oss-sec mailing list archives
Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability
From: Andrew Cooper <andrew.cooper3 () citrix com>
Date: Sat, 8 Mar 2025 01:28:07 +0000
On 06/03/2025 4:48 am, Solar Designer wrote:
On Thu, Mar 06, 2025 at 04:11:25AM +0000, Andrew Cooper wrote:This issue wins points for spite, because the highest risk users are the ones who were taking proactive steps to try and improve their security, betting that AMD's patchloader crypto was sound.OK, so this is to protect legitimate sysadmins from loading malicious microcode inadvertently or via a supply chain attack. Makes sense.
Sorry for the delay, I knew there was a distro formally doing this, but I'd lost track of the links. https://github.com/divestedcg/real-ucode which is packaged for Arch as https://aur.archlinux.org/packages/amd-real-ucode-git (and an equivalent Intel package). ~Andrew
Current thread:
- Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 05)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 05)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Bastian Blank (Mar 05)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 05)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 06)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 07)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 12)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Mar 05)
- Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Solar Designer (Mar 05)