Blame SOURCES/README.caveats

6c53eb
The microcode_ctl package contains microcode files (vendor-provided binary data
6c53eb
and/or code in proprietary format that affects behaviour of a device) for Intel
6c53eb
CPUs that may be loaded into the CPU during boot.
6c53eb
6c53eb
The microcode_ctl package contains provisions for some issues related
6c53eb
to microcode loading.  While those provisions are expected to suit most users,
6c53eb
several knobs are available in order to provide ability to override the default
6c53eb
behaviour.
4eb1a6
4eb1a6
4eb1a6
General behaviour
4eb1a6
=================
742279
In RHEL 7, there are currently two main handlers for CPU microcode update:
4eb1a6
 * Early microcode update. It uses GenuineIntel.bin or AuthenticAMD.bin file
4eb1a6
   placed at the beginning of an initramfs image
742279
   (/boot/initramfs-KERNEL_VERSION.img, where "KERNEL_VERSION" is a kernel
742279
   version in the same format as provided by "uname -r") as a source
742279
   of microcode data, and is performed very early during the boot process
742279
   (if the relevant microcode file is available in the aforementioned file).
4eb1a6
 * On-demand (late) microcode update. It can be triggered by writing "1" to
4eb1a6
   /sys/devices/system/cpu/microcode/reload file (provided my the "microcode"
742279
   module). It relies on request_firmware infrastructure, which searches (and
742279
   loads, if found) microcode from a file present in one of the following
742279
   directories (in the search order):
4eb1a6
       /lib/firmware/updates/KERNEL_VERSION/
4eb1a6
       /lib/firmware/updates/
4eb1a6
       /lib/firmware/KERNEL_VERSION/
4eb1a6
       /lib/firmware/
4eb1a6
  (there is also an additional directory that can be configured via the
4eb1a6
  "fw_path_para" module option of the "firmware_class" module; as this module
4eb1a6
  is built-in in RHEL kernel, a boot parameter "firmware_class.fw_path_para"
4eb1a6
  should be used for that purpose; this is out of the document's scope, however)
4eb1a6
4eb1a6
The firmware for Intel CPUs is searched in "intel-ucode" subdirectory, and for
4eb1a6
AMD CPUs, a file under "amd-ucode" is searched.
4eb1a6
4eb1a6
For Intel CPUs, the name of the specific microcode file the kernel tries to load
4eb1a6
has the format "FF-MM-SS", where "FF" is the family number, "MM" is the model
4eb1a6
number, and "SS" is the stepping. All those numbers are zero-filled to two digits
4eb1a6
and are written in hexadecimal (letters are in the lower case).  For AMD CPUs,
4eb1a6
the file name has the format "microcode_amd_famFFh.bin", where "FF" is the
4eb1a6
family number, written in hexadecimal, letters are in the lower case, not
4eb1a6
zero-filled.
4eb1a6
4eb1a6
The early microcode is placed into initramfs image by the "dracut" script, which
4eb1a6
scans the aforementioned subdirectories of the configured list of firmware
742279
directories (by default, the list consists of two directories in RHEL 7,
4eb1a6
"/lib/firmware/updates" and "/lib/firmware").
4eb1a6
742279
In RHEL 7, AMD CPU microcode is shipped as a part of the linux-firmware package,
4eb1a6
and Intel microcode is shipped as a part of the microcode_ctl package.
4eb1a6
4eb1a6
The microcode_ctl package currently includes the following:
742279
 * Intel CPU microcode files, placed in /usr/share/microcode_ctl/intel-ucode
742279
   directory (currently there are none);
4eb1a6
 * A dracut module, /usr/lib/dracut/modules.d/99microcode_ctl-fw_dir_override,
4eb1a6
   that controls which additional firmware directories will be added to dracut's
4eb1a6
   default configuration;
742279
 * A dracut configuration file, /usr/lib/dracut/dracut.conf.d/01-microcode.conf,
742279
   that enables inclusion of early microcode to the generated initramfs
742279
   in dracut;
742279
 * A dracut configuration file,
742279
   /usr/lib/dracut/dracut.conf.d/99-microcode-override.conf, that provides a way
742279
   to quickly disable 99microcode_ctl-fw_dir-override dracut module;
4eb1a6
 * A systemd service file, microcode.service, that triggers microcode reload
4eb1a6
   late during boot;
742279
 * A set of directories in /usr/share/microcode_ctl/ucode_with_caveats, each
742279
   of which contains configuration and related data for various caveats related
742279
   to microcode:
742279
   * readme - description of caveat and related information,
742279
   * config - caveat configuration file, with syntax as described in "Caveat
742279
     configuration" section below,
742279
   * intel-ucode - directory containing microcode files related to the caveat;
4eb1a6
 * A set of support scripts, placed in /usr/libexec/microcode_ctl:
4eb1a6
   * "check_caveats" is an utility script that performs checks of the target
4eb1a6
     kernel (and running CPU) in accordance with caveat configuration files
742279
     in ucode_with_caveats directory and reports whether it passes them or not,
4eb1a6
   * "reload_microcode" is a script that is called by microcode.service and
4eb1a6
     triggers microcode reloading (by writing "1" to
4eb1a6
     /sys/devices/system/cpu/microcode/reload) if the running kernel passes
742279
     check_caveats checks,
4eb1a6
   * "update_ucode" is a script that populates symlinks to microcode files
4eb1a6
     in /lib/firmware, so it can be picked up by relevant kernels for the late
4eb1a6
     microcode loading.
