README.caveats
The microcode_ctl package contains microcode files (vendor-provided binary data and/or code in proprietary format that affects behaviour of a device) for Intel CPUs that may be loaded into the CPU during boot. The microcode_ctl package contains provisions for some issues related to microcode loading. While those provisions are expected to suit most users, several knobs are available in order to provide ability to override the default behaviour. General behaviour ================= In RHEL 8 (as well as RHEL 7 before it), there are currently two main handlers for CPU microcode update: * Early microcode update. It uses GenuineIntel.bin or AuthenticAMD.bin file placed at the beginning of an initramfs image (/boot/initramfs-KERNEL_VERSION.img, where "KERNEL_VERSION" is a kernel version in the same format as provided by "uname -r") as a source of microcode data, and is performed very early during the boot process (if the relevant microcode file is available in the aforementioned file). * On-demand (late) microcode update. It can be triggered by writing "1" to /sys/devices/system/cpu/microcode/reload file (provided my the "microcode" module). It relies on request_firmware infrastructure, which searches (and loads, if found) microcode from a file present in one of the following directories (in the search order): /lib/firmware/updates/KERNEL_VERSION/ /lib/firmware/updates/ /lib/firmware/KERNEL_VERSION/ /lib/firmware/ (there is also an additional directory that can be configured via the "fw_path_para" module option of the "firmware_class" module; as this module is built-in in RHEL kernel, a boot parameter "firmware_class.fw_path_para" should be used for that purpose; this is out of the document's scope, however) The firmware for Intel CPUs is searched in "intel-ucode" subdirectory, and for AMD CPUs, a file under "amd-ucode" is searched. For Intel CPUs, the name of the specific microcode file the kernel tries to load has the format "FF-MM-SS", where "FF" is the family number, "MM" is the model number, and "SS" is the stepping. All those numbers are zero-filled to two digits and are written in hexadecimal (letters are in the lower case). For AMD CPUs, the file name has the format "microcode_amd_famFFh.bin", where "FF" is the family number, written in hexadecimal, letters are in the lower case, not zero-filled. The early microcode is placed into initramfs image by the "dracut" script, which scans the aforementioned subdirectories of the configured list of firmware directories (by default, the list consists of two directories in RHEL 8, "/lib/firmware/updates" and "/lib/firmware"). In RHEL 8, AMD CPU microcode is shipped as a part of the linux-firmware package, and Intel microcode is shipped as a part of the microcode_ctl package. The microcode_ctl package currently includes the following: * Intel CPU microcode files, placed in /usr/share/microcode_ctl/intel-ucode directory (currently there are none); * A dracut module, /usr/lib/dracut/modules.d/99microcode_ctl-fw_dir_override, that controls which additional firmware directories will be added to dracut's default configuration; * A dracut configuration file, /usr/lib/dracut/dracut.conf.d/01-microcode.conf, that enables inclusion of early microcode to the generated initramfs in dracut; * A dracut configuration file, /usr/lib/dracut/dracut.conf.d/99-microcode-override.conf, that provides a way to quickly disable 99microcode_ctl-fw_dir-override dracut module; * A systemd service file, microcode.service, that triggers microcode reload late during boot; * A set of directories in /usr/share/microcode_ctl/ucode_with_caveats, each of which contains configuration and related data for various caveats related to microcode: * readme - description of caveat and related information, * config - caveat configuration file, with syntax as described in "Caveat configuration" section below, * intel-ucode - directory containing microcode files related to the caveat; * A set of support scripts, placed in /usr/libexec/microcode_ctl: * "check_caveats" is an utility script that performs checks of the target kernel (and running CPU) in accordance with caveat configuration files in ucode_with_caveats directory and reports whether it passes them or not, * "reload_microcode" is a script that is called by microcode.service and triggers microcode reloading (by writing "1" to /sys/devices/system/cpu/microcode/reload) if the running kernel passes check_caveats checks, * "update_ucode" is a script that populates symlinks to microcode files in /lib/firmware, so it can be picked up by relevant kernels for the late microcode loading. Also, microcode_ctl RPM includes triggers that run update_ucode script on every installation or removal of a kernel RPM in order to provide microcode files for newly installed kernels and cleanup symlinks for the uninstalled ones. Microcode file structure ------------------------ Intel x86 CPU microcode file (that is, one that can be directly consumed by the CPU/kernel, and not its text representation such as used in microcode.dat files) is a bundle of concatenated microcode blobs. Each blob has a header, payload, and an optional additional data, as follows (for additional information please refer to "Intel® 64 and IA-32 Architectures Software Developer’s Manual" [1], Volume 3A, Section 9.11.1 "Microcode Update"): * Header (48 bytes) * Header version (unsigned 32-bit integer): version number of the update header. Must be 0x1. * Microcode revision (signed 32-bit integer) * Microcode date (unsigned 32-bit integer): encoded as BCD in mmddyyyy format (0x03141592 is 1592-03-14 in ISO 8601) * CPU signature (unsigned 32-bit integer): CPU ID, as provided by the CPUID (EAX = 0x1) instruction in the EAX register: * bits 31..28: reserved * bits 27..20: "Extended Family", summed with the Family field value * bits 19..16: "Extended Model", bits 7..4 of the CPU model * bits 15..14: reserved * bits 13..12: "Processor Type", non-zero value (other than the "primary processor") so far used only for the Deschutes (Pentium II) CPU family, with the processor type of 1, to signify it is an Overdrive processor: CPUID 0x1632. * bits 11..08: Family, summed with the Extended Family field value * bits 07..04: Model (bits 3..0) * bits 03..00: Stepping In short, microcode file with Family-Model-Stepping of uv-wx-0z corresponds to CPUID 0x0TUw0Vxz, where uv = TU + V, with V usually being 0xF when uv >= 16; with Family being 6 on most of recent Intel CPUs this transforms into 0x000w06xz. Please also refer to README.intel-ucode, section "About Processor Signature, Family, Model, Stepping and Platform ID" for additional information. * Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32) of all the 32-bit integers comprising the microcode amounts to 0. * Loader version (unsigned 32-bit integer): 0x1. * Platform ID mask (unsigned 32-bit integer): lower 8 bits indicate the set of possible values of bits 52..50 of MSR 0x17 ("Platform ID"). In old (up to Pentium II) microcode blobs the mask may be zero. * Data size (unsigned 32-bit integer): size of the Payload in bytes, has to be divisible by 4. 0 means 2000. * Total size (unsigned 32-bit integer): total microcode blob size (including header and extended header), has to be divisible by 1024. 0 means 2048. * Reserved (12 bytes). * Payload * Additional data (optional, 20 + 12 * n bytes) * Extended signature table header (20 bytes) * Extended signature count (unsigned 32-bit integer) * Checksum (unsigned 32-bit integer): correct if sum (in base 1 << 32) of all the 32-bit integers comprising the extender signature table amounts to 0. * Reserved (12 bytes). * Extended signature (12 bytes each) * CPU signature (unsigned 32-bit integer): see the description of the CPU signature field in the Header above. * Platform ID mask (unsigned 32-bit integer): see the description of the Platform ID mask field in the Header above. * Checksum (unsigned 32-bit integer): correct if sum (in base 1<< 32) of all the 32-bit integers comprising the Header (with CPU signature and Platform ID mask fields replaced with the values from this signature) and the Payload amounts to 0. Note that since External signature table header has its own checksum, sum of all its 32-bit values amounts to 0, so the Checksum in the Header and in the Extended signature will be the same if the values of CPU signature and Platform ID mask fields are the same, [1] https://software.intel.com/content/www/us/en/develop/download/intel-64-and-ia-32-architectures-sdm-combined-volumes-1-2a-2b-2c-2d-3a-3b-3c-3d-and-4.html Caveat configuration -------------------- There is a directory for each caveat under /usr/share/microcode_ctl/ucode_with_caveats, containing the following files: * "config", a configuration file for the caveat; * "readme", that contains description of the caveat; * set of related associated microcode files. "config" file is a set of lines each containing option name and its value, separated by white space. Currently, the following options are supported: * "model" option, which has format "VENDOR_ID FF-MM-SS", that specifies to which CPU model the caveat is applicable (check_caveats ignores caveats with non-matching models if "-m" option is passed to it). Can be set in the configuration file only once (the last provided value is used). * "vendor" option specifies CPUs of which vendor (as provided in the /proc/cpuinfo file) the caveat is applicable to (check_caveats ignores caveats with non-matching models when it is invoked with "-m" option). Can be set in the configuration file only once. * "path" is a glob pattern that specifies set of microcode files associated with the caveat as a relative path to the caveat directory. This option is used for populating files in /lib/firmware by update_ucode script and for matching microcode file when dracut is run in host-only mode (as in that case it uses only the first directory in firmware directory list to look for the microcode file applicable to the host CPU). Can be set in the configuration file multiple times. * "kernel" is a minimal kernel version that supports proper handling of the related microcode files during late microcode load. It may be provided in one of the following formats that affect the way it is compared to the running kernel version: * A.B.C (where A, B, and C are decimal numbers), "upstream version". In this case, simple version comparison against the respective part of the running kernel version is used, and the running kernel version should be greater or equal than the version provided in the configuration option in order for comparison to succeed (that is, the first part, major version number, of the running kernel version should be greater than the value provided in the configuration option, or those should be equal and the second part, minor version number, should be greater than the minor version number of the kernel version provided in the configuration option, or the first two parts should be equal and the third part, patch level, should be greater or equal the patch level of the version in the configuration option). * A.B.C-Y (where A, B, C, and Y are decimal numbers), "Y-stream version". In this case, A.B.C part should be equal, and Y part of the running kernel version should be greater or equal than the Y part of the configuration option version in order to satisfy the comparison requirement. * A.B.C-Y.Z1.Z2 (where A, B, C, Y, Z1, and Z2 are decimal numbers), "Z-stream version". In this case, A.B.C-Y part should be equal and Z1.Z2 part of the running kernel should be greater or equal than the respective part of the configuration option version (when compared as a version) for comparison to succeed. Kernel version check passed if at least one comparison of the running kernel version against a kernel version provided in a configuration option succeeded. The "kernel" configuration option can be provided in the configuration file multiple times. * "kernel_early" is a minimal kernel version that supports proper handling of the related microcode during early microcode load. The format of the option and its semantics is similar to the "kernel" configuration options. This option can be provided multiple times as well. * "mc_min_ver_late" is the minimal version of the currently loaded microcode on the CPU (as reported in /proc/cpuinfo) that supports late microcode update. Microcode update will be attempted only if the currently loaded microcode version is greater or equal the microcode version provided in the configuration option. Can be set in the configuration file only once. * "disable" is a way to disable a specific caveat from inside its configuration. Argument for the argument is a list of stages ("early", "late") for which the caveat should be disable. The configuration option can be provided multiple times in a configuration file. * "pci_config_val" performs check for specific values in selected parts of configuration space of specified PCI devices. If "-m" option is not specified, then the actual check is skipped, and the check returns result in accordance with the provided "mode" option (se below). Check arguments are a white-space-separated list of "key=value" pairs. The following keys are supported: * "domain" - PCI domain number, or "*" (an asterisk) for any domain. Default is "*". * "bus" - PCI bus number, or "*" (an asterisk) for any bus. Default is "*". * "device" - PCI device number, or "*" (an asterisk) for any device. Default is "*". * "function" - PCI function number, or "*" (an asterisk) for any function. Default is "*". * "vid" - PCI vendor ID, or empty string for any vendor ID. Default is empty string. * "did" - PCI device ID, or empty string for any device ID. Default is empty string. * "offset" - offset in device's configuration space where the value resides. Default is 0. * "size" - field size. Possible values are 1, 2, 4, or 8. Default is 4. * "mask" - mask applied to the values during the check. Default is 0. * "val" - comma-separated list of matching values. Default is 0. * "mode" - check mode, the way matches are interpreted: * "success-any" - check succeeds if there was at least one match, otherwise it fails. * "success-all" - check succeeds if there was at least one device checked and all the checked devices have matches, otherwise the check fails. * "fail-any" - check fails if there was at least one match, otherwise it succeeds. * "fail-all" - check fails if there was at least one device checked and all the checked devices have matches, otherwise the check succeeds. Default is "success-any". An example of a check: pci_config_val mode=success-all device=30 function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8 It interprets 4 bytes at offset 0x84 of special files "config" under directories that match glob pattern "/sys/bus/pci/devices/*:*:1e.3" as an unsigned integer value, applies mask 0x38 (thus selecting bit 5..3 of it) and checks whether it is one of the values 0x38, 0x18, or 0x8 (0b111, 0b011, or 0b001 in bits 5..3, respectively); if there are such files, and all the checked values in every checked file has matched at least one of the aforementioned value, then the check is successful, otherwise it fails (in accordance with "mode=success-all" semantics). This check fails if "-m" option is not specified. * "dmi" performs checks for specific values available in DMI sysfs files (present under /sys/devices/virtual/dmi/id/). The check (when it is actually performed; see a not about "no-model-mode" below) fails if one of the files is not readable. If "-m" option is not specified, then the actual check is skipped, and the check returns value in accordance with "no-model-mode" parameter value (see below). Check arguments are a white-space-separated list of "key=value" pairs. The following keys are supported: * "key" - DMI file to check. Value can be one of the following: bios_date, bios_vendor, bios_version, board_asset_tag, board_name, board_serial, board_vendor, board_version, chassis_asset_tag, chassis_serial, chassis_type, chassis_vendor, chassis_version, product_family, product_name, product_serial, product_uuid, product_version, sys_vendor. Default is empty string. * "val" - a string to match DMI data present in "key" against. Can be enclosed in single or double quotes. Default is empty string. * "keyval" - a pair of "key" and "val" values (with semantics described above), separated with either "=", ":", "!=", or "!:" characters. Enables providing of multiple key-value pairs by means of supplying multiple keyval= parameters. The exclamation sign ("!") character in separator enables negated matching (so, non-equality of the value in DMI "key" file and the value of "val" is). The match considered successful when all the key/val (non-)equalities are in effect. This parameter works in addition to the pair provided in "key" and "val" parameters (but allows to avoid using them). Default is empty. * "mode" - check mode, the way successful matches are interpreted: * "success-equal" - returns 0 if the value present in the file with the name supplied via the "key" parameter file under /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value of "val" parameter and all the pairs provided in "keyval" parameters are equal and non-equal in accordance with their definition, otherwise 1. * "fail-equal" - returns 1 if the value present in the file with the name supplied via the "key" parameter file under /sys/devices/virtual/dmi/id/ is equal to the value supplied as a value of "val" parameter and all the pairs provided in "keyval" parameters are equal and non-equal in accordance with their definition, otherwise 0. Default is "success-any". * "no-model-mode" - return value if model filter ("-m" option) is not enabled: * "success" - return 0. * "fail" - return 1. Default is "success". An example of a check: dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc." It checks file /sys/devices/virtual/dmi/id/bios_vendor and fails if its content is "Dell Inc." (without quotes). It succeeds if "-m" option is not enabled. Another example: dmi mode=fail-equal keyval="sys_vendor=Amazon EC2" keyval="product_name=u-18tb1.metal" dmi mode=fail-equal keyval="sys_vendor=Lenovo" keyval="product_name=ThinkSystem SR950" It blocks the caveat from using when either both /sys/devices/virtual/dmi/id/sys_vendor contains the string "Amazon EC2" and /sys/devices/virtual/dmi/id/product_name contains the string "u-18tb1.metal" or both /sys/devices/virtual/dmi/id/sys_vendor contains the string "Lenovo" and /sys/devices/virtual/dmi/id/product_name contains the string "ThinkSystem SR950", but enables caveat loading for other products with the aforementioned /sys/devices/virtual/dmi/id/sys_vendor values, for example. * "dependency" allows conditional enablement of a caveat based on the check status of some other caveat(s). It has the following format: dependency DEPENDENCY_TYPE DEPENDENCY_NAME [OPTION...] where DEPENDENCY_NAME is the configuration to be checked, OPTIONs are per-DEPENDENCY_TYPE, and the only DEPENDENCY_TYPE that is supported currently is "required". Options for the "required" dependency type: * "match-model-mode" - whether model matching mode ("-m" option) has to be used for the nested configuration check. Possible values: * "on" - model-matching mode is always used during the nested check; * "off" - model-matching mode is never used during the nested check; * "same" - used the same model-matching mode as it is now. Default is "same". * "skip" - controls result of the check when the nested check indicated skipping of the configuration. * "fail" - the dependent check fails; * "success" - the dependent check succeeds; * "skip" - the dependent check indicates that the configuration is to be skipped. Default is "skip". * "force-skip" - controls result of the check when the nested check indicated skipping of the configuration caused by the presence of an override file (see "check_caveats script" section for details). * "fail" - the dependent check fails; * "success" - the dependent check succeeds; * "skip" - the dependent check indicates that the configuration is to be skipped. Default is "skip". * "nesting-too-deep" - as a measure against dependency loop, configuration checking logic implements nesting limit on dependency checks (currently set at 8). This option controls the behaviour of the check when the nested check cannot be performed due to this limit. * "fail" - the dependent check fails; * "success" - the dependent check succeeds; * "skip" - the dependent check indicates that the configuration is to be skipped. Default is "fail". An example of a check: dependency required intel skip=success match-model-mode=off It checks "intel" caveat configuration (see the "Early microcode load inside a virtual machine" section) with model-matching mode being disabled, treats skipping of the configuration as a success (unless the configuration is forced to be skipped, in that case the dependent configuration is to be skipped as well). check_caveats script -------------------- "check_caveats" is an utility script (called by update_ucode, reload_microcode, dracut module) that performs checks of the target kernel (and running CPU) in accordance with caveat configuration files in directory "/usr/share/microcode_ctl/ucode_with_caveats", and returns information, whether the system passes the checks, or not. Usage: check_caveats [-e] [-k TARGET_KVER] [-c CONFIG]* [-m] [-v]' Options: -e - check for early microcode load possibility (instead of late microcode load). "kernel_early" caveat configuration options are used for checking instead of "kernel", and "mc_min_ver_late" is not checked. -k - target kernel version to check against, $(uname -r) is used otherwise. -c - caveat(s) to check, all caveat configurations found inside $MC_CAVEATS_DATA_DIR are checked otherwise. -m - ignore caveats that do not apply to the current CPU model. -v - verbose output. Environment: MC_CAVEATS_DATA_DIR - directory that contains caveats configurations, "/usr/share/microcode_ctl/ucode_with_caveats" by default. FW_DIR - directory containing firmware files (per-kernel configuration overrides are checked there), "/lib/firmware" by default. CFG_DIR - directory containing global caveats overrides, "/etc/microcode_ctl/ucode_with_caveats" by default. Output: Script returns information about caveats check results. Output has a format of "KEY VALUE1 VALUE2 ..." with KEY defining the semantics of the VALUEs. Currently, the following data is issued: - "cfgs" - list of caveats that have been processed (and not skipped due to missing "config", "readme", or a disallow-* override described below); - "skip_cfgs" - list of caveats that have been skipped (due to missing config/readme file, or because of overrides); - "paths" - list of glob patterns matching files associated with caveats that have been processed; - "ok_cfgs" - list of caveat configurations that have all the checks passed (or have enforced by one of force-* overrides described below); - "ok_paths" - list of glob patterns associated with caveat files from the "ok_cfgs" list; - "fail_cfgs" - list of caveats that have one of the checks failed. - "fail_paths" - list of glob patterns associated with caveats from the "fail_cfgs" list. Return value: - 0 in case caveats check has passed, 1 otherwise. - In "-d" mode, 0 is always returned. Overrides: When check_caveats perform its checks, it also checks for presence of files in specific places, and, if they exist, check_caveats skips a caveat or ignores its checks; that mechanism allows overriding the information provided in configuration on local systems and affect the behaviour of the microcode update process. Current list of overrides (where $FW_DIR and $CFG_DIR are the environment options described earlier; $kver - the currently processed kernel version, $s is the requested stage ("early" or "late"), $cfg is the caveat directory name): $FW_DIR/$kver/disallow-$s-$cfg - skip a caveat for the requested stage for a specific kernel version.. $FW_DIR/$kver/force-$s-$cfg - apply a specific caveat file for a specific kernel version for the requested stage without performing any checks. $FW_DIR/$kver/disallow-$cfg - skip a caveat for any stage for a specific kernel version. $FW_DIR/$kver/force-$cfg - apply a specific caveat for any stage for a specific kernel version without checks. $FW_DIR/$kver/disallow-$s - skip all caveats for a specific stage for a specific kernel version. $CFG_DIR/disallow-$s-$cfg - skip a caveat for a specific stage for all kernel versions. $FW_DIR/$kver/force-$s - apply all caveats for a specific stage for a specific kernel version without checks. $CFG_DIR/force-$s-$cfg - apply a specific caveat for a specific stage for all kernel versions without checks. $FW_DIR/$kver/disallow - skip all caveats for all stages for a specific kernel version. $CFG_DIR/disallow-$cfg - skip a caveat for all stages for all kernel versions. $FW_DIR/$kver/force - apply all caveats for all stages for a specific kernel version without checks. $CFG_DIR/force-$cfg - apply a caveat for all stages for all kernel versions without checks. $CFG_DIR/disallow-$s - skip all caveat for all kernel versions for a specific stage. $CFG_DIR/force-$s - apply all caveats for all kernel versions for specific stage without checks. $CFG_DIR/disallow - skip all caveats for all stages for all kernel versions (disable everything). $CFG_DIR/force - force all caveats for all stages for all kernel versions (enable everything). The "apply" action above means creating symlinks in /lib/firmware by update_ucode in case of the "late" stage and adding caveat directory to the list of firmware directories by dracut plugin in case of the "early" stage. The files are checked for existence until the first match, so more specific overrides can override more broad ones. Also, a caveat is ignored if it lacks either config or readme file. update_ucode script ------------------- "update_ucode" populates symlinks to microcode files in accordance with caveats configuration. It enables late microcode loading that is invoked by triggering /sys/devices/system/cpu/microcode/reload file. Since caveats depend on the kernel version, symlinks are populated inside "/lib/firmware/KERNEL_VERSION" directory for each installed kernel. As a consequence, this script is triggered upon each kernel package installation and removal. The script has two parts: common and kernel-version-specific. During the common part, files are populated from /usr/share/microcode_ctl/intel-ucode in /lib/firmware/intel-ucode. There are several possibilities to affect the process: * Presence of "/etc/microcode_ctl/intel-ucode-disallow" file leads to skipping the common part of the script. * The same for "/lib/firmware/intel-ucode-disallow". During the kernel-version-specific part, each caveat is checked against every kernel version, and those combinations, for which caveat check succeeds, gets the symlinks to the associated microcode files populated. * Absence of "/lib/firmware/KERNEL_VERSION/readme-CAVEAT" prevents update_ucode from removing symlinks related to the caveat for specific kernel version. * Since the check is being done by check_caveats, all the overrides that described there also stay. Usage: update_ucode [--action {add|remove|refresh|list}] [--kernel KERNELVER]* [--verbose] [--dry-run] [--cleanup intel_ucode caveats_ucode] [--skip-common] [--skip-kernel-specific] Options: --action - action to perform. Currently, the following actions are supported: * "add" - create new symlinks. * "remove" - remove old symlinks that are no longer needed. * "refresh" - re-populate symlinks. * "list" - list files under control of update_ucode. By default, "refresh" action is executed. --kernel - kernel version to process. By default, list of kernel versions is formed based on contents of /lib/firmware and /lib/modules directories. --verbose - verbose output. --dry-run - do not call commands, just print the invocation lines. --cleanup - cleanup mode. Used by post-uninstall script during package upgrades. Removes excess files in accordance to the contents of the files provided in the arguments to the option. --skip-common - do not process /lib/firmware directory. --skip-kernel-specific - do not process /lib/firmware/KERNEL_VERSION directories. Return value: 0 on success, 1 on error. reload_microcode script ----------------------- "reload_microcode" is a script that is called by microcode.service and triggers late microcode reloading (by writing "1" to /sys/devices/system/cpu/microcode/reload) if the following check are passed: * the microcode update performed not in a virtualised environment; * running kernel passes "check_caveats" checks that applicable to the current CPU model. For a virtualised environment check, the script searches the "/proc/cpuinfo" file for presence of the "hypervisor" flag among CPU features (it corresponds to a CPUID feature bit set by hypervisors in order to inform that the kernel operates inside a virtual machine). This check can be overridden and skipped by creation of a file "/etc/microcode_ctl/ignore-hypervisor-flag". The script has no options and always returns 0. 99microcode_ctl-fw_dir_override dracut module --------------------------------------------- This dracut module injects directories with microcode files for caveats that pass "early" check_caveats check (with "-e" flag). In addition to "check_caveats" overrides, the following abilities to control module's behaviour are present: * Presence of one of the following files: - /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check - /etc/microcode_ctl/ucode_with_caveats/skip-host-only-check-$cfg - /lib/firmware/$kver/skip-host-only-check - /lib/firmware/$kver/skip-host-only-check-$cfg (where "$kver" is the kernel version in question and "$cfg" is the caveat directory name) allows skipping matching of microcode file name when dracut's Host-Only mode is enabled. When caveats_check succeeds, caveats directory (not its possibly populated version for late microcode update: "/lib/firmware/KERNEL_VERSION"; it is done so in order to have ability to configure list of caveats enabled for early and late microcode update, independently) is added to dracut's list of firmware search directories. The module can be disabled by running dracut with "-o microcode_ctl-fw_dir_override" (for one-time exclusion), or it can be disabled permanently by uncommenting string "omit_dracutmodules+=' microcode_ctl-fw_dir_override '" in /usr/lib/dracut/dracut.conf.d/99-microcode-override.conf configuration file. See dracut(8), section "Omitting dracut Modules", and dracut.conf(5), variable "omit_dracutmodules" for additional information. Caveats ======= Intel Broadwell-EP/EX ("BDX-ML B/M/R0") caveat ---------------------------------------------- Microcode update process on Intel Broadwell-EP/EX CPUs (BDX-ML B/M/R0, family 6, model 79, stepping 1) has issues that lead to system instability. A series of changes for the Linux kernel has been developed in order to work around those issues; however, as it turned out, some systems have issues even when a microcode update performed on a kernel that contains those changes. As a result, microcode update for this CPU model is disabled by default; the microcode file, however, is still shipped as a part of microcode_ctl package and can be used for performing a microcode update if it is enforced via the aforementioned overrides. (See the sections "check_caveats script" and "reload_microcode script" for details.) Caveat name: intel-06-4f-01 Affected microcode: intel-ucode/06-4f-01. Dependencies: intel Mitigation: microcode loading is disabled for the affected CPU model. Minimum versions of the kernel package that contain the aforementioned patch series: - Upstream/RHEL 8: 4.17.0 - RHEL 7.6 onwards: 3.10.0-894 - RHEL 7.5: 3.10.0-862.6.1 - RHEL 7.4: 3.10.0-693.35.1 - RHEL 7.3: 3.10.0-514.52.1 - RHEL 7.2: 3.10.0-327.70.1 - RHEL 6.10: 2.6.32-754.1.1 - RHEL 6.7: 2.6.32-573.58.1 - RHEL 6.6: 2.6.32-504.71.1 - RHEL 6.5: 2.6.32-431.90.1 - RHEL 6.4: 2.6.32-358.90.1 Early microcode load inside a virtual machine --------------------------------------------- RHEL 8 kernel supports performing microcode update during early boot stage from a cpio archive placed at the beginning of the initramfs image. However, when an early microcode update is attempted inside some virtualised environments, that may result in unexpected system behaviour. Caveat name: intel Affected microcode: all. Dependencies: (none) Mitigation: early microcode loading is disabled for all CPU models on kernels without the fix. Minimum versions of the kernel package that contain the fix: - Upstream/RHEL 8: 4.10.0 - RHEL 7.6 onwards: 3.10.0-930 - RHEL 7.5: 3.10.0-862.14.1 - RHEL 7.4: 3.10.0-693.38.1 - RHEL 7.3: 3.10.0-514.57.1 - RHEL 7.2: 3.10.0-327.73.1 Intel Sandy Bridge-E/EN/EP caveat --------------------------------- Microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6, model 45, stepping 7), that was released to address MDS vulnerability, and was available from microcode-20190618 up to microcode-20190508 release) could lead to system instability[1][2]. In order to address this, this microcode update was not used and the previous microcode revision was provided instead by default; the microcode file, however, was still shipped as part of microcode_ctl package and could be used for performing a microcode update if it is enforced via the aforementioned overrides. With the release of 0x71a revision of the microcode (as art of microcode-20200520 release) that aims at fixing the aforementioned stability issue, the latest microcode revision is again used by default; it is still provided via the caveat mechanism, hovewer, in order to enable ability to disable it in case such a need arises. (See the sections "check_caveats script" and "reload_microcode script" for details regarding caveats mechanism operation.) [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15 [2] https://access.redhat.com/solutions/4593951 Caveat name: intel-06-2d-07 Affected microcode: intel-ucode/06-2d-07. Dependencies: intel Mitigation: None; the latest revision of the microcode file is used by default; previously published microcode revision 0x714 is still available as a fallback as part of "intel" caveat. Intel Skylake-SP/W/X caveat --------------------------- Microcode revision 0x2000065 (that was provided with microcode releases microcode-20191112 up to microcode-20200520) for some CPU models that belong to Intel Skylake Scalable Platform (SKL-W/X, family 6, model 85, stepping 4, Workstation/HEDT segments) could lead to hangs during reboot[1]. In order to address this, by default this microcode update was disabled by default and and the previous 0x2000064 microcode revision was used instead; the microcode file with, however, is still shipped as part of microcode_ctl package and can be used for performing a microcode update if it is enforced via the aforementioned overrides. With the availability of 0x2006906 revision of the microcode (in the microcode-20200609 release) that fixes the aforementioned issue, the latest microcode revision is again used by default; it is still provided via caveat mechanism, hovewer, in order to enable ability to disable it in case such a need arises. (See the sections "check_caveats script" and "reload_microcode script" for details regarding caveats mechanism operation.) [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 Caveat name: intel-06-55-04 Affected microcode: intel-ucode/06-55-04. Dependencies: intel Mitigation: None; the latest revision of the microcode file is used by default; previously published microcode revision 0x2000064 is still available as a fallback as part of "intel" caveat. Intel Skylake-U/Y caveat ------------------------ Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3) have reports of system hangs when revision 0xdc of microcode, that is included in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, is applied[1]. In order to address this, microcode update to the newer revision has been disabled by default on these systems, and the previously published microcode revision 0xd6 is used instead; the newer microcode files, however, are still shipped as part of microcode_ctl package and can be used for performing a microcode update if they are enforced via the aforementioned overrides. (See the sections "check_caveats script" and "reload_microcode script" for details.) [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31 Caveat name: intel-06-4e-03 Affected microcode: intel-ucode/06-4e-03 Dependencies: intel Mitigation: previously published microcode revision 0xd6 is used by default. Intel Skylake-H/S/Xeon E3 v5 caveat ----------------------------------- Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) had reports of system hangs when revision 0xdc of microcode, that is included in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order to address this, microcode update to the newer revision had been disabled by default on these systems, and the previously published microcode revision 0xd6 was used instead. The revision 0xea seems[2] to have fixed the aforementioned issue, hence the latest microcode revision usage it is enabled by default, but can be disabled explicitly via the aforementioned overrides. (See the sections "check_caveats script" and "reload_microcode script" for details.) [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 [2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014 Caveat names: intel-06-5e-03 Affected microcode: intel-ucode/06-5e-03. Dependencies: intel Mitigation: None; the latest revision of the microcode file is used by default; previously published microcode revision 0xd6 is still available as a fallback as part of "intel" caveat. Dell caveats ------------ Some Dell systems that use some models of Intel CPUs are susceptible to hangs and system instability during or after microcode update to revision 0xc6/0xca (included as part of microcode-20191113/microcode-20191115 update that addressed CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139) and/or revision 0xd6 (included as part of microcode-20200609 update that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549) [1][2][3][4][5][6]. In order to address this, microcode update to the newer revision has been disabled by default on these systems, and the previously published microcode revisions 0xae/0xb4/0xb8 are used by default for the OS-driven microcode update. [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23 [2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24 [3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33 [4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34 [5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35 [6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097 Caveat names: intel-06-8e-9e-0x-dell, intel-06-8e-9e-0x-0xca Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a, intel-ucode/06-8e-0b, intel-ucode/06-8e-0c, intel-ucode/06-9e-09, intel-ucode/06-9e-0a, intel-ucode/06-9e-0b, intel-ucode/06-9e-0c, intel-ucode/06-9e-0d. Dependencies: intel Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used by default if /sys/devices/virtual/dmi/id/bios_vendor reports "Dell Inc."; otherwise, the latest microcode revision is used. Caveat with revision 0xca of microcode files is provided as a convenience for the cases where it was working well before. Intel Tiger Lake-UP3/UP4 caveat ------------------------------- Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140, stepping 1) had reports of system hangs when a microcode update, that was included since microcode-20201110 release, was applied[1]. In order to address this, microcode update to a newer revision had been disabled by default on these systems. The revision 0x88 seems to have fixed the aforementioned issue, hence it is enabled by default; however, it is still can be disabled via the aforementioned overrides. (See the sections "check_caveats script" and "reload_microcode script" for details.) [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 Caveat names: intel-06-8c-01 Affected microcode: intel-ucode/06-8c-01. Dependencies: intel Mitigation: None; the latest revision of the microcode file is used by default. Additional information ====================== Red Hat provides updated microcode, developed by its microprocessor partners, as a customer convenience. Please contact your hardware vendor to determine whether more recent BIOS/firmware updates are recommended because additional improvements may be available. Information regarding microcode revisions required for mitigating specific Intel CPU vulnerabilities is available in the following knowledge base articles: * CVE-2017-5715 ("Spectre"): https://access.redhat.com/articles/3436091 * CVE-2018-3639 ("Speculative Store Bypass"): https://access.redhat.com/articles/3540901 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): https://access.redhat.com/articles/3562741 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 ("Microarchitectural Data Sampling"): https://access.redhat.com/articles/4138151 * CVE-2019-0117 (Intel SGX Information Leak), CVE-2019-0123 (Intel SGX Privilege Escalation), CVE-2019-11135 (TSX Asynchronous Abort), CVE-2019-11139 (Voltage Setting Modulation): https://access.redhat.com/solutions/2019-microcode-nov * CVE-2020-0543 (Special Register Buffer Data Sampling), CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8698 (Fast Forward Store Predictor): https://access.redhat.com/articles/5569051 * CVE-2020-24489 (VT-d-related Privilege Escalation), CVE-2020-24511 (Improper Isolation of Shared Resources), CVE-2020-24512 (Observable Timing Discrepancy), CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): https://access.redhat.com/articles/6101171 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow), CVE-2021-0145 (Fast store forward predictor - Cross Domain Training), CVE-2021-0146 (VT-d-related Privilege Escalation), CVE-2021-33120 (Out of bounds read for some Intel Atom processors): https://access.redhat.com/articles/6716541