microcode_ctl/SOURCES/06-5e-03_readme

Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
stepping 3) had reports of possible system hangs when revision 0xdc
of microcode, that is included in microcode-20200609 update to address
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1].  In order
to address this, microcode updates to the newer revision had been disabled
by default on these systems, and the previously published microcode revision
0xd6 was used by default for the OS-driven microcode update.  The revision
0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
by default (but can be disabled explicitly; see below).

[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014

For the reference, SHA1 checksums of 06-5e-03 microcode files containing
microcode revisions in question are listed below:
 * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a
 * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7
 * 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c
 * 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8
 * 06-5e-03, revision 0xec: 6458bf25da4906479a01ffdcaa6d466e22722e01
 * 06-5e-03, revision 0xf0: 0683706bbbf470abbdad4b9923aa9647bfec9616

Please contact your system vendor for a BIOS/firmware update that contains
the latest microcode version.  For the information regarding microcode versions
required for mitigating specific side-channel cache attacks, please refer
to the following knowledge base articles:
 * CVE-2017-5715 ("Spectre"):
   https://access.redhat.com/articles/3436091
 * CVE-2018-3639 ("Speculative Store Bypass"):
   https://access.redhat.com/articles/3540901
 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
   https://access.redhat.com/articles/3562741
 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
   ("Microarchitectural Data Sampling"):
   https://access.redhat.com/articles/4138151
 * CVE-2019-0117 (Intel SGX Information Leak),
   CVE-2019-0123 (Intel SGX Privilege Escalation),
   CVE-2019-11135 (TSX Asynchronous Abort),
   CVE-2019-11139 (Voltage Setting Modulation):
   https://access.redhat.com/solutions/2019-microcode-nov
 * CVE-2020-0543 (Special Register Buffer Data Sampling),
   CVE-2020-0548 (Vector Register Data Sampling),
   CVE-2020-0549 (L1D Cache Eviction Sampling):
   https://access.redhat.com/solutions/5142751
 * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
   CVE-2020-8696 (Vector Register Leakage-Active),
   CVE-2020-8698 (Fast Forward Store Predictor):
   https://access.redhat.com/articles/5569051
 * CVE-2020-24489 (VT-d-related Privilege Escalation),
   CVE-2020-24511 (Improper Isolation of Shared Resources),
   CVE-2020-24512 (Observable Timing Discrepancy),
   CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
   https://access.redhat.com/articles/6101171
 * CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
   https://access.redhat.com/articles/6716541
 * CVE-2022-0005 (Informational disclosure via JTAG),
   CVE-2022-21123 (Shared Buffers Data Read),
   CVE-2022-21125 (Shared Buffers Data Sampling),
   CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
   CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
   CVE-2022-21166 (Device Register Partial Write):
   https://access.redhat.com/articles/6963124

The information regarding disabling microcode update is provided below.

To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
version, please create a file "disallow-intel-06-5e-03" inside
/lib/firmware/<kernel_version> directory, run
"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
where microcode is available for late microcode update, and run
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
is regenerated, for example:

    touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --kver 3.10.0-862.9.1

To avoid  addition of the latest microcode for all kernels, please create file
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
and "dracut -f --regenerate-all" for early microcode updates:

    mkdir -p /etc/microcode_ctl/ucode_with_caveats
    touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
    /usr/libexec/microcode_ctl/update_ucode
    dracut -f --regenerate-all

Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
information.
import microcode_ctl-20201112-1.el8 2020-11-16 06:09:24 +00:00			`Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,`
import microcode_ctl-20210608-1.el8 2021-07-24 06:19:08 +00:00			`stepping 3) had reports of possible system hangs when revision 0xdc`
import microcode_ctl-20201112-1.el8 2020-11-16 06:09:24 +00:00			`of microcode, that is included in microcode-20200609 update to address`
import microcode_ctl-20210608-1.el8 2021-07-24 06:19:08 +00:00			`CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order`
			`to address this, microcode updates to the newer revision had been disabled`
import microcode_ctl-20201112-1.el8 2020-11-16 06:09:24 +00:00			`by default on these systems, and the previously published microcode revision`
import microcode_ctl-20210608-1.el8 2021-07-24 06:19:08 +00:00			`0xd6 was used by default for the OS-driven microcode update. The revision`
			`0xea seems[2] to have fixed the aforementioned issue, hence it is enabled`
			`by default (but can be disabled explicitly; see below).`
import microcode_ctl-20201112-1.el8 2020-11-16 06:09:24 +00:00
			`[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826`
import microcode_ctl-20210608-1.el8 2021-07-24 06:19:08 +00:00			`[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014`
import microcode_ctl-20201112-1.el8 2020-11-16 06:09:24 +00:00
			`For the reference, SHA1 checksums of 06-5e-03 microcode files containing`
			`microcode revisions in question are listed below:`
			`* 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a`
			`* 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7`
			`* 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c`
import microcode_ctl-20210216-1.20210525.1.el8_4 2021-06-02 12:12:50 +00:00			`* 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8`
import microcode_ctl-20210608-1.20220204.1.el8_5 2022-02-11 05:30:42 +00:00			`* 06-5e-03, revision 0xec: 6458bf25da4906479a01ffdcaa6d466e22722e01`
import microcode_ctl-20220510-1.el8 2022-06-23 17:27:29 +00:00			`* 06-5e-03, revision 0xf0: 0683706bbbf470abbdad4b9923aa9647bfec9616`
import microcode_ctl-20201112-1.el8 2020-11-16 06:09:24 +00:00
			`Please contact your system vendor for a BIOS/firmware update that contains`
			`the latest microcode version. For the information regarding microcode versions`
			`required for mitigating specific side-channel cache attacks, please refer`
			`to the following knowledge base articles:`
			`* CVE-2017-5715 ("Spectre"):`
			`https://access.redhat.com/articles/3436091`
			`* CVE-2018-3639 ("Speculative Store Bypass"):`
			`https://access.redhat.com/articles/3540901`
			`* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):`
			`https://access.redhat.com/articles/3562741`
			`* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091`
			`("Microarchitectural Data Sampling"):`
			`https://access.redhat.com/articles/4138151`
			`* CVE-2019-0117 (Intel SGX Information Leak),`
			`CVE-2019-0123 (Intel SGX Privilege Escalation),`
			`CVE-2019-11135 (TSX Asynchronous Abort),`
			`CVE-2019-11139 (Voltage Setting Modulation):`
			`https://access.redhat.com/solutions/2019-microcode-nov`
			`* CVE-2020-0543 (Special Register Buffer Data Sampling),`
			`CVE-2020-0548 (Vector Register Data Sampling),`
			`CVE-2020-0549 (L1D Cache Eviction Sampling):`
			`https://access.redhat.com/solutions/5142751`
			`* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),`
			`CVE-2020-8696 (Vector Register Leakage-Active),`
			`CVE-2020-8698 (Fast Forward Store Predictor):`
			`https://access.redhat.com/articles/5569051`
import microcode_ctl-20210608-1.el8 2021-07-24 06:19:08 +00:00			`* CVE-2020-24489 (VT-d-related Privilege Escalation),`
			`CVE-2020-24511 (Improper Isolation of Shared Resources),`
			`CVE-2020-24512 (Observable Timing Discrepancy),`
			`CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):`
			`https://access.redhat.com/articles/6101171`
import microcode_ctl-20220207-1.el8 2022-02-16 04:20:42 +00:00			`* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):`
			`https://access.redhat.com/articles/6716541`
import microcode_ctl-20220510-1.el8 2022-06-23 17:27:29 +00:00			`* CVE-2022-0005 (Informational disclosure via JTAG),`
			`CVE-2022-21123 (Shared Buffers Data Read),`
			`CVE-2022-21125 (Shared Buffers Data Sampling),`
			`CVE-2022-21127 (Update to Special Register Buffer Data Sampling),`
			`CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),`
			`CVE-2022-21166 (Device Register Partial Write):`
			`https://access.redhat.com/articles/6963124`
import microcode_ctl-20201112-1.el8 2020-11-16 06:09:24 +00:00
import microcode_ctl-20210608-1.el8 2021-07-24 06:19:08 +00:00			`The information regarding disabling microcode update is provided below.`
import microcode_ctl-20201112-1.el8 2020-11-16 06:09:24 +00:00
import microcode_ctl-20210608-1.el8 2021-07-24 06:19:08 +00:00			`To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel`
			`version, please create a file "disallow-intel-06-5e-03" inside`
import microcode_ctl-20201112-1.el8 2020-11-16 06:09:24 +00:00			`/lib/firmware/<kernel_version> directory, run`
import microcode_ctl-20210608-1.el8 2021-07-24 06:19:08 +00:00			`"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory`
			`where microcode is available for late microcode update, and run`
import microcode_ctl-20201112-1.el8 2020-11-16 06:09:24 +00:00			`"dracut -f --kver <kernel_version>", so initramfs for this kernel version`
import microcode_ctl-20210608-1.el8 2021-07-24 06:19:08 +00:00			`is regenerated, for example:`
import microcode_ctl-20201112-1.el8 2020-11-16 06:09:24 +00:00
import microcode_ctl-20210608-1.el8 2021-07-24 06:19:08 +00:00			`touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03`
import microcode_ctl-20201112-1.el8 2020-11-16 06:09:24 +00:00			`/usr/libexec/microcode_ctl/update_ucode`
			`dracut -f --kver 3.10.0-862.9.1`

import microcode_ctl-20210608-1.el8 2021-07-24 06:19:08 +00:00			`To avoid addition of the latest microcode for all kernels, please create file`
			`"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run`
			`"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,`
			`and "dracut -f --regenerate-all" for early microcode updates:`
import microcode_ctl-20201112-1.el8 2020-11-16 06:09:24 +00:00
			`mkdir -p /etc/microcode_ctl/ucode_with_caveats`
import microcode_ctl-20210608-1.el8 2021-07-24 06:19:08 +00:00			`touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03`
import microcode_ctl-20201112-1.el8 2020-11-16 06:09:24 +00:00			`/usr/libexec/microcode_ctl/update_ucode`
			`dracut -f --regenerate-all`

			`Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional`
			`information.`