1 /*
2 * AMD CPU Microcode Update Driver for Linux
3 * Copyright (C) 2008 Advanced Micro Devices Inc.
4 *
5 * Author: Peter Oruba <peter.oruba@amd.com>
6 *
7 * Based on work by:
8 * Tigran Aivazian <tigran@aivazian.fsnet.co.uk>
9 *
10 * This driver allows to upgrade microcode on AMD
11 * family 0x10 and later.
12 *
13 * Licensed unter the terms of the GNU General Public
14 * License version 2. See file COPYING for details.
15 */
16
17 #include <xen/bsearch.h>
18 #include <xen/err.h>
19 #include <xen/init.h>
20 #include <xen/mm.h> /* TODO: Fix asm/tlbflush.h breakage */
21 #include <xen/sha2.h>
22
23 #include <asm/msr.h>
24
25 #include "private.h"
26
27 #define pr_debug(x...) ((void)0)
28
29 struct equiv_cpu_entry {
30 uint32_t installed_cpu;
31 uint32_t fixed_errata_mask;
32 uint32_t fixed_errata_compare;
33 uint16_t equiv_cpu;
34 uint16_t reserved;
35 };
36
37 struct microcode_patch {
38 uint16_t year;
39 uint8_t day;
40 uint8_t month;
41 uint32_t patch_id;
42 uint8_t mc_patch_data_id[2];
43 uint8_t mc_patch_data_len;
44 uint8_t init_flag;
45 uint32_t mc_patch_data_checksum;
46 uint32_t nb_dev_id;
47 uint32_t sb_dev_id;
48 uint16_t processor_rev_id;
49 uint8_t nb_rev_id;
50 uint8_t sb_rev_id;
51 uint8_t bios_api_rev;
52 uint8_t reserved1[3];
53 };
54
55 #define UCODE_MAGIC 0x00414d44
56 #define UCODE_EQUIV_TYPE 0x00000000
57 #define UCODE_UCODE_TYPE 0x00000001
58
59 struct container_equiv_table {
60 uint32_t type; /* UCODE_EQUIV_TYPE */
61 uint32_t len;
62 struct equiv_cpu_entry eq[];
63 };
64 struct container_microcode {
65 uint32_t type; /* UCODE_UCODE_TYPE */
66 uint32_t len;
67 struct microcode_patch patch[];
68 };
69
70 /*
71 * Microcode updates for different CPUs are distinguished by their
72 * processor_rev_id in the header. This denotes the format of the internals
73 * of the microcode engine, and is fixed for an individual CPU.
74 *
75 * There is a mapping from the CPU signature (CPUID.1.EAX -
76 * family/model/stepping) to the "equivalent CPU identifier" which is
77 * similarly fixed. In some cases, multiple different CPU signatures map to
78 * the same equiv_id for processor lines which share identical microcode
79 * facilities.
80 *
81 * This mapping can't be calculated in the general case, but is provided in
82 * the microcode container, so the correct piece of microcode for the CPU can
83 * be identified. We cache it the first time we encounter the correct mapping
84 * for this system.
85 *
86 * Note: for now, we assume a fully homogeneous setup, meaning that there is
87 * exactly one equiv_id we need to worry about for microcode blob
88 * identification. This may need revisiting in due course.
89 */
90 static struct {
91 uint32_t sig;
92 uint16_t id;
93 } equiv __read_mostly;
94
95 static const struct patch_digest {
96 uint32_t patch_id;
97 uint8_t digest[SHA2_256_DIGEST_SIZE];
98 } patch_digests[] = {
99 #include "amd-patch-digests.c"
100 };
101
cmp_patch_id(const void * key,const void * elem)102 static int cf_check cmp_patch_id(const void *key, const void *elem)
103 {
104 const struct patch_digest *pd = elem;
105 uint32_t patch_id = *(uint32_t *)key;
106
107 if ( patch_id == pd->patch_id )
108 return 0;
109 else if ( patch_id < pd->patch_id )
110 return -1;
111 return 1;
112 }
113
check_digest(const struct container_microcode * mc)114 static bool check_digest(const struct container_microcode *mc)
115 {
116 const struct microcode_patch *patch = mc->patch;
117 const struct patch_digest *pd;
118 uint8_t digest[SHA2_256_DIGEST_SIZE];
119
120 /*
121 * Zen1 thru Zen5 CPUs are known to use a weak signature algorithm on
122 * microcode updates. Mitigate by checking the digest of the patch
123 * against a list of known provenance.
124 */
125 if ( boot_cpu_data.family < 0x17 ||
126 !opt_digest_check )
127 return true;
128
129 pd = bsearch(&patch->patch_id, patch_digests, ARRAY_SIZE(patch_digests),
130 sizeof(struct patch_digest), cmp_patch_id);
131 if ( !pd )
132 {
133 printk(XENLOG_WARNING "No digest found for patch_id %08x\n",
134 patch->patch_id);
135 return false;
136 }
137
138 sha2_256_digest(digest, patch, mc->len);
139
140 if ( memcmp(digest, pd->digest, sizeof(digest)) )
141 {
142 printk(XENLOG_WARNING "Patch %08x SHA256 mismatch:\n"
143 " expected %" STR(SHA2_256_DIGEST_SIZE) "phN\n"
144 " got %" STR(SHA2_256_DIGEST_SIZE) "phN\n",
145 patch->patch_id, pd->digest, digest);
146 return false;
147 }
148
149 return true;
150 }
151
collect_cpu_info(void)152 static void cf_check collect_cpu_info(void)
153 {
154 struct cpu_signature *csig = &this_cpu(cpu_sig);
155
156 memset(csig, 0, sizeof(*csig));
157
158 csig->sig = cpuid_eax(1);
159 rdmsrl(MSR_AMD_PATCHLEVEL, csig->rev);
160
161 pr_debug("microcode: CPU%d collect_cpu_info: patch_id=%#x\n",
162 smp_processor_id(), csig->rev);
163 }
164
verify_patch_size(uint32_t patch_size)165 static bool verify_patch_size(uint32_t patch_size)
166 {
167 uint32_t max_size;
168
169 #define F1XH_MPB_MAX_SIZE 2048
170 #define F14H_MPB_MAX_SIZE 1824
171 #define F15H_MPB_MAX_SIZE 4096
172 #define F16H_MPB_MAX_SIZE 3458
173 #define F17H_MPB_MAX_SIZE 3200
174 #define F19H_MPB_MAX_SIZE 5568
175 #define F1AH_MPB_MAX_SIZE 15296
176
177 switch ( boot_cpu_data.family )
178 {
179 case 0x14:
180 max_size = F14H_MPB_MAX_SIZE;
181 break;
182 case 0x15:
183 max_size = F15H_MPB_MAX_SIZE;
184 break;
185 case 0x16:
186 max_size = F16H_MPB_MAX_SIZE;
187 break;
188 case 0x17:
189 max_size = F17H_MPB_MAX_SIZE;
190 break;
191 case 0x19:
192 max_size = F19H_MPB_MAX_SIZE;
193 break;
194 case 0x1a:
195 max_size = F1AH_MPB_MAX_SIZE;
196 break;
197 default:
198 max_size = F1XH_MPB_MAX_SIZE;
199 break;
200 }
201
202 return patch_size <= max_size;
203 }
204
check_final_patch_levels(const struct cpu_signature * sig)205 static bool check_final_patch_levels(const struct cpu_signature *sig)
206 {
207 /*
208 * The 'final_levels' of patch ids have been obtained empirically.
209 * Refer bug https://bugzilla.suse.com/show_bug.cgi?id=913996
210 * for details of the issue. The short version is that people
211 * using certain Fam10h systems noticed system hang issues when
212 * trying to update microcode levels beyond the patch IDs below.
