Blame SOURCES/06-8c-01_readme

96af4f
Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
ca7245
had reports of system hangs when a microcode update, that was included
ca7245
since microcode-20201110 update, was applied[1].  In order to address this,
ca7245
microcode update had been disabled by default on these systems.  The revision
ca7245
0x88 seems to have fixed the aforementioned issue, hence it is enabled
ca7245
by default (but can be disabled explicitly; see below).
96af4f
96af4f
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
96af4f
5532bf
For the reference, SHA1 checksums of 06-8c-01 microcode files containing
5532bf
microcode revisions in question are listed below:
5532bf
 * 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04
5532bf
 * 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
ea88b1
 * 06-8c-01, revision 0x9a: 48b3ae8d27d8138b5b47052d2f8184bf555ad18e
5532bf
96af4f
Please contact your system vendor for a BIOS/firmware update that contains
ca7245
the latest microcode version.  For the information regarding microcode versions
ca7245
required for mitigating specific side-channel cache attacks, please refer
ca7245
to the following knowledge base articles:
ca7245
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
ca7245
   CVE-2020-8696 (Vector Register Leakage-Active),
ca7245
   CVE-2020-8698 (Fast Forward Store Predictor):
ca7245
   https://access.redhat.com/articles/5569051
ca7245
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
ca7245
   CVE-2020-24511 (Improper Isolation of Shared Resources),
ca7245
   CVE-2020-24512 (Observable Timing Discrepancy),
ca7245
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
ca7245
   https://access.redhat.com/articles/6101171
548685
 * CVE-2021-0145 (Fast store forward predictor - Cross Domain Training):
548685
   https://access.redhat.com/articles/6716541
ca7245
ca7245
The information regarding disabling microcode update is provided below.
ca7245
ca7245
To disable 06-8c-01 microcode updates for a specific kernel
ca7245
version, please create a file "disallow-intel-06-8c-01" inside
96af4f
/lib/firmware/<kernel_version> directory, run
ca7245
"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
ca7245
directory where microcode is available for late microcode update, and run
96af4f
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
ca7245
is regenerated, for example:
96af4f
ca7245
    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
96af4f
    /usr/libexec/microcode_ctl/update_ucode
96af4f
    dracut -f --kver 3.10.0-862.9.1
96af4f
ca7245
To avoid addition of this microcode for all kernels, please create file
ca7245
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
ca7245
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
ca7245
and "dracut -f --regenerate-all" for early microcode updates:
96af4f
96af4f
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
ca7245
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
96af4f
    /usr/libexec/microcode_ctl/update_ucode
96af4f
    dracut -f --regenerate-all
96af4f
96af4f
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
96af4f
information.