4eb1a6
4eb1a6
Also, microcode_ctl RPM includes triggers that run update_ucode script on every
4eb1a6
installation or removal of a kernel RPM in order to provide microcode files
4eb1a6
for newly installed kernels and cleanup symlinks for the uninstalled ones.
4eb1a6
4eb1a6
cc944f
Microcode file structure
cc944f
------------------------
cc944f
Intel x86 CPU microcode file (that is, one that can be directly consumed
cc944f
by the CPU/kernel, and not its text representation such as used in microcode.dat
cc944f
files) is a bundle of concatenated microcode blobs.  Each blob has a header,
cc944f
payload, and an optional additional data, as follows (for additional information
cc944f
please refer to "Intel® 64 and IA-32 Architectures Software Developer’s Manual"
cc944f
[1], Volume 3A, Section 9.11.1 "Microcode Update"):
cc944f
 * Header (48 bytes)
cc944f
    * Header version (unsigned 32-bit integer): version number of the update
cc944f
      header.  Must be 0x1.
cc944f
    * Microcode revision (signed 32-bit integer)
cc944f
    * Microcode date (unsigned 32-bit integer): encoded as BCD in mmddyyyy format
cc944f
      (0x03141592 is 1592-03-14 in ISO 8601)
cc944f
    * CPU signature (unsigned 32-bit integer): CPU ID, as provided
cc944f
      by the CPUID (EAX = 0x1) instruction in the EAX register:
cc944f
       * bits 31..28: reserved
cc944f
       * bits 27..20: "Extended Family", summed with the Family field value
cc944f
       * bits 19..16: "Extended Model", bits 7..4 of the CPU model
cc944f
       * bits 15..14: reserved
cc944f
       * bits 13..12: "Processor Type", non-zero value (other than the "primary
cc944f
         processor") so far used only for the Deschutes (Pentium II) CPU family,
cc944f
         with the processor type of 1, to signify it is an Overdrive processor:
cc944f
         CPUID 0x1632.
cc944f
       * bits 11..08: Family, summed with the Extended Family field value
cc944f
       * bits 07..04: Model (bits 3..0)
cc944f
       * bits 03..00: Stepping
cc944f
      In short, microcode file with Family-Model-Stepping of uv-wx-0z corresponds
cc944f
      to CPUID 0x0TUw0Vxz, where uv = TU + V, with V usually being 0xF when
cc944f
      uv >= 16; with Family being 6 on most of recent Intel CPUs this transforms
cc944f
      into 0x000w06xz.  Please also refer to README.intel-ucode, section "About
cc944f
      Processor Signature, Family, Model, Stepping and Platform ID"
cc944f
      for additional information.
cc944f
    * Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32) of all
cc944f
      the 32-bit integers comprising the microcode amounts to 0.
cc944f
    * Loader version (unsigned 32-bit integer): 0x1.
cc944f
    * Platform ID mask (unsigned 32-bit integer): lower 8 bits indicate the set
cc944f
      of possible values of bits 52..50 of MSR 0x17 ("Platform ID").  In old
cc944f
      (up to Pentium II) microcode blobs the mask may be zero.
cc944f
    * Data size (unsigned 32-bit integer): size of the Payload in bytes,
cc944f
      has to be divisible by 4.  0 means 2000.
cc944f
    * Total size (unsigned 32-bit integer): total microcode blob size (including
cc944f
      header and extended header), has to be divisible by 1024.  0 means 2048.
cc944f
    * Reserved (12 bytes).
cc944f
 * Payload
cc944f
 * Additional data (optional, 20 + 12 * n bytes)
cc944f
    * Extended signature table header (20 bytes)
cc944f
       * Extended signature count (unsigned 32-bit integer)
cc944f
       * Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32)
cc944f
         of all the 32-bit integers comprising the extender signature table
cc944f
         amounts to 0.
cc944f
       * Reserved (12 bytes).
cc944f
    * Extended signature (12 bytes each)
cc944f
       * CPU signature (unsigned 32-bit integer): see the description of the CPU
cc944f
         signature field in the Header above.
cc944f
       * Platform ID mask (unsigned 32-bit integer): see the description
cc944f
         of the Platform ID mask field in the Header above.
cc944f
       * Checksum (unsigned 32-bit integer): correct if sum (in base 1<< 32)
cc944f
         of all the 32-bit integers comprising the Header (with CPU signature
cc944f
         and Platform ID mask fields replaced with the values from this signature)
cc944f
         and the Payload amounts to 0.  Note that since External signature table
cc944f
         header has its own checksum, sum of all its 32-bit values amounts to 0,
cc944f
         so the Checksum in the Header and in the Extended signature will be
cc944f
         the same if the values of CPU signature and Platform ID mask fields
cc944f
         are the same,
cc944f
cc944f
[1] https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-1-2a-2b-2c-2d-3a-3b-3c-3d-and-4.html
cc944f
cc944f
4eb1a6
Caveat configuration
4eb1a6
--------------------
4eb1a6
There is a directory for each caveat under
4eb1a6
/usr/share/microcode_ctl/ucode_with_caveats, containing the following files:
4eb1a6
 * "config", a configuration file for the caveat;
4eb1a6
 * "readme", that contains description of the caveat;
4eb1a6
 * set of related associated microcode files.
