Is CPU microcode available to address CVE-2018-3620 and CVE-2018-3646 via the microcode_ctl package?


Microcode/firmware/millicode is software that microprocessor manufacturers supply to operating system vendors to take advantage of internal features of the CPU. The authoritative source for this software is the CPU manufacturer.

The microcode_ctl mechanism to update system firmware is non-persistent in nature. The microcode is loaded during each boot operation; however, it is only applied in the event that the microcode available within /lib/firmware/ for the installed CPU is newer than the revision loaded during the hardware initialization phase of boot. Updating the system firmware to a revision that includes updated microcode is applicable to any resident software, and is recommended as a more permanent solution.

Red Hat is providing an updated Intel microcode package, microcode_ctl, to customers in order to simplify deployment processes and minimize downtime.

Red Hat will continue to update these microcode packages as necessary. Please contact your hardware vendor to determine whether more recent BIOS/firmware updates are recommended, as additional improvements may be available.

Please use the process outlined in the CVE-2018-3620 and CVE-2018-3646 (L1TF) documentation below to verify that the microcode update is active to help mitigate this particular behaviour; see the Flush L1 Data Cache heading within the Resolve tab.

L1TF - L1 Terminal Fault Attack - CVE-2018-3620 & CVE-2018-3646

Note: To check your system's CPU model:

egrep -e 'model|cpu family|stepping|microcode' /proc/cpuinfo | sort | uniq

Intel Microcode Updates that mitigate CVE-2018-3620 and CVE-2018-3646, L1TF.

| Model # (dec) | Stepping (dec) | Minimum MCU Rev for L1TF mitigation | Codename | Model Name |
|---|---|---|---|---|
| 0x4e (78) | 0x03 (3) | 0x00c6 | Skylake U/Y; Skylake U23e | 6th Generation Intel® Core™ m Processors |
| 0x4e (78) | 0x01 (1) | 0x0028 | Gemini Lake | Intel® Pentium® Silver processors N5xxx, J5xxx; Intel® Celeron® processors N4xxx, J4xxx |
| 0x9e (158) | 0x0b (11) | 0x008e | Coffee Lake - S (4+2) | 8th Generation Intel® Core™ Desktop Processor Family |
| 0x46 (70) | 0x01 (1) | 0x001a | Haswell Perf Halo | Intel® Core™ Extreme Processor (5960x, 5930x, 5820x) |
| 0x9e (158) | 0x09 (9) | 0x008e | Kaby Lake H/S/X/G; Kaby Lake Xeon E3 | 7th Generation Intel® Core™ Processor Family; Intel® Xeon® Processor v6 E3-1220, E3-1225, E3-1230, E3-1240, E3-1245, E3-1270, E3-1275, E3-1280 |
| 0x3d (61) | 0x04 (4) | 0x002b | Broadwell U/Y | Intel® Core™ Processor i7-5650U, i7-5600U, i7-5557U, i7-5550U, i7-5500U; Intel® Core™ Processor i5-5350U, i5-5350, i5-5300U, i5-5287U, i5-5257U, i5-5250U, i5-5200U; Intel® Core™ Processor i3-5157U, i3-5020U, i3-5015U, i3-5010U, i3-5006U, i3-5005U, i3-5010U, i5-5350U, i7-5650U; Intel® Core™ Processor M-5Y71, M-5Y70, M-5Y51, M-5Y3, M-5Y10c, M-5Y10a, M-5Y10; Intel® Pentium® Processor 3805U, 3825U, 3765U, 3755U, 3215U, 3205U; Intel® Celeron® 3765U |
| 0x56 (86) | 0x03 (3) | 0x7000013 | Broadwell DE V2,V3 | Intel® Xeon® Processor D-1518, D-1519, D-1521, D-1527, D-1528, D-1531, D-1533, D-1537, D-1541, D-1548; Intel® Pentium® Processor D1507, D1508, D1509, D1517, D1519 |
| 0x2a (42) | 0x07 (7) | 0x002e | Sandy Bridge; Sandy Bridge Xeon E3 | Intel® Core™ i3-21xx/23xx-T/M/E/UE Processor; Intel® Core™ i5-23xx/24xx/25xx-T/S/M/K Processor; Intel® Core™ i7-2xxx-S/K/M/QM/LE/UE/QE Processor; Intel® Core™ i7-29xxXM Extreme Processor; Intel® Celeron® Desktop G4xx, G5xx Processor; Intel® Celeron® Mobile 8xx, B8xx Processor; Intel® Pentium® Desktop 350, G6xx, G6xxT, G8xx Processor; Intel® Pentium® Mobile 9xx, B9xx Processor; Intel® Xeon® Processor E3-1200 Product Family |
| 0x8e (142) | 0x09 (9) | 0x008e | Kaby Lake U/Y, U23e | 7th Generation Intel® Core™ Mobile Processors |
| 0x9e (158) | 0x0a (10) | 0x0096 | Coffee Lake H (6+2); Coffee Lake S (6+2); Coffee Lake S (6+2) Xeon E; Coffee Lake-S (4+2) Xeon E; Coffee Lake-S (6+2) x/KBP | 8th Generation Intel® Core™ Processor Family |
| 0x8e (142) | 0x0a (10) | 0x0096 | Kaby Lake Refresh U 4+2; Coffee Lake U43e | 8th Generation Intel® Core™ Mobile Processor Family; 8th Generation Intel® Core™ Processor Family |
| 0x5e (94) | 0x03 (3) | 0x00c6 | Skylake H/S; Skylake Xeon E3 | 6th Generation Intel® Core™ Processor Family; Intel® Xeon® Processor v5 E3-1220, E3-1225, E3-1230, E3-1235L, E3-1240, E3-1240L, E3-1245, E3-1260L, E3-1270, E3-1275, E3-1280 |
| 0x56 (86) | 0x02 (2) | 0x0017 | Broadwell DE V1 | Intel® Xeon® Processor D-1520, D-1540 |
| 0x56 (86) | 0x04 (4) | 0xf000012 | Broadwell DE Y0 | Intel® Xeon® Processor D-1557, D-1559, D-1567, D-1571, D-1577, D-1581, D-1587 |
| 0x3c (60) | 0x03 (3) | 0x0025 | Haswell (including H, S); Haswell Xeon E3 | 4th Generation Intel® Core™ Mobile Processor Family, Intel® Pentium® Mobile Processor Family, Intel® Celeron® Mobile Processor Family; Intel® Xeon® Processor E3-1220V3, E3-1225V3, E3-1230LV3, E3-1230V3, E3-1240V3, E3-1245V3, E3-1270V3, E3-1275LV3, E3-1275V3, E3-1280V3, E3-1285LV3, E3-1285LV3, E3-1285V3 |
| 0x47 (71) | 0x01 (1) | 0x001e | Broadwell H 43e; Broadwell Xeon E3 | Intel® Core™ Processor i7-5950HQ, i7-5850HQ, i7-5750HQ, i7-5700HQ; Intel® Core™ Processor i5-5575R, i5-5675C, i5-5675R, i7-5775C, i7-5775R; Intel® Core™ Processor i7-5700EQ, i7-5850EQ; Intel® Xeon® Processor v4 E3-1258L, E3-1265L, E3-1278L, E3-1285, E3-1285 |
| 0x3a (58) | 0x09 (9) | 0x0020 | Gladden; Ivy Bridge; Ivy Bridge Xeon E3 | Intel® Core™ Processor i3-2115C, i3-3115C; Intel® Pentium® Processor B915C, B925C; Intel® Celeron® Processor 725C; Intel® Xeon® Processor E3-1105C, E3-1125C, E3-1105C v2, E3-1125C v2; 3rd Generation Intel® Core™ Mobile Processor Family, Intel® Pentium® Mobile Processor Family, and Intel® Celeron® Mobile Processor Family; Intel® Core™ Processor Extreme Edition i7-4960X; Intel® Core™ Processor i7-4820K, i7-4930K |
| 0x45 (69) | 0x01 (1) | 0x0024 | Haswell ULT | 4th Generation Intel® Core™ Mobile Processor Family, Intel® Pentium® Mobile Processor Family, Intel® Celeron® Mobile Processor Family |
| 0x1a (26) | 0x05 (5) | 0x001d | Nehalem EP; Nehalem WS; Bloomfield; Bloomfield Xeon | Intel® Xeon® Processor E5502, E5503, E5504, E5506, E5507, E5520, E5530, E5540; Intel® Xeon® Processor L5506, L5508, L5518, L5520, L5530; Intel® Xeon® Processor W5580, W5590; Intel® Xeon® Processor X5550, X5560, X5570; Intel® Core™ Processor Extreme Edition i7-965; Intel® Core™ Processor i7-920, 940; Intel® Xeon® Processor W3520, W3530, W3540, W3550, W3565, W3570, W3580 |
| 0x1e (30) | 0x05 (5) | 0x0000a | Clarksfield; Lynnfield; Lynnfield Xeon | Intel® Core™ Extreme Processor i7-920XM, 940XM; Intel® Core™ Processor i7-720QM, 740QM, 820QM, 840QM; Intel® Core™ Processor i7-860, 860S, 870, 870S, 875K, 880; Intel® Core™ Processor i5-750, 750S, 760; Intel® Xeon® Processor L3426; Intel® Xeon® Processor X3430, X3440, X3450, X3460, X3470, X3480 |
| 0x25 (37) | 0x02 (2) | 0x0011 | Arrandale; Clarkdale; Clarkdale Xeon | Intel® Core™ Processor i7-i7-620M/LM/UM, i7-640LM/UM; Intel® Core™ Processor i5-430M, i5-520M/UM, i5-540M; Intel® Core™ Processor 330M, 350M; Intel® Celeron® Processor P4500, P4505; Intel® Core™ Processor i5-650, 660, 661, 670; Intel® Core™ Processor i3-530, 540, 550, 560; Intel® Pentium® Processor G6950; Intel® Xeon® Processor L3406 |
| 0x25 (37) | 0x05 (5) | 0x00007 | Arrandale; Clarkdale | Intel® Core™ Processor i7-610E, 620LE/LM/M/UE/UM, 640LM/M/UM, 660LM/UE/UM, 680UM; Intel® Core™ Processor i5-430M/UM, 450M, 460M, 470UM, 480M, 520E/M/UM, 540M/UM, 560M/UM, 580M; Intel® Core™ Processor i3-330E/M/UM, 350M, 370M, 380M/UM, 390M; Intel® Pentium® Processor P6000, P6100, P6200, P6300; Intel® Pentium® Processor U5400, U5600; Intel® Celeron® Processor P4500, P4505, P4600; Intel® Celeron® Processor U3400, U3405, U3600; Intel® Core™ Processor i5-650, 655K, 660, 661, 670, 680; Intel® Core™ Processor i3-530, 540; Intel® Pentium® Processor G6950, G6951, G6960 |
| 0x2c (44) | 0x02 (2) | 0x001f | Gulftown; Westmere EP, WS | Intel® Core™ i7-970, 980; Intel® Core™ Processor Extreme Edition i7-980X, 990X; Intel® Xeon® Processor W3690; Intel® Xeon® Processor E5603, E5606, E5607, E5620, E5630, E5640, E5645, E5649; Intel® Xeon® Processor L5609, L5618, L5630, L5638, L5640; Intel® Xeon® Processor W3670, W3680; Intel® Xeon® Processor X5647, X5650, X5660, X5667, X5670, X5672, X5675, X5677, X5680, X5687, X5690, X5698 |
| 0x2e (46) | 0x06 (6) | 0x000d | Nehalem EX | Intel® Xeon® Processor E6510, E6540, E7520, E7530, E7540, L7545, L7555, X6550, X7542, X7550, X7560 |
| 0x2f (47) | 0x02 (2) | 0x003b | Westmere EX (EGL, WSM) | Intel® Xeon® Processor E7-2803, 2820, 2830, 2850, 2860, 2870, 4807, 4820, 4830, 4850, 4860, 4870, 8830, 8837, 8850, 8860, 8867L, 8870 |
| 0x5c (92) | 0x02 (2) | 0x0014 | Broxton | Intel® Atom® Scalable Platform |
| 0x5c (92) | 0x09 (9) | 0x0032 | Apollo Lake D0 | Intel® Pentium® Processor J4205, N4200; Intel® Celeron® Processor J3355, J3455, N3350, N3450; Intel® Atom® Processor x5-E3930, x5-E3940, x7-E3950 |
| 0x5c (92) | 0x0a (11) | 0x000c | Apollo Lake E0 | Intel® Atom® Processor x5-E3930, x5-E3940, x7-E3950 |
| 0x5f (95) | 0x01 (1) | 0x0024 | Denverton (GLM) | Intel® Atom® Processor C3000 Product Family |
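
The check described above (read model, stepping and microcode from /proc/cpuinfo, then compare against the table) can be scripted. The following is an added example, not Red Hat's tooling or part of the original article; the function names and the L1TF_MIN_MCU variable are hypothetical, and the family 6 test is an assumption the table does not state.

```shell
#!/bin/sh
# Added example: compare the loaded microcode revision with the minimum
# revisions in the table above.
# Entries are model:stepping:min_rev, model and stepping in decimal as
# /proc/cpuinfo prints them. The Apollo Lake E0 row is left out because the
# page prints its stepping as "0x0a (11)", which is ambiguous.
L1TF_MIN_MCU="78:3:0xc6 78:1:0x28 158:11:0x8e 70:1:0x1a 158:9:0x8e 61:4:0x2b
86:3:0x7000013 42:7:0x2e 142:9:0x8e 158:10:0x96 142:10:0x96 94:3:0xc6
86:2:0x17 86:4:0xf000012 60:3:0x25 71:1:0x1e 58:9:0x20 69:1:0x24 26:5:0x1d
30:5:0xa 37:2:0x11 37:5:0x7 44:2:0x1f 46:6:0xd 47:2:0x3b 92:2:0x14
92:9:0x32 95:1:0x24"

# cpuinfo_field FILE NAME: print the value of the first "NAME : value" line.
cpuinfo_field() {
    awk -F': *' -v key="$2" \
        '{ n = $1; sub(/[ \t]+$/, "", n) } n == key { print $2; exit }' "$1"
}

# check_l1tf_microcode [FILE]: print ok, outdated, not-listed or unknown.
# Return status: 0 ok, 1 outdated, 2 not-listed, 3 unknown.
check_l1tf_microcode() {
    src=${1:-/proc/cpuinfo}
    family=$(cpuinfo_field "$src" "cpu family")
    model=$(cpuinfo_field "$src" "model")
    stepping=$(cpuinfo_field "$src" "stepping")
    rev=$(cpuinfo_field "$src" "microcode")
    # Assumption: every row of the table is an Intel family 6 part.
    [ "$family" = 6 ] || { echo not-listed; return 2; }
    # Accept only a plain hex revision before using it in arithmetic.
    case "$rev" in 0x?*) ;; *) echo unknown; return 3 ;; esac
    case "${rev#0x}" in *[!0-9a-fA-F]*) echo unknown; return 3 ;; esac
    for entry in $L1TF_MIN_MCU; do
        rest=${entry#*:}
        [ "${entry%%:*}" = "$model" ] && [ "${rest%%:*}" = "$stepping" ] || continue
        # Loaded revision must be at least the table's minimum.
        if [ "$(( $rev >= ${rest#*:} ))" -eq 1 ]; then echo ok; return 0; fi
        echo outdated; return 1
    done
    echo not-listed; return 2
}
```

Call check_l1tf_microcode with no argument to read /proc/cpuinfo on the running system, or pass a saved copy of that file collected from another host.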

What if my CPU is not listed in the table?
Red Hat will continue to update these microcode packages as necessary. Please contact your hardware vendor to determine whether more recent BIOS/firmware updates are recommended because additional improvements may be available.

More information can be found in the following reference documentation:

3 Comments

Where are the microcode updates?

You can download the latest applicable ucode updates from the resolve tab of our vulnerability article: https://access.redhat.com/security/vulnerabilities/L1TF Updates that include fixes for L1TF include: RHEA-2018:2299, RHEA-2018:2298, RHEA-2018:2301, RHEA-2018:2300, RHEA-2018:2304, RHEA-2018:2302, RHEA-2018:2303, RHEA-2018:2297, RHEA-2018:2305, & RHEA-2018:2295

Should I have to care about microcode_ctl package upgrade when running in a virtual machine (for ex.: vmware)?