Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak

[Solar Designer <solar () openwall com>]

Regarding AMD not intending to provide a microcode mitigation:

On Tue, Oct 03, 2023 at 04:04:31PM -0700, Jean Luc Picard wrote:
> No intent?  It wouldn't be terribly hard

Possibly not terribly hard, but (with my also too limited understanding)
probably not in any of the ways you suggested.

> That said I could understand the
> want to depricate zen1 support entirely, everyone upgraded when they could
> it was super super cheap to do so & there weren't really any enterprise
> users.

That's false.

Zen1 is still found in major clouds.  The AMD security bulletin:

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7007.html

specifically lists "Datacenter AMD EPYC 7001 Processors" as affected,
and these are used e.g. in:

https://aws.amazon.com/about-aws/whats-new/2021/04/amazon-ec2-instances-featuring-amd-epyc-processors-are-now-available-in-additional-regions/

"M5a, R5a and T3a instances are variants of Amazon EC2 general purpose
(M5), memory optimized (R5) and burstable general-purpose (T3) instance
families. These instances feature AMD EPYC 7001 series processors"

That was in 2021, but indeed the T3a tab at:

https://aws.amazon.com/ec2/amd/

still says:

"Amazon EC2 T3a instances feature AMD EPYC 7000 series processors"

T3 are the most common/default AWS instance family with Intel CPUs, and
T3a are probably the most commonly used AMD alternative to them.

I don't mean to single out AWS, I think it's similar with many other
cloud and dedicated server providers.  This is just a prominent example.

Alexander