Intel Skylake Scalable Platform CPU models that belong to the Workstation and HEDT
(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports
of system hangs on reboot when microcode revision 0x2000065, which was shipped
in the Intel microcode releases from microcode-20191112 up to microcode-20200520,
was applied[1].  To address this, the update to the newer revision was disabled
by default on these systems, and the previously published microcode revision
0x2000064 was used by default for the OS-driven microcode update.

Since revision 0x2006906 (included with the microcode-20200609 release) the issue
is reported to be no longer present, so the newer microcode revision is now
enabled by default (but can be disabled explicitly; see below).

[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21

For reference, the SHA1 checksums of the 06-55-04 microcode files containing the
microcode revisions in question are listed below:
 * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
 * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
 * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
 * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
 * 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
 * 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
 * 06-55-04, revision 0x2006c0a: 76b641375d136c08f5feb46aacebee40468ac085
 * 06-55-04, revision 0x2006d05: dc4207cf4eb916ff34acbdddc474db0df781234f
 * 06-55-04, revision 0x2006e05: bc67d247ad1c9a834bec5e452606db1381d6bc7e

Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version.  For information regarding the microcode versions
required for mitigating specific CPU vulnerabilities (speculative-execution and
other side-channel issues as well as the related hardware issues listed below),
please refer to the following knowledge base articles:
 * CVE-2017-5715 ("Spectre"):
   https://access.redhat.com/articles/3436091
 * CVE-2018-3639 ("Speculative Store Bypass"):
   https://access.redhat.com/articles/3540901
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
   https://access.redhat.com/articles/3562741
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
   ("Microarchitectural Data Sampling"):
   https://access.redhat.com/articles/4138151
 * CVE-2019-0117 (Intel SGX Information Leak),
   CVE-2019-0123 (Intel SGX Privilege Escalation),
   CVE-2019-11135 (TSX Asynchronous Abort),
   CVE-2019-11139 (Voltage Setting Modulation):
   https://access.redhat.com/solutions/2019-microcode-nov
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
   CVE-2020-0548 (Vector Register Data Sampling),
   CVE-2020-0549 (L1D Cache Eviction Sampling):
   https://access.redhat.com/solutions/5142751
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
   CVE-2020-8696 (Vector Register Leakage-Active),
   CVE-2020-8698 (Fast Forward Store Predictor):
   https://access.redhat.com/articles/5569051
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
   CVE-2020-24511 (Improper Isolation of Shared Resources),
   CVE-2020-24512 (Observable Timing Discrepancy),
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
   https://access.redhat.com/articles/6101171
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
   https://access.redhat.com/articles/6716541
 * CVE-2022-0005 (Informational disclosure via JTAG),
   CVE-2022-21123 (Shared Buffers Data Read),
   CVE-2022-21125 (Shared Buffers Data Sampling),
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
   CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
   CVE-2022-21136 (Overclocking service access protection),
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
   CVE-2022-21166 (Device Register Partial Write):
   https://access.redhat.com/articles/6963124
 * CVE-2022-21233 (Stale Data Read from legacy xAPIC):
   https://access.redhat.com/articles/6976398

The information regarding disabling the microcode update is provided below.

To disable usage of the newer microcode revision for a specific kernel
version, create a file named "disallow-intel-06-55-04" inside the
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to update the firmware directory
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
so that the initramfs for this kernel version is regenerated, for example:

    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --kver 3.10.0-862.9.1

To disable usage of the newer microcode revision for all kernels, create the
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run
"/usr/libexec/microcode_ctl/update_ucode" to update the firmware directories
used for late microcode updates, and run "dracut -f --regenerate-all"
so that all initramfs images are regenerated, for example:

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --regenerate-all

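As an added example that is not part of microcode_ctl or of this readme, the
following POSIX shell script gathers the checks a practitioner wants before and
after the steps above: whether the host is actually a 06-55-04 (family 6, model
85, stepping 4) CPU, which 06-55-04 revision is staged for the late update
(by matching the staged file's SHA1 against the checksum list above) and which
revision the CPU currently reports in /proc/cpuinfo, plus a function that
performs the disable procedure.  It assumes that update_ucode stages the file
as /lib/firmware/<kernel_version>/intel-ucode/06-55-04; the function and
variable names, the optional root-prefix argument (which lets the file
operations be exercised against a scratch directory instead of the live system)
and the cpuinfo sample are the example's own and not taken from the package.

```shell
#!/bin/sh
# Added example, not part of microcode_ctl: check whether this host is a
# 06-55-04 system, which 06-55-04 revision is staged for late loading and which
# one the CPU is running, and stage the "disallow" marker this readme describes.
# Assumption: update_ucode stages the file as /lib/firmware/<kver>/intel-ucode/06-55-04.
# The optional root prefix (first argument of the file-handling functions) is
# an example-only convenience for running against a scratch tree.

# SHA1 checksums from this readme, one "sha1 revision" pair per line.
KNOWN_06_55_04='
2e405644a145de0f55517b6a9de118eec8ec1e5a 0x2000064
f27f12b9d53f492c297afd856cdbc596786fad23 0x2000065
5f18f985f6d5ad369b5f6549b7f3ee55acaef967 0x2006906
4059fb1f60370297454177f63cd7cc20b3fa1212 0x2006a08
7ec27025329c82de9553c14a78733ad1013e5462 0x2006a0a
cb5bec976cb9754e3a22ab6828b3262a8f9eccf7 0x2006b06
76b641375d136c08f5feb46aacebee40468ac085 0x2006c0a
dc4207cf4eb916ff34acbdddc474db0df781234f 0x2006d05
bc67d247ad1c9a834bec5e452606db1381d6bc7e 0x2006e05
'

# Constructed /proc/cpuinfo excerpt for offline runs (not captured from a real host).
SAMPLE_CPUINFO='processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 85
model name  : constructed sample
stepping    : 4
microcode   : 0x2006906
processor   : 1
cpu family  : 6
model       : 85
stepping    : 4
microcode   : 0x2006906'

# cpu_is_06_55_04 [cpuinfo]: true when the first processor block reports
# family 6, model 85, stepping 4 (the SKL-W/X parts this caveat applies to).
cpu_is_06_55_04() {
    awk -F': ' '
        /^processor/ && NR > 1 { exit }
        /^cpu family/      { fam  = $2 + 0 }
        /^model[ \t]*:/    { mod  = $2 + 0 }
        /^stepping/        { step = $2 + 0 }
        END { exit !(fam == 6 && mod == 85 && step == 4) }' "${1:-/proc/cpuinfo}"
}

# loaded_revision [cpuinfo]: the microcode revision the running CPU reports.
loaded_revision() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# revision_for_sha1 <sha1>: map a checksum to a known revision, else "unknown".
revision_for_sha1() {
    printf '%s\n' "$KNOWN_06_55_04" |
        awk -v want="$1" '$1 == want { print $2; found = 1 } END { if (!found) print "unknown" }'
}

# staged_revision [root] <kver>: revision of the file staged for the late update
# under <root>/lib/firmware/<kver>; "missing" when no file is staged.
staged_revision() {
    f="$1/lib/firmware/$2/intel-ucode/06-55-04"
    if [ -r "$f" ]; then revision_for_sha1 "$(sha1sum "$f" | cut -d' ' -f1)"; else echo missing; fi
}

# affected_revision <rev>: the revision this readme reports as hanging on reboot.
affected_revision() { [ "$1" = 0x2000065 ]; }

# check_kernel [root] <kver> [cpuinfo]: one-line report; non-zero exit status
# when the staged file is the affected revision.
check_kernel() {
    staged=$(staged_revision "$1" "$2")
    loaded=$(loaded_revision "${3:-/proc/cpuinfo}")
    printf '06-55-04 kver=%s staged=%s loaded=%s\n' "$2" "$staged" "$loaded"
    ! affected_revision "$staged"
}

# disallow_newer_ucode [root] [kver]: create the per-kernel marker (kver given)
# or the all-kernels marker, then run update_ucode and dracut as the readme
# lists.  The tools are only run against the live system, i.e. without a root prefix.
disallow_newer_ucode() {
    if [ -n "$2" ]; then
        mkdir -p "$1/lib/firmware/$2"
        touch "$1/lib/firmware/$2/disallow-intel-06-55-04"
    else
        mkdir -p "$1/etc/microcode_ctl/ucode_with_caveats"
        touch "$1/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04"
    fi
    [ -n "$1" ] && return 0
    /usr/libexec/microcode_ctl/update_ucode
    if [ -n "$2" ]; then dracut -f --kver "$2"; else dracut -f --regenerate-all; fi
}

# Usage on a live host:  . ./check-06-55-04.sh && check_kernel "" "$(uname -r)"
# With "demo" as the first argument, run the checks against the constructed sample.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CPUINFO" > "$tmp/cpuinfo"
    cpu_is_06_55_04 "$tmp/cpuinfo" && echo "sample host is a 06-55-04 CPU"
    check_kernel "$tmp" "$(uname -r)" "$tmp/cpuinfo" || echo "affected revision staged"
    rm -rf "$tmp"
fi
```

On a live host, source the script and run check_kernel "" "$(uname -r)"; a
non-zero exit status means the file staged for the late update is revision
0x2000065, the one this readme warns about.  Note that the staged and loaded
revisions legitimately differ until the late update has run or the system has
been rebooted, and that the BIOS may load a revision of its own before the OS
does, so the loaded value is the authoritative one for the running CPU.
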
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.