2019-05-27 08:55:01 +02:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2005-04-16 15:20:36 -07:00
|
|
|
/*
|
2015-05-11 10:15:47 +02:00
|
|
|
* Intel CPU Microcode Update Driver for Linux
|
2005-04-16 15:20:36 -07:00
|
|
|
*
|
2017-05-12 15:46:44 -07:00
|
|
|
* Copyright (C) 2000-2006 Tigran Aivazian <aivazian.tigran@gmail.com>
|
2015-05-11 10:15:47 +02:00
|
|
|
* 2006 Shaohua Li <shaohua.li@intel.com>
|
2005-04-16 15:20:36 -07:00
|
|
|
*
|
2015-10-20 11:54:45 +02:00
|
|
|
* Intel CPU microcode early update for Linux
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2012 Fenghua Yu <fenghua.yu@intel.com>
|
|
|
|
|
* H Peter Anvin" <hpa@zytor.com>
|
2005-04-16 15:20:36 -07:00
|
|
|
*/
|
2015-10-20 11:54:46 +02:00
|
|
|
#define pr_fmt(fmt) "microcode: " fmt
|
2015-10-20 11:54:45 +02:00
|
|
|
#include <linux/earlycpio.h>
|
2009-03-11 11:19:46 +01:00
|
|
|
#include <linux/firmware.h>
|
|
|
|
|
#include <linux/uaccess.h>
|
2015-10-20 11:54:45 +02:00
|
|
|
#include <linux/initrd.h>
|
2009-03-11 11:19:46 +01:00
|
|
|
#include <linux/kernel.h>
|
2015-10-20 11:54:45 +02:00
|
|
|
#include <linux/slab.h>
|
|
|
|
|
#include <linux/cpu.h>
|
2019-04-04 13:11:28 +02:00
|
|
|
#include <linux/uio.h>
|
2015-10-20 11:54:45 +02:00
|
|
|
#include <linux/mm.h>
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2024-04-24 11:15:13 -07:00
|
|
|
#include <asm/cpu_device_id.h>
|
2009-03-11 11:19:46 +01:00
|
|
|
#include <asm/processor.h>
|
2015-10-20 11:54:45 +02:00
|
|
|
#include <asm/tlbflush.h>
|
|
|
|
|
#include <asm/setup.h>
|
2009-03-11 11:19:46 +01:00
|
|
|
#include <asm/msr.h>
|
2005-04-16 15:20:36 -07:00
|
|
|
|
2023-08-12 21:58:47 +02:00
|
|
|
#include "internal.h"
|
|
|
|
|
|
2016-10-25 11:55:21 +02:00
|
|
|
static const char ucode_path[] = "kernel/x86/microcode/GenuineIntel.bin";
|
2015-10-20 11:54:45 +02:00
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
#define UCODE_BSP_LOADED ((struct microcode_intel *)0x1UL)
|
|
|
|
|
|
2017-01-20 21:29:40 +01:00
|
|
|
/* Current microcode patch used in early patching on the APs. */
|
2023-10-02 13:59:43 +02:00
|
|
|
static struct microcode_intel *ucode_patch_va __read_mostly;
|
2023-10-02 13:59:44 +02:00
|
|
|
static struct microcode_intel *ucode_patch_late __read_mostly;
|
2016-06-06 17:10:42 +02:00
|
|
|
|
2018-01-23 11:41:32 +01:00
|
|
|
/* last level cache size per core */
|
2023-10-02 13:59:41 +02:00
|
|
|
static unsigned int llc_size_per_core __ro_after_init;
|
2018-01-23 11:41:32 +01:00
|
|
|
|
2023-08-12 21:58:41 +02:00
|
|
|
/* microcode format is extended from prescott processors */
|
|
|
|
|
struct extended_signature {
|
|
|
|
|
unsigned int sig;
|
|
|
|
|
unsigned int pf;
|
|
|
|
|
unsigned int cksum;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct extended_sigtable {
|
|
|
|
|
unsigned int count;
|
|
|
|
|
unsigned int cksum;
|
|
|
|
|
unsigned int reserved[3];
|
|
|
|
|
struct extended_signature sigs[];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
#define DEFAULT_UCODE_TOTALSIZE (DEFAULT_UCODE_DATASIZE + MC_HEADER_SIZE)
|
|
|
|
|
#define EXT_HEADER_SIZE (sizeof(struct extended_sigtable))
|
|
|
|
|
#define EXT_SIGNATURE_SIZE (sizeof(struct extended_signature))
|
|
|
|
|
|
|
|
|
|
static inline unsigned int get_totalsize(struct microcode_header_intel *hdr)
|
|
|
|
|
{
|
|
|
|
|
return hdr->datasize ? hdr->totalsize : DEFAULT_UCODE_TOTALSIZE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline unsigned int exttable_size(struct extended_sigtable *et)
|
|
|
|
|
{
|
|
|
|
|
return et->count * EXT_SIGNATURE_SIZE + EXT_HEADER_SIZE;
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-17 23:23:45 +02:00
|
|
|
void intel_collect_cpu_info(struct cpu_signature *sig)
|
2023-08-12 21:58:41 +02:00
|
|
|
{
|
2023-10-17 23:23:45 +02:00
|
|
|
sig->sig = cpuid_eax(1);
|
|
|
|
|
sig->pf = 0;
|
|
|
|
|
sig->rev = intel_get_microcode_revision();
|
2023-08-12 21:58:41 +02:00
|
|
|
|
2023-10-17 23:23:45 +02:00
|
|
|
if (x86_model(sig->sig) >= 5 || x86_family(sig->sig) > 6) {
|
|
|
|
|
unsigned int val[2];
|
2023-08-12 21:58:41 +02:00
|
|
|
|
|
|
|
|
/* get processor flags from MSR 0x17 */
|
|
|
|
|
native_rdmsr(MSR_IA32_PLATFORM_ID, val[0], val[1]);
|
2023-10-17 23:23:45 +02:00
|
|
|
sig->pf = 1 << ((val[1] >> 18) & 7);
|
2023-08-12 21:58:41 +02:00
|
|
|
}
|
|
|
|
|
}
|
2023-10-17 23:23:45 +02:00
|
|
|
EXPORT_SYMBOL_GPL(intel_collect_cpu_info);
|
2023-08-12 21:58:41 +02:00
|
|
|
|
2023-10-02 13:59:50 +02:00
|
|
|
static inline bool cpu_signatures_match(struct cpu_signature *s1, unsigned int sig2,
|
|
|
|
|
unsigned int pf2)
|
|
|
|
|
{
|
|
|
|
|
if (s1->sig != sig2)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
/* Processor flags are either both 0 or they intersect. */
|
|
|
|
|
return ((!s1->pf && !pf2) || (s1->pf & pf2));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool intel_find_matching_signature(void *mc, struct cpu_signature *sig)
|
2023-08-12 21:58:41 +02:00
|
|
|
{
|
|
|
|
|
struct microcode_header_intel *mc_hdr = mc;
|
|
|
|
|
struct extended_signature *ext_sig;
|
2023-10-02 13:59:50 +02:00
|
|
|
struct extended_sigtable *ext_hdr;
|
2023-08-12 21:58:41 +02:00
|
|
|
int i;
|
|
|
|
|
|
2023-10-02 13:59:50 +02:00
|
|
|
if (cpu_signatures_match(sig, mc_hdr->sig, mc_hdr->pf))
|
|
|
|
|
return true;
|
2023-08-12 21:58:41 +02:00
|
|
|
|
|
|
|
|
/* Look for ext. headers: */
|
2023-08-12 21:58:45 +02:00
|
|
|
if (get_totalsize(mc_hdr) <= intel_microcode_get_datasize(mc_hdr) + MC_HEADER_SIZE)
|
2023-10-02 13:59:50 +02:00
|
|
|
return false;
|
2023-08-12 21:58:41 +02:00
|
|
|
|
2023-08-12 21:58:45 +02:00
|
|
|
ext_hdr = mc + intel_microcode_get_datasize(mc_hdr) + MC_HEADER_SIZE;
|
2023-08-12 21:58:41 +02:00
|
|
|
ext_sig = (void *)ext_hdr + EXT_HEADER_SIZE;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < ext_hdr->count; i++) {
|
2023-10-02 13:59:50 +02:00
|
|
|
if (cpu_signatures_match(sig, ext_sig->sig, ext_sig->pf))
|
|
|
|
|
return true;
|
2023-08-12 21:58:41 +02:00
|
|
|
ext_sig++;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(intel_find_matching_signature);
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* intel_microcode_sanity_check() - Sanity check microcode file.
|
|
|
|
|
* @mc: Pointer to the microcode file contents.
|
|
|
|
|
* @print_err: Display failure reason if true, silent if false.
|
|
|
|
|
* @hdr_type: Type of file, i.e. normal microcode file or In Field Scan file.
|
|
|
|
|
* Validate if the microcode header type matches with the type
|
|
|
|
|
* specified here.
|
|
|
|
|
*
|
|
|
|
|
* Validate certain header fields and verify if computed checksum matches
|
|
|
|
|
* with the one specified in the header.
|
|
|
|
|
*
|
|
|
|
|
* Return: 0 if the file passes all the checks, -EINVAL if any of the checks
|
|
|
|
|
* fail.
|
|
|
|
|
*/
|
|
|
|
|
int intel_microcode_sanity_check(void *mc, bool print_err, int hdr_type)
|
|
|
|
|
{
|
|
|
|
|
unsigned long total_size, data_size, ext_table_size;
|
|
|
|
|
struct microcode_header_intel *mc_header = mc;
|
|
|
|
|
struct extended_sigtable *ext_header = NULL;
|
|
|
|
|
u32 sum, orig_sum, ext_sigcount = 0, i;
|
|
|
|
|
struct extended_signature *ext_sig;
|
|
|
|
|
|
|
|
|
|
total_size = get_totalsize(mc_header);
|
2023-08-12 21:58:45 +02:00
|
|
|
data_size = intel_microcode_get_datasize(mc_header);
|
2023-08-12 21:58:41 +02:00
|
|
|
|
|
|
|
|
if (data_size + MC_HEADER_SIZE > total_size) {
|
|
|
|
|
if (print_err)
|
|
|
|
|
pr_err("Error: bad microcode data file size.\n");
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (mc_header->ldrver != 1 || mc_header->hdrver != hdr_type) {
|
|
|
|
|
if (print_err)
|
|
|
|
|
pr_err("Error: invalid/unknown microcode update format. Header type %d\n",
|
|
|
|
|
mc_header->hdrver);
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ext_table_size = total_size - (MC_HEADER_SIZE + data_size);
|
|
|
|
|
if (ext_table_size) {
|
|
|
|
|
u32 ext_table_sum = 0;
|
|
|
|
|
u32 *ext_tablep;
|
|
|
|
|
|
|
|
|
|
if (ext_table_size < EXT_HEADER_SIZE ||
|
|
|
|
|
((ext_table_size - EXT_HEADER_SIZE) % EXT_SIGNATURE_SIZE)) {
|
|
|
|
|
if (print_err)
|
|
|
|
|
pr_err("Error: truncated extended signature table.\n");
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ext_header = mc + MC_HEADER_SIZE + data_size;
|
|
|
|
|
if (ext_table_size != exttable_size(ext_header)) {
|
|
|
|
|
if (print_err)
|
|
|
|
|
pr_err("Error: extended signature table size mismatch.\n");
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ext_sigcount = ext_header->count;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check extended table checksum: the sum of all dwords that
|
|
|
|
|
* comprise a valid table must be 0.
|
|
|
|
|
*/
|
|
|
|
|
ext_tablep = (u32 *)ext_header;
|
|
|
|
|
|
|
|
|
|
i = ext_table_size / sizeof(u32);
|
|
|
|
|
while (i--)
|
|
|
|
|
ext_table_sum += ext_tablep[i];
|
|
|
|
|
|
|
|
|
|
if (ext_table_sum) {
|
|
|
|
|
if (print_err)
|
|
|
|
|
pr_warn("Bad extended signature table checksum, aborting.\n");
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Calculate the checksum of update data and header. The checksum of
|
|
|
|
|
* valid update data and header including the extended signature table
|
|
|
|
|
* must be 0.
|
|
|
|
|
*/
|
|
|
|
|
orig_sum = 0;
|
|
|
|
|
i = (MC_HEADER_SIZE + data_size) / sizeof(u32);
|
|
|
|
|
while (i--)
|
|
|
|
|
orig_sum += ((u32 *)mc)[i];
|
|
|
|
|
|
|
|
|
|
if (orig_sum) {
|
|
|
|
|
if (print_err)
|
|
|
|
|
pr_err("Bad microcode data checksum, aborting.\n");
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!ext_table_size)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check extended signature checksum: 0 => valid.
|
|
|
|
|
*/
|
|
|
|
|
for (i = 0; i < ext_sigcount; i++) {
|
|
|
|
|
ext_sig = (void *)ext_header + EXT_HEADER_SIZE +
|
|
|
|
|
EXT_SIGNATURE_SIZE * i;
|
|
|
|
|
|
|
|
|
|
sum = (mc_header->sig + mc_header->pf + mc_header->cksum) -
|
|
|
|
|
(ext_sig->sig + ext_sig->pf + ext_sig->cksum);
|
|
|
|
|
if (sum) {
|
|
|
|
|
if (print_err)
|
|
|
|
|
pr_err("Bad extended signature checksum, aborting.\n");
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(intel_microcode_sanity_check);
|
|
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
static void update_ucode_pointer(struct microcode_intel *mc)
|
2015-10-20 11:54:45 +02:00
|
|
|
{
|
2023-10-02 13:59:45 +02:00
|
|
|
kvfree(ucode_patch_va);
|
2023-10-02 13:59:43 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Save the virtual address for early loading and for eventual free
|
|
|
|
|
* on late loading.
|
|
|
|
|
*/
|
|
|
|
|
ucode_patch_va = mc;
|
|
|
|
|
}
|
2017-06-14 16:06:26 +02:00
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
static void save_microcode_patch(struct microcode_intel *patch)
|
|
|
|
|
{
|
2023-10-02 13:59:45 +02:00
|
|
|
unsigned int size = get_totalsize(&patch->hdr);
|
2023-10-02 13:59:43 +02:00
|
|
|
struct microcode_intel *mc;
|
2017-08-25 12:04:56 +02:00
|
|
|
|
2023-10-02 13:59:45 +02:00
|
|
|
mc = kvmemdup(patch, size, GFP_KERNEL);
|
2023-10-02 13:59:43 +02:00
|
|
|
if (mc)
|
|
|
|
|
update_ucode_pointer(mc);
|
2023-10-02 13:59:45 +02:00
|
|
|
else
|
|
|
|
|
pr_err("Unable to allocate microcode memory size: %u\n", size);
|
2015-10-20 11:54:45 +02:00
|
|
|
}
|
|
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
/* Scan blob for microcode matching the boot CPUs family, model, stepping */
|
|
|
|
|
static __init struct microcode_intel *scan_microcode(void *data, size_t size,
|
|
|
|
|
struct ucode_cpu_info *uci,
|
|
|
|
|
bool save)
|
2015-10-20 11:54:45 +02:00
|
|
|
{
|
2016-02-03 12:33:43 +01:00
|
|
|
struct microcode_header_intel *mc_header;
|
2016-10-25 11:55:21 +02:00
|
|
|
struct microcode_intel *patch = NULL;
|
2023-10-17 23:23:33 +02:00
|
|
|
u32 cur_rev = uci->cpu_sig.rev;
|
2016-02-03 12:33:43 +01:00
|
|
|
unsigned int mc_size;
|
2015-10-20 11:54:45 +02:00
|
|
|
|
2023-10-02 13:59:39 +02:00
|
|
|
for (; size >= sizeof(struct microcode_header_intel); size -= mc_size, data += mc_size) {
|
2016-10-25 11:55:21 +02:00
|
|
|
mc_header = (struct microcode_header_intel *)data;
|
2015-10-20 11:54:45 +02:00
|
|
|
|
|
|
|
|
mc_size = get_totalsize(mc_header);
|
2023-10-17 23:23:33 +02:00
|
|
|
if (!mc_size || mc_size > size ||
|
2022-11-16 19:59:27 -08:00
|
|
|
intel_microcode_sanity_check(data, false, MC_HEADER_TYPE_MICROCODE) < 0)
|
2015-10-20 11:54:45 +02:00
|
|
|
break;
|
|
|
|
|
|
2023-10-02 13:59:50 +02:00
|
|
|
if (!intel_find_matching_signature(data, &uci->cpu_sig))
|
2015-10-20 11:54:45 +02:00
|
|
|
continue;
|
|
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
/*
|
|
|
|
|
* For saving the early microcode, find the matching revision which
|
|
|
|
|
* was loaded on the BSP.
|
|
|
|
|
*
|
|
|
|
|
* On the BSP during early boot, find a newer revision than
|
|
|
|
|
* actually loaded in the CPU.
|
|
|
|
|
*/
|
|
|
|
|
if (save) {
|
|
|
|
|
if (cur_rev != mc_header->rev)
|
|
|
|
|
continue;
|
|
|
|
|
} else if (cur_rev >= mc_header->rev) {
|
2023-10-02 13:59:39 +02:00
|
|
|
continue;
|
2023-10-02 13:59:43 +02:00
|
|
|
}
|
2015-10-20 11:54:45 +02:00
|
|
|
|
2016-10-25 11:55:21 +02:00
|
|
|
patch = data;
|
2023-10-17 23:23:33 +02:00
|
|
|
cur_rev = mc_header->rev;
|
2016-10-25 11:55:21 +02:00
|
|
|
}
|
2016-02-03 12:33:43 +01:00
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
return size ? NULL : patch;
|
2015-10-20 11:54:45 +02:00
|
|
|
}
|
|
|
|
|
|
2023-10-17 23:23:44 +02:00
|
|
|
static enum ucode_state __apply_microcode(struct ucode_cpu_info *uci,
|
|
|
|
|
struct microcode_intel *mc,
|
|
|
|
|
u32 *cur_rev)
|
2015-10-20 11:54:45 +02:00
|
|
|
{
|
2023-10-17 23:23:44 +02:00
|
|
|
u32 rev;
|
2015-10-20 11:54:45 +02:00
|
|
|
|
2016-02-03 12:33:37 +01:00
|
|
|
if (!mc)
|
2023-10-02 13:59:43 +02:00
|
|
|
return UCODE_NFOUND;
|
2015-10-20 11:54:45 +02:00
|
|
|
|
2018-02-28 11:28:41 +01:00
|
|
|
/*
|
|
|
|
|
* Save us the MSR write below - which is a particular expensive
|
|
|
|
|
* operation - when the other hyperthread has updated the microcode
|
|
|
|
|
* already.
|
|
|
|
|
*/
|
2023-10-17 23:23:44 +02:00
|
|
|
*cur_rev = intel_get_microcode_revision();
|
|
|
|
|
if (*cur_rev >= mc->hdr.rev) {
|
|
|
|
|
uci->cpu_sig.rev = *cur_rev;
|
2018-02-28 11:28:41 +01:00
|
|
|
return UCODE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2018-02-28 11:28:42 +01:00
|
|
|
/*
|
|
|
|
|
* Writeback and invalidate caches before updating microcode to avoid
|
|
|
|
|
* internal issues depending on what the microcode is updating.
