7826d1
The microcode_ctl package contains microcode files (vendor-provided binary data
7826d1
and/or code in proprietary format that affects behaviour of a device) for Intel
7826d1
CPUs that may be loaded into the CPU during boot.
7826d1
7826d1
The microcode_ctl package contains provisions for some issues related
7826d1
to microcode loading.  While those provisions are expected to suit most users,
7826d1
several knobs are available in order to provide ability to override the default
7826d1
behaviour.
7826d1
7826d1
7826d1
General behaviour
7826d1
=================
7826d1
In RHEL 9 (as well as in RHEL 7 and RHEL 8 before it), there are currently
7826d1
two main handlers for CPU microcode update:
7826d1
 * Early microcode update. It uses GenuineIntel.bin or AuthenticAMD.bin file
7826d1
   placed at the beginning of an initramfs image
7826d1
   (/boot/initramfs-KERNEL_VERSION.img, where "KERNEL_VERSION" is a kernel
7826d1
   version in the same format as provided by "uname -r") as a source
7826d1
   of microcode data, and is performed very early during the boot process
7826d1
   (if the relevant microcode file is available in the aforementioned file).
7826d1
 * On-demand (late) microcode update. It can be triggered by writing "1" to
7826d1
   /sys/devices/system/cpu/microcode/reload file (provided my the "microcode"
7826d1
   module). It relies on request_firmware infrastructure, which searches (and
7826d1
   loads, if found) microcode from a file present in one of the following
7826d1
   directories (in the search order):
7826d1
       /lib/firmware/updates/KERNEL_VERSION/
7826d1
       /lib/firmware/updates/
7826d1
       /lib/firmware/KERNEL_VERSION/
7826d1
       /lib/firmware/
7826d1
  (there is also an additional directory that can be configured via the
7826d1
  "fw_path_para" module option of the "firmware_class" module; as this module
7826d1
  is built-in in RHEL kernel, a boot parameter "firmware_class.fw_path_para"
7826d1
  should be used for that purpose; this is out of the document's scope, however)
7826d1
7826d1
The firmware for Intel CPUs is searched in "intel-ucode" subdirectory, and for
7826d1
AMD CPUs, a file under "amd-ucode" is searched.
7826d1
7826d1
For Intel CPUs, the name of the specific microcode file the kernel tries to load
7826d1
has the format "FF-MM-SS", where "FF" is the family number, "MM" is the model
7826d1
number, and "SS" is the stepping. All those numbers are zero-filled to two digits
7826d1
and are written in hexadecimal (letters are in the lower case).  For AMD CPUs,
7826d1
the file name has the format "microcode_amd_famFFh.bin", where "FF" is the
7826d1
family number, written in hexadecimal, letters are in the lower case, not
7826d1
zero-filled.
7826d1
7826d1
The early microcode is placed into initramfs image by the "dracut" script, which
7826d1
scans the aforementioned subdirectories of the configured list of firmware
7826d1
directories (by default, the list consists of two directories in RHEL 9,
7826d1
"/lib/firmware/updates" and "/lib/firmware").
7826d1
7826d1
In RHEL 9, AMD CPU microcode is shipped as a part of the linux-firmware package,
7826d1
and Intel microcode is shipped as a part of the microcode_ctl package.
7826d1
7826d1
The microcode_ctl package currently includes the following:
7826d1
 * Intel CPU microcode files, placed in /usr/share/microcode_ctl/intel-ucode
7826d1
   directory (currently there are none);
7826d1
 * A dracut module, /usr/lib/dracut/modules.d/99microcode_ctl-fw_dir_override,
7826d1
   that controls which additional firmware directories will be added to dracut's
7826d1
   default configuration;
7826d1
 * A dracut configuration file, /usr/lib/dracut/dracut.conf.d/01-microcode.conf,
7826d1
   that enables inclusion of early microcode to the generated initramfs
7826d1
   in dracut;
7826d1
 * A dracut configuration file,
7826d1
   /usr/lib/dracut/dracut.conf.d/99-microcode-override.conf, that provides a way
7826d1
   to quickly disable 99microcode_ctl-fw_dir-override dracut module;
7826d1
 * A systemd service file, microcode.service, that triggers microcode reload
7826d1
   late during boot;
7826d1
 * A set of directories in /usr/share/microcode_ctl/ucode_with_caveats, each
7826d1
   of which contains configuration and related data for various caveats related
7826d1
   to microcode:
7826d1
   * readme - description of caveat and related information,
7826d1
   * config - caveat configuration file, with syntax as described in "Caveat
7826d1
     configuration" section below,
7826d1
   * intel-ucode - directory containing microcode files related to the caveat;
7826d1
 * A set of support scripts, placed in /usr/libexec/microcode_ctl:
7826d1
   * "check_caveats" is an utility script that performs checks of the target
7826d1
     kernel (and running CPU) in accordance with caveat configuration files
7826d1
     in ucode_with_caveats directory and reports whether it passes them or not,
7826d1
   * "reload_microcode" is a script that is called by microcode.service and
7826d1
     triggers microcode reloading (by writing "1" to
7826d1
     /sys/devices/system/cpu/microcode/reload) if the running kernel passes
7826d1
     check_caveats checks,
7826d1
   * "update_ucode" is a script that populates symlinks to microcode files
7826d1
     in /lib/firmware, so it can be picked up by relevant kernels for the late
7826d1
     microcode loading.
7826d1
7826d1
Also, microcode_ctl RPM includes triggers that run update_ucode script on every
7826d1
installation or removal of a kernel RPM in order to provide microcode files
7826d1
for newly installed kernels and cleanup symlinks for the uninstalled ones.
7826d1
7826d1
7826d1
Microcode file structure
7826d1
------------------------
7826d1
Intel x86 CPU microcode file (that is, one that can be directly consumed
7826d1
by the CPU/kernel, and not its text representation such as used in microcode.dat
7826d1
files) is a bundle of concatenated microcode blobs.  Each blob has a header,
7826d1
payload, and an optional additional data, as follows (for additional information
7826d1
please refer to "Intel® 64 and IA-32 Architectures Software Developer’s Manual"
7826d1
[1], Volume 3A, Section 9.11.1 "Microcode Update"):
7826d1
 * Header (48 bytes)
7826d1
    * Header version (unsigned 32-bit integer): version number of the update
7826d1
      header.  Must be 0x1.