4eb1a6
4eb1a6
"config" file is a set of lines each containing option name and its value,
4eb1a6
separated by white space.  Currently, the following options are supported:
4eb1a6
 * "model" option, which has format "VENDOR_ID FF-MM-SS", that specifies
4eb1a6
   to which CPU model the caveat is applicable (check_caveats ignores caveats
4eb1a6
   with non-matching models if "-m" option is passed to it). Can be set
4eb1a6
   in the configuration file only once (the last provided value is used).
4eb1a6
 * "vendor" option specifies CPUs of which vendor (as provided
4eb1a6
   in the /proc/cpuinfo file) the caveat is applicable to (check_caveats
4eb1a6
   ignores caveats with non-matching models when it is invoked with "-m"
4eb1a6
   option). Can be set in the configuration file only once.
4eb1a6
 * "path" is a glob pattern that specifies set of microcode files associated
4eb1a6
   with the caveat as a relative path to the caveat directory. This option
4eb1a6
   is used for populating files in /lib/firmware by update_ucode script and
4eb1a6
   for matching microcode file when dracut is run in host-only mode
4eb1a6
   (as in that case it uses only the first directory in firmware directory list
4eb1a6
   to look for the microcode file applicable to the host CPU).  Can be set
4eb1a6
   in the configuration file multiple times.
4eb1a6
 * "kernel" is a minimal kernel version that supports proper handling
4eb1a6
   of the related microcode files during late microcode load.  It may be
4eb1a6
   provided in one of the following formats that affect the way it is compared
4eb1a6
   to the running kernel version:
4eb1a6
    * A.B.C (where A, B, and C are decimal numbers), "upstream version". In this
4eb1a6
      case, simple version comparison against the respective part of the running
4eb1a6
      kernel version is used, and the running kernel version should be greater
4eb1a6
      or equal than the version provided in the configuration option in order
4eb1a6
      for comparison to succeed (that is, the first part, major version number,
4eb1a6
      of the running kernel version should be greater than the value provided
4eb1a6
      in the configuration option, or those should be equal and the second part,
4eb1a6
      minor version number, should be greater than the minor version number
4eb1a6
      of the kernel version provided in the configuration option, or the first
4eb1a6
      two parts should be equal and the third part, patch level, should
4eb1a6
      be greater or equal the patch level of the version in the configuration
4eb1a6
      option).
4eb1a6
    * A.B.C-Y (where A, B, C, and Y are decimal numbers), "Y-stream version".
4eb1a6
      In this case, A.B.C part should be equal, and Y part of the running kernel
4eb1a6
      version should be greater or equal than the Y part of the configuration
4eb1a6
      option version in order to satisfy the comparison requirement.
4eb1a6
    * A.B.C-Y.Z1.Z2 (where A, B, C, Y, Z1, and Z2 are decimal numbers),
4eb1a6
      "Z-stream version". In this case, A.B.C-Y part should be equal and Z1.Z2
4eb1a6
      part of the running kernel should be greater or equal than the respective
4eb1a6
      part of the configuration option version (when compared as a version)
4eb1a6
      for comparison to succeed.
4eb1a6
   Kernel version check passed if at least one comparison of the running kernel
4eb1a6
   version against a kernel version provided in a configuration option
4eb1a6
   succeeded.  The "kernel" configuration option can be provided
4eb1a6
   in the configuration file multiple times.
4eb1a6
 * "kernel_early" is a minimal kernel version that supports proper handling
4eb1a6
   of the related microcode during early microcode load. The format of the
4eb1a6
   option and its semantics is similar to the "kernel" configuration options.
4eb1a6
   This option can be provided multiple times as well.
4eb1a6
 * "mc_min_ver_late" is the minimal version of the currently loaded microcode
4eb1a6
   on the CPU (as reported in /proc/cpuinfo) that supports late microcode
4eb1a6
   update.  Microcode update will be attempted only if the currently loaded
4eb1a6
   microcode version is greater or equal the microcode version provided
4eb1a6
   in the configuration option. Can be set in the configuration file only once.
4eb1a6
 * "disable" is a way to disable a specific caveat from inside its
4eb1a6
   configuration. Argument for the argument is a list of stages ("early",
4eb1a6
   "late") for which the caveat should be disable. The configuration option
4eb1a6
   can be provided multiple times in a configuration file.
347126
 * "pci_config_val" performs check for specific values in selected parts
347126
   of configuration space of specified PCI devices.  If "-m" option
347126
   is not specified, then the actual check is skipped, and the check returns
347126
   result in accordance with the provided "mode" option (se below).  Check
347126
   arguments are a white-space-separated list of "key=value" pairs.
347126
   The following keys are supported:
347126
    * "domain" - PCI domain number, or "*" (an asterisk) for any domain.
347126
      Default is "*".
347126
    * "bus" - PCI bus number, or "*" (an asterisk) for any bus.  Default is "*".
347126
    * "device" - PCI device number, or "*" (an asterisk) for any device.
347126
      Default is "*".
347126
    * "function" - PCI function number, or "*" (an asterisk) for any function.
347126
      Default is "*".
347126
    * "vid" - PCI vendor ID, or empty string for any vendor ID.  Default
347126
      is empty string.
