This is both a warning and a request for AMD to provide a fix. There is a new vulnerability that has been disclosed called "Sinkclose" (article). This vulnerability is notable because: "In theory, malicious code could burrow itself so deep within the firmware that it would be almost impossible to find. As a matter of fact, the researchers say that the code would likely survive a complete reinstallation of the operating system. The best option for infected computers would be a one-way ticket to the trash heap". While the exploit is not easy, if it is exploited, the CPU becomes junk. Worse than junk, it becomes dangerous to put into a computer.
AMD will be issuing a fix for the 5000 and 7000 series processors, but not for the 3000 series desktop processors. Here is a link to their page of affected products and planned fixes (ctrl-f "Matisse" to find the relevant section). The 3000 series came out less than 5 years ago, in late 2019 and 2020. That's the absolute earliest people could buy them. These CPUs are recent, powerful, and still widely used. To not issue a fix for them is extremely disappointing.
If you have a 3000 series processor, be aware of this, and make your desire for a fix known to AMD. If you live in Europe, your country may even have consumer protection laws that entitle you to a refund or replacement.
As noted above, there is a fix for Sinkclose for 3000 series processors. In order to apply it, you will need to perform a BIOS update that has integrated the AGESA version ComboAM4v2PI 1.2.0Cc. This update will come from your motherboard manufacturer, and some manufacturers may not have the update available yet.
For my ASRock motherboard, a beta version of the update that includes the fix is available, and to apply it required putting the update onto a USB drive, booting into the BIOS, and then using the BIOS UI to flash the firmware from the USB.
I agree this isn't acceptable. It remains the only CPU on that list affected by the Sinkclose vulnerability that doesn't make the cut to receive an update. This list is published by AMD here: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html
Similar Zen 2 CPUs such as the Ryzen 4000 series are set to receive patches, indicating that this is not a platform limitation. The lack of an explanation or statement from AMD regarding the exclusion of these CPUs from their patched cousins is disappointing.
Great find by the way.
I can understand about fixing the flaw on all AMD Server Hardware processors like EPYC since those are used almost exclusively by companies' Workstations and Servers and not by regular home users.
In my case I don't have an issue at all if my Ryzen 7 3700X is not fixed for the flaw since I am just a regular Home User and my PC isn't connected to any businesses directly.
For those who do have the Ryzen 3000 series processors on their Company PCs or Workstations most likely all they have to do is upgrade the processor to the 5000 series to secure their company related PCs. Most Motherboards that use the 3000 are compatible with the 5000 series processors.
Possibly AMD could make some sort of Exchange program to replace those specific 3000 series processors to 5000 series processors for a big discount to keep their Business Customers happy.
If you noticed, the processors that are going to be fixed include the Ryzen 3000 Mobile series processors and newer. Probably because most laptops can be used for both personal and business uses and it would be easier to hack into a laptop than try hacking into a Server or Work Station PC.
Another reason why I don't have an issue if my 3700x flaw is not fixed is because the new Motherboard BIOS to fix the flaw might cause unintentional performance issues on the processors like other fixes have done in the past.
they will fix the 4000 series that is based on zen2 too, as well as the zen2 threadripper. while it's perfectly reasonable to give higher priority to more recent hardware, AMD already cut zen1 and zen1+ in collaboration with microsoft to bump new hardware sales (and no other real valid reasons, we all know that since tpm2 is not a real static linkage requirement in kernel code... in fact it can be disabled), this seems more like a prank, not delivering the agesa patch for the 3000 series zen2 too.
Upgrading to the 5000 series is never simple, because the heatsink often has to be changed in the process, and often the power supply unit, and to justify the change one must go to high-end 5000 processors. This means, in my case as a pure example:
I can change my 3700X with a 5950X, but
A) the 5950X is still outrageously expensive also in sale after years from its release
B) since my case has a side fan the operation can't be done because simply the heatsink doesn't fit in it, so, other money for the case
C) The TDP of high-end AMD processors is lower than Intel's, but still high: if one plans to add or has a decent video card, that absorbs a decent amount of power. In my case I have an RTX3060 (170W) and I plan to upgrade to a future hypothetical RTX5070 or similar class, so the TDP of the combined new CPU (105W with a limit of 142W) + GPU would force me to buy a GOLD 850W or more, possibly modular, PSU, that is, again, very expensive.
Not mentioning that:
1) One will still have a no-longer-upgradable AM4 computer
2) If one suddenly needs to use the PC for office/commercial use, what is one supposed to do? Do it and then, if the worst happens, tell the boss/customer to call AMD and scream at them?
I have the precise right to do with my computer every legitimate activity, personal and business/commercial, and I will continue to do so with my 3700X until I have the money to change my computer entirely, and it will not be my fault if something happens.
Hello
For this exploit, a hacker first needs kernel access. That means if someone already has kernel access (access to the Operating System), he can basically do anything he wishes, Sinkclose existing or not! Do not fall prey to fear-mongering of clickbait corporations.
I will personally (as 7000 user) disable any mitigation offered and will not install newer BIOS to AVOID performance regressions that come with such mitigations...
I already get 10% increased performance by disabling existing mitigations in Kernel (cannot disable BIOS level mitigations though). I have decided to live with these, but to add yet another mitigation to something that needs Kernel access in the first place, no, don't think so.
the PC software is still full of ring-0 kernel drivers outside hardware devices... just think about crowdstrike, gaming anti-cheating software, other remote management and surveillance software, older devices... this is just a **bleep** move by AMD.
Teadrinker, good comment! I am curious what mitigations you disabled and how. Thanks, John.
I use Linux and just recently tried to test my CPU (7900X3D) performance with ALL mitigations disabled. These include Spectre 1 and 2, ZenBleed and one more whose name I forgot... these are applied on the Kernel level. Though my BIOS also has some mitigations applied that I think cannot be disabled.
When I disabled all by using the kernel parameter "mitigations=off", I measured between 8% to 10% improved gaming performance (when CPU bound though, as GPU bound scenes will hardly see much difference if any).
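A small audit script as an added example (my code, not from any poster here or from AMD): it reads the kernel's sysfs firmware identity and per-vulnerability mitigation status, so you can confirm that the board's BIOS update actually landed and see which kernel-level mitigations a `mitigations=off` boot line has switched off. That directory only covers kernel-mitigated CPU issues, not firmware-level ones such as Sinkclose, for which the BIOS/AGESA version in the vendor's release notes is the thing to check; the sample command line and status dictionary below are constructed.

```python
"""Audit firmware identity and CPU-mitigation state on a Linux host.

Added example, not from the thread. Reads two real Linux sysfs interfaces:
/sys/class/dmi/id (BIOS vendor/version/date, to confirm the motherboard
update landed) and /sys/devices/system/cpu/vulnerabilities (kernel-level
mitigation status, whose entries read "Vulnerable" after mitigations=off).
"""
from pathlib import Path

DMI_DIR = Path("/sys/class/dmi/id")
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-6.8 root=/dev/nvme0n1p2 ro quiet mitigations=off"
SAMPLE_STATUS = {
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "spec_store_bypass": "Vulnerable",
    "meltdown": "Not affected",
}


def parse_cmdline(cmdline: str) -> dict:
    """Split a kernel command line into {param: value}; bare flags get ''."""
    params = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")
        params[key] = value
    return params


def mitigations_disabled(cmdline: str) -> bool:
    """True when the boot line switched every kernel CPU mitigation off."""
    return parse_cmdline(cmdline).get("mitigations") == "off"


def vulnerable_entries(status: dict) -> list:
    """Entries whose status starts with 'Vulnerable', i.e. no mitigation active."""
    return sorted(name for name, text in status.items() if text.startswith("Vulnerable"))


def read_sysfs(directory: Path, names=None) -> dict:
    """Read selected (or all) files of a sysfs directory into {name: text}."""
    if not directory.is_dir():
        return {}
    files = [directory / n for n in names] if names else list(directory.iterdir())
    return {p.name: p.read_text().strip() for p in files if p.is_file()}


if __name__ == "__main__":
    print("sample:", mitigations_disabled(SAMPLE_CMDLINE), vulnerable_entries(SAMPLE_STATUS))
    # Live host: compare bios_version/bios_date with the vendor's update notes.
    for key, val in read_sysfs(DMI_DIR, ("bios_vendor", "bios_version", "bios_date")).items():
        print(f"{key}: {val}")
    live_cmdline = Path("/proc/cmdline").read_text() if Path("/proc/cmdline").exists() else ""
    print("mitigations=off on boot line:", mitigations_disabled(live_cmdline))
    print("entries reported Vulnerable:", vulnerable_entries(read_sysfs(VULN_DIR)))
```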
Thanks!
Absolutely they need to fix this, these processors are still being sold and used, one should not have to buy a new CPU to fix a security issue with their product. This sounds like a scheme to get people to buy their newer processors. AMD fix this or my next CPU will be intel.
Ryzen 3000 mobile has a fix but not the desktop version, it's the only cpu family with "No fix planned".
So there'll be a bios update that contains a fix but not for my 3700x ?
Any explanation for this ?
It's pretty obvious why they are not offering a fix for their 3000 series desktop CPUs, because they want people, and especially businesses, to buy one of their newer CPUs. This move is absolutely unacceptable as they could easily provide a fix for these CPUs, they probably already have one. If this is the way AMD is going to treat the customers of their products, then they don't deserve any customers.
I would not call AMD straight evil yet.
But from what I read the culprit of Sinkclose lies in the bios that allows non-signed stuff in the internal memory of the cpu. Both Ryzen 3000 and 5000 run on ComboAM4v2PI so why would it fix only one and not the other, this is not logical.
I understand previous gens run on older bios and it costs a bit more to fix them though not a lot .. but Ryzen 3000 runs on the latest.
Anyway if AMD can't solve that for my 3-year-old cpu I will draw my own conclusion whose effects will be pretty much the same as yours.
amd now is the evil one. more evil than intel. means amd is satan. even though i won't make a difference, next upgrade will be no more amd. i will endure and wait for intel to be back. you amd become cocky now.
*out of topic, amd suck big time. first you didn't manage well the launch of the first gen CPU with AI, until now some manufacturers have yet to enable the npu (why is your integration with oem below par level). we buyers have to beg and talk to the oem for this to get it done. amd lies and whenever i see an amd presentation for their upcoming tech, i feel disgusted at these people. profit over righteous.
Amen. needs further explanation about whether it's really not an issue for 3000s or whether they are just being stingy
No patches for a cpu that is on the market? They are still completely usable. On the other hand, what about refurbished pcs, what about tons of electronic waste, green deals, global warming.
As of now, there is no fix for the Sinkclose exploit affecting 3000 series CPUs. Keep an eye on official updates from CPU manufacturers for any future patches or mitigation strategies.
I have a Ryzen7 3700X from the end of 2020, and I was planning to have it for many years to come for the fact it has 16 threads and so it will benefit from future software multithread optimizations, but my little investment for the future was useless. It is really pitiful to know from AMD there will be no fix for this series of processors.
If at least AMD hadn't chosen to change the CPU sockets so frequently (the AM4 socket was like a meteor, so few years has it been on the market) I could have thought of buying a new AMD processor, but now, since I have to change MY ENTIRE MOTHERBOARD, CPU AND MEMORY, I will surely be sure to CHANGE MY CPU VENDOR TOO.
Up to yesterday I was a big AMD supporter, today I am very disappointed, because it seems like you only care about selling new processors and you don't care about customers.
How do you think you can justify this? Whoever has an old processor must change it or be subject to crucial security risks and issues? This is absolutely senseless and also not clearly legitimate in my opinion. Also because the average user scared by the news could go looking for fake unofficial patches and risk exposing himself to even greater risks. I confess that I too am tempted to search the web to see if anyone has an alternative solution for my CPU, and I have been using PCs for more than three decades. Think about it because it is not fair to customers. Otherwise avoid making CPUs in the consumer market that can easily last for years due to the amount of power and spare threads available, and avoid changing sockets every 2 years.
I have a 3600, I'll be needing an upgrade in about a year or so just to keep up with gaming, after this stunt my next CPU won't be AMD, even if it means buying a new rig. I'm also a stock holder of AMD which will probably change too.
I wonder if this is affecting Ryzen 1000 and 2000 as well.
i won't be able to upgrade my CPU to a 5000 series yet and i am still on my 2700X and this is a very serious issue since i assume it affects the whole AM4?
+1 for fixing 3000 series CPUs.
I am outraged how AMD is doing intel practices now, windows 11 compatible CPU and they treat it like End of Life?
If they don't release a patch, i won't buy anything ever again from amd out of spite, too bad i was planning for a linux machine but now with their practices, no sale for gpu or cpu, i'll recommend intel over this, even their degrading cpus can't be hacked on the firmware level remotely... Glad that i got a 12th gen intel notebook instead of an amd one
It looks like the linked article has been updated on Aug 14, and the 3000 Matisse series is getting a fix with a target date of August 20. Success?
Hope so, Best Regards!
Thanks so much for this, I've applied the BIOS update - Is there anything else I need to do now? I'd never done a BIOS update before, but this apparently updated successfully. Anything else I need to do now like getting AMD drivers or anything like that?
oh this is a good thing!
also noted zen1 and zen1+ are getting patched too at least for embedded systems.
so yes, it's just about amd spending resources to fix it.
good move.
thank you to AMD for fixing this!
It's notable that the 4000G series CPUs are offered a patch but there is no specific mention of the 4000 non-G CPUs getting one. Am I to conclude that a Ryzen 3 4100 won't get a patch?
Regards Steve
They have changed to support the 3000 series now, which is still pretty **bleep** as there are a LOT of users I support that are running 2000 and 1000 series CPUs. If the bios comes out for your board, even if you have 2000 or 1000 series shouldn't it fix it? Also why are Gigabyte so hit at releasing these types of fixes for AMD boards? They also stopped listing what the latest bios was for. No descriptions for Years now. I will be encouraging clients to use MSI boards going forwards as they tend to be quicker AND publish the details of what the bios changes.
Is Threadripper 2990WX affected as well?
What about the 4700S desktop kit (Generation: Ryzen Embedded Zen 2 (Renoir)), is that product abandoned also?
If you applied a BIOS update that contains the AGESA version ComboAM4v2PI 1.2.0Cc (likely the update notes will specifically refer to the Sinkclose vulnerability), then you should be good to go.
Thanks so much for this! I've done this update now and it said it was the fix, but I notice on the AMD SMM lock page, they also mention a
.ba update, just below the .cc one, for the Matisse series. Does the .cc supersede this - if you have the .cc. you don't need the .ba?