Re: [PATCH 2/3] x86/amd: Stop updating the Zenbleed mitigation dynamically
- To: Jan Beulich <jbeulich@xxxxxxxx>
- From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- Date: Wed, 26 Nov 2025 17:33:55 +0000
- Cc: andrew.cooper3@xxxxxxxxxx, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Wed, 26 Nov 2025 17:34:29 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 26/11/2025 2:49 pm, Jan Beulich wrote:
> On 26.11.2025 14:22, Andrew Cooper wrote:
>> This was potentially helpful when the chickenbit was the only mitigation and
>> microcode had not been released, but that was two years ago.
>>
>> Zenbleed microcode has been available since December 2023, and the subsequent
>> Entrysign signature vulnerability means that firmware updates block OS-loading
>> and more OS-loadable microcode will be produced for Zen2.
>>
>> i.e. the Zenbleed fix is not going to appear at runtime these days.
>>
>> No practical change.
>>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> Acked-by: Jan Beulich <jbeulich@xxxxxxxx>
Thanks.
> on the basis that people unwilling to update their firmware already accept
> being vulnerable. To them this might be a perceived regression, i.e. not
> exactly "No practical change", but we kind of accept that possibility.
It's not quite that easy. There are plenty of Zen2 systems without a
firmware update.
But, a user who cares about their security will have a more up-to-date
microcode than 2 years old, and will get the Zenbleed fix at boot time.
What I'm trying to say is that the "old ucode at boot, new at runtime"
case doesn't sensibly exist any more.
~Andrew