Timeline for How to do AMD CPU microcode update (not BIOS update)?

Current License: CC BY-SA 4.0

11 events

when toggle format	what		by	license	comment
Oct 14 at 21:59	comment	added	Mark		@hanshenrik, they're not talking about the signing key there; rather, the recovered key is the symmetric key from the AES-CMAC hash that AMD is mis-using as a cryptographic hash function. It's not used to encrypt anything.
Oct 14 at 8:58	comment	added	hanshenrik		@Mark Both, it seems. quote `We were then able to recover the Zen 5 key on March 7, 2025 and reported this to AMD. We then jointly added Zen 5 to the list of affected products to our advisories on April 7, 2025.`
Oct 14 at 1:13	comment	added	Mark		It's not that the signing key has been leaked; rather, there's a flaw in the signature verification procedure that lets an attacker create additional keypairs that will be accepted as valid.
Oct 13 at 19:52	history	edited	Stephen Kitt	CC BY-SA 4.0	Fix microcode typo, thanks Ismael Miguel!
Oct 13 at 10:57	comment	added	Stephen Kitt		Ah, good to know, thanks @hanshenrik!
Oct 13 at 10:57	history	edited	Stephen Kitt	CC BY-SA 4.0	The keys are known, thanks hanshenrik!
Oct 13 at 10:53	comment	added	hanshenrik		actually seems Zen 5 is also affected, cpus up to 2025-03-04 seems to be affected: github.com/google/security-research/security/advisories/… - conflicting reports, some places say Zen 1-4, but the github advisory page also mention Zen 5 and "PI < 2025-03-04" 🤔
Oct 13 at 10:45	comment	added	hanshenrik		The signing key for AMD Zen 1-4 cpus has leaked , meaning AMD CPUs between at least 2017-2022 are vulnerable to malicious microcode updates.
Oct 13 at 3:17	history	edited	Vlastimil Burián	CC BY-SA 4.0	added Recovery procedure, in case the new microcode misbehaves, I hope you do not mind Stephen, cheers
Oct 12 at 7:28	vote	accept	Vlastimil Burián
Oct 12 at 7:25	history	answered	Stephen Kitt	CC BY-SA 4.0