sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
+    sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
+    sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+    sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
+    sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
+    sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012, size 22528
+    sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011, size 22528
+    sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
+    sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
+    sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
+    sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
+    sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
+    sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
+
+2018-01-08:
+  * This release has been officially recalled by Intel
+  * Updated Microcodes:
+    sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
+    sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
+    sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
+    sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
+    sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
+    sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
+    sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
+    sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
+    sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+    sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
+    sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
+    sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
+    sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
+    sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
+    sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
+    sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
+    sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
+    sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
+    sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
+
+2017-11-17:
+  * New Microcodes:
+    sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
+    sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
+    sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
+    sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
+
+  * Updated Microcodes:
+    sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
+    sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
+
 2017-07-07:
   * New Microcodes:
     sig 0x00050654, pf_mask 0x97, 2017-06-01, rev 0x2000022, size 25600
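Review bot: The 2018-04-25 and 2018-03-12 entries both spell the feature
"STIPB"; the Intel name is STIBP (Single Thread Indirect Branch
Predictors), so anyone grepping the changelog for the real term will not
find these entries. Correct the spelling in both "Implements
IBRS/IBPB/STIPB support" lines, or note it if the text is kept verbatim
from upstream.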
diff -Nru intel-microcode-3.20170707.1~deb8u1/debian/changelog intel-microcode-3.20180425.1~deb8u1/debian/changelog
--- intel-microcode-3.20170707.1~deb8u1/debian/changelog	2017-07-08 20:25:31.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/debian/changelog	2018-05-18 09:38:22.000000000 -0300
@@ -1,3 +1,163 @@
+intel-microcode (3.20180425.1~deb8u1) jessie; urgency=medium
+
+  * Upload to Debian jessie (no changes)
+  * RELEASE MANAGER INFORMATION: This update deploys the microcode side fix
+    for CVE-2017-5715 (Spectre v2).  On the more recent processors, it also
+    fixes other unspecified errata.  This microcode update pack has been
+    extensively tested in Debian unstable, testing, strech-backports and
+    jessie-backports.  It has been extensively deployed by other distributions
+    to their stable branches without causing any issues, with one notable
+    exception (a distro-specific kernel bug, already fixed by that distro).
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Fri, 18 May 2018 09:38:22 -0300
+
+intel-microcode (3.20180425.1) unstable; urgency=medium
+
+  * New upstream microcode data file 20180425 (closes: #897443, #895878)
+    + Updated Microcodes:
+      sig 0x000406f1, pf_mask 0xef, 2018-03-21, rev 0xb00002c, size 27648
+      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
+    + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
+    + Note that sig 0x000604f1 has been blacklisted from late-loading
+      since Debian release 3.20171117.1.
+  * source: remove undesired list files from microcode directories
+  * source: switch to microcode-<id>.d/ since Intel dropped .dat
+    support.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Wed, 02 May 2018 16:48:44 -0300
+
+intel-microcode (3.20180312.1) unstable; urgency=medium
+
+  * New upstream microcode data file 20180312 (closes: #886367)
+    + New Microcodes:
+      sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
+      sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009, size 18432
+    + Updated Microcodes:
+      sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
+      sig 0x000206d6, pf_mask 0x6d, 2018-01-30, rev 0x061c, size 18432
+      sig 0x000206d7, pf_mask 0x6d, 2018-01-26, rev 0x0713, size 19456
+      sig 0x000306a9, pf_mask 0x12, 2018-02-07, rev 0x001f, size 13312
+      sig 0x000306c3, pf_mask 0x32, 2018-01-21, rev 0x0024, size 23552
+      sig 0x000306d4, pf_mask 0xc0, 2018-01-18, rev 0x002a, size 18432
+      sig 0x000306e4, pf_mask 0xed, 2018-01-25, rev 0x042c, size 15360
+      sig 0x000306e7, pf_mask 0xed, 2018-02-16, rev 0x0713, size 16384
+      sig 0x000306f2, pf_mask 0x6f, 2018-01-19, rev 0x003c, size 33792
+      sig 0x000306f4, pf_mask 0x80, 2018-01-22, rev 0x0011, size 17408
+      sig 0x00040651, pf_mask 0x72, 2018-01-18, rev 0x0023, size 21504
+      sig 0x00040661, pf_mask 0x32, 2018-01-21, rev 0x0019, size 25600
+      sig 0x00040671, pf_mask 0x22, 2018-01-21, rev 0x001d, size 12288
+      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x00050654, pf_mask 0xb7, 2018-01-26, rev 0x2000043, size 28672
+      sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015, size 31744
+      sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012, size 22528
+      sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011, size 22528
+      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x000806e9, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 98304
+      sig 0x000806ea, pf_mask 0xc0, 2018-01-21, rev 0x0084, size 97280
+      sig 0x000906e9, pf_mask 0x2a, 2018-01-21, rev 0x0084, size 98304
+      sig 0x000906ea, pf_mask 0x22, 2018-01-21, rev 0x0084, size 96256
+      sig 0x000906eb, pf_mask 0x02, 2018-01-21, rev 0x0084, size 98304
+    + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation for:
+      Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake,
+      Coffee Lake
+    + Missing production updates:
+      + Broadwell-E/EX Xeons (sig 0x406f1)
+      + Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell,
+        Gemini Lake, Denverton
+  * Update past changelog entries with new information:
+    Intel already had all necessary semanthics in LFENCE, so the
+    Spectre-related Intel microcode changes did not need to enhance LFENCE.
+  * debian/control: update Vcs-* fields for the move to salsa.debian.org
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Wed, 14 Mar 2018 09:21:24 -0300
+
+intel-microcode (3.20180108.1+really20171117.1) unstable; urgency=critical
+
+  * Revert to release 20171117, as per Intel instructions issued to
+    the public in 2018-01-22 (closes: #886998)
+  * This effectively removes IBRS/IBPB/STIPB microcode support for
+    Spectre variant 2 mitigation.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Mon, 22 Jan 2018 23:01:59 -0200
+
+intel-microcode (3.20180108.1) unstable; urgency=high
+
+  * New upstream microcode data file 20180108 (closes: #886367)
+    + Updated Microcodes:
+      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
+      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
+      sig 0x000306e4, pf_mask 0xed, 2017-12-01, rev 0x042a, size 15360
+      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
+      sig 0x000306f4, pf_mask 0x80, 2017-11-17, rev 0x0010, size 17408
+      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
+      sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
+      sig 0x00040671, pf_mask 0x22, 2017-11-17, rev 0x001b, size 13312
+      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x00050654, pf_mask 0xb7, 2017-12-08, rev 0x200003c, size 27648
+      sig 0x00050662, pf_mask 0x10, 2017-12-16, rev 0x0014, size 31744
+      sig 0x00050663, pf_mask 0x10, 2017-12-16, rev 0x7000011, size 22528
+      sig 0x000506e3, pf_mask 0x36, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
+      sig 0x000806e9, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
+      sig 0x000806ea, pf_mask 0xc0, 2018-01-04, rev 0x0080, size 98304
+      sig 0x000906e9, pf_mask 0x2a, 2018-01-04, rev 0x0080, size 98304
+      sig 0x000906ea, pf_mask 0x22, 2018-01-04, rev 0x0080, size 97280
+      sig 0x000906eb, pf_mask 0x02, 2018-01-04, rev 0x0080, size 98304
+    + Implements IBRS/IBPB support: mitigation against Spectre (CVE-2017-5715)
+    + Very likely fixes several other errata on some of the processors
+  * supplementary-ucode-CVE-2017-5715.d/: remove.
+    + Downgraded microcodes:
+      sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624
+      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
+    + Recall related to bug #886998
+  * source: remove superseded upstream data file: 20171117
+  * README.Debian, copyright: update download URLs (closes: #886368)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Wed, 10 Jan 2018 00:23:44 -0200
+
+intel-microcode (3.20171215.1) unstable; urgency=high
+
+  * Add supplementary-ucode-CVE-2017-5715.d/: (closes: #886367)
+    New upstream microcodes to partially address CVE-2017-5715
+    + Updated Microcodes:
+      sig 0x000306c3, pf_mask 0x32, 2017-11-20, rev 0x0023, size 23552
+      sig 0x000306d4, pf_mask 0xc0, 2017-11-17, rev 0x0028, size 18432
+      sig 0x000306f2, pf_mask 0x6f, 2017-11-17, rev 0x003b, size 33792
+      sig 0x00040651, pf_mask 0x72, 2017-11-20, rev 0x0021, size 22528
+      sig 0x000406e3, pf_mask 0xc0, 2017-11-16, rev 0x00c2, size 99328
+      sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648
+      sig 0x00050654, pf_mask 0xb7, 2017-11-21, rev 0x200003a, size 27648
+      sig 0x000506c9, pf_mask 0x03, 2017-11-22, rev 0x002e, size 16384
+      sig 0x000806e9, pf_mask 0xc0, 2017-12-03, rev 0x007c, size 98304
+      sig 0x000906e9, pf_mask 0x2a, 2017-12-03, rev 0x007c, size 98304
+  * Implements IBRS and IBPB support via new MSR (Spectre variant 2
+    mitigation, indirect branches).  Support is exposed through cpuid(7).EDX.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Thu, 04 Jan 2018 23:04:38 -0200
+
+intel-microcode (3.20171117.1) unstable; urgency=medium
+
+  * New upstream microcode data file 20171117
+    + New Microcodes:
+      sig 0x000506c9, pf_mask 0x03, 2017-03-25, rev 0x002c, size 16384
+      sig 0x000706a1, pf_mask 0x01, 2017-10-31, rev 0x001e, size 72704
+      sig 0x000906ea, pf_mask 0x22, 2017-08-23, rev 0x0070, size 95232
+      sig 0x000906eb, pf_mask 0x02, 2017-09-20, rev 0x0072, size 97280
+    + Updated Microcodes:
+      sig 0x00050654, pf_mask 0xb7, 2017-10-17, rev 0x2000035, size 26624
+      sig 0x000806ea, pf_mask 0xc0, 2017-08-03, rev 0x0070, size 96256
+  * source: remove superseded upstream data file: 20170707.
+  * source: remove unneeded intel-ucode/ directory for 20171117.
+  * debian/control: bump standards version to 4.1.1 (no changes)
+  * Makefile: rename microcode-extras.pbin to microcode-includes.pbin.
+  * README.source: fix IUC_EXCLUDE example and minor issues.
+  * Makefile, README.souce: support loading ucode from directories.
+  * debian/rules: switch to dh mode (debhelper v9)
+  * ucode-blacklist: blacklist sig 0x406f1 (Skylake-X H0) from late
+    loading.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 18 Nov 2017 18:55:09 -0200
+
 intel-microcode (3.20170707.1~deb8u1) jessie; urgency=high
 
   * Upload to jessie (no changes)
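Review bot: The 3.20180425.1 entry says "sig 0x000604f1 has been
blacklisted from late-loading", but the microcode listed two lines above
it is sig 0x000406f1 and the 3.20171117.1 entry blacklists sig 0x406f1,
so the digits look transposed. The same signature is also labelled
"Skylake-X H0" in the 3.20171117.1 entry and "Broadwell-E/EX Xeons" in
the 3.20180312.1 entry; one of the two names is wrong and should be
corrected the way the 3.20180312.1 entry already updates past entries.
Minor spelling: "strech-backports", "semanthics", "README.souce", and
"STIPB" for STIBP.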
diff -Nru intel-microcode-3.20170707.1~deb8u1/debian/control intel-microcode-3.20180425.1~deb8u1/debian/control
--- intel-microcode-3.20170707.1~deb8u1/debian/control	2017-07-08 18:32:08.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/debian/control	2018-05-18 09:36:54.000000000 -0300
@@ -4,10 +4,10 @@
 Maintainer: Henrique de Moraes Holschuh <hmh@debian.org>
 Uploaders: Giacomo Catenazzi <cate@debian.org>
 Build-Depends: debhelper (>= 9), iucode-tool (>= 0.9)
-Standards-Version: 3.9.8
+Standards-Version: 4.1.1
 Homepage: https://downloadcenter.intel.com/search?keyword=linux+microcode
-Vcs-Git: git://git.debian.org/users/hmh/intel-microcode.git
-Vcs-Browser: http://git.debian.org/?p=users/hmh/intel-microcode.git
+Vcs-Git: https://salsa.debian.org/hmh/intel-microcode.git
+Vcs-Browser: https://salsa.debian.org/hmh/intel-microcode
 XS-Autobuild: yes
 
 Package: intel-microcode
diff -Nru intel-microcode-3.20170707.1~deb8u1/debian/copyright intel-microcode-3.20180425.1~deb8u1/debian/copyright
--- intel-microcode-3.20170707.1~deb8u1/debian/copyright	2017-07-08 18:32:08.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/debian/copyright	2018-05-18 09:36:54.000000000 -0300
@@ -2,8 +2,7 @@
 Wed, 20 Feb 2008 07:43:49 +0100, and heavily modified by Henrique de
 Moraes Holschuh <hmh@debian.org> on Fri, 13 Jul 2012 15:23:23 -0300.
 
-It was downloaded from http://downloadcenter.intel.com/Detail_Desc.aspx?ProductID=483&DwnldID=14303
-and later from http://feeds.downloadcenter.intel.com/rss/?p=483&lang=eng
+It was downloaded through https://downloadcenter.intel.com/search?keyword=linux+microcode
 
 Debian distributes each individual Intel microcode update unmodified, as
 downloaded from Intel.  Each individual microcode update is translated to a
diff -Nru intel-microcode-3.20170707.1~deb8u1/debian/README.Debian intel-microcode-3.20180425.1~deb8u1/debian/README.Debian
--- intel-microcode-3.20170707.1~deb8u1/debian/README.Debian	2017-07-08 18:32:08.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/debian/README.Debian	2018-05-18 09:36:54.000000000 -0300
@@ -182,14 +182,13 @@
 Downloading new microcode data from Intel:
 
 A new version of the microcode bundle can be downloaded directly from
-Intel.  Try to search for "Linux Processor Microcode":
+Intel.  Try to search for "Linux Microcode":
 
-https://downloadcenter.intel.com/search?keyword=Linux+Processor+Microcode+Data+File
+	https://downloadcenter.intel.com/search?keyword=linux+microcode
 
-Alternatively, you can try one of these RSS feeds:
+Alternatively, you can try looking for the downloads related to a recent
+Intel processor.
 
-http://feeds.downloadcenter.intel.com/rss/?p=483&lang=eng
-http://feeds.downloadcenter.intel.com/rss/?p=2371&lang=eng
 
 To manually install the downloaded microcode bundle, unpack the archive you
 got from Intel and copy the microcode-*.dat file from the archive to
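Review bot: The unchanged lines that follow this hunk still tell the
reader to copy the microcode-*.dat file from the archive, while
debian/changelog in this same diff records that Intel dropped .dat
support and the source moved to microcode-<id>.d/. The manual-install
paragraph should describe what to do with the current archive layout.
Removing the two RSS feed lines also leaves two consecutive blank lines
before "To manually install".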
@@ -203,10 +202,15 @@
 
 After you install the updated intel-microcode.dat file, run as root:
 
-	modprobe cpuid
-	iucode_tool --scan-system --write-firmware /usr/share/misc/intel-microcode.dat
 	update-initramfs -u
 
+The intel-microcode package supports "extra" microcode data in the
+following files (and will warn you if it detects and use them):
+
+	/usr/share/misc/intel-microcode*
+
+both .dat and .bin formats are supported.
+
 
 Triggering an immediate microcode update (without a reboot):
 
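Review bot: The added paragraph has two wording slips: "if it detects
and use them" should read "uses", and "both .dat and .bin formats are
supported." starts a sentence in lower case. The unchanged lead-in above
the command still names only "the updated intel-microcode.dat file",
while the new text accepts /usr/share/misc/intel-microcode* in .dat or
.bin, so the lead-in should be brought in line with it.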
diff -Nru intel-microcode-3.20170707.1~deb8u1/debian/README.source intel-microcode-3.20180425.1~deb8u1/debian/README.source
--- intel-microcode-3.20170707.1~deb8u1/debian/README.source	2017-07-08 18:32:08.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/debian/README.source	2018-05-18 09:36:54.000000000 -0300
@@ -3,17 +3,36 @@
 
 Adding new microcodes to the package:
 
-* Regular microcode bundles:
+* Regular microcode bundles (upstream releases):
 
   Add them to the top-level dir, names must match the patterns:
 
     *  microcode-<id>.dat for Intel text format bundles;
     *  microcode-<id>.bin for Intel binary bundles.
+    *  microcode-<id>.d/ for directories with split binary microcode.
 
     <id> should be the upstream release date in YYYYMMDD format.
     If it is not, you must make sure microcode files that have
     been released later also come later in C collating order.
 
+    Some upstream releases contain the microcode update data twice:
+    in .dat, and as a directory with several binary files.  In that
+    case, you must compare the contents (e.g. using iucode_tool -L)
+    to ensure that they match.  Don't add both copies of the update
+    data to the package: it is a waste of mirror space, and only one
+    copy (the one that sorts last) would be used to generate the
+    final microcode pack (so you would still have to ensure both
+    formats had the same contents anyway).
+
+    Hint: iucode_tool will compare two "supposedly identical"
+    microcodes to ensure they are just that: identical.  So, it is
+    enough to do something like this:
+
+       iucode_tool --write-all-named-to=/tmp/dir1 file1.dat ;
+       iucode_tool --write-all-named-to=/tmp/dir2 intel-ucode/ ;
+       diff -R /tmp/dir1 /tmp/dir2 && echo ok ;
+       iucode_tool -v /tmp/dir1 /tmp/dir2
+
   Later regular microcode bundles have precedence over older regular
   microcode bundles, and may downgrade microcode revisions.  This
   implements the automatic "revision rollback" mechanism.
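Review bot: In the hint, "diff -R /tmp/dir1 /tmp/dir2" uses an
upper-case -R; the recursive option of GNU diff is lower-case -r, so the
command as written is likely to fail instead of comparing the two trees.
The example also writes to fixed names under /tmp; suggesting
directories created with mktemp -d avoids clashing with, or trusting,
pre-existing /tmp/dir1 and /tmp/dir2. The new "microcode-<id>.d/" list
item is added after the item that ends the list with a full stop, so the
punctuation of the three items should be adjusted.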
@@ -24,8 +43,15 @@
   be selected.  This logic implements the "automatic removal" mechanism
   to handle microcode recalls.
 
+  Directories of microcodes must not have nested subdirectories.  The
+  contents of the directory will be processed into a temporary ".dbin"
+  binary microcode file, to allow the automatic "revision rollback"
+  mechanism to work in a predictable way.  Due to sorting order,
+  ".dbin" files are preferred over ".dat" files when deciding which
+  would be used to generate the final microcode pack.
+
   Supplementary microcode bundles and microcode overrides can select
-  additional microcode.
+  additional microcode (see below).
 
 * Latest available version of a microcode that is not being shipped
   anymore, but which is present in an older microcode bundle:
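Review bot: The new paragraph says ".dbin" files are preferred over
".dat" files but does not mention ".bin", which the naming list earlier
in this file also allows. Since the bundle that sorts last wins and
".bin" sorts before ".dbin" in C collating order, state the ".bin" case
explicitly so the precedence rule covers all three formats.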
@@ -41,6 +67,7 @@
   Add them to the top-level dir, names must match the pattern:
 
     *  supplementary-ucode-<id>.bin
+    *  supplementary-ucode-<id>.d/
 
     <id> should be a descriptive name, sorting order does not
     matter.  It must not have spaces or tabs.
@@ -48,17 +75,23 @@
   These bundles have the same precedence as the newest regular microcode
   bundle: microcodes with the highest revision among the newest regular
   microcode bundle and every supplementary microcode bundles will be
-  selected
+  selected.
 
   Supplementary microcode bundles must be in binary format.
 
-  Use "iucode_tool -w" to create supplementary microcode bundles.  The
-  bundles may have any number of microcodes inside, and should be
+  Use "iucode_tool -w" to create supplementary microcode bundles.
+  The bundles may have any number of microcodes inside, and should be
   described in the "upstream" changelog.
 
-  WARNING: by definition, microcodes added through supplementary bundles
-  cannot be "recalled" (excluded or downgraded) automatically by the
-  latest regular microcode bundle, only by overrides and IUC_EXCLUDE.
+  Directories of supplementary microcode updates must not have nested
+  subdirectories.  The data files inside the directory should be in
+  binary format, and may contain more than one microcode update.  They
+  should be descriptively named, and should be described in the
+  "upstream" changelog.
+
+  WARNING: microcodes added through supplementary bundles cannot be
+  "recalled" (excluded or downgraded) automatically by the latest
+  regular microcode bundle, only by overrides and IUC_EXCLUDE.
 
 * Individual microcode overrides (at a specific revision):
 
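Review bot: The added paragraph on directories says the data files
"should be in binary format", while the unchanged sentence just above
says supplementary bundles "must be in binary format". If text-format
files in a supplementary-ucode-<id>.d/ directory are not supported, use
"must" in both places; if they are tolerated, say what happens to them.
The unchanged context also reads "every supplementary microcode
bundles", which could be fixed while this section is being touched.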
@@ -88,7 +121,7 @@
 
 * Excluding microcodes, no matter where they were sourced from:
 
-  Add "-s <signature>" to IUC_EXCLUDE in the Makefile.
+  Add "-s !<signature>" to IUC_EXCLUDE in the Makefile.
 
   This will remove from the final microcode distribution even microcodes
   that were sourced from override files.
diff -Nru intel-microcode-3.20170707.1~deb8u1/debian/rules intel-microcode-3.20180425.1~deb8u1/debian/rules
--- intel-microcode-3.20170707.1~deb8u1/debian/rules	2017-07-08 18:32:08.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/debian/rules	2018-05-18 09:36:54.000000000 -0300
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
-# debian/rules for intel-microcode
-# Copyright (C) 2011,2012 by Henrique de Moraes Holschuh
+# debian/rules for intel-microcode, dh version
+# Copyright (C) 2011,2016 by Henrique de Moraes Holschuh
 # Published under the GNU GPL license version 2 or any later versions
 
 PACKAGE := intel-microcode
@@ -24,24 +24,12 @@
 # Work around Debian bug #688794
 INITRAMFS_NAME := $(subst -,_,$(subst +,_,$(subst .,_,$(PACKAGE))))
 
-build-indep:
+%:
+	dh $@
 
-build-arch: build
-build:
+override_dh_auto_install:
 	dh_testdir
-	$(MAKE)
-
-clean:
-	dh_testdir
-	dh_testroot
-	$(MAKE) clean
-	dh_clean
-
-install: build
-	dh_testdir
-	dh_testroot
-	dh_prep
-	dh_installdirs
+	dh_install
 
 	# split microcode pack
 	$(IUCODE_TOOL) -q --write-firmware="$(PKGDIR)/lib/firmware/intel-ucode" $(IUCODE_FILE)
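Review bot: override_dh_auto_install starts with dh_testdir and
dh_install, both of which the dh sequencer already runs on its own, so
dh_install is executed twice. If the early call is needed so that the
target directories exist before iucode_tool writes into $(PKGDIR), add a
comment saying so; otherwise drop both lines from the override.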
@@ -69,21 +57,6 @@
 	# modprobe.d blacklist
 	install -m 644 "$(DEBDIR)/$(PACKAGE).modprobe-blacklist" "$(PKGDIR)/etc/modprobe.d/$(PACKAGE)-blacklist.conf"
 
-binary: install
-	dh_testdir
-	dh_testroot
-	dh_installdocs
+override_dh_installchangelogs:
 	dh_installchangelogs changelog
-	dh_lintian
-	dh_compress
-	dh_fixperms
-	dh_installdeb
-	dh_gencontrol
-	dh_md5sums
-	dh_builddeb
-
-binary-indep:
-
-binary-arch: binary
 
-.PHONY: build clean binary install binary-arch binary-indep
diff -Nru intel-microcode-3.20170707.1~deb8u1/debian/ucode-blacklist.txt intel-microcode-3.20180425.1~deb8u1/debian/ucode-blacklist.txt
--- intel-microcode-3.20170707.1~deb8u1/debian/ucode-blacklist.txt	2017-07-08 18:32:08.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/debian/ucode-blacklist.txt	2018-05-18 09:36:54.000000000 -0300
@@ -10,3 +10,4 @@
 06-46-01
 06-47-01
 06-56-02
+06-4f-01
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/01-3f1f576a195aa266813cbd4ca70291deb61e0129.patch intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/01-3f1f576a195aa266813cbd4ca70291deb61e0129.patch
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/01-3f1f576a195aa266813cbd4ca70291deb61e0129.patch	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/01-3f1f576a195aa266813cbd4ca70291deb61e0129.patch	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,234 @@
+From 3f1f576a195aa266813cbd4ca70291deb61e0129 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Fri, 16 Feb 2018 12:26:38 +0100
+Subject: x86/microcode: Propagate return value from updating functions
+
+... so that callers can know when microcode was updated and act
+accordingly.
+
+Tested-by: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Ashok Raj <ashok.raj@intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Arjan van de Ven <arjan@linux.intel.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20180216112640.11554-2-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/include/asm/microcode.h      |  9 +++++++--
+ arch/x86/kernel/cpu/microcode/amd.c   | 10 +++++-----
+ arch/x86/kernel/cpu/microcode/core.c  | 33 +++++++++++++++++----------------
+ arch/x86/kernel/cpu/microcode/intel.c | 10 +++++-----
+ 4 files changed, 34 insertions(+), 28 deletions(-)
+
+diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h
+index 55520cec..7fb1047 100644
+--- a/arch/x86/include/asm/microcode.h
++++ b/arch/x86/include/asm/microcode.h
+@@ -37,7 +37,12 @@ struct cpu_signature {
+ 
+ struct device;
+ 
+-enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
++enum ucode_state {
++	UCODE_OK	= 0,
++	UCODE_UPDATED,
++	UCODE_NFOUND,
++	UCODE_ERROR,
++};
+ 
+ struct microcode_ops {
+ 	enum ucode_state (*request_microcode_user) (int cpu,
+@@ -54,7 +59,7 @@ struct microcode_ops {
+ 	 * are being called.
+ 	 * See also the "Synchronization" section in microcode_core.c.
+ 	 */
+-	int (*apply_microcode) (int cpu);
++	enum ucode_state (*apply_microcode) (int cpu);
+ 	int (*collect_cpu_info) (int cpu, struct cpu_signature *csig);
+ };
+ 
+diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
+index 330b846..a998e1a 100644
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -498,7 +498,7 @@ static unsigned int verify_patch_size(u8 family, u32 patch_size,
+ 	return patch_size;
+ }
+ 
+-static int apply_microcode_amd(int cpu)
++static enum ucode_state apply_microcode_amd(int cpu)
+ {
+ 	struct cpuinfo_x86 *c = &cpu_data(cpu);
+ 	struct microcode_amd *mc_amd;
+@@ -512,7 +512,7 @@ static int apply_microcode_amd(int cpu)
+ 
+ 	p = find_patch(cpu);
+ 	if (!p)
+-		return 0;
++		return UCODE_NFOUND;
+ 
+ 	mc_amd  = p->data;
+ 	uci->mc = p->data;
+@@ -523,13 +523,13 @@ static int apply_microcode_amd(int cpu)
+ 	if (rev >= mc_amd->hdr.patch_id) {
+ 		c->microcode = rev;
+ 		uci->cpu_sig.rev = rev;
+-		return 0;
++		return UCODE_OK;
+ 	}
+ 
+ 	if (__apply_microcode_amd(mc_amd)) {
+ 		pr_err("CPU%d: update failed for patch_level=0x%08x\n",
+ 			cpu, mc_amd->hdr.patch_id);
+-		return -1;
++		return UCODE_ERROR;
+ 	}
+ 	pr_info("CPU%d: new patch_level=0x%08x\n", cpu,
+ 		mc_amd->hdr.patch_id);
+@@ -537,7 +537,7 @@ static int apply_microcode_amd(int cpu)
+ 	uci->cpu_sig.rev = mc_amd->hdr.patch_id;
+ 	c->microcode = mc_amd->hdr.patch_id;
+ 
+-	return 0;
++	return UCODE_UPDATED;
+ }
+ 
+ static int install_equiv_cpu_table(const u8 *buf)
+diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
+index 319dd65..6fdaf7c 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -374,7 +374,7 @@ static int collect_cpu_info(int cpu)
+ }
+ 
+ struct apply_microcode_ctx {
+-	int err;
++	enum ucode_state err;
+ };
+ 
+ static void apply_microcode_local(void *arg)
+@@ -489,31 +489,29 @@ static void __exit microcode_dev_exit(void)
+ /* fake device for request_firmware */
+ static struct platform_device	*microcode_pdev;
+ 
+-static int reload_for_cpu(int cpu)
++static enum ucode_state reload_for_cpu(int cpu)
+ {
+ 	struct ucode_cpu_info *uci = ucode_cpu_info + cpu;
+ 	enum ucode_state ustate;
+-	int err = 0;
+ 
+ 	if (!uci->valid)
+-		return err;
++		return UCODE_OK;
+ 
+ 	ustate = microcode_ops->request_microcode_fw(cpu, &microcode_pdev->dev, true);
+-	if (ustate == UCODE_OK)
+-		apply_microcode_on_target(cpu);
+-	else
+-		if (ustate == UCODE_ERROR)
+-			err = -EINVAL;
+-	return err;
++	if (ustate != UCODE_OK)
++		return ustate;
++
++	return apply_microcode_on_target(cpu);
+ }
+ 
+ static ssize_t reload_store(struct device *dev,
+ 			    struct device_attribute *attr,
+ 			    const char *buf, size_t size)
+ {
++	enum ucode_state tmp_ret = UCODE_OK;
+ 	unsigned long val;
++	ssize_t ret = 0;
+ 	int cpu;
+-	ssize_t ret = 0, tmp_ret;
+ 
+ 	ret = kstrtoul(buf, 0, &val);
+ 	if (ret)
+@@ -526,15 +524,18 @@ static ssize_t reload_store(struct device *dev,
+ 	mutex_lock(&microcode_mutex);
+ 	for_each_online_cpu(cpu) {
+ 		tmp_ret = reload_for_cpu(cpu);
+-		if (tmp_ret != 0)
++		if (tmp_ret > UCODE_NFOUND) {
+ 			pr_warn("Error reloading microcode on CPU %d\n", cpu);
+ 
+-		/* save retval of the first encountered reload error */
+-		if (!ret)
+-			ret = tmp_ret;
++			/* set retval for the first encountered reload error */
++			if (!ret)
++				ret = -EINVAL;
++		}
+ 	}
+-	if (!ret)
++
++	if (!ret && tmp_ret == UCODE_UPDATED)
+ 		perf_check_microcode();
++
+ 	mutex_unlock(&microcode_mutex);
+ 	put_online_cpus();
+ 
+diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
+index a15db2b..923054a 100644
+--- a/arch/x86/kernel/cpu/microcode/intel.c
++++ b/arch/x86/kernel/cpu/microcode/intel.c
+@@ -772,7 +772,7 @@ static int collect_cpu_info(int cpu_num, struct cpu_signature *csig)
+ 	return 0;
+ }
+ 
+-static int apply_microcode_intel(int cpu)
++static enum ucode_state apply_microcode_intel(int cpu)
+ {
+ 	struct microcode_intel *mc;
+ 	struct ucode_cpu_info *uci;
+@@ -782,7 +782,7 @@ static int apply_microcode_intel(int cpu)
+ 
+ 	/* We should bind the task to the CPU */
+ 	if (WARN_ON(raw_smp_processor_id() != cpu))
+-		return -1;
++		return UCODE_ERROR;
+ 
+ 	uci = ucode_cpu_info + cpu;
+ 	mc = uci->mc;
+@@ -790,7 +790,7 @@ static int apply_microcode_intel(int cpu)
+ 		/* Look for a newer patch in our cache: */
+ 		mc = find_patch(uci);
+ 		if (!mc)
+-			return 0;
++			return UCODE_NFOUND;
+ 	}
+ 
+ 	/* write microcode via MSR 0x79 */
+@@ -801,7 +801,7 @@ static int apply_microcode_intel(int cpu)
+ 	if (rev != mc->hdr.rev) {
+ 		pr_err("CPU%d update to revision 0x%x failed\n",
+ 		       cpu, mc->hdr.rev);
+-		return -1;
++		return UCODE_ERROR;
+ 	}
+ 
+ 	if (rev != prev_rev) {
+@@ -818,7 +818,7 @@ static int apply_microcode_intel(int cpu)
+ 	uci->cpu_sig.rev = rev;
+ 	c->microcode = rev;
+ 
+-	return 0;
++	return UCODE_UPDATED;
+ }
+ 
+ static enum ucode_state generic_load_microcode(int cpu, void *data, size_t size,
+-- 
+cgit v1.1
+
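Review bot: In reload_store() in core.c, the final test "if (!ret &&
tmp_ret == UCODE_UPDATED)" only sees the value left by the last CPU of
for_each_online_cpu(), so an update applied on an earlier CPU is missed
when the last CPU returns UCODE_OK or UCODE_NFOUND, and
perf_check_microcode() is skipped. Record the result in a flag set
inside the loop. The error test "tmp_ret > UCODE_NFOUND" also depends on
UCODE_ERROR staying last in the enum; comparing against UCODE_ERROR
directly would survive a reordering. The "err" member of struct
apply_microcode_ctx now holds an enum ucode_state and its name no longer
matches its content.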
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/02-1008c52c09dcb23d93f8e0ea83a6246265d2cce0.patch intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/02-1008c52c09dcb23d93f8e0ea83a6246265d2cce0.patch
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/02-1008c52c09dcb23d93f8e0ea83a6246265d2cce0.patch	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/02-1008c52c09dcb23d93f8e0ea83a6246265d2cce0.patch	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,90 @@
+From 1008c52c09dcb23d93f8e0ea83a6246265d2cce0 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Fri, 16 Feb 2018 12:26:39 +0100
+Subject: x86/CPU: Add a microcode loader callback
+
+Add a callback function which the microcode loader calls when microcode
+has been updated to a newer revision. Do the callback only when no error
+was encountered during loading.
+
+Tested-by: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Ashok Raj <ashok.raj@intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Arjan van de Ven <arjan@linux.intel.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20180216112640.11554-3-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/include/asm/processor.h     |  1 +
+ arch/x86/kernel/cpu/common.c         | 10 ++++++++++
+ arch/x86/kernel/cpu/microcode/core.c |  8 ++++++--
+ 3 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
+index 1bd9ed8..b0ccd48 100644
+--- a/arch/x86/include/asm/processor.h
++++ b/arch/x86/include/asm/processor.h
+@@ -977,4 +977,5 @@ bool xen_set_default_idle(void);
+ 
+ void stop_this_cpu(void *dummy);
+ void df_debug(struct pt_regs *regs, long error_code);
++void microcode_check(void);
+ #endif /* _ASM_X86_PROCESSOR_H */
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 824aee0..84f1cd8 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -1749,3 +1749,13 @@ static int __init init_cpu_syscore(void)
+ 	return 0;
+ }
+ core_initcall(init_cpu_syscore);
++
++/*
++ * The microcode loader calls this upon late microcode load to recheck features,
++ * only when microcode has been updated. Caller holds microcode_mutex and CPU
++ * hotplug lock.
++ */
++void microcode_check(void)
++{
++	perf_check_microcode();
++}
+diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
+index 6fdaf7c..aa1b9a4 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -509,6 +509,7 @@ static ssize_t reload_store(struct device *dev,
+ 			    const char *buf, size_t size)
+ {
+ 	enum ucode_state tmp_ret = UCODE_OK;
++	bool do_callback = false;
+ 	unsigned long val;
+ 	ssize_t ret = 0;
+ 	int cpu;
+@@ -531,10 +532,13 @@ static ssize_t reload_store(struct device *dev,
+ 			if (!ret)
+ 				ret = -EINVAL;
+ 		}
++
++		if (tmp_ret == UCODE_UPDATED)
++			do_callback = true;
+ 	}
+ 
+-	if (!ret && tmp_ret == UCODE_UPDATED)
+-		perf_check_microcode();
++	if (!ret && do_callback)
++		microcode_check();
+ 
+ 	mutex_unlock(&microcode_mutex);
+ 	put_online_cpus();
+-- 
+cgit v1.1
+
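Review bot: in reload_store() the final test `if (!ret && do_callback)`
skips microcode_check() whenever any CPU reported an error, even though
do_callback records that at least one other CPU did take the update. As
far as the hunk shows, the loop keeps going after an error, so a partial
update is exactly the case where the feature state most needs rechecking.
Either call microcode_check() whenever do_callback is set, or say in the
comment above microcode_check() in common.c why a partially updated system
is left unchecked.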
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/03-42ca8082e260dcfd8afa2afa6ec1940b9d41724c.patch intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/03-42ca8082e260dcfd8afa2afa6ec1940b9d41724c.patch
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/03-42ca8082e260dcfd8afa2afa6ec1940b9d41724c.patch	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/03-42ca8082e260dcfd8afa2afa6ec1940b9d41724c.patch	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,64 @@
+From 42ca8082e260dcfd8afa2afa6ec1940b9d41724c Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Fri, 16 Feb 2018 12:26:40 +0100
+Subject: x86/CPU: Check CPU feature bits after microcode upgrade
+
+With some microcode upgrades, new CPUID features can become visible on
+the CPU. Check what the kernel has mirrored now and issue a warning
+hinting at possible things the user/admin can do to make use of the
+newly visible features.
+
+Originally-by: Ashok Raj <ashok.raj@intel.com>
+Tested-by: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Ashok Raj <ashok.raj@intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Arjan van de Ven <arjan@linux.intel.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: http://lkml.kernel.org/r/20180216112640.11554-4-bp@alien8.de
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+---
+ arch/x86/kernel/cpu/common.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 84f1cd8..348cf48 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -1757,5 +1757,25 @@ core_initcall(init_cpu_syscore);
+  */
+ void microcode_check(void)
+ {
++	struct cpuinfo_x86 info;
++
+ 	perf_check_microcode();
++
++	/* Reload CPUID max function as it might've changed. */
++	info.cpuid_level = cpuid_eax(0);
++
++	/*
++	 * Copy all capability leafs to pick up the synthetic ones so that
++	 * memcmp() below doesn't fail on that. The ones coming from CPUID will
++	 * get overwritten in get_cpu_cap().
++	 */
++	memcpy(&info.x86_capability, &boot_cpu_data.x86_capability, sizeof(info.x86_capability));
++
++	get_cpu_cap(&info);
++
++	if (!memcmp(&info.x86_capability, &boot_cpu_data.x86_capability, sizeof(info.x86_capability)))
++		return;
++
++	pr_warn("x86/CPU: CPU features have changed after loading microcode, but might not take effect.\n");
++	pr_warn("x86/CPU: Please consider either early loading through initrd/built-in or a potential BIOS update.\n");
+ }
+-- 
+cgit v1.1
+
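Review bot: in microcode_check() the on-stack `struct cpuinfo_x86 info;`
is left uninitialised, and only info.cpuid_level and info.x86_capability
are filled in before get_cpu_cap(&info) runs. Nothing in this hunk shows
that get_cpu_cap() reads only those two members, so zero-initialise the
struct or add a comment stating that these are the only inputs it needs.
The two pr_warn() lines would also be more useful to an admin if they said
which capability words differ from boot_cpu_data.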
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/04-854857f5944c59a881ff607b37ed9ed41d031a3b.patch intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/04-854857f5944c59a881ff607b37ed9ed41d031a3b.patch
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/04-854857f5944c59a881ff607b37ed9ed41d031a3b.patch	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/04-854857f5944c59a881ff607b37ed9ed41d031a3b.patch	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,62 @@
+From 854857f5944c59a881ff607b37ed9ed41d031a3b Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 28 Feb 2018 11:28:40 +0100
+Subject: x86/microcode: Get rid of struct apply_microcode_ctx
+
+It is a useless remnant from earlier times. Use the ucode_state enum
+directly.
+
+No functional change.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Tested-by: Ashok Raj <ashok.raj@intel.com>
+Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
+Link: https://lkml.kernel.org/r/20180228102846.13447-2-bp@alien8.de
+---
+ arch/x86/kernel/cpu/microcode/core.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
+index aa1b9a4..6337065 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -373,26 +373,23 @@ static int collect_cpu_info(int cpu)
+ 	return ret;
+ }
+ 
+-struct apply_microcode_ctx {
+-	enum ucode_state err;
+-};
+-
+ static void apply_microcode_local(void *arg)
+ {
+-	struct apply_microcode_ctx *ctx = arg;
++	enum ucode_state *err = arg;
+ 
+-	ctx->err = microcode_ops->apply_microcode(smp_processor_id());
++	*err = microcode_ops->apply_microcode(smp_processor_id());
+ }
+ 
+ static int apply_microcode_on_target(int cpu)
+ {
+-	struct apply_microcode_ctx ctx = { .err = 0 };
++	enum ucode_state err;
+ 	int ret;
+ 
+-	ret = smp_call_function_single(cpu, apply_microcode_local, &ctx, 1);
+-	if (!ret)
+-		ret = ctx.err;
+-
++	ret = smp_call_function_single(cpu, apply_microcode_local, &err, 1);
++	if (!ret) {
++		if (err == UCODE_ERROR)
++			ret = 1;
++	}
+ 	return ret;
+ }
+ 
+-- 
+cgit v1.1
+
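Review bot: the "No functional change" claim does not hold for
apply_microcode_on_target(). Before, a successful cross-call returned
ctx.err, i.e. the ucode_state value itself; now every state except
UCODE_ERROR collapses to 0 and UCODE_ERROR becomes the literal 1.
reload_for_cpu() returns this value as an enum ucode_state and
reload_store() compares it with `tmp_ret == UCODE_UPDATED` and
`tmp_ret > UCODE_NFOUND`, so with the enum order shown in patch 11 (before
UCODE_NEW is inserted) an error reads as UCODE_UPDATED and a real update
reads as UCODE_OK. Return the enum unchanged, or convert the callers in
the same patch and drop the "no functional change" wording.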
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/05-c182d2b7d0ca48e0d6ff16f7d883161238c447ed.patch intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/05-c182d2b7d0ca48e0d6ff16f7d883161238c447ed.patch
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/05-c182d2b7d0ca48e0d6ff16f7d883161238c447ed.patch	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/05-c182d2b7d0ca48e0d6ff16f7d883161238c447ed.patch	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,90 @@
+From c182d2b7d0ca48e0d6ff16f7d883161238c447ed Mon Sep 17 00:00:00 2001
+From: Ashok Raj <ashok.raj@intel.com>
+Date: Wed, 28 Feb 2018 11:28:41 +0100
+Subject: x86/microcode/intel: Check microcode revision before updating sibling
+ threads
+
+After updating microcode on one of the threads of a core, the other
+thread sibling automatically gets the update since the microcode
+resources on a hyperthreaded core are shared between the two threads.
+
+Check the microcode revision on the CPU before performing a microcode
+update and thus save us the WRMSR 0x79 because it is a particularly
+expensive operation.
+
+[ Borislav: Massage changelog and coding style. ]
+
+Signed-off-by: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Tested-by: Ashok Raj <ashok.raj@intel.com>
+Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
+Link: http://lkml.kernel.org/r/1519352533-15992-2-git-send-email-ashok.raj@intel.com
+Link: https://lkml.kernel.org/r/20180228102846.13447-3-bp@alien8.de
+---
+ arch/x86/kernel/cpu/microcode/intel.c | 27 ++++++++++++++++++++++++---
+ 1 file changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
+index 923054a..87bd6dc 100644
+--- a/arch/x86/kernel/cpu/microcode/intel.c
++++ b/arch/x86/kernel/cpu/microcode/intel.c
+@@ -589,6 +589,17 @@ static int apply_microcode_early(struct ucode_cpu_info *uci, bool early)
+ 	if (!mc)
+ 		return 0;
+ 
++	/*
++	 * Save us the MSR write below - which is a particular expensive
++	 * operation - when the other hyperthread has updated the microcode
++	 * already.
++	 */
++	rev = intel_get_microcode_revision();
++	if (rev >= mc->hdr.rev) {
++		uci->cpu_sig.rev = rev;
++		return UCODE_OK;
++	}
++
+ 	/* write microcode via MSR 0x79 */
+ 	native_wrmsrl(MSR_IA32_UCODE_WRITE, (unsigned long)mc->bits);
+ 
+@@ -776,7 +787,7 @@ static enum ucode_state apply_microcode_intel(int cpu)
+ {
+ 	struct microcode_intel *mc;
+ 	struct ucode_cpu_info *uci;
+-	struct cpuinfo_x86 *c;
++	struct cpuinfo_x86 *c = &cpu_data(cpu);
+ 	static int prev_rev;
+ 	u32 rev;
+ 
+@@ -793,6 +804,18 @@ static enum ucode_state apply_microcode_intel(int cpu)
+ 			return UCODE_NFOUND;
+ 	}
+ 
++	/*
++	 * Save us the MSR write below - which is a particular expensive
++	 * operation - when the other hyperthread has updated the microcode
++	 * already.
++	 */
++	rev = intel_get_microcode_revision();
++	if (rev >= mc->hdr.rev) {
++		uci->cpu_sig.rev = rev;
++		c->microcode = rev;
++		return UCODE_OK;
++	}
++
+ 	/* write microcode via MSR 0x79 */
+ 	wrmsrl(MSR_IA32_UCODE_WRITE, (unsigned long)mc->bits);
+ 
+@@ -813,8 +836,6 @@ static enum ucode_state apply_microcode_intel(int cpu)
+ 		prev_rev = rev;
+ 	}
+ 
+-	c = &cpu_data(cpu);
+-
+ 	uci->cpu_sig.rev = rev;
+ 	c->microcode = rev;
+ 
+-- 
+cgit v1.1
+
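Review bot: the new `if (rev >= mc->hdr.rev)` early return in
apply_microcode_early() and apply_microcode_intel() fires for every CPU
that already runs this or a newer revision, not only for a hyperthread
sibling, yet the comment describes only the sibling case. Please reword
the comment to cover both and fix "a particular expensive" to
"a particularly expensive". The block is duplicated verbatim in the two
functions and would read better as one small helper. In
apply_microcode_early(), which is declared `static int` and exits with
`return 0` just above, returning the enum constant UCODE_OK mixes two
conventions in one function.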
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/06-91df9fdf51492aec9fed6b4cbd33160886740f47.patch intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/06-91df9fdf51492aec9fed6b4cbd33160886740f47.patch
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/06-91df9fdf51492aec9fed6b4cbd33160886740f47.patch	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/06-91df9fdf51492aec9fed6b4cbd33160886740f47.patch	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,58 @@
+From 91df9fdf51492aec9fed6b4cbd33160886740f47 Mon Sep 17 00:00:00 2001
+From: Ashok Raj <ashok.raj@intel.com>
+Date: Wed, 28 Feb 2018 11:28:42 +0100
+Subject: x86/microcode/intel: Writeback and invalidate caches before updating
+ microcode
+
+Updating microcode is less error prone when caches have been flushed and
+depending on what exactly the microcode is updating. For example, some
+of the issues around certain Broadwell parts can be addressed by doing a
+full cache flush.
+
+[ Borislav: Massage it and use native_wbinvd() in both cases. ]
+
+Signed-off-by: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Tested-by: Ashok Raj <ashok.raj@intel.com>
+Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
+Link: http://lkml.kernel.org/r/1519352533-15992-3-git-send-email-ashok.raj@intel.com
+Link: https://lkml.kernel.org/r/20180228102846.13447-4-bp@alien8.de
+---
+ arch/x86/kernel/cpu/microcode/intel.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
+index 87bd6dc..e2864bc 100644
+--- a/arch/x86/kernel/cpu/microcode/intel.c
++++ b/arch/x86/kernel/cpu/microcode/intel.c
+@@ -600,6 +600,12 @@ static int apply_microcode_early(struct ucode_cpu_info *uci, bool early)
+ 		return UCODE_OK;
+ 	}
+ 
++	/*
++	 * Writeback and invalidate caches before updating microcode to avoid
++	 * internal issues depending on what the microcode is updating.
++	 */
++	native_wbinvd();
++
+ 	/* write microcode via MSR 0x79 */
+ 	native_wrmsrl(MSR_IA32_UCODE_WRITE, (unsigned long)mc->bits);
+ 
+@@ -816,6 +822,12 @@ static enum ucode_state apply_microcode_intel(int cpu)
+ 		return UCODE_OK;
+ 	}
+ 
++	/*
++	 * Writeback and invalidate caches before updating microcode to avoid
++	 * internal issues depending on what the microcode is updating.
++	 */
++	native_wbinvd();
++
+ 	/* write microcode via MSR 0x79 */
+ 	wrmsrl(MSR_IA32_UCODE_WRITE, (unsigned long)mc->bits);
+ 
+-- 
+cgit v1.1
+
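Review bot: the comment added above both native_wbinvd() calls ("to avoid
internal issues depending on what the microcode is updating") does not
tell a later reader which problem the flush works around. The commit
message names certain Broadwell parts; put that, or the erratum reference,
in the comment. WBINVD writes back and invalidates the whole cache
hierarchy on every CPU that reaches the MSR write, so the comment should
also note that the cost is accepted deliberately. In
apply_microcode_intel() the native_ variant now sits next to a plain
wrmsrl(); a word on why the native call is wanted there would help.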
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/07-30ec26da9967d0d785abc24073129a34c3211777.patch intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/07-30ec26da9967d0d785abc24073129a34c3211777.patch
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/07-30ec26da9967d0d785abc24073129a34c3211777.patch	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/07-30ec26da9967d0d785abc24073129a34c3211777.patch	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,71 @@
+From 30ec26da9967d0d785abc24073129a34c3211777 Mon Sep 17 00:00:00 2001
+From: Ashok Raj <ashok.raj@intel.com>
+Date: Wed, 28 Feb 2018 11:28:43 +0100
+Subject: x86/microcode: Do not upload microcode if CPUs are offline
+
+Avoid loading microcode if any of the CPUs are offline, and issue a
+warning. Having different microcode revisions on the system at any time
+is outright dangerous.
+
+[ Borislav: Massage changelog. ]
+
+Signed-off-by: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Tested-by: Ashok Raj <ashok.raj@intel.com>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
+Link: http://lkml.kernel.org/r/1519352533-15992-4-git-send-email-ashok.raj@intel.com
+Link: https://lkml.kernel.org/r/20180228102846.13447-5-bp@alien8.de
+---
+ arch/x86/kernel/cpu/microcode/core.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
+index 6337065..fa32cb3 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -486,6 +486,16 @@ static void __exit microcode_dev_exit(void)
+ /* fake device for request_firmware */
+ static struct platform_device	*microcode_pdev;
+ 
++static int check_online_cpus(void)
++{
++	if (num_online_cpus() == num_present_cpus())
++		return 0;
++
++	pr_err("Not all CPUs online, aborting microcode update.\n");
++
++	return -EINVAL;
++}
++
+ static enum ucode_state reload_for_cpu(int cpu)
+ {
+ 	struct ucode_cpu_info *uci = ucode_cpu_info + cpu;
+@@ -519,7 +529,13 @@ static ssize_t reload_store(struct device *dev,
+ 		return size;
+ 
+ 	get_online_cpus();
++
++	ret = check_online_cpus();
++	if (ret)
++		goto put;
++
+ 	mutex_lock(&microcode_mutex);
++
+ 	for_each_online_cpu(cpu) {
+ 		tmp_ret = reload_for_cpu(cpu);
+ 		if (tmp_ret > UCODE_NFOUND) {
+@@ -538,6 +554,8 @@ static ssize_t reload_store(struct device *dev,
+ 		microcode_check();
+ 
+ 	mutex_unlock(&microcode_mutex);
++
++put:
+ 	put_online_cpus();
+ 
+ 	if (!ret)
+-- 
+cgit v1.1
+
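Review bot: check_online_cpus() compares only the two counts and the
pr_err() prints neither, so an admin who sees "Not all CPUs online" has to
work out separately how many CPUs are missing. Print num_online_cpus() and
num_present_cpus() in the message. Note also that the writer to the reload
file gets -EINVAL, which normally means a bad argument rather than a
system state that blocks the operation, and that a machine on which CPUs
were taken offline deliberately can no longer late-load at all; both are
worth a sentence in the commit message or in the function comment.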
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/08-d8c3b52c00a05036e0a6b315b4b17921a7b67997.patch intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/08-d8c3b52c00a05036e0a6b315b4b17921a7b67997.patch
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/08-d8c3b52c00a05036e0a6b315b4b17921a7b67997.patch	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/08-d8c3b52c00a05036e0a6b315b4b17921a7b67997.patch	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,54 @@
+From d8c3b52c00a05036e0a6b315b4b17921a7b67997 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 28 Feb 2018 11:28:44 +0100
+Subject: x86/microcode/intel: Look into the patch cache first
+
+The cache might contain a newer patch - look in there first.
+
+A follow-on change will make sure newest patches are loaded into the
+cache of microcode patches.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Tested-by: Ashok Raj <ashok.raj@intel.com>
+Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
+Link: https://lkml.kernel.org/r/20180228102846.13447-6-bp@alien8.de
+---
+ arch/x86/kernel/cpu/microcode/intel.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
+index e2864bc..2aded9d 100644
+--- a/arch/x86/kernel/cpu/microcode/intel.c
++++ b/arch/x86/kernel/cpu/microcode/intel.c
+@@ -791,9 +791,9 @@ static int collect_cpu_info(int cpu_num, struct cpu_signature *csig)
+ 
+ static enum ucode_state apply_microcode_intel(int cpu)
+ {
+-	struct microcode_intel *mc;
+-	struct ucode_cpu_info *uci;
++	struct ucode_cpu_info *uci = ucode_cpu_info + cpu;
+ 	struct cpuinfo_x86 *c = &cpu_data(cpu);
++	struct microcode_intel *mc;
+ 	static int prev_rev;
+ 	u32 rev;
+ 
+@@ -801,11 +801,10 @@ static enum ucode_state apply_microcode_intel(int cpu)
+ 	if (WARN_ON(raw_smp_processor_id() != cpu))
+ 		return UCODE_ERROR;
+ 
+-	uci = ucode_cpu_info + cpu;
+-	mc = uci->mc;
++	/* Look for a newer patch in our cache: */
++	mc = find_patch(uci);
+ 	if (!mc) {
+-		/* Look for a newer patch in our cache: */
+-		mc = find_patch(uci);
++		mc = uci->mc;
+ 		if (!mc)
+ 			return UCODE_NFOUND;
+ 	}
+-- 
+cgit v1.1
+
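Review bot: in apply_microcode_intel() the result of find_patch(uci) now
takes precedence over uci->mc unconditionally, but the hunk never compares
the two revisions. The comment says "Look for a newer patch in our cache",
and the commit message defers the guarantee that the cache holds the
newest patch to a follow-on change, so in this intermediate state a cached
patch older than uci->mc would be chosen. Either pick the higher of the
two hdr.rev values here, or fold this into the follow-on change so that
the ordering assumption and the code that establishes it land together.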
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/09-cfb52a5a09c8ae3a1dafb44ce549fde5b69e8117.patch intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/09-cfb52a5a09c8ae3a1dafb44ce549fde5b69e8117.patch
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/09-cfb52a5a09c8ae3a1dafb44ce549fde5b69e8117.patch	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/09-cfb52a5a09c8ae3a1dafb44ce549fde5b69e8117.patch	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,67 @@
+From cfb52a5a09c8ae3a1dafb44ce549fde5b69e8117 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 28 Feb 2018 11:28:45 +0100
+Subject: x86/microcode: Request microcode on the BSP
+
+... so that any newer version can land in the cache and can later be
+fished out by the application functions. Do that before grabbing the
+hotplug lock.
+
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Tested-by: Ashok Raj <ashok.raj@intel.com>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
+Link: https://lkml.kernel.org/r/20180228102846.13447-7-bp@alien8.de
+---
+ arch/x86/kernel/cpu/microcode/core.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
+index fa32cb3..5dd157d 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -499,15 +499,10 @@ static int check_online_cpus(void)
+ static enum ucode_state reload_for_cpu(int cpu)
+ {
+ 	struct ucode_cpu_info *uci = ucode_cpu_info + cpu;
+-	enum ucode_state ustate;
+ 
+ 	if (!uci->valid)
+ 		return UCODE_OK;
+ 
+-	ustate = microcode_ops->request_microcode_fw(cpu, &microcode_pdev->dev, true);
+-	if (ustate != UCODE_OK)
+-		return ustate;
+-
+ 	return apply_microcode_on_target(cpu);
+ }
+ 
+@@ -515,11 +510,11 @@ static ssize_t reload_store(struct device *dev,
+ 			    struct device_attribute *attr,
+ 			    const char *buf, size_t size)
+ {
++	int cpu, bsp = boot_cpu_data.cpu_index;
+ 	enum ucode_state tmp_ret = UCODE_OK;
+ 	bool do_callback = false;
+ 	unsigned long val;
+ 	ssize_t ret = 0;
+-	int cpu;
+ 
+ 	ret = kstrtoul(buf, 0, &val);
+ 	if (ret)
+@@ -528,6 +523,10 @@ static ssize_t reload_store(struct device *dev,
+ 	if (val != 1)
+ 		return size;
+ 
++	tmp_ret = microcode_ops->request_microcode_fw(bsp, &microcode_pdev->dev, true);
++	if (tmp_ret != UCODE_OK)
++		return size;
++
+ 	get_online_cpus();
+ 
+ 	ret = check_online_cpus();
+-- 
+cgit v1.1
+
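Review bot: in reload_store() the new early exit
`if (tmp_ret != UCODE_OK) return size;` reports success to the writer for
every outcome of request_microcode_fw(), including UCODE_NFOUND and
UCODE_ERROR. Someone scripting `echo 1 > reload` cannot tell a failed
firmware request from a completed reload. Return an error code for the
error states and keep `size` only for the "nothing to do" case. The
commit message should also say that the request is now made once for the
BSP instead of once per CPU, since reload_for_cpu() loses its own request.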
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/10-a5321aec6412b20b5ad15db2d6b916c05349dbff.patch intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/10-a5321aec6412b20b5ad15db2d6b916c05349dbff.patch
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/10-a5321aec6412b20b5ad15db2d6b916c05349dbff.patch	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/10-a5321aec6412b20b5ad15db2d6b916c05349dbff.patch	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,213 @@
+From a5321aec6412b20b5ad15db2d6b916c05349dbff Mon Sep 17 00:00:00 2001
+From: Ashok Raj <ashok.raj@intel.com>
+Date: Wed, 28 Feb 2018 11:28:46 +0100
+Subject: x86/microcode: Synchronize late microcode loading
+
+Original idea by Ashok, completely rewritten by Borislav.
+
+Before you read any further: the early loading method is still the
+preferred one and you should always do that. The following patch is
+improving the late loading mechanism for long running jobs and cloud use
+cases.
+
+Gather all cores and serialize the microcode update on them by doing it
+one-by-one to make the late update process as reliable as possible and
+avoid potential issues caused by the microcode update.
+
+[ Borislav: Rewrite completely. ]
+
+Co-developed-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Ashok Raj <ashok.raj@intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Tested-by: Ashok Raj <ashok.raj@intel.com>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
+Link: https://lkml.kernel.org/r/20180228102846.13447-8-bp@alien8.de
+---
+ arch/x86/kernel/cpu/microcode/core.c | 118 +++++++++++++++++++++++++++--------
+ 1 file changed, 92 insertions(+), 26 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
+index 5dd157d..70ecbc8 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -22,13 +22,16 @@
+ #define pr_fmt(fmt) "microcode: " fmt
+ 
+ #include <linux/platform_device.h>
++#include <linux/stop_machine.h>
+ #include <linux/syscore_ops.h>
+ #include <linux/miscdevice.h>
+ #include <linux/capability.h>
+ #include <linux/firmware.h>
+ #include <linux/kernel.h>
++#include <linux/delay.h>
+ #include <linux/mutex.h>
+ #include <linux/cpu.h>
++#include <linux/nmi.h>
+ #include <linux/fs.h>
+ #include <linux/mm.h>
+ 
+@@ -64,6 +67,11 @@ LIST_HEAD(microcode_cache);
+  */
+ static DEFINE_MUTEX(microcode_mutex);
+ 
++/*
++ * Serialize late loading so that CPUs get updated one-by-one.
++ */
++static DEFINE_SPINLOCK(update_lock);
++
+ struct ucode_cpu_info		ucode_cpu_info[NR_CPUS];
+ 
+ struct cpu_info_ctx {
+@@ -486,6 +494,19 @@ static void __exit microcode_dev_exit(void)
+ /* fake device for request_firmware */
+ static struct platform_device	*microcode_pdev;
+ 
++/*
++ * Late loading dance. Why the heavy-handed stomp_machine effort?
++ *
++ * - HT siblings must be idle and not execute other code while the other sibling
++ *   is loading microcode in order to avoid any negative interactions caused by
++ *   the loading.
++ *
++ * - In addition, microcode update on the cores must be serialized until this
++ *   requirement can be relaxed in the future. Right now, this is conservative
++ *   and good.
++ */
++#define SPINUNIT 100 /* 100 nsec */
++
+ static int check_online_cpus(void)
+ {
+ 	if (num_online_cpus() == num_present_cpus())
+@@ -496,23 +517,85 @@ static int check_online_cpus(void)
+ 	return -EINVAL;
+ }
+ 
+-static enum ucode_state reload_for_cpu(int cpu)
++static atomic_t late_cpus;
++
++/*
++ * Returns:
++ * < 0 - on error
++ *   0 - no update done
++ *   1 - microcode was updated
++ */
++static int __reload_late(void *info)
+ {
+-	struct ucode_cpu_info *uci = ucode_cpu_info + cpu;
++	unsigned int timeout = NSEC_PER_SEC;
++	int all_cpus = num_online_cpus();
++	int cpu = smp_processor_id();
++	enum ucode_state err;
++	int ret = 0;
+ 
+-	if (!uci->valid)
+-		return UCODE_OK;
++	atomic_dec(&late_cpus);
++
++	/*
++	 * Wait for all CPUs to arrive. A load will not be attempted unless all
++	 * CPUs show up.
++	 * */
++	while (atomic_read(&late_cpus)) {
++		if (timeout < SPINUNIT) {
++			pr_err("Timeout while waiting for CPUs rendezvous, remaining: %d\n",
++				atomic_read(&late_cpus));
++			return -1;
++		}
++
++		ndelay(SPINUNIT);
++		timeout -= SPINUNIT;
++
++		touch_nmi_watchdog();
++	}
++
++	spin_lock(&update_lock);
++	apply_microcode_local(&err);
++	spin_unlock(&update_lock);
++
++	if (err > UCODE_NFOUND) {
++		pr_warn("Error reloading microcode on CPU %d\n", cpu);
++		ret = -1;
++	} else if (err == UCODE_UPDATED) {
++		ret = 1;
++	}
+ 
+-	return apply_microcode_on_target(cpu);
++	atomic_inc(&late_cpus);
++
++	while (atomic_read(&late_cpus) != all_cpus)
++		cpu_relax();
++
++	return ret;
++}
++
++/*
++ * Reload microcode late on all CPUs. Wait for a sec until they
++ * all gather together.
++ */
++static int microcode_reload_late(void)
++{
++	int ret;
++
++	atomic_set(&late_cpus, num_online_cpus());
++
++	ret = stop_machine_cpuslocked(__reload_late, NULL, cpu_online_mask);
++	if (ret < 0)
++		return ret;
++	else if (ret > 0)
++		microcode_check();
++
++	return ret;
+ }
+ 
+ static ssize_t reload_store(struct device *dev,
+ 			    struct device_attribute *attr,
+ 			    const char *buf, size_t size)
+ {
+-	int cpu, bsp = boot_cpu_data.cpu_index;
+ 	enum ucode_state tmp_ret = UCODE_OK;
+-	bool do_callback = false;
++	int bsp = boot_cpu_data.cpu_index;
+ 	unsigned long val;
+ 	ssize_t ret = 0;
+ 
+@@ -534,30 +617,13 @@ static ssize_t reload_store(struct device *dev,
+ 		goto put;
+ 
+ 	mutex_lock(&microcode_mutex);
+-
+-	for_each_online_cpu(cpu) {
+-		tmp_ret = reload_for_cpu(cpu);
+-		if (tmp_ret > UCODE_NFOUND) {
+-			pr_warn("Error reloading microcode on CPU %d\n", cpu);
+-
+-			/* set retval for the first encountered reload error */
+-			if (!ret)
+-				ret = -EINVAL;
+-		}
+-
+-		if (tmp_ret == UCODE_UPDATED)
+-			do_callback = true;
+-	}
+-
+-	if (!ret && do_callback)
+-		microcode_check();
+-
++	ret = microcode_reload_late();
+ 	mutex_unlock(&microcode_mutex);
+ 
+ put:
+ 	put_online_cpus();
+ 
+-	if (!ret)
++	if (ret >= 0)
+ 		ret = size;
+ 
+ 	return ret;
+-- 
+cgit v1.1
+
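Review bot: __reload_late() uses the single counter late_cpus for both
rendezvous, and that can hang. A CPU that leaves the first wait loop,
takes update_lock and reaches atomic_inc(&late_cpus) can do so before a
slower CPU has sampled the counter at 0; the slower CPU then never sees 0,
hits the timeout and returns -1 without incrementing, and every other CPU
spins in `while (atomic_read(&late_cpus) != all_cpus)`, which has no
timeout. Use separate counters for entry and exit and bound the second
wait as well. Separately, the bare `return -1` and `ret = -1` travel
through microcode_reload_late() and reload_store() to user space, where
-1 reads as -EPERM; return a real errno instead.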
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/11-2613f36ed965d0e5a595a1d931fd3b480e82d6fd.patch intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/11-2613f36ed965d0e5a595a1d931fd3b480e82d6fd.patch
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/11-2613f36ed965d0e5a595a1d931fd3b480e82d6fd.patch	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/11-2613f36ed965d0e5a595a1d931fd3b480e82d6fd.patch	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,154 @@
+From 2613f36ed965d0e5a595a1d931fd3b480e82d6fd Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 14 Mar 2018 19:36:14 +0100
+Subject: x86/microcode: Attempt late loading only when new microcode is
+ present
+
+Return UCODE_NEW from the scanning functions to denote that new microcode
+was found and only then attempt the expensive synchronization dance.
+
+Reported-by: Emanuel Czirai <xftroxgpx@protonmail.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Emanuel Czirai <xftroxgpx@protonmail.com>
+Tested-by: Ashok Raj <ashok.raj@intel.com>
+Tested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Link: https://lkml.kernel.org/r/20180314183615.17629-1-bp@alien8.de
+---
+ arch/x86/include/asm/microcode.h      |  1 +
+ arch/x86/kernel/cpu/microcode/amd.c   | 34 +++++++++++++++++++++-------------
+ arch/x86/kernel/cpu/microcode/core.c  |  8 +++-----
+ arch/x86/kernel/cpu/microcode/intel.c |  4 +++-
+ 4 files changed, 28 insertions(+), 19 deletions(-)
+
+diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h
+index 7fb1047..6cf0e4c 100644
+--- a/arch/x86/include/asm/microcode.h
++++ b/arch/x86/include/asm/microcode.h
+@@ -39,6 +39,7 @@ struct device;
+ 
+ enum ucode_state {
+ 	UCODE_OK	= 0,
++	UCODE_NEW,
+ 	UCODE_UPDATED,
+ 	UCODE_NFOUND,
+ 	UCODE_ERROR,
+diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
+index a998e1a..4817992 100644
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -339,7 +339,7 @@ int __init save_microcode_in_initrd_amd(unsigned int cpuid_1_eax)
+ 		return -EINVAL;
+ 
+ 	ret = load_microcode_amd(true, x86_family(cpuid_1_eax), desc.data, desc.size);
+-	if (ret != UCODE_OK)
++	if (ret > UCODE_UPDATED)
+ 		return -EINVAL;
+ 
+ 	return 0;
+@@ -683,27 +683,35 @@ static enum ucode_state __load_microcode_amd(u8 family, const u8 *data,
+ static enum ucode_state
+ load_microcode_amd(bool save, u8 family, const u8 *data, size_t size)
+ {
++	struct ucode_patch *p;
+ 	enum ucode_state ret;
+ 
+ 	/* free old equiv table */
+ 	free_equiv_cpu_table();
+ 
+ 	ret = __load_microcode_amd(family, data, size);
+-
+-	if (ret != UCODE_OK)
++	if (ret != UCODE_OK) {
+ 		cleanup();
++		return ret;
++	}
+ 
+-#ifdef CONFIG_X86_32
+-	/* save BSP's matching patch for early load */
+-	if (save) {
+-		struct ucode_patch *p = find_patch(0);
+-		if (p) {
+-			memset(amd_ucode_patch, 0, PATCH_MAX_SIZE);
+-			memcpy(amd_ucode_patch, p->data, min_t(u32, ksize(p->data),
+-							       PATCH_MAX_SIZE));
+-		}
++	p = find_patch(0);
++	if (!p) {
++		return ret;
++	} else {
++		if (boot_cpu_data.microcode == p->patch_id)
++			return ret;
++
++		ret = UCODE_NEW;
+ 	}
+-#endif
++
++	/* save BSP's matching patch for early load */
++	if (!save)
++		return ret;
++
++	memset(amd_ucode_patch, 0, PATCH_MAX_SIZE);
++	memcpy(amd_ucode_patch, p->data, min_t(u32, ksize(p->data), PATCH_MAX_SIZE));
++
+ 	return ret;
+ }
+ 
+diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
+index 70ecbc8..9f0fe5b 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -607,7 +607,7 @@ static ssize_t reload_store(struct device *dev,
+ 		return size;
+ 
+ 	tmp_ret = microcode_ops->request_microcode_fw(bsp, &microcode_pdev->dev, true);
+-	if (tmp_ret != UCODE_OK)
++	if (tmp_ret != UCODE_NEW)
+ 		return size;
+ 
+ 	get_online_cpus();
+@@ -691,10 +691,8 @@ static enum ucode_state microcode_init_cpu(int cpu, bool refresh_fw)
+ 	if (system_state != SYSTEM_RUNNING)
+ 		return UCODE_NFOUND;
+ 
+-	ustate = microcode_ops->request_microcode_fw(cpu, &microcode_pdev->dev,
+-						     refresh_fw);
+-
+-	if (ustate == UCODE_OK) {
++	ustate = microcode_ops->request_microcode_fw(cpu, &microcode_pdev->dev, refresh_fw);
++	if (ustate == UCODE_NEW) {
+ 		pr_debug("CPU%d updated upon init\n", cpu);
+ 		apply_microcode_on_target(cpu);
+ 	}
+diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
+index 2aded9d..32b8e57 100644
+--- a/arch/x86/kernel/cpu/microcode/intel.c
++++ b/arch/x86/kernel/cpu/microcode/intel.c
+@@ -862,6 +862,7 @@ static enum ucode_state generic_load_microcode(int cpu, void *data, size_t size,
+ 	unsigned int leftover = size;
+ 	unsigned int curr_mc_size = 0, new_mc_size = 0;
+ 	unsigned int csig, cpf;
++	enum ucode_state ret = UCODE_OK;
+ 
+ 	while (leftover) {
+ 		struct microcode_header_intel mc_header;
+@@ -903,6 +904,7 @@ static enum ucode_state generic_load_microcode(int cpu, void *data, size_t size,
+ 			new_mc  = mc;
+ 			new_mc_size = mc_size;
+ 			mc = NULL;	/* trigger new vmalloc */
++			ret = UCODE_NEW;
+ 		}
+ 
+ 		ucode_ptr += mc_size;
+@@ -932,7 +934,7 @@ static enum ucode_state generic_load_microcode(int cpu, void *data, size_t size,
+ 	pr_debug("CPU%d found a matching microcode update with version 0x%x (current=0x%x)\n",
+ 		 cpu, new_rev, uci->cpu_sig.rev);
+ 
+-	return UCODE_OK;
++	return ret;
+ }
+ 
+ static int get_ucode_fw(void *to, const void *from, size_t n)
+-- 
+cgit v1.1
+
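Review bot: In the reload_store() hunk of core.c, `if (tmp_ret != UCODE_NEW) return size;` reports the sysfs write as successful for every other state, so an error from request_microcode_fw() looks the same to the writer as "nothing newer was found". Return a negative error code for the failure states, or add a comment saying that swallowing them is intentional. In the amd.c hunk, the `else` after `if (!p) { return ret; }` is redundant and the revision check could sit at function level.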
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/12-bb8c13d61a629276a162c1d2b1a20a815cbcfbb7.patch intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/12-bb8c13d61a629276a162c1d2b1a20a815cbcfbb7.patch
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/12-bb8c13d61a629276a162c1d2b1a20a815cbcfbb7.patch	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/12-bb8c13d61a629276a162c1d2b1a20a815cbcfbb7.patch	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,163 @@
+From bb8c13d61a629276a162c1d2b1a20a815cbcfbb7 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Wed, 14 Mar 2018 19:36:15 +0100
+Subject: x86/microcode: Fix CPU synchronization routine
+
+Emanuel reported an issue with a hang during microcode update because my
+dumb idea to use one atomic synchronization variable for both rendezvous
+- before and after update - was simply bollocks:
+
+  microcode: microcode_reload_late: late_cpus: 4
+  microcode: __reload_late: cpu 2 entered
+  microcode: __reload_late: cpu 1 entered
+  microcode: __reload_late: cpu 3 entered
+  microcode: __reload_late: cpu 0 entered
+  microcode: __reload_late: cpu 1 left
+  microcode: Timeout while waiting for CPUs rendezvous, remaining: 1
+
+CPU1 above would finish, leave and the others will still spin waiting for
+it to join.
+
+So do two synchronization atomics instead, which makes the code a lot more
+straightforward.
+
+Also, since the update is serialized and it also takes quite some time per
+microcode engine, increase the exit timeout by the number of CPUs on the
+system.
+
+That's ok because the moment all CPUs are done, that timeout will be cut
+short.
+
+Furthermore, panic when some of the CPUs timeout when returning from a
+microcode update: we can't allow a system with not all cores updated.
+
+Also, as an optimization, do not do the exit sync if microcode wasn't
+updated.
+
+Reported-by: Emanuel Czirai <xftroxgpx@protonmail.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Emanuel Czirai <xftroxgpx@protonmail.com>
+Tested-by: Ashok Raj <ashok.raj@intel.com>
+Tested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Link: https://lkml.kernel.org/r/20180314183615.17629-2-bp@alien8.de
+---
+ arch/x86/kernel/cpu/microcode/core.c | 68 ++++++++++++++++++++++--------------
+ 1 file changed, 41 insertions(+), 27 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
+index 9f0fe5b..10c4fc2 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -517,7 +517,29 @@ static int check_online_cpus(void)
+ 	return -EINVAL;
+ }
+ 
+-static atomic_t late_cpus;
++static atomic_t late_cpus_in;
++static atomic_t late_cpus_out;
++
++static int __wait_for_cpus(atomic_t *t, long long timeout)
++{
++	int all_cpus = num_online_cpus();
++
++	atomic_inc(t);
++
++	while (atomic_read(t) < all_cpus) {
++		if (timeout < SPINUNIT) {
++			pr_err("Timeout while waiting for CPUs rendezvous, remaining: %d\n",
++				all_cpus - atomic_read(t));
++			return 1;
++		}
++
++		ndelay(SPINUNIT);
++		timeout -= SPINUNIT;
++
++		touch_nmi_watchdog();
++	}
++	return 0;
++}
+ 
+ /*
+  * Returns:
+@@ -527,30 +549,16 @@ static atomic_t late_cpus;
+  */
+ static int __reload_late(void *info)
+ {
+-	unsigned int timeout = NSEC_PER_SEC;
+-	int all_cpus = num_online_cpus();
+ 	int cpu = smp_processor_id();
+ 	enum ucode_state err;
+ 	int ret = 0;
+ 
+-	atomic_dec(&late_cpus);
+-
+ 	/*
+ 	 * Wait for all CPUs to arrive. A load will not be attempted unless all
+ 	 * CPUs show up.
+ 	 * */
+-	while (atomic_read(&late_cpus)) {
+-		if (timeout < SPINUNIT) {
+-			pr_err("Timeout while waiting for CPUs rendezvous, remaining: %d\n",
+-				atomic_read(&late_cpus));
+-			return -1;
+-		}
+-
+-		ndelay(SPINUNIT);
+-		timeout -= SPINUNIT;
+-
+-		touch_nmi_watchdog();
+-	}
++	if (__wait_for_cpus(&late_cpus_in, NSEC_PER_SEC))
++		return -1;
+ 
+ 	spin_lock(&update_lock);
+ 	apply_microcode_local(&err);
+@@ -558,15 +566,22 @@ static int __reload_late(void *info)
+ 
+ 	if (err > UCODE_NFOUND) {
+ 		pr_warn("Error reloading microcode on CPU %d\n", cpu);
+-		ret = -1;
+-	} else if (err == UCODE_UPDATED) {
++		return -1;
++	/* siblings return UCODE_OK because their engine got updated already */
++	} else if (err == UCODE_UPDATED || err == UCODE_OK) {
+ 		ret = 1;
++	} else {
++		return ret;
+ 	}
+ 
+-	atomic_inc(&late_cpus);
+-
+-	while (atomic_read(&late_cpus) != all_cpus)
+-		cpu_relax();
++	/*
++	 * Increase the wait timeout to a safe value here since we're
++	 * serializing the microcode update and that could take a while on a
++	 * large number of CPUs. And that is fine as the *actual* timeout will
++	 * be determined by the last CPU finished updating and thus cut short.
++	 */
++	if (__wait_for_cpus(&late_cpus_out, NSEC_PER_SEC * num_online_cpus()))
++		panic("Timeout during microcode update!\n");
+ 
+ 	return ret;
+ }
+@@ -579,12 +594,11 @@ static int microcode_reload_late(void)
+ {
+ 	int ret;
+ 
+-	atomic_set(&late_cpus, num_online_cpus());
++	atomic_set(&late_cpus_in,  0);
++	atomic_set(&late_cpus_out, 0);
+ 
+ 	ret = stop_machine_cpuslocked(__reload_late, NULL, cpu_online_mask);
+-	if (ret < 0)
+-		return ret;
+-	else if (ret > 0)
++	if (ret > 0)
+ 		microcode_check();
+ 
+ 	return ret;
+-- 
+cgit v1.1
+
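Review bot: The two early returns added to __reload_late() (`return -1;` after the pr_warn and `return ret;` in the final else) leave the function before `__wait_for_cpus(&late_cpus_out, ...)`, so a CPU that takes either path never increments late_cpus_out. Any CPU that does reach the exit rendezvous then waits for a count that cannot reach num_online_cpus() and ends in `panic("Timeout during microcode update!\n")`. Set ret and fall through to the exit wait on every path once the entry rendezvous has succeeded, and note next to the panic that it assumes all CPUs arrive.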
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/13-09e182d17e8891dd73baba961a0f5a82e9274c97.patch intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/13-09e182d17e8891dd73baba961a0f5a82e9274c97.patch
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/13-09e182d17e8891dd73baba961a0f5a82e9274c97.patch	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/13-09e182d17e8891dd73baba961a0f5a82e9274c97.patch	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,59 @@
+From 09e182d17e8891dd73baba961a0f5a82e9274c97 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Sat, 21 Apr 2018 10:19:30 +0200
+Subject: x86/microcode: Do not exit early from __reload_late()
+
+Vitezslav reported a case where the
+
+  "Timeout during microcode update!"
+
+panic would hit. After a deeper look, it turned out that his .config had
+CONFIG_HOTPLUG_CPU disabled which practically made save_mc_for_early() a
+no-op.
+
+When that happened, the discovered microcode patch wasn't saved into the
+cache and the late loading path wouldn't find any.
+
+This, then, lead to early exit from __reload_late() and thus CPUs waiting
+until the timeout is reached, leading to the panic.
+
+In hindsight, that function should have been written so it does not return
+before the post-synchronization. Oh well, I know better now...
+
+Fixes: bb8c13d61a62 ("x86/microcode: Fix CPU synchronization routine")
+Reported-by: Vitezslav Samel <vitezslav@samel.cz>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Vitezslav Samel <vitezslav@samel.cz>
+Tested-by: Ashok Raj <ashok.raj@intel.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180418081140.GA2439@pc11.op.pod.cz
+Link: https://lkml.kernel.org/r/20180421081930.15741-2-bp@alien8.de
+---
+ arch/x86/kernel/cpu/microcode/core.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
+index 10c4fc2..77e2013 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -564,14 +564,12 @@ static int __reload_late(void *info)
+ 	apply_microcode_local(&err);
+ 	spin_unlock(&update_lock);
+ 
++	/* siblings return UCODE_OK because their engine got updated already */
+ 	if (err > UCODE_NFOUND) {
+ 		pr_warn("Error reloading microcode on CPU %d\n", cpu);
+-		return -1;
+-	/* siblings return UCODE_OK because their engine got updated already */
++		ret = -1;
+ 	} else if (err == UCODE_UPDATED || err == UCODE_OK) {
+ 		ret = 1;
+-	} else {
+-		return ret;
+ 	}
+ 
+ 	/*
+-- 
+cgit v1.1
+
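Review bot: The comment "siblings return UCODE_OK because their engine got updated already" now sits above `if (err > UCODE_NFOUND)`, which is the error branch, while it explains the `err == UCODE_UPDATED || err == UCODE_OK` test two lines further down. Move it inside that else-if branch. A short comment near `ret = -1;` stating that the function must not return before the exit rendezvous would also record the lesson from the commit message where the next editor will see it.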
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/14-84749d83758af6576552046b215b9b7f37f9556b.patch intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/14-84749d83758af6576552046b215b9b7f37f9556b.patch
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/14-84749d83758af6576552046b215b9b7f37f9556b.patch	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/14-84749d83758af6576552046b215b9b7f37f9556b.patch	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,48 @@
+From 84749d83758af6576552046b215b9b7f37f9556b Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Sat, 21 Apr 2018 10:19:29 +0200
+Subject: x86/microcode/intel: Save microcode patch unconditionally
+
+save_mc_for_early() was a no-op on !CONFIG_HOTPLUG_CPU but the
+generic_load_microcode() path saves the microcode patches it has found into
+the cache of patches which is used for late loading too. Regardless of
+whether CPU hotplug is used or not.
+
+Make the saving unconditional so that late loading can find the proper
+patch.
+
+Reported-by: Vitezslav Samel <vitezslav@samel.cz>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Vitezslav Samel <vitezslav@samel.cz>
+Tested-by: Ashok Raj <ashok.raj@intel.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180418081140.GA2439@pc11.op.pod.cz
+Link: https://lkml.kernel.org/r/20180421081930.15741-1-bp@alien8.de
+---
+ arch/x86/kernel/cpu/microcode/intel.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
+index 32b8e57..1c2cfa0 100644
+--- a/arch/x86/kernel/cpu/microcode/intel.c
++++ b/arch/x86/kernel/cpu/microcode/intel.c
+@@ -485,7 +485,6 @@ static void show_saved_mc(void)
+  */
+ static void save_mc_for_early(u8 *mc, unsigned int size)
+ {
+-#ifdef CONFIG_HOTPLUG_CPU
+ 	/* Synchronization during CPU hotplug. */
+ 	static DEFINE_MUTEX(x86_cpu_microcode_mutex);
+ 
+@@ -495,7 +494,6 @@ static void save_mc_for_early(u8 *mc, unsigned int size)
+ 	show_saved_mc();
+ 
+ 	mutex_unlock(&x86_cpu_microcode_mutex);
+-#endif
+ }
+ 
+ static bool load_builtin_intel_microcode(struct cpio_data *cp)
+-- 
+cgit v1.1
+
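Review bot: With the `#ifdef CONFIG_HOTPLUG_CPU` guard removed from save_mc_for_early(), the remaining comment `/* Synchronization during CPU hotplug. */` on x86_cpu_microcode_mutex no longer matches when the lock is taken, since the function body is now built on every configuration and, per the commit message, the saved cache also serves late loading. Update the comment to say what the mutex protects.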
diff -Nru intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/patch-readme intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/patch-readme
--- intel-microcode-3.20170707.1~deb8u1/linux-kernel-patches/patch-readme	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/linux-kernel-patches/patch-readme	2018-05-18 09:36:54.000000000 -0300
@@ -0,0 +1,17 @@
+This directory has a list of kernel patches required to quiese all logical
+cpus during a live update of microcode after system is booted.
+
+The patches are organized in sequence required. All of them are already upstream
+the patches are provided here as reference.
+
+xx-<commit-id>.patch
+
+where xx is the patch to apply in order. commit-id identifies the commit-id
+in linux upstream.
+
+You can identify which release has those patches included by using
+
+git describe --contains <commit-id>
+
+At the time of this release, the patches are integrated in all stable releases
+except 4.9 and 4.4, as the backport work is still in progress.
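Review bot: The first line misspells "quiesce" as "quiese", and the second paragraph runs two sentences together ("All of them are already upstream the patches are provided here as reference"). The closing statement about 4.9 and 4.4 refers to "this release" without naming it; putting the release identifier in that sentence would keep it meaningful once the file is read out of context.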
diff -Nru intel-microcode-3.20170707.1~deb8u1/Makefile intel-microcode-3.20180425.1~deb8u1/Makefile
--- intel-microcode-3.20170707.1~deb8u1/Makefile	2017-07-08 18:32:08.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/Makefile	2018-05-18 09:36:54.000000000 -0300
@@ -63,8 +63,9 @@
 # Keep sorting order predictable or things will break
 export LC_COLLATE=C
 
-MICROCODE_REG_SOURCES := $(sort $(wildcard microcode-*.dat microcode-*.bin))
-MICROCODE_SUP_SOURCES := $(wildcard supplementary-ucode-*.bin)
+MICROCODE_REG_DBIN    := $(patsubst microcode-%.d/,microcode-%.dbin,$(wildcard microcode-*.d/))
+MICROCODE_REG_SOURCES := $(sort $(wildcard microcode-*.dat microcode-*.bin) $(MICROCODE_REG_DBIN))
+MICROCODE_SUP_SOURCES := $(wildcard supplementary-ucode-*.bin supplementary-ucode-*.d/)
 MICROCODE_OVERRIDES   := $(wildcard *.fw)
 
 MICROCODE_FINAL_REG_SOURCES :=
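Review bot: MICROCODE_SUP_SOURCES now picks up supplementary-ucode-*.d/ directories as they are, while microcode-*.d/ directories are first mapped to microcode-%.dbin through MICROCODE_REG_DBIN. Nothing next to these assignments explains the different treatment; add a one-line comment saying why supplementary directories need no preprocessing, or route them through the same .dbin step.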
@@ -72,7 +73,7 @@
 	MICROCODE_FINAL_REG_SOURCES += microcode-oldies.pbin
 endif
 ifneq ($(IUC_INCLUDE),)
-	MICROCODE_FINAL_REG_SOURCES += microcode-extras.pbin
+	MICROCODE_FINAL_REG_SOURCES += microcode-includes.pbin
 endif
 MICROCODE_FINAL_REG_SOURCES += $(lastword $(MICROCODE_REG_SOURCES))
 
@@ -87,6 +88,18 @@
 
 all: intel-microcode.bin intel-microcode-64.bin
 
+# When processing a directory that contains a single upstream
+# microcode release (split over many binary microcode files), we need
+# to group it into a single (temporary) bundle for downgrade mode to
+# work as expected.  Using iucode_tool (in the default --no-downgrade
+# mode) to generate the temporary bundle ensures reproducibility,
+# since it will sort out any conflicts in a predictable way.
+
+microcode-%.dbin: microcode-%.d/
+	@echo
+	@echo Preprocessing microcode directory $^ into $@...
+	@$(IUCODE_TOOL) $(IUC_FLAGS) --overwrite -w "$@" $^
+
 # When looking for "old" microcodes that we should ship even if they
 # are not in the latest regular microcode bundle anymore, we use a
 # date filter to select *signatures* of microcodes that should be
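Review bot: The prerequisite of `microcode-%.dbin: microcode-%.d/` is a directory, so make compares against the directory's timestamp, which changes when entries are added or removed but not when an existing file inside is rewritten in place. In a reused build tree a stale .dbin can therefore survive a changed microcode file; depend on the files inside the directory, or document that a `make clean` is required after touching them. The recipe also passes `$^` unquoted while `$@` is quoted.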
@@ -103,9 +116,9 @@
 		$(IUC_OLDIES_SELECT) $(IUC_OLDIES_EXCLUDE) \
 		--loose-date-filtering --downgrade --overwrite -w "$@" $^
 
-microcode-extras.pbin: $(MICROCODE_REG_SOURCES)
+microcode-includes.pbin: $(MICROCODE_REG_SOURCES)
 	@echo
-	@echo Preprocessing extra regular microcode...
+	@echo Preprocessing force-included regular microcode...
 	@$(IUCODE_TOOL) $(IUC_FLAGS) -s! $(IUC_INCLUDE) \
 		--downgrade --overwrite -w "$@" $^
 
@@ -114,13 +127,13 @@
 # microcodes must have the same precedence.  We use two intermediate
 # bundles for this.
 #
-# The oldies and extra microcodes are bundled together with the latest
-# regular microcode bundle in microcode-regular.pbin.  The precedence
-# order for downgrading is:
+# The oldies and force-included microcodes are bundled together with
+# the latest regular microcode bundle in microcode-regular.pbin.  The
+# precedence order for downgrading is:
 #
-#     oldies < extra < latest regular microcode bundle
+#     oldies < includes < latest regular microcode bundle
 #
-# The precedence order won't matter for oldies and extra as they
+# The precedence order won't matter for oldies and includes, as they
 # either have different microcode, or microcode with the same
 # revision.
 #
@@ -167,6 +180,7 @@
 distclean: clean
 clean:
 	rm -f intel-microcode-64.bin intel-microcode.bin
-	rm -f microcode-overrides.pbin microcode-oldies.pbin microcode-extras.pbin microcode-regular.pbin microcode-aux.pbin
+	rm -f microcode-overrides.pbin microcode-oldies.pbin microcode-includes.pbin microcode-regular.pbin microcode-aux.pbin
+	rm -f microcode-*.dbin
 
 .PHONY: clean
diff -Nru intel-microcode-3.20170707.1~deb8u1/releasenote intel-microcode-3.20180425.1~deb8u1/releasenote
--- intel-microcode-3.20170707.1~deb8u1/releasenote	2017-07-08 20:18:26.000000000 -0300
+++ intel-microcode-3.20180425.1~deb8u1/releasenote	2018-05-18 09:36:54.000000000 -0300
@@ -1,31 +1,67 @@
 Intel Processor Microcode Package for Linux
-20170707 Release
 
--- New Platforms --
-KBL H0 (06-8e-09:c0) 62
-KBL Y0 (06-8e-0a:c0) 66
-KBL B0 (06-9e-09:2a) 5e
-SKX H0 (06-55-04:97) 2000022
-
--- Microcode update instructions --
-This package contains Intel microcode files in two formats:
-* microcode.dat
-* intel-ucode directory 
-
-microcode.dat is in a traditional text format. It is still used in some
-Linux distributions. It can be updated to the system through the old microcode
-update interface which is avaialble in the kernel with
-CONFIG_MICROCODE_OLD_INTERFACE=y.
-
-To update the microcode.dat to the system, one need:
-1. Ensure the existence of /dev/cpu/microcode
-2. Write microcode.dat to the file, e.g.
-  dd if=microcode.dat of=/dev/cpu/microcode bs=1M
-
-intel-ucode dirctory contains binary microcode files named in
+CPU microcode is a mechanism to correct certain errata in existing systems.
+The normal preferred method to apply microcode updates is using the system
+BIOS, but for a subset of Intel's processors this can be done at runtime 
+using the operating system. This package contains those processors that 
+support OS loading of microcode updates.
+
+The target user for this package are OS vendors such as Linux distributions
+for inclusion in their OS releases. Intel recommends getting the microcode
+using the OS vendor update mechanism. Expert users can of course update their
+microcode directly outside the OS vendor mechanism. This method is complex and
+thus could be error prone.
+
+Microcode is best loaded from the BIOS. Certain microcode must only be applied
+from the BIOS. Such processor microcode updates are never packaged in this
+package since they are not appropriate for OS distribution. An OEM may receive
+microcode packages that might be a superset of what is contained in this
+package.
+
+OS vendors may choose to also update microcode that kernel can consume for early
+loading. For e.g. Linux can update processor microcode very early in the kernel 
+boot sequence. In situations when the BIOS update isn't available, early loading
+is the next best alternative to updating processor microcode. Microcode states
+are reset on a power reset, hence its required to be updated everytime during 
+boot process.
+
+Loading microcode using the initrd method is recommended so that the microcode 
+is loaded at the earliest time for best coverage. Systems that cannot tolerate 
+downtime may use the late reload method to update a running system without a
+reboot.
+
+== About Processor Signature, Family, Model, Stepping and Platform ID ==
+Processor signature is a number identifying the model and version of a
+Intel processor. It can be obtained using the CPUID instruction, and can
+also be obtained via the command lscpu or from the content of /proc/cpuinfo.
+It's usually presented as 3 fields: Family, Model and Stepping
+(In the table of updates below, they are shorten as F, MO and S).
+
+The width of Family/Model/Stepping is 12/8/4bit, but when arranged in the
+32bit processor signature raw data is like 0FFM0FMS, hexadecimal.
+e.g. if a processor signature is 0x000906eb, it means
+Family=0x006, Model=0x9e and Stepping=0xb
+
+A processor product can be implemented for multiple types of platforms,
+So in MSR(17H), Intel processors have a 3bit Platform ID field,
+that can specify a platform type from at most 8 types.
+A microcode file for a specified processor model can support multiple
+platforms, so the Platform ID of a microcode (shorten as PI in the table)
+is a 8bit mask, each set bit indicates a platform type that it supports.
+One can find the platform ID on Linux using rdmsr from msr-tools.
+
+== Microcode update instructions ==
+-- intel-ucode/ --
+intel-ucode directory contains binary microcode files named in
 family-model-stepping pattern. The file is supported in most modern Linux
 distributions. It's generally located in the /lib/firmware directory,
-and can be updated throught the microcode reload interface.
+and can be updated through the microcode reload interface.
+
+To update early loading initrd, consult your distribution on how to package
+microcode files for early loading. Some distros use update-initramfs or dracut.
+As recommended above, please use the OS vendors are recommended method to ensure 
+microcode file is updated for early loading before attempting the late-load 
+procedure below.
 
 To update the intel-ucode package to the system, one need:
 1. Ensure the existence of /sys/devices/system/cpu/microcode/reload
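Review bot: The sentence "please use the OS vendors are recommended method to ensure microcode file is updated for early loading before attempting the late-load procedure below" is garbled at the one place where the order of operations matters. Reword it to "the OS vendor's recommended method" and state the ordering as its own step ahead of the numbered late-load list. Minor: "shorten as" should read "shortened as" in both places, and "its required to be updated everytime" needs "it is" and "every time".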
@@ -33,3 +69,28 @@
 /lib/firmware/intel-ucode/
 3. Write the reload interface to 1 to reload the microcode files, e.g.
   echo 1 > /sys/devices/system/cpu/microcode/reload
+
+If you are using the OS vendor method to update microcode, the above steps may
+have been done automatically during the update process.
+
+-- intel-ucode-with-caveats/ --
+This directory holds microcode that might need special handling.
+BDX-ML microcode is provided in directory, because it need special commits in
+the Linux kernel, otherwise, updating it might result in unexpected system
+behavior. 
+
+OS vendors must ensure that the late loader patches (provided in
+linux-kernel-patches\) are included in the distribution before packaging the
+BDX-ML microcode for late-loading.
+
+== 20180425 Release ==
+-- Updates upon 20180312 release --
+Processor             Identifier     Version       Products
+Model        Stepping F-MO-S/PI      Old->New
+---- updated platforms ------------------------------------
+GLK          B0       6-7a-1/01 0000001e->00000022 Pentium Silver N/J5xxx, Celeron N/J4xxx
+---- removed platforms ------------------------------------
+BDX-ML       B/M/R0   6-4f-1/ef 0b000021           Xeon E5/E7 v4; Core i7-69xx/68xx
+
+-- Special release with caveats --
+BDX-ML       B/M/R0   6-4f-1/ef           0b00002c Xeon E5/E7 v4; Core i7-69xx/68xx
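Review bot: The intel-ucode-with-caveats/ paragraph warns of "unexpected system behavior" without saying that the concern is late loading; that only becomes clear in the following paragraph about the late loader patches. Say so in the first paragraph, fix "is provided in directory, because it need" to "is provided in this directory because it needs", and write the path as linux-kernel-patches/ rather than `linux-kernel-patches\)` with a backslash.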
