#! /bin/bash -eu

# Script for checking various microcode caveats

#

#

# SPDX-License-Identifier: CC0-1.0

: ${MC_CAVEATS_DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats}

: ${FW_DIR=/lib/firmware}

: ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}

usage() {

	echo 'Usage: check_caveats [-e] [-k TARGET_KVER] [-c CONFIG] [-m] [-v]'

	echo

	echo '   -e - check for early microcode load possibility (instead of'

	echo '        late microcode load)'

	echo '   -k - target version to check against, $(uname -r) is used'

	echo '        otherwise'

	echo '   -c - caveat config(s) to check, all configs are checked'

	echo '        otherwise'

	echo '   -m - check that caveats actually apply to the current model'

	echo '   -v - verbose output'

	echo

	echo 'Environment:'

	echo '  MC_CAVEATS_DATA_DIR - directory that contains caveats'

	echo '                        configuration data'

}

debug() { [ 0 = "$verbose" ] || echo "$*" >&2; }

# A simplified RPM version comparison that takes into account knowledge about

# Y- and Z-streams (so it compares versions inside Y-stram or Z-stream if

# the version against which comparison is performed has appropriate versioning

# scheme).

#

# $1 - kernel version to check

# $* - list of kernel versions to check against

check_kver()

{

	local t_major= t_minor= t_patch= t_y= t_z1= t_z2= t_rest=

	local m_major= m_minor= m_patch= m_y= m_z1= m_z2= m_rest=

	local cmp_type=

	# IFS=.- read -r t_major t_minor t_patch t_y t_z1 t_z2 t_rest <<<"$1"

	# "cannot create temp file for here-document: Read-only file system"

	# that's why we can't have nice things.

	t_major=${1%%.*}

	t_rest=${1#${t_major}}

	t_rest=${t_rest#.}

	t_minor=${t_rest%%.*}

	t_rest=${t_rest#${t_minor}}

	t_rest=${t_rest#.}

	t_patch=${t_rest%%-*}

	t_rest=${t_rest#${t_patch}}

	t_rest=${t_rest#-}

	t_y=${t_rest%%.*}

	t_rest=${t_rest#${t_y}}

	t_rest=${t_rest#.}

	t_z1=${t_rest%%.*}

	t_rest=${t_rest#${t_z1}}

	t_rest=${t_rest#.}

	t_z2=${t_rest%%.*}

	# minor/major/patch/y should be numeric

	[ -n "${t_major##*[!0-9]*}" ] || return 1

	[ -n "${t_minor##*[!0-9]*}" ] || return 1

	[ -n "${t_patch##*[!0-9]*}" ] || return 1

	[ -n "${t_y##*[!0-9]*}" ] || return 1

	# reset z1/z2 to zero if non-numeric

	[ -n "${t_z1##*[!0-9]*}" ] || t_z1=0

	[ -n "${t_z2##*[!0-9]*}" ] || t_z2=0

	while [ 1 -lt "$#" ]; do

		cmp_type=upstream

		shift

		m_major=${1%%.*}

		m_rest=${1#${m_major}}

		m_rest=${m_rest#.}

		m_minor=${m_rest%%.*}

		m_rest=${m_rest#${m_minor}}

		m_rest=${m_rest#.}

		m_patch=${m_rest%%-*}

		m_rest=${m_rest#${m_patch}}

		m_rest=${m_rest#-}

		m_y=${m_rest%%.*}

		m_rest=${m_rest#${m_y}}

		m_rest=${m_rest#.}

		m_z1=${m_rest%%.*}

		m_rest=${m_rest#${m_z1}}

		m_rest=${m_rest#.}

		m_z2=${m_rest%%.*}

		# minor/major/patch should be numeric

		[ -n "${m_major##*[!0-9]*}" ] || continue

		[ -n "${m_minor##*[!0-9]*}" ] || continue

		[ -n "${m_patch##*[!0-9]*}" ] || continue

		# reset z1/z2 to zero if non-numeric

		[ -n "${m_y##*[!0-9]*}" ] && cmp_type=y || m_y=0

		[ -n "${m_z1##*[!0-9]*}" ] && cmp_type=z || m_z1=0

		[ -n "${m_z2##*[!0-9]*}" ] && cmp_type=z || m_z2=0

		# Comparing versions

		case "$cmp_type" in

		upstream)

			[ "$t_major" -ge "$m_major" ] || continue

			[ "$t_minor" -ge "$m_minor" ] || continue

			[ "$t_patch" -ge "$m_patch" ] || continue

			return 0

			;;

		y)

			[ "$t_major" -eq "$m_major" ] || continue

			[ "$t_minor" -eq "$m_minor" ] || continue

			[ "$t_patch" -eq "$m_patch" ] || continue

			[ "$t_y" -ge "$m_y" ] || continue

			return 0

			;;

		z)

