Compare commits
No commits in common. 'i10c-beta' and 'c9' have entirely different histories.
@ -1 +1,7 @@
|
|||||||
|
SOURCES/06-2d-07
|
||||||
|
SOURCES/06-4e-03
|
||||||
|
SOURCES/06-55-04
|
||||||
|
SOURCES/06-5e-03
|
||||||
|
SOURCES/microcode-20190918.tar.gz
|
||||||
|
SOURCES/microcode-20191115.tar.gz
|
||||||
SOURCES/microcode-20240910.tar.gz
|
SOURCES/microcode-20240910.tar.gz
|
||||||
|
@ -1 +1,7 @@
|
|||||||
|
bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
|
||||||
|
06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03
|
||||||
|
2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
|
||||||
|
86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
|
||||||
|
bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
|
||||||
|
774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
|
||||||
2815182aa376dba6d534bc087a27fe9f27def1d2 SOURCES/microcode-20240910.tar.gz
|
2815182aa376dba6d534bc087a27fe9f27def1d2 SOURCES/microcode-20240910.tar.gz
|
||||||
|
@ -0,0 +1,3 @@
|
|||||||
|
model GenuineIntel 06-2d-07
|
||||||
|
path intel-ucode/06-2d-07
|
||||||
|
dependency required intel
|
@ -0,0 +1,4 @@
|
|||||||
|
MDS-related microcode update for Intel Sandy Bridge-EP (family 6, model 45,
|
||||||
|
stepping 7; CPUID 0x206d7) CPUs is disabled.
|
||||||
|
Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme
|
||||||
|
and /usr/share/doc/microcode_ctl/README.caveats for details.
|
@ -0,0 +1,58 @@
|
|||||||
|
Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7)
|
||||||
|
had issues with MDS-related microcode update that may lead to a system hang
|
||||||
|
after a microcode update[1][2]. In order to address this, microcode update
|
||||||
|
to the MDS-related revision 0x718 had been disabled, and the previously
|
||||||
|
published microcode revision 0x714 is used by default for the OS-driven
|
||||||
|
microcode update. The revision 0x71a of the microcode is intended to fix
|
||||||
|
the aforementioned issue, hence it is enabled by default (but can be disabled
|
||||||
|
explicitly; see below).
|
||||||
|
|
||||||
|
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
|
||||||
|
[2] https://access.redhat.com/solutions/4593951
|
||||||
|
|
||||||
|
For the reference, SHA1 checksums of 06-2d-07 microcode files containing
|
||||||
|
microcode revisions in question are listed below:
|
||||||
|
* 06-2d-07, revision 0x714: bcf2173cd3dd499c37defbc2533703cfa6ec2430
|
||||||
|
* 06-2d-07, revision 0x718: 837cfebbfc09b911151dfd179082ad99cf87e85d
|
||||||
|
* 06-2d-07, revision 0x71a: 4512c8149e63e5ed15f45005d7fb5be0041f66f6
|
||||||
|
|
||||||
|
Please contact your system vendor for a BIOS/firmware update that contains
|
||||||
|
the latest microcode version. For the information regarding microcode versions
|
||||||
|
required for mitigating specific side-channel cache attacks, please refer
|
||||||
|
to the following knowledge base articles:
|
||||||
|
* CVE-2017-5715 ("Spectre"):
|
||||||
|
https://access.redhat.com/articles/3436091
|
||||||
|
* CVE-2018-3639 ("Speculative Store Bypass"):
|
||||||
|
https://access.redhat.com/articles/3540901
|
||||||
|
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
|
||||||
|
https://access.redhat.com/articles/3562741
|
||||||
|
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
|
||||||
|
("Microarchitectural Data Sampling"):
|
||||||
|
https://access.redhat.com/articles/4138151
|
||||||
|
|
||||||
|
The information regarding disabling microcode update is provided below.
|
||||||
|
|
||||||
|
To disable usage of the newer microcode revision for a specific kernel
|
||||||
|
version, please create file "disallow-intel-06-2d-07" inside
|
||||||
|
/lib/firmware/<kernel_version> directory, run
|
||||||
|
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
|
||||||
|
where microcode will be available for late microcode update, and run
|
||||||
|
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
|
||||||
|
is regenerated and the microcode can be loaded early, for example:
|
||||||
|
|
||||||
|
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-2d-07
|
||||||
|
/usr/libexec/microcode_ctl/update_ucode
|
||||||
|
dracut -f --kver 3.10.0-862.9.1
|
||||||
|
|
||||||
|
To avoid addition of the newer microcode revision for all kernels, please create
|
||||||
|
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07", run
|
||||||
|
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
|
||||||
|
and "dracut -f --regenerate-all" for early microcode updates:
|
||||||
|
|
||||||
|
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
||||||
|
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07
|
||||||
|
/usr/libexec/microcode_ctl/update_ucode
|
||||||
|
dracut -f --regenerate-all
|
||||||
|
|
||||||
|
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
||||||
|
information.
|
@ -0,0 +1,4 @@
|
|||||||
|
model GenuineIntel 06-4e-03
|
||||||
|
path intel-ucode/06-4e-03
|
||||||
|
dependency required intel
|
||||||
|
disable early late
|
@ -0,0 +1,5 @@
|
|||||||
|
Microcode revisions 0xda and higher for Intel Skylake-U/Y (family 6,
|
||||||
|
model 78, stepping 3; CPUID 0x406e3) are disabled as they may cause system
|
||||||
|
instability; the previously published revision 0xd6 is used instead.
|
||||||
|
Please refer to /usr/share/doc/microcode_ctl/caveats/06-4e-03_readme
|
||||||
|
and /usr/share/doc/microcode_ctl/README.caveats for details.
|
@ -0,0 +1,90 @@
|
|||||||
|
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
|
||||||
|
have reports of system hangs when revision 0xdc of microcode, that is included
|
||||||
|
since microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
|
||||||
|
and CVE-2020-0549, is applied[1]. In order to address this, microcode update
|
||||||
|
to the newer revision has been disabled by default on these systems,
|
||||||
|
and the previously published microcode revision 0xd6 is used by default
|
||||||
|
for the OS-driven microcode update.
|
||||||
|
|
||||||
|
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
|
||||||
|
|
||||||
|
For the reference, SHA1 checksums of 06-4e-03 microcode files containing
|
||||||
|
microcode revisions in question are listed below:
|
||||||
|
* 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e
|
||||||
|
* 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c
|
||||||
|
* 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366
|
||||||
|
* 06-4e-03, revision 0xea: 5a54cab9f22f69b819d663e5747ed6ea2a326c55
|
||||||
|
* 06-4e-03, revision 0xec: d949a8543d2464d955f5dc4b0777cac863f48729
|
||||||
|
* 06-4e-03, revision 0xf0: 37475bac70457ba8df2c1a32bba81bd7bd27d5e8
|
||||||
|
|
||||||
|
Please contact your system vendor for a BIOS/firmware update that contains
|
||||||
|
the latest microcode version. For the information regarding microcode versions
|
||||||
|
required for mitigating specific side-channel cache attacks, please refer
|
||||||
|
to the following knowledge base articles:
|
||||||
|
* CVE-2017-5715 ("Spectre"):
|
||||||
|
https://access.redhat.com/articles/3436091
|
||||||
|
* CVE-2018-3639 ("Speculative Store Bypass"):
|
||||||
|
https://access.redhat.com/articles/3540901
|
||||||
|
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
|
||||||
|
https://access.redhat.com/articles/3562741
|
||||||
|
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
|
||||||
|
("Microarchitectural Data Sampling"):
|
||||||
|
https://access.redhat.com/articles/4138151
|
||||||
|
* CVE-2019-0117 (Intel SGX Information Leak),
|
||||||
|
CVE-2019-0123 (Intel SGX Privilege Escalation),
|
||||||
|
CVE-2019-11135 (TSX Asynchronous Abort),
|
||||||
|
CVE-2019-11139 (Voltage Setting Modulation):
|
||||||
|
https://access.redhat.com/solutions/2019-microcode-nov
|
||||||
|
* CVE-2020-0543 (Special Register Buffer Data Sampling),
|
||||||
|
CVE-2020-0548 (Vector Register Data Sampling),
|
||||||
|
CVE-2020-0549 (L1D Cache Eviction Sampling):
|
||||||
|
https://access.redhat.com/solutions/5142751
|
||||||
|
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
|
||||||
|
CVE-2020-8696 (Vector Register Leakage-Active),
|
||||||
|
CVE-2020-8698 (Fast Forward Store Predictor):
|
||||||
|
https://access.redhat.com/articles/5569051
|
||||||
|
* CVE-2020-24489 (VT-d-related Privilege Escalation),
|
||||||
|
CVE-2020-24511 (Improper Isolation of Shared Resources),
|
||||||
|
CVE-2020-24512 (Observable Timing Discrepancy),
|
||||||
|
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
|
||||||
|
https://access.redhat.com/articles/6101171
|
||||||
|
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
|
||||||
|
https://access.redhat.com/articles/6716541
|
||||||
|
* CVE-2022-0005 (Informational disclosure via JTAG),
|
||||||
|
CVE-2022-21123 (Shared Buffers Data Read),
|
||||||
|
CVE-2022-21125 (Shared Buffers Data Sampling),
|
||||||
|
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
|
||||||
|
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
|
||||||
|
CVE-2022-21166 (Device Register Partial Write):
|
||||||
|
https://access.redhat.com/articles/6963124
|
||||||
|
|
||||||
|
The information regarding enforcing microcode update is provided below.
