[v1,Part2,2/5] x86/microcode/intel: Add minimum required revision to microcode header
Commit Message
In general users don't have the necessary information to determine
whether a late loading of a new microcode version has removed any feature
(MSR, CPUID etc) between what is currently loaded and this new microcode.
To address this issue, Intel has added a "minimum required version" field
to a previously reserved field in the file header. Microcode updates
should only be applied if the current microcode version is equal
to, or greater than this minimum required version.
Thomas made some suggestions[1] on how meta-data in the microcode file
could provide Linux with information to decide if the new microcode is
suitable candidate for late loading. But even the "simpler" option#1
requires a lot of metadata and corresponding kernel code to parse it.
The proposal here is an even simpler option. Simply "OS visible features"
such as CPUID and MSRs are the only two examples. The microcode must not
change these OS visible features because they cause problems after late
loading. When microcode changes features, microcode will change the min_rev
to prevent such microcodes from being late loaded.
Pseudo code for late loading is as follows:
if header.min_required_id == 0
This is old format microcode, block late loading
else if current_ucode_version < header.min_required_id
Current version is too old, block late loading of this microcode.
else
OK to proceed with late loading.
Any microcode that modifies the interface to an OS-visible feature
will set the min_version to itself. This will enforce this microcode is
not suitable for late loading unless the currently loaded revision is
greater or equal to the new microcode affecting the change.
The enforcement is not in hardware and limited to kernel loader enforcing
the requirement. It is not required for early loading of microcode to
enforce this requirement, since the new features are only
evaluated after early loading in the boot process.
Check if the new microcode specifies the minimum version for safe late
loading. Otherwise reject late load.
Test cases covered:
1. With new kernel, attempting to load an older format microcode with the
min_rev=0 should be blocked by kernel.
[ 210.541802] Late loading denied: Microcode header does not specify a
required min version.
2. New microcode with a non-zero min_rev in the header, but the specified
min_rev is greater than what is currently loaded in the CPU should be
blocked by kernel.
245.139828] microcode: Late loading denied: Current revision 0x8f685300 is too old to update, must be at 0xaa000050 version or higher. Use early loading instead.
3. New microcode with a min_rev < currently loaded should allow loading the
microcode
4. Build initrd with microcode that has min_rev=0, or min_rev > currently
loaded should permit early loading microcode from initrd.
[1] https://lore.kernel.org/linux-kernel/alpine.DEB.2.21.1909062237580.1902@nanos.tec.linutronix.de/
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
Cc: LKML <linux-kernel@vger.kernel.org>
Cc: x86 <x86@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Alison Schofield <alison.schofield@intel.com>
Cc: Reinette Chatre <reinette.chatre@intel.com>
Cc: Thomas Gleixner (Intel) <tglx@linutronix.de>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Stefan Talpalaru <stefantalpalaru@yahoo.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Rafael J. Wysocki <rafael@kernel.org>
Cc: Peter Zilstra (Intel) <peterz@infradead.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Andrew Cooper <Andrew.Cooper3@citrix.com>
---
arch/x86/include/asm/microcode_intel.h | 3 ++-
arch/x86/kernel/cpu/microcode/intel.c | 34 +++++++++++++++++++++++++-
2 files changed, 35 insertions(+), 2 deletions(-)
Comments
On Fri, Jan 13 2023 at 09:29, Ashok Raj wrote:
> In general users don't have the necessary information to determine
> whether a late loading of a new microcode version has removed any feature
> (MSR, CPUID etc) between what is currently loaded and this new microcode.
s/this new microcode/a newer microcode revision/
> To address this issue, Intel has added a "minimum required version" field
> to a previously reserved field in the file header. Microcode updates
s/file header/microcode header/ perhaps?
> should only be applied if the current microcode version is equal
> to, or greater than this minimum required version.
>
> Thomas made some suggestions[1] on how meta-data in the microcode file
> could provide Linux with information to decide if the new microcode is
> suitable candidate for late loading. But even the "simpler" option#1
> requires a lot of metadata and corresponding kernel code to parse it.
>
> The proposal here is an even simpler option.
IIRC this was also suggested by this Thomas dude, right?
> Simply "OS visible features" such as CPUID and MSRs are the only two
> examples. The microcode must not change these OS visible features
> because they cause problems after late loading. When microcode changes
> features, microcode will change the min_rev to prevent such microcodes
> from being late loaded.
>
> Pseudo code for late loading is as follows:
>
> if header.min_required_id == 0
> This is old format microcode, block late loading
> else if current_ucode_version < header.min_required_id
> Current version is too old, block late loading of this microcode.
> else
> OK to proceed with late loading.
>
> Any microcode that modifies the interface to an OS-visible feature
> will set the min_version to itself. This will enforce this microcode is
> not suitable for late loading unless the currently loaded revision is
> greater or equal to the new microcode affecting the change.
Up to this paragraph the changelog made sense.
If the currently loaded revision is the same as the to be loaded
revision, then there is nothing to do.
If the currently loaded revision is greater than the to be loaded
revision then it is not loaded as the kernel does not support
downgrading in the first place.
Even if it would support downgrading then this would be outright wrong
for this case:
Rev: 10
Min-Rev: 10
Rev: 20
Min-Rev: 20
If Rev 20 is loaded, then you absolutely cannot load Rev 10 because that
would have the reverse side effects due to which Rev 20 prevents late
loading.
See?
