| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YvvLJZR+8jS7Asnq@araj-dh-work>
Date: Tue, 16 Aug 2022 16:51:49 +0000
From: Ashok Raj <ashok.raj@...el.com>
To: Borislav Petkov <bp@...en8.de>
CC: Ashok Raj <ashok_raj@...ux.intel.com>, X86 ML <x86@...nel.org>,
"Andrew Cooper" <amc96@...f.net>,
LKML <linux-kernel@...r.kernel.org>,
Ștefan Talpalaru <stefantalpalaru@...oo.com>,
Ashok Raj <ashok.raj@...el.com>
Subject: Re: [PATCH] x86/microcode/AMD: Attempt applying on every logical
thread
On Tue, Aug 16, 2022 at 02:41:39PM +0200, Borislav Petkov wrote:
> On Tue, Aug 16, 2022 at 09:00:14AM +0000, Ashok Raj wrote:
> > A re-application means, you want to apply even if the cpu_rev <= patch.rev
>
> Yes.
I see, so we probably shouldn't remove the rev check completely but just
permit to reload if the rev is equal?
>
> > if cpu_rev is > patch_rev, clearly its ahead?. say BIOS has a newer
> > version than in the initrd image, do we want to replace the BIOS
> > version since we do no revid checks here.
>
> Can you even downgrade the microcode through the MSR?
I'm not sure what is true for AMD.
For Intel's there is a Security Version Number in the signed encrypted part
of the microcode. As long as the new image has SVN >= what the CPU's SVN is
you can update the microcode.
So if a rev2 is loaded, and rev1 is the new MCU, and rev2 and rev1 have the
same SVN, you can go down rev from rev2->rev1 where rev2 > rev1.
Microcode enforcement for rollback protection has been the SVN. Version
number is a SW feel good thing to identifying which image you are running,
not intended for preventing rollback or any security enforcement.
Cheers,
Ashok
Powered by blists - more mailing lists