What about https://git.kernel.org/torvalds/c/d8010d4ba43e9? That's the other half of TSA. The microcode is pointless without the kernel work.
--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2121417

Title:
  x86/microcode/AMD: Add TSA microcode SHAs

Status in linux package in Ubuntu:
  New
Status in linux source package in Noble:
  New
Status in linux source package in Plucky:
  Fix Released

Bug description:

SRU Justification:

[ Impact ]

When updating AMD microcodes with the package amd64-microcode, which places the microcodes in `usr/lib/firmware/amd-ucode`, an update on the allowed SHAs on the kernel side is needed since the following commit included in upstream version 6.14:

  50cef76d5cb0e199 x86/microcode/AMD: Load only SHA256-checksummed patches

There is an incoming update for amd64-microcode in security-proposed[1] that fixes CVE-2024-36350, and CVE-2024-36357 that needs to have the patched version in the mentioned allowed SHAs list.

Currently, when trying to run a plucky kernel with the proposed version of amd64-microcode[2], the error is:

  [ 0.000000] microcode: No sha256 digest for patch ID: 0xa60120a found
  ...
  [ 0.741096] microcode: Current revision: 0x0a601203

Above example of error is for AMD Ryzen 9 7950X ("Raphael") but could happen with other processors and microcode version as well.

The more concerning impact here is that, whenever the kernel doesn't know about a patch (not in the checksummed list) it will end up downgrading to the version originally available in the machine's platform initialization.

For example, in the above case, using a device available in testflinger[3], it would be:

- machine's original microcode:
  - patch version 0x0a601203
- current amd64-microcode version: 3.20250311.1ubuntu0.25.04.1
  - patch version 0x0a601209
- updated amd64-microcode version: 3.20250708.0ubuntu0.25.04.2[2]
  - patch version 0x0a60120a

So, when running a kernel without the checksummed SHAs the device is not running with the previous version but with an outdated version uncovering possible already fixed issues.

[ Fix ]

Cherry-pick following upstream commit:

* 2329f250e04d3b8e x86/microcode/AMD: Add TSA microcode SHAs

[ Test Plan ]

- On boot, get microcode version and logs with 'dmesg | grep microcode'
- Install amd64-microcode from security-proposed[1]
- Reboot
- Get microcode logs and check version update and sha256 digest error

[ Additional Information ]

[1] https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa
[2] https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=amd64-microcode&field.status_filter=published&field.series_filter=plucky
[3] https://certification.canonical.com/hardware/202409-35688/
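
The last step of the test plan above, as an added example that is not part of the bug report or of any Ubuntu or kernel tooling: it scans the `microcode:` log lines for the digest rejection and compares the running revision against the one the package should deliver. The function names and exit codes are hypothetical, the expected revision is supplied by the caller, and the sample log is constructed from the two lines quoted in the report.

```shell
#!/bin/sh
# Constructed sample: the two kernel log lines quoted in the bug description.
SAMPLE_LOG='[    0.000000] microcode: No sha256 digest for patch ID: 0xa60120a found
[    0.741096] microcode: Current revision: 0x0a601203'

# Print every patch ID the kernel refused because no digest was listed for it.
rejected_patch_ids() {
    sed -n 's/.*microcode: No sha256 digest for patch ID: \(0x[0-9a-fA-F]*\) found.*/\1/p'
}

# Print the last running revision reported in the log.
current_revision() {
    sed -n 's/.*microcode: Current revision: \(0x[0-9a-fA-F]*\).*/\1/p' | tail -n 1
}

# check_microcode LOG EXPECTED_REV
# Exit status (hypothetical convention for this example):
#   0 running revision >= expected and no patch rejected
#   1 a patch was rejected for a missing sha256 digest
#   2 no rejection logged, but running revision is below expected
#   3 no "Current revision" line in the log
check_microcode() {
    cm_log=$1
    cm_expected=$2
    cm_rejected=$(printf '%s\n' "$cm_log" | rejected_patch_ids | tr '\n' ' ')
    cm_running=$(printf '%s\n' "$cm_log" | current_revision)
    if [ -z "$cm_running" ]; then
        echo "UNKNOWN: no 'Current revision' line in log"
        return 3
    fi
    # Arithmetic expansion normalises 0xa60120a and 0x0a60120a to the same value.
    cm_run_n=$(($cm_running))
    cm_exp_n=$(($cm_expected))
    if [ -n "$cm_rejected" ]; then
        printf 'REJECTED: no sha256 digest for %s; running 0x%08x, expected 0x%08x\n' \
            "$cm_rejected" "$cm_run_n" "$cm_exp_n"
        return 1
    fi
    if [ "$cm_run_n" -lt "$cm_exp_n" ]; then
        printf 'STALE: running 0x%08x, expected 0x%08x\n' "$cm_run_n" "$cm_exp_n"
        return 2
    fi
    printf 'OK: running 0x%08x\n' "$cm_run_n"
    return 0
}

# Demo on the constructed sample; the expected revision is the patch version from the report.
check_microcode "$SAMPLE_LOG" 0x0a60120a || true
```

On a live system the first argument would be the output of `dmesg | grep microcode`, captured before and after the reboot in the test plan.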