7826d1
    * Microcode revision (signed 32-bit integer)
7826d1
    * Microcode date (unsigned 32-bit integer): encoded as BCD in mmddyyyy format
7826d1
      (0x03141592 is 1592-03-14 in ISO 8601)
7826d1
    * CPU signature (unsigned 32-bit integer): CPU ID, as provided
7826d1
      by the CPUID (EAX = 0x1) instruction in the EAX register:
7826d1
       * bits 31..28: reserved
7826d1
       * bits 27..20: "Extended Family", summed with the Family field value
7826d1
       * bits 19..16: "Extended Model", bits 7..4 of the CPU model
7826d1
       * bits 15..14: reserved
7826d1
       * bits 13..12: "Processor Type", non-zero value (other than the "primary
7826d1
         processor") so far used only for the Deschutes (Pentium II) CPU family,
7826d1
         with the processor type of 1, to signify it is an Overdrive processor:
7826d1
         CPUID 0x1632.
7826d1
       * bits 11..08: Family, summed with the Extended Family field value
7826d1
       * bits 07..04: Model (bits 3..0)
7826d1
       * bits 03..00: Stepping
7826d1
      In short, microcode file with Family-Model-Stepping of uv-wx-0z corresponds
7826d1
      to CPUID 0x0TUw0Vxz, where uv = TU + V, with V usually being 0xF when
7826d1
      uv >= 16; with Family being 6 on most of recent Intel CPUs this transforms
7826d1
      into 0x000w06xz.  Please also refer to README.intel-ucode, section "About
7826d1
      Processor Signature, Family, Model, Stepping and Platform ID"
7826d1
      for additional information.
7826d1
    * Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32) of all
7826d1
      the 32-bit integers comprising the microcode amounts to 0.
7826d1
    * Loader version (unsigned 32-bit integer): 0x1.
7826d1
    * Platform ID mask (unsigned 32-bit integer): lower 8 bits indicate the set
7826d1
      of possible values of bits 52..50 of MSR 0x17 ("Platform ID").  In old
7826d1
      (up to Pentium II) microcode blobs the mask may be zero.
7826d1
    * Data size (unsigned 32-bit integer): size of the Payload in bytes,
7826d1
      has to be divisible by 4.  0 means 2000.
7826d1
    * Total size (unsigned 32-bit integer): total microcode blob size (including
7826d1
      header and extended header), has to be divisible by 1024.  0 means 2048.
7826d1
    * Reserved (12 bytes).
7826d1
 * Payload
7826d1
 * Additional data (optional, 20 + 12 * n bytes)
7826d1
    * Extended signature table header (20 bytes)
7826d1
       * Extended signature count (unsigned 32-bit integer)
7826d1
       * Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32)
7826d1
         of all the 32-bit integers comprising the extender signature table
7826d1
         amounts to 0.
7826d1
       * Reserved (12 bytes).
7826d1
    * Extended signature (12 bytes each)
7826d1
       * CPU signature (unsigned 32-bit integer): see the description of the CPU
7826d1
         signature field in the Header above.
7826d1
       * Platform ID mask (unsigned 32-bit integer): see the description
7826d1
         of the Platform ID mask field in the Header above.
7826d1
       * Checksum (unsigned 32-bit integer): correct if sum (in base 1<< 32)
7826d1
         of all the 32-bit integers comprising the Header (with CPU signature
7826d1
         and Platform ID mask fields replaced with the values from this signature)
7826d1
         and the Payload amounts to 0.  Note that since External signature table
7826d1
         header has its own checksum, sum of all its 32-bit values amounts to 0,
7826d1
         so the Checksum in the Header and in the Extended signature will be
7826d1
         the same if the values of CPU signature and Platform ID mask fields
7826d1
         are the same,
7826d1
7826d1
[1] https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-1-2a-2b-2c-2d-3a-3b-3c-3d-and-4.html
7826d1
7826d1
7826d1
Caveat configuration
7826d1
--------------------
7826d1
There is a directory for each caveat under
7826d1
/usr/share/microcode_ctl/ucode_with_caveats, containing the following files:
7826d1
 * "config", a configuration file for the caveat;
7826d1
 * "readme", that contains description of the caveat;
7826d1
 * set of related associated microcode files.
7826d1
7826d1
"config" file is a set of lines each containing option name and its value,
7826d1
separated by white space.  Currently, the following options are supported:
7826d1
 * "model" option, which has format "VENDOR_ID FF-MM-SS", that specifies
7826d1
   to which CPU model the caveat is applicable (check_caveats ignores caveats
7826d1
   with non-matching models if "-m" option is passed to it). Can be set
7826d1
   in the configuration file only once (the last provided value is used).
7826d1
 * "vendor" option specifies CPUs of which vendor (as provided
7826d1
   in the /proc/cpuinfo file) the caveat is applicable to (check_caveats
7826d1
   ignores caveats with non-matching models when it is invoked with "-m"
7826d1
   option). Can be set in the configuration file only once.
7826d1
 * "path" is a glob pattern that specifies set of microcode files associated
7826d1
   with the caveat as a relative path to the caveat directory. This option
7826d1
   is used for populating files in /lib/firmware by update_ucode script and
7826d1
   for matching microcode file when dracut is run in host-only mode
7826d1
   (as in that case it uses only the first directory in firmware directory list
7826d1
   to look for the microcode file applicable to the host CPU).  Can be set
7826d1
   in the configuration file multiple times.
7826d1
 * "kernel" is a minimal kernel version that supports proper handling
7826d1
   of the related microcode files during late microcode load.  It may be
7826d1
   provided in one of the following formats that affect the way it is compared
7826d1
   to the running kernel version:
7826d1
    * A.B.C (where A, B, and C are decimal numbers), "upstream version". In this
7826d1
      case, simple version comparison against the respective part of the running
7826d1
      kernel version is used, and the running kernel version should be greater
7826d1
      or equal than the version provided in the configuration option in order
7826d1
      for comparison to succeed (that is, the first part, major version number,
7826d1
      of the running kernel version should be greater than the value provided
7826d1
      in the configuration option, or those should be equal and the second part,
7826d1
      minor version number, should be greater than the minor version number
7826d1
      of the kernel version provided in the configuration option, or the first
7826d1
      two parts should be equal and the third part, patch level, should
7826d1
      be greater or equal the patch level of the version in the configuration
7826d1
      option).
