Blame SOURCES/06-55-04_readme

9db7ba
Intel Skylake Scalable Platform CPU models that belong to Workstation and HEDT
9db7ba
(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports
9db7ba
of system hangs on reboot when revision 0x2000065 of microcode, that was included
9db7ba
from microcode-20191112 update up to microcode-20200520 update, was applied[1].
9db7ba
In order to address this, microcode update to the newer revision had been
9db7ba
disabled by default on these systems, and the previously published microcode
9db7ba
revision 0x2000064 is used by default for the OS-driven microcode update.
9db7ba
9db7ba
Since revision 0x2006906 (included with the microcode-20200609 release)
9db7ba
it is reported that the issue is no longer present, so the newer microcode
9db7ba
revision is enabled by default now (but can be disabled explicitly; see below).
f3c512
347126
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
347126
f3c512
For the reference, SHA1 checksums of 06-55-04 microcode files containing
f3c512
microcode revisions in question are listed below:
f3c512
 * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
f3c512
 * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
9db7ba
 * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
f3c512
f3c512
Please contact your system vendor for a BIOS/firmware update that contains
f3c512
the latest microcode version.  For the information regarding microcode versions
f3c512
required for mitigating specific side-channel cache attacks, please refer
f3c512
to the following knowledge base articles:
f3c512
 * CVE-2017-5715 ("Spectre"):
f3c512
   https://access.redhat.com/articles/3436091
f3c512
 * CVE-2018-3639 ("Speculative Store Bypass"):
f3c512
   https://access.redhat.com/articles/3540901
f3c512
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
f3c512
   https://access.redhat.com/articles/3562741
f3c512
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
f3c512
   ("Microarchitectural Data Sampling"):
f3c512
   https://access.redhat.com/articles/4138151
f3c512
 * CVE-2019-0117 (Intel SGX Information Leak),
f3c512
   CVE-2019-0123 (Intel SGX Privilege Escalation),
f3c512
   CVE-2019-11135 (TSX Asynchronous Abort),
f3c512
   CVE-2019-11139 (Voltage Setting Modulation):
f3c512
   https://access.redhat.com/solutions/2019-microcode-nov
9db7ba
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
9db7ba
   CVE-2020-0548 (Vector Register Data Sampling),
9db7ba
   CVE-2020-0549 (L1D Cache Eviction Sampling):
9db7ba
   https://access.redhat.com/solutions/5142751
f3c512
9db7ba
The information regarding disabling microcode update is provided below.
f3c512
9db7ba
To disable usage of the newer microcode revision for a specific kernel
9db7ba
version, please create a file "disallow-intel-06-55-04" inside
f3c512
/lib/firmware/<kernel_version> directory, run
9db7ba
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
9db7ba
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
9db7ba
so initramfs for this kernel version is regenerated, for example:
f3c512
9db7ba
    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04
f3c512
    /usr/libexec/microcode_ctl/update_ucode
f3c512
    dracut -f --kver 3.10.0-862.9.1
f3c512
9db7ba
To disable usage of the newer microcode revision for all kernels, please create
9db7ba
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run
9db7ba
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
9db7ba
used for late microcode updates, and run "dracut -f --regenerate-all"
9db7ba
so initramfs images get regenerated, for example:
f3c512
f3c512
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
9db7ba
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04
f3c512
    /usr/libexec/microcode_ctl/update_ucode
f3c512
    dracut -f --regenerate-all
f3c512
f3c512
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
f3c512
information.