diff --git a/Makefile b/Makefile index 1d5f5a0..dce857f 100644 --- a/Makefile +++ b/Makefile @@ -29,7 +29,8 @@ IUC_OLDIES_EXCLUDE := IUC_EXCLUDE := # 0x106c0: alpha hardware, seen in a very very old microcode data file -IUC_EXCLUDE += -s !0x106c0 +# 0x50656, 0xc06f1: QS steppings, removed by upstream 20250512 +IUC_EXCLUDE += -s !0x106c0 -s !0x50656 -s !0xc06f1 # INCLUDING MICROCODES: # @@ -156,6 +157,17 @@ intel-microcode-64.bin: intel-microcode.bin $(shell sed -n -r -e '/^i.86/ { s/^[^ ]+ +/-s !/;s/ +\#.*//;p}' cpu-signatures.txt) $(IUC_EXCLUDE) \ --overwrite -w "$@" $^ +# Aux. targets for packaging: make FWDIR=${PREFIX}/lib/firmware intel-ucode-fw/fw64 +intel-ucode-fw: intel-microcode.bin + @test -d "$(FWDIR)" && \ + $(IUCODE_TOOL) $(IUC_EXCLUDE) --overwrite --write-firmware="$(FWDIR)" $^ + +intel-ucode-fw64: intel-microcode-64.bin + @test -d "$(FWDIR)" && \ + $(IUCODE_TOOL) $(IUC_EXCLUDE) --overwrite --write-firmware="$(FWDIR)" $^ + +.PHONY: intel-ucode-fw intel-ucode-fw64 + distclean: clean clean: rm -f intel-microcode-64.bin intel-microcode.bin diff --git a/changelog b/changelog index 50af05b..8b23c9d 100644 --- a/changelog +++ b/changelog @@ -1,3 +1,181 @@ +2025-08-12: + * New upstream microcode datafile 20250812 + - Mitgations for INTEL-SA-01249 (processor Stream Cache): + CVE-2025-20109: Improper Isolation or Compartmentalization in the + stream cache mechanism for some Intel Processors may allow an + authenticated user to potentially enable escalation of privilege via + local access. Intel also disclosed that several processors models + had already received this mitigation on the previous microcode + release, 20250512. + - Mitigations for INTEL-SA-01308: + CVE-2025-22840: Sequence of processor instructions leads to + unexpected behavior for some Intel Xeon 6 Scalable processors may + allow an authenticated user to potentially enable escalation of + privilege via local access. + - Mitigations for INTEL-SA-01310 (OOBM services module): + CVE-2025-22839: Insufficient granularity of access control in the + OOB-MSM for some Intel Xeon 6 Scalable processors may allow a + privileged user to potentially enable escalation of privilege via + adjacent access. + - Mitigations for INTEL-SA-01311 (Intel TDX): + CVE-2025-22889: Improper handling of overlap between protected + memory ranges for some Intel Xeon 6 processors with Intel TDX may + allow a privileged user to potentially enable escalation of + privilege via local access. + - Mitigations for INTEL-SA-01313: + CVE-2025-20053: Improper buffer restrictions for some Intel Xeon + Processor firmware with SGX enabled may allow a privileged user to + potentially enable escalation of privilege via local access. + CVE-2025-21090: Missing reference to active allocated resource for + some Intel Xeon processors may allow an authenticated user to + potentially enable denial of service via local access. + CVE-2025-24305: Insufficient control flow management in the Alias + Checking Trusted Module (ACTM) firmware for some Intel Xeon + processors may allow a privileged user to potentially enable + escalation of privilege via local access. + - Mitigations for INTEL-SA-01367 (Intel SGX, TDX): + CVE-2025-26403: Out-of-bounds write in the memory subsystem for some + Intel Xeon 6 processors when using Intel SGX or Intel TDX may allow + a privileged user to potentially enable escalation of privilege via + local access. + CVE-2025-32086: Improperly implemented security check for standard + in the DDRIO configuration for some Intel Xeon 6 Processors when + using Intel SGX or Intel TDX may allow a privileged user to + potentially enable escalation of privilege via local access. + - Fixes for unspecified functional issues on several Intel Core and + Intel Xeon processor models. + * Updated microcodes: + sig 0x000606a6, pf_mask 0x87, 2025-03-11, rev 0xd000410, size 309248 + sig 0x000606c1, pf_mask 0x10, 2025-03-06, rev 0x10002e0, size 301056 + sig 0x000806f8, pf_mask 