Previously, per-package staging invocations and their associated state
data were established. The next step is to implement the actual staging
handler according to the specified protocol. Below are key aspects to
note:
(a) Each staging process must begin by resetting the staging hardware.
(b) The staging hardware processes up to a page-sized chunk of the
microcode image per iteration, requiring software to submit data
incrementally.
(c) Once a data chunk is processed, the hardware responds with an
offset in the image for the next chunk.
(d) The offset may indicate completion or request retransmission of an
already transferred chunk. As long as the total transferred data
remains within the predefined limit (twice the image size),
retransmissions should be acceptable.
With that, incorporate these code sequences to the staging handler:
1. Initialization: Map the MMIO space via ioremap(). Reset the staging
hardware and initialize software state, ensuring a fresh staging
process aligned with (a).
2. Processing Loop: Introduce a loop iterating over data chunk,
following (b), with proper termination conditions established from
(d) -- stop staging when the hardware signals completion, or if the
total transmitted data exceeds the predefined limit.
3. Loop Body: Finally, compose the loop body with two steps --
transmitting a data chunk and retrieving the next offset from the
hardware response, aligning with (b) and (c).
Since data transmission and mailbox format handling require additional
details, they are implemented separately in next changes.
Signed-off-by: Chang S. Bae <chang.seok.bae@intel.com>
Tested-by: Anselm Busse <abusse@amazon.de>
---
V2 -> V3:
* Rework code to eliminate global variables (Dave)
* Remove redundant variable resets (Chao)
V1 -> V2:
* Re-write the changelog for clarity (Dave).
* Move staging handling code into intel.c (Boris).
* Add extensive comments to clarify staging logic and hardware
interactions, along with function renaming (Dave).
---
arch/x86/kernel/cpu/microcode/intel.c | 120 +++++++++++++++++++++++++-
1 file changed, 116 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
index 36b426a90844..3eb3331c5012 100644
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -20,6 +20,8 @@
#include <linux/cpu.h>
#include <linux/uio.h>
#include <linux/mm.h>
+#include <linux/delay.h>
+#include <linux/io.h>
#include <asm/cpu_device_id.h>
#include <asm/processor.h>
@@ -33,6 +35,29 @@ static const char ucode_path[] = "kernel/x86/microcode/GenuineIntel.bin";
#define UCODE_BSP_LOADED ((struct microcode_intel *)0x1UL)
+/* Defines for the microcode staging mailbox interface */
+
+#define MBOX_REG_NUM 4
+#define MBOX_REG_SIZE sizeof(u32)
+
+#define MBOX_CONTROL_OFFSET 0x0
+#define MBOX_STATUS_OFFSET 0x4
+
+#define MASK_MBOX_CTRL_ABORT BIT(0)
+
+/*
+ * Each microcode image is divided into chunks, each at most
+ * MBOX_XACTION_SIZE in size. A 10-chunk image would typically require
+ * 10 transactions. However, the hardware managing the mailbox has
+ * limited resources and may not cache the entire image, potentially
+ * requesting the same chunk multiple times.
+ *
+ * To accommodate this behavior, allow up to twice the expected number of
+ * transactions (i.e., a 10-chunk image can take up to 20 attempts).
+ */
+#define MBOX_XACTION_SIZE PAGE_SIZE
+#define MBOX_XACTION_MAX(imgsz) ((imgsz) * 2)
+
/* Current microcode patch used in early patching on the APs. */
static struct microcode_intel *ucode_patch_va __read_mostly;
static struct microcode_intel *ucode_patch_late __read_mostly;
@@ -321,13 +346,100 @@ static __init struct microcode_intel *scan_microcode(void *data, size_t size,
}
/*
- * Handle the staging process using the mailbox MMIO interface.
- * Return the result state.
+ * Prepare for a new microcode transfer by resetting hardware and
+ * configuring microcode image info.
+ */
+static void init_stage(struct staging_state *ss)
+{
+ ss->ucode_ptr = ucode_patch_late;
+ ss->ucode_len = get_totalsize(&ucode_patch_late->hdr);
+
+ /*
+ * Abort any ongoing process, effectively resetting the device.
+ * Unlike regular mailbox data processing requests, this
+ * operation does not require a status check.
+ */
+ writel(MASK_MBOX_CTRL_ABORT, ss->mmio_base + MBOX_CONTROL_OFFSET);
+}
+
+/*
+ * Check if the staging process has completed. The hardware signals
+ * completion by setting a unique end offset.
