
Bug#1079544: marked as done (bullseye-pu: package amd64-microcode/3.20240820.1~deb11u1)



Your message dated Sat, 31 Aug 2024 12:30:55 +0100
with message-id <27c418b1a49ffc566f1b9635359e59f6a742be26.camel@adam-barratt.org.uk>
and subject line Closing bugs for 11.11
has caused the Debian Bug report #1079544,
regarding bullseye-pu: package amd64-microcode/3.20240820.1~deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1079544: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079544
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]

I would like to bring the *firmware* update level for AMD processors in
Bullseye and Bookworm to match what we have in Sid and Trixie.  This is
the bug report for Bullseye; a separate one will be filed for Bookworm.

The update is a security update for AMD-SEV (AMD-SB-3003).  It does not
change the processor microcode.

[ Impact ]

These updates fix security issues on AMD SEV.

[ Tests ]

The package was tested, but AMD-SEV was not specifically tested.  I
could not find any reports of AMD-SEV issues due to this firmware
update though.

This update only changed a few docs and the binary blob files, so it is
as safe as what is already accepted for bullseye and bookworm.

[ Risks ]

AMD-SEV changes cannot cause boot regressions, but they could cause SEV
functionality regressions.  I am not aware of any regressions related
to this SEV firmware update.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

* Documentation was updated with upstream information

* Binary microcode blobs were updated with new upstream binary blobs.

[ Extra Information ]

Diff was generated from the git tree, in order to avoid excessive noise
due to the changes to the binary blobs.

diffstat:
 README                           |   20 ++++++++++++++++++++
 amd/amd_sev_fam17h_model3xh.sbin |binary
 amd/amd_sev_fam19h_model0xh.sbin |binary
 amd/amd_sev_fam19h_model1xh.sbin |binary
 amd/amd_sev_fam19h_modelaxh.sbin |binary
 debian/changelog                 |   30 ++++++++++++++++++++++++++++++
 6 files changed, 50 insertions(+)

-- 
  Henrique Holschuh

diff --git a/README b/README
index 63c0879..67a4e0e 100644
--- a/README
+++ b/README
@@ -11,6 +11,26 @@ amdtee/ currently includes firmware for the amd_pmf driver.
 
 latest commits in this release:
 
+commit ace84e6edc27bcba8e44ba8588e93a4c74a4fba1
+Author: John Allen <john.allen@amd.com>
+Date:   Tue Aug 20 18:26:55 2024 +0000
+
+    linux-firmware: Update AMD SEV firmware
+
+    Update AMD SEV firmware to version 0.24 build 20 for AMD family 17h processors
+    with models in the range 30h to 3fh.
+
+    Update AMD SEV firmware to version 1.55 build 21 for AMD family 19h processors
+    with models in the range 00h to 0fh.
+
+    Update AMD SEV firmware to version 1.55 build 37 for AMD family 19h processors
+    with models in the range 10h to 1fh.
+
+    Add AMD SEV firmware version 1.55 build 37 for AMD family 19h processors with
+    models in the range a0h to afh.
+
+    Signed-off-by: John Allen <john.allen@amd.com>
+
 commit 091bd5adf19c7ab01214c64689952acb4833b21d
 Author: John Allen <john.allen@amd.com>
 Date:   Wed Jul 10 14:58:02 2024 +0000
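
Review bot: the added README entry describes the SEV firmware bump only by version and build per family/model range and never mentions AMD-SB-3003 or the two CVEs, so someone reading README alone cannot tell this is a security update. Since README mirrors the upstream commit log that is understandable, but the advisory reference then lives only in debian/changelog; consider whether the package documentation should point readers there.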
diff --git a/amd/amd_sev_fam17h_model3xh.sbin b/amd/amd_sev_fam17h_model3xh.sbin
index ea49929..a1a59d4 100644
Binary files a/amd/amd_sev_fam17h_model3xh.sbin and b/amd/amd_sev_fam17h_model3xh.sbin differ
diff --git a/amd/amd_sev_fam19h_model0xh.sbin b/amd/amd_sev_fam19h_model0xh.sbin
index 9cde6ad..0e21813 100644
Binary files a/amd/amd_sev_fam19h_model0xh.sbin and b/amd/amd_sev_fam19h_model0xh.sbin differ
diff --git a/amd/amd_sev_fam19h_model1xh.sbin b/amd/amd_sev_fam19h_model1xh.sbin
index 529dcb5..5855e82 100644
Binary files a/amd/amd_sev_fam19h_model1xh.sbin and b/amd/amd_sev_fam19h_model1xh.sbin differ
diff --git a/amd/amd_sev_fam19h_modelaxh.sbin b/amd/amd_sev_fam19h_modelaxh.sbin
new file mode 100644
index 0000000..5855e82
Binary files /dev/null and b/amd/amd_sev_fam19h_modelaxh.sbin differ
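
Review bot: the new amd/amd_sev_fam19h_modelaxh.sbin is created with the same abbreviated blob id (5855e82) that amd/amd_sev_fam19h_model1xh.sbin is updated to, which indicates the two files carry the same content and matches the commit text giving both ranges version 1.55 build 37. Because the blobs are opaque in this diff, it would help to state that duplication explicitly and to record full checksums of the four .sbin files in the request, so the upload can be compared against the linux-firmware 20240820 originals.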
diff --git a/debian/changelog b/debian/changelog
index 3b97a91..dc29a0e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,33 @@
+amd64-microcode (3.20240820.1~deb11u1) bullseye; urgency=medium
+
+  * Rebuild for bullseye
+  * Revert merged-usr changes from unstable
+  * Revert move to non-free-firmware
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 24 Aug 2024 09:28:39 -0300
+
+amd64-microcode (3.20240820.1) unstable; urgency=high
+
+  * Update package data from linux-firmware 20240820
+    * New AMD-SEV firmware from AMD upstream (20240820)
+      + Updated SEV firmware:
+        Family 17h models 30h-3fh: version 0.24 build 20
+        Family 19h models 00h-0fh: version 1.55 build 21
+        Family 19h models 10h-1fh: version 1.55 build 37
+      + New SEV firmware:
+        Family 19h models a0h-afh: version 1.55 build 37
+  * SECURITY UPDATE (AMD-SB-3003):
+    * Mitigates CVE-2023-20584: IOMMU improperly handles certain special
+      address ranges with invalid device table entries (DTEs), which may allow
+      an attacker with privileges and a compromised Hypervisor to induce DTE
+      faults to bypass RMP checks in SEV-SNP, potentially leading to a loss of
+      guest integrity.
+    * Mitigates CVE-2023-31356: Incomplete system memory cleanup in SEV
+      firmware could allow a privileged attacker to corrupt guest private
+      memory, potentially resulting in a loss of data integrity.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Wed, 21 Aug 2024 21:31:07 -0300
+
 amd64-microcode (3.20240710.2~deb11u1) bullseye; urgency=high
 
   * Rebuild for bullseye
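
Review bot: the new top stanza for 3.20240820.1~deb11u1 is marked urgency=medium, while the 3.20240820.1 unstable entry it rebuilds and the previous bullseye entry 3.20240710.2~deb11u1 are both urgency=high. As this upload carries the AMD-SB-3003 mitigations (CVE-2023-20584, CVE-2023-31356), please confirm that the lower urgency is intentional. The stanza itself lists only the rebuild and the two reverts, so a short line noting that it brings the SEV firmware security update to bullseye would make the entry self-explanatory.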



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.11

Hi,

Each of these bugs relates to an update included in today's final
bullseye 11.11 point release.

Regards,

Adam

--- End Message ---
