1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * CPU Microcode Update Driver for Linux 4 * 5 * Copyright (C) 2000-2006 Tigran Aivazian <[email protected]> 6 * 2006 Shaohua Li <[email protected]> 7 * 2013-2016 Borislav Petkov <[email protected]> 8 * 9 * X86 CPU microcode early update for Linux: 10 * 11 * Copyright (C) 2012 Fenghua Yu <[email protected]> 12 * H Peter Anvin" <[email protected]> 13 * (C) 2015 Borislav Petkov <[email protected]> 14 * 15 * This driver allows to upgrade microcode on x86 processors. 16 */ 17 18 #define pr_fmt(fmt) "microcode: " fmt 19 20 #include <linux/platform_device.h> 21 #include <linux/stop_machine.h> 22 #include <linux/syscore_ops.h> 23 #include <linux/miscdevice.h> 24 #include <linux/capability.h> 25 #include <linux/firmware.h> 26 #include <linux/kernel.h> 27 #include <linux/delay.h> 28 #include <linux/mutex.h> 29 #include <linux/cpu.h> 30 #include <linux/nmi.h> 31 #include <linux/fs.h> 32 #include <linux/mm.h> 33 34 #include <asm/cpu_device_id.h> 35 #include <asm/perf_event.h> 36 #include <asm/processor.h> 37 #include <asm/cmdline.h> 38 #include <asm/setup.h> 39 40 #include "internal.h" 41 42 #define DRIVER_VERSION "2.2" 43 44 static struct microcode_ops *microcode_ops; 45 static bool dis_ucode_ldr = true; 46 47 bool initrd_gone; 48 49 LIST_HEAD(microcode_cache); 50 51 /* 52 * Synchronization. 53 * 54 * All non cpu-hotplug-callback call sites use: 55 * 56 * - cpus_read_lock/unlock() to synchronize with 57 * the cpu-hotplug-callback call sites. 58 * 59 * We guarantee that only a single cpu is being 60 * updated at any particular moment of time. 61 */ 62 struct ucode_cpu_info ucode_cpu_info[NR_CPUS]; 63 64 struct cpu_info_ctx { 65 struct cpu_signature *cpu_sig; 66 int err; 67 }; 68 69 /* 70 * Those patch levels cannot be updated to newer ones and thus should be final. 71 */ 72 static u32 final_levels[] = { 73 0x01000098, 74 0x0100009f, 75 0x010000af, 76 0, /* T-101 terminator */ 77 }; 78 79 /* 80 * Check the current patch level on this CPU. 81 * 82 * Returns: 83 * - true: if update should stop 84 * - false: otherwise 85 */ 86 static bool amd_check_current_patch_level(void) 87 { 88 u32 lvl, dummy, i; 89 u32 *levels; 90 91 native_rdmsr(MSR_AMD64_PATCH_LEVEL, lvl, dummy); 92 93 levels = final_levels; 94 95 for (i = 0; levels[i]; i++) { 96 if (lvl == levels[i]) 97 return true; 98 } 99 return false; 100 } 101 102 static bool __init check_loader_disabled_bsp(void) 103 { 104 static const char *__dis_opt_str = "dis_ucode_ldr"; 105 const char *cmdline = boot_command_line; 106 const char *option = __dis_opt_str; 107 108 /* 109 * CPUID(1).ECX[31]: reserved for hypervisor use. This is still not 110 * completely accurate as xen pv guests don't see that CPUID bit set but 111 * that's good enough as they don't land on the BSP path anyway. 