0x87, 2025-04-04, rev 0x2b000643, size 592896 + sig 0x000806f7, pf_mask 0x87, 2025-04-04, rev 0x2b000643 + sig 0x000806f6, pf_mask 0x87, 2025-04-04, rev 0x2b000643 + sig 0x000806f5, pf_mask 0x87, 2025-04-04, rev 0x2b000643 + sig 0x000806f4, pf_mask 0x87, 2025-04-04, rev 0x2b000643 + sig 0x000806f8, pf_mask 0x10, 2025-04-08, rev 0x2c000401, size 625664 + sig 0x000806f6, pf_mask 0x10, 2025-04-08, rev 0x2c000401 + sig 0x000806f5, pf_mask 0x10, 2025-04-08, rev 0x2c000401 + sig 0x000806f4, pf_mask 0x10, 2025-04-08, rev 0x2c000401 + sig 0x000a06a4, pf_mask 0xe6, 2025-03-19, rev 0x0025, size 140288 + sig 0x000a06d1, pf_mask 0x95, 2025-05-15, rev 0x10003d0, size 1667072 + sig 0x000a06d1, pf_mask 0x20, 2025-05-15, rev 0xa000100, size 1638400 + sig 0x000a06f3, pf_mask 0x01, 2025-05-03, rev 0x3000362, size 1530880 + sig 0x000b06a2, pf_mask 0xe0, 2025-02-24, rev 0x4129, size 224256 + sig 0x000b06a3, pf_mask 0xe0, 2025-02-24, rev 0x4129 + sig 0x000b06a8, pf_mask 0xe0, 2025-02-24, rev 0x4129 + sig 0x000b06d1, pf_mask 0x80, 2025-05-21, rev 0x0123, size 80896 + sig 0x000c0662, pf_mask 0x82, 2025-05-14, rev 0x0119, size 90112 + sig 0x000c06a2, pf_mask 0x82, 2025-05-14, rev 0x0119 + sig 0x000c0652, pf_mask 0x82, 2025-05-14, rev 0x0119 + sig 0x000c0664, pf_mask 0x82, 2025-05-14, rev 0x0119 + sig 0x000c06f2, pf_mask 0x87, 2025-04-15, rev 0x210002b3, size 564224 + sig 0x000c06f1, pf_mask 0x87, 2025-04-15, rev 0x210002b3 + +2025-05-12: + * New upstream microcode datafile 20250512 + - Mitigations for INTEL-SA-01153 (ITS: Indirect Target Selection): + CVE-2024-28956: Processor may incompletely mitigate Branch Target + Injection due to indirect branch predictions that are not fully + constrained by eIBRS nor by the IBPB barrier. Part of the "Training + Solo" set of vulnerabilities. + - Mitigations for INTEL-SA-01244: + CVE-2025-20103: Insufficient resource pool in the core management + mechanism for some Intel Processors may allow an authenticated user + to potentially enable denial of service via local access. + CVE-2025-20054: Uncaught exception in the core management mechanism + for some Intel Processors may allow an authenticated user to + potentially enable denial of service via local access. + - Mitigations for INTEL-SA-01247: + CVE-2024-43420, CVE-2025-20623: Exposure of sensitive information + caused by shared microarchitectural predictor state that influences + transient execution for some Intel Atom and some Intel Core + processors (10th Generation) may allow an authenticated user to + potentially enable information disclosure via local access. + CVE-2024-45332 (Branch Privilege Injection): Exposure of sensitive + information caused by shared microarchitectural predictor state that + influences transient execution in the indirect branch predictors for + some Intel Processors may allow an authenticated user to potentially + enable information disclosure via local access. + - Mitigations for INTEL-SA-01322: + CVE-2025-24495 (Training Solo): Incorrect initialization of resource + in the branch prediction unit for some Intel Core Ultra Processors + may allow an authenticated user to potentially enable information + disclosure via local access (IBPB bypass) + CVE-2025-20012 (Training Solo): Incorrect behavior order for some + Intel Core Ultra Processors may allow an unauthenticated user to + potentially enable information disclosure via physical access. + - Improved fix for the Vmin Shift Instability for the Intel Core 13th + and 14th gen processors under low-activity scenarios (sig 0xb0671). + This microcode update is supposed to be delivered as a system + firmware update, but according to Intel it should be effective when + loaded by the operating system if the system firmware has revision + 0x12e. + - Mitgations for INTEL-SA-01249 (processor Stream Cache): + CVE-2025-20109: Improper Isolation or Compartmentalization in the + stream cache mechanism for some Intel Processors may allow an + authenticated user to