Bug 643476 - <sys-kernel/linux-firmware-20180103-r1: Microcode for AMD family 17h processor to mitigate against CVE-2017-5715
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks: CVE-2017-5715
Reported: 2018-01-04 19:28 UTC by GLSAMaker/CVETool Bot
Modified: 2019-10-06 20:30 UTC

See Also:
Package list:
sys-kernel/linux-firmware-20180103-r1
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2018-01-04 19:28:52 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-01-04 19:30:07 UTC
This new firmware disables branch prediction on AMD family 17h processors.
Comment 2 Thomas Deutschmann gentoo-dev Security 2018-01-04 19:36:10 UTC
@ Arches,

please test and mark stable: =sys-kernel/linux-firmware/linux-firmware-20180103-r1
Comment 3 Stabilization helper bot gentoo-dev 2018-01-04 20:00:28 UTC
An automated check of this bug failed - the following atom is unknown:

sys-kernel/linux-firmware/linux-firmware-20180103-r1

Please verify the atom list.
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-01-06 05:25:22 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2018-01-06 17:54:12 UTC
amd64 stable
Comment 6 Sergei Trofimovich gentoo-dev 2018-01-06 21:50:48 UTC
ppc/ppc64 stable
Comment 7 pva 2018-01-07 21:45:15 UTC
Looks like Suse mixed things up. This update does not disable branch prediction: https://www.phoronix.com/scan.php?page=news_item&px=AMD-Branch-Prediction-Still

So I've removed "disables branch prediction" from subject. Let's see what further clarifications we will have.
Comment 8 Andreas Grois 2018-01-07 22:18:27 UTC
Red Hat seems to have more information on what the microcode update does (if they are indeed talking about this one):
https://access.redhat.com/articles/3311301
Comment 9 nobody 2018-01-08 10:16:40 UTC
Please update -> https://wiki.gentoo.org/wiki/Project:Security/Vulnerabilities/Meltdown_and_Spectre

sys-kernel/linux-firmware

A CPU microcode update was added which will disables branch prediction on AMD family 17h processors (800F12 only). The updated microcode is included in >=sys-kernel/linux-firmware-20180103-r1 which is currently being stabilized in bug #643476. 

--> which will disables branch prediction on AMD <--
It doesn't disable it. Should be reworded to "A CPU microcode update was added on AMD family 17h processors (800F12 only) to mitigate the issue."
Comment 10 Thomas Deutschmann gentoo-dev Security 2018-01-08 15:35:56 UTC
Source for your claim? Our text was bundled with the firmware blob we received from AMD.

Don't get me wrong. You might be right. But until we have a better source we stick with upstream's wording. Also, we are looking for someone who has access to an affected processor (AMD EPYC 7551).
Comment 11 nobody 2018-01-09 00:50:40 UTC
Sorry, from Peter's comment #7 Phoronix link.

<I reached out to AMD and on Friday heard back. They wrote in an email to Phoronix that this Zen/17h microcode update does not disable branch prediction.>


If you don't know who to trust, the rephrasing will do nothing if it really disables branch prediction (you don't lie by saying "to mitigate the issue"), but if it does not, you have avoided spreading fake/false news.

Better safe than sorry.
Comment 12 Sergei Trofimovich gentoo-dev 2018-01-11 22:33:59 UTC
ia64 stable
Comment 13 Sergei Trofimovich gentoo-dev 2018-01-13 10:12:42 UTC
hppa stable
Comment 14 Markus Meier gentoo-dev 2018-02-05 21:21:56 UTC
arm stable
Comment 15 Sergei Trofimovich gentoo-dev 2018-02-10 19:17:48 UTC
commit fa7b6bf3c8dc747cc57e66837acb48772f7905d2
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Sat Feb 10 19:40:37 2018 +0100

    sys-kernel/linux-firmware: stable 20180103-r1 for sparc, bug #643476
Comment 16 Tobias Klausmann gentoo-dev 2018-03-04 08:17:11 UTC
Stable on alpha.
Comment 17 Chí-Thanh Christopher Nguyễn gentoo-dev 2019-09-26 10:12:37 UTC
All arches done and vulnerable versions have been dropped for a while already.
Comment 18 Thomas Deutschmann gentoo-dev Security 2019-10-06 20:30:45 UTC
No GLSA required.