1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * CPU Microcode Update Driver for Linux
4 *
5 * Copyright (C) 2000-2006 Tigran Aivazian <aivazian.tigran@gmail.com>
6 * 2006 Shaohua Li <shaohua.li@intel.com>
7 * 2013-2016 Borislav Petkov <bp@alien8.de>
8 *
9 * X86 CPU microcode early update for Linux:
10 *
11 * Copyright (C) 2012 Fenghua Yu <fenghua.yu@intel.com>
12 * H Peter Anvin" <hpa@zytor.com>
13 * (C) 2015 Borislav Petkov <bp@alien8.de>
14 *
15 * This driver allows to upgrade microcode on x86 processors.
16 */
17
18 #define pr_fmt(fmt) "microcode: " fmt
19
20 #include <linux/platform_device.h>
21 #include <linux/stop_machine.h>
22 #include <linux/syscore_ops.h>
23 #include <linux/miscdevice.h>
24 #include <linux/capability.h>
25 #include <linux/firmware.h>
26 #include <linux/kernel.h>
27 #include <linux/delay.h>
28 #include <linux/mutex.h>
29 #include <linux/cpu.h>
30 #include <linux/nmi.h>
31 #include <linux/fs.h>
32 #include <linux/mm.h>
33
34 #include <asm/microcode_intel.h>
35 #include <asm/cpu_device_id.h>
36 #include <asm/microcode_amd.h>
37 #include <asm/perf_event.h>
38 #include <asm/microcode.h>
39 #include <asm/processor.h>
40 #include <asm/cmdline.h>
41 #include <asm/setup.h>
42
43 #define DRIVER_VERSION "2.2"
44
45 static struct microcode_ops *microcode_ops;
46 static bool dis_ucode_ldr = true;
47
48 bool initrd_gone;
49
50 LIST_HEAD(microcode_cache);
51
52 /*
53 * Synchronization.
54 *
55 * All non cpu-hotplug-callback call sites use:
56 *
57 * - microcode_mutex to synchronize with each other;
58 * - cpus_read_lock/unlock() to synchronize with
59 * the cpu-hotplug-callback call sites.
60 *
61 * We guarantee that only a single cpu is being
62 * updated at any particular moment of time.
63 */
64 static DEFINE_MUTEX(microcode_mutex);
65
66 struct ucode_cpu_info ucode_cpu_info[NR_CPUS];
67
68 struct cpu_info_ctx {
69 struct cpu_signature *cpu_sig;
70 int err;
71 };
72
73 /*
74 * Those patch levels cannot be updated to newer ones and thus should be final.
75 */
76 static u32 final_levels[] = {
77 0x01000098,
78 0x0100009f,
79 0x010000af,
80 0, /* T-101 terminator */
81 };
82
83 /*
84 * Check the current patch level on this CPU.
85 *
86 * Returns:
87 * - true: if update should stop
88 * - false: otherwise
89 */
amd_check_current_patch_level(void)90 static bool amd_check_current_patch_level(void)
91 {
92 u32 lvl, dummy, i;
93 u32 *levels;
94
95 native_rdmsr(MSR_AMD64_PATCH_LEVEL, lvl, dummy);
96
97 if (IS_ENABLED(CONFIG_X86_32))
98 levels = (u32 *)__pa_nodebug(&final_levels);
99 else
100 levels = final_levels;
101
102 for (i = 0; levels[i]; i++) {
103 if (lvl == levels[i])
104 return true;
105 }
106 return false;
107 }
108
check_loader_disabled_bsp(void)109 static bool __init check_loader_disabled_bsp(void)
110 {
111 static const char *__dis_opt_str = "dis_ucode_ldr";
112
113 #ifdef CONFIG_X86_32
114 const char *cmdline = (const char *)__pa_nodebug(boot_command_line);
115 const char *option = (const char *)__pa_nodebug(__dis_opt_str);
116 bool *res = (bool *)__pa_nodebug(&dis_ucode_ldr);
117
118 #else /* CONFIG_X86_64 */
119 const char *cmdline = boot_command_line;
120 const char *option = __dis_opt_str;
121 bool *res = &dis_ucode_ldr;
122 #endif
123
124 /*
125 * CPUID(1).ECX[31]: reserved for hypervisor use. This is still not
126 * completely accurate as xen pv guests don't see that CPUID bit set but
127 * that's good enough as they don't land on the BSP path anyway.
