Bug 25053 - Update request: microcode-0.20190618-1.mga6/7.nonfree
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6TOO, MGA6-32-OK, MGA6-64-OK, MGA7...
Keywords: advisory, validated_update
Reported: 2019-07-05 17:20 CEST by Thomas Backlund
Modified: 2019-07-10 12:45 CEST

Source RPM: microcode
Description Thomas Backlund 2019-07-05 17:20:19 CEST
Updated microcode package fixes security issue:

Secure Encrypted Virtualization (SEV) on Advanced Micro Devices (AMD) Platform Security Processor (PSP; aka AMD Secure Processor or AMD-SP) 0.17 build 11 and earlier has an insecure cryptographic implementation. This update updates the AMD SEV firmware to 0.17 build 22 (CVE-2019-9836).

It also updates the Intel microcode for the following:
* SNB-E/EN/EP C1/M0 6-2d-6/6d 0000061d->0000061f Xeon E3/E5, Core X
* SNB-E/EN/EP C2/M1 6-2d-7/6d 00000714->00000718 Xeon E3/E5, Core X



SRPMS:
microcode-0.20190618-1.mga6/7.nonfree

i586:
microcode-0.20190618-1.mga6/7.nonfree

x86_64:
microcode-0.20190618-1.mga6/7.nonfree


Note to testers: you can probably only test that it installs cleanly.

This is because the SEV firmware is for AMD Epyc server processors,
and the Intel update is only for Xeon E3/E5, Core X (based on SB-E*, and specific steppings listed above).

Thomas Backlund 2019-07-05 17:20:29 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Len Lawrence 2019-07-05 17:53:21 CEST
mga7, x86_64

Installed the microcode on a Skylake system without any problem.
# rpm -qa | grep microcode
microcode-0.20190618-1.mga7.nonfree
microcode_ctl-2.1-9.mga7
$ sudo journalctl -xe | grep microcode
Jul 05 16:45:51 canopus [RPM][16741]: erase microcode-0.20190514-1.mga7.nonfree.noarch: success
Jul 05 16:46:04 canopus [RPM][16741]: install microcode-0.20190618-1.mga7.nonfree.noarch: success
Jul 05 16:46:04 canopus [RPM][16741]: erase microcode-0.20190514-1.mga7.nonfree.noarch: success
Jul 05 16:46:04 canopus [RPM][16741]: install microcode-0.20190618-1.mga7.nonfree.noarch: success

Strange that it was done twice.
It looks OK but I shall reboot to make sure everything works as before.

CC: (none) => tarazed25

Comment 2 Len Lawrence 2019-07-05 18:00:03 CEST
After reboot:
$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x200005e, date = 2019-04-02
[    1.054235] microcode: sig=0x50654, pf=0x4, revision=0x200005e
[    1.054286] microcode: Microcode Update Driver: v2.2.
[    5.884905] em28xx 1-12:1.0: 	microcode start address = 0x0004, boot configuration = 0x01

Comment 3 Herman Viaene 2019-07-06 13:40:27 CEST
MGA6-32 on IBM Thinkpad R50e
No installation issues.
After update:
# journalctl -xe | grep microcode
jul 06 13:13:41 mach6.hviaene.thuis kernel: microcode: sig=0x6d8, pf=0x20, revision=0x20
jul 06 13:13:41 mach6.hviaene.thuis kernel: microcode: Microcode Update Driver: v2.2.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2019-07-06 13:44:40 CEST
Side note: Just as I did this test, the package appeared as an update on my desktop PC, which I never use for update testing, but the bug is still "New" and no formal OK has been given up to now. A bit strange.

Whiteboard: MGA6TOO => MGA6TOO, MGA6-32-OK

Comment 5 James Kerr 2019-07-07 12:44:31 CEST
On mga7-64

before update:

$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0xcc, date = 2019-04-01
[    0.870594] microcode: sig=0x506e3, pf=0x2, revision=0xcc
[    0.870770] microcode: Microcode Update Driver: v2.2.

package installed cleanly:

- microcode-0.20190618-1.mga7.nonfree.noarch

From the journal:
erase microcode-0.20190514-1.mga7.nonfree.noarch: success
install microcode-0.20190618-1.mga7.nonfree.noarch: success

After re-boot:

$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0xcc, date = 2019-04-01
[    0.869030] microcode: sig=0x506e3, pf=0x2, revision=0xcc
[    0.869253] microcode: Microcode Update Driver: v2.2.

However, after installing an "urgent" BIOS update from Dell:

$ dmesg | grep microcode
[    0.852772] microcode: sig=0x506e3, pf=0x2, revision=0xcc
[    0.852889] microcode: Microcode Update Driver: v2.2.

I assume that the BIOS update has made this version of microcode unnecessary on this machine:

Machine:   Type: Desktop System: Dell product: Precision Tower 3620 
           Mobo: Dell model: 09WH54 v: A00  UEFI [Legacy]: Dell v: 2.13.1 
CPU:       Quad Core model: Intel Core i7-6700 bits: 64 type: MT MCP

CC: (none) => jim
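
Added example (not part of the bug report or of the Mageia package): a small Python check that decodes the `sig=` value from the `dmesg` lines testers posted into the family-model-stepping form used in the description, and reports whether the CPU is one of the two SNB-E entries and which revision it runs. The function names, the reading of the "/6d" suffix as Intel's platform-ID mask, and the constructed SNB-E line are assumptions of the example.

```python
import re

# From the update description: (family, model, stepping) -> (platform mask, new revision).
# The "/6d" suffix is read as Intel's platform-ID mask (release-note "F-M-S/PI" form).
UPDATED = {(0x6, 0x2D, 0x6): (0x6D, 0x61F), (0x6, 0x2D, 0x7): (0x6D, 0x718)}

SIG_LINE = re.compile(r"microcode: sig=0x([0-9a-f]+), pf=0x([0-9a-f]+), revision=0x([0-9a-f]+)")
EARLY_LINE = re.compile(r"microcode: microcode updated early to revision 0x[0-9a-f]+")

def decode_sig(sig):
    """Split a CPUID signature into (family, model, stepping) display values."""
    stepping, model, family = sig & 0xF, (sig >> 4) & 0xF, (sig >> 8) & 0xF
    if family in (0x6, 0xF):          # extended model applies to families 6 and 15
        model |= ((sig >> 16) & 0xF) << 4
    if family == 0xF:                 # extended family applies to family 15 only
        family += (sig >> 20) & 0xFF
    return family, model, stepping

def assess(dmesg_text):
    """Report whether this CPU is one the update targets and what revision it runs."""
    m = SIG_LINE.search(dmesg_text)
    if m is None:                     # e.g. only unrelated "microcode" hits such as em28xx
        return None
    sig, pf, rev = (int(g, 16) for g in m.groups())
    fms = decode_sig(sig)
    mask, target = UPDATED.get(fms, (0, None))
    covered = bool(pf & mask)
    return {
        "fms": "%x-%02x-%x" % fms,
        "revision": rev,
        "early_loaded": EARLY_LINE.search(dmesg_text) is not None,
        "covered": covered,
        "up_to_date": rev >= target if covered else None,
    }

# Lines taken from Comments 2 and 5 of this report.
COMMENT_2 = """[    0.000000] microcode: microcode updated early to revision 0x200005e, date = 2019-04-02
[    1.054235] microcode: sig=0x50654, pf=0x4, revision=0x200005e
[    5.884905] em28xx 1-12:1.0: microcode start address = 0x0004, boot configuration = 0x01"""
COMMENT_5_AFTER_BIOS = "[    0.852772] microcode: sig=0x506e3, pf=0x2, revision=0xcc"
# Constructed line for an SNB-E C2/M1 part still on the old revision.
SNB_E_OLD = "[    0.900000] microcode: sig=0x206d7, pf=0x4, revision=0x714"

if __name__ == "__main__":
    for name, text in (("comment 2", COMMENT_2), ("comment 5", COMMENT_5_AFTER_BIOS), ("snb-e", SNB_E_OLD)):
        print(name, assess(text))
```

A missing "updated early" line with an unchanged revision, as in the last output of Comment 5, shows up here as `early_loaded: False`.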

Comment 6 James Kerr 2019-07-07 12:50:09 CEST
On mga6-64

On the same system I have the same result as reported in comment#5

Comment 7 Rémi Verschelde 2019-07-10 11:38:42 CEST
Installed successfully on Mageia 7 x86_64. I don't have the relevant AMD or Intel hardware to actually test the new microcode.

Whiteboard: MGA6TOO, MGA6-32-OK => MGA6TOO, MGA6-32-OK, MGA6-64-OK, MGA7-64-OK

Comment 8 Rémi Verschelde 2019-07-10 11:40:55 CEST
Advisory uploaded, validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2019-07-10 12:45:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0207.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