+ */
+static inline bool is_stage_complete(unsigned int offset)
+{
+ return offset == UINT_MAX;
+}
+
+/*
+ * Determine if the next data chunk can be sent. Each chunk is typically
+ * one page unless the remaining data is smaller. If the total
+ * transmitted data exceeds the defined limit, a timeout occurs.
+ */
+static bool can_send_next_chunk(struct staging_state *ss)
+{
+ WARN_ON_ONCE(ss->ucode_len < ss->offset);
+ ss->chunk_size = min(MBOX_XACTION_SIZE, ss->ucode_len - ss->offset);
+
+ if (ss->bytes_sent + ss->chunk_size > MBOX_XACTION_MAX(ss->ucode_len)) {
+ ss->state = UCODE_TIMEOUT;
+ return false;
+ }
+ return true;
+}
+
+/*
+ * Transmit a chunk of the microcode image to the hardware.
+ * Return true if the chunk is processed successfully.
+ */
+static bool send_data_chunk(struct staging_state *ss)
+{
+ pr_debug_once("Staging mailbox loading code needs to be implemented.\n");
+ ss->state = UCODE_ERROR;
+ return false;
+}
+
+/*
+ * Retrieve the next offset from the hardware response.
+ * Return true if the response is valid, false otherwise.
+ */
+static bool fetch_next_offset(struct staging_state *ss)
+{
+ pr_debug_once("Staging mailbox response handling code needs to be implemented.\n\n");
+ ss->state = UCODE_ERROR;
+ return false;
+}
+
+/*
+ * Handle the staging process using the mailbox MMIO interface. The
+ * microcode image is transferred in chunks until completion. Return the
+ * result state.
*/
static enum ucode_state do_stage(u64 mmio_pa)
{
- pr_debug_once("Staging implementation is pending.\n");
- return UCODE_ERROR;
+ struct staging_state ss = {};
+
+ ss.mmio_base = ioremap(mmio_pa, MBOX_REG_NUM * MBOX_REG_SIZE);
+ if (WARN_ON_ONCE(!ss.mmio_base))
+ return UCODE_ERROR;
+
+ init_stage(&ss);
+
+ /* Perform the staging process while within the retry limit */
+ while (!is_stage_complete(ss.offset) && can_send_next_chunk(&ss)) {
+ /* Send a chunk of microcode each time: */
+ if (!send_data_chunk(&ss))
+ break;
+ /*
+ * Then, ask the hardware which piece of the image it
+ * needs next. The same piece may be sent more than once.
+ */
+ if (!fetch_next_offset(&ss))
+ break;
+ }
+
+ iounmap(ss.mmio_base);
+ return ss.state;
}
static void stage_microcode(void)
--
2.48.1> +/*
> + * Determine if the next data chunk can be sent. Each chunk is typically
> + * one page unless the remaining data is smaller. If the total
> + * transmitted data exceeds the defined limit, a timeout occurs.
> + */
This comment isn't really telling the whole story. It's not just
determining if the chunk can be sent, it's calculating it and filling it in.
> +static bool can_send_next_chunk(struct staging_state *ss)
> +{
> + WARN_ON_ONCE(ss->ucode_len < ss->offset);
Please don't WARN_ON() they can be fatal because of panic_on_warn. Also
I think this is the wrong spot for this. We should enforce this at the
time ss->offset is _established_ which is oddly enough in the next patch.
ss->offset = read_mbox_dword(ss->mmio_base);
if (ss->offset > ss->ucode_len)
// error out
> + ss->chunk_size = min(MBOX_XACTION_SIZE, ss->ucode_len - ss->offset);
It's a _little_ non-obvious that "can_send_next_chunk()" is also setting
->chunk_size. It would be easier to grok if it was something like:
ok = calc_next_chunk_size(&ss);
if (!ok)
// error out
> + if (ss->bytes_sent + ss->chunk_size > MBOX_XACTION_MAX(ss->ucode_len)) {
> + ss->state = UCODE_TIMEOUT;
> + return false;
> + }
"TIMEOUT" seems like an odd thing to call this failure. Can you explain
the choice of this error code a bit, please?
> +/*
> + * Handle the staging process using the mailbox MMIO interface. The
> + * microcode image is transferred in chunks until completion. Return the
> + * result state.
