Blame SOURCES/06-8c-01_readme

501af6
Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
f9176a
had reports of system hangs when a microcode update, that was included
f9176a
since microcode-20201110 update, was applied[1].  In order to address this,
f9176a
microcode update had been disabled by default on these systems.  The revision
f9176a
0x88 seems to have fixed the aforementioned issue, hence it is enabled
f9176a
by default (but can be disabled explicitly; see below).
501af6
501af6
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
501af6
cc944f
For the reference, SHA1 checksums of 06-8c-01 microcode files containing
cc944f
microcode revisions in question are listed below:
cc944f
 * 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04
cc944f
 * 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
fc0a9b
 * 06-8c-01, revision 0x9a: 48b3ae8d27d8138b5b47052d2f8184bf555ad18e
cc944f
501af6
Please contact your system vendor for a BIOS/firmware update that contains
f9176a
the latest microcode version.  For the information regarding microcode versions
f9176a
required for mitigating specific side-channel cache attacks, please refer
f9176a
to the following knowledge base articles:
f9176a
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
f9176a
   CVE-2020-8696 (Vector Register Leakage-Active),
f9176a
   CVE-2020-8698 (Fast Forward Store Predictor):
f9176a
   https://access.redhat.com/articles/5569051
f9176a
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
f9176a
   CVE-2020-24511 (Improper Isolation of Shared Resources),
f9176a
   CVE-2020-24512 (Observable Timing Discrepancy),
f9176a
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
f9176a
   https://access.redhat.com/articles/6101171
fc0a9b
 * CVE-2021-0145 (Fast store forward predictor - Cross Domain Training):
fc0a9b
   https://access.redhat.com/articles/6716541
f9176a
f9176a
The information regarding disabling microcode update is provided below.
f9176a
f9176a
To disable 06-8c-01 microcode updates for a specific kernel
f9176a
version, please create a file "disallow-intel-06-8c-01" inside
501af6
/lib/firmware/<kernel_version> directory, run
f9176a
"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
f9176a
directory where microcode is available for late microcode update, and run
501af6
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
f9176a
is regenerated, for example:
501af6
f9176a
    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
501af6
    /usr/libexec/microcode_ctl/update_ucode
501af6
    dracut -f --kver 3.10.0-862.9.1
501af6
f9176a
To avoid addition of this microcode for all kernels, please create file
f9176a
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
f9176a
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
f9176a
and "dracut -f --regenerate-all" for early microcode updates:
501af6
501af6
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
f9176a
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
501af6
    /usr/libexec/microcode_ctl/update_ucode
501af6
    dracut -f --regenerate-all
501af6
501af6
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
501af6
information.