Processed: Re: Bug#990319: unblock: intel-microcode/3.20210608.2
Debian Bug Tracking System
2021-06-29 20:50:01 UTC
clone -1 -2
Bug #990319 [release.debian.org] unblock: intel-microcode/3.20210608.2
Bug 990319 cloned as bug 990462
reassign -2 release-notes
Bug #990462 [release.debian.org] unblock: intel-microcode/3.20210608.2
Bug reassigned from package 'release.debian.org' to 'release-notes'.
Ignoring request to alter found versions of bug #990462 to the same values previously set
Ignoring request to alter fixed versions of bug #990462 to the same values previously set
retitle -2 release-notes: doocument intel-microcode update regression potential
Bug #990462 [release-notes] unblock: intel-microcode/3.20210608.2
Changed Bug title to 'release-notes: doocument intel-microcode update regression potential' from 'unblock: intel-microcode/3.20210608.2'.
--
990319: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990319
990462: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990462
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Paul Gevers
2021-06-30 20:00:01 UTC
Control: tags -1 moreinfo

Hi Sebastian
Please note that the current plans are that a Debian 10 (buster)
security update, intel-microcode/3.20210608.2~deb10u1, will be delivered
to Debian stable in the next couple days through debian-security, in
which case the version currently in Debian 11 "bullseye" would be
*OLDER* than what would be available in buster-security and unstable.
Also, please be warned that this update has the potential to cause
regressions when compared to the previous version of the intel-microcode
package. But do read the text below for the full rationale.
The regression potential seems worth adding to the release notes.
Cloning and reassigning accordingly.
I may be missing something, or your intentions, but if I understand
correctly, users that upgrade to bullseye will already have had the
regression and as such the release notes will not help them to prepare
for the upgrade. Hence, if this needs further documenting, I think we
should look for better places.

Paul
Debian Bug Tracking System
2021-06-30 20:00:01 UTC
Post by Paul Gevers
tags -1 moreinfo
Bug #990462 [release-notes] release-notes: doocument intel-microcode update regression potential
Added tag(s) moreinfo.
--
990462: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990462
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Sebastian Ramacher
2021-07-07 20:10:01 UTC
Post by Paul Gevers
Control: tags -1 moreinfo
Hi Sebastian
Please note that the current plans are that a Debian 10 (buster)
security update, intel-microcode/3.20210608.2~deb10u1, will be delivered
to Debian stable in the next couple days through debian-security, in
which case the version currently in Debian 11 "bullseye" would be
*OLDER* than what would be available in buster-security and unstable.
Also, please be warned that this update has the potential to cause
regressions when compared to the previous version of the intel-microcode
package. But do read the text below for the full rationale.
The regression potential seems worth adding to the release notes.
Cloning and reassigning accordingly.
I may be missing something, or your intentions, but if I understand
correctly, users that upgrade to bullseye will already have had the
regression and as such the release notes will not help them to prepare
for the upgrade. Hence, if this needs further documenting, I think we
should look for better places.
We still don't have a fix for iwlwifi. So if people held back on
upgrading intel-microcode because of the warning in DSA-4934-1, I think
we should warn again in the release-notes. I'd rather have this
documented one time too much instead of people rebooting with broken
wifi after the upgrade or system failing to boot.

(I'm not sure if there are people out there that start from an up-to-date buster
without the security archive enabled. In that case they also have an
intel-firmware package installed without the regressions.)

What about the following text (adapted from the DSA)?

The intel-firmware package contained in bullseye and released as part of
DSA-4934-1 is known to contain two significant bugs. For some CoffeeLake
CPUs this update may break iwlwifi
(https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/56)
and some for Skylake R0/D0 CPUs on systems using a very outdated
firmware/BIOS, the system may hang on boot:
(https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31)

If you held back the update from DSA-4934-1 due to any of these two
issues or do not have the security archive enabled, be aware that
upgrading to the intel-firwmare package in bullseye may cause your
system to hang on boot or break iwlwifi. In that case, you can recover by
disabling microcode loading on boot (as documented in README.Debian,
also available online at
https://salsa.debian.org/hmh/intel-microcode/-/blob/master/debian/README.Debian)


Cheers
Sebastian
--
Sebastian Ramacher
Justin B Rye
2021-07-08 05:30:01 UTC
Post by Sebastian Ramacher
What about the following text (adapted from the DSA)?
The intel-firmware package contained in bullseye and released as part of
It's "intel-microcode" (eventually: <systemitem
role="package">intel-microcode</systemitem>).
Post by Sebastian Ramacher
DSA-4934-1 is known to contain two significant bugs. For some CoffeeLake
Readers unfamiliar with the way we label bugs using DSAs will find
this hard to follow. Could we make it something like

The intel-microcode package currently in bullseye and
buster-security (see DSA-4934-1) is known to contain two significant
bugs. For some CoffeeLake

And if it links to https://www.debian.org/security/2021/dsa-4934
then we can also reference the instructions there.
Post by Sebastian Ramacher
CPUs this update may break iwlwifi
^^^^^^^
We don't want users to think "dpkg says I have no such package
installed, so this can't be a problem for me". Maybe we should say
"this update may break network interfaces that use firmware-iwlwifi".
Post by Sebastian Ramacher
(https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/56)
and some for Skylake R0/D0 CPUs on systems using a very outdated
^^^^
Typo for "so"?
Post by Sebastian Ramacher
(https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31)
If you held back the update from DSA-4934-1 due to any of these two
^^^^^^^^^^^^^^^^
"Either of these issues"
Post by Sebastian Ramacher
issues or do not have the security archive enabled, be aware that
upgrading to the intel-firwmare package in bullseye may cause your
^^^^^^^^
As above.
Post by Sebastian Ramacher
system to hang on boot or break iwlwifi. In that case, you can recover by
disabling microcode loading on boot (as documented in README.Debian,
also available online at
https://salsa.debian.org/hmh/intel-microcode/-/blob/master/debian/README.Debian)
We could replace this with "See the instructions in the DSA (also in
the intel-microcode README.Debian)". Mind you, it would be nice if
that README started with "TLDR: boot with dis_ucode_ldr"!
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
Paul Gevers
2021-07-08 14:10:01 UTC
Hi Justin,
Post by Justin B Rye
Post by Sebastian Ramacher
(https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/56)
and some for Skylake R0/D0 CPUs on systems using a very outdated
^^^^
Typo for "so"?
Yes, but I think "for some".
Post by Justin B Rye
Post by Sebastian Ramacher
If you held back the update from DSA-4934-1 due to any of these two
^^^^^^^^^^^^^^^^
"Either of these issues"
Post by Sebastian Ramacher
issues or do not have the security archive enabled, be aware that
upgrading to the intel-firwmare package in bullseye may cause your
^^^^^^^^
As above.
Post by Sebastian Ramacher
system to hang on boot or break iwlwifi. In that case, you can recover by
disabling microcode loading on boot (as documented in README.Debian,
also available online at
https://salsa.debian.org/hmh/intel-microcode/-/blob/master/debian/README.Debian)
We could replace this with "See the instructions in the DSA (also in
the intel-microcode README.Debian)". Mind you, it would be nice if
that README started with "TLDR: boot with dis_ucode_ldr"!
To get this straight, you only propose to replace the piece between
brackets (inclusive) with that right? I think it's worth saying "you can
recover".

Paul
Justin B Rye
2021-07-08 16:10:02 UTC
Post by Paul Gevers
Post by Justin B Rye
We could replace this with "See the instructions in the DSA (also in
the intel-microcode README.Debian)". Mind you, it would be nice if
that README started with "TLDR: boot with dis_ucode_ldr"!
To get this straight, you only propose to replace the piece between
brackets (inclusive) with that right? I think it's worth saying "you can
recover".
Yes, though I was vaguely thinking that in the process of adding
markup we might reorganise the links, since we don't need full URLs in
the text. Something like

<section id="intel-microcode">
<!-- buster to bullseye -->
<title>Intel CPU microcode issues</title>
<para>
The <systemitem role="package">intel-microcode</systemitem> package
currently in bullseye and buster-security (see <ulink
url="https://www.debian.org/security/2021/dsa-4934">DSA-4934-1</ulink>)
is known to contain two significant bugs. For some CoffeeLake CPUs this
update <ulink
url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/56">may
break network interfaces</ulink> that use <systemitem
role="package">firmware-iwlwifi</systemitem>, and for some Skylake
R0/D0 CPUs on systems using a very outdated firmware/BIOS, <ulink
url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31">the
system may hang on boot</ulink>.
</para>
<para>
If you held back the update from DSA-4934-1 due to either of these
issues, or do not have the security archive enabled, be aware that
upgrading to the <systemitem
role="package">intel-microcode</systemitem> package in bullseye may
cause your system to hang on boot or break iwlwifi. In that case, you
can recover by disabling microcode loading on boot; see the
instructions in the DSA, which are also in the <systemitem
role="package">intel-microcode</systemitem>
<filename>README.Debian</filename>.
</para>
</section>

(When it says "currently in bullseye and buster-security", are there
plans for this to change? If not, drop the "currently"; if so, we
have to remember to update the release notes when it happens.)
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
Sebastian Ramacher
2021-07-08 16:20:01 UTC
Post by Justin B Rye
Post by Paul Gevers
Post by Justin B Rye
We could replace this with "See the instructions in the DSA (also in
the intel-microcode README.Debian)". Mind you, it would be nice if
that README started with "TLDR: boot with dis_ucode_ldr"!
To get this straight, you only propose to replace the piece between
brackets (inclusive) with that right? I think it's worth saying "you can
recover".
Yes, though I was vaguely thinking that in the process of adding
markup we might reorganise the links, since we don't need full URLs in
the text. Something like
<section id="intel-microcode">
<!-- buster to bullseye -->
<title>Intel CPU microcode issues</title>
<para>
The <systemitem role="package">intel-microcode</systemitem> package
currently in bullseye and buster-security (see <ulink
url="https://www.debian.org/security/2021/dsa-4934">DSA-4934-1</ulink>)
is known to contain two significant bugs. For some CoffeeLake CPUs this
update <ulink
url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/56">may
break network interfaces</ulink> that use <systemitem
role="package">firmware-iwlwifi</systemitem>, and for some Skylake
R0/D0 CPUs on systems using a very outdated firmware/BIOS, <ulink
url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31">the
system may hang on boot</ulink>.
</para>
<para>
If you held back the update from DSA-4934-1 due to either of these
issues, or do not have the security archive enabled, be aware that
upgrading to the <systemitem
role="package">intel-microcode</systemitem> package in bullseye may
cause your system to hang on boot or break iwlwifi. In that case, you
can recover by disabling microcode loading on boot; see the
instructions in the DSA, which are also in the <systemitem
role="package">intel-microcode</systemitem>
<filename>README.Debian</filename>.
</para>
</section>
(When it says "currently in bullseye and buster-security", are there
plans for this to change? If not, drop the "currently"; if so, we
have to remember to update the release notes when it happens.)
This will change, yes. After the next buster release, it should read
buster instead of buster-security. Once there is a fixed
firmware-iwlwifi available, affected users no longer need to disable
microcode loading to work around broken wifi.

Cheers
--
Sebastian Ramacher
Henrique de Moraes Holschuh
2021-07-08 19:00:01 UTC
Just to be clear: the iwlwifi regression has not been fixed. That happens on processor 0x906ea.
--
Henrique de Moraes Holschuh <***@debian.org>
Henrique de Moraes Holschuh
2021-07-08 19:00:02 UTC
Update re. the intel-microcode regressions.

According to Intel, the newest microcode update for Skylake (0x406e3 and 0x506e3) should *NOT* hang on boot anymore, even when applied to very old systems with too-outdated microcode in BIOS. The new information about this issue was posted to the upstream bug report a few hours ago.

However, to be safe, it requires that one updates directly from the BIOS ucode to the new microcode using the kernel's "early update" method. This is exactly what we do in Debian, so it should just work.
--
Henrique de Moraes Holschuh <***@debian.org>
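
An added example, not part of the thread or of the intel-microcode package: a shell check that derives the CPUID signature from `/proc/cpuinfo` fields and matches it against the three signatures quoted in the two messages above (0x906ea, 0x406e3, 0x506e3). The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): map /proc/cpuinfo fields to the CPUID
# signatures quoted in the thread and report which regression applies.

# CPUID signature from decimal "cpu family", "model" and "stepping" values.
cpu_signature() {
    sig_ext_family=0
    sig_base_family=$1
    if [ "$1" -gt 15 ]; then
        sig_ext_family=$(( $1 - 15 ))
        sig_base_family=15
    fi
    sig_model_hi=$(( $2 >> 4 ))   # extended model, signature bits 16-19
    sig_model_lo=$(( $2 & 15 ))   # base model, signature bits 4-7
    printf '0x%x\n' $(( (sig_ext_family << 20) | (sig_model_hi << 16) | (sig_base_family << 8) | (sig_model_lo << 4) | $3 ))
}

# Reads /proc/cpuinfo-format text on stdin and uses the first logical CPU.
signature_from_cpuinfo() {
    set -- $(awk -F'[ \t]*: *' '
        $1 == "cpu family" && f == "" { f = $2 }
        $1 == "model"      && m == "" { m = $2 }
        $1 == "stepping"   && s == "" { s = $2 }
        END { if (f != "" && m != "" && s != "") print f, m, s }')
    [ $# -eq 3 ] || return 1
    cpu_signature "$1" "$2" "$3"
}

# Signatures and issue numbers are the ones given in the thread.
regression_note() {
    case $1 in
        0x906ea) echo "iwlwifi regression reported (upstream issue 56)" ;;
        0x406e3|0x506e3) echo "boot hang reported with very outdated BIOS microcode (upstream issue 31)" ;;
        *) echo "not named in the thread" ;;
    esac
}

# Constructed sample input, so the example runs offline.
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 158
model name : Constructed Sample CPU
stepping : 10'

sample_sig=$(printf '%s\n' "$SAMPLE_CPUINFO" | signature_from_cpuinfo)
echo "$sample_sig: $(regression_note "$sample_sig")"
```

On a real host, run `signature_from_cpuinfo < /proc/cpuinfo` before upgrading; if the signature matches and the regression appears, the recovery named in the thread is booting with `dis_ucode_ldr`.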
Debian Bug Tracking System
2021-08-01 17:30:01 UTC
Your message dated Sun, 1 Aug 2021 19:24:45 +0200
with message-id <72b6e490-1351-2073-6da4-***@debian.org>
and subject line Re: Bug#990462: Bug#990319: unblock: intel-microcode/3.20210608.2
has caused the Debian Bug report #990462,
regarding release-notes: doocument intel-microcode update regression potential
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
990462: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990462
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems