On 26/11/2025 2:49 pm, Jan Beulich wrote: > On 26.11.2025 14:22, Andrew Cooper wrote: >> This was potentially helpful when the chickenbit was the only mitigation and >> microcode had not been released, but that was two years ago. >> >> Zenbleed microcode has been avaialble since December 2023, and the subsequent >> Entrysign signature vulnerability means that firmware updates block >> OS-loading >> and more OS-loadable microcode will be produced for Zen2. >> >> i.e. the Zenbleed fix is not going to appear at runtime these days. >> >> No practical change. >> >> Signed-off-by: Andrew Cooper <[email protected]> > Acked-by: Jan Beulich <[email protected]>
Thanks. > on the basis that people unwilling to update their firmware already accept > being vulnerable. To them this might be a perceived regression, i.e. not > exactly "No practical change", but we kind of accept that possibility. It's not quite that easy. There are plenty of Zen2 systems without a firmware update. But, a user who cares about their security will have a more up-to-date microcode than 2 years old, and will get the Zenbleed fix at boot time. What I'm trying to say is that the "old ucode at boot, new at runtime" case doesn't sensibly exist any more. ~Andrew
