New microcode_ctl file(s)

[troelsarvin]

In the "CPU microcode" section, it currently states:

"It seems that the new Intel’s microcode archive (2017-12-15) provided with the latest Red Hat’s microcode_ctl update includes **three new files**: 06-3f-02, 06-4f-01, 06-55-04."

I compared two RHEL 7 servers where the microcode_ctl package is installed: One server was last patched in November of 2017, the other was last patched January 5th 2018. On both servers, the following files existed, as part of package microcode_ctl
/usr/lib/firmware/intel-ucode/06-3f-02
/usr/lib/firmware/intel-ucode/06-4f-01

Only the following file is new with the latest updates (microcode_ctl-2.1-22.2.el7.x86_64):
/usr/lib/firmware/intel-ucode/06-55-04

So the text should be changed to mention only 06-55-04, I think.

[gvarisco]

Hey Troel! What I find interesting is that I've compared my wording and feedback gathered from RH engineers with Gentoo's archive and I see:

33792 Dec 15 13:59 06-3f-02
27648 Dec 15 13:59 06-4f-01
27648 Dec 15 13:59 06-55-04

Let me check later today and get back to you.

[Klaas-]

EDIT:
this seems to be an issue with the compilation, the microcode.dat files are the same that were used to build the binarys. No idea how this happens though

I would say redhat has updated more files than changelog suggests, if I diff the package that it should be based on with the rpm contents I get this:

Binary files intel-ucode-intel-20170707/06-05-00 and intel-ucode-redhat-rpm/06-05-00 differ
Binary files intel-ucode-intel-20170707/06-05-02 and intel-ucode-redhat-rpm/06-05-02 differ
Binary files intel-ucode-intel-20170707/06-05-03 and intel-ucode-redhat-rpm/06-05-03 differ
Binary files intel-ucode-intel-20170707/06-06-0a and intel-ucode-redhat-rpm/06-06-0a differ
Binary files intel-ucode-intel-20170707/06-06-0d and intel-ucode-redhat-rpm/06-06-0d differ
Binary files intel-ucode-intel-20170707/06-08-01 and intel-ucode-redhat-rpm/06-08-01 differ
Binary files intel-ucode-intel-20170707/06-08-06 and intel-ucode-redhat-rpm/06-08-06 differ
Binary files intel-ucode-intel-20170707/06-08-0a and intel-ucode-redhat-rpm/06-08-0a differ
Binary files intel-ucode-intel-20170707/06-09-05 and intel-ucode-redhat-rpm/06-09-05 differ
Binary files intel-ucode-intel-20170707/06-0b-01 and intel-ucode-redhat-rpm/06-0b-01 differ
Binary files intel-ucode-intel-20170707/06-0f-0b and intel-ucode-redhat-rpm/06-0f-0b differ
Binary files intel-ucode-intel-20170707/06-0f-0d and intel-ucode-redhat-rpm/06-0f-0d differ
Binary files intel-ucode-intel-20170707/06-16-01 and intel-ucode-redhat-rpm/06-16-01 differ
Binary files intel-ucode-intel-20170707/06-17-06 and intel-ucode-redhat-rpm/06-17-06 differ
Binary files intel-ucode-intel-20170707/06-17-0a and intel-ucode-redhat-rpm/06-17-0a differ
Binary files intel-ucode-intel-20170707/06-1c-0a and intel-ucode-redhat-rpm/06-1c-0a differ
Binary files intel-ucode-intel-20170707/06-3f-02 and intel-ucode-redhat-rpm/06-3f-02 differ
Binary files intel-ucode-intel-20170707/06-4f-01 and intel-ucode-redhat-rpm/06-4f-01 differ
Binary files intel-ucode-intel-20170707/06-55-04 and intel-ucode-redhat-rpm/06-55-04 differ
Binary files intel-ucode-intel-20170707/0f-00-07 and intel-ucode-redhat-rpm/0f-00-07 differ
Binary files intel-ucode-intel-20170707/0f-00-0a and intel-ucode-redhat-rpm/0f-00-0a differ
Binary files intel-ucode-intel-20170707/0f-02-04 and intel-ucode-redhat-rpm/0f-02-04 differ
Binary files intel-ucode-intel-20170707/0f-02-05 and intel-ucode-redhat-rpm/0f-02-05 differ
Binary files intel-ucode-intel-20170707/0f-02-07 and intel-ucode-redhat-rpm/0f-02-07 differ
Binary files intel-ucode-intel-20170707/0f-02-09 and intel-ucode-redhat-rpm/0f-02-09 differ
Binary files intel-ucode-intel-20170707/0f-04-01 and intel-ucode-redhat-rpm/0f-04-01 differ
Binary files intel-ucode-intel-20170707/0f-04-08 and intel-ucode-redhat-rpm/0f-04-08 differ

