diff --git a/SPECS/06-4e-03_readme b/SPECS/06-4e-03_readme index 016364f..49373e2 100644 --- a/SPECS/06-4e-03_readme +++ b/SPECS/06-4e-03_readme @@ -36,6 +36,10 @@ to the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 The information regarding enforcing microcode update is provided below. diff --git a/SPECS/06-55-04_readme b/SPECS/06-55-04_readme index 7b8051a..5df5775 100644 --- a/SPECS/06-55-04_readme +++ b/SPECS/06-55-04_readme @@ -41,6 +41,10 @@ to the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 The information regarding disabling microcode update is provided below. diff --git a/SPECS/06-5e-03_readme b/SPECS/06-5e-03_readme index 9255d3f..9e21ac0 100644 --- a/SPECS/06-5e-03_readme +++ b/SPECS/06-5e-03_readme @@ -36,6 +36,10 @@ to the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 The information regarding enforcing microcode update is provided below. 
diff --git a/SPECS/06-8c-01_config b/SPECS/06-8c-01_config new file mode 100644 index 0000000..c7c5d65 --- /dev/null +++ b/SPECS/06-8c-01_config @@ -0,0 +1,3 @@ +model GenuineIntel 06-8c-01 +path intel-ucode/06-8c-01 +disable early late diff --git a/SPECS/06-8c-01_disclaimer b/SPECS/06-8c-01_disclaimer new file mode 100644 index 0000000..6e02fa6 --- /dev/null +++ b/SPECS/06-8c-01_disclaimer @@ -0,0 +1,4 @@ +Microcode updates for Intel Tiger Lake-UP3/UP4 (family 6, model 140, stepping 1; +CPUID 0x806c1) are disabled as they may cause system instability. +Please refer to /usr/share/doc/microcode_ctl/caveats/06-8c-01_readme +and /usr/share/doc/microcode_ctl/README.caveats for details. diff --git a/SPECS/06-8c-01_readme b/SPECS/06-8c-01_readme new file mode 100644 index 0000000..16afb9b --- /dev/null +++ b/SPECS/06-8c-01_readme 
@@ -0,0 +1,40 @@ +Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1) +have reports of system hangs when a microcode update, that is included +since microcode-20201110 update, is applied[1]. In order to address this, +microcode update has been disabled by default on these systems. + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 + +Please contact your system vendor for a BIOS/firmware update that contains +the latest microcode version. + +The information regarding enforcing microcode update is provided below. + +To enforce usage of the latest 06-8c-01 microcode revision for a specific kernel +version, please create a file "force-intel-06-8c-01" inside +/lib/firmware/ directory, run +"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory +where microcode will be available for late microcode update, and run +"dracut -f --kver ", so initramfs for this kernel version +is regenerated and the microcode can be loaded early, for example: + + touch /lib/firmware/3.10.0-862.9.1/force-intel-06-8c-01 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --kver 3.10.0-862.9.1 + +After that, it is possible to perform a late microcode update by executing +"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to +"/sys/devices/system/cpu/microcode/reload" directly. + +To enforce addition of this microcode for all kernels, please create file +"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01", run +"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates, +and "dracut -f --regenerate-all" for enabling early microcode updates: + + mkdir -p /etc/microcode_ctl/ucode_with_caveats + touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-8c-01 + /usr/libexec/microcode_ctl/update_ucode + dracut -f --regenerate-all + +Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional +information. 
diff --git a/SPECS/06-8e-9e-0x-0xca_readme b/SPECS/06-8e-9e-0x-0xca_readme index ef90fdb..cef8e9b 100644 --- a/SPECS/06-8e-9e-0x-0xca_readme +++ b/SPECS/06-8e-9e-0x-0xca_readme @@ -104,6 +104,10 @@ to the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 The information regarding disabling microcode update is provided below. diff --git a/SPECS/06-8e-9e-0x-dell_readme b/SPECS/06-8e-9e-0x-dell_readme index d74c679..94b9bb6 100644 --- a/SPECS/06-8e-9e-0x-dell_readme +++ b/SPECS/06-8e-9e-0x-dell_readme @@ -104,6 +104,10 @@ to the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 The information regarding disabling microcode update is provided below. diff --git a/SPECS/README.caveats b/SPECS/README.caveats index 2220a09..d18c2a5 100644 --- a/SPECS/README.caveats +++ b/SPECS/README.caveats 
@@ -630,6 +630,26 @@ Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used as a convenience for the cases where it was working well before. +Intel Tiger Lake-UP3/UP4 caveat +------------------------------- +Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140, +stepping 1) have reports of system hangs when a microcode update, +that is included since microcode-20201110 release, is applied[1]. +In order to address this, microcode update to a newer revision has been disabled +by default on these systems; the newer microcode file, however, is still shipped +as a part of microcode_ctl package and can be used for performing a microcode +update if it is enforced via the aforementioned overrides. (See the sections +"check_caveats script" and "reload_microcode script" for details.) + +[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 + +Caveat names: intel-06-8c-01 + +Affected microcode: intel-ucode/06-8c-01. + +Mitigation: microcode loading is disabled for the affected CPU model. + + Additional information ====================== @@ -658,3 +678,7 @@ Intel CPU vulnerabilities is available in the following knowledge base articles: CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 + * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), + CVE-2020-8696 (Vector Register Leakage-Active), + CVE-2020-8698 (Fast Forward Store Predictor): + https://access.redhat.com/articles/5569051 diff --git a/SPECS/codenames.list b/SPECS/codenames.list index 502fc92..be1f3d2 100644 --- a/SPECS/codenames.list +++ b/SPECS/codenames.list 
@@ -297,6 +297,7 @@ Desktop;;Comet Lake;G1;22;a0653;CML;S 6+2;Core Gen10 Desktop; Desktop;;Comet Lake;Q0;22;a0655;CML;S 10+2;Core Gen10 Desktop; Mobile;;Comet Lake;A0;80;a0660;CML;U 6+2;Core Gen10 Mobile; Mobile;;Comet Lake;K0;80;a0661;CML;U 6+2 v2;Core Gen10 Mobile; +SOC;;Lakefield;B2,B3;10;806a1;LKF;;Core w/Hybrid Technology; # sources: # https://en.wikichip.org/wiki/intel/cpuid diff --git a/SPECS/microcode-20201112.tar.gz b/SPECS/microcode-20201112.tar.gz new file mode 100644 index 0000000..b85e64b Binary files /dev/null and b/SPECS/microcode-20201112.tar.gz differ
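Review bot: In the new SPECS/06-8c-01_readme, the per-kernel instructions have no kernel version placeholder. The text says to create the file inside "/lib/firmware/ directory" and to run "dracut -f --kver " with no argument, while the example that follows uses /lib/firmware/3.10.0-862.9.1/ and "--kver 3.10.0-862.9.1". Name the placeholder in both places so the prose matches the example. Since this readme states that the update is disabled because of reported system hangs, it should also describe how to revert the force-intel-06-8c-01 override, so that an operator who forces the update and then sees hangs has a documented way back.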
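Review bot: The new "Intel Tiger Lake-UP3/UP4 caveat" section in SPECS/README.caveats does not say that the block applies to every 06-8c-01 system. It opens with "Some systems with Intel Tiger Lake-UP3/UP4 CPUs", but the Mitigation line disables loading "for the affected CPU model" as a whole. Say explicitly that all systems of this model are excluded by default, and carry over the advice from 06-8c-01_readme to contact the system vendor for a BIOS/firmware update, since that is the only update path left without the override. Wording also drifts between files added in this patch: "microcode-20201110 release" here versus "microcode-20201110 update" in the readme. Minor: "Caveat names: intel-06-8c-01" lacks the trailing period that "Affected microcode: intel-ucode/06-8c-01." has.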
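Review bot: The SPECS/codenames.list hunk adds only the Lakefield row (806a1), although the caveat introduced by this same patch is for Tiger Lake-UP3/UP4 (CPUID 0x806c1 per 06-8c-01_disclaimer). Please confirm that 806c1 already has an entry elsewhere in the list, or add one here. The new row also leaves the eighth field empty ("LKF;;Core w/Hybrid Technology;") where the neighbouring Comet Lake rows carry a value such as "U 6+2", and it uses "SOC" in the first column next to rows that use "Desktop" and "Mobile". If both are intentional, check that whatever parses this list accepts an empty field and that segment value.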
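Review bot: SPECS/microcode-20201112.tar.gz is added as an opaque binary ("Binary files /dev/null and b/SPECS/microcode-20201112.tar.gz differ"), and nothing visible in this diff records its expected digest or upstream origin, so the archive cannot be checked from the patch alone. Include the checksum and source location in the commit message or alongside the file. The documentation added here refers to "microcode-20201110" while the archive is named 20201112; one sentence relating the two versions would remove the ambiguity about which release the Tiger Lake caveat applies to.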