Thanks,
tglx
On Thu, Jan 19, 2023 at 11:03:14PM +0100, Thomas Gleixner wrote:
> On Fri, Jan 13 2023 at 09:29, Ashok Raj wrote:
> > In general users don't have the necessary information to determine
> > whether a late loading of a new microcode version has removed any feature
> > (MSR, CPUID etc) between what is currently loaded and this new microcode.
>
> s/this new microcode/a newer microcode revision/
Yes.
>
> > To address this issue, Intel has added a "minimum required version" field
> > to a previously reserved field in the file header. Microcode updates
>
> s/file header/microcode header/ perhaps?
Yep!
>
> > should only be applied if the current microcode version is equal
> > to, or greater than this minimum required version.
> >
> > Thomas made some suggestions[1] on how meta-data in the microcode file
> > could provide Linux with information to decide if the new microcode is
> > suitable candidate for late loading. But even the "simpler" option#1
> > requires a lot of metadata and corresponding kernel code to parse it.
> >
> > The proposal here is an even simpler option.
>
> IIRC this was also suggested by this Thomas dude, right?
Same dude.. might have been your twin :-)
I'll fix it.
>
> > Simply "OS visible features" such as CPUID and MSRs are the only two
> > examples. The microcode must not change these OS visible features
> > because they cause problems after late loading. When microcode changes
> > features, microcode will change the min_rev to prevent such microcodes
> > from being late loaded.
> >
> > Pseudo code for late loading is as follows:
> >
> > if header.min_required_id == 0
> > This is old format microcode, block late loading
> > else if current_ucode_version < header.min_required_id
> > Current version is too old, block late loading of this microcode.
> > else
> > OK to proceed with late loading.
> >
> > Any microcode that modifies the interface to an OS-visible feature
> > will set the min_version to itself. This will enforce this microcode is
> > not suitable for late loading unless the currently loaded revision is
> > greater or equal to the new microcode affecting the change.
>
> Up to this paragraph the changelog made sense.
>
> If the currently loaded revision is the same as the to be loaded
> revision, then there is nothing to do.
>
> If the currently loaded revision is greater than the to be loaded
> revision then it is not loaded as the kernel does not support
> downgrading in the first place.
>
> Even if it would support downgrading then this would be outright wrong
> for this case:
>
> Rev: 10
> Min-Rev: 10
>
> Rev: 20
> Min-Rev: 20
>
> If Rev 20 is loaded, then you absolutely cannot load Rev 10 because that
> would have the reverse side effects due to which Rev 20 prevents late
> loading.
>
> See?
Yes, that's accurate, and in sprit it works that way.
The current_rev > mc_hdr->rev is done in apply_microcode_intel() but I
suppose we could do that check early.
I didn't touch those parts to make sure only minimal changes were done and
we can do cleanup's later. I should certainly add a note to make sure we
aren't breaking the rev is always greater than what's in the CPU for
clarity.
I do have several cleanups lined up, but didn't want to hold the minrev and
the nmi series.
Cheers,
Ashok
@@ -15,7 +15,8 @@ struct microcode_header_intel {
unsigned int datasize;
unsigned int totalsize;
unsigned int metasize;
- unsigned int reserved[2];
+ unsigned int min_req_ver;
+ unsigned int reserved3;
};
struct microcode_intel {
@@ -137,6 +137,33 @@ static void save_microcode_patch(struct ucode_cpu_info *uci, void *data, unsigne
intel_ucode_patch = p->data;
}
+static int is_lateload_safe(struct microcode_header_intel *mc_header)
+{
+ struct ucode_cpu_info uci;
+
+ /*
+ * When late-loading, ensure the header declares a minimum revision
+ * required to perform a late-load.
+ */
+ if (!mc_header->min_req_ver) {
+ pr_warn("Late loading denied: Microcode header does not specify a required min version\n");
+ return -EINVAL;
+ }
+
+ intel_cpu_collect_info(&uci);
+
+ /*
+ * Enforce the minimum revision specified in the header is either
+ * greater or equal to the current revision.
+ */
+ if (uci.cpu_sig.rev < mc_header->min_req_ver) {
+ pr_warn("Late loading denied: Current revision 0x%x too old to update, must be at 0x%x or higher. Use early loading instead\n",
+ uci.cpu_sig.rev, mc_header->min_req_ver);
+ return -EINVAL;
+ }
+ return 0;
+}
+
/*
* Get microcode matching with BSP's model. Only CPUs with the same model as
* BSP can stay in the platform.
@@ -678,7 +705,9 @@ static enum ucode_state generic_load_microcode(int cpu, struct iov_iter *iter)
memcpy(mc, &mc_header, sizeof(mc_header));
data = mc + sizeof(mc_header);
if (!copy_from_iter_full(data, data_size, iter) ||
- intel_microcode_sanity_check(mc, true, MC_HEADER_TYPE_MICROCODE) < 0) {
+ intel_microcode_sanity_check(mc, true, MC_HEADER_TYPE_MICROCODE) < 0 ||
+ is_lateload_safe(&mc_header)) {
+ ret = UCODE_ERROR;
break;
}
@@ -701,6 +730,9 @@ static enum ucode_state generic_load_microcode(int cpu, struct iov_iter *iter)
return UCODE_ERROR;
}
+ if (ret == UCODE_ERROR)
+ return ret;
+
if (!new_mc)
return UCODE_NFOUND;