From nobody Sat Dec 13 23:02:21 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5DD2BC636CD for ; Mon, 30 Jan 2023 21:40:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230514AbjA3VkQ (ORCPT ); Mon, 30 Jan 2023 16:40:16 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57028 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229963AbjA3VkO (ORCPT ); Mon, 30 Jan 2023 16:40:14 -0500 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B81B01BDD for ; Mon, 30 Jan 2023 13:40:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1675114813; x=1706650813; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=TFZOhQupMCyhWl530Dlvg8nqRMsH2GVlEz63WCWbwRI=; b=SX+jIj1QJrEkquhHr4DStUzH1VPzQ8DjADtvPk64+b3tKGBstOKXr5TI ScoLb3mqoJNHYkVB/JCl493x3GY9JjK2MmO54cXe4RvY2w24c3z8jC7JF INS1yO1GjmmctFQntOJdkfKAGmUhQOlXQ1vrlZgEOoNx2LsS+4SMdV+3n Z/+k3DWuheSfQj/c/eW7IyFvsZHNexxEuf/+2jzvMgwGHQvQVWtKc2a6z a3E8XDRKWvAN5+VCy9NKIl9QMS2R8VRn/u6I+HVWxDjQNOKvzXfmcHxkE JawMsHOU5RjS14qJZ6cLCxARzDwhFQsL7Y3ApIHgNtLY7RgwXmOEXVzvY A==; X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="328955479" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="328955479" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:12 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="696571856" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="696571856" Received: from araj-ucode.jf.intel.com ([10.23.0.19]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:12 -0800 From: Ashok Raj To: Borislav Petkov , Thomas Gleixner Cc: Ashok Raj , LKML , x86 , Ingo Molnar , Tony Luck , Dave Hansen , Alison Schofield , Reinette Chatre , Tom Lendacky , Stefan Talpalaru , David Woodhouse , Benjamin Herrenschmidt , Jonathan Corbet , "Rafael J . Wysocki" , Peter Zilstra , Andy Lutomirski , Andrew Cooper , Boris Ostrovsky , Martin Pohlack Subject: [Patch v3 Part2 1/9] x86/microcode: Taint kernel only if microcode loading was successful Date: Mon, 30 Jan 2023 13:39:47 -0800 Message-Id: <20230130213955.6046-2-ashok.raj@intel.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20230130213955.6046-1-ashok.raj@intel.com> References: <20230130213955.6046-1-ashok.raj@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Currently when late loading is aborted due to check_online_cpu(), kernel still ends up tainting the kernel. Taint only when microcode loading was successful. Suggested-by: Thomas Gleixner Signed-off-by: Ashok Raj Cc: LKML Cc: x86 Cc: Ingo Molnar Cc: Tony Luck Cc: Dave Hansen Cc: Alison Schofield Cc: Reinette Chatre Cc: Thomas Gleixner (Intel) Cc: Tom Lendacky Cc: Stefan Talpalaru Cc: David Woodhouse Cc: Benjamin Herrenschmidt Cc: Jonathan Corbet Cc: Rafael J. Wysocki Cc: Peter Zilstra (Intel) Cc: Andy Lutomirski Cc: Andrew Cooper Cc: Boris Ostrovsky Cc: Martin Pohlack --- v1->v2: (Thomas) - Remove unnecessary assignment of ret that's being overwritten. - Taint kernel only of loading was successful --- arch/x86/kernel/cpu/microcode/core.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/mic= rocode/core.c index 61d57d9b93ee..1c6831b8b244 100644 --- a/arch/x86/kernel/cpu/microcode/core.c +++ b/arch/x86/kernel/cpu/microcode/core.c @@ -472,7 +472,8 @@ static ssize_t reload_store(struct device *dev, enum ucode_state tmp_ret =3D UCODE_OK; int bsp =3D boot_cpu_data.cpu_index; unsigned long val; - ssize_t ret =3D 0; + int load_ret =3D -1; + ssize_t ret; =20 ret =3D kstrtoul(buf, 0, &val); if (ret) @@ -488,20 +489,26 @@ static ssize_t reload_store(struct device *dev, goto put; =20 tmp_ret =3D microcode_ops->request_microcode_fw(bsp, µcode_pdev->dev= ); - if (tmp_ret !=3D UCODE_NEW) + if (tmp_ret !=3D UCODE_NEW) { + ret =3D size; goto put; + } =20 mutex_lock(µcode_mutex); - ret =3D microcode_reload_late(); + load_ret =3D microcode_reload_late(); mutex_unlock(µcode_mutex); =20 put: cpus_read_unlock(); =20 - if (ret =3D=3D 0) + /* + * Taint only when loading was successful + */ + if (load_ret =3D=3D 0) { ret =3D size; - - add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK); + add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK); + pr_warn("Microcode late loading tainted the kernel\n"); + } =20 return ret; } --=20 2.37.2 From nobody Sat Dec 13 23:02:21 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E039C54EAA for ; Mon, 30 Jan 2023 21:40:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231350AbjA3VkT (ORCPT ); Mon, 30 Jan 2023 16:40:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57038 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230104AbjA3VkP (ORCPT ); Mon, 30 Jan 2023 16:40:15 -0500 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A04011727 for ; Mon, 30 Jan 2023 13:40:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1675114814; x=1706650814; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=VdG1GGA8W0DfnPFwDcohOqulqfW3saP77d/Ow4pY9zI=; b=KNTZ9IGxF0iuFD3oUdMIY02uE6iRC9MsJXJY5Khs8hbwe4wgOO7weLpu 1wwdPGPRjCCfGIhphPK4YYhoOhjGLudy5PW5tTuwJLQ92k2orEtg+wxR5 IdCAThhuFhbqYHPdnEKsnpFOaj1W2tExpmGdSQgvW3h84gk9EQqOjC59m kD02y9abNJWRVNf5ROwRGULrmE4b+JBgf6/5HSZD7rDqc5Yb7EjulYFbc 5H0k0IkgLBVyqTeL/xXmMq+yOY+WTneH7TV+6VkNLj8yiYwFIuU0KO7om E1XlWtIf+Ni4wyRvYi9MMRdiQECWjvhR7piM6B2R/ywqGOqSjb3QPJ7m9 g==; X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="328955492" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="328955492" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:12 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="696571860" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="696571860" Received: from araj-ucode.jf.intel.com ([10.23.0.19]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:12 -0800 From: Ashok Raj To: Borislav Petkov , Thomas Gleixner Cc: Ashok Raj , LKML , x86 , Ingo Molnar , Tony Luck , Dave Hansen , Alison Schofield , Reinette Chatre , Tom Lendacky , Stefan Talpalaru , David Woodhouse , Benjamin Herrenschmidt , Jonathan Corbet , "Rafael J . Wysocki" , Peter Zilstra , Andy Lutomirski , Andrew Cooper , Boris Ostrovsky , Martin Pohlack Subject: [Patch v3 Part2 2/9] x86/microcode: Report invalid writes to reload sysfs file Date: Mon, 30 Jan 2023 13:39:48 -0800 Message-Id: <20230130213955.6046-3-ashok.raj@intel.