AMD have updated the SB-7033 advisory to include Zen5 CPUs. Extend the digest
check to cover Zen5 too.
In practice, cover everything until further notice.
Observant readers may be wondering where the update to the digest list is. At
the time of writing, no Zen5 patches are available via a verifiable channel.
Link: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html
Fixes: 630e8875ab36 ("x86/ucode: Perform extra SHA2 checks on AMD Fam17h/19h microcode")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
(cherry picked from commit
b63951467e964bcc927f823fc943e40069fac0c9)
x86/ucode: Extend warning about disabling digest check too
This was missed by accident.
Fixes: b63951467e96 ("x86/ucode: Extend AMD digest checks to cover Zen5 CPUs")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
(cherry picked from commit
59bb316ea89e7f9461690fe00547d7d2af96321d)
const struct patch_digest *pd;
uint8_t digest[SHA2_256_DIGEST_SIZE];
- /* Only Fam17h/19h are known to need extra checks. Skip other families. */
- if ( boot_cpu_data.x86 < 0x17 || boot_cpu_data.x86 > 0x19 ||
+ /*
+ * Zen1 thru Zen5 CPUs are known to use a weak signature algorithm on
+ * microcode updates. Mitigate by checking the digest of the patch
+ * against a list of known provenance.
+ */
+ if ( boot_cpu_data.x86 < 0x17 ||
!opt_digest_check )
return true;
{
case X86_VENDOR_AMD:
if ( !opt_digest_check &&
- boot_cpu_data.x86 >= 0x17 && boot_cpu_data.x86 <= 0x19 )
+ boot_cpu_data.x86 >= 0x17 )
{
printk(XENLOG_WARNING
"Microcode patch additional digest checks disabled");
projects / people / andrewcoop / xen.git / commitdiff