128 */
129 if (native_cpuid_ecx(1) & BIT(31))
130 return *res;
131
132 if (x86_cpuid_vendor() == X86_VENDOR_AMD) {
133 if (amd_check_current_patch_level())
134 return *res;
135 }
136
137 if (cmdline_find_option_bool(cmdline, option) <= 0)
138 *res = false;
139
140 return *res;
141 }
142
load_ucode_bsp(void)143 void __init load_ucode_bsp(void)
144 {
145 unsigned int cpuid_1_eax;
146 bool intel = true;
147
148 if (!have_cpuid_p())
149 return;
150
151 cpuid_1_eax = native_cpuid_eax(1);
152
153 switch (x86_cpuid_vendor()) {
154 case X86_VENDOR_INTEL:
155 if (x86_family(cpuid_1_eax) < 6)
156 return;
157 break;
158
159 case X86_VENDOR_AMD:
160 if (x86_family(cpuid_1_eax) < 0x10)
161 return;
162 intel = false;
163 break;
164
165 default:
166 return;
167 }
168
169 if (check_loader_disabled_bsp())
170 return;
171
172 if (intel)
173 load_ucode_intel_bsp();
174 else
175 load_ucode_amd_bsp(cpuid_1_eax);
176 }
177
check_loader_disabled_ap(void)178 static bool check_loader_disabled_ap(void)
179 {
180 #ifdef CONFIG_X86_32
181 return *((bool *)__pa_nodebug(&dis_ucode_ldr));
182 #else
183 return dis_ucode_ldr;
184 #endif
185 }
186
load_ucode_ap(void)187 void load_ucode_ap(void)
188 {
189 unsigned int cpuid_1_eax;
190
191 if (check_loader_disabled_ap())
192 return;
193
194 cpuid_1_eax = native_cpuid_eax(1);
195
196 switch (x86_cpuid_vendor()) {
197 case X86_VENDOR_INTEL:
198 if (x86_family(cpuid_1_eax) >= 6)
199 load_ucode_intel_ap();
200 break;
201 case X86_VENDOR_AMD:
202 if (x86_family(cpuid_1_eax) >= 0x10)
203 load_ucode_amd_ap(cpuid_1_eax);
204 break;
205 default:
206 break;
207 }
208 }
209
save_microcode_in_initrd(void)210 static int __init save_microcode_in_initrd(void)
211 {
212 struct cpuinfo_x86 *c = &boot_cpu_data;
213 int ret = -EINVAL;
214
215 switch (c->x86_vendor) {
216 case X86_VENDOR_INTEL:
217 if (c->x86 >= 6)
218 ret = save_microcode_in_initrd_intel();
219 break;
220 case X86_VENDOR_AMD:
221 if (c->x86 >= 0x10)
222 ret = save_microcode_in_initrd_amd(cpuid_eax(1));
223 break;
224 default:
225 break;
226 }
227
228 initrd_gone = true;
229
230 return ret;
231 }
232
find_microcode_in_initrd(const char * path,bool use_pa)233 struct cpio_data find_microcode_in_initrd(const char *path, bool use_pa)
234 {
235 #ifdef CONFIG_BLK_DEV_INITRD
236 unsigned long start = 0;
237 size_t size;
238
239 #ifdef CONFIG_X86_32
240 struct boot_params *params;
241
242 if (use_pa)
243 params = (struct boot_params *)__pa_nodebug(&boot_params);
244 else
245 params = &boot_params;
246
247 size = params->hdr.ramdisk_size;
248
249 /*
250 * Set start only if we have an initrd image. We cannot use initrd_start
251 * because it is not set that early yet.
252 */
253 if (size)
254 start = params->hdr.ramdisk_image;
255
256 # else /* CONFIG_X86_64 */
257 size = (unsigned long)boot_params.ext_ramdisk_size << 32;
258 size |= boot_params.hdr.ramdisk_size;
259
260 if (size) {
261 start = (unsigned long)boot_params.ext_ramdisk_image << 32;
262 start |= boot_params.hdr.ramdisk_image;
263
264 start += PAGE_OFFSET;
265 }
266 # endif
267
268 /*
269 * Fixup the start address: after reserve_initrd() runs, initrd_start
270 * has the virtual address of the beginning of the initrd. It also
271 * possibly relocates the ramdisk. In either case, initrd_start contains
272 * the updated address so use that instead.
273 *
274 * initrd_gone is for the hotplug case where we've thrown out initrd
275 * already.
