There is the rather serious CVE-2023-31315 which means malware can worm itself into system firmware through leaky SMM on AMD CPUs. This might promote the bug from wishlist to important.
This is so serious that I think that we are just forced to include the current AMD microcode in stable. Testing has the current version. This entry from the testing changelog looks serious enough to warrant porting to stable for servers, doesn't it?

  * SECURITY UPDATE: Mitigates "Sinkclose" CVE-2023-31315 (AMD-SB-7014) on AMD Epyc processors: SMM lock bypass - Improper validation in a model specific register (MSR) could allow a malicious program with ring 0 access (kernel) to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution. Note: a firmware update is recommended for AMD Epyc (to protect the system as early as possible). Many other AMD processor models are also vulnerable to SinkClose, and can only be fixed by a firmware update at this time.

EPYC CPUs are employed just in the kind of machine that would run stable. Firmware update might be recommended, but doesn't have to be available with differing mainboard vendors. I'd be happy to install updated amd64-microcode from bookworm-backports, but it's not there, I am stuck at 3.20230808.1.1~deb12u1 without starting to mix in packages from testing.

--
Dr. Thomas Orgis
HPC @ Universität Hamburg