Bug#1053290: bullseye-pu: package amd64-microcode/3.20230808.1.1~deb11u1

2023-10-01 Thread Henrique de Moraes Holschuh
Uploaded (source + amd64 binaries).

Thank you!

-- 
  Henrique de Moraes Holschuh 



Bug#1053290: bullseye-pu: package amd64-microcode/3.20230808.1.1~deb11u1

2023-10-01 Thread Adam D. Barratt
Control: tags -1 confirmed

On Sat, 2023-09-30 at 20:21 -0300, Henrique de Moraes Holschuh wrote:
> As requested by the security team, I would like to bring the microcode
> update level for AMD64 processors in Bullseye and Bookworm to match what
> we have in Sid and Trixie.  This is the bug report for Bullseye, a
> separate one will be filed for Bookworm.
> 
> This fixes:
> CVE-2023-20569 "AMD Inception" on AMD Zen4 processors
> 

The upload window for the next point release closes at some point today
(UTC). If the upload happens in time then we can look at getting it
included for this cycle, but at this stage it's certainly too close to
promise anything.

Regards,

Adam



Bug#1053290: bullseye-pu: package amd64-microcode/3.20230808.1.1~deb11u1

2023-09-30 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

As requested by the security team, I would like to bring the microcode
update level for AMD64 processors in Bullseye and Bookworm to match what
we have in Sid and Trixie.  This is the bug report for Bullseye, a
separate one will be filed for Bookworm.

This fixes:
CVE-2023-20569 "AMD Inception" on AMD Zen4 processors

There are no relevant issues reported on this microcode update,
considering the version of amd64-microcode already available as security
updates for bookworm and bullseye.

[ Impact ]

If this update is not approved, owners of some Zen4 processors will
depend on UEFI updates to be protected against CVE-2023-20569.

[ Tests ]

There were no bug reports from users of Debian sid or Trixie, these
packages have been tested there since 2023-08-10 (sid), 2023-08-12
(trixie).

[ Risks ]

Unknown, but not believed to be any different from other AMD microcode
updates.

Linux kernel updates related to these microcode update fixes are already
available in Bookworm and Bullseye.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

As per the debdiff, only documentation changes, package documentation
changes, and the binary blob change from upstream.

Diffstat:
 README |   15 +
 amd-ucode/README   |   13 +++
 amd-ucode/microcode_amd_fam19h.bin |binary
 amd-ucode/microcode_amd_fam19h.bin.asc |   16 ++---
 debian/NEWS|   15 +
 debian/changelog   |   38 +
 6 files changed, 89 insertions(+), 8 deletions(-)

[ Other info ]

The package version with "~" is needed to guarantee smooth updates to
the next debian release.

-- 
  Henrique Holschuh
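A quick way to check a host against the patch levels this upload ships, as an added example that is not part of the bug report or of the amd64-microcode package: it reads the "cpu family", "model", "stepping" and "microcode" fields the way /proc/cpuinfo prints them and compares the running revision against the Family 0x19 table from the amd-ucode/README in the debdiff. The cpuinfo text embedded below is constructed (the revisions 0xa101100 and 0xa601203 are made up), and the assumption that a higher patch id is a newer revision for the same family/model/stepping is mine, not something the bug report states.

```python
"""Compare a host's AMD microcode revision with the family 0x19 patch levels
listed in the amd64-microcode 3.20230808.1 debdiff.  Example added for this
thread; not code from the package or from Debian."""

# (family, model, stepping) -> patch id, copied from the amd-ucode/README
# entries for microcode_amd_fam19h.bin in the debdiff.
FAM19H_PATCHES = {
    (0x19, 0x11, 0x01): 0x0a10113e,
    (0x19, 0x11, 0x02): 0x0a10123e,
    (0x19, 0xa0, 0x02): 0x0aa00212,
    (0x19, 0x01, 0x01): 0x0a0011d1,
    (0x19, 0x01, 0x00): 0x0a001079,
    (0x19, 0x01, 0x02): 0x0a001234,
    (0x19, 0xa0, 0x01): 0x0aa00116,
}

# Constructed /proc/cpuinfo excerpt.  The kernel prints "cpu family", "model"
# and "stepping" in decimal (25 == 0x19, 17 == 0x11) and "microcode" in hex.
# cpu0 is at the shipped level, cpu1 carries a made-up older revision, cpu2
# is a made-up model the fam19h table does not cover at all.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 17
model name\t: constructed sample
stepping\t: 1
microcode\t: 0xa10113e

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 17
model name\t: constructed sample
stepping\t: 1
microcode\t: 0xa101100

processor\t: 2
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 97
model name\t: constructed sample
stepping\t: 2
microcode\t: 0xa601203
"""


def parse_cpuinfo(text):
    """Return one dict per processor block with the fields needed here."""
    cpus = []
    for block in text.split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
        if "microcode" not in fields:
            continue
        cpus.append({
            "processor": int(fields["processor"]),
            "family": int(fields["cpu family"]),
            "model": int(fields["model"]),
            "stepping": int(fields["stepping"]),
            "microcode": int(fields["microcode"], 16),
        })
    return cpus


def check_cpu(cpu, table=FAM19H_PATCHES):
    """Classify one processor against the shipped patch table.

    Returns (status, shipped_patch).  "current" means the running revision is
    at least the shipped one, "outdated" means it is lower, and "not-covered"
    means the package carries no patch for this family/model/stepping (the
    "depend on UEFI updates" case from the [ Impact ] section).  Assumption:
    AMD patch ids increase with newer revisions for one family/model/stepping.
    """
    key = (cpu["family"], cpu["model"], cpu["stepping"])
    shipped = table.get(key)
    if shipped is None:
        return "not-covered", None
    if cpu["microcode"] >= shipped:
        return "current", shipped
    return "outdated", shipped


def report(text, table=FAM19H_PATCHES):
    """Return [(processor, status, shipped_patch)] for every CPU in text."""
    return [(cpu["processor"],) + check_cpu(cpu, table)
            for cpu in parse_cpuinfo(text)]


if __name__ == "__main__":
    import sys
    # Pass /proc/cpuinfo as the first argument on a real host; with no
    # argument the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CPUINFO
    for proc, status, shipped in report(text):
        shown = "n/a" if shipped is None else f"0x{shipped:08x}"
        print(f"cpu{proc}: {status} (shipped patch {shown})")
```

On a live bullseye host run it as `python3 check_ucode.py /proc/cpuinfo` after the new package is installed and the microcode has been loaded (early load on reboot, or whatever late-load path is used), and read "not-covered" as "this update does nothing for you, look for a UEFI update", which is exactly the population the [ Impact ] paragraph describes.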
diff --git a/README b/README
index cd7c30b..798d2e7 100644
--- a/README
+++ b/README
@@ -8,6 +8,21 @@ the newest of either amd-ucode or amd-sev.
 
 latest commits in this release:
 
+commit f2eb058afc57348cde66852272d6bf11da1eef8f
+Author: John Allen 
+Date:   Tue Aug 8 19:02:39 2023 +
+
+linux-firmware: Update AMD cpu microcode
+
+* Update AMD cpu microcode for processor family 19h
+
+Key Name= AMD Microcode Signing Key (for signing microcode container files only)
+Key ID  = F328AE73
+Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+
+Signed-off-by: John Allen 
+Signed-off-by: Josh Boyer 
+
 commit 0bc3126c9cfa0b8c761483215c25382f831a7c6f
 Author: John Allen 
 Date:   Wed Jul 19 19:17:57 2023 +
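Review bot: the upstream commit text recorded in this hunk (f2eb058afc57348cde66852272d6bf11da1eef8f) says only "Update AMD cpu microcode for processor family 19h" and never names CVE-2023-20569, which is the sole justification given in the [ Reason ] section; since this README is what documents the blob's provenance inside the package, make sure debian/changelog (38 lines in the diffstat, not shown here) records both the CVE id and that commit hash so the link survives. The key fingerprint "FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73" added here is the reference the updated microcode_amd_fam19h.bin.asc should be checked against before upload. Also, the Author and Signed-off-by lines appear here with their addresses stripped and the Date line ends in a bare "+", which looks like rendering damage; confirm the debdiff that was actually uploaded is intact.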
diff --git a/amd-ucode/README b/amd-ucode/README
index 1d39da3..fac1152 100644
--- a/amd-ucode/README
+++ b/amd-ucode/README
@@ -37,6 +37,19 @@ Microcode patches in microcode_amd_fam17h.bin:
   Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126e Length=3200 bytes
 
 Microcode patches in microcode_amd_fam19h.bin:
+  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e Length=5568 bytes
+  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d1 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001079 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001234 Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes
+
+NOTE: For Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19 Model=0xa0),
+either AGESA version >= 1.0.0.8 OR a kernel with the following commit is
+required:
+a32b0f0db3f3 ("x86/microcode/AMD: Load late on both threads too")
+
+When late loading the patches for Genoa or Bergamo, there may be one spurious
+NMI observed per physical core. These NMIs are benign and don't cause any
+functional issue but will result in kernel messages being logged.
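Review bot: the NOTE added here states a hard prerequisite for Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19 Model=0xa0), AGESA >= 1.0.0.8 or kernel commit a32b0f0db3f3, but nothing in the bug report says whether the bullseye kernel carries that commit; the [ Risks ] section only says related kernel updates are available. Please state in debian/NEWS (15 lines in the diffstat) which of the two conditions bullseye users should expect to satisfy, and carry the spurious-NMI warning for late loading there as well, since a README inside the package is unlikely to be read before someone late-loads on a production host. Minor: the two Model=0xa0 lines end up split around the Model=0x01 block (Stepping=0x02 above it, Stepping=0x01 below it); grouping them together would let a reader looking up a Bergamo stepping see both entries at once.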
diff --git a/amd-ucode/microcode_amd_fam19h.bin b/amd-ucode/microcode_amd_fam19h.bin
index 50470c3..02a5d05 100644
Binary files a/amd-ucode/microcode_amd_fam19h.bin and b/amd-ucode/microcode_amd_fam19h.bin differ
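Review bot: a binary blob change cannot be reviewed from the debdiff, so the review record should say how the new microcode_amd_fam19h.bin was verified: check the detached signature microcode_amd_fam19h.bin.asc with the AMD key whose fingerprint is listed in the README hunk (key id F328AE73), and confirm the file is byte-identical to the one in upstream linux-firmware commit f2eb058afc57348cde66852272d6bf11da1eef8f. Note also that the updated patch table covers only Model 0x01, 0x11 and 0xa0 of family 0x19, which matches the "some Zen4 processors" wording in [ Impact ]; any other family 19h model gets nothing from this upload, and it would help users if debian/NEWS said so.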
diff --git a/amd-ucode/microcode_amd_fam19h.bin.asc b/amd-ucode/microcode_amd_fam19h.bin.asc
index a32b4d6..8cff901 100644
--- a/amd-ucode/microcode_amd_fam19h.bin.asc
+++ b/amd-ucode/microcode_amd_fam19h.bin.asc
@@ -1,11 +1,11 @@
 -BEGIN PGP SIGNATURE-
 
-iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmS3F00ACgkQ5L5TOfMo
-rnNEhQgAizSV8IFpvaYNytaJKLA4uevrZneGPV4czjCXnnj1yHpfQmCTyZQnoLnx
-7gyzf7K5271zO51FBQ5z2Nm48a3XPUhMbQLNP4BZdekLiA3bRpMtSyHct6zD0ULm
-xaFaOQ7MR1tGADhlon1bDvtnOuixUhwrZhEIlR9MzQAzERKDMOAVTbxn9ZhMfYiT
-LhA791Blyyi+6Z9uh7BpaA8l8uvoxt+uuvlBTjQMR3ER/TEjgcsoy+XhhK4QKS0V
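Review bot: this hunk is cut off after the removed lines of the old signature, so the replacement signature cannot be inspected here; the armor header also shows as "-BEGIN PGP SIGNATURE-" rather than the five-dash form, which reads as rendering damage rather than a change to the file, but it is worth confirming the .asc in the uploaded source is intact and that gpg --verify against key F328AE73 succeeds on the packaged microcode_amd_fam19h.bin before this is accepted for the point release.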