Mailing List Archive: AMD microkernel update failing (trying to patch zenbleed)

AMD microkernel update failing (trying to patch zenbleed)

Mar 3, 2024, 11:14 AM

Post #1 of 3 (230 views)

Hi all,

I've always had problems updating the microcode for my AMD processor. I
have various other Intel-based PCs and this has never been an issue.

I have confirmed it's not updating:

~ # dmesg | grep -i microcode
[ 0.201619] Zenbleed: please update your microcode for the most
optimal fix
[ 0.748482] microcode: CPU1: patch_level=0x08701030
[ 0.748482] microcode: CPU0: patch_level=0x08701030
[ 0.748484] microcode: CPU3: patch_level=0x08701030
[ 0.748485] microcode: CPU5: patch_level=0x08701030
[ 0.748485] microcode: CPU4: patch_level=0x08701030
[ 0.748486] microcode: CPU6: patch_level=0x08701030
[ 0.748486] microcode: CPU7: patch_level=0x08701030
[ 0.748487] microcode: CPU8: patch_level=0x08701030
[ 0.748488] microcode: CPU9: patch_level=0x08701030
[ 0.748488] microcode: CPU10: patch_level=0x08701030
[ 0.748488] microcode: CPU11: patch_level=0x08701030
[ 0.748491] microcode: CPU12: patch_level=0x08701030
[ 0.748491] microcode: CPU13: patch_level=0x08701030
[ 0.748492] microcode: CPU14: patch_level=0x08701030
[ 0.748493] microcode: CPU15: patch_level=0x08701030
[ 0.748496] microcode: CPU17: patch_level=0x08701030
[ 0.748496] microcode: CPU18: patch_level=0x08701030
[ 0.748498] microcode: CPU19: patch_level=0x08701030
[ 0.748498] microcode: CPU20: patch_level=0x08701030
[ 0.748500] microcode: CPU21: patch_level=0x08701030
[ 0.748500] microcode: CPU22: patch_level=0x08701030
[ 0.748501] microcode: CPU24: patch_level=0x08701030
[ 0.748501] microcode: CPU23: patch_level=0x08701030
[ 0.748503] microcode: CPU16: patch_level=0x08701030
[ 0.748503] microcode: CPU26: patch_level=0x08701030
[ 0.748503] microcode: CPU27: patch_level=0x08701030
[ 0.748505] microcode: CPU28: patch_level=0x08701030
[ 0.748506] microcode: CPU29: patch_level=0x08701030
[ 0.748507] microcode: CPU30: patch_level=0x08701030
[ 0.748508] microcode: CPU25: patch_level=0x08701030
[ 0.748509] microcode: CPU31: patch_level=0x08701030
[ 0.748511] microcode: CPU2: patch_level=0x08701030
[ 0.748554] microcode: Microcode Update Driver: v2.2.

I'm pretty sure I wouldn't be getting a zenbleed warning if it was using
the most recent microcode.

My processor is this one:

vendor_id : AuthenticAMD
cpu family : 23
model : 113
model name : AMD Ryzen 9 3950X 16-Core Processor

This leads me to the 17h family.

I do not use an initramfs as my system doesn't require one. I am not
willing to try an initramfs as my system fully functions without one and
this is not an issue with the Intel machines I have.

I have properly configured the kernel (gentoo-sources-6.6.13):

CONFIG_CPU_SUP_AMD=y
CONFIG_EXTRA_FIRMWARE="brcm/BCM20702B0-19ff-0239.hcd
amd-ucode/microcode_amd_fam17h.bin"
CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware"

The firmware loading is working as it does load the firmware for my
bluetooth adapter with no issues.

(In the newer kernels microcode loading is enabled by default - no way
to turn it off. All you have to do is select CPU_SUP_AMD apparently. It
works on Intel machines.)

I've even updated the motherboard BIOS firmware, and while that fixed
all the other issues it apparently does not have patches for zenbleed.

Does anyone have any idea why this will not update?

