SOURCES/06-8c-01_readme

Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
had reports of system hangs when the microcode update that has been included
since the microcode-20201110 release was applied[1].  In order to address this,
microcode updates had been disabled by default on these systems.  Revision
0x88 seems to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).

[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44

For reference, the SHA1 checksums of the 06-8c-01 microcode files containing
the microcode revisions in question are listed below:

 * 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04
 * 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290

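The readme identifies the affected part by CPUID (family 6, model 140, stepping 1) and names 0x88 as the revision that resolves the hang. The following POSIX shell script is an added example, not part of the microcode_ctl package, that reads those fields from a /proc/cpuinfo listing and reports whether a system is a 06-8c-01 part and whether its loaded microcode revision is at least 0x88. The cpuinfo text, the function names and the status labels are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of the microcode_ctl package: decide from a
# /proc/cpuinfo listing whether the system is an Intel 06-8c-01 part
# (family 6, model 140, stepping 1) and whether the loaded microcode
# revision is at least 0x88, the revision the readme says fixes the hang.

# Constructed sample of the relevant /proc/cpuinfo fields for one logical
# CPU (a real listing repeats such a block per CPU, with tab separators).
SAMPLE_CPUINFO='vendor_id       : GenuineIntel
cpu family      : 6
model           : 140
model name      : 11th Gen Intel(R) Core(TM) (constructed sample)
stepping        : 1
microcode       : 0x68
'

# cpuinfo_field <name> <text>: print the value of the first field called <name>.
# Requiring "[[:space:]]*: " right after the name keeps "model" from
# matching the "model name" line.
cpuinfo_field() {
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*: *//p" | head -n 1
}

# is_06_8c_01 <text>: succeed if the listing describes an Intel CPU with
# family 6, model 140 (0x8c) and stepping 1.
is_06_8c_01() {
    [ "$(cpuinfo_field vendor_id "$1")" = "GenuineIntel" ] &&
    [ "$(cpuinfo_field 'cpu family' "$1")" = "6" ] &&
    [ "$(cpuinfo_field model "$1")" = "140" ] &&
    [ "$(cpuinfo_field stepping "$1")" = "1" ]
}

# microcode_status <text>: print one of
#   not-affected      the CPU is not 06-8c-01
#   unknown-revision  06-8c-01, but no microcode field was found
#   fixed-revision    06-8c-01 running microcode revision 0x88 or newer
#   pre-fix-revision  06-8c-01 running a revision older than 0x88
microcode_status() {
    if ! is_06_8c_01 "$1"; then
        echo not-affected
        return 0
    fi
    rev=$(cpuinfo_field microcode "$1")
    if [ -z "$rev" ]; then
        echo unknown-revision
        return 0
    fi
    # POSIX sh arithmetic accepts the 0x-prefixed hex shown in /proc/cpuinfo,
    # so the comparison is numeric rather than a string compare.
    if [ "$((rev))" -ge "$((0x88))" ]; then
        echo fixed-revision
    else
        echo pre-fix-revision
    fi
}

# Live usage:  microcode_status "$(cat /proc/cpuinfo)"
# The call below runs against the constructed sample instead.
microcode_status "$SAMPLE_CPUINFO"
```

On a real host, run the status function against `/proc/cpuinfo` as shown in the last comment; a result of `pre-fix-revision` means the loaded revision predates 0x88, which is the situation the readme describes as the reason updates were previously disabled by default.
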
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version.  For information regarding the microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:

 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
   CVE-2020-8696 (Vector Register Leakage-Active),
   CVE-2020-8698 (Fast Forward Store Predictor):
   https://access.redhat.com/articles/5569051
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
   CVE-2020-24511 (Improper Isolation of Shared Resources),
   CVE-2020-24512 (Observable Timing Discrepancy),
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
   https://access.redhat.com/articles/6101171

The information regarding disabling microcode updates is provided below.

To disable 06-8c-01 microcode updates for a specific kernel
version, please create a file "disallow-intel-06-8c-01" inside the
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
directory where microcode is available for late microcode update, and run
"dracut -f --kver <kernel_version>", so that the initramfs for this kernel
version is regenerated, for example:

    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --kver 3.10.0-862.9.1

To avoid addition of this microcode for all kernels, please create the file
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --regenerate-all

Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.