|
||||||
|
|
||||||
|
To enforce usage of the latest 06-4e-03 microcode revision for a specific kernel
|
||||||
|
version, please create a file "force-intel-06-4e-03" inside
|
||||||
|
/lib/firmware/<kernel_version> directory, run
|
||||||
|
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
|
||||||
|
where microcode will be available for late microcode update, and run
|
||||||
|
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
|
||||||
|
is regenerated and the microcode can be loaded early, for example:
|
||||||
|
|
||||||
|
touch /lib/firmware/3.10.0-862.9.1/force-intel-06-4e-03
|
||||||
|
/usr/libexec/microcode_ctl/update_ucode
|
||||||
|
dracut -f --kver 3.10.0-862.9.1
|
||||||
|
|
||||||
|
After that, it is possible to perform a late microcode update by executing
|
||||||
|
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
|
||||||
|
"/sys/devices/system/cpu/microcode/reload" directly.
|
||||||
|
|
||||||
|
To enforce addition of this microcode for all kernels, please create file
|
||||||
|
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03", run
|
||||||
|
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
|
||||||
|
and "dracut -f --regenerate-all" for enabling early microcode updates:
|
||||||
|
|
||||||
|
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
||||||
|
touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03
|
||||||
|
/usr/libexec/microcode_ctl/update_ucode
|
||||||
|
dracut -f --regenerate-all
|
||||||
|
|
||||||
|
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
||||||
|
information.
|
@ -0,0 +1,12 @@
|
|||||||
|
model GenuineIntel 06-55-04
|
||||||
|
path intel-ucode/06-55-04
|
||||||
|
## Bug https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
|
||||||
|
## affects only SKX-W/X (Workstation and HEDT segments); product segment
|
||||||
|
## can be determined by checking bits 5..3 of the CAPID0 field in PCU registers
|
||||||
|
## device (see https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13
|
||||||
|
## for Server/FPGA/Fabric segments description; for SKX-W/X no public
|
||||||
|
## documentation seems to be available). Specific device/function numbers
|
||||||
|
## are provided for speeding up the search only, VID:DID is the real selector.
|
||||||
|
## Commented out since revision 0x2006906 seems to fix the issue.
|
||||||
|
#pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
|
||||||
|
dependency required intel
|
@ -0,0 +1,5 @@
|
|||||||
|
Microcode revisions 0x2000065 and higher for Intel Skylake-X/W (family 6,
|
||||||
|
model 85, stepping 4; CPUID 0x50654) were disabled as they could cause system
|
||||||
|
hangs on reboot, so the previous revision 0x2000064 was used instead.
|
||||||
|
Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-04_readme
|
||||||
|
and /usr/share/doc/microcode_ctl/README.caveats for details.
|
@ -0,0 +1,99 @@
|
|||||||
|
Intel Skylake Scalable Platform CPU models that belong to Workstation and HEDT
|
||||||
|
(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports
|
||||||
|
of system hangs on reboot when revision 0x2000065 of microcode, that was included
|
||||||
|
from microcode-20191112 update up to microcode-20200520 update, was applied[1].
|
||||||
|
In order to address this, microcode update to the newer revision had been
|
||||||
|
disabled by default on these systems, and the previously published microcode
|
||||||
|
revision 0x2000064 is used by default for the OS-driven microcode update.
|
||||||
|
|
||||||
|
Since revision 0x2006906 (included with the microcode-20200609 release)
|
||||||
|
it is reported that the issue is no longer present, so the newer microcode
|
||||||
|
revision is enabled by default now (but can be disabled explicitly; see below).
|
||||||
|
|
||||||
|
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
|
||||||
|
|
||||||
|
For the reference, SHA1 checksums of 06-55-04 microcode files containing
|
||||||
|
microcode revisions in question are listed below:
|
||||||
|
* 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
|
||||||
|
* 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
|
||||||
|
* 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
|
||||||
|
* 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
|
||||||
|
* 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
|
||||||
|
* 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
|
||||||
|
* 06-55-04, revision 0x2006c0a: 76b641375d136c08f5feb46aacebee40468ac085
|
||||||
|
* 06-55-04, revision 0x2006d05: dc4207cf4eb916ff34acbdddc474db0df781234f
|
||||||
|
* 06-55-04, revision 0x2006e05: bc67d247ad1c9a834bec5e452606db1381d6bc7e
|
||||||
|
* 06-55-04, revision 0x2006f05: c47277a6a47caedb518f311ce5d339528a8347e2
|
||||||
|
* 06-55-04, revision 0x2007006: 68ae0f321685ff97b50266bc20818f31563fc67c
|
||||||
|
|
||||||
|
Please contact your system vendor for a BIOS/firmware update that contains
|
||||||
|
the latest microcode version. For the information regarding microcode versions
|
||||||
|
required for mitigating specific side-channel cache attacks, please refer
|
||||||
|
to the following knowledge base articles:
|
||||||
|
* CVE-2017-5715 ("Spectre"):
|
||||||
|
https://access.redhat.com/articles/3436091
|
||||||
|
* CVE-2018-3639 ("Speculative Store Bypass"):
|
||||||
|
https://access.redhat.com/articles/3540901
|
||||||
|
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
|
||||||
|
https://access.redhat.com/articles/3562741
|
||||||
|
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
|
||||||
|
("Microarchitectural Data Sampling"):
|
||||||
|
https://access.redhat.com/articles/4138151
|
||||||
|
* CVE-2019-0117 (Intel SGX Information Leak),
|
||||||
|
CVE-2019-0123 (Intel SGX Privilege Escalation),
|
||||||
|
CVE-2019-11135 (TSX Asynchronous Abort),
|
||||||
|
CVE-2019-11139 (Voltage Setting Modulation):
|
||||||
|
https://access.redhat.com/solutions/2019-microcode-nov
|
||||||
|
* CVE-2020-0543 (Special Register Buffer Data Sampling),
|
||||||
|
CVE-2020-0548 (Vector Register Data Sampling),
|
||||||
|
CVE-2020-0549 (L1D Cache Eviction Sampling):
|
||||||
|
https://access.redhat.com/solutions/5142751
|
||||||
|
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
|
||||||
|
CVE-2020-8696 (Vector Register Leakage-Active),
|
||||||
|
CVE-2020-8698 (Fast Forward Store Predictor):
|
||||||
|
https://access.redhat.com/articles/5569051
|
||||||
|
* CVE-2020-24489 (VT-d-related Privilege Escalation),
|
||||||
|
CVE-2020-24511 (Improper Isolation of Shared Resources),
|
||||||
|
CVE-2020-24512 (Observable Timing Discrepancy),
|
||||||
|
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
|
||||||
|
https://access.redhat.com/articles/6101171
|
||||||
|
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
|
||||||
|
https://access.redhat.com/articles/6716541
|
||||||
|
* CVE-2022-0005 (Informational disclosure via JTAG),
|
||||||
|
CVE-2022-21123 (Shared Buffers Data Read),
|
||||||
|
CVE-2022-21125 (Shared Buffers Data Sampling),
|
||||||
|
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
|
||||||
|
CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
|
||||||
|
CVE-2022-21136 (Overclocking service access protection),
|
||||||
|
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
|
||||||
|
CVE-2022-21166 (Device Register Partial Write):
|
||||||
|
https://access.redhat.com/articles/6963124
|
||||||
|
* CVE-2022-21233 (Stale Data Read from legacy xAPIC):
|
||||||
|
https://access.redhat.com/articles/6976398
|
||||||
|
|
||||||
|
The information regarding disabling microcode update is provided below.
