Blame SOURCES/06-5e-03_readme

27aa66
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
b9f9de
stepping 3) had reports of possible system hangs when revision 0xdc
27aa66
of microcode, that is included in microcode-20200609 update to address
b9f9de
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1].  In order
b9f9de
to address this, microcode updates to the newer revision had been disabled
27aa66
by default on these systems, and the previously published microcode revision
b9f9de
0xd6 was used by default for the OS-driven microcode update.  The revision
b9f9de
0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
b9f9de
by default (but can be disabled explicitly; see below).
27aa66
27aa66
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
b9f9de
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
27aa66
da1320
For the reference, SHA1 checksums of 06-5e-03 microcode files containing
27aa66
microcode revisions in question are listed below:
27aa66
 * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a
27aa66
 * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7
da1320
 * 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c
2c8f3d
 * 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8
27aa66
27aa66
Please contact your system vendor for a BIOS/firmware update that contains
27aa66
the latest microcode version.  For the information regarding microcode versions
27aa66
required for mitigating specific side-channel cache attacks, please refer
27aa66
to the following knowledge base articles:
27aa66
 * CVE-2017-5715 ("Spectre"):
27aa66
   https://access.redhat.com/articles/3436091
27aa66
 * CVE-2018-3639 ("Speculative Store Bypass"):
27aa66
   https://access.redhat.com/articles/3540901
27aa66
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
27aa66
   https://access.redhat.com/articles/3562741
27aa66
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
27aa66
   ("Microarchitectural Data Sampling"):
27aa66
   https://access.redhat.com/articles/4138151
27aa66
 * CVE-2019-0117 (Intel SGX Information Leak),
27aa66
   CVE-2019-0123 (Intel SGX Privilege Escalation),
27aa66
   CVE-2019-11135 (TSX Asynchronous Abort),
27aa66
   CVE-2019-11139 (Voltage Setting Modulation):
27aa66
   https://access.redhat.com/solutions/2019-microcode-nov
27aa66
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
27aa66
   CVE-2020-0548 (Vector Register Data Sampling),
27aa66
   CVE-2020-0549 (L1D Cache Eviction Sampling):
27aa66
   https://access.redhat.com/solutions/5142751
3bf6c4
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
3bf6c4
   CVE-2020-8696 (Vector Register Leakage-Active),
3bf6c4
   CVE-2020-8698 (Fast Forward Store Predictor):
3bf6c4
   https://access.redhat.com/articles/5569051
b9f9de
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
b9f9de
   CVE-2020-24511 (Improper Isolation of Shared Resources),
b9f9de
   CVE-2020-24512 (Observable Timing Discrepancy),
b9f9de
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
b9f9de
   https://access.redhat.com/articles/6101171
27aa66
b9f9de
The information regarding disabling microcode update is provided below.
27aa66
b9f9de
To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
b9f9de
version, please create a file "disallow-intel-06-5e-03" inside
27aa66
/lib/firmware/<kernel_version> directory, run
b9f9de
"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
b9f9de
where microcode is available for late microcode update, and run
27aa66
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
b9f9de
is regenerated, for example:
27aa66
b9f9de
    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
27aa66
    /usr/libexec/microcode_ctl/update_ucode
27aa66
    dracut -f --kver 3.10.0-862.9.1
27aa66
b9f9de
To avoid  addition of the latest microcode for all kernels, please create file
b9f9de
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
b9f9de
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
b9f9de
and "dracut -f --regenerate-all" for early microcode updates:
27aa66
27aa66
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
b9f9de
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
27aa66
    /usr/libexec/microcode_ctl/update_ucode
27aa66
    dracut -f --regenerate-all
27aa66
27aa66
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
27aa66
information.