* new cmdline parameter disable_cpu_features= (microcode update?)
@ 2016-01-04 22:55 Piotr Dąbrowski
2016-01-04 23:16 ` Borislav Petkov
0 siblings, 1 reply; 4+ messages in thread
From: Piotr Dąbrowski @ 2016-01-04 22:55 UTC (permalink / raw)
To: linux-kernel; +Cc: Piotr Dąbrowski
Hello!
I would like to ask about a certain thing closely related to the
kernel's Microcode Update Driver.
Some new features of CPUs (namely TSX/HLE) have caused many problems
in the past (Intel's Haswell) and still continue to be a bleeding edge
technology especially when used with not yet well tested software
[1][2][3].
I thought it would be very handy to be able to temporarily disable
unwanted features of the CPU from the kernel cmdline level. So that
underlying libraries and programs do not know they are available, and
fallback to standard code.
I was in the middle of creating a patch for the disable_cpu_features=
kernel parameter when I realized that ignoring them just in the kernel
will not solve the problem.
Unfortunately glibc does not depend on the CPU flags reported by the
kernel, but by itself queries the CPU directly for its features [4].
And so can any other user-space program.
It seems the only reliable system-wide solution is to force a CPU
microcode update. And here comes my question, as I have no experience
in this area:
Would it be possible to apply only partial (CPU flags bits) microcode
update? Or extract the whole thing, change the requested flags (and
the checksum), and re-apply it?
Is such thing even possible? And would it be a reasonable thing to do
(maybe the rest of the microcode would break badly without the factory
flags set)?
What do you think?
Thank you for any tips on this topic.
[1] glibc hardware lock elision issues:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800574
[2] https://lists.debian.org/debian-glibc/2014/09/msg00076.html
Henrique de Moraes Holschuh <hmh@debian.org>: "I recommend that lock
elision support in glibc should be disabled for Debian jessie. This
thing doesn't look nearly stable enough in glibc 2.19, and any bugs it
might cause *will be subtle*."
[3] nvidia proprietary driver's hardware lock elision bug:
https://devtalk.nvidia.com/default/topic/893325/newest-and-beta-linux-driver-causing-segmentation-fault-core-dumped-on-all-skylake-platforms/
[4] https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/multiarch/init-arch.h;hb=78bd7499af46d739ce94410eaeea006e874ca9e5#l175
(ex. line 175)
Best Regards,
Piotr Dąbrowski
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: new cmdline parameter disable_cpu_features= (microcode update?)
2016-01-04 22:55 new cmdline parameter disable_cpu_features= (microcode update?) Piotr Dąbrowski
@ 2016-01-04 23:16 ` Borislav Petkov
2016-01-05 0:27 ` Piotr Dąbrowski
0 siblings, 1 reply; 4+ messages in thread
From: Borislav Petkov @ 2016-01-04 23:16 UTC (permalink / raw)
To: Piotr Dąbrowski; +Cc: linux-kernel
On Mon, Jan 04, 2016 at 11:55:57PM +0100, Piotr Dąbrowski wrote:
> Is such thing even possible? And would it be a reasonable thing to do
> (maybe the rest of the microcode would break badly without the factory
> flags set)?
You cannot change the microcode patches - they're supplied by the CPU
vendors as is and are signed/encrypted.
In an ideal world, we should have BIOS disable options for all CPU
features which could turn out to be problematic so that the user remains
in control. Without the need to be applying microcode patches even.
--
Regards/Gruss,
Boris.
ECO tip #101: Trim your mails when you reply.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: new cmdline parameter disable_cpu_features= (microcode update?)
2016-01-04 23:16 ` Borislav Petkov
@ 2016-01-05 0:27 ` Piotr Dąbrowski
2016-01-05 11:38 ` Borislav Petkov
0 siblings, 1 reply; 4+ messages in thread
From: Piotr Dąbrowski @ 2016-01-05 0:27 UTC (permalink / raw)
To: Borislav Petkov; +Cc: linux-kernel
Thank you for your reply.
> You cannot change the microcode patches - they're supplied by the CPU
> vendors as is and are signed/encrypted.
Is the microcode's header encrypted too?
I thought there are two Processor Flags fields ('pf') available [1].
Are they what I think they are?
Is the header signed too, or only the actual microcode blob below the
headers is?
Sorry if I get it all wrong and there is no use for further discussion.
Do you think there is any point in actually implementing the
kernel-only disable_cpu_features= option upstream
and then somehow convince the userland to respect flags reported by
the kernel instead of those from the CPU?
[1] arch/x86/include/asm/microcode_intel.h:
struct microcode_header_intel {
unsigned int hdrver;
unsigned int rev;
unsigned int date;
unsigned int sig;
unsigned int cksum;
unsigned int ldrver;
unsigned int pf;
unsigned int datasize;
unsigned int totalsize;
unsigned int reserved[3];
};
[...]
/* microcode format is extended from prescott processors */
struct extended_signature {
unsigned int sig;
unsigned int pf;
unsigned int cksum;
};
Best Regards,
Piotr Dąbrowski
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: new cmdline parameter disable_cpu_features= (microcode update?)
2016-01-05 0:27 ` Piotr Dąbrowski
@ 2016-01-05 11:38 ` Borislav Petkov
0 siblings, 0 replies; 4+ messages in thread
From: Borislav Petkov @ 2016-01-05 11:38 UTC (permalink / raw)
To: Piotr Dąbrowski; +Cc: linux-kernel
On Tue, Jan 05, 2016 at 01:27:21AM +0100, Piotr Dąbrowski wrote:
> Is the microcode's header encrypted too?
> I thought there are two Processor Flags fields ('pf') available [1].
> Are they what I think they are?
> Is the header signed too, or only the actual microcode blob below the
> headers is?
> Sorry if I get it all wrong and there is no use for further discussion.
Yes, the microcode loader is completely wrong for what you're trying to
achieve. Just forget about it. :)
> Do you think there is any point in actually implementing the
> kernel-only disable_cpu_features= option upstream
> and then somehow convince the userland to respect flags reported by
> the kernel instead of those from the CPU?
I don't think there is any. Because you'd need to force *all* userspace
to not do CPUID but ask the kernel instead and that is a problem
because older kernels won't have the newer features enabled in, say
/proc/cpuinfo, and userspace would have to fallback to CPUID or older
tools won't have the code to check /proc/cpuinfo and would do CPUID
so...
This is going to be one helluva mess.
So I don't think we need to, or can, do anything here - the TSX f*ckup
was a nasty one and I'm not aware of any BIOS chicken bit with which
users can disable it. Which was a bad idea to not have it, in hindsight.
Otherwise there would *not* have been a microcode patch in the first
place. Which, for itself, was a pain to distribute and apply everywhere,
as you've seen.
And if we had a BIOS chicken bit, people would go into the BIOS, turn
TSX off, the CPUID bit would be clear too and userspace would've cleanly
fallen back to the old implementation and things would've worked
smoothly.
Now, if the kernel could control which CPUID bits are set and cleared,
then disable_cpu_features= would work. Unfortunately, this is not the
case. And this would require that all CPU features have corresponding
CPUID bits. Which is not the case either. :-\
Which brings me back to the BIOS chicken bits... :-)
--
Regards/Gruss,
Boris.
ECO tip #101: Trim your mails when you reply.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-01-05 11:38 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-01-04 22:55 new cmdline parameter disable_cpu_features= (microcode update?) Piotr Dąbrowski
2016-01-04 23:16 ` Borislav Petkov
2016-01-05 0:27 ` Piotr Dąbrowski
2016-01-05 11:38 ` Borislav Petkov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).