Blame SPECS/06-55-04_readme

Intel Skylake Scalable Platform CPU models that belong to the Workstation and HEDT
(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports
of system hangs on reboot when microcode revision 0x2000065, which was included
from the microcode-20191112 update up to the microcode-20200520 update, was applied[1].
To address this, the microcode update to the newer revision had been
disabled by default on these systems, and the previously published microcode
revision 0x2000064 is used by default for the OS-driven microcode update.

Since revision 0x2006906 (included with the microcode-20200609 release)
it is reported that the issue is no longer present, so the newer microcode
revision is enabled by default now (but can be disabled explicitly; see below).

[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21

For reference, the SHA1 checksums of the 06-55-04 microcode files containing
the microcode revisions in question are listed below:
 * 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
 * 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
 * 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
 * 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
 * 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462

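The checksum list above can be used to tell which revision a given 06-55-04
file carries. The shell functions below are an added example, not part of the
microcode_ctl package: they map a SHA1 to the revision listed here and read the
running revision from /proc/cpuinfo-style text. The function names and the
sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the microcode_ctl package.

# Map a SHA1 checksum to the 06-55-04 revision listed in the README above.
ucode_rev_for_sha1() {
    case "$1" in
        2e405644a145de0f55517b6a9de118eec8ec1e5a) echo 0x2000064 ;;
        f27f12b9d53f492c297afd856cdbc596786fad23) echo 0x2000065 ;;
        5f18f985f6d5ad369b5f6549b7f3ee55acaef967) echo 0x2006906 ;;
        4059fb1f60370297454177f63cd7cc20b3fa1212) echo 0x2006a08 ;;
        7ec27025329c82de9553c14a78733ad1013e5462) echo 0x2006a0a ;;
        *) echo unknown; return 1 ;;
    esac
}

# Identify a microcode file on disk by its SHA1 checksum.
ucode_rev_for_file() {
    sum=$(sha1sum < "$1") || return 2      # unreadable file
    ucode_rev_for_sha1 "${sum%% *}"
}

# Read /proc/cpuinfo-style text (file argument or stdin) and print the
# microcode revision of the first CPU if it is family 6, model 85, stepping 4.
running_rev_06_55_04() {
    awk -F'[ \t]*:[ \t]*' '
        $1 == "cpu family" { fam = $2 }
        $1 == "model"      { mod = $2 }
        $1 == "stepping"   { step = $2 }
        $1 == "microcode"  { rev = $2 }
        NF == 0 && fam != "" { exit }      # blank line ends the first CPU block
        END {
            if (fam == 6 && mod == 85 && step == 4) { print rev; exit 0 }
            print "not-06-55-04"; exit 1
        }' "$@"
}

# Constructed sample input: trimmed /proc/cpuinfo text for one SKL-X core.
sample_cpuinfo() {
    printf 'processor\t: 0\ncpu family\t: 6\nmodel\t\t: 85\n'
    printf 'model name\t: constructed sample CPU\nstepping\t: 4\n'
    printf 'microcode\t: 0x2000065\n\nprocessor\t: 1\n'
}
```

On a live system, "running_rev_06_55_04 /proc/cpuinfo" reports the revision
currently loaded, and "ucode_rev_for_file <path>" identifies a 06-55-04 file.
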
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version.  For information regarding the microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
 * CVE-2017-5715 ("Spectre"):
   https://access.redhat.com/articles/3436091
 * CVE-2018-3639 ("Speculative Store Bypass"):
   https://access.redhat.com/articles/3540901
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
   https://access.redhat.com/articles/3562741
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
   ("Microarchitectural Data Sampling"):
   https://access.redhat.com/articles/4138151
 * CVE-2019-0117 (Intel SGX Information Leak),
   CVE-2019-0123 (Intel SGX Privilege Escalation),
   CVE-2019-11135 (TSX Asynchronous Abort),
   CVE-2019-11139 (Voltage Setting Modulation):
   https://access.redhat.com/solutions/2019-microcode-nov
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
   CVE-2020-0548 (Vector Register Data Sampling),
   CVE-2020-0549 (L1D Cache Eviction Sampling):
   https://access.redhat.com/solutions/5142751
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
   CVE-2020-8696 (Vector Register Leakage-Active),
   CVE-2020-8698 (Fast Forward Store Predictor):
   https://access.redhat.com/articles/5569051

Information on disabling the microcode update is provided below.

To disable usage of the newer microcode revision for a specific kernel
version, please create a file "disallow-intel-06-55-04" inside the
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to update the firmware directory
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
so that the initramfs for this kernel version is regenerated, for example:

    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --kver 3.10.0-862.9.1

To disable usage of the newer microcode revision for all kernels, please create
the file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run
"/usr/libexec/microcode_ctl/update_ucode" to update the firmware directories
used for late microcode updates, and run "dracut -f --regenerate-all"
so that the initramfs images get regenerated, for example:

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --regenerate-all

Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.