Hello Tobias, On Sat, Sep 6, 2025, at 10:20, Tobias Frost wrote: > Maybe a stupid question, does that mean we cannot update the microcode > if the firmware (bios?) hasn't been updated?
Exactly. You try to load the new microcode into a processor booted from an older BIOS, it throws a #GP. You try to load the old microcode on a processor with the new BIOS, it throws a #GP (the kernel avoids *this* one by refusing to attempt microcode revision downgrades). New firmware is required to switch the entire system into the new signature scheme, this has been pretty clear from day one, although *why* isn't exactly explained anywhere I could find. So, the practical issue is how we keep systems with outdated firmware in the 20250311 release, while shipping new releases to the systems with newer firmware. The bad news is that, unless I misunderstood the kernel code (and there *is* a good chance I did, let's be hopeful), it will try to update the kernel with *just* the newest revision it is given, and the firmware data files / early initramfs files are *not* different for old and new signature scheme. I just asked AMD about it, hopefully they will have good news for us. Now, assuming I did not fail to notice something kernel-side, we would have to detect what microcode track we need to use to generate the initramfs (with all the issues this causes for the installer and live images, etc), or have a legacy package (which is *almost* the same as giving up on the users that need it, as the UX will be horrible, but it is something we can do very easily and safely). So, let's wait for AMD's response. > Regarding the bits in the kernel source Salvatore mentioned above, does > that mean that a minimum kernel is required as well? Salvatore has already answered this: yes, one needs both. Systems on old firmware *cannot* load the new microcode updates, and will remain vulnerable. -- Henrique de Moraes Holschuh <h...@debian.org>