7826d1
    * A.B.C-Y (where A, B, C, and Y are decimal numbers), "Y-stream version".
7826d1
      In this case, A.B.C part should be equal, and Y part of the running kernel
7826d1
      version should be greater or equal than the Y part of the configuration
7826d1
      option version in order to satisfy the comparison requirement.
7826d1
    * A.B.C-Y.Z1.Z2 (where A, B, C, Y, Z1, and Z2 are decimal numbers),
7826d1
      "Z-stream version". In this case, A.B.C-Y part should be equal and Z1.Z2
7826d1
      part of the running kernel should be greater or equal than the respective
7826d1
      part of the configuration option version (when compared as a version)
7826d1
      for comparison to succeed.
7826d1
   Kernel version check passed if at least one comparison of the running kernel
7826d1
   version against a kernel version provided in a configuration option
7826d1
   succeeded.  The "kernel" configuration option can be provided
7826d1
   in the configuration file multiple times.
7826d1
 * "kernel_early" is a minimal kernel version that supports proper handling
7826d1
   of the related microcode during early microcode load. The format of the
7826d1
   option and its semantics is similar to the "kernel" configuration options.
7826d1
   This option can be provided multiple times as well.
7826d1
 * "mc_min_ver_late" is the minimal version of the currently loaded microcode
7826d1
   on the CPU (as reported in /proc/cpuinfo) that supports late microcode
7826d1
   update.  Microcode update will be attempted only if the currently loaded
7826d1
   microcode version is greater or equal the microcode version provided
7826d1
   in the configuration option. Can be set in the configuration file only once.
7826d1
 * "disable" is a way to disable a specific caveat from inside its
7826d1
   configuration. Argument for the argument is a list of stages ("early",
7826d1
   "late") for which the caveat should be disable. The configuration option
7826d1
   can be provided multiple times in a configuration file.
7826d1
 * "pci_config_val" performs check for specific values in selected parts
7826d1
   of configuration space of specified PCI devices.  If "-m" option
7826d1
   is not specified, then the actual check is skipped, and the check returns
7826d1
   result in accordance with the provided "mode" option (se below).  Check
7826d1
   arguments are a white-space-separated list of "key=value" pairs.
7826d1
   The following keys are supported:
7826d1
    * "domain" - PCI domain number, or "*" (an asterisk) for any domain.
7826d1
      Default is "*".
7826d1
    * "bus" - PCI bus number, or "*" (an asterisk) for any bus.  Default is "*".
7826d1
    * "device" - PCI device number, or "*" (an asterisk) for any device.
7826d1
      Default is "*".
7826d1
    * "function" - PCI function number, or "*" (an asterisk) for any function.
7826d1
      Default is "*".
7826d1
    * "vid" - PCI vendor ID, or empty string for any vendor ID.  Default
7826d1
      is empty string.
7826d1
    * "did" - PCI device ID, or empty string for any device ID.  Default
7826d1
      is empty string.
7826d1
    * "offset" - offset in device's configuration space where the value resides.
7826d1
      Default is 0.
7826d1
    * "size" - field size.  Possible values are 1, 2, 4, or 8.  Default is 4.
7826d1
    * "mask" - mask applied to the values during the check.  Default is 0.
7826d1
    * "val" - comma-separated list of matching values.  Default is 0.
7826d1
    * "mode" - check mode, the way matches are interpreted:
7826d1
       * "success-any" - check succeeds if there was at least one match,
7826d1
         otherwise it fails.
7826d1
       * "success-all" - check succeeds if there was at least one device checked
7826d1
         and all the checked devices have matches, otherwise the check fails.
7826d1
       * "fail-any" - check fails if there was at least one match, otherwise
7826d1
         it succeeds.
7826d1
       * "fail-all" - check fails if there was at least one device checked
7826d1
         and all the checked devices have matches, otherwise the check succeeds.
7826d1
      Default is "success-any".
7826d1
   An example of a check:
7826d1
       pci_config_val mode=success-all device=30 function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
7826d1
   It interprets 4 bytes at offset 0x84 of special files "config" under
7826d1
   directories that match glob pattern "/sys/bus/pci/devices/*:*:1e.3"
7826d1
   as an unsigned integer value, applies mask 0x38 (thus selecting bit 5..3
7826d1
   of it) and checks whether it is one of the values 0x38, 0x18, or 0x8 (0b111,
7826d1
   0b011, or 0b001 in bits 5..3, respectively); if there are such files,
7826d1
   and all the checked values in every checked file has matched at least one
7826d1
   of the aforementioned value, then the check is successful, otherwise
7826d1
   it fails (in accordance with "mode=success-all" semantics).  This check fails
7826d1
   if "-m" option is not specified.
7826d1
 * "dmi" performs checks for specific values available in DMI sysfs files
7826d1
   (present under /sys/devices/virtual/dmi/id/).  The check (when it is actually
7826d1
   performed; see a not about "no-model-mode" below) fails if one of the files
7826d1
   is not readable.  If "-m" option is not specified, then the actual check
7826d1
   is skipped, and the check returns value in accordance with "no-model-mode"
7826d1
   parameter value (see below).  Check arguments are a white-space-separated
7826d1
   list of "key=value" pairs.  The following keys are supported:
7826d1
    * "key" - DMI file to check. Value can be one of the following: bios_date,
7826d1
      bios_vendor, bios_version, board_asset_tag, board_name, board_serial,
7826d1
      board_vendor, board_version, chassis_asset_tag, chassis_serial,
7826d1
      chassis_type, chassis_vendor, chassis_version, product_family,
7826d1
      product_name, product_serial, product_uuid, product_version, sys_vendor.
7826d1
      Default is empty string.
7826d1
    * "val" - a string to match DMI data present in "key" against.
7826d1
      Can be enclosed in single or double quotes.  Default is empty string.
7826d1
    * "keyval" - a pair of "key" and "val" values (with semantics described
7826d1
      above), separated with either "=", ":", "!=", or "!:" characters.  Enables
7826d1
      providing of multiple key-value pairs by means of supplying multiple
7826d1
      keyval= parameters.  The exclamation sign ("!") character in separator
7826d1
      enables negated matching (so, non-equality of the value in DMI "key" file
7826d1
      and the value of "val" is).  The match considered successful when all
7826d1
      the key/val (non-)equalities are in effect.  This parameter works
7826d1
      in addition to the pair provided in "key" and "val" parameters
7826d1
      (but allows to avoid using them).  Default is empty.
7826d1
    * "mode" - check mode, the way successful matches are interpreted:
7826d1
       * "success-equal" - returns 0 if the value present in the file
7826d1
         with the name supplied via the "key" parameter file under
7826d1
	 /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
7826d1
	 of "val" parameter and all the pairs provided in "keyval" parameters
7826d1
	 are equal and non-equal in accordance with their definition,
7826d1
	 otherwise 1.
7826d1
       * "fail-equal" - returns 1 if the value present in the file
7826d1
         with the name supplied via the "key" parameter file under
7826d1
	 /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
7826d1
	 of "val" parameter and all the pairs provided in "keyval" parameters
7826d1
	 are equal and non-equal in accordance with their definition,
7826d1
	 otherwise 0.
7826d1
      Default is "success-any".
7826d1
    * "no-model-mode" - return value if model filter ("-m" option)
7826d1
      is not enabled:
7826d1
       * "success" - return 0.
7826d1
       * "fail" - return 1.
7826d1
      Default is "success".
7826d1
   An example of a check:
7826d1
       dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc."
7826d1
   It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its
7826d1
   content is "Dell Inc." (without quotes).  It succeeds if "-m" option
7826d1
   is not enabled.
7826d1
   Another example:
7826d1
       dmi mode=fail-equal keyval="sys_vendor=Amazon EC2" keyval="product_name=u-18tb1.metal"
7826d1
       dmi mode=fail-equal keyval="sys_vendor=Lenovo" keyval="product_name=ThinkSystem SR950"
7826d1
   It blocks the caveat from using when either both
7826d1
   /sys/devices/virtual/dmi/id/sys_vendor contains the string "Amazon EC2"
7826d1
   and /sys/devices/virtual/dmi/id/product_name contains the string
7826d1
   "u-18tb1.metal" or both /sys/devices/virtual/dmi/id/sys_vendor contains
7826d1
   the string "Lenovo" and /sys/devices/virtual/dmi/id/product_name contains
7826d1
   the string "ThinkSystem SR950", but enables caveat loading for other products
7826d1
   with the aforementioned /sys/devices/virtual/dmi/id/sys_vendor values,
7826d1
   for example.
7826d1
 * "dependency" allows conditional enablement of a caveat based on the check
7826d1
   status of some other caveat(s).  It has the following format:
7826d1
       dependency DEPENDENCY_TYPE DEPENDENCY_NAME [OPTION...]
7826d1
   where DEPENDENCY_NAME is the configuration to be checked, OPTIONs
7826d1
   are per-DEPENDENCY_TYPE, and the only DEPENDENCY_TYPE that is supported
7826d1
   currently is "required".
7826d1
   Options for the "required" dependency type:
7826d1
    * "match-model-mode" - whether model matching mode ("-m" option)
7826d1
      has to be used for the nested configuration check. Possible values:
7826d1
       * "on" - model-matching mode is always used during the nested check;
7826d1
       * "off" - model-matching mode is never used during the nested check;
7826d1
       * "same" - used the same model-matching mode as it is now.
7826d1
      Default is "same".
7826d1
    * "skip" - controls result of the check when the nested check indicated
7826d1
      skipping of the configuration.
7826d1
       * "fail" - the dependent check fails;
7826d1
       * "success" - the dependent check succeeds;
7826d1
       * "skip" - the dependent check indicates that the configuration
7826d1
         is to be skipped.
7826d1
      Default is "skip".
7826d1
    * "force-skip" - controls result of the check when the nested check
7826d1
      indicated skipping of the configuration caused by the presence
7826d1
      of an override file (see "check_caveats script" section for details).
7826d1
       * "fail" - the dependent check fails;
7826d1
       * "success" - the dependent check succeeds;
7826d1
       * "skip" - the dependent check indicates that the configuration
7826d1
         is to be skipped.
7826d1
      Default is "skip".
7826d1
    * "nesting-too-deep" - as a measure against dependency loop, configuration
7826d1
      checking logic implements nesting limit on dependency checks (currently
7826d1
      set at 8).  This option controls the behaviour of the check
7826d1
      when the nested check cannot be performed due to this limit.
7826d1
       * "fail" - the dependent check fails;
7826d1
       * "success" - the dependent check succeeds;
7826d1
       * "skip" - the dependent check indicates that the configuration
7826d1
         is to be skipped.
7826d1
      Default is "fail".
7826d1
   An example of a check:
7826d1
       dependency required intel skip=success match-model-mode=off
7826d1
   It checks "intel" caveat configuration (see the "Early microcode load
7826d1
   inside a virtual machine" section) with model-matching mode being disabled,
7826d1
   treats skipping of the configuration as a success (unless the configuration
7826d1
   is forced to be skipped, in that case the dependent configuration
7826d1
   is to be skipped as well).
7826d1
7826d1
7826d1
check_caveats script
7826d1
--------------------
7826d1
"check_caveats" is an utility script (called by update_ucode, reload_microcode,
7826d1
dracut module) that performs checks of the target kernel (and running CPU)
7826d1
in accordance with caveat configuration files in directory
7826d1
"/usr/share/microcode_ctl/ucode_with_caveats", and returns information, whether
7826d1
the system passes the checks, or not.
7826d1
7826d1
Usage:
7826d1
    check_caveats [-e] [-k TARGET_KVER] [-c CONFIG]* [-m] [-v]'
7826d1
7826d1
Options:
7826d1
  -e - check for early microcode load possibility (instead of late microcode
7826d1
       load). "kernel_early" caveat configuration options are used for checking
7826d1
       instead of "kernel", and "mc_min_ver_late" is not checked.
7826d1
  -k - target kernel version to check against, $(uname -r) is used otherwise.
7826d1
  -c - caveat(s) to check, all caveat configurations found inside
7826d1
       $MC_CAVEATS_DATA_DIR are checked otherwise.
7826d1
  -m - ignore caveats that do not apply to the current CPU model.
7826d1
  -v - verbose output.