Diff to newest microcode download from intel would be:

Binary files intel-ucode-intel-20171117/06-05-00 and intel-ucode-redhat-rpm/06-05-00 differ
Binary files intel-ucode-intel-20171117/06-05-02 and intel-ucode-redhat-rpm/06-05-02 differ
Binary files intel-ucode-intel-20171117/06-05-03 and intel-ucode-redhat-rpm/06-05-03 differ
Binary files intel-ucode-intel-20171117/06-06-0a and intel-ucode-redhat-rpm/06-06-0a differ
Binary files intel-ucode-intel-20171117/06-06-0d and intel-ucode-redhat-rpm/06-06-0d differ
Binary files intel-ucode-intel-20171117/06-08-01 and intel-ucode-redhat-rpm/06-08-01 differ
Binary files intel-ucode-intel-20171117/06-08-06 and intel-ucode-redhat-rpm/06-08-06 differ
Binary files intel-ucode-intel-20171117/06-08-0a and intel-ucode-redhat-rpm/06-08-0a differ
Binary files intel-ucode-intel-20171117/06-09-05 and intel-ucode-redhat-rpm/06-09-05 differ
Binary files intel-ucode-intel-20171117/06-0b-01 and intel-ucode-redhat-rpm/06-0b-01 differ
Binary files intel-ucode-intel-20171117/06-0f-0b and intel-ucode-redhat-rpm/06-0f-0b differ
Binary files intel-ucode-intel-20171117/06-0f-0d and intel-ucode-redhat-rpm/06-0f-0d differ
Binary files intel-ucode-intel-20171117/06-16-01 and intel-ucode-redhat-rpm/06-16-01 differ
Binary files intel-ucode-intel-20171117/06-17-06 and intel-ucode-redhat-rpm/06-17-06 differ
Binary files intel-ucode-intel-20171117/06-17-0a and intel-ucode-redhat-rpm/06-17-0a differ
Binary files intel-ucode-intel-20171117/06-1c-0a and intel-ucode-redhat-rpm/06-1c-0a differ
Binary files intel-ucode-intel-20171117/06-3f-02 and intel-ucode-redhat-rpm/06-3f-02 differ
Binary files intel-ucode-intel-20171117/06-4f-01 and intel-ucode-redhat-rpm/06-4f-01 differ
Binary files intel-ucode-intel-20171117/06-55-04 and intel-ucode-redhat-rpm/06-55-04 differ
Only in intel-ucode-intel-20171117: 06-5c-09
Only in intel-ucode-intel-20171117: 06-7a-01
Binary files intel-ucode-intel-20171117/06-8e-0a and intel-ucode-redhat-rpm/06-8e-0a differ
Only in intel-ucode-intel-20171117: 06-9e-0a
Only in intel-ucode-intel-20171117: 06-9e-0b
Binary files intel-ucode-intel-20171117/0f-00-07 and intel-ucode-redhat-rpm/0f-00-07 differ
Binary files intel-ucode-intel-20171117/0f-00-0a and intel-ucode-redhat-rpm/0f-00-0a differ
Binary files intel-ucode-intel-20171117/0f-02-04 and intel-ucode-redhat-rpm/0f-02-04 differ
Binary files intel-ucode-intel-20171117/0f-02-05 and intel-ucode-redhat-rpm/0f-02-05 differ
Binary files intel-ucode-intel-20171117/0f-02-07 and intel-ucode-redhat-rpm/0f-02-07 differ
Binary files intel-ucode-intel-20171117/0f-02-09 and intel-ucode-redhat-rpm/0f-02-09 differ
Binary files intel-ucode-intel-20171117/0f-04-01 and intel-ucode-redhat-rpm/0f-04-01 differ
Binary files intel-ucode-intel-20171117/0f-04-08 and intel-ucode-redhat-rpm/0f-04-08 differ

