From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xenproject.org>
Cc: "Andrew Cooper" <andrew.cooper3@citrix.com>,
"Jan Beulich" <JBeulich@suse.com>,
"Roger Pau Monné" <roger.pau@citrix.com>
Subject: [PATCH v2 4/5] x86/ucode: Refine the boundary checks for Entrysign
Date: Mon, 27 Oct 2025 22:17:01 +0000 [thread overview]
Message-ID: <20251027221702.3362552-5-andrew.cooper3@citrix.com> (raw)
In-Reply-To: <20251027221702.3362552-1-andrew.cooper3@citrix.com>
After initial publication, the SB-7033 / CVE-2024-36347 bulletin was updated
to list Zen5 CPUs as vulnerable. Use Fam1ah as an upper bound, and adjust the
command line documentation.
When the Zen6 (also Fam1ah processors) model numbers are known, they'll want
excluding from the family ranges.
Fixes: 630e8875ab36 ("x86/ucode: Perform extra SHA2 checks on AMD Fam17h/19h microcode")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
v2:
* New
---
docs/misc/xen-command-line.pandoc | 7 ++++---
xen/arch/x86/cpu/microcode/amd.c | 9 +++++++--
2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc
index 28a98321c762..34004ce282be 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -2826,9 +2826,10 @@ stop_machine context. In NMI handler, even NMIs are blocked, which is
considered safer. The default value is `true`.
The `digest-check=` option is active by default and controls whether to
-perform additional authenticity checks. Collisions in the signature algorithm
-used by AMD Fam17h/19h processors have been found. Xen contains a table of
-digests of microcode patches with known-good provenance, and will block
+perform additional authenticity checks. The Entrysign vulnerability (AMD
+SB-7033, CVE-2024-36347) on Zen1-5 processors allows forging the signature on
+arbitrary microcode such that it is accepted by the CPU. Xen contains a table
+of digests of microcode patches with known-good provenance, and will block
loading of patches that do not match.
### unrestricted_guest (Intel)
diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c
index ba03401c24c5..f331d9dfee6e 100644
--- a/xen/arch/x86/cpu/microcode/amd.c
+++ b/xen/arch/x86/cpu/microcode/amd.c
@@ -125,7 +125,7 @@ static bool check_digest(const struct container_microcode *mc)
* microcode updates. Mitigate by checking the digest of the patch
* against a list of known provenance.
*/
- if ( boot_cpu_data.family < 0x17 ||
+ if ( boot_cpu_data.family < 0x17 || boot_cpu_data.family > 0x1a ||
!opt_digest_check )
return true;
@@ -571,7 +571,12 @@ static const struct microcode_ops __initconst_cf_clobber amd_ucode_ops = {
void __init ucode_probe_amd(struct microcode_ops *ops)
{
- if ( !opt_digest_check && boot_cpu_data.family >= 0x17 )
+ /*
+ * The Entrysign vulnerability (SB-7033, CVE-2024-36347) affects Zen1-5
+ * CPUs. Taint Xen if digest checking is turned off.
+ */
+ if ( boot_cpu_data.family >= 0x17 && boot_cpu_data.family <= 0x1a &&
+ !opt_digest_check )
{
printk(XENLOG_WARNING
"Microcode patch additional digest checks disabled\n");
--
2.39.5
next prev parent reply other threads:[~2025-10-27 22:17 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-27 22:16 [PATCH for-4.21 0/5] x86/ucode: Support loading latest ucode from linux-firwmare Andrew Cooper
2025-10-27 22:16 ` [PATCH v2 1/5] x86/ucode: Abort parallel load early on any control thread error Andrew Cooper
2025-10-27 22:16 ` [PATCH v2 2/5] x86/ucode: Refine TLB flush fix for AMD Fam17h CPUs Andrew Cooper
2025-10-27 22:17 ` [PATCH v2 3/5] x86/ucode: Cross check the minimum revision Andrew Cooper
2025-10-27 22:17 ` Andrew Cooper [this message]
2025-10-28 9:32 ` [PATCH v2 4/5] x86/ucode: Refine the boundary checks for Entrysign Jan Beulich
2025-10-28 10:34 ` Andrew Cooper
2025-10-27 22:17 ` [PATCH v2 5/5] x86/ucode: Relax digest check when Entrysign is fixed in firmware Andrew Cooper
2025-10-28 9:47 ` Jan Beulich
2025-10-28 11:31 ` Andrew Cooper
2025-10-28 13:29 ` Jan Beulich
2025-10-28 14:48 ` [PATCH for-4.21 0/5] x86/ucode: Support loading latest ucode from linux-firwmare Oleksii Kurochko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251027221702.3362552-5-andrew.cooper3@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=JBeulich@suse.com \
--cc=roger.pau@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).