			[ "$t_major" -eq "$m_major" ] || continue

			[ "$t_minor" -eq "$m_minor" ] || continue

			[ "$t_patch" -eq "$m_patch" ] || continue

			[ "$t_y" -eq "$m_y" ] || continue

			[ "$t_z1" -ge "$m_z1" ] || continue

			[ "$t_z2" -ge "$m_z2" ] || continue

			return 0

			;;

		esac

	done

	return 1

}

# Provides model in format "VENDOR_ID FAMILY-MODEL-STEPPING"

#

# We check only the first processor as we don't expect non-symmetrical setups

# with CPUs with caveats

get_model_string()

{

	/usr/bin/printf "%s %02x-%02x-%02x" \

		$(/bin/sed -rn '1,/^$/{

			s/^vendor_id[[:space:]]*: (.*)$/\1/p;

			s/^cpu family[[:space:]]*: (.*)$/\1/p;

			s/^model[[:space:]]*: (.*)$/\1/p;

			s/^stepping[[:space:]]*: (.*)$/\1/p;

		}' /proc/cpuinfo)

}

get_model_name()

{

	/bin/sed -rn '1,/^$/s/^model name[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo

}

get_vendor_id()

{

	/bin/sed -rn '1,/^$/s/^vendor_id[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo

}

get_mc_path()

{

	case "$1" in

	GenuineIntel)

		echo "intel-ucode/$2"

		;;

	AuthenticAMD)

		echo "amd-ucode/$2"

		;;

	esac

}

get_mc_ver()

{

	/bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo

}

fail()

{

	ret=1

	fail_cfgs="$fail_cfgs $cfg"

	fail_paths="$fail_paths $cfg_path"

}

#check_kver "$@"

#get_model_name

match_model=0

configs=

kver=$(/bin/uname -r)

verbose=0

early_check=0

ret=0

while getopts "ek:c:mv" opt; do

	case "${opt}" in

	e)

		early_check=1

		;;

	k)

		kver="$OPTARG"

		;;

	c)

		configs="$configs $OPTARG"

		;;

	m)

		match_model=1

		;;

	v)

		verbose=1

		;;

	*)

		usage

		exit 1;

		;;

	esac

done

: ${configs:=$(find "${MC_CAVEATS_DATA_DIR}" -maxdepth 1 -mindepth 1 -type d -printf "%f\n")}

cpu_model=$(get_model_string)

cpu_model_name=$(get_model_name)

cpu_vendor=$(get_vendor_id)

ret_paths=""

ok_paths=""

fail_paths=""

ret_cfgs=""

ok_cfgs=""

fail_cfgs=""

skip_cfgs=""

if [ 1 -eq "$early_check" ]; then

	stage="early"

else

	stage="late"

fi

for cfg in $(echo "${configs}"); do

	dir="$MC_CAVEATS_DATA_DIR/$cfg"

	# We add cfg to the skip list first and then, if we do not skip it,

	# we remove the configuration from the list.

	skip_cfgs="$skip_cfgs $cfg"

	[ -r "${dir}/readme" ] || {

		debug "File 'readme' in ${dir} is not found, skipping"

		continue

	}

	[ -r "${dir}/config" ] || {

		debug "File 'config' in ${dir} is not found, skipping"

		continue

	}

	cfg_model=

	cfg_vendor=

	cfg_path=

	cfg_kvers=

	cfg_kvers_early=

	cfg_blacklist=

	cfg_mc_min_ver_late=

	cfg_disable=

	while read -r key value; do

		case "$key" in

		model)

			cfg_model="$value"

			;;

		vendor)

			cfg_vendor="$value"

			;;

		path)

			cfg_path="$cfg_path $value"

			;;

		kernel)

			cfg_kvers="$cfg_kvers $value"

			;;

		kernel_early)

			cfg_kvers_early="$cfg_kvers_early $value"

			;;

		mc_min_ver_late)

			cfg_mc_min_ver_late="$value"

			;;

		disable)

			cfg_disable="$cfg_disable $value "

			;;

		blacklist)

			cfg_blacklist=1

			break

			;;

		esac

	done < "${dir}/config"

	[ -z "${cfg_blacklist}" ] || \

		cfg_blacklist=$(/bin/sed -n '/^blacklist$/,$p' "${dir}/config" |

					/usr/bin/tail -n +2)

	debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'"

	debug "${cfg}: blacklist '$cfg_blacklist'"

	# Check for override files in the following order:

	#  - disallow early/late specific caveat for specific kernel

	#  - force early/late specific caveat for specific kernel

	#  - disallow specific caveat for specific kernel

	#  - force specific caveat for specific kernel

	#

	#  - disallow early/late specific caveat for any kernel

	#  - disallow early/late any caveat for specific kernel

	#  - force early/late specific caveat for any kernel

	#  - force early/late any caveat for specific kernel

	#  - disallow specific caveat for any kernel

	#  - disallow any caveat for specific kernel

	#  - force specific caveat for any kernel

	#  - force any caveat for specific kernel

	#

	#  - disallow early/late everything

	#  - force early/late everyhting

	#  - disallow everything

	#  - force everyhting

	ignore_cfg=0

	force_cfg=0

	override_file=""

	overrides="

	0:$FW_DIR/$kver/disallow-$stage-$cfg

	1:$FW_DIR/$kver/force-$stage-$cfg

	0:$FW_DIR/$kver/disallow-$cfg

	1:$FW_DIR/$kver/force-$cfg

	0:$FW_DIR/$kver/disallow-$stage

	0:$CFG_DIR/disallow-$stage-$cfg

	1:$FW_DIR/$kver/force-$stage

	1:$CFG_DIR/force-$stage-$cfg

	0:$FW_DIR/$kver/disallow

	0:$CFG_DIR/disallow-$cfg

	1:$FW_DIR/$kver/force

	1:$CFG_DIR/force-$cfg

	0:$CFG_DIR/disallow-$stage

	1:$CFG_DIR/force-$stage

	0:$CFG_DIR/disallow

	1:$CFG_DIR/force"

	for o in $(echo "$overrides"); do

		o_force=${o%%:*}

		override_file=${o#$o_force:}

		[ -e "$override_file" ] || continue

		if [ 0 -eq "$o_force" ]; then

			ignore_cfg=1

		else

			force_cfg=1

		fi

		break

	done

	[ 0 -eq "$ignore_cfg" ] || {

		debug "Configuration \"$cfg\" is ignored due to presence of" \

		      "\"$override_file\"."

		continue

	}

	# Check model if model filter is enabled

	if [ 1 -eq "$match_model" -a  -n "$cfg_model" ]; then

		[ "x$cpu_model" = "x$cfg_model" ] || {

			debug "Current CPU model '$cpu_model' doesn't" \

			      "match configuration CPU model '$cfg_model'," \

			      "skipping"

			continue

		}

	fi

	# Check paths if model filter is enabled

	if [ 1 -eq "$match_model" -a  -n "$cfg_path" ]; then

		cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \

			"$cpu_vendor" "${cpu_model#* }")"

		cfg_mc_present=0

		for p in $(printf "%s" "$cfg_path"); do

			find "$MC_CAVEATS_DATA_DIR/$cfg" \

				-path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \

			    | grep -zFxq "$cpu_mc_path" \

			    || continue

			cfg_mc_present=1

		done

		[ 1 = "$cfg_mc_present" ] || {

			debug "No matching microcode files in '$cfg_path'" \

			      "for CPU model '$cpu_model', skipping"

			continue

		}

	fi

	# Check vendor if model filter is enabled

	if [ 1 -eq "$match_model" -a  -n "$cfg_vendor" ]; then

		[ "x$cpu_vendor" = "x$cfg_vendor" ] || {

			debug "Current CPU vendor '$cpu_vendor' doesn't" \

			      "match configuration CPU vendor '$cfg_vendor'," \

			      "skipping"

			continue

		}

	fi

	# Check configuration files

	ret_cfgs="$ret_cfgs $cfg"

	ret_paths="$ret_paths $cfg_path"

	skip_cfgs="${skip_cfgs% $cfg}"

	[ 0 -eq "$force_cfg" ] || {

		debug "Checks for configuration \"$cfg\" are ignored due to" \

		      "presence of \"$override_file\"."

		ok_cfgs="$ok_cfgs $cfg"

		ok_paths="$ok_paths $cfg_path"

		continue

	}

	[ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || {

		debug "${cfg}: caveat is disabled in configuration"

		fail

		continue

	}

	# Check late load kernel version

	if [ 1 -ne "$early_check" -a -n "$cfg_kvers" ]; then

		check_kver "$kver" $cfg_kvers || {

			debug "${cfg}: late load kernel version check for" \

			      " '$kver' against '$cfg_kvers' failed"

			fail

			continue

		}

	fi

	# Check early load kernel version

	if [ 0 -ne "$early_check" -a -n "$cfg_kvers_early" ]; then

		check_kver "$kver" $cfg_kvers_early || {

			debug "${cfg}: early load kernel version check for" \

			      "'$kver' against '$cfg_kvers_early' failed"

			fail

			continue

		}

	fi

	# Check model blacklist

	if [ -n "$cfg_blacklist" ]; then

		echo "$cfg_blacklist" | /bin/grep -vqFx "${cpu_model_name}" || {

			debug "${cfg}: model '${cpu_model_name}' is blacklisted"

			fail

			continue

		}

	fi

	# Check current microcode version for the late update

	if [ -n "$cfg_mc_min_ver_late" -a 1 -ne "$early_check" -a \

	   "x$cpu_model" = "x$cfg_model" ]; then

		cpu_mc_ver="$(get_mc_ver)"

		[ 1 -eq $((cpu_mc_ver >= cfg_mc_min_ver_late)) ] || {

			debug "${cfg}: CPU microcode version $cpu_mc_ver" \

			      "failed check (should be at least" \

			      "${cfg_mc_min_ver_late})"

			fail

			continue

		}

	fi

	ok_cfgs="$ok_cfgs $cfg"

	ok_paths="$ok_paths $cfg_path"

done

echo "cfgs$ret_cfgs"

echo "skip_cfgs$skip_cfgs"

echo "paths$ret_paths"

echo "ok_cfgs$ok_cfgs"

echo "ok_paths$ok_paths"

echo "fail_cfgs$fail_cfgs"

echo "fail_paths$fail_paths"

exit $ret