NACK/Cmnt: [PATCH 0/1][SRU][P] x86/microcode/AMD: Add TSA microcode SHAs

Stefan Bader stefan.bader at canonical.com
Thu Sep 4 14:22:16 UTC 2025


On 03/09/2025 06:54, AceLan Kao wrote:
> From: "Chia-Lin Kao (AceLan)" <acelan.kao at canonical.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/2121417
> 
> [ Impact ]
> 
> When updating AMD microcodes with the package amd64-microcode, which
> places the microcodes in `usr/lib/firmware/amd-ucode`, an update on the
> allowed SHAs on the kernel side is needed since the following commit
> included in upstream version 6.14:
>   50cef76d5cb0e199 x86/microcode/AMD: Load only SHA256-checksummed patches
> 
> There is an incoming update for amd64-microcode in security-proposed[1]
> that fixes CVE-2024-36350, and CVE-2024-36357 that needs to have the
> patched version in the mentioned allowed SHAs list.
> 
> Currently, when trying to run a plucky kernel with the proposed version of
> amd64-microcode[2], the error is:
> [ 0.000000] microcode: No sha256 digest for patch ID: 0xa60120a found
> ...
> [ 0.741096] microcode: Current revision: 0x0a601203
> 
> Above example of error is for AMD Ryzen 9 7950X ("Raphael") but could
> happen with other processors and microcode version as well.
> 
> The more concerning impact here is that, whenever the kernel doesn't know
> about a patch (not in the checksummed list) it will end up downgrading to
> the version originally available in the machine's platform initialization.
> 
> For example, in the above case, using a device available in testflinger[3],
> it would be:
> - machine's original microcode:
>    - patch version 0x0a601203
> - current amd64-microcode version: 3.20250311.1ubuntu0.25.04.1
>    - patch version 0x0a601209
> - updated amd64-microcode version: 3.20250708.0ubuntu0.25.04.2[2]
>    - patch version 0x0a60120a
> 
> So, when running a kernel without the checksummed SHAs the device is
> not running with the previous version but with an outdated version
> uncovering possible already fixed issues.
> 
> [ Fix ]
> 
> Cherry-pick following upstream commit:
> 
> * 2329f250e04d3b8e x86/microcode/AMD: Add TSA microcode SHAs
> 
> [ Test Plan ]
> 
> - On boot, get microcode version and logs with 'dmesg | grep microcode'
> - Install amd64-microcode from security-proposed[1]
> - Reboot
> - Get microcode logs and check version update and sha256 digest error
> 
> [ Additional Information ]
> 
> [1] https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa
> [2] https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=amd64-microcode&field.status_filter=published&field.series_filter=plucky
> [3] https://certification.canonical.com/hardware/202409-35688/
> 
> Borislav Petkov (AMD) (1):
>    x86/microcode/AMD: Add TSA microcode SHAs
> 
>   arch/x86/kernel/cpu/microcode/amd_shas.c | 112 +++++++++++++++++++++++
>   1 file changed, 112 insertions(+)
> 



Rejected for the following reasons:
There is already an identical submission in review which has not been
NACKed (Aug-28 by Rodrigo Figueiredo Zaiden <rodrigo.zaiden at canonical.com>)


-Stefan
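The test plan quoted above asks to collect 'dmesg | grep microcode' output before and after installing the proposed amd64-microcode and to check the reported revision and the sha256 digest error. Below is an added example, not part of this thread or of the kernel patch, of a POSIX shell check that parses such log lines and reports whether the kernel refused a patch for lacking an allowlisted SHA256 digest (and so is running the platform's older revision) or is running the revision the package is expected to provide. The two log lines from the cover letter are used as a constructed sample; the function names and the expected-revision argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): evaluate the
# "dmesg | grep microcode" output described in the test plan.

# Constructed sample: the two lines quoted in the cover letter, i.e. the
# kernel lacks the SHA for patch 0xa60120a and stays on the older revision.
SAMPLE_BAD='[    0.000000] microcode: No sha256 digest for patch ID: 0xa60120a found
[    0.741096] microcode: Current revision: 0x0a601203'

# Constructed sample of a successful load of the expected revision.
SAMPLE_GOOD='[    0.000000] microcode: Current revision: 0x0a60120a'

# Print the running microcode revision found in log lines on stdin.
current_revision() {
    sed -n 's/.*microcode: Current revision: \(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Print the patch ID the kernel refused for lack of an allowlisted digest.
rejected_patch() {
    sed -n 's/.*microcode: No sha256 digest for patch ID: \(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Compare two hex revisions numerically, so 0xa60120a equals 0x0a60120a
# (the rejection message and the revision message differ in zero padding).
hex_eq() {
    [ "$(printf '%d' "$1")" -eq "$(printf '%d' "$2")" ]
}

# check_microcode LOG EXPECTED_REVISION
# Exit status: 0 running EXPECTED_REVISION; 1 kernel rejected a patch
# (allowlist missing the SHA, running an older revision); 2 no rejection
# logged but the revision does not match EXPECTED_REVISION.
check_microcode() {
    log=$1
    expected=$2
    rev=$(printf '%s\n' "$log" | current_revision)
    rej=$(printf '%s\n' "$log" | rejected_patch)
    if [ -n "$rej" ]; then
        echo "rejected patch=$rej running=$rev"
        return 1
    fi
    if [ -n "$rev" ] && hex_eq "$rev" "$expected"; then
        echo "ok running=$rev"
        return 0
    fi
    echo "mismatch running=${rev:-unknown} expected=$expected"
    return 2
}

# Live use on a machine under test (the expected revision is the patch
# version the installed amd64-microcode package carries, e.g. 0x0a60120a
# for the Raphael example above):
#   check_microcode "$(dmesg | grep microcode)" 0x0a60120a
```

The numeric comparison matters because the rejection message prints the patch ID without the leading zero that the "Current revision" line carries; a plain string comparison would miss the match. A non-zero status from the check is the condition the [Impact] section warns about: the machine has silently fallen back to the platform's original microcode rather than the previously installed one.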