firmware-nonfree: Please add AMD-SEV firmware files (amd-folder) to close CVE-2019-9836 on specific EPYC-CPUs

Related Vulnerabilities: CVE-2019-9836  

Debian Bug report logs - #970395

Reported by: Michael Musenbrock <michael.musenbrock@gmx.at>

Date: Tue, 15 Sep 2020 14:57:01 UTC

Severity: important

Fixed in version amd64-microcode/3.20220411.1

Done: Henrique de Moraes Holschuh <hmh@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#970395; Package src:firmware-nonfree. (Tue, 15 Sep 2020 14:57:03 GMT)


Acknowledgement sent to Michael Musenbrock <michael.musenbrock@gmx.at>:
New Bug report received and forwarded. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Tue, 15 Sep 2020 14:57:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Musenbrock <michael.musenbrock@gmx.at>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: firmware-nonfree: Please add AMD-SEV firmware files (amd-folder) to close CVE-2019-9836 on specific EPYC-CPUs
Date: Tue, 15 Sep 2020 16:55:43 +0200
Source: firmware-nonfree
Severity: important

Dear maintainer,

First of all, thanks for maintaining and packaging the linux-firmware files repository as Debian packages.

We currently need to manually obtain the linux-firmware.git:amd/amd_sev_fam17h_model3xh.sbin [1] file on
our AMD EPYC servers. The firmware files contain the AMD SEV firmware, which closes security vulnerabilities [2],
fixes bugs and adds improvements to the AMD SEV implementation.

I'm most likely unqualified for legal questions, but the LICENSE.amd-sev [3] reads quite similar to the already
added amdgpu license [4]. So I hope this is not the reason why those files were not added in the past.

The severity was chosen because it fixes a security vulnerability; please change accordingly if you think
it is wrong.

Thanks in advance. Best regards,
michael

[1] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9836
[3] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/LICENSE.amd-sev
[4] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/LICENSE.amdgpu



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#970395; Package src:firmware-nonfree. (Sun, 20 Sep 2020 08:45:02 GMT)


Acknowledgement sent to maximilian attems <maks@stro.at>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Sun, 20 Sep 2020 08:45:02 GMT)


Message #10 received at 970395@bugs.debian.org:

From: maximilian attems <maks@stro.at>
To: Henrique de Moraes Holschuh <hmh@debian.org>, debian-kernel@lists.debian.org
Cc: Michael Musenbrock <michael.musenbrock@gmx.at>, 970395@bugs.debian.org
Subject: Re: Bug#970395: firmware-nonfree: Please add AMD-SEV firmware files (amd-folder) to close CVE-2019-9836 on specific EPYC-CPUs
Date: Sun, 20 Sep 2020 10:36:12 +0200
Dear Henrique, dear debian kernel maintainers, Cc: Michael,

Would you agree to generate the amd64-firmware packages directly out of the debian
linux-firmware source package?

This way the microcode would be updated on every linux-firmware non-free upload?
I am asking as it keeps nagging me to have to comment out the updates of that
microcode in the changelog (there is again a new one for the upcoming 20200918).

Would you want to be added in counterpart to the uploaders of firmware-nonfree?

Thank you very much for your amd64 microcode work.

kind regards,
maximilian

On Tue, Sep 15, 2020 at 04:55:43PM +0200, Michael Musenbrock wrote:
> Source: firmware-nonfree
> Severity: important
> 
> Dear maintainer,
> 
> First of all, thanks for maintaining and packaging the linux-firmware files repository as Debian packages.
> 
> We currently need to manually obtain the linux-firmware.git:amd/amd_sev_fam17h_model3xh.sbin [1] file on
> our AMD EPYC servers. The firmware files contain the AMD SEV firmware, which closes security vulnerabilities [2],
> fixes bugs and adds improvements to the AMD SEV implementation.
> 
> I'm most likely unqualified for legal questions, but the LICENSE.amd-sev [3] reads quite similar to the already
> added amdgpu license [4]. So I hope this is not the reason why those files were not added in the past.
> 
> The severity was chosen because it fixes a security vulnerability; please change accordingly if you think
> it is wrong.
> 
> Thanks in advance. Best regards,
> michael
> 
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd
> [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9836
> [3] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/LICENSE.amd-sev
> [4] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/LICENSE.amdgpu
> 

