Date:   Mon, 11 May 2020 17:11:23 +0300
From:   Mihai Carabas <mihai.carabas@...cle.com>
To:     linux-kernel@...r.kernel.org
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>,
        Jonathan Corbet <corbet@....net>, linux-doc@...r.kernel.org,
        "Raj, Ashok" <ashok.raj@...el.com>,
        Tom Lendacky <thomas.lendacky@....com>
Subject: Re: [PATCH RFC] Microcode late loading feature identification

On 27.04.2020 10:27, Mihai Carabas wrote:
> This RFC patch set aims to provide a way to identify the modifications
> brought in by the new microcode updated at runtime (aka microcode late
> loading). This was debated last year and this patch set implements
> point #1 from Thomas Gleixner's idea:
> https://lore.kernel.org/lkml/alpine.DEB.2.21.1909062237580.1902@nanos.tec.linutronix.de/
> 

+Ashok and Thomas to get feedback from the vendor side on file
format/integration in the microcode blob and signature.

Thank you,
Mihai

> This patch set has the following patches:
> 
> - patch 1 is introducing a new metadata file that comes with the microcode
> (provided by the CPU manufacturer) that describes what modifications are
> done by loading the new microcode
> 
> - patch 2 parses the metadata file and verifies it against kernel
> policy. In this patch, as an RFC, the kernel policy imposes the rule of
> not allowing any feature to be removed. If so, the new microcode won't
> be loaded. The policy can be further extended and described in
> different ways
> 
> - patch 3 adds the documentation of the metadata file format
> 
> 
> How to test:
> 
> - place metadata file in /lib/firmware/intel-ucode/ together with the
> microcode blob:
> 
> [root@...108 ~]# ls -l /lib/firmware/intel-ucode
> total 96
> -rw-r--r--.   1 root root 34816 Mar 11 00:27 06-55-04
> -rw-r--r--.   1 root root    84 Mar 25 03:13 06-55-04.metadata
> 
> The microcode blob can be taken from the microcode_ctl package.
> 
> - after installing the kernel and rebooting the machine run "dracut -f
> --no-early-microcode" to create an initramfs without the microcode (and
> avoid early loading)
> 
> - reboot
> 
> - after rebooting issue: echo 1 > /sys/devices/system/cpu/microcode/reload
> 
> [root@...108 ~]# cat /lib/firmware/intel-ucode/06-55-04.metadata
> m - 0x00000122
> c + 0x00000007 0x00 0x00000000 0x021cbfbb 0x00000000 0x00000000
> 
> [root@...108 ~]# echo 1 > /sys/devices/system/cpu/microcode/reload
> [root@...108 ~]# dmesg | tail -2
> [ 1285.729841] microcode: Kernel policy does not allow to remove MSR: 122
> [ 1285.737144] microcode: kernel does not support the new microcode: intel-ucode/06-55-04
> 
> [root@...108 ~]# cat /lib/firmware/intel-ucode/06-55-04.metadata
> m + 0x00000122
> c + 0x00000007 0x00 0x00000000 0x021cbfbb 0x00000000 0x00000000
> [root@...108 ~]# echo 1 > /sys/devices/system/cpu/microcode/reload
> [root@...108 ~]# dmesg | tail -10
> [ 1220.212415] microcode: updated to revision 0x2000065, date = 2019-09-05
> [ 1220.212645] microcode: Reload completed, microcode revision: 0x2000065
> 
> Mihai Carabas (3):
>    x86: microcode: intel: read microcode metadata file
>    x86: microcode: intel: process microcode metadata
>    Documentation: x86: microcode: add description for metadata file
> 
>   Documentation/x86/microcode.rst       | 36 +++++++++++++
>   arch/x86/kernel/cpu/microcode/intel.c | 97 +++++++++++++++++++++++++++++++++++
>   2 files changed, 133 insertions(+)
> 
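Added example, not code from the RFC patches or the kernel: a userspace C model of the policy check that patch 2 describes, run over the metadata lines quoted above. The field layout is an assumption read off the sample file (m = MSR address; c = CPUID leaf, subleaf, eax, ebx, ecx, edx), since the documentation patch itself is not on this page.

```c
#include <stdio.h>
#include <string.h>

/* Outcomes modelled on the two dmesg results in the cover letter. */
enum { META_ALLOW = 0, META_REJECT_REMOVAL = 1, META_PARSE_ERROR = 2 };

struct meta_result {
    int status;
    char kind;          /* 'm' (MSR) or 'c' (CPUID) of the rejected entry */
    unsigned int id;    /* MSR address or CPUID leaf of the rejected entry */
    int msrs_added, cpuid_added;
};

/* The first (rejected) metadata file shown in the cover letter. */
static const char *SAMPLE_REMOVES_MSR =
    "m - 0x00000122\n"
    "c + 0x00000007 0x00 0x00000000 0x021cbfbb 0x00000000 0x00000000\n";

/*
 * Apply the RFC policy ("do not allow to remove any feature") to the text of a
 * .metadata file.  The field layout is an assumption read off the sample above:
 *   m <+|-> <msr>                                    MSR added / removed
 *   c <+|-> <leaf> <subleaf> <eax> <ebx> <ecx> <edx>  CPUID bits added / removed
 */
int check_metadata(const char *text, struct meta_result *r)
{
    char buf[1024], *line;
    unsigned int v[6];

    memset(r, 0, sizeof(*r));
    if (strlen(text) >= sizeof(buf))
        return r->status = META_PARSE_ERROR;
    strcpy(buf, text);
    for (line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        char kind = 0, op = 0;
        int n = sscanf(line, " %c %c %x %x %x %x %x %x", &kind, &op,
                       &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]);
        int want = kind == 'm' ? 3 : kind == 'c' ? 8 : -1;  /* fields per kind */
        if (n < 3 || n != want || (op != '+' && op != '-'))
            return r->status = META_PARSE_ERROR;
        if (op == '-') {   /* kernel policy: any removal blocks the reload */
            r->kind = kind;
            r->id = v[0];
            return r->status = META_REJECT_REMOVAL;
        }
        kind == 'm' ? r->msrs_added++ : r->cpuid_added++;
    }
    return r->status = META_ALLOW;
}
```

The rejected case reports the same MSR (0x122) that the dmesg line on the page names; flipping the first line to `m +`, as the second sample on the page does, lets the reload proceed.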