112 */ 113 if (native_cpuid_ecx(1) & BIT(31)) 114 return true; 115 116 if (x86_cpuid_vendor() == X86_VENDOR_AMD) { 117 if (amd_check_current_patch_level()) 118 return true; 119 } 120 121 if (cmdline_find_option_bool(cmdline, option) <= 0) 122 dis_ucode_ldr = false; 123 124 return dis_ucode_ldr; 125 } 126 127 void __init load_ucode_bsp(void) 128 { 129 unsigned int cpuid_1_eax; 130 bool intel = true; 131 132 if (!have_cpuid_p()) 133 return; 134 135 cpuid_1_eax = native_cpuid_eax(1); 136 137 switch (x86_cpuid_vendor()) { 138 case X86_VENDOR_INTEL: 139 if (x86_family(cpuid_1_eax) < 6) 140 return; 141 break; 142 143 case X86_VENDOR_AMD: 144 if (x86_family(cpuid_1_eax) < 0x10) 145 return; 146 intel = false; 147 break; 148 149 default: 150 return; 151 } 152 153 if (check_loader_disabled_bsp()) 154 return; 155 156 if (intel) 157 load_ucode_intel_bsp(); 158 else 159 load_ucode_amd_early(cpuid_1_eax); 160 } 161 162 void load_ucode_ap(void) 163 { 164 unsigned int cpuid_1_eax; 165 166 if (dis_ucode_ldr) 167 return; 168 169 cpuid_1_eax = native_cpuid_eax(1); 170 171 switch (x86_cpuid_vendor()) { 172 case X86_VENDOR_INTEL: 173 if (x86_family(cpuid_1_eax) >= 6) 174 load_ucode_intel_ap(); 175 break; 176 case X86_VENDOR_AMD: 177 if (x86_family(cpuid_1_eax) >= 0x10) 178 load_ucode_amd_early(cpuid_1_eax); 179 break; 180 default: 181 break; 182 } 183 } 184 185 static int __init save_microcode_in_initrd(void) 186 { 187 struct cpuinfo_x86 *c = &boot_cpu_data; 188 int ret = -EINVAL; 189 190 switch (c->x86_vendor) { 191 case X86_VENDOR_INTEL: 192 if (c->x86 >= 6) 193 ret = save_microcode_in_initrd_intel(); 194 break; 195 case X86_VENDOR_AMD: 196 if (c->x86 >= 0x10) 197 ret = save_microcode_in_initrd_amd(cpuid_eax(1)); 198 break; 199 default: 200 break; 201 } 202 203 initrd_gone = true; 204 205 return ret; 206 } 207 208 struct cpio_data find_microcode_in_initrd(const char *path) 209 { 210 #ifdef CONFIG_BLK_DEV_INITRD 211 unsigned long start = 0; 212 size_t size; 213 214 #ifdef CONFIG_X86_32 215 size = boot_params.hdr.ramdisk_size; 216 /* Early load on BSP has a temporary mapping. */ 217 if (size) 218 start = initrd_start_early; 219 220 #else /* CONFIG_X86_64 */ 221 size = (unsigned long)boot_params.ext_ramdisk_size << 32; 222 size |= boot_params.hdr.ramdisk_size; 223 224 if (size) { 225 start = (unsigned long)boot_params.ext_ramdisk_image << 32; 226 start |= boot_params.hdr.ramdisk_image; 227 start += PAGE_OFFSET; 228 } 229 #endif 230 231 /* 232 * Fixup the start address: after reserve_initrd() runs, initrd_start 233 * has the virtual address of the beginning of the initrd. It also 234 * possibly relocates the ramdisk. In either case, initrd_start contains 235 * the updated address so use that instead. 236 * 237 * initrd_gone is for the hotplug case where we've thrown out initrd 238 * already. 239 */ 240 if (initrd_gone) 241 return (struct cpio_data){ NULL, 0, "" }; 242 if (initrd_start) 243 start = initrd_start; 244 245 return find_cpio_data(path, (void *)start, size, NULL); 246 #else /* !CONFIG_BLK_DEV_INITRD */ 247 return (struct cpio_data){ NULL, 0, "" }; 248 #endif 249 } 250 251 static void reload_early_microcode(unsigned int cpu) 252 { 253 int vendor, family; 254 255 vendor = x86_cpuid_vendor(); 256 family = x86_cpuid_family(); 257 258 switch (vendor) { 259 case X86_VENDOR_INTEL: 260 if (family >= 6) 261 reload_ucode_intel(); 262 break; 263 case X86_VENDOR_AMD: 264 if (family >= 0x10) 265 reload_ucode_amd(cpu); 266 break; 267 default: 268 break; 269 } 270 } 271 272 /* fake device for request_firmware */ 273 static struct platform_device *microcode_pdev; 274 275 #ifdef CONFIG_MICROCODE_LATE_LOADING 276 /* 277 * Late loading dance. Why the heavy-handed stomp_machine effort? 