Blame SOURCES/06-4f-01_readme

c59b13
Intel Broadwell-EP/EX (BDX-ML B/M/R0, family 6, model 79, stepping 1) has issues
c59b13
with microcode update that may lead to a system hang; while some changes
c59b13
to the Linux kernel have been made in an attempt to address these issues,
c59b13
they were not eliminated, so a possibility of unstable system behaviour
c59b13
after a microcode update performed on a running system is still present even
c59b13
on a kernels that contain aforementioned changes.  As a result, microcode update
c59b13
for this CPU model has been disabled by default.
c59b13
c59b13
For the reference, kernel versions for the respective RHEL minor versions
c59b13
that contain the aforementioned changes, are listed below:
c59b13
 * Upstream/RHEL 8: kernel-4.17.0 or newer;
c59b13
 * RHEL 7.6 onwards: kernel-3.10.0-894 or newer;
c59b13
 * RHEL 7.5.z: kernel-3.10.0-862.6.1 or newer;
c59b13
 * RHEL 7.4.z: kernel-3.10.0-693.35.1 or newer;
c59b13
 * RHEL 7.3.z: kernel-3.10.0-514.52.1 or newer;
c59b13
 * RHEL 7.2.z: kernel-3.10.0-327.70.1 or newer.
c59b13
c59b13
Please contact you system vendor for a BIOS/firmware update that contains
c59b13
the latest microcode version. For the information regarding microcode versions
c59b13
required for mitigating specific side-channel cache attacks, please refer
c59b13
to the following knowledge base articles:
c59b13
 * CVE-2017-5715 ("Spectre"):
c59b13
   https://access.redhat.com/articles/3436091
c59b13
 * CVE-2018-3639 ("Speculative Store Bypass"):
c59b13
   https://access.redhat.com/articles/3540901
c59b13
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
c59b13
   https://access.redhat.com/articles/3562741
c59b13
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
c59b13
   ("Microarchitectural Data Sampling"):
c59b13
   https://access.redhat.com/articles/4138151
ca7245
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
ca7245
   CVE-2020-24511 (Improper Isolation of Shared Resources),
ca7245
   CVE-2020-24512 (Observable Timing Discrepancy),
ca7245
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
ca7245
   https://access.redhat.com/articles/6101171
c59b13
c59b13
The information regarding enforcing microcode load is provided below.
c59b13
c59b13
For enforcing addition of this microcode to the firmware directory
c59b13
for a specific kernel, where it is available for a late microcode update,
c59b13
please create a file "force-late-intel-06-4f-01" inside
c59b13
/lib/firmware/<kernel_version> directory and run
c59b13
"/usr/libexec/microcode_ctl/update_ucode":
c59b13
c59b13
    touch /lib/firmware/3.10.0-862.9.1/force-late-intel-06-4f-01
c59b13
    /usr/libexec/microcode_ctl/update_ucode
c59b13
c59b13
After that, it is possible to perform a late microcode update by executing
c59b13
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
c59b13
"/sys/devices/system/cpu/microcode/reload" directly.
c59b13
c59b13
For enforcing addition of this microcode to firmware directories for all
c59b13
kernels, please create a file
c59b13
"/etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01"
c59b13
and run "/usr/libexec/microcode_ctl/update_ucode":
c59b13
078ac8
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
c59b13
    touch /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01
c59b13
    /usr/libexec/microcode_ctl/update_ucode
c59b13
c59b13
For enforcing early load of this microcode for a specific kernel, please
c59b13
create a file "force-early-intel-06-4f-01" inside
c59b13
"/lib/firmware/<kernel_version>" directory and run
c59b13
"dracut -f --kver <kernel_version>":
c59b13
c59b13
    touch /lib/firmware/3.10.0-862.9.1/force-early-intel-06-4f-01
c59b13
    dracut -f --kver 3.10.0-862.9.1
c59b13
c59b13
For enforcing early load of this microcode for all kernels, please
c59b13
create a file "/etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01"
c59b13
and run dracut -f --regenerate-all:
c59b13
078ac8
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
c59b13
    touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01
c59b13
    dracut -f --regenerate-all
c59b13
078ac8
If you want to avoid removal of the microcode file during cleanup performed by
c59b13
/usr/libexec/microcode_ctl/update_ucode, please remove the corresponding readme
c59b13
file (/lib/firmware/<kernel_version>/readme-intel-06-4f-01).
c59b13
c59b13
c59b13
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
c59b13
information.