solene | July 24, 2023, 6:02pm | #1

Hi,
With the new, pretty bad Zenbleed vulnerability, how do microcode updates work in Qubes OS?
Should I open an issue on GitHub to keep track of the progress by the team?
I found a previous Discourse announcement in 2022 about a microcode update, so it seems Qubes OS will handle it through an update, but I just wanted to be sure.

Yes, please, open an issue. It’s the good way.

The QubesOS team published:

opened 04:31PM - 24 Jul 23 UTC
r4.2-host-cur-test, r4.2-host-sec-test

Update of linux-firmware to v20230625-147 for Qubes OS r4.2, see comments below for details and build status.
From commit: https://github.com/QubesOS/qubes-linux-firmware/commit/737cc2a10fe103d738a45e5077e04e7c3f49986e
[Changes since previous version](https://github.com/QubesOS/qubes-linux-firmware/compare/v20230625...v20230625-147):
* QubesOS/qubes-linux-firmware@737cc2a version 20230625-147
* QubesOS/qubes-linux-firmware@30906f9 Bump epoch to make sure the package will remain newer than one from Fedora
Referenced issues:
If you're release manager, you can issue GPG-inline signed command:
* `Upload-component r4.2 linux-firmware 737cc2a10fe103d738a45e5077e04e7c3f49986e current all` (available 5 days from now)
* `Upload-component r4.2 linux-firmware 737cc2a10fe103d738a45e5077e04e7c3f49986e security-testing all`
You can choose subset of distributions like:
* `Upload-component r4.2 linux-firmware 737cc2a10fe103d738a45e5077e04e7c3f49986e current vm-bookworm,vm-fc37` (available 5 days from now)
Above commands will work only if packages in current-testing repository were built from given commit (i.e. no new version superseded it).
For more information on how to test this update, please take a look at https://www.qubes-os.org/doc/testing/#updates.

solene | July 24, 2023, 8:04pm | #4

Thanks, I was writing the issue when you added the update

solene | July 24, 2023, 8:36pm | #5

Actually, the issue to track the update for r4.1 is this one:

opened 12:54AM - 21 Jul 23 UTC
r4.1-dom0-cur-test, r4.1-dom0-sec-test

Update of linux-firmware to v20230625 for Qubes r4.1, see comments below for details.
Built from: https://github.com/QubesOS/qubes-linux-firmware/commit/41625f8d4998a844e79e044e5b894dd3c55ae414
[Changes since previous version](https://github.com/QubesOS/qubes-linux-firmware/compare/v20230117...v20230625):
* QubesOS/qubes-linux-firmware@41625f8 Include recent AMD microcode updates for family 17h and 19h
* QubesOS/qubes-linux-firmware@11898fb Update to 20230625
Referenced issues:
If you're release manager, you can issue GPG-inline signed command:
* `Upload linux-firmware 41625f8d4998a844e79e044e5b894dd3c55ae414 r4.1 current repo` (available 7 days from now)
* `Upload linux-firmware 41625f8d4998a844e79e044e5b894dd3c55ae414 r4.1 current (dists) repo`, you can choose subset of distributions, like `vm-fc24 vm-fc25` (available 7 days from now)
* `Upload linux-firmware 41625f8d4998a844e79e044e5b894dd3c55ae414 r4.1 security-testing repo`
Above commands will work only if packages in current-testing repository were built from given commit (i.e. no new version superseded it).