347126
    * "did" - PCI device ID, or empty string for any device ID.  Default
347126
      is empty string.
347126
    * "offset" - offset in device's configuration space where the value resides.
347126
      Default is 0.
347126
    * "size" - field size.  Possible values are 1, 2, 4, or 8.  Default is 4.
347126
    * "mask" - mask applied to the values during the check.  Default is 0.
347126
    * "val" - comma-separated list of matching values.  Default is 0.
347126
    * "mode" - check mode, the way matches are interpreted:
347126
       * "success-any" - check succeeds if there was at least one match,
347126
         otherwise it fails.
347126
       * "success-all" - check succeeds if there was at least one device checked
347126
         and all the checked devices have matches, otherwise the check fails.
347126
       * "fail-any" - check fails if there was at least one match, otherwise
347126
         it succeeds.
347126
       * "fail-all" - check fails if there was at least one device checked
347126
         and all the checked devices have matches, otherwise the check succeeds.
347126
   An example of a check:
347126
       pci_config_val mode=success-all device=30 function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
347126
   It interprets 4 bytes at offset 0x84 of special files "config" under
347126
   directories that match glob pattern "/sys/bus/pci/devices/*:*:1e.3"
347126
   as an unsigned integer value, applies mask 0x38 (thus selecting bit 5..3
347126
   of it) and checks whether it is one of the values 0x38, 0x18, or 0x8 (0b111,
347126
   0b011, or 0b001 in bits 5..3, respectively); if there are such files,
347126
   and all the checked values in every checked file has matched at least one
347126
   of the aforementioned value, then the check is successful, otherwise
347126
   it fails (in accordance with "mode=success-all" semantics).  This check fails
347126
   if "-m" option is not specified.
50693b
 * "dmi" performs checks for specific values available in DMI sysfs files
50693b
   (present under /sys/devices/virtual/dmi/id/).  The check fails if file
50693b
   is not readable.  If "-m" option is specified, then the actual check
50693b
   is skipped, and the check returns value in accordance with "no-model-mode"
50693b
   parameter value (see below).  Check arguments are a white-space-separated
50693b
   list of "key=value" pairs.  The following keys are supported:
50693b
    * "key" - DMI file to check. Value can be one of the following: bios_date,
50693b
      bios_vendor, bios_version, board_asset_tag, board_name, board_serial,
50693b
      board_vendor, board_version, chassis_asset_tag, chassis_serial,
50693b
      chassis_type, chassis_vendor, chassis_version, product_family,
50693b
      product_name, product_serial, product_uuid, product_version, sys_vendor.
50693b
      Default is empty string.
50693b
    * "val" - a string to match DMI data against.  Can be enclosed in single
50693b
      or double quotes.  Default is empty string.
50693b
    * "mode" - check mode, the way matches are interpreted:
50693b
       * "success-equal" - returns 0 if the value present in the file
50693b
         with the name supplied via the "key" parameter file under
50693b
	 /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
50693b
	 of "val" parameter, otherwise 1.
50693b
       * "success-equal" - returns 1 if the value present in the file
50693b
         with the name supplied via the "key" parameter file under
50693b
	 /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value
50693b
	 of "val" parameter, otherwise 0.
50693b
      Default is "success-any".
50693b
    * "no-model-mode" - return value if model filter ("-m" option)
50693b
      is not enabled:
50693b
       * "success" - return 0.
50693b
       * "fail" - return 1.
50693b
      Default is "success".
50693b
   An example of a check:
50693b
       dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc."
50693b
   It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its
50693b
   content is "Dell Inc." (without quotes).  It succeeds if "-m" option
50693b
   is not enabled.
4eb1a6
4eb1a6
4eb1a6
check_caveats script
4eb1a6
--------------------
4eb1a6
"check_caveats" is an utility script (called by update_ucode, reload_microcode,
4eb1a6
dracut module) that performs checks of the target kernel (and running CPU)
4eb1a6
in accordance with caveat configuration files in directory
4eb1a6
"/usr/share/microcode_ctl/ucode_with_caveats", and returns information, whether
4eb1a6
the system passes the checks, or not.
4eb1a6
4eb1a6
Usage:
4eb1a6
    check_caveats [-e] [-k TARGET_KVER] [-c CONFIG]* [-m] [-v]'
4eb1a6
4eb1a6
Options:
4eb1a6
  -e - check for early microcode load possibility (instead of late microcode
4eb1a6
       load). "kernel_early" caveat configuration options are used for checking
4eb1a6
       instead of "kernel", and "mc_min_ver_late" is not checked.
4eb1a6
  -k - target kernel version to check against, $(uname -r) is used otherwise.
4eb1a6
  -c - caveat(s) to check, all caveat configurations found inside
4eb1a6
       $MC_CAVEATS_DATA_DIR are checked otherwise.
4eb1a6
  -m - ignore caveats that do not apply to the current CPU model.
4eb1a6
  -v - verbose output.
4eb1a6
4eb1a6
Environment:
742279
  MC_CAVEATS_DATA_DIR - directory that contains caveats configurations,
742279
                        "/usr/share/microcode_ctl/ucode_with_caveats"
742279
			by default.
4eb1a6
  FW_DIR - directory containing firmware files (per-kernel configuration
742279
           overrides are checked there), "/lib/firmware" by default.