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#970395; Package src:firmware-nonfree. (Fri, 25 Sep 2020 12:18:02 GMT)


Acknowledgement sent to maximilian attems <maks@stro.at>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Fri, 25 Sep 2020 12:18:02 GMT)


Message #15 received at 970395@bugs.debian.org:

From: maximilian attems <maks@stro.at>
To: Henrique de Moraes Holschuh <hmh@debian.org>
Cc: 970395@bugs.debian.org, debian-kernel@lists.debian.org, Michael Musenbrock <michael.musenbrock@gmx.at>
Subject: Re: Bug#970395: firmware-nonfree: Please add AMD-SEV firmware files (amd-folder) to close CVE-2019-9836 on specific EPYC-CPUs
Date: Fri, 25 Sep 2020 14:14:09 +0200
Dear Henrique,

It'd be great to get your input, hence repinging (;

Especially as linux-firmware is the common upstream source, it'd be ideal to ship
the amd64 microcode out of our firmware packages.

Thanks for letting us know.

kind regards,
maximilian

On Sun, Sep 20, 2020 at 10:36:12AM +0200, maximilian attems wrote:
> Dear Henrique, dear debian kernel maintainers, Cc: Michael,
> 
> Would you agree to generate the amd64-firmware packages directly out of the debian
> linux-firmware source package?
> 
> This way the microcode would be updated on every linux-firmware non-free upload?
> I am asking as it keeps nagging me to have to comment out the updates of that
> microcode in the changelog (there is again a new one for the upcoming 20200918).
> 
> Would you want to be added in counterpart to the uploaders of firmware-nonfree?
> 
> Thank you very much for your amd64 microcode work.
> 
> kind regards,
> maximilian
> 
> On Tue, Sep 15, 2020 at 04:55:43PM +0200, Michael Musenbrock wrote:
> > Source: firmware-nonfree
> > Severity: important
> > 
> > Dear maintainer,
> > 
> > First of all, thanks for maintaining and packaging the linux-firmware files repository as Debian packages.
> > 
> > We currently need to manually obtain the linux-firmware.git:amd/amd_sev_fam17h_model3xh.sbin [1] file on
> > our AMD EPYC servers. The firmware files contain the AMD SEV firmware, which closes security vulnerabilities [2],
> > fixes bugs and adds improvements to the AMD SEV implementation.
> > 
> > I'm most likely unqualified for legal questions, but the LICENSE.amd-sev [3] reads quite similar to the already
> > added amdgpu license [4]. So I hope this is not the reason why those files were not added in the past.
> > 
> > The severity was chosen because it fixes a security vulnerability; please change accordingly if you think
> > it is wrong.
> > 
> > Thanks in advance. Best regards,
> > michael
> > 
> > [1] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd
> > [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9836
> > [3] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/LICENSE.amd-sev
> > [4] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/LICENSE.amdgpu
> > 



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#970395; Package src:firmware-nonfree. (Sun, 27 Sep 2020 16:45:03 GMT)


Acknowledgement sent to "Henrique de Moraes Holschuh" <hmh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Sun, 27 Sep 2020 16:45:03 GMT)


Message #20 received at 970395@bugs.debian.org:

From: "Henrique de Moraes Holschuh" <hmh@debian.org>
To: "maximilian attems" <maks@stro.at>
Cc: 970395@bugs.debian.org, debian-kernel@lists.debian.org, "Michael Musenbrock" <michael.musenbrock@gmx.at>
Subject: Re: Bug#970395: firmware-nonfree: Please add AMD-SEV firmware files (amd-folder) to close CVE-2019-9836 on specific EPYC-CPUs
Date: Sun, 27 Sep 2020 13:43:12 -0300
Answering from my phone, please excuse brevity and other netiquette issues such as poor quoting cleanup.

On Fri, Sep 25, 2020, at 09:14, maximilian attems wrote:
> Dear Henrique,
> 
> It'd be great to get your input, hence repinging (;
> 
> Especially as linux-firmware is the common upstream source, it'd be ideal to ship
> the amd64 microcode out of our firmware packages.

We can ship the ucode and other related data files in linux-firmware-nonfree, yes.  But the initramfs glue needs to go somewhere.  Either it can stick in the older package, and a depends ensures it gets installed, or linux-firmware-nonfree must carry it as Debian packaging.

