[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging-4.20] x86/ucode: Refine the boundary checks for Entrysign

commit f42dff8429566c40e268c16e7266baa4fc7d4be7
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Mon Oct 27 19:59:47 2025 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Oct 28 15:48:07 2025 +0000

    x86/ucode: Refine the boundary checks for Entrysign
    
    After initial publication, the SB-7033 / CVE-2024-36347 bulletin was updated
    to list Zen5 CPUs as vulnerable.  Use Fam1ah as an upper bound, and adjust 
the
    command line documentation.
    
    When the Zen6 (also Fam1ah processors) model numbers are known, they'll want
    excluding from the range.
    
    Fixes: 630e8875ab36 ("x86/ucode: Perform extra SHA2 checks on AMD 
Fam17h/19h microcode")
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Acked-by: Jan Beulich <jbeulich@xxxxxxxx>
    Release-Acked-By: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
    (cherry picked from commit c2529496d07326f7a234c0c8e565bc8ec87d7836)
---
 docs/misc/xen-command-line.pandoc | 7 ++++---
 xen/arch/x86/cpu/microcode/amd.c  | 9 +++++++--
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/docs/misc/xen-command-line.pandoc 
b/docs/misc/xen-command-line.pandoc
index dba5d7f31e..ff7bc7e861 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -2772,9 +2772,10 @@ stop_machine context. In NMI handler, even NMIs are 
blocked, which is
 considered safer. The default value is `true`.
 
 The `digest-check=` option is active by default and controls whether to
-perform additional authenticity checks.  Collisions in the signature algorithm
-used by AMD Fam17h/19h processors have been found.  Xen contains a table of
-digests of microcode patches with known-good provenance, and will block
+perform additional authenticity checks.  The Entrysign vulnerability (AMD
+SB-7033, CVE-2024-36347) on Zen1-5 processors allows forging the signature on
+arbitrary microcode such that it is accepted by the CPU.  Xen contains a table
+of digests of microcode patches with known-good provenance, and will block
 loading of patches that do not match.
 
 ### unrestricted_guest (Intel)
diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c
index bfeb81f596..eeb51bbfe7 100644
--- a/xen/arch/x86/cpu/microcode/amd.c
+++ b/xen/arch/x86/cpu/microcode/amd.c
@@ -126,7 +126,7 @@ static bool check_digest(const struct container_microcode 
*mc)
      * microcode updates.  Mitigate by checking the digest of the patch
      * against a list of known provenance.
      */
-    if ( boot_cpu_data.x86 < 0x17 ||
+    if ( boot_cpu_data.x86 < 0x17 || boot_cpu_data.x86 > 0x1a ||
          !opt_digest_check )
         return true;
 
@@ -564,7 +564,12 @@ static const struct microcode_ops __initconst_cf_clobber 
amd_ucode_ops = {
 
 void __init ucode_probe_amd(struct microcode_ops *ops)
 {
-    if ( !opt_digest_check && boot_cpu_data.x86 >= 0x17 )
+    /*
+     * The Entrysign vulnerability (SB-7033, CVE-2024-36347) affects Zen1-5
+     * CPUs.  Taint Xen if digest checking is turned off.
+     */
+    if ( boot_cpu_data.x86 >= 0x17 && boot_cpu_data.x86 <= 0x1a &&
+         !opt_digest_check )
     {
         printk(XENLOG_WARNING
                "Microcode patch additional digest checks disabled\n");
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.20

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.