Blame SOURCES/check_caveats

539655
#! /bin/bash -eu
539655
539655
# Script for checking various microcode caveats
539655
#
539655
#
539655
# SPDX-License-Identifier: CC0-1.0
539655
539655
: ${MC_CAVEATS_DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats}
4eb1a6
: ${FW_DIR=/lib/firmware}
4eb1a6
: ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}
539655
539655
usage() {
ee041c
	echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]'
ee041c
	echo '                     [-m] [-v]'
539655
	echo
ee041c
	echo '   -d - enables disclaimer printing mode'
4eb1a6
	echo '   -e - check for early microcode load possibility (instead of'
4eb1a6
	echo '        late microcode load)'
539655
	echo '   -k - target version to check against, $(uname -r) is used'
539655
	echo '        otherwise'
539655
	echo '   -c - caveat config(s) to check, all configs are checked'
539655
	echo '        otherwise'
539655
	echo '   -m - check that caveats actually apply to the current model'
539655
	echo '   -v - verbose output'
539655
	echo
539655
	echo 'Environment:'
539655
	echo '  MC_CAVEATS_DATA_DIR - directory that contains caveats'
539655
	echo '                        configuration data'
539655
}
539655
539655
debug() { [ 0 = "$verbose" ] || echo "$*" >&2; }
539655
539655
# A simplified RPM version comparison that takes into account knowledge about
539655
# Y- and Z-streams (so it compares versions inside Y-stram or Z-stream if
539655
# the version against which comparison is performed has appropriate versioning
539655
# scheme).
539655
#
539655
# $1 - kernel version to check
539655
# $* - list of kernel versions to check against
539655
check_kver()
539655
{
539655
	local t_major= t_minor= t_patch= t_y= t_z1= t_z2= t_rest=
539655
	local m_major= m_minor= m_patch= m_y= m_z1= m_z2= m_rest=
539655
	local cmp_type=
539655
539655
	# IFS=.- read -r t_major t_minor t_patch t_y t_z1 t_z2 t_rest <<<"$1"
539655
	# "cannot create temp file for here-document: Read-only file system"
539655
	# that's why we can't have nice things.
4eb1a6
	t_major=${1%%.*}
539655
	t_rest=${1#${t_major}}
4eb1a6
	t_rest=${t_rest#.}
4eb1a6
	t_minor=${t_rest%%.*}
539655
	t_rest=${t_rest#${t_minor}}
4eb1a6
	t_rest=${t_rest#.}
4eb1a6
	t_patch=${t_rest%%-*}
539655
	t_rest=${t_rest#${t_patch}}
4eb1a6
	t_rest=${t_rest#-}
4eb1a6
	t_y=${t_rest%%.*}
539655
	t_rest=${t_rest#${t_y}}
4eb1a6
	t_rest=${t_rest#.}
4eb1a6
	t_z1=${t_rest%%.*}
539655
	t_rest=${t_rest#${t_z1}}
4eb1a6
	t_rest=${t_rest#.}
4eb1a6
	t_z2=${t_rest%%.*}
539655
539655
	# minor/major/patch/y should be numeric
539655
	[ -n "${t_major##*[!0-9]*}" ] || return 1
539655
	[ -n "${t_minor##*[!0-9]*}" ] || return 1
539655
	[ -n "${t_patch##*[!0-9]*}" ] || return 1
539655
	[ -n "${t_y##*[!0-9]*}" ] || return 1
539655
	# reset z1/z2 to zero if non-numeric
539655
	[ -n "${t_z1##*[!0-9]*}" ] || t_z1=0
539655
	[ -n "${t_z2##*[!0-9]*}" ] || t_z2=0
539655
539655
	while [ 1 -lt "$#" ]; do
539655
		cmp_type=upstream
539655
539655
		shift
4eb1a6
		m_major=${1%%.*}
539655
		m_rest=${1#${m_major}}
4eb1a6
		m_rest=${m_rest#.}
4eb1a6
		m_minor=${m_rest%%.*}
539655
		m_rest=${m_rest#${m_minor}}
4eb1a6
		m_rest=${m_rest#.}
4eb1a6
		m_patch=${m_rest%%-*}
539655
		m_rest=${m_rest#${m_patch}}
