
Bug#1108122: marked as done (bookworm-pu: package amd64-microcode/3.20250311.1~deb12u1)



Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1108122,
regarding bookworm-pu: package amd64-microcode/3.20250311.1~deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1108122: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108122
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org

[ Reason ]

I would like to bring the *firmware* update level for AMD processors in
Bookworm to match what we have in Sid, Trixie and Bullseye(!).

The AMD-SEV update (dated 20250221) is a security update for AMD-SB-3019
/ CVE-2024-56161, to make AMD-SEV compatible with systems that have
received updated firmware fixing the AMD microcode "EntrySign"
vulnerability.

The AMD microcode update (dated 20241121) fixes several functional
issues on AMD Family 17h and 19h processors.

[ Impact ]

These updates fix security issues on AMD SEV, and functional issues on
some AMD processors.

[ Tests ]

The package was tested, but AMD-SEV was not specifically tested.  I
could not find any reports of AMD-SEV issues due to this firmware update
though.

This update only changed a few docs and the binary blob files, and it
has been tested for long enough in Sid, Trixie and Bullseye.

[ Risks ]

I am not aware of any regressions related to the AMD SEV and AMD
microcode updates in this package.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

* Documentation was updated with upstream information

* Binary firmware blobs were updated with new upstream binary blobs.

[ Extra Information ]

Diff was generated from the git tree, in order to avoid excessive noise
due to the changes to the binary blobs.

diffstat:
 README                                 |   35 +++++++++++++++++++++++++
 amd-ucode/README                       |   17 +++++++++++-
 amd-ucode/microcode_amd_fam17h.bin     |binary
 amd-ucode/microcode_amd_fam17h.bin.asc |   16 +++++------
 amd-ucode/microcode_amd_fam19h.bin     |binary
 amd-ucode/microcode_amd_fam19h.bin.asc |   16 +++++------
 amd/amd_sev_fam19h_model0xh.sbin       |binary
 amd/amd_sev_fam19h_model1xh.sbin       |binary
 amd/amd_sev_fam19h_modelaxh.sbin       |binary
 amd/amd_sev_fam1ah_model0xh.sbin       |binary
 debian/changelog                       |   45 +++++++++++++++++++++++++++++++++
 11 files changed, 112 insertions(+), 17 deletions(-)

-- 
  Henrique Holschuh

diff --git a/README b/README
index 67a4e0e..ef55531 100644
--- a/README
+++ b/README
@@ -11,6 +11,41 @@ amdtee/ currently includes firmware for the amd_pmf driver.
 
 latest commits in this release:
 
+commit 3660cb7665df91e664b240c19c560f138d74f483
+Author: John Allen <john.allen@amd.com>
+Date:   Wed Feb 19 20:29:05 2025 +0000
+
+    linux-firmware: Update AMD SEV firmware
+
+    Update AMD SEV firmware to version 1.55 build 29 for AMD family 19h processors
+    with models in the range 00h to 0fh.
+
+    Update AMD SEV firmware to version 1.55 build 39 for AMD family 19h processors
+    with models in the range 10h to 1fh.
+
+    Update AMD SEV firmware to version 1.55 build 39 for AMD family 19h processors
+    with models in the range a0h to afh.
+
+    Add AMD SEV firmware version 1.55 build 54 for AMD family 1ah processors with
+    models in the range 00h to 0fh.
+
+    Signed-off-by: John Allen <john.allen@amd.com>
+
+commit 48bb90cceb882cab8e9ab692bc5779d3bf3a13b8
+Author: John Allen <john.allen@amd.com>
+Date:   Thu Nov 21 10:22:38 2024 -0600
+
+    linux-firmware: Update AMD cpu microcode
+
+    * Update AMD cpu microcode for processor family 17h
+    * Update AMD cpu microcode for processor family 19h
+
+    Key Name        = AMD Microcode Signing Key (for signing microcode container files only)
+    Key ID          = F328AE73
+    Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+
+    Signed-off-by: John Allen <john.allen@amd.com>
+
 commit ace84e6edc27bcba8e44ba8588e93a4c74a4fba1
 Author: John Allen <john.allen@amd.com>
 Date:   Tue Aug 20 18:26:55 2024 +0000
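
Review bot: the added SEV entry (commit 3660cb7665df...) lists only firmware versions and builds and never names AMD-SB-3019 or CVE-2024-56161, so someone reading the shipped README alone cannot tell that this is the security-relevant part of the update. The text is upstream's and should stay verbatim; the advisory reference therefore has to remain in debian/changelog, and it would help to say so in the request so a later changelog trim does not drop it.
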
diff --git a/amd-ucode/README b/amd-ucode/README
index 4f862af..138b24d 100644
--- a/amd-ucode/README
+++ b/amd-ucode/README
@@ -30,20 +30,35 @@ Microcode patches in microcode_amd_fam15h.bin:
 Microcode patches in microcode_amd_fam16h.bin:
   Family=0x16 Model=0x00 Stepping=0x01: Patch=0x0700010f Length=3458 bytes
 
+
 Microcode patches in microcode_amd_fam17h.bin:
+  Family=0x17 Model=0x71 Stepping=0x00: Patch=0x08701034 Length=3200 bytes
   Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126f Length=3200 bytes
   Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107c Length=3200 bytes
+  Family=0x17 Model=0x60 Stepping=0x01: Patch=0x0860010d Length=3200 bytes
   Family=0x17 Model=0x08 Stepping=0x02: Patch=0x0800820d Length=3200 bytes
-  Family=0x17 Model=0xa0 Stepping=0x00: Patch=0x08a00008 Length=3200 bytes
+  Family=0x17 Model=0xa0 Stepping=0x00: Patch=0x08a0000a Length=3200 bytes
+  Family=0x17 Model=0x68 Stepping=0x01: Patch=0x08608108 Length=3200 bytes
 
 Microcode patches in microcode_amd_fam19h.bin:
   Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a00107a Length=5568 bytes
+  Family=0x19 Model=0x7c Stepping=0x00: Patch=0x0a70c005 Length=5568 bytes
+  Family=0x19 Model=0x75 Stepping=0x02: Patch=0x0a705206 Length=5568 bytes
+  Family=0x19 Model=0x08 Stepping=0x02: Patch=0x0a00820c Length=5568 bytes
   Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101248 Length=5568 bytes
   Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00215 Length=5568 bytes
+  Family=0x19 Model=0x44 Stepping=0x01: Patch=0x0a404107 Length=5568 bytes
+  Family=0x19 Model=0x78 Stepping=0x00: Patch=0x0a708007 Length=5568 bytes
+  Family=0x19 Model=0x21 Stepping=0x00: Patch=0x0a20102d Length=5568 bytes
+  Family=0x19 Model=0x74 Stepping=0x01: Patch=0x0a704107 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001238 Length=5568 bytes
   Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101148 Length=5568 bytes
+  Family=0x19 Model=0x61 Stepping=0x02: Patch=0x0a601209 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d5 Length=5568 bytes
   Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes
+  Family=0x19 Model=0x18 Stepping=0x01: Patch=0x0a108108 Length=5568 bytes
+  Family=0x19 Model=0x50 Stepping=0x00: Patch=0x0a500011 Length=5568 bytes
+  Family=0x19 Model=0x21 Stepping=0x02: Patch=0x0a201210 Length=5568 bytes
 
 NOTE: For Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19 Model=0xa0),
 either AGESA version >= 1.0.0.8 OR a kernel with the following commit is
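
Review bot: in the microcode_amd_fam19h.bin list the entries for Model=0x01, Model=0x11 (Genoa) and Model=0xa0 (Bergamo) are all context lines, so none of those patch levels moves in this upload; every family 19h change here is a newly added model. That agrees with the changelog's statement that this update does not fix "EntrySign", and it is worth repeating in the [ Impact ] text, which currently reads as if the microcode part had security content. The three new family 17h entries, the 0x08a0000a bump and the eleven new family 19h entries do match the debian/changelog list line for line. The extra blank line added ahead of "Microcode patches in microcode_amd_fam17h.bin:" is whitespace noise, acceptable only because the file is copied from upstream.
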
diff --git a/amd-ucode/microcode_amd_fam17h.bin b/amd-ucode/microcode_amd_fam17h.bin
index ae94fee..4011bdb 100644
Binary files a/amd-ucode/microcode_amd_fam17h.bin and b/amd-ucode/microcode_amd_fam17h.bin differ
diff --git a/amd-ucode/microcode_amd_fam17h.bin.asc b/amd-ucode/microcode_amd_fam17h.bin.asc
index 7c42849..51afd22 100644
--- a/amd-ucode/microcode_amd_fam17h.bin.asc
+++ b/amd-ucode/microcode_amd_fam17h.bin.asc
@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmX+B5wACgkQ5L5TOfMo
-rnOyEQgAjcQdiUYTOecifIkRdvIotUmd0rYG4Y4atXIkcMKpuZXY3ipiIJQTi+zb
-fsTrrzqvfdS0FeG9GPePsgZwBvUCbvxbW+I2ffw4KXmZQh7J0WE3qYAEx3uV3IaE
-UtV6yM9OW6EEFuIwx8m2LQsl3bP6X/Cwgf3DEHlsVZzDexrYNU9lP/BkujpO0m/q
-s8PanPluQqesoaOm+DAQnceMC4r1jpfeZ3DShvyGqaNzB9HeOE2uQEfWW69cfkU9
-n3Lsqxjgl45EmKyNqqy5o3uMBwMJzl0jW2NR5k80+H65hv4Skclk6YCz651zx9C5
-bisCiEwf4gg7ffQPLYW9MCsK3yjTaQ==
-=vQEt
+iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmc/W5AACgkQ5L5TOfMo
+rnN+IQf/SpWITbAMKm22ZkUs6NOwgOV3bKx6D38BPQ3MRwAzfN8nTT9h33tlw0rc
+XdxdzfyRh+FJcweQHVOzLMLtUH6GwTFfGphjDBEFAhNLMZoeD29Z98IDaOQfWSJ2
+geGlZY7tfNZycN/NCYJqRON3MmpqAqoILp1tuck5JU+eQzcCGW5nn96LeAQc7Cin
+8q4X3FvYbRIGuiChSF3R9yxPIVtY1Pps/gtg9j0Q5zXBWN3Yb3OcRPCZi4xjZmDg
+FfYg79UzB2eM+HdoQ+ymqRgySLIqunBxcNP8pOkyrW0lxLEIhqj7TE++M6om/mwT
+pzUx+Q7L5FS9b/n3c7Hw0esH6yztcA==
+=1U/Y
 -----END PGP SIGNATURE-----
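
Review bot: the replaced detached signature cannot be checked from this diff, because the file it signs appears only as "Binary files ... differ". Before acceptance, run gpg --verify on microcode_amd_fam17h.bin.asc against the new microcode_amd_fam17h.bin, confirm the signer is the key the README hunk names (Key ID F328AE73, fingerprint FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73), and record the result under [ Tests ]. The same check applies to the microcode_amd_fam19h.bin.asc hunk that follows.
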
diff --git a/amd-ucode/microcode_amd_fam19h.bin b/amd-ucode/microcode_amd_fam19h.bin
index 4dcdca8..7646010 100644
Binary files a/amd-ucode/microcode_amd_fam19h.bin and b/amd-ucode/microcode_amd_fam19h.bin differ
diff --git a/amd-ucode/microcode_amd_fam19h.bin.asc b/amd-ucode/microcode_amd_fam19h.bin.asc
index dcd5a23..5f54185 100644
--- a/amd-ucode/microcode_amd_fam19h.bin.asc
+++ b/amd-ucode/microcode_amd_fam19h.bin.asc
@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmX9xsgACgkQ5L5TOfMo
-rnP2aQf/QBOiKUZsrVIbnn0+Ls84yDYovoesYriy1rbK+K5CVRb/0iqoFn5xKIu6
-bvyHN0fnj7Ko+oedNvcRCmlu+jiw08s3WArQb6r3fK4QT/2Wj2f+qX14uoFuCGUd
-QgZTc4hZxNxSZBbQuKVbtDmT0iFtV0jKBp/ajdYD9++rA+VcIemKtwX/sxEZnUFi
-fXg016uAs/Q9LQ5KWvz3VhFz2G77BEXjDIJNAHSVCxmWCvsd05kf1SbXUswlj/T8
-JtuH840zfZicZEk8e3grO4fSywLyrZCjqATSXa+XY63thCIglM9c6V+EBL3jGXxh
-Cs2tZH8/ge+tL/UBBJ8FdOZcVSpkeQ==
-=HHoV
+iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmc/W4EACgkQ5L5TOfMo
+rnPSAwf/UozBxuAEmSJMgUE3CVKyuvs0VpI1fvUpybW5Dqgz+6DLXtLJBFQLjLn1
+UlxhkHmiZ63QXazpu3QUBGUkUh5fpKDsn8P1XVRPTtOc4IMsWVlCh3RJwFpmQRqW
+8h30WDwxRzIb0VvGg8bclLGH/t1dozagk87eYbq9sz8I/qV9P/kd/BFifNSqANOq
+xQmb9oNFu3JuFHqNoLdR02dQ9T/l21TDoLQwjjyFwAY8B1JNQTjTlq6brfnOKICu
+SRF3PMAS+EOwplGtgUXYhgYBHNikKM9Vk7Ua3DFxcMm1ZKhL3Z+O0OloLapLaR3x
+HEivYRaVoKdVNZfl4rMsjyp7fnU07w==
+=ex8u
 -----END PGP SIGNATURE-----
diff --git a/amd/amd_sev_fam19h_model0xh.sbin b/amd/amd_sev_fam19h_model0xh.sbin
index 0e21813..a7400f1 100644
Binary files a/amd/amd_sev_fam19h_model0xh.sbin and b/amd/amd_sev_fam19h_model0xh.sbin differ
diff --git a/amd/amd_sev_fam19h_model1xh.sbin b/amd/amd_sev_fam19h_model1xh.sbin
index 5855e82..b4f88f2 100644
Binary files a/amd/amd_sev_fam19h_model1xh.sbin and b/amd/amd_sev_fam19h_model1xh.sbin differ
diff --git a/amd/amd_sev_fam19h_modelaxh.sbin b/amd/amd_sev_fam19h_modelaxh.sbin
index 5855e82..b4f88f2 100644
Binary files a/amd/amd_sev_fam19h_modelaxh.sbin and b/amd/amd_sev_fam19h_modelaxh.sbin differ
diff --git a/amd/amd_sev_fam1ah_model0xh.sbin b/amd/amd_sev_fam1ah_model0xh.sbin
new file mode 100644
index 0000000..dbbbcb9
Binary files /dev/null and b/amd/amd_sev_fam1ah_model0xh.sbin differ
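
Review bot: none of the four amd/*.sbin changes comes with a detached-signature change like the amd-ucode/*.bin.asc files, so nothing visible in this diff ties the new SEV blobs to upstream, and [ Tests ] says AMD-SEV was not specifically tested. Please state in the request that the blobs were compared (for example by checksum) against the linux-firmware 20250311 tree named in the changelog. The identical index line 5855e82..b4f88f2 for model1xh and modelaxh is consistent with the README giving both ranges version 1.55 build 39.
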
diff --git a/debian/changelog b/debian/changelog
index 26983aa..ded157a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,48 @@
+amd64-microcode (3.20250311.1~deb12u1) bookworm; urgency=medium
+
+  * Rebuild for bookworm (revert merged-usr changes from unstable)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Fri, 20 Jun 2025 11:36:35 -0300
+
+amd64-microcode (3.20250311.1) unstable; urgency=medium
+
+  * Update package data from linux-firmware 20250311
+  * New AMD-SEV firmware from AMD upstream (20250221)
+    * SECURITY UPDATE (AMD-SB-3019 / CVE-2024-56161):
+      Update remote attestation to be compatible with AMD systems with
+      up-to-date firmware (i.e. which fixes "EntrySign"), and update
+      AMD-SEV for AMD-SB-3019 mitigations.  Note that this AMD-SEV
+      update DOES NOT FIX the microcode "EntrySign" vulnerability.
+      (closes: #1095470)
+    + Updated SEV firmware:
+        Family 17h models 30h-3fh: version 0.24 build 20
+        Family 19h models 00h-0fh: version 1.55 build 29
+        Family 19h models 10h-1fh: version 1.55 build 39
+        Family 19h models a0h-afh: version 1.55 build 39
+      + New SEV firmware:
+        Family 1ah models 00h-0fh: version 1.55 build 54
+  * New AMD microcode updates from AMD upstream (20241121)
+    + Add patches for many (non-server) family 19h processors
+    * Updated Microcode patches:
+      + Family=0x17 Model=0xa0 Stepping=0x00: Patch=0x08a0000a
+    * New Microcode patches:
+      + Family=0x17 Model=0x60 Stepping=0x01: Patch=0x0860010d
+      + Family=0x17 Model=0x68 Stepping=0x01: Patch=0x08608108
+      + Family=0x17 Model=0x71 Stepping=0x00: Patch=0x08701034
+      + Family=0x19 Model=0x08 Stepping=0x02: Patch=0x0a00820c
+      + Family=0x19 Model=0x18 Stepping=0x01: Patch=0x0a108108
+      + Family=0x19 Model=0x21 Stepping=0x00: Patch=0x0a20102d
+      + Family=0x19 Model=0x21 Stepping=0x02: Patch=0x0a201210
+      + Family=0x19 Model=0x44 Stepping=0x01: Patch=0x0a404107
+      + Family=0x19 Model=0x50 Stepping=0x00: Patch=0x0a500011
+      + Family=0x19 Model=0x61 Stepping=0x02: Patch=0x0a601209
+      + Family=0x19 Model=0x74 Stepping=0x01: Patch=0x0a704107
+      + Family=0x19 Model=0x75 Stepping=0x02: Patch=0x0a705206
+      + Family=0x19 Model=0x78 Stepping=0x00: Patch=0x0a708007
+      + Family=0x19 Model=0x7c Stepping=0x00: Patch=0x0a70c005
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sun, 23 Mar 2025 21:13:20 -0300
+
 amd64-microcode (3.20240820.1~deb12u1) bookworm; urgency=medium
 
   * Rebuild for bookworm (revert merged-usr changes from unstable)
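
Review bot: under "Updated SEV firmware" the 3.20250311.1 entry lists "Family 17h models 30h-3fh: version 0.24 build 20", but the diffstat shows no family 17h SEV blob changing and the upstream SEV commit quoted in the README hunk names only family 19h and family 1ah. Either confirm which upload actually changed that firmware or mark the line as unchanged, so the security entry does not overstate what this update touches. Minor style point: "+ New SEV firmware:" is indented two columns deeper than its sibling "+ Updated SEV firmware:".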



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---