7826d1
7826d1
Environment:
7826d1
  MC_CAVEATS_DATA_DIR - directory that contains caveats configurations,
7826d1
                        "/usr/share/microcode_ctl/ucode_with_caveats"
7826d1
			by default.
7826d1
  FW_DIR - directory containing firmware files (per-kernel configuration
7826d1
           overrides are checked there), "/lib/firmware" by default.
7826d1
  CFG_DIR - directory containing global caveats overrides,
7826d1
            "/etc/microcode_ctl/ucode_with_caveats" by default.
7826d1
7826d1
Output:
7826d1
  Script returns information about caveats check results. Output has a format
7826d1
  of "KEY VALUE1 VALUE2 ..." with KEY defining the semantics of the VALUEs.
7826d1
  Currently, the following data is issued:
7826d1
   - "cfgs" - list of caveats that have been processed (and not skipped
7826d1
      due to missing "config", "readme", or a disallow-* override described
7826d1
      below);
7826d1
   - "skip_cfgs" - list of caveats that have been skipped (due to missing
7826d1
     config/readme file, or because of overrides);
7826d1
   - "paths" - list of glob patterns matching files associated with caveats
7826d1
     that have been processed;
7826d1
   - "ok_cfgs" - list of caveat configurations that have all the checks passed
7826d1
     (or have enforced by one of force-* overrides described below);
7826d1
   - "ok_paths" - list of glob patterns associated with caveat files from
7826d1
     the "ok_cfgs" list;
7826d1
   - "fail_cfgs" - list of caveats that have one of the checks failed.
7826d1
   - "fail_paths" - list of glob patterns associated with caveats from the
7826d1
     "fail_cfgs" list.
7826d1
7826d1
Return value:
7826d1
  - 0 in case caveats check has passed, 1 otherwise.
7826d1
  - In "-d" mode, 0 is always returned.
7826d1
7826d1
Overrides:
7826d1
7826d1
When check_caveats perform its checks, it also checks for presence of files
7826d1
in specific places, and, if they exist, check_caveats skips a caveat or ignores
7826d1
its checks; that mechanism allows overriding the information provided
7826d1
in configuration on local systems and affect the behaviour of the microcode
7826d1
update process.
7826d1
7826d1
Current list of overrides (where $FW_DIR and $CFG_DIR are the environment
7826d1
options described earlier; $kver - the currently processed kernel version,
7826d1
$s is the requested stage ("early" or "late"), $cfg is the caveat directory
7826d1
name):
7826d1
    $FW_DIR/$kver/disallow-$s-$cfg - skip a caveat for the requested stage for
7826d1
                                     a specific kernel version..
7826d1
    $FW_DIR/$kver/force-$s-$cfg - apply a specific caveat file for a specific
7826d1
                                  kernel version for the requested stage without
7826d1
				  performing any checks.
7826d1
    $FW_DIR/$kver/disallow-$cfg - skip a caveat for any stage for a specific
7826d1
                                  kernel version.
7826d1
    $FW_DIR/$kver/force-$cfg - apply a specific caveat for any stage
7826d1
                               for a specific kernel version without checks.
7826d1
    $FW_DIR/$kver/disallow-$s - skip all caveats for a specific stage
7826d1
                                for a specific kernel version.
7826d1
    $CFG_DIR/disallow-$s-$cfg - skip a caveat for a specific stage for all
7826d1
                                kernel versions.
7826d1
    $FW_DIR/$kver/force-$s - apply all caveats for a specific stage
7826d1
                             for a specific kernel version without checks.
7826d1
    $CFG_DIR/force-$s-$cfg - apply a specific caveat for a specific stage for
7826d1
                             all kernel versions without checks.
7826d1
    $FW_DIR/$kver/disallow - skip all caveats for all stages for a specific
7826d1
                             kernel version.
7826d1
    $CFG_DIR/disallow-$cfg - skip a caveat for all stages for all kernel
7826d1
                             versions.
7826d1
    $FW_DIR/$kver/force - apply all caveats for all stages for a specific kernel
7826d1
                          version without checks.
7826d1
    $CFG_DIR/force-$cfg - apply a caveat for all stages for all kernel versions
7826d1
                          without checks.
7826d1
    $CFG_DIR/disallow-$s - skip all caveat for all kernel versions
7826d1
                           for a specific stage.
7826d1
    $CFG_DIR/force-$s - apply all caveats for all kernel versions for  specific
7826d1
                        stage without checks.
7826d1
    $CFG_DIR/disallow - skip all caveats for all stages for all kernel versions
7826d1
                        (disable everything).
7826d1
    $CFG_DIR/force - force all caveats for all stages for all kernel versions
7826d1
                     (enable everything).
7826d1
7826d1
The "apply" action above means creating symlinks in /lib/firmware by
7826d1
update_ucode in case of the "late" stage and adding caveat directory to the list
7826d1
of firmware directories by dracut plugin in case of the "early" stage.
7826d1
7826d1
The files are checked for existence until the first match, so more specific
7826d1
overrides can override more broad ones.
7826d1
7826d1
Also, a caveat is ignored if it lacks either config or readme file.
7826d1
7826d1
7826d1
update_ucode script
7826d1
-------------------
7826d1
"update_ucode" populates symlinks to microcode files in accordance with caveats
7826d1
configuration.  It enables late microcode loading that is invoked by triggering
7826d1
/sys/devices/system/cpu/microcode/reload file.  Since caveats depend
7826d1
on the kernel version, symlinks are populated inside
7826d1
"/lib/firmware/KERNEL_VERSION" directory for each installed kernel.
7826d1
As a consequence, this script is triggered upon each kernel package installation
7826d1
and removal.
7826d1
7826d1
The script has two parts: common and kernel-version-specific.
7826d1
7826d1
During the common part, files are populated from
7826d1
/usr/share/microcode_ctl/intel-ucode in /lib/firmware/intel-ucode. There are
7826d1
several possibilities to affect the process:
7826d1
 * Presence of "/etc/microcode_ctl/intel-ucode-disallow" file leads to skipping
7826d1
   the common part of the script.
7826d1
 * The same for "/lib/firmware/intel-ucode-disallow".
7826d1
7826d1
During the kernel-version-specific part, each caveat is checked against every
7826d1
kernel version, and those combinations, for which caveat check succeeds,
7826d1
gets the symlinks to the associated microcode files populated.
