Xen project Mailing List

Re: [PATCH v3 4/4] x86/ucode: Add Kconfig option to remove microcode loading

From: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>

Date: Tue, 13 Jan 2026 17:12:11 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=suse.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=XWNOwq1lrhQvLqw3PU5BGCqafDNlZIEQ6aIGHgr/KpE=; b=lyQpeBflycrJFCJmsPqh5RnGBf9tjd2lWo1S92VBFY9YhRfnUBXEAWSLgEJHhuYVTg8U8V2lNmrgGBBaJNpe2Uacf2tu3e2gQZiqDDZlAAmwMK9DjhMERiOz7wy8PfBYP1+BXcIOmBTcfZ3YXpQKGl4x0KDMcb2NzRrlcUMNe4U4dqc7jYyRBrYV4yCgHhjxbXKtjLg/I2CsHp8BmppX0QWEsPlNWi3PLg3nDANj6AZQtlaK1xehDuP0UGmiO9iIvo8oudCEqLM+6Lq39Au74IzG0sPBtk49akDBuM/TVWUYQUZdbkq5fZQ0xa13h36v2eZW/LrQ7iUjuRo5IK+NOA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=cD7LVDJwJgpy1pRR6rBHAdnUys3k0MpZXPP2UfzDdCw/kEkRQ0DYHUg/CnM/bKFzoWuXLZV6bMdnz8r2ed8SATD7kVvvF7yUA8j/VU2CUfLHkIiOOkM0hNy3CyfwuuddlUdyPsC3hdghZ92lRq/UqP9DEksl4IUq+ui1/91aB07+6WkfrfTf4moPlyt0y2K4uGziYwMHCYotPN1Wi2du32riq8xV9usmHovi669Dy+N9mLfWWVLnnyNXX1GEN3A7YS9qnvnF20ge4caQ6lDhi+Azc65gzc+dwHjVvdRO7dPRCTEy6V4y6ULs2ZviwAh5H5s1+sukh1QNktCZ3eAqgA==

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, "Julien Grall" <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Tue, 13 Jan 2026 16:12:34 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Tue Jan 13, 2026 at 4:27 PM CET, Jan Beulich wrote: > On 13.01.2026 13:21, Alejandro Vallejo wrote: >> @@ -469,7 +471,7 @@ struct ucode_buf { >> char buffer[]; >> }; >> >> -static long cf_check ucode_update_hcall_cont(void *data) >> +static long cf_check __maybe_unused ucode_update_hcall_cont(void *data) >> { >> struct microcode_patch *patch = NULL; >> int ret, result; > > Why this change when ... > >> @@ -613,6 +615,7 @@ static long cf_check ucode_update_hcall_cont(void *data) >> return ret; >> } >> >> +#ifdef CONFIG_MICROCODE_LOADING > > ... this can simply be moved up accordingly? After all ... > >> int ucode_update_hcall(XEN_GUEST_HANDLE(const_void) buf, >> unsigned long len, unsigned int flags) >> { >> @@ -645,6 +648,7 @@ int ucode_update_hcall(XEN_GUEST_HANDLE(const_void) buf, >> */ >> return continue_hypercall_on_cpu(0, ucode_update_hcall_cont, buffer); > > ... this is the only user of that other function. To minimise the scope of the ifdef. It's hard to know where things start/end when they cover several functions. This way it's (imo) clearer. I don't mind much though. > >> --- a/xen/arch/x86/cpu/microcode/intel.c >> +++ b/xen/arch/x86/cpu/microcode/intel.c >> @@ -408,17 +408,20 @@ static const char __initconst intel_cpio_path[] = >> "kernel/x86/microcode/GenuineIntel.bin"; >> >> static const struct microcode_ops __initconst_cf_clobber intel_ucode_ops = { >> - .cpu_request_microcode = cpu_request_microcode, >> + .cpu_request_microcode = MICROCODE_OP(cpu_request_microcode), >> .collect_cpu_info = collect_cpu_info, >> - .apply_microcode = apply_microcode, >> - .compare = intel_compare, >> - .cpio_path = intel_cpio_path, >> + .apply_microcode = MICROCODE_OP(apply_microcode), >> + .compare = MICROCODE_OP(intel_compare), >> + .cpio_path = MICROCODE_OP(intel_cpio_path), >> }; > > While I appreciate the intention with MICROCODE_OP(), I'm not really happy > with function pointer members left in place just for them to be NULL > everywhere. What if a call site remains unguarded? With PV guests that > would be a privilege escalation XSA. I see where you're coming from, but these are already NULL if microcode loading is not exposed by the underlying hypervisor (if any), or is blocked by hardware in Intel, so arguably that worry is orthogonal to this. Also, only a privileged domain can perform late microcode loading, so the XSM check would prevent any such XSA from coming to pass. dom0 crashing the system on a bad hypercall (while wrong) would just be unfortunate, not a security issue, as far as I can tell. I could indeed get rid of it all. But that'd cause a sea a ifdefs anywhere the fields are accessed, which is contrary to the current intent of relying on DCE for readability. Cheers, Alejandro

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.