source-git / microcode_ctl

Clone
Source Code
GIT

Blame SPECS/06-2d-07_readme

c8 c8s master
  1.   2ad00ce45bc4c54fa81d3ef0c848eefe122a9ff3
  2.   SPECS
  3.   06-2d-07_readme
Blob History Raw
Packit Service 2ad00c 
Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7)
Packit Service 2ad00c 
had issues with MDS-related microcode update that may lead to a system hang
Packit Service 2ad00c 
after a microcode update[1][2].  In order to address this, microcode update
Packit Service 2ad00c 
to the MDS-related revision 0x718 had been disabled, and the previously
Packit Service 2ad00c 
published microcode revision 0x714 is used by default for the OS-driven
Packit Service 2ad00c 
microcode update.  The revision 0x71a of the microcode is intended to fix
Packit Service 2ad00c 
the aforementioned issue, hence it is enabled by default (but can be disabled
Packit Service 2ad00c 
explicitly; see below).
Packit Service 2ad00c
Packit Service 2ad00c 
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
Packit Service 2ad00c 
[2] https://access.redhat.com/solutions/4593951
Packit Service 2ad00c
Packit Service 2ad00c 
For the reference, SHA1 checksums of 06-2d-07 microcode files containing
Packit Service 2ad00c 
microcode revisions in question are listed below:
Packit Service 2ad00c 
 * 06-2d-07, revision 0x714: bcf2173cd3dd499c37defbc2533703cfa6ec2430
Packit Service 2ad00c 
 * 06-2d-07, revision 0x718: 837cfebbfc09b911151dfd179082ad99cf87e85d
Packit Service 2ad00c 
 * 06-2d-07, revision 0x71a: 4512c8149e63e5ed15f45005d7fb5be0041f66f6
Packit Service 2ad00c
Packit Service 2ad00c 
Please contact your system vendor for a BIOS/firmware update that contains
Packit Service 2ad00c 
the latest microcode version.  For the information regarding microcode versions
Packit Service 2ad00c 
required for mitigating specific side-channel cache attacks, please refer
Packit Service 2ad00c 
to the following knowledge base articles:
Packit Service 2ad00c 
 * CVE-2017-5715 ("Spectre"):
Packit Service 2ad00c 
   https://access.redhat.com/articles/3436091
Packit Service 2ad00c 
 * CVE-2018-3639 ("Speculative Store Bypass"):
Packit Service 2ad00c 
   https://access.redhat.com/articles/3540901
Packit Service 2ad00c 
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
Packit Service 2ad00c 
   https://access.redhat.com/articles/3562741
Packit Service 2ad00c 
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
Packit Service 2ad00c 
   ("Microarchitectural Data Sampling"):
Packit Service 2ad00c 
   https://access.redhat.com/articles/4138151
Packit Service 2ad00c
Packit Service 2ad00c 
The information regarding disabling microcode update is provided below.
Packit Service 2ad00c
Packit Service 2ad00c 
To disable usage of the newer microcode revision for a specific kernel
Packit Service 2ad00c 
version, please create file "disallow-intel-06-2d-07" inside
Packit Service 2ad00c 
/lib/firmware/<kernel_version> directory, run
Packit Service 2ad00c 
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
Packit Service 2ad00c 
where microcode will be available for late microcode update, and run
Packit Service 2ad00c 
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
Packit Service 2ad00c 
is regenerated and the microcode can be loaded early, for example:
Packit Service 2ad00c
Packit Service 2ad00c 
    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-2d-07
Packit Service 2ad00c 
    /usr/libexec/microcode_ctl/update_ucode
Packit Service 2ad00c 
    dracut -f --kver 3.10.0-862.9.1
Packit Service 2ad00c
Packit Service 2ad00c 
To avoid addition of the newer microcode revision for all kernels, please create
Packit Service 2ad00c 
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07", run
Packit Service 2ad00c 
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
Packit Service 2ad00c 
and "dracut -f --regenerate-all" for early microcode updates:
Packit Service 2ad00c
Packit Service 2ad00c 
    mkdir -p /etc/microcode_ctl/ucode_with_caveats
Packit Service 2ad00c 
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07
Packit Service 2ad00c 
    /usr/libexec/microcode_ctl/update_ucode
Packit Service 2ad00c 
    dracut -f --regenerate-all
Packit Service 2ad00c
Packit Service 2ad00c 
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
Packit Service 2ad00c 
information.

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation