Blame SOURCES/06-5e-03_readme

Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) had reports of possible system hangs when microcode revision 0xdc,
included in the microcode-20200609 update to address CVE-2020-0543,
CVE-2020-0548, and CVE-2020-0549, was applied[1].  In order to address this,
microcode updates to the newer revision had been disabled by default on these
systems, and the previously published microcode revision 0xd6 was used by
default for the OS-driven microcode update.  Revision 0xea seems[2] to have
fixed the aforementioned issue, hence it is enabled by default (but can be
disabled explicitly; see below).

[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014

For reference, SHA1 checksums of the 06-5e-03 microcode files containing
the microcode revisions in question are listed below.  They identify which
revision a given 06-5e-03 file carries (for example via "sha1sum" on the file);
a matching checksum says nothing about whether that revision should be loaded
on a particular host.

 * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a
 * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7
 * 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c
 * 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8
 * 06-5e-03, revision 0xec: 6458bf25da4906479a01ffdcaa6d466e22722e01
 * 06-5e-03, revision 0xf0: 0683706bbbf470abbdad4b9923aa9647bfec9616

Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version.  For information about the microcode versions
required to mitigate specific CPU vulnerabilities (mostly speculative-execution
side channels), please refer to the following knowledge base articles:

 * CVE-2017-5715 ("Spectre"):
   https://access.redhat.com/articles/3436091
 * CVE-2018-3639 ("Speculative Store Bypass"):
   https://access.redhat.com/articles/3540901
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
   https://access.redhat.com/articles/3562741
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
   ("Microarchitectural Data Sampling"):
   https://access.redhat.com/articles/4138151
 * CVE-2019-0117 (Intel SGX Information Leak),
   CVE-2019-0123 (Intel SGX Privilege Escalation),
   CVE-2019-11135 (TSX Asynchronous Abort),
   CVE-2019-11139 (Voltage Setting Modulation):
   https://access.redhat.com/solutions/2019-microcode-nov
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
   CVE-2020-0548 (Vector Register Data Sampling),
   CVE-2020-0549 (L1D Cache Eviction Sampling):
   https://access.redhat.com/solutions/5142751
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
   CVE-2020-8696 (Vector Register Leakage-Active),
   CVE-2020-8698 (Fast Forward Store Predictor):
   https://access.redhat.com/articles/5569051
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
   CVE-2020-24511 (Improper Isolation of Shared Resources),
   CVE-2020-24512 (Observable Timing Discrepancy),
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
   https://access.redhat.com/articles/6101171
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
   https://access.redhat.com/articles/6716541
 * CVE-2022-0005 (Informational disclosure via JTAG),
   CVE-2022-21123 (Shared Buffers Data Read),
   CVE-2022-21125 (Shared Buffers Data Sampling),
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
   CVE-2022-21166 (Device Register Partial Write):
   https://access.redhat.com/articles/6963124

The information regarding disabling the microcode update is provided below.

To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
version, create a file "disallow-intel-06-5e-03" inside the
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to remove that revision from the
firmware directory where microcode is made available for late microcode
updates, and run "dracut -f --kver <kernel_version>" so that the initramfs for
this kernel version (used for early microcode updates) is regenerated, for
example:

    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --kver 3.10.0-862.9.1

To avoid addition of the latest microcode for all kernels, create the file
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --regenerate-all

In either case, microcode already applied to the running CPUs is not
downgraded; the older revision takes effect on the next boot, and the revision
currently in effect can be checked in the "microcode" field of /proc/cpuinfo.
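
The following helper script is an added example and is not part of
microcode_ctl or of this README.  It wraps the two opt-out procedures above in
functions, and adds the checks a practitioner would want before running them:
that the host really is an 06-5e-03 system (signature derived from the
family/model/stepping fields of /proc/cpuinfo), which microcode revision the
running kernel reports, and which of the revisions listed above a given
microcode file is (matched against the README's SHA1 checksums).  The function
names, the DRY_RUN and CPUINFO variables, and the sample cpuinfo text are this
example's own inventions; the commands it runs are the README's own.  Without
DRY_RUN=1 it runs them for real and needs root.

```shell
#!/bin/sh
# Added example (not microcode_ctl code): checks and wrappers around the
# README's disallow-intel-06-5e-03 procedure.  Function names, DRY_RUN and
# CPUINFO are inventions of this example.

# Turn decimal family/model/stepping (as /proc/cpuinfo prints them) into the
# two-digit hex signature used in microcode file names: 6 94 3 -> 06-5e-03.
ucode_sig() {
    printf '%02x-%02x-%02x\n' "$1" "$2" "$3"
}

# Read /proc/cpuinfo-style text on stdin and print the signature of the first
# CPU.  The "model name" line does not match the "model" pattern because the
# pattern requires only whitespace between the field name and the colon.
sig_from_cpuinfo() {
    awk -F: '
        /^cpu family[[:space:]]*:/ { f = $2 + 0 }
        /^model[[:space:]]*:/      { m = $2 + 0 }
        /^stepping[[:space:]]*:/   { printf "%02x-%02x-%02x\n", f, m, $2 + 0; exit }
    '
}

# Print the microcode revision (e.g. 0xea) reported for the first CPU on stdin.
rev_from_cpuinfo() {
    awk -F: '/^microcode[[:space:]]*:/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# Map a SHA1 checksum to the 06-5e-03 revision listed in this README; fails on
# an unknown checksum so callers do not act on a file that is not one of these.
rev_for_sha1() {
    case "$1" in
        86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a) echo 0xd6 ;;
        5e1020a10678cfc60980131c3d3a2cfd462b4dd7) echo 0xdc ;;
        031e6e148b590d1c9cfdb6677539eeb4899e831c) echo 0xe2 ;;
        e6c37056a849fd281f2fdb975361a914e07b86c8) echo 0xea ;;
        6458bf25da4906479a01ffdcaa6d466e22722e01) echo 0xec ;;
        0683706bbbf470abbdad4b9923aa9647bfec9616) echo 0xf0 ;;
        *) return 1 ;;
    esac
}

# Identify a microcode file on disk by its SHA1; prints the revision or fails.
rev_for_file() {
    rev_for_sha1 "$(sha1sum "$1" | cut -d' ' -f1)"
}

# Run a command, or just print it when DRY_RUN=1 (safe on a non-affected host).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# The README's per-kernel opt-out: disallow file, late-update refresh, initramfs.
disallow_for_kernel() {
    kver="$1"
    run touch "/lib/firmware/$kver/disallow-intel-06-5e-03"
    run /usr/libexec/microcode_ctl/update_ucode
    run dracut -f --kver "$kver"
}

# The README's all-kernels opt-out.
disallow_for_all_kernels() {
    run mkdir -p /etc/microcode_ctl/ucode_with_caveats
    run touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
    run /usr/libexec/microcode_ctl/update_ucode
    run dracut -f --regenerate-all
}

# Refuse to touch a host that is not 06-5e-03; reports signature and revision
# first so the operator sees what is currently in effect.
disallow_if_affected() {
    cpuinfo="${CPUINFO:-/proc/cpuinfo}"
    sig=$(sig_from_cpuinfo < "$cpuinfo")
    rev=$(rev_from_cpuinfo < "$cpuinfo")
    echo "signature $sig, running microcode revision $rev"
    if [ "$sig" != 06-5e-03 ]; then
        echo "not an 06-5e-03 system; nothing to do" >&2
        return 1
    fi
    disallow_for_kernel "$1"
}

# Constructed sample in the shape of /proc/cpuinfo (not captured from a host).
SAMPLE_CPUINFO='processor   : 0
cpu family  : 6
model       : 94
model name  : constructed sample
stepping    : 3
microcode   : 0xd6'
```

Usage on a real host: `DRY_RUN=1 sh -c '. ./ucode-check.sh; disallow_if_affected $(uname -r)'`
prints the commands that would run; drop DRY_RUN=1 to execute them.  The
revision reported by rev_from_cpuinfo is the one applied to the running CPU,
which a later opt-out does not change until reboot.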

Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.