Intel Broadwell-EP/EX (BDX-ML B/M/R0, family 6, model 79, stepping 1) has issues
with microcode update that may lead to a system hang; while some changes
to the Linux kernel have been made in an attempt to address these issues,
they were not eliminated, so a possibility of unstable system behaviour
after a microcode update performed on a running system is still present even
on kernels that contain the aforementioned changes.  As a result, microcode
update for this CPU model has been disabled by default.

For reference, the kernel versions for the respective RHEL minor versions
that contain the aforementioned changes are listed below:
 * Upstream/RHEL 8: kernel-4.17.0 or newer;
 * RHEL 7.6 onwards: kernel-3.10.0-894 or newer;
 * RHEL 7.5.z: kernel-3.10.0-862.6.1 or newer;
 * RHEL 7.4.z: kernel-3.10.0-693.35.1 or newer;
 * RHEL 7.3.z: kernel-3.10.0-514.52.1 or newer;
 * RHEL 7.2.z: kernel-3.10.0-327.70.1 or newer.

Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For information regarding the microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
 * CVE-2017-5715 ("Spectre"):
   https://access.redhat.com/articles/3436091
 * CVE-2018-3639 ("Speculative Store Bypass"):
   https://access.redhat.com/articles/3540901
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
   https://access.redhat.com/articles/3562741
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
   ("Microarchitectural Data Sampling"):
   https://access.redhat.com/articles/4138151
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
   CVE-2020-24511 (Improper Isolation of Shared Resources),
   CVE-2020-24512 (Observable Timing Discrepancy),
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
   https://access.redhat.com/articles/6101171

The information regarding enforcing microcode load is provided below.

To force the addition of this microcode to the firmware directory
of a specific kernel, where it is available for a late microcode update,
please create a file "force-late-intel-06-4f-01" inside the
"/lib/firmware/<kernel_version>" directory and run
"/usr/libexec/microcode_ctl/update_ucode":

    touch /lib/firmware/3.10.0-862.9.1/force-late-intel-06-4f-01
    /usr/libexec/microcode_ctl/update_ucode

After that, it is possible to perform a late microcode update by executing
"/usr/libexec/microcode_ctl/reload_microcode" or by writing the value "1" to
"/sys/devices/system/cpu/microcode/reload" directly.
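
The pre-flight check below is an added example, not part of microcode_ctl or of this readme: it derives the family-model-stepping signature used in the force file names from cpuinfo text and tests a kernel version against the minimums listed above. The function names, the constructed cpuinfo sample and the rule that the first release number identifies the RHEL 7 stream are assumptions; a kernel that passes still carries the hang risk described at the top.

```shell
#!/bin/sh
# Added example, not part of microcode_ctl. Function names are hypothetical.

# Constructed /proc/cpuinfo excerpt for a family 6, model 79, stepping 1 CPU.
sample_cpuinfo() {
    printf 'processor\t: 0\ncpu family\t: 6\nmodel\t\t: 79\n'
    printf 'model name\t: constructed sample\nstepping\t: 1\n'
}

# Read cpuinfo text on stdin; print family-model-stepping as two-digit hex,
# the form used in the file names (6, 79, 1 -> 06-4f-01).
cpu_sig() {
    awk -F': *' '
        /^cpu family/   && !f { fam = $2; f = 1 }
        /^model[ \t]*:/ && !m { mod = $2; m = 1 }
        /^stepping/     && !s { stp = $2; s = 1 }
        END { if (!(f && m && s)) exit 1
              printf "%02x-%02x-%02x\n", fam, mod, stp }'
}

# True if version $1 >= version $2 (relies on "sort -V").
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# True if kernel version $1 is at or above the minimum the readme lists.
# Assumption: the first number of the release field identifies the RHEL 7
# stream (327 -> 7.2.z, 514 -> 7.3.z, 693 -> 7.4.z, 862 -> 7.5.z).
kernel_has_bdx_changes() {
    v=${1%%.el*}                      # drop a ".el7.x86_64"-style suffix
    case $v in
        3.10.0-*)
            rel=${v#3.10.0-}
            case ${rel%%.*} in
                327) min=3.10.0-327.70.1 ;;
                514) min=3.10.0-514.52.1 ;;
                693) min=3.10.0-693.35.1 ;;
                862) min=3.10.0-862.6.1 ;;
                *)   min=3.10.0-894 ;;
            esac ;;
        *)  min=4.17.0 ;;
    esac
    ver_ge "$v" "$min"
}

# Usage on a live system:
#   cpu_sig < /proc/cpuinfo; kernel_has_bdx_changes "$(uname -r)" && echo ok
```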

To force the addition of this microcode to the firmware directories of all
kernels, please create a file
"/etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01"
and run "/usr/libexec/microcode_ctl/update_ucode":

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01
    /usr/libexec/microcode_ctl/update_ucode

To force early load of this microcode for a specific kernel, please
create a file "force-early-intel-06-4f-01" inside the
"/lib/firmware/<kernel_version>" directory and run
"dracut -f --kver <kernel_version>":

    touch /lib/firmware/3.10.0-862.9.1/force-early-intel-06-4f-01
    dracut -f --kver 3.10.0-862.9.1

To force early load of this microcode for all kernels, please
create a file "/etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01"
and run "dracut -f --regenerate-all":

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01
    dracut -f --regenerate-all

If you want to avoid removal of the microcode file during the cleanup performed
by "/usr/libexec/microcode_ctl/update_ucode", please remove the corresponding
readme file ("/lib/firmware/<kernel_version>/readme-intel-06-4f-01").

Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.