|
Packit Service |
91ce18 |
Latest microcode updates for Intel Skylake/Cascade Lake Scalable Platform CPUs
|
|
Packit Service |
91ce18 |
(family 6, model 85, steppings 4, 6, and 7; CPUID 0x50654/0x50656/0x50657)
|
|
Packit Service |
91ce18 |
may cause system instability on some systems, namely, HPE Superdome Flex
|
|
Packit Service |
91ce18 |
and Supermicro systems, when an update is performed with the resivions
|
|
Packit Service |
91ce18 |
that come with microcode-20201110 release, so the previously released microcode
|
|
Packit Service |
91ce18 |
(with revisions 0x2006906, 0x4001f01, and 0x5002f01, respectively)
|
|
Packit Service |
91ce18 |
from microcode-20200609 release are used on these systems by default instead
|
|
Packit Service |
91ce18 |
for the OS-driven microcode update.
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
For the reference, SHA1 checksums of the relevant microcode files containing
|
|
Packit Service |
91ce18 |
microcode revisions in question are listed below:
|
|
Packit Service |
91ce18 |
* 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
|
|
Packit Service |
91ce18 |
* 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
* 06-55-06, revision 0x4004f01: 8affd949151a0badd3f71e23cf9ad668d4c1d82f
|
|
Packit Service |
91ce18 |
* 06-55-06, revision 0x4003003: b187866d2570f90ea69f434c2b012a8c88d85f43
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
* 06-55-07, revision 0x5002f01: a7121c5f49753cc783f82135e268bc4efe85d4be
|
|
Packit Service |
91ce18 |
* 06-55-07, revision 0x5003003: 74e129b108e676f0286742f609b2c1fa65d73db1
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
Please contact your system vendor for a BIOS/firmware update that contains
|
|
Packit Service |
91ce18 |
the latest microcode version. For the information regarding microcode versions
|
|
Packit Service |
91ce18 |
required for mitigating specific side-channel cache attacks, please refer
|
|
Packit Service |
91ce18 |
to the following knowledge base articles:
|
|
Packit Service |
91ce18 |
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
|
|
Packit Service |
91ce18 |
CVE-2020-8696 (Vector Register Leakage-Active),
|
|
Packit Service |
91ce18 |
CVE-2020-8698 (Fast Forward Store Predictor):
|
|
Packit Service |
91ce18 |
https://access.redhat.com/articles/5569051
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
The information regarding enforcing microcode update is provided below.
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
To enforce usage of the latest microcode revision for a specific kernel
|
|
Packit Service |
91ce18 |
version, please create a file "force-intel-06-55-0x-ipu-2020.2" inside
|
|
Packit Service |
91ce18 |
/lib/firmware/<kernel_version> directory, run
|
|
Packit Service |
91ce18 |
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
|
|
Packit Service |
91ce18 |
where microcode will be available for late microcode update, and run
|
|
Packit Service |
91ce18 |
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
|
|
Packit Service |
91ce18 |
is regenerated and the microcode can be loaded early, for example:
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
touch /lib/firmware/3.10.0-862.9.1/force-intel-06-55-0x-ipu-2020.2
|
|
Packit Service |
91ce18 |
/usr/libexec/microcode_ctl/update_ucode
|
|
Packit Service |
91ce18 |
dracut -f --kver 3.10.0-862.9.1
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
After that, it is possible to perform a late microcode update by executing
|
|
Packit Service |
91ce18 |
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
|
|
Packit Service |
91ce18 |
"/sys/devices/system/cpu/microcode/reload" directly.
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
To disallow usage of the latest microcode revision for a specific kernel
|
|
Packit Service |
91ce18 |
version, please create a file "disallow-intel-06-55-0x-ipu-2020.2" inside
|
|
Packit Service |
91ce18 |
/lib/firmware/<kernel_version> directory, run
|
|
Packit Service |
91ce18 |
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
|
|
Packit Service |
91ce18 |
used for late microcode updates, and run "dracut -f --kver <kernel_version>",
|
|
Packit Service |
91ce18 |
so initramfs for this kernel version is regenerated, for example:
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-0x-ipu-2020.2
|
|
Packit Service |
91ce18 |
/usr/libexec/microcode_ctl/update_ucode
|
|
Packit Service |
91ce18 |
dracut -f --kver 3.10.0-862.9.1
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
To enforce addition of this microcode for all kernels, please create a file
|
|
Packit Service |
91ce18 |
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-0x-ipu-2020.2", run
|
|
Packit Service |
91ce18 |
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
|
|
Packit Service |
91ce18 |
and "dracut -f --regenerate-all" for enabling early microcode updates:
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
|
Packit Service |
91ce18 |
touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-55-0x-ipu-2020.2
|
|
Packit Service |
91ce18 |
/usr/libexec/microcode_ctl/update_ucode
|
|
Packit Service |
91ce18 |
dracut -f --regenerate-all
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
To disallow usage of the latest microcode revision for all kernels, please
|
|
Packit Service |
91ce18 |
create a file
|
|
Packit Service |
91ce18 |
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-0x-ipu-2020.2",
|
|
Packit Service |
91ce18 |
run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
|
|
Packit Service |
91ce18 |
used for late microcode updates, and run "dracut -f --regenerate-all"
|
|
Packit Service |
91ce18 |
so initramfs images get regenerated, for example:
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
|
Packit Service |
91ce18 |
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-0x-ipu-2020.2
|
|
Packit Service |
91ce18 |
/usr/libexec/microcode_ctl/update_ucode
|
|
Packit Service |
91ce18 |
dracut -f --regenerate-all
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
|
|
Packit Service |
91ce18 |
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
|
Packit Service |
91ce18 |
information.
|