Blob Blame History Raw
#! /bin/bash -eu

# Script for checking various microcode caveats
#
#
# SPDX-License-Identifier: CC0-1.0

: ${MC_CAVEATS_DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats}
: ${FW_DIR=/lib/firmware}
: ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats}

usage() {
	echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]'
	echo '                     [-m] [-v]'
	echo
	echo '   -d - enables disclaimer printing mode'
	echo '   -e - check for early microcode load possibility (instead of'
	echo '        late microcode load)'
	echo '   -k - target version to check against, $(uname -r) is used'
	echo '        otherwise'
	echo '   -c - caveat config(s) to check, all configs are checked'
	echo '        otherwise'
	echo '   -m - check that caveats actually apply to the current model'
	echo '   -v - verbose output'
	echo
	echo 'Environment:'
	echo '  MC_CAVEATS_DATA_DIR - directory that contains caveats'
	echo '                        configuration data'
}

debug() { [ 0 = "$verbose" ] || echo "$*" >&2; }

# A simplified RPM version comparison that takes into account knowledge about
# Y- and Z-streams (so it compares versions inside Y-stram or Z-stream if
# the version against which comparison is performed has appropriate versioning
# scheme).
#
# $1 - kernel version to check
# $* - list of kernel versions to check against
check_kver()
{
	local t_major= t_minor= t_patch= t_y= t_z1= t_z2= t_rest=
	local m_major= m_minor= m_patch= m_y= m_z1= m_z2= m_rest=
	local cmp_type=

	# IFS=.- read -r t_major t_minor t_patch t_y t_z1 t_z2 t_rest <<<"$1"
	# "cannot create temp file for here-document: Read-only file system"
	# that's why we can't have nice things.
	t_major=${1%%.*}
	t_rest=${1#${t_major}}
	t_rest=${t_rest#.}
	t_minor=${t_rest%%.*}
	t_rest=${t_rest#${t_minor}}
	t_rest=${t_rest#.}
	t_patch=${t_rest%%-*}
	t_rest=${t_rest#${t_patch}}
	t_rest=${t_rest#-}
	t_y=${t_rest%%.*}
	t_rest=${t_rest#${t_y}}
	t_rest=${t_rest#.}
	t_z1=${t_rest%%.*}
	t_rest=${t_rest#${t_z1}}
	t_rest=${t_rest#.}
	t_z2=${t_rest%%.*}

	# minor/major/patch/y should be numeric
	[ -n "${t_major##*[!0-9]*}" ] || return 1
	[ -n "${t_minor##*[!0-9]*}" ] || return 1
	[ -n "${t_patch##*[!0-9]*}" ] || return 1
	[ -n "${t_y##*[!0-9]*}" ] || return 1
	# reset z1/z2 to zero if non-numeric
	[ -n "${t_z1##*[!0-9]*}" ] || t_z1=0
	[ -n "${t_z2##*[!0-9]*}" ] || t_z2=0

	while [ 1 -lt "$#" ]; do
		cmp_type=upstream

		shift
		m_major=${1%%.*}
		m_rest=${1#${m_major}}
		m_rest=${m_rest#.}
		m_minor=${m_rest%%.*}
		m_rest=${m_rest#${m_minor}}
		m_rest=${m_rest#.}
		m_patch=${m_rest%%-*}
		m_rest=${m_rest#${m_patch}}
		m_rest=${m_rest#-}
		m_y=${m_rest%%.*}
		m_rest=${m_rest#${m_y}}
		m_rest=${m_rest#.}
		m_z1=${m_rest%%.*}
		m_rest=${m_rest#${m_z1}}
		m_rest=${m_rest#.}
		m_z2=${m_rest%%.*}

		# minor/major/patch should be numeric
		[ -n "${m_major##*[!0-9]*}" ] || continue
		[ -n "${m_minor##*[!0-9]*}" ] || continue
		[ -n "${m_patch##*[!0-9]*}" ] || continue
		# reset z1/z2 to zero if non-numeric
		[ -n "${m_y##*[!0-9]*}" ] && cmp_type=y || m_y=0
		[ -n "${m_z1##*[!0-9]*}" ] && cmp_type=z || m_z1=0
		[ -n "${m_z2##*[!0-9]*}" ] && cmp_type=z || m_z2=0