276 */
277 if (!use_pa) {
278 if (initrd_gone)
279 return (struct cpio_data){ NULL, 0, "" };
280 if (initrd_start)
281 start = initrd_start;
282 } else {
283 /*
284 * The picture with physical addresses is a bit different: we
285 * need to get the *physical* address to which the ramdisk was
286 * relocated, i.e., relocated_ramdisk (not initrd_start) and
287 * since we're running from physical addresses, we need to access
288 * relocated_ramdisk through its *physical* address too.
289 */
290 u64 *rr = (u64 *)__pa_nodebug(&relocated_ramdisk);
291 if (*rr)
292 start = *rr;
293 }
294
295 return find_cpio_data(path, (void *)start, size, NULL);
296 #else /* !CONFIG_BLK_DEV_INITRD */
297 return (struct cpio_data){ NULL, 0, "" };
298 #endif
299 }
300
reload_early_microcode(unsigned int cpu)301 void reload_early_microcode(unsigned int cpu)
302 {
303 int vendor, family;
304
305 vendor = x86_cpuid_vendor();
306 family = x86_cpuid_family();
307
308 switch (vendor) {
309 case X86_VENDOR_INTEL:
310 if (family >= 6)
311 reload_ucode_intel();
312 break;
313 case X86_VENDOR_AMD:
314 if (family >= 0x10)
315 reload_ucode_amd(cpu);
316 break;
317 default:
318 break;
319 }
320 }
321
322 /* fake device for request_firmware */
323 static struct platform_device *microcode_pdev;
324
325 #ifdef CONFIG_MICROCODE_LATE_LOADING
326 /*
327 * Late loading dance. Why the heavy-handed stomp_machine effort?
328 *
329 * - HT siblings must be idle and not execute other code while the other sibling
330 * is loading microcode in order to avoid any negative interactions caused by
331 * the loading.
332 *
333 * - In addition, microcode update on the cores must be serialized until this
334 * requirement can be relaxed in the future. Right now, this is conservative
335 * and good.
336 */
337 #define SPINUNIT 100 /* 100 nsec */
338
check_online_cpus(void)339 static int check_online_cpus(void)
340 {
341 unsigned int cpu;
342
343 /*
344 * Make sure all CPUs are online. It's fine for SMT to be disabled if
345 * all the primary threads are still online.
346 */
347 for_each_present_cpu(cpu) {
348 if (topology_is_primary_thread(cpu) && !cpu_online(cpu)) {
349 pr_err("Not all CPUs online, aborting microcode update.\n");
350 return -EINVAL;
351 }
352 }
353
354 return 0;
355 }
356
357 static atomic_t late_cpus_in;
358 static atomic_t late_cpus_out;
359
__wait_for_cpus(atomic_t * t,long long timeout)360 static int __wait_for_cpus(atomic_t *t, long long timeout)
361 {
362 int all_cpus = num_online_cpus();
363
364 atomic_inc(t);
365
366 while (atomic_read(t) < all_cpus) {
367 if (timeout < SPINUNIT) {
368 pr_err("Timeout while waiting for CPUs rendezvous, remaining: %d\n",
369 all_cpus - atomic_read(t));
370 return 1;
371 }
372
373 ndelay(SPINUNIT);
374 timeout -= SPINUNIT;
375
376 touch_nmi_watchdog();
377 }
378 return 0;
379 }
380
381 /*
382 * Returns:
383 * < 0 - on error
384 * 0 - success (no update done or microcode was updated)
385 */
__reload_late(void * info)386 static int __reload_late(void *info)
387 {
388 int cpu = smp_processor_id();
389 enum ucode_state err;
390 int ret = 0;
391
392 /*
393 * Wait for all CPUs to arrive. A load will not be attempted unless all
394 * CPUs show up.
395 * */
396 if (__wait_for_cpus(&late_cpus_in, NSEC_PER_SEC))
397 return -1;
398
399 /*
400 * On an SMT system, it suffices to load the microcode on one sibling of
401 * the core because the microcode engine is shared between the threads.
402 * Synchronization still needs to take place so that no concurrent
403 * loading attempts happen on multiple threads of an SMT core. See
404 * below.
405 */
406 if (cpumask_first(topology_sibling_cpumask(cpu)) == cpu)
407 err = microcode_ops->apply_microcode(cpu);
408 else
409 goto wait_for_siblings;
410
411 if (err >= UCODE_NFOUND) {
412 if (err == UCODE_ERROR) {
413 pr_warn("Error reloading microcode on CPU %d\n", cpu);
414 ret = -1;
415 }
416 }
417
418 wait_for_siblings:
419 if (__wait_for_cpus(&late_cpus_out, NSEC_PER_SEC))
420 panic("Timeout during microcode update!\n");
421
422 /*
423 * At least one thread has completed update on each core.