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20230130213955.6046-1-ashok.raj@intel.com> References: <20230130213955.6046-1-ashok.raj@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Semantics of the microcode reload file are only defined if a "1" is written. But the code silently treats any other unsigned integer as a successful write even though no actions are performed to load microcode. Report those erroneous writes back to user. Suggested-by: Thomas Gleixner Signed-off-by: Ashok Raj Cc: LKML Cc: x86 Cc: Ingo Molnar Cc: Tony Luck Cc: Dave Hansen Cc: Alison Schofield Cc: Reinette Chatre Cc: Thomas Gleixner (Intel) Cc: Tom Lendacky Cc: Stefan Talpalaru Cc: David Woodhouse Cc: Benjamin Herrenschmidt Cc: Jonathan Corbet Cc: Rafael J. Wysocki Cc: Peter Zilstra (Intel) Cc: Andy Lutomirski Cc: Andrew Cooper Cc: Boris Ostrovsky Cc: Martin Pohlack --- arch/x86/kernel/cpu/microcode/core.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/mic= rocode/core.c index 1c6831b8b244..e4b4dfcf2d18 100644 --- a/arch/x86/kernel/cpu/microcode/core.c +++ b/arch/x86/kernel/cpu/microcode/core.c @@ -476,11 +476,8 @@ static ssize_t reload_store(struct device *dev, ssize_t ret; =20 ret =3D kstrtoul(buf, 0, &val); - if (ret) - return ret; - - if (val !=3D 1) - return size; + if (ret || val !=3D 1) + return -EINVAL; =20 cpus_read_lock(); =20 --=20 2.37.2 From nobody Sat Dec 13 23:02:21 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A96BC636D3 for ; Mon, 30 Jan 2023 21:40:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231441AbjA3Vka (ORCPT ); Mon, 30 Jan 2023 16:40:30 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57108 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231300AbjA3VkR (ORCPT ); Mon, 30 Jan 2023 16:40:17 -0500 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EA3616A61 for ; Mon, 30 Jan 2023 13:40:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1675114815; x=1706650815; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=1ribreiqlw4yvFYe7h9+NZncTm/1TctmT/8aknEK0LI=; b=OzKVkUvVnKeg3UpOE7lkzX6YYuk9bYTzvOPhiI62JK7ADrPzk5AAscOG tDeNwm1Y1SyBjGxiLswsMvFjlXIokpN84w9UQAB4WUaiSDOL+SA2wrVLj 2gvJDu+G1MY0z38YOqeupWKzizGdJ1WJcN2GxkJYvjJcgcS0pykFUTTQj 44xV6MPI8ZHcExcvGdj4JcohvJnj3sez+iMgbD56Y+/idHB7L+RUkJU8Z pMt1X2jYi6ET1dgm47ityTx043TE64Lg+wkDugmUt23DAEMO/D8OFz3JC XvF+fUI+d7N5ZWcNI9BfA7NYc9AtfKi1EraX7bR0i9ydOoofHjTCAZFqB g==; X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="328955504" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="328955504" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:13 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="696571863" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="696571863" Received: from araj-ucode.jf.intel.com ([10.23.0.19]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:12 -0800 From: Ashok Raj To: Borislav Petkov , Thomas Gleixner Cc: Ashok Raj , LKML , x86 , Ingo Molnar , Tony Luck , Dave Hansen , Alison Schofield , Reinette Chatre , Tom Lendacky , Stefan Talpalaru , David Woodhouse , Benjamin Herrenschmidt , Jonathan Corbet , "Rafael J . Wysocki" , Peter Zilstra , Andy Lutomirski , Andrew Cooper , Boris Ostrovsky , Martin Pohlack Subject: [Patch v3 Part2 3/9] x86/microcode/intel: Fix collect_cpu_info() to reflect current microcode Date: Mon, 30 Jan 2023 13:39:49 -0800 Message-Id: <20230130213955.6046-4-ashok.raj@intel.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20230130213955.6046-1-ashok.raj@intel.com> References: <20230130213955.6046-1-ashok.raj@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Currently collect_cpu_info() is only returning what was cached earlier instead of reading the current revision from the proper MSR. Collect the current revision and report that value instead of reflecting what was cached in the past. [TBD: Need to change microcode/amd.c. I didn't quite follow the logic since it reports the revision from the patch file, instead of reporting the real PATCH_LEVEL MSR. Untested on AMD. ] Signed-off-by: Ashok Raj Cc: LKML Cc: x86 Cc: Ingo Molnar Cc: Tony Luck Cc: Dave Hansen Cc: Alison Schofield Cc: Reinette Chatre Cc: Thomas Gleixner (Intel) Cc: Tom Lendacky Cc: Stefan Talpalaru Cc: David Woodhouse Cc: Benjamin Herrenschmidt Cc: Jonathan Corbet Cc: Rafael J. Wysocki Cc: Peter Zilstra (Intel) Cc: Andy Lutomirski Cc: Andrew Cooper Cc: Boris Ostrovsky Cc: Martin Pohlack --- arch/x86/kernel/cpu/microcode/intel.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/mi= crocode/intel.c index 467cf37ea90a..de8e591c42cd 100644 --- a/arch/x86/kernel/cpu/microcode/intel.c +++ b/arch/x86/kernel/cpu/microcode/intel.c @@ -542,6 +542,13 @@ static int collect_cpu_info(int cpu_num, struct cpu_si= gnature *csig) { struct cpuinfo_x86 *c =3D &cpu_data(cpu_num); unsigned int val[2]; + int rev; + + /* + * intel_get_microcode_revision() reads a per-core MSR + * to read the revision (MSR_IA32_UCODE_REV). + */ + WARN_ON_ONCE(cpu_num !=3D smp_processor_id()); =20 memset(csig, 0, sizeof(*csig)); =20 @@ -553,7 +560,9 @@ static int collect_cpu_info(int cpu_num, struct cpu_sig= nature *csig) csig->pf =3D 1 << ((val[1] >> 18) & 7); } =20 - csig->rev =3D c->microcode; + rev =3D intel_get_microcode_revision(); + c->microcode =3D rev; + csig->rev =3D rev; =20 return 0; } --=20 2.37.2 From nobody Sat Dec 13 23:02:21 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 98BD9C54EAA for ; Mon, 30 Jan 2023 21:40:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231388AbjA3VkY (ORCPT ); Mon, 30 Jan 2023 16:40:24 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57076 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230480AbjA3VkQ (ORCPT ); Mon, 30 Jan 2023 16:40:16 -0500 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 90F9546B0 for ; Mon, 30 Jan 2023 13:40:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1675114815; x=1706650815; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=l2C4mQekfCyd1yvV8K4Udyf0Ac0fLPq/4sH1liSL9+g=; b=C0jv8lXIN8PPRqhuTota0XaWw/eSl2psMv/MvmhbvJmzcoNmgfKM21Ox 2hLmFfMlfUNViJjuQxhKWs7gd8bfK9aDqvaiSMmqcAR6Gde8ugX8kWwFx EhOnaQS/48WoKL7anf+bcvv3VY9jBT4buIwZYJ8D/qYau7x685ilO9PgW Pq7nAI9llc4ljYMsGGipbZMPGonUmjAY8iuFlb828uRwag5WZhKkhwvKa TfkJSliQUDLj2448hErV6hOGGwEJuQvVfpjnFzPU52bQ5s6WMp5OFGFuB bB/i6GqHV2/GYCJSFptpu1L4h95iCcjQl69x+gICkS54vGTmB+yv4Z02E g==; X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="328955516" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="328955516" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:13 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="696571867" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="696571867" Received: from araj-ucode.jf.intel.com ([10.23.0.19]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:12 -0800 From: Ashok Raj To: Borislav Petkov , Thomas Gleixner Cc: Ashok Raj , LKML , x86 , Ingo Molnar , Tony Luck , Dave Hansen , Alison Schofield , Reinette Chatre , Tom Lendacky , Stefan Talpalaru , David Woodhouse , Benjamin Herrenschmidt , Jonathan Corbet , "Rafael J . Wysocki" , Peter Zilstra , Andy Lutomirski , Andrew Cooper , Boris Ostrovsky , Martin Pohlack Subject: [Patch v3 Part2 4/9] x86/microcode: Do not call apply_microcode() on sibling threads Date: Mon, 30 Jan 2023 13:39:50 -0800 Message-Id: <20230130213955.6046-5-ashok.raj@intel.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20230130213955.6046-1-ashok.raj@intel.com> References: <20230130213955.6046-1-ashok.raj@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Microcode updates are applied at the core, so an update to one HT sibling is effective on all HT siblings of the same core. During late-load, after the primary has updated the microcode, it also reflects that in the per-cpu structure (cpuinfo_x86) holding the current revision. Current code calls apply_microcode() to update the SW per-cpu revision. But in the odd case when primary returned with an error, and as a result the secondary didn't get the revision updated, will attempt to perform a patch load and the primary has already been released to the system. This could be problematic, because the whole rendezvous dance is to prevent updates when one of the siblings could be executing arbitrary code. Replace apply_microcode() with a call to collect_cpu_info() and let that call also update the per-cpu structure instead of returning the previously cached values. Suggested-by: Thomas Gleixner Signed-off-by: Ashok Raj Cc: LKML Cc: x86 Cc: Ingo Molnar Cc: Tony Luck Cc: Dave Hansen Cc: Alison Schofield Cc: Reinette Chatre Cc: Thomas Gleixner (Intel) Cc: Tom Lendacky Cc: Stefan Talpalaru Cc: David Woodhouse Cc: Benjamin Herrenschmidt Cc: Jonathan Corbet Cc: Rafael J. Wysocki Cc: Peter Zilstra (Intel) Cc: Andy Lutomirski Cc: Andrew Cooper Cc: Boris Ostrovsky Cc: Martin Pohlack --- arch/x86/kernel/cpu/microcode/core.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/mic= rocode/core.c index e4b4dfcf2d18..8452fad89bf6 100644 --- a/arch/x86/kernel/cpu/microcode/core.c +++ b/arch/x86/kernel/cpu/microcode/core.c @@ -386,6 +386,7 @@ static int __wait_for_cpus(atomic_t *t, long long timeo= ut) static int __reload_late(void *info) { int cpu =3D smp_processor_id(); + struct ucode_cpu_info *uci; enum ucode_state err; int ret =3D 0; =20 @@ -421,12 +422,13 @@ static int __reload_late(void *info) =20 /* * At least one thread has completed update on each core. - * For others, simply call the update to make sure the - * per-cpu cpuinfo can be updated with right microcode - * revision. + * For siblings, collect the cpuinfo and update the + * per-cpu cpuinfo with the current microcode revision. */ - if (cpumask_first(topology_sibling_cpumask(cpu)) !=3D cpu) - err =3D microcode_ops->apply_microcode(cpu); + if (cpumask_first(topology_sibling_cpumask(cpu)) !=3D cpu) { + uci =3D ucode_cpu_info + cpu; + microcode_ops->collect_cpu_info(cpu, &uci->cpu_sig); + } =20 return ret; } --=20 2.37.2 From nobody Sat Dec 13 23:02:21 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D57BAC54EAA for ; Mon, 30 Jan 2023 21:40:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231402AbjA3Vk1 (ORCPT ); Mon, 30 Jan 2023 16:40:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57080 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230526AbjA3VkQ (ORCPT ); Mon, 30 Jan 2023 16:40:16 -0500 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CA0AC1727 for ; Mon, 30 Jan 2023 13:40:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1675114815; x=1706650815; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=voF6jjo5dj3mRofutynhvBZdyYRA2mgyQE5q7XMzfyI=; b=IGhswbX6MwpHgvW1cRRt3pbfTQqQApeymmgRsgLmalGvnNteEuuAFZVL 8N/6WHsaNjI9NTlmRkBoSFpB+Jjg+rt/jIDjT2ADZ08fwGFz/vkbwObTa 3WgPgo5CbWNKXDYLyg88MULdv4fTETRNYBR/2/RjiSQ18mfYqz1SeyXlz k6mETPivLePnCNVrDqyj/gCU7UqSk5tcvVx8wlKYaCbcRzrcfvUGklcc5 nPVqcMg118EzPqluxD17bMiC+rCIjWuMflYTcso22mxZQRZVXuvXoFFND NKSwWexDfaGhNhNYYtZkwnCAyxFtYhjDU7kHyoGPwyYGeapJ0jSDXuGBl