.. SPDX-License-Identifier: GPL-2.0

==========================
The Linux Microcode Loader
==========================

:Authors: - Fenghua Yu <fenghua.yu@intel.com>
          - Borislav Petkov <bp@suse.de>
          - Ashok Raj <ashok.raj@intel.com>

The kernel has a x86 microcode loading facilit
provide microcode loading methods in the OS. P
updating the microcode on platforms beyond the
and updating the microcode on long-running sys

The loader supports three loading methods:

Early load microcode
====================

The kernel can update microcode very early dur
microcode early can fix CPU issues before they
kernel boot time.

The microcode is stored in an initrd file. Dur
it and loaded into the CPU cores.

The format of the combined initrd image is mic
cpio format followed by the (possibly compress
loader parses the combined initrd image during

The microcode files in cpio name space are:

on Intel:
  kernel/x86/microcode/GenuineIntel.bin
on AMD  :
  kernel/x86/microcode/AuthenticAMD.bin

During BSP (BootStrapping Processor) boot (pre
scans the microcode file in the initrd. If mic
CPU is found, it will be applied in the BSP an
(Application Processors).

The loader also saves the matching microcode f
Thus, the cached microcode patch is applied wh
sleep state.

Here's a crude example how to prepare an initr
normally done automatically by the distributio
initrd, so you don't really have to do it your
here for future reference only).
::

  #!/bin/bash

  if [ -z "$1" ]; then
      echo "You need to supply an initrd file"
      exit 1
  fi

  INITRD="$1"

  DSTDIR=kernel/x86/microcode
  TMPDIR=/tmp/initrd

  rm -rf $TMPDIR

  mkdir $TMPDIR
  cd $TMPDIR
  mkdir -p $DSTDIR

  if [ -d /lib/firmware/amd-ucode ]; then
          cat /lib/firmware/amd-ucode/microcod
  fi

  if [ -d /lib/firmware/intel-ucode ]; then
          cat /lib/firmware/intel-ucode/* > $D
  fi

  find . | cpio -o -H newc >../ucode.cpio
  cd ..
  mv $INITRD $INITRD.orig
  cat ucode.cpio $INITRD.orig > $INITRD

  rm -rf $TMPDIR


The system needs to have the microcode package
/lib/firmware or you need to fixup the paths a
somewhere else and/or you've downloaded them d
vendor's site.

Late loading
============

You simply install the microcode packages your
run::

  # echo 1 > /sys/devices/system/cpu/microcode

as root.

The loading mechanism looks for microcode blob
/lib/firmware/{intel-ucode,amd-ucode}. The def
packages already put them there.

Since kernel 5.19, late loading is not enabled

The /dev/cpu/microcode method has been removed

Why is late loading dangerous?
==============================

Synchronizing all CPUs
----------------------

The microcode engine which receives the microc
between the two logical threads in a SMT syste
the update is executed on one SMT thread of th
"automatically" gets the update.

Since the microcode can "simulate" MSRs too, w
is in progress, those simulated MSRs transient
can result in unpredictable results if the SMT
be in the middle of an access to such an MSR.
that such MSR accesses cause #GPs to be raised
not present.

The disappearing MSRs are just one common issu
Any other instruction that's being patched and
executed by the other SMT sibling, can also re
unpredictable behavior.

To eliminate this case, a stop_machine()-based
introduced as a way to guarantee that all logi
any code but just wait in a spin loop, polling

While this took care of device or external int
LVT ones, such as CMCI etc, it cannot address
that can't be shut off. Those are Machine Chec
(#SMI) and Non-Maskable interrupts (#NMI).

Machine Checks
--------------

Machine Checks (#MC) are non-maskable. There a
Fatal un-recoverable MCEs and recoverable MCEs
errors are fatal, recoverable errors can also
are also treated as fatal by the kernel.

On certain Intel machines, MCEs are also broad
system. If one thread is in the middle of exec
taken at the end of the flow. Either way, they
performing the wrmsr(0x79) to rendezvous in th
eventually if any of the threads in the system
MCE rendezvous.

To be paranoid and get predictable behavior, t
MCG_STATUS.MCIP. Since MCEs can be at most one
MCE was signaled, the above condition will pro
automatically. OS can turn off MCIP at the end
core.

System Management Interrupt
---------------------------

SMIs are also broadcast to all CPUs in the pla
requests exclusive access to the core before w
it does happen such that, one thread is in WRM
an SMI, that thread will be stopped in the fir
handler.

Since the secondary thread is stopped in the f
there is very little chance that it would be i
an instruction being patched. Plus OS has no w
happening.

Non-Maskable Interrupts
-----------------------

When thread0 of a core is doing the microcode
pulled into NMI, that can cause unpredictable
reasons above.

OS can choose a variety of methods to avoid ru


Is the microcode suitable for late loading?
-------------------------------------------

Late loading is done when the system is fully
real workloads.
Late loading behavior depends
the CPU is before upgrading to the new patch.

This is true for Intel CPUs.

Consider, for example, a CPU has patch level 1
patch level 3.

Between patch1 and patch3, patch2 might have d
feature.

This is unacceptable if software is even poten
For instance, say MSR_X is no longer available
accessing that MSR will cause a #GP fault.

Basically there is no way to declare a new mic
for late-loading. This is another one of the p
loading to be not enabled by default.

Builtin microcode
=================

The loader supports also loading of a builtin
the regular builtin firmware method CONFIG_EXT
currently supported.

Here's an example::

  CONFIG_EXTRA_FIRMWARE="intel-ucode/06-3a-09
  CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware"

This basically means, you have the following t

  /lib/firmware/
  |-- amd-ucode
  ...
  |   |-- microcode_amd_fam15h.bin
  ...
  |-- intel-ucode
  ...
  |   |-- 06-3a-09
  ...

so that the build system can find those files
the final kernel image. The early loader finds

Needless to say, this method is not the most f
requires rebuilding the kernel each time updat
vendor is available.
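
The combined initrd layout described under "Early load microcode" can be checked before a reboot by walking the uncompressed newc cpio at the front of the image and confirming that one of the two microcode file names is present and non-empty. This is an added example, not kernel code or part of the original document; the function names (``leading_cpio_entries``, ``microcode_in_initrd``, ``newc_entry``) are hypothetical and the sample image is constructed.

```python
"""Added example: list early-load microcode found at the front of an initrd."""

# Names the page gives for the microcode files in cpio name space.
UCODE_PATHS = ("kernel/x86/microcode/GenuineIntel.bin",
               "kernel/x86/microcode/AuthenticAMD.bin")
MAGIC, HDR_LEN = b"070701", 110   # newc: 6-byte magic + 13 fields of 8 hex digits


def leading_cpio_entries(image: bytes):
    """Yield (name, size) for each entry of the uncompressed newc cpio at offset 0."""
    off = 0
    while image[off:off + 6] == MAGIC:
        hdr = image[off:off + HDR_LEN]
        if len(hdr) < HDR_LEN:
            raise ValueError("truncated cpio header")
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_end = off + HDR_LEN + namesize
        name = image[off + HDR_LEN:name_end - 1].decode("ascii", "replace")
        if name == "TRAILER!!!":                # end of the leading archive
            return
        data_off = (name_end + 3) & ~3          # name is NUL-padded to 4 bytes
        if data_off + filesize > len(image):
            raise ValueError("truncated cpio data for " + name)
        yield name, filesize
        off = (data_off + filesize + 3) & ~3    # data is padded to 4 bytes too


def microcode_in_initrd(image: bytes) -> dict:
    """Map each non-empty vendor microcode file found to its size in bytes."""
    return {n: s for n, s in leading_cpio_entries(image) if n in UCODE_PATHS and s}


def newc_entry(name: str, data: bytes) -> bytes:
    """Build one newc entry (used only to construct the sample below)."""
    raw = name.encode() + b"\0"
    fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0]
    out = MAGIC + b"".join(b"%08X" % f for f in fields) + raw
    out += b"\0" * (-len(out) % 4) + data
    return out + b"\0" * (-len(out) % 4)


# Constructed sample: microcode cpio followed by a fake gzip-compressed initrd.
SAMPLE = (newc_entry(UCODE_PATHS[0], b"\x01" * 48)
          + newc_entry("TRAILER!!!", b"") + b"\x1f\x8b\x08" + b"\0" * 32)

if __name__ == "__main__":
    print(microcode_in_initrd(SAMPLE))
```

An empty result for a real image means the initrd does not begin with an uncompressed microcode archive under either of those names, so the early loader would find nothing to apply from it.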