Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu

Please approve an update of intel-microcode in non-free stable (wheezy),
to version 1.20140913.1.

Intel released on 2014-09-13 a new microcode update package, which targets
their Haswell processors (server, mobile and desktop).

The 2014-09-13 microcode update is in unstable since 2014-10-19, and in
jessie since 2014-10-30.  No issues were reported.

This update, among other errata fixes we know nothing about (as usual),
disables Intel TSX instructions.  As it was widely published, Intel TSX
instructions in the Haswell microarchitecture are subject to a critical
erratum that can cause unpredictable system behavior once they're used.

It is important to update the microcode of Intel Haswell system processors
even on Debian stable systems, because without the update any third-party
code could issue an Intel TSX instruction and trigger the erratum (some sort
of L1 cache malfunction).  And that's just the one erratum we know for sure
this microcode update addresses; it could be fixing other errata as well.
There is no shortage of them in Haswell and Haswell-E.

For future-proofing and safety, this package update removes support for
*automated* microcode updates outside of the initramfs, and adds a safety
layer that ensures any such microcode update will only be applied by direct
action of the local admin.  This is *much* safer in this new world of Intel
microcode updates that cause visible changes to the ISA (instruction set
architecture).

The changes are thoroughly documented by the NEWS entry and the package
README.Debian.  The postinst script also informs the admin that he must
reboot to apply the microcode update.

As usual, I've attached an abridged debdiff to remove the noise related to
the upstream microcode data file changes.

diffstat (for the complete debdiff):
 changelog                       |    9 
 debian/README.Debian            |   14 
 debian/changelog                |   23 
 debian/intel-microcode.NEWS     |   16 
 debian/intel-microcode.kpreinst |   16 
 debian/intel-microcode.postinst |   38 
 debian/rules                    |   10 
 debian/ucode-blacklist.txt      |    7 
 microcode-20140624.dat          |38773 --------------------------------------
 microcode-20140913.dat          |40694 ++++++++++++++++++++++++++++++++++++++++
 10 files changed, 40790 insertions(+), 38810 deletions(-)

diffstat (for the abridged debdiff):
 changelog                       |    9 +++++++++
 debian/README.Debian            |   14 ++++++++++++++
 debian/changelog                |   23 +++++++++++++++++++++++
 debian/intel-microcode.NEWS     |   16 ++++++++++++++++
 debian/intel-microcode.kpreinst |   16 +++++++---------
 debian/intel-microcode.postinst |   38 ++++++++++----------------------------
 debian/rules                    |   10 ++++++++++
 debian/ucode-blacklist.txt      |    7 +++++++
 8 files changed, 96 insertions(+), 37 deletions(-)

Thank you.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
diff -Nru intel-microcode-1.20140624.1/changelog intel-microcode-1.20140913.1/changelog
--- intel-microcode-1.20140624.1/changelog	2014-06-27 16:58:54.000000000 -0300
+++ intel-microcode-1.20140913.1/changelog	2014-10-30 16:14:19.000000000 -0200
@@ -1,3 +1,12 @@
+2014-09-13:
+  * New Microcodes:
+    sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672
+
+  * Updated Microcodes:
+    sig 0x000306c3, pf mask 0x32, 2014-07-03, rev 0x001c, size 21504
+    sig 0x00040651, pf mask 0x72, 2014-07-03, rev 0x001c, size 20480
+    sig 0x00040661, pf mask 0x32, 2014-07-03, rev 0x0012, size 23552
+
 2014-06-24:
   * Updated Microcodes:
     sig 0x000306a9, pf mask 0x12, 2014-05-29, rev 0x001b, size 12288
diff -Nru intel-microcode-1.20140624.1/debian/changelog intel-microcode-1.20140913.1/debian/changelog
--- intel-microcode-1.20140624.1/debian/changelog	2014-06-27 17:00:55.000000000 -0300
+++ intel-microcode-1.20140913.1/debian/changelog	2014-12-18 16:31:28.000000000 -0200
@@ -1,3 +1,26 @@
+intel-microcode (1.20140913.1) stable; urgency=low
+
+  * New upstream microcode data file 20140913
+    + New Microcodes:
+      sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672
+    + Updated Microcodes:
+      sig 0x000306c3, pf mask 0x32, 2014-07-03, rev 0x001c, size 21504
+      sig 0x00040651, pf mask 0x72, 2014-07-03, rev 0x001c, size 20480
+      sig 0x00040661, pf mask 0x32, 2014-07-03, rev 0x0012, size 23552
+    + WARNING: UNSAFE TO BE APPLIED AT RUNTIME (lp#1370352)
+  * Microcode updates are now applied only through the initramfs
+    + postinst: don't apply microcode update
+    + kernel preinst: stop loading microcode module
+    + modprobe.d: blacklist microcode module from autoloading outside
+      of the initramfs
+  * add a microcode best-effort blacklist.  This is a reactive blacklist
+    which renames problematic microcode data files in such a way they
+    will only be used for the initramfs.  Use it to blacklist all
+    Haswell microcode updates
+  * source: remove superseded upstream data file: 20140624
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Fri, 24 Oct 2014 19:01:18 -0200
+
 intel-microcode (1.20140624.1) stable; urgency=high
 
   * New upstream microcode data file 20140624
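Review bot: the bullet "modprobe.d: blacklist microcode module from autoloading outside of the initramfs" names a file that appears nowhere in the debdiff: neither diffstat lists a modprobe.d fragment and the debian/rules hunk does not install one, so a reviewer cannot confirm that the autoload blacklist is actually shipped. Include the fragment in the abridged debdiff, or say in the cover letter where it comes from. Minor: this entry is urgency=low while the previous stable entry (1.20140624.1) was urgency=high; if low is intentional for an update that disables TSX to dodge a "critical" erratum, a word in the cover letter would help.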
diff -Nru intel-microcode-1.20140624.1/debian/intel-microcode.kpreinst intel-microcode-1.20140913.1/debian/intel-microcode.kpreinst
--- intel-microcode-1.20140624.1/debian/intel-microcode.kpreinst	2014-06-27 16:34:37.000000000 -0300
+++ intel-microcode-1.20140913.1/debian/intel-microcode.kpreinst	2014-12-18 16:31:28.000000000 -0200
@@ -1,19 +1,17 @@
 #!/bin/sh
 #
-# /etc/kernel/preinst.d intel-microcode script
-# Copyright (C) 2012 Henrique de Moraes Holschuh <h...@hmh.eng.br>
+# /etc/kernel/preinst.d script for intel-microcode version 1
+# Copyright (C) 2014 Henrique de Moraes Holschuh <h...@debian.org>
 # Released under the GPL v2 or later license
 #
-# This script makes sure the microcode and cpuid modules are
-# loaded, before the kernel image has a chance to replace them
-# with new ones that might not be compatible with the current
-# kernel.
+# This script makes sure the cpuid module is loaded, before the
+# kernel image has a chance to replace it with a new one that
+# might not be compatible with the current kernel.
 #
-# We need the microcode module to update microcode on postinst,
-# and the cpuid module for iucode_tool --scan-system.
+# We need the cpuid module for iucode_tool --scan-system,
+# which is used by the initramfs hook.
 #
 
-modprobe -q microcode || true
 grep -q cpu/cpuid /proc/devices || modprobe -q cpuid || true
 
 :
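Review bot: the copyright line replaces 2012 with 2014 instead of extending it; the script is still the 2012 one with a line removed, so keep the original year ("Copyright (C) 2012, 2014 ..."). The logic change itself matches the changelog's "kernel preinst: stop loading microcode module", but note that dropping `modprobe -q microcode` only stops this script from loading the module: a microcode module already loaded on the running system stays loaded, and it is the rename in debian/rules that keeps such a module from finding the blacklisted files.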
diff -Nru intel-microcode-1.20140624.1/debian/intel-microcode.NEWS intel-microcode-1.20140913.1/debian/intel-microcode.NEWS
--- intel-microcode-1.20140624.1/debian/intel-microcode.NEWS	2014-06-27 16:57:16.000000000 -0300
+++ intel-microcode-1.20140913.1/debian/intel-microcode.NEWS	2014-12-18 16:31:28.000000000 -0200
@@ -1,3 +1,19 @@
+intel-microcode (1.20140913.1) stable; urgency=low
+
+    This release drops support for automatically applying microcode
+    updates without a reboot.  The microcode updates can still be applied
+    without a reboot through manual action of the system administrator,
+    but this operation is not considered safe anymore.
+
+    Microcodes known to be dangerous have been renamed so that they will
+    not be found by the microcode module, except inside the initramfs.
+    This is a reactive blacklisting: it is unlikely to be complete at any
+    point in time.
+
+    Refer to /usr/share/doc/intel-microcode/README.Debian for details.
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Fri, 10 Oct 2014 12:27:57 -0300
+
 intel-microcode (1.20120606.4) unstable; urgency=low
 
     The initramfs logic to automatically restrict the microcodes that have
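Review bot: the NEWS entry never states that a reboot is now required for the new microcode to take effect; the cover letter relies on the postinst message for that, but NEWS is what apt-listchanges shows the admin, so add a sentence such as "The new microcode is applied at the next boot." It also says dangerous microcodes "have been renamed" without giving the scheme; naming the `.initramfs` suffix that debian/rules appends lets an admin recognise those files under /lib/firmware/intel-ucode instead of having to read README.Debian first.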
diff -Nru intel-microcode-1.20140624.1/debian/intel-microcode.postinst intel-microcode-1.20140913.1/debian/intel-microcode.postinst
--- intel-microcode-1.20140624.1/debian/intel-microcode.postinst	2014-06-27 16:57:16.000000000 -0300
+++ intel-microcode-1.20140913.1/debian/intel-microcode.postinst	2014-10-30 16:14:19.000000000 -0200
@@ -19,36 +19,18 @@
 
 case "$1" in
     configure)
-	# try to load the microcode module just in case.  If we succeed,
-	# it will trigger a microcode update by itself
-	if modprobe -q --first-time microcode ; then
-	    echo "Updating microcode on all online processors..." >&2
-	else
-	    # we have to trigger the microcode update manually
-	    if [ -e /sys/devices/system/cpu/microcode/reload ] ; then
-		echo "Updating microcode on all online processors..." >&2
-		echo 1 > /sys/devices/system/cpu/microcode/reload || {
-		    echo "Kernel reported failure while updating microcode!" >&2
-		}
-	    else
-		# Try all online processors, broken kernels need this,
-		# fixed kernels will accept it only on the BSP and update
-		# all processors anyway, and -EINVAL all others... but we
-		# don't know which one is the BSP, so we try all of them
-		# and hide errors, the kernel will log any real problem.
-		echo "Using per-core interface to update microcode on online processors..." >&2
-		find /sys/devices/system/cpu -noleaf -type f -path '/sys/devices/system/cpu/cpu*/microcode/reload' | \
-		    while read i ; do echo -n 1 2>/dev/null >"$i" || true ; done
-	    fi
-	fi
 	# do it like udev and firmware-linux-*
-	if [ -x /usr/sbin/update-initramfs -a -e /etc/initramfs-tools/initramfs.conf ] ; then
-		update-initramfs -u
+	if [ -x /usr/sbin/update-initramfs ] && [ -e /etc/initramfs-tools/initramfs.conf ] ; then
+	    update-initramfs -u && {
+		echo "intel-microcode: microcode will be updated at next boot" >&2
+		ls /usr/share/misc/intel-microcode* >/dev/null 2>&1 && {
+		    echo "intel-microcode: possibly old microcode files from /usr/share/misc were used" >&2
+		    echo "intel-microcode: remove them if this is not desired and run 'update-initramfs -u'" >&2
+		}
+	    }
+	else
+	    echo "intel-microcode: initramfs support missing" >&2
 	fi
-	ls /usr/share/misc/intel-microcode* >/dev/null 2>&1 && {
-	    echo "WARNING: /usr/share/misc/intel-microcode* installed to the initramfs" >&2
-	    echo "If this is undesired, remove /usr/share/misc/intel-microcode* and run 'update-initramfs -u'" >&2
-	}
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
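Review bot: a failing `update-initramfs -u` is now swallowed silently: it is the left side of `&&`, so a non-zero exit neither aborts the postinst (even under `set -e`) nor prints anything, and the admin gets no warning that no microcode will be applied at next boot; the old bare `update-initramfs -u` at least failed loudly. Add an `||` branch that prints a failure message and exits non-zero. In the same spirit, the else branch's "intel-microcode: initramfs support missing" should say plainly that this package will not apply any microcode until an initramfs is configured, since the runtime-update path was just removed above it.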
diff -Nru intel-microcode-1.20140624.1/debian/README.Debian intel-microcode-1.20140913.1/debian/README.Debian
--- intel-microcode-1.20140624.1/debian/README.Debian	2014-06-27 16:57:16.000000000 -0300
+++ intel-microcode-1.20140913.1/debian/README.Debian	2014-12-18 16:31:28.000000000 -0200
@@ -45,6 +45,15 @@
    the kmod or module-init-tools package, and the root filesystem with
    /lib/firmware must be available when the modules are loaded.
 
+   This used to be safe, but since the 20140913 microcode update, we
+   cannot assume it to be true anymore.  A microcode update may disable
+   functionality currently in use by running processes, causing a
+   disaster.  Always prefer method 1.
+
+   Some microcodes are blacklisted from direct use by the microcode
+   module.  If you need one of them, you are strongly advised to switch
+   to an initramfs configuration.
+
 When the iucode-tool package is installed, the initramfs helpers will
 attempt to restrict the number of microcodes added to the initramfs to the
 bare minimum.  This behaviour can be changed and fine-tuned through the
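Review bot: "Some microcodes are blacklisted from direct use by the microcode module" gives the admin no way to tell which ones. State that blacklisted files are installed as /lib/firmware/intel-ucode/FF-MM-SS.initramfs (the rename done in debian/rules), that the microcode module only looks for the un-suffixed name, and that the initramfs hook is what still picks them up; with that, "you are strongly advised to switch to an initramfs configuration" becomes actionable.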
@@ -62,6 +71,11 @@
 updated by the BIOS/EFI, by the bootloader itself, or by the kernel with
 microcode data supplied by the bootloader.
 
+NOTE FOR USERS OF NEWER (CUSTOM/BACKPORTED) KERNELS: If your Debian system
+is running a custom or backported Linux kernel version 3.10 or newer,
+please use the backported intel-microcode packages and the "early
+initramfs" method of updating microcode.
+
 
 Downloading new microcode data from Intel:
 
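Review bot: the added `+` blank line after the NOTE, together with the existing blank line below it, leaves two consecutive blank lines before the "Downloading new microcode data from Intel:" heading; drop one. The note also does not say why 3.10 is the threshold; one clause naming the kernel feature the "early initramfs" method depends on would save the reader a search.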
diff -Nru intel-microcode-1.20140624.1/debian/rules intel-microcode-1.20140913.1/debian/rules
--- intel-microcode-1.20140624.1/debian/rules	2014-06-27 14:28:01.000000000 -0300
+++ intel-microcode-1.20140913.1/debian/rules	2014-12-18 16:31:28.000000000 -0200
@@ -46,6 +46,16 @@
 	# split microcode pack
 	$(IUCODE_TOOL) -q --write-firmware="$(PKGDIR)/lib/firmware/intel-ucode" $(IUCODE_FILE)
 
+	# apply best-effort blacklist
+	if [ -r debian/ucode-blacklist.txt ] ; then \
+		cat debian/ucode-blacklist.txt | while read -r fn crap ; do \
+			if [ -r "$(PKGDIR)/lib/firmware/intel-ucode/$${fn}" ] ; then \
+				mv "$(PKGDIR)/lib/firmware/intel-ucode/$${fn}" "$(PKGDIR)/lib/firmware/intel-ucode/$${fn}.initramfs" ;\
+				echo "Renaming blacklisted microcode $${fn}" ; \
+			fi ; \
+		done ; \
+	fi
+
 	mkdir -p "$(PKGDIR)/usr/share/initramfs-tools/hooks"
 	install -m 755 "$(DEBDIR)/initramfs.hook" \
 		"$(PKGDIR)/usr/share/initramfs-tools/hooks/$(INITRAMFS_NAME)"
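Review bot: a failed `mv` inside the loop is masked: the `echo` that follows it is the body's last command, so the `while` loop (and therefore the pipeline) exits 0 and the build continues with a blacklisted file still present under its loadable name. Swap the two lines so `mv` is last, or write `mv ... && echo ...`. Minor: `cat debian/ucode-blacklist.txt | while read ...` can be `while read -r fn crap ; do ... done < debian/ucode-blacklist.txt`. Also, nothing in the debdiff shows the initramfs hook picking up the `*.initramfs` names; if the hook in 1.20140624.1 already adds every file in the directory that is fine, but the cover letter should say so, since the whole scheme depends on it.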
diff -Nru intel-microcode-1.20140624.1/debian/ucode-blacklist.txt intel-microcode-1.20140913.1/debian/ucode-blacklist.txt
--- intel-microcode-1.20140624.1/debian/ucode-blacklist.txt	1969-12-31 21:00:00.000000000 -0300
+++ intel-microcode-1.20140913.1/debian/ucode-blacklist.txt	2014-10-30 16:14:19.000000000 -0200
@@ -0,0 +1,7 @@
+06-3c-01
+06-3c-02
+06-3c-03
+06-3f-01
+06-3f-02
+06-45-01
+06-46-01
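Review bot: the file has no header explaining its format or why each entry is present. Since debian/rules reads only the first whitespace-separated field (`read -r fn crap`), a trailing comment per line costs nothing, and a leading `#` line is harmless too (the `-r` test fails for that name). Say that these are the CPUID family-model-stepping names of the intel-ucode files for the Haswell models 06-3c, 06-3f, 06-45 and 06-46 hit by the TSX erratum. The four signatures in the changelog (0x000306c3, 0x000306f2, 0x00040651, 0x00040661) map to 06-3c-03, 06-3f-02, 06-45-01 and 06-46-01, all present; 06-3c-01, 06-3c-02 and 06-3f-01 are not mentioned in this release's changelog, so a note on where they come from would help the next person who has to extend the list.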
diff -Nru intel-microcode-1.20140624.1/microcode-20140624.dat intel-microcode-1.20140913.1/microcode-20140624.dat
diff -Nru intel-microcode-1.20140624.1/microcode-20140913.dat intel-microcode-1.20140913.1/microcode-20140913.dat
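The changelog entries above describe each microcode as `sig 0x...`, `pf mask 0x...`, while debian/ucode-blacklist.txt and the files under /lib/firmware/intel-ucode use family-model-stepping names such as 06-3c-03. The following Python is an added illustration, not part of the intel-microcode package or of this debdiff: it decodes a CPUID signature into that name, parses changelog lines of the format shown, and checks them against a blacklist of the ucode-blacklist.txt form. The sample changelog and blacklist text are copied from the hunks above; `pf_matches` assumes the standard meaning of the processor-flags mask (bit N set means the update applies to platform ID N, read from IA32_PLATFORM_ID bits 52:50), and tolerating `#` comment lines in the blacklist is an assumption the shipped file does not need.

```python
"""Decode Intel microcode signatures to FF-MM-SS names and check them against a
ucode-blacklist.txt style list.  Added example; not code from the intel-microcode
package or this debdiff."""
import re

# Constructed sample: the 20140913 changelog lines, in the iucode_tool format.
CHANGELOG_SAMPLE = """\
2014-09-13:
  * New Microcodes:
    sig 0x000306f2, pf mask 0x6f, 2014-09-03, rev 0x0029, size 28672

  * Updated Microcodes:
    sig 0x000306c3, pf mask 0x32, 2014-07-03, rev 0x001c, size 21504
    sig 0x00040651, pf mask 0x72, 2014-07-03, rev 0x001c, size 20480
    sig 0x00040661, pf mask 0x32, 2014-07-03, rev 0x0012, size 23552
"""

# Constructed sample: the blacklist from the debdiff, one FF-MM-SS name per line.
BLACKLIST_SAMPLE = """\
06-3c-01
06-3c-02
06-3c-03
06-3f-01
06-3f-02
06-45-01
06-46-01
"""

SIG_RE = re.compile(
    r"sig 0x([0-9a-f]{8}), pf mask 0x([0-9a-f]+), (\d{4}-\d\d-\d\d), rev 0x([0-9a-f]+)")


def sig_to_name(sig):
    """FF-MM-SS filename stem for a CPUID(1).EAX signature.

    CPUID display rules: the extended family is added only when family == 0xF,
    and the extended model is prepended only when family is 0x6 or 0xF.
    """
    stepping = sig & 0xF
    model = (sig >> 4) & 0xF
    family = (sig >> 8) & 0xF
    ext_model = (sig >> 16) & 0xF
    ext_family = (sig >> 20) & 0xFF
    if family == 0xF:
        family += ext_family
    if family in (0x6, 0xF):
        model |= ext_model << 4
    return "%02x-%02x-%02x" % (family, model, stepping)


def parse_changelog(text):
    """(sig, pf_mask, date, rev) for every iucode_tool-style line in text."""
    return [(int(s, 16), int(pf, 16), date, int(rev, 16))
            for s, pf, date, rev in SIG_RE.findall(text)]


def load_blacklist(text):
    """First field of each line, like debian/rules' `read -r fn crap`.
    Skipping '#' comment lines is an assumption; the shipped file has none."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            names.add(fields[0])
    return names


def pf_matches(pf_mask, platform_id):
    """True if a microcode with this pf mask applies to a CPU whose
    IA32_PLATFORM_ID (MSR 0x17) bits 52:50 equal platform_id (0..7)."""
    if not 0 <= platform_id <= 7:
        raise ValueError("platform_id must be 0..7")
    return bool(pf_mask & (1 << platform_id))


def blacklisted_updates(changelog_text, blacklist_text):
    """Sorted names from the changelog that the blacklist renames to
    '<name>.initramfs', so the microcode module cannot load them at runtime."""
    blacklist = load_blacklist(blacklist_text)
    names = {sig_to_name(sig) for sig, _, _, _ in parse_changelog(changelog_text)}
    return sorted(names & blacklist)


def cpu_is_affected(family, model, stepping, blacklist_text):
    """Check a CPU's decimal /proc/cpuinfo family/model/stepping against the list."""
    return "%02x-%02x-%02x" % (family, model, stepping) in load_blacklist(blacklist_text)


if __name__ == "__main__":
    for sig, pf, date, rev in parse_changelog(CHANGELOG_SAMPLE):
        print("0x%08x -> %s rev 0x%04x (%s) pf mask 0x%02x" % (sig, sig_to_name(sig), rev, date, pf))
    print("blacklisted:", blacklisted_updates(CHANGELOG_SAMPLE, BLACKLIST_SAMPLE))
```

Run against the real files on a wheezy box by reading /usr/share/doc/intel-microcode/changelog.gz and /proc/cpuinfo instead of the embedded samples; `cpu_is_affected(6, 60, 3, ...)` is the Haswell desktop case, since /proc/cpuinfo prints model 60 for 0x3c.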