213 * From internal discussions, we gathered that OS/hypervisor
214 * cannot reliably perform microcode updates beyond these levels
215 * due to hardware issues. Therefore, we need to abort microcode
216 * update process if we hit any of these levels.
217 */
218 static const unsigned int final_levels[] = {
219 0x01000098,
220 0x0100009f,
221 0x010000af,
222 };
223 unsigned int i;
224
225 if ( boot_cpu_data.family != 0x10 )
226 return false;
227
228 for ( i = 0; i < ARRAY_SIZE(final_levels); i++ )
229 if ( sig->rev == final_levels[i] )
230 return true;
231
232 return false;
233 }
234
compare_revisions(uint32_t old_rev,uint32_t new_rev)235 static int compare_revisions(uint32_t old_rev, uint32_t new_rev)
236 {
237 if ( new_rev > old_rev )
238 return NEW_UCODE;
239
240 if ( new_rev == old_rev )
241 return SAME_UCODE;
242
243 return OLD_UCODE;
244 }
245
246 /*
247 * Check whether this microcode patch is applicable for the current CPU.
248 *
249 * AMD microcode blobs only have the "equivalent CPU identifier" which is a 16
250 * bit contraction of the 32 bit Family/Model/Stepping.
251 *
252 * We expect to only be run after scan_equiv_cpu_table() has found a valid
253 * mapping for the current CPU. If this is violated, the 0 in equiv.id will
254 * cause the patch to be rejected too.
255 */
microcode_fits_cpu(const struct microcode_patch * patch)256 static bool microcode_fits_cpu(const struct microcode_patch *patch)
257 {
258 ASSERT(equiv.sig);
259
260 return equiv.id == patch->processor_rev_id;
261 }
262
amd_compare(const struct microcode_patch * old,const struct microcode_patch * new)263 static int cf_check amd_compare(
264 const struct microcode_patch *old, const struct microcode_patch *new)
265 {
266 /* Both patches to compare are supposed to be applicable to local CPU. */
267 ASSERT(microcode_fits_cpu(new));
268 ASSERT(microcode_fits_cpu(old));
269
270 return compare_revisions(old->patch_id, new->patch_id);
271 }
272
apply_microcode(const struct microcode_patch * patch,unsigned int flags)273 static int cf_check apply_microcode(const struct microcode_patch *patch,
274 unsigned int flags)
275 {
276 int hw_err, result;
277 unsigned int cpu = smp_processor_id();
278 struct cpu_signature *sig = &per_cpu(cpu_sig, cpu);
279 uint32_t rev, old_rev = sig->rev;
280 bool ucode_force = flags & XENPF_UCODE_FORCE;
281
282 if ( !microcode_fits_cpu(patch) )
283 return -EINVAL;
284
285 result = compare_revisions(old_rev, patch->patch_id);
286
287 /*
288 * Allow application of the same revision to pick up SMT-specific changes
289 * even if the revision of the other SMT thread is already up-to-date.
290 */
291 if ( !ucode_force && (result == SAME_UCODE || result == OLD_UCODE) )
292 return -EEXIST;
293
294 if ( check_final_patch_levels(sig) )
295 {
296 printk(XENLOG_ERR
297 "microcode: CPU%u current rev %#x unsafe to update\n",
298 cpu, sig->rev);
299 return -ENXIO;
300 }
301
302 hw_err = wrmsr_safe(MSR_AMD_PATCHLOADER, (unsigned long)patch);
303
304 /* get patch id after patching */
305 rdmsrl(MSR_AMD_PATCHLEVEL, rev);
306 sig->rev = rev;
307
308 /*
309 * Some processors leave the ucode blob mapping as UC after the update.
310 * Flush the mapping to regain normal cacheability.
311 */
312 flush_area_local(patch, FLUSH_TLB_GLOBAL | FLUSH_ORDER(0));
313
314 /* check current patch id and patch's id for match */
315 if ( hw_err || (rev != patch->patch_id) )
316 {
317 printk(XENLOG_ERR
318 "microcode: CPU%u update rev %#x to %#x failed, result %#x\n",
319 cpu, old_rev, patch->patch_id, rev);
320 return -EIO;
321 }
322
323 printk(XENLOG_WARNING
324 "microcode: CPU%u updated from revision %#x to %#x, date = %04x-%02x-%02x\n",
325 cpu, old_rev, rev, patch->year, patch->month, patch->day);
326
327 amd_check_zenbleed();
328
329 return 0;
330 }
331
scan_equiv_cpu_table(const struct container_equiv_table * et)332 static int scan_equiv_cpu_table(const struct container_equiv_table *et)
333 {
334 const struct cpu_signature *sig = &this_cpu(cpu_sig);
335 unsigned int i, nr = et->len / sizeof(et->eq[0]);
336
337 /* Search the equiv_cpu_table for the current CPU. */
338 for ( i = 0; i < nr && et->eq[i].installed_cpu; ++i )
339 {
340 if ( et->eq[i].installed_cpu != sig->sig )
341 continue;
342
343 if ( !equiv.sig ) /* Cache details on first find. */
344 {
345 equiv.sig = sig->sig;
346 equiv.id = et->eq[i].equiv_cpu;
347 return 0;
348 }
349
350 if ( equiv.sig != sig->sig || equiv.id != et->eq[i].equiv_cpu )
351 {
352 /*
353 * This can only occur if two equiv tables have been seen with
354 * different mappings for the same CPU. The mapping is fixed, so
355 * one of the tables is wrong. As we can't calculate the mapping,
356 * we trusted the first table we saw.
357 */
358 printk(XENLOG_ERR
359 "microcode: Equiv mismatch: cpu %08x, got %04x, cached %04x\n",
360 sig->sig, et->eq[i].equiv_cpu, equiv.id);
361 return -EINVAL;
362 }
363
364 return 0;
365 }
366
367 /* equiv_cpu_table was fine, but nothing found for the current CPU. */
368 return -ESRCH;
369 }
370
cpu_request_microcode(const void * buf,size_t size,bool make_copy)371 static struct microcode_patch *cf_check cpu_request_microcode(
372 const void *buf, size_t size, bool make_copy)
373 {
374 const struct microcode_patch *saved = NULL;
375 struct microcode_patch *patch = NULL;
376 size_t saved_size = 0;
377 int error = 0;
378
379 while ( size )
380 {
381 const struct container_equiv_table *et;
382 bool skip_ucode;
383
384 if ( size < 4 || *(const uint32_t *)buf != UCODE_MAGIC )
385 {
386 printk(XENLOG_ERR "microcode: Wrong microcode patch file magic\n");
387 error = -EINVAL;
388 break;
389 }
390
391 /* Move over UCODE_MAGIC. */
392 buf += 4;
393 size -= 4;
394
395 if ( size < sizeof(*et) || /* No space for header? */
396 (et = buf)->type != UCODE_EQUIV_TYPE || /* Not an Equivalence Table? */
397 size - sizeof(*et) < et->len || /* No space for table? */
398 et->len % sizeof(et->eq[0]) ) /* Not multiple of equiv_cpu_entry? */
399 {
400 printk(XENLOG_ERR "microcode: Bad equivalent cpu table\n");
401 error = -EINVAL;
402 break;
403 }
404
405 /* Move over the Equiv table. */
406 buf += sizeof(*et) + et->len;
407 size -= sizeof(*et) + et->len;
408
409 error = scan_equiv_cpu_table(et);
410
411 /*
412 * -ESRCH means no applicable microcode in this container. But, there
413 * might be subsequent containers in the blob. Skipping to the end of
414 * this container still requires us to follow the UCODE_UCODE_TYPE/len
415 * metadata because there's no overall container length given.
416 */
417 if ( error && error != -ESRCH )
418 break;
419 skip_ucode = error;
420 error = 0;
421
422 while ( size )
423 {
424 const struct container_microcode *mc;
425
426 if ( size < sizeof(*mc) || /* No space for container header? */
427 (mc = buf)->type != UCODE_UCODE_TYPE || /* Not a ucode blob? */
428 size - sizeof(*mc) < mc->len || /* No space for blob? */
429 mc->len < sizeof(struct microcode_patch) ) /* No space for patch header? */
430 {
431 printk(XENLOG_ERR "microcode: Bad microcode data\n");
432 error = -EINVAL;
433 break;
434 }
435
436 if ( skip_ucode )
437 goto skip;
438
439 if ( !verify_patch_size(mc->len) )
440 {
441 printk(XENLOG_WARNING
442 "microcode: Bad microcode length 0x%08x for cpu 0x%04x\n",
443 mc->len, mc->patch->processor_rev_id);
444 /*
445 * If the blob size sanity check fails, trust the container
446 * length which has already been checked to be at least
447 * plausible at this point.
448 */
449 goto skip;
450 }
451
452 /*
453 * If the new ucode covers current CPU, compare ucodes and store the
454 * one with higher revision.
455 */
456 if ( microcode_fits_cpu(mc->patch) &&
457 (!saved ||
458 compare_revisions(saved->patch_id,
459 mc->patch->patch_id) == NEW_UCODE) &&
460 check_digest(mc) )
461 {
462 saved = mc->patch;
463 saved_size = mc->len;
464 }
465
466 /* Move over the microcode blob. */
467 skip:
468 buf += sizeof(*mc) + mc->len;
469 size -= sizeof(*mc) + mc->len;
470
471 /*
472 * Peek ahead. If we see the start of another container, we've
473 * exhaused all microcode blobs in this container. Exit cleanly.
474 */
475 if ( size >= 4 && *(const uint32_t *)buf == UCODE_MAGIC )
476 break;
477 }
478
479 /*
480 * Any error means we didn't get cleanly to the end of the microcode
481 * container. There isn't an overall length field, so we've got no
482 * way of skipping to the next container in the stream.
483 */
484 if ( error )
485 break;
486 }
487
488 if ( saved )
489 {
490 if ( make_copy )
491 {
492 patch = xmemdup_bytes(saved, saved_size);
493 if ( !patch )
494 error = -ENOMEM;
495 }
496 else
497 patch = (struct microcode_patch *)saved;
498 }
499
500 if ( error && !patch )
501 patch = ERR_PTR(error);
502
503 return patch;
504 }
505
506 static const char __initconst amd_cpio_path[] =
507 "kernel/x86/microcode/AuthenticAMD.bin";
508
509 static const struct microcode_ops __initconst_cf_clobber amd_ucode_ops = {
510 .cpu_request_microcode = cpu_request_microcode,
511 .collect_cpu_info = collect_cpu_info,
512 .apply_microcode = apply_microcode,
513 .compare = amd_compare,
514 .cpio_path = amd_cpio_path,
515 };
516
ucode_probe_amd(struct microcode_ops * ops)517 void __init ucode_probe_amd(struct microcode_ops *ops)
518 {
519 if ( !opt_digest_check && boot_cpu_data.family >= 0x17 )
520 {
521 printk(XENLOG_WARNING
522 "Microcode patch additional digest checks disabled");
523 add_taint(TAINT_CPU_OUT_OF_SPEC);
524 }
525
526 if ( boot_cpu_data.family < 0x10 )
527 return;
528
529 *ops = amd_ucode_ops;
530 }
531
532 #if 0 /* Manual CONFIG_SELF_TESTS */
533 static void __init __constructor test_digests_sorted(void)
534 {
535 for ( unsigned int i = 1; i < ARRAY_SIZE(patch_digests); ++i )
536 {
537 if ( patch_digests[i - 1].patch_id < patch_digests[i].patch_id )
538 continue;
539
540 panic("patch_digests[] not sorted: %08x >= %08x\n",
541 patch_digests[i - 1].patch_id,
542 patch_digests[i].patch_id);
543 }
544 }
545 #endif /* CONFIG_SELF_TESTS */
546