Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]

I would like to bring the *firmware* update level for AMD processors in
Bullseye and Bookworm to match what we have in Sid and Trixie.  This is
the bug report for Bullseye, a separate one will be filed for Bookworm.

The update is a security update for AMD-SEV (AMD-SB-3003).  It does not
change the processor microcode.

[ Impact ]

These updates fix security issues on AMD SEV.

[ Tests ]

The package was tested, but AMD-SEV was not specifically tested.  I
could not find any reports of AMD-SEV issues due to this firmware
update though.

This update only changed a few docs and the binary blob files, so it is
as safe as what is already accepted for bullseye and bookworm.

[ Risks ]

AMD-SEV changes cannot cause boot regressions, but they could cause SEV
functionality regressions.  I am not aware of any regressions related
to this SEV firmware update.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

* Documentation was updated with upstream information

* Binary microcode blobs were updated with new upstream binary blobs.

[ Extra Information ]

Diff was generated from the git tree, in order to avoid excessive noise
due to the changes to the binary blobs.

diffstat:
 README                           |   20 ++++++++++++++++++++
 amd/amd_sev_fam17h_model3xh.sbin |binary
 amd/amd_sev_fam19h_model0xh.sbin |binary
 amd/amd_sev_fam19h_model1xh.sbin |binary
 amd/amd_sev_fam19h_modelaxh.sbin |binary
 debian/changelog                 |   30 ++++++++++++++++++++++++++++++
 6 files changed, 50 insertions(+)

-- 
  Henrique Holschuh

diff --git a/README b/README
index 63c0879..67a4e0e 100644
--- a/README
+++ b/README
@@ -11,6 +11,26 @@ amdtee/ currently includes firmware for the amd_pmf driver.
 
 latest commits in this release:
 
+commit ace84e6edc27bcba8e44ba8588e93a4c74a4fba1
+Author: John Allen <john.al...@amd.com>
+Date:   Tue Aug 20 18:26:55 2024 +0000
+
+    linux-firmware: Update AMD SEV firmware
+
+    Update AMD SEV firmware to version 0.24 build 20 for AMD family 17h processors
+    with models in the range 30h to 3fh.
+
+    Update AMD SEV firmware to version 1.55 build 21 for AMD family 19h processors
+    with models in the range 00h to 0fh.
+
+    Update AMD SEV firmware to version 1.55 build 37 for AMD family 19h processors
+    with models in the range 10h to 1fh.
+
+    Add AMD SEV firmware version 1.55 build 37 for AMD family 19h processors with
+    models in the range a0h to afh.
+
+    Signed-off-by: John Allen <john.al...@amd.com>
+
 commit 091bd5adf19c7ab01214c64689952acb4833b21d
 Author: John Allen <john.al...@amd.com>
 Date:   Wed Jul 10 14:58:02 2024 +0000
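Review bot: the new README entry records only the four version/build numbers and not the advisory that motivates this backport, so someone reading the shipped README cannot tell that this is the AMD-SB-3003 update; consider adding a line referencing AMD-SB-3003 and the two CVEs next to the `Update AMD SEV firmware` entry, as the changelog hunk does.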
diff --git a/amd/amd_sev_fam17h_model3xh.sbin b/amd/amd_sev_fam17h_model3xh.sbin
index ea49929..a1a59d4 100644
Binary files a/amd/amd_sev_fam17h_model3xh.sbin and b/amd/amd_sev_fam17h_model3xh.sbin differ
diff --git a/amd/amd_sev_fam19h_model0xh.sbin b/amd/amd_sev_fam19h_model0xh.sbin
index 9cde6ad..0e21813 100644
Binary files a/amd/amd_sev_fam19h_model0xh.sbin and b/amd/amd_sev_fam19h_model0xh.sbin differ
diff --git a/amd/amd_sev_fam19h_model1xh.sbin b/amd/amd_sev_fam19h_model1xh.sbin
index 529dcb5..5855e82 100644
Binary files a/amd/amd_sev_fam19h_model1xh.sbin and b/amd/amd_sev_fam19h_model1xh.sbin differ
diff --git a/amd/amd_sev_fam19h_modelaxh.sbin b/amd/amd_sev_fam19h_modelaxh.sbin
new file mode 100644
index 0000000..5855e82
Binary files /dev/null and b/amd/amd_sev_fam19h_modelaxh.sbin differ
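Review bot: the debdiff cannot show what changed inside the four .sbin blobs, so acceptance should rest on comparing their hashes with the amd/ directory of linux-firmware 20240820 (the source named in the changelog) rather than on this diff. Note that the new amd/amd_sev_fam19h_modelaxh.sbin has blob id 5855e82, identical to the updated amd/amd_sev_fam19h_model1xh.sbin (529dcb5..5855e82); this is consistent with the README stating version 1.55 build 37 for both, and means the model1xh blob is reused byte-for-byte for models a0h-afh.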
diff --git a/debian/changelog b/debian/changelog
index 3b97a91..dc29a0e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,33 @@
+amd64-microcode (3.20240820.1~deb11u1) bullseye; urgency=medium
+
+  * Rebuild for bullseye
+  * Revert merged-usr changes from unstable
+  * Revert move to non-free-firmware
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Sat, 24 Aug 2024 09:28:39 -0300
+
+amd64-microcode (3.20240820.1) unstable; urgency=high
+
+  * Update package data from linux-firmware 20240820
+    * New AMD-SEV firmware from AMD upstream (20240820)
+      + Updated SEV firmware:
+        Family 17h models 30h-3fh: version 0.24 build 20
+        Family 19h models 00h-0fh: version 1.55 build 21
+        Family 19h models 10h-1fh: version 1.55 build 37
+      + New SEV firmware:
+        Family 19h models a0h-afh: version 1.55 build 37
+  * SECURITY UPDATE (AMD-SB-3003):
+    * Mitigates CVE-2023-20584: IOMMU improperly handles certain special
+      address ranges with invalid device table entries (DTEs), which may allow
+      an attacker with privileges and a compromised Hypervisor to induce DTE
+      faults to bypass RMP checks in SEV-SNP, potentially leading to a loss of
+      guest integrity.
+    * Mitigates CVE-2023-31356: Incomplete system memory cleanup in SEV
+      firmware could allow a privileged attacker to corrupt guest private
+      memory, potentially resulting in a loss of data integrity.
+
+ -- Henrique de Moraes Holschuh <h...@debian.org>  Wed, 21 Aug 2024 21:31:07 -0300
+
 amd64-microcode (3.20240710.2~deb11u1) bullseye; urgency=high
 
   * Rebuild for bullseye
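Review bot: the 3.20240820.1 entry groups all four firmware updates under one SECURITY UPDATE (AMD-SB-3003) heading but does not say which of them carry the CVE-2023-20584 / CVE-2023-31356 fixes; if the family 17h models 30h-3fh update (0.24 build 20) is unrelated maintenance, say so, and in either case list the previous version/build next to each new one so stable users can tell from the changelog alone whether the firmware their host reports is pre- or post-fix.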

Attachment: signature.asc
Description: PGP signature
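As an added example that is not part of the bug report or of the amd64-microcode package: a check that a host has actually loaded SEV firmware at or above the builds listed in the changelog above. It assumes the version line printed by the kernel's ccp driver has the form `SEV API:<major>.<minor> build:<build>` (taken from drivers/crypto/ccp/sev-dev.c; treat the exact format as an assumption) and reads the CPU family and model from /proc/cpuinfo. The cpuinfo and dmesg samples inside the block are constructed.

```python
"""Check whether the SEV firmware a host reports is at or above the builds
shipped in amd64-microcode 3.20240820.1 (the AMD-SB-3003 update).

Constructed example; not code from the Debian bug report or the package.
Assumptions:
  * the ccp driver logs "ccp <pci-id>: SEV API:<major>.<minor> build:<build>"
    (format taken from drivers/crypto/ccp/sev-dev.c);
  * family and model are read from the "cpu family" / "model" lines of
    /proc/cpuinfo, which are decimal.
"""
import re
import subprocess

# Minimum (api_major, api_minor, build) per family and model range, copied
# from the 3.20240820.1 changelog entry above.
FIXED_BUILDS = {
    (0x17, range(0x30, 0x40)): (0, 24, 20),
    (0x19, range(0x00, 0x10)): (1, 55, 21),
    (0x19, range(0x10, 0x20)): (1, 55, 37),
    (0x19, range(0xA0, 0xB0)): (1, 55, 37),
}

# Assumed ccp log format; the PCI id is not anchored so a dmesg timestamp
# prefix does not matter.
SEV_API_RE = re.compile(r"ccp \S+: SEV API:(\d+)\.(\d+) build:(\d+)")

# Constructed samples: an EPYC 7003-class CPU (family 19h, model 01h).
CPUINFO_MILAN = (
    "processor\t: 0\n"
    "vendor_id\t: AuthenticAMD\n"
    "cpu family\t: 25\n"
    "model\t\t: 1\n"
    "model name\t: AMD EPYC 7313P 16-Core Processor\n"
)
DMESG_OLD = "[    9.1] ccp 0000:22:00.1: SEV API:1.55 build:20\n"
DMESG_FIXED = (
    "[    9.1] ccp 0000:22:00.1: SEV API:1.55 build:20\n"
    "[    9.4] ccp 0000:22:00.1: SEV firmware update successful\n"
    "[    9.4] ccp 0000:22:00.1: SEV API:1.55 build:21\n"
)


def required_build(family, model):
    """Minimum build the package ships for this CPU, or None if not covered."""
    for (fam, models), version in FIXED_BUILDS.items():
        if fam == family and model in models:
            return version
    return None


def parse_cpuinfo(text):
    """Return (family, model) from /proc/cpuinfo text, first core only."""
    family = model = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "cpu family" and family is None:
            family = int(value)
        elif key == "model" and model is None:  # "model name" does not match
            model = int(value)
    return family, model


def parse_sev_api(dmesg):
    """Return the last (major, minor, build) logged; the driver may log the
    version both before and after DOWNLOAD_FIRMWARE, so the last one wins."""
    found = None
    for match in SEV_API_RE.finditer(dmesg):
        found = tuple(int(g) for g in match.groups())
    return found


def sev_firmware_status(cpuinfo, dmesg):
    """'fixed', 'vulnerable', 'sev-not-initialised' or 'not-covered'."""
    family, model = parse_cpuinfo(cpuinfo)
    needed = required_build(family, model)
    loaded = parse_sev_api(dmesg)
    if needed is None:
        return "not-covered"
    if loaded is None:
        return "sev-not-initialised"
    # Tuple comparison orders by API major, then minor, then build.
    return "fixed" if loaded >= needed else "vulnerable"


if __name__ == "__main__":
    # Live check on the running host (needs permission to read dmesg).
    with open("/proc/cpuinfo") as f:
        cpuinfo = f.read()
    dmesg = subprocess.run(["dmesg"], capture_output=True, text=True).stdout
    print(sev_firmware_status(cpuinfo, dmesg))
```

The SEV firmware is applied by the ccp driver when it initialises, not by the late microcode loader, so a host that has merely installed the new package keeps reporting the old build until it reboots (or the ccp driver is reloaded); the check is only meaningful against the current boot's kernel log.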