Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) had reports of possible system hangs when revision 0xdc
of microcode, which is included in the microcode-20200609 update to address
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1].  In order
to address this, microcode updates to the newer revision were disabled
by default on these systems, and the previously published microcode revision
0xd6 was used by default for the OS-driven microcode update.  Revision
0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).

[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014

For reference, SHA1 checksums of the 06-5e-03 microcode files containing
the microcode revisions in question are listed below:
 * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a
 * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7
 * 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c
 * 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8
 * 06-5e-03, revision 0xec: 6458bf25da4906479a01ffdcaa6d466e22722e01
 * 06-5e-03, revision 0xf0: 0683706bbbf470abbdad4b9923aa9647bfec9616

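As an added example (not part of microcode_ctl or this README), the following POSIX shell functions tell an administrator whether a host is an affected 06-5e-03 system, which microcode revision is currently loaded, and which of the revisions listed above a given firmware file contains, by comparing its SHA1 against the table. The cpuinfo text at the bottom is a constructed sample; the firmware file path is passed in rather than assumed.

```shell
#!/bin/sh
# Added example, not part of microcode_ctl. Identifies affected 06-5e-03
# (family 6, model 94, stepping 3) hosts and maps a microcode file to one of
# the revisions listed in this README via its SHA1 checksum.

# Map a SHA1 digest to the revision listed above; "unknown" otherwise.
revision_for_sha1() {
    case "$1" in
        86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a) echo 0xd6 ;;
        5e1020a10678cfc60980131c3d3a2cfd462b4dd7) echo 0xdc ;;
        031e6e148b590d1c9cfdb6677539eeb4899e831c) echo 0xe2 ;;
        e6c37056a849fd281f2fdb975361a914e07b86c8) echo 0xea ;;
        6458bf25da4906479a01ffdcaa6d466e22722e01) echo 0xec ;;
        0683706bbbf470abbdad4b9923aa9647bfec9616) echo 0xf0 ;;
        *) echo unknown ;;
    esac
}

# Read /proc/cpuinfo-style text on stdin. Prints "affected <loaded-rev>" when
# the first processor is family 6, model 94, stepping 3, else "not-affected".
cpu_status() {
    awk -F: '
        /^processor/  { n++ }
        n > 1         { exit }          # first processor entry is enough
        /^cpu family/ { fam = $2 + 0 }
        /^model[ \t]*:/ { mod = $2 + 0 }  # does not match "model name"
        /^stepping/   { step = $2 + 0 }
        /^microcode/  { gsub(/[ \t]/, "", $2); rev = $2 }
        END {
            if (fam == 6 && mod == 94 && step == 3) print "affected " rev
            else print "not-affected"
        }'
}

# Report the revision contained in a microcode file given as $1
# (for example /lib/firmware/intel-ucode/06-5e-03 on the running host).
file_revision() {
    [ -r "$1" ] || { echo unknown; return 1; }
    revision_for_sha1 "$(sha1sum "$1" | cut -d' ' -f1)"
}

# Constructed sample of the relevant /proc/cpuinfo fields for one core.
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 94
model name	: constructed-sample
stepping	: 3
microcode	: 0xdc
'

printf '%s' "$SAMPLE_CPUINFO" | cpu_status   # prints "affected 0xdc"
```

On a real host, feed `/proc/cpuinfo` to `cpu_status` and pass the installed `06-5e-03` file to `file_revision`; a result of `affected 0xdc` is the combination the first paragraph describes.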
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version.  For information regarding the microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
 * CVE-2017-5715 ("Spectre"):
   https://access.redhat.com/articles/3436091
 * CVE-2018-3639 ("Speculative Store Bypass"):
   https://access.redhat.com/articles/3540901
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
   https://access.redhat.com/articles/3562741
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
   ("Microarchitectural Data Sampling"):
   https://access.redhat.com/articles/4138151
 * CVE-2019-0117 (Intel SGX Information Leak),
   CVE-2019-0123 (Intel SGX Privilege Escalation),
   CVE-2019-11135 (TSX Asynchronous Abort),
   CVE-2019-11139 (Voltage Setting Modulation):
   https://access.redhat.com/solutions/2019-microcode-nov
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
   CVE-2020-0548 (Vector Register Data Sampling),
   CVE-2020-0549 (L1D Cache Eviction Sampling):
   https://access.redhat.com/solutions/5142751
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
   CVE-2020-8696 (Vector Register Leakage-Active),
   CVE-2020-8698 (Fast Forward Store Predictor):
   https://access.redhat.com/articles/5569051
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
   CVE-2020-24511 (Improper Isolation of Shared Resources),
   CVE-2020-24512 (Observable Timing Discrepancy),
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
   https://access.redhat.com/articles/6101171
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
   https://access.redhat.com/articles/6716541
 * CVE-2022-0005 (Informational disclosure via JTAG),
   CVE-2022-21123 (Shared Buffers Data Read),
   CVE-2022-21125 (Shared Buffers Data Sampling),
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
   CVE-2022-21166 (Device Register Partial Write):
   https://access.redhat.com/articles/6963124

Information on disabling the microcode update is provided below.

To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
version, please create a file "disallow-intel-06-5e-03" inside the
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware directory
where microcode is available for late microcode update, and run
"dracut -f --kver <kernel_version>", so that the initramfs for this kernel version
is regenerated, for example:

    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --kver 3.10.0-862.9.1

To avoid addition of the latest microcode for all kernels, please create the file
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --regenerate-all

Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.