System hangs have been reported on some Intel Skylake CPU models (SKL-U/Y,
family 6, model 78, stepping 3) when microcode revision 0xdc is applied[1].
That revision has been included since the microcode-20200609 update to address
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549.  To address this, the microcode
update to the newer revision has been disabled by default on these systems,
and the previously published microcode revision 0xd6 is used by default
for the OS-driven microcode update.

[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31

For reference, SHA1 checksums of the 06-4e-03 microcode files containing
the microcode revisions in question are listed below:
 * 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e
 * 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c
 * 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366
 * 06-4e-03, revision 0xea: 5a54cab9f22f69b819d663e5747ed6ea2a326c55
 * 06-4e-03, revision 0xec: d949a8543d2464d955f5dc4b0777cac863f48729
 * 06-4e-03, revision 0xf0: 37475bac70457ba8df2c1a32bba81bd7bd27d5e8

Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version.  For information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
 * CVE-2017-5715 ("Spectre"):
   https://access.redhat.com/articles/3436091
 * CVE-2018-3639 ("Speculative Store Bypass"):
   https://access.redhat.com/articles/3540901
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
   https://access.redhat.com/articles/3562741
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
   ("Microarchitectural Data Sampling"):
   https://access.redhat.com/articles/4138151
 * CVE-2019-0117 (Intel SGX Information Leak),
   CVE-2019-0123 (Intel SGX Privilege Escalation),
   CVE-2019-11135 (TSX Asynchronous Abort),
   CVE-2019-11139 (Voltage Setting Modulation):
   https://access.redhat.com/solutions/2019-microcode-nov
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
   CVE-2020-0548 (Vector Register Data Sampling),
   CVE-2020-0549 (L1D Cache Eviction Sampling):
   https://access.redhat.com/solutions/5142751
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
   CVE-2020-8696 (Vector Register Leakage-Active),
   CVE-2020-8698 (Fast Forward Store Predictor):
   https://access.redhat.com/articles/5569051
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
   CVE-2020-24511 (Improper Isolation of Shared Resources),
   CVE-2020-24512 (Observable Timing Discrepancy),
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
   https://access.redhat.com/articles/6101171
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
   https://access.redhat.com/articles/6716541
 * CVE-2022-0005 (Informational disclosure via JTAG),
   CVE-2022-21123 (Shared Buffers Data Read),
   CVE-2022-21125 (Shared Buffers Data Sampling),
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
   CVE-2022-21166 (Device Register Partial Write):
   https://access.redhat.com/articles/6963124

Information on enforcing the microcode update is provided below.

To enforce usage of the latest 06-4e-03 microcode revision for a specific kernel
version, please create a file "force-intel-06-4e-03" inside the
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to add it to the firmware directory
where microcode will be available for late microcode update, and run
"dracut -f --kver <kernel_version>" so that the initramfs for this kernel
version is regenerated and the microcode can be loaded early, for example:

    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-4e-03
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --kver 3.10.0-862.9.1

After that, it is possible to perform a late microcode update by executing
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
"/sys/devices/system/cpu/microcode/reload" directly.

To enforce addition of this microcode for all kernels, please create the file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03", run
"/usr/libexec/microcode_ctl/update_ucode" to enable late microcode updates,
and "dracut -f --regenerate-all" to enable early microcode updates:

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --regenerate-all

Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.
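
As an added example (not part of the microcode_ctl package), the shell
functions below check whether a host matches the 06-4e-03 signature described
above, which microcode revision is loaded, and whether the
"force-intel-06-4e-03" override is in place.  The function names, status
strings, "--report" switch and optional root-prefix argument are assumptions
made for illustration.

```shell
#!/bin/sh
# Added example, not part of microcode_ctl. Function names and status strings
# are illustrative assumptions.

# Print "FF-MM-SS REV" for the first CPU listed in a /proc/cpuinfo-format file.
cpu_sig_rev() {
    awk -F: '
        { key = $1; val = $2
          gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        key == "cpu family" { fam = val }
        key == "model"      { mdl = val }
        key == "stepping"   { stp = val }
        key == "microcode"  { rev = val }
        key == "" && fam != "" { exit }   # blank line ends the first CPU entry
        END { printf "%02x-%02x-%02x %s\n", fam, mdl, stp, rev }
    ' "${1:-/proc/cpuinfo}"
}

# Classify the host against the caveat: 0xd6 is the revision used by default,
# 0xdc is the revision with hang reports.
caveat_status() {
    set -- $(cpu_sig_rev "$1")
    [ "$1" = "06-4e-03" ] || { echo "model-not-covered"; return 0; }
    case "$2" in
        0xd6) echo "default-revision" ;;
        0xdc) echo "hang-reported-revision" ;;
        *)    echo "other-revision:$2" ;;
    esac
}

# Report where the override file exists for kernel version $1.
# $2 is an optional root prefix (assumption, for offline checks of an image).
force_scope() {
    if [ -e "$2/lib/firmware/$1/force-intel-06-4e-03" ]; then
        echo "per-kernel"
    elif [ -e "$2/etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03" ]; then
        echo "all-kernels"
    else
        echo "none"
    fi
}

# Report for the running host only when asked to.
if [ "${1:-}" = "--report" ]; then
    echo "cpu: $(cpu_sig_rev) status: $(caveat_status) force: $(force_scope "$(uname -r)")"
fi
```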