4eb1a6
		m_rest=${m_rest#-}
4eb1a6
		m_y=${m_rest%%.*}
539655
		m_rest=${m_rest#${m_y}}
4eb1a6
		m_rest=${m_rest#.}
4eb1a6
		m_z1=${m_rest%%.*}
539655
		m_rest=${m_rest#${m_z1}}
4eb1a6
		m_rest=${m_rest#.}
4eb1a6
		m_z2=${m_rest%%.*}
539655
539655
		# minor/major/patch should be numeric
539655
		[ -n "${m_major##*[!0-9]*}" ] || continue
539655
		[ -n "${m_minor##*[!0-9]*}" ] || continue
539655
		[ -n "${m_patch##*[!0-9]*}" ] || continue
539655
		# reset z1/z2 to zero if non-numeric
539655
		[ -n "${m_y##*[!0-9]*}" ] && cmp_type=y || m_y=0
539655
		[ -n "${m_z1##*[!0-9]*}" ] && cmp_type=z || m_z1=0
539655
		[ -n "${m_z2##*[!0-9]*}" ] && cmp_type=z || m_z2=0
539655
539655
		# Comparing versions
539655
		case "$cmp_type" in
539655
		upstream)
539655
			[ "$t_major" -ge "$m_major" ] || continue
539655
			[ "$t_minor" -ge "$m_minor" ] || continue
539655
			[ "$t_patch" -ge "$m_patch" ] || continue
539655
			return 0
539655
			;;
539655
		y)
539655
			[ "$t_major" -eq "$m_major" ] || continue
539655
			[ "$t_minor" -eq "$m_minor" ] || continue
539655
			[ "$t_patch" -eq "$m_patch" ] || continue
539655
			[ "$t_y" -ge "$m_y" ] || continue
539655
			return 0
539655
			;;
539655
		z)
539655
			[ "$t_major" -eq "$m_major" ] || continue
539655
			[ "$t_minor" -eq "$m_minor" ] || continue
539655
			[ "$t_patch" -eq "$m_patch" ] || continue
539655
			[ "$t_y" -eq "$m_y" ] || continue
539655
			[ "$t_z1" -ge "$m_z1" ] || continue
539655
			[ "$t_z2" -ge "$m_z2" ] || continue
539655
			return 0
539655
			;;
539655
		esac
539655
	done
539655
539655
	return 1
539655
}
539655
539655
# Provides model in format "VENDOR_ID FAMILY-MODEL-STEPPING"
539655
#
539655
# We check only the first processor as we don't expect non-symmetrical setups
539655
# with CPUs with caveats
539655
get_model_string()
539655
{
539655
	/usr/bin/printf "%s %02x-%02x-%02x" \
539655
		$(/bin/sed -rn '1,/^$/{
539655
			s/^vendor_id[[:space:]]*: (.*)$/\1/p;
539655
			s/^cpu family[[:space:]]*: (.*)$/\1/p;
539655
			s/^model[[:space:]]*: (.*)$/\1/p;
539655
			s/^stepping[[:space:]]*: (.*)$/\1/p;
539655
		}' /proc/cpuinfo)
539655
}
539655
539655
get_model_name()
539655
{
539655
	/bin/sed -rn '1,/^$/s/^model name[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
539655
}
539655
4eb1a6
get_vendor_id()
4eb1a6
{
4eb1a6
	/bin/sed -rn '1,/^$/s/^vendor_id[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
4eb1a6
}
4eb1a6
742279
get_mc_path()
742279
{
742279
	case "$1" in
742279
	GenuineIntel)
742279
		echo "intel-ucode/$2"
742279
		;;
742279
	AuthenticAMD)
742279
		echo "amd-ucode/$2"
742279
		;;
742279
	esac
742279
}
742279
4eb1a6
get_mc_ver()
4eb1a6
{
4eb1a6
	/bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
4eb1a6
}
4eb1a6
4eb1a6
fail()
4eb1a6
{
4eb1a6
	ret=1
4eb1a6
4eb1a6
	fail_cfgs="$fail_cfgs $cfg"
4eb1a6
	fail_paths="$fail_paths $cfg_path"
ee041c
ee041c
	[ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \
ee041c
		|| cat "${dir}/disclaimer"
4eb1a6
}
4eb1a6
539655
#check_kver "$@"
539655
#get_model_name
539655
539655
match_model=0
539655
configs=
539655
kver=$(/bin/uname -r)
539655
verbose=0
4eb1a6
early_check=0
ee041c
print_disclaimers=0
4eb1a6
4eb1a6
ret=0
539655
ee041c
while getopts "dek:c:mv" opt; do
539655
