7826d1
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
7826d1
stepping 3) had reports of possible system hangs when revision 0xdc
7826d1
of microcode, that is included in microcode-20200609 update to address
7826d1
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1].  In order
7826d1
to address this, microcode updates to the newer revision had been disabled
7826d1
by default on these systems, and the previously published microcode revision
7826d1
0xd6 was used by default for the OS-driven microcode update.  The revision
7826d1
0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
7826d1
by default (but can be disabled explicitly; see below).
7826d1
7826d1
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
7826d1
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
7826d1
7826d1
For the reference, SHA1 checksums of 06-5e-03 microcode files containing
7826d1
microcode revisions in question are listed below:
7826d1
 * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a
7826d1
 * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7
7826d1
 * 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c
7826d1
 * 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8
08aaff
 * 06-5e-03, revision 0xec: 6458bf25da4906479a01ffdcaa6d466e22722e01
27ee4a
 * 06-5e-03, revision 0xf0: 0683706bbbf470abbdad4b9923aa9647bfec9616
7826d1
7826d1
Please contact your system vendor for a BIOS/firmware update that contains
7826d1
the latest microcode version.  For the information regarding microcode versions
7826d1
required for mitigating specific side-channel cache attacks, please refer
7826d1
to the following knowledge base articles:
7826d1
 * CVE-2017-5715 ("Spectre"):
7826d1
   https://access.redhat.com/articles/3436091
7826d1
 * CVE-2018-3639 ("Speculative Store Bypass"):
7826d1
   https://access.redhat.com/articles/3540901
7826d1
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
7826d1
   https://access.redhat.com/articles/3562741
7826d1
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
7826d1
   ("Microarchitectural Data Sampling"):
7826d1
   https://access.redhat.com/articles/4138151
7826d1
 * CVE-2019-0117 (Intel SGX Information Leak),
7826d1
   CVE-2019-0123 (Intel SGX Privilege Escalation),
7826d1
   CVE-2019-11135 (TSX Asynchronous Abort),
7826d1
   CVE-2019-11139 (Voltage Setting Modulation):
7826d1
   https://access.redhat.com/solutions/2019-microcode-nov
7826d1
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
7826d1
   CVE-2020-0548 (Vector Register Data Sampling),
7826d1
   CVE-2020-0549 (L1D Cache Eviction Sampling):
7826d1
   https://access.redhat.com/solutions/5142751
7826d1
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
7826d1
   CVE-2020-8696 (Vector Register Leakage-Active),
7826d1
   CVE-2020-8698 (Fast Forward Store Predictor):
7826d1
   https://access.redhat.com/articles/5569051
7826d1
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
7826d1
   CVE-2020-24511 (Improper Isolation of Shared Resources),
7826d1
   CVE-2020-24512 (Observable Timing Discrepancy),
7826d1
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
7826d1
   https://access.redhat.com/articles/6101171
08aaff
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
08aaff
   https://access.redhat.com/articles/6716541
27ee4a
 * CVE-2022-0005 (Informational disclosure via JTAG),
27ee4a
   CVE-2022-21123 (Shared Buffers Data Read),
27ee4a
   CVE-2022-21125 (Shared Buffers Data Sampling),
27ee4a
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
27ee4a
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
27ee4a
   CVE-2022-21166 (Device Register Partial Write):
27ee4a
   https://access.redhat.com/articles/6963124
7826d1
7826d1
The information regarding disabling microcode update is provided below.
7826d1
7826d1
To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
7826d1
version, please create a file "disallow-intel-06-5e-03" inside
7826d1
/lib/firmware/<kernel_version> directory, run
7826d1
"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
7826d1
where microcode is available for late microcode update, and run
7826d1
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
7826d1
is regenerated, for example:
7826d1
7826d1
    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
7826d1
    /usr/libexec/microcode_ctl/update_ucode
7826d1
    dracut -f --kver 3.10.0-862.9.1
7826d1
7826d1
To avoid  addition of the latest microcode for all kernels, please create file
7826d1
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
7826d1
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
7826d1
and "dracut -f --regenerate-all" for early microcode updates:
7826d1
7826d1
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
7826d1
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
7826d1
    /usr/libexec/microcode_ctl/update_ucode
7826d1
    dracut -f --regenerate-all
7826d1
7826d1
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
7826d1
information.