feat: update amd64-microcode to 3.20251202.1

README

@@ -11,6 +11,81 @@ amdtee/ currently includes firmware for the amd_pmf driver.
 
 latest commits in this release:
 
+commit e637542fa8b9e0a88b0b2885072eea7df3737969
+Author: John Allen <john.allen@amd.com>
+Date:   Thu Oct 30 17:23:31 2025 -0500
+
+    linux-firmware: Update AMD cpu microcode
+
+    * Update AMD cpu microcode for processor family 1ah
+
+    Key Name        = AMD Microcode Signing Key (for signing microcode container files only)
+    Key ID          = F328AE73
+    Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+
+    Signed-off-by: John Allen <john.allen@amd.com>
+
+commit ad91544767665e911386e62ecebaa969e2cfb1c0
+Author: John Allen <john.allen@amd.com>
+Date:   Mon Oct 27 17:25:01 2025 -0500
+
+    linux-firmware: Update AMD cpu microcode
+
+    * Update AMD cpu microcode for processor family 19h
+
+    Key Name        = AMD Microcode Signing Key (for signing microcode container files only)
+    Key ID          = F328AE73
+    Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+
+    Signed-off-by: John Allen <john.allen@amd.com>
+
+commit 3a49a7356a8c83a33d0214edfc5d8fd835caa93a
+Author: Andrew Cooper <andrew.cooper3@citrix.com>
+Date:   Tue Oct 21 14:20:56 2025 +0100
+
+    amd-ucode: Fix minimum revisions in README
+
+    ... to match the minimum revisions stated in the binaries.
+
+    Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+commit 3768c184de68a85b9df6697e7f93a2f61de90a99
+Author: John Allen <john.allen@amd.com>
+Date:   Tue Jul 29 10:21:29 2025 -0500
+
+    linux-firmware: Update AMD cpu microcode
+
+    * Update AMD cpu microcode for processor family 19h
+    * Add AMD cpu microcode for processor family 1ah
+
+    Key Name        = AMD Microcode Signing Key (for signing microcode
+    container files only)
+    Key ID          = F328AE73
+    Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+
+    Signed-off-by: John Allen <john.allen@amd.com>
+
+commit 331eac9144402d6cfa02ff3b2888a40bb9a7a01a
+Author: John Allen <john.allen@amd.com>
+Date:   Mon Jul 7 18:56:23 2025 +0000
+
+    linux-firmware: Update AMD cpu microcode
+
+    * Update AMD cpu microcode for processor family 19h
+
+    Key Name        = AMD Microcode Signing Key (for signing microcode container files only)
+    Key ID          = F328AE73
+    Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+
+    Signed-off-by: John Allen <john.allen@amd.com>
+    Signed-off-by: Josh Boyer <jwboyer@kernel.org>
+
+commit 86d528c261657497967cb2b2051374639e6ad476
+Author: Shyam Sundar  S K <shyam-sundar.s-k@amd.com>
+Date:   Wed May 7 14:22:26 2025 +0000
+
+    amd_pmf: Update AMD PMF TA Firmware to v3.1
+
 commit 3660cb7665df91e664b240c19c560f138d74f483
 Author: John Allen <john.allen@amd.com>
 Date:   Wed Feb 19 20:29:05 2025 +0000

