lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 27 Apr 2020 10:27:56 +0300
From:   Mihai Carabas <mihai.carabas@...cle.com>
To:     linux-kernel@...r.kernel.org
Cc:     Mihai Carabas <mihai.carabas@...cle.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
        Jonathan Corbet <corbet@....net>, linux-doc@...r.kernel.org
Subject: [PATCH RFC] Microcode late loading feature identification

This RFC patch set aims to provide a way to identify the modifications
brought in by the new microcode updated at runtime (aka microcode late
loading). This was debated last year and this patch set implements
point #1 from Thomas Gleixner's idea:
https://lore.kernel.org/lkml/alpine.DEB.2.21.1909062237580.1902@nanos.tec.linutronix.de/

This patch set has the following patches:

- patch 1 is introducing a new metadata file that comes with the microcode
(provided by the CPU manufacture) that describes what modifications are
done by loading the new microcode

- patch 2 parses the metadata file and is verifying it against kernel
policy. In this patch, as an RFC, as a kernel policy, it was imposed
the rule of not allowing to remove any feature. If so, it won't be
loaded a new microcode. The policy can be further extended and describe
in different ways

- patch 3 adds the documentation of the metadata file format


How to test:

- place metadata file in /lib/firmware/intel-ucode/ together with the
microcode blob:

[root@...108 ~]# ls -l /lib/firmware/intel-ucode
total 96
-rw-r--r--.   1 root root 34816 Mar 11 00:27 06-55-04
-rw-r--r--.   1 root root    84 Mar 25 03:13 06-55-04.metadata

The microcode blob can be taken from the microcode_ctl package.

- after installing the kernel and rebooting the machine run "dracut -f
--no-early-microcode" to create an initramfs without the microcode (and
avoid early loading)

- reboot

- after rebooting issue: echo 1 > /sys/devices/system/cpu/microcode/reload

[root@...108 ~]# cat /lib/firmware/intel-ucode/06-55-04.metadata
m - 0x00000122
c + 0x00000007 0x00 0x00000000 0x021cbfbb 0x00000000 0x00000000

[root@...108 ~]# echo 1 > /sys/devices/system/cpu/microcode/reload
[root@...108 ~]# dmesg | tail -2
[ 1285.729841] microcode: Kernel policy does not allow to remove MSR: 122
[ 1285.737144] microcode: kernel does not support the new microcode: intel-ucode/06-55-04

[root@...108 ~]# cat /lib/firmware/intel-ucode/06-55-04.metadata
m + 0x00000122
c + 0x00000007 0x00 0x00000000 0x021cbfbb 0x00000000 0x00000000
[root@...108 ~]# echo 1 > /sys/devices/system/cpu/microcode/reload
[root@...108 ~]# dmesg | tail -10
[ 1220.212415] microcode: updated to revision 0x2000065, date = 2019-09-05
[ 1220.212645] microcode: Reload completed, microcode revision: 0x2000065

Mihai Carabas (3):
  x86: microcode: intel: read microcode metadata file
  x86: microcode: intel: process microcode metadata
  Documentation: x86: microcode: add description for metadata file

 Documentation/x86/microcode.rst       | 36 +++++++++++++
 arch/x86/kernel/cpu/microcode/intel.c | 97 +++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+)

-- 
1.8.3.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