potentially enable escalation of privilege via + local access. This information was disclosed by Intel for release + 20250812. + - Fixes for unspecified functional issues on several processor models + * New microcodes or new extended signatures: + sig 0x000a06d1, pf_mask 0x95, 2025-02-07, rev 0x10003a2, size 1664000 + sig 0x000a06d1, pf_mask 0x20, 2025-02-07, rev 0xa0000d1, size 1635328 + sig 0x000b0650, pf_mask 0x80, 2025-03-18, rev 0x000a, size 136192 + sig 0x000b06d1, pf_mask 0x80, 2025-03-18, rev 0x011f, size 79872 + sig 0x000c0662, pf_mask 0x82, 2025-03-20, rev 0x0118, size 90112 + sig 0x000c06a2, pf_mask 0x82, 2025-03-20, rev 0x0118 + sig 0x000c0652, pf_mask 0x82, 2025-03-20, rev 0x0118 + sig 0x000c0664, pf_mask 0x82, 2025-03-20, rev 0x0118 + * Updated microcodes: + sig 0x00050657, pf_mask 0xbf, 2024-12-12, rev 0x5003901, size 39936 + sig 0x0005065b, pf_mask 0xbf, 2024-12-12, rev 0x7002b01, size 30720 + sig 0x000606a6, pf_mask 0x87, 2025-01-07, rev 0xd000404, size 309248 + sig 0x000606c1, pf_mask 0x10, 2025-01-07, rev 0x10002d0, size 300032 + sig 0x000706a8, pf_mask 0x01, 2024-12-05, rev 0x0026, size 76800 + sig 0x000706e5, pf_mask 0x80, 2025-01-07, rev 0x00ca, size 115712 + sig 0x000806c1, pf_mask 0x80, 2024-12-01, rev 0x00bc, size 112640 + sig 0x000806c2, pf_mask 0xc2, 2024-12-01, rev 0x003c, size 99328 + sig 0x000806d1, pf_mask 0xc2, 2024-12-11, rev 0x0056, size 105472 + sig 0x000806ec, pf_mask 0x94, 2024-11-17, rev 0x0100, size 106496 + sig 0x000806f8, pf_mask 0x87, 2025-01-28, rev 0x2b000639, size 591872 + sig 0x000806f7, pf_mask 0x87, 2025-01-28, rev 0x2b000639 + sig 0x000806f6, pf_mask 0x87, 2025-01-28, rev 0x2b000639 + sig 0x000806f5, pf_mask 0x87, 2025-01-28, rev 0x2b000639 + sig 0x000806f4, pf_mask 0x87, 2025-01-28, rev 0x2b000639 + sig 0x000806f8, pf_mask 0x10, 2025-01-28, rev 0x2c0003f7, size 624640 + sig 0x000806f6, pf_mask 0x10, 2025-01-28, rev 0x2c0003f7 + sig 0x000806f5, pf_mask 0x10, 2025-01-28, rev 0x2c0003f7 + sig 0x000806f4, pf_mask 0x10, 2025-01-28, rev 0x2c0003f7 + sig 0x00090672, pf_mask 0x07, 2024-12-12, rev 0x003a, size 226304 + sig 0x00090675, pf_mask 0x07, 2024-12-12, rev 0x003a + sig 0x000b06f2, pf_mask 0x07, 2024-12-12, rev 0x003a + sig 0x000b06f5, pf_mask 0x07, 2024-12-12, rev 0x003a + sig 0x000b06f6, pf_mask 0x07, 2024-12-12, rev 0x003a + sig 0x000b06f7, pf_mask 0x07, 2024-12-12, rev 0x003a + sig 0x000906a3, pf_mask 0x80, 2024-12-12, rev 0x0437, size 224256 + sig 0x000906a4, pf_mask 0x80, 2024-12-12, rev 0x0437 + sig 0x000906a4, pf_mask 0x40, 2024-12-06, rev 0x000a, size 119808 + sig 0x000906ed, pf_mask 0x22, 2024-11-14, rev 0x0104, size 106496 + sig 0x000a0652, pf_mask 0x20, 2024-11-14, rev 0x0100, size 97280 + sig 0x000a0653, pf_mask 0x22, 2024-11-14, rev 0x0100, size 98304 + sig 0x000a0655, pf_mask 0x22, 2024-11-14, rev 0x0100, size 97280 + sig 0x000a0660, pf_mask 0x80, 2024-11-14, rev 0x0102, size 98304 + sig 0x000a0661, pf_mask 0x80, 2024-11-14, rev 0x0100, size 97280 + sig 0x000a0671, pf_mask 0x02, 2024-12-01, rev 0x0064, size 108544 + sig 0x000a06a4, pf_mask 0xe6, 2025-02-13, rev 0x0024, size 140288 + sig 0x000a06f3, pf_mask 0x01, 2025-02-10, rev 0x3000341, size 1542144 + sig 0x000b0671, pf_mask 0x32, 2025-03-17, rev 0x012f, size 219136 + sig 0x000b0674, pf_mask 0x32, 2025-03-17, rev 0x012f + sig 0x000b06a2, pf_mask 0xe0, 2025-01-15, rev 0x4128, size 224256 + sig 0x000b06a3, pf_mask 0xe0, 2025-01-15, rev 0x4128 + sig 0x000b06a8, pf_mask 0xe0, 2025-01-15, rev 0x4128 + sig 0x000b06e0, pf_mask 0x19, 2024-12-06, rev 0x001d, size 139264 + sig 0x000c06f2, pf_mask 0x87, 2025-03-14, rev 0x210002a9, size 563200 + sig 0x000c06f1, pf_mask 0x87, 2025-03-14, rev 0x210002a9 + * Removed microcodes (ES/QS steppings): + sig 0x00050656, pf_mask 0xbf, 2023-07-28, rev 0x4003605, size 38912 + sig 0x000c06f1, pf_mask 0x87, 2025-03-14, rev 0x210002a9 [EXCLUDED] + 2025-02-11: * New upstream microcode datafile 20250211 - Mitigations for INTEL-SA-01166 (CVE-2024-31068) diff --git