Commit 69cb33e2 authored by Ingo Molnar's avatar Ingo Molnar

Merge branch 'x86/microcode' into x86/core, to merge dependent commits

Prepare to resolve conflicts with an upstream series of fixes that conflict
with pending x86 changes:

  6f5bf947 Merge tag 'its-for-linus-20250509' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip



Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
parents ec8f353f 4804f5ad
+1 −0
@@ -516,6 +516,7 @@ What: /sys/devices/system/cpu/vulnerabilities
		/sys/devices/system/cpu/vulnerabilities/mds
		/sys/devices/system/cpu/vulnerabilities/meltdown
		/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
		/sys/devices/system/cpu/vulnerabilities/old_microcode
		/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling
		/sys/devices/system/cpu/vulnerabilities/retbleed
		/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
+1 −0
@@ -23,3 +23,4 @@ are configurable at compile, boot or run time.
   gather_data_sampling
   reg-file-data-sampling
   rsb
   old_microcode
+21 −0
.. SPDX-License-Identifier: GPL-2.0

=============
Old Microcode
=============

The kernel keeps a table of released microcode. Systems that had
microcode older than this at boot will say "Vulnerable".  This means
that the system was vulnerable to some known CPU issue. It could be
security or functional, the kernel does not know or care.

You should update the CPU microcode to mitigate any exposure. This is
usually accomplished by updating the files in
/lib/firmware/intel-ucode/ via normal distribution updates. Intel also
distributes these files in a github repo:

	https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git

Just like all the other hardware vulnerabilities, exposure is
determined at boot. Runtime microcode updates do not change the status
of this vulnerability.
+2 −0
@@ -534,4 +534,6 @@
#define X86_BUG_BHI			X86_BUG( 1*32+ 3) /* "bhi" CPU is affected by Branch History Injection */
#define X86_BUG_IBPB_NO_RET		X86_BUG( 1*32+ 4) /* "ibpb_no_ret" IBPB omits return target predictions */
#define X86_BUG_SPECTRE_V2_USER		X86_BUG( 1*32+ 5) /* "spectre_v2_user" CPU is affected by Spectre variant 2 attack between user processes */
#define X86_BUG_OLD_MICROCODE		X86_BUG( 1*32+ 6) /* "old_microcode" CPU has old microcode, it is surely vulnerable to something */

#endif /* _ASM_X86_CPUFEATURES_H */
+16 −0
@@ -2963,6 +2963,14 @@ static ssize_t rfds_show_state(char *buf)
	return sysfs_emit(buf, "%s\n", rfds_strings[rfds_mitigation]);
}

static ssize_t old_microcode_show_state(char *buf)
{
	if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
		return sysfs_emit(buf, "Unknown: running under hypervisor");

	return sysfs_emit(buf, "Vulnerable\n");
}

static char *stibp_state(void)
{
	if (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
@@ -3144,6 +3152,9 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
	case X86_BUG_RFDS:
		return rfds_show_state(buf);

	case X86_BUG_OLD_MICROCODE:
		return old_microcode_show_state(buf);

	default:
		break;
	}
@@ -3220,6 +3231,11 @@ ssize_t cpu_show_reg_file_data_sampling(struct device *dev, struct device_attrib
{
	return cpu_show_common(dev, attr, buf, X86_BUG_RFDS);
}

ssize_t cpu_show_old_microcode(struct device *dev, struct device_attribute *attr, char *buf)
{
	return cpu_show_common(dev, attr, buf, X86_BUG_OLD_MICROCODE);
}
#endif

void __warn_thunk(void)
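Review bot: The hypervisor branch of the new old_microcode_show_state() emits `"Unknown: running under hypervisor"` with no trailing newline, while the `"Vulnerable\n"` return right below it and rfds_show_state() above both end in one. Anything that reads the files under /sys/devices/system/cpu/vulnerabilities/ back to back gets this value fused with whatever is printed next, which makes a guest's status easy to misread in an audit. I would make it `return sysfs_emit(buf, "Unknown: running under hypervisor\n");`. The new old_microcode document only describes the "Vulnerable" value, so the "Unknown" state that guests report is also worth a sentence there.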