A==; X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="328955530" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="328955530" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:13 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="696571870" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="696571870" Received: from araj-ucode.jf.intel.com ([10.23.0.19]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:12 -0800 From: Ashok Raj To: Borislav Petkov , Thomas Gleixner Cc: Ashok Raj , Tony Luck , LKML , x86 , Ingo Molnar , Dave Hansen , Alison Schofield , Reinette Chatre , Tom Lendacky , Stefan Talpalaru , David Woodhouse , Benjamin Herrenschmidt , Jonathan Corbet , "Rafael J . Wysocki" , Peter Zilstra , Andy Lutomirski , Andrew Cooper , Boris Ostrovsky , Martin Pohlack Subject: [Patch v3 Part2 5/9] x86/microcode: Move late load warning to the same function that taints kernel Date: Mon, 30 Jan 2023 13:39:51 -0800 Message-Id: <20230130213955.6046-6-ashok.raj@intel.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20230130213955.6046-1-ashok.raj@intel.com> References: <20230130213955.6046-1-ashok.raj@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Late microcode loading issues a warning and taints the kernel. Tainting the kernel and emitting the warning happens in two different functions. The upcoming support for safe late loading under certain conditions needs to prevent both the warning and the tainting when the safe conditions are met. That would require to hand the result of the safe condition check into the function which emits the warning. To avoid this awkward construct, move the warning into reload_store() next to the taint() invocation as that is also the function which will later contain the safe condition check. No functional change. Signed-off-by: Ashok Raj Reviewed-by: Tony Luck Cc: LKML Cc: x86 Cc: Ingo Molnar Cc: Tony Luck Cc: Dave Hansen Cc: Alison Schofield Cc: Reinette Chatre Cc: Thomas Gleixner (Intel) Cc: Tom Lendacky Cc: Stefan Talpalaru Cc: David Woodhouse Cc: Benjamin Herrenschmidt Cc: Jonathan Corbet Cc: Rafael J. Wysocki Cc: Peter Zilstra (Intel) Cc: Andy Lutomirski Cc: Andrew Cooper Cc: Boris Ostrovsky Cc: Martin Pohlack --- arch/x86/kernel/cpu/microcode/core.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/mic= rocode/core.c index 8452fad89bf6..bff566c05f46 100644 --- a/arch/x86/kernel/cpu/microcode/core.c +++ b/arch/x86/kernel/cpu/microcode/core.c @@ -442,9 +442,6 @@ static int microcode_reload_late(void) int old =3D boot_cpu_data.microcode, ret; struct cpuinfo_x86 prev_info; =20 - pr_err("Attempting late microcode loading - it is dangerous and taints th= e kernel.\n"); - pr_err("You should switch to early loading, if possible.\n"); - atomic_set(&late_cpus_in, 0); atomic_set(&late_cpus_out, 0); =20 @@ -487,6 +484,9 @@ static ssize_t reload_store(struct device *dev, if (ret) goto put; =20 + pr_err("Attempting late microcode loading - it is dangerous and taints th= e kernel.\n"); + pr_err("You should switch to early loading, if possible.\n"); + tmp_ret =3D microcode_ops->request_microcode_fw(bsp, µcode_pdev->dev= ); if (tmp_ret !=3D UCODE_NEW) { ret =3D size; --=20 2.37.2 From nobody Sat Dec 13 23:02:21 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7A9B1C636CD for ; Mon, 30 Jan 2023 21:40:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231532AbjA3Vko (ORCPT ); Mon, 30 Jan 2023 16:40:44 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57192 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229832AbjA3VkT (ORCPT ); Mon, 30 Jan 2023 16:40:19 -0500 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2DCE944B4 for ; Mon, 30 Jan 2023 13:40:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1675114817; x=1706650817; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=782tPInWyNWww11wtOIG78CU8X6ISLOcwEBBBjgrn+E=; b=EtOampvAZWL3a/8CYGiTC2/tPKKyLzPv9tDwQOkgfpm5rPzLRUnhP1G8 u6dw9KxbqzbSCNgRCET4GTaKyJOn/Y1BcBF961HkzJGjvrEnOl+NIjRG5 5lxILnbcB1BxXbjEVytmRXaNgB681vdLP8MU6OTRPBH+VBlhcRZNpdgco niyYwPuHWFU8H24jDVg75rSru7GrskV8TRcjIeJZ5Wf2VhmeDR2e8PDul XHk+RPE5AzlTenu5CqUMl46QJvgxfCzXbTJ9z8WS5H5HYppYjJwpJhb1G 4yxc5g3S0RDwHj9I0kVLaOBQls7GakFd0E/VZxqFN+s5ITEy1CbFM96ES Q==; X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="328955542" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="328955542" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:13 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="696571873" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="696571873" Received: from araj-ucode.jf.intel.com ([10.23.0.19]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:12 -0800 From: Ashok Raj To: Borislav Petkov , Thomas Gleixner Cc: Ashok Raj , LKML , x86 , Ingo Molnar , Tony Luck , Dave Hansen , Alison Schofield , Reinette Chatre , Tom Lendacky , Stefan Talpalaru , David Woodhouse , Benjamin Herrenschmidt , Jonathan Corbet , "Rafael J . Wysocki" , Peter Zilstra , Andy Lutomirski , Andrew Cooper Subject: [Patch v3 Part2 6/9] x86/microcode/intel: Add minimum required revision to microcode header Date: Mon, 30 Jan 2023 13:39:52 -0800 Message-Id: <20230130213955.6046-7-ashok.raj@intel.