
Re: [PATCH 4/5] x86/ucode: Cross check the minimum revision


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Tue, 21 Oct 2025 10:24:00 +0100
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 21 Oct 2025 09:24:15 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 21/10/2025 10:18 am, Jan Beulich wrote:
> On 20.10.2025 15:19, Andrew Cooper wrote:
>> For Zen3-5 microcode blobs signed with the updated signature scheme, the
>> checksum field has been reused to be a min_revision field, referring to the
>> microcode revision which fixed Entrysign (SB-7033, CVE-2024-36347).
>>
>> Cross-check this when trying to load microcode, but allow --force to override
>> it.  If the signature scheme is genuinely different, a #GP will occur.
>>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> Acked-by: Jan Beulich <jbeulich@xxxxxxxx>

Thanks.

>
> Might be upgradable to R-b if only I knew where - if anywhere - this is
> documented. I can't spot anything in PM vol 2 in particular.

Like everything else about the ucode format, it's not documented at all.

In fact, this was discovered by people on the WinRaid forums, because
even
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/amd-ucode?id=3768c184de68a85b9df6697e7f93a2f61de90a99
doesn't say that the internal headers have been adjusted.

I've confirmed with AMD that it's intentional and expected to continue
like this for the lifetime of the Zen3-5 blobs.

~Andrew



 

