Intel June 2020 Microcode Update

Solution Verified - Updated -

Issue

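Red Hat is aware of a set of CPU hardware flaws that affect the hardware microarchitecture and on-board components of Intel CPUs.

As a convenience to customers, Red Hat provides microcode updates developed by our microprocessor partners. Contact your hardware vendor to determine whether a more recent BIOS or firmware update is recommended.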

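Background information

CVE-2020-0543 Special Register Buffer Data Sampling (SRBDS)

A new domain-bypass transient execution attack known as Special Register Buffer Data Sampling (SRBDS) has been found. It may allow data values from special registers to be inferred by malicious code executing on any core of the CPU. This flaw affects some client and Intel® Xeon® E3 processors; it does not affect other Intel Xeon or Intel Atom® processors (see the "Intel Microcode updates that mitigate this issue" table below).

This flaw has been assigned CVE-2020-0543, and Red Hat rates its severity impact as Moderate.

This issue requires a microcode update, which will affect the performance of the RDRAND and RDSEED instructions.

Additional information: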

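CVE-2020-0548 Vector Register Data Sampling (VRDS)

The MDS mitigations clear the store buffers when the buffer-clearing instruction (VERW) is executed. Program instructions often delegate work to hardware subcomponents. Delegated work that began before the buffer-clearing instruction can be completed by the subcomponent after it, and the result is then placed into the store buffer after the buffer has been cleared. This allows the results of those instructions to be inferred using MDS/TAA exploitation methods.

The specific delegated operations still in flight are SSE/AVX/AVX-512 register reads from another process or a peer CPU.

This issue requires a microcode update.

This flaw has been assigned CVE-2020-0548, and its severity impact is rated Low.

Additional information: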

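CVE-2020-0549 L1D Cache Eviction Sampling (L1DCES)

A microarchitectural timing flaw was found on some Intel processors. In an unusual corner case, data in flight during the eviction process can end up in the "fill buffers", where the MDS mitigations do not properly clear it. The contents of the fill buffers (which were expected to be empty) can then be inferred using MDS or TAA attack methods, allowing a local attacker to infer fill buffer values.

This issue requires a microcode update.

This flaw has been assigned CVE-2020-0549, and its severity impact is rated Moderate.

Additional information: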

Diagnostic tools

At present there is no known way to tell whether an attack has occurred.

Affected products

| Product | Fixed package | Advisory link |
| --- | --- | --- |
| Red Hat Enterprise Linux 8.2.0 (Z-stream) | microcode_ctl-20191115-4.20200602.2.el8_2 | RHSA-2020:2431 |
| Red Hat Enterprise Linux 8.1.0 EUS | Update will be provided later | |
| Red Hat Enterprise Linux 8.0.0 SAP extension | Update will be provided later | |
| Red Hat Enterprise Linux 7.8 (Z-stream) | microcode_ctl-2.1-61.6.el7_8 | RHSA-2020:2432 |
| Red Hat Enterprise Linux 7.7 EUS | Update will be provided later | |
| Red Hat Enterprise Linux 7.6 EUS | Update will be provided later | |
| Red Hat Enterprise Linux 7.4 AUS/E4S/TUS | Update will be provided later | |
| Red Hat Enterprise Linux 7.3 AUS/E4S/TUS | Update will be provided later | |
| Red Hat Enterprise Linux 7.2 AUS/E4S/TUS | Update will be provided later | |
| Red Hat Enterprise Linux 6.10 (Z-stream) | microcode_ctl-1.17-33.26.el6_10 | RHSA-2020:2433 |
| Red Hat Enterprise Linux 6.6 AUS | Update will be provided later | |
| Red Hat Enterprise Linux 6.5 AUS | Update will be provided later | |
| Red Hat Enterprise Linux 5 | No update provided | N/A |

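Affected configurations

The CPU families affected by these flaws are listed below, broken down by flaw type. You must identify the CPU family you are running to determine whether you are affected.

Finding the CPU family and model

Find the CPU model your system provides. It is listed in the /proc/cpuinfo file.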

$ grep -E '^(cpu family|model|stepping|microcode)' /proc/cpuinfo | sort -u
cpu family  : 6
microcode   : 0x84
model       : 94
model name  : Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
stepping    : 3

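(Note: on RHEL 6 the microcode revision is shown in decimal; on RHEL 7 and later it is shown in hexadecimal with the corresponding prefix.)

Affected Intel CPU models and the microcode update revisions that mitigate the issues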

| Model No. (dec) | Stepping (dec) | Minimum microcode revision for mitigation (dec) | Applicable vulnerabilities and errata | Codename | Model names |
| --- | --- | --- | --- | --- | --- |
| 0x3c (60) | 0x03 (3) | 0x28 (40) | SRBDS | Haswell Desktop; Haswell Xeon E3 | 4th Generation Intel® Core™ Processor Family; Intel® Xeon® Processor E3 v3 Family; Intel® Core™ Processor i7-4770S, i7-4790S, i7-4770T, i7-4765T, i7-4770, i7-4770K, i7-4771, i7-4790T, i7-4790, i7-4785T, i5-4440S, i5-4570, i5-4570T, i5-4670, i5-4430, i5-4430S, i5-4670K, i5-4440, i5-4670S, i5-4670T, i5-4460T, i5-4460S, i5-4690, i5-4690S, i5-4690T, i5-4590, i5-4460, i5-4570S, i5-4590T, i5-4590S, i3-4350T, i3-4330, i3-4360, i3-4150T, i3-4160, i3-4130, i3-4160T, i3-4130T, i3-4170, i3-4350, i3-4150, i3-4330T, i3-4360T, i3-4340, i3-4370, i3-4370T, i3-4170T, i7-4900MQ, i7-4910MQ, i7-4800MQ, i7-4810MQ, i7-4700MQ, i7-4702MQ, i7-4710MQ, i7-4712MQ, i7-4700EQ, i3-4100M, i3-4110M; Intel® Pentium® Processor G3420, G3220, G3220T, G3420T, G3430, G3440, G3440T, G3240, G3240T, G3450, G3450T, G3258, G3250, G3250T, G3460, G3460T, G3470, G3260, G3260T, 3560M; Intel® Celeron® Processor G1830, G1820T, G1850, G1840, G1840T, G1820, 2970M; Intel® Xeon® Processor v3 E3-1220, E3-1220L, E3-1221, E3-1225, E3-1226, E3-1230, E3-1230L, E3-1231, E3-1240, E3-1240L, E3-1241, E3-1245, E3-1246, E3-1265L, E3-1268L, E3-1268LV3, E3-1270, E3-1271, E3-1275, E3-1275L, E3-1276, E3-1280, E3-1281, E3-1285, E3-1285L, E3-1286, E3-1286L |
| 0x3d (61) | 0x04 (4) | 0x2f (47) | SRBDS | Broadwell U; Broadwell Y | 5th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-5650U, i7-5600U, i7-5557U, i7-5550U, i7-5500U; Intel® Core™ Processor i5-5350U, i5-5350, i5-5300U, i5-5287U, i5-5257U, i5-5250U, i5-5200U; Intel® Core™ Processor i3-5157U, i3-5020U, i3-5015U, i3-5010U, i3-5006U, i3-5005U, i3-5010U; Intel® Pentium® Processor 3805U, 3825U, 3765U, 3755U, 3215U, 3205U; Intel® Celeron® 3765U; Intel® Core™ Processor M-5Y71, M-5Y70, M-5Y51, M-5Y3, M-5Y10c, M-5Y10a, M-5Y10 |
| 0x45 (69) | 0x01 (1) | 0x26 (38) | SRBDS | Haswell U; Haswell Y | 4th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-4500U, i7-4510U, i7-4550U, i7-4558U, i7-4578U, i7-4600U, i7-4650U; Intel® Core™ Processor i5-4200U, i5-4210U, i5-4250U, i5-4258U, i5-4260U, i5-4278U, i5-4288U, i5-4300U, i5-4308U, i5-4350U; Intel® Core™ Processor i3-4005U, i3-4010U, i3-4025U, i3-4030U, i3-4100U, i3-4120U, i3-4158U; Intel® Pentium® Processor 3556U, 3558U, 3665U; Intel® Celeron® Processor 2955U, 2957U, 2980U, 2981U; Intel® Core™ Processor i7-4610Y; Intel® Core™ Processor i5-4200Y, i5-4202Y, i5-4210Y, i5-4220Y, i5-4300Y, i5-4302Y; Intel® Core™ Processor i3-4010Y, i3-4012Y, i3-4020Y, i3-4030Y; Intel® Pentium® Processor 3560Y, 3561Y |
| 0x46 (70) | 0x01 (1) | 0x1c (30) | SRBDS | Haswell H; Haswell R | 4th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-4700EC, i7-4702EC, i7-4950HQ, i7-4960HQ, i7-4980HQ, i7-4850HQ, i7-4860HQ, i7-4870HQ, i7-4700HQ, i7-4702HQ, i7-4710HQ, i7-4712HQ, i7-4720HQ, i7-4722HQ, i7-4750HQ, i7-4760HQ, i7-4770HQ, i5-4210H, i5-4402EC; Intel® Core™ Processor i7-4770R, i5-4670R, i5-4570R |
| 0x47 (71) | 0x01 (1) | 0x22 (34) | SRBDS | Broadwell H 43e; Broadwell Xeon E3 | 5th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-5700EQ, i7-5700HQ, i7-5750HQ, i7-5850EQ, i7-5850HQ, i7-5950HQ; Intel® Core™ Processor i5-5575R, i5-5675C, i5-5675R, i7-5775C, i7-5775R; Intel® Xeon® Processor v4 E3-1258L, E3-1265L, E3-1278L, E3-1285, E3-1285 |
| 0x4e (78) | 0x03 (3) | 0xdc (220) | SRBDS, VRDS, L1DCES | Skylake U/Y; Skylake U (2+3e) | 6th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-6500U, i7-6510U, i7-6600U; Intel® Core™ Processor i5-6200U, i5-6210U, i5-6300U, i5-6310U; Intel® Core™ Processor i3-6100U, i3-6110U; Intel® Pentium® Processor 4405U, 4415U; Intel® Celeron® Processor 3855U, 3865U, 3955U, 3965U; Intel® Core™ Processor I7-6560U, I7-6567U, I7-6650U, I7-6660U; Intel® Core™ Processor I5-6260U, I5-6267U, I5-6287U, I5-6360U; Intel® Core™ Processor i3-6167U; Intel® Core™ Processor m7-6Y75, m5-6Y54, m5-6Y57, m3-6Y30; Intel® Pentium® Processor 4405Y |
| 0x55 (85) | 0x03 (3) | 0x1000157 (16777559) | VRDS, L1DCES | Skylake Server | Intel® Xeon® Processor P-8124, P-8136 |
| 0x55 (85) | 0x04 (4) | 0x2006906 (33581318) | VRDS, L1DCES | Skylake D; Bakerville; Skylake Server; Skylake W; Skylake X; Basin Falls | Intel® Xeon® Processor D-2123IT, D-2141I, D-2142IT, D-2143IT, D-2145NT, D-2146NT, D-2161I, D-2163IT, D-2166NT, D-2173IT, D-2177NT, D-2183IT, D-2187NT; Intel® Xeon® Bronze Processor 3104, 3106; Intel® Xeon® Gold Processor 5115, 5118, 5119T, 5120, 5120T, 5122, 6126, 6126F, 6126T, 6128, 6130, 6130F, 6130T, 6132, 6134, 6134M, 6136, 6138, 6138F, 6138T, 6140, 6140M, 6142, 6142F, 6142M, 6144, 6146, 6148, 6148F, 6150, 6152, 6154; Intel® Xeon® Platinum Processor 8153, 8156, 8158, 8160, 8160F, 8160M, 8160T, 8164, 8168, 8170, 8170M, 8176, 8176F, 8176M, 8180, 8180M; Intel® Xeon® Silver Processor 4108, 4109T, 4110, 4112, 4114, 4114T, 4116, 4116T; Intel® Xeon® Processor W-2123, W-2125, W-2133, W-2135, W-2145, W-2155, W-2195, W-2175; Intel® Core™ i9 79xxX, 78xxX |
| 0x55 (85) | 0x07 (7) | 0x5002f01 (83898113) | VRDS, L1DCES | Cascade Lake | 2nd Generation Intel® Xeon® Scalable Processors; Intel® Xeon® Platinum Processor 8253, 8256, 8260, 8260L, 8260M, 8260Y, 8268, 8270, 8276, 8276L, 8276M, 8280, 8280L, 8280M, 9220, 9221, 9222, 9242, 9282; Intel® Xeon® Gold Processor 5215, 5215L, 5215M, 5215R, 5217, 5218, 5218B, 5218N, 5218T, 5220, 5220R, 5220S, 5220T, 5222, 6222V, 6226, 6230, 6230N, 6230T, 6234, 6238, 6238L, 6238M, 6238T, 6240, 6240L, 6240M, 6240Y, 6242, 6244, 6246, 6248, 6252, 6252N, 6254, 6262V; Intel® Xeon® Silver Processor 4208, 4208R, 4209T, 4210, 4210R, 4214, 4214C, 4214R, 4214Y, 4215, 4216, 4216R; Intel® Xeon® Bronze Processor 3204, 3206R; Intel® Xeon® Processor W-3275M, W-3275, W-3265M, W-3265, W-3245M, W-3245, W-3235, W-3225, W-3223, W-2295, W-2275, W-2265, W-2255, W-2245, W-2235, W-2225, W-2223; Intel® Core™ X-series Processor i9-10940X, i9-10920X, i9-10900X, i9-9960X, i9-9940X, i9-9920X, i9-9900X, i9-9820X, i9-9800X, i9-7960X, i9-7940X, i9-7920X, i9-7900X, i7-7820X, i7-7800X, i7-7740X, i7-7640X |
| 0x5e (94) | 0x03 (3) | 0xdc (220) | SRBDS, VRDS, L1DCES | Skylake H | 6th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-6700HQ, i7-6770HQ, i7-6820HK, i7-6820HQ, i7-6870HQ, i7-6920HQ, i7-6970HQ, i5-6300HQ, i5-6350HQ, i5-6440HQ, i3-6100H, i7-6700, i7-6700K, i7-6700T, i7-6700TE, i7-6820EQ, i7-6822EQ, i5-6400, i5-6400T, i5-6440EQ, i5-6442EQ, i5-6500, i5-6500T, i5-6500TE, i5-6600, i5-6600K, i5-6600T, i3-6100, i3-6100E, i3-6100T, i3-6100TE, i3-6102E, i3-6120, i3-6120T, i3-6300, i3-6300T, i3-6320, i3-6320T; Intel® Pentium® Processor G4400, G4400T, G4400TE, G4420, G4420T, G4500, G4500T, G4520, G4520T, G4540; Intel® Celeron® Processor G3900, G3900T, G3900TE, G3902E, G3920, G3920T, G3940 |
| 0x8e (142) | 0x09 (9) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Kaby Lake U; Kaby Lake U (2+3e); Kaby Lake Y | 7th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-7500U, i7-7510U, i7-7600U, i7-7560U, i7-7567U, i7-7660U, i7-7Y75, i5-7200U, i5-7210U, i5-7300U, i5-7500U, i5-7260U, i5-7267U, i5-7287U, i5-7360U, i5-7Y54, i5-7Y57, i3-7007U, i3-7100U, i3-7110U, i3-7130U, i3-7167U, M3-7Y30, M3-7Y30; Intel® Pentium® Processor 4415U, 4410Y, 4415Y; Intel® Celeron® Processor 3865U, 3965U, 3965Y |
| 0x8e (142) | 0x09 (9) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Amber Lake Y | 8th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-8500Y, i5-8310Y, i5-8210Y, i5-8200Y, m3-8100Y |
| 0x8e (142) | 0x0a (10) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Coffee Lake U (4+3e); Kaby Lake Refresh U (4+2) | 8th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-8559U, i7-8550U, i7-8650U, i5-8259U, 8269U, i5-8250U, i5-8350U, i3-8109U, i3-7020U, i3-8130U |
| 0x8e (142) | 0x0b (11) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Whiskey Lake U | 8th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-8565U, i7-8665U, i5-8365U, i5-8265U, i3-8145U; Intel® Core™ Processor 4205U, 5405U |
| 0x8e (142) | 0x0c (12) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Whiskey Lake U, Amber Lake Y, Comet Lake U (4+2) | 8th Generation Intel® Core™ Processor Family; 10th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-10510Y, i5-10310Y, i5-10210Y, i5-10110Y, i7-10510U, i7-8565U, i7-8665U, i5-10210U, i5-8365U, i5-8265U, Intel® Pentium® Gold Processor 6405U, Intel® Celeron® Processor 5305U |
| 0x9e (158) | 0x09 (9) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Kaby Lake G; Kaby Lake H; Kaby Lake S; Kaby Lake X; Kaby Lake Xeon E3 | 7th Generation Intel® Core™ Processor Family; 8th Generation Intel® Core™ Processor Family; Intel® Core™ X-series Processors (i5-7640X, i7-7740X); Intel® Core™ Processor i7-8705G, i7-8706G, i7-8709G, i7-8809G, i5-8305G, Intel® Core™ Processor i7-7700HQ, i7-7820EQ, i7-7820HK, i7-7820HQ, i7-7920HQ, i7-7700, i7-7700K, i7-7700T, i5-7300HQ, i5-7440EQ, i5-7440HQ, i5-7442EQ, i5-7400, i5-7400T, i5-7500, i5-7500T, i5-7600, i5-7600K, i5-7600T, i3-7100H, i3-7100E, i3-7101E, i3-7101TE, i3-7102E, i3-7120, i3-7120T, i3-7320T, i3-7340; Intel® Celeron® Processor G3930E, G3930TE; Intel® Xeon® Processor v6 E3-1535M, E3-1505M, E3-1505L, E3-1501L, E3-1501M, E3-1285, E3-1280, E3-1275, E3-1270, E3-1245, E3-1240, E3-1230, E3-1225, E3-1220 |
| 0x9e (158) | 0x0a (10) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Coffee Lake H (6+2); Coffee Lake S (6+2); Coffee Lake S (6+2) Xeon E; Coffee Lake S (4+2) Xeon E | 8th Generation Intel® Core™ Processor Family; Intel® Xeon® Processor E Family; Intel® Core™ Processor i9-8950HK, i7-8700K, i7-8700B, i7-8750H, i7-8850H, i7-8670, i7-8670T, i7-8700, i7-8700T, i5-8600K, i5-8650K, i5-8300H, i5-8400B, i5-8400H, i5-8500B, i5-8400, i5-8400T, i5-8420, i5-8420T, i5-8500, i5-8500T, i5-8550, i5-8600, i5-8600T, i5-8650; Intel® Xeon® Processor E-2174G, E-2144G, E-2134, E-2124, E-2124G, E-2284G, E-2274G, E-2254ML, E-2254ME, E-2244G, E-2234, E-2224, E-2224G, E-2184G, E-2186G, E-2176G, E-2176M, E-2146G, E-2136, E-2126G, 2286G, E-2276ML, E-2276ME, E-2276M, E-2276G, E-2246G, E-2236, E-2226GE, E-2226G, E-2186M, E-2176M |
| 0x9e (158) | 0x0b (11) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Coffee Lake S (4+2) | 8th Generation Intel® Core™ Processor Family; Intel® Pentium® Gold Processor Series; Intel® Celeron® Processor G Series; Intel® Core™ Processor i3-8000, i3-8000T, i3-8020, i3-8100, i3-8100, i3-8100H, i3-8100T, i3-8120, i3-8300, i3-8300T, i3-8350K; Intel® Pentium® Gold G5400, G5400T, G5400T, G5420, G5420T, G5420T, G5500, G5500T, G5600; Intel® Celeron® Processor G4900, G4900T, G4920 |
| 0x9e (158) | 0x0c (12) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Coffee Lake S (8+2) | 9th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i9-9900K, i9-9900KF, i7-9700K, i7-9700KF, i5-9600K, i5-9600KF, i5-9400, i5-9400F |
| 0x9e (158) | 0x0d (13) | 0xd6 (214) | SRBDS, VRDS, L1DCES | Coffee Lake H (8+2); Coffee Lake S (8+2); Coffee Lake S (8+2) Xeon E | 9th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i9-9980HK, i9-9880H, i7-9850H, 9750HF, i5-9400H, 9300H; Intel® Xeon® Processor E-2288G, E-2286M, E-2278GEL, E-2278GE, E-2278G |
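
The lookup this section describes (read family, model, stepping and microcode revision from /proc/cpuinfo, then compare against the table) can be scripted. The following is an added example, not Red Hat's tooling or part of the original article; the function names `min_rev`, `field`, `check_cpuinfo` and `demo` are hypothetical, the revisions are taken from the hex column of the table above, and the sample input is constructed from the article's example output.

```shell
#!/bin/sh
# Added example, not Red Hat's tooling. Table keys are "model:stepping" in
# decimal; values are the hex minimum revisions from this article's table.
min_rev() {   # prints "<min revision> <applicable issues>", or nothing
    case "$1:$2" in
        60:3) echo "0x28 SRBDS" ;;
        61:4) echo "0x2f SRBDS" ;;
        69:1) echo "0x26 SRBDS" ;;
        70:1) echo "0x1c SRBDS" ;;
        71:1) echo "0x22 SRBDS" ;;
        78:3|94:3) echo "0xdc SRBDS,VRDS,L1DCES" ;;
        85:3) echo "0x1000157 VRDS,L1DCES" ;;
        85:4) echo "0x2006906 VRDS,L1DCES" ;;
        85:7) echo "0x5002f01 VRDS,L1DCES" ;;
        142:9|142:10|142:11|142:12|158:9|158:10|158:11|158:12|158:13)
              echo "0xd6 SRBDS,VRDS,L1DCES" ;;
    esac
}

# field FILE KEY: first value of an exactly named key ("model", not "model name")
field() { awk -F'[ \t]*:[ \t]*' -v k="$2" '$1 == k { print $2; exit }' "$1"; }

check_cpuinfo() {   # usage: check_cpuinfo [FILE], default /proc/cpuinfo
    f=${1:-/proc/cpuinfo}
    family=$(field "$f" "cpu family"); model=$(field "$f" model)
    stepping=$(field "$f" stepping);   ucode=$(field "$f" microcode)
    [ "$family" = 6 ] || { echo "NOT_LISTED family=$family"; return 0; }
    set -- $(min_rev "$model" "$stepping")
    [ -n "$1" ] || { echo "NOT_LISTED model=$model stepping=$stepping"; return 0; }
    [ -n "$ucode" ] || { echo "UNKNOWN need=$1 applies=$2"; return 0; }
    # Arithmetic expansion reads 0x-prefixed hex (RHEL 7+) and decimal (RHEL 6).
    if [ $(($ucode)) -ge $(($1)) ]; then s=OK; else s=OUTDATED; fi
    echo "$s have=$ucode need=$1 applies=$2"
}

demo() {   # constructed sample using the values in the article's example output
    t=$(mktemp)
    printf 'cpu family\t: 6\nmodel\t\t: 94\nstepping\t: 3\nmicrocode\t: 0x84\n' > "$t"
    check_cpuinfo "$t"; rm -f "$t"
}
demo   # prints: OUTDATED have=0x84 need=0xdc applies=SRBDS,VRDS,L1DCES
```

Run `check_cpuinfo` with no argument to evaluate the local system. `NOT_LISTED` only means the CPU is absent from this article's table.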

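Resolution

Red Hat strongly recommends that customers running affected versions of Red Hat products update them as soon as the errata are available. Customers should apply the appropriate updates immediately and reboot the system to address these flaws.

Acknowledgements

Red Hat thanks Intel for addressing these issues and for informing Red Hat of the corresponding remediation.

Frequently asked questions

Q: Is a reboot required for the changes to take effect?
A: A reboot is not strictly required, but if the microcode update is loaded without one (a late microcode update), the SRBDS mitigation status reported through sysfs on RHEL 7 and 8 will be incorrect.
Q: What if my CPU is not listed in the table?
A: Red Hat plans to keep updating these microcode packages as needed. Contact your hardware vendor to determine whether a more recent BIOS or firmware update is recommended.

Additional information

Because the microcode is provided by the upstream vendor, Red Hat cannot fully guarantee the correctness of the information above.

Related Knowledge Base articles: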
