Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 13 Jul 2018 12:11:33 -0400
From:      Mark Johnston <markj@freebsd.org>
To:        Konstantin Belousov <kostikbel@gmail.com>
Cc:        Poul-Henning Kamp <phk@phk.freebsd.dk>, freebsd-arch@freebsd.org
Subject:   Re: early x86 microcode loading
Message-ID:  <20180713161133.GC26064@raichu>
In-Reply-To: <20180713125054.GK5562@kib.kiev.ua>
References:  <20180712183116.GB15892@raichu> <50839.1531428749@critter.freebsd.dk> <20180712224631.GF15892@raichu> <20180713125054.GK5562@kib.kiev.ua>

next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jul 13, 2018 at 03:50:54PM +0300, Konstantin Belousov wrote:
> On Thu, Jul 12, 2018 at 06:46:31PM -0400, Mark Johnston wrote:
> > On Thu, Jul 12, 2018 at 08:52:29PM +0000, Poul-Henning Kamp wrote:
> > > --------
> > > In message <20180712183116.GB15892@raichu>, Mark Johnston writes:
> > > 
> > > >My plan is to extend cpucontrol(8) to determine the
> > > >correct microcode update for the running system, and have the devcpu-data
> > > >port install the corresponding file to /boot/firmware.
> > > 
> > > This is problematic when a diskimage is migrated to a different CPU,
> > > only on the second reboot on the new hardware are you certain to
> > > have the correct microcode.
> > > 
> > > For images which are resurrected on demand on whatever hardware is
> > > available this really problematic.

(To be clear, this case can be handled with my proposal: one would
concatenate all of the updates together and load the result, and the
kernel would select the correct update and apply it during boot.  The
issue is with the default behaviour of the devcpu-data port.)

> > I can think of three ways to address this case:
> > 
> > 1a) Always load all of the updates as a single file, and select the
> >     correct update during boot.  As I pointed out, this wastes some
> >     memory (a couple of megabytes currently).  On at least amd64 it
> >     doesn't look very practical to release the pages backing the
> >     update file back to the VM.  That is, I don't think we can easily
> >     "shed" the preloaded file data once the correct update has been
> >     selected and saved.
> > 
> > 1b) Have the devcpu-data port operate in one of two modes: either the
> >     port selects the update for the current machine, as I outlined in my
> >     original mail, or it concatenates all of the updates as in 1a) and
> >     the kernel selects the correct update.  This way we'd only
> >     waste memory if the disk image is to be shared among multiple
> >     machines.  I'm not sure what the mechanism should be for selecting
> >     the mode.
> > 
> >  2) Install all updates to a directory under /boot and add code to the
> >     loader to perform the selection, and pass only the required microcode
> >     file to the kernel.  This seems straightforward to me, though I'm not
> >     yet sure exactly where in the loader this logic should go.
> 
> What is the problem with having the microcode blob unmatched ? The
> result would be only lack of the update for the CPU. If user cares about
> having the updated microcode, he would run the required command anew.
> Or you might add an automatic run of such command on shutdown.

Given that the trend seems to be for new CPU vulnerabilities to be
mitigated by microcode updates, I think we'd want a mechanism that makes
a reasonable effort to work reliably once it is configured by the
administrator.  From this perspective, special cases which require an
extra reboot or an extra command invocation at shutdown (what if the
system panics?) are undesirable.  Perhaps we should indeed declare these
special cases as unsupported by devcpu-data, but I would prefer not to
do so if possible.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180713161133.GC26064>