
URL: https://www.phoronix.com/news/AMD-Zen-3-Zen-4-Microcode-Sign


AMD Updates Zen 3 / Zen 4 CPU Microcode For Systems Lacking Microcode Signing Fix

Written by Michael Larabel in AMD on 29 October 2025 at 06:11 AM EDT.
AMD this week uploaded new Family 19h CPU microcode for Zen 3 and Zen 4 processors to the linux-firmware.git repository, which in turn is pulled by the Linux distributions to offer the latest firmware/microcode to users.

AMD CPU microcode updates to linux-firmware.git typically come without any change-log or details as to the changes, but this time is different. Thanks to a README update we have a bit more context around this new Zen 3 / Zen 4 microcode update.

Earlier this year AMD announced a CPU microcode signature verification vulnerability that was discovered by Google. An attacker with system admin privileges could load malicious CPU microcode patches that didn't need to be signed by AMD. In turn, the malicious CPU microcode patches could lead to loss of integrity for x86 instruction execution, loss of confidentiality and integrity of data, or compromise of the SMM execution environment. AMD's security bulletin goes into all the details, but long story short, the signature verification in the AMD CPU ROM microcode patch loader was inadequate.

AMD released updated BIOS/microcode to deal with this issue, but not all motherboard/system vendors shipped an updated BIOS to their customers. This week's new AMD Family 19h CPU microcode for Linux adds a second patch that brings the microcode to the highest possible level without the microcode signing fix. It offers some reprieve for those lacking an updated BIOS who still want to run as much updated CPU microcode at run-time as possible.



The README update with the new microcode commit explains:
"NOTE: In order to not fully abandon machines affected by AMD-SB-7033 that have not received the BIOS update, the family 19h microcode container now includes a second patch for these machines that brings the microcode to the highest possible level without the microcode signing fix. While a BIOS update is highly recommended to receive the latest security updates issued after the microcode signing vulnerability, this will allow non-updated systems to at least receive some microcode updates beyond the version provided by BIOS."

So a nice effort by AMD for those on prior-generation Zen 3 / Zen 4 products on Linux.
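To see which CPUs a microcode container offers more than one patch level for, the sketch below walks the container sections and groups patch IDs by `processor_rev_id`. It is an added example, not code from AMD, linux-firmware or Phoronix; the section layout follows the structures in the Linux kernel's AMD microcode loader, the sample container and its IDs are constructed, and it assumes both patches for one CPU carry the same `processor_rev_id`.

```python
import struct
from collections import defaultdict

UCODE_MAGIC = 0x00414D44   # container magic
EQUIV_TABLE, PATCH = 0, 1  # section types
PATCH_HDR_LEN = 64         # size of struct microcode_header_amd

def list_patches(blob):
    """Return (patch_id, processor_rev_id) for each patch section."""
    magic, sec_type, equiv_len = struct.unpack_from("<III", blob, 0)
    if magic != UCODE_MAGIC or sec_type != EQUIV_TABLE:
        raise ValueError("not an AMD microcode container")
    off, found = 12 + equiv_len, []   # skip header and equivalence table
    while off < len(blob):
        if off + 8 > len(blob):
            raise ValueError("truncated section header")
        sec_type, size = struct.unpack_from("<II", blob, off)
        off += 8
        if sec_type != PATCH or size < PATCH_HDR_LEN or off + size > len(blob):
            raise ValueError(f"bad patch section at offset {off - 8}")
        (patch_id,) = struct.unpack_from("<I", blob, off + 4)   # patch level
        (proc_rev,) = struct.unpack_from("<H", blob, off + 24)  # target CPU id
        found.append((patch_id, proc_rev))
        off += size
    return found

def patches_per_cpu(blob):
    """Map processor_rev_id -> sorted patch levels offered for it."""
    by_cpu = defaultdict(list)
    for patch_id, proc_rev in list_patches(blob):
        by_cpu[proc_rev].append(patch_id)
    return {cpu: sorted(ids) for cpu, ids in by_cpu.items()}

def build_sample():
    """Constructed container: made-up IDs, zeroed patch bodies."""
    def patch(patch_id, proc_rev):
        body = bytearray(PATCH_HDR_LEN + 32)
        struct.pack_into("<I", body, 4, patch_id)
        struct.pack_into("<H", body, 24, proc_rev)
        return struct.pack("<II", PATCH, len(body)) + bytes(body)
    equiv = struct.pack("<IIIHH", 0x1111, 0, 0, 0x1111, 0) + bytes(16)
    head = struct.pack("<III", UCODE_MAGIC, EQUIV_TABLE, len(equiv))
    return head + equiv + patch(0x11110002, 0x1111) + \
        patch(0x11110001, 0x1111) + patch(0x22220001, 0x2222)

if __name__ == "__main__":
    for cpu, ids in patches_per_cpu(build_sample()).items():
        note = "  <- more than one patch level" if len(ids) > 1 else ""
        print(f"{cpu:#06x}: {[hex(i) for i in ids]}{note}")
```

Comparing the listed patch levels with the `microcode` field in `/proc/cpuinfo` shows which level a given machine is actually running.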

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.