Linux Tightening Up AMD Zen 5 CPU Microcode Check
- Reference: 0001539787
- News link: https://www.phoronix.com/news/AMD-Zen-5-Linux-Microcode-Check
Google engineers dubbed this AMD CPU microcode signature verification issue the [2]EntrySign vulnerability. While the Zen 1 through Zen 4 software updates have rolled out to ensure dubious actors can't apply malicious CPU microcode updates, Zen 5 was only publicly acknowledged this week and BIOS updates are now rolling out there.
As an additional protection for systems that have not yet received a BIOS update, a Linux kernel patch was posted today to ensure no bad CPU microcode can be applied on Zen 5 processors, extending the protections already in place for earlier Zen processors. This applies to all Zen 5 cores, across both the EPYC and Ryzen product lines.
[3]The patch message explains:
"All Zen5 machines out there should get BIOS updates which update to the correct microcode patches addressing the microcode signature issue. However, silly people carve out random microcode blobs from BIOS packages and think they are doing other people a service this way...
Block loading of any unreleased standalone Zen5 microcode patches."
The patch will presumably work its way into the mainline Linux kernel in the coming days for this added protection. AMD's details on this security advisory are available via [4]AMD.com.
[1] https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w
[2] https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking
[3] https://lore.kernel.org/lkml/20250410114222.32523-1-bp@kernel.org/
[4] https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html
phoronix