I.e. I am not opposed.  But there is more than a bunch of data files involved: the initramfs integration must be somehow handled by whatever ships the data files.

However, you can also try opening a bug against amd64-microcode with a pointer to new upstream releases should I miss any for longer than a week, or asking for more files to be switched to amd64-microcode, e.g. if the ses datafiles should be in there along with the ucode ones, this could be done.

Either way is fine, what does the majority of the maintainers of linux-firmware-nonfree think about it?

> On Sun, Sep 20, 2020 at 10:36:12AM +0200, maximilian attems wrote:
> > Dear Henrique, dear debian kernel maintainers, Cc: Michael,
> > 
> > Would you agree to generate the amd64-firmware packages directly out of the debian
> > linux-firmware source package?
> > 
> > This way the microcode would be updated on every linux-firmware non-free upload?

If you guys think this will improve update delivery latency in Debian, I am not opposed.  But ucode updates go to security, backports and stable unless there is too little feedback to gauge regression risk.

Is that viable for the whole of linux-firmware-nonfree?  If not, it would make sense to keep the amd64 ucode in a separate package.

> > I am asking as it keeps nagging me to have to comment out the updates of that
> > microcode in the changelog (there is again a new one for the upcoming 20200918).

This should be very very easy to automate, but...

> > Would you want to be added in counterpart to the uploaders of firmware-nonfree?

I can do it myself if there is a need to upload a new release and I have to do that upload, but if you guys are using salsa, I'd need to be in the salsa group you're using.

> > Thank you very much for your amd64 microcode work.
> > 
> > kind regards,
> > maximilian
> > 
> > On Tue, Sep 15, 2020 at 04:55:43PM +0200, Michael Musenbrock wrote:
> > > Source: firmware-nonfree
> > > Severity: important
> > > 
> > > Dear maintainer,
> > > 
> > > > First of all, thanks for maintaining and packaging the linux-firmware files repository as Debian packages.
> > > > 
> > > > We currently need to manually obtain the linux-firmware.git:amd/amd_sev_fam17h_model3xh.sbin [1] file on
> > > > our AMD EPYC servers. The firmware files contain the AMD SEV firmware, which closes security vulnerabilities [2],
> > > > fixes bugs and adds improvements to the AMD SEV implementation.
> > > > 
> > > > I'm most likely unqualified for legal questions, but the LICENSE.amd-sev [3] reads quite similar to the already
> > > > added amdgpu license [4]. So I hope this is not the reason why those files were not added in the past.
> > > > 
> > > > The severity was chosen because it fixes a security vulnerability; please change accordingly if you think
> > > > it is wrong.
> > > 
> > > Thanks in advance. Best regards,
> > > michael
> > > 
> > > [1] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd
> > > [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9836
> > > [3] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/LICENSE.amd-sev
> > > [4] https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/LICENSE.amdgpu

-- 
  Henrique de Moraes Holschuh <hmh@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#970395; Package src:firmware-nonfree. (Sun, 27 Sep 2020 21:30:02 GMT)


Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Sun, 27 Sep 2020 21:30:02 GMT)


Message #25 received at 970395@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: Henrique de Moraes Holschuh <hmh@debian.org>, maximilian attems <maks@stro.at>
Cc: 970395@bugs.debian.org, debian-kernel@lists.debian.org, Michael Musenbrock <michael.musenbrock@gmx.at>
Subject: Re: Bug#970395: firmware-nonfree: Please add AMD-SEV firmware files (amd-folder) to close CVE-2019-9836 on specific EPYC-CPUs
Date: Sun, 27 Sep 2020 22:27:16 +0100
On Sun, 2020-09-27 at 13:43 -0300, Henrique de Moraes Holschuh wrote:
> Answering from my phone, please excuse brevity and other netiquette
> issues such as poor quoting cleanup.
> 
> On Fri, Sep 25, 2020, at 09:14, maximilian attems wrote:
> > Dear Henrique,
> > 
> > It'd be great to get your input, hence repinging (;
> > 
> > Especially as linux-firmware is the common upstream source, it'd be ideal to ship
> > the amd64 microcode out of our firmware packages.
> 
> We can ship the ucode and other related data files in
> linux-firmware-nonfree, yes.  But the initramfs glue needs to go
> somewhere.  Either it can stick in the older package, and a depends
> ensures it gets installed, or linux-firmware-nonfree must carry it as
> Debian packaging.