WHENCE.amd

@@ -0,0 +1,58 @@
+             **********
+             * WHENCE *
+             **********
+
+This file attempts to document the origin and licensing information,
+if known, for each piece of firmware distributed for use with the Linux
+kernel.
+
+--------------------------------------------------------------------------
+
+Driver: amd_pmf - AMD Platform Management Framework TA
+
+File: amdtee/773bd96f-b83f-4d52-b12dc529b13d8543.bin
+Link: amdtee/amd_pmf_v3.bin -> 773bd96f-b83f-4d52-b12dc529b13d8543.bin
+File: amdtee/f29bb3d9-bd66-5441-afb88acc2b2b60d6.bin
+Link: amdtee/amd_pmf_v3_1.bin -> f29bb3d9-bd66-5441-afb88acc2b2b60d6.bin
+
+Licence: Redistributable. See LICENSE.amd_pmf for details.
+
+--------------------------------------------------------------------------
+
+Driver: ccp - Platform Security Processor (PSP) device
+
+File: amd/amd_sev_fam17h_model0xh.sbin
+Version: 2022-2-25
+File: amd/amd_sev_fam17h_model3xh.sbin
+Version: 2024-8-20
+File: amd/amd_sev_fam19h_model0xh.sbin
+Version: 2025-2-20
+File: amd/amd_sev_fam19h_model1xh.sbin
+Version: 2025-2-20
+File: amd/amd_sev_fam19h_modelaxh.sbin
+Version: 2025-2-20
+File: amd/amd_sev_fam1ah_model0xh.sbin
+Version: 2025-2-20
+
+License: Redistributable. See LICENSE.amd-sev for details
+
+--------------------------------------------------------------------------
+
+Driver: microcode_amd - AMD CPU Microcode Update Driver for Linux
+
+RawFile: amd-ucode/microcode_amd.bin
+Version: 2013-07-10
+RawFile: amd-ucode/microcode_amd_fam15h.bin
+Version: 2018-05-24
+RawFile: amd-ucode/microcode_amd_fam16h.bin
+Version: 2014-10-28
+RawFile: amd-ucode/microcode_amd_fam17h.bin
+Version: 2024-11-21
+RawFile: amd-ucode/microcode_amd_fam19h.bin
+Version: 2025-10-27
+RawFile: amd-ucode/microcode_amd_fam1ah.bin
+Version: 2025-12-02
+File: amd-ucode/README
+
+License: Redistributable. See LICENSE.amd-ucode for details
+

amd-ucode/README

@@ -30,7 +30,6 @@ Microcode patches in microcode_amd_fam15h.bin:
 Microcode patches in microcode_amd_fam16h.bin:
   Family=0x16 Model=0x00 Stepping=0x01: Patch=0x0700010f Length=3458 bytes
 
-
 Microcode patches in microcode_amd_fam17h.bin:
   Family=0x17 Model=0x71 Stepping=0x00: Patch=0x08701034 Length=3200 bytes
   Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126f Length=3200 bytes
@@ -42,23 +41,53 @@ Microcode patches in microcode_amd_fam17h.bin:
 
