Blame SOURCES/06-55-04_readme

6e6257
Intel Skylake Scalable Platform CPU models that belong to Workstation and HEDT
6e6257
(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports
6e6257
of system hangs on reboot when revision 0x2000065 of microcode, that was included
6e6257
from microcode-20191112 update up to microcode-20200520 update, was applied[1].
6e6257
In order to address this, microcode update to the newer revision had been
6e6257
disabled by default on these systems, and the previously published microcode
6e6257
revision 0x2000064 is used by default for the OS-driven microcode update.
6e6257
6e6257
Since revision 0x2006906 (included with the microcode-20200609 release)
6e6257
it is reported that the issue is no longer present, so the newer microcode
6e6257
revision is enabled by default now (but can be disabled explicitly; see below).
078ac8
3a6b56
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
3a6b56
078ac8
For the reference, SHA1 checksums of 06-55-04 microcode files containing
078ac8
microcode revisions in question are listed below:
078ac8
 * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
078ac8
 * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
6e6257
 * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
36ce7f
 * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
8b76b1
 * 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
5532bf
 * 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
ea88b1
 * 06-55-04, revision 0x2006c0a: 76b641375d136c08f5feb46aacebee40468ac085
871b4f
 * 06-55-04, revision 0x2006d05: dc4207cf4eb916ff34acbdddc474db0df781234f
bbefcb
 * 06-55-04, revision 0x2006e05: bc67d247ad1c9a834bec5e452606db1381d6bc7e
078ac8
078ac8
Please contact your system vendor for a BIOS/firmware update that contains
078ac8
the latest microcode version.  For the information regarding microcode versions
078ac8
required for mitigating specific side-channel cache attacks, please refer
078ac8
to the following knowledge base articles:
078ac8
 * CVE-2017-5715 ("Spectre"):
078ac8
   https://access.redhat.com/articles/3436091
078ac8
 * CVE-2018-3639 ("Speculative Store Bypass"):
078ac8
   https://access.redhat.com/articles/3540901
078ac8
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
078ac8
   https://access.redhat.com/articles/3562741
078ac8
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
078ac8
   ("Microarchitectural Data Sampling"):
078ac8
   https://access.redhat.com/articles/4138151
078ac8
 * CVE-2019-0117 (Intel SGX Information Leak),
078ac8
   CVE-2019-0123 (Intel SGX Privilege Escalation),
078ac8
   CVE-2019-11135 (TSX Asynchronous Abort),
078ac8
   CVE-2019-11139 (Voltage Setting Modulation):
078ac8
   https://access.redhat.com/solutions/2019-microcode-nov
6e6257
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
6e6257
   CVE-2020-0548 (Vector Register Data Sampling),
6e6257
   CVE-2020-0549 (L1D Cache Eviction Sampling):
6e6257
   https://access.redhat.com/solutions/5142751
96af4f
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
96af4f
   CVE-2020-8696 (Vector Register Leakage-Active),
96af4f
   CVE-2020-8698 (Fast Forward Store Predictor):
96af4f
   https://access.redhat.com/articles/5569051
ca7245
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
ca7245
   CVE-2020-24511 (Improper Isolation of Shared Resources),
ca7245
   CVE-2020-24512 (Observable Timing Discrepancy),
ca7245
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
ca7245
   https://access.redhat.com/articles/6101171
548685
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
548685
   https://access.redhat.com/articles/6716541
871b4f
 * CVE-2022-0005 (Informational disclosure via JTAG),
871b4f
   CVE-2022-21123 (Shared Buffers Data Read),
871b4f
   CVE-2022-21125 (Shared Buffers Data Sampling),
871b4f
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
871b4f
   CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
871b4f
   CVE-2022-21136 (Overclocking service access protection),
871b4f
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
871b4f
   CVE-2022-21166 (Device Register Partial Write):
871b4f
   https://access.redhat.com/articles/6963124
bbefcb
 * CVE-2022-21233 (Stale Data Read from legacy xAPIC):
bbefcb
   https://access.redhat.com/articles/6976398
078ac8
6e6257
The information regarding disabling microcode update is provided below.
078ac8
6e6257
To disable usage of the newer microcode revision for a specific kernel
6e6257
version, please create a file "disallow-intel-06-55-04" inside
078ac8
/lib/firmware/<kernel_version> directory, run
6e6257
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
6e6257
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
6e6257
so initramfs for this kernel version is regenerated, for example:
078ac8
6e6257
    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04
078ac8
    /usr/libexec/microcode_ctl/update_ucode
078ac8
    dracut -f --kver 3.10.0-862.9.1
078ac8
6e6257
To disable usage of the newer microcode revision for all kernels, please create
6e6257
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run
6e6257
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
6e6257
used for late microcode updates, and run "dracut -f --regenerate-all"
6e6257
so initramfs images get regenerated, for example:
078ac8
078ac8
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
6e6257
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04
078ac8
    /usr/libexec/microcode_ctl/update_ucode
078ac8
    dracut -f --regenerate-all
078ac8
078ac8
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
078ac8
information.