7826d1
 * Absence of "/lib/firmware/KERNEL_VERSION/readme-CAVEAT" prevents update_ucode
7826d1
   from removing symlinks related to the caveat for specific kernel version.
7826d1
 * Since the check is being done by check_caveats, all the overrides that
7826d1
   described there also stay.
7826d1
7826d1
Usage:
7826d1
    update_ucode [--action {add|remove|refresh|list}] [--kernel KERNELVER]*
7826d1
                 [--verbose] [--dry-run] [--cleanup intel_ucode caveats_ucode]
7826d1
                 [--skip-common] [--skip-kernel-specific]
7826d1
7826d1
Options:
7826d1
  --action - action to perform. Currently, the following actions are supported:
7826d1
              * "add" - create new symlinks.
7826d1
              * "remove" - remove old symlinks that are no longer needed.
7826d1
              * "refresh" - re-populate symlinks.
7826d1
              * "list" - list files under control of update_ucode.
7826d1
             By default, "refresh" action is executed.
7826d1
  --kernel - kernel version to process. By default, list of kernel versions
7826d1
             is formed based on contents of /lib/firmware and /lib/modules
7826d1
             directories.
7826d1
  --verbose - verbose output.
7826d1
  --dry-run - do not call commands, just print the invocation lines.
7826d1
  --cleanup - cleanup mode. Used by post-uninstall script during package
7826d1
              upgrades. Removes excess files in accordance to the contents
7826d1
              of the files provided in the arguments to the option.
7826d1
  --skip-common - do not process /lib/firmware directory.
7826d1
  --skip-kernel-specific - do not process /lib/firmware/KERNEL_VERSION
7826d1
                           directories.
7826d1
7826d1
Return value:
7826d1
  0 on success, 1 on error.
7826d1
7826d1
7826d1
reload_microcode script
7826d1
-----------------------
7826d1
"reload_microcode" is a script that is called by microcode.service and
7826d1
triggers late microcode reloading (by writing "1" to
7826d1
/sys/devices/system/cpu/microcode/reload) if the following check are passed:
7826d1
 * the microcode update performed not in a virtualised environment;
7826d1
 * running kernel passes "check_caveats" checks that applicable to the current
7826d1
   CPU model.
7826d1
7826d1
For a virtualised environment check, the script searches the "/proc/cpuinfo"
7826d1
file for presence of the "hypervisor" flag among CPU features (it corresponds
7826d1
to a CPUID feature bit set by hypervisors in order to inform that the kernel
7826d1
operates inside a virtual machine).  This check can be overridden and skipped
7826d1
by creation of a file "/etc/microcode_ctl/ignore-hypervisor-flag".
7826d1
7826d1
The script has no options and always returns 0.
7826d1
7826d1
7826d1
99microcode_ctl-fw_dir_override dracut module
7826d1
---------------------------------------------
7826d1
This dracut module injects directories with microcode files for caveats
7826d1
that pass "early" check_caveats check (with "-e" flag). In addition
7826d1
to "check_caveats" overrides, the following abilities to control module's
7826d1
behaviour are present:
7826d1
 * Presence of one of the following files:
7826d1
   - /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check
7826d1
   - /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check-$cfg
7826d1
   - /lib/firmware/$kver/skip-host-only-check
7826d1
   - /lib/firmware/$kver/skip-host-only-check-$cfg
7826d1
   (where "$kver" is the kernel version in question and "$cfg" is the caveat
7826d1
   directory name) allows skipping matching of microcode file name when dracut's
7826d1
   Host-Only mode is enabled.
7826d1
7826d1
When caveats_check succeeds, caveats directory (not its possibly populated
7826d1
version for late microcode update: "/lib/firmware/KERNEL_VERSION";
7826d1
it is done so in order
7826d1
to have ability to configure list of caveats enabled for early and late
7826d1
microcode update, independently) is added to dracut's list of firmware search
7826d1
directories.
7826d1
7826d1
The module can be disabled by running dracut with
7826d1
"-o microcode_ctl-fw_dir_override" (for one-time exclusion), or it can
7826d1
be disabled permanently by uncommenting string
7826d1
"omit_dracutmodules+=' microcode_ctl-fw_dir_override '" in
7826d1
/usr/lib/dracut/dracut.conf.d/99-microcode-override.conf configuration file.
7826d1
7826d1
See dracut(8), section "Omitting dracut Modules", and dracut.conf(5), variable
7826d1
"omit_dracutmodules" for additional information.
7826d1
7826d1
7826d1
Caveats
7826d1
=======
7826d1
7826d1
Intel Broadwell-EP/EX ("BDX-ML B/M/R0") caveat
7826d1
----------------------------------------------
7826d1
Microcode update process on Intel Broadwell-EP/EX CPUs (BDX-ML B/M/R0,
7826d1
family 6, model 79, stepping 1) has issues that lead to system instability.
7826d1
A series of changes for the Linux kernel has been developed in order to work
7826d1
around those issues; however, as it turned out, some systems have issues even
7826d1
when a microcode update performed on a kernel that contains those changes.
7826d1
As a result, microcode update for this CPU model is disabled by default;
7826d1
the microcode file, however, is still shipped as a part of microcode_ctl
7826d1
package and can be used for performing a microcode update if it is enforced
7826d1
via the aforementioned overrides. (See the sections "check_caveats script"
7826d1
and "reload_microcode script" for details.)
7826d1
7826d1
Caveat name: intel-06-4f-01
7826d1
7826d1
Affected microcode: intel-ucode/06-4f-01.
7826d1
7826d1
Dependencies: intel
7826d1
7826d1
Mitigation: microcode loading is disabled for the affected CPU model.
