retitle 1095470 amd64-microcode: CVE-2024-56161 updated AMD-SEV FW needed to pass attestation
severity 1095470 important
clone 1095470 -1
tag 1095470 + fixed-upstream
retitle -1 amd64-microcode: CVE-2024-36347 weak microcode update validation
tag -1 = upstream security wontfix
severity -1 important
thanks
Please let me clarify some details. If this is incorrect, please provide pointers to the relevant documentation/artifacts:

There is NO *operating-system-loadable* microcode update available from AMD to address the root issue (weak microcode validation) at this time. And public documentation states the root-cause fix must be done through a system firmware (UEFI) update.

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html

Maybe this will change, and if it doesn't, maybe lesser mitigations (such as blocking further microcode updates) will become available: I understand running a minimal kernel-monitor secure hypervisor should be able to block the MSR writes that trigger a microcode update, for example.

So, AMD-SB-7033 / CVE-2024-36347 is unactionable by package amd64-microcode at this time. I will clone the bug to split the two CVEs into their own bugs, and tag the one for CVE-2024-36347 "wontfix" accordingly. I will also downgrade its severity to "important", since unactionable grave bugs can block actionable fixes from propagating to testing, etc. Should the situation change (hopefully it will), we can revisit this.

Now, for CVE-2024-56161, which is the AMD-SEV side of the issue. There is a pending AMD-SEV loadable firmware update from 2025/02/29, and I will package it soon (but I'd rather hear back from AMD about a few details, first). However, I understand from AMD SB-3019 that the SEV firmware update will just ensure that SEV remote attestation can succeed on updated firmware. It is relevant for CVE-2024-56161, yes, but it is NOT FIXING the underlying issue at all.

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html

Note that CVE-2024-56161 is mitigated by ensuring no SEV payload attestation can succeed on outdated firmware (and you don't need to do anything for THAT: the SEV payload providers are already on it), and by allowing attestation to succeed on updated firmware. What is missing in Debian is a way for SEV payloads to pass attestation *on systems with updated firmware*, and THAT is what the pending SEV firmware update is about. I changed the bug title accordingly.

Since AMD-SEV is *not* officially supported in Debian anyway, I will downgrade the SEV bug's severity to important as well.

More information about AMD-SEV: https://www.amd.com/en/developer/sev.html

-- 
Henrique de Moraes Holschuh <h...@debian.org>
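The message above distinguishes two things an administrator can observe on a host: the microcode patch level the OS sees (what amd64-microcode can and cannot change), and the SEV firmware version the kernel's ccp/psp driver reports (what the pending SEV firmware package would change). The following is an added example, not code from the bug report or from the amd64-microcode package, that reads both from the standard Linux interfaces. The `/proc/cpuinfo` and kernel-log text embedded below is constructed sample input; the `SEV API:x.y build:z` log format is assumed to match what the ccp driver prints, and the minimum-version argument is a caller-supplied placeholder because the message gives no fixed version number.

```python
"""Report AMD microcode patch level and SEV firmware version on a Linux host.

Added example (not part of the original bug report). Reads the two values
the triage message talks about: the microcode patch level per logical CPU
as exposed in /proc/cpuinfo, and the SEV firmware API version the ccp/psp
driver logs at boot. Sample inputs below are constructed for offline use.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Constructed /proc/cpuinfo excerpt for an AMD EPYC host (two logical CPUs
# shown; the real file carries one stanza per logical CPU).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 1
model name\t: AMD EPYC 7313 16-Core Processor
microcode\t: 0xa0011d1

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 1
model name\t: AMD EPYC 7313 16-Core Processor
microcode\t: 0xa0011d1
"""

# Constructed kernel-log excerpt. The "SEV API:%d.%d build:%d" line format is
# assumed to match what drivers/crypto/ccp/sev-dev.c prints at init.
SAMPLE_DMESG = """\
[    5.123456] ccp 0000:45:00.1: enabling device (0000 -> 0002)
[    5.456789] ccp 0000:45:00.1: sev enabled
[    5.567890] ccp 0000:45:00.1: SEV API:1.55 build:21
"""

SevVersion = Tuple[int, int, int]  # (api_major, api_minor, build)


def microcode_levels(cpuinfo_text: str) -> Dict[int, int]:
    """Map logical CPU number -> microcode patch level (the MSR 0x8B value
    the kernel reports in /proc/cpuinfo). Only AuthenticAMD stanzas count."""
    levels: Dict[int, int] = {}
    cpu: Optional[int] = None
    is_amd = False
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "processor":
            cpu, is_amd = int(value), False
        elif key == "vendor_id":
            is_amd = value == "AuthenticAMD"
        elif key == "microcode" and cpu is not None and is_amd:
            levels[cpu] = int(value, 16)
    return levels


def microcode_consistent(levels: Dict[int, int]) -> bool:
    """True when every logical CPU reports the same patch level. A mismatch
    means a late/partial OS-side load; on that host an attestation report
    would not describe all cores equally."""
    return len(set(levels.values())) <= 1


def sev_firmware_version(dmesg_text: str) -> Optional[SevVersion]:
    """Extract (api_major, api_minor, build) from the ccp driver's log line,
    or None if the driver never announced SEV firmware."""
    m = re.search(r"SEV API:(\d+)\.(\d+) build:(\d+)", dmesg_text)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def sev_firmware_at_least(found: SevVersion, minimum: SevVersion) -> bool:
    """Tuple comparison on (major, minor, build); 'minimum' is whatever the
    attestation verifier you talk to actually requires (placeholder here)."""
    return found >= minimum


if __name__ == "__main__":
    # On a real host: feed the live files instead of the constructed samples.
    cpuinfo = open("/proc/cpuinfo").read()
    dmesg = subprocess.run(["dmesg"], capture_output=True, text=True).stdout
    lv = microcode_levels(cpuinfo)
    print("microcode levels:", {c: hex(v) for c, v in lv.items()},
          "consistent" if microcode_consistent(lv) else "MISMATCH")
    print("SEV firmware:", sev_firmware_version(dmesg))
```

Running this on a real host only tells you what the OS can see; per the message above, the microcode-validation fix itself ships in the UEFI/system firmware, so an unchanged `microcode` field after a vendor firmware update is not by itself evidence that the fix is absent.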