a/debian/changelog b/debian/changelog index 13202a7..c46be85 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,201 @@ -intel-microcode (3.20250512.1) unstable; urgency=medium +intel-microcode (3.20250812.1) unstable; urgency=medium - * New upstream microcode 20250512 - - -- bluesky Wed, 14 May 2025 10:24:10 +0800 + [ Henrique de Moraes Holschuh ] + * New upstream microcode datafile 20250812 (closes: #1110983, #1112168) + - Mitgations for INTEL-SA-01249 (processor Stream Cache): + CVE-2025-20109: Improper Isolation or Compartmentalization in the + stream cache mechanism for some Intel Processors may allow an + authenticated user to potentially enable escalation of privilege via + local access. Intel also disclosed that several processors models + had already received this mitigation on the previous microcode + release, 20250512. + - Mitigations for INTEL-SA-01308: + CVE-2025-22840: Sequence of processor instructions leads to + unexpected behavior for some Intel Xeon 6 Scalable processors may + allow an authenticated user to potentially enable escalation of + privilege via local access. + - Mitigations for INTEL-SA-01310 (OOBM services module): + CVE-2025-22839: Insufficient granularity of access control in the + OOB-MSM for some Intel Xeon 6 Scalable processors may allow a + privileged user to potentially enable escalation of privilege via + adjacent access. + - Mitigations for INTEL-SA-01311 (Intel TDX): + CVE-2025-22889: Improper handling of overlap between protected + memory ranges for some Intel Xeon 6 processors with Intel TDX may + allow a privileged user to potentially enable escalation of + privilege via local access. + - Mitigations for INTEL-SA-01313: + CVE-2025-20053: Improper buffer restrictions for some Intel Xeon + Processor firmware with SGX enabled may allow a privileged user to + potentially enable escalation of privilege via local access. + CVE-2025-21090: Missing reference to active allocated resource for + some Intel Xeon processors may allow an authenticated user to + potentially enable denial of service via local access. + CVE-2025-24305: Insufficient control flow management in the Alias + Checking Trusted Module (ACTM) firmware for some Intel Xeon + processors may allow a privileged user to potentially enable + escalation of privilege via local access. + - Mitigations for INTEL-SA-01367 (Intel SGX, TDX): + CVE-2025-26403: Out-of-bounds write in the memory subsystem for some + Intel Xeon 6 processors when using Intel SGX or Intel TDX may allow + a privileged user to potentially enable escalation of privilege via + local access. + CVE-2025-32086: Improperly implemented security check for standard + in the DDRIO configuration for some Intel Xeon 6 Processors when + using Intel SGX or Intel TDX may allow a privileged user to + potentially enable escalation of privilege via local access. + - Fixes for unspecified functional issues on several Intel Core and + Intel Xeon processor models. + * Updated microcodes: + sig 0x000606a6, pf_mask 0x87, 2025-03-11, rev 0xd000410, size 309248 + sig 0x000606c1, pf_mask 0x10, 2025-03-06, rev 0x10002e0, size 301056 + sig 0x000806f8, pf_mask 0x87, 2025-04-04, rev 0x2b000643, size 592896 + sig 0x000806f7, pf_mask 0x87, 2025-04-04, rev 0x2b000643 + sig 0x000806f6, pf_mask 0x87, 2025-04-04, rev 0x2b000643 + sig 0x000806f5, pf_mask 0x87, 2025-04-04, rev 0x2b000643 + sig 0x000806f4, pf_mask 0x87, 2025-04-04, rev 0x2b000643 + sig 0x000806f8, pf_mask 0x10, 2025-04-08, rev 0x2c000401, size 625664 + sig 0x000806f6, pf_mask 0x10, 2025-04-08, rev 0x2c000401 + sig 0x000806f5, pf_mask 0x10, 2025-04-08, rev 0x2c000401 + sig 0x000806f4, pf_mask 0x10, 2025-04-08, rev 0x2c000401 + sig 0x000a06a4, pf_mask 0xe6, 2025-03-19, rev 0x0025, size 140288 + sig 0x000a06d1, pf_mask 0x95, 2025-05-15, rev 0x10003d0, size 1667072 + sig 0x000a06d1, pf_mask 0x20, 2025-05-15, rev 0xa000100, size 1638400 + sig 0x000a06f3, pf_mask 0x01, 2025-05-03, rev 0x3000362, size 1530880 + sig 0x000b06a2, pf_mask 0xe0, 2025-02-24, rev 0x4129, size 224256 + sig 0x000b06a3, pf_mask 0xe0, 2025-02-24, rev 0x4129 + sig 0x000b06a8, pf_mask 0xe0, 2025-02-24, rev 0x4129 + sig 0x000b06d1, pf_mask 0x80, 2025-05-21, rev 0x0123, size 80896 + sig 0x000c0662, pf_mask 0x82, 2025-05-14, rev 0x0119, size 90112 + sig 0x000c06a2, pf_mask 0x82, 2025-05-14, rev 0x0119 + sig 0x000c0652, pf_mask 0x82, 2025-05-14, rev 0x0119 + sig 0x000c0664, pf_mask 0x82, 2025-05-14, rev 0x0119 + sig 0x000c06f2, pf_mask 0x87, 2025-04-15, rev 0x210002b3, size 564224 + sig 0x000c06f1, pf_mask 0x87, 2025-04-15, rev 0x210002b3 + * update entry for 3.20250512.1 with new information + * source: update symlinks to reflect id of the latest release, 20250812 + + [ Ben Hutchings ] + * debian/tests/initramfs: Update to work with forky's initramfs-tools. + In version 0.149 of initramfs-tools, unmkinitramfs was changed to no + longer create early/ and main/ subdirectories. Update the microcode + file check to work with both old and new behaviours. + + -- Henrique de Moraes Holschuh Sat, 13 Sep 2025 18:30:55 -0300 + +intel-microcode (3.20250512.1) unstable; urgency=high + + * New upstream microcode datafile 20250512 (closes: #1105172) + - Mitigations for INTEL-SA-01153 (ITS: Indirect Target Selection): + CVE-2024-28956: Processor may incompletely mitigate Branch Target + Injection due to indirect branch predictions that are not fully + constrained by eIBRS nor by the IBPB barrier. Part of the "Training + Solo" set of vulnerabilities. + - Mitigations for INTEL-SA-01244: + CVE-2025-20103: Insufficient resource pool in the core management + mechanism for some Intel Processors may allow an authenticated user + to potentially enable denial of service via local access. + CVE-2025-20054: Uncaught exception in the core management mechanism + for some Intel Processors may allow an authenticated user to + potentially enable denial of service via local access. + - Mitigations for INTEL-SA-01247: + CVE-2024-43420, CVE-2025-20623: Exposure of sensitive information + caused by shared microarchitectural predictor state that influences + transient execution for some Intel Atom and some Intel Core + processors (10th Generation) may allow an authenticated user to + potentially enable information disclosure via local access. + CVE-2024-45332 (Branch Privilege Injection): Exposure of sensitive + information caused by shared microarchitectural predictor state that + influences transient execution in the indirect branch predictors for + some Intel Processors may allow an authenticated user to potentially + enable information disclosure via local access. + - Mitigations for INTEL-SA-01322: + CVE-2025-24495 (Training Solo): Incorrect initialization of resource + in the branch prediction unit for some Intel Core Ultra Processors + may allow an authenticated user to potentially enable information + disclosure via local access (IBPB bypass) + CVE-2025-20012 (Training Solo): Incorrect behavior order for some + Intel Core Ultra Processors may allow an unauthenticated user to + potentially enable information disclosure via physical access. + - Improved fix for the Vmin Shift Instability for the Intel Core 13th + and 14th gen processors under low-activity scenarios (sig 0xb0671). + This microcode update is supposed to be delivered as a system + firmware update, but according to Intel it should be effective when + loaded by the operating system if the system firmware has revision + 0x12e. + - Mitgations for INTEL-SA-01249 (processor Stream Cache): + CVE-2025-20109: Improper Isolation or Compartmentalization in the + stream cache mechanism for some Intel Processors may allow an + authenticated user to potentially enable escalation of privilege via + local access. This information was disclosed by Intel for release + 20250812. + - Fixes for unspecified functional issues on several processor models + * New microcodes or new extended signatures: + sig 0x000a06d1, pf_mask 