In mid-October a Meta engineer uncovered an RDSEED architectural issue with AMD Zen 5 CPUs. A patch in turn was sent out to the Linux kernel mailing list to disable RDSEED usage on affected Zen 5 processors. AMD this week issued a security bulletin to acknowledge the issue and report that a microcode fix is coming.
AMD-SB-7055 was made public this week and is described as RDSEED Failure on AMD “Zen 5” Processors. This RDSEED failure is rated high severity due to loss of confidentiality and integrity. The issue is summarized by AMD as:
“AMD was notified of a bug in “Zen 5” processors that may cause the RDSEED instruction to return 0 at a rate inconsistent with randomness while incorrectly signaling success (CF=1), indicating a potential misclassification of failure as success. This issue was initially reported publicly via the Linux kernel mailing list and was not submitted through AMD’s Coordinated Vulnerability Disclosure (CVD) process.
AMD has determined that the 16-bit and 32-bit forms of the RDSEED instruction on “Zen 5” processors are affected. The 64-bit form of RDSEED is not affected.”
For the moment AMD advises either using the 64-bit form of RDSEED, blocking RDSEED usage/discovery, or altering the RDSEED usage for this faulty Zen 5 case. On 14 November AMD plans to release updated AGESA for AMD EPYC 9005 processors to address this issue in microcode. Alternatively, linux-firmware.git now carries updated Family 1Ah microcode with the necessary fix for Turin and Turin Dense processor cores.
In late November AMD plans to release updated AGESA for the AMD Ryzen 9000 series, Ryzen AI 300 series and similar parts to address this issue as well. EPYC Embedded 9000 and EPYC Embedded 4005 series aren’t expected to see mitigated software releases until January.
More details on this issue can be found via the AMD security bulletin.
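AMD's interim advice above to use the 64-bit form of RDSEED, sketched as an added example (not AMD's or the Linux kernel's code): 32-bit seeds are cut from 64-bit RDSEED results, with a bounded retry whenever CF=0. All function names here, and the `stub_step` stand-in source, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* One RDSEED attempt: returns 1 (CF=1) with *v filled, or 0 (CF=0). */
typedef int (*rdseed64_step_fn)(uint64_t *v);

#if defined(__x86_64__)
#include <cpuid.h>
/* CPUID.(EAX=7,ECX=0):EBX bit 18 advertises RDSEED. */
static int cpu_has_rdseed(void) {
    unsigned a, b, c, d;
    return __get_cpuid_count(7, 0, &a, &b, &c, &d) && (b & (1u << 18));
}
/* A 64-bit destination register selects the 64-bit form of RDSEED. */
static int hw_rdseed64_step(uint64_t *v) {
    unsigned char cf;
    __asm__ volatile("rdseed %0; setc %1" : "=r"(*v), "=qm"(cf) : : "cc");
    return cf;
}
#endif

/* Fill out[0..n) with 32-bit seeds cut from 64-bit RDSEED results, so the
 * 16/32-bit forms are never issued. Returns 0, or -1 if CF stays 0. */
int seed32_from_rdseed64(rdseed64_step_fn step, uint32_t *out, size_t n, int max_tries) {
    for (size_t i = 0; i < n; i += 2) {
        uint64_t v = 0;
        int ok = 0, t = 0;
        while (!ok && t++ < max_tries) ok = step(&v);
        if (!ok) return -1; /* never hand back a value without CF=1 */
        out[i] = (uint32_t)v;
        if (i + 1 < n) out[i + 1] = (uint32_t)(v >> 32);
    }
    return 0;
}

/* Hardware entry point; -2 means RDSEED is not usable on this CPU/build. */
int seed32_hw(uint32_t *out, size_t n) {
#if defined(__x86_64__)
    if (cpu_has_rdseed()) return seed32_from_rdseed64(hw_rdseed64_step, out, n, 32);
#endif
    (void)out; (void)n;
    return -2;
}

/* Constructed stand-in source: reports CF=0 twice, then CF=1, fixed value. */
int stub_step(uint64_t *v) {
    static int calls;
    *v = 0x1122334455667788ULL;
    return ++calls % 3 == 0;
}
```

Callers should treat any nonzero return as "no seed available" and fall back to another entropy source rather than proceeding with the output buffer.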
