NACK/Cmnt: [SRU][P][PATCH 0/1] x86/microcode/AMD: Add TSA microcode SHAs

Manuel Diewald manuel.diewald at canonical.com
Tue Oct 7 08:35:29 UTC 2025 

On Mon, Aug 25, 2025 at 08:24:26PM -0300, Rodrigo Figueiredo Zaiden wrote:
> BugLink: https://bugs.launchpad.net/bugs/2121417
> 
> SRU Justification:
> 
> [ Impact ]
> 
> When updating AMD microcodes with the package amd64-microcode, which
> places the microcodes in `usr/lib/firmware/amd-ucode`, an update on the
> allowed SHAs on the kernel side is needed since the following commit
> included in upstream version 6.14:
>  50cef76d5cb0e199 x86/microcode/AMD: Load only SHA256-checksummed patches
> 
> There is an incoming update for amd64-microcode in security-proposed[1]
> that fixes CVE-2024-36350, and CVE-2024-36357 that needs to have the
> patched version in the mentioned allowed SHAs list.
> 
> Currently, when trying to run a plucky kernel with the proposed version of
> amd64-microcode[2], the error is:
> [    0.000000] microcode: No sha256 digest for patch ID: 0xa60120a found
> ...
> [    0.741096] microcode: Current revision: 0x0a601203
> 
> Above example of error is for AMD Ryzen 9 7950X ("Raphael") but could
> happen with other processors and microcode version as well.
> 
> The more concerning impact here is that, whenever the kernel doesn't know
> about a patch (not in the checksummed list) it will end up downgrading to
> the version originally available in the machine's platform initialization.
> 
> For example, in the above case, using a device available in testflinger[3],
> it would be:
> - machine's original microcode:
>   - patch version 0x0a601203
> - current amd64-microcode version: 3.20250311.1ubuntu0.25.04.1
>   - patch version 0x0a601209
> - udpated amd64-microcode version: 3.20250708.0ubuntu0.25.04.2[2]
>   - patch version 0x0a60120a
> 
> So, when running a kernel without the checksummed SHAs the device is
> not running with the previous version but with an outdated version
> uncovering possible already fixed issues.
> 
> [ Fix ]
> 
> Cherry-pick following upstream commit:
> 
> * 2329f250e04d3b8e x86/microcode/AMD: Add TSA microcode SHAs
> 
> [ Test Plan ]
> 
> - On boot, get microcode version and logs with 'dmesg | grep microcode'
> - Install amd64-microcode from security-proposed[1]
> - Reboot
> - Get microcode logs and check version update and sha256 digest error
> 
> [ Additional Information ]
> 
> [1] https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa
> [2] https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=amd64-microcode&field.status_filter=published&field.series_filter=plucky
> [3] https://certification.canonical.com/hardware/202409-35688/
> 
> 
> Borislav Petkov (AMD) (1):
>   x86/microcode/AMD: Add TSA microcode SHAs
> 
>  arch/x86/kernel/cpu/microcode/amd_shas.c | 112 +++++++++++++++++++++++
>  1 file changed, 112 insertions(+)
> 
> -- 
> 2.43.0
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

This patch has been already applied to plucky:linux with upstream stable
patchset 2025-09-04 (LP: #2122072). Sorry for the inconvenience.

-- 
 Manuel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251007/74997081/attachment.sig>

More information about the kernel-team mailing list