7826d1
7826d1
Minimum versions of the kernel package that contain the aforementioned patch
7826d1
series:
7826d1
 - Upstream/RHEL 8/RHEL 9: 4.17.0
7826d1
 - RHEL 7.6 onwards:  3.10.0-894
7826d1
 - RHEL 7.5:  3.10.0-862.6.1
7826d1
 - RHEL 7.4:  3.10.0-693.35.1
7826d1
 - RHEL 7.3:  3.10.0-514.52.1
7826d1
 - RHEL 7.2:  3.10.0-327.70.1
7826d1
 - RHEL 6.10: 2.6.32-754.1.1
7826d1
 - RHEL 6.7:  2.6.32-573.58.1
7826d1
 - RHEL 6.6:  2.6.32-504.71.1
7826d1
 - RHEL 6.5:  2.6.32-431.90.1
7826d1
 - RHEL 6.4:  2.6.32-358.90.1
7826d1
7826d1
7826d1
Early microcode load inside a virtual machine
7826d1
---------------------------------------------
7826d1
RHEL 9 kernel supports performing microcode update during early boot stage
7826d1
from a cpio archive placed at the beginning of the initramfs image.  However,
7826d1
when an early microcode update is attempted inside some virtualised
7826d1
environments, that may result in unexpected system behaviour.
7826d1
7826d1
Caveat name: intel
7826d1
7826d1
Affected microcode: all.
7826d1
7826d1
Dependencies: (none)
7826d1
7826d1
Mitigation: early microcode loading is disabled for all CPU models on kernels
7826d1
without the fix.
7826d1
7826d1
Minimum versions of the kernel package that contain the fix:
7826d1
 - Upstream/RHEL 8/RHEL 9: 4.10.0
7826d1
 - RHEL 7.6 onwards: 3.10.0-930
7826d1
 - RHEL 7.5: 3.10.0-862.14.1
7826d1
 - RHEL 7.4: 3.10.0-693.38.1
7826d1
 - RHEL 7.3: 3.10.0-514.57.1
7826d1
 - RHEL 7.2: 3.10.0-327.73.1
7826d1
7826d1
7826d1
Intel Sandy Bridge-E/EN/EP caveat
7826d1
---------------------------------
7826d1
Microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6,
7826d1
model 45, stepping 7), that was released to address MDS vulnerability,
7826d1
and was available from microcode-20190618 up to microcode-20190508 release)
7826d1
could lead to system instability[1][2].  In order to address this,
7826d1
this microcode update was not used and the previous microcode revision
7826d1
was provided instead by default; the microcode file, however, was still shipped
7826d1
as part of microcode_ctl package and could be used for performing a microcode
7826d1
update if it is enforced via the aforementioned overrides.  With the release
7826d1
of 0x71a revision of the microcode (as art of microcode-20200520 release)
7826d1
that aims at fixing the aforementioned stability issue, the latest microcode
7826d1
revision is again used by default; it is still provided via the caveat
7826d1
mechanism, hovewer, in order to enable ability to disable it in case such
7826d1
a need arises.  (See the sections "check_caveats script" and "reload_microcode
7826d1
script" for details regarding caveats mechanism operation.)
7826d1
7826d1
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
7826d1
[2] https://access.redhat.com/solutions/4593951
7826d1
7826d1
Caveat name: intel-06-2d-07
7826d1
7826d1
Affected microcode: intel-ucode/06-2d-07.
7826d1
7826d1
Dependencies: intel
7826d1
7826d1
Mitigation: None; the latest revision of the microcode file is used by default;
7826d1
previously published microcode revision 0x714 is still available as a fallback
7826d1
as part of "intel" caveat.
7826d1
7826d1
7826d1
Intel Skylake-SP/W/X caveat
7826d1
---------------------------
7826d1
Microcode revision 0x2000065 (that was provided with microcode releases
7826d1
microcode-20191112 up to microcode-20200520) for some CPU models that belong
7826d1
to Intel Skylake Scalable Platform (SKL-W/X, family 6, model 85, stepping 4,
7826d1
Workstation/HEDT segments) could lead to hangs during reboot[1].  In order
7826d1
to address this, by default this microcode update was disabled by default and
7826d1
and the previous 0x2000064 microcode revision was used instead; the microcode
7826d1
file with, however, is still shipped as part of microcode_ctl package and can
7826d1
be used for performing a microcode update if it is enforced
7826d1
via the aforementioned overrides. With the availability of 0x2006906 revision
7826d1
of the microcode (in the microcode-20200609 release) that fixes
7826d1
the aforementioned issue, the latest microcode revision is again used
7826d1
by default; it is still provided via caveat mechanism, hovewer, in order
7826d1
to enable ability to disable it in case such a need arises.  (See the sections
7826d1
"check_caveats script" and "reload_microcode script" for details regarding
7826d1
caveats mechanism operation.)
7826d1
7826d1
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
7826d1
7826d1
Caveat name: intel-06-55-04
7826d1
7826d1
Affected microcode: intel-ucode/06-55-04.
7826d1
7826d1
Dependencies: intel
7826d1
7826d1
Mitigation: None; the latest revision of the microcode file is used by default;
7826d1
previously published microcode revision 0x2000064 is still available
7826d1
as a fallback as part of "intel" caveat.
7826d1
7826d1
7826d1
Intel Skylake-U/Y caveat
7826d1
------------------------
7826d1
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
7826d1
have reports of system hangs when revision 0xdc of microcode, that is included
7826d1
in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
7826d1
and CVE-2020-0549, is applied[1].  In order to address this, microcode update
7826d1
to the newer revision has been disabled by default on these systems,
7826d1
and the previously published microcode revision 0xd6 is used instead; the newer
7826d1
microcode files, however, are still shipped as part of microcode_ctl package
7826d1
and can be used for performing a microcode update if they are enforced
7826d1
via the aforementioned overrides.  (See the sections "check_caveats script"
7826d1
and "reload_microcode script" for details.)
7826d1
7826d1
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
7826d1
7826d1
Caveat name: intel-06-4e-03
7826d1
7826d1
Affected microcode: intel-ucode/06-4e-03
7826d1
7826d1
Dependencies: intel
7826d1
7826d1
Mitigation: previously published microcode revision 0xd6 is used by default.
7826d1
7826d1
7826d1
Intel Skylake-H/S/Xeon E3 v5 caveat
7826d1
-----------------------------------
7826d1
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
7826d1
stepping 3) had reports of system hangs when revision 0xdc of microcode,
7826d1
that is included in microcode-20200609 update to address CVE-2020-0543,
7826d1
CVE-2020-0548, and CVE-2020-0549, was applied[1].  In order to address this,
7826d1
microcode update to the newer revision had been disabled by default on these
7826d1
systems, and the previously published microcode revision 0xd6 was used instead.
7826d1
The revision 0xea seems[2] to have fixed the aforementioned issue, hence
7826d1
the latest microcode revision usage it is enabled by default,
7826d1
but can be disabled explicitly via the aforementioned overrides.  (See
7826d1
the sections "check_caveats script" and "reload_microcode script" for details.)
7826d1
7826d1
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
7826d1
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
7826d1
7826d1
Caveat names: intel-06-5e-03
7826d1
7826d1
Affected microcode: intel-ucode/06-5e-03.
7826d1
7826d1
Dependencies: intel
7826d1
7826d1
Mitigation: None; the latest revision of the microcode file is used by default;
7826d1
previously published microcode revision 0xd6 is still available as a fallback
7826d1
as part of "intel" caveat.
7826d1
7826d1
7826d1
Dell caveats
7826d1
------------
7826d1
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
7826d1
and system instability during or after microcode update to revision 0xc6/0xca
7826d1
(included as part of microcode-20191113/microcode-20191115 update that addressed
7826d1
CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139)
7826d1
and/or revision 0xd6 (included as part of microcode-20200609 update
7826d1
that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549)
7826d1
[1][2][3][4][5][6].  In order to address this, microcode update to the newer
7826d1
revision has been disabled by default on these systems, and the previously
7826d1
published microcode revisions 0xae/0xb4/0xb8 are used by default
7826d1
for the OS-driven microcode update.
7826d1
7826d1
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23
7826d1
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
7826d1
[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33
7826d1
[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34
7826d1
[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35
7826d1
[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097
7826d1
7826d1
Caveat names: intel-06-8e-9e-0x-dell, intel-06-8e-9e-0x-0xca
7826d1
7826d1
Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a,
7826d1
                    intel-ucode/06-8e-0b, intel-ucode/06-8e-0c,
7826d1
                    intel-ucode/06-9e-09, intel-ucode/06-9e-0a,
7826d1
                    intel-ucode/06-9e-0b, intel-ucode/06-9e-0c,
7826d1
                    intel-ucode/06-9e-0d.
7826d1
7826d1
Dependencies: intel
7826d1
7826d1
Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
7826d1
            by default if /sys/devices/virtual/dmi/id/bios_vendor reports
7826d1
	    "Dell Inc."; otherwise, the latest microcode revision is used.
7826d1
	    Caveat with revision 0xca of microcode files is provided
7826d1
	    as a convenience for the cases where it was working well before.
7826d1
7826d1
7826d1
Intel Tiger Lake-UP3/UP4 caveat
7826d1
-------------------------------
7826d1
Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140,
7826d1
stepping 1) had reports of system hangs when a microcode update,
7826d1
that was included since microcode-20201110 release, was applied[1].
7826d1
In order to address this, microcode update to a newer revision had been disabled
7826d1
by default on these systems.  The revision 0x88 seems to have fixed
7826d1
the aforementioned issue, hence it is enabled by default; however, it is still
7826d1
can be disabled via the aforementioned overrides.  (See the sections
7826d1
"check_caveats script" and "reload_microcode script" for details.)
7826d1
7826d1
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
7826d1
7826d1
Caveat names: intel-06-8c-01
7826d1
7826d1
Affected microcode: intel-ucode/06-8c-01.
7826d1
7826d1
Dependencies: intel
7826d1
7826d1
Mitigation: None; the latest revision of the microcode file is used by default.
7826d1
7826d1
7826d1
7826d1
Additional information
7826d1
======================
7826d1
Red Hat provides updated microcode, developed by its microprocessor partners,
7826d1
as a customer convenience.  Please contact your hardware vendor to determine
7826d1
whether more recent BIOS/firmware updates are recommended because additional
7826d1
improvements may be available.
7826d1
7826d1
Information regarding microcode revisions required for mitigating specific
7826d1
Intel CPU vulnerabilities is available in the following knowledge base articles:
7826d1
 * CVE-2017-5715 ("Spectre"):
7826d1
   https://access.redhat.com/articles/3436091
7826d1
 * CVE-2018-3639 ("Speculative Store Bypass"):
7826d1
   https://access.redhat.com/articles/3540901
7826d1
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
7826d1
   https://access.redhat.com/articles/3562741
7826d1
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
7826d1
   ("Microarchitectural Data Sampling"):
7826d1
   https://access.redhat.com/articles/4138151
7826d1
 * CVE-2019-0117 (Intel SGX Information Leak),
7826d1
   CVE-2019-0123 (Intel SGX Privilege Escalation),
7826d1
   CVE-2019-11135 (TSX Asynchronous Abort),
7826d1
   CVE-2019-11139 (Voltage Setting Modulation):
7826d1
   https://access.redhat.com/solutions/2019-microcode-nov
7826d1
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
7826d1
   CVE-2020-0548 (Vector Register Data Sampling),
7826d1
   CVE-2020-0549 (L1D Cache Eviction Sampling):
7826d1
   https://access.redhat.com/solutions/5142751
7826d1
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
7826d1
   CVE-2020-8696 (Vector Register Leakage-Active),
7826d1
   CVE-2020-8698 (Fast Forward Store Predictor):
7826d1
   https://access.redhat.com/articles/5569051
7826d1
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
7826d1
   CVE-2020-24511 (Improper Isolation of Shared Resources),
7826d1
   CVE-2020-24512 (Observable Timing Discrepancy),
7826d1
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
7826d1
   https://access.redhat.com/articles/6101171
08aaff
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow),
08aaff
   CVE-2021-0145 (Fast store forward predictor - Cross Domain Training),
08aaff
   CVE-2021-0146 (VT-d-related Privilege Escalation),
08aaff
   CVE-2021-33120 (Out of bounds read for some Intel Atom processors):
08aaff
   https://access.redhat.com/articles/6716541
27ee4a
 * CVE-2022-0005 (Informational disclosure via JTAG),
27ee4a
   CVE-2022-21123 (Shared Buffers Data Read),
27ee4a
   CVE-2022-21125 (Shared Buffers Data Sampling),
27ee4a
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
27ee4a
   CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
27ee4a
   CVE-2022-21136 (Overclocking service access protection),
27ee4a
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
27ee4a
   CVE-2022-21166 (Device Register Partial Write):
27ee4a
   https://access.redhat.com/articles/6963124
dd8597
 * CVE-2022-21233 (Stale Data Read from legacy xAPIC):
dd8597
   https://access.redhat.com/articles/6976398