Bug 25053

Summary: Update request: microcode-0.20190618-1.mga6/7.nonfree
Product: Mageia
Reporter: Thomas Backlund <tmb>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: herman.viaene, jim, sysadmin-bugs, tarazed25
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6TOO, MGA6-32-OK, MGA6-64-OK, MGA7-64-OK
Source RPM: microcode
CVE:
Status comment:

Description Thomas Backlund 2019-07-05 17:20:19 CEST
Updated microcode package fixes security issue:

Secure Encrypted Virtualization (SEV) on Advanced Micro Devices (AMD) Platform Security Processor (PSP; aka AMD Secure Processor or AMD-SP) 0.17 build 11 and earlier has an insecure cryptographic implementation. This update provides AMD SEV firmware 0.17 build 22 (CVE-2019-9836).

It also updates the Intel microcode for the following:
* SNB-E/EN/EP C1/M0 6-2d-6/6d 0000061d->0000061f Xeon E3/E5, Core X
* SNB-E/EN/EP C2/M1 6-2d-7/6d 00000714->00000718 Xeon E3/E5, Core X



SRPMS:
microcode-0.20190618-1.mga6/7.nonfree

i586:
microcode-0.20190618-1.mga6/7.nonfree

x86_64:
microcode-0.20190618-1.mga6/7.nonfree


Note to testers: you can probably only test that it installs cleanly.

This is because the SEV firmware is for AMD Epyc Server processors, and the Intel update is only for Xeon E3/E5, Core X (based on SB-E*, and the specific steppings listed above).

Thomas Backlund 2019-07-05 17:20:29 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Len Lawrence 2019-07-05 17:53:21 CEST
mga7, x86_64

Installed the microcode on a Skylake system without any problem.
# rpm -qa | grep microcode
microcode-0.20190618-1.mga7.nonfree
microcode_ctl-2.1-9.mga7
$ sudo journalctl -xe | grep microcode
Jul 05 16:45:51 canopus [RPM][16741]: erase microcode-0.20190514-1.mga7.nonfree.noarch: success
Jul 05 16:46:04 canopus [RPM][16741]: install microcode-0.20190618-1.mga7.nonfree.noarch: success
Jul 05 16:46:04 canopus [RPM][16741]: erase microcode-0.20190514-1.mga7.nonfree.noarch: success
Jul 05 16:46:04 canopus [RPM][16741]: install microcode-0.20190618-1.mga7.nonfree.noarch: success

Strange that it was done twice.
It looks OK but I shall reboot to make sure everything works as before.

CC: (none) => tarazed25

Comment 2 Len Lawrence 2019-07-05 18:00:03 CEST
After reboot:
$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x200005e, date = 2019-04-02
[    1.054235] microcode: sig=0x50654, pf=0x4, revision=0x200005e
[    1.054286] microcode: Microcode Update Driver: v2.2.
[    5.884905] em28xx 1-12:1.0: 	microcode start address = 0x0004, boot configuration = 0x01

Comment 3 Herman Viaene 2019-07-06 13:40:27 CEST
MGA6-32 on IBM Thinkpad R50e
No installation issues.
After update:
# journalctl -xe | grep microcode
jul 06 13:13:41 mach6.hviaene.thuis kernel: microcode: sig=0x6d8, pf=0x20, revision=0x20
jul 06 13:13:41 mach6.hviaene.thuis kernel: microcode: Microcode Update Driver: v2.2.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2019-07-06 13:44:40 CEST
Side note: Just as I did this test, the package appeared as an update on my desktop PC, which I never use for update testing, but the bug is still "New" and no formal OK has been given up to now. A bit strange.

Whiteboard: MGA6TOO => MGA6TOO, MGA6-32-OK

Comment 5 James Kerr 2019-07-07 12:44:31 CEST
On mga7-64

before update:

$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0xcc, date = 2019-04-01
[    0.870594] microcode: sig=0x506e3, pf=0x2, revision=0xcc
[    0.870770] microcode: Microcode Update Driver: v2.2.

package installed cleanly:

- microcode-0.20190618-1.mga7.nonfree.noarch

From the journal:
erase microcode-0.20190514-1.mga7.nonfree.noarch: success
install microcode-0.20190618-1.mga7.nonfree.noarch: success

After re-boot:

$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0xcc, date = 2019-04-01
[    0.869030] microcode: sig=0x506e3, pf=0x2, revision=0xcc
[    0.869253] microcode: Microcode Update Driver: v2.2.

However, after installing an "urgent" BIOS update from Dell:

$ dmesg | grep microcode
[    0.852772] microcode: sig=0x506e3, pf=0x2, revision=0xcc
[    0.852889] microcode: Microcode Update Driver: v2.2.

I assume that the BIOS update has made this version of microcode unnecessary on this machine:

Machine:   Type: Desktop System: Dell product: Precision Tower 3620 
           Mobo: Dell model: 09WH54 v: A00  UEFI [Legacy]: Dell v: 2.13.1 
CPU:       Quad Core model: Intel Core i7-6700 bits: 64 type: MT MCP

CC: (none) => jim

Comment 6 James Kerr 2019-07-07 12:50:09 CEST
On mga6-64

On the same system I have the same result as reported in comment#5

Comment 7 Rémi Verschelde 2019-07-10 11:38:42 CEST
Installed successfully on Mageia 7 x86_64. I don't have the relevant AMD or Intel hardware to actually test the new microcode.

Whiteboard: MGA6TOO, MGA6-32-OK => MGA6TOO, MGA6-32-OK, MGA6-64-OK, MGA7-64-OK

Comment 8 Rémi Verschelde 2019-07-10 11:40:55 CEST
Advisory uploaded, validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2019-07-10 12:45:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0207.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
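
Added example, not part of the bug report or of Mageia's tooling: a shell helper that decodes the `sig=` value from the kernel's microcode line into family-model-stepping and checks it against the two Intel entries in the description (6-2d-6 and 6-2d-7), which shows why none of the testers' machines could exercise the new Intel blobs. The function names `sig_to_fms` and `summarize_microcode` are hypothetical, and the log line format is assumed to be the one shown in the comments above.

```shell
#!/bin/sh
# Added example (not from the bug report): read `dmesg | grep microcode` output.

# F-M-S values of the two Intel entries in the advisory (6-2d-6 and 6-2d-7).
ADVISORY_FMS="6-2d-6 6-2d-7"

# Decode a CPUID signature (the sig= value) into family-model-stepping.
sig_to_fms() (
    hex=${1#0x}
    # Accept hex digits only: the value comes from log text.
    case $hex in ''|*[!0-9a-fA-F]*) exit 1 ;; esac
    sig=$(( 0x$hex ))
    stepping=$(( sig & 0xf ))
    model=$(( (sig >> 4) & 0xf ))
    family=$(( (sig >> 8) & 0xf ))
    # The extended model field counts for families 6 and 15,
    # the extended family field only for family 15.
    if [ "$family" -eq 6 ] || [ "$family" -eq 15 ]; then
        model=$(( (((sig >> 16) & 0xf) << 4) | model ))
    fi
    if [ "$family" -eq 15 ]; then
        family=$(( family + ((sig >> 20) & 0xff) ))
    fi
    printf '%x-%02x-%x\n' "$family" "$model" "$stepping"
)

# Summarize kernel microcode lines read from stdin.
summarize_microcode() (
    input=$(cat)
    sig=$(printf '%s\n' "$input" |
        sed -n 's/.*microcode: sig=\(0x[0-9a-fA-F]*\),.*/\1/p' | head -n 1)
    rev=$(printf '%s\n' "$input" |
        sed -n 's/.*microcode: sig=.*revision=\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1)
    fms=$(sig_to_fms "$sig") || { echo "no usable sig= line"; exit 1; }
    early=no
    if printf '%s\n' "$input" | grep -q 'microcode updated early to revision'; then
        early=yes
    fi
    listed=no
    case " $ADVISORY_FMS " in *" $fms "*) listed=yes ;; esac
    echo "fms=$fms revision=$rev early_update=$early in_advisory_list=$listed"
)

# Sample input: the post-reboot lines from comment 5 (timestamps kept as posted).
summarize_microcode <<'EOF'
[    0.000000] microcode: microcode updated early to revision 0xcc, date = 2019-04-01
[    0.869030] microcode: sig=0x506e3, pf=0x2, revision=0xcc
EOF
```

On a live system the same summary comes from `dmesg | grep microcode | summarize_microcode`; `early_update=no` means the kernel did not log an early update during that boot.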