|
|
|
|
|
*/
|
|
|
|
|
native_wbinvd();
|
|
|
|
|
|
2015-10-20 11:54:45 +02:00
|
|
|
/* write microcode via MSR 0x79 */
|
2016-02-03 12:33:40 +01:00
|
|
|
native_wrmsrl(MSR_IA32_UCODE_WRITE, (unsigned long)mc->bits);
|
2015-10-20 11:54:45 +02:00
|
|
|
|
2017-01-09 12:41:45 +01:00
|
|
|
rev = intel_get_microcode_revision();
|
|
|
|
|
if (rev != mc->hdr.rev)
|
2023-10-02 13:59:43 +02:00
|
|
|
return UCODE_ERROR;
|
2015-10-20 11:54:45 +02:00
|
|
|
|
2017-01-09 12:41:45 +01:00
|
|
|
uci->cpu_sig.rev = rev;
|
2023-10-02 13:59:43 +02:00
|
|
|
return UCODE_UPDATED;
|
2015-10-20 11:54:45 +02:00
|
|
|
}
|
|
|
|
|
|
2023-10-17 23:23:44 +02:00
|
|
|
static enum ucode_state apply_microcode_early(struct ucode_cpu_info *uci)
|
|
|
|
|
{
|
|
|
|
|
struct microcode_intel *mc = uci->mc;
|
2023-11-15 22:02:12 +01:00
|
|
|
u32 cur_rev;
|
|
|
|
|
|
|
|
|
|
return __apply_microcode(uci, mc, &cur_rev);
|
2023-10-17 23:23:44 +02:00
|
|
|
}
|
|
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
static __init bool load_builtin_intel_microcode(struct cpio_data *cp)
|
2023-10-02 13:59:41 +02:00
|
|
|
{
|
|
|
|
|
unsigned int eax = 1, ebx, ecx = 0, edx;
|
|
|
|
|
struct firmware fw;
|
|
|
|
|
char name[30];
|
|
|
|
|
|
|
|
|
|
if (IS_ENABLED(CONFIG_X86_32))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
native_cpuid(&eax, &ebx, &ecx, &edx);
|
|
|
|
|
|
|
|
|
|
sprintf(name, "intel-ucode/%02x-%02x-%02x",
|
|
|
|
|
x86_family(eax), x86_model(eax), x86_stepping(eax));
|
|
|
|
|
|
|
|
|
|
if (firmware_request_builtin(&fw, name)) {
|
|
|
|
|
cp->size = fw.size;
|
|
|
|
|
cp->data = (void *)fw.data;
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
static __init struct microcode_intel *get_microcode_blob(struct ucode_cpu_info *uci, bool save)
|
2015-10-20 11:54:45 +02:00
|
|
|
{
|
2016-10-25 11:55:21 +02:00
|
|
|
struct cpio_data cp;
|
2015-10-20 11:54:45 +02:00
|
|
|
|
2023-12-01 14:35:06 +01:00
|
|
|
intel_collect_cpu_info(&uci->cpu_sig);
|
|
|
|
|
|
2016-10-25 11:55:21 +02:00
|
|
|
if (!load_builtin_intel_microcode(&cp))
|
x86/microcode/32: Move early loading after paging enable
32-bit loads microcode before paging is enabled. The commit which
introduced that has zero justification in the changelog. The cover
letter has slightly more content, but it does not give any technical
justification either:
"The problem in current microcode loading method is that we load a
microcode way, way too late; ideally we should load it before turning
paging on. This may only be practical on 32 bits since we can't get
to 64-bit mode without paging on, but we should still do it as early
as at all possible."
Handwaving word salad with zero technical content.
Someone claimed in an offlist conversation that this is required for
curing the ATOM erratum AAE44/AAF40/AAG38/AAH41. That erratum requires
an microcode update in order to make the usage of PSE safe. But during
early boot, PSE is completely irrelevant and it is evaluated way later.
Neither is it relevant for the AP on single core HT enabled CPUs as the
microcode loading on the AP is not doing anything.
On dual core CPUs there is a theoretical problem if a split of an
executable large page between enabling paging including PSE and loading
the microcode happens. But that's only theoretical, it's practically
irrelevant because the affected dual core CPUs are 64bit enabled and
therefore have paging and PSE enabled before loading the microcode on
the second core. So why would it work on 64-bit but not on 32-bit?
The erratum:
"AAG38 Code Fetch May Occur to Incorrect Address After a Large Page is
Split Into 4-Kbyte Pages
Problem: If software clears the PS (page size) bit in a present PDE
(page directory entry), that will cause linear addresses mapped through
this PDE to use 4-KByte pages instead of using a large page after old
TLB entries are invalidated. Due to this erratum, if a code fetch uses
this PDE before the TLB entry for the large page is invalidated then it
may fetch from a different physical address than specified by either the
old large page translation or the new 4-KByte page translation. This
erratum may also cause speculative code fetches from incorrect addresses."
The practical relevance for this is exactly zero because there is no
splitting of large text pages during early boot-time, i.e. between paging
enable and microcode loading, and neither during CPU hotplug.
IOW, this load microcode before paging enable is yet another voodoo
programming solution in search of a problem. What's worse is that it causes
at least two serious problems:
1) When stackprotector is enabled, the microcode loader code has the
stackprotector mechanics enabled. The read from the per CPU variable
__stack_chk_guard is always accessing the virtual address either
directly on UP or via %fs on SMP. In physical address mode this
results in an access to memory above 3GB. So this works by chance as
the hardware returns the same value when there is no RAM at this
physical address. When there is RAM populated above 3G then the read
is by chance the same as nothing changes that memory during the very
early boot stage. That's not necessarily true during runtime CPU
hotplug.
2) When function tracing is enabled, the relevant microcode loader
functions and the functions invoked from there will call into the
tracing code and evaluate global and per CPU variables in physical
address mode. What could potentially go wrong?
Cure this and move the microcode loading after the early paging enable, use
the new temporary initrd mapping and remove the gunk in the microcode
loader which is required to handle physical address mode.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20231017211722.348298216@linutronix.de
2023-10-17 23:23:32 +02:00
|
|
|
cp = find_microcode_in_initrd(ucode_path);
|
2015-10-20 11:54:45 +02:00
|
|
|
|
2016-10-25 11:55:21 +02:00
|
|
|
if (!(cp.data && cp.size))
|
2023-10-02 13:59:43 +02:00
|
|
|
return NULL;
|
2015-10-20 11:54:45 +02:00
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
return scan_microcode(cp.data, cp.size, uci, save);
|
2016-10-25 11:55:21 +02:00
|
|
|
}
|
2016-06-06 17:10:42 +02:00
|
|
|
|
2016-10-25 11:55:21 +02:00
|
|
|
/*
|
2023-10-02 13:59:43 +02:00
|
|
|
* Invoked from an early init call to save the microcode blob which was
|
|
|
|
|
* selected during early boot when mm was not usable. The microcode must be
|
|
|
|
|
* saved because initrd is going away. It's an early init call so the APs
|
|
|
|
|
* just can use the pointer and do not have to scan initrd/builtin firmware
|
|
|
|
|
* again.
