Message ID | 1568272949-1086-2-git-send-email-chao.gao@intel.com (mailing list archive) |
---|---|
State | Superseded |
Series | improve late microcode loading | expand |
On 12.09.2019 09:22, Chao Gao wrote: > --- a/xen/arch/x86/microcode_intel.c > +++ b/xen/arch/x86/microcode_intel.c > @@ -134,21 +134,11 @@ static int collect_cpu_info(unsigned int cpu_num, struct cpu_signature *csig) > return 0; > } > > -static inline int microcode_update_match( > - unsigned int cpu_num, const struct microcode_header_intel *mc_header, > - int sig, int pf) > +static int microcode_sanity_check(const void *mc) > { > - struct ucode_cpu_info *uci = &per_cpu(ucode_cpu_info, cpu_num); > - > - return (sigmatch(sig, uci->cpu_sig.sig, pf, uci->cpu_sig.pf) && > - (mc_header->rev > uci->cpu_sig.rev)); > -} > - > -static int microcode_sanity_check(void *mc) > -{ > - struct microcode_header_intel *mc_header = mc; > - struct extended_sigtable *ext_header = NULL; > - struct extended_signature *ext_sig; > + const struct microcode_header_intel *mc_header = mc; > + const struct extended_sigtable *ext_header = NULL; > + const struct extended_signature *ext_sig; > unsigned long total_size, data_size, ext_table_size; > unsigned int ext_sigcount = 0, i; > uint32_t sum, orig_sum; 
> @@ -234,6 +224,42 @@ static int microcode_sanity_check(void *mc) > return 0; > } > > +/* Check an update against the CPU signature and current update revision */ > +static enum microcode_match_result microcode_update_match( > + const struct microcode_header_intel *mc_header, unsigned int cpu) > +{ > + const struct extended_sigtable *ext_header; > + const struct extended_signature *ext_sig; > + unsigned int i; > + struct ucode_cpu_info *uci = &per_cpu(ucode_cpu_info, cpu); > + unsigned int sig = uci->cpu_sig.sig; > + unsigned int pf = uci->cpu_sig.pf; > + unsigned int rev = uci->cpu_sig.rev; > + unsigned long data_size = get_datasize(mc_header); > + const void *end = (const void *)mc_header + get_totalsize(mc_header); > + > + ASSERT(!microcode_sanity_check(mc_header)); > + if ( sigmatch(sig, mc_header->sig, pf, mc_header->pf) ) > + return (mc_header->rev > rev) ? NEW_UCODE : OLD_UCODE; > + > + ext_header = (const void *)(mc_header + 1) + data_size; > + ext_sig = (const void *)(ext_header + 1); > + > + /* > + * Make sure there is enough space to hold an extended header and enough > + * array elements. > + */ > + if ( (end < (const void *)ext_sig) || > + (end < (const void *)(ext_sig + ext_header->count)) ) > + return MIS_UCODE; With you now assuming that the blob has previously passed microcode_sanity_check(), this only needs to be if ( (end <= (const void *)ext_sig) ) return MIS_UCODE; now afaict. Reviewed-by: Jan Beulich <jbeulich@suse.com> preferably with this adjustment (assuming you agree). Jan
On 12.09.2019 12:24, Jan Beulich wrote: > On 12.09.2019 09:22, Chao Gao wrote: >> --- a/xen/arch/x86/microcode_intel.c >> +++ b/xen/arch/x86/microcode_intel.c >> @@ -134,21 +134,11 @@ static int collect_cpu_info(unsigned int cpu_num, struct cpu_signature *csig) >> return 0; >> } >> >> -static inline int microcode_update_match( >> - unsigned int cpu_num, const struct microcode_header_intel *mc_header, >> - int sig, int pf) >> +static int microcode_sanity_check(const void *mc) >> { >> - struct ucode_cpu_info *uci = &per_cpu(ucode_cpu_info, cpu_num); >> - >> - return (sigmatch(sig, uci->cpu_sig.sig, pf, uci->cpu_sig.pf) && >> - (mc_header->rev > uci->cpu_sig.rev)); >> -} >> - >> -static int microcode_sanity_check(void *mc) >> -{ >> - struct microcode_header_intel *mc_header = mc; >> - struct extended_sigtable *ext_header = NULL; >> - struct extended_signature *ext_sig; >> + const struct microcode_header_intel *mc_header = mc; >> + const struct extended_sigtable *ext_header = NULL; >> + const struct extended_signature *ext_sig; >> unsigned long total_size, data_size, ext_table_size; >> unsigned int ext_sigcount = 0, i; >> uint32_t sum, orig_sum; 
>> @@ -234,6 +224,42 @@ static int microcode_sanity_check(void *mc) >> return 0; >> } >> >> +/* Check an update against the CPU signature and current update revision */ >> +static enum microcode_match_result microcode_update_match( >> + const struct microcode_header_intel *mc_header, unsigned int cpu) >> +{ >> + const struct extended_sigtable *ext_header; >> + const struct extended_signature *ext_sig; >> + unsigned int i; >> + struct ucode_cpu_info *uci = &per_cpu(ucode_cpu_info, cpu); >> + unsigned int sig = uci->cpu_sig.sig; >> + unsigned int pf = uci->cpu_sig.pf; >> + unsigned int rev = uci->cpu_sig.rev; >> + unsigned long data_size = get_datasize(mc_header); >> + const void *end = (const void *)mc_header + get_totalsize(mc_header); >> + >> + ASSERT(!microcode_sanity_check(mc_header)); >> + if ( sigmatch(sig, mc_header->sig, pf, mc_header->pf) ) >> + return (mc_header->rev > rev) ? NEW_UCODE : OLD_UCODE; >> + >> + ext_header = (const void *)(mc_header + 1) + data_size; >> + ext_sig = (const void *)(ext_header + 1); >> + >> + /* >> + * Make sure there is enough space to hold an extended header and enough >> + * array elements. >> + */ >> + if ( (end < (const void *)ext_sig) || >> + (end < (const void *)(ext_sig + ext_header->count)) ) >> + return MIS_UCODE; > > With you now assuming that the blob has previously passed > microcode_sanity_check(), this only needs to be > > if ( (end <= (const void *)ext_sig) ) > return MIS_UCODE; > > now afaict. > > Reviewed-by: Jan Beulich <jbeulich@suse.com> > preferably with this adjustment (assuming you agree). FAOD: I'd be happy to make the adjustment while committing, but I'd like to have your consent (or you proving me wrong). This would, as it looks, allow everything up to patch 8 to go in. Jan
On Fri, Sep 13, 2019 at 08:50:59AM +0200, Jan Beulich wrote: >On 12.09.2019 12:24, Jan Beulich wrote: >> On 12.09.2019 09:22, Chao Gao wrote: >>> --- a/xen/arch/x86/microcode_intel.c >>> +++ b/xen/arch/x86/microcode_intel.c >>> @@ -134,21 +134,11 @@ static int collect_cpu_info(unsigned int cpu_num, struct cpu_signature *csig) >>> return 0; >>> } >>> >>> -static inline int microcode_update_match( >>> - unsigned int cpu_num, const struct microcode_header_intel *mc_header, >>> - int sig, int pf) >>> +static int microcode_sanity_check(const void *mc) >>> { >>> - struct ucode_cpu_info *uci = &per_cpu(ucode_cpu_info, cpu_num); >>> - >>> - return (sigmatch(sig, uci->cpu_sig.sig, pf, uci->cpu_sig.pf) && >>> - (mc_header->rev > uci->cpu_sig.rev)); >>> -} >>> - >>> -static int microcode_sanity_check(void *mc) >>> -{ >>> - struct microcode_header_intel *mc_header = mc; >>> - struct extended_sigtable *ext_header = NULL; >>> - struct extended_signature *ext_sig; >>> + const struct microcode_header_intel *mc_header = mc; >>> + const struct extended_sigtable *ext_header = NULL; >>> + const struct extended_signature *ext_sig; >>> unsigned long total_size, data_size, ext_table_size; >>> unsigned int ext_sigcount = 0, i; >>> uint32_t sum, orig_sum; 
>>> @@ -234,6 +224,42 @@ static int microcode_sanity_check(void *mc) >>> return 0; >>> } >>> >>> +/* Check an update against the CPU signature and current update revision */ >>> +static enum microcode_match_result microcode_update_match( >>> + const struct microcode_header_intel *mc_header, unsigned int cpu) >>> +{ >>> + const struct extended_sigtable *ext_header; >>> + const struct extended_signature *ext_sig; >>> + unsigned int i; >>> + struct ucode_cpu_info *uci = &per_cpu(ucode_cpu_info, cpu); >>> + unsigned int sig = uci->cpu_sig.sig; >>> + unsigned int pf = uci->cpu_sig.pf; >>> + unsigned int rev = uci->cpu_sig.rev; >>> + unsigned long data_size = get_datasize(mc_header); >>> + const void *end = (const void *)mc_header + get_totalsize(mc_header); >>> + >>> + ASSERT(!microcode_sanity_check(mc_header)); >>> + if ( sigmatch(sig, mc_header->sig, pf, mc_header->pf) ) >>> + return (mc_header->rev > rev) ? NEW_UCODE : OLD_UCODE; >>> + >>> + ext_header = (const void *)(mc_header + 1) + data_size; >>> + ext_sig = (const void *)(ext_header + 1); >>> + >>> + /* >>> + * Make sure there is enough space to hold an extended header and enough >>> + * array elements. >>> + */ >>> + if ( (end < (const void *)ext_sig) || >>> + (end < (const void *)(ext_sig + ext_header->count)) ) >>> + return MIS_UCODE; >> >> With you now assuming that the blob has previously passed >> microcode_sanity_check(), this only needs to be >> >> if ( (end <= (const void *)ext_sig) ) >> return MIS_UCODE; >> >> now afaict. >> >> Reviewed-by: Jan Beulich <jbeulich@suse.com> >> preferably with this adjustment (assuming you agree). > >FAOD: I'd be happy to make the adjustment while committing, but >I'd like to have your consent (or you proving me wrong). This >would, as it looks, allow everything up to patch 8 to go in. Please go ahead. Thanks Chao
diff --git a/xen/arch/x86/microcode_intel.c b/xen/arch/x86/microcode_intel.c
index 22fdeca..1a3ffa5 100644
--- a/xen/arch/x86/microcode_intel.c
+++ b/xen/arch/x86/microcode_intel.c
@@ -134,21 +134,11 @@ static int collect_cpu_info(unsigned int cpu_num, struct cpu_signature *csig)
 return 0;
 }
 
-static inline int microcode_update_match(
- unsigned int cpu_num, const struct microcode_header_intel *mc_header,
- int sig, int pf)
+static int microcode_sanity_check(const void *mc)
 {
- struct ucode_cpu_info *uci = &per_cpu(ucode_cpu_info, cpu_num);
-
- return (sigmatch(sig, uci->cpu_sig.sig, pf, uci->cpu_sig.pf) &&
- (mc_header->rev > uci->cpu_sig.rev));
-}
-
-static int microcode_sanity_check(void *mc)
-{
- struct microcode_header_intel *mc_header = mc;
- struct extended_sigtable *ext_header = NULL;
- struct extended_signature *ext_sig;
+ const struct microcode_header_intel *mc_header = mc;
+ const struct extended_sigtable *ext_header = NULL;
+ const struct extended_signature *ext_sig;
 unsigned long total_size, data_size, ext_table_size;
 unsigned int ext_sigcount = 0, i;
 uint32_t sum, orig_sum;
@@ -234,6 +224,42 @@ static int microcode_sanity_check(void *mc)
 return 0;
 }
 
+/* Check an update against the CPU signature and current update revision */
+static enum microcode_match_result microcode_update_match(
+ const struct microcode_header_intel *mc_header, unsigned int cpu)
+{
+ const struct extended_sigtable *ext_header;
+ const struct extended_signature *ext_sig;
+ unsigned int i;
+ struct ucode_cpu_info *uci = &per_cpu(ucode_cpu_info, cpu);
+ unsigned int sig = uci->cpu_sig.sig;
+ unsigned int pf = uci->cpu_sig.pf;
+ unsigned int rev = uci->cpu_sig.rev;
+ unsigned long data_size = get_datasize(mc_header);
+ const void *end = (const void *)mc_header + get_totalsize(mc_header);
+
+ ASSERT(!microcode_sanity_check(mc_header));
+ if ( sigmatch(sig, mc_header->sig, pf, mc_header->pf) )
+ return (mc_header->rev > rev) ? NEW_UCODE : OLD_UCODE;
+
+ ext_header = (const void *)(mc_header + 1) + data_size;
+ ext_sig = (const void *)(ext_header + 1);
+
+ /*
+ * Make sure there is enough space to hold an extended header and enough
+ * array elements.
+ */
+ if ( (end < (const void *)ext_sig) ||
+ (end < (const void *)(ext_sig + ext_header->count)) )
+ return MIS_UCODE;
+
+ for ( i = 0; i < ext_header->count; i++ )
+ if ( sigmatch(sig, ext_sig[i].sig, pf, ext_sig[i].pf) )
+ return (mc_header->rev > rev) ? NEW_UCODE : OLD_UCODE;
+
+ return MIS_UCODE;
+}
+
 /*
 * return 0 - no update found
 * return 1 - found update
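Review bot: The only call to microcode_sanity_check() inside microcode_update_match() sits in `ASSERT(!microcode_sanity_check(mc_header));`, and to my knowledge Xen's ASSERT() is compiled out of non-debug builds. In a release hypervisor that leaves the two `end <` comparisons as the only runtime guard before the extended-signature loop, and `end` is itself computed from the blob's own `get_totalsize()`. The comment above the function should state the precondition, for example `/* The caller must already have run microcode_sanity_check() on the blob; the ASSERT() below is a debug-build reminder, not a runtime check. */`. The same precondition now applies to get_matching_microcode() in the following hunk, which forwards `mc` straight into this function; whether its callers validate first is not visible here. Separately, `uci` is only read and could be declared `const struct ucode_cpu_info *uci`.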
@@ -243,31 +269,12 @@ static int get_matching_microcode(const void *mc, unsigned int cpu)
 {
 struct ucode_cpu_info *uci = &per_cpu(ucode_cpu_info, cpu);
 const struct microcode_header_intel *mc_header = mc;
- const struct extended_sigtable *ext_header;
 unsigned long total_size = get_totalsize(mc_header);
- int ext_sigcount, i;
- struct extended_signature *ext_sig;
 void *new_mc;
 
- if ( microcode_update_match(cpu, mc_header,
- mc_header->sig, mc_header->pf) )
- goto find;
-
- if ( total_size <= (get_datasize(mc_header) + MC_HEADER_SIZE) )
+ if ( microcode_update_match(mc, cpu) != NEW_UCODE )
 return 0;
 
- ext_header = mc + get_datasize(mc_header) + MC_HEADER_SIZE;
- ext_sigcount = ext_header->count;
- ext_sig = (void *)ext_header + EXT_HEADER_SIZE;
- for ( i = 0; i < ext_sigcount; i++ )
- {
- if ( microcode_update_match(cpu, mc_header,
- ext_sig->sig, ext_sig->pf) )
- goto find;
- ext_sig++;
- }
- return 0;
- find:
 pr_debug("microcode: CPU%d found a matching microcode update with"
 " version %#x (current=%#x)\n",
 cpu, mc_header->rev, uci->cpu_sig.rev);
diff --git a/xen/include/asm-x86/microcode.h b/xen/include/asm-x86/microcode.h
index 23ea954..882f560 100644
--- a/xen/include/asm-x86/microcode.h
+++ b/xen/include/asm-x86/microcode.h
@@ -3,6 +3,12 @@
 
 #include <xen/percpu.h>
 
+enum microcode_match_result {
+ OLD_UCODE, /* signature matched, but revision id is older or equal */
+ NEW_UCODE, /* signature matched, but revision id is newer */
+ MIS_UCODE, /* signature mismatched */
+};
+
 struct cpu_signature;
 struct ucode_cpu_info;
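Review bot: The enumerator comments added to microcode.h do not quite say what the values mean: `NEW_UCODE` reads "signature matched, but revision id is newer" where "and" is meant, and the name `OLD_UCODE` hides that it also covers an equal revision. Suggested wording: `OLD_UCODE, /* signature matched, revision is not newer than the current one */` and `NEW_UCODE, /* signature matched and revision is newer */`. Because `OLD_UCODE` is the zero enumerator, a zero-initialised result variable would read as a signature match. If the common code this enum is intended for ever holds such a variable, listing `MIS_UCODE` first would make the default the rejecting value.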
to a more generic function. So that it can be used alone to check an update against the CPU signature and current update revision. Note that enum microcode_match_result will be used in common code (aka microcode.c), it has been placed in the common header. And constifying the parameter of microcode_sanity_check() such that it can be called by microcode_update_match(). Signed-off-by: Chao Gao <chao.gao@intel.com> --- Changes in v10: - Drop RBs - assert that microcode passed to microcode_update_match() would pass sanity check. Constify the parameter of microcode_sanity_check() Changes in v9: - microcode_update_match() doesn't accept (sig, pf, rev) any longer. Hence, it won't be used to compare two arbitrary updates. - rewrite patch description Changes in v8: - make sure enough room for an extended header and signature array Changes in v6: - eliminate unnecessary type casting in microcode_update_match - check if a patch has an extend header Changes in v5: - constify the extended_signature - use named enum type for the return value of microcode_update_match --- xen/arch/x86/microcode_intel.c | 75 ++++++++++++++++++++++------------------- xen/include/asm-x86/microcode.h | 6 ++++ 2 files changed, 47 insertions(+), 34 deletions(-)