Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 4 Oct 2023 15:41:50 +0200
From: Solar Designer <>
Subject: Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak

Regarding AMD not intending to provide a microcode mitigation:

On Tue, Oct 03, 2023 at 04:04:31PM -0700, Jean Luc Picard wrote:
> No intent?  It wouldn't be terribly hard

Possibly not terribly hard, but (with my also too limited understanding)
probably not in any of the ways you suggested.

> That said I could understand the
> want to depricate zen1 support entirely, everyone upgraded when they could
> it was super super cheap to do so & there weren't really any enterprise
> users.

That's false.

Zen1 is still found in major clouds.  The AMD security bulletin:

specifically lists "Datacenter AMD EPYC 7001 Processors" as affected,
and these are used e.g. in:

"M5a, R5a and T3a instances are variants of Amazon EC2 general purpose
(M5), memory optimized (R5) and burstable general-purpose (T3) instance
families. These instances feature AMD EPYC 7001 series processors"

That was in 2021, but indeed the T3a tab at:

still says:

"Amazon EC2 T3a instances feature AMD EPYC 7000 series processors"

T3 are the most common/default AWS instance family with Intel CPUs, and
T3a are probably the most commonly used AMD alternative to them.

I don't mean to single out AWS, I think it's similar with many other
cloud and dedicated server providers.  This is just a prominent example.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.