Your message dated Sat, 31 Aug 2024 12:34:14 +0100
with message-id
<9e3e8b8cd0db3b52d4adb2cfad04baa007c8e3e8.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 12.7
has caused the Debian Bug report #1079543,
regarding bookworm-pu: package amd64-microcode/3.20240820.1~deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1079543: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079543
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
I would like to bring the *firmware* update level for AMD processors in
Bullseye and Bookworm to match what we have in Sid and Trixie. This is
the bug report for Bookworm, a separate one will be filed for Bullseye.
The update is a security update for AMD-SEV (AMD-SB-3003). It does not
change the processor microcode.
[ Impact ]
These updates fix security issues on AMD SEV.
[ Tests ]
The package was tested, but AMD-SEV was not specifically tested. I
could not find any reports of AMD-SEV issues due to this firmware
update though.
This update only changed a few docs and the binary blob files, so it is
as safe as what is already accepted for bullseye and bookworm.
[ Risks ]
AMD-SEV changes cannot cause boot regressions, but they could cause SEV
functionality regressions. I am not aware of any regressions related
to this SEV firmware update.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Documentation was updated with upstream information
* Binary microcode blobs were updated with new upstream binary blobs.
[ Extra Information ]
Diff was generated from the git tree, in order to avoid excessive noise
due to the changes to the binary blobs.
diffstat:
README | 20 ++++++++++++++++++++
amd/amd_sev_fam17h_model3xh.sbin |binary
amd/amd_sev_fam19h_model0xh.sbin |binary
amd/amd_sev_fam19h_model1xh.sbin |binary
amd/amd_sev_fam19h_modelaxh.sbin |binary
debian/changelog | 28 ++++++++++++++++++++++++++++
6 files changed, 48 insertions(+)
--
Henrique Holschuh
diff --git a/README b/README
index 63c0879..67a4e0e 100644
--- a/README
+++ b/README
@@ -11,6 +11,26 @@ amdtee/ currently includes firmware for the amd_pmf driver.
latest commits in this release:
+commit ace84e6edc27bcba8e44ba8588e93a4c74a4fba1
+Author: John Allen <john.al...@amd.com>
+Date: Tue Aug 20 18:26:55 2024 +0000
+
+ linux-firmware: Update AMD SEV firmware
+
+ Update AMD SEV firmware to version 0.24 build 20 for AMD family 17h processors
+ with models in the range 30h to 3fh.
+
+ Update AMD SEV firmware to version 1.55 build 21 for AMD family 19h processors
+ with models in the range 00h to 0fh.
+
+ Update AMD SEV firmware to version 1.55 build 37 for AMD family 19h processors
+ with models in the range 10h to 1fh.
+
+ Add AMD SEV firmware version 1.55 build 37 for AMD family 19h processors with
+ models in the range a0h to afh.
+
+ Signed-off-by: John Allen <john.al...@amd.com>
+
commit 091bd5adf19c7ab01214c64689952acb4833b21d
Author: John Allen <john.al...@amd.com>
Date: Wed Jul 10 14:58:02 2024 +0000
diff --git a/amd/amd_sev_fam17h_model3xh.sbin b/amd/amd_sev_fam17h_model3xh.sbin
index ea49929..a1a59d4 100644
Binary files a/amd/amd_sev_fam17h_model3xh.sbin and b/amd/amd_sev_fam17h_model3xh.sbin differ
diff --git a/amd/amd_sev_fam19h_model0xh.sbin b/amd/amd_sev_fam19h_model0xh.sbin
index 9cde6ad..0e21813 100644
Binary files a/amd/amd_sev_fam19h_model0xh.sbin and b/amd/amd_sev_fam19h_model0xh.sbin differ
diff --git a/amd/amd_sev_fam19h_model1xh.sbin b/amd/amd_sev_fam19h_model1xh.sbin
index 529dcb5..5855e82 100644
Binary files a/amd/amd_sev_fam19h_model1xh.sbin and b/amd/amd_sev_fam19h_model1xh.sbin differ
diff --git a/amd/amd_sev_fam19h_modelaxh.sbin b/amd/amd_sev_fam19h_modelaxh.sbin
new file mode 100644
index 0000000..5855e82
Binary files /dev/null and b/amd/amd_sev_fam19h_modelaxh.sbin differ
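Review bot: the new file amd/amd_sev_fam19h_modelaxh.sbin is created with blob id 5855e82, the same abbreviated id that amd/amd_sev_fam19h_model1xh.sbin is updated to (529dcb5..5855e82), which indicates the two files carry the same image. That agrees with both ranges being listed as version 1.55 build 37, but neither the README text nor debian/changelog says that the a0h-afh file reuses the 10h-1fh image. A one-line note in the changelog would make it obvious to a later reviewer if one file is ever updated without the other.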
diff --git a/debian/changelog b/debian/changelog
index 72b76b1..26983aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,31 @@
+amd64-microcode (3.20240820.1~deb12u1) bookworm; urgency=medium
+
+ * Rebuild for bookworm (revert merged-usr changes from unstable)
+
+ -- Henrique de Moraes Holschuh <h...@debian.org> Sat, 24 Aug 2024 09:24:14 -0300
+
+amd64-microcode (3.20240820.1) unstable; urgency=high
+
+ * Update package data from linux-firmware 20240820
+ * New AMD-SEV firmware from AMD upstream (20240820)
+ + Updated SEV firmware:
+ Family 17h models 30h-3fh: version 0.24 build 20
+ Family 19h models 00h-0fh: version 1.55 build 21
+ Family 19h models 10h-1fh: version 1.55 build 37
+ + New SEV firmware:
+ Family 19h models a0h-afh: version 1.55 build 37
+ * SECURITY UPDATE (AMD-SB-3003):
+ * Mitigates CVE-2023-20584: IOMMU improperly handles certain special
+ address ranges with invalid device table entries (DTEs), which may allow
+ an attacker with privileges and a compromised Hypervisor to induce DTE
+ faults to bypass RMP checks in SEV-SNP, potentially leading to a loss of
+ guest integrity.
+ * Mitigates CVE-2023-31356: Incomplete system memory cleanup in SEV
+ firmware could allow a privileged attacker to corrupt guest private
+ memory, potentially resulting in a loss of data integrity.
+
+ -- Henrique de Moraes Holschuh <h...@debian.org> Wed, 21 Aug 2024 21:31:07 -0300
+
amd64-microcode (3.20240710.2~deb12u1) bookworm; urgency=high
* Rebuild for bookworm (revert merged-usr changes from unstable)
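Review bot: the top entry (3.20240820.1~deb12u1, bookworm) is set to urgency=medium, while the unstable entry it rebuilds is urgency=high and carries the SECURITY UPDATE (AMD-SB-3003) block, and the previous bookworm rebuild visible as context (3.20240710.2~deb12u1) used urgency=high. Suggest keeping urgency=high here as well, and adding a line under "Rebuild for bookworm" that names AMD-SB-3003, CVE-2023-20584 and CVE-2023-31356, so the newest entry on its own identifies this upload as a security fix.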
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.7
Hi,
Each of these bugs relates to an update included in today's bookworm
12.7 point release.
Regards,
Adam
--- End Message ---