Bug 23457

Summary: Update request: microcode-0.20180807-1.mga6.nonfree
Product: Mageia Reporter: Thomas Backlund <tmb>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: High CC: brtians1, fri, jim, marja11, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: mga6-64-ok, mga6-32-ok
Source RPM: microcode CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 23458, 23459, 23460    

Description Thomas Backlund 2018-08-17 08:51:36 CEST 
Intel finally rolls out its big microcode update...

And it contains updates from Core gen2 and up...

Intel Changelog:
== 20180807 Release ==
-- Updates upon 20180703 release --
Processor             Identifier     Version       Products
Model        Stepping F-MO-S/PI      Old->New
---- new platforms ----------------------------------------
WSM-EP/WS    U1       6-2c-2/03           0000001f Xeon E/L/X56xx, W36xx
NHM-EX       D0       6-2e-6/04           0000000d Xeon E/L/X65xx/75xx
BXT          C0       6-5c-2/01           00000014 Atom T5500/5700
APL          E0       6-5c-a/03           0000000c Atom x5-E39xx
DVN          B0       6-5f-1/01           00000024 Atom C3xxx
---- updated platforms ------------------------------------
NHM-EP/WS    D0       6-1a-5/03 00000019->0000001d Xeon E/L/X/W55xx
NHM          B1       6-1e-5/13 00000007->0000000a Core i7-8xx, i5-7xx; Xeon L3426, X24xx
WSM          B1       6-25-2/12 0000000e->00000011 Core i7-6xx, i5-6xx/4xxM, i3-5xx/3xxM, Pentium G69xx, Celeon P45xx; Xeon L3406
WSM          K0       6-25-5/92 00000004->00000007 Core i7-6xx, i5-6xx/5xx/4xx, i3-5xx/3xx, Pentium G69xx/P6xxx/U5xxx, Celeron P4xxx/U3xxx
SNB          D2       6-2a-7/12 0000002d->0000002e Core Gen2; Xeon E3
WSM-EX       A2       6-2f-2/05 00000037->0000003b Xeon E7
IVB          E2       6-3a-9/12 0000001f->00000020 Core Gen3 Mobile
HSW-H/S/E3   Cx/Dx    6-3c-3/32 00000024->00000025 Core Gen4 Desktop; Xeon E3 v3
BDW-U/Y      E/F      6-3d-4/c0 0000002a->0000002b Core Gen5 Mobile
HSW-ULT      Cx/Dx    6-45-1/72 00000023->00000024 Core Gen4 Mobile and derived Pentium/Celeron
HSW-H        Cx       6-46-1/32 00000019->0000001a Core Extreme i7-5xxxX
BDW-H/E3     E/G      6-47-1/22 0000001d->0000001e Core i5-5xxxR/C, i7-5xxxHQ/EQ; Xeon E3 v4
SKL-U/Y      D0       6-4e-3/c0 000000c2->000000c6 Core Gen6 Mobile
BDX-DE       V1       6-56-2/10 00000015->00000017 Xeon D-1520/40
BDX-DE       V2/3     6-56-3/10 07000012->07000013 Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
BDX-DE       Y0       6-56-4/10 0f000011->0f000012 Xeon D-1557/59/67/71/77/81/87
APL          D0       6-5c-9/03 0000002c->00000032 Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
SKL-H/S/E3   R0       6-5e-3/36 000000c2->000000c6 Core Gen6; Xeon E3 v5
GLK          B0       6-7a-1/01 00000022->00000028 Pentium Silver N/J5xxx, Celeron N/J4xxx
KBL-U/Y      H0       6-8e-9/c0 00000084->0000008e Core Gen7 Mobile
CFL-U43e     D0       6-8e-a/c0 00000084->00000096 Core Gen8 Mobile
KBL-H/S/E3   B0       6-9e-9/2a 00000084->0000008e Core Gen7; Xeon E3 v6
CFL-H/S/E3   U0       6-9e-a/22 00000084->00000096 Core Gen8
CFL-H/S/E3   B0       6-9e-b/02 00000084->0000008e Core Gen8 Desktop


(S)RPM:
microcode-0.20180807-1.mga6.nonfree
Thomas Backlund 2018-08-17 18:41:31 CEST

Blocks: (none) => 23458

Thomas Backlund 2018-08-17 18:41:45 CEST

Blocks: (none) => 23459

Thomas Backlund 2018-08-17 18:41:51 CEST

Blocks: (none) => 23460

Comment 1 Thomas Backlund 2018-08-17 23:01:42 CEST 
Advisory, added to svn:


type: security
subject: Updated microcode packages fix security vulnerabilities
CVE:
 - CVE-2018-3615
 - CVE-2018-3620
 - CVE-2018-3646
src:
  6:
   nonfree:
     - microcode-0.20180807-1.mga6.nonfree
description: |
  This microcode update provides the Intel 20180807 microcode release
  that adds the processor microcode side of fixes and mitigations for
  the now publically known security issue affected Intel processors
  called L1 Terminal Fault (L1TF) for most Intel processors since
  Intel Core gen2:

  Systems with microprocessors utilizing speculative execution and Intel
  Software Guard Extensions (Intel SGX) may allow unauthorized disclosure
  of information residing in the L1 data cache from an enclave to an
  attacker with local user access via side-channel analysis (CVE-2018-3615).