278 * 279 * - HT siblings must be idle and not execute other code while the other sibling 280 * is loading microcode in order to avoid any negative interactions caused by 281 * the loading. 282 * 283 * - In addition, microcode update on the cores must be serialized until this 284 * requirement can be relaxed in the future. Right now, this is conservative 285 * and good. 286 */ 287 #define SPINUNIT 100 /* 100 nsec */ 288 289 static int check_online_cpus(void) 290 { 291 unsigned int cpu; 292 293 /* 294 * Make sure all CPUs are online. It's fine for SMT to be disabled if 295 * all the primary threads are still online. 296 */ 297 for_each_present_cpu(cpu) { 298 if (topology_is_primary_thread(cpu) && !cpu_online(cpu)) { 299 pr_err("Not all CPUs online, aborting microcode update.\n"); 300 return -EINVAL; 301 } 302 } 303 304 return 0; 305 } 306 307 static atomic_t late_cpus_in; 308 static atomic_t late_cpus_out; 309 310 static int __wait_for_cpus(atomic_t *t, long long timeout) 311 { 312 int all_cpus = num_online_cpus(); 313 314 atomic_inc(t); 315 316 while (atomic_read(t) < all_cpus) { 317 if (timeout < SPINUNIT) { 318 pr_err("Timeout while waiting for CPUs rendezvous, remaining: %d\n", 319 all_cpus - atomic_read(t)); 320 return 1; 321 } 322 323 ndelay(SPINUNIT); 324 timeout -= SPINUNIT; 325 326 touch_nmi_watchdog(); 327 } 328 return 0; 329 } 330 331 /* 332 * Returns: 333 * < 0 - on error 334 * 0 - success (no update done or microcode was updated) 335 */ 336 static int __reload_late(void *info) 337 { 338 int cpu = smp_processor_id(); 339 enum ucode_state err; 340 int ret = 0; 341 342 /* 343 * Wait for all CPUs to arrive. A load will not be attempted unless all 344 * CPUs show up. 345 * */ 346 if (__wait_for_cpus(&late_cpus_in, NSEC_PER_SEC)) 347 return -1; 348 349 /* 350 * On an SMT system, it suffices to load the microcode on one sibling of 351 * the core because the microcode engine is shared between the threads. 352 * Synchronization still needs to take place so that no concurrent 353 * loading attempts happen on multiple threads of an SMT core. See 354 * below. 355 */ 356 if (cpumask_first(topology_sibling_cpumask(cpu)) == cpu) 357 err = microcode_ops->apply_microcode(cpu); 358 else 359 goto wait_for_siblings; 360 361 if (err >= UCODE_NFOUND) { 362 if (err == UCODE_ERROR) { 363 pr_warn("Error reloading microcode on CPU %d\n", cpu); 364 ret = -1; 365 } 366 } 367 368 wait_for_siblings: 369 if (__wait_for_cpus(&late_cpus_out, NSEC_PER_SEC)) 370 panic("Timeout during microcode update!\n"); 371 372 /* 373 * At least one thread has completed update on each core. 374 * For others, simply call the update to make sure the 375 * per-cpu cpuinfo can be updated with right microcode 376 * revision. 377 */ 378 if (cpumask_first(topology_sibling_cpumask(cpu)) != cpu) 379 err = microcode_ops->apply_microcode(cpu); 380 381 return ret; 382 } 383 384 /* 385 * Reload microcode late on all CPUs. Wait for a sec until they 386 * all gather together. 