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20230130213955.6046-1-ashok.raj@intel.com> References: <20230130213955.6046-1-ashok.raj@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" In general users don't have the necessary information to determine whether a late loading of a new microcode version has removed any feature (MSR, CPUID etc) between what is currently loaded and a new microcode revision. To address this issue, Intel has added a "minimum required version" field to a previously reserved field in the microcode header. Microcode updates should only be applied if the current microcode version is equal to, or greater than this minimum required version. Thomas made some suggestions[1] on how meta-data in the microcode file could provide Linux with information to decide if the new microcode is suitable candidate for late loading. But even the "simpler" option#1 requires a lot of metadata and corresponding kernel code to parse it. Simply "OS visible features" such as CPUID and MSRs are the only two examples. The microcode must not change these OS visible features because they cause problems after late loading. When microcode changes features, microcode will change the min_rev to prevent such microcodes from being late loaded. Pseudo code for late loading is as follows: if header.min_required_id =3D=3D 0 This is old format microcode, block late loading else if current_ucode_version < header.rev Abort update, can't update to older rev else if current_ucode_version < header.min_required_id Current version is too old, block late loading of this microcode. else OK to proceed with late loading. Any microcode that modifies the interface to an OS-visible feature will set the min_version to itself. This will enforce this microcode is not suitable for late loading unless the currently loaded revision is greater or equal to the new microcode affecting the change. The enforcement is not in hardware and limited to kernel loader enforcing the requirement. It is not required for early loading of microcode to enforce this requirement, since the new features are only evaluated after early loading in the boot process. When new features are added, there is no need for minrev enforcement. Check if the new microcode specifies the minimum version for safe late loading. Otherwise reject late load. Test cases covered: 1. With new kernel, attempting to load an older format microcode with the min_rev=3D0 should be blocked by kernel. [ 210.541802] Late loading denied: Microcode header does not specify a required min version. 2. New microcode with a non-zero min_rev in the header, but the specified min_rev is greater than what is currently loaded in the CPU should be blocked by kernel. 245.139828] microcode: Late loading denied: Current revision 0x8f685300 = is too old to update, must be at 0xaa000050 version or higher. Use early lo= ading instead. 3. New microcode with a min_rev < currently loaded should allow loading the microcode 4. Build initrd with microcode that has min_rev=3D0, or min_rev > currently loaded should permit early loading microcode from initrd. [1] https://lore.kernel.org/linux-kernel/alpine.DEB.2.21.1909062237580.1902= @nanos.tec.linutronix.de/ Suggested-by: Thomas Gleixner Signed-off-by: Ashok Raj Cc: LKML Cc: x86 Cc: Ingo Molnar Cc: Tony Luck Cc: Dave Hansen Cc: Alison Schofield Cc: Reinette Chatre Cc: Thomas Gleixner (Intel) Cc: Tom Lendacky Cc: Stefan Talpalaru Cc: David Woodhouse Cc: Benjamin Herrenschmidt Cc: Jonathan Corbet Cc: Rafael J. Wysocki Cc: Peter Zilstra (Intel) Cc: Andy Lutomirski Cc: Andrew Cooper --- arch/x86/include/asm/microcode_intel.h | 3 +- arch/x86/kernel/cpu/microcode/intel.c | 39 +++++++++++++++++++++++++- 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/microcode_intel.h b/arch/x86/include/asm/= microcode_intel.h index f1fa979e05bf..e83afe919b10 100644 --- a/arch/x86/include/asm/microcode_intel.h +++ b/arch/x86/include/asm/microcode_intel.h @@ -15,7 +15,8 @@ struct microcode_header_intel { unsigned int datasize; unsigned int totalsize; unsigned int metasize; - unsigned int reserved[2]; + unsigned int min_req_ver; + unsigned int reserved3; }; =20 struct microcode_intel { diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/mi= crocode/intel.c index de8e591c42cd..4b3df85f2ca6 100644 --- a/arch/x86/kernel/cpu/microcode/intel.c +++ b/arch/x86/kernel/cpu/microcode/intel.c @@ -135,6 +135,38 @@ static void save_microcode_patch(struct ucode_cpu_info= *uci, void *data, unsigne intel_ucode_patch =3D p->data; } =20 +static int is_lateload_safe(struct microcode_header_intel *mc_header) +{ + struct ucode_cpu_info uci; + + /* + * When late-loading, ensure the header declares a minimum revision + * required to perform a late-load. + */ + if (!mc_header->min_req_ver) { + pr_warn("Late loading denied: Microcode header does not specify a requir= ed min version\n"); + return -EINVAL; + } + + intel_cpu_collect_info(&uci); + + if (uci.cpu_sig.rev > mc_header->rev) { + pr_warn("Current microcode rev 0x%x greater than 0x%x, aborting\n", + uci.cpu_sig.rev, mc_header->rev); + return -EINVAL; + } + /* + * Enforce the minimum revision specified in the header is either + * greater or equal to the current revision. + */ + if (uci.cpu_sig.rev < mc_header->min_req_ver) { + pr_warn("Late loading denied: Current revision 0x%x too old to update, m= ust be at 0x%x or higher. Use early loading instead\n", + uci.cpu_sig.rev, mc_header->min_req_ver); + return -EINVAL; + } + return 0; +} + /* * Get microcode matching with BSP's model. Only CPUs with the same model = as * BSP can stay in the platform. @@ -681,7 +713,9 @@ static enum ucode_state generic_load_microcode(int cpu,= struct iov_iter *iter) memcpy(mc, &mc_header, sizeof(mc_header)); data =3D mc + sizeof(mc_header); if (!copy_from_iter_full(data, data_size, iter) || - intel_microcode_sanity_check(mc, true, MC_HEADER_TYPE_MICROCODE) < 0= ) { + intel_microcode_sanity_check(mc, true, MC_HEADER_TYPE_MICROCODE) < 0= || + is_lateload_safe(&mc_header)) { + ret =3D UCODE_ERROR; break; } =20 @@ -704,6 +738,9 @@ static enum ucode_state generic_load_microcode(int cpu,= struct iov_iter *iter) return UCODE_ERROR; } =20 + if (ret =3D=3D UCODE_ERROR) + return ret; + if (!new_mc) return UCODE_NFOUND; =20 --=20 2.37.2 From nobody Sat Dec 13 23:02:21 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 036E3C636CD for ; Mon, 30 Jan 2023 21:40:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231300AbjA3Vkg (ORCPT ); Mon, 30 Jan 2023 16:40:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57160 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231342AbjA3VkS (ORCPT ); Mon, 30 Jan 2023 16:40:18 -0500 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2EE1410413 for ; Mon, 30 Jan 2023 13:40:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1675114817; x=1706650817; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=HcSaC88LySiU87nVNq6tS5eJMTjnQLKhunjdjxrCwrw=; b=MBT0Ii+4iWY/DX0eRrG6QCMjwtcad1sq7lFMDVspShz8/u1H6fW5Dua8 6faPPy/pVkXBItuTW8c04YoKfGfhdCZrHxWxQXY8bTJmhSDapRknX3Ud6 ogpp/X+/VwJWI7KO8Awc2U9BXZjFfy5mRmMbA4Fi/PKatRkVQ4+q40jxQ ugXtbcAnW7f1V2UGifsG3eW+Ov0QRqKnhWA7w6LZzpeh5mZBkNQxNKeM6 4xyfxuQeLciRxbC9wwIznICzhNPJ9IzKbvQe3kNjesUx8F5P5mr0Oe4xv FEy3ALnA/GBVT19UJW1PW29iMzvRZDNM2BRfk3wLRSZ+6yR/KhFpPul5h g==; X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="328955554" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="328955554" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:13 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="696571876" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="696571876" Received: from araj-ucode.jf.intel.com ([10.23.0.19]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:12 -0800 From: Ashok Raj To: Borislav Petkov , Thomas Gleixner Cc: Ashok Raj , Tony Luck , LKML , x86 , Ingo Molnar , Dave Hansen , Alison Schofield , Reinette Chatre , Tom Lendacky , Stefan Talpalaru , David Woodhouse , Benjamin Herrenschmidt , Jonathan Corbet , "Rafael J . Wysocki" , Peter Zilstra , Andy Lutomirski , Andrew Cooper , Boris Ostrovsky , Martin Pohlack Subject: [Patch v3 Part2 7/9] x86/microcode: Add a generic mechanism to declare support for minrev Date: Mon, 30 Jan 2023 13:39:53 -0800 Message-Id: <20230130213955.6046-8-ashok.raj@intel.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20230130213955.6046-1-ashok.raj@intel.com> References: <20230130213955.6046-1-ashok.raj@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Intel microcode adds some meta-data to report a minimum required revision before this new microcode can be safely late loaded. There are no generic mechanism to declare support for all vendors. Add generic support to microcode core to declare such support, this allows late-loading to be permitted in those architectures that report support for safe late loading. Late loading has added support for - New images declaring a required minimum base version before a late-load is performed. Tainting only happens on architectures that don't support minimum required version reporting. Add a new variable in microcode_ops to allow an architecture to declare support for safe microcode late loading. Also make CONFIG_MICROCODE_LOADING by default, now that kernel enforces the "minrev" requirement strictly. Signed-off-by: Ashok Raj Reviewed-by: Tony Luck Cc: LKML Cc: x86 Cc: Ingo Molnar Cc: Tony Luck Cc: Dave Hansen Cc: Alison Schofield Cc: Reinette Chatre Cc: Thomas Gleixner (Intel) Cc: Tom Lendacky Cc: Stefan Talpalaru Cc: David Woodhouse Cc: Benjamin Herrenschmidt Cc: Jonathan Corbet Cc: Rafael J. Wysocki Cc: Peter Zilstra (Intel) Cc: Andy Lutomirski Cc: Andrew Cooper Cc: Boris Ostrovsky Cc: Martin Pohlack --- arch/x86/include/asm/microcode.h | 2 ++ arch/x86/kernel/cpu/microcode/core.c | 26 +++++++++++++++++++++----- arch/x86/kernel/cpu/microcode/intel.c | 1 + arch/x86/Kconfig | 7 ++++--- 4 files changed, 28 insertions(+), 8 deletions(-) diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microc= ode.h index d5a58bde091c..3d48143e84a9 100644 --- a/arch/x86/include/asm/microcode.h +++ b/arch/x86/include/asm/microcode.h @@ -33,6 +33,8 @@ enum ucode_state { }; =20 struct microcode_ops { + bool safe_late_load; + enum ucode_state (*request_microcode_fw) (int cpu, struct device *); =20 void (*microcode_fini_cpu) (int cpu); diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/mic= rocode/core.c index bff566c05f46..be5d70396b79 100644 --- a/arch/x86/kernel/cpu/microcode/core.c +++ b/arch/x86/kernel/cpu/microcode/core.c @@ -470,6 +470,7 @@ static ssize_t reload_store(struct device *dev, { enum ucode_state tmp_ret =3D UCODE_OK; int bsp =3D boot_cpu_data.cpu_index; + bool safe_late_load =3D false; unsigned long val; int load_ret =3D -1; ssize_t ret; @@ -484,12 +485,25 @@ static ssize_t reload_store(struct device *dev, if (ret) goto put; =20 - pr_err("Attempting late microcode loading - it is dangerous and taints th= e kernel.\n"); - pr_err("You should switch to early loading, if possible.\n"); + safe_late_load =3D microcode_ops->safe_late_load; + + /* + * If safe loading indication isn't present, bail out. + */ + if (!safe_late_load) { + pr_err("Attempting late microcode loading - it is dangerous and taints t= he kernel.\n"); + pr_err("You should switch to early loading, if possible.\n"); + ret =3D -EINVAL; + goto put; + } =20 tmp_ret =3D microcode_ops->request_microcode_fw(bsp, µcode_pdev->dev= ); if (tmp_ret !