
[PATCH 4/4] x86: Add Kconfig option to disable microcode loading


  • To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
  • Date: Wed, 12 Nov 2025 17:22:17 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=KlUqvqE/VFp5EaRFjnobC2TG4Ik3upgV5GDSchMkSS8=; b=SRnlvMNMcYmttRYyh3p3x94E0fGPOATi3ZTfLM7wce4gh0pMdzjU9NsTRvzhlMNxCVTsF20Bql3kg9wTD++KicLOYME+N6zJLz78BWecoWz6/WwP5KWEBvg7zNjTtQNmZtFY8drPcWLrZBFxHJalt4J+LcrxgqoVdc1GwYM04Tlx+0ffCWjEBXP560aCzWtQG+bRzaXd+7fDzRtYc/vTSOt/Esgpj1xqITuiLhRCHMkwi9QS3/GXTuYp2figRNs15eWiHbEHv49jawdvpDAQsW2OhgUeUyu2KSkLXexX+ZaOxkyNOabIvAMEZpqOpXreqqJKuHA6kwArfbZZ0MAwVg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=xxbhyjluirJVoWJZblUTH8OstIYyf3XwNnUCv0I3+FyeNBkBeCgvDHj20AJIW4/Pc2v55LPPET4CyNwxS5yU3Vyk0Qyn3prniB29ZBNaj3bvwjYLSYWn9J36jrCVxdN9D9I+CrIDyz5O6EWzxhm1Qp86UiAzjXYEyhXFggS+rlXVlRBs4nd3+koZBx9gILvoIWa2iRHHVYR+zechQXx+UcVQRkISkTJsoUbXh6uRtL4oBG42+e7nCdaJFr3QATb35OkPMdCZBvebX64MWv5ruNa1fUbpG5hkQR0PCKQ1CTjrEpuz4Jfl7ypDAo8n1rijNtHu4tckonYPlgkLZUs+5A==
  • Cc: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 12 Nov 2025 16:22:49 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Keeps around the microcode revision reading logic, as that's security
sensitive to detect out-of-date platforms and report them.

Move cpu_sig to base.c, because that's an externally visible symbol outside
the microcode subsystem and we need it always accessible.

Signed-off-by: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
---
 xen/arch/x86/Kconfig                    | 12 ++++++++++++
 xen/arch/x86/cpu/microcode/Makefile     |  6 +++---
 xen/arch/x86/cpu/microcode/amd-base.c   |  9 +++++++--
 xen/arch/x86/cpu/microcode/base.c       | 21 +++++++++++----------
 xen/arch/x86/cpu/microcode/core.c       |  1 -
 xen/arch/x86/cpu/microcode/intel-base.c |  6 ++++--
 xen/arch/x86/efi/efi-boot.h             |  2 +-
 xen/arch/x86/platform_hypercall.c       |  2 ++
 8 files changed, 40 insertions(+), 19 deletions(-)

diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
index 3f0f3a0f3a..948dd00dbc 100644
--- a/xen/arch/x86/Kconfig
+++ b/xen/arch/x86/Kconfig
@@ -330,8 +330,20 @@ config REQUIRE_NX
          was unavailable. However, if enabled, Xen will no longer boot on
          any CPU which is lacking NX support.
 
+config UCODE
+       bool "Microcode loading"
+       default y
+       help
+         Support updating the microcode revision of available CPUs with a newer
+         vendor-provided microcode blob. Microcode updates address some 
classes of
+         silicon defects. It's a very common delivery mechanism for fixes or
+         workarounds for speculative execution vulnerabilities.
+
+         If unsure, say Y
+
 config UCODE_SCAN_DEFAULT
        bool "Scan for microcode by default"
+       depends on UCODE
        help
          During boot, Xen can scan the multiboot images for a CPIO archive
          containing CPU microcode to be loaded, which is Linux's mechanism for
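Review bot: The UCODE help text says what the option adds but not what disabling it takes away, and the rest of this series compiles out the XENPF_microcode_update platform op and the EFI config `ucode` entry, and stops building core.c (which, going by the `custom_param("ucode", parse_ucode)` context in the core.c hunk, appears to hold the `ucode=` command line option). A closing paragraph such as `If disabled, the XENPF_microcode_update hypercall, the ucode= command line option and the ucode= entry of the EFI config file are unavailable; the running microcode revision is still read and reported.` would let an integrator judge the trade-off. `If unsure, say Y` also wants a trailing full stop.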
diff --git a/xen/arch/x86/cpu/microcode/Makefile 
b/xen/arch/x86/cpu/microcode/Makefile
index 765195ada3..4ec38b56a2 100644
--- a/xen/arch/x86/cpu/microcode/Makefile
+++ b/xen/arch/x86/cpu/microcode/Makefile
@@ -1,6 +1,6 @@
-obj-$(CONFIG_AMD) += amd.o
+obj-$(filter $(CONFIG_AMD),$(CONFIG_UCODE)) += amd.o
 obj-$(CONFIG_AMD) += amd-base.o
 obj-y += base.o
-obj-y += core.o
-obj-$(CONFIG_INTEL) += intel.o
+obj-$(CONFIG_UCODE) += core.o
+obj-$(filter $(CONFIG_INTEL),$(CONFIG_UCODE)) += intel.o
 obj-$(CONFIG_INTEL) += intel-base.o
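Review bot: The `$(filter $(CONFIG_AMD),$(CONFIG_UCODE))` form on the amd.o and intel.o lines is not self-explanatory: it yields `y` only when both symbols are `y` and otherwise an empty suffix, i.e. the discard list. A one-line comment above them would spare the next reader the derivation, e.g. `# amd.o/intel.o hold the loaders: built only with both the vendor and CONFIG_UCODE enabled.` The idiom also relies on both symbols being plain booleans, which the Kconfig in this series does guarantee.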
diff --git a/xen/arch/x86/cpu/microcode/amd-base.c 
b/xen/arch/x86/cpu/microcode/amd-base.c
index f8f5fac1e1..4e705fe602 100644
--- a/xen/arch/x86/cpu/microcode/amd-base.c
+++ b/xen/arch/x86/cpu/microcode/amd-base.c
@@ -22,19 +22,23 @@ static void cf_check collect_cpu_info(void)
 }
 
 static const struct microcode_ops __initconst_cf_clobber amd_ucode_ops = {
-    .cpu_request_microcode            = amd_cpu_request_microcode,
     .collect_cpu_info                 = collect_cpu_info,
+#ifdef CONFIG_UCODE
+    .cpu_request_microcode            = amd_cpu_request_microcode,
     .apply_microcode                  = amd_apply_microcode,
     .compare                          = amd_compare,
     .cpio_path                        = amd_cpio_path,
+#endif /* CONFIG_UCODE */
 };
 
 void __init ucode_probe_amd(struct microcode_ops *ops)
 {
     /*
      * The Entrysign vulnerability (SB-7033, CVE-2024-36347) affects Zen1-5
-     * CPUs.  Taint Xen if digest checking is turned off.
+     * CPUs. Taint Xen if digest checking is turned off and microcode loading 
is
+     * compiled in.
      */
+#ifdef CONFIG_UCODE
     if ( boot_cpu_data.family >= 0x17 && boot_cpu_data.family <= 0x1a &&
          !opt_digest_check )
     {
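Review bot: The `#ifdef CONFIG_UCODE` wrapped around the Entrysign taint check in ucode_probe_amd is the preprocessor form of the guard that intel-base.c's ucode_probe_intel writes as `if ( IS_ENABLED(CONFIG_UCODE) && ... )`; using one form for both probe functions would read better, and the `IS_ENABLED` form keeps the body compiled and type-checked in both configurations, e.g. `if ( IS_ENABLED(CONFIG_UCODE) && boot_cpu_data.family >= 0x17 && boot_cpu_data.family <= 0x1a && !opt_digest_check )`. That only works if `opt_digest_check` stays declared when amd.c is not built, presumably via private.h, which I cannot confirm from the hunk. The `#ifdef` inside the designated initialiser is a different case, since those entries name functions that no longer exist with UCODE=n, so the preprocessor guard is needed there. The guarded `if` body continues in the next hunk and ucode_probe_amd ends outside both.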
@@ -42,6 +46,7 @@ void __init ucode_probe_amd(struct microcode_ops *ops)
                "Microcode patch additional digest checks disabled\n");
         add_taint(TAINT_CPU_OUT_OF_SPEC);
     }
+#endif /* CONFIG_UCODE */
 
     if ( boot_cpu_data.family < 0x10 )
         return;
diff --git a/xen/arch/x86/cpu/microcode/base.c 
b/xen/arch/x86/cpu/microcode/base.c
index 895ee78d2e..3e0b5a7447 100644
--- a/xen/arch/x86/cpu/microcode/base.c
+++ b/xen/arch/x86/cpu/microcode/base.c
@@ -13,6 +13,7 @@
 #include "private.h"
 
 struct microcode_ops __ro_after_init ucode_ops;
+DEFINE_PER_CPU(struct cpu_signature, cpu_sig);
 
 int microcode_update_one(void)
 {
@@ -23,6 +24,9 @@ int microcode_update_one(void)
     if ( ucode_ops.collect_cpu_info )
         alternative_vcall(ucode_ops.collect_cpu_info);
 
+    if ( !IS_ENABLED(CONFIG_UCODE) )
+        return 0;
+
     return _microcode_update_one();
 }
 
@@ -30,16 +34,10 @@ int __init early_microcode_init(struct boot_info *bi)
 {
     const struct cpuinfo_x86 *c = &boot_cpu_data;
 
-    switch ( c->vendor )
-    {
-    case X86_VENDOR_AMD:
+    if ( IS_ENABLED(CONFIG_AMD) && c->vendor == X86_VENDOR_AMD )
         ucode_probe_amd(&ucode_ops);
-        break;
-
-    case X86_VENDOR_INTEL:
+    else if ( IS_ENABLED(CONFIG_INTEL) && c->vendor == X86_VENDOR_INTEL )
         ucode_probe_intel(&ucode_ops);
-        break;
-    }
 
     if ( !ucode_ops.collect_cpu_info )
     {
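Review bot: The rewrite of the vendor `switch` into an `if`/`else if` chain gated on `IS_ENABLED(CONFIG_AMD)` and `IS_ENABLED(CONFIG_INTEL)` in early_microcode_init is independent of the new CONFIG_UCODE option and is not mentioned in the commit message. Either split it into its own patch or add a sentence saying why it belongs here; my guess from the hunk is that it lets the ucode_probe_amd/ucode_probe_intel references drop out when the respective vendor is compiled out, but that should be stated rather than guessed. The function continues past this hunk.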
@@ -60,10 +58,13 @@ int __init early_microcode_init(struct boot_info *bi)
      *
      * Take the hint in either case and ignore the microcode interface.
      */
-    if ( !ucode_ops.apply_microcode || this_cpu(cpu_sig).rev == ~0 )
+    if ( !IS_ENABLED(CONFIG_UCODE) || !ucode_ops.apply_microcode ||
+         this_cpu(cpu_sig).rev == ~0 )
     {
         printk(XENLOG_INFO "Microcode loading disabled due to: %s\n",
-               ucode_ops.apply_microcode ? "rev = ~0" : "HW toggle");
+               !IS_ENABLED(CONFIG_UCODE) ? "not compiled-in" :
+               ucode_ops.apply_microcode ? "rev = ~0"        :
+                                           "HW toggle");
         ucode_ops.apply_microcode = NULL;
         return -ENODEV;
     }
diff --git a/xen/arch/x86/cpu/microcode/core.c 
b/xen/arch/x86/cpu/microcode/core.c
index 553a0ced15..d6ba250dca 100644
--- a/xen/arch/x86/cpu/microcode/core.c
+++ b/xen/arch/x86/cpu/microcode/core.c
@@ -164,7 +164,6 @@ custom_param("ucode", parse_ucode);
 
 static DEFINE_SPINLOCK(microcode_mutex);
 
-DEFINE_PER_CPU(struct cpu_signature, cpu_sig);
 /* Store error code of the work done in NMI handler */
 static DEFINE_PER_CPU(int, loading_err);
 
diff --git a/xen/arch/x86/cpu/microcode/intel-base.c 
b/xen/arch/x86/cpu/microcode/intel-base.c
index 4fcacaa192..18fdb4e7fc 100644
--- a/xen/arch/x86/cpu/microcode/intel-base.c
+++ b/xen/arch/x86/cpu/microcode/intel-base.c
@@ -32,17 +32,19 @@ static void cf_check collect_cpu_info(void)
 }
 
 static const struct microcode_ops __initconst_cf_clobber intel_ucode_ops = {
+    .collect_cpu_info      = collect_cpu_info,
+#ifdef CONFIG_UCODE
     .cpu_request_microcode = intel_cpu_request_microcode,
     .apply_microcode       = intel_apply_microcode,
-    .collect_cpu_info      = collect_cpu_info,
     .compare               = intel_compare,
     .cpio_path             = intel_cpio_path,
+#endif /* CONFIG_UCODE */
 };
 
 void __init ucode_probe_intel(struct microcode_ops *ops)
 {
     *ops = intel_ucode_ops;
 
-    if ( !intel_can_load_microcode() )
+    if ( IS_ENABLED(CONFIG_UCODE) && !intel_can_load_microcode() )
         ops->apply_microcode = NULL;
 }
diff --git a/xen/arch/x86/efi/efi-boot.h b/xen/arch/x86/efi/efi-boot.h
index 0194720003..9ec9291681 100644
--- a/xen/arch/x86/efi/efi-boot.h
+++ b/xen/arch/x86/efi/efi-boot.h
@@ -295,7 +295,7 @@ static void __init efi_arch_cfg_file_late(const 
EFI_LOADED_IMAGE *image,
 {
     union string name;
 
-    if ( read_section(image, L"ucode", &ucode, NULL) )
+    if ( !IS_ENABLED(CONFIG_UCODE) || read_section(image, L"ucode", &ucode, 
NULL) )
         return;
 
     name.s = get_value(&cfg, section, "ucode");
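Review bot: With CONFIG_UCODE=n the `ucode` entry of the EFI config file is now silently skipped by efi_arch_cfg_file_late, so an operator who configured one gets no indication at this point that it was ignored. The later "Microcode loading disabled due to: not compiled-in" message added to early_microcode_init in this series covers the general case, but a short comment on the new condition, `/* No loader compiled in: ignore any ucode entry in the config file. */`, would make the intent clear to a reader of this function. The function body continues outside the hunk.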
diff --git a/xen/arch/x86/platform_hypercall.c 
b/xen/arch/x86/platform_hypercall.c
index 79bb99e0b6..b2527bca93 100644
--- a/xen/arch/x86/platform_hypercall.c
+++ b/xen/arch/x86/platform_hypercall.c
@@ -307,6 +307,7 @@ ret_t do_platform_op(
         break;
     }
 
+#ifdef CONFIG_UCODE
     case XENPF_microcode_update:
     {
         XEN_GUEST_HANDLE(const_void) data;
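Review bot: Compiling out the `XENPF_microcode_update` case means a caller now reaches the switch's default handling, which presumably returns -ENOSYS; that should be stated in the commit message so toolstack users know the op is reported as unimplemented rather than failing with EINVAL or ENODEV. If other microcode operations are dispatched from the same `#ifdef` block (the second hunk touches `op->u.microcode2.flags`), the same applies to them. The `case` body and do_platform_op as a whole extend well beyond both hunks, so the guard's closing `#endif` in the second hunk should be checked against the real end of the block.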
@@ -327,6 +328,7 @@ ret_t do_platform_op(
                                  op->u.microcode2.flags);
         break;
     }
+#endif /* CONFIG_UCODE */
 
     case XENPF_platform_quirk:
     {
-- 
2.43.0




 