387 */ 388 static int microcode_reload_late(void) 389 { 390 int old = boot_cpu_data.microcode, ret; 391 struct cpuinfo_x86 prev_info; 392 393 pr_err("Attempting late microcode loading - it is dangerous and taints the kernel.\n"); 394 pr_err("You should switch to early loading, if possible.\n"); 395 396 atomic_set(&late_cpus_in, 0); 397 atomic_set(&late_cpus_out, 0); 398 399 /* 400 * Take a snapshot before the microcode update in order to compare and 401 * check whether any bits changed after an update. 402 */ 403 store_cpu_caps(&prev_info); 404 405 ret = stop_machine_cpuslocked(__reload_late, NULL, cpu_online_mask); 406 if (!ret) { 407 pr_info("Reload succeeded, microcode revision: 0x%x -> 0x%x\n", 408 old, boot_cpu_data.microcode); 409 microcode_check(&prev_info); 410 } else { 411 pr_info("Reload failed, current microcode revision: 0x%x\n", 412 boot_cpu_data.microcode); 413 } 414 415 return ret; 416 } 417 418 static ssize_t reload_store(struct device *dev, 419 struct device_attribute *attr, 420 const char *buf, size_t size) 421 { 422 enum ucode_state tmp_ret = UCODE_OK; 423 int bsp = boot_cpu_data.cpu_index; 424 unsigned long val; 425 ssize_t ret = 0; 426 427 ret = kstrtoul(buf, 0, &val); 428 if (ret || val != 1) 429 return -EINVAL; 430 431 cpus_read_lock(); 432 433 ret = check_online_cpus(); 434 if (ret) 435 goto put; 436 437 tmp_ret = microcode_ops->request_microcode_fw(bsp, µcode_pdev->dev); 438 if (tmp_ret != UCODE_NEW) 439 goto put; 440 441 ret = microcode_reload_late(); 442 put: 443 cpus_read_unlock(); 444 445 if (ret == 0) 446 ret = size; 447 448 add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK); 449 450 return ret; 451 } 452 453 static DEVICE_ATTR_WO(reload); 454 #endif 455 456 static ssize_t version_show(struct device *dev, 457 struct device_attribute *attr, char *buf) 458 { 459 struct ucode_cpu_info *uci = ucode_cpu_info + dev->id; 460 461 return sprintf(buf, "0x%x\n", uci->cpu_sig.rev); 462 } 463 464 static ssize_t processor_flags_show(struct device *dev, 465 struct device_attribute *attr, char *buf) 466 { 467 struct ucode_cpu_info *uci = ucode_cpu_info + dev->id; 468 469 return sprintf(buf, "0x%x\n", uci->cpu_sig.pf); 470 } 471 472 static DEVICE_ATTR_RO(version); 473 static DEVICE_ATTR_RO(processor_flags); 474 475 static struct attribute *mc_default_attrs[] = { 476 &dev_attr_version.attr, 477 &dev_attr_processor_flags.attr, 478 NULL 479 }; 480 481 static const struct attribute_group mc_attr_group = { 482 .attrs = mc_default_attrs, 483 .name = "microcode", 484 }; 485 486 static void microcode_fini_cpu(int cpu) 487 { 488 if (microcode_ops->microcode_fini_cpu) 489 microcode_ops->microcode_fini_cpu(cpu); 490 } 491 492 static enum ucode_state microcode_init_cpu(int cpu) 493 { 494 struct ucode_cpu_info *uci = ucode_cpu_info + cpu; 495 496 memset(uci, 0, sizeof(*uci)); 497 498 microcode_ops->collect_cpu_info(cpu, &uci->cpu_sig); 499 500 return microcode_ops->apply_microcode(cpu); 501 } 502 503 /** 504 * microcode_bsp_resume - Update boot CPU microcode during resume. 