[xen stable-4.21] x86/ucode: Exclude Zen6 from entrysign mitigations

[patchbot@xxxxxxx]

commit 74930b4a9d3688cb07b1df8997199d70e3957cee
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Mon Mar 16 10:34:23 2026 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Thu Mar 19 13:26:13 2026 +0000

    x86/ucode: Exclude Zen6 from entrysign mitigations
    
    Family 0x1a covers both Zen5 and Zen6, but the latter is not believed to be
    vulnerable to entrysign.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    (cherry picked from commit bd15fdedafb3a414aeafa918a9212148ac22ebb5)
---
 xen/arch/x86/cpu/microcode/amd.c | 6 ++++--
 xen/arch/x86/include/asm/amd.h   | 4 ++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c
index e7ae1e8023..34e3a52753 100644
--- a/xen/arch/x86/cpu/microcode/amd.c
+++ b/xen/arch/x86/cpu/microcode/amd.c
@@ -20,6 +20,7 @@
 #include <xen/mm.h> /* TODO: Fix asm/tlbflush.h breakage */
 #include <xen/sha2.h>
 
+#include <asm/amd.h>
 #include <asm/msr.h>
 
 #include "private.h"
@@ -575,7 +576,7 @@ void __init ucode_probe_amd(struct microcode_ops *ops)
      * CPUs.  Taint Xen if digest checking is turned off.
      */
     if ( boot_cpu_data.family >= 0x17 && boot_cpu_data.family <= 0x1a &&
-         !opt_digest_check )
+         !is_zen6_uarch() && !opt_digest_check )
     {
         printk(XENLOG_WARNING
                "Microcode patch additional digest checks disabled\n");
@@ -616,7 +617,8 @@ void __init amd_check_entrysign(void)
 
     if ( boot_cpu_data.vendor != X86_VENDOR_AMD ||
          boot_cpu_data.family < 0x17 ||
-         boot_cpu_data.family > 0x1a )
+         boot_cpu_data.family > 0x1a ||
+         is_zen6_uarch() )
         return;
 
     /*
diff --git a/xen/arch/x86/include/asm/amd.h b/xen/arch/x86/include/asm/amd.h
index 72df42a6f6..5903b21890 100644
--- a/xen/arch/x86/include/asm/amd.h
+++ b/xen/arch/x86/include/asm/amd.h
@@ -149,6 +149,8 @@
  * For Zen3 and Zen4 (Fam19h) the heuristic is the presence of AutoIBRS, as
  * it's Zen4-specific.
  *
+ * For Zen5 and Zen6 (Fam1ah) the heuristic is the presence of FRED.
+ *
  * The caller is required to perform the appropriate vendor/family checks
  * first.
  */
@@ -156,6 +158,8 @@
 #define is_zen2_uarch()   boot_cpu_has(X86_FEATURE_AMD_STIBP)
 #define is_zen3_uarch() (!boot_cpu_has(X86_FEATURE_AUTO_IBRS))
 #define is_zen4_uarch()   boot_cpu_has(X86_FEATURE_AUTO_IBRS)
+#define is_zen5_uarch() (!boot_cpu_has(X86_FEATURE_FRED))
+#define is_zen6_uarch()   boot_cpu_has(X86_FEATURE_FRED)
 
 struct cpuinfo_x86;
 int cpu_has_amd_erratum(const struct cpuinfo_x86 *cpu, int osvw_id, ...);
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.21