From: "Borislav Petkov (AMD)" bp@alien8.de
[ Upstream commit 8a9fb5129e8e64d24543ebc70de941a2d77a9e77 ]
Limit Entrysign sha256 signature checking to CPUs in the range Zen1-Zen5.
X86_BUG cannot be used here because the loading on the BSP happens way too early, before the cpufeatures machinery has been set up.
Signed-off-by: Borislav Petkov (AMD) bp@alien8.de Link: https://patch.msgid.link/all/20251023124629.5385-1-bp@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
Perfect! Now let me write up my comprehensive analysis.
## **Backport Recommendation: YES**
Based on my analysis using semantic code analysis tools and examination of the kernel repository, this commit **SHOULD** be backported to stable kernel trees.
---
## **Analysis Details:**
### **1. Semantic Tool Analysis Performed:**
I used the following semantic code analysis tools to understand the impact:
- **mcp__semcode__find_function**: Located `verify_sha256_digest`, `need_sha_check`, and `__apply_microcode_amd` functions - **mcp__semcode__find_callers**: Traced the call graph to understand impact scope: - `verify_sha256_digest` is called by `__apply_microcode_amd` - `__apply_microcode_amd` is called by: - `load_ucode_amd_bsp` (BSP microcode loading during early boot) - `apply_microcode_amd` (AP microcode loading) - `reload_ucode_amd` (microcode reload path) - **mcp__semcode__find_calls**: Verified dependencies - uses only standard functions (`x86_family`, `x86_model`) that exist in all stable kernels - **git log and git blame**: Traced the evolution of SHA256 checking to understand the bug's context
### **2. What the Code Changes Do:**
The commit adds a new helper function `cpu_has_entrysign()` that precisely identifies AMD CPUs supporting Entrysign SHA256 signature verification:
```c +static bool cpu_has_entrysign(void) +{ + unsigned int fam = x86_family(bsp_cpuid_1_eax); + unsigned int model = x86_model(bsp_cpuid_1_eax); + + if (fam == 0x17 || fam == 0x19) // Zen1-Zen4 + return true; + + if (fam == 0x1a) { // Zen5 (specific models only) + if (model <= 0x2f || + (0x40 <= model && model <= 0x4f) || + (0x60 <= model && model <= 0x6f)) + return true; + } + + return false; +} ```
It then replaces the overly broad family check: ```c - if (x86_family(bsp_cpuid_1_eax) < 0x17) + if (!cpu_has_entrysign()) return true; // Skip SHA256 checking ```
### **3. The Bug Being Fixed:**
**Old behavior**: SHA256 signature checking was applied to **ALL** AMD CPUs with family >= 0x17
**Problem**: Entrysign (AMD's SHA256 signature feature) only exists on Zen1-Zen5 CPUs: - Family 0x17: Zen1, Zen+, Zen2 - Family 0x19: Zen3, Zen4 - Family 0x1a (specific models): Zen5
**Impact**: Future AMD CPUs (e.g., family 0x1b or unlisted 0x1a models) would incorrectly trigger SHA256 verification, which would **fail** (no matching hash in the database), causing microcode loading to be **completely blocked**.
### **4. Impact Scope (from semantic analysis):**
From tracing the call chain: - `verify_sha256_digest()` → `__apply_microcode_amd()` → Early boot BSP loading + AP loading + reload paths - If SHA256 verification fails, `__apply_microcode_amd()` returns `false` and **microcode is NOT applied** - Without microcode updates, systems remain vulnerable to known CPU security issues and bugs
**User-facing impact**: Users with future AMD CPUs (post-Zen5) would be unable to load microcode updates, leaving their systems exposed to vulnerabilities that microcode patches normally fix.
### **5. Why This Qualifies for Backporting:**
✅ **Fixes a real bug**: Incorrect hardware detection logic that prevents microcode loading on future CPUs
✅ **Small and contained**: Only 20 lines added, 1 line changed in a single function
✅ **No new features**: This is a pure bug fix making the check more accurate
✅ **No architectural changes**: Doesn't modify data structures or interfaces
✅ **Low regression risk**: - Doesn't change behavior for existing Zen1-Zen5 CPUs - Only affects future/unknown AMD CPUs (makes them work correctly instead of failing) - Uses only existing, stable APIs (`x86_family`, `x86_model`)
✅ **No complex dependencies**: The SHA256 infrastructure already exists in 6.17 stable (verified with grep)
✅ **Forward compatibility**: Critical for users upgrading to newer AMD CPUs while running stable kernels
✅ **Already vetted for backporting**: Commit message shows `[ Upstream commit 8a9fb5129e8e6... ]` and `Signed-off-by: Sasha Levin sashal@kernel.org`, indicating it's already been reviewed and prepared for stable backporting
### **6. Stable Tree Compliance:**
This commit follows all stable kernel rules: - ✅ It fixes a bug (not a new feature) - ✅ Change is "obviously correct" (precise hardware detection) - ✅ Not cosmetic (fixes functional issue) - ✅ Small and self-contained - ✅ No new external dependencies
---
## **Conclusion:**
This is a **clear YES for backporting**. It fixes a forward- compatibility bug that would prevent microcode loading on future AMD CPUs, is low-risk, well-contained, and has already been approved by stable maintainers (Sasha Levin). The semantic analysis confirms it has no complex dependencies and the impact is limited to making SHA256 checking work correctly on the appropriate CPU generations.
arch/x86/kernel/cpu/microcode/amd.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c index ad66eb83b96af..698fd8b388a0f 100644 --- a/arch/x86/kernel/cpu/microcode/amd.c +++ b/arch/x86/kernel/cpu/microcode/amd.c @@ -233,13 +233,31 @@ static bool need_sha_check(u32 cur_rev) return true; }
+static bool cpu_has_entrysign(void) +{ + unsigned int fam = x86_family(bsp_cpuid_1_eax); + unsigned int model = x86_model(bsp_cpuid_1_eax); + + if (fam == 0x17 || fam == 0x19) + return true; + + if (fam == 0x1a) { + if (model <= 0x2f || + (0x40 <= model && model <= 0x4f) || + (0x60 <= model && model <= 0x6f)) + return true; + } + + return false; +} + static bool verify_sha256_digest(u32 patch_id, u32 cur_rev, const u8 *data, unsigned int len) { struct patch_digest *pd = NULL; u8 digest[SHA256_DIGEST_SIZE]; int i;
- if (x86_family(bsp_cpuid_1_eax) < 0x17) + if (!cpu_has_entrysign()) return true;
if (!need_sha_check(cur_rev))