Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

microcodeIntel: 20171117 -> 20170108 (should fix CVE-2017-5715 (Spectre)) #33684

Merged
merged 1 commit into from Jan 10, 2018
Merged

microcodeIntel: 20171117 -> 20170108 (should fix CVE-2017-5715 (Spectre)) #33684

merged 1 commit into from Jan 10, 2018

Conversation

andir
Copy link
Member

@andir andir commented Jan 10, 2018
edited

Motivation for this change

This is a followup of #33563. Since there are now official microcode updates we do no longer need the other PR.

This PR should address CVE-2017-5715 (Spectre) but the changelog is as vauge as always with these:

Intel Processor Microcode Package for Linux
20180108 Release

-- Updates upon 20171117 release --
IVT C0          (06-3e-04:ed) 428->42a
SKL-U/Y D0      (06-4e-03:c0) ba->c2
BDW-U/Y E/F     (06-3d-04:c0) 25->28
HSW-ULT Cx/Dx   (06-45-01:72) 20->21
Crystalwell Cx  (06-46-01:32) 17->18
BDW-H E/G       (06-47-01:22) 17->1b
HSX-EX E0       (06-3f-04:80) 0f->10
SKL-H/S R0      (06-5e-03:36) ba->c2
HSW Cx/Dx       (06-3c-03:32) 22->23
HSX C0          (06-3f-02:6f) 3a->3b
BDX-DE V0/V1    (06-56-02:10) 0f->14
BDX-DE V2       (06-56-03:10) 700000d->7000011
KBL-U/Y H0      (06-8e-09:c0) 62->80
KBL Y0 / CFL D0 (06-8e-0a:c0) 70->80
KBL-H/S B0      (06-9e-09:2a) 5e->80
CFL U0          (06-9e-0a:22) 70->80
CFL B0          (06-9e-0b:02) 72->80
SKX H0          (06-55-04:b7) 2000035->200003c
GLK B0          (06-7a-01:01) 1e->22
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@andir
Copy link
Member Author

andir commented Jan 10, 2018

@GrahamcOfBorg build microcodeIntel

1 similar comment
@grahamc
Copy link
Member

grahamc commented Jan 10, 2018

@GrahamcOfBorg build microcodeIntel

GrahamcOfBorg
GrahamcOfBorg reviewed Jan 10, 2018
View reviewed changes
Copy link

@GrahamcOfBorg GrahamcOfBorg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Failure for system: x86_64-darwin

Package ‘microcode-intel-20180108’ in /nix-test-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/ankhers-mbp/pkgs/os-specific/linux/microcode/intel.nix:29 is not supported on ‘x86_64-darwin’, refusing to evaluate.

a) For `nixos-rebuild` you can set
  { nixpkgs.config.allowBroken = true; }
in configuration.nix to override this.

b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
  { allowBroken = true; }
to ~/.config/nixpkgs/config.nix.

GrahamcOfBorg
GrahamcOfBorg reviewed Jan 10, 2018
View reviewed changes
Copy link

@GrahamcOfBorg GrahamcOfBorg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Success for system: aarch64-linux

size:      16384

installing
3153 blocks
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/yg9fygkav6y111dkdpmgz7y0vcba8ii2-microcode-intel-20180108
strip is /nix/store/c6qj0j45xizkrx58i65j75a5ysmqhgrs-binutils-2.28.1/bin/strip
patching script interpreter paths in /nix/store/yg9fygkav6y111dkdpmgz7y0vcba8ii2-microcode-intel-20180108
checking for references to /build in /nix/store/yg9fygkav6y111dkdpmgz7y0vcba8ii2-microcode-intel-20180108...
/nix/store/yg9fygkav6y111dkdpmgz7y0vcba8ii2-microcode-intel-20180108

GrahamcOfBorg
GrahamcOfBorg reviewed Jan 10, 2018
View reviewed changes
Copy link

@GrahamcOfBorg GrahamcOfBorg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Success for system: x86_64-linux

size:      16384

installing
3153 blocks
post-installation fixup
shrinking RPATHs of ELF executables and libraries in /nix/store/35mxsszgnym3d1r2c304fqd0pjspjjx1-microcode-intel-20180108
strip is /nix/store/wxn5gn8amxm1w0ikcx4gbs8a17wvss4j-binutils-2.28.1/bin/strip
patching script interpreter paths in /nix/store/35mxsszgnym3d1r2c304fqd0pjspjjx1-microcode-intel-20180108
checking for references to /tmp/nix-build-microcode-intel-20180108.drv-0 in /nix/store/35mxsszgnym3d1r2c304fqd0pjspjjx1-microcode-intel-20180108...
/nix/store/35mxsszgnym3d1r2c304fqd0pjspjjx1-microcode-intel-20180108

@adisbladis adisbladis self-assigned this Jan 10, 2018
@andir andir merged commit 3314c42 into NixOS:master Jan 10, 2018
@adisbladis
Copy link
Member

Tested on my laptop (Thinkpad 25 with i7-7500U) and it works fine.
Thanks!

@andir andir deleted the intel-ucode-20180108 branch January 10, 2018 02:40
@andir
Copy link
Member Author

andir commented Jan 10, 2018

Backported in ea1cf95

@harshanarayana harshanarayana mentioned this pull request Jan 10, 2018
Closed
@vcunat vcunat mentioned this pull request Jan 10, 2018
Closed
@samueldr samueldr removed the 9.needs: port to stable A PR needs a backport to the stable release. label Apr 17, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@GrahamcOfBorg GrahamcOfBorg GrahamcOfBorg left review comments

Assignees

@adisbladis adisbladis

Labels
1.severity: security 8.has: package (update) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@andir @grahamc @adisbladis @GrahamcOfBorg @samueldr