On 10/27/25 11:16 PM, Andrew Cooper wrote:
> linux-firmware now contains microcode signed with the new signature scheme.
> Xen currently refuses to load these as we've not updated the digest list.
>
> The plan was always to stop using the digest list in due course, which is what
> this series does. A fix for the RDSEED vulnerability is imminent, and it's
> critical that Xen can load this microcode.
>
> As such, this is intended for backport to all trees including security trees,
> and therefore really does need to get into Xen 4.21.

Considering that it is security-related and will be backported anyway, it should
be considered to be in Xen 4.21:

Release-Acked-By: Oleksii Kurochko <oleksii.kurochko@gmail.com>

Thanks.

~ Oleksii

>
> Andrew Cooper (5):
> x86/ucode: Abort parallel load early on any control thread error
> x86/ucode: Refine TLB flush fix for AMD Fam17h CPUs
> x86/ucode: Cross check the minimum revision
> x86/ucode: Refine the boundary checks for Entrysign
> x86/ucode: Relax digest check when Entrysign is fixed in firmware
>
> docs/misc/xen-command-line.pandoc | 7 +-
> xen/arch/x86/cpu/microcode/amd.c | 158 +++++++++++++++++++++++++--
> xen/arch/x86/cpu/microcode/core.c | 6 +-
> xen/arch/x86/cpu/microcode/private.h | 2 +
> xen/arch/x86/flushtlb.c | 3 +-
> xen/arch/x86/include/asm/flushtlb.h | 5 +
> 6 files changed, 165 insertions(+), 16 deletions(-)
>