Public bug reported:

SRU Justification:

[ Impact ]

When updating AMD microcode with the amd64-microcode package, which
places the microcode files in `usr/lib/firmware/amd-ucode`, the list of
allowed SHAs on the kernel side also needs to be updated, because since the
following commit, included in upstream version 6.14, the kernel loads only
patches whose SHA256 digest it already knows:
 50cef76d5cb0e199 x86/microcode/AMD: Load only SHA256-checksummed patches

There is an incoming update for amd64-microcode in security-proposed[1]
that fixes CVE-2024-36350 and CVE-2024-36357; the patched microcode
versions it ships need to be present in the mentioned allowed-SHAs list.

Currently, when trying to run a plucky kernel with the proposed version of
amd64-microcode[2], the error is:
[    0.000000] microcode: No sha256 digest for patch ID: 0xa60120a found
...
[    0.741096] microcode: Current revision: 0x0a601203

The above error example is from an AMD Ryzen 9 7950X ("Raphael"), but it
could happen with other processors and microcode versions as well.

The more concerning impact is that whenever the kernel doesn't know about
a patch (i.e. it is not in the checksummed list), the machine ends up
downgraded to the version originally available from its platform
initialization.

For example, in the above case, using a device available in testflinger[3],
it would be:
- machine's original microcode:
  - patch version 0x0a601203
- current amd64-microcode version: 3.20250311.1ubuntu0.25.04.1
  - patch version 0x0a601209
- updated amd64-microcode version: 3.20250708.0ubuntu0.25.04.2[2]
  - patch version 0x0a60120a

So, when running a kernel without the checksummed SHAs, the device is not
running the previous version but an outdated one, re-exposing issues that
have already been fixed.

[ Fix ]

Cherry-pick the following upstream commit:

* 2329f250e04d3b8e x86/microcode/AMD: Add TSA microcode SHAs

[ Test Plan ]

- On boot, get the microcode version and logs with 'dmesg | grep microcode'
- Install amd64-microcode from security-proposed[1]
- Reboot
- Get the microcode logs again and check that the version was updated and
  that no sha256 digest error is present
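A small verification helper for the test plan above, added here and not part of the bug report, the kernel, or the amd64-microcode package: it parses `dmesg | grep microcode` output for the digest-rejection message and the current revision, then compares that revision with the patch version the package under test ships. The sample log lines are constructed from the messages quoted in this report, and the function name and output format are this example's own.

```shell
#!/bin/sh
# check_microcode_log LOGTEXT EXPECTED_PATCH_HEX
# Prints OK / REJECTED / MISMATCH plus detail; exit status 0 only for OK.
# Assumes the log was collected with: dmesg | grep microcode
check_microcode_log() {
    log="$1"
    expected="$2"
    # Count the kernel's "no known digest" refusal for a patch (allow-list miss).
    # `|| true` keeps `set -e` scripts alive when grep finds nothing (exit 1).
    rejected=$(printf '%s\n' "$log" | grep -c 'No sha256 digest for patch ID' || true)
    # Revision the CPU is actually running: last "Current revision" line wins.
    current=$(printf '%s\n' "$log" \
        | sed -n 's/.*Current revision: \(0x[0-9a-fA-F]*\).*/\1/p' | tail -n 1)
    # The kernel prints the patch ID as 0xa60120a but the revision as 0x0a60120a,
    # so strip the 0x prefix and leading zeros and lowercase before comparing.
    norm_cur=$(printf '%s' "$current" | sed 's/^0[xX]0*//' | tr 'A-F' 'a-f')
    norm_exp=$(printf '%s' "$expected" | sed 's/^0[xX]0*//' | tr 'A-F' 'a-f')
    if [ "$rejected" -gt 0 ]; then
        echo "REJECTED: kernel has no SHA256 digest for the new patch; running ${current:-unknown}"
        return 1
    elif [ "$norm_cur" != "$norm_exp" ]; then
        echo "MISMATCH: running ${current:-unknown}, expected $expected"
        return 2
    fi
    echo "OK: running expected revision $current"
    return 0
}

# Constructed sample logs (not captured from a real boot), modelled on the
# lines quoted in this report: a kernel without the SHAs, and one with them.
SAMPLE_BAD='[    0.000000] microcode: No sha256 digest for patch ID: 0xa60120a found
[    0.741096] microcode: Current revision: 0x0a601203'
SAMPLE_GOOD='[    0.741096] microcode: Current revision: 0x0a60120a'

check_microcode_log "$SAMPLE_BAD" 0x0a60120a || true
check_microcode_log "$SAMPLE_GOOD" 0x0a60120a
```

On a real machine run it as `check_microcode_log "$(dmesg | grep microcode)" 0x0a60120a` after the reboot step, substituting the patch version of the package you installed.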

[ Additional Information ]

[1] https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa
[2] https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=amd64-microcode&field.status_filter=published&field.series_filter=plucky
[3] https://certification.canonical.com/hardware/202409-35688/

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: linux (Ubuntu Plucky)
     Importance: Undecided
         Status: New

** Also affects: linux (Ubuntu Plucky)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2121417

Title:
  x86/microcode/AMD: Add TSA microcode SHAs

Status in linux package in Ubuntu:
  New
Status in linux source package in Plucky:
  New