|
2016-10-25 11:55:21 +02:00
|
|
|
*/
|
2023-10-02 13:59:43 +02:00
|
|
|
static int __init save_builtin_microcode(void)
|
2016-10-25 11:55:21 +02:00
|
|
|
{
|
2023-10-02 13:59:43 +02:00
|
|
|
struct ucode_cpu_info uci;
|
2016-06-06 17:10:42 +02:00
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
if (xchg(&ucode_patch_va, NULL) != UCODE_BSP_LOADED)
|
|
|
|
|
return 0;
|
2016-06-06 17:10:42 +02:00
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
if (dis_ucode_ldr || boot_cpu_data.x86_vendor != X86_VENDOR_INTEL)
|
|
|
|
|
return 0;
|
2016-06-06 17:10:42 +02:00
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
uci.mc = get_microcode_blob(&uci, true);
|
|
|
|
|
if (uci.mc)
|
|
|
|
|
save_microcode_patch(uci.mc);
|
|
|
|
|
return 0;
|
2016-06-06 17:10:42 +02:00
|
|
|
}
|
2023-10-02 13:59:43 +02:00
|
|
|
early_initcall(save_builtin_microcode);
|
2016-06-06 17:10:42 +02:00
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
/* Load microcode on BSP from initrd or builtin blobs */
|
2023-11-15 22:02:12 +01:00
|
|
|
void __init load_ucode_intel_bsp(struct early_load_data *ed)
|
2015-10-20 11:54:45 +02:00
|
|
|
{
|
|
|
|
|
struct ucode_cpu_info uci;
|
|
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
uci.mc = get_microcode_blob(&uci, false);
|
2023-12-01 14:35:06 +01:00
|
|
|
ed->old_rev = uci.cpu_sig.rev;
|
2023-11-15 22:02:12 +01:00
|
|
|
|
2023-12-01 14:35:06 +01:00
|
|
|
if (uci.mc && apply_microcode_early(&uci) == UCODE_UPDATED) {
|
|
|
|
|
ucode_patch_va = UCODE_BSP_LOADED;
|
|
|
|
|
ed->new_rev = uci.cpu_sig.rev;
|
|
|
|
|
}
|
2015-10-20 11:54:45 +02:00
|
|
|
}
|
|
|
|
|
|
2016-10-25 11:55:21 +02:00
|
|
|
void load_ucode_intel_ap(void)
|
2015-10-20 11:54:45 +02:00
|
|
|
{
|
2016-10-25 11:55:21 +02:00
|
|
|
struct ucode_cpu_info uci;
|
2016-02-03 12:33:30 +01:00
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
uci.mc = ucode_patch_va;
|
|
|
|
|
if (uci.mc)
|
|
|
|
|
apply_microcode_early(&uci);
|
2015-10-20 11:54:45 +02:00
|
|
|
}
|
|
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
/* Reload microcode on resume */
|
2015-10-20 11:54:45 +02:00
|
|
|
void reload_ucode_intel(void)
|
|
|
|
|
{
|
2023-10-02 13:59:43 +02:00
|
|
|
struct ucode_cpu_info uci = { .mc = ucode_patch_va, };
|
2015-10-20 11:54:45 +02:00
|
|
|
|
2023-10-02 13:59:43 +02:00
|
|
|
if (uci.mc)
|
|
|
|
|
apply_microcode_early(&uci);
|
2015-10-20 11:54:45 +02:00
|
|
|
}
|
|
|
|
|
|
2008-08-20 00:22:26 +02:00
|
|
|
static int collect_cpu_info(int cpu_num, struct cpu_signature *csig)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
2023-10-02 13:59:49 +02:00
|
|
|
intel_collect_cpu_info(csig);
|
2008-08-20 00:22:26 +02:00
|
|
|
return 0;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
2023-10-17 23:23:44 +02:00
|
|
|
static enum ucode_state apply_microcode_late(int cpu)
|
2005-04-16 15:20:36 -07:00
|
|
|
{
|
2018-02-28 11:28:44 +01:00
|
|
|
struct ucode_cpu_info *uci = ucode_cpu_info + cpu;
|
2023-10-17 23:23:44 +02:00
|
|
|
struct microcode_intel *mc = ucode_patch_late;
|
2018-07-31 17:29:30 +02:00
|
|
|
enum ucode_state ret;
|
2023-10-17 23:23:44 +02:00
|
|
|
u32 cur_rev;
|
2009-03-11 11:19:46 +01:00
|
|
|
|
2023-10-17 23:23:44 +02:00
|
|
|
if (WARN_ON_ONCE(smp_processor_id() != cpu))
|
2018-02-16 12:26:38 +01:00
|
|
|
return UCODE_ERROR;
|
2006-09-27 01:50:51 -07:00
|
|
|
|
2023-10-17 23:23:44 +02:00
|
|
|
ret = __apply_microcode(uci, mc, &cur_rev);
|
|
|
|
|
if (ret != UCODE_UPDATED && ret != UCODE_OK)
|
|
|
|
|
return ret;
|
2012-12-20 23:44:22 -08:00
|
|
|
|
2023-10-17 23:23:44 +02:00
|
|
|
cpu_data(cpu).microcode = uci->cpu_sig.rev;
|
|
|
|
|
if (!cpu)
|
|
|
|
|
boot_cpu_data.microcode = uci->cpu_sig.rev;
|
2018-07-31 07:27:39 -04:00
|
|
|
|
2018-07-31 17:29:30 +02:00
|
|
|
return ret;
|
2005-04-16 15:20:36 -07:00
|
|
|
}
|
|
|
|
|
|
x86/microcode/intel: Add a minimum required revision for late loading
In general users, don't have the necessary information to determine
whether late loading of a new microcode version is safe and does not
modify anything which the currently running kernel uses already, e.g.
removal of CPUID bits or behavioural changes of MSRs.
To address this issue, Intel has added a "minimum required version"
field to a previously reserved field in the microcode header. Microcode
updates should only be applied if the current microcode version is equal
to, or greater than this minimum required version.
Thomas made some suggestions on how meta-data in the microcode file could
provide Linux with information to decide if the new microcode is suitable
candidate for late loading. But even the "simpler" option requires a lot of
metadata and corresponding kernel code to parse it, so the final suggestion
was to add the 'minimum required version' field in the header.
When microcode changes visible features, microcode will set the minimum
required version to its own revision which prevents late loading.
Old microcode blobs have the minimum revision field always set to 0, which
indicates that there is no information and the kernel considers it
unsafe.
This is a pure OS software mechanism. The hardware/firmware ignores this
header field.
For early loading there is no restriction because OS visible features
are enumerated after the early load and therefore a change has no
effect.
The check is always enabled, but by default not enforced. It can be
enforced via Kconfig or kernel command line.
If enforced, the kernel refuses to late load microcode with a minimum
required version field which is zero or when the currently loaded
microcode revision is smaller than the minimum required revision.
If not enforced the load happens independent of the revision check to
stay compatible with the existing behaviour, but it influences the
decision whether the kernel is tainted or not. If the check signals that
the late load is safe, then the kernel is not tainted.
Early loading is not affected by this.
[ tglx: Massaged changelog and fixed up the implementation ]
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20231002115903.776467264@linutronix.de
2023-10-02 14:00:11 +02:00
|
|
|
static bool ucode_validate_minrev(struct microcode_header_intel *mc_header)
|
|
|
|
|
{
|
|
|
|
|
int cur_rev = boot_cpu_data.microcode;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* When late-loading, ensure the header declares a minimum revision
|
|
|
|
|
* required to perform a late-load. The previously reserved field
|
|
|
|
|
* is 0 in older microcode blobs.
|
|
|
|
|
*/
|
|
|
|
|
if (!mc_header->min_req_ver) {
|
|
|
|
|
pr_info("Unsafe microcode update: Microcode header does not specify a required min version\n");
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check whether the current revision is either greater or equal to
|
|
|
|
|
* to the minimum revision specified in the header.
|
|
|
|
|
*/
|
|
|
|
|
if (cur_rev < mc_header->min_req_ver) {
|
|
|
|
|
pr_info("Unsafe microcode update: Current revision 0x%x too old\n", cur_rev);
|
|
|
|
|
pr_info("Current should be at 0x%x or higher. Use early loading instead\n", mc_header->min_req_ver);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-02 13:59:40 +02:00
|
|
|
static enum ucode_state parse_microcode_blobs(int cpu, struct iov_iter *iter)
|
2006-09-27 01:50:51 -07:00
|
|
|
{
|
2008-09-11 23:27:52 +02:00
|
|
|
struct ucode_cpu_info *uci = ucode_cpu_info + cpu;
|
x86/microcode/intel: Add a minimum required revision for late loading
In general users, don't have the necessary information to determine
whether late loading of a new microcode version is safe and does not
modify anything which the currently running kernel uses already, e.g.
removal of CPUID bits or behavioural changes of MSRs.
To address this issue, Intel has added a "minimum required version"
field to a previously reserved field in the microcode header. Microcode
updates should only be applied if the current microcode version is equal
to, or greater than this minimum required version.
Thomas made some suggestions on how meta-data in the microcode file could
provide Linux with information to decide if the new microcode is suitable
candidate for late loading. But even the "simpler" option requires a lot of
metadata and corresponding kernel code to parse it, so the final suggestion
was to add the 'minimum required version' field in the header.
When microcode changes visible features, microcode will set the minimum
required version to its own revision which prevents late loading.
Old microcode blobs have the minimum revision field always set to 0, which
indicates that there is no information and the kernel considers it
unsafe.
This is a pure OS software mechanism. The hardware/firmware ignores this
header field.
For early loading there is no restriction because OS visible features
are enumerated after the early load and therefore a change has no
effect.
The check is always enabled, but by default not enforced. It can be
enforced via Kconfig or kernel command line.
If enforced, the kernel refuses to late load microcode with a minimum
required version field which is zero or when the currently loaded
microcode revision is smaller than the minimum required revision.
If not enforced the load happens independent of the revision check to
stay compatible with the existing behaviour, but it influences the
decision whether the kernel is tainted or not. If the check signals that
the late load is safe, then the kernel is not tainted.
Early loading is not affected by this.
[ tglx: Massaged changelog and fixed up the implementation ]
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20231002115903.776467264@linutronix.de
2023-10-02 14:00:11 +02:00
|
|
|
bool is_safe, new_is_safe = false;
|
2023-10-02 13:59:40 +02:00
|
|
|
int cur_rev = uci->cpu_sig.rev;
|
2023-10-02 13:59:43 +02:00
|
|
|
unsigned int curr_mc_size = 0;
|
2019-04-04 13:11:28 +02:00
|
|
|
u8 *new_mc = NULL, *mc = NULL;
|
2006-09-27 01:50:51 -07:00
|
|
|
|
2019-04-04 13:11:28 +02:00
|
|
|
while (iov_iter_count(iter)) {
|
2008-09-11 23:27:52 +02:00
|
|
|
struct microcode_header_intel mc_header;
|
2019-04-04 13:11:28 +02:00
|
|
|
unsigned int mc_size, data_size;
|
|
|
|
|
u8 *data;
|
2006-09-27 01:50:51 -07:00
|
|
|
|
2019-04-04 13:11:28 +02:00
|
|
|
if (!copy_from_iter_full(&mc_header, sizeof(mc_header), iter)) {
|
|
|
|
|
pr_err("error! Truncated or inaccessible header in microcode data file\n");
|
2023-10-02 13:59:45 +02:00
|
|
|
goto fail;
|
2015-02-03 13:00:24 +01:00
|
|
|
}
|
|
|
|
|
|
2008-09-11 23:27:52 +02:00
|
|
|
mc_size = get_totalsize(&mc_header);
|
2019-04-04 13:11:28 +02:00
|
|
|
if (mc_size < sizeof(mc_header)) {
|
|
|
|
|
pr_err("error! Bad data in microcode data file (totalsize too small)\n");
|
2023-10-02 13:59:45 +02:00
|
|
|
goto fail;
|
2019-04-04 13:11:28 +02:00
|
|
|
}
|
|
|
|
|
data_size = mc_size - sizeof(mc_header);
|
|
|
|
|
if (data_size > iov_iter_count(iter)) {
|
|
|
|
|
pr_err("error! Bad data in microcode data file (truncated file?)\n");
|
2023-10-02 13:59:45 +02:00
|
|
|
goto fail;
|
2008-09-11 23:27:52 +02:00
|
|
|
}
|
2006-09-27 01:50:52 -07:00
|
|
|
|
2010-03-05 11:42:03 -06:00
|
|
|
/* For performance reasons, reuse mc area when possible */
|
|
|
|
|
if (!mc || mc_size > curr_mc_size) {
|
2023-10-02 13:59:45 +02:00
|
|
|
kvfree(mc);
|
|
|
|
|
mc = kvmalloc(mc_size, GFP_KERNEL);
|
2010-03-05 11:42:03 -06:00
|
|
|
if (!mc)
|
2023-10-02 13:59:45 +02:00
|
|
|
goto fail;
|
2010-03-05 11:42:03 -06:00
|
|
|
curr_mc_size = mc_size;
|
|
|
|
|
}
|
2008-09-11 23:27:52 +02:00
|
|
|
|
2019-04-04 13:11:28 +02:00
|
|
|
memcpy(mc, &mc_header, sizeof(mc_header));
|
|
|
|
|
data = mc + sizeof(mc_header);
|
|
|
|
|
if (!copy_from_iter_full(data, data_size, iter) ||
|
2023-10-02 13:59:45 +02:00
|
|
|
intel_microcode_sanity_check(mc, true, MC_HEADER_TYPE_MICROCODE) < 0)
|
|
|
|
|
goto fail;
|
2008-09-11 23:27:52 +02:00
|
|
|
|
2023-10-02 13:59:40 +02:00
|
|
|
if (cur_rev >= mc_header.rev)
|
|
|
|
|
continue;
|
|
|
|
|
|
2023-10-02 13:59:50 +02:00
|
|
|
if (!intel_find_matching_signature(mc, &uci->cpu_sig))
|
2023-10-02 13:59:40 +02:00
|
|
|
continue;
|
|
|
|
|
|
x86/microcode/intel: Add a minimum required revision for late loading
In general users, don't have the necessary information to determine
whether late loading of a new microcode version is safe and does not
modify anything which the currently running kernel uses already, e.g.
removal of CPUID bits or behavioural changes of MSRs.
To address this issue, Intel has added a "minimum required version"
field to a previously reserved field in the microcode header. Microcode
updates should only be applied if the current microcode version is equal
to, or greater than this minimum required version.
Thomas made some suggestions on how meta-data in the microcode file could
provide Linux with information to decide if the new microcode is suitable
candidate for late loading. But even the "simpler" option requires a lot of
metadata and corresponding kernel code to parse it, so the final suggestion
was to add the 'minimum required version' field in the header.
When microcode changes visible features, microcode will set the minimum
required version to its own revision which prevents late loading.
Old microcode blobs have the minimum revision field always set to 0, which
indicates that there is no information and the kernel considers it
unsafe.
This is a pure OS software mechanism. The hardware/firmware ignores this
header field.
For early loading there is no restriction because OS visible features
are enumerated after the early load and therefore a change has no
effect.
The check is always enabled, but by default not enforced. It can be
enforced via Kconfig or kernel command line.
If enforced, the kernel refuses to late load microcode with a minimum
required version field which is zero or when the currently loaded
microcode revision is smaller than the minimum required revision.
If not enforced the load happens independent of the revision check to
stay compatible with the existing behaviour, but it influences the
decision whether the kernel is tainted or not. If the check signals that
the late load is safe, then the kernel is not tainted.
Early loading is not affected by this.
[ tglx: Massaged changelog and fixed up the implementation ]
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20231002115903.776467264@linutronix.de
2023-10-02 14:00:11 +02:00
|
|
|
is_safe = ucode_validate_minrev(&mc_header);
|
|
|
|
|
if (force_minrev && !is_safe)
|
|
|
|
|
continue;
|
|
|
|
|
|
2023-10-02 13:59:45 +02:00
|
|
|
kvfree(new_mc);
|
2023-10-02 13:59:40 +02:00
|
|
|
cur_rev = mc_header.rev;
|
|
|
|
|
new_mc = mc;
|
x86/microcode/intel: Add a minimum required revision for late loading
In general users, don't have the necessary information to determine
whether late loading of a new microcode version is safe and does not
modify anything which the currently running kernel uses already, e.g.
removal of CPUID bits or behavioural changes of MSRs.
To address this issue, Intel has added a "minimum required version"
field to a previously reserved field in the microcode header. Microcode
updates should only be applied if the current microcode version is equal
to, or greater than this minimum required version.
Thomas made some suggestions on how meta-data in the microcode file could
provide Linux with information to decide if the new microcode is suitable
candidate for late loading. But even the "simpler" option requires a lot of
metadata and corresponding kernel code to parse it, so the final suggestion
was to add the 'minimum required version' field in the header.
When microcode changes visible features, microcode will set the minimum
required version to its own revision which prevents late loading.
Old microcode blobs have the minimum revision field always set to 0, which
indicates that there is no information and the kernel considers it
unsafe.
This is a pure OS software mechanism. The hardware/firmware ignores this
header field.
For early loading there is no restriction because OS visible features
are enumerated after the early load and therefore a change has no
effect.
The check is always enabled, but by default not enforced. It can be
enforced via Kconfig or kernel command line.
If enforced, the kernel refuses to late load microcode with a minimum
required version field which is zero or when the currently loaded
microcode revision is smaller than the minimum required revision.
If not enforced the load happens independent of the revision check to
stay compatible with the existing behaviour, but it influences the
decision whether the kernel is tainted or not. If the check signals that
the late load is safe, then the kernel is not tainted.
Early loading is not affected by this.
[ tglx: Massaged changelog and fixed up the implementation ]
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20231002115903.776467264@linutronix.de
2023-10-02 14:00:11 +02:00
|
|
|
new_is_safe = is_safe;
|
2023-10-02 13:59:40 +02:00
|
|
|
mc = NULL;
|
2006-09-27 01:50:52 -07:00
|
|
|
}
|
|
|
|
|
|
2023-10-02 13:59:45 +02:00
|
|
|
if (iov_iter_count(iter))
|
|
|
|
|
goto fail;
|
2009-03-11 11:19:46 +01:00
|
|
|
|
2023-10-02 13:59:45 +02:00
|
|
|
kvfree(mc);
|
2016-10-25 11:55:13 +02:00
|
|
|
if (!new_mc)
|
|
|
|
|
return UCODE_NFOUND;
|
2008-09-11 23:27:52 +02:00
|
|
|
|
2023-10-02 13:59:44 +02:00
|
|
|
ucode_patch_late = (struct microcode_intel *)new_mc;
|
x86/microcode/intel: Add a minimum required revision for late loading
In general users, don't have the necessary information to determine
whether late loading of a new microcode version is safe and does not
modify anything which the currently running kernel uses already, e.g.
removal of CPUID bits or behavioural changes of MSRs.
To address this issue, Intel has added a "minimum required version"
field to a previously reserved field in the microcode header. Microcode
updates should only be applied if the current microcode version is equal
to, or greater than this minimum required version.
Thomas made some suggestions on how meta-data in the microcode file could
provide Linux with information to decide if the new microcode is suitable
candidate for late loading. But even the "simpler" option requires a lot of
metadata and corresponding kernel code to parse it, so the final suggestion
was to add the 'minimum required version' field in the header.
When microcode changes visible features, microcode will set the minimum
required version to its own revision which prevents late loading.
Old microcode blobs have the minimum revision field always set to 0, which
indicates that there is no information and the kernel considers it
unsafe.
This is a pure OS software mechanism. The hardware/firmware ignores this
header field.
For early loading there is no restriction because OS visible features
are enumerated after the early load and therefore a change has no
effect.
The check is always enabled, but by default not enforced. It can be
enforced via Kconfig or kernel command line.
If enforced, the kernel refuses to late load microcode with a minimum
required version field which is zero or when the currently loaded
microcode revision is smaller than the minimum required revision.
If not enforced the load happens independent of the revision check to
stay compatible with the existing behaviour, but it influences the
decision whether the kernel is tainted or not. If the check signals that
the late load is safe, then the kernel is not tainted.
Early loading is not affected by this.
