Ubuntu
intel-microcode package

intel-microcode: update to 20180703 drop

  1. Xenial (16.04)
  2. Bug #1783385
Bug #1783385 reported by Steve Beattie
262
This bug affects 2 people
Affects Status Importance Assigned to Milestone
intel-microcode (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Fix Released
Undecided
Steve Beattie
Xenial
Fix Released
Undecided
Steve Beattie
Bionic
Fix Released
Undecided
Steve Beattie

Bug Description

Intel has released a new version of their microcode, that starts to address Rogue System Register Read (RSRE, aka Spectre Variant 3a, CVE-2018-3640) and Speculative Store Bypass (SSB, aka Spectre Variant 4, CVE-2018-3639).

Reference: https://downloadcenter.intel.com/download/27945/Linux-Processor-Microcode-Data-File

CVE References

Revision history for this message
Steve Beattie (sbeattie) wrote :

This was fixed in cosmic in https://launchpad.net/ubuntu/+source/intel-microcode/3.20180703.2ubuntu1 ; pacakge for trusty, xenial, and bionic are available for testing in the ubuntu-security-proposed ppa: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ . Please note that packages in this ppa are for testing only and have not been widely tested, and thus should not be used in production.

Thanks.

Changed in intel-microcode (Ubuntu):
status: New → Fix Released
Changed in intel-microcode (Ubuntu Trusty):
status: New → In Progress
Changed in intel-microcode (Ubuntu Xenial):
status: New → In Progress
Changed in intel-microcode (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Steve Beattie (sbeattie)
Changed in intel-microcode (Ubuntu Xenial):
assignee: nobody → Steve Beattie (sbeattie)
Changed in intel-microcode (Ubuntu Trusty):
assignee: nobody → Steve Beattie (sbeattie)
Revision history for this message
Danny Gershman (radius314) wrote :

Any update on the testing effort? The timeline on a release?

Revision history for this message
Markus Schade (lp-markusschade) wrote :

We have been running this microcode on Xenial in production for the last month on a few hundred SNB, IVB, HSW, BDW and SKL systems without seeing any regression.

Seems like Intel has gotten it right this time on the first try.

Revision history for this message
Markus Schade (lp-markusschade) wrote :

Since the L1TF has been disclosed yesterday, the update has become even more urgent. The MCU also contains the necessary mitigations for SGX as well.

Revision history for this message
Markus Schade (lp-markusschade) wrote :

As the 20180807 MCU can currently not be distributed due to licensing issues, this update is even more important as it at least provides the SSBD and L1TF fixes for server CPUs.

Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (4.4 KiB)

This bug was fixed in the package intel-microcode - 3.20180807a.0ubuntu0.16.04.1

---------------
intel-microcode (3.20180807a.0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: New upstream microcode update to provide L1D cache
    flush support to mitigate L1TF (CVE-2018-3646)
    - New Microcodes:
      sig 0x000206e6, pf_mask 0x04, 2018-05-15, rev 0x000d, size 9216
      sig 0x000506c2, pf_mask 0x01, 2018-05-11, rev 0x0014, size 15360
      sig 0x000506ca, pf_mask 0x03, 2018-05-11, rev 0x000c, size 14336
      sig 0x000506f1, pf_mask 0x01, 2018-05-11, rev 0x0024, size 10240
    - Updated Microcodes:
      sig 0x000106a5, pf_mask 0x03, 2018-05-11, rev 0x001d, size 12288
      sig 0x000106e5, pf_mask 0x13, 2018-05-08, rev 0x000a, size 9216
      sig 0x00020652, pf_mask 0x12, 2018-05-08, rev 0x0011, size 9216
      sig 0x00020655, pf_mask 0x92, 2018-04-23, rev 0x0007, size 4096
      sig 0x000206a7, pf_mask 0x12, 2018-04-10, rev 0x002e, size 12288
      sig 0x000206f2, pf_mask 0x05, 2018-05-16, rev 0x003b, size 14336
      sig 0x000306a9, pf_mask 0x12, 2018-04-10, rev 0x0020, size 13312
      sig 0x000306c3, pf_mask 0x32, 2018-04-02, rev 0x0025, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2018-03-22, rev 0x002b, size 18432
      sig 0x00040651, pf_mask 0x72, 2018-04-02, rev 0x0024, size 22528
      sig 0x00040661, pf_mask 0x32, 2018-04-02, rev 0x001a, size 25600
      sig 0x00040671, pf_mask 0x22, 2018-04-03, rev 0x001e, size 13312
      sig 0x000406e3, pf_mask 0xc0, 2018-04-17, rev 0x00c6, size 99328
      sig 0x00050662, pf_mask 0x10, 2018-05-25, rev 0x0017, size 31744
      sig 0x00050663, pf_mask 0x10, 2018-04-20, rev 0x7000013, size 22528
      sig 0x00050664, pf_mask 0x10, 2018-04-20, rev 0xf000012, size 22528
      sig 0x000506c9, pf_mask 0x03, 2018-05-11, rev 0x0032, size 16384
      sig 0x000506e3, pf_mask 0x36, 2018-04-17, rev 0x00c6, size 99328
      sig 0x000706a1, pf_mask 0x01, 2018-05-22, rev 0x0028, size 73728
      sig 0x000806e9, pf_mask 0xc0, 2018-03-24, rev 0x008e, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-05-15, rev 0x0096, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2018-03-24, rev 0x008e, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-05-02, rev 0x0096, size 97280
      sig 0x000906eb, pf_mask 0x02, 2018-03-24, rev 0x008e, size 98304
    - Added back upstream but blacklisted by packaging due to the issues
      around addressing Intel SA-00030:
      sig 0x000206c2, pf_mask 0x03, 2018-05-08, rev 0x001f, size 11264
  * Remaining changes from Debian:
    - debian/initramfs.hook: Default to early instead of auto, and
      install all of the microcode, not just the one matching the
      current CPU, if MODULES=most is set in the initramfs-tools config

