7826d1
Intel Skylake Scalable Platform CPU models that belong to Workstation and HEDT
7826d1
(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports
7826d1
of system hangs on reboot when revision 0x2000065 of microcode, that was included
7826d1
from microcode-20191112 update up to microcode-20200520 update, was applied[1].
7826d1
In order to address this, microcode update to the newer revision had been
7826d1
disabled by default on these systems, and the previously published microcode
7826d1
revision 0x2000064 is used by default for the OS-driven microcode update.
7826d1
7826d1
Since revision 0x2006906 (included with the microcode-20200609 release)
7826d1
it is reported that the issue is no longer present, so the newer microcode
7826d1
revision is enabled by default now (but can be disabled explicitly; see below).
7826d1
7826d1
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
7826d1
7826d1
For the reference, SHA1 checksums of 06-55-04 microcode files containing
7826d1
microcode revisions in question are listed below:
7826d1
 * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
7826d1
 * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
7826d1
 * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
7826d1
 * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
7826d1
 * 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
7826d1
 * 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
08aaff
 * 06-55-04, revision 0x2006c0a: 76b641375d136c08f5feb46aacebee40468ac085
27ee4a
 * 06-55-04, revision 0x2006d05: dc4207cf4eb916ff34acbdddc474db0df781234f
dd8597
 * 06-55-04, revision 0x2006e05: bc67d247ad1c9a834bec5e452606db1381d6bc7e
7826d1
7826d1
Please contact your system vendor for a BIOS/firmware update that contains
7826d1
the latest microcode version.  For the information regarding microcode versions
7826d1
required for mitigating specific side-channel cache attacks, please refer
7826d1
to the following knowledge base articles:
7826d1
 * CVE-2017-5715 ("Spectre"):
7826d1
   https://access.redhat.com/articles/3436091
7826d1
 * CVE-2018-3639 ("Speculative Store Bypass"):
7826d1
   https://access.redhat.com/articles/3540901
7826d1
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
7826d1
   https://access.redhat.com/articles/3562741
7826d1
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
7826d1
   ("Microarchitectural Data Sampling"):
7826d1
   https://access.redhat.com/articles/4138151
7826d1
 * CVE-2019-0117 (Intel SGX Information Leak),
7826d1
   CVE-2019-0123 (Intel SGX Privilege Escalation),
7826d1
   CVE-2019-11135 (TSX Asynchronous Abort),
7826d1
   CVE-2019-11139 (Voltage Setting Modulation):
7826d1
   https://access.redhat.com/solutions/2019-microcode-nov
7826d1
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
7826d1
   CVE-2020-0548 (Vector Register Data Sampling),
7826d1
   CVE-2020-0549 (L1D Cache Eviction Sampling):
7826d1
   https://access.redhat.com/solutions/5142751
7826d1
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
7826d1
   CVE-2020-8696 (Vector Register Leakage-Active),
7826d1
   CVE-2020-8698 (Fast Forward Store Predictor):
7826d1
   https://access.redhat.com/articles/5569051
7826d1
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
7826d1
   CVE-2020-24511 (Improper Isolation of Shared Resources),
7826d1
   CVE-2020-24512 (Observable Timing Discrepancy),
7826d1
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
7826d1
   https://access.redhat.com/articles/6101171
08aaff
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
08aaff
   https://access.redhat.com/articles/6716541
27ee4a
 * CVE-2022-0005 (Informational disclosure via JTAG),
27ee4a
   CVE-2022-21123 (Shared Buffers Data Read),
27ee4a
   CVE-2022-21125 (Shared Buffers Data Sampling),
27ee4a
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
27ee4a
   CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
27ee4a
   CVE-2022-21136 (Overclocking service access protection),
27ee4a
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
27ee4a
   CVE-2022-21166 (Device Register Partial Write):
27ee4a
   https://access.redhat.com/articles/6963124
dd8597
 * CVE-2022-21233 (Stale Data Read from legacy xAPIC):
dd8597
   https://access.redhat.com/articles/6976398
7826d1
7826d1
The information regarding disabling microcode update is provided below.
7826d1
7826d1
To disable usage of the newer microcode revision for a specific kernel
7826d1
version, please create a file "disallow-intel-06-55-04" inside
7826d1
/lib/firmware/<kernel_version> directory, run
7826d1
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
7826d1
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
7826d1
so initramfs for this kernel version is regenerated, for example:
7826d1
7826d1
    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04
7826d1
    /usr/libexec/microcode_ctl/update_ucode
7826d1
    dracut -f --kver 3.10.0-862.9.1
7826d1
7826d1
To disable usage of the newer microcode revision for all kernels, please create
7826d1
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run
7826d1
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
7826d1
used for late microcode updates, and run "dracut -f --regenerate-all"
7826d1
so initramfs images get regenerated, for example:
7826d1
7826d1
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
7826d1
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04
7826d1
    /usr/libexec/microcode_ctl/update_ucode
7826d1
    dracut -f --regenerate-all
7826d1
7826d1
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
7826d1
information.