Blame SOURCES/06-8c-01_readme

7826d1
Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
7826d1
had reports of system hangs when a microcode update, that was included
7826d1
since microcode-20201110 update, was applied[1].  In order to address this,
7826d1
microcode update had been disabled by default on these systems.  The revision
7826d1
0x88 seems to have fixed the aforementioned issue, hence it is enabled
7826d1
by default (but can be disabled explicitly; see below).
7826d1
7826d1
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
7826d1
7826d1
For the reference, SHA1 checksums of 06-8c-01 microcode files containing
7826d1
microcode revisions in question are listed below:
7826d1
 * 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04
7826d1
 * 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
08aaff
 * 06-8c-01, revision 0x9a: 48b3ae8d27d8138b5b47052d2f8184bf555ad18e
27ee4a
 * 06-8c-01, revision 0xa4: 70753f54f5be84376bdebeb710595e4dc2f6d92f
7826d1
7826d1
Please contact your system vendor for a BIOS/firmware update that contains
7826d1
the latest microcode version.  For the information regarding microcode versions
7826d1
required for mitigating specific side-channel cache attacks, please refer
7826d1
to the following knowledge base articles:
7826d1
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
7826d1
   CVE-2020-8696 (Vector Register Leakage-Active),
7826d1
   CVE-2020-8698 (Fast Forward Store Predictor):
7826d1
   https://access.redhat.com/articles/5569051
7826d1
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
7826d1
   CVE-2020-24511 (Improper Isolation of Shared Resources),
7826d1
   CVE-2020-24512 (Observable Timing Discrepancy),
7826d1
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
7826d1
   https://access.redhat.com/articles/6101171
08aaff
 * CVE-2021-0145 (Fast store forward predictor - Cross Domain Training):
08aaff
   https://access.redhat.com/articles/6716541
27ee4a
 * CVE-2022-21123 (Shared Buffers Data Read):
27ee4a
   https://access.redhat.com/articles/6963124
7826d1
7826d1
The information regarding disabling microcode update is provided below.
7826d1
7826d1
To disable 06-8c-01 microcode updates for a specific kernel
7826d1
version, please create a file "disallow-intel-06-8c-01" inside
7826d1
/lib/firmware/<kernel_version> directory, run
7826d1
"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
7826d1
directory where microcode is available for late microcode update, and run
7826d1
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
7826d1
is regenerated, for example:
7826d1
7826d1
    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
7826d1
    /usr/libexec/microcode_ctl/update_ucode
7826d1
    dracut -f --kver 3.10.0-862.9.1
7826d1
7826d1
To avoid addition of this microcode for all kernels, please create file
7826d1
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
7826d1
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
7826d1
and "dracut -f --regenerate-all" for early microcode updates:
7826d1
7826d1
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
7826d1
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
7826d1
    /usr/libexec/microcode_ctl/update_ucode
7826d1
    dracut -f --regenerate-all
7826d1
7826d1
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
7826d1
information.