System hangs were reported on some Intel Tiger Lake-UP3/UP4 CPU models (TGL,
family 6, model 140, stepping 1) when a microcode update that had been included
since the microcode-20201110 update was applied[1].  To address this, the
microcode update was disabled by default on these systems.  Revision 0x88
seems to have fixed the aforementioned issue, hence it is enabled by default
(but can be disabled explicitly; see below).

[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44

For reference, SHA1 checksums of the 06-8c-01 microcode files containing
the microcode revisions in question are listed below:
 * 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04
 * 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
 * 06-8c-01, revision 0x9a: 48b3ae8d27d8138b5b47052d2f8184bf555ad18e
 * 06-8c-01, revision 0xa4: 70753f54f5be84376bdebeb710595e4dc2f6d92f

Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version.  For information regarding the microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
   CVE-2020-8696 (Vector Register Leakage-Active),
   CVE-2020-8698 (Fast Forward Store Predictor):
   https://access.redhat.com/articles/5569051
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
   CVE-2020-24511 (Improper Isolation of Shared Resources),
   CVE-2020-24512 (Observable Timing Discrepancy),
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
   https://access.redhat.com/articles/6101171
 * CVE-2021-0145 (Fast store forward predictor - Cross Domain Training):
   https://access.redhat.com/articles/6716541
 * CVE-2022-21123 (Shared Buffers Data Read):
   https://access.redhat.com/articles/6963124

Information on disabling the microcode update is provided below.

To disable 06-8c-01 microcode updates for a specific kernel
version, create a file "disallow-intel-06-8c-01" inside the
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to remove the microcode from the
firmware directory where it is available for late microcode update, and run
"dracut -f --kver <kernel_version>" so that the initramfs for this kernel
version is regenerated.  For example:

    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --kver 3.10.0-862.9.1

To avoid the addition of this microcode for all kernels, create the file
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and run "dracut -f --regenerate-all" for early microcode updates:

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --regenerate-all

Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.
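
The following is an added example, not part of microcode_ctl: shell helpers
for auditing a host against this caveat, using the SHA1 list, the CPU signature
and the two disallow file locations given above.  The function names are
hypothetical, and checking the all-kernels marker first is an assumption.

```sh
# Added example; function names are hypothetical, not part of microcode_ctl.

# Map the SHA1 of a 06-8c-01 file to the revision listed in this README.
revision_for_sha1() {
    case "$1" in
        2204a6dee1688980cd228268fdf4b6ed5904fe04) echo 0x68 ;;
        61b6590feb2769046d5b0c394179beaf2df51290) echo 0x88 ;;
        48b3ae8d27d8138b5b47052d2f8184bf555ad18e) echo 0x9a ;;
        70753f54f5be84376bdebeb710595e4dc2f6d92f) echo 0xa4 ;;
        *) echo unknown; return 1 ;;
    esac
}

# Hash a microcode file and report which listed revision it contains.
ucode_file_revision() {
    ufr_sum=$(sha1sum -- "$1") || return 2
    revision_for_sha1 "${ufr_sum%% *}"
}

# Succeed if the cpuinfo text (default: /proc/cpuinfo) reports
# family 6, model 140, stepping 1, i.e. signature 06-8c-01.
is_06_8c_01() {
    awk -F'[ \t]*:[ \t]*' '
        $1 == "cpu family" { f = $2 }
        $1 == "model"      { m = $2 }
        $1 == "stepping"   { s = $2 }
        END { exit !(f == 6 && m == 140 && s == 1) }
    ' "${1:-/proc/cpuinfo}"
}

# Report which disallow marker, if any, covers kernel version $1.
# $2 and $3 override the two directories so a test tree can be checked.
disallow_scope() {
    ds_fw=${2:-/lib/firmware}
    ds_etc=${3:-/etc/microcode_ctl/ucode_with_caveats}
    if [ -e "$ds_etc/disallow-intel-06-8c-01" ]; then
        echo all-kernels
    elif [ -e "$ds_fw/$1/disallow-intel-06-8c-01" ]; then
        echo "kernel:$1"
    else
        echo none
    fi
}

# Usage: is_06_8c_01 && disallow_scope "$(uname -r)"
```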