 Microcode patches in microcode_amd_fam19h.bin:
   Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a00107a Length=5568 bytes
-  Family=0x19 Model=0x7c Stepping=0x00: Patch=0x0a70c005 Length=5568 bytes
-  Family=0x19 Model=0x75 Stepping=0x02: Patch=0x0a705206 Length=5568 bytes
-  Family=0x19 Model=0x08 Stepping=0x02: Patch=0x0a00820c Length=5568 bytes
-  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101248 Length=5568 bytes
-  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00215 Length=5568 bytes
-  Family=0x19 Model=0x44 Stepping=0x01: Patch=0x0a404107 Length=5568 bytes
-  Family=0x19 Model=0x78 Stepping=0x00: Patch=0x0a708007 Length=5568 bytes
-  Family=0x19 Model=0x21 Stepping=0x00: Patch=0x0a20102d Length=5568 bytes
-  Family=0x19 Model=0x74 Stepping=0x01: Patch=0x0a704107 Length=5568 bytes
+  Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d5 Length=5568 bytes
+  Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011de Length=5568 bytes
+    Minimum base ucode version for loading: 0x0a0011d9
   Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001238 Length=5568 bytes
+  Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001247 Length=5568 bytes
+    Minimum base ucode version for loading: 0x0a001242
+  Family=0x19 Model=0x08 Stepping=0x02: Patch=0x0a00820d Length=5568 bytes
   Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101148 Length=5568 bytes
-  Family=0x19 Model=0x61 Stepping=0x02: Patch=0x0a601209 Length=5568 bytes
-  Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d5 Length=5568 bytes
+  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101158 Length=5568 bytes
+    Minimum base ucode version for loading: 0x0a101153
+  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101248 Length=5568 bytes
+  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101253 Length=5568 bytes
+    Minimum base ucode version for loading: 0x0a10124e
+  Family=0x19 Model=0x18 Stepping=0x01: Patch=0x0a108109 Length=5568 bytes
+  Family=0x19 Model=0x21 Stepping=0x00: Patch=0x0a20102e Length=5568 bytes
+  Family=0x19 Model=0x21 Stepping=0x02: Patch=0x0a201211 Length=5568 bytes
+  Family=0x19 Model=0x44 Stepping=0x01: Patch=0x0a404108 Length=5568 bytes
+  Family=0x19 Model=0x50 Stepping=0x00: Patch=0x0a500012 Length=5568 bytes
+  Family=0x19 Model=0x61 Stepping=0x02: Patch=0x0a60120a Length=5568 bytes
+  Family=0x19 Model=0x74 Stepping=0x01: Patch=0x0a704108 Length=5568 bytes
+  Family=0x19 Model=0x75 Stepping=0x02: Patch=0x0a705208 Length=5568 bytes
+  Family=0x19 Model=0x78 Stepping=0x00: Patch=0x0a708008 Length=5568 bytes
+  Family=0x19 Model=0x7c Stepping=0x00: Patch=0x0a70c008 Length=5568 bytes
   Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes
-  Family=0x19 Model=0x18 Stepping=0x01: Patch=0x0a108108 Length=5568 bytes
-  Family=0x19 Model=0x50 Stepping=0x00: Patch=0x0a500011 Length=5568 bytes
-  Family=0x19 Model=0x21 Stepping=0x02: Patch=0x0a201210 Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00215 Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa0021c Length=5568 bytes
+    Minimum base ucode version for loading: 0x0aa00218
+
+Microcode patches in microcode_amd_fam1ah.bin:
+  Family=0x1a Model=0x02 Stepping=0x01: Patch=0x0b002161 Length=14368 bytes
+    Minimum base ucode version for loading: 0x0b002140
+  Family=0x1a Model=0x08 Stepping=0x01: Patch=0x0b008121 Length=14368 bytes
+    Minimum base ucode version for loading: 0x0b008112
+  Family=0x1a Model=0x11 Stepping=0x00: Patch=0x0b101058 Length=14368 bytes
+    Minimum base ucode version for loading: 0x0b101040
+  Family=0x1a Model=0x24 Stepping=0x00: Patch=0x0b204037 Length=14368 bytes
+    Minimum base ucode version for loading: 0x0b204032
+  Family=0x1a Model=0x44 Stepping=0x00: Patch=0x0b404035 Length=14368 bytes
+    Minimum base ucode version for loading: 0x0b404032
+  Family=0x1a Model=0x44 Stepping=0x01: Patch=0x0b404108 Length=14368 bytes
+    Minimum base ucode version for loading: 0x0b404102
+  Family=0x1a Model=0x60 Stepping=0x00: Patch=0x0b600037 Length=14368 bytes
+    Minimum base ucode version for loading: 0x0b600032
+  Family=0x1a Model=0x68 Stepping=0x00: Patch=0x0b608038 Length=14368 bytes
+    Minimum base ucode version for loading: 0x0b608032
+  Family=0x1a Model=0x70 Stepping=0x00: Patch=0x0b700037 Length=14368 bytes
+    Minimum base ucode version for loading: 0x0b700032
 
 NOTE: For Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19 Model=0xa0),
 either AGESA version >= 1.0.0.8 OR a kernel with the following commit is
@@ -77,3 +106,20 @@ the required minimum patch levels to address this problem:
   Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e
   Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116
   Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212
+
+NOTE: In order to not fully abandon machines affected by AMD-SB-7033 [1] that
+have not received the BIOS update, the family 19h microcode container now
+includes a second patch for these machines that brings the microcode to the
+highest possible level without the microcode signing fix. While a BIOS update
+is highly recommended to receive the latest security updates issued after the
+microcode signing vulnerability, this will allow non-updated systems to at
+least receive some microcode updates beyond the version provided by BIOS.
+
+The list of additional patches can be seen below:
+  Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d5 Length=5568 bytes
+  Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001238 Length=5568 bytes
+  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101148 Length=5568 bytes
+  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101248 Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00215 Length=5568 bytes
+
+[1]: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html

amd-ucode/microcode_amd_fam19h.bin.asc

@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmc/W4EACgkQ5L5TOfMo
-rnPSAwf/UozBxuAEmSJMgUE3CVKyuvs0VpI1fvUpybW5Dqgz+6DLXtLJBFQLjLn1
-UlxhkHmiZ63QXazpu3QUBGUkUh5fpKDsn8P1XVRPTtOc4IMsWVlCh3RJwFpmQRqW
-8h30WDwxRzIb0VvGg8bclLGH/t1dozagk87eYbq9sz8I/qV9P/kd/BFifNSqANOq
-xQmb9oNFu3JuFHqNoLdR02dQ9T/l21TDoLQwjjyFwAY8B1JNQTjTlq6brfnOKICu
-SRF3PMAS+EOwplGtgUXYhgYBHNikKM9Vk7Ua3DFxcMm1ZKhL3Z+O0OloLapLaR3x
-HEivYRaVoKdVNZfl4rMsjyp7fnU07w==
-=ex8u
+iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmj4/hcACgkQ5L5TOfMo
+rnN+pAgAqw2g0/vMt82S58O5q2Ec35xqEBabSaeQkI9T2tolQmlBx45ggT8eWitf
+Wx4Oopq13lLvHNk7d7Isvi0nZ/+4yu7IoBNPqR1jkbgUOW1qmhkGK3PJROUphPGZ
+r6GPd/sRW/ugDECO7fiheqop9OzGlOwMzovSJNUDvQL8MfRK9bKUNSPmmKYLeKzw
+5cWtKKhC3AMxaCGiL4gJIXrT+SG+VxR3rMOiFLu2vYi5wJvYbutXX4GspjXPg9PV
+HjE1cQt8pgGEVmGDD47yLNttAN1OVTxf4tBcJmc9svxmFrI6f3TKU99h+fzmH/Zj
+1MGoWAW4FP8L4AEqjJkiUjof08hiVw==
+=IB2l
 -----END PGP SIGNATURE-----

amd-ucode/microcode_amd_fam1ah.bin.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmkvhcIACgkQ5L5TOfMo
+rnMHnQf/VMb4t4zk3y/XtMaff219LqrPsthI3z821nrv7L6Hg4Hy6bQRBH+7JkzF
+p/+jdZkbkp2dKN05RqRTg/vL+jXK9IbmSZoacTjkVtaEwRLyiU3IQz+gWThuBqwj
++ptsAUf+YH7YHpwJ8Xb8KfY43YVMaOnDbsFcWrnxxzdkEfOEKNOwxJMJvpZtzKW0
+HoIxeHfNjIDmpFBGui0ojTxShpH1JNi/ujWHfyHqauIdO/HcHkLhtQIrBjXFDxeg
+3UvS/uzwwu3/xhdzygyvBAoHOMSnrKByjfC6TeFrnPEhmfAiTV32qberDZr4LKAi
+INUNC4I/DDDEG0nYqeJw1O2cdmTrdg==
+=gKQm
+-----END PGP SIGNATURE-----

amdtee/amd_pmf_v3_1.bin

@@ -0,0 +1 @@
+f29bb3d9-bd66-5441-afb88acc2b2b60d6.bin

debian/NEWS

@@ -1,3 +1,41 @@
+amd64-microcode (3.20251030.1) unstable; urgency=high
+
+    This release ships microcode for family 0x1ah (Zen5) that cannot be
+    loaded by very outdated system firmware, due to the fix for the
+    "Entrysign" microcode signature issue (as described by AMD-SB-7033).
+
+    This release ships two sets of microcode for family 0x19h (Zen3,
+    Zen3+, Zen4):
+
+    * The most recent set of microcode updates, which will only work for
+      systems that had their system firmware (BIOS) properly updated to
+      address the Entrysign microcode signature vulnerability.
+
+    * A second set of older microcode "updates", for systems with outdated
+      system firmware still vulnerable to the Entrysign vulnerability.
+
+      As described by AMD:
+      "In order to not fully abandon machines affected by AMD-SB-7033 that
+      have not received the BIOS update, the family 19h microcode container
+      now includes a second patch for these machines that brings the microcode
+      to the highest possible level without the microcode signing fix. While a
+      BIOS update is highly recommended to receive the latest security updates
+      issued after the microcode signing vulnerability, this will allow
+      non-updated systems to at least receive some microcode updates beyond
+      the version provided by BIOS."
+
+      Note that any such systems *will remain vulnerable* to Entrysign and
+      anything else that has been fixed by microcode updates since then.
+
+    For more details, refer to AMD-SB-7033:
+    https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html
+
+    IMPORTANT NOTE: an updated Linux kernel with an updated AMD microcode
+    update driver is required in order to the "set of older microcode
+    updates" to be selected on systems with outdated firmware.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 08 Nov 2025 19:20:02 -0300
+
 amd64-microcode (3.20230808.1) unstable; urgency=high
 
