
| title | type | author | date | post |
|---|---|---|---|---|
| Testers needed: Zenbleed patch for AlmaLinux 8 and 9 | blog | name: Andrew Lukoshko; bio: Release Engineering Lead; image: /users/alukoshko.jpg | 2023-07-24 | title: Testers needed: Zenbleed patch for AlmaLinux 8 and 9; image: /blog-images/23.07.24.zenbleed.png |

Earlier today our community pointed out a new, trivially exploitable flaw in AMD systems called Zenbleed. Due to an accident on the AMD side, the patch was released ahead of responsible disclosure, and unpatched systems are at great risk. We were able to pull in the patch, get through our normal testing, and we are now ready for wider testing for both AlmaLinux 8 and 9.

How did AlmaLinux get the patch?

The fix was released by AMD, so we were able to pull that directly in, similar to what all other distributions are currently having to do. We pulled in three patches from linux-firmware upstream:

https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/amd-ucode?id=69143e8eca62a80b9791b8d358d1cc4c90e373c9

https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/amd-ucode?id=b250b32ab1d044953af2dc5e790819a7703b7ee6

https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/amd-ucode?id=0bc3126c9cfa0b8c761483215c25382f831a7c6f

You can see the diff of the changes on git.almalinux.org.

How do I install the updated packages?

Due to the risks involved in these patches, these packages are not yet in production and need testing! If you are willing to help provide us feedback, and have access to a bare metal AMD system, you can manually install them by pulling them from the AlmaLinux Build System.

To install the new RPM on AlmaLinux 8:

{{< highlight bash >}} dnf update https://build.almalinux.org/pulp/content/builds/AlmaLinux-8-x86_64-7032-br/Packages/l/linux-firmware-20230404-114.git2e92a49f.el8_8.alma.noarch.rpm {{< /highlight >}}

For AlmaLinux 9:

{{< highlight bash >}} dnf update https://build.almalinux.org/pulp/content/builds/AlmaLinux-9-x86_64-7033-br/Packages/l/linux-firmware-20230310-134.el9_2.alma.noarch.rpm {{< /highlight >}}

To check that the installation completed successfully, you can run:

{{< highlight bash >}} rpm -qa linux-firmware {{< /highlight >}}

To update the CPU microcode, run the following:

{{< highlight bash >}} echo 1 > /sys/devices/system/cpu/microcode/reload {{< /highlight >}}

Once you have completed your testing, please help us by letting us know it works for you! Please share the following information (sanitized in whatever way you feel comfortable) in a comment on the issue we’ve opened to track this update on bugs.almalinux.org. We have created one specific to AlmaLinux 8 and one for AlmaLinux 9. Please include the output of the following two commands from the test server, and whether it worked for you.

{{< highlight bash >}}
lscpu
journalctl -k --grep=microcode
{{< /highlight >}}
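
To confirm that the reload actually changed the loaded revision on every core, the script below (an added example, not part of the AlmaLinux post or tooling) compares two snapshots of `/proc/cpuinfo` taken before and after the update. The function names are hypothetical, and the sample CPU data and revision numbers are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the AlmaLinux post): compare the microcode revision
# the kernel reports before and after the firmware update and reload.

# Print "vendor family model revision" once per distinct combination found in
# a /proc/cpuinfo-format file. More than one line means cores disagree.
ucode_summary() {
    awk -F'[ \t]*:[ \t]*' '
        $1 == "vendor_id"  { v = $2 }
        $1 == "cpu family" { f = $2 }
        $1 == "model"      { m = $2 }
        $1 == "microcode"  { print v, f, m, $2 }
    ' "${1:-/proc/cpuinfo}" | sort -u
}

# Compare two snapshots. Prints the transition; returns 0 if the revision
# changed, 1 if it did not, 2 if cores in the "after" snapshot disagree.
ucode_changed() {
    local before after
    before=$(ucode_summary "$1" | awk '{print $4}' | sort -u | paste -sd, -)
    after=$(ucode_summary "$2" | awk '{print $4}' | sort -u | paste -sd, -)
    echo "microcode: ${before} -> ${after}"
    case "$after" in *,*) return 2 ;; esac   # mixed revisions across cores
    [ "$before" != "$after" ]
}

# Constructed two-core sample; the revision values are placeholders, not
# real AMD microcode revisions.
sample_cpuinfo() {
    local cpu
    for cpu in 0 1; do
        printf 'processor\t: %s\nvendor_id\t: AuthenticAMD\n' "$cpu"
        printf 'cpu family\t: 23\nmodel\t\t: 49\n'
        printf 'model name\t: Constructed AMD CPU\nmicrocode\t: %s\n\n' "$1"
    done
}

demo() {
    local dir; dir=$(mktemp -d)
    sample_cpuinfo 0x1111 > "$dir/before"   # snapshot before dnf update
    sample_cpuinfo 0x2222 > "$dir/after"    # snapshot after the reload
    ucode_summary "$dir/after"
    ucode_changed "$dir/before" "$dir/after" && echo "reload took effect"
    rm -rf "$dir"
}
demo
```

On a test machine, save `/proc/cpuinfo` to a file before running `dnf update`, then call `ucode_changed <saved-file> /proc/cpuinfo` after the reload.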

Why call for testing now?

The depth of this exploit is motivation for moving fast, in our opinion. Our users are looking for a patch to come quickly, and this is one more opportunity that we have as a result of our decision to aim for ABI compatibility. We will be looking for more opportunities for testing and early/beta adopters as we expand. In fact, we have a kernel update in testing right now that was shared in chat.almalinux.org earlier today. If you are interested in helping us with testing, please do join us there!

Come help!

Joining the AlmaLinux community is easy! For anyone that has time to offer: the Release Engineering SIG (~Engineering/RelEng on chat.almalinux.org) could use help for testing and building our pipelines, but the Infra, Cloud, and Marketing SIGs are always looking as well. You can also convince your company to become a sponsor or just back us as an individual on GitHub or OpenCollective.

Thank you to everyone who helps make AlmaLinux happen. Our individual sponsors and backers in addition to our corporate sponsors are the biggest reason we can continue to provide AlmaLinux OS free forever.