505 */ 506 void microcode_bsp_resume(void) 507 { 508 int cpu = smp_processor_id(); 509 struct ucode_cpu_info *uci = ucode_cpu_info + cpu; 510 511 if (uci->mc) 512 microcode_ops->apply_microcode(cpu); 513 else 514 reload_early_microcode(cpu); 515 } 516 517 static struct syscore_ops mc_syscore_ops = { 518 .resume = microcode_bsp_resume, 519 }; 520 521 static int mc_cpu_starting(unsigned int cpu) 522 { 523 enum ucode_state err = microcode_ops->apply_microcode(cpu); 524 525 pr_debug("%s: CPU%d, err: %d\n", __func__, cpu, err); 526 527 return err == UCODE_ERROR; 528 } 529 530 static int mc_cpu_online(unsigned int cpu) 531 { 532 struct device *dev = get_cpu_device(cpu); 533 534 if (sysfs_create_group(&dev->kobj, &mc_attr_group)) 535 pr_err("Failed to create group for CPU%d\n", cpu); 536 return 0; 537 } 538 539 static int mc_cpu_down_prep(unsigned int cpu) 540 { 541 struct device *dev; 542 543 dev = get_cpu_device(cpu); 544 545 microcode_fini_cpu(cpu); 546 547 /* Suspend is in progress, only remove the interface */ 548 sysfs_remove_group(&dev->kobj, &mc_attr_group); 549 pr_debug("%s: CPU%d\n", __func__, cpu); 550 551 return 0; 552 } 553 554 static void setup_online_cpu(struct work_struct *work) 555 { 556 int cpu = smp_processor_id(); 557 enum ucode_state err; 558 559 err = microcode_init_cpu(cpu); 560 if (err == UCODE_ERROR) { 561 pr_err("Error applying microcode on CPU%d\n", cpu); 562 return; 563 } 564 565 mc_cpu_online(cpu); 566 } 567 568 static struct attribute *cpu_root_microcode_attrs[] = { 569 #ifdef CONFIG_MICROCODE_LATE_LOADING 570 &dev_attr_reload.attr, 571 #endif 572 NULL 573 }; 574 575 static const struct attribute_group cpu_root_microcode_group = { 576 .name = "microcode", 577 .attrs = cpu_root_microcode_attrs, 578 }; 579 580 static int __init microcode_init(void) 581 { 582 struct device *dev_root; 583 struct cpuinfo_x86 *c = &boot_cpu_data; 584 int error; 585 586 if (dis_ucode_ldr) 587 return -EINVAL; 588 589 if (c->x86_vendor == X86_VENDOR_INTEL) 590 microcode_ops = init_intel_microcode(); 591 else if (c->x86_vendor == X86_VENDOR_AMD) 592 microcode_ops = init_amd_microcode(); 593 else 594 pr_err("no support for this CPU vendor\n"); 595 596 if (!microcode_ops) 597 return -ENODEV; 598 599 microcode_pdev = platform_device_register_simple("microcode", -1, NULL, 0); 600 if (IS_ERR(microcode_pdev)) 601 return PTR_ERR(microcode_pdev); 602 603 dev_root = bus_get_dev_root(&cpu_subsys); 604 if (dev_root) { 605 error = sysfs_create_group(&dev_root->kobj, &cpu_root_microcode_group); 606 put_device(dev_root); 607 if (error) { 608 pr_err("Error creating microcode group!\n"); 609 goto out_pdev; 610 } 611 } 612 613 /* Do per-CPU setup */ 614 schedule_on_each_cpu(setup_online_cpu); 615 616 register_syscore_ops(&mc_syscore_ops); 617 cpuhp_setup_state_nocalls(CPUHP_AP_MICROCODE_LOADER, "x86/microcode:starting", 618 mc_cpu_starting, NULL); 619 cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN, "x86/microcode:online", 620 mc_cpu_online, mc_cpu_down_prep); 621 622 pr_info("Microcode Update Driver: v%s.", DRIVER_VERSION); 623 624 return 0; 625 626 out_pdev: 627 platform_device_unregister(microcode_pdev); 628 return error; 629 630 } 631 fs_initcall(save_microcode_in_initrd); 632 late_initcall(microcode_init); 633