[xen staging-4.18] x86/ucode: Refine the boundary checks for Entrysign
 commit 4112b5c6a2443f41f9b6047168d64ae897ffe616
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Mon Oct 27 19:59:47 2025 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Oct 28 18:18:20 2025 +0000
    x86/ucode: Refine the boundary checks for Entrysign
    
    After initial publication, the SB-7033 / CVE-2024-36347 bulletin was updated
    to list Zen5 CPUs as vulnerable.  Use Fam1ah as an upper bound, and adjust the
    command line documentation.
    
    When the Zen6 (also Fam1ah processors) model numbers are known, they'll want
    excluding from the range.
    
    Fixes: 630e8875ab36 ("x86/ucode: Perform extra SHA2 checks on AMD Fam17h/19h microcode")
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Acked-by: Jan Beulich <jbeulich@xxxxxxxx>
    Release-Acked-By: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
    (cherry picked from commit c2529496d07326f7a234c0c8e565bc8ec87d7836)
---
 docs/misc/xen-command-line.pandoc | 7 ++++---
 xen/arch/x86/cpu/microcode/amd.c  | 2 +-
 xen/arch/x86/cpu/microcode/core.c | 8 ++++++--
 3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
index bb04d3d124..63ff245c6a 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -2683,9 +2683,10 @@ of the same version, and this allows for easy testing of 
the late microcode
 loading path.
 
 The `digest-check=` option is active by default and controls whether to
-perform additional authenticity checks.  Collisions in the signature algorithm
-used by AMD Fam17h/19h processors have been found.  Xen contains a table of
-digests of microcode patches with known-good provenance, and will block
+perform additional authenticity checks.  The Entrysign vulnerability (AMD
+SB-7033, CVE-2024-36347) on Zen1-5 processors allows forging the signature on
+arbitrary microcode such that it is accepted by the CPU.  Xen contains a table
+of digests of microcode patches with known-good provenance, and will block
 loading of patches that do not match.
 
 ### unrestricted_guest (Intel)
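Review bot: the new doc text says the check covers "Zen1-5 processors", but the code in this same patch gates on family numbers 0x17 through 0x1a, and the commit message itself notes that Zen6 parts are also Fam1ah and will only be carved out of the range once their model numbers are known. As written, a reader of the docs will conclude Zen6 is not covered by `digest-check=` while the hypervisor will in fact apply the check to it until that follow-up lands. Consider stating the actual gate, e.g. "on AMD Fam17h-1Ah (Zen1-5) processors", or adding a sentence that the range is an upper bound pending Zen6 model information, so the documentation and the code agree.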
diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c
index 18c025d65d..45a7d4cc03 100644
--- a/xen/arch/x86/cpu/microcode/amd.c
+++ b/xen/arch/x86/cpu/microcode/amd.c
@@ -126,7 +126,7 @@ static bool check_digest(const struct container_microcode 
*mc)
      * microcode updates.  Mitigate by checking the digest of the patch
      * against a list of known provenance.
      */
-    if ( boot_cpu_data.x86 < 0x17 ||
+    if ( boot_cpu_data.x86 < 0x17 || boot_cpu_data.x86 > 0x1a ||
          !opt_digest_check )
         return true;
 
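Review bot: the new `boot_cpu_data.x86 > 0x1a` clause makes `check_digest()` fail open (return true, i.e. skip the digest check) for any family newer than 0x1a, yet the comment immediately above the condition ("Mitigate by checking the digest of the patch against a list of known provenance") says nothing about which families are in scope or why 0x1a is the ceiling. The core.c hunk in this patch gains a comment naming SB-7033 / CVE-2024-36347 and Zen1-5; mirror that here, and say explicitly that families beyond 0x1a are assumed unaffected, so the next person who sees the early `return true` does not read it as an accidental bypass.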
diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c
index 0e776264f3..22330099df 100644
--- a/xen/arch/x86/cpu/microcode/core.c
+++ b/xen/arch/x86/cpu/microcode/core.c
@@ -870,8 +870,12 @@ int __init early_microcode_init(unsigned long *module_map,
     switch ( c->x86_vendor )
     {
     case X86_VENDOR_AMD:
-        if ( !opt_digest_check &&
-             boot_cpu_data.x86 >= 0x17 )
+        /*
+         * The Entrysign vulnerability (SB-7033, CVE-2024-36347) affects
+         * Zen1-5 CPUs.  Taint Xen if digest checking is turned off.
+         */
+        if ( boot_cpu_data.x86 >= 0x17 && boot_cpu_data.x86 <= 0x1a &&
+             !opt_digest_check )
         {
             printk(XENLOG_WARNING
                    "Microcode patch additional digest checks disabled\n");
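Review bot: the family range `x86 >= 0x17 && x86 <= 0x1a` is now hardcoded in two places, this taint check in core.c and the `< 0x17 || > 0x1a` test in amd.c's `check_digest()`, and the commit message already anticipates a further refinement (excluding Zen6 models from Fam1ah). When that change comes, a model-based exclusion added to one site and forgotten in the other would leave the warning and the actual check disagreeing. Suggest factoring the predicate into a single helper (for example an `entrysign_affected(const struct cpuinfo_x86 *c)` style function shared by both files) so that both callers change in lockstep.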
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.18