Compare commits

..

No commits in common. 'c10-beta' and 'c9' have entirely different histories.
c10-beta ... c9

6
.gitignore vendored

@ -1 +1,7 @@
SOURCES/06-2d-07
SOURCES/06-4e-03
SOURCES/06-55-04
SOURCES/06-5e-03
SOURCES/microcode-20190918.tar.gz
SOURCES/microcode-20191115.tar.gz
SOURCES/microcode-20240910.tar.gz

@ -1 +1,7 @@
bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03
2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
2815182aa376dba6d534bc087a27fe9f27def1d2 SOURCES/microcode-20240910.tar.gz

@ -0,0 +1,3 @@
model GenuineIntel 06-2d-07
path intel-ucode/06-2d-07
dependency required intel

@ -0,0 +1,4 @@
MDS-related microcode update for Intel Sandy Bridge-EP (family 6, model 45,
stepping 7; CPUID 0x206d7) CPUs is disabled.
Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme
and /usr/share/doc/microcode_ctl/README.caveats for details.

@ -0,0 +1,58 @@
Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7)
had issues with MDS-related microcode update that may lead to a system hang
after a microcode update[1][2]. In order to address this, microcode update
to the MDS-related revision 0x718 had been disabled, and the previously
published microcode revision 0x714 is used by default for the OS-driven
microcode update. The revision 0x71a of the microcode is intended to fix
the aforementioned issue, hence it is enabled by default (but can be disabled
explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
[2] https://access.redhat.com/solutions/4593951
For the reference, SHA1 checksums of 06-2d-07 microcode files containing
microcode revisions in question are listed below:
* 06-2d-07, revision 0x714: bcf2173cd3dd499c37defbc2533703cfa6ec2430
* 06-2d-07, revision 0x718: 837cfebbfc09b911151dfd179082ad99cf87e85d
* 06-2d-07, revision 0x71a: 4512c8149e63e5ed15f45005d7fb5be0041f66f6
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2017-5715 ("Spectre"):
https://access.redhat.com/articles/3436091
* CVE-2018-3639 ("Speculative Store Bypass"):
https://access.redhat.com/articles/3540901
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
https://access.redhat.com/articles/3562741
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151
The information regarding disabling microcode update is provided below.
To disable usage of the newer microcode revision for a specific kernel
version, please create file "disallow-intel-06-2d-07" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
where microcode will be available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated and the microcode can be loaded early, for example:
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-2d-07
/usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1
To avoid addition of the newer microcode revision for all kernels, please create
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07", run
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07
/usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.

@ -0,0 +1,4 @@
model GenuineIntel 06-4e-03
path intel-ucode/06-4e-03
dependency required intel
disable early late

@ -0,0 +1,5 @@
Microcode revisions 0xda and higher for Intel Skylake-U/Y (family 6,
model 78, stepping 3; CPUID 0x406e3) are disabled as they may cause system
instability; the previously published revision 0xd6 is used instead.
Please refer to /usr/share/doc/microcode_ctl/caveats/06-4e-03_readme
and /usr/share/doc/microcode_ctl/README.caveats for details.

@ -0,0 +1,90 @@
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
have reports of system hangs when revision 0xdc of microcode, that is included
since microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
and CVE-2020-0549, is applied[1]. In order to address this, microcode update
to the newer revision has been disabled by default on these systems,
and the previously published microcode revision 0xd6 is used by default
for the OS-driven microcode update.
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
For the reference, SHA1 checksums of 06-4e-03 microcode files containing
microcode revisions in question are listed below:
* 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e
* 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c
* 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366
* 06-4e-03, revision 0xea: 5a54cab9f22f69b819d663e5747ed6ea2a326c55
* 06-4e-03, revision 0xec: d949a8543d2464d955f5dc4b0777cac863f48729
* 06-4e-03, revision 0xf0: 37475bac70457ba8df2c1a32bba81bd7bd27d5e8
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2017-5715 ("Spectre"):
https://access.redhat.com/articles/3436091
* CVE-2018-3639 ("Speculative Store Bypass"):
https://access.redhat.com/articles/3540901
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
https://access.redhat.com/articles/3562741
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151
* CVE-2019-0117 (Intel SGX Information Leak),
CVE-2019-0123 (Intel SGX Privilege Escalation),
CVE-2019-11135 (TSX Asynchronous Abort),
CVE-2019-11139 (Voltage Setting Modulation):
https://access.redhat.com/solutions/2019-microcode-nov
* CVE-2020-0543 (Special Register Buffer Data Sampling),
CVE-2020-0548 (Vector Register Data Sampling),
CVE-2020-0549 (L1D Cache Eviction Sampling):
https://access.redhat.com/solutions/5142751
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
The information regarding enforcing microcode update is provided below.
To enforce usage of the latest 06-4e-03 microcode revision for a specific kernel
version, please create a file "force-intel-06-4e-03" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
where microcode will be available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated and the microcode can be loaded early, for example:
touch /lib/firmware/3.10.0-862.9.1/force-intel-06-4e-03
/usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1
After that, it is possible to perform a late microcode update by executing
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
"/sys/devices/system/cpu/microcode/reload" directly.
To enforce addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03", run
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
and "dracut -f --regenerate-all" for enabling early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03
/usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.

@ -0,0 +1,12 @@
model GenuineIntel 06-55-04
path intel-ucode/06-55-04
## Bug https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
## affects only SKX-W/X (Workstation and HEDT segments); product segment
## can be determined by checking bits 5..3 of the CAPID0 field in PCU registers
## device (see https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13
## for Server/FPGA/Fabric segments description; for SKX-W/X no public
## documentation seems to be available). Specific device/function numbers
## are provided for speeding up the search only, VID:DID is the real selector.
## Commented out since revision 0x2006906 seems to fix the issue.
#pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
dependency required intel

@ -0,0 +1,5 @@
Microcode revisions 0x2000065 and higher for Intel Skylake-X/W (family 6,
model 85, stepping 4; CPUID 0x50654) were disabled as they could cause system
hangs on reboot, so the previous revision 0x2000064 was used instead.
Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-04_readme
and /usr/share/doc/microcode_ctl/README.caveats for details.