intel-microcode (3.20180703.2ubuntu1) cosmic; urgency=low

  * Merge from Debian unstable (LP: #1783385). Remaining changes:
    - debian/initramfs.hook: Default to early instead of auto, and
      install all of the microcode, not just the one matching the
      current CPU, if MODULES=most is set in the initramfs-tools config

intel-microcode (3.20180703.2) unstable; urgency=medium

  * source: fix badly named symlink that result...

Read more...

Changed in intel-microcode (Ubuntu Xenial):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (4.4 KiB)

This bug was fixed in the package intel-microcode - 3.20180807a.0ubuntu0.14.04.1

---------------
intel-microcode (3.20180807a.0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: New upstream microcode update to provide L1D cache
    flush support to mitigate L1TF (CVE-2018-3646)
    - New Microcodes:
      sig 0x000206e6, pf_mask 0x04, 2018-05-15, rev 0x000d, size 9216
      sig 0x000506c2, pf_mask 0x01, 2018-05-11, rev 0x0014, size 15360
      sig 0x000506ca, pf_mask 0x03, 2018-05-11, rev 0x000c, size 14336
      sig 0x000506f1, pf_mask 0x01, 2018-05-11, rev 0x0024, size 10240
    - Updated Microcodes:
      sig 0x000106a5, pf_mask 0x03, 2018-05-11, rev 0x001d, size 12288
      sig 0x000106e5, pf_mask 0x13, 2018-05-08, rev 0x000a, size 9216
      sig 0x00020652, pf_mask 0x12, 2018-05-08, rev 0x0011, size 9216
      sig 0x00020655, pf_mask 0x92, 2018-04-23, rev 0x0007, size 4096
      sig 0x000206a7, pf_mask 0x12, 2018-04-10, rev 0x002e, size 12288
      sig 0x000206f2, pf_mask 0x05, 2018-05-16, rev 0x003b, size 14336
      sig 0x000306a9, pf_mask 0x12, 2018-04-10, rev 0x0020, size 13312
      sig 0x000306c3, pf_mask 0x32, 2018-04-02, rev 0x0025, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2018-03-22, rev 0x002b, size 18432
      sig 0x00040651, pf_mask 0x72, 2018-04-02, rev 0x0024, size 22528
      sig 0x00040661, pf_mask 0x32, 2018-04-02, rev 0x001a, size 25600
      sig 0x00040671, pf_mask 0x22, 2018-04-03, rev 0x001e, size 13312
      sig 0x000406e3, pf_mask 0xc0, 2018-04-17, rev 0x00c6, size 99328
      sig 0x00050662, pf_mask 0x10, 2018-05-25, rev 0x0017, size 31744
      sig 0x00050663, pf_mask 0x10, 2018-04-20, rev 0x7000013, size 22528
      sig 0x00050664, pf_mask 0x10, 2018-04-20, rev 0xf000012, size 22528
      sig 0x000506c9, pf_mask 0x03, 2018-05-11, rev 0x0032, size 16384
      sig 0x000506e3, pf_mask 0x36, 2018-04-17, rev 0x00c6, size 99328
      sig 0x000706a1, pf_mask 0x01, 2018-05-22, rev 0x0028, size 73728
      sig 0x000806e9, pf_mask 0xc0, 2018-03-24, rev 0x008e, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-05-15, rev 0x0096, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2018-03-24, rev 0x008e, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-05-02, rev 0x0096, size 97280
      sig 0x000906eb, pf_mask 0x02, 2018-03-24, rev 0x008e, size 98304
    - Added back upstream but blacklisted by packaging due to the issues
      around addressing Intel SA-00030:
      sig 0x000206c2, pf_mask 0x03, 2018-05-08, rev 0x001f, size 11264
  * Remaining changes from Debian:
    - debian/initramfs.hook: Default to early instead of auto, and
      install all of the microcode, not just the one matching the
      current CPU, if MODULES=most is set in the initramfs-tools config

intel-microcode (3.20180703.2ubuntu1) cosmic; urgency=low

  * Merge from Debian unstable (LP: #1783385). Remaining changes:
    - debian/initramfs.hook: Default to early instead of auto, and
      install all of the microcode, not just the one matching the
      current CPU, if MODULES=most is set in the initramfs-tools config

intel-microcode (3.20180703.2) unstable; urgency=medium

  * source: fix badly named symlink that result...