[rfc1459]

The microcode situation is complex and we might see another update soon(ish) to add IBRS support and enhanced LFENCE on desktop SKUs (for instance, my office workstation with an old i5 got a new ucode revision dated 2017-11-20 with IBRS support while my personal workstation with an i7-6700 and the same microcode_ctl package is still on revision 0xba dated 2017-04-09, which obviously lacks IBRS and enhanced LFENCE).

Fedora 26 and 27 as of today are still shipping microcode using the publicly available package from Intel, which lacks IBRS-enabled ucode altogether.

[teknoraver]

IMHO it's better to query the MSR 0x48 directly instead of guessing based on microcode version and date

[rfc1459]

That's exactly what I did, sorry for omitting that part :)

[gvarisco]

Intel has released https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?product=122139

[gvarisco]

Its release notes says:

-- Updates upon 20171117 release --
IVT C0		(06-3e-04:ed) 428->42a
SKL-U/Y D0	(06-4e-03:c0) ba->c2
BDW-U/Y E/F	(06-3d-04:c0) 25->28
HSW-ULT Cx/Dx	(06-45-01:72) 20->21
Crystalwell Cx	(06-46-01:32) 17->18
BDW-H E/G	(06-47-01:22) 17->1b
HSX-EX E0	(06-3f-04:80) 0f->10
SKL-H/S R0	(06-5e-03:36) ba->c2
HSW Cx/Dx	(06-3c-03:32) 22->23
HSX C0		(06-3f-02:6f) 3a->3b
BDX-DE V0/V1	(06-56-02:10) 0f->14
BDX-DE V2	(06-56-03:10) 700000d->7000011
KBL-U/Y H0	(06-8e-09:c0) 62->80
KBL Y0 / CFL D0	(06-8e-0a:c0) 70->80
KBL-H/S B0	(06-9e-09:2a) 5e->80
CFL U0		(06-9e-0a:22) 70->80
CFL B0		(06-9e-0b:02) 72->80
SKX H0		(06-55-04:b7) 2000035->200003c
GLK B0		(06-7a-01:01) 1e->22

[Feandil]

What is weird in this release by Intel is that is does not seem to contain the 06-4f-01 updated in RedHat:

% curl -s https://downloadmirror.intel.com/27431/eng/microcode-20180108.tgz | tar -xzO intel-ucode/06-4f-01 | iucode_tool -tb -L - 
microcode bundle 1: (stdin)
001/001: sig 0x000406f1, pf_mask 0xef, 2017-03-01, rev 0xb000021, size 26624

% rpm2cpio <(curl -s http://mirror.centos.org/centos/7/updates/x86_64/Packages/microcode_ctl-2.1-22.2.el7.x86_64.rpm -o -) | cpio --extract --to-stdout ./lib/firmware/intel-ucode/06-4f-01 | iucode_tool -tb -L -
2606 blocks
microcode bundle 1: (stdin)
001/001: sig 0x000406f1, pf_mask 0xef, 2017-11-18, rev 0xb000025, size 27648

[rfc1459]

According to the (yet to be released) Debian intel-microcode package changelog, Intel removed updated ucode for two CPU families for unknown reasons and many affected CPU families didn't get updated ucode in this release.

[Feandil]

Thanks for the pointer!

The maintainer of the microcode_ctl package on Fedora has checked with Intel and according to his last comment, there should be another update from intel: https://bodhi.fedoraproject.org/updates/microcode_ctl-2.1-20.fc27#comment-717804

06-5c-09 was not in the microcode_ctl previously released by RedHat/Centos, only 06-4f-01 (see https://git.centos.org/blobdiff/rpms!microcode_ctl.git/8e8f9859943f5235baff90d925ca8342be12dc18/SPECS!microcode_ctl.spec). I'm not sure where Debian got that one