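Intel June 2020 Microcode Update
Issue
Red Hat is aware of a set of CPU hardware flaws that affect the hardware microarchitecture and on-board components of Intel CPUs.
As a convenience to our customers, Red Hat provides microcode updates developed by our microprocessor partners. Contact your hardware vendor to determine whether a more recent BIOS or firmware update is recommended.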
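Background
CVE-2020-0543 Special Register Buffer Data Sampling (SRBDS)
A new domain-bypass transient execution attack known as Special Register Buffer Data Sampling (SRBDS) has been found. It may allow data values from special registers to be inferred by malicious code executing on any core of the CPU. This flaw affects some client and Intel® Xeon® E3 processors; it does not affect other Intel Xeon or Intel Atom® processors (see the "Intel Microcode Updates that Mitigate the Issue" table below).
This vulnerability has been assigned CVE-2020-0543, and Red Hat rates its severity impact as Moderate.
This issue requires a microcode update, which will affect the performance of the RDRAND and RDSEED instructions.
Additional information: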
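CVE-2020-0548 Vector Register Data Sampling (VRDS)
The MDS mitigation clears the store buffers when the buffer-clearing instruction (VERW) is executed. Program instructions commonly delegate work to hardware subcomponents. Delegated work that starts before the buffer-clearing instruction may be completed by the subcomponent after that instruction, which places the result in the store buffer after the buffer has been cleared. This allows the results of these instructions to be inferred by an attack using the MDS/TAA exploitation methods.
The specific delegated operations left outstanding are reads of SSE/AVX/AVX-512 registers from another process or a sibling CPU.
This issue requires a microcode update.
This vulnerability has been assigned CVE-2020-0548, and its severity impact is rated Low.
Additional information: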
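CVE-2020-0549 L1D Cache Eviction Sampling (L1DCES)
A microarchitectural timing flaw was found on some Intel processors. In an unusual corner case, data in the process of being evicted may end up in the fill buffers, where the MDS mitigations do not properly clear it. As a result, the contents of the fill buffers (which should be empty) can be inferred using the MDS or TAA attack methods, allowing a local attacker to infer fill buffer values.
This issue requires a microcode update.
This vulnerability has been assigned CVE-2020-0549, and its severity impact is rated Moderate.
Additional information: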
Diagnostic tools
There is currently no known way to determine whether an attack has occurred.
Affected products
Product | Fixed package | Advisory link |
---|---|---|
Red Hat Enterprise Linux 8.2.0 (Z-stream) | microcode_ctl-20191115-4.20200602.2.el8_2 | RHSA-2020:2431 |
Red Hat Enterprise Linux 8.1.0 EUS | Update will be available later | |
Red Hat Enterprise Linux 8.0.0 SAP extension | Update will be available later | |
Red Hat Enterprise Linux 7.8 (Z-stream) | microcode_ctl-2.1-61.6.el7_8 | RHSA-2020:2432 |
Red Hat Enterprise Linux 7.7 EUS | Update will be available later | |
Red Hat Enterprise Linux 7.6 EUS | Update will be available later | |
Red Hat Enterprise Linux 7.4 AUS/E4S/TUS | Update will be available later | |
Red Hat Enterprise Linux 7.3 AUS/E4S/TUS | Update will be available later | |
Red Hat Enterprise Linux 7.2 AUS/E4S/TUS | Update will be available later | |
Red Hat Enterprise Linux 6.10 (Z-stream) | microcode_ctl-1.17-33.26.el6_10 | RHSA-2020:2433 |
Red Hat Enterprise Linux 6.6 AUS | Update will be available later | |
Red Hat Enterprise Linux 6.5 AUS | Update will be available later | |
Red Hat Enterprise Linux 5 | No update provided | N/A |
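Affected configurations
The CPU families affected by these flaws are listed below, broken down by flaw type. You must identify the CPU family you are using to determine whether you are affected.
Finding the CPU family and model
Find the CPU model provided by the system. It is available in the /proc/cpuinfo file.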
$ grep -E '^(cpu family|model|stepping|microcode)' /proc/cpuinfo | sort -u
cpu family : 6
microcode : 0x84
model : 94
model name : Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
stepping : 3
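(Note: on RHEL 6 the microcode revision is shown in decimal; on RHEL 7 and later it is shown in hexadecimal with the corresponding prefix.)
Affected Intel CPU models and the microcode update revisions that mitigate the issues
Model No. (dec) | Stepping (dec) | Minimum microcode revision for mitigation (dec) | Applicable vulnerabilities and errata | Codename | Model name |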
---|---|---|---|---|---|
0x3c (60) | 0x03 (3) | 0x28 (40) | SRBDS | Haswell Desktop Haswell Xeon E3 | 4th Generation Intel® Core™ Processor Family Intel® Xeon® Processor E3 v3 Family Intel® Core™ Processor i7-4770S, i7-4790S, i7-4770T, i7-4765T, i7-4770, i7-4770K, i7-4771, i7-4790T, i7-4790, i7-4785T, i5-4440S, i5-4570, i5-4570T, i5-4670, i5-4430, i5-4430S, i5-4670K, i5-4440, i5-4670S, i5-4670T, i5-4460T, i5-4460S, i5-4690, i5-4690S, i5-4690T, i5-4590, i5-4460, i5-4570S, i5-4590T, i5-4590S, i3-4350T, i3-4330, i3-4360, i3-4150T, i3-4160, i3-4130, i3-4160T, i3-4130T, i3-4170, i3-4350, i3-4150, i3-4330T, i3-4360T, i3-4340, i3-4370, i3-4370T, i3-4170T, i7-4900MQ, i7-4910MQ, i7-4800MQ, i7-4810MQ, i7-4700MQ, i7-4702MQ, i7-4710MQ, i7-4712MQ, i7-4700EQ, i3-4100M, i3-4110M Intel® Pentium® Processor G3420, G3220, G3220T, G3420T, G3430, G3440, G3440T, G3240, G3240T, G3450, G3450T, G3258, G3250, G3250T, G3460, G3460T, G3470, G3260, G3260T, 3560M Intel® Celeron® Processor G1830, G1820T, G1850, G1840, G1840T, G1820, 2970M Intel® Xeon® Processor v3 E3-1220, E3-1220L, E3-1221, E3-1225, E3-1226, E3-1230, E3-1230L, E3-1231, E3-1240, E3-1240L, E3-1241, E3-1245, E3-1246, E3-1265L, E3-1268L, E3-1268LV3, E3-1270, E3-1271, E3-1275, E3-1275L, E3-1276, E3-1280, E3-1281, E3-1285, E3-1285L, E3-1286, E3-1286L |
0x3d (61) | 0x04 (4) | 0x2f (47) | SRBDS | Broadwell U Broadwell Y | 5th Generation Intel® Core™ Processor Family Intel® Core™ Processor i7-5650U, i7-5600U, i7-5557U, i7-5550U, i7-5500U Intel® Core™ Processor i5-5350U, i5-5350, i5-5300U, i5-5287U, i5-5257U, i5-5250U, i5-5200U Intel® Core™ Processor i3-5157U, i3-5020U, i3-5015U, i3-5010U, i3-5006U, i3-5005U, i3-5010U Intel® Pentium® Processor 3805U, 3825U, 3765U, 3755U, 3215U, 3205U Intel® Celeron® 3765U Intel® Core™ Processor M-5Y71, M-5Y70, M-5Y51, M-5Y3, M-5Y10c, M-5Y10a, M-5Y10 |
0x45 (69) | 0x01 (1) | 0x26 (38) | SRBDS | Haswell U Haswell Y | 4th Generation Intel® Core™ Processor Family Intel® Core™ Processor i7-4500U, i7-4510U, i7-4550U, i7-4558U, i7-4578U, i7-4600U, i7-4650U Intel® Core™ Processor i5-4200U, i5-4210U, i5-4250U, i5-4258U, i5-4260U, i5-4278U, i5-4288U, i5-4300U, i5-4308U, i5-4350U Intel® Core™ Processor i3-4005U, i3-4010U, i3-4025U, i3-4030U, i3-4100U, i3-4120U, i3-4158U Intel® Pentium® Processor 3556U, 3558U, 3665U Intel® Celeron® Processor 2955U, 2957U, 2980U, 2981U Intel® Core™ Processor i7-4610Y Intel® Core™ Processor i5-4200Y, i5-4202Y, i5-4210Y, i5-4220Y, i5-4300Y, i5-4302Y Intel® Core™ Processor i3-4010Y, i3-4012Y, i3-4020Y, i3-4030Y Intel® Pentium® Processor 3560Y, 3561Y |
0x46 (70) | 0x01 (1) | 0x1c (30) | SRBDS | Haswell H Haswell R | 4th Generation Intel® Core™ Processor Family Intel® Core™ Processor i7-4700EC, i7-4702EC, i7-4950HQ, i7-4960HQ, i7-4980HQ, i7-4850HQ, i7-4860HQ, i7-4870HQ, i7-4700HQ, i7-4702HQ, i7-4710HQ, i7-4712HQ, i7-4720HQ, i7-4722HQ, i7-4750HQ, i7-4760HQ, i7-4770HQ, i5-4210H, i5-4402EC Intel® Core™ Processor i7-4770R, i5-4670R, i5-4570R |
0x47 (71) | 0x01 (1) | 0x22 (34) | SRBDS | Broadwell H 43e Broadwell Xeon E3 | 5th Generation Intel® Core™ Processor Family Intel® Core™ Processor i7-5700EQ, i7-5700HQ, i7-5750HQ, i7-5850EQ, i7-5850HQ, i7-5950HQ Intel® Core™ Processor i5-5575R, i5-5675C, i5-5675R, i7-5775C, i7-5775R Intel® Xeon® Processor v4 E3-1258L, E3-1265L, E3-1278L, E3-1285, E3-1285 |
0x4e (78) | 0x03 (3) | 0xdc (220) | SRBDS, VRDS, L1DCES | Skylake U/Y Skylake U (2+3e) | 6th Generation Intel® Core™ Processor Family Intel® Core™ Processor i7-6500U, i7-6510U, i7-6600U Intel® Core™ Processor i5-6200U, i5-6210U, i5-6300U, i5-6310U Intel® Core™ Processor i3-6100U, i3-6110U Intel® Pentium® Processor 4405U, 4415U Intel® Celeron® Processor 3855U, 3865U, 3955U, 3965U Intel® Core™ Processor I7-6560U, I7-6567U, I7-6650U, I7-6660U Intel® Core™ Processor I5-6260U, I5-6267U, I5-6287U, I5-6360U Intel® Core™ Processor i3-6167U Intel® Core™ Processor m7-6Y75, m5-6Y54, m5-6Y57, m3-6Y30 Intel® Pentium® Processor 4405Y |
0x55 (85) | 0x03 (3) | 0x1000157 (16777559) | VRDS, L1DCES | Skylake Server | Intel® Xeon® Processor P-8124, P-8136 |
0x55 (85) | 0x04 (4) | 0x2006906 (33581318) | VRDS, L1DCES | Skylake D Bakerville Skylake Server Skylake W Skylake X Basin Falls | Intel® Xeon® Processor D-2123IT, D-2141I, D-2142IT, D-2143IT, D-2145NT, D-2146NT, D-2161I, D-2163IT, D-2166NT, D-2173IT, D-2177NT, D-2183IT, D-2187NT Intel® Xeon® Bronze Processor 3104, 3106 Intel® Xeon® Gold Processor 5115, 5118, 5119T, 5120, 5120T, 5122, 6126, 6126F, 6126T, 6128, 6130, 6130F, 6130T, 6132, 6134, 6134M, 6136, 6138, 6138F, 6138T, 6140, 6140M, 6142, 6142F, 6142M, 6144, 6146, 6148, 6148F, 6150, 6152, 6154 Intel® Xeon® Platinum Processor 8153, 8156, 8158, 8160, 8160F, 8160M, 8160T, 8164, 8168, 8170, 8170M, 8176, 8176F, 8176M, 8180, 8180M Intel® Xeon® Silver Processor 4108, 4109T, 4110, 4112, 4114, 4114T, 4116, 4116T Intel® Xeon® Processor W-2123, W-2125, W-2133, W-2135, W-2145, W-2155, W-2195, W-2175 Intel® Core™ i9 79xxX, 78xxX |
0x55 (85) | 0x07 (7) | 0x5002f01 (83898113) | VRDS, L1DCES | Cascade Lake | 2nd Generation Intel® Xeon® Scalable Processors Intel® Xeon® Platinum Processor 8253, 8256, 8260, 8260L, 8260M, 8260Y, 8268, 8270, 8276, 8276L, 8276M, 8280, 8280L, 8280M, 9220, 9221, 9222, 9242, 9282 Intel® Xeon® Gold Processor 5215, 5215L, 5215M, 5215R, 5217, 5218, 5218B, 5218N, 5218T, 5220, 5220R, 5220S, 5220T, 5222, 6222V, 6226, 6230, 6230N, 6230T, 6234, 6238, 6238L, 6238M, 6238T, 6240, 6240L, 6240M, 6240Y, 6242, 6244, 6246, 6248, 6252, 6252N, 6254, 6262V Intel® Xeon® Silver Processor 4208, 4208R, 4209T, 4210, 4210R, 4214, 4214C, 4214R, 4214Y, 4215, 4216, 4216R Intel® Xeon® Bronze Processor 3204, 3206R Intel® Xeon® Processor W-3275M, W-3275, W-3265M, W-3265, W-3245M, W-3245, W-3235, W-3225, W-3223, W-2295, W-2275, W-2265, W-2255, W-2245, W-2235, W-2225, W-2223 Intel® Core™ X-series Processor i9-10940X, i9-10920X, i9-10900X, i9-9960X, i9-9940X, i9-9920X, i9-9900X, i9-9820X, i9-9800X, i9-7960X, i9-7940X, i9-7920X, i9-7900X, i7-7820X, i7-7800X, i7-7740X, i7-7640X |
0x5e (94) | 0x03 (3) | 0xdc (220) | SRBDS, VRDS, L1DCES | Skylake H | 6th Generation Intel® Core™ Processor Family Intel® Core™ Processor i7-6700HQ, i7-6770HQ, i7-6820HK, i7-6820HQ, i7-6870HQ, i7-6920HQ, i7-6970HQ, i5-6300HQ, i5-6350HQ, i5-6440HQ, i3-6100H, i7-6700, i7-6700K, i7-6700T, i7-6700TE, i7-6820EQ, i7-6822EQ, i5-6400, i5-6400T, i5-6440EQ, i5-6442EQ, i5-6500, i5-6500T, i5-6500TE, i5-6600, i5-6600K, i5-6600T, i3-6100, i3-6100E, i3-6100T, i3-6100TE, i3-6102E, i3-6120, i3-6120T, i3-6300, i3-6300T, i3-6320, i3-6320T Intel® Pentium® Processor G4400, G4400T, G4400TE, G4420, G4420T, G4500, G4500T, G4520, G4520T, G4540 Intel® Celeron® Processor G3900, G3900T, G3900TE, G3902E, G3920, G3920T, G3940 |
0x8e (142) | 0x09 (9) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Kaby Lake U Kaby Lake U (2+3e) Kaby Lake Y | 7th Generation Intel® Core™ Processor Family Intel® Core™ Processor i7-7500U, i7-7510U, i7-7600U, i7-7560U, i7-7567U, i7-7660U, i7-7Y75, i5-7200U, i5-7210U, i5-7300U, i5-7500U, i5-7260U, i5-7267U, i5-7287U, i5-7360U, i5-7Y54, i5-7Y57, i3-7007U, i3-7100U, i3-7110U, i3-7130U, i3-7167U, M3-7Y30, M3-7Y30 Intel® Pentium® Processor 4415U, 4410Y, 4415Y Intel® Celeron® Processor 3865U, 3965U, 3965Y |
0x8e (142) | 0x09 (9) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Amber Lake Y | 8th Generation Intel® Core™ Processor Family Intel® Core™ Processor i7-8500Y, i5-8310Y, i5-8210Y, i5-8200Y, m3-8100Y |
0x8e (142) | 0x0a (10) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Coffee Lake U (4+3e) Kaby Lake Refresh U (4+2) | 8th Generation Intel® Core™ Processor Family Intel® Core™ Processor i7-8559U, i7-8550U, i7-8650U, i5-8259U, 8269U, i5-8250U, i5-8350U, i3-8109U, i3-7020U, i3-8130U |
0x8e (142) | 0x0b (11) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Whiskey Lake U | 8th Generation Intel® Core™ Processor Family Intel® Core™ Processor i7-8565U, i7-8665U, i5-8365U, i5-8265U, i3-8145U Intel® Core™ Processor 4205U, 5405U |
0x8e (142) | 0x0c (12) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Whiskey Lake U, Amber Lake Y, Comet Lake U (4+2) | 8th Generation Intel® Core™ Processor Family 10th Generation Intel® Core™ Processor Family Intel® Core™ Processor i7-10510Y, i5-10310Y, i5-10210Y, i5-10110Y, i7-10510U, i7-8565U, i7-8665U, i5-10210U, i5-8365U, i5-8265U, Intel® Pentium® Gold Processor 6405U, Intel® Celeron® Processor 5305U |
0x9e (158) | 0x09 (9) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Kaby Lake G Kaby Lake H Kaby Lake S Kaby Lake X Kaby Lake Xeon E3 | 7th Generation Intel® Core™ Processor Family 8th Generation Intel® Core™ Processor Family Intel® Core™ X-series Processors (i5-7640X, i7-7740X) Intel® Core™ Processor i7-8705G, i7-8706G, i7-8709G, i7-8809G, i5-8305G, Intel® Core™ Processor i7-7700HQ, i7-7820EQ, i7-7820HK, i7-7820HQ, i7-7920HQ, i7-7700, i7-7700K, i7-7700T, i5-7300HQ, i5-7440EQ, i5-7440HQ, i5-7442EQ, i5-7400, i5-7400T, i5-7500, i5-7500T, i5-7600, i5-7600K, i5-7600T, i3-7100H, i3-7100E, i3-7101E, i3-7101TE, i3-7102E, i3-7120, i3-7120T, i3-7320T, i3-7340 Intel® Celeron® Processor G3930E, G3930TE Intel® Xeon® Processor v6 E3-1535M, E3-1505M, E3-1505L, E3-1501L, E3-1501M, E3-1285, E3-1280, E3-1275, E3-1270, E3-1245, E3-1240, E3-1230, E3-1225, E3-1220 |
0x9e (158) | 0x0a (10) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Coffee Lake H (6+2) Coffee Lake S (6+2) Coffee Lake S (6+2) Xeon E Coffee Lake S (4+2) Xeon E | 8th Generation Intel® Core™ Processor Family Intel® Xeon® Processor E Family Intel® Core™ Processor i9-8950HK, i7-8700K, i7-8700B, i7-8750H, i7-8850H, i7-8670, i7-8670T, i7-8700, i7-8700T, i5-8600K, i5-8650K, i5-8300H, i5-8400B, i5-8400H, i5-8500B, i5-8400, i5-8400T, i5-8420, i5-8420T, i5-8500, i5-8500T, i5-8550, i5-8600, i5-8600T, i5-8650 Intel® Xeon® Processor E-2174G, E-2144G, E-2134, E-2124, E-2124G, E-2284G, E-2274G, E-2254ML, E-2254ME, E-2244G, E-2234, E-2224, E-2224G, E-2184G, E-2186G, E-2176G, E-2176M, E-2146G, E-2136, E-2126G, 2286G, E-2276ML, E-2276ME, E-2276M, E-2276G, E-2246G, E-2236, E-2226GE, E-2226G, E-2186M, E-2176M |
0x9e (158) | 0x0b (11) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Coffee Lake S (4+2) | 8th Generation Intel® Core™ Processor Family Intel® Pentium® Gold Processor Series Intel® Celeron® Processor G Series Intel® Core™ Processor i3-8000, i3-8000T, i3-8020, i3-8100, i3-8100, i3-8100H, i3-8100T, i3-8120, i3-8300, i3-8300T, i3-8350K Intel® Pentium® Gold G5400, G5400T, G5400T, G5420, G5420T, G5420T, G5500, G5500T, G5600 Intel® Celeron® Processor G4900, G4900T, G4920 |
0x9e (158) | 0x0c (12) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Coffee Lake S (8+2) | 9th Generation Intel® Core™ Processor Family Intel® Core™ Processor i9-9900K, i9-9900KF, i7-9700K, i7-9700KF, i5-9600K, i5-9600KF, i5-9400, i5-9400F |
0x9e (158) | 0x0d (13) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Coffee Lake H (8+2) Coffee Lake S (8+2) Coffee Lake S (8+2) Xeon E | 9th Generation Intel® Core™ Processor Family Intel® Core™ Processor i9-9980HK, i9-9880H, i7-9850H, 9750HF, i5-9400H, 9300H Intel® Xeon® Processor E-2288G, E-2286M, E-2278GEL, E-2278GE, E-2278G |
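
A check that ties the /proc/cpuinfo fields to the table above, as an added example that is not part of the original Red Hat article: it parses cpuinfo text, accepts the microcode revision in decimal (RHEL 6) or 0x-prefixed hex (RHEL 7 and later), and compares it with the table's minimum revision. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Minimum mitigating microcode revision per "model:stepping" (decimal),
# transcribed from the table on this page (all rows are CPU family 6).
min_revision() {
    case "$1" in
        60:3) echo 0x28 ;;
        61:4) echo 0x2f ;;
        69:1) echo 0x26 ;;
        70:1) echo 0x1c ;;
        71:1) echo 0x22 ;;
        78:3|94:3) echo 0xdc ;;
        85:3) echo 0x1000157 ;;
        85:4) echo 0x2006906 ;;
        85:7) echo 0x5002f01 ;;
        142:9|142:10|142:11|142:12) echo 0xd6 ;;
        158:9|158:10|158:11|158:12|158:13) echo 0xd6 ;;
        *) return 1 ;;
    esac
}

# Print the first value of an exactly named cpuinfo field read from stdin
# ("model" must not match "model name").
field() {
    awk -F': *' -v k="$1" '{ sub(/[ \t]+$/, "", $1) } $1 == k { print $2; exit }'
}

# Read cpuinfo text on stdin; print mitigated, needs-update, not-listed or unknown.
check_cpuinfo() {
    info=$(cat)
    family=$(printf '%s\n' "$info" | field 'cpu family')
    model=$(printf '%s\n' "$info" | field model)
    stepping=$(printf '%s\n' "$info" | field stepping)
    rev=$(printf '%s\n' "$info" | field microcode)
    [ -n "$rev" ] || { echo unknown; return 0; }
    [ "$family" = 6 ] || { echo not-listed; return 0; }
    min=$(min_revision "$model:$stepping") || { echo not-listed; return 0; }
    # $(( )) parses both forms: decimal (RHEL 6) and 0x-prefixed hex (RHEL 7+).
    if [ $(($rev)) -ge $(($min)) ]; then
        echo mitigated
    else
        echo "needs-update min=$min"
    fi
}

# Constructed input: the sample values from this page; $1 is the revision.
sample_cpuinfo() {
    printf 'cpu family\t: 6\nmodel\t\t: 94\nstepping\t: 3\nmicrocode\t: %s\n' "$1"
}

sample_cpuinfo 0x84 | check_cpuinfo   # revision shown in the page's sample
sample_cpuinfo 220 | check_cpuinfo    # same CPU, RHEL 6 decimal notation
```

On a real host, run `check_cpuinfo < /proc/cpuinfo`; `not-listed` means the model and stepping combination does not appear in the table on this page.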
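Resolution
We strongly recommend that customers running affected versions of Red Hat products update them as soon as the errata are available. Customers should apply the appropriate updates immediately and reboot the system to address these flaws.
Acknowledgements
Red Hat thanks Intel for addressing these issues and for informing Red Hat of the corresponding remediations.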
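Frequently asked questions
Q: Is a reboot required for the changes to take effect?
A: A reboot is not strictly required, but SRBDS mitigation reporting through sysfs on RHEL 7 and 8 will be incorrect if a late (runtime) microcode update has been performed.
Q: What if my CPU is not listed in the table?
A: Red Hat plans to continue updating these microcode packages as needed. Contact your hardware vendor to determine whether a more recent BIOS or firmware update is recommended.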
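Additional information
Because the microcode is provided by the upstream vendor, Red Hat cannot fully guarantee the correctness of the information above.
Related knowledge base articles:
- Does the microcode_ctl package include CPU microcode that addresses CVE-2017-5715?
- Does the microcode_ctl package include CPU microcode that addresses CVE-2018-3639?
- Does the microcode_ctl package include CPU microcode that addresses CVE-2018-3620 and CVE-2018-3646?
- Does the microcode_ctl package include CPU microcode that addresses MDS (ZombieLoad) CVE-2018-12130, CVE-2018-12126, CVE-2018-12127 and CVE-2019-11091?
- Intel November 2019 Microcode Update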
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.