Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
As requested by the security team, I would like to bring the *firmware* update level for AMD processors in Bullseye and Bookworm to match what we have in Sid and Trixie. This is the bug report for Bookworm, a separate one will be filed for Bullseye.

The microcode update is a security update for "Sinkclose", plus unspecified functional issues.

This update not only syncs the processor microcode updates and AMD SEV firmware with what we distribute in Sid and Trixie, but also adds the firmware data files for AMD-TEE. It does NOT enable AMD TEE by itself.

[ Impact ]
These updates fix security issues on AMD server processors, as well as unspecified functional issues.

[ Tests ]
The recent dpkg-trigger functionality was tested, including by manual error injection so that the error paths were exercised. It has already been in Trixie and Sid for a few days, and nobody reported issues with it.

There are no reports from users of AMD processors of any regressions due to the microcode update.

The TEE changes have been tested in Sid and Trixie since 2024-01.
The SEV firmware update has been tested in Sid and Trixie since 2023-08.

Installation was tested on a bookworm container with amd64-microcode and all other firmware packages installed, to ensure there are no file collisions.

[ Risks ]
Microcode updates are known to seldom cause boot hangs on specific systems, and to very rarely cause runtime regressions. These are no different, but I could not find any reports of such issues.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
* Direct calls to "update-initramfs -u" were replaced with the equivalent of:
    dpkg-trigger --no-await update-initramfs || update-initramfs -u
  in both postinst and postrm.
* Documentation was updated with upstream information
* Binary microcode blobs were updated with new upstream binary blobs.

[ Extra Information ]
Diff was generated from the git tree, in order to avoid excessive noise due to the changes to the binary blobs.

diffstat:
 LICENSE.amd_pmf                                |   51 +++++++++++
 README                                         |  110 ++++++++++++++++++++++++-
 amd-ucode/README                               |   25 +++--
 amd-ucode/microcode_amd_fam17h.bin             |binary
 amd-ucode/microcode_amd_fam17h.bin.asc         |   16 +--
 amd-ucode/microcode_amd_fam19h.bin             |binary
 amd-ucode/microcode_amd_fam19h.bin.asc         |   16 +--
 amd/amd_sev_fam19h_model0xh.sbin               |binary
 amd/amd_sev_fam19h_model1xh.sbin               |binary
 amdtee/773bd96f-b83f-4d52-b12dc529b13d8543.bin |binary
 amdtee/amd_pmf_v3.bin                          |    1
 debian/README.Debian                           |   10 --
 debian/amd64-microcode.dirs                    |    1
 debian/amd64-microcode.install                 |    1
 debian/amd64-microcode.postinst                |   11 +-
 debian/amd64-microcode.postrm                  |    7 -
 debian/changelog                               |   86 +++++++++++++++++++
 debian/control                                 |   14 ++-
 debian/copyright                               |   59 +++++++++++++
 19 files changed, 361 insertions(+), 47 deletions(-)

--
Henrique Holschuh

diff --git a/LICENSE.amd_pmf b/LICENSE.amd_pmf new file mode 100644 index 0000000..349e207 --- /dev/null +++ b/LICENSE.amd_pmf 
@@ -0,0 +1,51 @@ +Copyright (C) 2023 Advanced Micro Devices, Inc. All rights reserved. + +REDISTRIBUTION: Permission is hereby granted, free of any license fees, +to any person obtaining a copy of this microcode (the "Software"), to +install, reproduce, copy and distribute copies, in binary form only, of +the Software and to permit persons to whom the Software is provided to +do the same, provided that the following conditions are met: + +No reverse engineering, decompilation, or disassembly of this Software +is permitted. + +Redistributions must reproduce the above copyright notice, this +permission notice, and the following disclaimers and notices in the +Software documentation and/or other materials provided with the +Software. + +DISCLAIMER: THE USE OF THE SOFTWARE IS AT YOUR SOLE RISK. THE SOFTWARE +IS PROVIDED "AS IS" AND WITHOUT WARRANTY OF ANY KIND AND COPYRIGHT +HOLDER AND ITS LICENSORS EXPRESSLY DISCLAIM ALL WARRANTIES, EXPRESS AND +IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. +COPYRIGHT HOLDER AND ITS LICENSORS DO NOT WARRANT THAT THE SOFTWARE WILL +MEET YOUR REQUIREMENTS, OR THAT THE OPERATION OF THE SOFTWARE WILL BE +UNINTERRUPTED OR ERROR-FREE. THE ENTIRE RISK ASSOCIATED WITH THE USE OF +THE SOFTWARE IS ASSUMED BY YOU. FURTHERMORE, COPYRIGHT HOLDER AND ITS +LICENSORS DO NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE +OR THE RESULTS OF THE USE OF THE SOFTWARE IN TERMS OF ITS CORRECTNESS, +ACCURACY, RELIABILITY, CURRENTNESS, OR OTHERWISE. 
+ +DISCLAIMER: UNDER NO CIRCUMSTANCES INCLUDING NEGLIGENCE, SHALL COPYRIGHT +HOLDER AND ITS LICENSORS OR ITS DIRECTORS, OFFICERS, EMPLOYEES OR AGENTS +("AUTHORIZED REPRESENTATIVES") BE LIABLE FOR ANY INCIDENTAL, INDIRECT, +SPECIAL OR CONSEQUENTIAL DAMAGES (INCLUDING DAMAGES FOR LOSS OF BUSINESS +PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, AND THE +LIKE) ARISING OUT OF THE USE, MISUSE OR INABILITY TO USE THE SOFTWARE, +BREACH OR DEFAULT, INCLUDING THOSE ARISING FROM INFRINGEMENT OR ALLEGED +INFRINGEMENT OF ANY PATENT, TRADEMARK, COPYRIGHT OR OTHER INTELLECTUAL +PROPERTY RIGHT EVEN IF COPYRIGHT HOLDER AND ITS AUTHORIZED +REPRESENTATIVES HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN +NO EVENT SHALL COPYRIGHT HOLDER OR ITS AUTHORIZED REPRESENTATIVES TOTAL +LIABILITY FOR ALL DAMAGES, LOSSES, AND CAUSES OF ACTION (WHETHER IN +CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE) EXCEED THE AMOUNT OF +US$10. + +Notice: The Software is subject to United States export laws and +regulations. You agree to comply with all domestic and international +export laws and regulations that apply to the Software, including but +not limited to the Export Administration Regulations administered by the +U.S. Department of Commerce and International Traffic in Arm Regulations +administered by the U.S. Department of State. These laws include +restrictions on destinations, end users and end use. diff --git a/README b/README index 798d2e7..63c0879 100644 --- a/README +++ b/README 
@@ -1,13 +1,117 @@ This amd64-microcode release was based on the linux-firmware tree. The linux-firmware tree can be found in kernel.org. -It includes AMD-SEV firmware and AMD-UCODE firmware. The package -version is now based on the linux-firmware release tag that included -the newest of either amd-ucode or amd-sev. +It includes AMD-SEV firmware, AMD-UCODE firmware, and AMD-TEE applications +(which are often firmware for other AMD drivers). The package version is now +based on the linux-firmware release tag that included the newest of any of the +included firmware. + +amdtee/ currently includes firmware for the amd_pmf driver. latest commits in this release: +commit 091bd5adf19c7ab01214c64689952acb4833b21d +Author: John Allen <john.al...@amd.com> +Date: Wed Jul 10 14:58:02 2024 +0000 + + linux-firmware: Update AMD cpu microcode + + * Update AMD cpu microcode for processor family 17h + * Update AMD cpu microcode for processor family 19h + + Key Name = AMD Microcode Signing Key (for signing microcode container files only) + Key ID = F328AE73 + Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73 + + Signed-off-by: John Allen <john.al...@amd.com> + +commit a193c6517fbfc0e7a4e2f8b06cb2742a82a8dd63 +Author: John Allen <john.al...@amd.com> +Date: Tue Jan 16 21:07:43 2024 +0000 + + linux-firmware: Update AMD cpu microcode + + * Update AMD cpu microcode for processor family 19h + + Key Name = AMD Microcode Signing Key (for signing microcode container files only) + Key ID = F328AE73 + Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73 + + 
Signed-off-by: John Allen <john.al...@amd.com> + +commit bfc33c1e308e1ebd5f216781ea0b091c2379bbb2 +Author: John Allen <john.al...@amd.com> +Date: Tue Dec 5 20:10:11 2023 +0000 + + linux-firmware: Update AMD cpu microcode + + * Update AMD cpu microcode for processor family 17h + + Key Name = AMD Microcode Signing Key (for signing microcode container files only) + Key ID = F328AE73 + Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73 + + Signed-off-by: John Allen <john.al...@amd.com> + +commit 06afd7f939c5b245b2af9e0fee13026f2aaf77fa +Author: John Allen <john.al...@amd.com> +Date: Thu Oct 19 17:03:20 2023 +0000 + + linux-firmware: Update AMD cpu microcode + + * Update AMD cpu microcode for processor family 19h + + Key Name = AMD Microcode Signing Key (for signing microcode container files only) + Key ID = F328AE73 + Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73 + + Signed-off-by: John Allen <john.al...@amd.com> + +commit 328beacb005045b313cd36a217ffbe8d9c37090a +Author: Shyam Sundar S K <shyam-sundar....@amd.com> +Date: Tue Sep 26 21:11:07 2023 +0530 + + amd_pmf: Add initial PMF TA for Smart PC Solution Builder + + AMD PMF driver loads the PMF TA (Trusted Application) into the AMD + ASP's (AMD Security Processor) TEE (Trusted Execution Environment). + + PMF Trusted Application is a secured firmware placed under + /lib/firmware/amdtee gets loaded only when the TEE environment is + initialized. This Firmware adds the initial support for PMF Smart + PC Solution Builder. + + 
Signed-off-by: Shyam Sundar S K <shyam-sundar....@amd.com> + +commit d252e92d50c02623ea9da0a140240f6d7ac4558e +Author: Sandipan Das <sandipan....@amd.com> +Date: Thu Sep 14 20:16:51 2023 +0530 + + linux-firmware: amd-ucode: Add note on fam19h warnings + + When running 5.19+ kernels on Genoa or Bergamo systems, some microcode + patches are known to trigger warnings in the PMI handler. Add a note + to list the required minimum patch levels for addressing this problem. + + Signed-off-by: Sandipan Das <sandipan....@amd.com> + Signed-off-by: Josh Boyer <jwbo...@kernel.org> + +commit 97e88a0d70825d7dc0635d8d898c393b6144ebcc +Author: John Allen <john.al...@amd.com> +Date: Wed Aug 23 20:28:06 2023 +0000 + + linux-firmware: Update AMD SEV firmware + + Update AMD SEV firmware version 1.55 build 8 for AMD family 19h processors + with models in the range 00h to 0fh. + + Add AMD SEV firmware version 1.55 build 21 for AMD family 19h processors + with models in the range 10h to 1fh. + + Signed-off-by: John Allen <john.al...@amd.com> + Signed-off-by: Josh Boyer <jwbo...@kernel.org> + commit f2eb058afc57348cde66852272d6bf11da1eef8f Author: John Allen <john.al...@amd.com> Date: Tue Aug 8 19:02:39 2023 +0000 diff --git a/amd-ucode/README b/amd-ucode/README index fac1152..4f862af 100644 --- a/amd-ucode/README +++ b/amd-ucode/README 
@@ -31,18 +31,18 @@ Microcode patches in microcode_amd_fam16h.bin: Family=0x16 Model=0x00 Stepping=0x01: Patch=0x0700010f Length=3458 bytes Microcode patches in microcode_amd_fam17h.bin: + Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126f Length=3200 bytes + Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107c Length=3200 bytes Family=0x17 Model=0x08 Stepping=0x02: Patch=0x0800820d Length=3200 bytes - Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107a Length=3200 bytes Family=0x17 Model=0xa0 Stepping=0x00: Patch=0x08a00008 Length=3200 bytes - Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126e Length=3200 bytes Microcode patches in microcode_amd_fam19h.bin: - Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e Length=5568 bytes - Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e Length=5568 bytes - Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 Length=5568 bytes - Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d1 Length=5568 bytes - Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001079 Length=5568 bytes - Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001234 Length=5568 bytes + Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a00107a Length=5568 bytes + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101248 Length=5568 bytes + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00215 Length=5568 bytes + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001238 Length=5568 bytes + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101148 Length=5568 bytes + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d5 Length=5568 bytes Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes NOTE: For Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19 Model=0xa0), 
@@ -53,3 +53,12 @@ a32b0f0db3f3 ("x86/microcode/AMD: Load late on both threads too") When late loading the patches for Genoa or Bergamo, there may be one spurious NMI observed per physical core. These NMIs are benign and don't cause any functional issue but will result in kernel messages being logged. + +NOTE: When running 5.19+ kernels on Genoa or Bergamo systems, some microcode +patches are known to trigger warnings in the PMI handler. The following are +the required minimum patch levels to address this problem: + + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e + Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 diff --git a/amd-ucode/microcode_amd_fam17h.bin b/amd-ucode/microcode_amd_fam17h.bin index f9841b6..ae94fee 100644 Binary files a/amd-ucode/microcode_amd_fam17h.bin and b/amd-ucode/microcode_amd_fam17h.bin differ diff --git a/amd-ucode/microcode_amd_fam17h.bin.asc b/amd-ucode/microcode_amd_fam17h.bin.asc index 34a4024..7c42849 100644 --- a/amd-ucode/microcode_amd_fam17h.bin.asc +++ b/amd-ucode/microcode_amd_fam17h.bin.asc 
@@ -1,11 +1,11 @@ -----BEGIN PGP SIGNATURE----- -iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmS4Mm4ACgkQ5L5TOfMo -rnN35wgAkllCunxE6J5hQyLMx5o4WTHZkbNvXmu6nV1Y3vjiL1oeaK+pmx8BlkPt -fGZJCe/068kqmp3N4EtOZLxXn55t3jNBYectPr0RmFqpjMsEJEcfXfuXROA4N9Ti -Zd/o6X21eHEsm0kK0q4YfppfgTd5Ze7k1jTkUuuU6/yh6uRk1MiFreEzkPO3Aayh -iEWlYx33vq3HccTPgdY3D64Zr8gmgKG+8mdEvqb1jK4SVZ1/9vy4OKIIpUZB/eqx -46h9Ejwn9pktnYkHi/A/zCREEcIQ10HXFF5bjxJTFQkM5S46/QEO7uuvnpMb+6Yy -4V1/QIWMG6ixqCRx9GqbBK7GHdYODw== -=+IsI +iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmX+B5wACgkQ5L5TOfMo +rnOyEQgAjcQdiUYTOecifIkRdvIotUmd0rYG4Y4atXIkcMKpuZXY3ipiIJQTi+zb +fsTrrzqvfdS0FeG9GPePsgZwBvUCbvxbW+I2ffw4KXmZQh7J0WE3qYAEx3uV3IaE +UtV6yM9OW6EEFuIwx8m2LQsl3bP6X/Cwgf3DEHlsVZzDexrYNU9lP/BkujpO0m/q +s8PanPluQqesoaOm+DAQnceMC4r1jpfeZ3DShvyGqaNzB9HeOE2uQEfWW69cfkU9 +n3Lsqxjgl45EmKyNqqy5o3uMBwMJzl0jW2NR5k80+H65hv4Skclk6YCz651zx9C5 +bisCiEwf4gg7ffQPLYW9MCsK3yjTaQ== +=vQEt -----END PGP SIGNATURE----- diff --git a/amd-ucode/microcode_amd_fam19h.bin b/amd-ucode/microcode_amd_fam19h.bin index 02a5d05..4dcdca8 100644 Binary files a/amd-ucode/microcode_amd_fam19h.bin and b/amd-ucode/microcode_amd_fam19h.bin differ diff --git a/amd-ucode/microcode_amd_fam19h.bin.asc b/amd-ucode/microcode_amd_fam19h.bin.asc index 8cff901..dcd5a23 100644 --- a/amd-ucode/microcode_amd_fam19h.bin.asc +++ b/amd-ucode/microcode_amd_fam19h.bin.asc 
@@ -1,11 +1,11 @@ -----BEGIN PGP SIGNATURE----- -iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmTEYrcACgkQ5L5TOfMo -rnN4IQf/QKbOezXZ4OYzaPANvsZQEAzLNfuylC/aQMwrPaO7daz5/zmCN4HU5XkH -dDT8DYfPg+fQHIgxAw0/L24xPOm5Op/QuLVDyDqVr4qvL8+65eeI+JqxD/wXMXYN -V34kkLM2p8iuyY1Nc8IDLXu4X75KGNPbKZlMRKMU3Pr7ai5O4ihmiAM+N6qv1KEJ -YToNN6vrg0qt1cv0SLM8sa4e7L1+oblUrg/o0FViYE8pxsU3ZRRVSJMUg+lKjvl/ -1ZPGKOdD80fcNJ+ItYGHNNs3eCc3WgW7Kc/E668eH75Yu9Zt7ewWZX8Sg/mygleY -OzMwhbPJg4bF4zm7C/Pku7i1T2Omcg== -=km2X +iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmX9xsgACgkQ5L5TOfMo +rnP2aQf/QBOiKUZsrVIbnn0+Ls84yDYovoesYriy1rbK+K5CVRb/0iqoFn5xKIu6 +bvyHN0fnj7Ko+oedNvcRCmlu+jiw08s3WArQb6r3fK4QT/2Wj2f+qX14uoFuCGUd +QgZTc4hZxNxSZBbQuKVbtDmT0iFtV0jKBp/ajdYD9++rA+VcIemKtwX/sxEZnUFi +fXg016uAs/Q9LQ5KWvz3VhFz2G77BEXjDIJNAHSVCxmWCvsd05kf1SbXUswlj/T8 +JtuH840zfZicZEk8e3grO4fSywLyrZCjqATSXa+XY63thCIglM9c6V+EBL3jGXxh +Cs2tZH8/ge+tL/UBBJ8FdOZcVSpkeQ== +=HHoV -----END PGP SIGNATURE----- diff --git a/amd/amd_sev_fam19h_model0xh.sbin b/amd/amd_sev_fam19h_model0xh.sbin index 141d5d0..9cde6ad 100644 Binary files a/amd/amd_sev_fam19h_model0xh.sbin and b/amd/amd_sev_fam19h_model0xh.sbin differ diff --git a/amd/amd_sev_fam19h_model1xh.sbin b/amd/amd_sev_fam19h_model1xh.sbin new file mode 100644 index 0000000..529dcb5 Binary files /dev/null and b/amd/amd_sev_fam19h_model1xh.sbin differ diff --git a/amdtee/773bd96f-b83f-4d52-b12dc529b13d8543.bin b/amdtee/773bd96f-b83f-4d52-b12dc529b13d8543.bin new file mode 100644 index 0000000..6b454bf Binary files /dev/null and b/amdtee/773bd96f-b83f-4d52-b12dc529b13d8543.bin differ diff --git a/amdtee/amd_pmf_v3.bin b/amdtee/amd_pmf_v3.bin new file mode 120000 index 0000000..e340752 --- /dev/null +++ b/amdtee/amd_pmf_v3.bin @@ -0,0 +1 @@ +773bd96f-b83f-4d52-b12dc529b13d8543.bin \ No newline at end of file diff --git a/debian/README.Debian b/debian/README.Debian index b0116a4..cd91c25 100644 --- a/debian/README.Debian +++ b/debian/README.Debian 
@@ -44,13 +44,7 @@ the initramfs using dracut, and reboot. Note that since Linux kernel 4.4, one must use dracut 044 or later. Applying the microcode updates without the use of an early initramfs is -not automatically supported anymore, due to future safety concerns. -However, the local administrator may trigger an immediate microcode update -attempt at any time, at her own risk: - - USING AN INITRAMFS+REBOOT IS SAFER. DO THIS ONLY WHEN YOU KNOW BETTER: - as root: - echo 1 > /sys/devices/system/cpu/microcode/reload +not supported in Debian. RECOVERY PROCEDURE: @@ -97,4 +91,4 @@ the initramfs images for every installed kernel. Please report any issues caused by microcode updates to the mailing-list or to the Debian bug tracker. - -- Henrique de Moraes Holschuh <h...@debian.org>, 2016-04-05 + -- Henrique de Moraes Holschuh <h...@debian.org>, 2024-08-11 diff --git a/debian/amd64-microcode.dirs b/debian/amd64-microcode.dirs index 0790bdb..60f0777 100644 --- a/debian/amd64-microcode.dirs +++ b/debian/amd64-microcode.dirs @@ -2,3 +2,4 @@ etc/default etc/modprobe.d lib/firmware/amd-ucode lib/firmware/amd +lib/firmware/amdtee diff --git a/debian/amd64-microcode.install b/debian/amd64-microcode.install index 40d0e9c..07af704 100644 --- a/debian/amd64-microcode.install +++ b/debian/amd64-microcode.install @@ -1,2 +1,3 @@ amd-ucode/*bin lib/firmware/amd-ucode +amdtee/* lib/firmware/amdtee amd/*sev*bin lib/firmware/amd diff --git a/debian/amd64-microcode.postinst b/debian/amd64-microcode.postinst index 453fd98..7fdc28b 100644 --- a/debian/amd64-microcode.postinst +++ b/debian/amd64-microcode.postinst 
@@ -19,11 +19,14 @@ set -e case "$1" in configure) - # do it like udev and firmware-linux-* - if [ -x /usr/sbin/update-initramfs ] && [ -e /etc/initramfs-tools/initramfs.conf ] ; then - update-initramfs -u && { + RC=0 + dpkg-trigger --no-await update-initramfs || RC=$? + [ "$RC" -ne 0 ] && [ -e /etc/initramfs-tools/initramfs.conf ] && { + RC=0 + update-initramfs -u || RC=$? + } + if [ "$RC" -eq 0 ] ; then echo "amd64-microcode: microcode will be updated at next boot" >&2 - } else echo "amd64-microcode: initramfs support missing" >&2 fi diff --git a/debian/amd64-microcode.postrm b/debian/amd64-microcode.postrm index c775b42..4b187d0 100644 --- a/debian/amd64-microcode.postrm +++ b/debian/amd64-microcode.postrm @@ -20,9 +20,10 @@ set -e case "$1" in purge|remove) - if [ -x /usr/sbin/update-initramfs -a -e /etc/initramfs-tools/initramfs.conf ] ; then - update-initramfs -u - fi + dpkg-trigger --no-await update-initramfs || { + #shellcheck disable=SC2015 + [ -e /etc/initramfs-tools/initramfs.conf ] && update-initramfs -u || : + } ;; upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) diff --git a/debian/changelog b/debian/changelog index fd5fbd3..72b76b1 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,89 @@ +amd64-microcode (3.20240710.2~deb12u1) bookworm; urgency=high + + * Rebuild for bookworm (revert merged-usr changes from unstable) + + -- Henrique de Moraes Holschuh <h...@debian.org> Mon, 12 Aug 2024 09:37:38 -0300 + +amd64-microcode (3.20240710.2) unstable; urgency=high + + * postrm: activate the update-initramfs dpkg trigger on remove/purge + instead of always executing update-initramfs directly, just like it + was done for postinst in 3.20240710.1: call update-initramfs directly + only if the dpkg-trigger activation call fails. + + -- Henrique de Moraes Holschuh <h...@debian.org> Mon, 12 Aug 2024 09:00:19 -0300 + +amd64-microcode (3.20240710.1) unstable; urgency=high + + * Update package data from linux-firmware 20240709-141-g59460076 + (closes: #1076128) + * SECURITY UPDATE: Mitigates "Sinkclose" CVE-2023-31315 (AMD-SB-7014) on + AMD Epyc processors: SMM lock bypass - Improper validation in a model + specific register (MSR) could allow a malicious program with ring 0 + access (kernel) to modify SMM configuration while SMI lock is enabled, + potentially leading to arbitrary code execution. + Note: a firmware update is recommended for AMD Epyc (to protect the + system as early as possible). Many other AMD processor models are + also vulnerable to SinkClose, and can only be fixed by a firmware + update at this time. 
+ * Updated Microcode patches: + + Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126f + + Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107c + + Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a00107a + + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101248 + + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00215 + + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001238 + + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101148 + + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d5 + * README.Debian: "late" microcode updates are unsupported in Debian + (closes: #1074514) + * postinst: use dpkg-trigger to activate update-initramfs, this enables + dracut integration (closes: #1000193) + + -- Henrique de Moraes Holschuh <h...@debian.org> Sun, 11 Aug 2024 18:38:59 -0300 + +amd64-microcode (3.20240116.2) unstable; urgency=medium + + * Add AMD-TEE firmware to the package (closes: #1062678) + + amdtee: add amd_pmf TA firmware 20230906 + * debian: install amdtee to /lib/firmware/amdtee + * debian/control: update short and long descriptions + * debian/copyright: update with amd-pmf license + + -- Henrique de Moraes Holschuh <h...@debian.org> Thu, 15 Feb 2024 16:56:06 -0300 + +amd64-microcode (3.20240116.1) unstable; urgency=medium + + * Update package data from linux-firmware 20240115-80-gb4b04a5c + * Updated Microcode patches: + + Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107b + + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d3 + + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001236 + + -- Henrique de Moraes Holschuh <h...@debian.org> Tue, 06 Feb 2024 15:35:27 -0300 + +amd64-microcode (3.20231019.1) unstable; urgency=medium + + * Update package data from linux-firmware 20231019 + * Updated Microcode patches: + + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101144 + + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101244 + + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00213 + + -- Henrique de Moraes Holschuh <h...@debian.org> Sat, 
21 Oct 2023 15:06:29 -0300 + +amd64-microcode (3.20230823.1) unstable; urgency=medium + + * Update package data from linux-firmware 20230919 + * New AMD-SEV firmware from AMD upstream (20230823) + + Updated SEV firmware: + Family 19h models 00h-0fh: version 1.55 build 8 + + New SEV firmware: + Family 19h models 10h-1fh: version 1.55 build 21 + * amd-ucode: Add note on fam19h warnings. + + -- Henrique de Moraes Holschuh <h...@debian.org> Fri, 13 Oct 2023 02:02:47 -0300 + amd64-microcode (3.20230808.1.1~deb12u1) bookworm; urgency=medium * Rebuild for bookworm (no changes) diff --git a/debian/control b/debian/control index ba0d5ad..735cea0 100644 --- a/debian/control +++ b/debian/control @@ -14,11 +14,17 @@ Architecture: i386 amd64 x32 Recommends: initramfs-tools (>= 0.113~) | dracut (>= 044) | tiny-initramfs Depends: ${misc:Depends} Breaks: intel-microcode (<< 2) -Description: Processor microcode firmware for AMD CPUs - This package contains microcode patches for all AMD AMD64 +Description: Platform firmware and microcode for AMD CPUs and SoCs + This package contains microcode patches for AMD AMD64 processors. AMD releases microcode patches to correct processor behavior as documented in the respective processor - revision guides. This package includes both AMD CPU microcode - patches and AMD SEV firmware updates. + revision guides. + . + This package includes the required firmware to enable AMD + SEV (Secure Encrypted Virtualization) functionality. + . + This package also includes AMD TAs (Trusted Applications) + required by AMD platform drivers such as AMD PMF (Platform + Management Framework). . For Intel processors, please refer to the intel-microcode package. diff --git a/debian/copyright b/debian/copyright index d8aea83..8327915 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -22,7 +22,12 @@ Upstream Copyright (AMD_SEV): Copyright (C) 2015-2019 Advanced Micro Devices, Inc. All rights reserved. -Upstream License: +Upstream Copyright (AMD_PMF): + Copyright (C) 2023 Advanced Micro Devices, Inc. + All rights reserved. + + +Upstream License (AMD-UCODE, AMD_SEV): Permission is hereby granted by Advanced Micro Devices, Inc. ("AMD"), free of any license fees, to any person obtaining a copy of this 
@@ -87,3 +92,55 @@ Upstream License: obligations under those regulations, please refer to the U.S. Bureau of Industry and Security?s website at ttp://www.bis.doc.gov/. + +Upstream License: (AMD_PMF): + + REDISTRIBUTION: Permission is hereby granted, free of any license fees, + to any person obtaining a copy of this microcode (the "Software"), to + install, reproduce, copy and distribute copies, in binary form only, of + the Software and to permit persons to whom the Software is provided to + do the same, provided that the following conditions are met: + + No reverse engineering, decompilation, or disassembly of this Software + is permitted. + + Redistributions must reproduce the above copyright notice, this + permission notice, and the following disclaimers and notices in the + Software documentation and/or other materials provided with the + Software. + + DISCLAIMER: THE USE OF THE SOFTWARE IS AT YOUR SOLE RISK. THE SOFTWARE + IS PROVIDED "AS IS" AND WITHOUT WARRANTY OF ANY KIND AND COPYRIGHT + HOLDER AND ITS LICENSORS EXPRESSLY DISCLAIM ALL WARRANTIES, EXPRESS AND + IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. + COPYRIGHT HOLDER AND ITS LICENSORS DO NOT WARRANT THAT THE SOFTWARE WILL + MEET YOUR REQUIREMENTS, OR THAT THE OPERATION OF THE SOFTWARE WILL BE + UNINTERRUPTED OR ERROR-FREE. THE ENTIRE RISK ASSOCIATED WITH THE USE OF + THE SOFTWARE IS ASSUMED BY YOU. FURTHERMORE, COPYRIGHT HOLDER AND ITS + LICENSORS DO NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE + OR THE RESULTS OF THE USE OF THE SOFTWARE IN TERMS OF ITS CORRECTNESS, + ACCURACY, RELIABILITY, CURRENTNESS, OR OTHERWISE. 
+ + DISCLAIMER: UNDER NO CIRCUMSTANCES INCLUDING NEGLIGENCE, SHALL COPYRIGHT + HOLDER AND ITS LICENSORS OR ITS DIRECTORS, OFFICERS, EMPLOYEES OR AGENTS + ("AUTHORIZED REPRESENTATIVES") BE LIABLE FOR ANY INCIDENTAL, INDIRECT, + SPECIAL OR CONSEQUENTIAL DAMAGES (INCLUDING DAMAGES FOR LOSS OF BUSINESS + PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, AND THE + LIKE) ARISING OUT OF THE USE, MISUSE OR INABILITY TO USE THE SOFTWARE, + BREACH OR DEFAULT, INCLUDING THOSE ARISING FROM INFRINGEMENT OR ALLEGED + INFRINGEMENT OF ANY PATENT, TRADEMARK, COPYRIGHT OR OTHER INTELLECTUAL + PROPERTY RIGHT EVEN IF COPYRIGHT HOLDER AND ITS AUTHORIZED + REPRESENTATIVES HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN + NO EVENT SHALL COPYRIGHT HOLDER OR ITS AUTHORIZED REPRESENTATIVES TOTAL + LIABILITY FOR ALL DAMAGES, LOSSES, AND CAUSES OF ACTION (WHETHER IN + CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE) EXCEED THE AMOUNT OF + US$10. + + Notice: The Software is subject to United States export laws and + regulations. You agree to comply with all domestic and international + export laws and regulations that apply to the Software, including but + not limited to the Export Administration Regulations administered by the + U.S. Department of Commerce and International Traffic in Arm Regulations + administered by the U.S. Department of State. These laws include + restrictions on destinations, end users and end use.
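
Review bot: in debian/amd64-microcode.postinst, the final if/else prints "initramfs support missing" for every non-zero RC, which now includes the case where the fallback "update-initramfs -u" actually ran and failed. Print a distinct message for a failed rebuild so the administrator knows the initramfs may still carry the old microcode. The success message is also printed as soon as the trigger is activated with --no-await, before any initramfs has been rebuilt, so wording such as "initramfs update scheduled" would describe what has happened at that point more accurately.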
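
Review bot: in debian/amd64-microcode.postrm, the trailing "|| :" in the fallback discards a failing "update-initramfs -u", whereas the removed lines ran it as a plain command under set -e and so aborted the script on failure. If ignoring the failure on remove/purge is intended, emit a warning to stderr in that branch, as the postinst does, so a removal that leaves the microcode inside the existing initramfs is not silent. The fallback also no longer tests that /usr/sbin/update-initramfs is executable, only that /etc/initramfs-tools/initramfs.conf exists, so a missing binary ends up in the same silent path.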
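
Review bot: in debian/copyright, the new heading "Upstream License: (AMD_PMF):" has a colon after "License" that the heading renamed in the previous hunk, "Upstream License (AMD-UCODE, AMD_SEV):", does not have. Drop the extra colon so the two license headings follow the same pattern.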