Hi Henrique,

On Sat, Mar 08, 2025 at 12:56:25PM -0300, Henrique de Moraes Holschuh wrote:
> retitle 1095470  amd64-microcode: CVE-2024-56161 updated AMD-SEV FW needed to 
> pass attestation
> severity 1095470 important
> clone 1095470 -1
> tag 1095470 + fixed-upstream
> retitle -1  amd64-microcode: CVE-2024-36347 weak microcode update validation
> tag -1 = upstream security wontfix
> severity -1 important
> thanks
> 
> Please let me clarify some details.  If this is incorrect, please provide 
> pointers to the relevant documentation/artifacts:
> 
> There is NO *operating-system-loadable* microcode update available from AMD 
> to address the root issue (weak microcode validation) at this time.   And 
> public documentation states the root-cause fix must be done through a system 
> firmware (UEFI) update.
> 
> https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html
> 
> Maybe this will change, and if it doesn't, maybe lesser mitigations (such as 
> blocking further microcode updates) will become available: I understand 
> running a minimal kernel-monitor secure hypervisor should be able to block 
> the MSR writes that trigger a microcode update, for example.
> 
> So, AMD-SB-7033 / CVE-2024-36347 is unactionable by package amd64-microcode 
> at this time.
> 
> I will clone the bug to split the two CVEs into their own bugs, and tag the 
> one for CVE-2024-36347 "wontfix" accordingly.  I will also downgrade its 
> severity to "important", since unactionable grave bugs can block actionable 
> fixes from propagating to testing, etc.  Should the situation change 
> (hopefully it will), we can revisit this.
> 
> 
> Now, for CVE-2024-56161, which is the AMD-SEV side of the issue.
> 
> There is a pending AMD-SEV loadable firmware update from 2025/02/29, and I 
> will package it soon (but I'd rather hear back from AMD about a few details, 
> first).  However, I understand from AMD SB-3019 that the SEV firmware update 
> will just ensure that SEV remote attestation can succeed on updated firmware. 
> It is relevant for CVE-2024-56161, yes, but it is NOT FIXING the underlying 
> issue at all.
> 
> https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html
> 
> Note that CVE-2024-56161 is mitigated by ensuring no SEV payload attestation 
> can succeed on outdated firmware (and you don't need to do anything for THAT: 
> the SEV payload providers are already on it), and by allowing attestation to 
> succeed on updated firmware.
> 
> What is missing in Debian is a way for SEV payloads to pass attestation *on 
> systems with updated firmware*, and THAT is what the pending SEV firmware 
> update is about.  I changed the bug title accordingly.
> 
> Since AMD-SEV is *not* officially supported in Debian anyway, I will 
> downgrade the SEV bug's severity to important as well.
> 
> More information about AMD-SEV:
> https://www.amd.com/en/developer/sev.html

Thanks for your analysis, I have tried to reflect the status in the
security-tracker for both CVEs now.

AFAIU, there are "stop-gap" mitigations in Kernel and Xen as well
which are implemented (and for the kernel they did already land in
6.12.18 and 6.13.6):

https://www.openwall.com/lists/oss-security/2025/03/06/3

Regards,
Salvatore