	case "${opt}" in
ee041c
	d)
ee041c
		print_disclaimers=1
ee041c
		early_check=2
ee041c
		;;
4eb1a6
	e)
4eb1a6
		early_check=1
4eb1a6
		;;
539655
	k)
539655
		kver="$OPTARG"
539655
		;;
539655
	c)
539655
		configs="$configs $OPTARG"
539655
		;;
539655
	m)
539655
		match_model=1
539655
		;;
539655
	v)
539655
		verbose=1
539655
		;;
539655
	*)
539655
		usage
539655
		exit 1;
539655
		;;
539655
	esac
539655
done
539655
539655
: ${configs:=$(find "${MC_CAVEATS_DATA_DIR}" -maxdepth 1 -mindepth 1 -type d -printf "%f\n")}
539655
539655
cpu_model=$(get_model_string)
539655
cpu_model_name=$(get_model_name)
4eb1a6
cpu_vendor=$(get_vendor_id)
4eb1a6
4eb1a6
ret_paths=""
4eb1a6
ok_paths=""
4eb1a6
fail_paths=""
4eb1a6
4eb1a6
ret_cfgs=""
4eb1a6
ok_cfgs=""
4eb1a6
fail_cfgs=""
4eb1a6
4eb1a6
skip_cfgs=""
4eb1a6
4eb1a6
if [ 1 -eq "$early_check" ]; then
4eb1a6
	stage="early"
4eb1a6
else
4eb1a6
	stage="late"
4eb1a6
fi
4eb1a6
539655
539655
for cfg in $(echo "${configs}"); do
539655
	dir="$MC_CAVEATS_DATA_DIR/$cfg"
4eb1a6
4eb1a6
	# We add cfg to the skip list first and then, if we do not skip it,
4eb1a6
	# we remove the configuration from the list.
4eb1a6
	skip_cfgs="$skip_cfgs $cfg"
4eb1a6
4eb1a6
	[ -r "${dir}/readme" ] || {
4eb1a6
		debug "File 'readme' in ${dir} is not found, skipping"
4eb1a6
		continue
4eb1a6
	}
4eb1a6
539655
	[ -r "${dir}/config" ] || {
539655
		debug "File 'config' in ${dir} is not found, skipping"
539655
		continue
539655
	}
539655
539655
	cfg_model=
4eb1a6
	cfg_vendor=
539655
	cfg_path=
539655
	cfg_kvers=
4eb1a6
	cfg_kvers_early=
539655
	cfg_blacklist=
4eb1a6
	cfg_mc_min_ver_late=
4eb1a6
	cfg_disable=
539655
539655
	while read -r key value; do
539655
		case "$key" in
539655
		model)
539655
			cfg_model="$value"
539655
			;;
4eb1a6
		vendor)
4eb1a6
			cfg_vendor="$value"
4eb1a6
			;;
539655
		path)
539655
			cfg_path="$cfg_path $value"
539655
			;;
539655
		kernel)
539655
			cfg_kvers="$cfg_kvers $value"
539655
			;;
4eb1a6
		kernel_early)
4eb1a6
			cfg_kvers_early="$cfg_kvers_early $value"
4eb1a6
			;;
4eb1a6
		mc_min_ver_late)
4eb1a6
			cfg_mc_min_ver_late="$value"
4eb1a6
			;;
4eb1a6
		disable)
4eb1a6
			cfg_disable="$cfg_disable $value "
4eb1a6
			;;
539655
		blacklist)
539655
			cfg_blacklist=1
539655
			break
539655
			;;
539655
		esac
539655
	done < "${dir}/config"
539655
539655
	[ -z "${cfg_blacklist}" ] || \
539655
		cfg_blacklist=$(/bin/sed -n '/^blacklist$/,$p' "${dir}/config" |
539655
					/usr/bin/tail -n +2)
539655
539655
	debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'"
539655
	debug "${cfg}: blacklist '$cfg_blacklist'"
539655
4eb1a6
	# Check for override files in the following order:
4eb1a6
	#  - disallow early/late specific caveat for specific kernel
4eb1a6
	#  - force early/late specific caveat for specific kernel
4eb1a6
	#  - disallow specific caveat for specific kernel
4eb1a6
	#  - force specific caveat for specific kernel
4eb1a6
	#
4eb1a6
	#  - disallow early/late specific caveat for any kernel
4eb1a6
	#  - disallow early/late any caveat for specific kernel
4eb1a6
	#  - force early/late specific caveat for any kernel
4eb1a6
	#  - force early/late any caveat for specific kernel
4eb1a6
	#  - disallow specific caveat for any kernel
4eb1a6
