Bug 57766 - amd64-microcode: Multiple issues (5.0)
Summary: amd64-microcode: Multiple issues (5.0)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.0
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 5.0-9-errata
Assignee: Quality Assurance
QA Contact: Felix Botner
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-11-25 13:55 CET by Quality Assurance
Modified: 2024-11-27 13:57 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score: 7.5 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)


Description Quality Assurance univentionstaff 2024-11-25 13:55:05 CET
New Debian amd64-microcode 3.20240820.1~deb10u1 fixes:
This update addresses the following issues:
3.20240820.1~deb10u1 (Sat, 23 Nov 2024 13:20:52 +0100)
  * Non-maintainer upload by the ELTS Security Team.
  * Rebuild for buster, addressing CVE-2023-31356, CVE-2023-31315 and
    CVE-2023-20584 (see below for details on the vulnerabilities).
3.20240820.1~deb11u1 (Sat, 24 Aug 2024 09:28:39 -0300)
  * Rebuild for bullseye
  * Revert merged-usr changes from unstable
  * Revert move to non-free-firmware
3.20240820.1 (Wed, 21 Aug 2024 21:31:07 -0300)
  * Update package data from linux-firmware 20240820
    * New AMD-SEV firmware from AMD upstream (20240820)
      + Updated SEV firmware:
        Family 17h models 30h-3fh: version 0.24 build 20
        Family 19h models 00h-0fh: version 1.55 build 21
        Family 19h models 10h-1fh: version 1.55 build 37
      + New SEV firmware:
        Family 19h models a0h-afh: version 1.55 build 37
  * SECURITY UPDATE (AMD-SB-3003):
    * Mitigates CVE-2023-20584: IOMMU improperly handles certain special
      address ranges with invalid device table entries (DTEs), which may allow
      an attacker with privileges and a compromised Hypervisor to induce DTE
      faults to bypass RMP checks in SEV-SNP, potentially leading to a loss of
      guest integrity.
    * Mitigates CVE-2023-31356: Incomplete system memory cleanup in SEV
      firmware could allow a privileged attacker to corrupt guest private
      memory, potentially resulting in a loss of data integrity.
3.20240710.2~deb11u1 (Mon, 12 Aug 2024 09:59:32 -0300)
3.20240710.2 (Mon, 12 Aug 2024 09:00:19 -0300)
  * postrm: activate the update-initramfs dpkg trigger on remove/purge
    instead of always executing update-initramfs directly, just like it
    was done for postinst in 3.20240710.1: call update-initramfs directly
    only if the dpkg-trigger activation call fails.
3.20240710.1 (Sun, 11 Aug 2024 18:38:59 -0300)
  * Update package data from linux-firmware 20240709-141-g59460076
  * SECURITY UPDATE: Mitigates "Sinkclose" CVE-2023-31315 (AMD-SB-7014) on
    AMD Epyc processors: SMM lock bypass - Improper validation in a model
    specific register (MSR) could allow a malicious program with ring 0
    access (kernel) to modify SMM configuration while SMI lock is enabled,
    potentially leading to arbitrary code execution.
    Note: a firmware update is recommended for AMD Epyc (to protect the
    system as early as possible). Many other AMD processor models are
    also vulnerable to SinkClose, and can only be fixed by a firmware
    update at this time.
  * Updated Microcode patches:
    + Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126f
    + Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107c
    + Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a00107a
    + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101248
    + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00215
    + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001238
    + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101148
    + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d5
  * README.Debian: "late" microcode updates are unsupported in Debian
  * postinst: use dpkg-trigger to activate update-initramfs, this enables
    dracut integration
3.20240116.2 (Thu, 15 Feb 2024 16:56:06 -0300)
  * Add AMD-TEE firmware to the package
    + amdtee: add amd_pmf TA firmware 20230906
  * debian: install amdtee to /lib/firmware/amdtee
  * debian/control: update short and long descriptions
  * debian/copyright: update with amd-pmf license
3.20240116.1 (Tue, 06 Feb 2024 15:35:27 -0300)
  * Update package data from linux-firmware 20240115-80-gb4b04a5c
  * Updated Microcode patches:
    + Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107b
    + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d3
    + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001236
3.20231019.1 (Sat, 21 Oct 2023 15:06:29 -0300)
  * Update package data from linux-firmware 20231019
  * Updated Microcode patches:
    + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101144
    + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101244
    + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00213
3.20230823.1 (Fri, 13 Oct 2023 02:02:47 -0300)
  * Update package data from linux-firmware 20230919
    * New AMD-SEV firmware from AMD upstream (20230823)
      + Updated SEV firmware:
        Family 19h models 00h-0fh: version 1.55 build 8
      + New SEV firmware:
        Family 19h models 10h-1fh: version 1.55 build 21
  * amd-ucode: Add note on fam19h warnings.
3.20230808.1.1~deb11u1 (Sat, 02 Sep 2023 20:38:42 -0300)
  * Build for bullseye
3.20230808.1.1 (Thu, 10 Aug 2023 10:18:38 -0300)
  * Update package data from linux-firmware 20230804-6-gf2eb058a
    * Fixes for CVE-2023-20569 "AMD Inception" on AMD Zen4 processors
  * WARNING: for proper operation on AMD Genoa and Bergamo processors,
    either up-to-date BIOS (with AGESA 1.0.0.8 or newer) or up-to-date
    Linux kernels (minimal versions on each active Linux stable branch:
    v4.19.289 v5.4.250 v5.10.187 v5.15.120 v6.1.37 v6.3.11 v6.4.1)
    are *required*
  * New Microcode patches:
    + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e
    + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e
    + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212
    + Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116
  * README: update for new release
  * debian/NEWS: AMD Genoa/Bergamo kernel version restrictions
  * debian/changelog: update entry for release 3.20230719.1, noting
    that it included fixes for "AMD Inception" for Zen3 processors.
    We did not know about AMD Inception at the time, but we always
    include all available microcode updates when issuing a new
    package, so we lucked out.
  * debian/changelog: correct some information in 3.20230808.1
    entry and reupload as 3.20230808.1.1. There's no Zenbleed
    for Zen4... oops!
3.20230719.1~deb11u1 (Mon, 24 Jul 2023 16:19:13 -0300)
  * Build for bullseye-security
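As an added check that is not part of this bug report or of the Debian package, the following Python script parses the "Family=... Model=... Stepping=...: Patch=..." lines quoted in the changelog above and compares the level listed for the running CPU's family/model/stepping with the "microcode" field of /proc/cpuinfo, so an administrator can confirm after the reboot that the shipped patch level was actually loaded. The changelog excerpt and the /proc/cpuinfo sample are constructed from lines on this page; the function names are the script's own.

```python
import re
# Constructed excerpt of the 3.20240710.1 "Updated Microcode patches" list
# quoted on this page (three of its eight lines).
CHANGELOG_EXCERPT = """  * Updated Microcode patches:
    + Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107c
    + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001238
    + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101148
"""
PATCH_RE = re.compile(r"Family=(0x[0-9a-f]+)\s+Model=(0x[0-9a-f]+)\s+"
                      r"Stepping=(0x[0-9a-f]+):\s+Patch=(0x[0-9a-f]+)", re.I)

def parse_patch_table(text):
    """Map (family, model, stepping) -> highest patch level the changelog lists."""
    table = {}
    for fam, model, step, patch in PATCH_RE.findall(text):
        key = (int(fam, 16), int(model, 16), int(step, 16))
        table[key] = max(table.get(key, 0), int(patch, 16))
    return table

def parse_cpuinfo(text):
    """(family, model, stepping, microcode) of the first CPU in /proc/cpuinfo.
    The kernel prints family/model/stepping in decimal and microcode in hex."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            k, v = (s.strip() for s in line.split(":", 1))
            fields.setdefault(k, v)  # keep processor 0's values
    return (int(fields["cpu family"]), int(fields["model"]),
            int(fields["stepping"]), int(fields["microcode"], 16))

def check_microcode(table, cpu):
    """'ok' if the running level is at least what the package ships, 'stale' if
    it is lower, 'unknown' if the changelog lists no patch for this stepping."""
    fam, model, step, running = cpu
    shipped = table.get((fam, model, step))
    if shipped is None:
        return "unknown"
    return "ok" if running >= shipped else "stale"

# Constructed /proc/cpuinfo excerpt: Family 0x19 Model 0x01 Stepping 0x02
# still running 0x0a001236, the level shipped by 3.20240116.1 above.
SAMPLE_CPUINFO = """processor\t: 0
cpu family\t: 25
model\t\t: 1
stepping\t: 2
microcode\t: 0xa001236
"""
if __name__ == "__main__":
    print(check_microcode(parse_patch_table(CHANGELOG_EXCERPT), parse_cpuinfo(SAMPLE_CPUINFO)))  # stale
```

Equal or higher counts as "ok" because the BIOS may already load a newer level than the package ships; a level still below the shipped one after installing the update means the host has not been rebooted or the early-load initramfs was not regenerated (see the update-initramfs trigger entries above).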
Comment 1 Quality Assurance univentionstaff 2024-11-25 14:00:11 CET
--- mirror/ftp/pool/main/a/amd64-microcode/amd64-microcode_3.20230719.1~deb10u1.dsc
+++ apt/ucs_5.0-0-errata5.0-9/source/amd64-microcode_3.20240820.1~deb10u1.dsc
@@ -1,3 +1,145 @@
+3.20240820.1~deb10u1 [Sat, 23 Nov 2024 13:20:52 +0100] Tobias Frost <tobi@debian.org>:
+
+  * Non-maintainer upload by the ELTS Security Team.
+  * Rebuild for buster, addressing CVE-2023-31356, CVE-2023-31315 and
+    CVE-2023-20584 (see below for details on the vulnerabilties.)
+
+3.20240820.1~deb11u1 [Sat, 24 Aug 2024 09:28:39 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Rebuild for bullseye
+  * Revert merged-usr changes from unstable
+  * Revert move to non-free-firmware
+
+3.20240820.1 [Wed, 21 Aug 2024 21:31:07 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Update package data from linux-firmware 20240820
+    * New AMD-SEV firmware from AMD upstream (20240820)
+      + Updated SEV firmware:
+        Family 17h models 30h-3fh: version 0.24 build 20
+        Family 19h models 00h-0fh: version 1.55 build 21
+        Family 19h models 10h-1fh: version 1.55 build 37
+      + New SEV firmware:
+        Family 19h models a0h-afh: version 1.55 build 37
+  * SECURITY UPDATE (AMD-SB-3003):
+    * Mitigates CVE-2023-20584: IOMMU improperly handles certain special
+      address ranges with invalid device table entries (DTEs), which may allow
+      an attacker with privileges and a compromised Hypervisor to induce DTE
+      faults to bypass RMP checks in SEV-SNP, potentially leading to a loss of
+      guest integrity.
+    * Mitigates CVE-2023-31356: Incomplete system memory cleanup in SEV
+      firmware could allow a privileged attacker to corrupt guest private
+      memory, potentially resulting in a loss of data integrity.
+
+3.20240710.2~deb11u1 [Mon, 12 Aug 2024 09:59:32 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Rebuild for bullseye
+  * Revert merged-usr changes from unstable
+  * Revert move to non-free-firmware
+
+3.20240710.2 [Mon, 12 Aug 2024 09:00:19 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * postrm: activate the update-initramfs dpkg trigger on remove/purge
+    instead of always executing update-initramfs directly, just like it
+    was done for postinst in 3.20240710.1: call update-initramfs directly
+    only if the dpkg-trigger activation call fails.
+
+3.20240710.1 [Sun, 11 Aug 2024 18:38:59 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Update package data from linux-firmware 20240709-141-g59460076
+    (closes: #1076128)
+  * SECURITY UPDATE: Mitigates "Sinkclose" CVE-2023-31315 (AMD-SB-7014) on
+    AMD Epyc processors: SMM lock bypass - Improper validation in a model
+    specific register (MSR) could allow a malicious program with ring 0
+    access (kernel) to modify SMM configuration while SMI lock is enabled,
+    potentially leading to arbitrary code execution.
+    Note: a firmware update is recommended for AMD Epyc (to protect the
+    system as early as possible).  Many other AMD processor models are
+    also vulnerable to SinkClose, and can only be fixed by a firmware
+    update at this time.
+  * Updated Microcode patches:
+    + Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126f
+    + Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107c
+    + Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a00107a
+    + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101248
+    + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00215
+    + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001238
+    + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101148
+    + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d5
+  * README.Debian: "late" microcode updates are unsupported in Debian
+    (closes: #1074514)
+  * postinst: use dpkg-trigger to activate update-initramfs, this enables
+    dracut integration (closes: #1000193)
+
+3.20240116.2 [Thu, 15 Feb 2024 16:56:06 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Add AMD-TEE firmware to the package (closes: #1062678)
+    + amdtee: add amd_pmf TA firmware 20230906
+  * debian: install amdtee to /lib/firmware/amdtee
+  * debian/control: update short and long descriptions
+  * debian/copyright: update with amd-pmf license
+
+3.20240116.1 [Tue, 06 Feb 2024 15:35:27 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Update package data from linux-firmware 20240115-80-gb4b04a5c
+  * Updated Microcode patches:
+    + Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107b
+    + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d3
+    + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001236
+
+3.20231019.1 [Sat, 21 Oct 2023 15:06:29 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Update package data from linux-firmware 20231019
+  * Updated Microcode patches:
+    + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101144
+    + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101244
+    + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00213
+
+3.20230823.1 [Fri, 13 Oct 2023 02:02:47 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Update package data from linux-firmware 20230919
+    * New AMD-SEV firmware from AMD upstream (20230823)
+      + Updated SEV firmware:
+        Family 19h models 00h-0fh: version 1.55 build 8
+      + New SEV firmware:
+        Family 19h models 10h-1fh: version 1.55 build 21
+  * amd-ucode: Add note on fam19h warnings.
+
+3.20230808.1.1~deb11u1 [Sat, 02 Sep 2023 20:38:42 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Build for bullseye
+  * Revert move to non-free-firmware
+
+3.20230808.1.1 [Thu, 10 Aug 2023 10:18:38 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Update package data from linux-firmware 20230804-6-gf2eb058a
+    * Fixes for CVE-2023-20569 "AMD Inception" on AMD Zen4 processors
+    (closes: #1043381)
+  * WARNING: for proper operation on AMD Genoa and Bergamo processors,
+    either up-to-date BIOS (with AGESA 1.0.0.8 or newer) or up-to-date
+    Linux kernels (minimal versions on each active Linux stable branch:
+    v4.19.289 v5.4.250 v5.10.187 v5.15.120 v6.1.37 v6.3.11 v6.4.1)
+    are *required*
+  * New Microcode patches:
+    +  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e
+    +  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e
+    +  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212
+    +  Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116
+  * README: update for new release
+  * debian/NEWS: AMD Genoa/Bergamo kernel version restrictions
+  * debian/changelog: update entry for release 3.20230719.1, noting
+    that it included fixes for "AMD Inception" for Zen3 processors.
+    We did not know about AMD Inception at the time, but we always
+    include all available microcode updates when issuing a new
+    package, so we lucked out.
+  * debian/changelog: correct some information in 3.20230808.1
+    entry and reupload as 3.20230808.1.1.  There's no Zenbleed
+    for Zen4... oops!
+
+3.20230719.1~deb11u1 [Mon, 24 Jul 2023 16:19:13 -0300] Henrique de Moraes Holschuh <hmh@debian.org>:
+
+  * Build for bullseye-security
+  * Revert move to non-free-firmware
+
 3.20230719.1~deb10u1 [Mon, 31 Jul 2023 12:02:41 +0200] Jochen Sprickerhof <jspricke@debian.org>:
 
   * Non-maintainer upload by the LTS Security Team.
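Review bot: the new 3.20240820.1~deb10u1 entry misspells "vulnerabilties" in "(see below for details on the vulnerabilties.)"; fix the spelling and move the full stop outside the parenthesis before this changelog is published in the errata. Also, the entry records only "Rebuild for buster", while the 3.20240820.1~deb11u1 entry it is rebuilt from also lists "Revert merged-usr changes from unstable" and "Revert move to non-free-firmware"; state whether those reverts apply to the buster build as well so the ELTS entry is self-describing.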
@@ -9,6 +151,9 @@
   * Update package data from linux-firmware 20230625-39-g59fbffa9:
     * Fixes for CVE-2023-20593 "Zenbleed" on AMD Zen2 processors
       (closes: #1041863)
+    * Fixes for CVE-2023-20569 "AMD Inception" on AMD Zen3 processors
+      (this changelog entry time-travelled from the future, we were
+      lucky we always include all microcode updates available)
     * New Microcode patches:
       + Family=0x17 Model=0xa0 Stepping=0x00: Patch=0x08a00008
     * Updated Microcode patches:
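Review bot: this hunk amends the already-published 3.20230719.1~deb10u1 entry instead of adding a new one, so the errata text for 3.20240820.1~deb10u1 should not present CVE-2023-20569 as newly fixed: per the added lines, the Zen3 "AMD Inception" fix was already shipped with linux-firmware 20230625-39-g59fbffa9 in that earlier upload, and the 3.20230808.1.1 entry above says the same. Please check that doc/errata/staging/amd64-microcode.yaml lists only the three CVEs the ELTS entry names (CVE-2023-31356, CVE-2023-31315, CVE-2023-20584) and that the informal "time-travelled from the future" wording is not copied into the announcement.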

<http://piuparts.knut.univention.de/5.0-9/#418030038885456803>
Comment 2 Iván.Delgado univentionstaff 2024-11-26 11:56:41 CET
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-9] ab7f3b71c7 Bug #57766: amd64-microcode 3.20240820.1~deb10u1
 doc/errata/staging/amd64-microcode.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)