Some Intel Tiger Lake-UP3/UP4 CPU models (TGL, family 6, model 140, stepping 1) had reports of system hangs when a microcode update, that was included since microcode-20201110 update, was applied[1]. In order to address this, microcode update had been disabled by default on these systems. The revision 0x88 seems to have fixed the aforementioned issue, hence it is enabled by default (but can be disabled explicitly; see below). [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/44 For the reference, SHA1 checksums of 06-8c-01 microcode files containing microcode revisions in question are listed below: * 06-8c-01, revision 0x68: 2204a6dee1688980cd228268fdf4b6ed5904fe04 * 06-8c-01, revision 0x88: 61b6590feb2769046d5b0c394179beaf2df51290 Please contact your system vendor for a BIOS/firmware update that contains the latest microcode version. For the information regarding microcode versions required for mitigating specific side-channel cache attacks, please refer to the following knowledge base articles: * CVE-2020-8695 (Information disclosure issue in Intel SGX via RAPL interface), CVE-2020-8696 (Vector Register Leakage-Active), CVE-2020-8698 (Fast Forward Store Predictor): https://access.redhat.com/articles/5569051 * CVE-2020-24489 (VT-d-related Privilege Escalation), CVE-2020-24511 (Improper Isolation of Shared Resources), CVE-2020-24512 (Observable Timing Discrepancy), CVE-2020-24513 (Information Disclosure on Some Intel Atom Processors): https://access.redhat.com/articles/6101171 The information regarding disabling microcode update is provided below. To disable 06-8c-01 microcode updates for a specific kernel version, please create a file "disallow-intel-06-8c-01" inside /lib/firmware/ directory, run "/usr/libexec/microcode_ctl/update_ucode" to remove it from the firmware directory where microcode is available for late microcode update, and run "dracut -f --kver ", so initramfs for this kernel version is regenerated, for example: touch /lib/firmware/3.10.0-862.9.1/disallow-intel-06-8c-01 /usr/libexec/microcode_ctl/update_ucode dracut -f --kver 3.10.0-862.9.1 To avoid addition of this microcode for all kernels, please create file "/etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01", run "/usr/libexec/microcode_ctl/update_ucode" for late microcode updates, and "dracut -f --regenerate-all" for early microcode updates: mkdir -p /etc/microcode_ctl/ucode_with_caveats touch /etc/microcode_ctl/ucode_with_caveats/disallow-intel-06-8c-01 /usr/libexec/microcode_ctl/update_ucode dracut -f --regenerate-all Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional information.