@ -0,0 +1,99 @@
Intel Skylake Scalable Platform CPU models that belong to Workstation and HEDT
(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports
of system hangs on reboot when revision 0x2000065 of microcode, that was included
from microcode-20191112 update up to microcode-20200520 update, was applied[1].
In order to address this, microcode update to the newer revision had been
disabled by default on these systems, and the previously published microcode
revision 0x2000064 is used by default for the OS-driven microcode update.
Since revision 0x2006906 (included with the microcode-20200609 release)
it is reported that the issue is no longer present, so the newer microcode
revision is enabled by default now (but can be disabled explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
For the reference, SHA1 checksums of 06-55-04 microcode files containing
microcode revisions in question are listed below:
* 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
* 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
* 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
* 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
* 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
* 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
* 06-55-04, revision 0x2006c0a: 76b641375d136c08f5feb46aacebee40468ac085
* 06-55-04, revision 0x2006d05: dc4207cf4eb916ff34acbdddc474db0df781234f
* 06-55-04, revision 0x2006e05: bc67d247ad1c9a834bec5e452606db1381d6bc7e
* 06-55-04, revision 0x2006f05: c47277a6a47caedb518f311ce5d339528a8347e2
* 06-55-04, revision 0x2007006: 68ae0f321685ff97b50266bc20818f31563fc67c
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2017-5715 ("Spectre"):
https://access.redhat.com/articles/3436091
* CVE-2018-3639 ("Speculative Store Bypass"):
https://access.redhat.com/articles/3540901
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
https://access.redhat.com/articles/3562741
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151
* CVE-2019-0117 (Intel SGX Information Leak),
CVE-2019-0123 (Intel SGX Privilege Escalation),
CVE-2019-11135 (TSX Asynchronous Abort),
CVE-2019-11139 (Voltage Setting Modulation):
https://access.redhat.com/solutions/2019-microcode-nov
* CVE-2020-0543 (Special Register Buffer Data Sampling),
CVE-2020-0548 (Vector Register Data Sampling),
CVE-2020-0549 (L1D Cache Eviction Sampling):
https://access.redhat.com/solutions/5142751
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
CVE-2022-21136 (Overclocking service access protection),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
* CVE-2022-21233 (Stale Data Read from legacy xAPIC):
https://access.redhat.com/articles/6976398
The information regarding disabling microcode update is provided below.
To disable usage of the newer microcode revision for a specific kernel
version, please create a file "disallow-intel-06-55-04" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
so initramfs for this kernel version is regenerated, for example:
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04
/usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1
To disable usage of the newer microcode revision for all kernels, please create
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
used for late microcode updates, and run "dracut -f --regenerate-all"
so initramfs images get regenerated, for example:
mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04
/usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.

@ -0,0 +1,3 @@
model GenuineIntel 06-5e-03
path intel-ucode/06-5e-03
dependency required intel

@ -0,0 +1,5 @@
Microcode revisions 0xda and higher for Intel Skylake-H/S/Xeon E3 v5 (family 6,
model 94, stepping 3; CPUID 0x506e3) are disabled as they may cause system
instability; the previously published revision 0xd6 is used instead.
Please refer to /usr/share/doc/microcode_ctl/caveats/06-5e-03_readme
and /usr/share/doc/microcode_ctl/README.caveats for details.

@ -0,0 +1,89 @@
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) had reports of possible system hangs when revision 0xdc
of microcode, that is included in microcode-20200609 update to address
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order
to address this, microcode updates to the newer revision had been disabled
by default on these systems, and the previously published microcode revision
0xd6 was used by default for the OS-driven microcode update. The revision
0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
For the reference, SHA1 checksums of 06-5e-03 microcode files containing
microcode revisions in question are listed below:
* 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a
* 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7
* 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c
* 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8
* 06-5e-03, revision 0xec: 6458bf25da4906479a01ffdcaa6d466e22722e01
* 06-5e-03, revision 0xf0: 0683706bbbf470abbdad4b9923aa9647bfec9616
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2017-5715 ("Spectre"):
https://access.redhat.com/articles/3436091
* CVE-2018-3639 ("Speculative Store Bypass"):
https://access.redhat.com/articles/3540901
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
https://access.redhat.com/articles/3562741
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151
* CVE-2019-0117 (Intel SGX Information Leak),
CVE-2019-0123 (Intel SGX Privilege Escalation),
CVE-2019-11135 (TSX Asynchronous Abort),
CVE-2019-11139 (Voltage Setting Modulation):
https://access.redhat.com/solutions/2019-microcode-nov
* CVE-2020-0543 (Special Register Buffer Data Sampling),
CVE-2020-0548 (Vector Register Data Sampling),
CVE-2020-0549 (L1D Cache Eviction Sampling):
https://access.redhat.com/solutions/5142751
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
The information regarding disabling microcode update is provided below.
To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
version, please create a file "disallow-intel-06-5e-03" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
where microcode is available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated, for example:
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
/usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1
To avoid addition of the latest microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
/usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.

@ -0,0 +1,3 @@
model GenuineIntel 06-8c-01
path intel-ucode/06-8c-01
dependency required intel skip=success match-model-mode=off

@ -0,0 +1,4 @@
Microcode updates for Intel Tiger Lake-UP3/UP4 (family 6, model 140, stepping 1;
CPUID 0x806c1) are disabled as they may cause system instability.
Please refer to /usr/share/doc/microcode_ctl/caveats/06-8c-01_readme
and /usr/share/doc/microcode_ctl/README.caveats for details.

