x86/ucode: Extend AMD digest checks to cover Zen5 CPUs

AMD have updated the SB-7033 advisory to include Zen5 CPUs.  Extend the digest
check to cover Zen5 too.

In practice, cover everything until further notice.

Observant readers may be wondering where the update to the digest list is.  At
the time of writing, no Zen5 patches are available via a verifiable channel.

Link: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html
Fixes: 630e8875ab36 ("x86/ucode: Perform extra SHA2 checks on AMD Fam17h/19h microcode")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c
index ee7de5282b2a0bd78852b7f40e64755b122f63f8..4bc490dedca75466fdf97e69f29c17161a309166 100644 (file)
--- a/xen/arch/x86/cpu/microcode/amd.c
+++ b/xen/arch/x86/cpu/microcode/amd.c
@@ -117,8 +117,12 @@ static bool check_digest(const struct container_microcode *mc)
     const struct patch_digest *pd;
     uint8_t digest[SHA2_256_DIGEST_SIZE];
 
-    /* Only Fam17h/19h are known to need extra checks.  Skip other families. */
-    if ( boot_cpu_data.x86 < 0x17 || boot_cpu_data.x86 > 0x19 ||
+    /*
+     * Zen1 thru Zen5 CPUs are known to use a weak signature algorithm on
+     * microcode updates.  Mitigate by checking the digest of the patch
+     * against a list of known provenance.
+     */
+    if ( boot_cpu_data.x86 < 0x17 ||
          !opt_digest_check )
         return true;