Commit 8a9fb512 authored by Borislav Petkov (AMD)'s avatar Borislav Petkov (AMD)

x86/microcode/AMD: Limit Entrysign signature checking to known generations



Limit Entrysign sha256 signature checking to CPUs in the range Zen1-Zen5.

X86_BUG cannot be used here because the loading on the BSP happens way
too early, before the cpufeatures machinery has been set up.

Signed-off-by: default avatarBorislav Petkov (AMD) <bp@alien8.de>
Link: https://patch.msgid.link/all/20251023124629.5385-1-bp@kernel.org
parent dcb6fa37
+19 −1
@@ -233,13 +233,31 @@ static bool need_sha_check(u32 cur_rev)
	return true;
}

static bool cpu_has_entrysign(void)
{
	unsigned int fam   = x86_family(bsp_cpuid_1_eax);
	unsigned int model = x86_model(bsp_cpuid_1_eax);

	if (fam == 0x17 || fam == 0x19)
		return true;

	if (fam == 0x1a) {
		if (model <= 0x2f ||
		    (0x40 <= model && model <= 0x4f) ||
		    (0x60 <= model && model <= 0x6f))
			return true;
	}

	return false;
}

static bool verify_sha256_digest(u32 patch_id, u32 cur_rev, const u8 *data, unsigned int len)
{
	struct patch_digest *pd = NULL;
	u8 digest[SHA256_DIGEST_SIZE];
	int i;

	if (x86_family(bsp_cpuid_1_eax) < 0x17)
	if (!cpu_has_entrysign())
		return true;

	if (!need_sha_check(cur_rev))
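Review bot: cpu_has_entrysign() encodes the covered generations as bare family/model ranges with no comment, and the early `return true` in verify_sha256_digest() means any CPU outside them has its patch accepted without a digest comparison at this point. That fail-open default is presumably deliberate, but nothing in the code says why it is safe or what a maintainer must do when a new model appears. A comment above the helper would record that, for example `/* Entrysign sha256 check applies to Zen1-Zen5 only; CPUs outside these ranges skip it, so extend the list if another affected model appears. */`. The comment could also carry the commit message's reason for open-coding the family test instead of using X86_BUG, namely that BSP loading runs before the cpufeatures machinery is set up. verify_sha256_digest()'s body continues past the end of the hunk, so what follows the need_sha_check() test is not visible here.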