@ -0,0 +1,66 @@
Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
had reports of system hangs when a microcode update, that was included
since microcode-20201110 update, was applied[1]. In order to address this,
microcode update had been disabled by default on these systems. The revision
0x88 seems to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
For the reference, SHA1 checksums of 06-8c-01 microcode files containing
microcode revisions in question are listed below:
* 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04
* 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
* 06-8c-01, revision 0x9a: 48b3ae8d27d8138b5b47052d2f8184bf555ad18e
* 06-8c-01, revision 0xa4: 70753f54f5be84376bdebeb710595e4dc2f6d92f
* 06-8c-01, revision 0xa6: fdcf89e3a15a20df8aeee215b78bf5d13d731044
* 06-8c-01, revision 0xaa: cf84883f6b3184690c25ccade0b10fa839ac8657
* 06-8c-01, revision 0xac: b9f342e564a0be372ed1f4709263bf811feb022a
* 06-8c-01, revision 0xb4: 6596bb8696cde85538bb833d090f0b7a42d6ae14
* 06-8c-01, revision 0xb6: 76556e8248a89f38cd55a6c83dccc995ba176091
* 06-8c-01, revision 0xb8: 6e9b138d1db2934479b179af4a3a19e843c4b4e4
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0145 (Fast store forward predictor - Cross Domain Training):
https://access.redhat.com/articles/6716541
* CVE-2022-21123 (Shared Buffers Data Read):
https://access.redhat.com/articles/6963124
The information regarding disabling microcode update is provided below.
To disable 06-8c-01 microcode updates for a specific kernel
version, please create a file "disallow-intel-06-8c-01" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
directory where microcode is available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated, for example:
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
/usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1
To avoid addition of this microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:
mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
/usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.

@ -0,0 +1,5 @@
path intel-ucode/*
vendor GenuineIntel
dmi mode=fail-equal key=bios_vendor val="Dell Inc."
dependency required intel
disable early late

@ -0,0 +1,219 @@
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
and system instability during or after microcode update to revision 0xc6/0xca
(included as part of microcode-20191113/microcode-20191115 update that addressed
CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139)
and/or revision 0xd6 (included as part of microcode-20200609 update
that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549)
[1][2][3][4][5][6]. In order to address this, microcode update to the newer
revision has been disabled by default on these systems, and the previously
published microcode revisions 0xae/0xb4/0xb8 are used by default
for the OS-driven microcode update.
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33
[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34
[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35
[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097
This caveat contains revision 0xca of 06-[89]e-0x microcode publicly released
by Intel; for the latest revision of the microcode files, please refer to caveat
06-8e-9e-0x-dell.
For the reference, microarchitectures of the affected CPU models:
* Amber Lake-Y
* Kaby Lake-G/H/S/U/Y/Xeon E3
* Coffee Lake-H/S/U/Xeon E
* Comet Lake-U 4+2
* Whiskey Lake-U
Family names of the affected CPU models:
* 7th Generation Intel® Core™ Processor Family
* 8th Generation Intel® Core™ Processor Family
* 9th Generation Intel® Core™ Processor Family
* 10th Generation Intel® Core™ Processor Family (selected models)
* Intel® Celeron® Processor G Series
* Intel® Celeron® Processor 5000 Series
* Intel® Core™ X-series Processors (i7-7740X, i5-7640X only)
* Intel® Pentium® Gold Processor Series
* Intel® Pentium® Processor Series (selected models)
* Intel® Xeon® Processor E Family
* Intel® Xeon® Processor E3 v6 Family
SHA1 checksums of the microcode files containing microcode revisions
in question:
* 06-8e-09, revision 0xb4: e253c95c29c3eef6576db851dfa069d82a91256f
* 06-8e-0a, revision 0xb4: 45bcba494be07df9eeccff9627578095a97fba4d
* 06-8e-0b, revision 0xb8: 3e54bf91d642ad81ff07fe274d0cfb5d10d09c43
* 06-8e-0c, revision 0xb8: bf635c87177d6dc4e067ec11e1caeb19d3c325f0
* 06-9e-09, revision 0xb4: 42f68eec4ddb79dd6be0c95c4ce60e514e4504b1
* 06-9e-0a, revision 0xb4: 37c7cb394dd36610b57943578343723da67d50f0
* 06-9e-0b, revision 0xb4: b5399109d0a5ce8f5fb623ff942da0322b438b95
* 06-9e-0c, revision 0xae: 131bce89e4d210de8322ffbc6bd787f1af66a7df
* 06-9e-0d, revision 0xb8: 22511b007d1df55558d115abb13a1c23ea398317
* 06-8e-09, revision 0xca: 9afa1bae40995207afef13247f114be042d88083
* 06-8e-0a, revision 0xca: 1d90291cc25e17dc6c36c764cf8c06b41fed4c16
* 06-8e-0b, revision 0xca: 3fb1246a6594eff5e2c2076c63c600d734f10777
* 06-8e-0c, revision 0xca: e871540671f59b4fa5d0d454798f09a4d412aace
* 06-9e-09, revision 0xca: b5eed11108ab7ac1e675fe75d0e7454a400ddd35
* 06-9e-0a, revision 0xca: e472304aaa2f3815a32822cb111ab3f43bf3dfe4
* 06-9e-0b, revision 0xca: 78f47c5162da680878ed057dc7c853f9737c524b
* 06-9e-0c, revision 0xca: f23848a009928796a153cb9e8f44522136969408
* 06-9e-0d, revision 0xca: c7a3d469469ee828ba9faf91b67af881fceec3b7
* 06-8e-09, revision 0xd6: 2272c621768437d20e602207752201e0966e5a8c
* 06-8e-0a, revision 0xd6: 0b145afb88e028e612f04c2a86385e7d7c3fefc4
* 06-8e-0b, revision 0xd6: c3831b05da83be54f3acc451a1bce90f75e2e9e5
* 06-8e-0c, revision 0xd6: 4b8938a93e23f4b5a2d9de40b87f6afcfdc27c05
* 06-9e-09, revision 0xd6: 4bacba8c598508e7dd4e87e179586abe7a1a987f
* 06-9e-0a, revision 0xd6: 4c236afeef9f80ff3a286698fe7cef72926722f0
* 06-9e-0b, revision 0xd6: 2f9ab9b2ba29559ce177632281d7290a24fed2ef
* 06-9e-0c, revision 0xd6: 4b9059e519bcab6085b6c103f5d99e509fe0b2bb
* 06-9e-0d, revision 0xd6: 3a3b7edfd8126bb34b761b46a32102a622047899
* 06-8e-09, revision 0xde: 84d7514101eb8904834a3dacdee684b3c574245f
* 06-8e-0a, revision 0xe0: 080b9e3ebbcf6bb1eca0fb5f640e6bfbfe3a1e6e
* 06-8e-0b, revision 0xde: 80fed976231bbff4c7103e373498e07eef0bff31
* 06-8e-0c, revision 0xde: 84f160587fea4acb81451c8ff53dc51afba06343
* 06-9e-09, revision 0xde: 422026ffb2cca446693c586be98d0d9e7dfeb116
* 06-9e-0a, revision 0xde: b6c44b9fe26e1d6bafa27f37ffe010284294bf1c
* 06-9e-0b, revision 0xde: 6452937a0d359066b95f9e679a41a15490770312
* 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542
* 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c
* 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d
* 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8
* 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac
* 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3
* 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668
* 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4
* 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c
* 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4
* 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a
* 06-8e-09, revision 0xec: 78eb624be5e8084e438318bdad99f9ddc082def7
* 06-8e-0a, revision 0xec: 6c41a6ad412f48f81a9d5edf59dcdecc358398bf
* 06-8e-0b, revision 0xec: 89dd0de598c83eb9714f6839499f322dfce2b693
