Intel Skylake Scalable Platform CPU models (SKL-SP/W/X, family 6, model 85,
stepping 4) have reports of system hangs when revision 0x2000065 of microcode,
which has been included since the microcode-20191112 update, is applied.  To
address this, the microcode update to this revision has been disabled,
and the previously published microcode revision 0x2000064 is used by default
for the OS-driven microcode update.

For reference, SHA1 checksums of the 06-55-04 microcode files containing
the microcode revisions in question are listed below:
 * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
 * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23

Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version.  For information regarding the microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
 * CVE-2017-5715 ("Spectre"):
   https://access.redhat.com/articles/3436091
 * CVE-2018-3639 ("Speculative Store Bypass"):
   https://access.redhat.com/articles/3540901
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
   https://access.redhat.com/articles/3562741
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
   ("Microarchitectural Data Sampling"):
   https://access.redhat.com/articles/4138151
 * CVE-2019-0117 (Intel SGX Information Leak),
   CVE-2019-0123 (Intel SGX Privilege Escalation),
   CVE-2019-11135 (TSX Asynchronous Abort),
   CVE-2019-11139 (Voltage Setting Modulation):
   https://access.redhat.com/solutions/2019-microcode-nov

Information on enforcing the microcode update is provided below.

To enforce usage of the 0x2000065 microcode revision for a specific kernel
version, please create a file "force-intel-06-55-04" inside the
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to add it to the firmware directory
where microcode will be available for late microcode update, and run
"dracut -f --kver <kernel_version>", so that the initramfs for this kernel
version is regenerated and the microcode can be loaded early, for example:

    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-04
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --kver 3.10.0-862.9.1

After that, it is possible to perform a late microcode update by executing
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
"/sys/devices/system/cpu/microcode/reload" directly.

To enforce addition of this microcode for all kernels, please create the file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04", run
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
and "dracut -f --regenerate-all" for enabling early microcode updates:

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --regenerate-all

Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.
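
The following shell sketch is an added example, not part of microcode_ctl.
It reports whether a host matches the 06-55-04 signature described above,
which of the two revisions it is running, and which override file (if any)
is present.  The function names and the ROOT prefix are hypothetical, and
the cpuinfo sample is constructed.

```sh
#!/bin/sh
# Added example, not part of microcode_ctl.

# ucode_status [FILE]: classify /proc/cpuinfo-style text (stdin if no FILE).
#   not-affected  first CPU is not family 6, model 85, stepping 4
#   default       06-55-04 running 0x2000064 (used by default, see above)
#   forced        06-55-04 running 0x2000065 (the revision with hang reports)
#   other:<rev>   06-55-04 running another revision, e.g. from BIOS/firmware
ucode_status() {
    awk -F '[ \t]*:[ \t]*' '
        /^$/               { exit }            # only the first CPU block
        $1 == "cpu family" { fam = $2 }
        $1 == "model"      { mod = $2 }        # exact match, not "model name"
        $1 == "stepping"   { step = $2 }
        $1 == "microcode"  { rev = tolower($2) }
        END {
            if (fam != 6 || mod != 85 || step != 4) { print "not-affected"; exit }
            if (rev == "0x2000064")      print "default"
            else if (rev == "0x2000065") print "forced"
            else                         print "other:" rev
        }' "${1:--}"
}

# force_scope KVER [ROOT]: which override file from the procedure exists.
# ROOT is a hypothetical path prefix so the check can run against a copy.
force_scope() {
    root=${2:-}
    if [ -e "$root/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04" ]; then
        echo all-kernels
    elif [ -e "$root/lib/firmware/$1/force-intel-06-55-04" ]; then
        echo "kernel:$1"
    else
        echo none
    fi
}

# Constructed sample of one /proc/cpuinfo block; $1 is the microcode revision.
sample_cpuinfo() {
    printf 'processor\t: 0\ncpu family\t: 6\nmodel\t\t: 85\n'
    printf 'model name\t: constructed sample\n'
    printf 'stepping\t: 4\nmicrocode\t: %s\n\n' "$1"
}

# Demo on constructed input; on a real host: ucode_status /proc/cpuinfo
echo "sample: $(sample_cpuinfo 0x2000065 | ucode_status)," \
     "override: $(force_scope "$(uname -r)")"
```

Comparing the two results shows whether the running revision is consistent
with the override files that are in place for that kernel.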