b24a43
Intel Broadwell-EP/EX (BDX-ML B/M/R0, family 6, model 79, stepping 1) has issues
b24a43
with microcode update that may lead to a system hang; while some changes
b24a43
to the Linux kernel have been made in an attempt to address these issues,
b24a43
they were not eliminated, so a possibility of unstable system behaviour
b24a43
after a microcode update performed on a running system is still present even
b24a43
on a kernels that contain aforementioned changes.  As a result, microcode update
b24a43
for this CPU model has been disabled by default.
b24a43
c08efc
For the reference, kernel versions for the respective RHEL minor versions
b24a43
that contain the aforementioned changes, are listed below:
b24a43
 * Upstream/RHEL 8: kernel-4.17.0 or newer;
c08efc
 * RHEL 7.6 onwards: kernel-3.10.0-894 or newer;
b24a43
 * RHEL 7.5.z: kernel-3.10.0-862.6.1 or newer;
b24a43
 * RHEL 7.4.z: kernel-3.10.0-693.35.1 or newer;
b24a43
 * RHEL 7.3.z: kernel-3.10.0-514.52.1 or newer;
b24a43
 * RHEL 7.2.z: kernel-3.10.0-327.70.1 or newer.
b24a43
b24a43
Please contact you system vendor for a BIOS/firmware update that contains
b24a43
the latest microcode version. For the information regarding microcode versions
b24a43
required for mitigating specific side-channel cache attacks, please refer
b24a43
to the following knowledge base articles:
b24a43
 * CVE-2017-5715 ("Spectre"):
b24a43
   https://access.redhat.com/articles/3436091
b24a43
 * CVE-2018-3639 ("Speculative Store Bypass"):
b24a43
   https://access.redhat.com/articles/3540901
b24a43
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
b24a43
   https://access.redhat.com/articles/3562741
62b1c6
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
62b1c6
   ("Microarchitectural Data Sampling"):
62b1c6
   https://access.redhat.com/articles/4138151
b9f9de
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
b9f9de
   CVE-2020-24511 (Improper Isolation of Shared Resources),
b9f9de
   CVE-2020-24512 (Observable Timing Discrepancy),
b9f9de
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
b9f9de
   https://access.redhat.com/articles/6101171
b24a43
b24a43
The information regarding enforcing microcode load is provided below.
b24a43
b24a43
For enforcing addition of this microcode to the firmware directory
b24a43
for a specific kernel, where it is available for a late microcode update,
b24a43
please create a file "force-late-intel-06-4f-01" inside
b24a43
/lib/firmware/<kernel_version> directory and run
b24a43
"/usr/libexec/microcode_ctl/update_ucode":
b24a43
b24a43
    touch /lib/firmware/3.10.0-862.9.1/force-late-intel-06-4f-01
b24a43
    /usr/libexec/microcode_ctl/update_ucode
b24a43
b24a43
After that, it is possible to perform a late microcode update by executing
b24a43
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
b24a43
"/sys/devices/system/cpu/microcode/reload" directly.
b24a43
b24a43
For enforcing addition of this microcode to firmware directories for all
b24a43
kernels, please create a file
b24a43
"/etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01"
b24a43
and run "/usr/libexec/microcode_ctl/update_ucode":
b24a43
5ebb7f
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
b24a43
    touch /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01
b24a43
    /usr/libexec/microcode_ctl/update_ucode
b24a43
b24a43
For enforcing early load of this microcode for a specific kernel, please
b24a43
create a file "force-early-intel-06-4f-01" inside
b24a43
"/lib/firmware/<kernel_version>" directory and run
b24a43
"dracut -f --kver <kernel_version>":
b24a43
b24a43
    touch /lib/firmware/3.10.0-862.9.1/force-early-intel-06-4f-01
b24a43
    dracut -f --kver 3.10.0-862.9.1
b24a43
b24a43
For enforcing early load of this microcode for all kernels, please
b24a43
create a file "/etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01"
b24a43
and run dracut -f --regenerate-all:
b24a43
5ebb7f
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
b24a43
    touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01
b24a43
    dracut -f --regenerate-all
b24a43
5ebb7f
If you want to avoid removal of the microcode file during cleanup performed by
b24a43
/usr/libexec/microcode_ctl/update_ucode, please remove the corresponding readme
b24a43
file (/lib/firmware/<kernel_version>/readme-intel-06-4f-01).
b24a43
b24a43
b24a43
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
b24a43
information.