* 06-8e-0c, revision 0xec: 225ea349b9cb3b1b94e237deb797e0c60d14a84c
* 06-9e-09, revision 0xec: fc5c0206fe392a0ddad4dc9363fde2d3e3d1e681
* 06-9e-0a, revision 0xec: 128002076e4ac3c75697fb4efdf1f8ddcc971fbe
* 06-9e-0b, revision 0xec: ac8c3865a143b2e03869f15a5b86e560f60ad632
* 06-9e-0c, revision 0xec: 6e3d695290def517857c8e743dc65161479f0c04
* 06-9e-0d, revision 0xec: 58b1ec5fee7dd1a761ed901b374ccb978737a979
* 06-8e-09, revision 0xf0: 219e2b9168a09451b17813b97995cc59cc78b414
* 06-8e-0a, revision 0xf0: 3c4241d0b9d1a1a1e82d03b365fdd3b843006a7c
* 06-8e-0b, revision 0xf0: 79b61f034cba86e61641114bbab49ec0166c0f35
* 06-8e-0c, revision 0xf0: 11d166de440dbe9c440e90cb610ef4b9d48242b1
* 06-9e-09, revision 0xf0: 49e142da74e7298b2db738ff7dd1a9b0fa4e0c3e
* 06-9e-0a, revision 0xf0: 8de1d4a80cd683bf09854c33905c69d3d7ac7730
* 06-9e-0b, revision 0xf0: ff092c6ac8333f0abcd94f7d2e2088f31d960e62
* 06-9e-0c, revision 0xf0: 3702f21e87b75bea6f4b1ee0407b941ef31d4ad1
* 06-9e-0d, revision 0xf0: 226feaaa431eb76e734ab68efc2ea7b07aa3c7d9
* 06-8e-0c, revision 0xf4: 6a5e140bf8c046acb6958bad1db1fee66c8601ad
* 06-9e-0d, revision 0xf4: 3433d4394b05a9c8aefb9c46674bad7b7e934f11
* 06-8e-09, revision 0xf2: 2e67e55d7b805edcfaac57898088323df7315b25
* 06-8e-0a, revision 0xf2: f9e1dbeb969ded845b726c62336f243099714bcf
* 06-8e-0b, revision 0xf2: 3d45fbcbefd92dbbedf0eed04aeb29c7430c7c0e
* 06-8e-0c, revision 0xf6: bd37be38dbd046d4d66f126cfaa79e43bfe88c0d
* 06-9e-09, revision 0xf2: 716257544acf2c871d74e4627e7de86ee1024185
* 06-9e-0a, revision 0xf2: 933c5d6710195336381e15a160d36aaa52d358fd
* 06-9e-0b, revision 0xf2: 92eaafdb72f6d4231046aadb92caa0038e94fca8
* 06-9e-0c, revision 0xf2: ad8922b4f91b5214dd88c56c0a12d15edb9cea5b
* 06-9e-0d, revision 0xf8: 8fdea727c6ce46b26e0cffa6ee4ff1ba0c45cf14
* 06-8e-09, revision 0xf4: e059ab6b168f3831d624acc153e18ab1c8488570
* 06-8e-0a, revision 0xf4: d1ade1ccfe5c6105d0786dfe887696808954f8b4
* 06-8e-0b, revision 0xf4: 0bc93736f3f5b8b6569bebac4e9627ab923621e0
* 06-8e-0c, revision 0xf8: be93b4826a3f40219a9fc4fc5afa87b320279f6e
* 06-9e-09, revision 0xf4: 317564f3ac7b99b5900b91e2be3e23b9b66bc2c0
* 06-9e-0a, revision 0xf4: 9659f73e2c6081eb5c146c5ed763fa5db21df901
* 06-9e-0b, revision 0xf4: e60b567ad54da129d05a77e305cae4488579979d
* 06-9e-0c, revision 0xf4: 74d52a11a905dd7b254fa72b014c3bab8022ba3d
* 06-9e-0d, revision 0xfa: 484738563e793d5b90b94869dc06edf0407182f1
* 06-8e-0c, revision 0xfa: d2c2ed4634b2f345382991237bedb90430fcc0b3
* 06-9e-09, revision 0xf8: 69b8a5435bfb976ef5ec5930dae870e26835442e
* 06-9e-0a, revision 0xf6: c1f0f556cd203aa6e1d0d1ffb0a65b32f32692be
* 06-9e-0c, revision 0xf6: a8dfddd009f750b6528f93556b67d4eeca1e5dfa
* 06-9e-0d, revision 0xfc: a0ad865fd2d3b9d955a889c96fabc67da0235dda
* 06-8e-09, revision 0xf6: c2786ef2eb4feb8ac3e3efae83c361de3ad8df0d
* 06-8e-0a, revision 0xf6: 9bb2839d451ecee40c1eb08f40e4baec9a159e90
* 06-8e-0b, revision 0xf6: 7b60fc7d44654976df32971a45399b3b910f3390
* 06-8e-0c, revision 0xfc: 34efc9a54dc32082b898116840c0a1a1cef59e69
* 06-9e-0a, revision 0xf8: 880163a2da13ed1eae1654535d751a788de6fa3f
* 06-9e-0b, revision 0xf6: ca90c9139d0c1554f6d17ae1bdcf94d0faa6ece7
* 06-9e-0c, revision 0xf8: 97dcc36772894619ab28be8c35c4ff9f15d684ae
* 06-9e-0d, revision 0x100: 1a00b6a4373b95811c6396f2a0d8d497f4006fb7
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2017-5715 ("Spectre"):
https://access.redhat.com/articles/3436091
* CVE-2018-3639 ("Speculative Store Bypass"):
https://access.redhat.com/articles/3540901
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
https://access.redhat.com/articles/3562741
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151
* CVE-2019-0117 (Intel SGX Information Leak),
CVE-2019-0123 (Intel SGX Privilege Escalation),
CVE-2019-11135 (TSX Asynchronous Abort),
CVE-2019-11139 (Voltage Setting Modulation):
https://access.redhat.com/solutions/2019-microcode-nov
* CVE-2020-0543 (Special Register Buffer Data Sampling),
CVE-2020-0548 (Vector Register Data Sampling),
CVE-2020-0549 (L1D Cache Eviction Sampling):
https://access.redhat.com/solutions/5142751
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
The information regarding disabling microcode update is provided below.
To disable usage of the newer microcode revision for a specific kernel
version, please create a file "disallow-intel-06-8e-9e-0x-0xca" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
so initramfs for this kernel version is regenerated, for example:
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8e-9e-0x-0xca
/usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1
To disable usage of the newer microcode revision for all kernels, please create
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0x-0xca",
run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
used for late microcode updates, and run "dracut -f --regenerate-all"
so initramfs images get regenerated, for example:
mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0xca
/usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.

@ -0,0 +1,7 @@
path intel-ucode/*
vendor GenuineIntel
## It is deemed that blacklisting all 06-[89]e-0x models on all hardware
## in cases where no model filter is used is too broad, hence
## no-model-mode=success.
dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc."
dependency required intel

@ -0,0 +1,7 @@
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
and system instability during or after microcode update to newer revisions.
In order to address this, microcode update to these newer revision
has been disabled by default on these systems, and the previously published
microcode revisions are used by default for the OS-driven microcode update.
Please refer to /usr/share/doc/microcode_ctl/caveats/06-8e-9e-0x-dell_readme
and /usr/share/doc/microcode_ctl/README.caveats for details.

@ -0,0 +1,219 @@
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
and system instability during or after microcode update to revision 0xc6/0xca
(included as part of microcode-20191113/microcode-20191115 update that addressed
CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139)
and/or revision 0xd6 (included as part of microcode-20200609 update
that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549)
[1][2][3][4][5][6]. In order to address this, microcode update to the newer
revision has been disabled by default on these systems, and the previously
published microcode revisions 0xae/0xb4/0xb8 are used by default
for the OS-driven microcode update.
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33
[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34
[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35
[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097
This caveat contains latest microcode revisions publicly released by Intel;
for the revision 0xca of the microcode files, please refer to caveat
06-8e-9e-0x-0xca.
For the reference, microarchitectures of the affected CPU models:
* Amber Lake-Y
* Kaby Lake-G/H/S/U/X/Y/Xeon E3
* Coffee Lake-H/S/U/Xeon E
* Comet Lake-U 4+2
* Whiskey Lake-U
Family names of the affected CPU models:
* 7th Generation Intel® Core™ Processor Family
* 8th Generation Intel® Core™ Processor Family
* 9th Generation Intel® Core™ Processor Family
* 10th Generation Intel® Core™ Processor Family (selected models)
* Intel® Celeron® Processor G Series
* Intel® Celeron® Processor 5000 Series
* Intel® Core™ X-series Processors (i7-7740X, i5-7640X only)
* Intel® Pentium® Gold Processor Series
* Intel® Pentium® Processor Series (selected models)
* Intel® Xeon® Processor E Family
* Intel® Xeon® Processor E3 v6 Family
SHA1 checksums of the microcode files containing microcode revisions
in question:
* 06-8e-09, revision 0xb4: e253c95c29c3eef6576db851dfa069d82a91256f
* 06-8e-0a, revision 0xb4: 45bcba494be07df9eeccff9627578095a97fba4d
* 06-8e-0b, revision 0xb8: 3e54bf91d642ad81ff07fe274d0cfb5d10d09c43
* 06-8e-0c, revision 0xb8: bf635c87177d6dc4e067ec11e1caeb19d3c325f0
* 06-9e-09, revision 0xb4: 42f68eec4ddb79dd6be0c95c4ce60e514e4504b1
* 06-9e-0a, revision 0xb4: 37c7cb394dd36610b57943578343723da67d50f0
* 06-9e-0b, revision 0xb4: b5399109d0a5ce8f5fb623ff942da0322b438b95
* 06-9e-0c, revision 0xae: 131bce89e4d210de8322ffbc6bd787f1af66a7df
* 06-9e-0d, revision 0xb8: 22511b007d1df55558d115abb13a1c23ea398317
* 06-8e-09, revision 0xca: 9afa1bae40995207afef13247f114be042d88083
* 06-8e-0a, revision 0xca: 1d90291cc25e17dc6c36c764cf8c06b41fed4c16
* 06-8e-0b, revision 0xca: 3fb1246a6594eff5e2c2076c63c600d734f10777
* 06-8e-0c, revision 0xca: e871540671f59b4fa5d0d454798f09a4d412aace
* 06-9e-09, revision 0xca: b5eed11108ab7ac1e675fe75d0e7454a400ddd35
* 06-9e-0a, revision 0xca: e472304aaa2f3815a32822cb111ab3f43bf3dfe4
* 06-9e-0b, revision 0xca: 78f47c5162da680878ed057dc7c853f9737c524b
* 06-9e-0c, revision 0xca: f23848a009928796a153cb9e8f44522136969408
* 06-9e-0d, revision 0xca: c7a3d469469ee828ba9faf91b67af881fceec3b7
* 06-8e-09, revision 0xd6: 2272c621768437d20e602207752201e0966e5a8c
* 06-8e-0a, revision 0xd6: 0b145afb88e028e612f04c2a86385e7d7c3fefc4
* 06-8e-0b, revision 0xd6: c3831b05da83be54f3acc451a1bce90f75e2e9e5
* 06-8e-0c, revision 0xd6: 4b8938a93e23f4b5a2d9de40b87f6afcfdc27c05
* 06-9e-09, revision 0xd6: 4bacba8c598508e7dd4e87e179586abe7a1a987f
* 06-9e-0a, revision 0xd6: 4c236afeef9f80ff3a286698fe7cef72926722f0
* 06-9e-0b, revision 0xd6: 2f9ab9b2ba29559ce177632281d7290a24fed2ef
* 06-9e-0c, revision 0xd6: 4b9059e519bcab6085b6c103f5d99e509fe0b2bb
* 06-9e-0d, revision 0xd6: 3a3b7edfd8126bb34b761b46a32102a622047899
* 06-8e-09, revision 0xde: 84d7514101eb8904834a3dacdee684b3c574245f
* 06-8e-0a, revision 0xe0: 080b9e3ebbcf6bb1eca0fb5f640e6bfbfe3a1e6e
* 06-8e-0b, revision 0xde: 80fed976231bbff4c7103e373498e07eef0bff31
* 06-8e-0c, revision 0xde: 84f160587fea4acb81451c8ff53dc51afba06343
* 06-9e-09, revision 0xde: 422026ffb2cca446693c586be98d0d9e7dfeb116
* 06-9e-0a, revision 0xde: b6c44b9fe26e1d6bafa27f37ffe010284294bf1c
* 06-9e-0b, revision 0xde: 6452937a0d359066b95f9e679a41a15490770312
* 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542
* 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c
* 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d
* 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8
* 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac
* 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3
* 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668
* 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4
* 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c
* 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4
* 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a
* 06-8e-09, revision 0xec: 78eb624be5e8084e438318bdad99f9ddc082def7
* 06-8e-0a, revision 0xec: 6c41a6ad412f48f81a9d5edf59dcdecc358398bf
* 06-8e-0b, revision 0xec: 89dd0de598c83eb9714f6839499f322dfce2b693
* 06-8e-0c, revision 0xec: 225ea349b9cb3b1b94e237deb797e0c60d14a84c
* 06-9e-09, revision 0xec: fc5c0206fe392a0ddad4dc9363fde2d3e3d1e681
