[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH] x86, amd_ucode: Verify max allowed patch size before apply
On 25/04/14 20:48, Aravind Gopalakrishnan wrote: > On 4/24/2014 3:26 PM, Andrew Cooper wrote: >> On 24/04/14 20:54, Aravind Gopalakrishnan wrote: >>> -static bool_t microcode_fits(const struct microcode_amd *mc_amd, >>> int cpu) >>> +static bool_t verify_patch_size(uint32_t patch_size) >>> +{ >>> + uint8_t family; >>> + uint32_t max_size; >>> + >>> +#define F1XH_MPB_MAX_SIZE 2048 >>> +#define F14H_MPB_MAX_SIZE 1824 >>> +#define F15H_MPB_MAX_SIZE 4096 >>> +#define F16H_MPB_MAX_SIZE 3458 >>> + >>> + family = boot_cpu_data.x86; >>> + switch (family) >> You can drop the family variable and just switch on boot_cpu_data.x86 > > Noted. >>> +static int microcode_fits(const struct microcode_amd *mc_amd, int cpu) >>> { >>> struct ucode_cpu_info *uci = &per_cpu(ucode_cpu_info, cpu); >>> const struct microcode_header_amd *mc_header = mc_amd->mpb; >>> @@ -118,19 +151,25 @@ static bool_t microcode_fits(const struct >>> microcode_amd *mc_amd, int cpu) >>> } >>> if ( !equiv_cpu_id ) >>> - return 0; >>> + return -EINVAL; >>> if ( (mc_header->processor_rev_id) != equiv_cpu_id ) >>> - return 0; >>> + return -EINVAL; >>> + >>> + if ( !verify_patch_size(mc_amd->mpb_size) ) >>> + { >>> + printk(KERN_ERR "microcode: patch size mismatch\n"); >>> + return -EINVAL; >> XENLOG_ERR "microcode patch size too large" >> return -E2BIG; >> >> And is this really worth being an error as opposed to a warning, or >> frankly even just debug? It is presumably one of N possible blobs in the >> hypercall. > > Right. Modified it to use XENLOG_DEBUG instead. >>> static int apply_microcode(int cpu) >>> @@ -319,7 +358,8 @@ static int cpu_request_microcode(int cpu, const >>> void *buf, size_t bufsize) >>> while ( (error = get_ucode_from_buffer_amd(mc_amd, buf, bufsize, >>> &offset)) == 0 ) >>> { >>> - if ( microcode_fits(mc_amd, cpu) ) >>> + error = microcode_fits(mc_amd, cpu); >>> + if ( !error ) >>> { >>> error = apply_microcode(cpu); >>> if ( error ) >>> @@ -329,6 +369,11 @@ static int cpu_request_microcode(int cpu, const >>> void *buf, size_t bufsize) >>> last_offset = offset; >>> + if ( error == -EEXIST ) { >>> + printk(KERN_DEBUG "microcode: patch is already at >>> required level or greater.\n"); >>> + break; >> You can't break from the loop here. What if a subsequent blob in the >> buffer contains a newer piece of microcode? >> > > Right. Didn't think about that. Sorry.. > > But I ran into larger issues here: > Since we don't break on the first match and continue to parse the > entire fw image till the very end; > *and* since I modified the error handling around 'microcode_fits' thus: > > if ( (mc_header->processor_rev_id) != equiv_cpu_id ) > > -return 0; > > +return -EINVAL; > > + > > The last returned error val is '-22' which is bubbled up to > microcode.c. 'microcode_presmp_init' as a result > flushes out ucode_blob or NULL-ifies ucode_mod_map. > > Which means 'microcode_init' returns early as it can't validate > ucode_mod.mod_end or ucode_blob.size > Now, this breaks original functionality (sorry for catching this > late), *but* > doesn't cause any problem to updating(,applying) ucode patches to cpus > as we apply the patches during > 'microcode_resume_cpu' anyway. (which is why I thought at first all > is fine) > > Could someone please help me understand why there are two initcalls - > 'microcode_presmp_init' && 'microcode_init' > that perform the same tasks? > > It results in these functions - 'collect_cpu_info', > 'cpu_request_microcode' to run a second time through 'microcode_init' > when we have already accomplished the job of updating cpu with > microcode patches > through 'microcode_presmp_init' and 'microcode_resume_cpu' > > If there is particular reason for 'microcode_init''s existence, then > I'll modify the patch so that the error handling around 'microcode_fits' > is not altered. But if not, then I simply have to just remove the > 'break' statement. Good grief this looks mad. Ignoring for a moment what the code actually does, lets consider what it should do. The administrator has an option of providing a microcode blob in a multiboot module, and instructing Xen where to look. In this case if a valid blob is found, Xen will want to load the microcode ASAP and cache it for the other processors. This can be done as early as is suitable on the BSP. The administrator has an option of providing a microcode blob by hypercall (either automatically as part of their kernel microcode patching code, or perhaps from a userspace tool in dom0). For a valid blob, Xen will want to cache it and apply to all active processors. This can be done by whichever cpu processes the hypercall. At any point, a new cpu coming online (AP boot, S3 etc) should look at the cached microcode and try to load it. So it would occur to me to have something such as as presmp initcall which sets up a cpunotifier for any cpu coming online. It checks to see whether there are any blobs provided at boot, tries to load them and caches the best result. The hypercall tries to apply the blob from userspace and if successful, caches the new microcode and instructs all other cpus to load this new microcode. I dont see a need for two initcalls in the slightest, nor do I see a need for using tasklets on boot. If the earlier initcall hasn't found any microcode in a multiboot module then there will be nothing for the latter one to do. If the earlier did find microcode, then it should be applied automatically whenever a new cpu comes up, rather than when explicitly prodded by the later initcall. Does this make sense? ~Andrew _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |