Blame SOURCES/06-4e-03_readme

7826d1
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
7826d1
have reports of system hangs when revision 0xdc of microcode, that is included
7826d1
since microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
7826d1
and CVE-2020-0549, is applied[1].  In order to address this, microcode update
7826d1
to the newer revision has been disabled by default on these systems,
7826d1
and the previously published microcode revision 0xd6 is used by default
7826d1
for the OS-driven microcode update.
7826d1
7826d1
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
7826d1
7826d1
For the reference, SHA1 checksums of 06-4e-03 microcode files containing
7826d1
microcode revisions in question are listed below:
7826d1
 * 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e
7826d1
 * 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c
7826d1
 * 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366
7826d1
 * 06-4e-03, revision 0xea: 5a54cab9f22f69b819d663e5747ed6ea2a326c55
08aaff
 * 06-4e-03, revision 0xec: d949a8543d2464d955f5dc4b0777cac863f48729
27ee4a
 * 06-4e-03, revision 0xf0: 37475bac70457ba8df2c1a32bba81bd7bd27d5e8
7826d1
7826d1
Please contact your system vendor for a BIOS/firmware update that contains
7826d1
the latest microcode version.  For the information regarding microcode versions
7826d1
required for mitigating specific side-channel cache attacks, please refer
7826d1
to the following knowledge base articles:
7826d1
 * CVE-2017-5715 ("Spectre"):
7826d1
   https://access.redhat.com/articles/3436091
7826d1
 * CVE-2018-3639 ("Speculative Store Bypass"):
7826d1
   https://access.redhat.com/articles/3540901
7826d1
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
7826d1
   https://access.redhat.com/articles/3562741
7826d1
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
7826d1
   ("Microarchitectural Data Sampling"):
7826d1
   https://access.redhat.com/articles/4138151
7826d1
 * CVE-2019-0117 (Intel SGX Information Leak),
7826d1
   CVE-2019-0123 (Intel SGX Privilege Escalation),
7826d1
   CVE-2019-11135 (TSX Asynchronous Abort),
7826d1
   CVE-2019-11139 (Voltage Setting Modulation):
7826d1
   https://access.redhat.com/solutions/2019-microcode-nov
7826d1
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
7826d1
   CVE-2020-0548 (Vector Register Data Sampling),
7826d1
   CVE-2020-0549 (L1D Cache Eviction Sampling):
7826d1
   https://access.redhat.com/solutions/5142751
7826d1
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
7826d1
   CVE-2020-8696 (Vector Register Leakage-Active),
7826d1
   CVE-2020-8698 (Fast Forward Store Predictor):
7826d1
   https://access.redhat.com/articles/5569051
7826d1
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
7826d1
   CVE-2020-24511 (Improper Isolation of Shared Resources),
7826d1
   CVE-2020-24512 (Observable Timing Discrepancy),
7826d1
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
7826d1
   https://access.redhat.com/articles/6101171
08aaff
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
08aaff
   https://access.redhat.com/articles/6716541
27ee4a
 * CVE-2022-0005 (Informational disclosure via JTAG),
27ee4a
   CVE-2022-21123 (Shared Buffers Data Read),
27ee4a
   CVE-2022-21125 (Shared Buffers Data Sampling),
27ee4a
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
27ee4a
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
27ee4a
   CVE-2022-21166 (Device Register Partial Write):
27ee4a
   https://access.redhat.com/articles/6963124
7826d1
7826d1
The information regarding enforcing microcode update is provided below.
7826d1
7826d1
To enforce usage of the latest 06-4e-03 microcode revision for a specific kernel
7826d1
version, please create a file "force-intel-06-4e-03" inside
7826d1
/lib/firmware/<kernel_version> directory, run
7826d1
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
7826d1
where microcode will be available for late microcode update, and run
7826d1
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
7826d1
is regenerated and the microcode can be loaded early, for example:
7826d1
7826d1
    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-4e-03
7826d1
    /usr/libexec/microcode_ctl/update_ucode
7826d1
    dracut -f --kver 3.10.0-862.9.1
7826d1
7826d1
After that, it is possible to perform a late microcode update by executing
7826d1
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
7826d1
"/sys/devices/system/cpu/microcode/reload" directly.
7826d1
7826d1
To enforce addition of this microcode for all kernels, please create file
7826d1
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03", run
7826d1
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
7826d1
and "dracut -f --regenerate-all" for enabling early microcode updates:
7826d1
7826d1
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
7826d1
    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03
7826d1
    /usr/libexec/microcode_ctl/update_ucode
7826d1
    dracut -f --regenerate-all
7826d1
7826d1
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
7826d1
information.