-Dan

Re: AMD microkernel update failing (trying to patch zenbleed) [ In reply to ]

confabulate at kintzios

Mar 3, 2024, 1:48 PM

Post #2 of 3 (228 views)

Permalink

On Sunday, 3 March 2024 19:14:23 GMT Daniel Frey wrote:
> Hi all,
>
> I've always had problems updating the microcode for my AMD processor. I
> have various other Intel-based PCs and this has never been an issue.
>
> I have confirmed it's not updating:
>
>
> ~ # dmesg | grep -i microcode
> [ 0.201619] Zenbleed: please update your microcode for the most
> optimal fix
> [ 0.748482] microcode: CPU1: patch_level=0x08701030
> [ 0.748482] microcode: CPU0: patch_level=0x08701030
> [ 0.748484] microcode: CPU3: patch_level=0x08701030
> [ 0.748485] microcode: CPU5: patch_level=0x08701030
> [ 0.748485] microcode: CPU4: patch_level=0x08701030
> [ 0.748486] microcode: CPU6: patch_level=0x08701030
> [ 0.748486] microcode: CPU7: patch_level=0x08701030
> [ 0.748487] microcode: CPU8: patch_level=0x08701030
> [ 0.748488] microcode: CPU9: patch_level=0x08701030
> [ 0.748488] microcode: CPU10: patch_level=0x08701030
> [ 0.748488] microcode: CPU11: patch_level=0x08701030
> [ 0.748491] microcode: CPU12: patch_level=0x08701030
> [ 0.748491] microcode: CPU13: patch_level=0x08701030
> [ 0.748492] microcode: CPU14: patch_level=0x08701030
> [ 0.748493] microcode: CPU15: patch_level=0x08701030
> [ 0.748496] microcode: CPU17: patch_level=0x08701030
> [ 0.748496] microcode: CPU18: patch_level=0x08701030
> [ 0.748498] microcode: CPU19: patch_level=0x08701030
> [ 0.748498] microcode: CPU20: patch_level=0x08701030
> [ 0.748500] microcode: CPU21: patch_level=0x08701030
> [ 0.748500] microcode: CPU22: patch_level=0x08701030
> [ 0.748501] microcode: CPU24: patch_level=0x08701030
> [ 0.748501] microcode: CPU23: patch_level=0x08701030
> [ 0.748503] microcode: CPU16: patch_level=0x08701030
> [ 0.748503] microcode: CPU26: patch_level=0x08701030
> [ 0.748503] microcode: CPU27: patch_level=0x08701030
> [ 0.748505] microcode: CPU28: patch_level=0x08701030
> [ 0.748506] microcode: CPU29: patch_level=0x08701030
> [ 0.748507] microcode: CPU30: patch_level=0x08701030
> [ 0.748508] microcode: CPU25: patch_level=0x08701030
> [ 0.748509] microcode: CPU31: patch_level=0x08701030
> [ 0.748511] microcode: CPU2: patch_level=0x08701030
> [ 0.748554] microcode: Microcode Update Driver: v2.2.
>
> I'm pretty sure I wouldn't be getting a zenbleed warning if it was using
> the most recent microcode.
>
> My processor is this one:
>
> vendor_id : AuthenticAMD
> cpu family : 23
> model : 113
> model name : AMD Ryzen 9 3950X 16-Core Processor
>
> This leads me to the 17h family.
>
> I do not use an initramfs as my system doesn't require one. I am not
> willing to try an initramfs as my system fully functions without one and
> this is not an issue with the Intel machines I have.
>
> I have properly configured the kernel (gentoo-sources-6.6.13):
>
> CONFIG_CPU_SUP_AMD=y
> CONFIG_EXTRA_FIRMWARE="brcm/BCM20702B0-19ff-0239.hcd
> amd-ucode/microcode_amd_fam17h.bin"
> CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware"
>
> The firmware loading is working as it does load the firmware for my
> bluetooth adapter with no issues.
>
> (In the newer kernels microcode loading is enabled by default - no way
> to turn it off. All you have to do is select CPU_SUP_AMD apparently. It
> works on Intel machines.)
>
> I've even updated the motherboard BIOS firmware, and while that fixed
> all the other issues it apparently does not have patches for zenbleed.
>
> Does anyone have any idea why this will not update?
>
> -Dan

It could be AMD have not yet released microcode updates for the community.
OEMs receive new microcode first and patch it in their MoBo BIOS/UEFI
firmware. Eventually the CPU manufacturers release microcode for older CPUs
no longer supported by OEMs. Since you have embedded 'amd-ucode/
microcode_amd_fam17h.bin' in your kernel I don't think there's anything else
you can do at this point in time, beyond emerging the latest sys-kernel/linux-
firmware and rebooting.