[ tglx: Massaged changelog and fixed up the implementation ]
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20231002115903.776467264@linutronix.de
2023-10-02 14:00:11 +02:00
|
|
|
return new_is_safe ? UCODE_NEW_SAFE : UCODE_NEW;
|
2023-10-02 13:59:45 +02:00
|
|
|
|
|
|
|
|
fail:
|
|
|
|
|
kvfree(mc);
|
|
|
|
|
kvfree(new_mc);
|
|
|
|
|
return UCODE_ERROR;
|
2006-09-27 01:50:52 -07:00
|
|
|
}
|
|
|
|
|
|
2017-10-18 13:12:25 +02:00
|
|
|
static bool is_blacklisted(unsigned int cpu)
|
|
|
|
|
{
|
|
|
|
|
struct cpuinfo_x86 *c = &cpu_data(cpu);
|
|
|
|
|
|
2018-01-01 10:04:47 +08:00
|
|
|
/*
|
|
|
|
|
* Late loading on model 79 with microcode revision less than 0x0b000021
|
2018-01-23 11:41:32 +01:00
|
|
|
* and LLC size per core bigger than 2.5MB may result in a system hang.
|
|
|
|
|
* This behavior is documented in item BDF90, #334165 (Intel Xeon
|
|
|
|
|
* Processor E7-8800/4800 v4 Product Family).
|
2018-01-01 10:04:47 +08:00
|
|
|
*/
|
2024-04-24 11:15:13 -07:00
|
|
|
if (c->x86_vfm == INTEL_BROADWELL_X &&
|
2018-01-01 09:52:10 +08:00
|
|
|
c->x86_stepping == 0x01 &&
|
2018-01-23 11:41:32 +01:00
|
|
|
llc_size_per_core > 2621440 &&
|
2018-01-01 10:04:47 +08:00
|
|
|
c->microcode < 0x0b000021) {
|
|
|
|
|
pr_err_once("Erratum BDF90: late loading with revision < 0x0b000021 (0x%x) disabled.\n", c->microcode);
|
|
|
|
|
pr_err_once("Please consider either early loading through initrd/built-in or a potential BIOS update.\n");
|
2017-10-18 13:12:25 +02:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-19 19:16:20 +02:00
|
|
|
static enum ucode_state request_microcode_fw(int cpu, struct device *device)
|
2006-09-27 01:50:52 -07:00
|
|
|
{
|
2007-10-19 20:35:04 +02:00
|
|
|
struct cpuinfo_x86 *c = &cpu_data(cpu);
|
2006-09-27 01:50:52 -07:00
|
|
|
const struct firmware *firmware;
|
2019-04-04 13:11:28 +02:00
|
|
|
struct iov_iter iter;
|
2009-05-11 23:48:27 +02:00
|
|
|
enum ucode_state ret;
|
2019-04-04 13:11:28 +02:00
|
|
|
struct kvec kvec;
|
|
|
|
|
char name[30];
|
2006-09-27 01:50:52 -07:00
|
|
|
|
2017-10-18 13:12:25 +02:00
|
|
|
if (is_blacklisted(cpu))
|
|
|
|
|
return UCODE_NFOUND;
|
|
|
|
|
|
2008-07-28 18:44:17 +02:00
|
|
|
sprintf(name, "intel-ucode/%02x-%02x-%02x",
|
2018-01-01 09:52:10 +08:00
|
|
|
c->x86, c->x86_model, c->x86_stepping);
|
2009-05-11 23:48:27 +02:00
|
|
|
|
2013-12-02 15:38:17 +01:00
|
|
|
if (request_firmware_direct(&firmware, name, device)) {
|
2009-12-08 22:30:50 -08:00
|
|
|
pr_debug("data file %s load failed\n", name);
|
2009-05-11 23:48:27 +02:00
|
|
|
return UCODE_NFOUND;
|
2006-09-27 01:50:52 -07:00
|
|
|
}
|
2008-09-11 23:27:52 +02:00
|
|
|
|
2019-04-04 13:11:28 +02:00
|
|
|
kvec.iov_base = (void *)firmware->data;
|
|
|
|
|
kvec.iov_len = firmware->size;
|
2022-09-15 20:25:47 -04:00
|
|
|
iov_iter_kvec(&iter, ITER_SOURCE, &kvec, 1, firmware->size);
|
2023-10-02 13:59:40 +02:00
|
|
|
ret = parse_microcode_blobs(cpu, &iter);
|
2008-09-11 23:27:52 +02:00
|
|
|
|
2006-09-27 01:50:52 -07:00
|
|
|
release_firmware(firmware);
|
|
|
|
|
|
2008-09-11 23:27:52 +02:00
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-02 13:59:44 +02:00
|
|
|
static void finalize_late_load(int result)
|
|
|
|
|
{
|
|
|
|
|
if (!result)
|
2023-10-02 13:59:45 +02:00
|
|
|
update_ucode_pointer(ucode_patch_late);
|
|
|
|
|
else
|
|
|
|
|
kvfree(ucode_patch_late);
|
2023-10-02 13:59:44 +02:00
|
|
|
ucode_patch_late = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2008-11-23 20:49:52 +01:00
|
|
|
static struct microcode_ops microcode_intel_ops = {
|
2023-10-02 13:59:41 +02:00
|
|
|
.request_microcode_fw = request_microcode_fw,
|
|
|
|
|
.collect_cpu_info = collect_cpu_info,
|
2023-10-17 23:23:44 +02:00
|
|
|
.apply_microcode = apply_microcode_late,
|
2023-10-02 13:59:44 +02:00
|
|
|
.finalize_late_load = finalize_late_load,
|
2023-10-02 14:00:05 +02:00
|
|
|
.use_nmi = IS_ENABLED(CONFIG_X86_64),
|
2008-07-28 18:44:21 +02:00
|
|
|
};
|
|
|
|
|
|
2023-10-02 13:59:41 +02:00
|
|
|
static __init void calc_llc_size_per_core(struct cpuinfo_x86 *c)
|
2018-01-23 11:41:32 +01:00
|
|
|
{
|
2018-02-13 13:22:08 -06:00
|
|
|
u64 llc_size = c->x86_cache_size * 1024ULL;
|
2018-01-23 11:41:32 +01:00
|
|
|
|
2024-02-13 22:06:16 +01:00
|
|
|
do_div(llc_size, topology_num_cores_per_package());
|
2023-10-02 13:59:41 +02:00
|
|
|
llc_size_per_core = (unsigned int)llc_size;
|
2018-01-23 11:41:32 +01:00
|
|
|
}
|
|
|
|
|
|
2008-09-23 12:08:44 +02:00
|
|
|
struct microcode_ops * __init init_intel_microcode(void)
|
2008-07-28 18:44:21 +02:00
|
|
|
{
|
2015-10-20 11:54:44 +02:00
|
|
|
struct cpuinfo_x86 *c = &boot_cpu_data;
|
2012-04-16 14:12:00 +05:30
|
|
|
|
|
|
|
|
if (c->x86_vendor != X86_VENDOR_INTEL || c->x86 < 6 ||
|
|
|
|
|
cpu_has(c, X86_FEATURE_IA64)) {
|
|
|
|
|
pr_err("Intel CPU family 0x%x not supported\n", c->x86);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-02 13:59:41 +02:00
|
|
|
calc_llc_size_per_core(c);
|
2018-01-23 11:41:32 +01:00
|
|
|
|
2008-09-23 12:08:44 +02:00
|
|
|
return µcode_intel_ops;
|
2008-07-28 18:44:21 +02:00
|
|
|
}
|