From patchwork Sat Aug 12 19:59:34 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Gleixner X-Patchwork-Id: 134952 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:b824:0:b0:3f2:4152:657d with SMTP id z4csp1898784vqi; Sat, 12 Aug 2023 14:14:33 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHr9nIWyRCKxWVlGaJkIMmHBJX6Tf4f6oMuhbYexEFFnAsxoxkvqjjfRjvBARXd5VMAZkV4 X-Received: by 2002:a05:6a00:1402:b0:687:5fdb:59ee with SMTP id l2-20020a056a00140200b006875fdb59eemr4739321pfu.12.1691874873187; Sat, 12 Aug 2023 14:14:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1691874873; cv=none; d=google.com; s=arc-20160816; b=Kd6caEne0DD0Kb6XijtBkwYGW+CYYprFsJljwvo/M0+tPMIv1PdMtEV6z+twH6dDlO xsc+jjh7hXYa92ApbZKjGPpeglyyxpf8QewImnclBezDbsGHveZ0k9tVqd+XRDsS3/Lq LZBqRf5kXhW56yG4eFEeMNsldFCT6nOvUCfTr5aYRXQjqWdvEQAQ+KJzaLXOxhTNlCAT BmTZkSVLVq175RyHCr1o8mXkTeoOQrOSzcZJeEflqZvv8QMRykIe4GMXWuLvnG3WdPUd cwAiKhFOqQPWHBD053mqB+u5a0ywOURXSlVxC2f4Ysyh41yyOt7Zh4a8jghkFYowDegP URsA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:date:mime-version:references:subject:cc:to:from :dkim-signature:dkim-signature:message-id; bh=w1SyTFpa9lrhJ4lGTg0lf2YQXOnASSGU3DRXcCp/oHw=; fh=yVae3u0BRTnDkPuniOcxLkA1wgvMDfOA8XxNsc4ELm4=; b=oZjXiO1fazj1e7yId6BNWNwvi9YDdYK83sJcsSqWVwtwBJxg3nT6J2SabAw98NmwqL b7ZlpLHaPxEfVleREpzcsGJFgMQXqbwqk4eamhzmzaNjVQ5CHTk7F1cdHPSGdcPM9vwa Dymen/99D0pk41dLiL9mmtd2R/Yp8UU+drCYavCddM1KBcGz56TbJRT7WMwA4fk0k599 ueZoJ3nuPPL1dC2P/ke+NrnUlqBDIZtCU6imX7Qv8RRRiIuHQZEBgU+aSgf30aTTcN26 3zleFM8bUYdMls0IrJQIGzWjEr+vrSwLMunL+cX55mQRO/ZQJvzjP/RYu9HhPgzYradH mfkw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=lkdpuxaI; dkim=neutral (no key) header.i=@linutronix.de; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y8-20020a056a00190800b006870c16c9d4si5546777pfi.123.2023.08.12.14.14.19; Sat, 12 Aug 2023 14:14:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=lkdpuxaI; dkim=neutral (no key) header.i=@linutronix.de; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231409AbjHLURG (ORCPT + 99 others); Sat, 12 Aug 2023 16:17:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41588 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230395AbjHLURE (ORCPT ); Sat, 12 Aug 2023 16:17:04 -0400 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8DDDC1BFD for ; Sat, 12 Aug 2023 13:16:46 -0700 (PDT) Message-ID: <20230812195729.693640265@linutronix.de> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1691870374; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=w1SyTFpa9lrhJ4lGTg0lf2YQXOnASSGU3DRXcCp/oHw=; b=lkdpuxaIgkKAw5/H2Cjjkkt3E9IS48OQmBpLVgwS6/4waEGKkgxjV5zag6Av25xXqGHls3 T+wg6tYpc1Q8KPV0KiL/kvbBkJZj3Pv+mEmIpUG0nw2OhxJ55Rx0F2SqhgvpZy0LYjQYgR 1LI2B5WVo/34ZrOAnr/H1WR/S3x3unOOz23bvMOMud5iPKI03OuSfKwH4pYd8nt6tmRbSI nyHzL4WVXcw7/a6NHGnNEmk/krmItPAOCUkgkM6nvbA7m5/V6gEhYucNFx2bHnJMH5jfj9 SpCSG4ZF26p21p60IjvgbhyZrfTyd4rZyYys0Ls0H/o1HHzCdmoBaRiLf4z7Yw== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1691870374; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=w1SyTFpa9lrhJ4lGTg0lf2YQXOnASSGU3DRXcCp/oHw=; b=QYYU2YXfHxQxYyLceD1EhSyLtOtNBnYmAgJCVOHPRNZaMURvzcwfUyLeAPdpLpH6V0hF6s GiTOI9G/SE/bbnAQ== From: Thomas Gleixner To: LKML Cc: x86@kernel.org, Borislav Petkov , Ashok Raj , Arjan van de Ven , Nikolay Borisov Subject: [patch V2 37/37] x86/microcode/intel: Add a minimum required revision for late-loads References: <20230812194003.682298127@linutronix.de> MIME-Version: 1.0 Date: Sat, 12 Aug 2023 21:59:34 +0200 (CEST) X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1774059386775586502 X-GMAIL-MSGID: 1774059386775586502 From: Ashok Raj In general users don't have the necessary information to determine whether late loading of a new microcode version is safe and does not modify anything which the currently running kernel uses already, e.g. removal of CPUID bits or behavioural changes of MSRs. To address this issue, Intel has added a "minimum required version" field to a previously reserved field in the microcode header. Microcode updates should only be applied if the current microcode version is equal to, or greater than this minimum required version. Thomas