PS. I always place the microcode string first in the CONFIG_EXTRA_FIRMWARE=
entries, since it should be the fist thing to load by the CPU. I don't know
if it would makes any difference, since the whole string of firmwares will be
parsed in one go.

Re: AMD microkernel update failing (trying to patch zenbleed) [ In reply to ]

djqfrey at gmail

Mar 3, 2024, 2:49 PM

Post #3 of 3 (228 views)

Permalink

On 3/3/24 13:48, Michael wrote:
>
> It could be AMD have not yet released microcode updates for the community.
> OEMs receive new microcode first and patch it in their MoBo BIOS/UEFI
> firmware. Eventually the CPU manufacturers release microcode for older CPUs
> no longer supported by OEMs. Since you have embedded 'amd-ucode/
> microcode_amd_fam17h.bin' in your kernel I don't think there's anything else
> you can do at this point in time, beyond emerging the latest sys-kernel/linux-
> firmware and rebooting.
>
> PS. I always place the microcode string first in the CONFIG_EXTRA_FIRMWARE=
> entries, since it should be the fist thing to load by the CPU. I don't know
> if it would makes any difference, since the whole string of firmwares will be
> parsed in one go.

That's a good point about the microcode - I'll change that now (it's
easy enough to do.

And after an hour messing about and reading documentation and various
articles, I have found out AMD does not release microcode for my CPU.

I ran the spectre-meltdown-checker script (I've removed non-Zenbleed info):

* Hardware support (CPU microcode) for mitigation techniques
* CPU microcode is known to fix Zenbleed: NO (required version:
0x08701032)
* CPU microcode is known to cause stability problems: NO (family
0x17 model 0x71 stepping 0x0 ucode 0x8701030 cpuid 0x870f10)
* CPU microcode is the latest known available version: YES (latest
version is 0x8701030 dated 2022/03/28 according to builtin firmwares DB
v271+i20230614)

* CPU vulnerability to the speculative execution attack variants
* Affected by CVE-2023-20593 (Zenbleed, cross-process information
leak): YES

CVE-2023-20593 aka 'Zenbleed, cross-process information leak'
* Zenbleed mitigation is supported by kernel: YES (found zenbleed
message in kernel image)
* Zenbleed kernel mitigation enabled and active: YES (FP_BACKUP_FIX
bit set in DE_CFG)
* Zenbleed mitigation is supported by CPU microcode: NO
> STATUS: NOT VULNERABLE (Your kernel mitigates Zenbleed)

So my processor is indeed family 17h - the model is 71h. It indicates
the most recent microcode is being run (probably because I've updated
the motherboard firmware.)

I did find a tool to inspect the microcode blobs so I could see what's
included:

# ./amd_ucode_info.py /usr/lib/firmware/amd-ucode/microcode_amd_fam17h.bin
Microcode patches in /usr/lib/firmware/amd-ucode/microcode_amd_fam17h.bin:
Family=0x17 Model=0x08 Stepping=0x02: Patch=0x0800820d Length=3200 bytes
Family=0x17 Model=0x31 Stepping=0x00: Patch=0x0830107b Length=3200 bytes
Family=0x17 Model=0xa0 Stepping=0x00: Patch=0x08a00008 Length=3200 bytes
Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126e Length=3200 bytes

This just confirmed there's no microcode update for my processor model
(71h.)

I did download a different distribution's firmware package (mostly out
of curiosity) and the results are identical.

So AMD just doesn't have microcode for my model of CPU.

As the spectre-meltdown-checker script says the kernel is mitigating
Zenbleed for now, I'm just going forget about this and move on.

Dan

Mailing List Archive

Mailing List Archive

Attached Files: