[pve-devel] [PATCH common/qemu-server 0/2] vm start: catch outdated Zen 5 firmware

[pve-devel] [PATCH common/qemu-server 0/2] vm start: catch outdated Zen 5 firmware

[Fiona Ebner]

NOTE: Needs to still be tested on an actually affected system!

With the 6.17.9 kernel, the rdseed feature bit is not available for
some Zen 5 host CPUs anymore unless the firmware is new enough. QEMU
will complain about the missing feature bit upon VM start. Add some
context to the QEMU error message if the host is Zen 5 (or 6, same CPU
family number, but the warning message already states 'Zen 5'
explicitly and probably the feature bit won't be missing in the first
place).

pve-common:

Fiona Ebner (1):
  procfs tools: cpuinfo: also return CPU vendor and family

 src/PVE/ProcFSTools.pm | 6 ++++++
 1 file changed, 6 insertions(+)


qemu-server:

Fiona Ebner (1):
  vm start: catch outdated Zen 5 firmware

 src/PVE/QemuServer.pm | 13 +++++++++++++
 1 file changed, 13 insertions(+)


Summary over all repositories:
  2 files changed, 19 insertions(+), 0 deletions(-)

-- 
Generated by git-murpp 0.5.0


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH common 1/2] procfs tools: cpuinfo: also return CPU vendor and family

[Fiona Ebner]

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/ProcFSTools.pm | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/PVE/ProcFSTools.pm b/src/PVE/ProcFSTools.pm
index a37a4bd..18a159d 100644
--- a/src/PVE/ProcFSTools.pm
+++ b/src/PVE/ProcFSTools.pm
@@ -28,6 +28,8 @@ sub read_cpuinfo {
 
     my $res = {
         user_hz => $clock_ticks,
+        vendor => 'unknown',
+        family => 0,
         model => 'unknown',
         mhz => 0,
         cpus => 1,
@@ -46,6 +48,10 @@ sub read_cpuinfo {
             $count++;
         } elsif ($line =~ m/^model\s+name\s*:\s*(.*)\s*$/i) {
             $res->{model} = $1 if $res->{model} eq 'unknown';
+        } elsif ($line =~ m/^vendor_id\s*:\s*(\S*)\s*$/i) {
+            $res->{vendor} = $1 if $res->{vendor} eq 'unknown';
+        } elsif ($line =~ m/^cpu family\s*:\s*(\d+)\s*$/i) {
+            $res->{family} = $1 if !$res->{family};
         } elsif ($line =~ m/^cpu\s+MHz\s*:\s*(\d+\.\d+)\s*$/i) {
             $res->{mhz} = $1 if !$res->{mhz};
         } elsif ($line =~ m/^flags\s*:\s*(.*)$/) {
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH qemu-server 2/2] vm start: catch outdated Zen 5 firmware

[Fiona Ebner]

With the 6.17.9 kernel, the 'rdseed' feature is not available for some
Zen 5 host CPUs anymore unless the firmware is new enough. QEMU will
complain about the missing feature bit upon VM start. Add some context
to the QEMU error message if the host is Zen 5 (or 6, same CPU family
number, but the warning message already states 'Zen 5' explicitly and
probably the feature bit won't be missing in the first place).

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/QemuServer.pm | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/PVE/QemuServer.pm b/src/PVE/QemuServer.pm
index bad3527c..84c6b79b 100644
--- a/src/PVE/QemuServer.pm
+++ b/src/PVE/QemuServer.pm
@@ -5413,6 +5413,17 @@ my sub check_efi_vars {
     return;
 }
 
+my $log_filter_catch_outdated_zen5_firmware = sub {
+    my ($line) = @_;
+    print "$line\n";
+    if ($line =~ m/host doesn't support requested feature:.*rdseed\s*\[bit 18\]/) {
+        log_warn("On Zen 5 systems, the rdseed CPU flag might not be available when the CPU"
+            . " firmware is outdated. See:\n"
+            . "https://security-tracker.debian.org/tracker/CVE-2025-62626\n"
+            . "https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysadmin_firmware_cpu");
+    }
+};
+
 # see vm_start_nolock for parameters, additionally:
 # migrate_opts:
 #   storagemap = parsed storage map for allocating NBD disks
@@ -5687,6 +5698,8 @@ sub vm_start_nolock {
     if ($migratedfrom) {
         $run_params{quiet} = 1;
         $run_params{logfunc} = sub { print "QEMU: $_[0]\n" };
+    } elsif ($cpuinfo->{vendor} eq 'AuthenticAMD' && $cpuinfo->{family} == 26) {
+        $run_params{logfunc} = $log_filter_catch_outdated_zen5_firmware;
     }
 
     my %systemd_properties = (
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH common/qemu-server 0/2] vm start: catch outdated Zen 5 firmware

[Markus Frank]

Hi,

On 2026-01-19 17:01, Fiona Ebner wrote:
> NOTE: Needs to still be tested on an actually affected system!

I tested both patches with the kernel 6.17.9 on my affected system (Ryzen 9 9900X, Gigabyte X870 AORUS ELITE WIFI7, Firmware-Version: F8).


Without the patches I get this error with kernel 6.17.9 when using CPU type 'EPYC':

kvm: warning: host doesn't support requested feature: CPUID[eax=07h,ecx=00h].EBX.rdseed [bit 18]
kvm: Host doesn't support requested features
TASK ERROR: start failed: QEMU exited with code 1


With the patches applied I get the same error with more context:

kvm: warning: host doesn't support requested feature: CPUID[eax=07h,ecx=00h].EBX.rdseed [bit 18]
WARN: On Zen 5 systems, the rdseed CPU flag might not be available when the CPU firmware is outdated. See:
https://security-tracker.debian.org/tracker/CVE-2025-62626
https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysadmin_firmware_cpu
kvm: Host doesn't support requested features
TASK ERROR: start failed: QEMU exited with code 1


Tested-by: Markus Frank <m.frank@proxmox.com>

> 
> With the 6.17.9 kernel, the rdseed feature bit is not available for
> some Zen 5 host CPUs anymore unless the firmware is new enough. QEMU
> will complain about the missing feature bit upon VM start. Add some
> context to the QEMU error message if the host is Zen 5 (or 6, same CPU
> family number, but the warning message already states 'Zen 5'
> explicitly and probably the feature bit won't be missing in the first
> place).
> 
> pve-common:
> 
> Fiona Ebner (1):
>    procfs tools: cpuinfo: also return CPU vendor and family
> 
>   src/PVE/ProcFSTools.pm | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
> 
> qemu-server:
> 
> Fiona Ebner (1):
>    vm start: catch outdated Zen 5 firmware
> 
>   src/PVE/QemuServer.pm | 13 +++++++++++++
>   1 file changed, 13 insertions(+)
> 
> 
> Summary over all repositories:
>    2 files changed, 19 insertions(+), 0 deletions(-)
> 



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel