update: fwdb from v344+i20250811+1523 to v344+i20250811+7486, 1 microcode changes

chore: fix autoupdate workflow
fix CVE-2017-5715 reporting when IBRS_FW is enabled
2025-11-09 10:10:53 +01:00 · 2025-10-31 09:47:19 +00:00 · 2025-10-30 23:57:05 +01:00 · 2025-10-27 08:42:51 +01:00 · 2025-10-26 22:08:07 +01:00 · 2025-10-25 20:48:38 +02:00
5 changed files with 1531 additions and 956 deletions
--- a/.github/workflows/autoupdate.yml
+++ b/.github/workflows/autoupdate.yml
@@ -0,0 +1,34 @@
+name: autoupdate
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '42 9 * * *'
+
+jobs:
+  autoupdate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install prerequisites
+        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends iucode-tool sqlite3 unzip
+      - name: Update microcode versions
+        run: ./spectre-meltdown-checker.sh --update-builtin-fwdb
+      - name: Check git diff
+        id: diff
+        run: |
+          echo change="$(git diff spectre-meltdown-checker.sh | awk '/MCEDB/ { if(V) { print V" to "$4; exit } else { V=$4 } }')" >> "$GITHUB_OUTPUT"
+          echo nbdiff="$(git diff --numstat spectre-meltdown-checker.sh | awk '{print $1}')" >> "$GITHUB_OUTPUT"
+          git diff
+          cat "$GITHUB_OUTPUT"
+      - name: Create Pull Request if needed
+        if: steps.diff.outputs.nbdiff != '0'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.SMC_PR_PAT }}
+          branch: autoupdate-fwdb
+          commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes"
+          title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}"
+          body: |
+            Automated PR to update fwdb from ${{ steps.diff.outputs.change }}
+            Detected ${{ steps.diff.outputs.nbdiff }} microcode changes
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -24,7 +24,7 @@ jobs:
        fi
    - name: check direct execution
      run: |
-        expected=17
+        expected=19
        nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
@@ -32,11 +32,11 @@ jobs:
        else
          echo "OK $nb CVEs reported"
        fi
-    - name: check docker-compose run execution
+    - name: check docker compose run execution
      run: |
-        expected=17
-        docker-compose build
-        nb=$(docker-compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
+        expected=19
+        docker compose build
+        nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
          echo "Invalid number of CVEs reported: $nb instead of $expected"
          exit 1
@@ -45,7 +45,7 @@ jobs:
        fi
    - name: check docker run execution
      run: |
-        expected=17
+        expected=19
        docker build -t spectre-meltdown-checker .
        nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
        if [ "$nb" -ne "$expected" ]; then
--- a/README.md
+++ b/README.md
@@ -21,7 +21,9 @@ CVE
 [CVE-2018-12207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207) | Machine Check Exception on Page Size Changes        | MCEPSC, No eXcuses, iTLB Multihit
 [CVE-2020-0543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543)   | Special Register Buffer Data Sampling               | SRBDS
 [CVE-2022-40982](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982) | Gather Data Sampling                                | GDS, Downfall
+[CVE-2023-20569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20569) | Return Address Security                             | Inception, RAS, SRSO
 [CVE-2023-20593](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593) | Cross-Process Information Leak                      | Zenbleed
+[CVE-2023-23583](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23583) | Redundant Prefix issue                              | Reptar

 Supported operating systems:
 - Linux (all versions, flavors and distros)
@@ -74,10 +76,13 @@ sudo ./spectre-meltdown-checker.sh
 #### With docker-compose

 ```shell
-docker-compose build
-docker-compose run --rm spectre-meltdown-checker
+docker compose build
+docker compose run --rm spectre-meltdown-checker
 ```