|
||||||
|
|
||||||
|
To disable usage of the newer microcode revision for a specific kernel
|
||||||
|
version, please create a file "disallow-intel-06-55-04" inside
|
||||||
|
/lib/firmware/<kernel_version> directory, run
|
||||||
|
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
|
||||||
|
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
|
||||||
|
so initramfs for this kernel version is regenerated, for example:
|
||||||
|
|
||||||
|
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04
|
||||||
|
/usr/libexec/microcode_ctl/update_ucode
|
||||||
|
dracut -f --kver 3.10.0-862.9.1
|
||||||
|
|
||||||
|
To disable usage of the newer microcode revision for all kernels, please create
|
||||||
|
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run
|
||||||
|
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
|
||||||
|
used for late microcode updates, and run "dracut -f --regenerate-all"
|
||||||
|
so initramfs images get regenerated, for example:
|
||||||
|
|
||||||
|
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
||||||
|
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04
|
||||||
|
/usr/libexec/microcode_ctl/update_ucode
|
||||||
|
dracut -f --regenerate-all
|
||||||
|
|
||||||
|
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
||||||
|
information.
|
@ -0,0 +1,3 @@
|
|||||||
|
model GenuineIntel 06-5e-03
|
||||||
|
path intel-ucode/06-5e-03
|
||||||
|
dependency required intel
|
@ -0,0 +1,5 @@
|
|||||||
|
Microcode revisions 0xda and higher for Intel Skylake-H/S/Xeon E3 v5 (family 6,
|
||||||
|
model 94, stepping 3; CPUID 0x506e3) are disabled as they may cause system
|
||||||
|
instability; the previously published revision 0xd6 is used instead.
|
||||||
|
Please refer to /usr/share/doc/microcode_ctl/caveats/06-5e-03_readme
|
||||||
|
and /usr/share/doc/microcode_ctl/README.caveats for details.
|
@ -0,0 +1,89 @@
|
|||||||
|
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
|
||||||
|
stepping 3) had reports of possible system hangs when revision 0xdc
|
||||||
|
of microcode, that is included in microcode-20200609 update to address
|
||||||
|
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order
|
||||||
|
to address this, microcode updates to the newer revision had been disabled
|
||||||
|
by default on these systems, and the previously published microcode revision
|
||||||
|
0xd6 was used by default for the OS-driven microcode update. The revision
|
||||||
|
0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
|
||||||
|
by default (but can be disabled explicitly; see below).
|
||||||
|
|
||||||
|
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
|
||||||
|
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
|
||||||
|
|
||||||
|
For the reference, SHA1 checksums of 06-5e-03 microcode files containing
|
||||||
|
microcode revisions in question are listed below:
|
||||||
|
* 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a
|
||||||
|
* 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7
|
||||||
|
* 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c
|
||||||
|
* 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8
|
||||||
|
* 06-5e-03, revision 0xec: 6458bf25da4906479a01ffdcaa6d466e22722e01
|
||||||
|
* 06-5e-03, revision 0xf0: 0683706bbbf470abbdad4b9923aa9647bfec9616
|
||||||
|
|
||||||
|
Please contact your system vendor for a BIOS/firmware update that contains
|
||||||
|
the latest microcode version. For the information regarding microcode versions
|
||||||
|
required for mitigating specific side-channel cache attacks, please refer
|
||||||
|
to the following knowledge base articles:
|
||||||
|
* CVE-2017-5715 ("Spectre"):
|
||||||
|
https://access.redhat.com/articles/3436091
|
||||||
|
* CVE-2018-3639 ("Speculative Store Bypass"):
|
||||||
|
https://access.redhat.com/articles/3540901
|
||||||
|
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
|
||||||
|
https://access.redhat.com/articles/3562741
|
||||||
|
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
|
||||||
|
("Microarchitectural Data Sampling"):
|
||||||
|
https://access.redhat.com/articles/4138151
|
||||||
|
* CVE-2019-0117 (Intel SGX Information Leak),
|
||||||
|
CVE-2019-0123 (Intel SGX Privilege Escalation),
|
||||||
|
CVE-2019-11135 (TSX Asynchronous Abort),
|
||||||
|
CVE-2019-11139 (Voltage Setting Modulation):
|
||||||
|
https://access.redhat.com/solutions/2019-microcode-nov
|
||||||
|
* CVE-2020-0543 (Special Register Buffer Data Sampling),
|
||||||
|
CVE-2020-0548 (Vector Register Data Sampling),
|
||||||
|
CVE-2020-0549 (L1D Cache Eviction Sampling):
|
||||||
|
https://access.redhat.com/solutions/5142751
|
||||||
|
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
|
||||||
|
CVE-2020-8696 (Vector Register Leakage-Active),
|
||||||
|
CVE-2020-8698 (Fast Forward Store Predictor):
|
||||||
|
https://access.redhat.com/articles/5569051
|
||||||
|
* CVE-2020-24489 (VT-d-related Privilege Escalation),
|
||||||
|
CVE-2020-24511 (Improper Isolation of Shared Resources),
|
||||||
|
CVE-2020-24512 (Observable Timing Discrepancy),
|
||||||
|
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
|
||||||
|
https://access.redhat.com/articles/6101171
|
||||||
|
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
|
||||||
|
https://access.redhat.com/articles/6716541
|
||||||
|
* CVE-2022-0005 (Informational disclosure via JTAG),
|
||||||
|
CVE-2022-21123 (Shared Buffers Data Read),
|
||||||
|
CVE-2022-21125 (Shared Buffers Data Sampling),
|
||||||
|
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
|
||||||
|
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
|
||||||
|
CVE-2022-21166 (Device Register Partial Write):
|
||||||
|
https://access.redhat.com/articles/6963124
|
||||||
|
|
||||||
|
The information regarding disabling microcode update is provided below.
|
||||||
|
|
||||||
|
To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
|
||||||
|
version, please create a file "disallow-intel-06-5e-03" inside
|
||||||
|
/lib/firmware/<kernel_version> directory, run
|
||||||
|
"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
|
||||||
|
where microcode is available for late microcode update, and run
|
||||||
|
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
|
||||||
|
is regenerated, for example:
|
||||||
|
|
||||||
|
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
|
||||||
|
/usr/libexec/microcode_ctl/update_ucode
|
||||||
|
dracut -f --kver 3.10.0-862.9.1
|
||||||
|
|
||||||
|
To avoid addition of the latest microcode for all kernels, please create file
|
||||||
|
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
|
||||||
|
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
|
||||||
|
and "dracut -f --regenerate-all" for early microcode updates:
|
||||||
|
|
||||||
|
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
||||||
|
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
|
||||||
|
/usr/libexec/microcode_ctl/update_ucode
|
||||||
|
dracut -f --regenerate-all
|
||||||
|
|
||||||
|
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
||||||
|
information.
|
@ -0,0 +1,3 @@
|
|||||||
|
model GenuineIntel 06-8c-01
|
||||||
|
path intel-ucode/06-8c-01
|
||||||
|
dependency required intel skip=success match-model-mode=off
|
@ -0,0 +1,4 @@
|
|||||||
|
Microcode updates for Intel Tiger Lake-UP3/UP4 (family 6, model 140, stepping 1;
|
||||||
|
CPUID 0x806c1) are disabled as they may cause system instability.
|
||||||
|
Please refer to /usr/share/doc/microcode_ctl/caveats/06-8c-01_readme
|
||||||
|
and /usr/share/doc/microcode_ctl/README.caveats for details.
