
Bug#920632: stretch-pu: package intel-microcode/3.20180807a.2~deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Please update the intel-microcode package in stable (stretch) to version
3.20180807a.2~deb9u1.  This is a limited security update that affects
Intel Westmere EP processors only.

It has been tested for several months in unstable, testing, and
backports.  Also, other distros have been shipping it for months and I
could not find any issue reported.

The source debdiff is attached, and the binary debdiff is also attached.
The changes are very minimal; they just enable shipping the microcode
update for Westmere EP.

Reasoning for this update is included in the Debian changelog,
reproduced below:

* Release managers:
  This update is being distributed by Debian in unstable, testing and
  jessie- and stretch-backports since 2018-10-30 without issues, and by
  most distros since 2018-08/2018-09, with no known reports of
  regressions on Westmere EP processors (Spectre mitigations are very
  expensive on Nehalem and Westmere, though).
* SECURITY FIX: this update adds the accumulated fixes for Westmere EP
  (signature 0x206c2) from nearly a decade, including but likely not
  limited to:
  + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation)
    Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646
  + Implements SSBD support (Spectre v4 mitigation),
    Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix)
    Intel SA-00115, CVE-2018-3639, CVE-2018-3640
  + Implements IBRS/IBPB/STIBP support, Spectre v2 mitigation.
    Intel SA-0088, CVE-2017-5753, CVE-2017-5754
  + Very likely implements LAPIC sinkhole fix
  + Fixes AAK167/BT248: Virtual APIC accesses with 32-bit PAE paging
    may cause system crash
* This Westmere EP microcode update has been explicitly approved by
  Intel for general distribution by operating systems; refer to the
  changelog entry for 3.20180807a.2 below.

Thank you!

-- 
  Henrique Holschuh
diff -Nru intel-microcode-3.20180807a.1~deb9u1/debian/changelog intel-microcode-3.20180807a.2~deb9u1/debian/changelog
--- intel-microcode-3.20180807a.1~deb9u1/debian/changelog	2018-09-15 00:53:22.000000000 -0300
+++ intel-microcode-3.20180807a.2~deb9u1/debian/changelog	2019-01-27 13:07:47.000000000 -0200
@@ -1,3 +1,40 @@
+intel-microcode (3.20180807a.2~deb9u1) unstable; urgency=medium
+
+  * Release managers:
+    This update is being distributed by Debian in unstable, testing and
+    jessie- and stretch-backports since 2018-10-30 without issues, and by
+    most distros since 2018-08/2018-09, with no known reports of
+    regressions on Westmere EP processors (Spectre mitigations are very
+    expensive on Nehalem and Westmere, though).
+  * SECURITY FIX: this update adds the accumulated fixes for Westmere EP
+    (signature 0x206c2) from nearly a decade, including but likely not
+    limited to:
+    + Implements L1D_FLUSH support (L1TF "Foreshadow/-NG" mitigation)
+      Intel SA-00161, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646
+    + Implements SSBD support (Spectre v4 mitigation),
+      Disable speculation for (some) RDMSR/WRMSR (Spectre v3a fix)
+      Intel SA-00115, CVE-2018-3639, CVE-2018-3640
+    + Implements IBRS/IBPB/STIPB support, Spectre v2 mitigation.
+      Intel SA-0088, CVE-2017-5753, CVE-2017-5754
+    + Very likely implements LAPIC sinkhole fix
+    + Fixes AAK167/BT248: Virtual APIC accesses with 32-bit PAE paging
+      may cause system crash
+  * This Westmere EP microcode update has been explicitly approved by
+    Intel for general distribution by operating systems, refer to the
+    changelog entry for 3.20180807a.2 below
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sun, 27 Jan 2019 13:07:47 -0200
+
+intel-microcode (3.20180807a.2) unstable; urgency=medium
+
+  * Makefile: unblacklist 0x206c2 (Westmere EP)
+    According to pragyansri.pathi@intel.com, on message to LP#1795594
+    on 2018-10-09, we can ship 0x206c2 updates without restrictions.
+    Also, there are no reports in the field about this update causing
+    issues (closes: #907402) (LP: #1795594)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Tue, 23 Oct 2018 19:52:40 -0300
+
 intel-microcode (3.20180807a.1~deb9u1) stretch-security; urgency=high
 
   * Upload to Debian stretch (no changes)
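Review bot: the new 3.20180807a.2~deb9u1 entry names `unstable` as its distribution (`intel-microcode (3.20180807a.2~deb9u1) unstable; urgency=medium`) while the entry below it, which went through stretch-security, names `stretch-security`; for a stretch-pu upload the distribution field should be `stretch`, otherwise the upload is aimed at the wrong suite. Two smaller points in the same entry: `STIPB` should read `STIBP`, and `Intel SA-0088` has one digit fewer than the other advisories listed in the entry (`SA-00161`, `SA-00115`), so the advisory number should be double-checked before this lands in stable.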
diff -Nru intel-microcode-3.20180807a.1~deb9u1/Makefile intel-microcode-3.20180807a.2~deb9u1/Makefile
--- intel-microcode-3.20180807a.1~deb9u1/Makefile	2018-08-24 08:10:09.000000000 -0300
+++ intel-microcode-3.20180807a.2~deb9u1/Makefile	2019-01-27 10:04:48.000000000 -0200
@@ -31,27 +31,6 @@
 # 0x106c0: alpha hardware, seen in a very very old microcode data file
 IUC_EXCLUDE += -s !0x106c0
 
-# 0x206c2: Intel Westmere B1 (Xeon 3600, 5600, Core i7 2nd gen).
-#
-# When Intel released a fix for Intel SA-00030, they issued a MCU that
-# bumps the minimum acceptable version of the Intel TXT ACMs in the
-# TPM persistent storage.  This permanently blacklists the vulnerable
-# ACMs *even on older microcode* in order to make it somewhat harder
-# to work around the security fix through a BIOS downgrade attack.
-#
-# It is possible that such a microcode update, when peformed by the
-# operating system, could sucessfully trigger the TPM persistent
-# storage update Intel intended to happen during firmware boot: we
-# simply don't know enough to rule it out.  Should that happen, Intel
-# TXT will be permanently disabled.  This could easily interact very
-# badly with the firmware, rendering the system unbootable.  If *that*
-# happens, it would likely require either a TPM module replacement
-# (rendering sealed data useless) or a direct flash of a new BIOS with
-# updated ACMs, to repair.
-#
-# Blacklist updates for signature 0x206c2 as a safety net.
-IUC_EXCLUDE += -s !0x206c2
-
 # INCLUDING MICROCODES:
 #
 # This should be used to add a microcode from any of the regular
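Review bot: the hunk drops the entire comment block explaining why 0x206c2 was excluded (the Intel SA-00030 TXT ACM version bump and the risk of permanently disabling TXT or leaving the firmware unbootable) without leaving any trace in the Makefile of why the exclusion was lifted; that rationale only survives in the changelog, which cites Intel's approval via LP#1795594. Suggest replacing the removed block with a short comment rather than nothing, e.g. `# 0x206c2: Intel Westmere EP, previously excluded over Intel SA-00030 TXT ACM concerns;` and `# unblacklisted after Intel approved unrestricted OS distribution (LP: #1795594).`, so the next person editing IUC_EXCLUDE sees the history without digging through the changelog.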
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .changes but not in first
-----------------------------------------
-rw-r--r--  root/root   /lib/firmware/intel-ucode/06-2c-02

Control files of package intel-microcode: lines which differ (wdiff format)
---------------------------------------------------------------------------
Installed-Size: [-1830-] {+1842+}
Version: [-3.20180807a.1~deb9u1-] {+3.20180807a.2~deb9u1+}
