CVE-2023-20585 - Are there any mitigation plans for this?
jose.ogando at canonical.com
jose.ogando at canonical.com
Wed Jul 1 15:23:17 UTC 2026
Hi Jethro,
If you feel confident, I would then encourage you to submit the patch
to the mailing list, following our process.
That is the only thing that I believe Fortanix can do from the
community that can potentially speed things up.
And to answer your question, yes, we are in contact with the proper
stakeholders.
Regards,
On Wed, 2026-07-01 at 17:14 +0200, Jethro Beekman wrote:
> Hi Jose,
>
> We have validated that applying the patch results in the "mitigation
> vector bit 2" mentioned in the AMD security bulletin.
>
> Also, AMD told us a couple of weeks ago "AMD is tracking down the
> individual Linux distro plans for updates with the fix." I don't know
> who at Canonical is in touch with AMD, but that may be something to
> check on.
>
> --
> Jethro Beekman | CTO | Fortanix
>
> On 2026-07-01 17:10, jose.ogando at canonical.com wrote:
> > Hello Denis,
> >
> > We currently do not have a plan to integrate those mitigation. More
> > research is required. We have similar information to you, we know
> > that OS specific updates are required but we do not know if that is
> > referring to the specific commit you mentioned or if something else
> > is required.
> >
> > We therefore do not have a timeline. As part of the Ubuntu
> > community, If Fortanix has validated that the patch is what AMD
> > refers to as OS update, has backported and tested the patch on a
> > specific environment, you can submit the
> > patch https://documentation.ubuntu.com/kteam-docs/public/explanatio
> > n/stable-release-
> > updates.html <https://documentation.ubuntu.com/kteam-
> > docs/public/explanation/stable-release-updates.html>
> >
> > Regards,
> >
> > Jose
> >
> >
> >
> >
> >
> > On Tue, 2026-06-30 at 20:32 +0000, Denis Legalov wrote:
> > > Hello Ubuntu Kernel Team,
> > >
> > > tl;dr: Will there be a mitigation for CVE-2023-20585 in the
> > > Ubuntu kernel in the near term, and what can be done for this?
> > >
> > > I am part of the backend team at Fortanix, Inc, and part of our
> > > work involves attesting AMD SEV SNP machines.
> > > Recently, there was an issue with attesting an Ubuntu machine,
> > > running 6.17.0-35-generic.
> > > Our attestation requires certain TCB parameters to be set,
> > > reflecting the security patch state of AMD's advisories.
> > > Due to the kernel component needed for this CVE, our attestation
> > > was not going as expected.
> > >
> > > The listing for this CVE is here:
> > > https://ubuntu.com/security/CVE-2023-20585#notes <
> > > https://ubuntu.com/security/CVE-2023-20585#notes> (Ubuntu
> > > listing)
> > > https://security-tracker.debian.org/tracker/CVE-2023-20585 <
> > > https://security-tracker.debian.org/tracker/CVE-2023-20585>
> > > https://www.cve.org/CVERecord?id=CVE-2023-20585 <
> > > https://www.cve.org/CVERecord?id=CVE-2023-20585>
> > >
> > > The security bulletin is here:
> > > https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3016.html
> > > <
> > > https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3016.html
> > > >
> > >
> > > According to this bulletin, the operating system must also have a
> > > mitigation, the firmware is not enough:
> > > > Note: Mitigation of this vulnerability requires both a SEV
> > > > firmware update and an OS-specific update. Mitigations may be
> > > > deployed in any order, but both are required. Mitigation also
> > > > requires SNP guest shutdown and reinitialization.
> > > > For mitigations requiring operating system (OS) updates, AMD
> > > > recommends consulting with your operating system vendor’s
> > > > documentation for information on how to enable the OS portion
> > > > of the mitigation.
> > > There appear to be patches related to this CVE:
> > > https://lore.kernel.org/linux-iommu/20260420084204.12263-2-vasant.hegde@amd.com/
> > > <
> > > https://lore.kernel.org/linux-iommu/20260420084204.12263-2-vasant.hegde@amd.com/
> > > >
> > > The current status of this on ubuntu.com is "Needs evaluation",
> > > and "which is not clear yet what it is about" in regard to AMD's
> > > bulletin, which indicates that more research is needed. With the
> > > priority of this as "Medium", we would like to know if there is
> > > any timeline on this fix making it into the standard kernel. If
> > > there is no current priority, can Fortanix do something to
> > > resolve this?
> > > Thank you,
> > > Denis Legalov
> > >
> >
More information about the kernel-team
mailing list