0x95, 2025-02-07, rev 0x10003a2, size 1664000 + sig 0x000a06d1, pf_mask 0x20, 2025-02-07, rev 0xa0000d1, size 1635328 + sig 0x000b0650, pf_mask 0x80, 2025-03-18, rev 0x000a, size 136192 + sig 0x000b06d1, pf_mask 0x80, 2025-03-18, rev 0x011f, size 79872 + sig 0x000c0662, pf_mask 0x82, 2025-03-20, rev 0x0118, size 90112 + sig 0x000c06a2, pf_mask 0x82, 2025-03-20, rev 0x0118 + sig 0x000c0652, pf_mask 0x82, 2025-03-20, rev 0x0118 + sig 0x000c0664, pf_mask 0x82, 2025-03-20, rev 0x0118 + * Updated microcodes: + sig 0x00050657, pf_mask 0xbf, 2024-12-12, rev 0x5003901, size 39936 + sig 0x0005065b, pf_mask 0xbf, 2024-12-12, rev 0x7002b01, size 30720 + sig 0x000606a6, pf_mask 0x87, 2025-01-07, rev 0xd000404, size 309248 + sig 0x000606c1, pf_mask 0x10, 2025-01-07, rev 0x10002d0, size 300032 + sig 0x000706a8, pf_mask 0x01, 2024-12-05, rev 0x0026, size 76800 + sig 0x000706e5, pf_mask 0x80, 2025-01-07, rev 0x00ca, size 115712 + sig 0x000806c1, pf_mask 0x80, 2024-12-01, rev 0x00bc, size 112640 + sig 0x000806c2, pf_mask 0xc2, 2024-12-01, rev 0x003c, size 99328 + sig 0x000806d1, pf_mask 0xc2, 2024-12-11, rev 0x0056, size 105472 + sig 0x000806ec, pf_mask 0x94, 2024-11-17, rev 0x0100, size 106496 + sig 0x000806f8, pf_mask 0x87, 2025-01-28, rev 0x2b000639, size 591872 + sig 0x000806f7, pf_mask 0x87, 2025-01-28, rev 0x2b000639 + sig 0x000806f6, pf_mask 0x87, 2025-01-28, rev 0x2b000639 + sig 0x000806f5, pf_mask 0x87, 2025-01-28, rev 0x2b000639 + sig 0x000806f4, pf_mask 0x87, 2025-01-28, rev 0x2b000639 + sig 0x000806f8, pf_mask 0x10, 2025-01-28, rev 0x2c0003f7, size 624640 + sig 0x000806f6, pf_mask 0x10, 2025-01-28, rev 0x2c0003f7 + sig 0x000806f5, pf_mask 0x10, 2025-01-28, rev 0x2c0003f7 + sig 0x000806f4, pf_mask 0x10, 2025-01-28, rev 0x2c0003f7 + sig 0x00090672, pf_mask 0x07, 2024-12-12, rev 0x003a, size 226304 + sig 0x00090675, pf_mask 0x07, 2024-12-12, rev 0x003a + sig 0x000b06f2, pf_mask 0x07, 2024-12-12, rev 0x003a + sig 0x000b06f5, pf_mask 0x07, 2024-12-12, rev 0x003a + sig 0x000b06f6, pf_mask 0x07, 2024-12-12, rev 0x003a + sig 0x000b06f7, pf_mask 0x07, 2024-12-12, rev 0x003a + sig 0x000906a3, pf_mask 0x80, 2024-12-12, rev 0x0437, size 224256 + sig 0x000906a4, pf_mask 0x80, 2024-12-12, rev 0x0437 + sig 0x000906a4, pf_mask 0x40, 2024-12-06, rev 0x000a, size 119808 + sig 0x000906ed, pf_mask 0x22, 2024-11-14, rev 0x0104, size 106496 + sig 0x000a0652, pf_mask 0x20, 2024-11-14, rev 0x0100, size 97280 + sig 0x000a0653, pf_mask 0x22, 2024-11-14, rev 0x0100, size 98304 + sig 0x000a0655, pf_mask 0x22, 2024-11-14, rev 0x0100, size 97280 + sig 0x000a0660, pf_mask 0x80, 2024-11-14, rev 0x0102, size 98304 + sig 0x000a0661, pf_mask 0x80, 2024-11-14, rev 0x0100, size 97280 + sig 0x000a0671, pf_mask 0x02, 2024-12-01, rev 0x0064, size 108544 + sig 0x000a06a4, pf_mask 0xe6, 2025-02-13, rev 0x0024, size 140288 + sig 0x000a06f3, pf_mask 0x01, 2025-02-10, rev 0x3000341, size 1542144 + sig 0x000b0671, pf_mask 0x32, 2025-03-17, rev 0x012f, size 219136 + sig 0x000b0674, pf_mask 0x32, 2025-03-17, rev 0x012f + sig 0x000b06a2, pf_mask 0xe0, 2025-01-15, rev 0x4128, size 224256 + sig 0x000b06a3, pf_mask 0xe0, 2025-01-15, rev 0x4128 + sig 0x000b06a8, pf_mask 0xe0, 2025-01-15, rev 0x4128 + sig 0x000b06e0, pf_mask 0x19, 2024-12-06, rev 0x001d, size 139264 + sig 0x000c06f2, pf_mask 0x87, 2025-03-14, rev 0x210002a9, size 563200 + sig 0x000c06f1, pf_mask 0x87, 2025-03-14, rev 0x210002a9 + * Removed microcodes (ES/QS steppings): + sig 0x00050656, pf_mask 0xbf, 2023-07-28, rev 0x4003605, size 38912 + sig 0x000c06f1, pf_mask 0x87, 2025-03-14, rev 0x210002a9 [EXCLUDED] + * Makefile: exclude QS/ES steppings 0x50656, 0xc06f1. + * Makefile: add targets to create split F-M-S /lib/firmware dir + * debian/rules: use new intel-ucode-{fw,fw64} Makefile targets + Removes from the binary package the F-M-S files for extended signatures + that were excluded by IUC_EXCLUDE. + * source: update symlinks to reflect id of the latest release, 20250512 + + -- Henrique de Moraes Holschuh Sat, 17 May 2025 01:35:08 -0300 intel-microcode (3.20250211.1) unstable; urgency=medium diff --git a/debian/rules b/debian/rules index 97c06a5..716614f 100755 --- a/debian/rules +++ b/debian/rules @@ -17,8 +17,10 @@ export DH_ALWAYS_EXCLUDE=CVS:.svn:.git ifneq (,$(filter amd64 x32,$(DEB_HOST_ARCH))) IUCODE_FILE := intel-microcode-64.bin +FWDIR_TARGET := intel-ucode-fw64 else IUCODE_FILE := intel-microcode.bin +FWDIR_TARGET := intel-ucode-fw endif # Work around Debian bug #688794 @@ -32,7 +34,7 @@ override_dh_auto_install: dh_install # split microcode pack - $(IUCODE_TOOL) -q --write-firmware="$(PKGDIR)/usr/lib/firmware/intel-ucode" $(IUCODE_FILE) + $(MAKE) FWDIR="$(PKGDIR)/usr/lib/firmware/intel-ucode" $(FWDIR_TARGET) # apply best-effort blacklist if [ -r debian/ucode-blacklist.txt ] ; then \ diff --git a/debian/tests/initramfs b/debian/tests/initramfs index 2cd833c..32c8bc4 100644 --- a/debian/tests/initramfs +++ b/debian/tests/initramfs @@ -7,6 +7,12 @@ INITRDS=(/boot/initrd.img-*) unmkinitramfs "${INITRDS[0]}" initramfs/ find initramfs/ -test -e initramfs/early/kernel/x86/microcode/GenuineIntel.bin +# Microcode may be extracted under an early/ subdirectory, depending +# on the version of unmkinitramfs +if [ -d initramfs/early ]; then + test -e initramfs/early/kernel/x86/microcode/GenuineIntel.bin +else + test -e initramfs/kernel/x86/microcode/GenuineIntel.bin +fi echo '# everything seems ok' diff --git a/intel-ucode/06-6a-06 b/intel-ucode/06-6a-06 index bdaa4d9..95b45d6 100644 Binary files a/intel-ucode/06-6a-06 and b/intel-ucode/06-6a-06 differ diff --git a/intel-ucode/06-6c-01 b/intel-ucode/06-6c-01 index 3c149ef..b0d2943 100644 Binary files a/intel-ucode/06-6c-01 and b/intel-ucode/06-6c-01 differ diff --git a/intel-ucode/06-8f-07 b/intel-ucode/06-8f-07 index e25c193..8c89d49 100644 Binary files a/intel-ucode/06-8f-07 and b/intel-ucode/06-8f-07 differ diff --git a/intel-ucode/06-8f-08 b/intel-ucode/06-8f-08 index e5e46a5..2e1f105 100644 Binary files a/intel-ucode/06-8f-08 and b/intel-ucode/06-8f-08 differ diff --git a/intel-ucode/06-aa-04 b/intel-ucode/06-aa-04 index 65bc48e..4d273df 100644 Binary files a/intel-ucode/06-aa-04 and b/intel-ucode/06-aa-04 differ diff --git a/intel-ucode/06-ad-01 b/intel-ucode/06-ad-01 index 048474e..fd0fafd 100644 Binary files a/intel-ucode/06-ad-01 and b/intel-ucode/06-ad-01 differ diff --git a/intel-ucode/06-af-03 b/intel-ucode/06-af-03 index 45f7e53..115eb8a 100644 Binary files a/intel-ucode/06-af-03 and b/intel-ucode/06-af-03 differ diff --git a/intel-ucode/06-ba-02 b/intel-ucode/06-ba-02 index 18b4cfc..bf4e0b9 100644 Binary files a/intel-ucode/06-ba-02 and b/intel-ucode/06-ba-02 differ diff --git a/intel-ucode/06-ba-03 b/intel-ucode/06-ba-03 index 18b4cfc..bf4e0b9 100644 Binary files a/intel-ucode/06-ba-03 and b/intel-ucode/06-ba-03 differ diff --git a/intel-ucode/06-bd-01 b/intel-ucode/06-bd-01 index 7e394c6..160d57e 100644 Binary files a/intel-ucode/06-bd-01 and b/intel-ucode/06-bd-01 differ diff --git a/intel-ucode/06-c5-02 b/intel-ucode/06-c5-02 index e27cd5d..dee7196 100644 Binary files a/intel-ucode/06-c5-02 and b/intel-ucode/06-c5-02 differ diff --git a/intel-ucode/06-c6-02 b/intel-ucode/06-c6-02 index e27cd5d..dee7196 100644 Binary files a/intel-ucode/06-c6-02 and b/intel-ucode/06-c6-02 differ diff --git a/intel-ucode/06-cf-02 b/intel-ucode/06-cf-02 index 44ff030..c6c61a3 100644 Binary files a/intel-ucode/06-cf-02 and b/intel-ucode/06-cf-02 differ diff --git a/microcode-20250211.d b/microcode-20250812.d similarity index 100% rename from microcode-20250211.d rename to microcode-20250812.d diff --git a/releasenote.md b/releasenote.md index c1e4821..04a9a70 100644 --- a/releasenote.md +++ b/releasenote.md @@ -1,4 +1,57 @@ # Release Notes +## [microcode-20250812](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250812) + +### Purpose +- Security updates for [INTEL-SA-01249](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01249.html) +- Security updates for [INTEL-SA-01308](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01308.html) +- Security updates for [INTEL-SA-01310](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01310.html) +- Security updates for [INTEL-SA-01311](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01311.html) +- Security updates for [INTEL-SA-01313](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01313.html) +- Security updates for [INTEL-SA-01367](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01367.html) +- Update for functional issues. Refer to [13th/14th Gen Intel® Core™ Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/740518) for details. +- Update for functional issues. Refer to [3rd Gen Intel® Xeon® Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780) for details. +- Update for functional issues. Refer to [4th Gen Intel® Xeon® Scalable Processors Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/772415) for details. +- Update for functional issues. Refer to [5th Gen Intel® Xeon® Scalable Processors Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/793902) for details. +- Update for functional issues. Refer to [6th Gen Intel® Xeon® Scalable Processors Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/835486) for details. +- Update for functional issues. Refer to [Intel® Core™ Ultra 200 V Series Processor](https://cdrdv2.intel.com/v1/dl/getContent/827538) for details. +- Update for functional issues. Refer to [Intel® Core™ Ultra Processor](https://cdrdv2.intel.com/v1/dl/getContent/792254) for details. +- Update for functional issues. Refer to [Intel® Core™ Ultra Processor (Series 2)](https://cdrdv2.intel.com/v1/dl/getContent/834774) for details. +- Update for functional issues. Refer to [Intel® Xeon® 6700-Series Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/820922) for details. +- Update for functional issues. Refer to [Intel® Xeon® D-2700 Processor Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/714071) for details. + + +### New Platforms + +| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products +|:---------------|:---------|:------------|:---------|:---------|:--------- + + +### Updated Platforms + +| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products +|:---------------|:---------|:------------|:---------|:---------|:--------- +| ARL-H | A1 | 06-c5-02/82 | 00000118 | 00000119 | Core Ultra Processor (Series 2) +| ARL-S/HX (8P) | B0 | 06-c6-02/82 | 00000118 | 00000119 | Core Ultra Processor (Series 2) +| EMR-SP | A1 | 06-cf-02/87 | 210002a9 | 210002b3 | Xeon Scalable Gen5 +| GNR-AP/SP | B0 | 06-ad-01/95 | 010003a2 | 010003d0 | Xeon Scalable Gen6 +| GNR-AP/SP | H0 | 06-ad-01/20 | 0a0000d1 | 0a000100 | Xeon Scalable Gen6 +| ICL-D | B0 | 06-6c-01/10 | 010002d0 | 010002e0 | Xeon D-17xx, D-27xx +| ICX-SP | Dx/M1 | 06-6a-06/87 | 0d000404 | 0d000410 | Xeon Scalable Gen3 +| LNL | B0 | 06-bd-01/80 | 0000011f | 00000123 | Core Ultra 200 V Series Processor +| MTL | C0 | 06-aa-04/e6 | 00000024 | 00000025 | Core™ Ultra Processor +| RPL-H/P/PX 6+8 | J0 | 06-ba-02/e0 | 00004128 | 00004129 | Core Gen13 +| RPL-U 2+8 | Q0 | 06-ba-03/e0 | 00004128 | 00004129 | Core Gen13 +| SPR-HBM | Bx | 06-8f-08/10 | 2c0003f7 | 2c000401 | Xeon Max +| SPR-SP | E4/S2 | 06-8f-07/87 | 2b000639 | 2b000643 | Xeon Scalable Gen4 +| SPR-SP | E5/S3 | 06-8f-08/87 | 2b000639 | 2b000643 | Xeon Scalable Gen4 +| SRF-SP | C0 | 06-af-03/01 | 03000341 | 03000362 | Xeon 6700-Series Processors with E-Cores + + +### New Disclosures Updated in Prior Releases + +All ADL, RPL, SPR, EMR, MTL, ARL Microcode patches previously released in May 2025. + + ## [microcode-20250512](https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250512) ### Purpose diff --git a/supplementary-ucode-20250211_BDX-ML.bin b/supplementary-ucode-20250812_BDX-ML.bin similarity index 100% rename from supplementary-ucode-20250211_BDX-ML.bin rename to supplementary-ucode-20250812_BDX-ML.bin