Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors

[Lucas Rolff <lucas () slcoding com>]

OS vendors can include it in microcode updates just fine assuming the change is minor (Spectre/Meltdown did take quite 
some time to iron out stability to live patch it).

> On 25 Jul 2023, at 19:58, Demi Marie Obenour <demi () invisiblethingslab com> wrote:
>
> On Tue, Jul 25, 2023 at 06:12:44PM +0100, Eddie Chapman wrote:
> > alice wrote:
> > > this is a disaster of a security announcement from AMD. nothing is fixed
> > > except for epyc. the only workaround anyone really has is the chicken bit,
> > > thankfully.
> >
> > Yes, very disappointing. Pure speculation; perhaps they were planning on
> > disclosing at the end of the year with full set of Microcode ready but
> > something we don't know (yet) forced them to disclose early. Who knows.
>
> Does AMD make OS-loadable μcode patches available for client platforms,
> or must all μcode loading on clients be done by the firmware?  If the
> latter, then it will take a very long time for clients to get patched,
> even if AMD released the updates promptly.  Also, server platforms can
> usually reflash the firmware via the BMC, but client platforms do not
> have this option.
> -- 
> Sincerely,
> Demi Marie Obenour (she/her/hers)
> Invisible Things Lab