=3D UCODE_NEW) { - ret =3D size; + /* + * If loading fails for some other reason, + * inform user appropriately + */ + ret =3D (tmp_ret =3D=3D UCODE_ERROR) ? -EINVAL : size; goto put; } =20 @@ -505,8 +519,10 @@ static ssize_t reload_store(struct device *dev, */ if (load_ret =3D=3D 0) { ret =3D size; - add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK); - pr_warn("Microcode late loading tainted the kernel\n"); + if (!safe_late_load) { + add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK); + pr_warn("Microcode late loading tainted the kernel\n"); + } } =20 return ret; diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/mi= crocode/intel.c index 4b3df85f2ca6..98c92b9affa2 100644 --- a/arch/x86/kernel/cpu/microcode/intel.c +++ b/arch/x86/kernel/cpu/microcode/intel.c @@ -814,6 +814,7 @@ static enum ucode_state request_microcode_fw(int cpu, s= truct device *device) } =20 static struct microcode_ops microcode_intel_ops =3D { + .safe_late_load =3D true, .request_microcode_fw =3D request_microcode_fw, .collect_cpu_info =3D collect_cpu_info, .apply_microcode =3D apply_microcode_intel, diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 3604074a878b..ddc4130e6f8c 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1352,15 +1352,16 @@ config MICROCODE_AMD processors will be enabled. =20 config MICROCODE_LATE_LOADING - bool "Late microcode loading (DANGEROUS)" - default n + bool "Late microcode loading" + default y depends on MICROCODE help Loading microcode late, when the system is up and executing instructions is a tricky business and should be avoided if possible. Just the sequen= ce of synchronizing all cores and SMT threads is one fragile dance which d= oes not guarantee that cores might not softlock after the loading. Therefor= e, - use this at your own risk. Late loading taints the kernel too. + use this at your own risk. Late loading taints the kernel, if it + doesn't support a minimum required base version before an update. =20 config X86_MSR tristate "/dev/cpu/*/msr - Model-specific register support" --=20 2.37.2 From nobody Sat Dec 13 23:02:21 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0F2C4C636D3 for ; Mon, 30 Jan 2023 21:40:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229792AbjA3Vkd (ORCPT ); Mon, 30 Jan 2023 16:40:33 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57154 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231328AbjA3VkS (ORCPT ); Mon, 30 Jan 2023 16:40:18 -0500 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3B59614E93 for ; Mon, 30 Jan 2023 13:40:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1675114817; x=1706650817; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=A80r7oChGS9LbqR+hFTuIEP18vZwaZTsItqNNyj9g5M=; b=ZtsGPKsHIq6wCx/m3kReHBMqDMp6+3HOE3M8RJ8Pc17FBbC/PWLjDFbW GEl50DD/VEK4FtP70OUki0VoZ6N6cCl2JW4sG19d5UjxnCxMT23IabSMU TXGkw4lQ7CZI6ske3zeKv0C+9fFj2mbF+EItV9T4SgBje9K5lcJpyWxQ1 lMUrnm5iUye5kLUm+EOnlQtNKAVs29z/hlbYyoj0u6ArSRgu8lde235FZ J9Uy0M+YznelwYX528+j4MfcdAleYTVtMI7XqUJkXSjI8koMrx6Qt0JuA gue8Eu/eL79uGUYi0fvtZRbDMeV62pZ6FFWTF5nOOf2JeR4xKfnTUZih1 A==; X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="328955565" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="328955565" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:13 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="696571879" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="696571879" Received: from araj-ucode.jf.intel.com ([10.23.0.19]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:13 -0800 From: Ashok Raj To: Borislav Petkov , Thomas Gleixner Cc: Ashok Raj , Tony Luck , LKML , x86 , Ingo Molnar , Dave Hansen , Alison Schofield , Reinette Chatre , Tom Lendacky , Stefan Talpalaru , David Woodhouse , Benjamin Herrenschmidt , Jonathan Corbet , "Rafael J . Wysocki" , Peter Zilstra , Andy Lutomirski , Andrew Cooper , Boris Ostrovsky , Martin Pohlack Subject: [Patch v3 Part2 8/9] x86/microcode/intel: Drop wbinvd() from microcode loading Date: Mon, 30 Jan 2023 13:39:54 -0800 Message-Id: <20230130213955.6046-9-ashok.raj@intel.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20230130213955.6046-1-ashok.raj@intel.com> References: <20230130213955.6046-1-ashok.raj@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Some older processors had a bad interaction when updating microcode if the caches were dirty causing machine checks. The wbinvd() was added to mitigate that before performing microcode updates. Now that Linux checks for the minimum version before performing an update, those microcode revisions can't be loaded. Early loading is also not required to use wbinvd() any longer, that was added as a safety net. Remove calls to wbinvd(). Signed-off-by: Ashok Raj Reviewed-by: Tony Luck Cc: LKML Cc: x86 Cc: Ingo Molnar Cc: Tony Luck Cc: Dave Hansen Cc: Alison Schofield Cc: Reinette Chatre Cc: Thomas Gleixner (Intel) Cc: Tom Lendacky Cc: Stefan Talpalaru Cc: David Woodhouse Cc: Benjamin Herrenschmidt Cc: Jonathan Corbet Cc: Rafael J. Wysocki Cc: Peter Zilstra (Intel) Cc: Andy Lutomirski Cc: Andrew Cooper Cc: Boris Ostrovsky Cc: Martin Pohlack --- arch/x86/kernel/cpu/microcode/intel.c | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/mi= crocode/intel.c index 98c92b9affa2..601c586be7b6 100644 --- a/arch/x86/kernel/cpu/microcode/intel.c +++ b/arch/x86/kernel/cpu/microcode/intel.c @@ -415,12 +415,6 @@ static int apply_microcode_early(struct ucode_cpu_info= *uci, bool early) =20 old_rev =3D rev; =20 - /* - * Writeback and invalidate caches before updating microcode to avoid - * internal issues depending on what the microcode is updating. - */ - native_wbinvd(); - /* write microcode via MSR 0x79 */ native_wrmsrl(MSR_IA32_UCODE_WRITE, (unsigned long)mc->bits); =20 @@ -632,12 +626,6 @@ static enum ucode_state apply_microcode_intel(int cpu) goto out; } =20 - /* - * Writeback and invalidate caches before updating microcode to avoid - * internal issues depending on what the microcode is updating. - */ - native_wbinvd(); - /* write microcode via MSR 0x79 */ wrmsrl(MSR_IA32_UCODE_WRITE, (unsigned long)mc->bits); =20 --=20 2.37.2 From nobody Sat Dec 13 23:02:21 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F2B6C636D3 for ; Mon, 30 Jan 2023 21:40:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230261AbjA3Vkj (ORCPT ); Mon, 30 Jan 2023 16:40:39 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57526 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230073AbjA3Vk1 (ORCPT ); Mon, 30 Jan 2023 16:40:27 -0500 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4995B3A848 for ; Mon, 30 Jan 2023 13:40:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1675114818; x=1706650818; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=iIQEszT1vO2aPTOWcm3Liobv4FND6X8rf9yqm6IiYKw=; b=I+8f5VlsB2TvnSZiS98a+BmZ65dKJr1JcSuBd5jDeJNHAt7F7qCqWoJN 1azwrfnwbVgvaR0EeP+por4b2eLJ9l2pl3creRONjdx9sMOklzmWnZOa4 44OWR+Q6p253THgFQMmjZwKe0csNiXwjblyP4xWpF0mbnIzTZcfL+ovk1 Bk32EHpv0EVKaNyTE4i43ripob/b8oLgjyFPtAjCbNzc9A4fab2FJP8vF 9/2LWnhTphtZqRQ2GUC/u8NSHAM3yF6sY7VjAyvtzte7k5AUpxIvH/FSU uPFCzRzPpg2bl8KoGJzErnnfk/EehDWekekb9GSogsSZaRhrHbtJoSoew Q==; X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="328955574" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="328955574" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:13 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10606"; a="696571882" X-IronPort-AV: E=Sophos;i="5.97,259,1669104000"; d="scan'208";a="696571882" Received: from araj-ucode.jf.intel.com ([10.23.0.19]) by orsmga001-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Jan 2023 13:40:13 -0800 From: Ashok Raj To: Borislav Petkov , Thomas Gleixner Cc: Ashok Raj , LKML , x86 , Ingo Molnar , Tony Luck , Dave Hansen , Alison Schofield , Reinette Chatre , Tom Lendacky , Stefan Talpalaru , David Woodhouse , Benjamin Herrenschmidt , Jonathan Corbet , "Rafael J . Wysocki" , Peter Zilstra , Andy Lutomirski , Andrew Cooper Subject: [Patch v3 Part2 9/9] x86/microcode: Provide an option to override minrev enforcement Date: Mon, 30 Jan 2023 13:39:55 -0800 Message-Id: <20230130213955.6046-10-ashok.raj@intel.com> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20230130213955.6046-1-ashok.raj@intel.com> References: <20230130213955.6046-1-ashok.raj@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Minimum Required Revision (minrev) is enforced strictly. All new patches will have a minrev that is not zero. But there might be a transition time for some that need this enforcement to be relaxed. When the override is enabled, the kernel will be tainted. Provide a debugfs variable to override the minrev enforcement. Signed-off-by: Ashok Raj Cc: LKML Cc: x86 Cc: Ingo Molnar Cc: Tony Luck Cc: Dave Hansen Cc: Alison Schofield Cc: Reinette Chatre Cc: Thomas Gleixner (Intel) Cc: Tom Lendacky Cc: Stefan Talpalaru Cc: David Woodhouse Cc: Benjamin Herrenschmidt Cc: Jonathan Corbet Cc: Rafael J. Wysocki Cc: Peter Zilstra (Intel) Cc: Andy Lutomirski Cc: Andrew Cooper --- arch/x86/include/asm/microcode.h | 2 ++ arch/x86/kernel/cpu/microcode/core.c | 15 +++++++++++++-- arch/x86/kernel/cpu/microcode/intel.c | 8 ++++++++ 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microc= ode.h index 3d48143e84a9..d82f22d50ebd 100644 --- a/arch/x86/include/asm/microcode.h +++ b/arch/x86/include/asm/microcode.h @@ -16,6 +16,8 @@ struct ucode_patch { =20 extern struct list_head microcode_cache; =20 +extern bool override_minrev; + struct cpu_signature { unsigned int sig; unsigned int pf; diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/mic= rocode/core.c index be5d70396b79..dbcccbd46ab8 100644 --- a/arch/x86/kernel/cpu/microcode/core.c +++ b/arch/x86/kernel/cpu/microcode/core.c @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -43,7 +44,9 @@ #define DRIVER_VERSION "2.2" =20 static struct microcode_ops *microcode_ops; +static struct dentry *dentry_ucode; static bool dis_ucode_ldr =3D true; +bool override_minrev; =20 bool initrd_gone; =20 @@ -494,7 +497,11 @@ static ssize_t reload_store(struct device *dev, pr_err("Attempting late microcode loading - it is dangerous and taints t= he kernel.\n"); pr_err("You should switch to early loading, if possible.\n"); ret =3D -EINVAL; - goto put; + + if (!override_minrev) + goto put; + + pr_info("Overriding minrev\n"); } =20 tmp_ret =3D microcode_ops->request_microcode_fw(bsp, µcode_pdev->dev= ); @@ -519,7 +526,7 @@ static ssize_t reload_store(struct device *dev, */ if (load_ret =3D=3D 0) { ret =3D size; - if (!safe_late_load) { + if (!safe_late_load || override_minrev) { add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK); pr_warn("Microcode late loading tainted the kernel\n"); } @@ -692,7 +699,11 @@ static int __init microcode_init(void) cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN, "x86/microcode:online", mc_cpu_online, mc_cpu_down_prep); =20 + dentry_ucode =3D debugfs_create_dir("microcode", NULL); + debugfs_create_bool("override_minrev", 0644, dentry_ucode, &override_minr= ev); + pr_info("Microcode Update Driver: v%s.", DRIVER_VERSION); + pr_info("Override minrev %s\n", override_minrev ? "enabled" : "disabled"); =20 return 0; =20 diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/mi= crocode/intel.c index 601c586be7b6..ec5a29ebee8e 100644 --- a/arch/x86/kernel/cpu/microcode/intel.c +++ b/arch/x86/kernel/cpu/microcode/intel.c @@ -139,6 +139,14 @@ static int is_lateload_safe(struct microcode_header_in= tel *mc_header) { struct ucode_cpu_info uci; =20 + /* + * If minrev is bypassed via debugfs, then allow late-load. + */ + if (override_minrev) { + pr_info("Bypassing minrev enforcement via debugfs\n"); + return 0; + } + /* * When late-loading, ensure the header declares a minimum revision * required to perform a late-load. --=20 2.37.2