742279
  CFG_DIR - directory containing global caveats overrides,
742279
            "/etc/microcode_ctl/ucode_with_caveats" by default.
4eb1a6
4eb1a6
Output:
4eb1a6
  Script returns information about caveats check results. Output has a format
4eb1a6
  of "KEY VALUE1 VALUE2 ..." with KEY defining the semantics of the VALUEs.
4eb1a6
  Currently, the following data is issued:
4eb1a6
   - "cfgs" - list of caveats that have been processed (and not skipped
4eb1a6
      due to missing "config", "readme", or a disallow-* override described
4eb1a6
      below);
4eb1a6
   - "skip_cfgs" - list of caveats that have been skipped (due to missing
4eb1a6
     config/readme file, or because of overrides);
4eb1a6
   - "paths" - list of glob patterns matching files associated with caveats
4eb1a6
     that have been processed;
4eb1a6
   - "ok_cfgs" - list of caveat configurations that have all the checks passed
4eb1a6
     (or have enforced by one of force-* overrides described below);
4eb1a6
   - "ok_paths" - list of glob patterns associated with caveat files from
4eb1a6
     the "ok_cfgs" list;
4eb1a6
   - "fail_cfgs" - list of caveats that have one of the checks failed.
4eb1a6
   - "fail_paths" - list of glob patterns associated with caveats from the
4eb1a6
     "fail_cfgs" list.
4eb1a6
4eb1a6
Return value:
4eb1a6
  - 0 in case caveats check has passed, 1 otherwise.
4eb1a6
  - In "-d" mode, 0 is always returned.
4eb1a6
4eb1a6
Overrides:
4eb1a6
4eb1a6
When check_caveats perform its checks, it also checks for presence of files
4eb1a6
in specific places, and, if they exist, check_caveats skips a caveat or ignores
4eb1a6
its checks; that mechanism allows overriding the information provided
4eb1a6
in configuration on local systems and affect the behaviour of the microcode
4eb1a6
update process.
4eb1a6
4eb1a6
Current list of overrides (where $FW_DIR and $CFG_DIR are the environment
4eb1a6
options described earlier; $kver - the currently processed kernel version,
4eb1a6
$s is the requested stage ("early" or "late"), $cfg is the caveat directory
4eb1a6
name):
4eb1a6
    $FW_DIR/$kver/disallow-$s-$cfg - skip a caveat for the requested stage for
4eb1a6
                                     a specific kernel version..
4eb1a6
    $FW_DIR/$kver/force-$s-$cfg - apply a specific caveat file for a specific
4eb1a6
                                  kernel version for the requested stage without
4eb1a6
				  performing any checks.
4eb1a6
    $FW_DIR/$kver/disallow-$cfg - skip a caveat for any stage for a specific
4eb1a6
                                  kernel version.
4eb1a6
    $FW_DIR/$kver/force-$cfg - apply a specific caveat for any stage
4eb1a6
                               for a specific kernel version without checks.
4eb1a6
    $FW_DIR/$kver/disallow-$s - skip all caveats for a specific stage
4eb1a6
                                for a specific kernel version.
4eb1a6
    $CFG_DIR/disallow-$s-$cfg - skip a caveat for a specific stage for all
4eb1a6
                                kernel versions.
4eb1a6
    $FW_DIR/$kver/force-$s - apply all caveats for a specific stage
4eb1a6
                             for a specific kernel version without checks.
4eb1a6
    $CFG_DIR/force-$s-$cfg - apply a specific caveat for a specific stage for
4eb1a6
                             all kernel versions without checks.
4eb1a6
    $FW_DIR/$kver/disallow - skip all caveats for all stages for a specific
4eb1a6
                             kernel version.
4eb1a6
    $CFG_DIR/disallow-$cfg - skip a caveat for all stages for all kernel
4eb1a6
                             versions.
4eb1a6
    $FW_DIR/$kver/force - apply all caveats for all stages for a specific kernel
4eb1a6
                          version without checks.
4eb1a6
    $CFG_DIR/force-$cfg - apply a caveat for all stages for all kernel versions
4eb1a6
                          without checks.
4eb1a6
    $CFG_DIR/disallow-$s - skip all caveat for all kernel versions
4eb1a6
                           for a specific stage.
4eb1a6
    $CFG_DIR/force-$s - apply all caveats for all kernel versions for  specific
4eb1a6
                        stage without checks.
4eb1a6
    $CFG_DIR/disallow - skip all caveats for all stages for all kernel versions
4eb1a6
                        (disable everything).
4eb1a6
    $CFG_DIR/force - force all caveats for all stages for all kernel versions
4eb1a6
                     (enable everything).
4eb1a6
4eb1a6
The "apply" action above means creating symlinks in /lib/firmware by
4eb1a6
update_ucode in case of the "late" stage and adding caveat directory to the list
4eb1a6
of firmware directories by dracut plugin in case of the "early" stage.
4eb1a6
4eb1a6
The files are checked for existence until the first match, so more specific
4eb1a6
overrides can override more broad ones.
4eb1a6
4eb1a6
Also, a caveat is ignored if it lacks either config or readme file.