+Note that on older versions of docker, `docker-compose` is a separate command, so you might
+need to replace the two `docker compose` occurences above by `docker-compose`.
+
 #### Without docker-compose

 ```shell
@@ -187,8 +192,20 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m
   - Mitigation: either microcode update or disabling AVX feature
   - Performance impact of the mitigation: TBD

+**CVE-2023-20569** Return Address Security (Inception)
+
+   - Impact: Kernel & all software
+   - Mitigation: updated kernel & microcode
+   - Performance impact of the mitigation: low to significant depending on the mitigation
+
 **CVE-2023-20593** Cross-Process Information Leak (Zenbleed)

   - Impact: Kernel & all software
   - Mitigation: either kernel mitigation by disabling a CPU optimization through an MSR bit, or CPU microcode mitigation
   - Performance impact of the mitigation: TBD
+
+**CVE-2023-23583** Redundant Prefix issue (Reptar)
+
+   - Impact: All software
+   - Mitigation: microcode update for the affected CPU
+   - Performance impact of the mitigation: low
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '2'
-
 services:
  spectre-meltdown-checker:
    build:
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
Author	SHA1	Message	Date
speed47	f5d12b0f4a	update: fwdb from v344+i20250811+1523 to v344+i20250811+7486, 1 microcode changes	2025-10-31 09:47:19 +00:00
Stéphane Lesimple	5f18e67f6f	chore: fix autoupdate workflow	2025-10-30 23:57:05 +01:00
Gabriel Francisco	a8466b74fe	fix CVE-2017-5715 reporting when IBRS_FW is enabled	2025-10-27 08:42:51 +01:00
speed47	b99be2363c	update: fwdb from v296+i20240514+988c to v344+i20250811+1523, 128 microcode changes	2025-10-26 22:08:07 +01:00
Stéphane Lesimple	ee4cfd00b8	chore: add autoupdate workflow for fwdb	2025-10-25 20:48:38 +02:00
Stéphane Lesimple	c2c60e0161	chore: fix recent shellcheck warnings	2025-10-25 20:48:38 +02:00
Jörg Sommer	bae43d8370	Replace head -1 by head -n1 The info page of GNU head says: > For compatibility 'head' also supports an obsolete option syntax > '-[NUM][bkm][cqv]', [...] Scripts intended for standard hosts should use > '-c NUM' or '-n NUM' instead. At least busybox's head does not support the `-NUM` syntax.	2025-10-25 20:45:24 +02:00
Stéphane Lesimple	34c6095912	fix: Linux 6.9+ changed some config options names (#490 ) Issue #490 is about retpoline but other options have also changed, as reported by a comment on the issue, this commit fixes these other options: Breno Leitao (10): x86/bugs: Rename CONFIG_GDS_FORCE_MITIGATION => CONFIG_MITIGATION_GDS_FORCE x86/bugs: Rename CONFIG_CPU_IBPB_ENTRY => CONFIG_MITIGATION_IBPB_ENTRY x86/bugs: Rename CONFIG_CALL_DEPTH_TRACKING => CONFIG_MITIGATION_CALL_DEPTH_TRACKING x86/bugs: Rename CONFIG_PAGE_TABLE_ISOLATION => CONFIG_MITIGATION_PAGE_TABLE_ISOLATION x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE x86/bugs: Rename CONFIG_SLS => CONFIG_MITIGATION_SLS x86/bugs: Rename CONFIG_CPU_UNRET_ENTRY => CONFIG_MITIGATION_UNRET_ENTRY x86/bugs: Rename CONFIG_CPU_IBRS_ENTRY => CONFIG_MITIGATION_IBRS_ENTRY x86/bugs: Rename CONFIG_CPU_SRSO => CONFIG_MITIGATION_SRSO x86/bugs: Rename CONFIG_RETHUNK => CONFIG_MITIGATION_RETHUNK	2024-08-04 15:15:45 +02:00
Stéphane Lesimple	e806e4bc41	chore: docker compose v2 The `docker-compose` command has been replaced by `docker compose`. The "version" tag has also been deprecated in docker-compose.yml.	2024-08-04 13:53:36 +02:00
Ivan Zahariev	388d44edbd	Fix Retpoline detection for Linux 6.9+ (issue #490 )	2024-08-04 13:41:01 +02:00
Stéphane Lesimple	bd0c7c94b5	fix: typo introduced by #483 , fixes #486	2024-05-18 13:01:48 +02:00
Stéphane Lesimple	d70e4c2974	fwdb: update to v296+i20240514+988c	2024-05-18 13:01:48 +02:00
Stéphane Lesimple	4e29fb5a21	fix: ucode_platformid_mask is hexa (fixes #485 )	2024-02-15 17:27:12 +01:00
Stephane Lesimple	0f2edb1a71	feat: blacklist some more microcodes (fixes #475 )	2024-01-09 18:54:39 +01:00
Stephane Lesimple	8ac2539a2a	fix: microcode check now supports pf_mask (fixes #482 )	2024-01-09 17:05:18 +01:00
Stéphane Lesimple	97f4d5f2bc	feat(reptar): add detection and mitigation of Reptar	2024-01-09 15:38:16 +01:00
Stéphane Lesimple	9b7b09ada3	fix(inception): continued mitigation detection	2023-08-25 18:50:53 +02:00
Sébastien Mériot	c94811e63d	fix(inception): Zen1/2 results based on kernel mitigations	2023-08-25 18:50:53 +02:00
Sébastien Mériot	3e67047c73	feat(inception): README	2023-08-25 18:50:53 +02:00
Sébastien Mériot	ecee75716e	feat(inception): kernel checks + sbpb support detection	2023-08-25 18:50:53 +02:00
Sébastien Mériot	fb6933dc64	feat(inception): Zen1/2 IBPB and SMT checks	2023-08-25 18:50:53 +02:00
Stéphane Lesimple	dc6921a1ac	feat(inception): handle sysfs interface	2023-08-25 18:50:53 +02:00
Sébastien Mériot	3167762cfd	feat(inception): start supporting AMD inception	2023-08-25 18:50:53 +02:00
Stéphane Lesimple	44223c5308	fix: bsd: kernel version detection	2023-08-11 18:41:35 +02:00
Stéphane Lesimple	dbe208fc48	enh: downfall: detect kernel mitigation without sysfs	2023-08-11 18:10:27 +02:00
Stéphane Lesimple	aca4e2a9b1	enh: move root warning to the bottom	2023-08-11 18:10:27 +02:00