NixOS Security Discussions

Discussions around Security | Triaging happens in #security:nixos.org

Sender | Message | Time
7 Dec 2024
@hexa:lossy.network hexa | 6 days newer than the release we have | 18:18:05
@hexa:lossy.network hexa | * 11 days newer than the release we have | 18:18:35
@hexa:lossy.network hexa
 Microcode patches in microcode_amd_fam19h.bin:
   Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a00107a Length=5568 bytes
+  Family=0x19 Model=0x7c Stepping=0x00: Patch=0x0a70c005 Length=5568 bytes
+  Family=0x19 Model=0x75 Stepping=0x02: Patch=0x0a705206 Length=5568 bytes
+  Family=0x19 Model=0x08 Stepping=0x02: Patch=0x0a00820c Length=5568 bytes
   Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101248 Length=5568 bytes
   Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00215 Length=5568 bytes
+  Family=0x19 Model=0x44 Stepping=0x01: Patch=0x0a404107 Length=5568 bytes
+  Family=0x19 Model=0x78 Stepping=0x00: Patch=0x0a708007 Length=5568 bytes
+  Family=0x19 Model=0x21 Stepping=0x00: Patch=0x0a20102d Length=5568 bytes
+  Family=0x19 Model=0x74 Stepping=0x01: Patch=0x0a704107 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001238 Length=5568 bytes
   Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101148 Length=5568 bytes
+  Family=0x19 Model=0x61 Stepping=0x02: Patch=0x0a601209 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d5 Length=5568 bytes
   Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes
+  Family=0x19 Model=0x18 Stepping=0x01: Patch=0x0a108108 Length=5568 bytes
+  Family=0x19 Model=0x50 Stepping=0x00: Patch=0x0a500011 Length=5568 bytes
+  Family=0x19 Model=0x21 Stepping=0x02: Patch=0x0a201210 Length=5568 bytes
18:18:51
@hexa:lossy.network hexa | like the first microcode update for lots of cpus in that family | 18:19:01
@zzywysm:matrix.org zzywysm | darn it, i wanted AMD to be as evil as Intel 😆 | 18:20:07
@hexa:lossy.network hexa | nouuuu 😄 | 18:20:51
@hexa:lossy.network hexa | release date for the cpu was 2020/11/05 | 18:21:30
@hexa:lossy.network hexa | * release date for the cpu was 2020-11-05 | 18:23:39
@winter:catgirl.cloud Winter | there's some repo we can pull ucode from for that, but it's unofficial | 18:41:24
@winter:catgirl.cloud Winter | https://github.com/platomav/CPUMicrocodes | 18:42:01
@hexa:lossy.network hexa | yeah, I found that as well, but it is not in any way official, apparently scraped from bios releases | 18:43:25
@hexa:lossy.network hexa | mind you, these are very certainly signed, so I would expect that not to be an issue | 18:44:11
@winter:catgirl.cloud Winter | yeah | 18:44:10
@winter:catgirl.cloud Winter | repo has been going for almost a decade, if it was shipping malicious ucode i feel like we'd know ;) | 18:44:48
@hexa:lossy.network hexa | ok, so let's find out if any other distros ships it first maybe? | 18:45:03
@winter:catgirl.cloud Winter | i'm looking as we speak | 18:45:15
@winter:catgirl.cloud Winter | Gentoo does | 18:45:48
@hexa:lossy.network hexa | Arch does not | 18:46:25
@hexa:lossy.network hexa | FreeBSD does not | 18:46:31
@hexa:lossy.network hexa | and the Gentoo wiki says | 18:47:44
@hexa:lossy.network hexa

Microcode updates for AMD processors are provided by the sys-kernel/linux-firmware package.

18:47:45
@winter:catgirl.cloud Winter | i was looking to see if they shipped anything from the repo, and they do for Intel | 18:48:26
@hexa:lossy.network hexa
intel-microcode-20210608_p20210830.ebuild
intel-microcode-20220207_p20220207.ebuild
intel-microcode-20220419_p20220421.ebuild
intel-microcode-20220510_p20220508.ebuild
intel-microcode-20220809_p20220809.ebuild  <-- in here
18:49:12
@hexa:lossy.network hexa | only in a comment | 18:50:19
@hexa:lossy.network hexa
# Package Maintenance instructions :
# 1. The ebuild is in the form of intel-microcode-<INTEL_SNAPSHOT>_p<COLLECTION_SNAPSHOT>.ebuild
# 2. The INTEL_SNAPSHOT upstream is located at: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files\
# 3. The COLLECTION_SNAPSHOT is created manually using the following steps:
#   a. Clone the repository https://github.com/platomav/CPUMicrocodes
#   b. Rename the Intel directory to intel-microcode-collection-<YYYYMMDD>
#   c. From the CPUMicrocodes directory tar and xz compress the contents of intel-microcode-collection-<YYYYMMDD>:
#      tar -cJf intel-microcode-collection-<YYYYMMDD>.tar.xz intel-microcode-collection-<YYYYMMDD>/
#   d. This file can go in your devspace, add the URL to SRC_URI if it's not there
#      https://dev.gentoo.org/~<dev nick>/dist/intel-microcode/intel-microcode-collection-${COLLECTION_SNAPSHOT}.tar.xz
18:50:36
@winter:catgirl.cloud Winter | did you read it? the tarball is constructed from the repo :P | 18:51:21
@hexa:lossy.network hexa
SRC_URI="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-${INTEL_SNAPSHOT}.tar.gz
	https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/437f382b1be4412b9d03e2bbdcda46d83d581242/intel-ucode/06-4e-03 -> intel-ucode-sig_0x406e3-rev_0xd6.bin
	https://dev.gentoo.org/~mpagano/dist/intel-microcode/intel-microcode-collection-${COLLECTION_SNAPSHOT}.tar.xz"
18:51:37
@hexa:lossy.network hexa | so a repo at github.com:intel/Intel-Linux-Processor-Microcode-Data-Files has the collection? 🤔 | 18:51:56
@hexa:lossy.network hexa | oh no, it is multiple files | 18:52:10
@winter:catgirl.cloud Winter | yeah | 18:52:13
