Blame SOURCES/06-4f-01_readme

383126
Intel Broadwell-EP/EX (BDX-ML B/M/R0, family 6, model 79, stepping 1) has issues
383126
with microcode update that may lead to a system hang; while some changes
383126
to the Linux kernel have been made in an attempt to address these issues,
383126
they were not eliminated, so a possibility of unstable system behaviour
383126
after a microcode update performed on a running system is still present even
383126
on a kernels that contain aforementioned changes.  As a result, microcode update
383126
for this CPU model has been disabled by default.
383126
383126
For the reference, kernel versions for the respective RHEL minor versions
383126
that contain the aforementioned changes, are listed below:
383126
 * Upstream/RHEL 8: kernel-4.17.0 or newer;
383126
 * RHEL 7.6 onwards: kernel-3.10.0-894 or newer;
383126
 * RHEL 7.5.z: kernel-3.10.0-862.6.1 or newer;
383126
 * RHEL 7.4.z: kernel-3.10.0-693.35.1 or newer;
383126
 * RHEL 7.3.z: kernel-3.10.0-514.52.1 or newer;
383126
 * RHEL 7.2.z: kernel-3.10.0-327.70.1 or newer.
383126
383126
Please contact you system vendor for a BIOS/firmware update that contains
383126
the latest microcode version. For the information regarding microcode versions
383126
required for mitigating specific side-channel cache attacks, please refer
383126
to the following knowledge base articles:
383126
 * CVE-2017-5715 ("Spectre"):
383126
   https://access.redhat.com/articles/3436091
383126
 * CVE-2018-3639 ("Speculative Store Bypass"):
383126
   https://access.redhat.com/articles/3540901
383126
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
383126
   https://access.redhat.com/articles/3562741
383126
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
383126
   ("Microarchitectural Data Sampling"):
383126
   https://access.redhat.com/articles/4138151
383126
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
383126
   CVE-2020-24511 (Improper Isolation of Shared Resources),
383126
   CVE-2020-24512 (Observable Timing Discrepancy),
383126
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
383126
   https://access.redhat.com/articles/6101171
383126
383126
The information regarding enforcing microcode load is provided below.
383126
383126
For enforcing addition of this microcode to the firmware directory
383126
for a specific kernel, where it is available for a late microcode update,
383126
please create a file "force-late-intel-06-4f-01" inside
383126
/lib/firmware/<kernel_version> directory and run
383126
"/usr/libexec/microcode_ctl/update_ucode":
383126
383126
    touch /lib/firmware/3.10.0-862.9.1/force-late-intel-06-4f-01
383126
    /usr/libexec/microcode_ctl/update_ucode
383126
383126
After that, it is possible to perform a late microcode update by executing
383126
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
383126
"/sys/devices/system/cpu/microcode/reload" directly.
383126
383126
For enforcing addition of this microcode to firmware directories for all
383126
kernels, please create a file
383126
"/etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01"
383126
and run "/usr/libexec/microcode_ctl/update_ucode":
383126
383126
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
383126
    touch /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01
383126
    /usr/libexec/microcode_ctl/update_ucode
383126
383126
For enforcing early load of this microcode for a specific kernel, please
383126
create a file "force-early-intel-06-4f-01" inside
383126
"/lib/firmware/<kernel_version>" directory and run
383126
"dracut -f --kver <kernel_version>":
383126
383126
    touch /lib/firmware/3.10.0-862.9.1/force-early-intel-06-4f-01
383126
    dracut -f --kver 3.10.0-862.9.1
383126
383126
For enforcing early load of this microcode for all kernels, please
383126
create a file "/etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01"
383126
and run dracut -f --regenerate-all:
383126
383126
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
383126
    touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01
383126
    dracut -f --regenerate-all
383126
383126
If you want to avoid removal of the microcode file during cleanup performed by
383126
/usr/libexec/microcode_ctl/update_ucode, please remove the corresponding readme
383126
file (/lib/firmware/<kernel_version>/readme-intel-06-4f-01).
383126
383126
383126
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
383126
information.