	#  - disallow any caveat for specific kernel
4eb1a6
	#  - force specific caveat for any kernel
4eb1a6
	#  - force any caveat for specific kernel
4eb1a6
	#
4eb1a6
	#  - disallow early/late everything
4eb1a6
	#  - force early/late everyhting
4eb1a6
	#  - disallow everything
4eb1a6
	#  - force everyhting
4eb1a6
	ignore_cfg=0
4eb1a6
	force_cfg=0
4eb1a6
	override_file=""
4eb1a6
	overrides="
4eb1a6
	0:$FW_DIR/$kver/disallow-$stage-$cfg
4eb1a6
	1:$FW_DIR/$kver/force-$stage-$cfg
4eb1a6
	0:$FW_DIR/$kver/disallow-$cfg
4eb1a6
	1:$FW_DIR/$kver/force-$cfg
4eb1a6
	0:$FW_DIR/$kver/disallow-$stage
4eb1a6
	0:$CFG_DIR/disallow-$stage-$cfg
4eb1a6
	1:$FW_DIR/$kver/force-$stage
4eb1a6
	1:$CFG_DIR/force-$stage-$cfg
4eb1a6
	0:$FW_DIR/$kver/disallow
4eb1a6
	0:$CFG_DIR/disallow-$cfg
4eb1a6
	1:$FW_DIR/$kver/force
4eb1a6
	1:$CFG_DIR/force-$cfg
4eb1a6
	0:$CFG_DIR/disallow-$stage
4eb1a6
	1:$CFG_DIR/force-$stage
4eb1a6
	0:$CFG_DIR/disallow
4eb1a6
	1:$CFG_DIR/force"
4eb1a6
	for o in $(echo "$overrides"); do
4eb1a6
		o_force=${o%%:*}
4eb1a6
		override_file=${o#$o_force:}
4eb1a6
4eb1a6
		[ -e "$override_file" ] || continue
4eb1a6
4eb1a6
		if [ 0 -eq "$o_force" ]; then
4eb1a6
			ignore_cfg=1
4eb1a6
		else
4eb1a6
			force_cfg=1
4eb1a6
		fi
4eb1a6
4eb1a6
		break
4eb1a6
	done
4eb1a6
4eb1a6
	[ 0 -eq "$ignore_cfg" ] || {
4eb1a6
		debug "Configuration \"$cfg\" is ignored due to presence of" \
4eb1a6
		      "\"$override_file\"."
4eb1a6
		continue
4eb1a6
	}
4eb1a6
4eb1a6
	# Check model if model filter is enabled
4eb1a6
	if [ 1 -eq "$match_model" -a  -n "$cfg_model" ]; then
4eb1a6
		[ "x$cpu_model" = "x$cfg_model" ] || {
4eb1a6
			debug "Current CPU model '$cpu_model' doesn't" \
4eb1a6
			      "match configuration CPU model '$cfg_model'," \
4eb1a6
			      "skipping"
4eb1a6
			continue
4eb1a6
		}
4eb1a6
	fi
4eb1a6
742279
	# Check paths if model filter is enabled
742279
	if [ 1 -eq "$match_model" -a  -n "$cfg_path" ]; then
742279
		cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \
742279
			"$cpu_vendor" "${cpu_model#* }")"
742279
		cfg_mc_present=0
742279
742279
		for p in $(printf "%s" "$cfg_path"); do
742279
			find "$MC_CAVEATS_DATA_DIR/$cfg" \
742279
				-path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \
742279
			    | grep -zFxq "$cpu_mc_path" \
742279
			    || continue
742279
742279
			cfg_mc_present=1
742279
		done
742279
742279
		[ 1 = "$cfg_mc_present" ] || {
742279
			debug "No matching microcode files in '$cfg_path'" \
742279
			      "for CPU model '$cpu_model', skipping"
742279
			continue
742279
		}
742279
	fi
742279
4eb1a6
	# Check vendor if model filter is enabled
4eb1a6
	if [ 1 -eq "$match_model" -a  -n "$cfg_vendor" ]; then
4eb1a6
		[ "x$cpu_vendor" = "x$cfg_vendor" ] || {
4eb1a6
			debug "Current CPU vendor '$cpu_vendor' doesn't" \
4eb1a6
			      "match configuration CPU vendor '$cfg_vendor'," \
4eb1a6
			      "skipping"
4eb1a6
			continue
539655
		}
539655
	fi
539655
4eb1a6
	# Check configuration files
4eb1a6
4eb1a6
	ret_cfgs="$ret_cfgs $cfg"
4eb1a6
	ret_paths="$ret_paths $cfg_path"
4eb1a6
	skip_cfgs="${skip_cfgs% $cfg}"
4eb1a6
4eb1a6
	[ 0 -eq "$force_cfg" ] || {
4eb1a6
		debug "Checks for configuration \"$cfg\" are ignored due to" \
4eb1a6
		      "presence of \"$override_file\"."
4eb1a6
4eb1a6
		ok_cfgs="$ok_cfgs $cfg"
4eb1a6
		ok_paths="$ok_paths $cfg_path"
4eb1a6
4eb1a6
		continue
4eb1a6
	}
4eb1a6
4eb1a6
	[ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || {
4eb1a6
		debug "${cfg}: caveat is disabled in configuration"
4eb1a6
		fail
4eb1a6
		continue
4eb1a6
	}
4eb1a6
4eb1a6
	# Check late load kernel version
4eb1a6
	if [ 1 -ne "$early_check" -a -n "$cfg_kvers" ]; then
539655
		check_kver "$kver" $cfg_kvers || {
4eb1a6
			debug "${cfg}: late load kernel version check for" \
4eb1a6
			      " '$kver' against '$cfg_kvers' failed"
4eb1a6
			fail
4eb1a6
			continue
539655
		}
539655
	fi
539655
4eb1a6
	# Check early load kernel version
4eb1a6
	if [ 0 -ne "$early_check" -a -n "$cfg_kvers_early" ]; then
4eb1a6
		check_kver "$kver" $cfg_kvers_early || {
4eb1a6
			debug "${cfg}: early load kernel version check for" \
4eb1a6
			      "'$kver' against '$cfg_kvers_early' failed"
4eb1a6
			fail
4eb1a6
			continue
4eb1a6
		}
4eb1a6
	fi
4eb1a6
4eb1a6
	# Check model blacklist
539655
	if [ -n "$cfg_blacklist" ]; then
539655
		echo "$cfg_blacklist" | /bin/grep -vqFx "${cpu_model_name}" || {
539655
			debug "${cfg}: model '${cpu_model_name}' is blacklisted"
4eb1a6
			fail
4eb1a6
			continue
4eb1a6
		}
4eb1a6
	fi
4eb1a6
4eb1a6
	# Check current microcode version for the late update
4eb1a6
	if [ -n "$cfg_mc_min_ver_late" -a 1 -ne "$early_check" -a \
4eb1a6
	   "x$cpu_model" = "x$cfg_model" ]; then
4eb1a6
		cpu_mc_ver="$(get_mc_ver)"
4eb1a6
4eb1a6
		[ 1 -eq $((cpu_mc_ver >= cfg_mc_min_ver_late)) ] || {
4eb1a6
			debug "${cfg}: CPU microcode version $cpu_mc_ver" \
4eb1a6
			      "failed check (should be at least" \
4eb1a6
			      "${cfg_mc_min_ver_late})"
4eb1a6
			fail
4eb1a6
			continue
539655
		}
539655
	fi
539655
4eb1a6
	ok_cfgs="$ok_cfgs $cfg"
4eb1a6
	ok_paths="$ok_paths $cfg_path"
539655
done
539655
ee041c
[ 0 -eq "$print_disclaimers" ] || exit 0
ee041c
4eb1a6
echo "cfgs$ret_cfgs"
4eb1a6
echo "skip_cfgs$skip_cfgs"
4eb1a6
echo "paths$ret_paths"
4eb1a6
echo "ok_cfgs$ok_cfgs"
4eb1a6
echo "ok_paths$ok_paths"
4eb1a6
echo "fail_cfgs$fail_cfgs"
4eb1a6
echo "fail_paths$fail_paths"
4eb1a6
4eb1a6
exit $ret