On Sat, Mar 08, 2025 at 01:28:07AM +0000, Andrew Cooper wrote:
> On 06/03/2025 4:48 am, Solar Designer wrote:
> > On Thu, Mar 06, 2025 at 04:11:25AM +0000, Andrew Cooper wrote:
> >> This issue wins points for spite, because the highest risk users are the
> >> ones who were taking proactive steps to try and improve their security,
> >> betting that AMD's patchloader crypto was sound.
> > OK, so this is to protect legitimate sysadmins from loading malicious
> > microcode inadvertently or via a supply chain attack. Makes sense.
>
> Sorry for the delay, I knew there was a distro formally doing this, but
> I'd lost track of the links.
>
> https://github.com/divestedcg/real-ucode which is packaged for Arch as
> https://aur.archlinux.org/packages/amd-real-ucode-git (and an equivalent
> Intel package).

Thank you for these followup postings, Andrew! They're very helpful.

I have one late nitpick to add - as jericho @attritionorg pointed out on
Twitter, the Subject line here gives an incorrect CVE number. The
correct one is CVE-2024-36347.

Alexander
