Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]

As requested by the security team, I would like to bring the microcode
update level for AMD64 processors in Bullseye and Bookworm to match what
we have in Sid and Trixie.  This is the bug report for Bullseye, a
separate one will be filed for Bookworm.

This fixes:
CVE-2023-20569 "AMD Inception" on AMD Zen4 processors

There are no relevant issues reported on this microcode update,
considering the version of amd64-microcode already available as security
updates for bookworm and bullseye.

[ Impact ]

If this update is not approved, owners of some Zen4 processors will
depend on UEFI updates to be protected against CVE-2023-20569.
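The practical question behind the [Impact] section is whether a given Zen4 host is actually running the patch level this package ships. The following Python is an added example, not part of the bug report or of the amd64-microcode package: it parses the Family/Model/Stepping/Patch table exactly as printed in the debdiff's amd-ucode/README, reads a /proc/cpuinfo-style text, and reports per core whether the loaded microcode is at or above the shipped level. The cpuinfo excerpt is constructed (the older level on CPU 1 and the values for CPU 3 are invented), and it generalises the check to any family 19h entry in the table rather than only the CVE-2023-20569 ones.

```python
import re

# Patch levels for microcode_amd_fam19h.bin, copied verbatim from the
# amd-ucode/README entries in this debdiff (Family/Model/Stepping -> Patch).
FAM19H_PATCH_LEVELS = """\
Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e Length=5568 bytes
Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e Length=5568 bytes
Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 Length=5568 bytes
Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d1 Length=5568 bytes
Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001079 Length=5568 bytes
Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001234 Length=5568 bytes
Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes
"""

# Constructed /proc/cpuinfo excerpt (only the fields this check needs).
# CPU 0: Genoa (model 0x11) at the shipped level; CPU 1: same core on an
# invented older level; CPU 2: Bergamo (model 0xa0) at the shipped level;
# CPU 3: a family 19h model for which this blob carries no patch (values invented).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 17
stepping\t: 1
microcode\t: 0xa10113e

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 17
stepping\t: 1
microcode\t: 0xa101111

processor\t: 2
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 160
stepping\t: 2
microcode\t: 0xaa00212

processor\t: 3
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 97
stepping\t: 2
microcode\t: 0xa601001
"""

PATCH_RE = re.compile(
    r"Family=(0x[0-9a-fA-F]+)\s+Model=(0x[0-9a-fA-F]+)\s+"
    r"Stepping=(0x[0-9a-fA-F]+):\s+Patch=(0x[0-9a-fA-F]+)"
)


def parse_patch_table(text):
    """Map (family, model, stepping) -> patch level from README-style lines."""
    table = {}
    for m in PATCH_RE.finditer(text):
        fam, model, step, patch = (int(x, 16) for x in m.groups())
        table[(fam, model, step)] = patch
    return table


def parse_cpuinfo(text):
    """Return one {field: value} dict per 'processor' stanza of /proc/cpuinfo."""
    cpus = []
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "processor" in fields:
            cpus.append(fields)
    return cpus


def check_cpu(fields, table):
    """Return (processor, status, running, expected).

    status is 'ok' when the loaded level is >= the shipped level, 'outdated'
    when it is lower, and 'unknown' when the table has no entry for this
    family/model/stepping (this package does not carry a patch for it)."""
    key = (int(fields["cpu family"]), int(fields["model"]), int(fields["stepping"]))
    running = int(fields["microcode"], 16)
    expected = table.get(key)
    if expected is None:
        return (fields["processor"], "unknown", running, None)
    return (fields["processor"], "ok" if running >= expected else "outdated",
            running, expected)


def check_all(cpuinfo_text, table_text=FAM19H_PATCH_LEVELS):
    """Run check_cpu over every stanza; on a real host pass open('/proc/cpuinfo').read()."""
    table = parse_patch_table(table_text)
    return [check_cpu(cpu, table) for cpu in parse_cpuinfo(cpuinfo_text)]


if __name__ == "__main__":
    for proc, status, running, expected in check_all(SAMPLE_CPUINFO):
        shown = f"{expected:#x}" if expected is not None else "n/a"
        print(f"cpu {proc}: microcode {running:#x}, shipped {shown} -> {status}")
```

The microcode field in /proc/cpuinfo reflects what is loaded right now, so an 'ok' result after installing the package only appears once the initramfs has been regenerated and the machine rebooted (or a late load has been done). It also says nothing about the kernel side of the mitigation; on kernels that carry the Inception fix, /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow reports that separately.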

[ Tests ]

There were no bug reports from users of Debian sid or Trixie, these
packages have been tested there since 2023-08-10 (sid), 2023-08-12
(trixie).

[ Risks ]

Unknown, but not believed to be any different from other AMD microcode
updates.

Linux kernel updates related to these microcode update fixes are already
available in Bookworm and Bullseye.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

As per the debdiff, only documentation changes, package documentation
changes, and the binary blob change from upstream.

Diffstat:
 README                                 |   15 +++++++++++++
 amd-ucode/README                       |   13 +++++++++++
 amd-ucode/microcode_amd_fam19h.bin     |binary
 amd-ucode/microcode_amd_fam19h.bin.asc |   16 ++++++-------
 debian/NEWS                            |   15 +++++++++++++
 debian/changelog                       |   38 +++++++++++++++++++++++++++++++++
 6 files changed, 89 insertions(+), 8 deletions(-)

[ Other info ]

The package version with "~" is needed to guarantee smooth updates to
the next debian release.

-- 
  Henrique Holschuh
diff --git a/README b/README
index cd7c30b..798d2e7 100644
--- a/README
+++ b/README
@@ -8,6 +8,21 @@ the newest of either amd-ucode or amd-sev.
 
 latest commits in this release:
 
+commit f2eb058afc57348cde66852272d6bf11da1eef8f
+Author: John Allen <john.al...@amd.com>
+Date:   Tue Aug 8 19:02:39 2023 +0000
+
+    linux-firmware: Update AMD cpu microcode
+
+    * Update AMD cpu microcode for processor family 19h
+
+    Key Name        = AMD Microcode Signing Key (for signing microcode container files only)
+    Key ID          = F328AE73
+    Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+
+    Signed-off-by: John Allen <john.al...@amd.com>
+    Signed-off-by: Josh Boyer <jwbo...@kernel.org>
+
 commit 0bc3126c9cfa0b8c761483215c25382f831a7c6f
 Author: John Allen <john.al...@amd.com>
 Date:   Wed Jul 19 19:17:57 2023 +0000
diff --git a/amd-ucode/README b/amd-ucode/README
index 1d39da3..fac1152 100644
--- a/amd-ucode/README
+++ b/amd-ucode/README
@@ -37,6 +37,19 @@ Microcode patches in microcode_amd_fam17h.bin:
   Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126e Length=3200 bytes
 
 Microcode patches in microcode_amd_fam19h.bin:
+  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e Length=5568 bytes
+  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d1 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001079 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001234 Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes
+
+NOTE: For Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19 Model=0xa0),
+either AGESA version >= 1.0.0.8 OR a kernel with the following commit is
+required:
+a32b0f0db3f3 ("x86/microcode/AMD: Load late on both threads too")
+
+When late loading the patches for Genoa or Bergamo, there may be one spurious
+NMI observed per physical core. These NMIs are benign and don't cause any
+functional issue but will result in kernel messages being logged.
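Review bot: the added NOTE (AGESA >= 1.0.0.8 or kernel commit a32b0f0db3f3 for Genoa/Bergamo) and the warning about one spurious NMI per physical core on late loading only appear in this upstream README, which most users never open; debian/NEWS in this debdiff repeats the firmware/kernel requirement but not the NMI message, so add a sentence there too, otherwise the kernel log entries are likely to be reported as a hardware fault after the first late load.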
diff --git a/amd-ucode/microcode_amd_fam19h.bin b/amd-ucode/microcode_amd_fam19h.bin
index 50470c3..02a5d05 100644
Binary files a/amd-ucode/microcode_amd_fam19h.bin and b/amd-ucode/microcode_amd_fam19h.bin differ
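Review bot: the debdiff cannot show what changed inside microcode_amd_fam19h.bin, so the only review handle for the blob is the detached signature updated alongside it; state in the upload notes that the new .bin was verified against amd-ucode/microcode_amd_fam19h.bin.asc with the key whose fingerprint the README lists, and that the patch levels extracted from the blob match the seven Family=0x19 entries in amd-ucode/README.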
diff --git a/amd-ucode/microcode_amd_fam19h.bin.asc b/amd-ucode/microcode_amd_fam19h.bin.asc
index a32b4d6..8cff901 100644
--- a/amd-ucode/microcode_amd_fam19h.bin.asc
+++ b/amd-ucode/microcode_amd_fam19h.bin.asc
@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmS3F00ACgkQ5L5TOfMo
-rnNEhQgAizSV8IFpvaYNytaJKLA4uevrZneGPV4czjCXnnj1yHpfQmCTyZQnoLnx
-7gyzf7K5271zO51FBQ5z2Nm48a3XPUhMbQLNP4BZdekLiA3bRpMtSyHct6zD0ULm
-xaFaOQ7MR1tGADhlon1bDvtnOuixUhwrZhEIlR9MzQAzERKDMOAVTbxn9ZhMfYiT
-LhA791Blyyi+6Z9uh7BpaA8l8uvoxt+uuvlBTjQMR3ER/TEjgcsoy+XhhK4QKS0V
-wJCtcDle/3pF+N6SAFWiXbNZ+P8p19afhcYddDl97xtpzA6/8b20a2eHkrqnu/Ds
-jTozF9kmhiifYMYpXtXgSOwI3GRZbQ==
-=t+j1
+iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmTEYrcACgkQ5L5TOfMo
+rnN4IQf/QKbOezXZ4OYzaPANvsZQEAzLNfuylC/aQMwrPaO7daz5/zmCN4HU5XkH
+dDT8DYfPg+fQHIgxAw0/L24xPOm5Op/QuLVDyDqVr4qvL8+65eeI+JqxD/wXMXYN
+V34kkLM2p8iuyY1Nc8IDLXu4X75KGNPbKZlMRKMU3Pr7ai5O4ihmiAM+N6qv1KEJ
+YToNN6vrg0qt1cv0SLM8sa4e7L1+oblUrg/o0FViYE8pxsU3ZRRVSJMUg+lKjvl/
+1ZPGKOdD80fcNJ+ItYGHNNs3eCc3WgW7Kc/E668eH75Yu9Zt7ewWZX8Sg/mygleY
+OzMwhbPJg4bF4zm7C/Pku7i1T2Omcg==
+=km2X
 -----END PGP SIGNATURE-----
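Review bot: the replaced signature is consistent with the key named in the README: the old and the new armored blocks share the prefix `iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAm`, and the base64 following `FiEE` (the issuer-fingerprint subpacket header) decodes to FC7C6C505DAFCC14718357CAE4BE5339F328AE73, the fingerprint printed in README; only the creation time and the signature body differ, as expected for a re-signed blob. What the hunk cannot show is that the signature validates the new .bin, so a `gpg --verify` result in the upload notes would close the loop.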
diff --git a/debian/NEWS b/debian/NEWS
index 433ac3f..0780d06 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,18 @@
+amd64-microcode (3.20230808.1) unstable; urgency=high
+
+    This release requires *either* new-enough system firmware, *or* a
+    recent-enough Linux kernel to properly work on AMD Genoa and Bergamo
+    processors.
+
+    The firmware requirement is AGESA 1.0.0.8 or newer.
+
+    The Linux kernel requirement is a group of patches that are already
+    present in the Linux stable/LTS trees since versions: v4.19.289,
+    v5.4.250, v5.10.187, v5.15.120, v6.1.37, v6.3.11 and v6.4.1.  These
+    patches are also present in Linux v6.5-rc1.
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Thu, 10 Aug 2023 09:32:37 -0300
+
 amd64-microcode (2.20141028.1) unstable; urgency=medium
 
     This release drops support for automatically applying microcode updates
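Review bot: the NEWS entry names the kernel requirement only as upstream stable versions (v4.19.289, v5.4.250, v5.10.187, v5.15.120, v6.1.37, v6.3.11, v6.4.1), but this upload targets bullseye, whose users need to know which bullseye linux package version carries those patches; the cover letter states the kernel updates are already in Bullseye and Bookworm, so name the Debian kernel version in the ~deb11u1 NEWS or changelog text rather than leaving the mapping to the reader.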
diff --git a/debian/changelog b/debian/changelog
index 8288d46..fdf0d2e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,38 @@
+amd64-microcode (3.20230808.1.1~deb11u1) bullseye; urgency=medium
+
+  * Build for bullseye
+  * Revert move to non-free-firmware
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Sat, 02 Sep 2023 20:38:42 -0300
+
+amd64-microcode (3.20230808.1.1) unstable; urgency=high
+
+  * Update package data from linux-firmware 20230804-6-gf2eb058a
+    * Fixes for CVE-2023-20569 "AMD Inception" on AMD Zen4 processors
+    (closes: #1043381)
+  * WARNING: for proper operation on AMD Genoa and Bergamo processors,
+    either up-to-date BIOS (with AGESA 1.0.0.8 or newer) or up-to-date
+    Linux kernels (minimal versions on each active Linux stable branch:
+    v4.19.289 v5.4.250 v5.10.187 v5.15.120 v6.1.37 v6.3.11 v6.4.1)
+    are *required*
+  * New Microcode patches:
+    +  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e
+    +  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e
+    +  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212
+    +  Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116
+  * README: update for new release
+  * debian/NEWS: AMD Genoa/Bergamo kernel version restrictions
+  * debian/changelog: update entry for release 3.20230719.1, noting
+    that it included fixes for "AMD Inception" for Zen3 processors.
+    We did not know about AMD Inception at the time, but we always
+    include all available microcode updates when issuing a new
+    package, so we lucked out.
+  * debian/changelog: correct some information in 3.20230808.1
+    entry and reupload as 3.20230808.1.1.  There's no Zenbleed
+    for Zen4... oops!
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Thu, 10 Aug 2023 10:18:38 -0300
+
 amd64-microcode (3.20230719.1~deb11u1) bullseye-security; urgency=high
 
   * Build for bullseye-security
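Review bot: the bullseye entry says "Revert move to non-free-firmware", yet the diffstat in the cover letter lists no debian/control change; that is only consistent if the debdiff was taken against 3.20230719.1~deb11u1, where the section was already reverted, so state the base version explicitly to stop a reviewer looking for a missing control hunk. Minor: the stable entry is urgency=medium while the unstable upload of the same CVE-2023-20569 fix is urgency=high; either is acceptable for pu, but the mismatch deserves a word.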
@@ -10,6 +45,9 @@ amd64-microcode (3.20230719.1) unstable; urgency=high
   * Update package data from linux-firmware 20230625-39-g59fbffa9:
     * Fixes for CVE-2023-20593 "Zenbleed" on AMD Zen2 processors
       (closes: #1041863)
+    * Fixes for CVE-2023-20569 "AMD Inception" on AMD Zen3 processors
+      (this changelog entry time-travelled from the future, we were
+      lucky we always include all microcode updates available)
     * New Microcode patches:
       + Family=0x17 Model=0xa0 Stepping=0x00: Patch=0x08a00008
     * Updated Microcode patches:
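Review bot: this hunk rewrites the already-released 3.20230719.1 changelog entry to add the Zen3 Inception note, which the new 3.20230808.1.1 entry above already records ("debian/changelog: update entry for release 3.20230719.1 ..."); consider leaving published entries untouched and keeping the correction only in the new entry, so that tools comparing the old and new changelogs do not see rewritten history. If the retroactive edit stays, the "time-travelled from the future" aside would read more clearly as "added retroactively in 3.20230808.1.1".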
