Bug 25688 - Update request: microcode-0.20191112-1.mga7.nonfree
Summary: Update request: microcode-0.20191112-1.mga7.nonfree
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK, MGA7-32-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2019-11-13 12:05 CET by Thomas Backlund
Modified: 2019-11-19 22:19 CET (History)
6 users (show)

See Also:
Source RPM: microcode
Status comment:


Description Thomas Backlund 2019-11-13 12:05:50 CET
the microcode side fixes of the Zobmieload series TSX Async Abort and  iITLB Multihit


Comment 1 James Kerr 2019-11-14 16:04:54 CET
on mga7-64

package installed cleanly:

- microcode-0.20191112-1.mga7.nonfree.noarch

$ dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0xd4, date = 2019-08-14
[    0.770736] microcode: sig=0x506e3, pf=0x2, revision=0xd4
[    0.770858] microcode: Microcode Update Driver: v2.2.

No regressions observed

OK for mga7-64 on this system:

Mobo: Dell model: 09WH54 v: UEFI [Legacy]: Dell v: 2.13.1 
CPU: Intel Core i7-6700
Graphics: Intel HD Graphics 530 (Skylake GT2)

CC: (none) => jim

Comment 2 Brian Rockwell 2019-11-14 20:11:54 CET
ON hardware - AMD X3, Nvidia 730GT (390 driver).

$ uname -a
Linux localhost 5.3.7-desktop-4.mga7 #1 SMP Thu Oct 24 20:11:12 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Installed microcode listed above.  It triggered a glibc install as well.

Nov 14 12:59:08 localhost [RPM][17713]: install microcode-0.20191112-1.mga7.nonfree.noarch: success
Nov 14 12:59:08 localhost [RPM][17713]: install glibc-6:2.29-18.mga7.x86_64: success
Nov 14 12:59:08 localhost [RPM][17713]: install glibc-devel-6:2.29-18.mga7.x86_64: success

no regressions

CC: (none) => brtians1

Comment 3 Thomas Andrews 2019-11-15 15:43:52 CET
Installed this in conjunction with a kernel test on a HP Probook 6550b which uses a first-generation i3 processor. Since I used the QA Repo tool to get only the packages I wanted to test, the glibc package in updates-testing was not installed.

Package installed cleanly. After a cold reboot, no regressions noted.

CC: (none) => andrewsfarm

Comment 4 Herman Viaene 2019-11-15 16:28:34 CET
MGA7-64 Plasma on Lenovo B50
No installation issues. Installed this after updating the kernel to 5.3.11.
Nothing special after rebooting, all seems OK.

CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2019-11-15 17:22:32 CET
Installed this in conjunction with a kernel test on an AMD Athlon X2 7750 system. Probably not on the list of affected cpus, but I am reporting that there are no issues, anyway.
Comment 6 Brian Rockwell 2019-11-17 02:26:55 CET
AMD A6 - APU (Radeon R4 graphics) - hardware

installed the following

- kernel-desktop-5.3.11-1.mga7-1-1.mga7.x86_64
- kernel-desktop-latest-5.3.11-1.mga7.x86_64
- microcode-0.20191112-1.mga7.nonfree.noarch

Rebooted the machine


libreoffice, web-browser, networking, suspend mode are all working properly

Seems to be functioning to me.
Comment 7 Len Lawrence 2019-11-17 09:59:42 CET
Mageia7, x86_64
Intel Core i7-4790 (-MT MCP-)
Nvidia GTX970 - nvidia 430.64

This machine has been running with the new microcode for several days - no problems.

CC: (none) => tarazed25

Comment 8 Len Lawrence 2019-11-17 18:02:45 CET
To return to the problem with warm reboots referred to in bug 25696 comment 3:

Downgrading the microcode on the "bad" partition did not help - lots of messages from dracut like:
dracut module 'bootchart' will not be installed <command missing>
dracut module 'systemd' will not be installed , because it is in the list to be omitted!
systemd-initrd needs systemd in the initramfs
dracut module 'network' will not be installed .....

It goes on to build /boot/initrd and the initramfs file.

After that it is impossible to warm reboot.  For that partition every boot has to be a cold one.
Since the problem persists after reverting to the old microcode something else must be causing this.  All that can be done is to reinstall Mageia7 and hope for the best.

Sorry for the noise.
Comment 9 Thomas Backlund 2019-11-19 21:25:42 CET
Advisory, added to svn:

type: security
subject: Updated microcode packages fix security vulnerabilities
 - CVE-2019-0117
 - CVE-2019-11135
 - CVE-2019-11139
 - CVE-2018-12207
     - microcode-0.20191112-1.mga7.nonfree
description: |
  This update provides the Intel 20191112 microcode release that adds the
  microcode side fixes and mitigations for atleast the following security

  A flaw was found in the implementation of SGX around the access control
  of protected memory.  A local attacker of a system with SGX enabled and
  an affected intel GPU with the ability to execute code is able to infer
  the contents of the SGX protected memory (CVE-2019-0117).
  TSX Asynchronous Abort condition on some CPUs utilizing speculative
  execution may allow an authenticated user to potentially enable information
  disclosure via a side channel with local access. (CVE-2019-11135).

  Improper conditions check in the voltage modulation interface for some
  Intel(R) Xeon(R) Scalable Processors may allow a privileged user to
  potentially enable denial of service via local access (CVE-2019-11139).

  Improper invalidation for page table updates by a virtual guest operating
  system for multiple Intel(R) Processors may allow an authenticated user to
  potentially enable denial of service of the host system via local access

  TA Indirect Sharing Erratum (Information Leak)

  Incomplete fixes for previous MDS mitigations (VERW)

  SHUF* instruction implementation flaw (DoS)

  EGETKEY Erratum

  Conditional Jump Macro-fusion (DoS or Privilege Escalation)

  For the software side fixes and mitigations of theese issues, the kernel
  must be updated to 5.3.13-1.mga7 (mga¤25686) or later.
 - https://bugs.mageia.org/show_bug.cgi?id=25688
 - https://bugs.mageia.org/show_bug.cgi?id=25686
 - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00164.html
 - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00210.html
 - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html
 - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00271.html
 - https://www.intel.com/content/www/us/en/support/articles/000055650/processors/intel-xeon-processors.html

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK, MGA7-32-OK
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2019-11-19 22:19:13 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.