* 06-9e-0a, revision 0xec: 128002076e4ac3c75697fb4efdf1f8ddcc971fbe
* 06-9e-0b, revision 0xec: ac8c3865a143b2e03869f15a5b86e560f60ad632
* 06-9e-0c, revision 0xec: 6e3d695290def517857c8e743dc65161479f0c04
* 06-9e-0d, revision 0xec: 58b1ec5fee7dd1a761ed901b374ccb978737a979
* 06-8e-09, revision 0xf0: 219e2b9168a09451b17813b97995cc59cc78b414
* 06-8e-0a, revision 0xf0: 3c4241d0b9d1a1a1e82d03b365fdd3b843006a7c
* 06-8e-0b, revision 0xf0: 79b61f034cba86e61641114bbab49ec0166c0f35
* 06-8e-0c, revision 0xf0: 11d166de440dbe9c440e90cb610ef4b9d48242b1
* 06-9e-09, revision 0xf0: 49e142da74e7298b2db738ff7dd1a9b0fa4e0c3e
* 06-9e-0a, revision 0xf0: 8de1d4a80cd683bf09854c33905c69d3d7ac7730
* 06-9e-0b, revision 0xf0: ff092c6ac8333f0abcd94f7d2e2088f31d960e62
* 06-9e-0c, revision 0xf0: 3702f21e87b75bea6f4b1ee0407b941ef31d4ad1
* 06-9e-0d, revision 0xf0: 226feaaa431eb76e734ab68efc2ea7b07aa3c7d9
* 06-8e-0c, revision 0xf4: 6a5e140bf8c046acb6958bad1db1fee66c8601ad
* 06-9e-0d, revision 0xf4: 3433d4394b05a9c8aefb9c46674bad7b7e934f11
* 06-8e-09, revision 0xf2: 2e67e55d7b805edcfaac57898088323df7315b25
* 06-8e-0a, revision 0xf2: f9e1dbeb969ded845b726c62336f243099714bcf
* 06-8e-0b, revision 0xf2: 3d45fbcbefd92dbbedf0eed04aeb29c7430c7c0e
* 06-8e-0c, revision 0xf6: bd37be38dbd046d4d66f126cfaa79e43bfe88c0d
* 06-9e-09, revision 0xf2: 716257544acf2c871d74e4627e7de86ee1024185
* 06-9e-0a, revision 0xf2: 933c5d6710195336381e15a160d36aaa52d358fd
* 06-9e-0b, revision 0xf2: 92eaafdb72f6d4231046aadb92caa0038e94fca8
* 06-9e-0c, revision 0xf2: ad8922b4f91b5214dd88c56c0a12d15edb9cea5b
* 06-9e-0d, revision 0xf8: 8fdea727c6ce46b26e0cffa6ee4ff1ba0c45cf14
* 06-8e-09, revision 0xf4: e059ab6b168f3831d624acc153e18ab1c8488570
* 06-8e-0a, revision 0xf4: d1ade1ccfe5c6105d0786dfe887696808954f8b4
* 06-8e-0b, revision 0xf4: 0bc93736f3f5b8b6569bebac4e9627ab923621e0
* 06-8e-0c, revision 0xf8: be93b4826a3f40219a9fc4fc5afa87b320279f6e
* 06-9e-09, revision 0xf4: 317564f3ac7b99b5900b91e2be3e23b9b66bc2c0
* 06-9e-0a, revision 0xf4: 9659f73e2c6081eb5c146c5ed763fa5db21df901
* 06-9e-0b, revision 0xf4: e60b567ad54da129d05a77e305cae4488579979d
* 06-9e-0c, revision 0xf4: 74d52a11a905dd7b254fa72b014c3bab8022ba3d
* 06-9e-0d, revision 0xfa: 484738563e793d5b90b94869dc06edf0407182f1
* 06-8e-0c, revision 0xfa: d2c2ed4634b2f345382991237bedb90430fcc0b3
* 06-9e-09, revision 0xf8: 69b8a5435bfb976ef5ec5930dae870e26835442e
* 06-9e-0a, revision 0xf6: c1f0f556cd203aa6e1d0d1ffb0a65b32f32692be
* 06-9e-0c, revision 0xf6: a8dfddd009f750b6528f93556b67d4eeca1e5dfa
* 06-9e-0d, revision 0xfc: a0ad865fd2d3b9d955a889c96fabc67da0235dda
* 06-8e-09, revision 0xf6: c2786ef2eb4feb8ac3e3efae83c361de3ad8df0d
* 06-8e-0a, revision 0xf6: 9bb2839d451ecee40c1eb08f40e4baec9a159e90
* 06-8e-0b, revision 0xf6: 7b60fc7d44654976df32971a45399b3b910f3390
* 06-8e-0c, revision 0xfc: 34efc9a54dc32082b898116840c0a1a1cef59e69
* 06-9e-0a, revision 0xf8: 880163a2da13ed1eae1654535d751a788de6fa3f
* 06-9e-0b, revision 0xf6: ca90c9139d0c1554f6d17ae1bdcf94d0faa6ece7
* 06-9e-0c, revision 0xf8: 97dcc36772894619ab28be8c35c4ff9f15d684ae
* 06-9e-0d, revision 0x100: 1a00b6a4373b95811c6396f2a0d8d497f4006fb7
Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version. For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
* CVE-2017-5715 ("Spectre"):
https://access.redhat.com/articles/3436091
* CVE-2018-3639 ("Speculative Store Bypass"):
https://access.redhat.com/articles/3540901
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
https://access.redhat.com/articles/3562741
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
("Microarchitectural Data Sampling"):
https://access.redhat.com/articles/4138151
* CVE-2019-0117 (Intel SGX Information Leak),
CVE-2019-0123 (Intel SGX Privilege Escalation),
CVE-2019-11135 (TSX Asynchronous Abort),
CVE-2019-11139 (Voltage Setting Modulation):
https://access.redhat.com/solutions/2019-microcode-nov
* CVE-2020-0543 (Special Register Buffer Data Sampling),
CVE-2020-0548 (Vector Register Data Sampling),
CVE-2020-0549 (L1D Cache Eviction Sampling):
https://access.redhat.com/solutions/5142751
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
CVE-2020-8696 (Vector Register Leakage-Active),
CVE-2020-8698 (Fast Forward Store Predictor):
https://access.redhat.com/articles/5569051
* CVE-2020-24489 (VT-d-related Privilege Escalation),
CVE-2020-24511 (Improper Isolation of Shared Resources),
CVE-2020-24512 (Observable Timing Discrepancy),
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
https://access.redhat.com/articles/6101171
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
https://access.redhat.com/articles/6716541
* CVE-2022-0005 (Informational disclosure via JTAG),
CVE-2022-21123 (Shared Buffers Data Read),
CVE-2022-21125 (Shared Buffers Data Sampling),
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
CVE-2022-21166 (Device Register Partial Write):
https://access.redhat.com/articles/6963124
The information regarding disabling microcode update is provided below.
To disable usage of the newer microcode revision for a specific kernel
version, please create a file "disallow-intel-06-8e-9e-0x-dell" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
so initramfs for this kernel version is regenerated, for example:
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8e-9e-0x-dell
/usr/libexec/microcode_ctl/update_ucode
dracut -f --kver 3.10.0-862.9.1
To disable usage of the newer microcode revision for all kernels, please create
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0x-dell",
run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
used for late microcode updates, and run "dracut -f --regenerate-all"
so initramfs images get regenerated, for example:
mkdir -p /etc/microcode_ctl/ucode_with_caveats
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-dell
/usr/libexec/microcode_ctl/update_ucode
dracut -f --regenerate-all
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.

