From: Ashok Raj <ashok.raj@intel.com>
To: Borislav Petkov <bp@alien8.de>
Cc: "Ashok Raj" <ashok_raj@linux.intel.com>,
	"X86 ML" <x86@kernel.org>, "Andrew Cooper" <amc96@srcf.net>,
	LKML <linux-kernel@vger.kernel.org>,
	"Ștefan Talpalaru" <stefantalpalaru@yahoo.com>,
	"Ashok Raj" <ashok.raj@intel.com>
Subject: Re: [PATCH] x86/microcode/AMD: Attempt applying on every logical thread
Date: Tue, 16 Aug 2022 16:51:49 +0000
Message-ID: <YvvLJZR+8jS7Asnq@araj-dh-work>
In-Reply-To: <YvuQgx698T5cgF+C@zn.tnic>

On Tue, Aug 16, 2022 at 02:41:39PM +0200, Borislav Petkov wrote:
> On Tue, Aug 16, 2022 at 09:00:14AM +0000, Ashok Raj wrote:
> > A re-application means, you want to apply even if the cpu_rev <= patch.rev
> 
> Yes.

I see, so we probably shouldn't remove the rev check completely but just
permit a reload if the rev is equal?

> 
> > if cpu_rev is > patch_rev, clearly it's ahead? say BIOS has a newer
> > version than in the initrd image, do we want to replace the BIOS
> > version since we do no revid checks here.
> 
> Can you even downgrade the microcode through the MSR?

I'm not sure what is true for AMD.

For Intel, there is a Security Version Number in the signed encrypted part
of the microcode. As long as the new image has SVN >= what the CPU's SVN is
you can update the microcode.

So if a rev2 is loaded, and rev1 is the new MCU, and rev2 and rev1 have the
same SVN, you can go down rev from rev2->rev1 where rev2 > rev1.

Microcode enforcement for rollback protection has been the SVN. Version
number is a SW feel good thing for identifying which image you are running,
not intended for preventing rollback or any security enforcement.

Cheers,
Ashok
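
The interaction between a loader-side revision check and the SVN rule described in the message above, as an added example that is not part of the original thread or of the kernel's code. It is a small C model: the `svn` field, the policy names and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical view of an image: rev is the visible revision, svn stands in
 * for the Security Version Number carried in the signed part (assumed). */
struct ucode { uint32_t rev, svn; };

/* Loader-side choices raised in the thread: keep the check, allow an equal
 * revision to be re-applied, or drop the revision check entirely. */
enum loader_policy { NEWER_ONLY, ALLOW_EQUAL, NO_REV_CHECK };
enum outcome { SKIPPED_BY_LOADER, REJECTED_BY_CPU, APPLIED_UPGRADE,
               APPLIED_SAME_REV, APPLIED_REV_DOWNGRADE };

static bool loader_allows(enum loader_policy p, uint32_t cpu_rev, uint32_t patch_rev)
{
    switch (p) {
    case NEWER_ONLY:   return patch_rev > cpu_rev;
    case ALLOW_EQUAL:  return patch_rev >= cpu_rev;
    case NO_REV_CHECK: return true;
    }
    return false;
}

/* Rollback rule as stated in the message: new SVN >= current SVN. */
static bool cpu_accepts(const struct ucode *cur, const struct ucode *img)
{
    return img->svn >= cur->svn;
}

enum outcome try_load(enum loader_policy p, const struct ucode *cur,
                      const struct ucode *img)
{
    if (!loader_allows(p, cur->rev, img->rev)) return SKIPPED_BY_LOADER;
    if (!cpu_accepts(cur, img))                return REJECTED_BY_CPU;
    if (img->rev > cur->rev)                   return APPLIED_UPGRADE;
    return img->rev == cur->rev ? APPLIED_SAME_REV : APPLIED_REV_DOWNGRADE;
}

int main(void)
{
    static const char *names[] = { "skipped by loader", "rejected by CPU",
        "applied (upgrade)", "applied (same rev)", "applied (rev downgrade)" };
    /* Constructed case from the message: rev2 loaded, rev1 offered, same SVN. */
    struct ucode cur = { 2, 5 }, img = { 1, 5 };
    for (int p = NEWER_ONLY; p <= NO_REV_CHECK; p++)
        printf("policy %d: %s\n", p, names[try_load((enum loader_policy)p, &cur, &img)]);
    return 0;
}
```

In this model the revision downgrade only goes through when the loader performs no revision check, which is the case the message's question about keeping the check is concerned with.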
