Some Intel Skylake CPU models (SKL-H/S/Xeon E3 v5, family 6, model 94, stepping 3) have reports of possible system hangs when revision 0xdc of microcode, that is included in microcode-20200609 update to address CVE-2020-0543, CVE-2020-0548, and CVE-2020-0549, is applied[1]. In order to address this, microcode update to the newer revision has been disabled by default on these systems, and the previously published microcode revision 0xd6 is used by default for the OS-driven microcode update. [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31#issuecomment-644885826 For the reference, SHA1 checksums of 06-5e-03 microcode files containing microcode revisions in question are listed below: * 06-5e-03, revision 0xd6: 86c60ee7d5d0d7115a4962c1c61ceecb0fd3a95a * 06-5e-03, revision 0xdc: 5e1020a10678cfc60980131c3d3a2cfd462b4dd7 * 06-5e-03, revision 0xe2: 031e6e148b590d1c9cfdb6677539eeb4899e831c Please contact your system vendor for a BIOS/firmware update that contains the latest microcode version. For the information regarding microcode versions required for mitigating specific side-channel cache attacks, please refer to the following knowledge base articles: * CVE-2017-5715 ("Spectre"): https://access.redhat.com/articles/3436091 * CVE-2018-3639 ("Speculative Store Bypass"): https://access.redhat.com/articles/3540901 * CVE-2018-3620, CVE-2018-3646 ("L1 Terminal Fault Attack"): https://access.redhat.com/articles/3562741 * CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, and CVE-2019-11091 ("Microarchitectural Data Sampling"): https://access.redhat.com/articles/4138151 * CVE-2019-0117 (Intel SGX Information Leak), CVE-2019-0123 (Intel SGX Privilege Escalation), CVE-2019-11135 (TSX Asynchronous Abort), CVE-2019-11139 (Voltage Setting Modulation): https://access.redhat.com/solutions/2019-microcode-nov * CVE-2020-0543 (Special Register Buffer Data Sampling), CVE-2020-0548 (Vector Register Data Sampling), CVE-2020-0549 (L1D Cache Eviction Sampling): https://access.redhat.com/solutions/5142751 The information regarding enforcing microcode update is provided below. To enforce usage of the latest 06-5e-03 microcode revision for a specific kernel version, please create a file "force-intel-06-5e-03" inside /lib/firmware/ directory: mkdir - /lib/firmware/3.10.0-862.9.1/ touch /lib/firmware/3.10.0-862.9.1/force-intel-06-5e-03 After that, it is possible to perform a late microcode update by executing "/usr/libexec/microcode_ctl/reload_microcode". To enforce addition of this microcode for all kernels, please create file "/etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03": mkdir -p /etc/microcode_ctl/ucode_with_caveats touch /etc/microcode_ctl/ucode_with_caveats/force-intel-06-5e-03 Please refer to /usr/share/doc/microcode_ctl/README.caveats for additional information.