Received: by 10.223.185.111 with SMTP id b44csp1550994wrg; Sat, 10 Mar 2018 08:18:45 -0800 (PST) X-Google-Smtp-Source: AG47ELuSInU4WbvNZTeC4Imwyoil75aKfJtbmrfbSJZKAKH1h/e78WN2vigIjA/Fhf97+G8Aun2x X-Received: by 10.99.126.14 with SMTP id z14mr2033005pgc.429.1520698725742; Sat, 10 Mar 2018 08:18:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520698725; cv=none; d=google.com; s=arc-20160816; b=c8U/JX4QqFCC/qx6PcPbt4eeUHgSWg0IM+ZNB4oxa2qN+1Hsx/FETHxzDIikTsiVIZ 9JPuCYZ1FzPk9WWe3xDvbTkw7CWC4DbsoorBx5bd7cIy5LA6CAilYCeyNjomhGep+DHA J18S5bwU56lGdtMEiO9OeVKbEEsRHf2Tjiv5cq0jmgRbd27qgsD2aPu6XuUI9URtPEvC K9Pm9CxTjXpURLoMRRNRYtSNOCu5LSLKQZi90vo9twWG4b7/Ay29Hr3tRq51OHTRtc6F hW7tDq6YeQrxW5fbbiC/+KkwCiRjfpd6V03+bhyZz0kkpSvaIjgUh1nLkoHk8Ckp3G4T 16tA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:references:cc:to:from:subject:arc-authentication-results; bh=uLdrE7uo12+eBtQkfa/oFjor3QbZ4D6khqSuVUTgae4=; b=RRfWWXGfKAvMrX0Hs+aGtm2cAEz+xc20ZvIWEoa6+yDUjWb3PrMgc3S+eImxhDHdaW Lq3FfOQQ4HhzmGf3dlY4Heu260oYoxCnULdLy+SNVu4OPRRiMyREza3hmRPZ1yPYs029 wwasd1iFTYvFx5rf1xGlnJ8+5JWflwqGLGcjy/iRVoYAAnDjIpmUSgPeByTj40dPgX1U PrLmoEPvy1QRrfV/HpKhgwotcpO/y+kYFJZAc2KYLd6QF99LaG0n++t/TU7iOOEImDf4 v0b+1f1XKXtbayNNAxgIl+pJ+spABANagnlj14K1uyBkiwM2xklN3RZwbrjoLasgiPjK gHSg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 23si2918016pfy.85.2018.03.10.08.18.31; Sat, 10 Mar 2018 08:18:45 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932493AbeCJQQp (ORCPT + 99 others); Sat, 10 Mar 2018 11:16:45 -0500 Received: from vps-vb.mhejs.net ([37.28.154.113]:53394 "EHLO vps-vb.mhejs.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932329AbeCJQQo (ORCPT ); Sat, 10 Mar 2018 11:16:44 -0500 Received: by vps-vb.mhejs.net with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.90_1) (envelope-from ) id 1euhAm-00032A-Du; Sat, 10 Mar 2018 17:16:40 +0100 Subject: Re: [PATCH] x86/microcode/AMD: check microcode file sanity before loading it From: "Maciej S. Szmigiero" To: Borislav Petkov Cc: Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , x86@kernel.org, linux-kernel@vger.kernel.org References: <34e9d679-2eca-90cf-9a95-3864f0be060e@maciej.szmigiero.name> Message-ID: Date: Sat, 10 Mar 2018 17:16:40 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <34e9d679-2eca-90cf-9a95-3864f0be060e@maciej.szmigiero.name> Content-Type: text/plain; charset=US-ASCII Content-Language: en-US Content-Transfer-Encoding: 7BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 10.03.2018 01:34, Maciej S. Szmigiero wrote: > Currently, it is very easy to make the AMD microcode update driver crash > or spin on a malformed microcode file since it does very little > consistency checking on data loaded from such file. > > This commit introduces various checks, mostly on length-type fields, so > all corrupted microcode files are (hopefully) correctly rejected instead. > > Signed-off-by: Maciej S. Szmigiero To make sure that it is clear what this patch is about: It *isn't* about verifying the actual microcode update, that is, the blob that gets sent to the CPU as the new microcode. Such verification is (hopefully) done by the CPU itself. It is about verifying *this driver-specific* container file that includes many microcode updates for different CPUs of a particular CPU family, along with metadata that helps the driver select the right microcode update to actually sent to the CPU. The microcode container files in linux-firmware don't contain the newest microcode versions, even for older CPUs. They are generally updated VERY rarely - I can see only three updates for them: on 2016-03-18, 2014-11-30 and 2013-07-11. There is no container file at all for family 17h (Zen) so distributions like OpenSUSE that include this file must have gotten it from some other source (or made from raw updates themselves). That's why to get things like IBPB it is sometimes necessary to use a newer microcode version than included in linux-firmware, sourced for example from a BIOS update. Since BIOS updates contain only actual (raw) microcode updates one has to place it in a microcode container file so this driver can parse it. As far I know there is no tool to automate this work so one has to manually tweak the container metadata. And this is prone to mistakes this patch protects against. Sorry for not making this 100% clear in the commit log. Maciej