Resigning ucode to mitigate security issues2025-07-14
Today's real-ucode update now includes an optional subpackage amd-ucode-firmware-resigned which contains new microcodes resigned with the old format to allow loading on pre 2025-01 BIOSes. This is necessary to mitigate security issues such as the recent TSA vulnerability on systems without vendor updates.
- Remove the exclusion if you had one from
/etc/dnf/dnf.conffirst - Update package list:
dnf install https://divested.dev/rpm/fedora/divested-release-20250714-1.noarch.rpm - Update real-ucode:
dnf update --refresh - Swap them:
dnf swap amd-ucode-firmware amd-ucode-firmware-resigned - Update initramfs:
dracut -f - Disable hash verification:
grubby --update-kernel=ALL --args="microcode.amd_sha_check=off" dmesg | grep microcode >> beforelscpu >> before- Reboot to apply new microcode
dmesg | grep microcode >> afterlscpu >> after- Compare: meld before after
- Enjoy!
Comment on this: Fediverse