Xen project Mailing List

Re: [PATCH] x86/microcode: Prevent attempting updates known to fail

To: Alejandro Vallejo <alejandro.vallejo@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Fri, 2 Jun 2023 21:35:56 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=w4QfV6U25NfTxLj23TKZ5MdViJ2rhU+xT3CjB/7jyQw=; b=mPef6cclYqF52jV8LYAyoEBBFuj7voaprGKHD1SIY2g4pBzIwglcQxc/8PeZJ5VILGIQthtkaqR7tYGK4+/iGHTaPVqKMyKyugcqNR47nztiNHVz83Ube6XSrI0CnsuESFcdNsJDxDHC0siVJNxEsRnYW1BeNKzNFzWd5geYs8zA6XyhW7pny17mrck87GOry5c4xONzbpUBpTOVNV1WKwdWKAoUN1gZmjUnCGsFPGc6KWx2pBNfauslNQOdyWODSBW0geQTpGko4NddxX5bv5bK/X0OPKt1mClUSfeDwvnHmUJXZV4donOqinKI+YMLJxYUboovR77BJtfLRAYkFQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Oc53hHVg5tR202bVXPBG2AVznhUPkDFSM9R4ZK1GAC8dJExmDkr1pWdY6udDYP0EhFjd5bk+ZgYjhqocK4gQonUTgKrbCQhl5Fkh7AQWOGrsphv/6vpinDLciLDkr4CczZZwnUOxRGrrG6XLPcUF9lVJBzqc9acsVNpmjQmFeQg6atqgK//n0tJOYOrUDyvyF/LKoRbx3QdnBFOeUQq6G2E1l98tnfObF9hCl6W1/i+ZalLkImEwC4mV9si8Rf75BCg7Za3sZbfZcgu8cSnLEc3WFgV1A1unrTGD3hnTbxk7h6T1+a9Pe7E2D7IQg16PaltWNEuL0Tra5Y3ZBmJT1w==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Fri, 02 Jun 2023 20:36:27 +0000

Ironport-data: A9a23:HUI0G677T8Pmpnq7ST9sKAxRtPjGchMFZxGqfqrLsTDasY5as4F+v mYeW2/QafaCZGHyKoxyYY/l9UtQ75XSztQ2Sgdv+Hg0Hi5G8cbLO4+Ufxz6V8+wwm8vb2o8t plDNYOQRCwQZiWBzvt4GuG59RGQ7YnRGvynTraCYnsrLeNdYH9JoQp5nOIkiZJfj9G8Agec0 fv/uMSaM1K+s9JOGjt8B5mr9lU35JwehBtC5gZlPa4T5geC/5UoJMl3yZ+ZfiOQrrZ8RoZWd 86bpJml82XQ+QsaC9/Nut4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5iXBYoUm9Fii3hojxE4 I4lWapc6+seFvakdOw1C3G0GszlVEFM0OevzXOX6aR/w6BaGpdFLjoH4EweZOUlFuhL7W5mz P8JCDQcfBq6mvOqx5y6FMpXg/kyBZy+VG8fkikIITDxK98DGMmGb4CUoNhS0XE3m9xEGuvYa 4wBcz1zYR/cYhpJfFAKFJY5m+TujX76G9FagAvN+exrvC6Ok0ooj+aF3Nn9I7RmQe18mEqCq 32A1GP+GhwAb/SUyCaf82LqjejK9c/+cNtLT+zhra802TV/wEQYDxgSCQqKiMOLtWCDButjJ RUO1HMx+P1aGEuDC4OVsweDiHeAsxwVXdZKFKsk4QWJx6jTyw2dAXUICDVGbbQOpMIwADAny FKNt9foHiB09q2YT2qH8bWZpi/0PjIaRUcAbyIZSQoO4/H4vZo+yBnIS75LD6qdntDzXzbqz Fi3QDMWgrwSiYsH0vu99FWe2ja0/MGWEEgy+xndWX+j4kVhfom5aoe06F/dq/FdMIKeSVrHt 38B8ySD0N0z4Vi2vHTlaI0w8HuBvp5p7BW0bYZTIqQc

Ironport-hdrordr: A9a23:12URSaB9m0jlSGDlHemT55DYdb4zR+YMi2TDGXoBMCC9E/bo7/ xG+c5w6faaskd1ZJhNo6HjBEDEewK+yXcX2+gs1NWZLW3bUQKTRekI0WKh+V3d8kbFh4lgPM lbAs5D4R7LYWSST/yW3OB1KbkdKRC8npyVuQ==

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 01/06/2023 11:54 am, Andrew Cooper wrote: > Instead, I recommend the following: > > 1) One patch moving the early-cpuid/msr read from tsx_init() into > early_microcode_init(), adjusting the comment as it goes. No point > duplicating that logic, and we need it earlier on boot now. > 2) This patch, adjusting early_microcode_init() only. Have a printk() > saying "microcode loading disabled by firmware" and avoid filling in > ucode_ops. Every other part of ucode handling understands "loading not > available". So, having fallen over "x86/ucode: Exit early from early_update_cache() if loading not available" for other reasons, I've realised that this isn't a completely sensible suggestion. By not filling in ucode_ops, nothing ever calls collect_info(), meaning that external components which peek at this_cpu(cpu_sig).rev get 0's back in place of the actual microcode revision. That's probably the best we can do for genuinely no ucode facilities available. But there's another case we ought to cope with. Some hypervisors deliberately report a microcode revision of ~0, and we should take to mean "no microcode loading available" too. For this MCU_CONTROL_DIS_MCU_LOAD case, we don't want to be trying to load new microcode because that's a waste of time, but we absolutely should query the current microcode revision. It is frequently relevant for security reasons. So I think we want to fine-grain things a little, and separate the concepts of "ucode info available" and "ucode loading available". Per the current mechanism, that would involve supporting a case where ucode_ops.collect_cpu_info() is available but ucode_ops.apply_microcode() is not. ~Andrew P.S. also in our copious free time, we need to start supporting the Intel min_rev field, which is more complicated than it sounds. min_rev is vaguely defined as being relevant to block updates "after you've evaluated CPUID and made decisions based on it", but here in Xen we do also do livepatching and late loading to explicitly make use of newly enumerated features. So we need a way of xen-ucode saying "please really do load this, because I as the admin think it will be fine in combination with the livepatch I'm about to apply". My best idea for this is to have a `--force` option to pass to Xen to skip the revision checks, which will require either a new hypercall, or perhaps borrowing a high bit from the size field in the current hypercall. With a force option in place, the boot time ucode=allow-same can go away. It has become distinctly less useful now that we were forced do this unilaterally on AMD CPUs, and separating "allow same because of HW bugs" from "the Admin promised they knew what they were doing" would be better for testing.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.