That's a good point.  firmware-nonfree does have initramfs integration,
but currently that is just triggering update-initramfs for packages
whose firmware might get pulled in automatically.

[...]
> > On Sun, Sep 20, 2020 at 10:36:12AM +0200, maximilian attems wrote:
> > > Dear Henrique, dear debian kernel maintainers, Cc: Michael,
> > > 
> > > Would you agree to generate the amd64-firmware packages directly out of the debian
> > > linux-firmware source package?
> > > 
> > > This way the microcode would be updated on every linux-firmware non-free upload?
> 
> If you guys think this will improve update delivery latency in
> Debian, I am not opposed.  But ucode updates go to security,
> backports and stable unless there is too little feedback to gauge
> regression risk.
> 
> Is that viable for the whole of linux-firmware-nonfree?  If not,
> it would make sense to keep the amd64 ucode in a separate package.
[...]

firmware-nonfree is present in backports suites, and does get security
updates (mostly for Wifi and Bluetooth issues).

However, we normally take all changes from linux-firmware.git up to a
specific tag, and that might not be appropriate for the AMD microcode
given the potential for system-breaking regressions.

Ben.

-- 
Ben Hutchings
Klipstein's 4th Law of Prototyping and Production:
                               A fail-safe circuit will destroy others.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#970395; Package src:firmware-nonfree. (Fri, 02 Oct 2020 02:21:05 GMT)


Acknowledgement sent to "Henrique de Moraes Holschuh" <hmh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. (Fri, 02 Oct 2020 02:21:05 GMT)


Message #30 received at 970395@bugs.debian.org:

From: "Henrique de Moraes Holschuh" <hmh@debian.org>
To: "Ben Hutchings" <ben@decadent.org.uk>, "maximilian attems" <maks@stro.at>
Cc: 970395@bugs.debian.org, debian-kernel@lists.debian.org, "Michael Musenbrock" <michael.musenbrock@gmx.at>
Subject: Re: Bug#970395: firmware-nonfree: Please add AMD-SEV firmware files (amd-folder) to close CVE-2019-9836 on specific EPYC-CPUs
Date: Thu, 01 Oct 2020 23:16:36 -0300
On Sun, Sep 27, 2020, at 18:27, Ben Hutchings wrote:
> On Sun, 2020-09-27 at 13:43 -0300, Henrique de Moraes Holschuh wrote:
> > Answering from my phone, please excuse brevity and other netiquette
> > issues such as poor quoting cleanup.

This is still true :(

> However, we normally take all changes from linux-firmware.git up to a
> specific tag, and that might not be appropriate for the AMD microcode
> given the potential for system-breaking regressions.

So, until a more workable solution is found, if you need amd64-microcode to carry any other data files, please file a bug.  If I am behind an update for any reason, please file a bug.  I will see it and act on it. You don't need to wait to see if I noticed the upstream update or not, file the bug as soon as you're prepared to.

There was a mention about a pending security update of SES firmware in this thread.  If this needs an amd64-microcode release and if the ses firmware should go into that release, please explicitly say so, preferably in a new bug report, so that we can keep this one open until a final decision is done whether we should drop amd64-microcode as a separate package or keep it just for scripts, or keep the status-quo.

-- 
  Henrique de Moraes Holschuh <hmh@debian.org>



Bug reassigned from package 'src:firmware-nonfree' to 'amd64-microcode'. Request was from maximilian attems <maks@stro.at> to control@bugs.debian.org. (Tue, 26 Jan 2021 07:39:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#970395; Package amd64-microcode. (Fri, 29 Jan 2021 16:39:03 GMT)


Acknowledgement sent to Henrique de Moraes Holschuh <hmh@debian.org>:
Extra info received and forwarded to list. (Fri, 29 Jan 2021 16:39:03 GMT)


Message #37 received at 970395@bugs.debian.org:

From: Henrique de Moraes Holschuh <hmh@debian.org>
To: maximilian attems <maks@stro.at>, debian-kernel@lists.debian.org
Cc: 970395@bugs.debian.org
Subject: Re: Please add AMD-SEV firmware files (amd-folder) to close CVE-2019-9836 on specific EPYC-CPUs
Date: Fri, 29 Jan 2021 13:37:51 -0300
On Tue, 26 Jan 2021, Debian Bug Tracking System wrote:
> > reassign 970395 amd64-microcode
> Bug #970395 [src:firmware-nonfree] firmware-nonfree: Please add AMD-SEV firmware files (amd-folder) to close CVE-2019-9836 on specific EPYC-CPUs
> Bug reassigned from package 'src:firmware-nonfree' to 'amd64-microcode'.
> Ignoring request to alter found versions of bug #970395 to the same values previously set
> Ignoring request to alter fixed versions of bug #970395 to the same values previously set
> > # please update to latest bc9cd0b7b0e96038ccc041ff409948d8f176142d
> > # 20/11/2020 in linux-firmware
> > done
> Unknown command or malformed arguments to command.
> > bc9cd0b7b0e96038ccc041ff409948d8f176142d has:
> Unknown command or malformed arguments to command.
> >    Update AMD SEV firmware to version 0.17 build 44 for AMD family 17h
> Unknown command or malformed arguments to command.
> >     processors with models in the range 00h to 0fh.
> Unknown command or malformed arguments to command.
> >     Update AMD SEV firmware to version 0.24 build 7 for AMD family 17h
> Unknown command or malformed arguments to command.
> Too many unknown commands, stopping here.

I will look into this soon, probably this weekend.

I will direct any questions I have to the submitters and to this bug
report.

However, I have to find out if these firmware data files should go into
the early initramfs like the microcode (and *how*: naming, packaging
into a single file? the early initramfs works differently than normal
firmware loading).  Or should it go into the normal initramfs ?  Or
both?

If you have the answer to these questions and can follow up with them,
it will hasten the fix since I will not have to spend time looking for
the answers.

-- 
  Henrique Holschuh



Added tag(s) pending. Request was from Henrique de Moraes Holschuh <hmh@debian.org> to control@bugs.debian.org. (Fri, 15 Apr 2022 19:27:04 GMT)


Reply sent to Henrique de Moraes Holschuh <hmh@debian.org>:
You have taken responsibility. (Wed, 20 Apr 2022 21:51:16 GMT)


Notification sent to Michael Musenbrock <michael.musenbrock@gmx.at>:
Bug acknowledged by developer. (Wed, 20 Apr 2022 21:51:16 GMT)


Message #44 received at 970395-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 970395-close@bugs.debian.org
Subject: Bug#970395: fixed in amd64-microcode 3.20220411.1
Date: Wed, 20 Apr 2022 21:48:45 +0000
Source: amd64-microcode
Source-Version: 3.20220411.1
Done: Henrique de Moraes Holschuh <hmh@debian.org>

We believe that the bug you reported is fixed in the latest version of
amd64-microcode, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 970395@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Henrique de Moraes Holschuh <hmh@debian.org> (supplier of updated amd64-microcode package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 15 Apr 2022 18:27:36 -0300
Source: amd64-microcode
Architecture: source
Version: 3.20220411.1
Distribution: unstable
Urgency: medium
Maintainer: Henrique de Moraes Holschuh <hmh@debian.org>
Changed-By: Henrique de Moraes Holschuh <hmh@debian.org>
Closes: 970395 1006444 1009333
Changes:
 amd64-microcode (3.20220411.1) unstable; urgency=medium
 .
   * Update package data from linux-firmware 20220411:
     * New microcode updates from AMD upstream (20220408)
       (closes: #1006444, #1009333)
       + New Microcode patches:
         sig 0x00830f10, patch id 0x08301055, 2022-02-15
         sig 0x00a00f10, patch id 0x0a001058, 2022-02-10
         sig 0x00a00f11, patch id 0x0a001173, 2022-01-31
         sig 0x00a00f12, patch id 0x0a001229, 2022-02-10
       + Updated Microcode patches:
         sig 0x00800f12, patch id 0x0800126e, 2021/11/11
     * New AMD-SEV firmware from AMD upstream (20220308)
       Fixes: CVE-2019-9836 (closes: #970395)
       + New SEV firmware:
         Family 17h models 00h-0fh: version 0.17 build 48
         Family 17h models 30h-3fh: version 0.24 build 15
         Family 19h models 00h-0fh: version 1.51 build 3
   * README: update for new release
   * debian: ship AMD-SEV firmware.
     Upstream license is the same license used for amd-ucode






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 21 13:10:20 2022; Machine Name: buxtehude
