If I understand this right, this change has to do with CVE-2024-36347: "Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious microcode, potentially resulting in loss of integrity of x86 instruction execution, loss of confidentiality and integrity of data in x86 CPU privileged context and compromise of SMM execution environment."
Which resulted in hardcoding microcode hashes in the kernel with the following commit:
https://github.com/torvalds/linux/commit/50cef76d5cb0e199cda19f026842560f6eedc4f7

But I don't understand why this would help in any way. If you are a local administrator, you can just disable the check with "microcode.amd_sha_check=off", so how is this an improvement in any way? I'm not sure it's worth the effort of trying to match the microcode with the kernel for a fix that doesn't actually improve anything, unless I'm not quite understanding the issue here.

** CVE added: https://cve.org/CVERecord?id=CVE-2024-36347

--
https://bugs.launchpad.net/bugs/2130658
Title: hashed microcode updates

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
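The mechanism the post is discussing, as an added user-space model written for this page (it is not code from the bug thread, from Ubuntu, or from the kernel commit linked above): walk an AMD microcode container, pick the patch_id out of each patch section, and accept the patch only if the SHA-256 of that section matches a hardcoded allow-list keyed by patch_id, with a sha_check switch standing in for "microcode.amd_sha_check=off". Assumptions: the container layout (magic 0x00414d44, a type-0 equivalence-table section, then type-1 patch sections whose first eight bytes are data_code and patch_id) follows the format as the kernel parses it, the hash is taken over the whole patch section, and the sample container, patch IDs and allow-list below are constructed here (the allow-list is computed from the sample at run time to keep the example self-contained, whereas the kernel's table is fixed at build time). The model ignores the kernel's current-revision comparison and family gating.

```python
"""Simplified model of a patch-id-keyed SHA-256 allow-list for AMD microcode
patches.  Added example, not the kernel's code; layout and sample data are
assumptions/constructed (see comments)."""
import hashlib
import struct

UCODE_MAGIC = 0x00414D44      # "DMA\0" little-endian, assumed container magic
EQUIV_TABLE_TYPE = 0          # assumed section type of the equivalence table
PATCH_TYPE = 1                # assumed section type of a microcode patch


def parse_container(blob: bytes):
    """Return [(patch_id, patch_section_bytes), ...] for every patch in the blob."""
    if len(blob) < 12 or struct.unpack_from("<I", blob, 0)[0] != UCODE_MAGIC:
        raise ValueError("not an AMD microcode container")
    off = 4
    sect_type, size = struct.unpack_from("<II", blob, off)   # equivalence table header
    if sect_type != EQUIV_TABLE_TYPE:
        raise ValueError("missing equivalence table")
    off += 8 + size
    patches = []
    while off + 8 <= len(blob):
        sect_type, size = struct.unpack_from("<II", blob, off)
        off += 8
        if sect_type != PATCH_TYPE or size < 8 or off + size > len(blob):
            raise ValueError("malformed patch section")
        patch = blob[off:off + size]
        patch_id = struct.unpack_from("<I", patch, 4)[0]      # data_code at 0, patch_id at 4
        patches.append((patch_id, patch))
        off += size
    return patches


def verify_patch(patch_id: int, patch: bytes, allow: dict, sha_check: bool = True) -> bool:
    """Accept only a known patch_id whose section hashes to the allow-listed digest.
    sha_check=False models the command-line switch that skips the check entirely."""
    if not sha_check:
        return True
    expected = allow.get(patch_id)
    if expected is None:
        return False
    return hashlib.sha256(patch).hexdigest() == expected


def build_container(patches):
    """Constructed sample: one 16-byte equivalence entry plus a zero terminator,
    then each patch as a 64-byte header (data_code, patch_id, zeroed rest) + body."""
    equiv = struct.pack("<IIIHH", 0x00A20F12, 0, 0, 0xA212, 0) + bytes(16)
    out = struct.pack("<III", UCODE_MAGIC, EQUIV_TABLE_TYPE, len(equiv)) + equiv
    for patch_id, body in patches:
        patch = struct.pack("<II", 0x01000000, patch_id) + bytes(56) + body
        out += struct.pack("<II", PATCH_TYPE, len(patch)) + patch
    return out


def demo():
    """Run the check over a pristine, a tampered and an unknown patch."""
    good = build_container([(0x0A201205, b"\x11" * 32)])          # constructed patch id/body
    (pid, patch), = parse_container(good)
    allow = {pid: hashlib.sha256(patch).hexdigest()}               # what the kernel bakes in

    tampered = bytearray(good)
    tampered[-1] ^= 0x01                                            # flip one byte of the body
    (_, bad_patch), = parse_container(bytes(tampered))

    unknown = build_container([(0x0A201206, b"\x11" * 32)])        # id absent from allow-list
    (uid, upatch), = parse_container(unknown)

    return {
        "pristine": verify_patch(pid, patch, allow),
        "tampered": verify_patch(pid, bad_patch, allow),
        "unknown_id": verify_patch(uid, upatch, allow),
        "tampered_check_off": verify_patch(pid, bad_patch, allow, sha_check=False),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```

The last entry in demo() is the case the post is asking about: with the switch off, the same tampered section that the allow-list rejects is accepted without any hashing at all, so whatever protection the table gives depends on who controls the kernel command line.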