> */
> static enum ucode_state do_stage(u64 mmio_pa)
> {
> - pr_debug_once("Staging implementation is pending.\n");
> - return UCODE_ERROR;
> + struct staging_state ss = {};
> +
> + ss.mmio_base = ioremap(mmio_pa, MBOX_REG_NUM * MBOX_REG_SIZE);
> + if (WARN_ON_ONCE(!ss.mmio_base))
> + return UCODE_ERROR;
> +
> + init_stage(&ss);
> +
> + /* Perform the staging process while within the retry limit */
> + while (!is_stage_complete(ss.offset) && can_send_next_chunk(&ss)) {
> + /* Send a chunk of microcode each time: */
> + if (!send_data_chunk(&ss))
> + break;
> + /*
> + * Then, ask the hardware which piece of the image it
> + * needs next. The same piece may be sent more than once.
> + */
> + if (!fetch_next_offset(&ss))
> + break;
> + }
The return types here are a _bit_ wonky. The 'bool' returns make sense
for things like is_stage_complete(). But they don't look right for:
if (!send_data_chunk(&ss))
break;
where we'd typically use an -ERRNO and where 0 mean success. It would
look something like this:
while (!staging_is_complete(&ss)) {
err = send_data_chunk(&ss);
if (err)
break;
err = fetch_next_offset(&ss);
if (err)
break;
}
That's utterly unambiguous about the intent and what types the send and
fetch function _must_ have.
Note I also moved the can_send_next_chunk() call into
staging_is_complete(). I think that makes sense as well for the
top-level loop.
Previously, per-package staging invocations and their associated state
data were established. The next step is to implement the actual staging
handler according to the specified protocol. Below are key aspects to
note:
(a) Each staging process must begin by resetting the staging hardware.
(b) The staging hardware processes up to a page-sized chunk of the
microcode image per iteration, requiring software to submit data
incrementally.
(c) Once a data chunk is processed, the hardware responds with an
offset in the image for the next chunk.
(d) The offset may indicate completion or request retransmission of an
already transferred chunk. As long as the total transferred data
remains within the predefined limit (twice the image size),
retransmissions should be acceptable.
With that, incorporate these code sequences to the staging handler:
1. Initialization: Map the MMIO space via ioremap(). Reset the staging
hardware and initialize software state, ensuring a fresh staging
process aligned with (a).
2. Processing Loop: Introduce a loop iterating over data chunk,
following (b), with proper termination conditions established from
(d) -- stop staging when the hardware signals completion, or if the
total transmitted data exceeds the predefined limit.
3. Loop Body: Finally, compose the loop body with two steps --
transmitting a data chunk and retrieving the next offset from the
hardware response, aligning with (b) and (c).
Since data transmission and mailbox format handling require additional
details, they are implemented separately in next changes.
Signed-off-by: Chang S. Bae <chang.seok.bae@intel.com>
Tested-by: Anselm Busse <abusse@amazon.de>
---
V4 -> V4a:
* Convert helper functions to return error codes (Dave)
* Consolidate loop-control logic
* Refactor next-chunk calculation/check for clarity
* Remove offset sanity check (moved to next patch)
---
arch/x86/kernel/cpu/microcode/intel.c | 137 +++++++++++++++++++++++++-
1 file changed, 133 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
index 3ca22457d839..a1b13202330d 100644
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -20,6 +20,8 @@
#include <linux/cpu.h>
#include <linux/uio.h>
#include <linux/mm.h>
+#include <linux/delay.h>
+#include <linux/io.h>
#include <asm/cpu_device_id.h>
#include <asm/processor.h>
@@ -33,6 +35,16 @@ static const char ucode_path[] = "kernel/x86/microcode/GenuineIntel.bin";
#define UCODE_BSP_LOADED ((struct microcode_intel *)0x1UL)
+/* Defines for the microcode staging mailbox interface */
+
+#define MBOX_REG_NUM 4
+#define MBOX_REG_SIZE sizeof(u32)
+
+#define MBOX_CONTROL_OFFSET 0x0
+#define MBOX_STATUS_OFFSET 0x4
+
+#define MASK_MBOX_CTRL_ABORT BIT(0)
+
/* Current microcode patch used in early patching on the APs. */
static struct microcode_intel *ucode_patch_va __read_mostly;
static struct microcode_intel *ucode_patch_late __read_mostly;
@@ -319,13 +331,130 @@ static __init struct microcode_intel *scan_microcode(void *data, size_t size,
}
/*
- * Handle the staging process using the mailbox MMIO interface.