Read more...

Changed in intel-microcode (Ubuntu Trusty):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (4.4 KiB)

This bug was fixed in the package intel-microcode - 3.20180807a.0ubuntu0.18.04.1

---------------
intel-microcode (3.20180807a.0ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: New upstream microcode update to provide L1D cache
    flush support to mitigate L1TF (CVE-2018-3646)
    - New Microcodes:
      sig 0x000206e6, pf_mask 0x04, 2018-05-15, rev 0x000d, size 9216
      sig 0x000506c2, pf_mask 0x01, 2018-05-11, rev 0x0014, size 15360
      sig 0x000506ca, pf_mask 0x03, 2018-05-11, rev 0x000c, size 14336
      sig 0x000506f1, pf_mask 0x01, 2018-05-11, rev 0x0024, size 10240
    - Updated Microcodes:
      sig 0x000106a5, pf_mask 0x03, 2018-05-11, rev 0x001d, size 12288
      sig 0x000106e5, pf_mask 0x13, 2018-05-08, rev 0x000a, size 9216
      sig 0x00020652, pf_mask 0x12, 2018-05-08, rev 0x0011, size 9216
      sig 0x00020655, pf_mask 0x92, 2018-04-23, rev 0x0007, size 4096
      sig 0x000206a7, pf_mask 0x12, 2018-04-10, rev 0x002e, size 12288
      sig 0x000206f2, pf_mask 0x05, 2018-05-16, rev 0x003b, size 14336
      sig 0x000306a9, pf_mask 0x12, 2018-04-10, rev 0x0020, size 13312
      sig 0x000306c3, pf_mask 0x32, 2018-04-02, rev 0x0025, size 23552
      sig 0x000306d4, pf_mask 0xc0, 2018-03-22, rev 0x002b, size 18432
      sig 0x00040651, pf_mask 0x72, 2018-04-02, rev 0x0024, size 22528
      sig 0x00040661, pf_mask 0x32, 2018-04-02, rev 0x001a, size 25600
      sig 0x00040671, pf_mask 0x22, 2018-04-03, rev 0x001e, size 13312
      sig 0x000406e3, pf_mask 0xc0, 2018-04-17, rev 0x00c6, size 99328
      sig 0x00050662, pf_mask 0x10, 2018-05-25, rev 0x0017, size 31744
      sig 0x00050663, pf_mask 0x10, 2018-04-20, rev 0x7000013, size 22528
      sig 0x00050664, pf_mask 0x10, 2018-04-20, rev 0xf000012, size 22528
      sig 0x000506c9, pf_mask 0x03, 2018-05-11, rev 0x0032, size 16384
      sig 0x000506e3, pf_mask 0x36, 2018-04-17, rev 0x00c6, size 99328
      sig 0x000706a1, pf_mask 0x01, 2018-05-22, rev 0x0028, size 73728
      sig 0x000806e9, pf_mask 0xc0, 2018-03-24, rev 0x008e, size 98304
      sig 0x000806ea, pf_mask 0xc0, 2018-05-15, rev 0x0096, size 98304
      sig 0x000906e9, pf_mask 0x2a, 2018-03-24, rev 0x008e, size 98304
      sig 0x000906ea, pf_mask 0x22, 2018-05-02, rev 0x0096, size 97280
      sig 0x000906eb, pf_mask 0x02, 2018-03-24, rev 0x008e, size 98304
    - Added back upstream but blacklisted by packaging due to the issues
      around addressing Intel SA-00030:
      sig 0x000206c2, pf_mask 0x03, 2018-05-08, rev 0x001f, size 11264
  * Remaining changes from Debian:
    - debian/initramfs.hook: Default to early instead of auto, and
      install all of the microcode, not just the one matching the
      current CPU, if MODULES=most is set in the initramfs-tools config

intel-microcode (3.20180703.2ubuntu1) cosmic; urgency=low

  * Merge from Debian unstable (LP: #1783385). Remaining changes:
    - debian/initramfs.hook: Default to early instead of auto, and
      install all of the microcode, not just the one matching the
      current CPU, if MODULES=most is set in the initramfs-tools config

intel-microcode (3.20180703.2) unstable; urgency=medium

  * source: fix badly named symlink that result...

Read more...

Changed in intel-microcode (Ubuntu Bionic):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Related questions

Remote bug watches

Bug watches keep track of this bug in other bug trackers.