Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability

[Andrew Cooper <andrew.cooper3 () citrix com>]

On 13/03/2025 3:55 am, Solar Designer wrote:
> On Sat, Mar 08, 2025 at 01:28:07AM +0000, Andrew Cooper wrote:
> > On 06/03/2025 4:48 am, Solar Designer wrote:
> > > On Thu, Mar 06, 2025 at 04:11:25AM +0000, Andrew Cooper wrote:
> > > > This issue wins points for spite, because the highest risk users are the
> > > > ones who were taking proactive steps to try and improve their security,
> > > > betting that AMD's patchloader crypto was sound.
> > > OK, so this is to protect legitimate sysadmins from loading malicious
> > > microcode inadvertently or via a supply chain attack.  Makes sense.
> > Sorry for the delay, I knew there was a distro formally doing this, but
> > I'd lost track of the links.
> >
> > https://github.com/divestedcg/real-ucode which is packaged for Arch as
> > https://aur.archlinux.org/packages/amd-real-ucode-git (and an equivalent
> > Intel package).
> Thank you for these followup postings, Andrew!  They're very helpful.
>
> I have one late nitpick to add - as jericho @attritionorg pointed out on
> Twitter, the Subject line here gives an incorrect CVE number.  The
> correct one is CVE-2024-36347.

Oops, my mistake.  (This is what happens when the sources of information
try to block things like copy/paste, and I'm in a rush.)

However, happy patch Tuesday.

Zen5 CPUs have been breached too, and
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html
has been quietly updated to reflect this.

~Andrew