// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * CPU Microcode Update Driver for Linux
 *
 * Copyright (C) 2000-2006 Tigran Aivazian <aivazian.tigran@gmail.com>
 *               2006      Shaohua Li <shaohua.li@intel.com>
 *               2013-2016 Borislav Petkov <bp@alien8.de>
 *
 * X86 CPU microcode early update for Linux:
 *
 *      Copyright (C) 2012 Fenghua Yu <fenghua.yu@intel.com>
 *                         H Peter Anvin <hpa@zytor.com>
 *                    (C) 2015 Borislav Petkov <bp@alien8.de>
 *
 * This driver allows updating the microcode on x86 processors.
 */

#define pr_fmt(fmt) "microcode: " fmt

#include <linux/stop_machine.h>
#include <linux/device/faux.h>
#include <linux/syscore_ops.h>
#include <linux/miscdevice.h>
#include <linux/capability.h>
#include <linux/firmware.h>
#include <linux/cpumask.h>
#include <linux/kernel.h>
#include <linux/delay.h>
#include <linux/mutex.h>
#include <linux/cpu.h>
#include <linux/nmi.h>
#include <linux/fs.h>
#include <linux/mm.h>

#include <asm/apic.h>
#include <asm/cpu_device_id.h>
#include <asm/perf_event.h>
#include <asm/processor.h>
#include <asm/cmdline.h>
#include <asm/msr.h>
#include <asm/setup.h>

#include "internal.h"

static struct microcode_ops *microcode_ops;
static bool dis_ucode_ldr;

bool force_minrev = IS_ENABLED(CONFIG_MICROCODE_LATE_FORCE_MINREV);

/*
 * The declarations below should be behind CONFIG_MICROCODE_DBG ifdeffery,
 * but in order to not uglify the code with ifdefs they are left in
 * unconditionally and the uses are guarded with IS_ENABLED() instead.
 * When microcode debugging is not enabled, they are meaningless anyway.
 */
/* base microcode revision for debugging */
u32 base_rev;
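/* per-CPU microcode revisions, only meaningful with microcode debugging */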
u32 microcode_rev[NR_CPUS] = {};

bool hypervisor_present;

/*
 * Synchronization.
 *
 * All non-cpu-hotplug-callback call sites use:
 *
 * - cpus_read_lock/unlock() to synchronize with
 *   the cpu-hotplug-callback call sites.
 *
 * We guarantee that only a single CPU is being
 * updated at any given time.
 */
struct ucode_cpu_info ucode_cpu_info[NR_CPUS];

/*
 * These patch levels cannot be updated to newer ones and thus should be final.
 */
static u32 final_levels[] = {
	0x01000098,
	0x0100009f,
	0x010000af,
	0, /* T-101 terminator */
};

struct early_load_data early_data;

/*
 * Check the current patch level on this CPU.
 *
 * Returns:
 *  - true: if update should stop
 *  - false: otherwise
 */
static bool amd_check_current_patch_level(void)
{
	u32 lvl, dummy, i;
	u32 *levels;

	if (x86_cpuid_vendor() != X86_VENDOR_AMD)
		return false;

	native_rdmsr(MSR_AMD64_PATCH_LEVEL, lvl, dummy);

	levels = final_levels;

	for (i = 0; levels[i]; i++) {
		if (lvl == levels[i])
			return true;
	}
	return false;
}

bool __init microcode_loader_disabled(void)
{
	if (dis_ucode_ldr)
		return true;

	/*
	 * Disable when:
	 *
	 * 1) The CPU does not support CPUID.
	 */
	if (!cpuid_feature()) {
		dis_ucode_ldr = true;
		return dis_ucode_ldr;
	}

	/*
	 * 2) Bit 31 in CPUID[1]:ECX is set
	 *    The bit is reserved for hypervisor use. This is still not
	 *    completely accurate as XEN PV guests don't see that CPUID bit
	 *    set, but that's good enough as they don't land on the BSP
	 *    path anyway.
	 *
	 * 3) Certain AMD patch levels are not allowed to be
	 *    overwritten.
	 */
	hypervisor_present = native_cpuid_ecx(1) & BIT(31);

	if ((hypervisor_present && !IS_ENABLED(CONFIG_MICROCODE_DBG)) ||
	    amd_check_current_patch_level())
		dis_ucode_ldr = true;

	return dis_ucode_ldr;
}

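/*
 * Parse the "microcode=" kernel command line options handled below. From the
 * code, the recognized forms are (illustrative examples, not an exhaustive
 * spec):
 *
 *   microcode=dis_ucode_ldr       - disable the loader
 *   microcode=force_minrev        - enforce the minimal revision check
 *   microcode=base_rev=<hex rev>  - debug option, only honored with
 *                                   CONFIG_MICROCODE_DBG=y
 *
 * Options can be combined, e.g. "microcode=force_minrev,dis_ucode_ldr".
 */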
static void __init early_parse_cmdline(void)
{
	char cmd_buf[64] = {};
	char *s, *p = cmd_buf;

	if (cmdline_find_option(boot_command_line, "microcode", cmd_buf, sizeof(cmd_buf)) > 0) {
		while ((s = strsep(&p, ","))) {
			if (IS_ENABLED(CONFIG_MICROCODE_DBG)) {
				if (strstr(s, "base_rev=")) {
					/* advance to the option arg */
					strsep(&s, "=");
					/* malformed values are ignored */
					if (kstrtouint(s, 16, &base_rev)) { ; }
				}
			}

			if (!strcmp("force_minrev", s))
				force_minrev = true;

			if (!strcmp(s, "dis_ucode_ldr"))
				dis_ucode_ldr = true;
		}
	}

	/* old, compat option */
	if (cmdline_find_option_bool(boot_command_line, "dis_ucode_ldr") > 0)
		dis_ucode_ldr = true;
}

void __init load_ucode_bsp(void)
{
	unsigned int cpuid_1_eax;
	bool intel = true;

	early_parse_cmdline();

	if (microcode_loader_disabled())
		return;

	cpuid_1_eax = native_cpuid_eax(1);

	switch (x86_cpuid_vendor()) {
	case X86_VENDOR_INTEL:
		if (x86_family(cpuid_1_eax) < 6)
			return;
		break;

	case X86_VENDOR_AMD:
		if (x86_family(cpuid_1_eax) < 0x10)
			return;
		intel = false;
		break;

	default:
		return;
	}

	if (intel)
		load_ucode_intel_bsp(&early_data);
	else
		load_ucode_amd_bsp(&early_data, cpuid_1_eax);
}

void load_ucode_ap(void)
{
	unsigned int cpuid_1_eax;

	/*
	 * Can't use microcode_loader_disabled() here - .init section
	 * hell. It doesn't need to either - the BSP variant has parsed
	 * the cmdline already anyway.
	 */
	if (dis_ucode_ldr)
		return;

	cpuid_1_eax = native_cpuid_eax(1);

	switch (x86_cpuid_vendor()) {
	case X86_VENDOR_INTEL:
		if (x86_family(cpuid_1_eax) >= 6)
			load_ucode_intel_ap();
		break;
	case X86_VENDOR_AMD:
		if (x86_family(cpuid_1_eax) >= 0x10)
			load_ucode_amd_ap(cpuid_1_eax);
		break;
	default:
		break;
	}
}

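/*
 * The @path argument names a file inside the initrd cpio archive. By
 * convention (see Documentation/arch/x86/microcode.rst) the vendor drivers
 * pass paths of the form "kernel/x86/microcode/GenuineIntel.bin" or
 * "kernel/x86/microcode/AuthenticAMD.bin".
 */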
struct cpio_data __init find_microcode_in_initrd(const char *path)
{
#ifdef CONFIG_BLK_DEV_INITRD
	unsigned long start = 0;
	size_t size;

#ifdef CONFIG_X86_32
	size = boot_params.hdr.ramdisk_size;
	/* Early load on BSP has a temporary mapping. */
	if (size)
		start = initrd_start_early;

#else /* CONFIG_X86_64 */
	size  = (unsigned long)boot_params.ext_ramdisk_size << 32;
	size |= boot_params.hdr.ramdisk_size;

	if (size) {
		start  = (unsigned long)boot_params.ext_ramdisk_image << 32;
		start |= boot_params.hdr.ramdisk_image;
		start += PAGE_OFFSET;
	}
#endif

	/*
	 * Fixup the start address: after reserve_initrd() runs, initrd_start
	 * has the virtual address of the beginning of the initrd. It also
	 * possibly relocates the ramdisk. In either case, initrd_start contains
	 * the updated address so use that instead.
	 */
	if (initrd_start)
		start = initrd_start;

	return find_cpio_data(path, (void *)start, size, NULL);
#else /* !CONFIG_BLK_DEV_INITRD */
	return (struct cpio_data){ NULL, 0, "" };
#endif
}

static void reload_early_microcode(unsigned int cpu)
{
	int vendor, family;

	vendor = x86_cpuid_vendor();
	family = x86_cpuid_family();

	switch (vendor) {
	case X86_VENDOR_INTEL:
		if (family >= 6)
			reload_ucode_intel();
		break;
	case X86_VENDOR_AMD:
		if (family >= 0x10)
			reload_ucode_amd(cpu);
		break;
	default:
		break;
	}
}

/* fake device for request_firmware() */
static struct faux_device *microcode_fdev;

#ifdef CONFIG_MICROCODE_LATE_LOADING
/*
 * Late loading dance. Why the heavy-handed stop_machine() effort?
 *
 * - HT siblings must be idle and not execute other code while the other sibling
 *   is loading microcode in order to avoid any negative interactions caused by
 *   the loading.
 *
 * - In addition, microcode update on the cores must be serialized until this
 *   requirement can be relaxed in the future. Right now, this is conservative
 *   and good.
 */
enum sibling_ctrl {
	/* Spinwait with timeout */
	SCTRL_WAIT,
	/* Invoke the apply_microcode() callback */
	SCTRL_APPLY,
	/* Proceed without invoking the apply_microcode() callback */
	SCTRL_DONE,
};

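/*
 * A sketch of how the control states are driven, as implemented by
 * load_primary()/load_secondary() below:
 *
 *   control CPU:  starts in SCTRL_WAIT, applies the update itself, moves to
 *                 SCTRL_DONE and then flips each sibling to SCTRL_APPLY (on
 *                 success) or SCTRL_DONE (on failure).
 *   sibling CPU:  spinwaits in SCTRL_WAIT until the control CPU advances it,
 *                 then either applies the update or copies the control CPU's
 *                 result.
 */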
struct microcode_ctrl {
	enum sibling_ctrl	ctrl;		/* control state of this CPU */
	enum ucode_state	result;		/* per-CPU update result */
	unsigned int		ctrl_cpu;	/* controlling CPU of this core */
	bool			nmi_enabled;	/* NMI rendezvous handler armed */
};

DEFINE_STATIC_KEY_FALSE(microcode_nmi_handler_enable);
static DEFINE_PER_CPU(struct microcode_ctrl, ucode_ctrl);
static atomic_t late_cpus_in, offline_in_nmi;
static unsigned int loops_per_usec;
static cpumask_t cpu_offline_mask;

static noinstr bool wait_for_cpus(atomic_t *cnt)
{
	unsigned int timeout, loops;

	WARN_ON_ONCE(raw_atomic_dec_return(cnt) < 0);

	for (timeout = 0; timeout < USEC_PER_SEC; timeout++) {
		if (!raw_atomic_read(cnt))
			return true;

		for (loops = 0; loops < loops_per_usec; loops++)
			cpu_relax();

		/* If invoked directly, tickle the NMI watchdog */
		if (!microcode_ops->use_nmi && !(timeout % USEC_PER_MSEC)) {
			instrumentation_begin();
			touch_nmi_watchdog();
			instrumentation_end();
		}
	}
	/* Prevent the latecomers from making progress and let them time out */
	raw_atomic_inc(cnt);
	return false;
}

static noinstr bool wait_for_ctrl(void)
{
	unsigned int timeout, loops;

	for (timeout = 0; timeout < USEC_PER_SEC; timeout++) {
		if (raw_cpu_read(ucode_ctrl.ctrl) != SCTRL_WAIT)
			return true;

		for (loops = 0; loops < loops_per_usec; loops++)
			cpu_relax();

		/* If invoked directly, tickle the NMI watchdog */
		if (!microcode_ops->use_nmi && !(timeout % USEC_PER_MSEC)) {
			instrumentation_begin();
			touch_nmi_watchdog();
			instrumentation_end();
		}
	}
	return false;
}

/*
 * Protected against instrumentation up to the point where the primary
 * thread completed the update. See microcode_nmi_handler() for details.
 */
static noinstr bool load_secondary_wait(unsigned int ctrl_cpu)
{
	/* Initial rendezvous to ensure that all CPUs have arrived */
	if (!wait_for_cpus(&late_cpus_in)) {
		raw_cpu_write(ucode_ctrl.result, UCODE_TIMEOUT);
		return false;
	}

	/*
	 * Wait for primary threads to complete. If one of them hangs due
	 * to the update, there is no way out. This is non-recoverable
	 * because the CPU might hold locks or resources and confuse the
	 * scheduler, watchdogs etc. There is no way to safely evacuate the
	 * machine.
	 */
	if (wait_for_ctrl())
		return true;

	instrumentation_begin();
	panic("Microcode load: Primary CPU %d timed out\n", ctrl_cpu);
	instrumentation_end();
}

/*
 * Protected against instrumentation up to the point where the primary
 * thread completed the update. See microcode_nmi_handler() for details.
 */
static noinstr void load_secondary(unsigned int cpu)
{
	unsigned int ctrl_cpu = raw_cpu_read(ucode_ctrl.ctrl_cpu);
	enum ucode_state ret;

	if (!load_secondary_wait(ctrl_cpu)) {
		instrumentation_begin();
		pr_err_once("load: %d CPUs timed out\n",
			    atomic_read(&late_cpus_in) - 1);
		instrumentation_end();
		return;
	}

	/* Primary thread completed. Allow invoking instrumentable code */
	instrumentation_begin();
	/*
	 * If the primary succeeded then invoke the apply() callback,
	 * otherwise copy the state from the primary thread.
	 */
	if (this_cpu_read(ucode_ctrl.ctrl) == SCTRL_APPLY)
		ret = microcode_ops->apply_microcode(cpu);
	else
		ret = per_cpu(ucode_ctrl.result, ctrl_cpu);

	this_cpu_write(ucode_ctrl.result, ret);
	this_cpu_write(ucode_ctrl.ctrl, SCTRL_DONE);
	instrumentation_end();
}

static void __load_primary(unsigned int cpu)
{
	struct cpumask *secondaries = topology_sibling_cpumask(cpu);
	enum sibling_ctrl ctrl;
	enum ucode_state ret;
	unsigned int sibling;

	/* Initial rendezvous to ensure that all CPUs have arrived */
	if (!wait_for_cpus(&late_cpus_in)) {
		this_cpu_write(ucode_ctrl.result, UCODE_TIMEOUT);
		pr_err_once("load: %d CPUs timed out\n", atomic_read(&late_cpus_in) - 1);
		return;
	}

	ret = microcode_ops->apply_microcode(cpu);
	this_cpu_write(ucode_ctrl.result, ret);
	this_cpu_write(ucode_ctrl.ctrl, SCTRL_DONE);

	/*
	 * If the update was successful, let the siblings run the apply()
	 * callback. If not, tell them it's done. This also covers the
	 * case where the CPU has uniform loading at package or system
	 * scope implemented but does not advertise it.
	 */
	if (ret == UCODE_UPDATED || ret == UCODE_OK)
		ctrl = SCTRL_APPLY;
	else
		ctrl = SCTRL_DONE;

	for_each_cpu(sibling, secondaries) {
		if (sibling != cpu)
			per_cpu(ucode_ctrl.ctrl, sibling) = ctrl;
	}
}

static bool kick_offline_cpus(unsigned int nr_offl)
{
	unsigned int cpu, timeout;

	for_each_cpu(cpu, &cpu_offline_mask) {
		/* Enable the rendezvous handler and send NMI */
		per_cpu(ucode_ctrl.nmi_enabled, cpu) = true;
		apic_send_nmi_to_offline_cpu(cpu);
	}

	/* Wait for them to arrive */
	for (timeout = 0; timeout < (USEC_PER_SEC / 2); timeout++) {
		if (atomic_read(&offline_in_nmi) == nr_offl)
			return true;
		udelay(1);
	}
	/* Let the others time out */
	return false;
}

static void release_offline_cpus(void)
{
	unsigned int cpu;

	for_each_cpu(cpu, &cpu_offline_mask)
		per_cpu(ucode_ctrl.ctrl, cpu) = SCTRL_DONE;
}

static void load_primary(unsigned int cpu)
{
	unsigned int nr_offl = cpumask_weight(&cpu_offline_mask);
	bool proceed = true;

	/* Kick soft-offlined SMT siblings if required */
	if (!cpu && nr_offl)
		proceed = kick_offline_cpus(nr_offl);

	/* If the soft-offlined CPUs did not respond, abort */
	if (proceed)
		__load_primary(cpu);

	/* Unconditionally release soft-offlined SMT siblings if required */
	if (!cpu && nr_offl)
		release_offline_cpus();
}

/*
 * Minimal stub rendezvous handler for soft-offlined CPUs which participate
 * in the NMI rendezvous to protect against a concurrent NMI on affected
 * CPUs.
 */
void noinstr microcode_offline_nmi_handler(void)
{
	if (!raw_cpu_read(ucode_ctrl.nmi_enabled))
		return;
	raw_cpu_write(ucode_ctrl.nmi_enabled, false);
	raw_cpu_write(ucode_ctrl.result, UCODE_OFFLINE);
	raw_atomic_inc(&offline_in_nmi);
	wait_for_ctrl();
}

static noinstr bool microcode_update_handler(void)
{
	unsigned int cpu = raw_smp_processor_id();

	if (raw_cpu_read(ucode_ctrl.ctrl_cpu) == cpu) {
		instrumentation_begin();
		load_primary(cpu);
		instrumentation_end();
	} else {
		load_secondary(cpu);
	}

	instrumentation_begin();
	touch_nmi_watchdog();
	instrumentation_end();

	return true;
}

/*
 * Protection against instrumentation is required for CPUs which are not
 * safe against an NMI which is delivered to the secondary SMT sibling
 * while the primary thread updates the microcode. Instrumentation can end
 * up in #INT3, #DB and #PF. The IRET from those exceptions re-enables NMI,
 * which is the opposite of what the NMI rendezvous is trying to achieve.
 *
 * The primary thread is safe versus instrumentation as the actual
 * microcode update handles this correctly. It's only the sibling code
 * path which must be NMI safe until the primary thread completed the
 * update.
 */
bool noinstr microcode_nmi_handler(void)
{
	if (!raw_cpu_read(ucode_ctrl.nmi_enabled))
		return false;

	raw_cpu_write(ucode_ctrl.nmi_enabled, false);
	return microcode_update_handler();
}

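/*
 * stop_machine() callback, executed on every online CPU. With ->use_nmi set,
 * the CPU arms its NMI rendezvous handler and sends an NMI to itself so that
 * the actual update runs in NMI context, shielded from other NMIs.
 */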
static int load_cpus_stopped(void *unused)
{
	if (microcode_ops->use_nmi) {
		/* Enable the NMI handler and raise NMI */
		this_cpu_write(ucode_ctrl.nmi_enabled, true);
		apic->send_IPI(smp_processor_id(), NMI_VECTOR);
	} else {
		/* Just invoke the handler directly */
		microcode_update_handler();
	}
	return 0;
}

static int load_late_stop_cpus(bool is_safe)
{
	unsigned int cpu, updated = 0, failed = 0, timedout = 0, siblings = 0;
	unsigned int nr_offl, offline = 0;
	int old_rev = boot_cpu_data.microcode;
	struct cpuinfo_x86 prev_info;

	if (!is_safe) {
		pr_err("Late microcode loading without minimal revision check.\n");
		pr_err("You should switch to early loading, if possible.\n");
	}

	/*
	 * Pre-load the microcode image into a staging device. This
	 * process is preemptible and does not require stopping CPUs.
	 * Successful staging simplifies the subsequent late-loading
	 * process, reducing rendezvous time.
	 *
	 * Even if the transfer fails, the update will proceed as usual.
	 */
	if (microcode_ops->use_staging)
		microcode_ops->stage_microcode();

	atomic_set(&late_cpus_in, num_online_cpus());
	atomic_set(&offline_in_nmi, 0);
	/* Derive the spinwait calibration from the per-jiffy value */
	loops_per_usec = loops_per_jiffy / (TICK_NSEC / 1000);

	/*
	 * Take a snapshot before the microcode update in order to compare and
	 * check whether any bits changed after an update.
	 */
	store_cpu_caps(&prev_info);

	if (microcode_ops->use_nmi)
		static_branch_enable_cpuslocked(&microcode_nmi_handler_enable);

	stop_machine_cpuslocked(load_cpus_stopped, NULL, cpu_online_mask);

	if (microcode_ops->use_nmi)
		static_branch_disable_cpuslocked(&microcode_nmi_handler_enable);

	/* Analyze the results */
	for_each_cpu_and(cpu, cpu_present_mask, &cpus_booted_once_mask) {
		switch (per_cpu(ucode_ctrl.result, cpu)) {
		case UCODE_UPDATED:	updated++;	break;
		case UCODE_TIMEOUT:	timedout++;	break;
		case UCODE_OK:		siblings++;	break;
		case UCODE_OFFLINE:	offline++;	break;
		default:		failed++;	break;
		}
	}

	if (microcode_ops->finalize_late_load)
		microcode_ops->finalize_late_load(!updated);

	if (!updated) {
		/* Nothing changed. */
		if (!failed && !timedout)
			return 0;

		nr_offl = cpumask_weight(&cpu_offline_mask);
		if (offline < nr_offl) {
			pr_warn("%u offline siblings did not respond.\n",
				nr_offl - atomic_read(&offline_in_nmi));
			return -EIO;
		}
		pr_err("update failed: %u CPUs failed, %u CPUs timed out\n",
		       failed, timedout);
		return -EIO;
	}

	if (!is_safe || failed || timedout)
		add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK);

	pr_info("load: updated on %u primary CPUs with %u siblings\n", updated, siblings);
	if (failed || timedout) {
		pr_err("load incomplete. %u CPUs timed out or failed\n",
		       num_online_cpus() - (updated + siblings));
	}
	pr_info("revision: 0x%x -> 0x%x\n", old_rev, boot_cpu_data.microcode);
	microcode_check(&prev_info);

	return updated + siblings == num_online_cpus() ? 0 : -EIO;
}

/*
 * This function does two things:
 *
 * 1) Ensure that all required CPUs which are present and have been booted
 *    once are online.
 *
 *    To pass this check, all primary threads must be online.
 *
 *    If the microcode load is not safe against NMI then all SMT threads
 *    must be online as well because they still react to NMIs when they are
 *    soft-offlined and parked in one of the play_dead() variants. So if an
 *    NMI hits while the primary thread updates the microcode the resulting
 *    behaviour is undefined. The default play_dead() implementation on
 *    modern CPUs uses MWAIT, which is also not guaranteed to be safe
 *    against a microcode update which affects MWAIT.
 *
 *    As soft-offlined CPUs still react on NMIs, the SMT sibling
 *    restriction can be lifted when the vendor driver signals to use NMI
 *    for rendezvous and the APIC provides a mechanism to send an NMI to a
 *    soft-offlined CPU. The soft-offlined CPUs are then able to
 *    participate in the rendezvous in a trivial stub handler.
 *
 * 2) Initialize the per CPU control structure and create a cpumask
 *    which contains "offline" secondary threads, so they can be handled
 *    correctly by a control CPU.
 */
static bool setup_cpus(void)
{
	struct microcode_ctrl ctrl = { .ctrl = SCTRL_WAIT, .result = -1, };
	bool allow_smt_offline;
	unsigned int cpu;

	allow_smt_offline = microcode_ops->nmi_safe ||
			    (microcode_ops->use_nmi && apic->nmi_to_offline_cpu);

	cpumask_clear(&cpu_offline_mask);

	for_each_cpu_and(cpu, cpu_present_mask, &cpus_booted_once_mask) {
		/*
		 * Offline CPUs sit in one of the play_dead() functions
		 * with interrupts disabled, but they still react on NMIs
		 * and execute arbitrary code. Also MWAIT being updated
		 * while the offline CPU sits there is not necessarily safe
		 * on all CPU variants.
		 *
		 * Mark them in the offline_cpus mask which will be handled
		 * by CPU0 later in the update process.
		 *
		 * Ensure that the primary thread is online so that it is
		 * guaranteed that all cores are updated.
		 */
		if (!cpu_online(cpu)) {
			if (topology_is_primary_thread(cpu) || !allow_smt_offline) {
				pr_err("CPU %u not online, loading aborted\n", cpu);
				return false;
			}
			cpumask_set_cpu(cpu, &cpu_offline_mask);
			per_cpu(ucode_ctrl, cpu) = ctrl;
			continue;
		}

		/*
		 * Initialize the per CPU state. This is core scope for now,
		 * but prepared to take package or system scope into account.
		 */
		ctrl.ctrl_cpu = cpumask_first(topology_sibling_cpumask(cpu));
		per_cpu(ucode_ctrl, cpu) = ctrl;
	}
	return true;
}

static int load_late_locked(void)
{
	if (!setup_cpus())
		return -EBUSY;

	switch (microcode_ops->request_microcode_fw(0, &microcode_fdev->dev)) {
	case UCODE_NEW:
		return load_late_stop_cpus(false);
	case UCODE_NEW_SAFE:
		return load_late_stop_cpus(true);
	case UCODE_NFOUND:
		return -ENOENT;
	case UCODE_OK:
		return 0;
	default:
		return -EBADFD;
	}
}

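/*
 * Writing "1" to the "reload" file below triggers a late microcode load,
 * e.g.:
 *
 *   # echo 1 > /sys/devices/system/cpu/microcode/reload
 *
 * Any other value is rejected with -EINVAL.
 */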
static ssize_t reload_store(struct device *dev,
			    struct device_attribute *attr,
			    const char *buf, size_t size)
{
	unsigned long val;
	ssize_t ret;

	ret = kstrtoul(buf, 0, &val);
	if (ret || val != 1)
		return -EINVAL;

	cpus_read_lock();
	ret = load_late_locked();
	cpus_read_unlock();

	return ret ? : size;
}

static DEVICE_ATTR_WO(reload);
#endif

static ssize_t version_show(struct device *dev,
			    struct device_attribute *attr, char *buf)
{
	struct ucode_cpu_info *uci = ucode_cpu_info + dev->id;

	return sprintf(buf, "0x%x\n", uci->cpu_sig.rev);
}

static ssize_t processor_flags_show(struct device *dev,
				    struct device_attribute *attr, char *buf)
{
	struct ucode_cpu_info *uci = ucode_cpu_info + dev->id;

	return sprintf(buf, "0x%x\n", uci->cpu_sig.pf);
}

static DEVICE_ATTR_RO(version);
static DEVICE_ATTR_RO(processor_flags);

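/*
 * The two attributes above are exposed per CPU, i.e. they show up as
 *
 *   /sys/devices/system/cpu/cpuN/microcode/version
 *   /sys/devices/system/cpu/cpuN/microcode/processor_flags
 *
 * once mc_cpu_online() has created the "microcode" group for CPU N.
 */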
static struct attribute *mc_default_attrs[] = {
	&dev_attr_version.attr,
	&dev_attr_processor_flags.attr,
	NULL
};

static const struct attribute_group mc_attr_group = {
	.attrs	= mc_default_attrs,
	.name	= "microcode",
};

static void microcode_fini_cpu(int cpu)
{
	if (microcode_ops->microcode_fini_cpu)
		microcode_ops->microcode_fini_cpu(cpu);
}

/**
 * microcode_bsp_resume - Update boot CPU microcode during resume.
 */
void microcode_bsp_resume(void)
{
	int cpu = smp_processor_id();
	struct ucode_cpu_info *uci = ucode_cpu_info + cpu;

	if (uci->mc)
		microcode_ops->apply_microcode(cpu);
	else
		reload_early_microcode(cpu);
}

static void microcode_bsp_syscore_resume(void *data)
{
	microcode_bsp_resume();
}

static const struct syscore_ops mc_syscore_ops = {
	.resume = microcode_bsp_syscore_resume,
};

static struct syscore mc_syscore = {
	.ops = &mc_syscore_ops,
};

static int mc_cpu_online(unsigned int cpu)
{
	struct ucode_cpu_info *uci = ucode_cpu_info + cpu;
	struct device *dev = get_cpu_device(cpu);

	memset(uci, 0, sizeof(*uci));

	microcode_ops->collect_cpu_info(cpu, &uci->cpu_sig);
	cpu_data(cpu).microcode = uci->cpu_sig.rev;
	if (!cpu)
		boot_cpu_data.microcode = uci->cpu_sig.rev;

	if (sysfs_create_group(&dev->kobj, &mc_attr_group))
		pr_err("Failed to create group for CPU%d\n", cpu);
	return 0;
}

static int mc_cpu_down_prep(unsigned int cpu)
{
	struct device *dev = get_cpu_device(cpu);

	microcode_fini_cpu(cpu);
	sysfs_remove_group(&dev->kobj, &mc_attr_group);
	return 0;
}

static struct attribute *cpu_root_microcode_attrs[] = {
#ifdef CONFIG_MICROCODE_LATE_LOADING
	&dev_attr_reload.attr,
#endif
	NULL
};

static const struct attribute_group cpu_root_microcode_group = {
	.name  = "microcode",
	.attrs = cpu_root_microcode_attrs,
};

static int __init microcode_init(void)
{
	struct device *dev_root;
	struct cpuinfo_x86 *c = &boot_cpu_data;
	int error;

	if (microcode_loader_disabled())
		return -EINVAL;

	if (c->x86_vendor == X86_VENDOR_INTEL)
		microcode_ops = init_intel_microcode();
	else if (c->x86_vendor == X86_VENDOR_AMD)
		microcode_ops = init_amd_microcode();
	else
		pr_err("no support for this CPU vendor\n");

	if (!microcode_ops)
		return -ENODEV;

	pr_info_once("Current revision: 0x%08x\n", (early_data.new_rev ?: early_data.old_rev));

	if (early_data.new_rev)
		pr_info_once("Updated early from: 0x%08x\n", early_data.old_rev);

	microcode_fdev = faux_device_create("microcode", NULL, NULL);
	if (!microcode_fdev)
		return -ENODEV;

	dev_root = bus_get_dev_root(&cpu_subsys);
	if (dev_root) {
		error = sysfs_create_group(&dev_root->kobj, &cpu_root_microcode_group);
		put_device(dev_root);
		if (error) {
			pr_err("Error creating microcode group!\n");
			goto out_pdev;
		}
	}

	register_syscore(&mc_syscore);
	cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "x86/microcode:online",
			  mc_cpu_online, mc_cpu_down_prep);

	return 0;

out_pdev:
	faux_device_destroy(microcode_fdev);
	return error;
}
late_initcall(microcode_init);