1. Patchew
  2. Xen
  3. [PATCH for-4.21? 0/5] x86/ucode: Support loading latest ucode from linux-firwmare
  4. View patch

[PATCH 4/5] x86/ucode: Cross check the minimum revision

Andrew Cooper posted 5 patches 1 week, 2 days ago
There is a newer version of this series
[PATCH 4/5] x86/ucode: Cross check the minimum revision
Posted by Andrew Cooper 1 week, 2 days ago 
For Zen3-5 microcode blobs signed with the updated signature scheme, the
checksum field has been reused to be a min_revision field, referring to the
microcode revision which fixed Entrysign (SB-7033, CVE-2024-36347).

Cross-check this when trying to load microcode, but allow --force to override
it.  If the signature scheme is genuinely different, a #GP will occur.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
---
 xen/arch/x86/cpu/microcode/amd.c | 48 +++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/amd.c
index 7ff702c06caf..30bddc89da0a 100644
--- a/xen/arch/x86/cpu/microcode/amd.c
+++ b/xen/arch/x86/cpu/microcode/amd.c
@@ -42,7 +42,10 @@ struct microcode_patch {
     uint8_t  mc_patch_data_id[2];
     uint8_t  mc_patch_data_len;
     uint8_t  init_flag;
-    uint32_t mc_patch_data_checksum;
+    union {
+        uint32_t checksum; /* Fam12h and earlier */
+        uint32_t min_rev;  /* Zen3-5, post Entrysign */
+    };
     uint32_t nb_dev_id;
     uint32_t sb_dev_id;
     uint16_t processor_rev_id;
@@ -270,6 +273,41 @@ static int cf_check amd_compare(
     return compare_revisions(old->patch_id, new->patch_id);
 }
 
+/*
+ * Check whether this patch has a minimum revision given, and whether the
+ * condition is satisfied.
+ *
+ * In linux-firmware, blobs signed with the updated signature algorithm have
+ * reused the checksum field as a min-revision field.  From public archives,
+ * the checksum field appears to have been unused since Fam12h.
+ *
+ * Returns false if there is a min revision given, and it suggests that that
+ * the patch cannot be loaded on the current system.  True otherwise.
+ */
+static bool check_min_rev(const struct microcode_patch *patch)
+{
+    ASSERT(microcode_fits_cpu(patch));
+
+    if ( patch->processor_rev_id < 0xa000 || /* pre Zen3? */
+         patch->min_rev == 0 )               /* No min rev specified */
+        return true;
+
+    /*
+     * Sanity check, as this is a reused field.  If this is a true
+     * min_revision field, it will differ only in the bottom byte from the
+     * patch_id.  Otherwise, it's probably a checksum.
+     */
+    if ( (patch->patch_id ^ patch->min_rev) & ~0xff )
+    {
+        printk(XENLOG_WARNING
+               "microcode: patch %#x has unexpected min_rev %#x\n",
+               patch->patch_id, patch->min_rev);
+        return true;
+    }
+
+    return this_cpu(cpu_sig).rev >= patch->min_rev;
+}
+
 static int cf_check apply_microcode(const struct microcode_patch *patch,
                                     unsigned int flags)
 {
@@ -299,6 +337,14 @@ static int cf_check apply_microcode(const struct microcode_patch *patch,
         return -ENXIO;
     }
 
+    if ( !ucode_force && !check_min_rev(patch) )
+    {
+        printk(XENLOG_ERR
+               "microcode: CPU%u current rev %#x below patch min_rev %#x\n",
+               cpu, sig->rev, patch->min_rev);
+        return -ENXIO;
+    }
+
     hw_err = wrmsr_safe(MSR_AMD_PATCHLOADER, (unsigned long)patch);
 
     /* get patch id after patching */
-- 
2.39.5
Re: [PATCH 4/5] x86/ucode: Cross check the minimum revision
Posted by Jan Beulich 1 week, 1 day ago 
On 20.10.2025 15:19, Andrew Cooper wrote:
> For Zen3-5 microcode blobs signed with the updated signature scheme, the
> checksum field has been reused to be a min_revision field, referring to the
> microcode revision which fixed Entrysign (SB-7033, CVE-2024-36347).
> 
> Cross-check this when trying to load microcode, but allow --force to override
> it.  If the signature scheme is genuinely different, a #GP will occur.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Acked-by: Jan Beulich <jbeulich@suse.com>

Might be upgradable to R-b if only I knew where - if anywhere - this is
documented. I can't spot anything in PM vol 2 in particular.

Jan
Re: [PATCH 4/5] x86/ucode: Cross check the minimum revision
Posted by Andrew Cooper 1 week, 1 day ago 
On 21/10/2025 10:18 am, Jan Beulich wrote:
> On 20.10.2025 15:19, Andrew Cooper wrote:
>> For Zen3-5 microcode blobs signed with the updated signature scheme, the
>> checksum field has been reused to be a min_revision field, referring to the
>> microcode revision which fixed Entrysign (SB-7033, CVE-2024-36347).
>>
>> Cross-check this when trying to load microcode, but allow --force to override
>> it.  If the signature scheme is genuinely different, a #GP will occur.
>>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Acked-by: Jan Beulich <jbeulich@suse.com>

Thanks.

>
> Might be upgradable to R-b if only I knew where - if anywhere - this is
> documented. I can't spot anything in PM vol 2 in particular.

Like everything else about the ucode format, It's not documented at all.

In fact, this was discovered by people on the WinRaid forums, because
even
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/amd-ucode?id=3768c184de68a85b9df6697e7f93a2f61de90a99
doesn't say that the internal headers have been adjusted.

I've confirmed with AMD that it's intentional and expected to continue
like this for the lifetime of the Zen3-5 blobs.

~Andrew

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.