|
|
a5370a |
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
|
|
|
a5370a |
and system instability during or after microcode update to revision 0xc6/0xca
|
|
|
a5370a |
(included as part of microcode-20191113/microcode-20191115 update that addressed
|
|
|
a5370a |
CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139)
|
|
|
a5370a |
and/or revision 0xd6 (included as part of microcode-20200609 update
|
|
|
a5370a |
that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549)
|
|
|
a5370a |
[1][2][3][4][5][6]. In order to address this, microcode update to the newer
|
|
|
a5370a |
revision has been disabled by default on these systems, and the previously
|
|
|
a5370a |
published microcode revisions 0xae/0xb4/0xb8 are used by default
|
|
|
a5370a |
for the OS-driven microcode update.
|
|
|
a5370a |
|
|
|
a5370a |
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23
|
|
|
a5370a |
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
|
|
|
a5370a |
[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33
|
|
|
a5370a |
[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34
|
|
|
a5370a |
[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35
|
|
|
a5370a |
[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097
|
|
|
a5370a |
|
|
|
a5370a |
This caveat contains revision 0xca of 06-[89]e-0x microcode publicly released
|
|
|
a5370a |
by Intel; for the latest revision of the microcode files, please refer to caveat
|
|
|
a5370a |
06-8e-9e-0x-dell.
|
|
|
a5370a |
|
|
|
a5370a |
For the reference, microarchitectures of the affected CPU models:
|
|
|
a5370a |
* Amber Lake-Y
|
|
|
a5370a |
* Kaby Lake-G/H/S/U/Y/Xeon E3
|
|
|
a5370a |
* Coffee Lake-H/S/U/Xeon E
|
|
|
a5370a |
* Comet Lake-U 4+2
|
|
|
a5370a |
* Whiskey Lake-U
|
|
|
a5370a |
|
|
|
a5370a |
Family names of the affected CPU models:
|
|
|
a5370a |
* 7th Generation Intel® Core™ Processor Family
|
|
|
a5370a |
* 8th Generation Intel® Core™ Processor Family
|
|
|
a5370a |
* 9th Generation Intel® Core™ Processor Family
|
|
|
a5370a |
* 10th Generation Intel® Core™ Processor Family (selected models)
|
|
|
a5370a |
* Intel® Celeron® Processor G Series
|
|
|
a5370a |
* Intel® Celeron® Processor 5000 Series
|
|
|
a5370a |
* Intel® Core™ X-series Processors (i7-7740X, i5-7640X only)
|
|
|
a5370a |
* Intel® Pentium® Gold Processor Series
|
|
|
a5370a |
* Intel® Pentium® Processor Series (selected models)
|
|
|
a5370a |
* Intel® Xeon® Processor E Family
|
|
|
a5370a |
* Intel® Xeon® Processor E3 v6 Family
|
|
|
a5370a |
|
|
|
a5370a |
SHA1 checksums of the microcode files containing microcode revisions
|
|
|
a5370a |
in question:
|
|
|
a5370a |
* 06-8e-09, revision 0xb4: e253c95c29c3eef6576db851dfa069d82a91256f
|
|
|
a5370a |
* 06-8e-0a, revision 0xb4: 45bcba494be07df9eeccff9627578095a97fba4d
|
|
|
a5370a |
* 06-8e-0b, revision 0xb8: 3e54bf91d642ad81ff07fe274d0cfb5d10d09c43
|
|
|
a5370a |
* 06-8e-0c, revision 0xb8: bf635c87177d6dc4e067ec11e1caeb19d3c325f0
|
|
|
a5370a |
* 06-9e-09, revision 0xb4: 42f68eec4ddb79dd6be0c95c4ce60e514e4504b1
|
|
|
a5370a |
* 06-9e-0a, revision 0xb4: 37c7cb394dd36610b57943578343723da67d50f0
|
|
|
a5370a |
* 06-9e-0b, revision 0xb4: b5399109d0a5ce8f5fb623ff942da0322b438b95
|
|
|
a5370a |
* 06-9e-0c, revision 0xae: 131bce89e4d210de8322ffbc6bd787f1af66a7df
|
|
|
a5370a |
* 06-9e-0d, revision 0xb8: 22511b007d1df55558d115abb13a1c23ea398317
|
|
|
a5370a |
|
|
|
a5370a |
* 06-8e-09, revision 0xca: 9afa1bae40995207afef13247f114be042d88083
|
|
|
a5370a |
* 06-8e-0a, revision 0xca: 1d90291cc25e17dc6c36c764cf8c06b41fed4c16
|
|
|
a5370a |
* 06-8e-0b, revision 0xca: 3fb1246a6594eff5e2c2076c63c600d734f10777
|
|
|
a5370a |
* 06-8e-0c, revision 0xca: e871540671f59b4fa5d0d454798f09a4d412aace
|
|
|
a5370a |
* 06-9e-09, revision 0xca: b5eed11108ab7ac1e675fe75d0e7454a400ddd35
|
|
|
a5370a |
* 06-9e-0a, revision 0xca: e472304aaa2f3815a32822cb111ab3f43bf3dfe4
|
|
|
a5370a |
