Compare commits
No commits in common. "c8" and "c10s" have entirely different histories.
9
.gitignore
vendored
@ -1,7 +1,2 @@
|
||||
SOURCES/06-2d-07
|
||||
SOURCES/06-4e-03
|
||||
SOURCES/06-55-04
|
||||
SOURCES/06-5e-03
|
||||
SOURCES/microcode-20190918.tar.gz
|
||||
SOURCES/microcode-20191115.tar.gz
|
||||
SOURCES/microcode-20240910.tar.gz
|
||||
/microcode-20240531.tar.gz
|
||||
/microcode-20240910.tar.gz
|
||||
|
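Review bot: The two entries on the new side of this .gitignore hunk are /microcode-20240531.tar.gz and /microcode-20240910.tar.gz, while the old side listed 20240910 as its newest archive. If 20240531 is no longer a build input, drop its entry so the ignore list matches the sources actually fetched; a stale entry makes an unexpected tarball in the tree harder to notice.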
@ -1,7 +0,0 @@
|
||||
bcf2173cd3dd499c37defbc2533703cfa6ec2430 SOURCES/06-2d-07
|
||||
06432a25053c823b0e2a6b8e84e2e2023ee3d43e SOURCES/06-4e-03
|
||||
2e405644a145de0f55517b6a9de118eec8ec1e5a SOURCES/06-55-04
|
||||
86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a SOURCES/06-5e-03
|
||||
bc20d6789e6614b9d9f88ee321ab82bed220f26f SOURCES/microcode-20190918.tar.gz
|
||||
774636f4d440623b0ee6a2dad65260e81208074d SOURCES/microcode-20191115.tar.gz
|
||||
2815182aa376dba6d534bc087a27fe9f27def1d2 SOURCES/microcode-20240910.tar.gz
|
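Review bot: This hunk deletes the whole SHA-1 list for the seven SOURCES blobs, and no replacement checksum file is visible in this part of the compare. Confirm that the two tarballs named in the .gitignore hunk are pinned by digest elsewhere in the c10s tree, preferably with something stronger than SHA-1, before they are used as microcode inputs.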
@ -10,8 +10,8 @@ behaviour.
|
||||
|
||||
General behaviour
|
||||
=================
|
||||
In RHEL 8 (as well as RHEL 7 before it), there are currently two main handlers
|
||||
for CPU microcode update:
|
||||
In RHEL 9 (as well as in RHEL 7 and RHEL 8 before it), there are currently
|
||||
two main handlers for CPU microcode update:
|
||||
* Early microcode update. It uses GenuineIntel.bin or AuthenticAMD.bin file
|
||||
placed at the beginning of an initramfs image
|
||||
(/boot/initramfs-KERNEL_VERSION.img, where "KERNEL_VERSION" is a kernel
|
||||
@ -45,10 +45,10 @@ zero-filled.
|
||||
|
||||
The early microcode is placed into initramfs image by the "dracut" script, which
|
||||
scans the aforementioned subdirectories of the configured list of firmware
|
||||
directories (by default, the list consists of two directories in RHEL 8,
|
||||
directories (by default, the list consists of two directories in RHEL 9,
|
||||
"/lib/firmware/updates" and "/lib/firmware").
|
||||
|
||||
In RHEL 8, AMD CPU microcode is shipped as a part of the linux-firmware package,
|
||||
In RHEL 9, AMD CPU microcode is shipped as a part of the linux-firmware package,
|
||||
and Intel microcode is shipped as a part of the microcode_ctl package.
|
||||
|
||||
The microcode_ctl package currently includes the following:
|
||||
@ -613,7 +613,7 @@ Mitigation: microcode loading is disabled for the affected CPU model.
|
||||
|
||||
Minimum versions of the kernel package that contain the aforementioned patch
|
||||
series:
|
||||
- Upstream/RHEL 8: 4.17.0
|
||||
- Upstream/RHEL 8/RHEL 9: 4.17.0
|
||||
- RHEL 7.6 onwards: 3.10.0-894
|
||||
- RHEL 7.5: 3.10.0-862.6.1
|
||||
- RHEL 7.4: 3.10.0-693.35.1
|
||||
@ -628,7 +628,7 @@ series:
|
||||
|
||||
Early microcode load inside a virtual machine
|
||||
---------------------------------------------
|
||||
RHEL 8 kernel supports performing microcode update during early boot stage
|
||||
RHEL 9 kernel supports performing microcode update during early boot stage
|
||||
from a cpio archive placed at the beginning of the initramfs image. However,
|
||||
when an early microcode update is attempted inside some virtualised
|
||||
environments, that may result in unexpected system behaviour.
|
||||
@ -643,7 +643,7 @@ Mitigation: early microcode loading is disabled for all CPU models on kernels
|
||||
without the fix.
|
||||
|
||||
Minimum versions of the kernel package that contain the fix:
|
||||
- Upstream/RHEL 8: 4.10.0
|
||||
- Upstream/RHEL 8/RHEL 9: 4.10.0
|
||||
- RHEL 7.6 onwards: 3.10.0-930
|
||||
- RHEL 7.5: 3.10.0-862.14.1
|
||||
- RHEL 7.4: 3.10.0-693.38.1
|
||||
@ -651,178 +651,6 @@ Minimum versions of the kernel package that contain the fix:
|
||||
- RHEL 7.2: 3.10.0-327.73.1
|
||||
|
||||
|
||||
Intel Sandy Bridge-E/EN/EP caveat
|
||||
---------------------------------
|
||||
Microcode revision 0x718 for Intel Sandy Bridge-E/EN/EP (SNB-EP, family 6,
|
||||
model 45, stepping 7), that was released to address MDS vulnerability,
|
||||
and was available from microcode-20190618 up to microcode-20190508 release)
|
||||
could lead to system instability[1][2]. In order to address this,
|
||||
this microcode update was not used and the previous microcode revision
|
||||
was provided instead by default; the microcode file, however, was still shipped
|
||||
as part of microcode_ctl package and could be used for performing a microcode
|
||||
update if it is enforced via the aforementioned overrides. With the release
|
||||
of 0x71a revision of the microcode (as art of microcode-20200520 release)
|
||||
that aims at fixing the aforementioned stability issue, the latest microcode
|
||||
revision is again used by default; it is still provided via the caveat
|
||||
mechanism, hovewer, in order to enable ability to disable it in case such
|
||||
a need arises. (See the sections "check_caveats script" and "reload_microcode
|
||||
script" for details regarding caveats mechanism operation.)
|
||||
|
||||
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
|
||||
[2] https://access.redhat.com/solutions/4593951
|
||||
|
||||
Caveat name: intel-06-2d-07
|
||||
|
||||
Affected microcode: intel-ucode/06-2d-07.
|
||||
|
||||
Dependencies: intel
|
||||
|
||||
Mitigation: None; the latest revision of the microcode file is used by default;
|
||||
previously published microcode revision 0x714 is still available as a fallback
|
||||
as part of "intel" caveat.
|
||||
|
||||
|
||||
Intel Skylake-SP/W/X caveat
|
||||
---------------------------
|
||||
Microcode revision 0x2000065 (that was provided with microcode releases
|
||||
microcode-20191112 up to microcode-20200520) for some CPU models that belong
|
||||
to Intel Skylake Scalable Platform (SKL-W/X, family 6, model 85, stepping 4,
|
||||
Workstation/HEDT segments) could lead to hangs during reboot[1]. In order
|
||||
to address this, by default this microcode update was disabled by default and
|
||||
and the previous 0x2000064 microcode revision was used instead; the microcode
|
||||
file with, however, is still shipped as part of microcode_ctl package and can
|
||||
be used for performing a microcode update if it is enforced
|
||||
via the aforementioned overrides. With the availability of 0x2006906 revision
|
||||
of the microcode (in the microcode-20200609 release) that fixes
|
||||
the aforementioned issue, the latest microcode revision is again used
|
||||
by default; it is still provided via caveat mechanism, hovewer, in order
|
||||
to enable ability to disable it in case such a need arises. (See the sections
|
||||
"check_caveats script" and "reload_microcode script" for details regarding
|
||||
caveats mechanism operation.)
|
||||
|
||||
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
|
||||
|
||||
Caveat name: intel-06-55-04
|
||||
|
||||
Affected microcode: intel-ucode/06-55-04.
|
||||
|
||||
Dependencies: intel
|
||||
|
||||
Mitigation: None; the latest revision of the microcode file is used by default;
|
||||
previously published microcode revision 0x2000064 is still available
|
||||
as a fallback as part of "intel" caveat.
|
||||
|
||||
|
||||
Intel Skylake-U/Y caveat
|
||||
------------------------
|
||||
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
|
||||
have reports of system hangs when revision 0xdc of microcode, that is included
|
||||
in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
|
||||
and CVE-2020-0549, is applied[1]. In order to address this, microcode update
|
||||
to the newer revision has been disabled by default on these systems,
|
||||
and the previously published microcode revision 0xd6 is used instead; the newer
|
||||
microcode files, however, are still shipped as part of microcode_ctl package
|
||||
and can be used for performing a microcode update if they are enforced
|
||||
via the aforementioned overrides. (See the sections "check_caveats script"
|
||||
and "reload_microcode script" for details.)
|
||||
|
||||
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
|
||||
|
||||
Caveat name: intel-06-4e-03
|
||||
|
||||
Affected microcode: intel-ucode/06-4e-03
|
||||
|
||||
Dependencies: intel
|
||||
|
||||
Mitigation: previously published microcode revision 0xd6 is used by default.
|
||||
|
||||
|
||||
Intel Skylake-H/S/Xeon E3 v5 caveat
|
||||
-----------------------------------
|
||||
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
|
||||
stepping 3) had reports of system hangs when revision 0xdc of microcode,
|
||||
that is included in microcode-20200609 update to address CVE-2020-0543,
|
||||
CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order to address this,
|
||||
microcode update to the newer revision had been disabled by default on these
|
||||
systems, and the previously published microcode revision 0xd6 was used instead.
|
||||
The revision 0xea seems[2] to have fixed the aforementioned issue, hence
|
||||
the latest microcode revision usage it is enabled by default,
|
||||
but can be disabled explicitly via the aforementioned overrides. (See
|
||||
the sections "check_caveats script" and "reload_microcode script" for details.)
|
||||
|
||||
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
|
||||
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
|
||||
|
||||
Caveat names: intel-06-5e-03
|
||||
|
||||
Affected microcode: intel-ucode/06-5e-03.
|
||||
|
||||
Dependencies: intel
|
||||
|
||||
Mitigation: None; the latest revision of the microcode file is used by default;
|
||||
previously published microcode revision 0xd6 is still available as a fallback
|
||||
as part of "intel" caveat.
|
||||
|
||||
|
||||
Dell caveats
|
||||
------------
|
||||
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
|
||||
and system instability during or after microcode update to revision 0xc6/0xca
|
||||
(included as part of microcode-20191113/microcode-20191115 update that addressed
|
||||
CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139)
|
||||
and/or revision 0xd6 (included as part of microcode-20200609 update
|
||||
that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549)
|
||||
[1][2][3][4][5][6]. In order to address this, microcode update to the newer
|
||||
revision has been disabled by default on these systems, and the previously
|
||||
published microcode revisions 0xae/0xb4/0xb8 are used by default
|
||||
for the OS-driven microcode update.
|
||||
|
||||
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23
|
||||
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
|
||||
[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33
|
||||
[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34
|
||||
[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35
|
||||
[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097
|
||||
|
||||
Caveat names: intel-06-8e-9e-0x-dell, intel-06-8e-9e-0x-0xca
|
||||
|
||||
Affected microcode: intel-ucode/06-8e-09, intel-ucode/06-8e-0a,
|
||||
intel-ucode/06-8e-0b, intel-ucode/06-8e-0c,
|
||||
intel-ucode/06-9e-09, intel-ucode/06-9e-0a,
|
||||
intel-ucode/06-9e-0b, intel-ucode/06-9e-0c,
|
||||
intel-ucode/06-9e-0d.
|
||||
|
||||
Dependencies: intel
|
||||
|
||||
Mitigation: previously published microcode revision 0xac/0xb4/0xb8 is used
|
||||
by default if /sys/devices/virtual/dmi/id/bios_vendor reports
|
||||
"Dell Inc."; otherwise, the latest microcode revision is used.
|
||||
Caveat with revision 0xca of microcode files is provided
|
||||
as a convenience for the cases where it was working well before.
|
||||
|
||||
|
||||
Intel Tiger Lake-UP3/UP4 caveat
|
||||
-------------------------------
|
||||
Some systems with Intel Tiger Lake-UP3/UP4 CPUs (TGL, family 6, model 140,
|
||||
stepping 1) had reports of system hangs when a microcode update,
|
||||
that was included since microcode-20201110 release, was applied[1].
|
||||
In order to address this, microcode update to a newer revision had been disabled
|
||||
by default on these systems. The revision 0x88 seems to have fixed
|
||||
the aforementioned issue, hence it is enabled by default; however, it is still
|
||||
can be disabled via the aforementioned overrides. (See the sections
|
||||
"check_caveats script" and "reload_microcode script" for details.)
|
||||
|
||||
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
|
||||
|
||||
Caveat names: intel-06-8c-01
|
||||
|
||||
Affected microcode: intel-ucode/06-8c-01.
|
||||
|
||||
Dependencies: intel
|
||||
|
||||
Mitigation: None; the latest revision of the microcode file is used by default.
|
||||
|
||||
|
||||
|
||||
Additional information
|
||||
======================
|
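Review bot: The removed block covers six caveat sections, but the .gitignore hunk drops source files for only four of them (06-2d-07, 06-4e-03, 06-55-04, 06-5e-03). Check that intel-06-8e-9e-0x-dell, intel-06-8e-9e-0x-0xca and intel-06-8c-01 are also gone from the package; if they still ship, their README sections should stay, since the Dell "Mitigation:" text documents a default that depends on /sys/devices/virtual/dmi/id/bios_vendor.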
@ -1,3 +0,0 @@
|
||||
model GenuineIntel 06-2d-07
|
||||
path intel-ucode/06-2d-07
|
||||
dependency required intel
|
@ -1,4 +0,0 @@
|
||||
MDS-related microcode update for Intel Sandy Bridge-EP (family 6, model 45,
|
||||
stepping 7; CPUID 0x206d7) CPUs is disabled.
|
||||
Please refer to /usr/share/doc/microcode_ctl/caveats/06-2d-07_readme
|
||||
and /usr/share/doc/microcode_ctl/README.caveats for details.
|
@ -1,58 +0,0 @@
|
||||
Intel Sandy Bridge-E/EN/EP CPU models (SNB-EP, family 6, model 45, stepping 7)
|
||||
had issues with MDS-related microcode update that may lead to a system hang
|
||||
after a microcode update[1][2]. In order to address this, microcode update
|
||||
to the MDS-related revision 0x718 had been disabled, and the previously
|
||||
published microcode revision 0x714 is used by default for the OS-driven
|
||||
microcode update. The revision 0x71a of the microcode is intended to fix
|
||||
the aforementioned issue, hence it is enabled by default (but can be disabled
|
||||
explicitly; see below).
|
||||
|
||||
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/15
|
||||
[2] https://access.redhat.com/solutions/4593951
|
||||
|
||||
For the reference, SHA1 checksums of 06-2d-07 microcode files containing
|
||||
microcode revisions in question are listed below:
|
||||
* 06-2d-07, revision 0x714: bcf2173cd3dd499c37defbc2533703cfa6ec2430
|
||||
* 06-2d-07, revision 0x718: 837cfebbfc09b911151dfd179082ad99cf87e85d
|
||||
* 06-2d-07, revision 0x71a: 4512c8149e63e5ed15f45005d7fb5be0041f66f6
|
||||
|
||||
Please contact your system vendor for a BIOS/firmware update that contains
|
||||
the latest microcode version. For the information regarding microcode versions
|
||||
required for mitigating specific side-channel cache attacks, please refer
|
||||
to the following knowledge base articles:
|
||||
* CVE-2017-5715 ("Spectre"):
|
||||
https://access.redhat.com/articles/3436091
|
||||
* CVE-2018-3639 ("Speculative Store Bypass"):
|
||||
https://access.redhat.com/articles/3540901
|
||||
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
|
||||
https://access.redhat.com/articles/3562741
|
||||
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
|
||||
("Microarchitectural Data Sampling"):
|
||||
https://access.redhat.com/articles/4138151
|
||||
|
||||
The information regarding disabling microcode update is provided below.
|
||||
|
||||
To disable usage of the newer microcode revision for a specific kernel
|
||||
version, please create file "disallow-intel-06-2d-07" inside
|
||||
/lib/firmware/<kernel_version> directory, run
|
||||
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
|
||||
where microcode will be available for late microcode update, and run
|
||||
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
|
||||
is regenerated and the microcode can be loaded early, for example:
|
||||
|
||||
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-2d-07
|
||||
/usr/libexec/microcode_ctl/update_ucode
|
||||
dracut -f --kver 3.10.0-862.9.1
|
||||
|
||||
To avoid addition of the newer microcode revision for all kernels, please create
|
||||
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07", run
|
||||
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
|
||||
and "dracut -f --regenerate-all" for early microcode updates:
|
||||
|
||||
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
||||
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-2d-07
|
||||
/usr/libexec/microcode_ctl/update_ucode
|
||||
dracut -f --regenerate-all
|
||||
|
||||
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
||||
information.
|
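Review bot: Deleting this readme removes the only description of the disallow-intel-06-2d-07 override, yet hosts that followed it will still have that file under /lib/firmware/<kernel_version> or /etc/microcode_ctl/ucode_with_caveats. Please state in the changelog what happens to a leftover override file after this change, so an administrator who relied on it to stay on revision 0x714 knows whether that still holds.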
@ -1,4 +0,0 @@
|
||||
model GenuineIntel 06-4e-03
|
||||
path intel-ucode/06-4e-03
|
||||
dependency required intel
|
||||
disable early late
|
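Review bot: Of the four caveat configs removed in this compare, this is the only one carrying "disable early late", so deleting it changes a default rather than just dropping an opt-out. The README text removed earlier says revision 0xd6 was kept for 06-4e-03 because of hang reports with 0xdc; the change should say which revision is now considered safe for SKL-U/Y.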
@ -1,5 +0,0 @@
|
||||
Microcode revisions 0xda and higher for Intel Skylake-U/Y (family 6,
|
||||
model 78, stepping 3; CPUID 0x406e3) are disabled as they may cause system
|
||||
instability; the previously published revision 0xd6 is used instead.
|
||||
Please refer to /usr/share/doc/microcode_ctl/caveats/06-4e-03_readme
|
||||
and /usr/share/doc/microcode_ctl/README.caveats for details.
|
@ -1,90 +0,0 @@
|
||||
Some Intel Skylake CPU models (SKL-U/Y, family 6, model 78, stepping 3)
|
||||
have reports of system hangs when revision 0xdc of microcode, that is included
|
||||
since microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548,
|
||||
and CVE-2020-0549, is applied[1]. In order to address this, microcode update
|
||||
to the newer revision has been disabled by default on these systems,
|
||||
and the previously published microcode revision 0xd6 is used by default
|
||||
for the OS-driven microcode update.
|
||||
|
||||
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
|
||||
|
||||
For the reference, SHA1 checksums of 06-4e-03 microcode files containing
|
||||
microcode revisions in question are listed below:
|
||||
* 06-4e-03, revision 0xd6: 06432a25053c823b0e2a6b8e84e2e2023ee3d43e
|
||||
* 06-4e-03, revision 0xdc: cd1733458d187486999337ff8b51eeaa0cfbca6c
|
||||
* 06-4e-03, revision 0xe2: 41f4513cf563605bc85db38056ac430dec948366
|
||||
* 06-4e-03, revision 0xea: 5a54cab9f22f69b819d663e5747ed6ea2a326c55
|
||||
* 06-4e-03, revision 0xec: d949a8543d2464d955f5dc4b0777cac863f48729
|
||||
* 06-4e-03, revision 0xf0: 37475bac70457ba8df2c1a32bba81bd7bd27d5e8
|
||||
|
||||
Please contact your system vendor for a BIOS/firmware update that contains
|
||||
the latest microcode version. For the information regarding microcode versions
|
||||
required for mitigating specific side-channel cache attacks, please refer
|
||||
to the following knowledge base articles:
|
||||
* CVE-2017-5715 ("Spectre"):
|
||||
https://access.redhat.com/articles/3436091
|
||||
* CVE-2018-3639 ("Speculative Store Bypass"):
|
||||
https://access.redhat.com/articles/3540901
|
||||
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
|
||||
https://access.redhat.com/articles/3562741
|
||||
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
|
||||
("Microarchitectural Data Sampling"):
|
||||
https://access.redhat.com/articles/4138151
|
||||
* CVE-2019-0117 (Intel SGX Information Leak),
|
||||
CVE-2019-0123 (Intel SGX Privilege Escalation),
|
||||
CVE-2019-11135 (TSX Asynchronous Abort),
|
||||
CVE-2019-11139 (Voltage Setting Modulation):
|
||||
https://access.redhat.com/solutions/2019-microcode-nov
|
||||
* CVE-2020-0543 (Special Register Buffer Data Sampling),
|
||||
CVE-2020-0548 (Vector Register Data Sampling),
|
||||
CVE-2020-0549 (L1D Cache Eviction Sampling):
|
||||
https://access.redhat.com/solutions/5142751
|
||||
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
|
||||
CVE-2020-8696 (Vector Register Leakage-Active),
|
||||
CVE-2020-8698 (Fast Forward Store Predictor):
|
||||
https://access.redhat.com/articles/5569051
|
||||
* CVE-2020-24489 (VT-d-related Privilege Escalation),
|
||||
CVE-2020-24511 (Improper Isolation of Shared Resources),
|
||||
CVE-2020-24512 (Observable Timing Discrepancy),
|
||||
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
|
||||
https://access.redhat.com/articles/6101171
|
||||
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
|
||||
https://access.redhat.com/articles/6716541
|
||||
* CVE-2022-0005 (Informational disclosure via JTAG),
|
||||
CVE-2022-21123 (Shared Buffers Data Read),
|
||||
CVE-2022-21125 (Shared Buffers Data Sampling),
|
||||
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
|
||||
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
|
||||
CVE-2022-21166 (Device Register Partial Write):
|
||||
https://access.redhat.com/articles/6963124
|
||||
|
||||
The information regarding enforcing microcode update is provided below.
|
||||
|
||||
To enforce usage of the latest 06-4e-03 microcode revision for a specific kernel
|
||||
version, please create a file "force-intel-06-4e-03" inside
|
||||
/lib/firmware/<kernel_version> directory, run
|
||||
"/usr/libexec/microcode_ctl/update_ucode" to add it to firmware directory
|
||||
where microcode will be available for late microcode update, and run
|
||||
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
|
||||
is regenerated and the microcode can be loaded early, for example:
|
||||
|
||||
touch /lib/firmware/3.10.0-862.9.1/force-intel-06-4e-03
|
||||
/usr/libexec/microcode_ctl/update_ucode
|
||||
dracut -f --kver 3.10.0-862.9.1
|
||||
|
||||
After that, it is possible to perform a late microcode update by executing
|
||||
"/usr/libexec/microcode_ctl/reload_microcode" or by writing value "1" to
|
||||
"/sys/devices/system/cpu/microcode/reload" directly.
|
||||
|
||||
To enforce addition of this microcode for all kernels, please create file
|
||||
"/etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03", run
|
||||
"/usr/libexec/microcode_ctl/update_ucode" for enabling late microcode updates,
|
||||
and "dracut -f --regenerate-all" for enabling early microcode updates:
|
||||
|
||||
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
||||
touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-4e-03
|
||||
/usr/libexec/microcode_ctl/update_ucode
|
||||
dracut -f --regenerate-all
|
||||
|
||||
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
||||
information.
|
@ -1,12 +0,0 @@
|
||||
model GenuineIntel 06-55-04
|
||||
path intel-ucode/06-55-04
|
||||
## Bug https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
|
||||
## affects only SKX-W/X (Workstation and HEDT segments); product segment
|
||||
## can be determined by checking bits 5..3 of the CAPID0 field in PCU registers
|
||||
## device (see https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13
|
||||
## for Server/FPGA/Fabric segments description; for SKX-W/X no public
|
||||
## documentation seems to be available). Specific device/function numbers
|
||||
## are provided for speeding up the search only, VID:DID is the real selector.
|
||||
## Commented out since revision 0x2006906 seems to fix the issue.
|
||||
#pci_config_val mode=success-all device=0x1e function=3 vid=0x8086 did=0x2083 offset=0x84 size=4 mask=0x38 val=0x38,0x18,0x8
|
||||
dependency required intel
|
@ -1,5 +0,0 @@
|
||||
Microcode revisions 0x2000065 and higher for Intel Skylake-X/W (family 6,
|
||||
model 85, stepping 4; CPUID 0x50654) were disabled as they could cause system
|
||||
hangs on reboot, so the previous revision 0x2000064 was used instead.
|
||||
Please refer to /usr/share/doc/microcode_ctl/caveats/06-55-04_readme
|
||||
and /usr/share/doc/microcode_ctl/README.caveats for details.
|
@ -1,99 +0,0 @@
|
||||
Intel Skylake Scalable Platform CPU models that belong to Workstation and HEDT
|
||||
(Basin Falls) segment (SKL-W/X, family 6, model 85, stepping 4) had reports
|
||||
of system hangs on reboot when revision 0x2000065 of microcode, that was included
|
||||
from microcode-20191112 update up to microcode-20200520 update, was applied[1].
|
||||
In order to address this, microcode update to the newer revision had been
|
||||
disabled by default on these systems, and the previously published microcode
|
||||
revision 0x2000064 is used by default for the OS-driven microcode update.
|
||||
|
||||
Since revision 0x2006906 (included with the microcode-20200609 release)
|
||||
it is reported that the issue is no longer present, so the newer microcode
|
||||
revision is enabled by default now (but can be disabled explicitly; see below).
|
||||
|
||||
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
|
||||
|
||||
For the reference, SHA1 checksums of 06-55-04 microcode files containing
|
||||
microcode revisions in question are listed below:
|
||||
* 06-55-04, revision 0x2000064: 2e405644a145de0f55517b6a9de118eec8ec1e5a
|
||||
* 06-55-04, revision 0x2000065: f27f12b9d53f492c297afd856cdbc596786fad23
|
||||
* 06-55-04, revision 0x2006906: 5f18f985f6d5ad369b5f6549b7f3ee55acaef967
|
||||
* 06-55-04, revision 0x2006a08: 4059fb1f60370297454177f63cd7cc20b3fa1212
|
||||
* 06-55-04, revision 0x2006a0a: 7ec27025329c82de9553c14a78733ad1013e5462
|
||||
* 06-55-04, revision 0x2006b06: cb5bec976cb9754e3a22ab6828b3262a8f9eccf7
|
||||
* 06-55-04, revision 0x2006c0a: 76b641375d136c08f5feb46aacebee40468ac085
|
||||
* 06-55-04, revision 0x2006d05: dc4207cf4eb916ff34acbdddc474db0df781234f
|
||||
* 06-55-04, revision 0x2006e05: bc67d247ad1c9a834bec5e452606db1381d6bc7e
|
||||
* 06-55-04, revision 0x2006f05: c47277a6a47caedb518f311ce5d339528a8347e2
|
||||
* 06-55-04, revision 0x2007006: 68ae0f321685ff97b50266bc20818f31563fc67c
|
||||
|
||||
Please contact your system vendor for a BIOS/firmware update that contains
|
||||
the latest microcode version. For the information regarding microcode versions
|
||||
required for mitigating specific side-channel cache attacks, please refer
|
||||
to the following knowledge base articles:
|
||||
* CVE-2017-5715 ("Spectre"):
|
||||
https://access.redhat.com/articles/3436091
|
||||
* CVE-2018-3639 ("Speculative Store Bypass"):
|
||||
https://access.redhat.com/articles/3540901
|
||||
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
|
||||
https://access.redhat.com/articles/3562741
|
||||
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
|
||||
("Microarchitectural Data Sampling"):
|
||||
https://access.redhat.com/articles/4138151
|
||||
* CVE-2019-0117 (Intel SGX Information Leak),
|
||||
CVE-2019-0123 (Intel SGX Privilege Escalation),
|
||||
CVE-2019-11135 (TSX Asynchronous Abort),
|
||||
CVE-2019-11139 (Voltage Setting Modulation):
|
||||
https://access.redhat.com/solutions/2019-microcode-nov
|
||||
* CVE-2020-0543 (Special Register Buffer Data Sampling),
|
||||
CVE-2020-0548 (Vector Register Data Sampling),
|
||||
CVE-2020-0549 (L1D Cache Eviction Sampling):
|
||||
https://access.redhat.com/solutions/5142751
|
||||
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
|
||||
CVE-2020-8696 (Vector Register Leakage-Active),
|
||||
CVE-2020-8698 (Fast Forward Store Predictor):
|
||||
https://access.redhat.com/articles/5569051
|
||||
* CVE-2020-24489 (VT-d-related Privilege Escalation),
|
||||
CVE-2020-24511 (Improper Isolation of Shared Resources),
|
||||
CVE-2020-24512 (Observable Timing Discrepancy),
|
||||
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
|
||||
https://access.redhat.com/articles/6101171
|
||||
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
|
||||
https://access.redhat.com/articles/6716541
|
||||
* CVE-2022-0005 (Informational disclosure via JTAG),
|
||||
CVE-2022-21123 (Shared Buffers Data Read),
|
||||
CVE-2022-21125 (Shared Buffers Data Sampling),
|
||||
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
|
||||
CVE-2022-21131 (Protected Processor Inventory Number (PPIN) access protection),
|
||||
CVE-2022-21136 (Overclocking service access protection),
|
||||
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
|
||||
CVE-2022-21166 (Device Register Partial Write):
|
||||
https://access.redhat.com/articles/6963124
|
||||
* CVE-2022-21233 (Stale Data Read from legacy xAPIC):
|
||||
https://access.redhat.com/articles/6976398
|
||||
|
||||
The information regarding disabling microcode update is provided below.
|
||||
|
||||
To disable usage of the newer microcode revision for a specific kernel
|
||||
version, please create a file "disallow-intel-06-55-04" inside
|
||||
/lib/firmware/<kernel_version> directory, run
|
||||
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
|
||||
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
|
||||
so initramfs for this kernel version is regenerated, for example:
|
||||
|
||||
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-55-04
|
||||
/usr/libexec/microcode_ctl/update_ucode
|
||||
dracut -f --kver 3.10.0-862.9.1
|
||||
|
||||
To disable usage of the newer microcode revision for all kernels, please create
|
||||
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04", run
|
||||
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
|
||||
used for late microcode updates, and run "dracut -f --regenerate-all"
|
||||
so initramfs images get regenerated, for example:
|
||||
|
||||
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
||||
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-55-04
|
||||
/usr/libexec/microcode_ctl/update_ucode
|
||||
dracut -f --regenerate-all
|
||||
|
||||
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
||||
information.
|
@ -1,3 +0,0 @@
|
||||
model GenuineIntel 06-5e-03
|
||||
path intel-ucode/06-5e-03
|
||||
dependency required intel
|
@ -1,5 +0,0 @@
|
||||
Microcode revisions 0xda and higher for Intel Skylake-H/S/Xeon E3 v5 (family 6,
|
||||
model 94, stepping 3; CPUID 0x506e3) are disabled as they may cause system
|
||||
instability; the previously published revision 0xd6 is used instead.
|
||||
Please refer to /usr/share/doc/microcode_ctl/caveats/06-5e-03_readme
|
||||
and /usr/share/doc/microcode_ctl/README.caveats for details.
|
@ -1,89 +0,0 @@
|
||||
Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94,
|
||||
stepping 3) had reports of possible system hangs when revision 0xdc
|
||||
of microcode, that is included in microcode-20200609 update to address
|
||||
CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, was applied[1]. In order
|
||||
to address this, microcode updates to the newer revision had been disabled
|
||||
by default on these systems, and the previously published microcode revision
|
||||
0xd6 was used by default for the OS-driven microcode update. The revision
|
||||
0xea seems[2] to have fixed the aforementioned issue, hence it is enabled
|
||||
by default (but can be disabled explicitly; see below).
|
||||
|
||||
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826
|
||||
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-857806014
|
||||
|
||||
For the reference, SHA1 checksums of 06-5e-03 microcode files containing
|
||||
microcode revisions in question are listed below:
|
||||
* 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a
|
||||
* 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7
|
||||
* 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c
|
||||
* 06-5e-03, revision 0xea: e6c37056a849fd281f2fdb975361a914e07b86c8
|
||||
* 06-5e-03, revision 0xec: 6458bf25da4906479a01ffdcaa6d466e22722e01
|
||||
* 06-5e-03, revision 0xf0: 0683706bbbf470abbdad4b9923aa9647bfec9616
|
||||
|
||||
Please contact your system vendor for a BIOS/firmware update that contains
|
||||
the latest microcode version. For the information regarding microcode versions
|
||||
required for mitigating specific side-channel cache attacks, please refer
|
||||
to the following knowledge base articles:
|
||||
* CVE-2017-5715 ("Spectre"):
|
||||
https://access.redhat.com/articles/3436091
|
||||
* CVE-2018-3639 ("Speculative Store Bypass"):
|
||||
https://access.redhat.com/articles/3540901
|
||||
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
|
||||
https://access.redhat.com/articles/3562741
|
||||
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
|
||||
("Microarchitectural Data Sampling"):
|
||||
https://access.redhat.com/articles/4138151
|
||||
* CVE-2019-0117 (Intel SGX Information Leak),
|
||||
CVE-2019-0123 (Intel SGX Privilege Escalation),
|
||||
CVE-2019-11135 (TSX Asynchronous Abort),
|
||||
CVE-2019-11139 (Voltage Setting Modulation):
|
||||
https://access.redhat.com/solutions/2019-microcode-nov
|
||||
* CVE-2020-0543 (Special Register Buffer Data Sampling),
|
||||
CVE-2020-0548 (Vector Register Data Sampling),
|
||||
CVE-2020-0549 (L1D Cache Eviction Sampling):
|
||||
https://access.redhat.com/solutions/5142751
|
||||
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
|
||||
CVE-2020-8696 (Vector Register Leakage-Active),
|
||||
CVE-2020-8698 (Fast Forward Store Predictor):
|
||||
https://access.redhat.com/articles/5569051
|
||||
* CVE-2020-24489 (VT-d-related Privilege Escalation),
|
||||
CVE-2020-24511 (Improper Isolation of Shared Resources),
|
||||
CVE-2020-24512 (Observable Timing Discrepancy),
|
||||
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
|
||||
https://access.redhat.com/articles/6101171
|
||||
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
|
||||
https://access.redhat.com/articles/6716541
|
||||
* CVE-2022-0005 (Informational disclosure via JTAG),
|
||||
CVE-2022-21123 (Shared Buffers Data Read),
|
||||
CVE-2022-21125 (Shared Buffers Data Sampling),
|
||||
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
|
||||
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
|
||||
CVE-2022-21166 (Device Register Partial Write):
|
||||
https://access.redhat.com/articles/6963124
|
||||
|
||||
The information regarding disabling microcode update is provided below.
|
||||
|
||||
To prevent usage of the latest 06-5e-03 microcode revision for a specific kernel
|
||||
version, please create a file "disallow-intel-06-5e-03" inside
|
||||
/lib/firmware/<kernel_version> directory, run
|
||||
"/usr/libexec/microcode_ctl/update_ucode" to remove it to firmware directory
|
||||
where microcode is available for late microcode update, and run
|
||||
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
|
||||
is regenerated, for example:
|
||||
|
||||
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-5e-03
|
||||
/usr/libexec/microcode_ctl/update_ucode
|
||||
dracut -f --kver 3.10.0-862.9.1
|
||||
|
||||
To avoid addition of the latest microcode for all kernels, please create file
|
||||
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03", run
|
||||
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
|
||||
and "dracut -f --regenerate-all" for early microcode updates:
|
||||
|
||||
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
||||
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-5e-03
|
||||
/usr/libexec/microcode_ctl/update_ucode
|
||||
dracut -f --regenerate-all
|
||||
|
||||
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
||||
information.
|
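Review bot: The opening paragraph of this readme is the only visible record that revision 0xdc was shipped in microcode-20200609 for CVE-2020-0543, CVE-2020-0548 and CVE-2020-0549, and the closing paragraphs are the only description of the disallow-intel-06-5e-03 opt-out that keeps a host off the latest revision. Please say in the changelog whether an existing disallow-intel-06-5e-03 file under /lib/firmware/<kernel_version> or /etc/microcode_ctl/ucode_with_caveats is still honoured once this file is gone. Separately, the per-kernel paragraph reads "to remove it to firmware directory", which is garbled (the 06-8c-01 readme later in this diff has "to remove it from the firmware directory"), so do not reuse that sentence as written.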
@ -1,3 +0,0 @@
|
||||
model GenuineIntel 06-8c-01
|
||||
path intel-ucode/06-8c-01
|
||||
dependency required intel skip=success match-model-mode=off
|
@ -1,4 +0,0 @@
|
||||
Microcode updates for Intel Tiger Lake-UP3/UP4 (family 6, model 140, stepping 1;
|
||||
CPUID 0x806c1) are disabled as they may cause system instability.
|
||||
Please refer to /usr/share/doc/microcode_ctl/caveats/06-8c-01_readme
|
||||
and /usr/share/doc/microcode_ctl/README.caveats for details.
|
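Review bot: This disclaimer states that updates for CPUID 0x806c1 "are disabled", while the 06-8c-01 readme removed in the next hunk says revision 0x88 is enabled by default, so the two texts did not agree. The config, disclaimer and readme for 06-8c-01 are dropped in three consecutive hunks; please confirm that anything which still installs or references caveats/06-8c-01_readme is removed in the same commit.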
@ -1,66 +0,0 @@
|
||||
Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1)
|
||||
had reports of system hangs when a microcode update, that was included
|
||||
since microcode-20201110 update, was applied[1]. In order to address this,
|
||||
microcode update had been disabled by default on these systems. The revision
|
||||
0x88 seems to have fixed the aforementioned issue, hence it is enabled
|
||||
by default (but can be disabled explicitly; see below).
|
||||
|
||||
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44
|
||||
|
||||
For the reference, SHA1 checksums of 06-8c-01 microcode files containing
|
||||
microcode revisions in question are listed below:
|
||||
* 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04
|
||||
* 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290
|
||||
* 06-8c-01, revision 0x9a: 48b3ae8d27d8138b5b47052d2f8184bf555ad18e
|
||||
* 06-8c-01, revision 0xa4: 70753f54f5be84376bdebeb710595e4dc2f6d92f
|
||||
* 06-8c-01, revision 0xa6: fdcf89e3a15a20df8aeee215b78bf5d13d731044
|
||||
* 06-8c-01, revision 0xaa: cf84883f6b3184690c25ccade0b10fa839ac8657
|
||||
* 06-8c-01, revision 0xac: b9f342e564a0be372ed1f4709263bf811feb022a
|
||||
* 06-8c-01, revision 0xb4: 6596bb8696cde85538bb833d090f0b7a42d6ae14
|
||||
* 06-8c-01, revision 0xb6: 76556e8248a89f38cd55a6c83dccc995ba176091
|
||||
* 06-8c-01, revision 0xb8: 6e9b138d1db2934479b179af4a3a19e843c4b4e4
|
||||
|
||||
Please contact your system vendor for a BIOS/firmware update that contains
|
||||
the latest microcode version. For the information regarding microcode versions
|
||||
required for mitigating specific side-channel cache attacks, please refer
|
||||
to the following knowledge base articles:
|
||||
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
|
||||
CVE-2020-8696 (Vector Register Leakage-Active),
|
||||
CVE-2020-8698 (Fast Forward Store Predictor):
|
||||
https://access.redhat.com/articles/5569051
|
||||
* CVE-2020-24489 (VT-d-related Privilege Escalation),
|
||||
CVE-2020-24511 (Improper Isolation of Shared Resources),
|
||||
CVE-2020-24512 (Observable Timing Discrepancy),
|
||||
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
|
||||
https://access.redhat.com/articles/6101171
|
||||
* CVE-2021-0145 (Fast store forward predictor - Cross Domain Training):
|
||||
https://access.redhat.com/articles/6716541
|
||||
* CVE-2022-21123 (Shared Buffers Data Read):
|
||||
https://access.redhat.com/articles/6963124
|
||||
|
||||
The information regarding disabling microcode update is provided below.
|
||||
|
||||
To disable 06-8c-01 microcode updates for a specific kernel
|
||||
version, please create a file "disallow-intel-06-8c-01" inside
|
||||
/lib/firmware/<kernel_version> directory, run
|
||||
"/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware
|
||||
directory where microcode is available for late microcode update, and run
|
||||
"dracut -f --kver <kernel_version>", so initramfs for this kernel version
|
||||
is regenerated, for example:
|
||||
|
||||
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01
|
||||
/usr/libexec/microcode_ctl/update_ucode
|
||||
dracut -f --kver 3.10.0-862.9.1
|
||||
|
||||
To avoid addition of this microcode for all kernels, please create file
|
||||
"/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run
|
||||
"/usr/libexec/microcode_ctl/update_ucode" for late microcode updates,
|
||||
and "dracut -f --regenerate-all" for early microcode updates:
|
||||
|
||||
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
||||
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01
|
||||
/usr/libexec/microcode_ctl/update_ucode
|
||||
dracut -f --regenerate-all
|
||||
|
||||
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
||||
information.
|
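Review bot: The sentence "The revision 0x88 seems to have fixed the aforementioned issue" in the first paragraph carries no reference; [1] only covers the original hang report, whereas the 06-5e-03 readme cites a second issue comment for the equivalent claim. Once this file is deleted that statement is the only rationale for lifting the hold and it disappears with it, so put the supporting link (or a note that none exists) in the commit message next to issues/44.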
@ -1,5 +0,0 @@
|
||||
path intel-ucode/*
|
||||
vendor GenuineIntel
|
||||
dmi mode=fail-equal key=bios_vendor val="Dell Inc."
|
||||
dependency required intel
|
||||
disable early late
|
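Review bot: The dmi line in this config has no no-model-mode setting and the file ends in "disable early late" with no comment giving the reason, unlike the 06-8e-9e-0x-dell config removed further down, which documents its choice. With path intel-ucode/* and a match on bios_vendor "Dell Inc.", this rule is broad, so the commit message should state that dropping it is intended and what the hosts matched by it are expected to load afterwards.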
@ -1,219 +0,0 @@
|
||||
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
|
||||
and system instability during or after microcode update to revision 0xc6/0xca
|
||||
(included as part of microcode-20191113/microcode-20191115 update that addressed
|
||||
CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139)
|
||||
and/or revision 0xd6 (included as part of microcode-20200609 update
|
||||
that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549)
|
||||
[1][2][3][4][5][6]. In order to address this, microcode update to the newer
|
||||
revision has been disabled by default on these systems, and the previously
|
||||
published microcode revisions 0xae/0xb4/0xb8 are used by default
|
||||
for the OS-driven microcode update.
|
||||
|
||||
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23
|
||||
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
|
||||
[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33
|
||||
[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34
|
||||
[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35
|
||||
[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097
|
||||
|
||||
This caveat contains revision 0xca of 06-[89]e-0x microcode publicly released
|
||||
by Intel; for the latest revision of the microcode files, please refer to caveat
|
||||
06-8e-9e-0x-dell.
|
||||
|
||||
For the reference, microarchitectures of the affected CPU models:
|
||||
* Amber Lake-Y
|
||||
* Kaby Lake-G/H/S/U/Y/Xeon E3
|
||||
* Coffee Lake-H/S/U/Xeon E
|
||||
* Comet Lake-U 4+2
|
||||
* Whiskey Lake-U
|
||||
|
||||
Family names of the affected CPU models:
|
||||
* 7th Generation Intel® Core™ Processor Family
|
||||
* 8th Generation Intel® Core™ Processor Family
|
||||
* 9th Generation Intel® Core™ Processor Family
|
||||
* 10th Generation Intel® Core™ Processor Family (selected models)
|
||||
* Intel® Celeron® Processor G Series
|
||||
* Intel® Celeron® Processor 5000 Series
|
||||
* Intel® Core™ X-series Processors (i7-7740X, i5-7640X only)
|
||||
* Intel® Pentium® Gold Processor Series
|
||||
* Intel® Pentium® Processor Series (selected models)
|
||||
* Intel® Xeon® Processor E Family
|
||||
* Intel® Xeon® Processor E3 v6 Family
|
||||
|
||||
SHA1 checksums of the microcode files containing microcode revisions
|
||||
in question:
|
||||
* 06-8e-09, revision 0xb4: e253c95c29c3eef6576db851dfa069d82a91256f
|
||||
* 06-8e-0a, revision 0xb4: 45bcba494be07df9eeccff9627578095a97fba4d
|
||||
* 06-8e-0b, revision 0xb8: 3e54bf91d642ad81ff07fe274d0cfb5d10d09c43
|
||||
* 06-8e-0c, revision 0xb8: bf635c87177d6dc4e067ec11e1caeb19d3c325f0
|
||||
* 06-9e-09, revision 0xb4: 42f68eec4ddb79dd6be0c95c4ce60e514e4504b1
|
||||
* 06-9e-0a, revision 0xb4: 37c7cb394dd36610b57943578343723da67d50f0
|
||||
* 06-9e-0b, revision 0xb4: b5399109d0a5ce8f5fb623ff942da0322b438b95
|
||||
* 06-9e-0c, revision 0xae: 131bce89e4d210de8322ffbc6bd787f1af66a7df
|
||||
* 06-9e-0d, revision 0xb8: 22511b007d1df55558d115abb13a1c23ea398317
|
||||
|
||||
* 06-8e-09, revision 0xca: 9afa1bae40995207afef13247f114be042d88083
|
||||
* 06-8e-0a, revision 0xca: 1d90291cc25e17dc6c36c764cf8c06b41fed4c16
|
||||
* 06-8e-0b, revision 0xca: 3fb1246a6594eff5e2c2076c63c600d734f10777
|
||||
* 06-8e-0c, revision 0xca: e871540671f59b4fa5d0d454798f09a4d412aace
|
||||
* 06-9e-09, revision 0xca: b5eed11108ab7ac1e675fe75d0e7454a400ddd35
|
||||
* 06-9e-0a, revision 0xca: e472304aaa2f3815a32822cb111ab3f43bf3dfe4
|
||||
* 06-9e-0b, revision 0xca: 78f47c5162da680878ed057dc7c853f9737c524b
|
||||
* 06-9e-0c, revision 0xca: f23848a009928796a153cb9e8f44522136969408
|
||||
* 06-9e-0d, revision 0xca: c7a3d469469ee828ba9faf91b67af881fceec3b7
|
||||
|
||||
* 06-8e-09, revision 0xd6: 2272c621768437d20e602207752201e0966e5a8c
|
||||
* 06-8e-0a, revision 0xd6: 0b145afb88e028e612f04c2a86385e7d7c3fefc4
|
||||
* 06-8e-0b, revision 0xd6: c3831b05da83be54f3acc451a1bce90f75e2e9e5
|
||||
* 06-8e-0c, revision 0xd6: 4b8938a93e23f4b5a2d9de40b87f6afcfdc27c05
|
||||
* 06-9e-09, revision 0xd6: 4bacba8c598508e7dd4e87e179586abe7a1a987f
|
||||
* 06-9e-0a, revision 0xd6: 4c236afeef9f80ff3a286698fe7cef72926722f0
|
||||
* 06-9e-0b, revision 0xd6: 2f9ab9b2ba29559ce177632281d7290a24fed2ef
|
||||
* 06-9e-0c, revision 0xd6: 4b9059e519bcab6085b6c103f5d99e509fe0b2bb
|
||||
* 06-9e-0d, revision 0xd6: 3a3b7edfd8126bb34b761b46a32102a622047899
|
||||
|
||||
* 06-8e-09, revision 0xde: 84d7514101eb8904834a3dacdee684b3c574245f
|
||||
* 06-8e-0a, revision 0xe0: 080b9e3ebbcf6bb1eca0fb5f640e6bfbfe3a1e6e
|
||||
* 06-8e-0b, revision 0xde: 80fed976231bbff4c7103e373498e07eef0bff31
|
||||
* 06-8e-0c, revision 0xde: 84f160587fea4acb81451c8ff53dc51afba06343
|
||||
* 06-9e-09, revision 0xde: 422026ffb2cca446693c586be98d0d9e7dfeb116
|
||||
* 06-9e-0a, revision 0xde: b6c44b9fe26e1d6bafa27f37ffe010284294bf1c
|
||||
* 06-9e-0b, revision 0xde: 6452937a0d359066b95f9e679a41a15490770312
|
||||
* 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542
|
||||
* 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c
|
||||
|
||||
* 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d
|
||||
* 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8
|
||||
* 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac
|
||||
* 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3
|
||||
* 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668
|
||||
* 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4
|
||||
* 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c
|
||||
* 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4
|
||||
* 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a
|
||||
|
||||
* 06-8e-09, revision 0xec: 78eb624be5e8084e438318bdad99f9ddc082def7
|
||||
* 06-8e-0a, revision 0xec: 6c41a6ad412f48f81a9d5edf59dcdecc358398bf
|
||||
* 06-8e-0b, revision 0xec: 89dd0de598c83eb9714f6839499f322dfce2b693
|
||||
* 06-8e-0c, revision 0xec: 225ea349b9cb3b1b94e237deb797e0c60d14a84c
|
||||
* 06-9e-09, revision 0xec: fc5c0206fe392a0ddad4dc9363fde2d3e3d1e681
|
||||
* 06-9e-0a, revision 0xec: 128002076e4ac3c75697fb4efdf1f8ddcc971fbe
|
||||
* 06-9e-0b, revision 0xec: ac8c3865a143b2e03869f15a5b86e560f60ad632
|
||||
* 06-9e-0c, revision 0xec: 6e3d695290def517857c8e743dc65161479f0c04
|
||||
* 06-9e-0d, revision 0xec: 58b1ec5fee7dd1a761ed901b374ccb978737a979
|
||||
|
||||
* 06-8e-09, revision 0xf0: 219e2b9168a09451b17813b97995cc59cc78b414
|
||||
* 06-8e-0a, revision 0xf0: 3c4241d0b9d1a1a1e82d03b365fdd3b843006a7c
|
||||
* 06-8e-0b, revision 0xf0: 79b61f034cba86e61641114bbab49ec0166c0f35
|
||||
* 06-8e-0c, revision 0xf0: 11d166de440dbe9c440e90cb610ef4b9d48242b1
|
||||
* 06-9e-09, revision 0xf0: 49e142da74e7298b2db738ff7dd1a9b0fa4e0c3e
|
||||
* 06-9e-0a, revision 0xf0: 8de1d4a80cd683bf09854c33905c69d3d7ac7730
|
||||
* 06-9e-0b, revision 0xf0: ff092c6ac8333f0abcd94f7d2e2088f31d960e62
|
||||
* 06-9e-0c, revision 0xf0: 3702f21e87b75bea6f4b1ee0407b941ef31d4ad1
|
||||
* 06-9e-0d, revision 0xf0: 226feaaa431eb76e734ab68efc2ea7b07aa3c7d9
|
||||
|
||||
* 06-8e-0c, revision 0xf4: 6a5e140bf8c046acb6958bad1db1fee66c8601ad
|
||||
* 06-9e-0d, revision 0xf4: 3433d4394b05a9c8aefb9c46674bad7b7e934f11
|
||||
|
||||
* 06-8e-09, revision 0xf2: 2e67e55d7b805edcfaac57898088323df7315b25
|
||||
* 06-8e-0a, revision 0xf2: f9e1dbeb969ded845b726c62336f243099714bcf
|
||||
* 06-8e-0b, revision 0xf2: 3d45fbcbefd92dbbedf0eed04aeb29c7430c7c0e
|
||||
* 06-8e-0c, revision 0xf6: bd37be38dbd046d4d66f126cfaa79e43bfe88c0d
|
||||
* 06-9e-09, revision 0xf2: 716257544acf2c871d74e4627e7de86ee1024185
|
||||
* 06-9e-0a, revision 0xf2: 933c5d6710195336381e15a160d36aaa52d358fd
|
||||
* 06-9e-0b, revision 0xf2: 92eaafdb72f6d4231046aadb92caa0038e94fca8
|
||||
* 06-9e-0c, revision 0xf2: ad8922b4f91b5214dd88c56c0a12d15edb9cea5b
|
||||
* 06-9e-0d, revision 0xf8: 8fdea727c6ce46b26e0cffa6ee4ff1ba0c45cf14
|
||||
|
||||
* 06-8e-09, revision 0xf4: e059ab6b168f3831d624acc153e18ab1c8488570
|
||||
* 06-8e-0a, revision 0xf4: d1ade1ccfe5c6105d0786dfe887696808954f8b4
|
||||
* 06-8e-0b, revision 0xf4: 0bc93736f3f5b8b6569bebac4e9627ab923621e0
|
||||
* 06-8e-0c, revision 0xf8: be93b4826a3f40219a9fc4fc5afa87b320279f6e
|
||||
* 06-9e-09, revision 0xf4: 317564f3ac7b99b5900b91e2be3e23b9b66bc2c0
|
||||
* 06-9e-0a, revision 0xf4: 9659f73e2c6081eb5c146c5ed763fa5db21df901
|
||||
* 06-9e-0b, revision 0xf4: e60b567ad54da129d05a77e305cae4488579979d
|
||||
* 06-9e-0c, revision 0xf4: 74d52a11a905dd7b254fa72b014c3bab8022ba3d
|
||||
* 06-9e-0d, revision 0xfa: 484738563e793d5b90b94869dc06edf0407182f1
|
||||
|
||||
* 06-8e-0c, revision 0xfa: d2c2ed4634b2f345382991237bedb90430fcc0b3
|
||||
* 06-9e-09, revision 0xf8: 69b8a5435bfb976ef5ec5930dae870e26835442e
|
||||
* 06-9e-0a, revision 0xf6: c1f0f556cd203aa6e1d0d1ffb0a65b32f32692be
|
||||
* 06-9e-0c, revision 0xf6: a8dfddd009f750b6528f93556b67d4eeca1e5dfa
|
||||
* 06-9e-0d, revision 0xfc: a0ad865fd2d3b9d955a889c96fabc67da0235dda
|
||||
|
||||
* 06-8e-09, revision 0xf6: c2786ef2eb4feb8ac3e3efae83c361de3ad8df0d
|
||||
* 06-8e-0a, revision 0xf6: 9bb2839d451ecee40c1eb08f40e4baec9a159e90
|
||||
* 06-8e-0b, revision 0xf6: 7b60fc7d44654976df32971a45399b3b910f3390
|
||||
* 06-8e-0c, revision 0xfc: 34efc9a54dc32082b898116840c0a1a1cef59e69
|
||||
* 06-9e-0a, revision 0xf8: 880163a2da13ed1eae1654535d751a788de6fa3f
|
||||
* 06-9e-0b, revision 0xf6: ca90c9139d0c1554f6d17ae1bdcf94d0faa6ece7
|
||||
* 06-9e-0c, revision 0xf8: 97dcc36772894619ab28be8c35c4ff9f15d684ae
|
||||
* 06-9e-0d, revision 0x100: 1a00b6a4373b95811c6396f2a0d8d497f4006fb7
|
||||
|
||||
Please contact your system vendor for a BIOS/firmware update that contains
|
||||
the latest microcode version. For the information regarding microcode versions
|
||||
required for mitigating specific side-channel cache attacks, please refer
|
||||
to the following knowledge base articles:
|
||||
* CVE-2017-5715 ("Spectre"):
|
||||
https://access.redhat.com/articles/3436091
|
||||
* CVE-2018-3639 ("Speculative Store Bypass"):
|
||||
https://access.redhat.com/articles/3540901
|
||||
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
|
||||
https://access.redhat.com/articles/3562741
|
||||
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
|
||||
("Microarchitectural Data Sampling"):
|
||||
https://access.redhat.com/articles/4138151
|
||||
* CVE-2019-0117 (Intel SGX Information Leak),
|
||||
CVE-2019-0123 (Intel SGX Privilege Escalation),
|
||||
CVE-2019-11135 (TSX Asynchronous Abort),
|
||||
CVE-2019-11139 (Voltage Setting Modulation):
|
||||
https://access.redhat.com/solutions/2019-microcode-nov
|
||||
* CVE-2020-0543 (Special Register Buffer Data Sampling),
|
||||
CVE-2020-0548 (Vector Register Data Sampling),
|
||||
CVE-2020-0549 (L1D Cache Eviction Sampling):
|
||||
https://access.redhat.com/solutions/5142751
|
||||
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
|
||||
CVE-2020-8696 (Vector Register Leakage-Active),
|
||||
CVE-2020-8698 (Fast Forward Store Predictor):
|
||||
https://access.redhat.com/articles/5569051
|
||||
* CVE-2020-24489 (VT-d-related Privilege Escalation),
|
||||
CVE-2020-24511 (Improper Isolation of Shared Resources),
|
||||
CVE-2020-24512 (Observable Timing Discrepancy),
|
||||
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
|
||||
https://access.redhat.com/articles/6101171
|
||||
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
|
||||
https://access.redhat.com/articles/6716541
|
||||
* CVE-2022-0005 (Informational disclosure via JTAG),
|
||||
CVE-2022-21123 (Shared Buffers Data Read),
|
||||
CVE-2022-21125 (Shared Buffers Data Sampling),
|
||||
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
|
||||
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
|
||||
CVE-2022-21166 (Device Register Partial Write):
|
||||
https://access.redhat.com/articles/6963124
|
||||
|
||||
The information regarding disabling microcode update is provided below.
|
||||
|
||||
To disable usage of the newer microcode revision for a specific kernel
|
||||
version, please create a file "disallow-intel-06-8e-9e-0x-0xca" inside
|
||||
/lib/firmware/<kernel_version> directory, run
|
||||
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
|
||||
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
|
||||
so initramfs for this kernel version is regenerated, for example:
|
||||
|
||||
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8e-9e-0x-0xca
|
||||
/usr/libexec/microcode_ctl/update_ucode
|
||||
dracut -f --kver 3.10.0-862.9.1
|
||||
|
||||
To disable usage of the newer microcode revision for all kernels, please create
|
||||
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0x-0xca",
|
||||
run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
|
||||
used for late microcode updates, and run "dracut -f --regenerate-all"
|
||||
so initramfs images get regenerated, for example:
|
||||
|
||||
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
||||
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0xca
|
||||
/usr/libexec/microcode_ctl/update_ucode
|
||||
dracut -f --regenerate-all
|
||||
|
||||
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
||||
information.
|
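Review bot: The all-kernels example near the end touches disallow-intel-06-8e-9e-0xca, but the paragraph directly above it and the per-kernel example both name the file disallow-intel-06-8e-9e-0x-0xca (with "-0x"). The readme therefore documents two different file names for the same opt-out. If this procedure is carried into any remaining document, correct the example there, and mention the mismatch in the release notes so that administrators can find and clean up a file created under either name.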
@ -1,7 +0,0 @@
|
||||
path intel-ucode/*
|
||||
vendor GenuineIntel
|
||||
## It is deemed that blacklisting all 06-[89]e-0x models on all hardware
|
||||
## in cases where no model filter is used is too broad, hence
|
||||
## no-model-mode=success.
|
||||
dmi mode=fail-equal no-model-mode=success key=bios_vendor val="Dell Inc."
|
||||
dependency required intel
|
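Review bot: The "##" comment justifies no-model-mode=success by calling a block of all 06-[89]e-0x models too broad, yet the path is intel-ucode/* and this hunk has no model line to narrow it (the 06-8c-01 config earlier in the diff has "model GenuineIntel 06-8c-01"). That comment is the only stated rationale for the setting; copy it into the commit message for this removal so the reasoning is still available if the Dell caveat has to be restored.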
@ -1,7 +0,0 @@
|
||||
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
|
||||
and system instability during or after microcode update to newer revisions.
|
||||
In order to address this, microcode update to these newer revision
|
||||
has been disabled by default on these systems, and the previously published
|
||||
microcode revisions are used by default for the OS-driven microcode update.
|
||||
Please refer to /usr/share/doc/microcode_ctl/caveats/06-8e-9e-0x-dell_readme
|
||||
and /usr/share/doc/microcode_ctl/README.caveats for details.
|
@ -1,219 +0,0 @@
|
||||
Some Dell systems that use some models of Intel CPUs are susceptible to hangs
|
||||
and system instability during or after microcode update to revision 0xc6/0xca
|
||||
(included as part of microcode-20191113/microcode-20191115 update that addressed
|
||||
CVE-2019-0117, CVE-2019-0123, CVE-2019-11135, and CVE-2019-11139)
|
||||
and/or revision 0xd6 (included as part of microcode-20200609 update
|
||||
that addressed CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549)
|
||||
[1][2][3][4][5][6]. In order to address this, microcode update to the newer
|
||||
revision has been disabled by default on these systems, and the previously
|
||||
published microcode revisions 0xae/0xb4/0xb8 are used by default
|
||||
for the OS-driven microcode update.
|
||||
|
||||
[1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/23
|
||||
[2] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/24
|
||||
[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/33
|
||||
[4] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/34
|
||||
[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/35
|
||||
[6] https://bugzilla.redhat.com/show_bug.cgi?id=1846097
|
||||
|
||||
This caveat contains latest microcode revisions publicly released by Intel;
|
||||
for the revision 0xca of the microcode files, please refer to caveat
|
||||
06-8e-9e-0x-0xca.
|
||||
|
||||
For the reference, microarchitectures of the affected CPU models:
|
||||
* Amber Lake-Y
|
||||
* Kaby Lake-G/H/S/U/X/Y/Xeon E3
|
||||
* Coffee Lake-H/S/U/Xeon E
|
||||
* Comet Lake-U 4+2
|
||||
* Whiskey Lake-U
|
||||
|
||||
Family names of the affected CPU models:
|
||||
* 7th Generation Intel® Core™ Processor Family
|
||||
* 8th Generation Intel® Core™ Processor Family
|
||||
* 9th Generation Intel® Core™ Processor Family
|
||||
* 10th Generation Intel® Core™ Processor Family (selected models)
|
||||
* Intel® Celeron® Processor G Series
|
||||
* Intel® Celeron® Processor 5000 Series
|
||||
* Intel® Core™ X-series Processors (i7-7740X, i5-7640X only)
|
||||
* Intel® Pentium® Gold Processor Series
|
||||
* Intel® Pentium® Processor Series (selected models)
|
||||
* Intel® Xeon® Processor E Family
|
||||
* Intel® Xeon® Processor E3 v6 Family
|
||||
|
||||
SHA1 checksums of the microcode files containing microcode revisions
|
||||
in question:
|
||||
* 06-8e-09, revision 0xb4: e253c95c29c3eef6576db851dfa069d82a91256f
|
||||
* 06-8e-0a, revision 0xb4: 45bcba494be07df9eeccff9627578095a97fba4d
|
||||
* 06-8e-0b, revision 0xb8: 3e54bf91d642ad81ff07fe274d0cfb5d10d09c43
|
||||
* 06-8e-0c, revision 0xb8: bf635c87177d6dc4e067ec11e1caeb19d3c325f0
|
||||
* 06-9e-09, revision 0xb4: 42f68eec4ddb79dd6be0c95c4ce60e514e4504b1
|
||||
* 06-9e-0a, revision 0xb4: 37c7cb394dd36610b57943578343723da67d50f0
|
||||
* 06-9e-0b, revision 0xb4: b5399109d0a5ce8f5fb623ff942da0322b438b95
|
||||
* 06-9e-0c, revision 0xae: 131bce89e4d210de8322ffbc6bd787f1af66a7df
|
||||
* 06-9e-0d, revision 0xb8: 22511b007d1df55558d115abb13a1c23ea398317
|
||||
|
||||
* 06-8e-09, revision 0xca: 9afa1bae40995207afef13247f114be042d88083
|
||||
* 06-8e-0a, revision 0xca: 1d90291cc25e17dc6c36c764cf8c06b41fed4c16
|
||||
* 06-8e-0b, revision 0xca: 3fb1246a6594eff5e2c2076c63c600d734f10777
|
||||
* 06-8e-0c, revision 0xca: e871540671f59b4fa5d0d454798f09a4d412aace
|
||||
* 06-9e-09, revision 0xca: b5eed11108ab7ac1e675fe75d0e7454a400ddd35
|
||||
* 06-9e-0a, revision 0xca: e472304aaa2f3815a32822cb111ab3f43bf3dfe4
|
||||
* 06-9e-0b, revision 0xca: 78f47c5162da680878ed057dc7c853f9737c524b
|
||||
* 06-9e-0c, revision 0xca: f23848a009928796a153cb9e8f44522136969408
|
||||
* 06-9e-0d, revision 0xca: c7a3d469469ee828ba9faf91b67af881fceec3b7
|
||||
|
||||
* 06-8e-09, revision 0xd6: 2272c621768437d20e602207752201e0966e5a8c
|
||||
* 06-8e-0a, revision 0xd6: 0b145afb88e028e612f04c2a86385e7d7c3fefc4
|
||||
* 06-8e-0b, revision 0xd6: c3831b05da83be54f3acc451a1bce90f75e2e9e5
|
||||
* 06-8e-0c, revision 0xd6: 4b8938a93e23f4b5a2d9de40b87f6afcfdc27c05
|
||||
* 06-9e-09, revision 0xd6: 4bacba8c598508e7dd4e87e179586abe7a1a987f
|
||||
* 06-9e-0a, revision 0xd6: 4c236afeef9f80ff3a286698fe7cef72926722f0
|
||||
* 06-9e-0b, revision 0xd6: 2f9ab9b2ba29559ce177632281d7290a24fed2ef
|
||||
* 06-9e-0c, revision 0xd6: 4b9059e519bcab6085b6c103f5d99e509fe0b2bb
|
||||
* 06-9e-0d, revision 0xd6: 3a3b7edfd8126bb34b761b46a32102a622047899
|
||||
|
||||
* 06-8e-09, revision 0xde: 84d7514101eb8904834a3dacdee684b3c574245f
|
||||
* 06-8e-0a, revision 0xe0: 080b9e3ebbcf6bb1eca0fb5f640e6bfbfe3a1e6e
|
||||
* 06-8e-0b, revision 0xde: 80fed976231bbff4c7103e373498e07eef0bff31
|
||||
* 06-8e-0c, revision 0xde: 84f160587fea4acb81451c8ff53dc51afba06343
|
||||
* 06-9e-09, revision 0xde: 422026ffb2cca446693c586be98d0d9e7dfeb116
|
||||
* 06-9e-0a, revision 0xde: b6c44b9fe26e1d6bafa27f37ffe010284294bf1c
|
||||
* 06-9e-0b, revision 0xde: 6452937a0d359066b95f9e679a41a15490770312
|
||||
* 06-9e-0c, revision 0xde: a95021a4e497e0bf3691ecf3d020728f25a3f542
|
||||
* 06-9e-0d, revision 0xde: 03b20fdc2fa3f9586f93a7e40d3b61be5b7b788c
|
||||
|
||||
* 06-8e-09, revision 0xea: caa7192fb2223e3e52389aca84930aee326b384d
|
||||
* 06-8e-0a, revision 0xea: ab4d5d3b51445d055763796a0362f8ab249cf4c8
|
||||
* 06-8e-0b, revision 0xea: 5406c513f90286c02476ee0d4a6c8010a263c3ac
|
||||
* 06-8e-0c, revision 0xea: 8c045b9056443862c95573efd4646e331a2310d3
|
||||
* 06-9e-09, revision 0xea: a9f8a14ca3808f6380d6dff92e1fd693cc909668
|
||||
* 06-9e-0a, revision 0xea: b7726bdba2fe74d8f419c68f417d796d569b9ec4
|
||||
* 06-9e-0b, revision 0xea: 963dca66aedf2bfb0613d0d9515c6bcfb0589e0c
|
||||
* 06-9e-0c, revision 0xea: 1329a4d8166fe7d70833d21428936254e11efbb4
|
||||
* 06-9e-0d, revision 0xea: 9c73f2ac6c4edbf8b0aefdd5d6780c7219be702a
|
||||
|
||||
* 06-8e-09, revision 0xec: 78eb624be5e8084e438318bdad99f9ddc082def7
|
||||
* 06-8e-0a, revision 0xec: 6c41a6ad412f48f81a9d5edf59dcdecc358398bf
|
||||
* 06-8e-0b, revision 0xec: 89dd0de598c83eb9714f6839499f322dfce2b693
|
||||
* 06-8e-0c, revision 0xec: 225ea349b9cb3b1b94e237deb797e0c60d14a84c
|
||||
* 06-9e-09, revision 0xec: fc5c0206fe392a0ddad4dc9363fde2d3e3d1e681
|
||||
* 06-9e-0a, revision 0xec: 128002076e4ac3c75697fb4efdf1f8ddcc971fbe
|
||||
* 06-9e-0b, revision 0xec: ac8c3865a143b2e03869f15a5b86e560f60ad632
|
||||
* 06-9e-0c, revision 0xec: 6e3d695290def517857c8e743dc65161479f0c04
|
||||
* 06-9e-0d, revision 0xec: 58b1ec5fee7dd1a761ed901b374ccb978737a979
|
||||
|
||||
* 06-8e-09, revision 0xf0: 219e2b9168a09451b17813b97995cc59cc78b414
|
||||
* 06-8e-0a, revision 0xf0: 3c4241d0b9d1a1a1e82d03b365fdd3b843006a7c
|
||||
* 06-8e-0b, revision 0xf0: 79b61f034cba86e61641114bbab49ec0166c0f35
|
||||
* 06-8e-0c, revision 0xf0: 11d166de440dbe9c440e90cb610ef4b9d48242b1
|
||||
* 06-9e-09, revision 0xf0: 49e142da74e7298b2db738ff7dd1a9b0fa4e0c3e
|
||||
* 06-9e-0a, revision 0xf0: 8de1d4a80cd683bf09854c33905c69d3d7ac7730
|
||||
* 06-9e-0b, revision 0xf0: ff092c6ac8333f0abcd94f7d2e2088f31d960e62
|
||||
* 06-9e-0c, revision 0xf0: 3702f21e87b75bea6f4b1ee0407b941ef31d4ad1
|
||||
* 06-9e-0d, revision 0xf0: 226feaaa431eb76e734ab68efc2ea7b07aa3c7d9
|
||||
|
||||
* 06-8e-0c, revision 0xf4: 6a5e140bf8c046acb6958bad1db1fee66c8601ad
|
||||
* 06-9e-0d, revision 0xf4: 3433d4394b05a9c8aefb9c46674bad7b7e934f11
|
||||
|
||||
* 06-8e-09, revision 0xf2: 2e67e55d7b805edcfaac57898088323df7315b25
|
||||
* 06-8e-0a, revision 0xf2: f9e1dbeb969ded845b726c62336f243099714bcf
|
||||
* 06-8e-0b, revision 0xf2: 3d45fbcbefd92dbbedf0eed04aeb29c7430c7c0e
|
||||
* 06-8e-0c, revision 0xf6: bd37be38dbd046d4d66f126cfaa79e43bfe88c0d
|
||||
* 06-9e-09, revision 0xf2: 716257544acf2c871d74e4627e7de86ee1024185
|
||||
* 06-9e-0a, revision 0xf2: 933c5d6710195336381e15a160d36aaa52d358fd
|
||||
* 06-9e-0b, revision 0xf2: 92eaafdb72f6d4231046aadb92caa0038e94fca8
|
||||
* 06-9e-0c, revision 0xf2: ad8922b4f91b5214dd88c56c0a12d15edb9cea5b
|
||||
* 06-9e-0d, revision 0xf8: 8fdea727c6ce46b26e0cffa6ee4ff1ba0c45cf14
|
||||
|
||||
* 06-8e-09, revision 0xf4: e059ab6b168f3831d624acc153e18ab1c8488570
|
||||
* 06-8e-0a, revision 0xf4: d1ade1ccfe5c6105d0786dfe887696808954f8b4
|
||||
* 06-8e-0b, revision 0xf4: 0bc93736f3f5b8b6569bebac4e9627ab923621e0
|
||||
* 06-8e-0c, revision 0xf8: be93b4826a3f40219a9fc4fc5afa87b320279f6e
|
||||
* 06-9e-09, revision 0xf4: 317564f3ac7b99b5900b91e2be3e23b9b66bc2c0
|
||||
* 06-9e-0a, revision 0xf4: 9659f73e2c6081eb5c146c5ed763fa5db21df901
|
||||
* 06-9e-0b, revision 0xf4: e60b567ad54da129d05a77e305cae4488579979d
|
||||
* 06-9e-0c, revision 0xf4: 74d52a11a905dd7b254fa72b014c3bab8022ba3d
|
||||
* 06-9e-0d, revision 0xfa: 484738563e793d5b90b94869dc06edf0407182f1
|
||||
|
||||
* 06-8e-0c, revision 0xfa: d2c2ed4634b2f345382991237bedb90430fcc0b3
|
||||
* 06-9e-09, revision 0xf8: 69b8a5435bfb976ef5ec5930dae870e26835442e
|
||||
* 06-9e-0a, revision 0xf6: c1f0f556cd203aa6e1d0d1ffb0a65b32f32692be
|
||||
* 06-9e-0c, revision 0xf6: a8dfddd009f750b6528f93556b67d4eeca1e5dfa
|
||||
* 06-9e-0d, revision 0xfc: a0ad865fd2d3b9d955a889c96fabc67da0235dda
|
||||
|
||||
* 06-8e-09, revision 0xf6: c2786ef2eb4feb8ac3e3efae83c361de3ad8df0d
|
||||
* 06-8e-0a, revision 0xf6: 9bb2839d451ecee40c1eb08f40e4baec9a159e90
|
||||
* 06-8e-0b, revision 0xf6: 7b60fc7d44654976df32971a45399b3b910f3390
|
||||
* 06-8e-0c, revision 0xfc: 34efc9a54dc32082b898116840c0a1a1cef59e69
|
||||
* 06-9e-0a, revision 0xf8: 880163a2da13ed1eae1654535d751a788de6fa3f
|
||||
* 06-9e-0b, revision 0xf6: ca90c9139d0c1554f6d17ae1bdcf94d0faa6ece7
|
||||
* 06-9e-0c, revision 0xf8: 97dcc36772894619ab28be8c35c4ff9f15d684ae
|
||||
* 06-9e-0d, revision 0x100: 1a00b6a4373b95811c6396f2a0d8d497f4006fb7
|
||||
|
||||
Please contact your system vendor for a BIOS/firmware update that contains
|
||||
the latest microcode version. For the information regarding microcode versions
|
||||
required for mitigating specific side-channel cache attacks, please refer
|
||||
to the following knowledge base articles:
|
||||
* CVE-2017-5715 ("Spectre"):
|
||||
https://access.redhat.com/articles/3436091
|
||||
* CVE-2018-3639 ("Speculative Store Bypass"):
|
||||
https://access.redhat.com/articles/3540901
|
||||
* CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"):
|
||||
https://access.redhat.com/articles/3562741
|
||||
* CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091
|
||||
("Microarchitectural Data Sampling"):
|
||||
https://access.redhat.com/articles/4138151
|
||||
* CVE-2019-0117 (Intel SGX Information Leak),
|
||||
CVE-2019-0123 (Intel SGX Privilege Escalation),
|
||||
CVE-2019-11135 (TSX Asynchronous Abort),
|
||||
CVE-2019-11139 (Voltage Setting Modulation):
|
||||
https://access.redhat.com/solutions/2019-microcode-nov
|
||||
* CVE-2020-0543 (Special Register Buffer Data Sampling),
|
||||
CVE-2020-0548 (Vector Register Data Sampling),
|
||||
CVE-2020-0549 (L1D Cache Eviction Sampling):
|
||||
https://access.redhat.com/solutions/5142751
|
||||
* CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface),
|
||||
CVE-2020-8696 (Vector Register Leakage-Active),
|
||||
CVE-2020-8698 (Fast Forward Store Predictor):
|
||||
https://access.redhat.com/articles/5569051
|
||||
* CVE-2020-24489 (VT-d-related Privilege Escalation),
|
||||
CVE-2020-24511 (Improper Isolation of Shared Resources),
|
||||
CVE-2020-24512 (Observable Timing Discrepancy),
|
||||
CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors):
|
||||
https://access.redhat.com/articles/6101171
|
||||
* CVE-2021-0127 (Intel Processor Breakpoint Control Flow):
|
||||
https://access.redhat.com/articles/6716541
|
||||
* CVE-2022-0005 (Informational disclosure via JTAG),
|
||||
CVE-2022-21123 (Shared Buffers Data Read),
|
||||
CVE-2022-21125 (Shared Buffers Data Sampling),
|
||||
CVE-2022-21127 (Update to Special Register Buffer Data Sampling),
|
||||
CVE-2022-21151 (Optimization Removal-Induced Informational Disclosure),
|
||||
CVE-2022-21166 (Device Register Partial Write):
|
||||
https://access.redhat.com/articles/6963124
|
||||
|
||||
The information regarding disabling microcode update is provided below.
|
||||
|
||||
To disable usage of the newer microcode revision for a specific kernel
|
||||
version, please create a file "disallow-intel-06-8e-9e-0x-dell" inside
|
||||
/lib/firmware/<kernel_version> directory, run
|
||||
"/usr/libexec/microcode_ctl/update_ucode" to update firmware directory
|
||||
used for late microcode updates, and run "dracut -f --kver <kernel_version>"
|
||||
so initramfs for this kernel version is regenerated, for example:
|
||||
|
||||
touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8e-9e-0x-dell
|
||||
/usr/libexec/microcode_ctl/update_ucode
|
||||
dracut -f --kver 3.10.0-862.9.1
|
||||
|
||||
To disable usage of the newer microcode revision for all kernels, please create
|
||||
file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-0x-dell",
|
||||
run "/usr/libexec/microcode_ctl/update_ucode" to update firmware directories
|
||||
used for late microcode updates, and run "dracut -f --regenerate-all"
|
||||
so initramfs images get regenerated, for example:
|
||||
|
||||
mkdir -p /etc/microcode_ctl/ucode_with_caveats
|
||||
touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-dell
|
||||
/usr/libexec/microcode_ctl/update_ucode
|
||||
dracut -f --regenerate-all
|
||||
|
||||
Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional
|
||||
information.
|
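Review bot: the all-kernels example touches "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8e-9e-dell", while the paragraph just above it and the per-kernel example both name the file "disallow-intel-06-8e-9e-0x-dell". Anyone copying the example creates a file whose name differs from the one the text says to create, so the opt-out may not take effect. Change the touch line to the "-0x-dell" name so that all three references agree.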
6
gating.yaml
Normal file
@ -0,0 +1,6 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-10
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.hardware-microcode_ctl.tier0.functional}
|
@ -43,25 +43,43 @@ for f in $(grep -E '/intel-ucode.*/[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-
|
||||
|
||||
# ext_sig, 12 bytes in size
|
||||
IFS=' ' read cpuid pf_mask <<- EOF
|
||||
$(hexdump -s "$skip" -n 8 \
|
||||
-e '"" 1/4 "%08x " 1/4 "%u" "\n"' "$f")
|
||||
$(dd if="$f" ibs=1 skip="$skip" count=8 status=none \
|
||||
| xxd -e -g4 | xxd -r | hexdump -n 8 \
|
||||
-e '"" 4/1 "%02x" " 0x" 4/1 "%02x" "\n"')
|
||||
EOF
|
||||
# Converting values from the constructed %#08x format
|
||||
pf_mask="$((pf_mask))"
|
||||
|
||||
skip="$((skip + 12))"
|
||||
ext_sig_pos="$((ext_sig_pos + 1))"
|
||||
else
|
||||
# Microcode header, 48 bytes, last 3 fields reserved
|
||||
# cksum, ldrver are ignored
|
||||
IFS=' ' read hdrver rev \
|
||||
date_y date_d date_m \
|
||||
date_m date_d date_y \
|
||||
cpuid cksum ldrver \
|
||||
pf_mask datasz totalsz <<- EOF
|
||||
$(hexdump -s "$skip" -n 36 \
|
||||
-e '"" 1/4 "%u " 1/4 "%#x " \
|
||||
1/2 "%04x " 1/1 "%02x " 1/1 "%02x " \
|
||||
1/4 "%08x " 1/4 "%x " 1/4 "%#x " \
|
||||
1/4 "%u " 1/4 "%u " 1/4 "%u" "\n"' "$f")
|
||||
$(dd if="$f" ibs=1 skip="$skip" count=36 status=none \
|
||||
| xxd -e -g4 | xxd -r | hexdump -n 36 \
|
||||
-e '"0x" 4/1 "%02x" " 0x" 4/1 "%02x" " " \
|
||||
1/1 "%02x " 1/1 "%02x " 2/1 "%02x" " " \
|
||||
4/1 "%02x" " 0x" 4/1 "%02x" " 0x" 4/1 "%02x" \
|
||||
" 0x" 4/1 "%x" \
|
||||
" 0x" 4/1 "%02x" " 0x" 4/1 "%02x" "\n"')
|
||||
EOF
|
||||
|
||||
# Converting values from the constructed %#08x format
|
||||
rev="$(printf '%#x' "$((rev))")"
|
||||
pf_mask="$((pf_mask))"
|
||||
datasz="$((datasz))"
|
||||
totalsz="$((totalsz))"
|
||||
|
||||
# Skipping files with unexpected hdrver value
|
||||
[ 1 = "$((hdrver))" ] || {
|
||||
echo "$f+$skip@$file_sz: incorrect hdrver $((hdrver))" >&2
|
||||
break
|
||||
}
|
||||
|
||||
[ 0 != "$datasz" ] || datasz=2000
|
||||
[ 0 != "$totalsz" ] || totalsz=2048
|
||||
|
||||
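Review bot: in the dd/xxd form of the 48-byte header read, pf_mask is the only field formatted with 4/1 "%x"; every other 32-bit field there, and pf_mask itself in the ext_sig read at the top of this hunk, uses 4/1 "%02x". Without zero padding the four bytes are concatenated with their leading zeros dropped, so a value with a non-zero higher byte followed by a byte below 0x10 would be reassembled wrongly before pf_mask="$((pf_mask))" runs. Use "%02x" for that field as well. The new pipeline also makes the script depend on xxd, which should be stated wherever the script's requirements are declared, and the comment "constructed %#08x format" could say that the values are built as "0x" plus four two-digit bytes.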
@ -80,9 +98,12 @@ for f in $(grep -E '/intel-ucode.*/[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-
|
||||
# ext_sig table header, 20 bytes in size,
|
||||
# last 3 fields are reserved.
|
||||
IFS=' ' read ext_sig_cnt <<- EOF
|
||||
$(hexdump -s "$skip" -n 4 \
|
||||
-e '"" 1/4 "%u" "\n"' "$f")
|
||||
$(dd if="$f" ibs=1 skip="$skip" count=4 status=none \
|
||||
| xxd -e -g4 | hexdump -n 4 \
|
||||
-e '"0x" 4/1 "%02x" "\n"')
|
||||
EOF
|
||||
# Converting values from the constructed format
|
||||
ext_sig_cnt="$((ext_sig_cnt))"
|
||||
|
||||
skip="$((skip + 20))"
|
||||
else
|
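Review bot: the dd form of the ext_sig table header read pipes "xxd -e -g4" straight into hexdump, without the "xxd -r" stage that the other two reads in this script place between them. As written, hexdump formats the first four bytes of xxd's text output (the ASCII offset column) rather than the four bytes of the count, so ext_sig_cnt would not reflect the table. Make the pipeline "| xxd -e -g4 | xxd -r | hexdump -n 4" to match the other reads, and consider a sanity bound on ext_sig_cnt before it drives the loop.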
@ -144,7 +144,7 @@ def read_revs_dir(path, args, src=None, ret=None):
|
||||
offs = 0
|
||||
while offs < sz:
|
||||
f.seek(offs, os.SEEK_SET)
|
||||
hdr = struct.unpack("IiIIIIIIIIII", f.read(48))
|
||||
hdr = struct.unpack("<IiIIIIIIIIII", f.read(48))
|
||||
ret.append({"path": rp, "src": src or path,
|
||||
"cpuid": hdr[3], "pf": hdr[6], "rev": hdr[1],
|
||||
"date": hdr[2], "offs": offs, "cksum": hdr[4],
|
||||
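Review bot: struct.unpack("<IiIIIIIIIIII", f.read(48)) still assumes the read returns a full 48 bytes; the loop condition "offs < sz" only guarantees that one byte remains, so a truncated or padded file ends in a struct.error traceback instead of a diagnostic. Check the length of the read and report the path and offset before unpacking. The shell parser in this same change skips blobs whose hdrver is not 1; hdr[0] is not checked here, and adding the same check would keep the two parsers consistent. A short comment saying that "<" selects little-endian with standard sizes would document why the format strings changed.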
@ -152,7 +152,7 @@ def read_revs_dir(path, args, src=None, ret=None):
|
||||
|
||||
if hdr[8] and hdr[8] - hdr[7] > 48:
|
||||
f.seek(hdr[7], os.SEEK_CUR)
|
||||
ext_tbl = struct.unpack("IIIII", f.read(20))
|
||||
ext_tbl = struct.unpack("<IIIII", f.read(20))
|
||||
log_status("Found %u extended signatures for %s:%#x" %
|
||||
(ext_tbl[0], rp, offs), level=1)
|
||||
|
||||
@ -160,7 +160,7 @@ def read_revs_dir(path, args, src=None, ret=None):
|
||||
ext_sig_cnt = 0
|
||||
while cur_offs < offs + hdr[8] \
|
||||
and ext_sig_cnt <= ext_tbl[0]:
|
||||
ext_sig = struct.unpack("III", f.read(12))
|
||||
ext_sig = struct.unpack("<III", f.read(12))
|
||||
ignore = args.ignore_ext_dups and \
|
||||
(ext_sig[0] == hdr[3])
|
||||
if not ignore:
|
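Review bot: in the extended-signature loop, ext_sig_cnt starts at 0 and the condition is "ext_sig_cnt <= ext_tbl[0]", so if the counter is incremented once per entry the loop reads one signature more than the table declares, limited only by the "cur_offs < offs + hdr[8]" bound. Since this line is being touched anyway, confirm whether "<" is intended. As with the header read, f.read(12) is unpacked without a length check, so a table that ends early raises struct.error; validate the read length first.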
File diff suppressed because it is too large
1
sources
Normal file
@ -0,0 +1 @@
|
||||
SHA512 (microcode-20240910.tar.gz) = d996de4f045df33f4eb1a1dabfb2f55bd8941e8dc16241d7a6c361216f4b87b88c34ba57c88ee4d4b7b3cf2b3fac937c43806191681df031fa3d5cdd677a86fe
|