Blame SOURCES/06-5e-03_readme

81200a
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
fe8809
stepping 3) had reports of possible system hangs when revision 0xdc
81200a
of microcode, that is included in microcode-20200609 update to address
fe8809
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1].  In order
fe8809
to address this, microcode updates to the newer revision had been disabled
81200a
by default on these systems, and the previously published microcode revision
fe8809
0xd6 was used by default for the OS-driven microcode update.  The revision
fe8809
0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
fe8809
by default (but can be disabled explicitly; see below).
81200a
81200a
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
fe8809
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
81200a
c56524
For the reference, SHA1 checksums of 06-5e-03 microcode files containing
81200a
microcode revisions in question are listed below:
81200a
 * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a
81200a
 * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7
c56524
 * 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c
fe8809
 * 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8
81200a
81200a
Please contact your system vendor for a BIOS/firmware update that contains
81200a
the latest microcode version.  For the information regarding microcode versions
81200a
required for mitigating specific side-channel cache attacks, please refer
81200a
to the following knowledge base articles:
81200a
 * CVE-2017-5715 ("Spectre"):
81200a
   https://access.redhat.com/articles/3436091
81200a
 * CVE-2018-3639 ("Speculative Store Bypass"):
81200a
   https://access.redhat.com/articles/3540901
81200a
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
81200a
   https://access.redhat.com/articles/3562741
81200a
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
81200a
   ("Microarchitectural Data Sampling"):
81200a
   https://access.redhat.com/articles/4138151
81200a
 * CVE-2019-0117 (Intel SGX Information Leak),
81200a
   CVE-2019-0123 (Intel SGX Privilege Escalation),
81200a
   CVE-2019-11135 (TSX Asynchronous Abort),
81200a
   CVE-2019-11139 (Voltage Setting Modulation):
81200a
   https://access.redhat.com/solutions/2019-microcode-nov
81200a
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
81200a
   CVE-2020-0548 (Vector Register Data Sampling),
81200a
   CVE-2020-0549 (L1D Cache Eviction Sampling):
81200a
   https://access.redhat.com/solutions/5142751
c56524
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
c56524
   CVE-2020-8696 (Vector Register Leakage-Active),
c56524
   CVE-2020-8698 (Fast Forward Store Predictor):
c56524
   https://access.redhat.com/articles/5569051
fe8809
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
fe8809
   CVE-2020-24511 (Improper Isolation of Shared Resources),
fe8809
   CVE-2020-24512 (Observable Timing Discrepancy),
fe8809
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
fe8809
   https://access.redhat.com/articles/6101171
81200a
fe8809
The information regarding disabling microcode update is provided below.
81200a
fe8809
To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
fe8809
version, please create a file "disallow-intel-06-5e-03" inside
81200a
/lib/firmware/<kernel_version> directory, run
fe8809
"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
fe8809
where microcode is available for late microcode update, and run
81200a
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
fe8809
is regenerated, for example:
81200a
fe8809
    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
81200a
    /usr/libexec/microcode_ctl/update_ucode
81200a
    dracut -f --kver 3.10.0-862.9.1
81200a
fe8809
To avoid  addition of the latest microcode for all kernels, please create file
fe8809
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
fe8809
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
fe8809
and "dracut -f --regenerate-all" for early microcode updates:
81200a
81200a
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
fe8809
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
81200a
    /usr/libexec/microcode_ctl/update_ucode
81200a
    dracut -f --regenerate-all
81200a
81200a
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
81200a
information.