Blame SOURCES/06-55-04_readme

27aa66
Intel Skylake Scalable Platform CPU models that belong to Workstation and HEDT
27aa66
(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports
27aa66
of system hangs on reboot when revision 0x2000065 of microcode, that was included
27aa66
from microcode-20191112 update up to microcode-20200520 update, was applied[1].
27aa66
In order to address this, microcode update to the newer revision had been
27aa66
disabled by default on these systems, and the previously published microcode
27aa66
revision 0x2000064 is used by default for the OS-driven microcode update.
27aa66
27aa66
Since revision 0x2006906 (included with the microcode-20200609 release)
27aa66
it is reported that the issue is no longer present, so the newer microcode
27aa66
revision is enabled by default now (but can be disabled explicitly; see below).
175f9a
494736
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
494736
175f9a
For the reference, SHA1 checksums of 06-55-04 microcode files containing
175f9a
microcode revisions in question are listed below:
175f9a
 * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
175f9a
 * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
27aa66
 * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
da1320
 * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
c0f195
 * 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
2c8f3d
 * 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
175f9a
175f9a
Please contact your system vendor for a BIOS/firmware update that contains
175f9a
the latest microcode version.  For the information regarding microcode versions
175f9a
required for mitigating specific side-channel cache attacks, please refer
175f9a
to the following knowledge base articles:
175f9a
 * CVE-2017-5715 ("Spectre"):
175f9a
   https://access.redhat.com/articles/3436091
175f9a
 * CVE-2018-3639 ("Speculative Store Bypass"):
175f9a
   https://access.redhat.com/articles/3540901
175f9a
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
175f9a
   https://access.redhat.com/articles/3562741
175f9a
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
175f9a
   ("Microarchitectural Data Sampling"):
175f9a
   https://access.redhat.com/articles/4138151
175f9a
 * CVE-2019-0117 (Intel SGX Information Leak),
175f9a
   CVE-2019-0123 (Intel SGX Privilege Escalation),
175f9a
   CVE-2019-11135 (TSX Asynchronous Abort),
175f9a
   CVE-2019-11139 (Voltage Setting Modulation):
175f9a
   https://access.redhat.com/solutions/2019-microcode-nov
27aa66
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
27aa66
   CVE-2020-0548 (Vector Register Data Sampling),
27aa66
   CVE-2020-0549 (L1D Cache Eviction Sampling):
27aa66
   https://access.redhat.com/solutions/5142751
3bf6c4
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
3bf6c4
   CVE-2020-8696 (Vector Register Leakage-Active),
3bf6c4
   CVE-2020-8698 (Fast Forward Store Predictor):
3bf6c4
   https://access.redhat.com/articles/5569051
175f9a
27aa66
The information regarding disabling microcode update is provided below.
175f9a
27aa66
To disable usage of the newer microcode revision for a specific kernel
27aa66
version, please create a file "disallow-intel-06-55-04" inside
175f9a
/lib/firmware/<kernel_version> directory, run
27aa66
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
27aa66
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
27aa66
so initramfs for this kernel version is regenerated, for example:
175f9a
27aa66
    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04
175f9a
    /usr/libexec/microcode_ctl/update_ucode
175f9a
    dracut -f --kver 3.10.0-862.9.1
175f9a
27aa66
To disable usage of the newer microcode revision for all kernels, please create
27aa66
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run
27aa66
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
27aa66
used for late microcode updates, and run "dracut -f --regenerate-all"
27aa66
so initramfs images get regenerated, for example:
175f9a
175f9a
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
27aa66
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04
175f9a
    /usr/libexec/microcode_ctl/update_ucode
175f9a
    dracut -f --regenerate-all
175f9a
175f9a
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
175f9a
information.