- * Return the result state.
+ * Prepare for a new microcode transfer: reset hardware and record the
+ * image size.
+ */
+static void init_stage(struct staging_state *ss)
+{
+ ss->ucode_len = get_totalsize(&ucode_patch_late->hdr);
+
+ /*
+ * Abort any ongoing process, effectively resetting the device.
+ * Unlike regular mailbox data processing requests, this
+ * operation does not require a status check.
+ */
+ writel(MASK_MBOX_CTRL_ABORT, ss->mmio_base + MBOX_CONTROL_OFFSET);
+}
+
+/*
+ * Return PAGE_SIZE, or remaining bytes if this is the final chunk
+ */
+static inline unsigned int calc_next_chunk_size(unsigned int ucode_len, unsigned int offset)
+{
+ return min(PAGE_SIZE, ucode_len - offset);
+}
+
+/*
+ * Update the chunk size and decide whether another chunk can be sent.
+ * This accounts for remaining data and retry limits.
+ */
+static bool can_send_next_chunk(struct staging_state *ss)
+{
+ ss->chunk_size = calc_next_chunk_size(ss->ucode_len, ss->offset);
+ /*
+ * Each microcode image is divided into chunks, each at most
+ * one page size. A 10-chunk image would typically require 10
+ * transactions.
+ *
+ * However, the hardware managing the mailbox has limited
+ * resources and may not cache the entire image, potentially
+ * requesting the same chunk multiple times.
+ *
+ * To tolerate this behavior, allow up to twice the expected
+ * number of transactions (i.e., a 10-chunk image can take up to
+ * 20 attempts).
+ *
+ * If the number of attempts exceeds this limit, the hardware is
+ * likely stuck and mark the state as timeout.
+ */
+ if (ss->bytes_sent + ss->chunk_size > ss->ucode_len * 2) {
+ ss->state = UCODE_TIMEOUT;
+ return false;
+ }
+
+ return true;
+}
+
+/*
+ * Determine whether staging is complete: either the hardware signaled
+ * the end offset, or no more transactions are permitted (retry limit
+ * reached).
+ */
+static inline bool staging_is_complete(struct staging_state *ss)
+{
+ return (ss->offset == UINT_MAX) || !can_send_next_chunk(ss);
+}
+
+/*
+ * Transmit a chunk of the microcode image to the hardware.
+ * Return 0 on success, or an error code on failure.
+ */
+static int send_data_chunk(struct staging_state *ss, void *ucode_ptr __maybe_unused)
+{
+ pr_debug_once("Staging mailbox loading code needs to be implemented.\n");
+ ss->state = UCODE_ERROR;
+ return -EPROTONOSUPPORT;
+}
+
+/*
+ * Retrieve the next offset from the hardware response.
+ * Return 0 on success, or an error code on failure.
+ */
+static int fetch_next_offset(struct staging_state *ss)
+{
+ pr_debug_once("Staging mailbox response handling code needs to be implemented.\n\n");
+ ss->state = UCODE_ERROR;
+ return -EPROTONOSUPPORT;
+}
+
+/*
+ * Handle the staging process using the mailbox MMIO interface. The
+ * microcode image is transferred in chunks until completion. Return the
+ * result state.
*/
static enum ucode_state do_stage(u64 mmio_pa)
{
- pr_debug_once("Staging implementation is pending.\n");
- return UCODE_ERROR;
+ struct staging_state ss = {};
+ int err;
+
+ ss.mmio_base = ioremap(mmio_pa, MBOX_REG_NUM * MBOX_REG_SIZE);
+ if (WARN_ON_ONCE(!ss.mmio_base))
+ return UCODE_ERROR;
+
+ init_stage(&ss);
+
+ /* Perform the staging process while within the retry limit */
+ while (!staging_is_complete(&ss)) {
+ /* Send a chunk of microcode each time: */
+ err = send_data_chunk(&ss, ucode_patch_late);
+ if (err)
+ break;
+ /*
+ * Then, ask the hardware which piece of the image it
+ * needs next. The same piece may be sent more than once.
+ */
+ err = fetch_next_offset(&ss);
+ if (err)
+ break;
+ }
+
+ iounmap(ss.mmio_base);
+
+ /*
+ * The helpers update ss.state on error. The final state is
+ * returned to the caller.
+ */
+ return ss.state;
}
static void stage_microcode(void)
--
2.48.1© 2016 - 2025 Red Hat, Inc.