Intel Skylake Scalable Platform CPU models that belong to the Workstation and
HEDT (Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports
of system hangs on reboot when microcode revision 0x2000065, which was included
in the microcode-20191112 through microcode-20200520 updates, was applied[1].
To address this, the microcode update to the newer revision had been
disabled by default on these systems, and the previously published microcode
revision 0x2000064 was used by default for the OS-driven microcode update.

Since revision 0x2006906 (included with the microcode-20200609 release),
the issue is reported to be no longer present, so the newer microcode
revision is now enabled by default (but can be disabled explicitly; see below).

[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21

For reference, SHA1 checksums of the 06-55-04 microcode files containing
the microcode revisions in question are listed below:
 * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
 * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
 * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
 * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
 * 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
 * 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
 * 06-55-04, revision 0x2006c0a: 76b641375d136c08f5feb46aacebee40468ac085
 * 06-55-04, revision 0x2006d05: dc4207cf4eb916ff34acbdddc474db0df781234f
 * 06-55-04, revision 0x2006e05: bc67d247ad1c9a834bec5e452606db1381d6bc7e
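
To see where a host stands relative to the revisions listed above, the following added example (not part of microcode_ctl) reads /proc/cpuinfo-format text and reports whether the CPU is a 06-55-04 part and whether the loaded revision is the one with hang reports (0x2000065), an earlier one, or 0x2006906 and later. The function name, the status words and the sample input are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not part of microcode_ctl): classify a host against the
# 06-55-04 caveat using /proc/cpuinfo-format text on stdin.
# Status words are assumptions made for this example.

classify_ucode() {
    # Use the first processor entry only.
    fields=$(awk -F':' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function d(x)    { return (x == "" ? "-" : x) }
        { k = trim($1); v = trim($2) }
        k == "vendor_id"  { vendor = v }
        k == "cpu family" { fam = v }
        k == "model"      { model = v }
        k == "stepping"   { step = v }
        k == "microcode"  { rev = v }
        k == "" && fam != "" { exit }
        END { print d(vendor), d(fam), d(model), d(step), d(rev) }
    ')
    read -r vendor fam model step rev <<EOF
$fields
EOF
    if [ "$vendor" != GenuineIntel ] || [ "$fam-$model-$step" != 6-85-4 ]; then
        echo not-applicable; return 0
    fi
    # Accept only 0x-prefixed hex before handing the value to arithmetic.
    hex=${rev#0x}
    case $hex in "$rev"|''|*[!0-9a-fA-F]*) echo unknown-revision; return 0 ;; esac
    if   [ $((0x$hex)) -eq $((0x2000065)) ]; then echo hang-reported
    elif [ $((0x$hex)) -ge $((0x2006906)) ]; then echo fix-reported
    elif [ $((0x$hex)) -le $((0x2000064)) ]; then echo earlier-revision
    else echo unlisted-revision
    fi
}

# Constructed sample; on a real host run: classify_ucode < /proc/cpuinfo
SAMPLE_CPUINFO='processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 85
model name  : Constructed SKL-X sample
stepping    : 4
microcode   : 0x2000065

processor   : 1'

printf '%s\n' "$SAMPLE_CPUINFO" | classify_ucode
```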

Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version.  For information about the microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
 * CVE-2017-5715 ("Spectre"):
   https://access.redhat.com/articles/3436091
 * CVE-2018-3639 ("Speculative Store Bypass"):
   https://access.redhat.com/articles/3540901
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
   https://access.redhat.com/articles/3562741
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
   ("Microarchitectural Data Sampling"):
   https://access.redhat.com/articles/4138151
 * CVE-2019-0117 (Intel SGX Information Leak),
   CVE-2019-0123 (Intel SGX Privilege Escalation),
   CVE-2019-11135 (TSX Asynchronous Abort),
   CVE-2019-11139 (Voltage Setting Modulation):
   https://access.redhat.com/solutions/2019-microcode-nov
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
   CVE-2020-0548 (Vector Register Data Sampling),
   CVE-2020-0549 (L1D Cache Eviction Sampling):
   https://access.redhat.com/solutions/5142751
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
   CVE-2020-8696 (Vector Register Leakage-Active),
   CVE-2020-8698 (Fast Forward Store Predictor):
   https://access.redhat.com/articles/5569051
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
   CVE-2020-24511 (Improper Isolation of Shared Resources),
   CVE-2020-24512 (Observable Timing Discrepancy),
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
   https://access.redhat.com/articles/6101171
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
   https://access.redhat.com/articles/6716541
 * CVE-2022-0005 (Informational disclosure via JTAG),
   CVE-2022-21123 (Shared Buffers Data Read),
   CVE-2022-21125 (Shared Buffers Data Sampling),
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
   CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
   CVE-2022-21136 (Overclocking service access protection),
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
   CVE-2022-21166 (Device Register Partial Write):
   https://access.redhat.com/articles/6963124
 * CVE-2022-21233 (Stale Data Read from legacy xAPIC):
   https://access.redhat.com/articles/6976398

Information on disabling the microcode update is provided below.

To disable usage of the newer microcode revision for a specific kernel
version, please create a file "disallow-intel-06-55-04" inside the
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to update the firmware directory
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
so that the initramfs for this kernel version is regenerated, for example:

    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --kver 3.10.0-862.9.1

To disable usage of the newer microcode revision for all kernels, please create
the file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run
"/usr/libexec/microcode_ctl/update_ucode" to update the firmware directories
used for late microcode updates, and run "dracut -f --regenerate-all"
so that the initramfs images are regenerated, for example:

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --regenerate-all

Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.