Intel Broadwell-EP/EX (BDX-ML B/M/R0, family 6, model 79, stepping 1) has issues
with microcode update that may lead to a system hang; while some changes
to the Linux kernel have been made in an attempt to address these issues,
they were not eliminated, so a possibility of unstable system behaviour
after a microcode update performed on a running system is still present even
on kernels that contain the aforementioned changes. As a result, microcode update
for this CPU model has been disabled by default.

For reference, kernel versions for the respective RHEL minor versions
that contain the aforementioned changes are listed below:
 * Upstream/RHEL 8: kernel-4.17.0 or newer;
 * RHEL 7.6 onwards: kernel-3.10.0-894 or newer;
 * RHEL 7.5.z: kernel-3.10.0-862.6.1 or newer;
 * RHEL 7.4.z: kernel-3.10.0-693.35.1 or newer;
 * RHEL 7.3.z: kernel-3.10.0-514.52.1 or newer;
 * RHEL 7.2.z: kernel-3.10.0-327.70.1 or newer.

Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
 * CVE-2017-5715 ("Spectre"):
   https://access.redhat.com/articles/3436091
 * CVE-2018-3639 ("Speculative Store Bypass"):
   https://access.redhat.com/articles/3540901
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
   https://access.redhat.com/articles/3562741
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
   ("Microarchitectural Data Sampling"):
   https://access.redhat.com/articles/4138151
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
   CVE-2020-24511 (Improper Isolation of Shared Resources),
   CVE-2020-24512 (Observable Timing Discrepancy),
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
   https://access.redhat.com/articles/6101171

The information regarding enforcing microcode load is provided below.

For enforcing addition of this microcode to the firmware directory
for a specific kernel, where it is available for a late microcode update,
please create a file "force-late-intel-06-4f-01" inside
"/lib/firmware/<kernel_version>" directory and run
"/usr/libexec/microcode_ctl/update_ucode":

    touch /lib/firmware/3.10.0-862.9.1/force-late-intel-06-4f-01
    /usr/libexec/microcode_ctl/update_ucode

After that, it is possible to perform a late microcode update by executing
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
"/sys/devices/system/cpu/microcode/reload" directly.

For enforcing addition of this microcode to firmware directories for all
kernels, please create a file
"/etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01"
and run "/usr/libexec/microcode_ctl/update_ucode":

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01
    /usr/libexec/microcode_ctl/update_ucode

For enforcing early load of this microcode for a specific kernel, please
create a file "force-early-intel-06-4f-01" inside
"/lib/firmware/<kernel_version>" directory and run
"dracut -f --kver <kernel_version>":

    touch /lib/firmware/3.10.0-862.9.1/force-early-intel-06-4f-01
    dracut -f --kver 3.10.0-862.9.1

For enforcing early load of this microcode for all kernels, please
create a file "/etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01"
and run "dracut -f --regenerate-all":

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01
    dracut -f --regenerate-all

If you want to avoid removal of the microcode file during cleanup performed by
/usr/libexec/microcode_ctl/update_ucode, please remove the corresponding readme
file (/lib/firmware/<kernel_version>/readme-intel-06-4f-01).

Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.
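
The following read-only check is an added example, not part of microcode_ctl: it reports whether the CPU is the 06-4f-01 model, whether a kernel version meets the minimums listed above, and which of the force files already exist. The function names and the optional root-prefix argument are assumptions of the example.

```bash
# Added example: pre-flight audit before forcing the 06-4f-01 microcode load.
# File names, paths and kernel minimums are the ones in this README; function
# names and the optional root prefix are assumptions of the example.

# CPU signature as hex family-model-stepping (first processor only),
# read from a /proc/cpuinfo-format file.
cpu_sig() {
    awk -F': *' '
        /^cpu family/    { f = $2 }
        /^model[ \t]*:/  { m = $2 }
        /^stepping/      { s = $2 }
        /^$/             { exit }
        END { printf "%02x-%02x-%02x\n", f, m, s }' "${1:-/proc/cpuinfo}"
}

# Succeeds if kernel $1 (uname -r format) is at or above the minimum listed
# above for its stream. The .elN dist suffix is stripped before comparing.
kernel_has_changes() {
    local kver=${1%%.el[0-9]*} min
    case $kver in
        3.10.0-327.*) min=3.10.0-327.70.1 ;;
        3.10.0-514.*) min=3.10.0-514.52.1 ;;
        3.10.0-693.*) min=3.10.0-693.35.1 ;;
        3.10.0-862.*) min=3.10.0-862.6.1 ;;
        3.10.0-*)     min=3.10.0-894 ;;
        *)            min=4.17.0 ;;
    esac
    [ "$(printf '%s\n' "$min" "$kver" | sort -V | head -n1)" = "$min" ]
}

# Print the override files that exist for kernel $1 under root prefix $2.
force_state() {
    local kver=$1 root=${2:-} f found=""
    for f in "/lib/firmware/$kver/force-late-intel-06-4f-01" \
             "/lib/firmware/$kver/force-early-intel-06-4f-01" \
             /etc/microcode_ctl/ucode_with_caveats/force-late-intel-06-4f-01 \
             /etc/microcode_ctl/ucode_with_caveats/force-early-intel-06-4f-01; do
        if [ -e "$root$f" ]; then found="$found${found:+ }$f"; fi
    done
    echo "${found:-none}"
}

# Report for the running host; changes nothing.
if [ -r /proc/cpuinfo ]; then
    k=$(uname -r)
    kernel_has_changes "$k" && c=yes || c=no
    echo "cpu=$(cpu_sig) kernel=$k has_changes=$c overrides=$(force_state "$k")"
fi
```

A host that reports cpu=06-4f-01 with has_changes=no is the case in which a forced late update carries the highest risk of the hang described above.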