• Ashok Raj's avatar
    x86/microcode/intel: Add a minimum required revision for late loading · cf5ab01c
    Ashok Raj authored
    In general users, don't have the necessary information to determine
    whether late loading of a new microcode version is safe and does not
    modify anything which the currently running kernel uses already, e.g.
    removal of CPUID bits or behavioural changes of MSRs.
    
    To address this issue, Intel has added a "minimum required version"
    field to a previously reserved field in the microcode header.  Microcode
    updates should only be applied if the current microcode version is equal
    to, or greater than this minimum required version.
    
    Thomas made some suggestions on how meta-data in the microcode file could
    provide Linux with information to decide if the new microcode is suitable
    candidate for late loading. But even the "simpler" option requires a lot of
    metadata and corresponding kernel code to parse it, so the final suggestion
    was to add the 'minimum required version' field in the header.
    
    When microcode changes visible features, microcode will set the minimum
    required version to its own revision which prevents late loading.
    
    Old microcode blobs have the minimum revision field always set to 0, which
    indicates that there is no information and the kernel considers it
    unsafe.
    
    This is a pure OS software mechanism. The hardware/firmware ignores this
    header field.
    
    For early loading there is no restriction because OS visible features
    are enumerated after the early load and therefore a change has no
    effect.
    
    The check is always enabled, but by default not enforced. It can be
    enforced via Kconfig or kernel command line.
    
    If enforced, the kernel refuses to late load microcode with a minimum
    required version field which is zero or when the currently loaded
    microcode revision is smaller than the minimum required revision.
    
    If not enforced the load happens independent of the revision check to
    stay compatible with the existing behaviour, but it influences the
    decision whether the kernel is tainted or not. If the check signals that
    the late load is safe, then the kernel is not tainted.
    
    Early loading is not affected by this.
    
    [ tglx: Massaged changelog and fixed up the implementation ]
    Suggested-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Signed-off-by: default avatarAshok Raj <ashok.raj@intel.com>
    Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Signed-off-by: default avatarBorislav Petkov (AMD) <bp@alien8.de>
    Link: https://lore.kernel.org/r/20231002115903.776467264@linutronix.de
    cf5ab01c
intel.c 17.2 KB