lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 22 Jun 2012 05:36:34 +0200
From:	Borislav Petkov <bp@...64.org>
To:	"H. Peter Anvin" <hpa@...or.com>
Cc:	Borislav Petkov <bp@...64.org>,
	Henrique de Moraes Holschuh <hmh@....eng.br>,
	Peter Zijlstra <peterz@...radead.org>,
	"Yu, Fenghua" <fenghua.yu@...el.com>, X86-ML <x86@...nel.org>,
	Ingo Molnar <mingo@...nel.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	LKML <linux-kernel@...r.kernel.org>,
	Andreas Herrmann <andreas.herrmann3@....com>
Subject: Re: [PATCH 2/2] x86, microcode: Make reload interface per system

On Thu, Jun 21, 2012 at 08:19:04PM -0700, H. Peter Anvin wrote:
> On 06/21/2012 07:56 PM, Borislav Petkov wrote:
> >>
> >> That is orthogonal.  Anyway, my only concern about the request_firmware
> >> interface is that the timing will be inherently wrong.
> > 
> > Timing? Please elaborate.
> > 
> 
> The request_firmware will happen as soon as the driver is loaded; with
> the early microcode blob scheme the driver will need to be built in and
> so the request_firmware will happen, redundantly, immediately...

I see the problem: we will just have updated the latest ucode from the
early scheme and then shortly after do a request_firmware to find out
that we don't have a newer patch anyway.

Hmm, ok, when I tried compiling in the microcode driver this week, it
didn't wait for 60 seconds because there was no userspace at 3 seconds
within the boot - it simply continued booting.

I think there's a guard for this in microcode_init_cpu:

        if (system_state != SYSTEM_RUNNING)
		return UCODE_NFOUND;

so that we don't call request_firmware that early.

But I haven't verified this yet.

In any case, we should disallow the request_firmware call temporarily
during init when the early scheme is in place.

But there is another problem:

What if BIOS has patch version 1 (numbers are only for showing what I
mean), then early scheme applies patch v2 but there is a newer patch
version 3 in /lib/firmware?

If the ucode driver is built in, we don't get to update to v3
automatically. User has to do it.

The current fix for this situation is have the microcode.ko as module
(and only allow it as M) which then automatically does request_firmware
at module init time and loads v3.

Which doesn't help people who don't build modules...

Hmmm.

-- 
Regards/Gruss,
Boris.

Advanced Micro Devices GmbH
Einsteinring 24, 85609 Dornach
GM: Alberto Bozzo
Reg: Dornach, Landkreis Muenchen
HRB Nr. 43632 WEEE Registernr: 129 19551
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