@ -651,6 +651,178 @@ Minimum versions of the kernel package that contain the fix:
- RHEL 7.2: 3.10.0-327.73.1
Intel Sandy Bridge-E/EN/EP caveat
---------------------------------
Microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6,
model 45, stepping 7), that was released to address MDS vulnerability,
and was available from microcode-20190618 up to microcode-20190508 release)
could lead to system instability[1][2]. In order to address this,
this microcode update was not used and the previous microcode revision
was provided instead by default; the microcode file, however, was still shipped
as part of microcode_ctl package and could be used for performing a microcode
update if it is enforced via the aforementioned overrides. With the release
of 0x71a revision of the microcode (as art of microcode-20200520 release)
that aims at fixing the aforementioned stability issue, the latest microcode
revision is again used by default; it is still provided via the caveat
mechanism, hovewer, in order to enable ability to disable it in case such
a need arises. (See the sections "check_caveats script" and "reload_microcode
script" for details regarding caveats mechanism operation.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
[2] https://access.redhat.com/solutions/4593951
Caveat name: intel-06-2d-07
Affected microcode: intel-ucode/06-2d-07.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0x714 is still available as a fallback
as part of "intel" caveat.
Intel Skylake-SP/W/X caveat
---------------------------
Microcode revision 0x2000065 (that was provided with microcode releases
microcode-20191112 up to microcode-20200520) for some CPU models that belong
to Intel Skylake Scalable Platform (SKL-W/X, family 6, model 85, stepping 4,
Workstation/HEDT segments) could lead to hangs during reboot[1]. In order
to address this, by default this microcode update was disabled by default and
and the previous 0x2000064 microcode revision was used instead; the microcode
file with, however, is still shipped as part of microcode_ctl package and can
be used for performing a microcode update if it is enforced
via the aforementioned overrides. With the availability of 0x2006906 revision
of the microcode (in the microcode-20200609 release) that fixes
the aforementioned issue, the latest microcode revision is again used
by default; it is still provided via caveat mechanism, hovewer, in order
to enable ability to disable it in case such a need arises. (See the sections
"check_caveats script" and "reload_microcode script" for details regarding
caveats mechanism operation.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
Caveat name: intel-06-55-04
Affected microcode: intel-ucode/06-55-04.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0x2000064 is still available
as a fallback as part of "intel" caveat.
Intel Skylake-U/Y caveat
------------------------
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
have reports of system hangs when revision 0xdc of microcode, that is included
in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
and CVE-2020-0549, is applied[1]. In order to address this, microcode update
to the newer revision has been disabled by default on these systems,
and the previously published microcode revision 0xd6 is used instead; the newer
microcode files, however, are still shipped as part of microcode_ctl package
and can be used for performing a microcode update if they are enforced
via the aforementioned overrides. (See the sections "check_caveats script"
and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
Caveat name: intel-06-4e-03
Affected microcode: intel-ucode/06-4e-03
Dependencies: intel
Mitigation: previously published microcode revision 0xd6 is used by default.
Intel Skylake-H/S/Xeon E3 v5 caveat
-----------------------------------
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) had reports of system hangs when revision 0xdc of microcode,
that is included in microcode-20200609 update to address CVE-2020-0543,
CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order to address this,
microcode update to the newer revision had been disabled by default on these
systems, and the previously published microcode revision 0xd6 was used instead.
The revision 0xea seems[2] to have fixed the aforementioned issue, hence
the latest microcode revision usage it is enabled by default,
but can be disabled explicitly via the aforementioned overrides. (See
the sections "check_caveats script" and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
Caveat names: intel-06-5e-03
Affected microcode: intel-ucode/06-5e-03.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default;
previously published microcode revision 0xd6 is still available as a fallback
as part of "intel" caveat.
Dell caveats
------------
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
and system instability during or after microcode update to revision 0xc6/0xca
(included as part of microcode-20191113/microcode-20191115 update that addressed
CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139)
and/or revision 0xd6 (included as part of microcode-20200609 update
that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549)
[1][2][3][4][5][6]. In order to address this, microcode update to the newer
revision has been disabled by default on these systems, and the previously
published microcode revisions 0xae/0xb4/0xb8 are used by default
for the OS-driven microcode update.
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33
[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34
[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35
[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097
Caveat names: intel-06-8e-9e-0x-dell, intel-06-8e-9e-0x-0xca
Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a,
intel-ucode/06-8e-0b, intel-ucode/06-8e-0c,
intel-ucode/06-9e-09, intel-ucode/06-9e-0a,
intel-ucode/06-9e-0b, intel-ucode/06-9e-0c,
intel-ucode/06-9e-0d.
Dependencies: intel
Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
by default if /sys/devices/virtual/dmi/id/bios_vendor reports
"Dell Inc."; otherwise, the latest microcode revision is used.
Caveat with revision 0xca of microcode files is provided
as a convenience for the cases where it was working well before.
Intel Tiger Lake-UP3/UP4 caveat
-------------------------------
Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140,
stepping 1) had reports of system hangs when a microcode update,
that was included since microcode-20201110 release, was applied[1].
In order to address this, microcode update to a newer revision had been disabled
by default on these systems. The revision 0x88 seems to have fixed
the aforementioned issue, hence it is enabled by default; however, it is still
can be disabled via the aforementioned overrides. (See the sections
"check_caveats script" and "reload_microcode script" for details.)
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
Caveat names: intel-06-8c-01
Affected microcode: intel-ucode/06-8c-01.
Dependencies: intel
Mitigation: None; the latest revision of the microcode file is used by default.
Additional information
======================

File diff suppressed because it is too large Load Diff
Loading…
Cancel
Save