
[xen staging-4.19] x86/ucode: Extend AMD digest checks to cover Zen5 CPUs



commit 465ccf84e382d367833924cc9fb44eb1580f2337
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Tue Apr 8 17:09:15 2025 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Fri Apr 11 14:12:25 2025 +0100

    x86/ucode: Extend AMD digest checks to cover Zen5 CPUs
    
    AMD have updated the SB-7033 advisory to include Zen5 CPUs.  Extend the digest
    check to cover Zen5 too.
    
    In practice, cover everything until further notice.
    
    Observant readers may be wondering where the update to the digest list is.  At
    the time of writing, no Zen5 patches are available via a verifiable channel.
    
    Link: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html
    Fixes: 630e8875ab36 ("x86/ucode: Perform extra SHA2 checks on AMD Fam17h/19h microcode")
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    (cherry picked from commit b63951467e964bcc927f823fc943e40069fac0c9)
    
    x86/ucode: Extend warning about disabling digest check too
    
    This was missed by accident.
    
    Fixes: b63951467e96 ("x86/ucode: Extend AMD digest checks to cover Zen5 CPUs")
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    (cherry picked from commit 59bb316ea89e7f9461690fe00547d7d2af96321d)
---
 xen/arch/x86/cpu/microcode/amd.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c
index e17c60fe3b..4f236e4399 100644
--- a/xen/arch/x86/cpu/microcode/amd.c
+++ b/xen/arch/x86/cpu/microcode/amd.c
@@ -118,8 +118,12 @@ static bool check_digest(const struct container_microcode 
*mc)
     const struct patch_digest *pd;
     uint8_t digest[SHA2_256_DIGEST_SIZE];
 
-    /* Only Fam17h/19h are known to need extra checks.  Skip other families. */
-    if ( boot_cpu_data.x86 < 0x17 || boot_cpu_data.x86 > 0x19 ||
+    /*
+     * Zen1 thru Zen5 CPUs are known to use a weak signature algorithm on
+     * microcode updates.  Mitigate by checking the digest of the patch
+     * against a list of known provenance.
+     */
+    if ( boot_cpu_data.x86 < 0x17 ||
          !opt_digest_check )
         return true;
 
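Review bot: the new comment enumerates "Zen1 thru Zen5" while the condition it documents (`boot_cpu_data.x86 < 0x17`) no longer has an upper bound, so every future family is covered as well; the commit message says this is intentional ("cover everything until further notice"), and the comment should say so too, otherwise a reader will assume the check stops at Zen5 and the two will drift again the next time a family is added. It is also worth a sentence in the comment that, per the commit message, no Zen5 entries exist in the digest list yet, so with `opt_digest_check` left at its default any Zen5 patch is rejected until the list is extended; that is the correct fail-closed behaviour, but an operator staring at a refused microcode load deserves to find the reason next to the code.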
@@ -505,8 +509,7 @@ static const struct microcode_ops __initconst_cf_clobber 
amd_ucode_ops = {
 
 void __init ucode_probe_amd(struct microcode_ops *ops)
 {
-    if ( !opt_digest_check &&
-         boot_cpu_data.x86 >= 0x17 && boot_cpu_data.x86 <= 0x19 )
+    if ( !opt_digest_check && boot_cpu_data.x86 >= 0x17 )
     {
         printk(XENLOG_WARNING
                "Microcode patch additional digest checks disabled");
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.19