3bf6c4
Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
b9f9de
had reports of system hangs when a microcode update, that was included
b9f9de
since microcode-20201110 update, was applied[1].  In order to address this,
b9f9de
microcode update had been disabled by default on these systems.  The revision
b9f9de
0x88 seems to have fixed the aforementioned issue, hence it is enabled
b9f9de
by default (but can be disabled explicitly; see below).
3bf6c4
3bf6c4
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
3bf6c4
2c8f3d
For the reference, SHA1 checksums of 06-8c-01 microcode files containing
2c8f3d
microcode revisions in question are listed below:
2c8f3d
 * 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04
2c8f3d
 * 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
79687e
 * 06-8c-01, revision 0x9a: 48b3ae8d27d8138b5b47052d2f8184bf555ad18e
d205e1
 * 06-8c-01, revision 0xa4: 70753f54f5be84376bdebeb710595e4dc2f6d92f
2c8f3d
3bf6c4
Please contact your system vendor for a BIOS/firmware update that contains
b9f9de
the latest microcode version.  For the information regarding microcode versions
b9f9de
required for mitigating specific side-channel cache attacks, please refer
b9f9de
to the following knowledge base articles:
b9f9de
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
b9f9de
   CVE-2020-8696 (Vector Register Leakage-Active),
b9f9de
   CVE-2020-8698 (Fast Forward Store Predictor):
b9f9de
   https://access.redhat.com/articles/5569051
b9f9de
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
b9f9de
   CVE-2020-24511 (Improper Isolation of Shared Resources),
b9f9de
   CVE-2020-24512 (Observable Timing Discrepancy),
b9f9de
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
b9f9de
   https://access.redhat.com/articles/6101171
79687e
 * CVE-2021-0145 (Fast store forward predictor - Cross Domain Training):
79687e
   https://access.redhat.com/articles/6716541
d205e1
 * CVE-2022-21123 (Shared Buffers Data Read):
d205e1
   https://access.redhat.com/articles/6963124
b9f9de
b9f9de
The information regarding disabling microcode update is provided below.
b9f9de
b9f9de
To disable 06-8c-01 microcode updates for a specific kernel
b9f9de
version, please create a file "disallow-intel-06-8c-01" inside
3bf6c4
/lib/firmware/<kernel_version> directory, run
b9f9de
"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
b9f9de
directory where microcode is available for late microcode update, and run
3bf6c4
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
b9f9de
is regenerated, for example:
3bf6c4
b9f9de
    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
3bf6c4
    /usr/libexec/microcode_ctl/update_ucode
3bf6c4
    dracut -f --kver 3.10.0-862.9.1
3bf6c4
b9f9de
To avoid addition of this microcode for all kernels, please create file
b9f9de
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
b9f9de
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
b9f9de
and "dracut -f --regenerate-all" for early microcode updates:
3bf6c4
3bf6c4
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
b9f9de
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
3bf6c4
    /usr/libexec/microcode_ctl/update_ucode
3bf6c4
    dracut -f --regenerate-all
3bf6c4
3bf6c4
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
3bf6c4
information.