Summary: | sysutils/cpu-microcode-amd: Update to include vulnerability fix
---|---
Product: | Ports & Packages
Component: | Individual Port(s)
Status: | Closed FIXED
Severity: | Affects Many People
Priority: | ---
Version: | Latest
Hardware: | Any
OS: | Any
Reporter: | Christos Chatzaras <chris>
Assignee: | Joseph Mingrone <jrm>
CC: | fernape, jrm, ports-secteam, sbruno
Flags: | fernape: maintainer-feedback? (sbruno)

Description
Christos Chatzaras
2023-08-19 23:18:41 UTC
AMD "Inception" security vulnerability fix for Zen 3 and Zen 4 processors

Just for reference: The AMD microcode updates are only for EPYC and not Ryzen. For Ryzen a BIOS update from each vendor is needed.

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html

Created attachment 244249
Patch to update sysutils/cpu-microcode-amd

Christos, thank you for reporting. Are you able to run-time test with the attached patch?

(In reply to Joseph Mingrone from comment #4)
Hello Joseph,

With a visual inspection of the patch, it seems to be okay.

If you want I can test if the port update works fine. But I have no way to test if it actually updates the microcode as I have Ryzen (Family=0x19 Model=0x21) which is not included in the microcode update (only someone with EPYC can test it).

On my Intel-based laptop I do this to verify the ucode revision has been updated.

% sudo cpucontrol -m 0x8b -v /dev/cpuctl0
MSR 0x8b: 0x00000029 0x00000000
% sudo service microcode_update onestart
Updating CPU Microcode...
Done.
% sudo cpucontrol -m 0x8b -v /dev/cpuctl0
MSR 0x8b: 0x0000002f 0x00000000

markj tells me "from my reading of the microcode update code in usr.sbin/cpucontrol/amd10h.c, you should be able to get the ucode revision in the same way, on recent AMD systems anyway. In particular, MSR_BIOS_SIGN is 0x8b. IIRC AMD does not document their ucode update interface."

Even though it won't give you the updates to work around the recent issue, could you check the microcode revision is properly updated?

(In reply to Joseph Mingrone from comment #6)
Your patch cleanly applied using "git apply patch" and I upgraded the port in my system.

`cpucontrol` shows the same result before and after `service microcode_update onestart`: "MSR 0x8b: 0x00000000 0x0a201016".

This is expected because you can see at https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html that μcode update is only available for EPYC processors. The rest of us that use Ryzen have to wait for AMD to release new "AGESA Firmware" which will be used by motherboard manufacturers to update the BIOS.
--------------------

yes | portmaster --no-confirm -y cpu-microcode-amd-20230724
===>>> Currently installed version: cpu-microcode-amd-20230724
===>>> Port directory: /usr/ports/sysutils/cpu-microcode-amd
===>>> Launching 'make checksum' for sysutils/cpu-microcode-amd in background
===>>> Gathering dependency list for sysutils/cpu-microcode-amd from ports
===>>> Initial dependency check complete for sysutils/cpu-microcode-amd
===>>> Starting build for sysutils/cpu-microcode-amd <<<===
===>>> All dependencies are up to date
===> Cleaning for cpu-microcode-amd-20230808
===>>> Waiting on fetch & checksum for sysutils/cpu-microcode-amd <<<===
===> License EULA accepted by the user
===> License EULA accepted by the user
===> cpu-microcode-amd-20230808 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by cpu-microcode-amd-20230808 for building
===> Extracting for cpu-microcode-amd-20230808
=> SHA256 Checksum OK for cpu-microcode-amd/microcode_amd.bin?id=f2eb058afc57348cde66852272d6bf11da1eef8f.
=> SHA256 Checksum OK for cpu-microcode-amd/microcode_amd_fam15h.bin?id=f2eb058afc57348cde66852272d6bf11da1eef8f.
=> SHA256 Checksum OK for cpu-microcode-amd/microcode_amd_fam16h.bin?id=f2eb058afc57348cde66852272d6bf11da1eef8f.
=> SHA256 Checksum OK for cpu-microcode-amd/microcode_amd_fam17h.bin?id=f2eb058afc57348cde66852272d6bf11da1eef8f.
=> SHA256 Checksum OK for cpu-microcode-amd/microcode_amd_fam19h.bin?id=f2eb058afc57348cde66852272d6bf11da1eef8f.
===> Patching for cpu-microcode-amd-20230808
===> Configuring for cpu-microcode-amd-20230808
===>>> Building the port required 0 seconds
===> Staging for cpu-microcode-amd-20230808
===> Generating temporary packing list
/bin/mkdir -p /usr/ports/sysutils/cpu-microcode-amd/work/stage/usr/local/share/cpucontrol/
install -m 0644 /usr/ports/sysutils/cpu-microcode-amd/work/cpu-microcode-amd-20230808/microcode_amd.bin?id=f2eb058afc57348cde66852272d6bf11da1eef8f /usr/ports/sysutils/cpu-microcode-amd/work/stage/usr/local/share/cpucontrol/microcode_amd.bin
install -m 0644 /usr/ports/sysutils/cpu-microcode-amd/work/cpu-microcode-amd-20230808/microcode_amd_fam15h.bin?id=f2eb058afc57348cde66852272d6bf11da1eef8f /usr/ports/sysutils/cpu-microcode-amd/work/stage/usr/local/share/cpucontrol/microcode_amd_fam15h.bin
install -m 0644 /usr/ports/sysutils/cpu-microcode-amd/work/cpu-microcode-amd-20230808/microcode_amd_fam16h.bin?id=f2eb058afc57348cde66852272d6bf11da1eef8f /usr/ports/sysutils/cpu-microcode-amd/work/stage/usr/local/share/cpucontrol/microcode_amd_fam16h.bin
install -m 0644 /usr/ports/sysutils/cpu-microcode-amd/work/cpu-microcode-amd-20230808/microcode_amd_fam17h.bin?id=f2eb058afc57348cde66852272d6bf11da1eef8f /usr/ports/sysutils/cpu-microcode-amd/work/stage/usr/local/share/cpucontrol/microcode_amd_fam17h.bin
install -m 0644 /usr/ports/sysutils/cpu-microcode-amd/work/cpu-microcode-amd-20230808/microcode_amd_fam19h.bin?id=f2eb058afc57348cde66852272d6bf11da1eef8f /usr/ports/sysutils/cpu-microcode-amd/work/stage/usr/local/share/cpucontrol/microcode_amd_fam19h.bin
====> Compressing man pages (compress-man)
===>>> Creating a backup package for old version cpu-microcode-amd-20230724
Creating package for cpu-microcode-amd-20230724
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):
Installed packages to be REMOVED:
cpu-microcode-amd: 20230724
Number of packages to be removed: 1
[1/1] Deinstalling cpu-microcode-amd-20230724...
[1/1] Deleting files for cpu-microcode-amd-20230724: 100%
===> Installing for cpu-microcode-amd-20230808
===> Checking if cpu-microcode-amd is already installed
===> Registering installation for cpu-microcode-amd-20230808
Installing cpu-microcode-amd-20230808...
Refer to the cpu-microcode-rc installation notes to enable AMD microcode updates.
===>>> pkg-message for cpu-microcode-amd-20230808
On install:
Refer to the cpu-microcode-rc installation notes to enable AMD microcode updates.
===>>> Done displaying pkg-message files
===>>> Upgrade of cpu-microcode-amd-20230724 to cpu-microcode-amd-20230808 complete

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=32581ecbe9478918189b37e604bce5811fad88d0

commit 32581ecbe9478918189b37e604bce5811fad88d0
Author: Joseph Mingrone <jrm@FreeBSD.org>
AuthorDate: 2023-08-21 11:44:41 +0000
Commit: Joseph Mingrone <jrm@FreeBSD.org>
CommitDate: 2023-08-21 18:13:01 +0000

sysutils/cpu-microcode-amd: Update for 19h processor family

PR: 273238
Reported by: Christos Chatzaras <chris@cretaforce.gr>
Approved by: maintainer (sbruno, implicit)
Sponsored by: The FreeBSD Foundation

sysutils/cpu-microcode-amd/Makefile | 4 ++--
sysutils/cpu-microcode-amd/distinfo | 22 +++++++++++-----------
2 files changed, 13 insertions(+), 13 deletions(-)

Committed. Thanks.
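
The before/after revision check discussed in the comments above, as an added example that is not part of the original thread or of the port: a small sh helper that extracts the microcode revision from a `cpucontrol -m 0x8b` output line and compares two readings. It assumes, from the outputs quoted above, that the high 32-bit word is printed first, with the revision in the high word on Intel and in the low word on AMD; the function names `ucode_rev` and `ucode_check` are hypothetical.

```shell
#!/bin/sh
# Added example: compare microcode revisions read from MSR 0x8b.
# On a live FreeBSD system the input lines would come from:
#   sudo cpucontrol -m 0x8b -v /dev/cpuctl0

# ucode_rev VENDOR LINE
# LINE looks like "MSR 0x8b: 0xHHHHHHHH 0xLLLLLLLL" (high word first, assumed).
# Prints the word holding the revision; returns 1 on malformed input.
ucode_rev() {
    vendor=$1
    line=$2
    case $line in
        "MSR 0x8b: 0x"????????" 0x"????????) ;;
        *) return 1 ;;
    esac
    words=${line#MSR 0x8b: }
    hi=${words% *}
    lo=${words#* }
    # Reject anything that is not eight hex digits per word.
    case ${hi#0x}${lo#0x} in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    case $vendor in
        intel) printf '%s\n' "$hi" ;;  # revision in the high word
        amd)   printf '%s\n' "$lo" ;;  # revision in the low word
        *)     return 1 ;;
    esac
}

# ucode_check VENDOR BEFORE_LINE AFTER_LINE
# Prints "updated OLD -> NEW" or "unchanged REV"; returns 2 on parse errors.
# "unchanged" only means no newer revision was loaded for this CPU.
ucode_check() {
    old=$(ucode_rev "$1" "$2") || return 2
    new=$(ucode_rev "$1" "$3") || return 2
    if [ "$old" != "$new" ]; then
        printf 'updated %s -> %s\n' "$old" "$new"
    else
        printf 'unchanged %s\n' "$old"
    fi
}

# Readings quoted in the thread above, reused here as sample input.
ucode_check intel 'MSR 0x8b: 0x00000029 0x00000000' 'MSR 0x8b: 0x0000002f 0x00000000'
ucode_check amd 'MSR 0x8b: 0x00000000 0x0a201016' 'MSR 0x8b: 0x00000000 0x0a201016'
```

An "unchanged" result on its own does not distinguish a failed load from a microcode file that carries no newer patch for the installed CPU, which is the Ryzen case described in the thread.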