Blame SOURCES/06-4e-03_readme

81200a
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
81200a
have reports of system hangs when revision 0xdc of microcode, that is included
81200a
since microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
81200a
and CVE-2020-0549, is applied[1].  In order to address this, microcode update
81200a
to the newer revision has been disabled by default on these systems,
81200a
and the previously published microcode revision 0xd6 is used by default
81200a
for the OS-driven microcode update.
81200a
81200a
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
81200a
c56524
For the reference, SHA1 checksums of 06-4e-03 microcode files containing
81200a
microcode revisions in question are listed below:
81200a
 * 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e
81200a
 * 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c
c56524
 * 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366
fe8809
 * 06-4e-03, revision 0xea: 5a54cab9f22f69b819d663e5747ed6ea2a326c55
76da8d
 * 06-4e-03, revision 0xec: d949a8543d2464d955f5dc4b0777cac863f48729
e03395
 * 06-4e-03, revision 0xf0: 37475bac70457ba8df2c1a32bba81bd7bd27d5e8
81200a
81200a
Please contact your system vendor for a BIOS/firmware update that contains
81200a
the latest microcode version.  For the information regarding microcode versions
81200a
required for mitigating specific side-channel cache attacks, please refer
81200a
to the following knowledge base articles:
81200a
 * CVE-2017-5715 ("Spectre"):
81200a
   https://access.redhat.com/articles/3436091
81200a
 * CVE-2018-3639 ("Speculative Store Bypass"):
81200a
   https://access.redhat.com/articles/3540901
81200a
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
81200a
   https://access.redhat.com/articles/3562741
81200a
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
81200a
   ("Microarchitectural Data Sampling"):
81200a
   https://access.redhat.com/articles/4138151
81200a
 * CVE-2019-0117 (Intel SGX Information Leak),
81200a
   CVE-2019-0123 (Intel SGX Privilege Escalation),
81200a
   CVE-2019-11135 (TSX Asynchronous Abort),
81200a
   CVE-2019-11139 (Voltage Setting Modulation):
81200a
   https://access.redhat.com/solutions/2019-microcode-nov
81200a
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
81200a
   CVE-2020-0548 (Vector Register Data Sampling),
81200a
   CVE-2020-0549 (L1D Cache Eviction Sampling):
81200a
   https://access.redhat.com/solutions/5142751
c56524
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
c56524
   CVE-2020-8696 (Vector Register Leakage-Active),
c56524
   CVE-2020-8698 (Fast Forward Store Predictor):
c56524
   https://access.redhat.com/articles/5569051
fe8809
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
fe8809
   CVE-2020-24511 (Improper Isolation of Shared Resources),
fe8809
   CVE-2020-24512 (Observable Timing Discrepancy),
fe8809
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
fe8809
   https://access.redhat.com/articles/6101171
76da8d
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
76da8d
   https://access.redhat.com/articles/6716541
e03395
 * CVE-2022-0005 (Informational disclosure via JTAG),
e03395
   CVE-2022-21123 (Shared Buffers Data Read),
e03395
   CVE-2022-21125 (Shared Buffers Data Sampling),
e03395
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
e03395
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
e03395
   CVE-2022-21166 (Device Register Partial Write):
e03395
   https://access.redhat.com/articles/6963124
81200a
81200a
The information regarding enforcing microcode update is provided below.
81200a
81200a
To enforce usage of the latest 06-4e-03 microcode revision for a specific kernel
81200a
version, please create a file "force-intel-06-4e-03" inside
81200a
/lib/firmware/<kernel_version> directory, run
81200a
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
81200a
where microcode will be available for late microcode update, and run
81200a
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
81200a
is regenerated and the microcode can be loaded early, for example:
81200a
81200a
    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-4e-03
81200a
    /usr/libexec/microcode_ctl/update_ucode
81200a
    dracut -f --kver 3.10.0-862.9.1
81200a
81200a
After that, it is possible to perform a late microcode update by executing
81200a
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
81200a
"/sys/devices/system/cpu/microcode/reload" directly.
81200a
81200a
To enforce addition of this microcode for all kernels, please create file
81200a
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03", run
81200a
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
81200a
and "dracut -f --regenerate-all" for enabling early microcode updates:
81200a
81200a
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
81200a
    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03
81200a
    /usr/libexec/microcode_ctl/update_ucode
81200a
    dracut -f --regenerate-all
81200a
81200a
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
81200a
information.