  Systems with microprocessors utilizing speculative execution and address
  translations may allow unauthorized disclosure of information residing in
  the L1 data cache to an attacker with local user access via a terminal
  page fault and side-channel analysis (CVE-2018-3620).

  Systems with microprocessors utilizing speculative execution and address
  translations may allow unauthorized disclosure of information residing in
  the L1 data cache to an attacker with local user access with guest OS
  privilege via a terminal page fault and side-channel analysis
  (CVE-2018-3646).

  The impact of the L1TF security issues:
  * Malicious applications may be able to infer the values of data in the
    operating system memory, or data from other applications.
  * A malicious guest virtual machine (VM) may be able to infer the values
    of data in the VMM’s memory, or values of data in the memory of other
    guest VMs.
  * Malicious software running outside of SMM may be able to infer values
    of data in SMM memory.
  * Malicious software running outside of an Intel® SGX enclave or within an
    enclave may be able to infer data from within another Intel SGX enclave.

  NOTE! You also need to install one of the 4.14.64 based kernel updates
  to get the current operating system side set of fixes and mitigations
  for L1TF. That means either kernel (mga#23458), kernel-tmb (mga#23459)
  or kernel-linus (mga#23460).

  For more detailed info about the microcode and a list of processors,
  see the referenced changelog.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23457
 - https://bugs.mageia.org/show_bug.cgi?id=23458
 - https://bugs.mageia.org/show_bug.cgi?id=23459
 - https://bugs.mageia.org/show_bug.cgi?id=23460
 - https://downloadcenter.intel.com/download/28039/Linux-Processor-Microcode-Data-File
 - https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
 - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

Severity: normal => critical
Keywords: (none) => advisory
Priority: Normal => High

Comment 2 Thomas Backlund 2018-08-18 12:24:30 CEST 
Works here on x86_64 Intel KabyLake laptop and Mageia infra servers
Comment 3 Brian Rockwell 2018-08-18 14:53:34 CEST 
AMD x2-3800, nvidia 6150le (304 driver).

Working

CC: (none) => brtians1

Comment 4 Morgan Leijström 2018-08-18 22:10:33 CEST 
OK on my workstation: i7-2600K see bug 23458#c19 
https://bugs.mageia.org/show_bug.cgi?id=23458#c19

CC: (none) => fri

Comment 5 Marja Van Waes 2018-08-18 22:14:30 CEST 
No regressions seen on an old ThinkPad SL510 with just as old Intel Core2 processor (x86_64 install).

CC: (none) => marja11

Comment 6 Brian Rockwell 2018-08-19 00:29:41 CEST 
Intel video and m350 processor

- cpupower-4.14.65-1.mga6.x86_64
- kernel-desktop-4.14.65-1.mga6-1-1.mga6.x86_64
- kernel-desktop-latest-4.14.65-1.mga6.x86_64
- microcode-0.20180807-1.mga6.nonfree.noarch

working fine.
Comment 7 Morgan Leijström 2018-08-19 05:20:47 CEST 
Also OK on my Thinkpad T60
https://bugs.mageia.org/show_bug.cgi?id=23458#c26

And our more modern Asus Aspire7
https://bugs.mageia.org/show_bug.cgi?id=23458#c28
Comment 8 James Kerr 2018-08-19 12:12:16 CEST 
Machine:   Device: desktop System: Dell product: Precision Tower 3620
           Mobo: Dell model: 09WH54 v: A00 UEFI [Legacy]: Dell v: 2.11.0 
CPU:       Quad core Intel Core i7-6700 (-HT-MCP-)
Graphics:  Card: Intel HD Graphics 530

$ rpm -q microcode
microcode-0.20180807-1.mga6.nonfree

OK on mga6-64 plasma

CC: (none) => jim

Comment 9 Thomas Backlund 2018-08-19 13:00:48 CEST 
Enough tests...

Validating and flushing out due to the severity

Keywords: (none) => validated_update
Whiteboard: (none) => mga6-64-ok, mga6-32-ok
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2018-08-19 13:25:48 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0344.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED