Tree - rpms/microcode_ctl - CentOS Git server

rpms / microcode_ctl

Files

Blob Blame History Raw

 Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
have reports of system hangs when revision 0xdc of microcode, that is included
since microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
and CVE-2020-0549, is applied[1].  In order to address this, microcode update
to the newer revision has been disabled by default on these systems,
and the previously published microcode revision 0xd6 is used by default
for the OS-driven microcode update.
 
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
 
For the reference, SHA1 checksums of 06-4e-03 microcode files containing
microcode revisions in question are listed below:
 * 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e
 * 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c
 * 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366
 * 06-4e-03, revision 0xea: 5a54cab9f22f69b819d663e5747ed6ea2a326c55
 * 06-4e-03, revision 0xec: d949a8543d2464d955f5dc4b0777cac863f48729
 * 06-4e-03, revision 0xf0: 37475bac70457ba8df2c1a32bba81bd7bd27d5e8
 
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version.  For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
 * CVE-2017-5715 ("Spectre"):
   https://access.redhat.com/articles/3436091
 * CVE-2018-3639 ("Speculative Store Bypass"):
   https://access.redhat.com/articles/3540901
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
   https://access.redhat.com/articles/3562741
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
   ("Microarchitectural Data Sampling"):
   https://access.redhat.com/articles/4138151
 * CVE-2019-0117 (Intel SGX Information Leak),
   CVE-2019-0123 (Intel SGX Privilege Escalation),
   CVE-2019-11135 (TSX Asynchronous Abort),
   CVE-2019-11139 (Voltage Setting Modulation):
   https://access.redhat.com/solutions/2019-microcode-nov
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
   CVE-2020-0548 (Vector Register Data Sampling),
   CVE-2020-0549 (L1D Cache Eviction Sampling):
   https://access.redhat.com/solutions/5142751
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
   CVE-2020-8696 (Vector Register Leakage-Active),
   CVE-2020-8698 (Fast Forward Store Predictor):
   https://access.redhat.com/articles/5569051
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
   CVE-2020-24511 (Improper Isolation of Shared Resources),
   CVE-2020-24512 (Observable Timing Discrepancy),
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
   https://access.redhat.com/articles/6101171
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
   https://access.redhat.com/articles/6716541
 * CVE-2022-0005 (Informational disclosure via JTAG),
   CVE-2022-21123 (Shared Buffers Data Read),
   CVE-2022-21125 (Shared Buffers Data Sampling),
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
   CVE-2022-21166 (Device Register Partial Write):
   https://access.redhat.com/articles/6963124
 
The information regarding enforcing microcode update is provided below.
 
To enforce usage of the latest 06-4e-03 microcode revision for a specific kernel
version, please create a file "force-intel-06-4e-03" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
where microcode will be available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated and the microcode can be loaded early, for example:
 
    touch /lib/firmware/3.10.0-862.9.1/force-intel-06-4e-03
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --kver 3.10.0-862.9.1
 
After that, it is possible to perform a late microcode update by executing
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
"/sys/devices/system/cpu/microcode/reload" directly.
 
To enforce addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03", run
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
and "dracut -f --regenerate-all" for enabling early microcode updates:
 
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --regenerate-all
 
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.

	Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
	have reports of system hangs when revision 0xdc of microcode, that is included
	since microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
	and CVE-2020-0549, is applied[1]. In order to address this, microcode update
	to the newer revision has been disabled by default on these systems,
	and the previously published microcode revision 0xd6 is used by default
	for the OS-driven microcode update.

	[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31

	For the reference, SHA1 checksums of 06-4e-03 microcode files containing
	microcode revisions in question are listed below:
	* 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e
	* 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c
	* 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366
	* 06-4e-03, revision 0xea: 5a54cab9f22f69b819d663e5747ed6ea2a326c55
	* 06-4e-03, revision 0xec: d949a8543d2464d955f5dc4b0777cac863f48729
	* 06-4e-03, revision 0xf0: 37475bac70457ba8df2c1a32bba81bd7bd27d5e8

	Please contact your system vendor for a BIOS/firmware update that contains
	the latest microcode version. For the information regarding microcode versions
	required for mitigating specific side-channel cache attacks, please refer
	to the following knowledge base articles:
	* CVE-2017-5715 ("Spectre"):
	https://access.redhat.com/articles/3436091
	* CVE-2018-3639 ("Speculative Store Bypass"):
	https://access.redhat.com/articles/3540901
	* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
	https://access.redhat.com/articles/3562741
	* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
	("Microarchitectural Data Sampling"):
	https://access.redhat.com/articles/4138151
	* CVE-2019-0117 (Intel SGX Information Leak),
	CVE-2019-0123 (Intel SGX Privilege Escalation),
	CVE-2019-11135 (TSX Asynchronous Abort),
	CVE-2019-11139 (Voltage Setting Modulation):
	https://access.redhat.com/solutions/2019-microcode-nov
	* CVE-2020-0543 (Special Register Buffer Data Sampling),
	CVE-2020-0548 (Vector Register Data Sampling),
	CVE-2020-0549 (L1D Cache Eviction Sampling):
	https://access.redhat.com/solutions/5142751
	* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
	CVE-2020-8696 (Vector Register Leakage-Active),
	CVE-2020-8698 (Fast Forward Store Predictor):
	https://access.redhat.com/articles/5569051
	* CVE-2020-24489 (VT-d-related Privilege Escalation),
	CVE-2020-24511 (Improper Isolation of Shared Resources),
	CVE-2020-24512 (Observable Timing Discrepancy),
	CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
	https://access.redhat.com/articles/6101171
	* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
	https://access.redhat.com/articles/6716541
	* CVE-2022-0005 (Informational disclosure via JTAG),
	CVE-2022-21123 (Shared Buffers Data Read),
	CVE-2022-21125 (Shared Buffers Data Sampling),
	CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
	CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
	CVE-2022-21166 (Device Register Partial Write):
	https://access.redhat.com/articles/6963124

	The information regarding enforcing microcode update is provided below.

	To enforce usage of the latest 06-4e-03 microcode revision for a specific kernel
	version, please create a file "force-intel-06-4e-03" inside
	/lib/firmware/<kernel_version> directory, run
	"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
	where microcode will be available for late microcode update, and run
	"dracut -f --kver <kernel_version>", so initramfs for this kernel version
	is regenerated and the microcode can be loaded early, for example:

	touch /lib/firmware/3.10.0-862.9.1/force-intel-06-4e-03
	/usr/libexec/microcode_ctl/update_ucode
	dracut -f --kver 3.10.0-862.9.1

	After that, it is possible to perform a late microcode update by executing
	"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
	"/sys/devices/system/cpu/microcode/reload" directly.

	To enforce addition of this microcode for all kernels, please create file
	"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03", run
	"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
	and "dracut -f --regenerate-all" for enabling early microcode updates:

	mkdir -p /etc/microcode_ctl/ucode_with_caveats
	touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03
	/usr/libexec/microcode_ctl/update_ucode
	dracut -f --regenerate-all

	Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
	information.

rpms / microcode_ctl

Source Code

Files