Blame SOURCES/06-55-04_readme

3a6b56
Intel Skulake Scalable Platform CPU models that belong to Workstation and HEDT
3a6b56
(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) have reports
3a6b56
of system hangs on reboot when revision 0x2000065 of microcode, that is included
3a6b56
since microcode-20191112 update, is applied[1].  In order to address this,
3a6b56
microcode update to this revision has been disabled by default on these systems,
078ac8
and the previously published microcode revision 0x2000064 is used by default
078ac8
for the OS-driven microcode update.
078ac8
3a6b56
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
3a6b56
078ac8
For the reference, SHA1 checksums of 06-55-04 microcode files containing
078ac8
microcode revisions in question are listed below:
078ac8
 * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
078ac8
 * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
078ac8
078ac8
Please contact your system vendor for a BIOS/firmware update that contains
078ac8
the latest microcode version.  For the information regarding microcode versions
078ac8
required for mitigating specific side-channel cache attacks, please refer
078ac8
to the following knowledge base articles:
078ac8
 * CVE-2017-5715 ("Spectre"):
078ac8
   https://access.redhat.com/articles/3436091
078ac8
 * CVE-2018-3639 ("Speculative Store Bypass"):
078ac8
   https://access.redhat.com/articles/3540901
078ac8
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
078ac8
   https://access.redhat.com/articles/3562741
078ac8
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
078ac8
   ("Microarchitectural Data Sampling"):
078ac8
   https://access.redhat.com/articles/4138151
078ac8
 * CVE-2019-0117 (Intel SGX Information Leak),
078ac8
   CVE-2019-0123 (Intel SGX Privilege Escalation),
078ac8
   CVE-2019-11135 (TSX Asynchronous Abort),
078ac8
   CVE-2019-11139 (Voltage Setting Modulation):
078ac8
   https://access.redhat.com/solutions/2019-microcode-nov
078ac8
078ac8
The information regarding enforcing microcode update is provided below.
078ac8
078ac8
To enforce usage of the 0x2000065 microcode revision for a specific kernel
078ac8
version, please create a file "force-intel-06-55-04" inside
078ac8
/lib/firmware/<kernel_version> directory, run
078ac8
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
078ac8
where microcode will be available for late microcode update, and run
078ac8
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
078ac8
is regenerated and the microcode can be loaded early, for example:
078ac8
078ac8
    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-04
078ac8
    /usr/libexec/microcode_ctl/update_ucode
078ac8
    dracut -f --kver 3.10.0-862.9.1
078ac8
078ac8
After that, it is possible to perform a late microcode update by executing
078ac8
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
078ac8
"/sys/devices/system/cpu/microcode/reload" directly.
078ac8
078ac8
To enforce addition of this microcode for all kernels, please create file
078ac8
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04", run
078ac8
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
078ac8
and "dracut -f --regenerate-all" for enabling early microcode updates:
078ac8
078ac8
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
078ac8
    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-04
078ac8
    /usr/libexec/microcode_ctl/update_ucode
078ac8
    dracut -f --regenerate-all
078ac8
078ac8
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
078ac8
information.