[xen staging] x86/ucode: Extend AMD digest checks to cover Zen5 CPUs
commit b63951467e964bcc927f823fc943e40069fac0c9 Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> AuthorDate: Tue Apr 8 17:09:15 2025 +0100 Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> CommitDate: Tue Apr 8 17:51:45 2025 +0100 x86/ucode: Extend AMD digest checks to cover Zen5 CPUs AMD have updated the SB-7033 advisory to include Zen5 CPUs. Extend the digest check to cover Zen5 too. In practice, cover everything until further notice. Observant readers may be wondering where the update to the digest list is. At the time of writing, no Zen5 patches are available via a verifiable channel. Link: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html Fixes: 630e8875ab36 ("x86/ucode: Perform extra SHA2 checks on AMD Fam17h/19h microcode") Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> --- xen/arch/x86/cpu/microcode/amd.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c index ee7de5282b..4bc490dedc 100644 --- a/xen/arch/x86/cpu/microcode/amd.c +++ b/xen/arch/x86/cpu/microcode/amd.c @@ -117,8 +117,12 @@ static bool check_digest(const struct container_microcode *mc) const struct patch_digest *pd; uint8_t digest[SHA2_256_DIGEST_SIZE]; - /* Only Fam17h/19h are known to need extra checks. Skip other families. */ - if ( boot_cpu_data.x86 < 0x17 || boot_cpu_data.x86 > 0x19 || + /* + * Zen1 thru Zen5 CPUs are known to use a weak signature algorithm on + * microcode updates. Mitigate by checking the digest of the patch + * against a list of known provenance. + */ + if ( boot_cpu_data.x86 < 0x17 || !opt_digest_check ) return true; -- generated by git-patchbot for /home/xen/git/xen.git#staging
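Review bot: the new comment says "Zen1 thru Zen5" but the replacement condition `if ( boot_cpu_data.x86 < 0x17 || !opt_digest_check )` drops the upper family bound entirely, so the digest check now applies to every family from 0x17 upwards, including ones not yet released; the commit message states this intent ("cover everything until further notice") but the code comment does not, so suggest adding a line such as "Apply to Fam17h and later until further notice" so a future reader does not assume the list of families in the comment is exhaustive. It would also help to note, in the comment or in the log message emitted when no digest matches, that on Zen5 the patch-digest list has no entries yet (per the commit message, no Zen5 patches are available via a verifiable channel), so with opt_digest_check enabled every Zen5 microcode patch will be rejected until the list is extended; that is the intended fail-closed behaviour, and recording it avoids the rejection being reported as a regression.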