Blame SOURCES/06-55-04_readme

9db7ba
Intel Skylake Scalable Platform CPU models that belong to Workstation and HEDT
9db7ba
(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports
9db7ba
of system hangs on reboot when revision 0x2000065 of microcode, that was included
9db7ba
from microcode-20191112 update up to microcode-20200520 update, was applied[1].
9db7ba
In order to address this, microcode update to the newer revision had been
9db7ba
disabled by default on these systems, and the previously published microcode
9db7ba
revision 0x2000064 is used by default for the OS-driven microcode update.
9db7ba
9db7ba
Since revision 0x2006906 (included with the microcode-20200609 release)
9db7ba
it is reported that the issue is no longer present, so the newer microcode
9db7ba
revision is enabled by default now (but can be disabled explicitly; see below).
f3c512
347126
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
347126
f3c512
For the reference, SHA1 checksums of 06-55-04 microcode files containing
f3c512
microcode revisions in question are listed below:
f3c512
 * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
f3c512
 * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
9db7ba
 * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
9d39cf
 * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
50693b
 * 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
cc944f
 * 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
fc0a9b
 * 06-55-04, revision 0x2006c0a: 76b641375d136c08f5feb46aacebee40468ac085
72a479
 * 06-55-04, revision 0x2006d05: dc4207cf4eb916ff34acbdddc474db0df781234f
f3c512
f3c512
Please contact your system vendor for a BIOS/firmware update that contains
f3c512
the latest microcode version.  For the information regarding microcode versions
f3c512
required for mitigating specific side-channel cache attacks, please refer
f3c512
to the following knowledge base articles:
f3c512
 * CVE-2017-5715 ("Spectre"):
f3c512
   https://access.redhat.com/articles/3436091
f3c512
 * CVE-2018-3639 ("Speculative Store Bypass"):
f3c512
   https://access.redhat.com/articles/3540901
f3c512
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
f3c512
   https://access.redhat.com/articles/3562741
f3c512
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
f3c512
   ("Microarchitectural Data Sampling"):
f3c512
   https://access.redhat.com/articles/4138151
f3c512
 * CVE-2019-0117 (Intel SGX Information Leak),
f3c512
   CVE-2019-0123 (Intel SGX Privilege Escalation),
f3c512
   CVE-2019-11135 (TSX Asynchronous Abort),
f3c512
   CVE-2019-11139 (Voltage Setting Modulation):
f3c512
   https://access.redhat.com/solutions/2019-microcode-nov
9db7ba
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
9db7ba
   CVE-2020-0548 (Vector Register Data Sampling),
9db7ba
   CVE-2020-0549 (L1D Cache Eviction Sampling):
9db7ba
   https://access.redhat.com/solutions/5142751
501af6
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
501af6
   CVE-2020-8696 (Vector Register Leakage-Active),
501af6
   CVE-2020-8698 (Fast Forward Store Predictor):
501af6
   https://access.redhat.com/articles/5569051
f9176a
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
f9176a
   CVE-2020-24511 (Improper Isolation of Shared Resources),
f9176a
   CVE-2020-24512 (Observable Timing Discrepancy),
f9176a
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
f9176a
   https://access.redhat.com/articles/6101171
fc0a9b
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
fc0a9b
   https://access.redhat.com/articles/6716541
72a479
 * CVE-2022-0005 (Informational disclosure via JTAG),
72a479
   CVE-2022-21123 (Shared Buffers Data Read),
72a479
   CVE-2022-21125 (Shared Buffers Data Sampling),
72a479
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
72a479
   CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
72a479
   CVE-2022-21136 (Overclocking service access protection),
72a479
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
72a479
   CVE-2022-21166 (Device Register Partial Write):
72a479
   https://access.redhat.com/articles/6963124
f3c512
9db7ba
The information regarding disabling microcode update is provided below.
f3c512
9db7ba
To disable usage of the newer microcode revision for a specific kernel
9db7ba
version, please create a file "disallow-intel-06-55-04" inside
f3c512
/lib/firmware/<kernel_version> directory, run
9db7ba
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
9db7ba
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
9db7ba
so initramfs for this kernel version is regenerated, for example:
f3c512
9db7ba
    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04
f3c512
    /usr/libexec/microcode_ctl/update_ucode
f3c512
    dracut -f --kver 3.10.0-862.9.1
f3c512
9db7ba
To disable usage of the newer microcode revision for all kernels, please create
9db7ba
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run
9db7ba
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
9db7ba
used for late microcode updates, and run "dracut -f --regenerate-all"
9db7ba
so initramfs images get regenerated, for example:
f3c512
f3c512
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
9db7ba
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04
f3c512
    /usr/libexec/microcode_ctl/update_ucode
f3c512
    dracut -f --regenerate-all
f3c512
f3c512
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
f3c512
information.