     This release requires *either* new-enough system firmware, *or* a

debian/amd64-microcode.docs

@@ -1 +1,3 @@
 README
+WHENCE.amd
+LICENSE*

debian/changelog

@@ -1,3 +1,52 @@
+amd64-microcode (3.20251202.1) unstable; urgency=medium
+
+  * Update package data from linux-firmware 20251202
+    * ATTENTION: regression risk if backported to stable or LTS.
+      The amd processor microcode updates in this release will not load on
+      systems with outdated BIOS vulnerable to "Entrysign" unless a number of
+      kernel patches are present.
+    * amd-tee: update AMD PMF TA Firmware to v3.1.
+    * amd-ucode: update with release 2025-12-02:
+      + SECURITY UPDATE (AMD-SB-7055 / CVE-2025-62626)
+        Fix RDSEED Failure on more AMD Zen 5 Processor models
+        (closes: #1120005)
+    * amd-ucode: update with release 2025-11-13:
+      + SECURITY UPDATE (AMD-SB-7055 / CVE-2025-62626)
+        Fix RDSEED Failure on more AMD Zen 5 Processor models
+    * amd-ucode: update with release 2025-10-30:
+      + SECURITY UPDATE (AMD-SB-7055 / CVE-2025-62626)
+        Fix RDSEED Failure on some AMD Zen 5 Processor models
+    + amd-ucode: update with release 2025-10-27:
+      * This is the final microcode release for systems that have not
+        been updated to fix vulnerability AMD-SB-7033 "Entrysign").
+      * A kernel update is needed for the microcode driver to be able
+        to select the appropriate microcode updates for outdated system
+        firmware vulnerable to "Entrysign".
+      * On non-updated kernels, this will potentially *regress* the
+        microcode version on the running system back to the one in the
+        (outdated, unpatched-for-Entrysign) BIOS.
+    + amd-ucode: update with release 2025-07-29:
+      + SECURITY UPDATE (AMD-SB-7029: CVE-2024-36350, CVE-2024-36357):
+        Mitigate transient execution vulnerabilities in some AMD processors
+        which might allow an attacker to infer data from previous stores
+        (TSA-SQ) or data in the L1D cache (TSA-L1), potentially resulting in
+        the leakage of privileged information and sensitive information across
+        priviledged boundaries (closes: #1109035)
+      * NOTE: Requires kernel and hypervisor changes for the security
+        mitigations to be applied (issue VERW instruction at appropriate
+        times).
+  * initramfs: guard against copying non-microcode data into the
+    early-initramfs bundle, for the benefit of those that copy all files from
+    linux-firmware into /lib/firmware/*.  Thanks to Eric Valette for tracking
+    it down (closes: #1101350)
+  * debian/control: recommend cpio (closes: #1110987)
+  * NEWS.Debian: update for post-Entrysign microcode updates
+    Document that kernel patches are needed to avoid regressing the microcode
+    release on vulnerable Zen2/3/4 systems (family 0x19), and also that these
+    systems will not receive any future microcode updates.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 06 Dec 2025 12:04:29 -0300
+
 amd64-microcode (3.20250311.1) unstable; urgency=medium
 
   * Update package data from linux-firmware 20250311

debian/control

@@ -11,7 +11,7 @@ XS-Autobuild: yes
 
 Package: amd64-microcode
 Architecture: i386 amd64 x32
-Recommends: initramfs-tools (>= 0.113~) | dracut (>= 044) | tiny-initramfs
+Recommends: initramfs-tools (>= 0.113~) | dracut (>= 044) | tiny-initramfs, cpio
 Depends: ${misc:Depends}
 Breaks: intel-microcode (<< 2)
 Description: Platform firmware and microcode for AMD CPUs and SoCs

debian/initramfs.hook

@@ -96,7 +96,7 @@ EFWF="${EFWCD}/AuthenticAMD.bin"
 # firmware file, as well as the timestamp and ordering of
 # all cpio members.
 mkdir -p "${EFWCD}" && \
- find "${AUCODE_FW_DIR}/." -maxdepth 1 -type f -print0 | LC_ALL=C sort -z | xargs -0 -r cat 2>/dev/null >"${EFWF}" && \
+ find "${AUCODE_FW_DIR}/." -maxdepth 1 -type f -name 'microcode_amd*.bin' -print0 | LC_ALL=C sort -z | xargs -0 -r cat 2>/dev/null >"${EFWF}" && \
  find "${EFWD}" -print0 | xargs -0r touch --no-dereference --date="@${CHANGELOG_TS}" && { \
     # --reproducible requires cpio >= 2.12
     cpio --usage | grep -qs -- "--reproducible" && cpio_reproducible="--reproducible" || true