424 * For others, simply call the update to make sure the
425 * per-cpu cpuinfo can be updated with right microcode
426 * revision.
427 */
428 if (cpumask_first(topology_sibling_cpumask(cpu)) != cpu)
429 err = microcode_ops->apply_microcode(cpu);
430
431 return ret;
432 }
433
434 /*
435 * Reload microcode late on all CPUs. Wait for a sec until they
436 * all gather together.
437 */
microcode_reload_late(void)438 static int microcode_reload_late(void)
439 {
440 int old = boot_cpu_data.microcode, ret;
441 struct cpuinfo_x86 prev_info;
442
443 pr_err("Attempting late microcode loading - it is dangerous and taints the kernel.\n");
444 pr_err("You should switch to early loading, if possible.\n");
445
446 atomic_set(&late_cpus_in, 0);
447 atomic_set(&late_cpus_out, 0);
448
449 /*
450 * Take a snapshot before the microcode update in order to compare and
451 * check whether any bits changed after an update.
452 */
453 store_cpu_caps(&prev_info);
454
455 ret = stop_machine_cpuslocked(__reload_late, NULL, cpu_online_mask);
456 if (!ret) {
457 pr_info("Reload succeeded, microcode revision: 0x%x -> 0x%x\n",
458 old, boot_cpu_data.microcode);
459 microcode_check(&prev_info);
460 } else {
461 pr_info("Reload failed, current microcode revision: 0x%x\n",
462 boot_cpu_data.microcode);
463 }
464
465 return ret;
466 }
467
reload_store(struct device * dev,struct device_attribute * attr,const char * buf,size_t size)468 static ssize_t reload_store(struct device *dev,
469 struct device_attribute *attr,
470 const char *buf, size_t size)
471 {
472 enum ucode_state tmp_ret = UCODE_OK;
473 int bsp = boot_cpu_data.cpu_index;
474 unsigned long val;
475 ssize_t ret = 0;
476
477 ret = kstrtoul(buf, 0, &val);
478 if (ret || val != 1)
479 return -EINVAL;
480
481 cpus_read_lock();
482
483 ret = check_online_cpus();
484 if (ret)
485 goto put;
486
487 tmp_ret = microcode_ops->request_microcode_fw(bsp, µcode_pdev->dev);
488 if (tmp_ret != UCODE_NEW)
489 goto put;
490
491 mutex_lock(µcode_mutex);
492 ret = microcode_reload_late();
493 mutex_unlock(µcode_mutex);
494
495 put:
496 cpus_read_unlock();
497
498 if (ret == 0)
499 ret = size;
500
501 add_taint(TAINT_CPU_OUT_OF_SPEC, LOCKDEP_STILL_OK);
502
503 return ret;
504 }
505
506 static DEVICE_ATTR_WO(reload);
507 #endif
508
version_show(struct device * dev,struct device_attribute * attr,char * buf)509 static ssize_t version_show(struct device *dev,
510 struct device_attribute *attr, char *buf)
511 {
512 struct ucode_cpu_info *uci = ucode_cpu_info + dev->id;
513
514 return sprintf(buf, "0x%x\n", uci->cpu_sig.rev);
515 }
516
processor_flags_show(struct device * dev,struct device_attribute * attr,char * buf)517 static ssize_t processor_flags_show(struct device *dev,
518 struct device_attribute *attr, char *buf)
519 {
520 struct ucode_cpu_info *uci = ucode_cpu_info + dev->id;
521
522 return sprintf(buf, "0x%x\n", uci->cpu_sig.pf);
523 }
524
525 static DEVICE_ATTR_RO(version);
526 static DEVICE_ATTR_RO(processor_flags);
527
528 static struct attribute *mc_default_attrs[] = {
529 &dev_attr_version.attr,
530 &dev_attr_processor_flags.attr,
531 NULL
532 };
533
534 static const struct attribute_group mc_attr_group = {
535 .attrs = mc_default_attrs,
536 .name = "microcode",
537 };
538
microcode_fini_cpu(int cpu)539 static void microcode_fini_cpu(int cpu)
540 {
541 if (microcode_ops->microcode_fini_cpu)
542 microcode_ops->microcode_fini_cpu(cpu);
543 }
544
microcode_init_cpu(int cpu)545 static enum ucode_state microcode_init_cpu(int cpu)
546 {
547 struct ucode_cpu_info *uci = ucode_cpu_info + cpu;
548
549 memset(uci, 0, sizeof(*uci));
550
551 microcode_ops->collect_cpu_info(cpu, &uci->cpu_sig);
552
553 return microcode_ops->apply_microcode(cpu);
554 }
555
556 /**
557 * microcode_bsp_resume - Update boot CPU microcode during resume.
558 */
microcode_bsp_resume(void)559 void microcode_bsp_resume(void)
560 {
561 int cpu = smp_processor_id();
562 struct ucode_cpu_info *uci = ucode_cpu_info + cpu;
563
564 if (uci->mc)
565 microcode_ops->apply_microcode(cpu);
566 else
567 reload_early_microcode(cpu);
568 }
569
570 static struct syscore_ops mc_syscore_ops = {
571 .resume = microcode_bsp_resume,
572 };
573
mc_cpu_starting(unsigned int cpu)574 static int mc_cpu_starting(unsigned int cpu)
575 {
576 enum ucode_state err = microcode_ops->apply_microcode(cpu);
577
578 pr_debug("%s: CPU%d, err: %d\n", __func__, cpu, err);
579
580 return err == UCODE_ERROR;
581 }
582
mc_cpu_online(unsigned int cpu)583 static int mc_cpu_online(unsigned int cpu)
584 {
585 struct device *dev = get_cpu_device(cpu);
586
587 if (sysfs_create_group(&dev->kobj, &mc_attr_group))
588 pr_err("Failed to create group for CPU%d\n", cpu);
589 return 0;
590 }
591
mc_cpu_down_prep(unsigned int cpu)592 static int mc_cpu_down_prep(unsigned int cpu)
593 {
594 struct device *dev;
595
596 dev = get_cpu_device(cpu);
597
598 microcode_fini_cpu(cpu);
599
600 /* Suspend is in progress, only remove the interface */
601 sysfs_remove_group(&dev->kobj, &mc_attr_group);
602 pr_debug("%s: CPU%d\n", __func__, cpu);
603
604 return 0;
605 }
606
setup_online_cpu(struct work_struct * work)607 static void setup_online_cpu(struct work_struct *work)
608 {
609 int cpu = smp_processor_id();
610 enum ucode_state err;
611
612 err = microcode_init_cpu(cpu);
613 if (err == UCODE_ERROR) {
614 pr_err("Error applying microcode on CPU%d\n", cpu);
615 return;
616 }
617
618 mc_cpu_online(cpu);
619 }
620
621 static struct attribute *cpu_root_microcode_attrs[] = {
622 #ifdef CONFIG_MICROCODE_LATE_LOADING
623 &dev_attr_reload.attr,
624 #endif
625 NULL
626 };
627
628 static const struct attribute_group cpu_root_microcode_group = {
629 .name = "microcode",
630 .attrs = cpu_root_microcode_attrs,
631 };
632
microcode_init(void)633 static int __init microcode_init(void)
634 {
635 struct cpuinfo_x86 *c = &boot_cpu_data;
636 int error;
637
638 if (dis_ucode_ldr)
639 return -EINVAL;
640
641 if (c->x86_vendor == X86_VENDOR_INTEL)
642 microcode_ops = init_intel_microcode();
643 else if (c->x86_vendor == X86_VENDOR_AMD)
644 microcode_ops = init_amd_microcode();
645 else
646 pr_err("no support for this CPU vendor\n");
647
648 if (!microcode_ops)
649 return -ENODEV;
650
651 microcode_pdev = platform_device_register_simple("microcode", -1, NULL, 0);
652 if (IS_ERR(microcode_pdev))
653 return PTR_ERR(microcode_pdev);
654
655 error = sysfs_create_group(&cpu_subsys.dev_root->kobj, &cpu_root_microcode_group);
656 if (error) {
657 pr_err("Error creating microcode group!\n");
658 goto out_pdev;
659 }
660
661 /* Do per-CPU setup */
662 schedule_on_each_cpu(setup_online_cpu);
663
664 register_syscore_ops(&mc_syscore_ops);
665 cpuhp_setup_state_nocalls(CPUHP_AP_MICROCODE_LOADER, "x86/microcode:starting",
666 mc_cpu_starting, NULL);
667 cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN, "x86/microcode:online",
668 mc_cpu_online, mc_cpu_down_prep);
669
670 pr_info("Microcode Update Driver: v%s.", DRIVER_VERSION);
671
672 return 0;
673
674 out_pdev:
675 platform_device_unregister(microcode_pdev);
676 return error;
677
678 }
679 fs_initcall(save_microcode_in_initrd);
680 late_initcall(microcode_init);
681