|
@ -0,0 +1,66 @@
|
|||||||
|
Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
|
||||||
|
had reports of system hangs when a microcode update, that was included
|
||||||
|
since microcode-20201110 update, was applied[1]. In order to address this,
|
||||||
|
microcode update had been disabled by default on these systems. The revision
|
||||||
|
0x88 seems to have fixed the aforementioned issue, hence it is enabled
|
||||||
|
by default (but can be disabled explicitly; see below).
|
||||||
|
|
||||||
|
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
|
||||||
|
|
||||||
|
For the reference, SHA1 checksums of 06-8c-01 microcode files containing
|
||||||
|
microcode revisions in question are listed below:
|
||||||
|
* 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04
|
||||||
|
* 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
|
||||||
|
* 06-8c-01, revision 0x9a: 48b3ae8d27d8138b5b47052d2f8184bf555ad18e
|
||||||
|
* 06-8c-01, revision 0xa4: 70753f54f5be84376bdebeb710595e4dc2f6d92f
|
||||||
|
* 06-8c-01, revision 0xa6: fdcf89e3a15a20df8aeee215b78bf5d13d731044
|
||||||
|
* 06-8c-01, revision 0xaa: cf84883f6b3184690c25ccade0b10fa839ac8657
|
||||||
|
* 06-8c-01, revision 0xac: b9f342e564a0be372ed1f4709263bf811feb022a
|
||||||
|
* 06-8c-01, revision 0xb4: 6596bb8696cde85538bb833d090f0b7a42d6ae14
|
||||||
|
* 06-8c-01, revision 0xb6: 76556e8248a89f38cd55a6c83dccc995ba176091
|
||||||
|
* 06-8c-01, revision 0xb8: 6e9b138d1db2934479b179af4a3a19e843c4b4e4
|
||||||
|
|
||||||
|
Please contact your system vendor for a BIOS/firmware update that contains
|
||||||
|
the latest microcode version. For the information regarding microcode versions
|
||||||
|
required for mitigating specific side-channel cache attacks, please refer
|
||||||
|
to the following knowledge base articles:
|
||||||
|
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
|
||||||
|
CVE-2020-8696 (Vector Register Leakage-Active),
|
||||||
|
CVE-2020-8698 (Fast Forward Store Predictor):
|
||||||
|
https://access.redhat.com/articles/5569051
|
||||||
|
* CVE-2020-24489 (VT-d-related Privilege Escalation),
|
||||||
|
CVE-2020-24511 (Improper Isolation of Shared Resources),
|
||||||
|
CVE-2020-24512 (Observable Timing Discrepancy),
|
||||||
|
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
|
||||||
|
https://access.redhat.com/articles/6101171
|
||||||
|
* CVE-2021-0145 (Fast store forward predictor - Cross Domain Training):
|
||||||
|
https://access.redhat.com/articles/6716541
|
||||||
|
* CVE-2022-21123 (Shared Buffers Data Read):
|
||||||
|
https://access.redhat.com/articles/6963124
|
||||||
|
|
||||||
|
The information regarding disabling microcode update is provided below.
|
||||||
|
|
||||||
|
To disable 06-8c-01 microcode updates for a specific kernel
|
||||||
|
version, please create a file "disallow-intel-06-8c-01" inside
|
||||||
|
/lib/firmware/<kernel_version> directory, run
|
||||||
|
"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
|
||||||
|
directory where microcode is available for late microcode update, and run
|
||||||
|
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
|
||||||
|
is regenerated, for example:
|
||||||
|
|
||||||
|
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
|
||||||
|
/usr/libexec/microcode_ctl/update_ucode
|
||||||
|
dracut -f --kver 3.10.0-862.9.1
|
||||||
|
|
||||||
|
To avoid addition of this microcode for all kernels, please create file
|
||||||
|
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
|
||||||
|
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
|
||||||
|
and "dracut -f --regenerate-all" for early microcode updates:
|
||||||
|
|
||||||
|
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
||||||
|
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
|
||||||
|
/usr/libexec/microcode_ctl/update_ucode
|
||||||
|
dracut -f --regenerate-all
|
||||||
|
|
||||||
|
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
||||||
|
information.
|
@ -0,0 +1,5 @@
|
|||||||
|
path intel-ucode/*
|
||||||
|
vendor GenuineIntel
|
||||||
|
dmi mode=fail-equal key=bios_vendor val="Dell Inc."
|
||||||
|
dependency required intel
|
||||||
|
disable early late
|
@ -0,0 +1,219 @@
|
|||||||
|
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
|
||||||
|
and system instability during or after microcode update to revision 0xc6/0xca
|
||||||
|
(included as part of microcode-20191113/microcode-20191115 update that addressed
|
||||||
|
CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139)
|
||||||
|
and/or revision 0xd6 (included as part of microcode-20200609 update
|
||||||
|
that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549)
|
||||||
|
[1][2][3][4][5][6]. In order to address this, microcode update to the newer
|
||||||
|
revision has been disabled by default on these systems, and the previously
|
||||||
|
published microcode revisions 0xae/0xb4/0xb8 are used by default
|
||||||
|
for the OS-driven microcode update.
|
||||||
|
|
||||||
|
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23
|
||||||
|
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
|
||||||
|
[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33
|
||||||
|
[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34
|
||||||
|
[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35
|
||||||
|
[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097
|
||||||
|
|
||||||
|
This caveat contains revision 0xca of 06-[89]e-0x microcode publicly released
|
||||||
|
by Intel; for the latest revision of the microcode files, please refer to caveat
|
||||||
|
06-8e-9e-0x-dell.
|
||||||
|
|
||||||
|
For the reference, microarchitectures of the affected CPU models:
|
||||||
|
* Amber Lake-Y
|
||||||
|
* Kaby Lake-G/H/S/U/Y/Xeon E3
|
||||||
|
* Coffee Lake-H/S/U/Xeon E
|
||||||
|
* Comet Lake-U 4+2
|
||||||
|
* Whiskey Lake-U
|
||||||
|
|
||||||
|
Family names of the affected CPU models:
|
||||||
|
* 7th Generation Intel® Core™ Processor Family
|
||||||
|
* 8th Generation Intel® Core™ Processor Family
|
||||||
|
* 9th Generation Intel® Core™ Processor Family
|
||||||
|
* 10th Generation Intel® Core™ Processor Family (selected models)
|
||||||
|
* Intel® Celeron® Processor G Series
|
||||||
|
* Intel® Celeron® Processor 5000 Series
|
||||||
|
* Intel® Core™ X-series Processors (i7-7740X, i5-7640X only)
|
||||||
|
* Intel® Pentium® Gold Processor Series
|
||||||
|
* Intel® Pentium® Processor Series (selected models)
|
||||||
|
* Intel® Xeon® Processor E Family
|
||||||
|
* Intel® Xeon® Processor E3 v6 Family
|
||||||
|
|
||||||
|
SHA1 checksums of the microcode files containing microcode revisions
|
||||||
|
in question:
|
||||||
|
* 06-8e-09, revision 0xb4: e253c95c29c3eef6576db851dfa069d82a91256f
|
||||||
|
* 06-8e-0a, revision 0xb4: 45bcba494be07df9eeccff9627578095a97fba4d