made some suggestions on how meta-data in the microcode file could provide Linux with information to decide if the new microcode is suitable candidate for late loading. But even the "simpler" option requires a lot of metadata and corresponding kernel code to parse it, so the final suggestion was to add the 'minimum required version' field in the header. When microcode changes visible features, microcode will set the minimum required version to its own revision which prevents late loading. Old microcode blobs have the minimum revision field always set to 0, which indicates that there is no information and the kernel considers it as unsafe. This is a pure OS software mechanism. The hardware/firmware ignores this header field. For early loading there is no restriction because OS visible features are enumerated after the early load and therefor a change has no effect. The check is always enabled, but by default not enforced. It can be enforced via Kconfig or kernel command line. If enforced, the kernel refuses to late load microcode with a minium required version field which is zero or when the currently loaded microcode revision is smaller than the minimum required revision. If not enforced the load happens independent of the revision check to stay compatible with the existing behaviour, but it influences the decision whether the kernel is tainted or not. If the check signals that the late load is safe, then the kernel is not tainted. Early loading is not affected by this. [ tglx: Massaged changelog and fixed up the implementation ] Suggested-by: Thomas Gleixner Signed-off-by: Ashok Raj Signed-off-by: Thomas Gleixner --- arch/x86/include/asm/microcode.h | 3 +- arch/x86/kernel/cpu/microcode/intel.c | 37 ++++++++++++++++++++++++++++++---- 2 files changed, 35 insertions(+), 5 deletions(-) --- --- a/arch/x86/include/asm/microcode.h +++ b/arch/x86/include/asm/microcode.h @@ -36,7 +36,8 @@ struct microcode_header_intel { unsigned int datasize; unsigned int totalsize; unsigned int metasize; - unsigned int reserved[2]; + unsigned int min_req_ver; + unsigned int reserved; }; struct microcode_intel { --- a/arch/x86/kernel/cpu/microcode/intel.c +++ b/arch/x86/kernel/cpu/microcode/intel.c @@ -544,16 +544,40 @@ static enum ucode_state apply_microcode_ return ret; } +static bool ucode_validate_minrev(struct microcode_header_intel *mc_header) +{ + int cur_rev = boot_cpu_data.microcode; + + /* + * When late-loading, ensure the header declares a minimum revision + * required to perform a late-load. The previously reserved field + * is 0 in older microcode blobs. + */ + if (!mc_header->min_req_ver) { + pr_info("Unsafe microcode update: Microcode header does not specify a required min version\n"); + return false; + } + + /* + * Check whether the minimum revision specified in the header is either + * greater or equal to the current revision. + */ + if (cur_rev < mc_header->min_req_ver) { + pr_info("Unsafe microcode update: Current revision 0x%x too old\n", cur_rev); + pr_info("Current should be at 0x%x or higher. Use early loading instead\n", mc_header->min_req_ver); + return false; + } + return true; +} + static enum ucode_state read_ucode_intel(int cpu, struct iov_iter *iter) { struct ucode_cpu_info *uci = ucode_cpu_info + cpu; unsigned int curr_mc_size = 0, new_mc_size = 0; + bool is_safe, new_is_safe = false; int cur_rev = uci->cpu_sig.rev; u8 *new_mc = NULL, *mc = NULL; - if (force_minrev) - return UCODE_NFOUND; - while (iov_iter_count(iter)) { struct microcode_header_intel mc_header; unsigned int mc_size, data_size; @@ -596,10 +620,15 @@ static enum ucode_state read_ucode_intel if (!intel_find_matching_signature(mc, &uci->cpu_sig)) continue; + is_safe = ucode_validate_minrev(&mc_header); + if (force_minrev && !is_safe) + continue; + kvfree(new_mc); cur_rev = mc_header.rev; new_mc = mc; new_mc_size = mc_size; + new_is_safe = is_safe; mc = NULL; } @@ -616,7 +645,7 @@ static enum ucode_state read_ucode_intel return UCODE_NFOUND; ucode_patch_late = (struct microcode_intel *)new_mc; - return UCODE_NEW; + return new_is_safe ? UCODE_NEW_SAFE : UCODE_NEW; fail: kvfree(mc);