[PATCH 0/1][SRU][P] x86/microcode/AMD: Add TSA microcode SHAs
AceLan Kao
acelan.kao at canonical.com
Wed Sep 3 04:54:56 UTC 2025
From: "Chia-Lin Kao (AceLan)" <acelan.kao at canonical.com>
BugLink: https://bugs.launchpad.net/bugs/2121417
[ Impact ]
When updating AMD microcodes with the package amd64-microcode, which
places the microcodes in `usr/lib/firmware/amd-ucode`, an update on the
allowed SHAs on the kernel side is needed since the following commit
included in upstream version 6.14:
50cef76d5cb0e199 x86/microcode/AMD: Load only SHA256-checksummed patches
There is an incoming update for amd64-microcode in security-proposed[1]
that fixes CVE-2024-36350 and CVE-2024-36357, and the patched version
needs to be in the mentioned allowed SHAs list.
Currently, when trying to run a plucky kernel with the proposed version of
amd64-microcode[2], the error is:
[ 0.000000] microcode: No sha256 digest for patch ID: 0xa60120a found
...
[ 0.741096] microcode: Current revision: 0x0a601203
The above error example is for an AMD Ryzen 9 7950X ("Raphael") but it could
happen with other processors and microcode versions as well.
The more concerning impact here is that, whenever the kernel doesn't know
about a patch (not in the checksummed list) it will end up downgrading to
the version originally available in the machine's platform initialization.
For example, in the above case, using a device available in testflinger[3],
it would be:
- machine's original microcode:
  - patch version 0x0a601203
- current amd64-microcode version: 3.20250311.1ubuntu0.25.04.1
  - patch version 0x0a601209
- updated amd64-microcode version: 3.20250708.0ubuntu0.25.04.2[2]
  - patch version 0x0a60120a
So, when running a kernel without the checksummed SHAs, the device is
not running with the previous version but with an outdated one,
exposing possibly already fixed issues.
[ Fix ]
Cherry-pick the following upstream commit:
* 2329f250e04d3b8e x86/microcode/AMD: Add TSA microcode SHAs
[ Test Plan ]
- On boot, get microcode version and logs with 'dmesg | grep microcode'
- Install amd64-microcode from security-proposed[1]
- Reboot
- Get microcode logs and check version update and sha256 digest error
[ Additional Information ]
[1] https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa
[2] https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=amd64-microcode&field.status_filter=published&field.series_filter=plucky
[3] https://certification.canonical.com/hardware/202409-35688/
Borislav Petkov (AMD) (1):
x86/microcode/AMD: Add TSA microcode SHAs
arch/x86/kernel/cpu/microcode/amd_shas.c | 112 +++++++++++++++++++++++
1 file changed, 112 insertions(+)
--
2.43.0
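The last test-plan step (check the dmesg microcode lines for the sha256 digest error and compare versions) as a small added script; this is not part of the patch or the cover letter, and the sample log lines are constructed after the two quoted above, not real captured output.

```shell
#!/bin/sh
# Constructed sample, modelled on the two dmesg lines quoted in the cover
# letter (not real captured output).
SAMPLE_DMESG='[    0.000000] microcode: No sha256 digest for patch ID: 0xa60120a found
[    0.741096] microcode: Current revision: 0x0a601203'

# check_microcode: read dmesg-style text on stdin and report whether the
# kernel rejected a microcode patch for lack of a SHA256 entry, and whether
# that rejection left the CPU on an older revision than the rejected patch.
# Prints one of: "UNKNOWN", "OK <rev>", "REJECTED <patch> <rev>",
# "DOWNGRADE <patch> <rev>".
check_microcode() {
    log=$(cat)
    rejected=$(printf '%s\n' "$log" \
        | sed -n 's/.*microcode: No sha256 digest for patch ID: \(0x[0-9a-fA-F]*\) found.*/\1/p' \
        | head -n 1)
    current=$(printf '%s\n' "$log" \
        | sed -n 's/.*microcode: Current revision: \(0x[0-9a-fA-F]*\).*/\1/p' \
        | tail -n 1)
    if [ -z "$current" ]; then
        echo "UNKNOWN"
        return 0
    fi
    if [ -z "$rejected" ]; then
        echo "OK $current"
        return 0
    fi
    # Patch ID and revision are hex with different zero padding, so compare
    # them numerically rather than as strings.
    if [ "$(( $rejected ))" -gt "$(( $current ))" ]; then
        echo "DOWNGRADE $rejected $current"
    else
        echo "REJECTED $rejected $current"
    fi
}

# Run against the constructed sample; on a real machine use:
#   dmesg | check_microcode
printf '%s\n' "$SAMPLE_DMESG" | check_microcode
```

A "DOWNGRADE" verdict is the case described under Impact: the kernel refused the newer patch and the CPU is left on the platform's original revision.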