* 06-9e-0b, revision 0xca: 78f47c5162da680878ed057dc7c853f9737c524b
|
|
|
a5370a |
* 06-9e-0c, revision 0xca: f23848a009928796a153cb9e8f44522136969408
|
|
|
a5370a |
* 06-9e-0d, revision 0xca: c7a3d469469ee828ba9faf91b67af881fceec3b7
|
|
|
a5370a |
|
|
|
a5370a |
* 06-8e-09, revision 0xd6: 2272c621768437d20e602207752201e0966e5a8c
|
|
|
a5370a |
* 06-8e-0a, revision 0xd6: 0b145afb88e028e612f04c2a86385e7d7c3fefc4
|
|
|
a5370a |
* 06-8e-0b, revision 0xd6: c3831b05da83be54f3acc451a1bce90f75e2e9e5
|
|
|
a5370a |
* 06-8e-0c, revision 0xd6: 4b8938a93e23f4b5a2d9de40b87f6afcfdc27c05
|
|
|
a5370a |
* 06-9e-09, revision 0xd6: 4bacba8c598508e7dd4e87e179586abe7a1a987f
|
|
|
a5370a |
* 06-9e-0a, revision 0xd6: 4c236afeef9f80ff3a286698fe7cef72926722f0
|
|
|
a5370a |
* 06-9e-0b, revision 0xd6: 2f9ab9b2ba29559ce177632281d7290a24fed2ef
|
|
|
a5370a |
* 06-9e-0c, revision 0xd6: 4b9059e519bcab6085b6c103f5d99e509fe0b2bb
|
|
|
a5370a |
* 06-9e-0d, revision 0xd6: 3a3b7edfd8126bb34b761b46a32102a622047899
|
|
|
a5370a |
|
|
|
a5370a |
Please contact your system vendor for a BIOS/firmware update that contains
|
|
|
a5370a |
the latest microcode version. For the information regarding microcode versions
|
|
|
a5370a |
required for mitigating specific side-channel cache attacks, please refer
|
|
|
a5370a |
to the following knowledge base articles:
|
|
|
a5370a |
* CVE-2017-5715 ("Spectre"):
|
|
|
a5370a |
https://access.redhat.com/articles/3436091
|
|
|
a5370a |
* CVE-2018-3639 ("Speculative Store Bypass"):
|
|
|
a5370a |
https://access.redhat.com/articles/3540901
|
|
|
a5370a |
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
|
|
|
a5370a |
https://access.redhat.com/articles/3562741
|
|
|
a5370a |
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
|
|
|
a5370a |
("Microarchitectural Data Sampling"):
|
|
|
a5370a |
https://access.redhat.com/articles/4138151
|
|
|
a5370a |
* CVE-2019-0117 (Intel SGX Information Leak),
|
|
|
a5370a |
CVE-2019-0123 (Intel SGX Privilege Escalation),
|
|
|
a5370a |
CVE-2019-11135 (TSX Asynchronous Abort),
|
|
|
a5370a |
CVE-2019-11139 (Voltage Setting Modulation):
|
|
|
a5370a |
https://access.redhat.com/solutions/2019-microcode-nov
|
|
|
a5370a |
* CVE-2020-0543 (Special Register Buffer Data Sampling),
|
|
|
a5370a |
CVE-2020-0548 (Vector Register Data Sampling),
|
|
|
a5370a |
CVE-2020-0549 (L1D Cache Eviction Sampling):
|
|
|
a5370a |
https://access.redhat.com/solutions/5142751
|
|
|
a5370a |
|
|
|
a5370a |
The information regarding disabling microcode update is provided below.
|
|
|
a5370a |
|
|
|
a5370a |
To disable usage of the newer microcode revision for a specific kernel
|
|
|
a5370a |
version, please create a file "disallow-intel-06-8e-9e-0x-0xca" inside
|
|
|
a5370a |
/lib/firmware/<kernel_version> directory, run
|
|
|
a5370a |
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
|
|
|
a5370a |
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
|
|
|
a5370a |
so initramfs for this kernel version is regenerated, for example:
|
|
|
a5370a |
|
|
|
a5370a |
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8e-9e-0x-0xca
|
|
|
a5370a |
/usr/libexec/microcode_ctl/update_ucode
|
|
|
a5370a |
dracut -f --kver 3.10.0-862.9.1
|
|
|
a5370a |
|
|
|
a5370a |
To disable usage of the newer microcode revision for all kernels, please create
|
|
|
a5370a |
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0x-0xca",
|
|
|
a5370a |
run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
|
|
|
a5370a |
used for late microcode updates, and run "dracut -f --regenerate-all"
|
|
|
a5370a |
so initramfs images get regenerated, for example:
|
|
|
a5370a |
|
|
|
a5370a |
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
|
|
a5370a |
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0xca
|
|
|
a5370a |
/usr/libexec/microcode_ctl/update_ucode
|
|
|
a5370a |
dracut -f --regenerate-all
|
|
|
a5370a |
|
|
|
a5370a |
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
|
|
a5370a |
information.
|