|
||||||
|
* 06-8e-0b, revision 0xb8: 3e54bf91d642ad81ff07fe274d0cfb5d10d09c43
|
||||||
|
* 06-8e-0c, revision 0xb8: bf635c87177d6dc4e067ec11e1caeb19d3c325f0
|
||||||
|
* 06-9e-09, revision 0xb4: 42f68eec4ddb79dd6be0c95c4ce60e514e4504b1
|
||||||
|
* 06-9e-0a, revision 0xb4: 37c7cb394dd36610b57943578343723da67d50f0
|
||||||
|
* 06-9e-0b, revision 0xb4: b5399109d0a5ce8f5fb623ff942da0322b438b95
|
||||||
|
* 06-9e-0c, revision 0xae: 131bce89e4d210de8322ffbc6bd787f1af66a7df
|
||||||
|
* 06-9e-0d, revision 0xb8: 22511b007d1df55558d115abb13a1c23ea398317
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xca: 9afa1bae40995207afef13247f114be042d88083
|
||||||
|
* 06-8e-0a, revision 0xca: 1d90291cc25e17dc6c36c764cf8c06b41fed4c16
|
||||||
|
* 06-8e-0b, revision 0xca: 3fb1246a6594eff5e2c2076c63c600d734f10777
|
||||||
|
* 06-8e-0c, revision 0xca: e871540671f59b4fa5d0d454798f09a4d412aace
|
||||||
|
* 06-9e-09, revision 0xca: b5eed11108ab7ac1e675fe75d0e7454a400ddd35
|
||||||
|
* 06-9e-0a, revision 0xca: e472304aaa2f3815a32822cb111ab3f43bf3dfe4
|
||||||
|
* 06-9e-0b, revision 0xca: 78f47c5162da680878ed057dc7c853f9737c524b
|
||||||
|
* 06-9e-0c, revision 0xca: f23848a009928796a153cb9e8f44522136969408
|
||||||
|
* 06-9e-0d, revision 0xca: c7a3d469469ee828ba9faf91b67af881fceec3b7
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xd6: 2272c621768437d20e602207752201e0966e5a8c
|
||||||
|
* 06-8e-0a, revision 0xd6: 0b145afb88e028e612f04c2a86385e7d7c3fefc4
|
||||||
|
* 06-8e-0b, revision 0xd6: c3831b05da83be54f3acc451a1bce90f75e2e9e5
|
||||||
|
* 06-8e-0c, revision 0xd6: 4b8938a93e23f4b5a2d9de40b87f6afcfdc27c05
|
||||||
|
* 06-9e-09, revision 0xd6: 4bacba8c598508e7dd4e87e179586abe7a1a987f
|
||||||
|
* 06-9e-0a, revision 0xd6: 4c236afeef9f80ff3a286698fe7cef72926722f0
|
||||||
|
* 06-9e-0b, revision 0xd6: 2f9ab9b2ba29559ce177632281d7290a24fed2ef
|
||||||
|
* 06-9e-0c, revision 0xd6: 4b9059e519bcab6085b6c103f5d99e509fe0b2bb
|
||||||
|
* 06-9e-0d, revision 0xd6: 3a3b7edfd8126bb34b761b46a32102a622047899
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xde: 84d7514101eb8904834a3dacdee684b3c574245f
|
||||||
|
* 06-8e-0a, revision 0xe0: 080b9e3ebbcf6bb1eca0fb5f640e6bfbfe3a1e6e
|
||||||
|
* 06-8e-0b, revision 0xde: 80fed976231bbff4c7103e373498e07eef0bff31
|
||||||
|
* 06-8e-0c, revision 0xde: 84f160587fea4acb81451c8ff53dc51afba06343
|
||||||
|
* 06-9e-09, revision 0xde: 422026ffb2cca446693c586be98d0d9e7dfeb116
|
||||||
|
* 06-9e-0a, revision 0xde: b6c44b9fe26e1d6bafa27f37ffe010284294bf1c
|
||||||
|
* 06-9e-0b, revision 0xde: 6452937a0d359066b95f9e679a41a15490770312
|
||||||
|
* 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542
|
||||||
|
* 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d
|
||||||
|
* 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8
|
||||||
|
* 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac
|
||||||
|
* 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3
|
||||||
|
* 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668
|
||||||
|
* 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4
|
||||||
|
* 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c
|
||||||
|
* 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4
|
||||||
|
* 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xec: 78eb624be5e8084e438318bdad99f9ddc082def7
|
||||||
|
* 06-8e-0a, revision 0xec: 6c41a6ad412f48f81a9d5edf59dcdecc358398bf
|
||||||
|
* 06-8e-0b, revision 0xec: 89dd0de598c83eb9714f6839499f322dfce2b693
|
||||||
|
* 06-8e-0c, revision 0xec: 225ea349b9cb3b1b94e237deb797e0c60d14a84c
|
||||||
|
* 06-9e-09, revision 0xec: fc5c0206fe392a0ddad4dc9363fde2d3e3d1e681
|
||||||
|
* 06-9e-0a, revision 0xec: 128002076e4ac3c75697fb4efdf1f8ddcc971fbe
|
||||||
|
* 06-9e-0b, revision 0xec: ac8c3865a143b2e03869f15a5b86e560f60ad632
|
||||||
|
* 06-9e-0c, revision 0xec: 6e3d695290def517857c8e743dc65161479f0c04
|
||||||
|
* 06-9e-0d, revision 0xec: 58b1ec5fee7dd1a761ed901b374ccb978737a979
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xf0: 219e2b9168a09451b17813b97995cc59cc78b414
|
||||||
|
* 06-8e-0a, revision 0xf0: 3c4241d0b9d1a1a1e82d03b365fdd3b843006a7c
|
||||||
|
* 06-8e-0b, revision 0xf0: 79b61f034cba86e61641114bbab49ec0166c0f35
|
||||||
|
* 06-8e-0c, revision 0xf0: 11d166de440dbe9c440e90cb610ef4b9d48242b1
|
||||||
|
* 06-9e-09, revision 0xf0: 49e142da74e7298b2db738ff7dd1a9b0fa4e0c3e
|
||||||
|
* 06-9e-0a, revision 0xf0: 8de1d4a80cd683bf09854c33905c69d3d7ac7730
|
||||||
|
* 06-9e-0b, revision 0xf0: ff092c6ac8333f0abcd94f7d2e2088f31d960e62
|
||||||
|
* 06-9e-0c, revision 0xf0: 3702f21e87b75bea6f4b1ee0407b941ef31d4ad1
|
||||||
|
* 06-9e-0d, revision 0xf0: 226feaaa431eb76e734ab68efc2ea7b07aa3c7d9
|
||||||
|
|
||||||
|
* 06-8e-0c, revision 0xf4: 6a5e140bf8c046acb6958bad1db1fee66c8601ad
|
||||||
|
* 06-9e-0d, revision 0xf4: 3433d4394b05a9c8aefb9c46674bad7b7e934f11
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xf2: 2e67e55d7b805edcfaac57898088323df7315b25
|
||||||
|
* 06-8e-0a, revision 0xf2: f9e1dbeb969ded845b726c62336f243099714bcf
|
||||||
|
* 06-8e-0b, revision 0xf2: 3d45fbcbefd92dbbedf0eed04aeb29c7430c7c0e
|
||||||
|
* 06-8e-0c, revision 0xf6: bd37be38dbd046d4d66f126cfaa79e43bfe88c0d
|
||||||
|
* 06-9e-09, revision 0xf2: 716257544acf2c871d74e4627e7de86ee1024185
|
||||||
|
* 06-9e-0a, revision 0xf2: 933c5d6710195336381e15a160d36aaa52d358fd
|
||||||
|
* 06-9e-0b, revision 0xf2: 92eaafdb72f6d4231046aadb92caa0038e94fca8
|
||||||
|
* 06-9e-0c, revision 0xf2: ad8922b4f91b5214dd88c56c0a12d15edb9cea5b
|
||||||
|
* 06-9e-0d, revision 0xf8: 8fdea727c6ce46b26e0cffa6ee4ff1ba0c45cf14
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xf4: e059ab6b168f3831d624acc153e18ab1c8488570
|
||||||
|
* 06-8e-0a, revision 0xf4: d1ade1ccfe5c6105d0786dfe887696808954f8b4
|
||||||
|
* 06-8e-0b, revision 0xf4: 0bc93736f3f5b8b6569bebac4e9627ab923621e0
|
||||||
|
* 06-8e-0c, revision 0xf8: be93b4826a3f40219a9fc4fc5afa87b320279f6e
|
||||||
|
* 06-9e-09, revision 0xf4: 317564f3ac7b99b5900b91e2be3e23b9b66bc2c0
|
||||||
|
* 06-9e-0a, revision 0xf4: 9659f73e2c6081eb5c146c5ed763fa5db21df901
|
||||||
|
* 06-9e-0b, revision 0xf4: e60b567ad54da129d05a77e305cae4488579979d
|
||||||
|
* 06-9e-0c, revision 0xf4: 74d52a11a905dd7b254fa72b014c3bab8022ba3d
|
||||||
|
* 06-9e-0d, revision 0xfa: 484738563e793d5b90b94869dc06edf0407182f1
|
||||||
|
|
||||||
|
* 06-8e-0c, revision 0xfa: d2c2ed4634b2f345382991237bedb90430fcc0b3
|
||||||
|
* 06-9e-09, revision 0xf8: 69b8a5435bfb976ef5ec5930dae870e26835442e
|
||||||
|
* 06-9e-0a, revision 0xf6: c1f0f556cd203aa6e1d0d1ffb0a65b32f32692be
|
||||||
|
* 06-9e-0c, revision 0xf6: a8dfddd009f750b6528f93556b67d4eeca1e5dfa
|
||||||
|
* 06-9e-0d, revision 0xfc: a0ad865fd2d3b9d955a889c96fabc67da0235dda
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xf6: c2786ef2eb4feb8ac3e3efae83c361de3ad8df0d
