Blame SOURCES/06-5e-03_readme

383126
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
383126
stepping 3) had reports of possible system hangs when revision 0xdc
383126
of microcode, that is included in microcode-20200609 update to address
383126
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1].  In order
383126
to address this, microcode updates to the newer revision had been disabled
383126
by default on these systems, and the previously published microcode revision
383126
0xd6 was used by default for the OS-driven microcode update.  The revision
383126
0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
383126
by default (but can be disabled explicitly; see below).
383126
383126
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
383126
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
383126
383126
For the reference, SHA1 checksums of 06-5e-03 microcode files containing
383126
microcode revisions in question are listed below:
383126
 * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a
383126
 * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7
383126
 * 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c
383126
 * 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8
383126
 * 06-5e-03, revision 0xec: 6458bf25da4906479a01ffdcaa6d466e22722e01
e43e01
 * 06-5e-03, revision 0xf0: 0683706bbbf470abbdad4b9923aa9647bfec9616
383126
383126
Please contact your system vendor for a BIOS/firmware update that contains
383126
the latest microcode version.  For the information regarding microcode versions
383126
required for mitigating specific side-channel cache attacks, please refer
383126
to the following knowledge base articles:
383126
 * CVE-2017-5715 ("Spectre"):
383126
   https://access.redhat.com/articles/3436091
383126
 * CVE-2018-3639 ("Speculative Store Bypass"):
383126
   https://access.redhat.com/articles/3540901
383126
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
383126
   https://access.redhat.com/articles/3562741
383126
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
383126
   ("Microarchitectural Data Sampling"):
383126
   https://access.redhat.com/articles/4138151
383126
 * CVE-2019-0117 (Intel SGX Information Leak),
383126
   CVE-2019-0123 (Intel SGX Privilege Escalation),
383126
   CVE-2019-11135 (TSX Asynchronous Abort),
383126
   CVE-2019-11139 (Voltage Setting Modulation):
383126
   https://access.redhat.com/solutions/2019-microcode-nov
383126
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
383126
   CVE-2020-0548 (Vector Register Data Sampling),
383126
   CVE-2020-0549 (L1D Cache Eviction Sampling):
383126
   https://access.redhat.com/solutions/5142751
383126
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
383126
   CVE-2020-8696 (Vector Register Leakage-Active),
383126
   CVE-2020-8698 (Fast Forward Store Predictor):
383126
   https://access.redhat.com/articles/5569051
383126
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
383126
   CVE-2020-24511 (Improper Isolation of Shared Resources),
383126
   CVE-2020-24512 (Observable Timing Discrepancy),
383126
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
383126
   https://access.redhat.com/articles/6101171
383126
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
383126
   https://access.redhat.com/articles/6716541
e43e01
 * CVE-2022-0005 (Informational disclosure via JTAG),
e43e01
   CVE-2022-21123 (Shared Buffers Data Read),
e43e01
   CVE-2022-21125 (Shared Buffers Data Sampling),
e43e01
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
e43e01
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
e43e01
   CVE-2022-21166 (Device Register Partial Write):
e43e01
   https://access.redhat.com/articles/6963124
383126
383126
The information regarding disabling microcode update is provided below.
383126
383126
To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
383126
version, please create a file "disallow-intel-06-5e-03" inside
383126
/lib/firmware/<kernel_version> directory, run
383126
"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
383126
where microcode is available for late microcode update, and run
383126
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
383126
is regenerated, for example:
383126
383126
    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
383126
    /usr/libexec/microcode_ctl/update_ucode
383126
    dracut -f --kver 3.10.0-862.9.1
383126
383126
To avoid  addition of the latest microcode for all kernels, please create file
383126
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
383126
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
383126
and "dracut -f --regenerate-all" for early microcode updates:
383126
383126
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
383126
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
383126
    /usr/libexec/microcode_ctl/update_ucode
383126
    dracut -f --regenerate-all
383126
383126
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
383126
information.