AMD vulnerability

rktchip

https://www.tomshardware.com/pc-components/cpus/amds-microcode-vulnerability-also-affects-zen-5-cpus-granite-ridge-turin-ryzen-ai-300-and-fire-range-at-risk

Is there a BIOS update to fix this vulnerable in the works? Or was it already patched? Looks like AI 370 is on the list of affected units. SER9.

jotapesse

rktchip adrianhand Thank you for raising here this request/concern. There are several AMD CPUs affected and (at least) two different vulnerabilities, so likely multiple Beelink models are also affected.

AMD-SB-7033 - AMD CPU Microcode Signature Verification Vulnerability – affects AMD CPUs with Zen 1 up to Zen 5
AMD-SB-7055 - RDSEED Failure on AMD “Zen 5” Processors – affects AMD CPUs with Zen 5 only

On both cases they require proper CPU microcode (uCode) updates with the latest patched AGESA™ (AMD Generic Encapsulated System Architecture) versions, readily available from AMD, to be deployed on BIOS/UEFI updates by the OEM mainboard manufacturers. 👉 That means you @Beelink!

Specifically, on my GTR9 Pro model with the AMD Ryzen AI Max+ 395 cpu with the latest BIOS/UEFI version P110 I confirmed that it is still using very old unpatched AGESA version StrixHaloPI-FP11 1.0.0.0c and old microcode (uCode) version 0x0b70001e .

Image description

These unpatched AGESA and microcode versions and existing RDSEED vulnerability (and mitigation) can also be confirmed on Linux terminal with:

$ sudo dmesg | grep microcode
[    0.523280] microcode: Current revision: 0x0b70001e

$ sudo dmesg | grep RDSEED32
[    0.135120] RDSEED32 is broken. Disabling the corresponding CPUID bit.

⚠️ But we know that the latest microcode (uCode) update available from AMD for the AMD Ryzen AI Max+ 395 (family: 0x1a, model: 0x70, stepping: 0x0) cpu is 0x0b700032. But on the GTR9 Pro we are all on the older unpatched 0x0b70001e.

👉 @Beelink Please provide BIOS/UEFI updates with the latest patched AGESA and microcode (uCode) updates for the several models affected. 🙏

rktchip

Hello?

Beelink CS-George

Hello there,
Please send us a picture of the SN on the bottom of the PC.

Please press delete key as soon as you turn on the PC, so that you can go to BIOS. Please send us a picture of the Main page.
We will check if you need to update the BIOS.

rktchip

Beelink CS-George I’m running the .73 bios for the SER9 but that’s not the question.

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html

Please see the CVE-2024-36347 which affects the AMD CPU.

AMD says they released patch to fix the vulnerability March 20, 2025 so we are not protected until we receive a newer BIOS that has the following Platform Initialization (PI) firmware update as noted:

StrixHaloPI-FP11

1.0.0.1

(2025-03-20)

Beelink CS-George

rktchip Hi there, please send us a picture of SN on the bottom of the PC and a picture of the Main page of the BIOS. We will transfer it to our R&D for checking.

adrianhand

Did you ever get a resolution for this, rktchip? I can’t tell if the vulnerability has been patched in later SER9 bios, but newer linux kernels have just started checking for it and my (up to date) SER9 is not passing that check “RDSEED32 is broken, disabling the corresponding cpuid bit”

adrianhand

Thank you jotapesse, indeed a firmware update looks like the only way to get it fixed.

For the hx370 CPU the latest applicable to Family=0×1a Model=0×24 Stepping=0×00 is patch 0×0b204037.

Beelink, please oblige or at least pass comment on alternatives!

Now that the CPU instruction set is being partially disabled by newer kernels, the onus really is on beelink to update all firmware embedded microcode to be more recent than the EntrySign vulnerability, which will stop this from being patchable anywhere but the bios.

adrianhand

For anyone who finds this thread via google, at time of writing a bios update for this microcode vulnerability isn’t available and isn’t coming, so bear that in mind if you’re shopping for a mini PC and think that ongoing support, compatibility or security are important. Will update this thread if that ever changes.

adrianhand

Any news Beelink on a bios update with the microcode patch for AMD-SB-7033 included? It’s been 11 months.

adrianhand

Any news @Beelink on a bios update with the microcode patch for AMD-SB-7033 included? The anniversary is coming up.

adrianhand

Any news @Beelink CS-George @Beelink CS-Ian Chan @Beelink CS-Bettie @Beelink on a bios update with the microcode patch for AMD-SB-7033 included? 350 days have passed since AMD published a mitigation and still you have not incorporated it into your shipping bios.

jotapesse

@Beelink CS-George Can we please have BIOS/UEFI updates for all Beelink AMD based miniPCs (GTR9 Pro, SER9, etc.) with latest patched AGESA and microcode (uCode) updates which can address the known vulnerabilities as detailed on my post above? 🙏

pcm720

jotapesse
GTR 9 Pro also needs the AGESA update to support kernel microcode updates.
The current microcode version available in amd-ucode is 0×0b700037, and it requires base version 0×0b700032 to load.
Currently our GTR 9 Pros run 0×0b70001e, which is too old.

I really wouldn’t be surprised if our NIC instability issues are caused by old AGESA…

jotapesse

@Beelink CS-George Can we please have BIOS/UEFI updates for all Beelink AMD based miniPCs (GTR9 Pro, SER9, etc.) with latest patched AGESA and microcode (uCode) updates which can address the known vulnerabilities as detailed on my post above?

jotapesse @Beelink @Beelink CS-George @Beelink CS-Ian Chan @Beelink CS-Rose @Beelink CS-June I’m sorry to tag you all… but the silence and lack for response for months now in this thread is really concerning. Can we please have an update regarding this issue/request here? 🙏

jotapesse

pcm720 I know! 🙂 That’s exactly what I asked for on my previous posts. Not sure if it has any relation to the NIC instability issues though.

pcm720

jotapesse
Agree.
I get that they’re probably busy figuring out NIC failures, but it would be good to get a beta version of the firmware with updated AGESA out so we can test and report if it works as expected.

I don’t like using vulnerable and broken non-updatable microcode on my machine.
At least for NIC there’s a workaround I can apply to make it work until I power off the PC, but I can’t really patch AGESA myself.

bandito

Please update frimware, because my gtr9 pro can’t boot anymore.