4eb1a6
4eb1a6
4eb1a6
update_ucode script
4eb1a6
-------------------
4eb1a6
"update_ucode" populates symlinks to microcode files in accordance with caveats
4eb1a6
configuration.  It enables late microcode loading that is invoked by triggering
4eb1a6
/sys/devices/system/cpu/microcode/reload file.  Since caveats depend
4eb1a6
on the kernel version, symlinks are populated inside
4eb1a6
"/lib/firmware/KERNEL_VERSION" directory for each installed kernel.
4eb1a6
As a consequence, this script is triggered upon each kernel package installation
4eb1a6
and removal.
4eb1a6
4eb1a6
The script has two parts: common and kernel-version-specific.
4eb1a6
4eb1a6
During the common part, files are populated from
4eb1a6
/usr/share/microcode_ctl/intel-ucode in /lib/firmware/intel-ucode. There are
4eb1a6
several possibilities to affect the process:
4eb1a6
 * Presence of "/etc/microcode_ctl/intel-ucode-disallow" file leads to skipping
4eb1a6
   the common part of the script.
4eb1a6
 * The same for "/lib/firmware/intel-ucode-disallow".
4eb1a6
4eb1a6
During the kernel-version-specific part, each caveat is checked against every
4eb1a6
kernel version, and those combinations, for which caveat check succeeds,
4eb1a6
gets the symlinks to the associated microcode files populated.
4eb1a6
 * Absence of "/lib/firmware/KERNEL_VERSION/readme-CAVEAT" prevents update_ucode
4eb1a6
   from removing symlinks related to the caveat for specific kernel version.
4eb1a6
 * Since the check is being done by check_caveats, all the overrides that
4eb1a6
   described there also stay.
4eb1a6
4eb1a6
Usage:
4eb1a6
    update_ucode [--action {add|remove|refresh|list}] [--kernel KERNELVER]*
4eb1a6
                 [--verbose] [--dry-run] [--cleanup intel_ucode caveats_ucode]
4eb1a6
                 [--skip-common] [--skip-kernel-specific]
4eb1a6
4eb1a6
Options:
4eb1a6
  --action - action to perform. Currently, the following actions are supported:
4eb1a6
              * "add" - create new symlinks.
4eb1a6
              * "remove" - remove old symlinks that are no longer needed.
4eb1a6
              * "refresh" - re-populate symlinks.
4eb1a6
              * "list" - list files under control of update_ucode.
4eb1a6
             By default, "refresh" action is executed.
4eb1a6
  --kernel - kernel version to process. By default, list of kernel versions
4eb1a6
             is formed based on contents of /lib/firmware and /lib/modules
4eb1a6
             directories.
4eb1a6
  --verbose - verbose output.
4eb1a6
  --dry-run - do not call commands, just print the invocation lines.
4eb1a6
  --cleanup - cleanup mode. Used by post-uninstall script during package
4eb1a6
              upgrades. Removes excess files in accordance to the contents
4eb1a6
              of the files provided in the arguments to the option.
4eb1a6
  --skip-common - do not process /lib/firmware directory.
4eb1a6
  --skip-kernel-specific - do not process /lib/firmware/KERNEL_VERSION
4eb1a6
                           directories.
4eb1a6
4eb1a6
Return value:
4eb1a6
  0 on success, 1 on error.
4eb1a6
4eb1a6
4eb1a6
reload_microcode script
4eb1a6
-----------------------
4eb1a6
"reload_microcode" is a script that is called by microcode.service and
4eb1a6
triggers late microcode reloading (by writing "1" to
742279
/sys/devices/system/cpu/microcode/reload) if the following check are passed:
742279
 * the microcode update performed not in a virtualised environment;
742279
 * running kernel passes "check_caveats" checks that applicable to the current
742279
   CPU model.
4eb1a6
742279
For a virtualised environment check, the script searches the "/proc/cpuinfo"
742279
file for presence of the "hypervisor" flag among CPU features (it corresponds
742279
to a CPUID feature bit set by hypervisors in order to inform that the kernel
742279
operates inside a virtual machine).  This check can be overridden and skipped
742279
by creation of a file "/etc/microcode_ctl/ignore-hypervisor-flag".
4eb1a6
4eb1a6
The script has no options and always returns 0.
4eb1a6
4eb1a6
4eb1a6
99microcode_ctl-fw_dir_override dracut module
4eb1a6
---------------------------------------------
4eb1a6
This dracut module injects directories with microcode files for caveats
4eb1a6
that pass "early" check_caveats check (with "-e" flag). In addition
742279
to "check_caveats" overrides, the following abilities to control module's
742279
behaviour are present:
4eb1a6
 * Presence of one of the following files:
4eb1a6
   - /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check
4eb1a6
   - /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check-$cfg
4eb1a6
   - /lib/firmware/$kver/skip-host-only-check
4eb1a6
   - /lib/firmware/$kver/skip-host-only-check-$cfg
4eb1a6
   (where "$kver" is the kernel version in question and "$cfg" is the caveat
4eb1a6
   directory name) allows skipping matching of microcode file name when dracut's
4eb1a6
   Host-Only mode is enabled.
4eb1a6
742279
When caveats_check succeeds, caveats directory (not its possibly populated
742279
version for late microcode update: "/lib/firmware/KERNEL_VERSION";
742279
it is done so in order
742279
to have ability to configure list of caveats enabled for early and late
742279
microcode update, independently) is added to dracut's list of firmware search
742279
directories.
4eb1a6
4eb1a6
The module can be disabled by running dracut with
742279
"-o microcode_ctl-fw_dir_override" (for one-time exclusion), or it can
742279
be disabled permanently by uncommenting string
742279
"omit_dracutmodules+=' microcode_ctl-fw_dir_override '" in
742279
/usr/lib/dracut/dracut.conf.d/99-microcode-override.conf configuration file.
742279
742279
See dracut(8), section "Omitting dracut Modules", and dracut.conf(5), variable
742279
"omit_dracutmodules" for additional information.
4eb1a6
4eb1a6
4eb1a6
Caveats
4eb1a6
=======
4eb1a6
4eb1a6
Intel Broadwell-EP/EX ("BDX-ML B/M/R0") caveat
4eb1a6
----------------------------------------------
742279
Microcode update process on Intel Broadwell-EP/EX CPUs (BDX-ML B/M/R0,
742279
family 6, model 79, stepping 1) has issues that lead to system instability.
742279
A series of changes for the Linux kernel has been developed in order to work
742279
around those issues; however, as it turned out, some systems have issues even
742279
when a microcode update performed on a kernel that contains those changes.
742279
As a result, microcode update for this CPU model is disabled by default;
742279
the microcode file, however, is still shipped as a part of microcode_ctl
742279
package and can be used for performing a microcode update if it is enforced
f3c512
via the aforementioned overrides. (See the sections "check_caveats script"
ee041c
and "reload_microcode script" for details.)
4eb1a6
f3c512
Caveat name: intel-06-4f-01
f3c512
4eb1a6
Affected microcode: intel-ucode/06-4f-01.
4eb1a6
6c53eb
Mitigation: microcode loading is disabled for the affected CPU model.
4eb1a6
742279
Minimum versions of the kernel package that contain the aforementioned patch
742279
series:
742279
 - Upstream/RHEL 8: 4.17.0
742279
 - RHEL 7.6 onwards:  3.10.0-894
4eb1a6
 - RHEL 7.5:  3.10.0-862.6.1
4eb1a6
 - RHEL 7.4:  3.10.0-693.35.1
4eb1a6
 - RHEL 7.3:  3.10.0-514.52.1
4eb1a6
 - RHEL 7.2:  3.10.0-327.70.1
4eb1a6
 - RHEL 6.10: 2.6.32-754.1.1
4eb1a6
 - RHEL 6.7:  2.6.32-573.58.1
4eb1a6
 - RHEL 6.6:  2.6.32-504.71.1
4eb1a6
 - RHEL 6.5:  2.6.32-431.90.1
4eb1a6
 - RHEL 6.4:  2.6.32-358.90.1
4eb1a6
4eb1a6
4eb1a6
Early microcode load inside a virtual machine
4eb1a6
---------------------------------------------
742279
RHEL 7 kernel supports performing microcode update during early boot stage
742279
from a cpio archive placed at the beginning of the initramfs image.  However,
742279
when an early microcode update is attempted inside some virtualised
742279
environments, that may result in unexpected system behaviour.
4eb1a6
f3c512
Caveat name: intel
f3c512
4eb1a6
Affected microcode: all.
4eb1a6
f3c512
Mitigation: early microcode loading is disabled for all CPU models on kernels
f3c512
without the fix.
4eb1a6
6c53eb
Minimum versions of the kernel package that contain the fix:
742279
 - Upstream/RHEL 8: 4.10.0
742279
 - RHEL 7.6 onwards: 3.10.0-930
4eb1a6
 - RHEL 7.5: 3.10.0-862.14.1
4eb1a6
 - RHEL 7.4: 3.10.0-693.38.1
4eb1a6
 - RHEL 7.3: 3.10.0-514.57.1
6c53eb
 - RHEL 7.2: 3.10.0-327.73.1
742279
742279
ee041c
Intel Sandy Bridge-E/EN/EP caveat
ee041c
---------------------------------
9db7ba
Microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6,
9db7ba
model 45, stepping 7), that was released to address MDS vulnerability,
9db7ba
and was available from microcode-20190618 up to microcode-20190508 release)
9db7ba
could lead to system instability[1][2].  In order to address this,
9db7ba
this microcode update was not used and the previous microcode revision
9db7ba
was provided instead by default; the microcode file, however, was still shipped
9db7ba
as part of microcode_ctl package and could be used for performing a microcode
9db7ba
update if it is enforced via the aforementioned overrides.  With the release
9db7ba
of 0x71a revision of the microcode (as art of microcode-20200520 release)
9db7ba
that aims at fixing the aforementioned stability issue, the latest microcode
9db7ba
revision is again used by default; it is still provided via the caveat
9db7ba
mechanism, hovewer, in order to enable ability to disable it in case such
9db7ba
a need arises.  (See the sections "check_caveats script" and "reload_microcode
9db7ba
script" for details regarding caveats mechanism operation.)
f3c512
347126
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
347126
[2] https://access.redhat.com/solutions/4593951
347126
f3c512
Caveat name: intel-06-2d-07
ee041c
ee041c
Affected microcode: intel-ucode/06-2d-07.
ee041c
9db7ba
Mitigation: None; the latest revision of the microcode file is used by default;
9db7ba
previously published microcode revision 0x714 is still available as a fallback
9db7ba
as part of "intel" caveat.
