Message-ID: <20250815092025.GCaJ772U9p_UpEasfa@fat_crate.local>
Date: Fri, 15 Aug 2025 11:20:25 +0200
From: Borislav Petkov <bp@...en8.de>
To: "Chang S. Bae" <chang.seok.bae@...el.com>
Cc: Borislav Petkov <bp@...nel.org>, X86 ML <x86@...nel.org>,
	LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 1/2] x86/microcode: Add microcode= cmdline parsing

On Thu, Aug 14, 2025 at 04:08:57PM -0700, Chang S. Bae wrote:
> It looks like microcode=dis_ucode_ldr is also supported.
> This could be added here:
> 			ldr_ucode_ldr
> 			Disable the microcode loader.		

Done.

> I also noticed in arch/x86/Kconfig:
> 
> config MICROCODE_LATE_LOADING
> 	bool "Late microcode loading (DANGEROUS)"
> 	default n
> 	depends on MICROCODE && SMP
> 	help
> 	  ...
> 	  the kernel command line with "microcode.minrev=Y".
> 
> This outdated has been there already. Perhaps, it might be better to fix
> this typo with the new one while updating the option.

Done. Good catch.

> nit: s/64/sizeof(cmd_bug)/

Done.

> I think the behavior here differs from before:
> 
> Previously, the minrev requirement could be enforced by either
>   (a) Build with MICROCODE_LATE_FORCE_MINREV=y, or
>   (b) microcode.force_minrev with MICROCODE_LATE=y.
> 
> Now, this requires both. I don't know if this is intentional, but it’s like
> asking for more from the user.

Yeah, you're right. FORCE_MINREV is not a CONFIG item which enables
force_minrev support. 

Ok, here's a diff on top with all the changes I've caught up until now:

---

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index fc002b1a9f57..e7badf2aba63 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -3770,16 +3770,17 @@
 	microcode=      [X86] Control the behavior of the microcode loader.
 	                Available options, comma separated:
 
-			dbg - Format: <bool>
-			enable debugging mode when run in a guest
-
 			base_rev=X - with <X> with format: <u32>
 			Set the base microcode revision of each thread when in
 			debug mode.
 
-			force_minrev
+			dbg: enable debugging mode when run in a guest
+
+			dis_ucode_ldr: disable the microcode loader
+
+			force_minrev:
 			Enable or disable the microcode minimal revision
- 			enforcement for the runtime microcode loader.
+			enforcement for the runtime microcode loader.
 
 	mini2440=	[ARM,HW,KNL]
 			Format:[0..2][b][c][t]
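
Review bot: The force_minrev entry still says "Enable or disable the microcode minimal revision enforcement", but the option is a bare token with no value, and the parser in core.c only ever does force_minrev = true for it. Suggest "Enable the microcode minimal revision enforcement for the runtime microcode loader." The layout is also inconsistent after this change: dbg and dis_ucode_ldr use a one-line "name: description" form, force_minrev: puts its description on the following lines, and base_rev=X uses neither; pick one form for all four entries.
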
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 462bf03aeda5..77f72f075d89 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -1340,7 +1340,7 @@ config MICROCODE_LATE_LOADING
 	  use this at your own risk. Late loading taints the kernel unless the
 	  microcode header indicates that it is safe for late loading via the
 	  minimal revision check. This minimal revision check can be enforced on
-	  the kernel command line with "microcode.minrev=Y".
+	  the kernel command line with "microcode=force_minrev".
 
 config MICROCODE_LATE_FORCE_MINREV
 	bool "Enforce late microcode loading minimal revision check"
@@ -1356,7 +1356,7 @@ config MICROCODE_LATE_FORCE_MINREV
 	  revision check fails.
 
 	  This minimal revision check can also be controlled via the
-	  "microcode.minrev" parameter on the kernel command line.
+	  "microcode=force_minrev" parameter on the kernel command line.
 
 	  If unsure say Y.
 
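Review bot: "can also be controlled via" in the MICROCODE_LATE_FORCE_MINREV help overstates what the command line does. With this option set, force_minrev already starts out true per the core.c change, and "microcode=force_minrev" can only set it to true again. Suggest "can also be enabled via" so that readers do not expect a way to switch the check off at boot.
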
diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
index 3a4e210f6cf3..f045670a1fae 100644
--- a/arch/x86/kernel/cpu/microcode/core.c
+++ b/arch/x86/kernel/cpu/microcode/core.c
@@ -45,7 +45,7 @@
 static struct microcode_ops *microcode_ops;
 static bool dis_ucode_ldr;
 
-bool force_minrev = false;
+bool force_minrev = IS_ENABLED(CONFIG_MICROCODE_LATE_FORCE_MINREV);
 
 /*
  * Those below should be behind CONFIG_MICROCODE_DBG ifdeffery but in
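
Review bot: Missing comment on the force_minrev definition: nothing here says that the default comes from CONFIG_MICROCODE_LATE_FORCE_MINREV and that microcode=force_minrev is a second, independent way to turn enforcement on. A one-line comment above the variable stating both would save the next reader from reconstructing the either-or semantics from early_parse_cmdline().
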
@@ -142,7 +142,7 @@ static void early_parse_cmdline(void)
 	char cmd_buf[64] = {};
 	char *s, *p = cmd_buf;
 
-	if (cmdline_find_option(boot_command_line, "microcode", cmd_buf, 64) > 0) {
+	if (cmdline_find_option(boot_command_line, "microcode", cmd_buf, sizeof(cmd_buf)) > 0) {
 		while ((s = strsep(&p, ","))) {
 			if (IS_ENABLED(CONFIG_MICROCODE_DBG)) {
 				if (!strcmp(s, "dbg"))
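
Review bot: The cmdline_find_option() result is only tested for > 0 and never compared against sizeof(cmd_buf). If the returned length can exceed the 64-byte buffer, a long microcode= value leaves a cut-off last token that matches none of the strcmp() checks and is dropped without any message. Consider a warning when the returned length is not smaller than sizeof(cmd_buf), so a silently ignored force_minrev or dis_ucode_ldr does not go unnoticed.
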
@@ -155,10 +155,8 @@ static void early_parse_cmdline(void)
 				}
 			}
 
-			if (IS_ENABLED(CONFIG_MICROCODE_LATE_FORCE_MINREV)) {
-				if (!strcmp("force_minrev", s))
-					force_minrev = true;
-			}
+			if (!strcmp("force_minrev", s))
+				force_minrev = true;
 
 			if (!strcmp(s, "dis_ucode_ldr"))
 				dis_ucode_ldr = true;
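
Review bot: Style nit on the strcmp() argument order: the force_minrev check uses strcmp("force_minrev", s) while the dbg and dis_ucode_ldr checks in the same loop use strcmp(s, "..."). Since these lines are being rewritten anyway, switch to strcmp(s, "force_minrev") so all token comparisons read the same way. Tokens that match nothing also fall through the loop silently; an else branch with a pr_warn-style message for unknown options would make typos on the command line visible.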

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
