
[hmh@debian.org: Re: Bug#1109035: amd64-microcode: 2024-36350/TSA-SQ and CVE-2024-36357/TSA-L1]



Hi,

(I've just claimed amd64-microcode, but as this package will need an
updated kernel, some coordination will be required until it is ready for
upload and of course stable / oldstable will need to have the fixes
too.)

It seems that the required kernel bits will be in 6.19 - 
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?h=x86/cpu&id=2a47c26e55a2bc085a2349ed1d4e065ee298155f

@ben: for coordination purposes, are there plans with respect to backporting those bits to
earlier kernels?

-- 
Cheers,
tobi


----- Forwarded message from Henrique de Moraes Holschuh <hmh@debian.org> -----

Date: Sun, 09 Nov 2025 18:14:23 -0300
From: Henrique de Moraes Holschuh <hmh@debian.org>
To: 1109035@bugs.debian.org, Tobias Frost <tobi@debian.org>
Subject: Re: Bug#1109035: amd64-microcode: 2024-36350/TSA-SQ and CVE-2024-36357/TSA-L1
X-Mailer: MessagingEngine.com Webmail Interface

AMD changes to avoid regressing outdated family 19h systems have shown up on linux-firmware recently, and there are patches to the kernel microcode driver on their way to mainline (they can be seen on the "tip" tree).

I am packaging the new microcode update to upload to *unstable*, but systems with outdated firmware are supposed to regress unless they also have the kernel changes, so updates to stable are still in the future.

It has also become very clear that:

1. Family 0x19 (Zen 2 to Zen 4) will have the choice of staying on the last Entrysign-vulnerable microcode release.  Obviously, they will remain vulnerable to Entrysign and everything else fixed since Entrysign, since they will *not* receive any new microcode updates.

2. Zen 5 systems have no such choice: all systems must update the firmware to fix Entrysign in order to receive microcode updates.

We can issue partial security updates to stable covering only family 0x1a (Zen 5) while we wait for the kernel-side changes that will enable us to ship the fixes for family 0x19 without regressing systems with outdated firmware.

-- 
  Henrique de Moraes Holschuh <hmh@debian.org>

----- End forwarded message -----
