oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: AMD Microcode Signature Verification Vulnerability

From: Tavis Ormandy <taviso () gmail com>
Date: Wed, 22 Jan 2025 07:52:48 -0800
On Tue, Jan 21, 2025 at 11:38:16PM -0500, Demi Marie Obenour wrote:

On Tue, Jan 21, 2025 at 06:31:31PM -0800, Tavis Ormandy wrote:

It looks like an OEM leaked the patch for a major upcoming CPU
vulnerability, i.e. "AMD Microcode Signature Verification
Vulnerability":

https://rog.asus.com/motherboards/rog-strix/rog-strix-x870-i-gaming-wifi/helpdesk_bios/

I'm not thrilled about this - the patch is *not* currently in
linux-firmware, so this is the only publicly available patch.

However, other people are discussing how to extract them:

https://winraid.level1techs.com/t/offer-intel-amd-via-cpu-microcode-archives-1995-present/102857/53


Is this fix effective, or can it be bypassed via a downgrade attack?



I'm not sure yet, the vendor has been really excruciating to deal with,
this is the first time I've been allowed to see the patch!! :(

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso () sdf org
_\_V _( ) _( )  @taviso
Previous By Date Next
Previous By Thread Next

Current thread: