From: Andrew Cooper
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné, Oleksii Kurochko
Subject: [PATCH 1/5] x86/ucode: Fix missing printk() newline in ucode_probe_amd()
Date: Mon, 20 Oct 2025 14:19:51 +0100
Message-Id: <20251020131955.2928261-2-andrew.cooper3@citrix.com>
In-Reply-To: <20251020131955.2928261-1-andrew.cooper3@citrix.com>
References: <20251020131955.2928261-1-andrew.cooper3@citrix.com>

Fixes: 630e8875ab36 ("x86/ucode: Perform extra SHA2 checks on AMD Fam17h/19h microcode")
Signed-off-by: Andrew Cooper
---
CC: Jan Beulich
CC: Roger Pau Monné
CC: Oleksii Kurochko

For 4.21. This is a formatting fix with basically 0 risk. It is encouraging that no-one has reported this bug so far, because it suggests that no-one has turned off digest checking and then looked at dmesg.
---
 xen/arch/x86/cpu/microcode/amd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/= amd.c index a5729229a403..59332da2b827 100644
--- a/xen/arch/x86/cpu/microcode/amd.c +++ b/xen/arch/x86/cpu/microcode/amd.c 
@@ -519,7 +519,7 @@ void __init ucode_probe_amd(struct microcode_ops *ops) if ( !opt_digest_check && boot_cpu_data.family >=3D 0x17 ) { printk(XENLOG_WARNING - "Microcode patch additional digest checks disabled"); + "Microcode patch additional digest checks disabled\n"); add_taint(TAINT_CPU_OUT_OF_SPEC); } =20 --=20 2.39.5

From: Andrew Cooper
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné
Subject: [PATCH 2/5] x86/ucode: Abort parallel load early on any control thread error
Date: Mon, 20 Oct 2025 14:19:52 +0100
Message-Id: <20251020131955.2928261-3-andrew.cooper3@citrix.com>
In-Reply-To: <20251020131955.2928261-1-andrew.cooper3@citrix.com>
References: <20251020131955.2928261-1-andrew.cooper3@citrix.com>

EIO is not the only error that ucode_ops.apply_microcode() can produce. EINVAL, EEXISTS and ENXIO can be generated too, each of which means that Xen is unhappy in some way with the proposed blob.

Some of these can be bypassed with --force, which will cause the parallel load to be attempted.

Fixes: 5ed12565aa32 ("microcode: rendezvous CPUs in NMI handler and load ucode")
Signed-off-by: Andrew Cooper
Acked-by: Jan Beulich
---
CC: Jan Beulich
CC: Roger Pau Monné
---
 xen/arch/x86/cpu/microcode/core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode= /core.c index 1b093bc98a58..2705bb43c97f 100644 --- a/xen/arch/x86/cpu/microcode/core.c +++ b/xen/arch/x86/cpu/microcode/core.c 
@@ -392,10 +392,10 @@ static int control_thread_fn(const struct microcode_p= atch *patch, atomic_inc(&cpu_updated); atomic_inc(&cpu_out); =20 - if ( ret =3D=3D -EIO ) + if ( ret ) { printk(XENLOG_ERR - "Late loading aborted: CPU%u failed to update ucode\n", cpu= ); + "Late loading aborted: CPU%u failed to update ucode: %d\n",= cpu, ret); goto out; } =20 --=20 2.39.5
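
Review bot: with `, ret` appended, the new printk() argument line in control_thread_fn() looks to run well past 80 columns (the old line was already long enough to be soft-wrapped in the mail), so move `cpu, ret);` onto its own continuation line. As the commit message names EINVAL, EEXISTS and ENXIO as the cases now caught, a one-line comment above `if ( ret )` saying that any non-zero return from the control thread aborts the late load would save the next reader from working out which errors apply_microcode() can produce.
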
From: Andrew Cooper
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné
Subject: [PATCH 3/5] x86/ucode: Refine TLB flush fix for AMD Fam17h CPUs
Date: Mon, 20 Oct 2025 14:19:53 +0100
Message-Id: <20251020131955.2928261-4-andrew.cooper3@citrix.com>
In-Reply-To: <20251020131955.2928261-1-andrew.cooper3@citrix.com>
References: <20251020131955.2928261-1-andrew.cooper3@citrix.com>

In the time since Xen discovered this, Linux stumbled on it too and AMD produced a narrower fix, limited to Fam17h CPUs only. To my knowledge, there's no erratum or other public statement from AMD on the matter.

Adjust Xen to match the narrower fix.

Link: https://lore.kernel.org/lkml/ZyulbYuvrkshfsd2@antipodes/T/#u
Fixes: f19a199281a2 ("x86/AMD: flush TLB after ucode update")
Signed-off-by: Andrew Cooper
Acked-by: Jan Beulich
---
CC: Jan Beulich
CC: Roger Pau Monné

There is a difference in memory clobber with the invlpg() wrapper. apply_microcode() specifically does not want a memory clobber, whereas flush_area_local() doesn't need it as far as I can tell (there's nothing unsafe to move across this instruction).
---
 xen/arch/x86/cpu/microcode/amd.c | 14 +++++++++++---
 xen/arch/x86/flushtlb.c | 3 +--
 xen/arch/x86/include/asm/flushtlb.h | 5 +++++
 3 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/= amd.c index 59332da2b827..7ff702c06caf 100644 --- a/xen/arch/x86/cpu/microcode/amd.c +++ b/xen/arch/x86/cpu/microcode/amd.c @@ -306,10 +306,18 @@ static int cf_check apply_microcode(const struct micr= ocode_patch *patch, sig->rev =3D rev; =20 /* - * Some processors leave the ucode blob mapping as UC after the update. - * Flush the mapping to regain normal cacheability. + * Family 0x17 processors leave the mapping of the ucode as UC after t= he + * update. Flush the mapping to regain normal cacheability. + * + * We do not know the granularity of mapping, and at 3200 bytes in size + * there is a good chance of crossing a 4k page boundary. Shoot-down = the + * start and end just to be safe. */ - flush_area_local(patch, FLUSH_TLB_GLOBAL | FLUSH_ORDER(0)); + if ( boot_cpu_data.family =3D=3D 0x17 ) + { + invlpg(patch); + invlpg((const void *)patch + F17H_MPB_MAX_SIZE - 1); + } =20 /* check current patch id and patch's id for match */ if ( hw_err || (rev !=3D patch->patch_id) ) diff --git a/xen/arch/x86/flushtlb.c b/xen/arch/x86/flushtlb.c index 94b2a30e8d30..09e676c151fa 100644 --- a/xen/arch/x86/flushtlb.c +++ b/xen/arch/x86/flushtlb.c @@ -222,8 +222,7 @@ unsigned int flush_area_local(const void *va, unsigned = int flags) } } else - asm volatile ( "invlpg %0" - : : "m" (*(const char *)(va)) : "memory" ); + invlpg(va); } else do_tlb_flush();
diff --git a/xen/arch/x86/include/asm/flushtlb.h b/xen/arch/x86/include/asm= /flushtlb.h index 019d886f2b80..37bc203652b3 100644 --- a/xen/arch/x86/include/asm/flushtlb.h +++ b/xen/arch/x86/include/asm/flushtlb.h 
@@ -98,6 +98,11 @@ static inline unsigned long read_cr3(void) return cr3; } =20 +static inline void invlpg(const void *p) +{ + asm volatile ( "invlpg %0" :: "m" (*(const char *)p) ); +} + /* Write pagetable base and implicitly tick the tlbflush clock. */ void switch_cr3_cr4(unsigned long cr3, unsigned long cr4); =20 --=20 2.39.5
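
Review bot: in the apply_microcode() hunk of amd.c, the two invlpg() calls at `patch` and `patch + F17H_MPB_MAX_SIZE - 1` cover the whole blob only while F17H_MPB_MAX_SIZE is no larger than one 4k page, and the comment hard-codes "3200 bytes" instead of naming the constant. A BUILD_BUG_ON(F17H_MPB_MAX_SIZE > PAGE_SIZE) next to the flush, with the comment referring to F17H_MPB_MAX_SIZE, would keep the code and its justification in step if the size ever changes.
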
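
Review bot: the flush_area_local() hunk in flushtlb.c drops the "memory" clobber that the open-coded asm carried, because the new invlpg() helper in flushtlb.h has none, and the reasoning for that sits only below the `---` where it will not reach the tree. Put a comment on invlpg() stating that it deliberately has no memory clobber and what callers may rely on, or move that paragraph into the commit message proper.
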
From: Andrew Cooper
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné
Subject: [PATCH 4/5] x86/ucode: Cross check the minimum revision
Date: Mon, 20 Oct 2025 14:19:54 +0100
Message-Id: <20251020131955.2928261-5-andrew.cooper3@citrix.com>
In-Reply-To: <20251020131955.2928261-1-andrew.cooper3@citrix.com>
References: <20251020131955.2928261-1-andrew.cooper3@citrix.com>

For Zen3-5 microcode blobs signed with the updated signature scheme, the checksum field has been reused to be a min_revision field, referring to the microcode revision which fixed Entrysign (SB-7033, CVE-2024-36347).

Cross-check this when trying to load microcode, but allow --force to override it. If the signature scheme is genuinely different, a #GP will occur.

Signed-off-by: Andrew Cooper
Acked-by: Jan Beulich
---
CC: Jan Beulich
CC: Roger Pau Monné
---
 xen/arch/x86/cpu/microcode/amd.c | 48 +++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/= amd.c index 7ff702c06caf..30bddc89da0a 100644 --- a/xen/arch/x86/cpu/microcode/amd.c +++ b/xen/arch/x86/cpu/microcode/amd.c @@ -42,7 +42,10 @@ struct microcode_patch { uint8_t mc_patch_data_id[2]; uint8_t mc_patch_data_len; uint8_t init_flag; - uint32_t mc_patch_data_checksum; + union { + uint32_t checksum; /* Fam12h and earlier */ + uint32_t min_rev; /* Zen3-5, post Entrysign */ + }; uint32_t nb_dev_id; uint32_t sb_dev_id; uint16_t processor_rev_id; @@ -270,6 +273,41 @@ static int cf_check amd_compare( return compare_revisions(old->patch_id, new->patch_id); } =20 +/* + * Check whether this patch has a minimum revision given, and whether the + * condition is satisfied. + * + * In linux-firmware, blobs signed with the updated signature algorithm ha= ve + * reused the checksum field as a min-revision field. From public archive= s, + * the checksum field appears to have been unused since Fam12h. + * + * Returns false if there is a min revision given, and it suggests that th= at + * the patch cannot be loaded on the current system. True otherwise. + */ +static bool check_min_rev(const struct microcode_patch *patch) +{ + ASSERT(microcode_fits_cpu(patch)); + + if ( patch->processor_rev_id < 0xa000 || /* pre Zen3? */ + patch->min_rev =3D=3D 0 ) /* No min rev specified */ + return true; + + /* + * Sanity check, as this is a reused field. If this is a true + * min_revision field, it will differ only in the bottom byte from the + * patch_id. Otherwise, it's probably a checksum. + */ + if ( (patch->patch_id ^ patch->min_rev) & ~0xff ) + { + printk(XENLOG_WARNING + "microcode: patch %#x has unexpected min_rev %#x\n", + patch->patch_id, patch->min_rev); + return true; + } + + return this_cpu(cpu_sig).rev >=3D patch->min_rev; +} + static int cf_check apply_microcode(const struct microcode_patch *patch, unsigned int flags) { 
@@ -299,6 +337,14 @@ static int cf_check apply_microcode(const struct micro= code_patch *patch, return -ENXIO; } =20 + if ( !ucode_force && !check_min_rev(patch) ) + { + printk(XENLOG_ERR + "microcode: CPU%u current rev %#x below patch min_rev %#x\n= ", + cpu, sig->rev, patch->min_rev); + return -ENXIO; + } + hw_err =3D wrmsr_safe(MSR_AMD_PATCHLOADER, (unsigned long)patch); =20 /* get patch id after patching */ --=20 2.39.5
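
Review bot: The comments on the new union in struct microcode_patch (PATCH 4/5, hunk -42,7 +42,10) cover "Fam12h and earlier" and "Zen3-5, post Entrysign" but leave every blob in between undocumented, while the check_min_rev() comment says the field "appears to have been unused since Fam12h". Say so next to the union as well, so a reader of the struct alone knows which member, if either, is meaningful for Fam14h through Zen2 and for Zen3-5 blobs signed under the old scheme.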
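
Review bot: check_min_rev() (PATCH 4/5, hunk -270,6 +273,41) fails open in its sanity-check branch: when (patch->patch_id ^ patch->min_rev) & ~0xff is non-zero it warns and returns true, so a blob whose min_rev field does not look like a revision loads as though no minimum had been given. The header comment only says "True otherwise"; it should state this case explicitly and why permitting the load is the intended policy. That warning is reached from apply_microcode(), whose own message is per-CPU ("CPU%u"), so it will repeat for every CPU on each load attempt; printing it once would be enough. Minor: the comment reads "suggests that that the patch", with a duplicated word.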
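
Review bot: In apply_microcode() (PATCH 4/5, hunk -299,6 +337,14), the condition !ucode_force && !check_min_rev(patch) short-circuits, so with --force check_min_rev() is never called and nothing is logged: neither the "below patch min_rev" error nor the "unexpected min_rev" warning. Suggest calling check_min_rev() unconditionally and, when ucode_force overrides a failed check, printing a warning with the current revision and min_rev so a forced load below the minimum is visible in the log afterwards. The new path also returns -ENXIO, the same value as the check immediately above it in the context lines, so the caller cannot tell the two rejections apart.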

From: Andrew Cooper
To: Xen-devel
Cc: Andrew Cooper, Jan Beulich, Roger Pau Monné
Subject: [PATCH 5/5] x86/ucode: Relax digest check when Entrysign is fixed in firmware
Date: Mon, 20 Oct 2025 14:19:55 +0100
Message-Id: <20251020131955.2928261-6-andrew.cooper3@citrix.com>
In-Reply-To: <20251020131955.2928261-1-andrew.cooper3@citrix.com>
References: <20251020131955.2928261-1-andrew.cooper3@citrix.com>

When Entrysign has been mitigated in firmware, it is believed to be safe to
pass blobs to the CPU again. This avoids us needing to update the digest
table for new microcodes.

Relax the digest check when firmware looks to be up to date, and leave behind
a clear message when not.

This is best-effort only. If a malicious microcode has been loaded prior to
Xen running, then all bets are off.

Signed-off-by: Andrew Cooper
---
CC: Jan Beulich
CC: Roger Pau Monné

I need to double check the revision table. I think I need to submit a
correction to Linux first.
---
 xen/arch/x86/cpu/microcode/amd.c     | 81 +++++++++++++++++++++++++++-
 xen/arch/x86/cpu/microcode/core.c    |  2 +
 xen/arch/x86/cpu/microcode/private.h |  2 +
 3 files changed, 84 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/cpu/microcode/amd.c b/xen/arch/x86/cpu/microcode/= amd.c index 30bddc89da0a..b5b55b7a00cd 100644 --- a/xen/arch/x86/cpu/microcode/amd.c +++ b/xen/arch/x86/cpu/microcode/amd.c @@ -101,6 +101,7 @@ static const struct patch_digest { } patch_digests[] =3D { #include "amd-patch-digests.c" }; +static bool __ro_after_init entrysign_mitigiated_in_firmware; =20 static int cf_check cmp_patch_id(const void *key, const void *elem) { @@ -125,7 +126,7 @@ static bool check_digest(const struct container_microco= de *mc) * microcode updates. Mitigate by checking the digest of the patch * against a list of known provenance. */ - if ( boot_cpu_data.family < 0x17 || + if ( boot_cpu_data.family < 0x17 || entrysign_mitigiated_in_firmware || !opt_digest_check ) return true; =20 
@@ -597,3 +598,81 @@ static void __init __constructor test_digests_sorted(v= oid) } } #endif /* CONFIG_SELF_TESTS */ + +/* + * The Entrysign vulnerability affects all Zen1 thru Zen5 CPUs. Firmware + * fixes were produced in Nov/Dec 2025. Zen3 thru Zen5 can continue to ta= ke + * OS-loadable microcode updates using a new signature scheme, as long as + * firmware has been updated first. + */ +void __init amd_check_entrysign(void) +{ + unsigned int curr_rev; + uint8_t fixed_rev; + + if ( boot_cpu_data.vendor !=3D X86_VENDOR_AMD || + boot_cpu_data.family < 0x17 || + boot_cpu_data.family > 0x1a ) + return; + + /* + * Table taken from Linux, which is the only known source of informati= on + * about client revisions. + */ + curr_rev =3D this_cpu(cpu_sig).rev; + switch ( curr_rev >> 8 ) + { + case 0x080012: fixed_rev =3D 0x6f; break; + case 0x080082: fixed_rev =3D 0x0f; break; + case 0x083010: fixed_rev =3D 0x7c; break; + case 0x086001: fixed_rev =3D 0x0e; break; + case 0x086081: fixed_rev =3D 0x08; break; + case 0x087010: fixed_rev =3D 0x34; break; + case 0x08a000: fixed_rev =3D 0x0a; break; + case 0x0a0010: fixed_rev =3D 0x7a; break; + case 0x0a0011: fixed_rev =3D 0xda; break; + case 0x0a0012: fixed_rev =3D 0x43; break; + case 0x0a0082: fixed_rev =3D 0x0e; break; + case 0x0a1011: fixed_rev =3D 0x53; break; + case 0x0a1012: fixed_rev =3D 0x4e; break; + case 0x0a1081: fixed_rev =3D 0x09; break; + case 0x0a2010: fixed_rev =3D 0x2f; break; + case 0x0a2012: fixed_rev =3D 0x12; break; + case 0x0a4041: fixed_rev =3D 0x09; break; + case 0x0a5000: fixed_rev =3D 0x13; break; + case 0x0a6012: fixed_rev =3D 0x0a; break; + case 0x0a7041: fixed_rev =3D 0x09; break; + case 0x0a7052: fixed_rev =3D 0x08; break; + case 0x0a7080: fixed_rev =3D 0x09; break; + case 0x0a70c0: fixed_rev =3D 0x09; break; + case 0x0aa001: fixed_rev =3D 0x16; break; + case 0x0aa002: fixed_rev =3D 0x18; break; + case 0x0b0021: fixed_rev =3D 0x46; break; + case 0x0b1010: fixed_rev =3D 0x46; break; + case 0x0b2040: 
fixed_rev =3D 0x31; break; + case 0x0b4040: fixed_rev =3D 0x31; break; + case 0x0b6000: fixed_rev =3D 0x31; break; + case 0x0b7000: fixed_rev =3D 0x31; break; + default: + printk(XENLOG_WARNING + "Unrecognised CPU %02x-%02x-%02x ucode 0x%08x, assuming vul= nerable to Entrysign\n", + boot_cpu_data.family, boot_cpu_data.model, + boot_cpu_data.stepping, curr_rev); + return; + } + + /* + * This check is best-effort. If the platform looks to be out of date= , it + * probably is. If the platform looks to be fixed, it either genuinely + * is, or malware has gotten in before Xen booted and all bets are off. + */ + if ( (uint8_t)curr_rev >=3D fixed_rev ) + { + entrysign_mitigiated_in_firmware =3D true; + return; + } + + printk(XENLOG_ERR + "Platform vulnerable to Entrysign (SB-7033, CVE-2024-36347) - f= irmware update required\n"); + add_taint(TAINT_CPU_OUT_OF_SPEC); +} diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode= /core.c index 2705bb43c97f..1d1a5aa4b097 100644 --- a/xen/arch/x86/cpu/microcode/core.c +++ b/xen/arch/x86/cpu/microcode/core.c @@ -750,6 +750,8 @@ static int __init early_microcode_load(struct boot_info= *bi) int idx =3D opt_mod_idx; int rc; =20 + amd_check_entrysign(); + /* * Cmdline parsing ensures this invariant holds, so that we don't end = up * trying to mix multiple ways of finding the microcode. diff --git a/xen/arch/x86/cpu/microcode/private.h b/xen/arch/x86/cpu/microc= ode/private.h index f5e2bfee00d9..e6c965dc99dd 100644 --- a/xen/arch/x86/cpu/microcode/private.h +++ b/xen/arch/x86/cpu/microcode/private.h @@ -81,8 +81,10 @@ extern bool opt_digest_check; */ #ifdef CONFIG_AMD void ucode_probe_amd(struct microcode_ops *ops); +void amd_check_entrysign(void); #else static inline void ucode_probe_amd(struct microcode_ops *ops) {} +static inline void amd_check_entrysign(void) {} #endif =20 #ifdef CONFIG_INTEL --=20 2.39.5
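
Review bot: entrysign_mitigiated_in_firmware (PATCH 5/5, amd.c hunk -101,6 +101,7) is misspelt; it should be entrysign_mitigated_in_firmware, at the declaration and at both uses in check_digest() and amd_check_entrysign().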
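
Review bot: In check_digest() (PATCH 5/5, amd.c hunk -125,7 +126,7), the added entrysign_mitigiated_in_firmware term makes the function return true whatever opt_digest_check says, so once firmware looks fixed there is no setting that keeps the digest check in force. amd_check_entrysign() calls its own result best-effort, so an administrator may reasonably want to keep the digest table as a second check; consider letting an explicit request for digest checking take precedence over the firmware heuristic. The comment block directly above the condition still describes only the digest mitigation and needs a sentence on the new exemption.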
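
Review bot: amd_check_entrysign() (PATCH 5/5, amd.c hunk -597,3 +598,81) sets entrysign_mitigiated_in_firmware and returns without logging anything, so the path that switches the digest check off is the only silent one. Print an informational line with curr_rev and the fixed_rev it was compared against, so the boot log records that the check was relaxed and on what evidence. Two further points in the same hunk: the header comment says firmware fixes were produced in "Nov/Dec 2025", which is later than this mail's date of 20 Oct 2025, so the year looks wrong; and the table contains 0x08xxxx entries, which by the "pre Zen3?" test in check_min_rev() are older than Zen3, while the comment only says Zen3 thru Zen5 can keep taking OS-loadable updates. Please state whether relaxing the digest check on those older parts is intended.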
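
Review bot: The amd_check_entrysign() call added at the top of early_microcode_load() (PATCH 5/5, core.c hunk -750,6 +750,8) carries an ordering requirement that nothing at the call site states: it reads this_cpu(cpu_sig).rev as evidence of what firmware installed, so it has to run after cpu_sig is populated and before Xen loads any microcode of its own. Add a short comment saying so, otherwise a later reordering of this function would change what the check measures without any build or runtime error.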