|
||||||
|
* 06-8e-0a, revision 0xf6: 9bb2839d451ecee40c1eb08f40e4baec9a159e90
|
||||||
|
* 06-8e-0b, revision 0xf6: 7b60fc7d44654976df32971a45399b3b910f3390
|
||||||
|
* 06-8e-0c, revision 0xfc: 34efc9a54dc32082b898116840c0a1a1cef59e69
|
||||||
|
* 06-9e-0a, revision 0xf8: 880163a2da13ed1eae1654535d751a788de6fa3f
|
||||||
|
* 06-9e-0b, revision 0xf6: ca90c9139d0c1554f6d17ae1bdcf94d0faa6ece7
|
||||||
|
* 06-9e-0c, revision 0xf8: 97dcc36772894619ab28be8c35c4ff9f15d684ae
|
||||||
|
* 06-9e-0d, revision 0x100: 1a00b6a4373b95811c6396f2a0d8d497f4006fb7
|
||||||
|
|
||||||
|
Please contact your system vendor for a BIOS/firmware update that contains
|
||||||
|
the latest microcode version. For the information regarding microcode versions
|
||||||
|
required for mitigating specific side-channel cache attacks, please refer
|
||||||
|
to the following knowledge base articles:
|
||||||
|
* CVE-2017-5715 ("Spectre"):
|
||||||
|
https://access.redhat.com/articles/3436091
|
||||||
|
* CVE-2018-3639 ("Speculative Store Bypass"):
|
||||||
|
https://access.redhat.com/articles/3540901
|
||||||
|
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
|
||||||
|
https://access.redhat.com/articles/3562741
|
||||||
|
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
|
||||||
|
("Microarchitectural Data Sampling"):
|
||||||
|
https://access.redhat.com/articles/4138151
|
||||||
|
* CVE-2019-0117 (Intel SGX Information Leak),
|
||||||
|
CVE-2019-0123 (Intel SGX Privilege Escalation),
|
||||||
|
CVE-2019-11135 (TSX Asynchronous Abort),
|
||||||
|
CVE-2019-11139 (Voltage Setting Modulation):
|
||||||
|
https://access.redhat.com/solutions/2019-microcode-nov
|
||||||
|
* CVE-2020-0543 (Special Register Buffer Data Sampling),
|
||||||
|
CVE-2020-0548 (Vector Register Data Sampling),
|
||||||
|
CVE-2020-0549 (L1D Cache Eviction Sampling):
|
||||||
|
https://access.redhat.com/solutions/5142751
|
||||||
|
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
|
||||||
|
CVE-2020-8696 (Vector Register Leakage-Active),
|
||||||
|
CVE-2020-8698 (Fast Forward Store Predictor):
|
||||||
|
https://access.redhat.com/articles/5569051
|
||||||
|
* CVE-2020-24489 (VT-d-related Privilege Escalation),
|
||||||
|
CVE-2020-24511 (Improper Isolation of Shared Resources),
|
||||||
|
CVE-2020-24512 (Observable Timing Discrepancy),
|
||||||
|
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
|
||||||
|
https://access.redhat.com/articles/6101171
|
||||||
|
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
|
||||||
|
https://access.redhat.com/articles/6716541
|
||||||
|
* CVE-2022-0005 (Informational disclosure via JTAG),
|
||||||
|
CVE-2022-21123 (Shared Buffers Data Read),
|
||||||
|
CVE-2022-21125 (Shared Buffers Data Sampling),
|
||||||
|
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
|
||||||
|
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
|
||||||
|
CVE-2022-21166 (Device Register Partial Write):
|
||||||
|
https://access.redhat.com/articles/6963124
|
||||||
|
|
||||||
|
The information regarding disabling microcode update is provided below.
|
||||||
|
|
||||||
|
To disable usage of the newer microcode revision for a specific kernel
|
||||||
|
version, please create a file "disallow-intel-06-8e-9e-0x-0xca" inside
|
||||||
|
/lib/firmware/<kernel_version> directory, run
|
||||||
|
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
|
||||||
|
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
|
||||||
|
so initramfs for this kernel version is regenerated, for example:
|
||||||
|
|
||||||
|
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8e-9e-0x-0xca
|
||||||
|
/usr/libexec/microcode_ctl/update_ucode
|
||||||
|
dracut -f --kver 3.10.0-862.9.1
|
||||||
|
|
||||||
|
To disable usage of the newer microcode revision for all kernels, please create
|
||||||
|
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0x-0xca",
|
||||||
|
run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
|
||||||
|
used for late microcode updates, and run "dracut -f --regenerate-all"
|
||||||
|
so initramfs images get regenerated, for example:
|
||||||
|
|
||||||
|
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
||||||
|
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0xca
|
||||||
|
/usr/libexec/microcode_ctl/update_ucode
|
||||||
|
dracut -f --regenerate-all
|
||||||
|
|
||||||
|
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
||||||
|
information.
|
@ -0,0 +1,7 @@
|
|||||||
|
path intel-ucode/*
|
||||||
|
vendor GenuineIntel
|
||||||
|
## It is deemed that blacklisting all 06-[89]e-0x models on all hardware
|
||||||
|
## in cases where no model filter is used is too broad, hence
|
||||||
|
## no-model-mode=success.
|
||||||
|
dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc."
|
||||||
|
dependency required intel
|
@ -0,0 +1,7 @@
|
|||||||
|
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
|
||||||
|
and system instability during or after microcode update to newer revisions.
|
||||||
|
In order to address this, microcode update to these newer revision
|
||||||
|
has been disabled by default on these systems, and the previously published
|
||||||
|
microcode revisions are used by default for the OS-driven microcode update.
|
||||||
|
Please refer to /usr/share/doc/microcode_ctl/caveats/06-8e-9e-0x-dell_readme
|
||||||
|
and /usr/share/doc/microcode_ctl/README.caveats for details.
|
@ -0,0 +1,219 @@
|
|||||||
|
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
|
||||||
|
and system instability during or after microcode update to revision 0xc6/0xca
|
||||||
|
(included as part of microcode-20191113/microcode-20191115 update that addressed
|
||||||
|
CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139)
|
||||||
|
and/or revision 0xd6 (included as part of microcode-20200609 update
|
||||||
|
that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549)
|
||||||
|
[1][2][3][4][5][6]. In order to address this, microcode update to the newer
|
||||||
|
revision has been disabled by default on these systems, and the previously
|
||||||
|
published microcode revisions 0xae/0xb4/0xb8 are used by default
|
||||||
|
for the OS-driven microcode update.
|
||||||
|
|
||||||
|
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23
|
||||||
|
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
|
||||||
|
[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33
|
||||||
|
[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34
|
||||||
|
[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35
|
||||||
|
[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097
|
||||||
|
|
||||||
|
This caveat contains latest microcode revisions publicly released by Intel;
|
||||||
|
for the revision 0xca of the microcode files, please refer to caveat
|
||||||
|
06-8e-9e-0x-0xca.
|
||||||
|
|
||||||
|
For the reference, microarchitectures of the affected CPU models:
|
||||||
|
* Amber Lake-Y
|
||||||
|
* Kaby Lake-G/H/S/U/X/Y/Xeon E3
|
||||||
|
* Coffee Lake-H/S/U/Xeon E
|
||||||
|
* Comet Lake-U 4+2
|
||||||
|
* Whiskey Lake-U
|
||||||
|
|
||||||
|
Family names of the affected CPU models:
|
||||||
|
* 7th Generation Intel® Core™ Processor Family
|
||||||
|
* 8th Generation Intel® Core™ Processor Family
|
||||||
|
* 9th Generation Intel® Core™ Processor Family
|
||||||
|
* 10th Generation Intel® Core™ Processor Family (selected models)
|
||||||
|
* Intel® Celeron® Processor G Series
|
||||||
|
* Intel® Celeron® Processor 5000 Series
|
||||||
|
* Intel® Core™ X-series Processors (i7-7740X, i5-7640X only)
|
||||||
|
* Intel® Pentium® Gold Processor Series
|
||||||
|
* Intel® Pentium® Processor Series (selected models)
|
||||||
|
* Intel® Xeon® Processor E Family
|
||||||
|
* Intel® Xeon® Processor E3 v6 Family
|
||||||
|
|
||||||
|
SHA1 checksums of the microcode files containing microcode revisions
|
||||||
|
in question:
|
||||||
|
* 06-8e-09, revision 0xb4: e253c95c29c3eef6576db851dfa069d82a91256f
|
||||||
|
* 06-8e-0a, revision 0xb4: 45bcba494be07df9eeccff9627578095a97fba4d
|
||||||
|
* 06-8e-0b, revision 0xb8: 3e54bf91d642ad81ff07fe274d0cfb5d10d09c43
|
||||||
|
* 06-8e-0c, revision 0xb8: bf635c87177d6dc4e067ec11e1caeb19d3c325f0
|
||||||
|
* 06-9e-09, revision 0xb4: 42f68eec4ddb79dd6be0c95c4ce60e514e4504b1
|
||||||
|
* 06-9e-0a, revision 0xb4: 37c7cb394dd36610b57943578343723da67d50f0
|
||||||
|
* 06-9e-0b, revision 0xb4: b5399109d0a5ce8f5fb623ff942da0322b438b95
|
||||||
|
* 06-9e-0c, revision 0xae: 131bce89e4d210de8322ffbc6bd787f1af66a7df
|
||||||
|
* 06-9e-0d, revision 0xb8: 22511b007d1df55558d115abb13a1c23ea398317
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xca: 9afa1bae40995207afef13247f114be042d88083
|
||||||
|
* 06-8e-0a, revision 0xca: 1d90291cc25e17dc6c36c764cf8c06b41fed4c16
|
||||||
|
* 06-8e-0b, revision 0xca: 3fb1246a6594eff5e2c2076c63c600d734f10777
|
||||||
|
* 06-8e-0c, revision 0xca: e871540671f59b4fa5d0d454798f09a4d412aace
|
||||||
|
* 06-9e-09, revision 0xca: b5eed11108ab7ac1e675fe75d0e7454a400ddd35
|
||||||
|
* 06-9e-0a, revision 0xca: e472304aaa2f3815a32822cb111ab3f43bf3dfe4
|
||||||
|
* 06-9e-0b, revision 0xca: 78f47c5162da680878ed057dc7c853f9737c524b
|
||||||
|
* 06-9e-0c, revision 0xca: f23848a009928796a153cb9e8f44522136969408
|
||||||
|
* 06-9e-0d, revision 0xca: c7a3d469469ee828ba9faf91b67af881fceec3b7
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xd6: 2272c621768437d20e602207752201e0966e5a8c
|
||||||
|
* 06-8e-0a, revision 0xd6: 0b145afb88e028e612f04c2a86385e7d7c3fefc4
|
||||||
|
* 06-8e-0b, revision 0xd6: c3831b05da83be54f3acc451a1bce90f75e2e9e5
|
||||||
|
* 06-8e-0c, revision 0xd6: 4b8938a93e23f4b5a2d9de40b87f6afcfdc27c05
|
||||||
|
* 06-9e-09, revision 0xd6: 4bacba8c598508e7dd4e87e179586abe7a1a987f
|
||||||
|
* 06-9e-0a, revision 0xd6: 4c236afeef9f80ff3a286698fe7cef72926722f0
|
||||||
|
* 06-9e-0b, revision 0xd6: 2f9ab9b2ba29559ce177632281d7290a24fed2ef
|
||||||
|
* 06-9e-0c, revision 0xd6: 4b9059e519bcab6085b6c103f5d99e509fe0b2bb
|
||||||
|
* 06-9e-0d, revision 0xd6: 3a3b7edfd8126bb34b761b46a32102a622047899
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xde: 84d7514101eb8904834a3dacdee684b3c574245f
|
||||||
|
* 06-8e-0a, revision 0xe0: 080b9e3ebbcf6bb1eca0fb5f640e6bfbfe3a1e6e
|
||||||
|
* 06-8e-0b, revision 0xde: 80fed976231bbff4c7103e373498e07eef0bff31
|
||||||
|
* 06-8e-0c, revision 0xde: 84f160587fea4acb81451c8ff53dc51afba06343
|
||||||
|
* 06-9e-09, revision 0xde: 422026ffb2cca446693c586be98d0d9e7dfeb116
|
||||||
|
* 06-9e-0a, revision 0xde: b6c44b9fe26e1d6bafa27f37ffe010284294bf1c
|
||||||
|
* 06-9e-0b, revision 0xde: 6452937a0d359066b95f9e679a41a15490770312
|
||||||
|
* 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542
|
||||||
|
* 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d
|
||||||
|
* 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8
|
||||||
|
* 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac
|
||||||
|
* 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3
|
||||||
|
* 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668
|
||||||
|
* 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4
|
||||||
|
* 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c
|
||||||
|
* 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4
|
||||||
|
* 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xec: 78eb624be5e8084e438318bdad99f9ddc082def7
|
||||||
|
* 06-8e-0a, revision 0xec: 6c41a6ad412f48f81a9d5edf59dcdecc358398bf
|
||||||
|
* 06-8e-0b, revision 0xec: 89dd0de598c83eb9714f6839499f322dfce2b693
|
||||||
|
* 06-8e-0c, revision 0xec: 225ea349b9cb3b1b94e237deb797e0c60d14a84c
|
||||||
|
* 06-9e-09, revision 0xec: fc5c0206fe392a0ddad4dc9363fde2d3e3d1e681
|
||||||
|
* 06-9e-0a, revision 0xec: 128002076e4ac3c75697fb4efdf1f8ddcc971fbe
|
||||||
|
* 06-9e-0b, revision 0xec: ac8c3865a143b2e03869f15a5b86e560f60ad632
|
||||||
|
* 06-9e-0c, revision 0xec: 6e3d695290def517857c8e743dc65161479f0c04
|
||||||
|
* 06-9e-0d, revision 0xec: 58b1ec5fee7dd1a761ed901b374ccb978737a979
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xf0: 219e2b9168a09451b17813b97995cc59cc78b414
|
||||||
|
* 06-8e-0a, revision 0xf0: 3c4241d0b9d1a1a1e82d03b365fdd3b843006a7c
|
||||||
|
* 06-8e-0b, revision 0xf0: 79b61f034cba86e61641114bbab49ec0166c0f35
|
||||||
|
* 06-8e-0c, revision 0xf0: 11d166de440dbe9c440e90cb610ef4b9d48242b1
|
||||||
|
* 06-9e-09, revision 0xf0: 49e142da74e7298b2db738ff7dd1a9b0fa4e0c3e
|
||||||
|
* 06-9e-0a, revision 0xf0: 8de1d4a80cd683bf09854c33905c69d3d7ac7730
|
||||||
|
* 06-9e-0b, revision 0xf0: ff092c6ac8333f0abcd94f7d2e2088f31d960e62
|
||||||
|
* 06-9e-0c, revision 0xf0: 3702f21e87b75bea6f4b1ee0407b941ef31d4ad1
|
||||||
|
* 06-9e-0d, revision 0xf0: 226feaaa431eb76e734ab68efc2ea7b07aa3c7d9
|
||||||
|
|
||||||
|
* 06-8e-0c, revision 0xf4: 6a5e140bf8c046acb6958bad1db1fee66c8601ad
|
||||||
|
* 06-9e-0d, revision 0xf4: 3433d4394b05a9c8aefb9c46674bad7b7e934f11
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xf2: 2e67e55d7b805edcfaac57898088323df7315b25
|
||||||
|
* 06-8e-0a, revision 0xf2: f9e1dbeb969ded845b726c62336f243099714bcf
|
||||||
