On 13/03/2025 3:55 am, Solar Designer wrote:
> On Sat, Mar 08, 2025 at 01:28:07AM +0000, Andrew Cooper wrote:
>> On 06/03/2025 4:48 am, Solar Designer wrote:
>>> On Thu, Mar 06, 2025 at 04:11:25AM +0000, Andrew Cooper wrote:
>>>> This issue wins points for spite, because the highest risk users are the
>>>> ones who were taking proactive steps to try and improve their security,
>>>> betting that AMD's patchloader crypto was sound.
>>> OK, so this is to protect legitimate sysadmins from loading malicious
>>> microcode inadvertently or via a supply chain attack. Makes sense.
>> Sorry for the delay, I knew there was a distro formally doing this, but
>> I'd lost track of the links.
>>
>> https://github.com/divestedcg/real-ucode which is packaged for Arch as
>> https://aur.archlinux.org/packages/amd-real-ucode-git (and an equivalent
>> Intel package).
> Thank you for these followup postings, Andrew! They're very helpful.
>
> I have one late nitpick to add - as jericho @attritionorg pointed out on
> Twitter, the Subject line here gives an incorrect CVE number. The
> correct one is CVE-2024-36347.

Oops, my mistake. (This is what happens when the sources of information
try to block things like copy/paste, and I'm in a rush.)

However, happy patch Tuesday. Zen5 CPUs have been breached too, and
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html
has been quietly updated to reflect this.

~Andrew