ee041c
ee041c
f3c512
Intel Skylake-SP/W/X caveat
f3c512
---------------------------
9db7ba
Microcode revision 0x2000065 (that was provided with microcode releases
9db7ba
microcode-20191112 up to microcode-20200520) for some CPU models that belong
9db7ba
to Intel Skylake Scalable Platform (SKL-W/X, family 6, model 85, stepping 4,
9db7ba
Workstation/HEDT segments) could lead to hangs during reboot[1].  In order
9db7ba
to address this, by default this microcode update was disabled by default and
9db7ba
and the previous 0x2000064 microcode revision was used instead; the microcode
9db7ba
file with, however, is still shipped as part of microcode_ctl package and can
9db7ba
be used for performing a microcode update if it is enforced
9db7ba
via the aforementioned overrides. With the availability of 0x2006906 revision
9db7ba
of the microcode (in the microcode-20200609 release) that fixes
9db7ba
the aforementioned issue, the latest microcode revision is again used
9db7ba
by default; it is still provided via caveat mechanism, hovewer, in order
9db7ba
to enable ability to disable it in case such a need arises.  (See the sections
9db7ba
"check_caveats script" and "reload_microcode script" for details regarding
9db7ba
caveats mechanism operation.)
347126
347126
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
f3c512
f3c512
Caveat name: intel-06-55-04
f3c512
f3c512
Affected microcode: intel-ucode/06-55-04.
f3c512
9db7ba
Mitigation: None; the latest revision of the microcode file is used by default;
9db7ba
previously published microcode revision 0x2000064 is still available
9db7ba
as a fallback as part of "intel" caveat.
9db7ba
9db7ba
9db7ba
Intel Skylake-U/Y/H/S/Xeon E3 v5 caveats
9db7ba
----------------------------------------
9db7ba
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3;
9db7ba
and SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of system
9db7ba
hangs when revision 0xdc of microcode, that is included in microcode-20200609
9db7ba
update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549,
9db7ba
is applied[1][2].  In order to address this, microcode update to the newer
9db7ba
revision has been disabled by default on these systems, and the previously
9db7ba
published microcode revision 0xd6 is used instead; the newer microcode files,
9db7ba
however, are still shipped as part of microcode_ctl package and can be used
9db7ba
for performing a microcode update if they are enforced via the aforementioned
9db7ba
overrides.  (See the sections "check_caveats script" and "reload_microcode
9db7ba
script" for details.)
9db7ba
9db7ba
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
9db7ba
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
9db7ba
9db7ba
Caveat names: intel-06-4e-03, intel-06-5e-03
9db7ba
9db7ba
Affected microcode: intel-ucode/06-4e-03, intel-ucode/06-5e-03.
9db7ba
9db7ba
Mitigation: previously published microcode revision 0xd6 is used by default.
f3c512
f3c512
501af6
Intel Tiger Lake-UP3/UP4 caveat
501af6
-------------------------------
501af6
Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140,
501af6
stepping 1) have reports of system hangs when a microcode update,
501af6
that is included since microcode-20201110 release, is applied[1].
501af6
In order to address this, microcode update to a newer revision has been disabled
501af6
by default on these systems; the newer microcode file, however, is still shipped
501af6
as a part of microcode_ctl package and can be used for performing a microcode
501af6
update if it is enforced via the aforementioned overrides.  (See the sections
501af6
"check_caveats script" and "reload_microcode script" for details.)
501af6
501af6
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
501af6
501af6
Caveat names: intel-06-8c-01
501af6
501af6
Affected microcode: intel-ucode/06-8c-01.
501af6
501af6
Mitigation: microcode loading is disabled for the affected CPU model.
501af6
501af6
ee041c
742279
Additional information
742279
======================
ee041c
Red Hat provides updated microcode, developed by its microprocessor partners,
ee041c
as a customer convenience.  Please contact your hardware vendor to determine
ee041c
whether more recent BIOS/firmware updates are recommended because additional
ee041c
improvements may be available.
6c53eb
6c53eb
Information regarding microcode revisions required for mitigating specific
f3c512
Intel CPU vulnerabilities is available in the following knowledge base articles:
742279
 * CVE-2017-5715 ("Spectre"):
742279
   https://access.redhat.com/articles/3436091
742279
 * CVE-2018-3639 ("Speculative Store Bypass"):
742279
   https://access.redhat.com/articles/3540901
742279
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
742279
   https://access.redhat.com/articles/3562741
6c53eb
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
6c53eb
   ("Microarchitectural Data Sampling"):
6c53eb
   https://access.redhat.com/articles/4138151
f3c512
 * CVE-2019-0117 (Intel SGX Information Leak),
f3c512
   CVE-2019-0123 (Intel SGX Privilege Escalation),
f3c512
   CVE-2019-11135 (TSX Asynchronous Abort),
f3c512
   CVE-2019-11139 (Voltage Setting Modulation):
f3c512
   https://access.redhat.com/solutions/2019-microcode-nov
9db7ba
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
9db7ba
   CVE-2020-0548 (Vector Register Data Sampling),
9db7ba
   CVE-2020-0549 (L1D Cache Eviction Sampling):
9db7ba
   https://access.redhat.com/solutions/5142751
501af6
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
501af6
   CVE-2020-8696 (Vector Register Leakage-Active),
501af6
   CVE-2020-8698 (Fast Forward Store Predictor):
501af6
   https://access.redhat.com/articles/5569051