retitle 907402 intel-microcode: sig 0x206c2 (2nd Gen i7, Xeon 5600) update 
missing
thanks

> Then I checked the contents of the package and I noticed that the
> microcode file (intel-ucode/06-2c-02) for my CPU (Xeon E5620) is
> missing.  This microcode is present in the archive
> (microcode-20180807.tgz) downloaded from Intel's site and can be
> loaded manually.
> 
> Is this intentional and should we expect a new package with additional
> microcodes included?

Yes, it is intentional.

The text for Intel SA-00030 makes it clear that some platforms are not
to have that specific microcode updated without the corresponding BIOS
update, as the microcode requires an up-to-date SINIT ACM (Intel
TXT/vPRO firmware component).

When you update just the microcode in such a machine, according to my
reading of the text in the Intel SA-00030 advisory, it will disable
Intel TXT until you somehow manage to update the BIOS.  Worse, that
change cannot be undone by just removing the microcode update: it
supposedly modifies the contents of the platform TPM, which is a
persistent change that cannot be undone.

If the BIOS is using Intel TXT to implement secure boot, that may brick
the machine since it will disable Intel TXT, etc.   If the BIOS is not
in secure mode, it should not cause issues -- but this is *not* certain.

References:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00030.html

Intel SA-00030 excerpt:

  Recommendations: 

    [...] If your BIOS includes an SINIT ACM, which is more common for
    Intel® TXT server platforms, a BIOS update that includes the updated
    SINIT ACM should be installed; please contact your platform OEM.
    Intel is also providing microcode updates, which will revoke
    vulnerable SINIT ACMs by causing GETSEC[SENTER] to fail.  The BIOS
    update that contains the new microcode patch should be installed on
    all affected systems. Note that prior to installing the microcode
    update, an updated SINIT ACM must be installed to launch your Intel
    TXT enabled software.  Contact your solutions provider or Intel®TXT
    software vendor if your Intel®TXT environment fails to launch and to
    determine how to update your software with the new SINIT ACM. Intel
    highly recommends that these updates be applied to mitigate this
    issue.

Evidently, just about everyone else is distributing this microcode
update (0x206c2) since Intel did finally include it in a public
distribution (after a hiatus of *years* refusing to distribute any of
the dozens of microcode updates 0x206c2 had in the meantime, and those
were *security* fixes that they distributed for several other processors
including 1st gen i7 and Xeon 5500).

The fact is that Debian has had that blacklisting in place for a while
now, and Intel for a long time acted as if that microcode update was
something not to be trifled with.  There is no way we can simply remove
it without being reasonably sure it is safe to do so.

If you are *not* using Intel TXT in your 2nd gen Core i7 or Xeon 5600
(as in: it is not present at all, or it is very much *disabled* in the
BIOS *and* all secure-<anything> is also disabled in the BIOS) as far as
I know it should be reasonably safe to manually add the 0x206c2 update
to "/usr/share/misc/intel-microcode-206c2.bin".  The intel-microcode
package will detect and use it (issue "update-initramfs -u" to refresh
the microcode in the initramfs).  If you do this, please ensure that
data file is owned by root, and can only be written to by root.

-- 
  Henrique Holschuh
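
A check for the manually added data file described in the last paragraph of the message above, as an added example that is not part of the original message or of the intel-microcode package. It assumes the file is in Intel's binary microcode format (as intel-ucode/06-2c-02 is) and inspects only the first update in it; the helper names are hypothetical and the sample blob is constructed, not real microcode.

```python
import os
import stat
import struct

EXPECTED_SIG = 0x206C2             # processor signature named in the message
HEADER = struct.Struct("<9I12x")   # 48-byte Intel microcode update header

def check_perms(uid, mode):
    """Problems with the owner/mode of the data file (hypothetical helper)."""
    problems = []
    if uid != 0:
        problems.append("not owned by root (uid %d)" % uid)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others (mode %o)" % stat.S_IMODE(mode))
    return problems

def check_blob(data, expected_sig=EXPECTED_SIG):
    """Problems with the first microcode update contained in data."""
    if len(data) < HEADER.size:
        return ["shorter than a microcode header"]
    hdrver, _rev, _date, sig, _sum, ldrver, _pf, datasize, _total = HEADER.unpack_from(data)
    problems = []
    if hdrver != 1 or ldrver != 1:
        problems.append("unexpected header or loader version")
    if sig != expected_sig:
        problems.append("signature 0x%x, expected 0x%x" % (sig, expected_sig))
    # A data size of 0 means the default 2000-byte payload.
    size = HEADER.size + (datasize or 2000)
    if size % 4 or size > len(data):
        return problems + ["truncated or misaligned update"]
    # Header plus data, read as 32-bit words, must sum to zero modulo 2**32.
    if sum(struct.unpack_from("<%dI" % (size // 4), data)) & 0xFFFFFFFF:
        problems.append("checksum mismatch")
    return problems

def check_file(path="/usr/share/misc/intel-microcode-206c2.bin"):
    """Check ownership, mode and contents through one open file descriptor."""
    with open(path, "rb") as f:
        st = os.fstat(f.fileno())
        return check_perms(st.st_uid, st.st_mode) + check_blob(f.read())

def make_sample(sig=EXPECTED_SIG):
    """Constructed 2048-byte blob (not real microcode) with a valid checksum."""
    blob = bytearray(HEADER.pack(1, 1, 0x01012000, sig, 0, 1, 1, 2000, 2048))
    blob += bytes(2000)
    fix = -sum(struct.unpack("<512I", blob)) & 0xFFFFFFFF
    struct.pack_into("<I", blob, 16, fix)   # checksum is the fifth header word
    return bytes(blob)
```

An empty list from `check_file()` means the file is root-owned, not writable by group or others, carries signature 0x206c2 and has an intact checksum; it says nothing about whether Intel TXT is in use on the machine.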