|
* 06-8e-0b, revision 0xf2: 3d45fbcbefd92dbbedf0eed04aeb29c7430c7c0e
|
||||||
|
* 06-8e-0c, revision 0xf6: bd37be38dbd046d4d66f126cfaa79e43bfe88c0d
|
||||||
|
* 06-9e-09, revision 0xf2: 716257544acf2c871d74e4627e7de86ee1024185
|
||||||
|
* 06-9e-0a, revision 0xf2: 933c5d6710195336381e15a160d36aaa52d358fd
|
||||||
|
* 06-9e-0b, revision 0xf2: 92eaafdb72f6d4231046aadb92caa0038e94fca8
|
||||||
|
* 06-9e-0c, revision 0xf2: ad8922b4f91b5214dd88c56c0a12d15edb9cea5b
|
||||||
|
* 06-9e-0d, revision 0xf8: 8fdea727c6ce46b26e0cffa6ee4ff1ba0c45cf14
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xf4: e059ab6b168f3831d624acc153e18ab1c8488570
|
||||||
|
* 06-8e-0a, revision 0xf4: d1ade1ccfe5c6105d0786dfe887696808954f8b4
|
||||||
|
* 06-8e-0b, revision 0xf4: 0bc93736f3f5b8b6569bebac4e9627ab923621e0
|
||||||
|
* 06-8e-0c, revision 0xf8: be93b4826a3f40219a9fc4fc5afa87b320279f6e
|
||||||
|
* 06-9e-09, revision 0xf4: 317564f3ac7b99b5900b91e2be3e23b9b66bc2c0
|
||||||
|
* 06-9e-0a, revision 0xf4: 9659f73e2c6081eb5c146c5ed763fa5db21df901
|
||||||
|
* 06-9e-0b, revision 0xf4: e60b567ad54da129d05a77e305cae4488579979d
|
||||||
|
* 06-9e-0c, revision 0xf4: 74d52a11a905dd7b254fa72b014c3bab8022ba3d
|
||||||
|
* 06-9e-0d, revision 0xfa: 484738563e793d5b90b94869dc06edf0407182f1
|
||||||
|
|
||||||
|
* 06-8e-0c, revision 0xfa: d2c2ed4634b2f345382991237bedb90430fcc0b3
|
||||||
|
* 06-9e-09, revision 0xf8: 69b8a5435bfb976ef5ec5930dae870e26835442e
|
||||||
|
* 06-9e-0a, revision 0xf6: c1f0f556cd203aa6e1d0d1ffb0a65b32f32692be
|
||||||
|
* 06-9e-0c, revision 0xf6: a8dfddd009f750b6528f93556b67d4eeca1e5dfa
|
||||||
|
* 06-9e-0d, revision 0xfc: a0ad865fd2d3b9d955a889c96fabc67da0235dda
|
||||||
|
|
||||||
|
* 06-8e-09, revision 0xf6: c2786ef2eb4feb8ac3e3efae83c361de3ad8df0d
|
||||||
|
* 06-8e-0a, revision 0xf6: 9bb2839d451ecee40c1eb08f40e4baec9a159e90
|
||||||
|
* 06-8e-0b, revision 0xf6: 7b60fc7d44654976df32971a45399b3b910f3390
|
||||||
|
* 06-8e-0c, revision 0xfc: 34efc9a54dc32082b898116840c0a1a1cef59e69
|
||||||
|
* 06-9e-0a, revision 0xf8: 880163a2da13ed1eae1654535d751a788de6fa3f
|
||||||
|
* 06-9e-0b, revision 0xf6: ca90c9139d0c1554f6d17ae1bdcf94d0faa6ece7
|
||||||
|
* 06-9e-0c, revision 0xf8: 97dcc36772894619ab28be8c35c4ff9f15d684ae
|
||||||
|
* 06-9e-0d, revision 0x100: 1a00b6a4373b95811c6396f2a0d8d497f4006fb7
|
||||||
|
|
||||||
|
Please contact your system vendor for a BIOS/firmware update that contains
|
||||||
|
the latest microcode version. For the information regarding microcode versions
|
||||||
|
required for mitigating specific side-channel cache attacks, please refer
|
||||||
|
to the following knowledge base articles:
|
||||||
|
* CVE-2017-5715 ("Spectre"):
|
||||||
|
https://access.redhat.com/articles/3436091
|
||||||
|
* CVE-2018-3639 ("Speculative Store Bypass"):
|
||||||
|
https://access.redhat.com/articles/3540901
|
||||||
|
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
|
||||||
|
https://access.redhat.com/articles/3562741
|
||||||
|
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
|
||||||
|
("Microarchitectural Data Sampling"):
|
||||||
|
https://access.redhat.com/articles/4138151
|
||||||
|
* CVE-2019-0117 (Intel SGX Information Leak),
|
||||||
|
CVE-2019-0123 (Intel SGX Privilege Escalation),
|
||||||
|
CVE-2019-11135 (TSX Asynchronous Abort),
|
||||||
|
CVE-2019-11139 (Voltage Setting Modulation):
|
||||||
|
https://access.redhat.com/solutions/2019-microcode-nov
|
||||||
|
* CVE-2020-0543 (Special Register Buffer Data Sampling),
|
||||||
|
CVE-2020-0548 (Vector Register Data Sampling),
|
||||||
|
CVE-2020-0549 (L1D Cache Eviction Sampling):
|
||||||
|
https://access.redhat.com/solutions/5142751
|
||||||
|
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
|
||||||
|
CVE-2020-8696 (Vector Register Leakage-Active),
|
||||||
|
CVE-2020-8698 (Fast Forward Store Predictor):
|
||||||
|
https://access.redhat.com/articles/5569051
|
||||||
|
* CVE-2020-24489 (VT-d-related Privilege Escalation),
|
||||||
|
CVE-2020-24511 (Improper Isolation of Shared Resources),
|
||||||
|
CVE-2020-24512 (Observable Timing Discrepancy),
|
||||||
|
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
|
||||||
|
https://access.redhat.com/articles/6101171
|
||||||
|
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
|
||||||
|
https://access.redhat.com/articles/6716541
|
||||||
|
* CVE-2022-0005 (Informational disclosure via JTAG),
|
||||||
|
CVE-2022-21123 (Shared Buffers Data Read),
|
||||||
|
CVE-2022-21125 (Shared Buffers Data Sampling),
|
||||||
|
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
|
||||||
|
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
|
||||||
|
CVE-2022-21166 (Device Register Partial Write):
|
||||||
|
https://access.redhat.com/articles/6963124
|
||||||
|
|
||||||
|
The information regarding disabling microcode update is provided below.
|
||||||
|
|
||||||
|
To disable usage of the newer microcode revision for a specific kernel
|
||||||
|
version, please create a file "disallow-intel-06-8e-9e-0x-dell" inside
|
||||||
|
/lib/firmware/<kernel_version> directory, run
|
||||||
|
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
|
||||||
|
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
|
||||||
|
so initramfs for this kernel version is regenerated, for example:
|
||||||
|
|
||||||
|
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8e-9e-0x-dell
|
||||||
|
/usr/libexec/microcode_ctl/update_ucode
|
||||||
|
dracut -f --kver 3.10.0-862.9.1
|
||||||
|
|
||||||
|
To disable usage of the newer microcode revision for all kernels, please create
|
||||||
|
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0x-dell",
|
||||||
|
run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
|
||||||
|
used for late microcode updates, and run "dracut -f --regenerate-all"
|
||||||
|
so initramfs images get regenerated, for example:
|
||||||
|
|
||||||
|
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
||||||
|
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-dell
|
||||||
|
/usr/libexec/microcode_ctl/update_ucode
|
||||||
|
dracut -f --regenerate-all
|
||||||
|
|
||||||
|
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
||||||
|
information.
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in new issue