Package Details: amd-zen-ucode-platomav r294-1

Git Clone URL: https://aur.archlinux.org/amd-zen-ucode-platomav.git
Package Base: amd-zen-ucode-platomav
Description: Microcode update image for AMD Zen CPUs (family 17h, 19h, 1Ah) from platomav's github
Upstream URL: https://github.com/platomav/CPUMicrocodes
Licenses: custom
Conflicts: amd-ucode
Provides: amd-ucode
Submitter: dobo
Maintainer: dobo
Last Packager: dobo
Votes: 18
Popularity: 4.23
First Submitted: 2023-09-17 12:59 (UTC)
Last Updated: 2024-04-25 18:15 (UTC)

Latest Comments

phonemic commented on 2024-03-08 12:20 (UTC)

@dobo Thanks! I appreciate the detailed response. In the last instance (hopefully) the kernel would report the CPU vulnerabilities in lscpu. That seems difficult for a third party to trick the kernel into reporting everything is fine while still passing hardware validation on the microcode.

dobo commented on 2024-03-08 10:17 (UTC) (edited on 2024-03-08 10:19 (UTC) by dobo)

@0x9fff00: I wasn't aware of this, thanks for reporting. I've updated PKGBUILD.

@phonemic: I haven't found any specific resources regarding the 19h family. But microcode for the 15h family is encrypted. Relevant quotes: "Note that Intel started to cryptographically sign microcode updates in 1995 [15] and AMD started to deploy strong cryptographic protection in 2011 [15]. We assume that the underlying microcode update mechanism is similar, but cannot analyze the microcode updates since we cannot decrypt them" [1]

"On the 15h microarchitecture, binary comparison of multiple microcode revisions for a single processor produces no useful similarities, indicating that a chained block or stream cipher is likely being used for encryption. Since changes to offsets 672 through 2719, measuring exactly 2048 bits in size, result in early termination, it is possible that this segment contains a hash that is used to verify the integrity of the encrypted update data, in an encrypt-then-MAC approach. Although it is possible to use the reverse, MAC-then-encrypt, this is rather unlikely, as not only is it less secure, but 2048 bits is also rather long for the block size of a block cipher." [2]

Generally MAC algorithms provide integrity and authenticity. My understanding is the following (but I might be wrong): I suppose that the key and the algorithm are hardwired inside the CPU. Unless someone knows the original key and the MAC algorithm, you're pretty safe (the CPU won't accept "signed" microcode with the wrong key). I haven't checked if the microcode version is part of the MAC message. If it isn't, a third party could theoretically force it to load some old (possibly vulnerable) microcode.

I hope that this answers your question.
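To make the "validate the image" and "force an old microcode" points above concrete: what the early loader consumes from /boot/amd-ucode.img is a newc cpio archive containing kernel/x86/microcode/AuthenticAMD.bin, which is a concatenation of AMD microcode containers (a "DMA\0" magic, an equivalence table mapping CPUID signatures to an equivalence id, then one section per patch). The parser below is an added example, not code from this package, from platomav's repository or from the kernel. The field layout is taken from struct equiv_cpu_entry and struct microcode_header_amd in the kernel's arch/x86/kernel/cpu/microcode/amd.c; the container and cpio it reads are constructed inside the block, and the patch ids in them are placeholders, not real AMD releases. It lists what an image carries per CPU signature and applies the same rule the kernel's AMD loader uses, which is that a patch whose id is not newer than the running patch level is not applied; that comparison in the loader, not anything in the image, is what stands between a stale image and a rollback.

```python
"""Walk an AMD microcode container (microcode_amd*.bin / AuthenticAMD.bin).

Added example, not code from amd-zen-ucode-platomav, platomav's repository
or the kernel.  Struct layouts follow struct equiv_cpu_entry and
struct microcode_header_amd in Linux arch/x86/kernel/cpu/microcode/amd.c;
all sample data below is constructed here and is not a real AMD release.
"""
import struct

UCODE_MAGIC = 0x00414D44                        # bytes "DMA\0", little-endian
EQUIV_TABLE_TYPE, PATCH_TYPE = 0, 1             # section types inside a container
CONTAINER_HDR = struct.Struct("<III")           # magic, type, equiv table size
EQUIV_ENTRY = struct.Struct("<IIIHH")           # installed_cpu, errata mask/compare, equiv_cpu, res
PATCH_HDR = struct.Struct("<IIHBBIIIHBBB3x8I")  # struct microcode_header_amd, 64 bytes


def cpu_family_model(sig):
    """Decode family/model from a CPUID(1).EAX signature (extended fields when family is 0xF)."""
    family, model = (sig >> 8) & 0xF, (sig >> 4) & 0xF
    if family == 0xF:
        family += (sig >> 20) & 0xFF
        model |= ((sig >> 16) & 0xF) << 4
    return family, model


def parse_containers(blob):
    """Yield {'equiv': {cpuid_sig: equiv_id}, 'patches': [...]} for each container in blob."""
    pos = 0
    while pos + CONTAINER_HDR.size <= len(blob):
        magic, sect_type, size = CONTAINER_HDR.unpack_from(blob, pos)
        if magic != UCODE_MAGIC or sect_type != EQUIV_TABLE_TYPE:
            raise ValueError(f"bad container header at {pos:#x}")
        pos += CONTAINER_HDR.size
        equiv = {}
        for off in range(pos, pos + size - EQUIV_ENTRY.size + 1, EQUIV_ENTRY.size):
            installed, _mask, _cmp, equiv_id, _res = EQUIV_ENTRY.unpack_from(blob, off)
            if installed == 0:                  # the table is zero-terminated
                break
            equiv[installed] = equiv_id
        pos += size
        patches = []
        while pos + 8 <= len(blob):             # patch sections follow until the next magic
            sect_type, size = struct.unpack_from("<II", blob, pos)
            if sect_type != PATCH_TYPE:
                break
            hdr = PATCH_HDR.unpack_from(blob, pos + 8)
            patches.append({"data_code": hdr[0], "patch_id": hdr[1],
                            "processor_rev_id": hdr[8], "size": size})
            pos += 8 + size
        yield {"equiv": equiv, "patches": patches}


def newest_patch_id(blob, cpuid_sig, current_level):
    """patch_id the loader would apply for this CPU, or None.

    Matching goes CPUID signature -> equivalence id -> patch.processor_rev_id.
    Like the kernel's AMD loader, a patch that is not newer than the running
    patch level (MSR 0x8B) is left alone, so a stale image cannot roll back.
    """
    ids = [p["patch_id"] for c in parse_containers(blob) if cpuid_sig in c["equiv"]
           for p in c["patches"] if p["processor_rev_id"] == c["equiv"][cpuid_sig]]
    best = max(ids, default=None)
    return best if best is not None and best > current_level else None


def cpio_member(img, wanted):
    """Return the body of member `wanted` from a newc cpio such as /boot/amd-ucode.img."""
    pos = 0
    while img[pos:pos + 6] == b"070701":
        f = [int(img[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = img[pos + 110:pos + 110 + namesize - 1].decode()
        data = (pos + 110 + namesize + 3) & ~3  # header + name padded to 4 bytes
        if name == "TRAILER!!!":
            break
        if name == wanted:
            return img[data:data + filesize]
        pos = (data + filesize + 3) & ~3        # data padded to 4 bytes
    raise KeyError(wanted)


def newc_entry(name, data):
    """One newc cpio entry (fixture helper for the constructed image)."""
    nm = name.encode() + b"\0"
    fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0]
    body = b"070701" + "".join(f"{v:08x}" for v in fields).encode() + nm
    body += b"\0" * (-len(body) % 4)
    return body + data + b"\0" * (-len(data) % 4)


SAMPLE_SIG, SAMPLE_EQUIV = 0x00A60F12, 0xA601   # a family 19h model 61h signature
SAMPLE_PATCH_IDS = (0x0A601001, 0x0A601002)     # placeholders, not real patch ids


def build_sample_container():
    """Constructed container: one equivalence entry plus two patches for it."""
    table = EQUIV_ENTRY.pack(SAMPLE_SIG, 0, 0, SAMPLE_EQUIV, 0) + bytes(EQUIV_ENTRY.size)
    out = CONTAINER_HDR.pack(UCODE_MAGIC, EQUIV_TABLE_TYPE, len(table)) + table
    for pid in SAMPLE_PATCH_IDS:
        body = PATCH_HDR.pack(0, pid, 0x8001, 0, 1, 0, 0, 0, SAMPLE_EQUIV, 0, 0, 0, *([0] * 8))
        body += bytes(3200)                     # opaque (encrypted) patch body
        out += struct.pack("<II", PATCH_TYPE, len(body)) + body
    return out


def build_sample_image():
    """Constructed amd-ucode.img: the container at the path early loading expects."""
    return (newc_entry("kernel/x86/microcode/AuthenticAMD.bin", build_sample_container())
            + newc_entry("TRAILER!!!", b""))


if __name__ == "__main__":
    blob = cpio_member(build_sample_image(), "kernel/x86/microcode/AuthenticAMD.bin")
    for c in parse_containers(blob):
        for sig, eq in c["equiv"].items():
            print(f"cpuid {sig:#010x} family {cpu_family_model(sig)[0]:#x} -> equiv {eq:#06x}")
        for p in c["patches"]:
            print(f"  patch {p['patch_id']:#010x} for {p['processor_rev_id']:#06x}, {p['size']} bytes")
    print("would load:", newest_patch_id(blob, SAMPLE_SIG, SAMPLE_PATCH_IDS[0]))
```

Against a real system you would feed cpio_member() the bytes of /boot/amd-ucode.img, take the CPUID signature from CPUID leaf 1 EAX, and compare newest_patch_id() with the running level in /sys/devices/system/cpu/cpu0/microcode/version (the same value /proc/cpuinfo shows as "microcode"). None of this proves the image is genuine; only the CPU can do that, and the visible evidence after a reboot is the patch level moving and /sys/devices/system/cpu/vulnerabilities/* (what lscpu reads) changing accordingly.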

phonemic commented on 2024-03-07 13:17 (UTC)

Are there known methods to validate the platomav repo? Specifically AMD 19h.

I am hesitant to use the binaries without a way to verify authenticity.

phonemic commented on 2024-03-06 21:00 (UTC)

Thanks for maintaining this package.

0x9fff00 commented on 2024-03-05 20:05 (UTC)

Unlike the amd-ucode package, this package doesn't automatically rebuild initcpios when it's upgraded, since it only installs /boot/amd-ucode.img but not /usr/lib/firmware/amd-ucode/microcode_amd*.bin, and /usr/share/libalpm/hooks/90-mkinitcpio-install.hook only checks for the latter.
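Until the package triggers the rebuild itself, a user-side alpm hook keyed on the one file this package does install closes the gap described in the comment above. This is an added example, not a file shipped by the package; the filename is a suggestion (hooks in /etc/pacman.d/hooks are sorted by name alongside the system hooks), and the Exec line assumes a mkinitcpio setup, so a dracut or UKI setup would substitute its own regeneration command.

```ini
# /etc/pacman.d/hooks/90-amd-ucode-platomav.hook (example, not shipped by the package)
[Trigger]
Operation = Install
Operation = Upgrade
Type = Path
Target = boot/amd-ucode.img

[Action]
Description = Rebuilding initramfs images after amd-ucode.img changed...
When = PostTransaction
Exec = /usr/bin/mkinitcpio -P
```

Path targets are written relative to the root without a leading slash, which is why the target is boot/amd-ucode.img and not /boot/amd-ucode.img; after the next upgrade of this package, pacman's transaction output should show the hook's Description line followed by mkinitcpio regenerating every preset.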

Unlike the amd-ucode package, this package doesn't automatically rebuild initcpios when it's upgraded since it only installs /boot/amd-ucode.img but not /usr/lib/firmware/amd-ucode/microcode_amd*.bin, and /usr/share/libalpm/hooks/90-mkinitcpio-install.hook only checks for the latter