		# Comparing versions
		case "$cmp_type" in
		upstream)
			[ "$t_major" -ge "$m_major" ] || continue
			[ "$t_minor" -ge "$m_minor" ] || continue
			[ "$t_patch" -ge "$m_patch" ] || continue
			return 0
			;;
		y)
			[ "$t_major" -eq "$m_major" ] || continue
			[ "$t_minor" -eq "$m_minor" ] || continue
			[ "$t_patch" -eq "$m_patch" ] || continue
			[ "$t_y" -ge "$m_y" ] || continue
			return 0
			;;
		z)
			[ "$t_major" -eq "$m_major" ] || continue
			[ "$t_minor" -eq "$m_minor" ] || continue
			[ "$t_patch" -eq "$m_patch" ] || continue
			[ "$t_y" -eq "$m_y" ] || continue
			[ "$t_z1" -ge "$m_z1" ] || continue
			[ "$t_z2" -ge "$m_z2" ] || continue
			return 0
			;;
		esac
	done

	return 1
}

# It is needed for SKX[1] for which different product segments
# are differentiated by a value in the CAPID0 field of PCU registers
# device[2].
# [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21
# [2] https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13
#
# $1 - params in config file, space-spearated, in key=value form:
#   domain=* - PCI domain, '*' or number
#   bus=* - PCI bus, '*' or number
#   device=* - PCI device, '*' or number
#   function=* - PCI function, '*' or number
#   vid= - PCI vendor ID, empty or number
#   did= - PCI device ID, empty or number
#   offset=0 - offset in configuration space
#   size=4 - field size
#   mask=0 - mask applied to the data read
#   val=0 - comma-separated list of possible values
#   mode=success-any [ success-ail, fail-any, fail-all ] - matching mode:
#     success-any: Returns 0 if there was at least one match, otherwise 1.
#     success-all: Returns 0 if there was at least one device checked and all
#                  the checked devices have matches, otherwise 1.
#     fail-any:    Returns 1 if there was at least one match, otherwise 0.
#     fail-all:    Returns 1 if there was at least one device checked and all
#                  the checked devices have matches, otherwise 0.
# $2 - whether model filter is engaged (if it is not '1', just return the result
#      based on "mode" value that assumes that there were 0 checks/0 matches).
check_pci_config_val()
{
	local domain='*' bus='*' device='*' func='*' vid= did=
	local offset=0 size=4 mask=0 val=0 mode=success-any
	local checked=0 matched=0 path=''
	local dev_path dev_vid dev_did dev_val
	local opts="${1:-}"
	local match_model="${2:0}"

	set -- $1
	while [ "$#" -gt 0 ]; do
		[ "x${1#domain=}" = "x${1}" ] || domain="${1#domain=}"
		[ "x${1#bus=}" = "x${1}" ] || bus="${1#bus=}"
		[ "x${1#device=}" = "x${1}" ] || device="${1#device=}"
		[ "x${1#function=}" = "x${1}" ] || func="${1#function=}"
		[ "x${1#vid=}" = "x${1}" ] || vid="${1#vid=}"
		[ "x${1#did=}" = "x${1}" ] || did="${1#did=}"
		[ "x${1#offset=}" = "x${1}" ] || offset="${1#offset=}"
		[ "x${1#size=}" = "x${1}" ] || size="${1#size=}"
		[ "x${1#mask=}" = "x${1}" ] || mask="${1#mask=}"
		[ "x${1#val=}" = "x${1}" ] || val="${1#val=}"
		[ "x${1#mode=}" = "x${1}" ] || mode="${1#mode=}"

		shift
	done

	path="$domain"
	if [ "x$bus" = 'x*' ]; then
		path="$path:$bus";
	else
		path=$(printf '%s:%02x' "$path" "$bus")
	fi
	if [ "x$device" = 'x*' ]; then
		path="$path:$device";
	else
		path=$(printf '%s:%02x' "$path" "$device")
	fi
	if [ "x$func" = 'x*' ]; then
		path="$path.$func";
	else
		path=$(printf '%s.%01x' "$path" "$func")
	fi

	# Normalise VID, DID
	[ -n "$vid" ] || vid="$(printf '0x%04x' "$vid")"
	[ -n "$did" ] || did="$(printf '0x%04x' "$did")"

	( [ 1 != "$match_model" ] \
	  || /usr/bin/find /sys/bus/pci/devices/ -maxdepth 1 -name "$path" \
	  || : ) | (
		while read -r dev_path; do
			# Filter VID, DID
			if [ -n "$vid" ]; then
				dev_vid=$(/bin/cat "$dev_path/vendor")
				[ "x$vid" = "x$dev_vid" ] || continue
			fi
			if [ -n "$did" ]; then
				dev_did=$(/bin/cat "$dev_path/device")
				[ "x$did" = "x$dev_did" ] || continue
			fi

			checked="$((checked + 1))"

			dev_val="$(/usr/bin/od -j "$offset" -N "$size" -A n \
					       -t "u$size" "$dev_path/config")"

			val_rest="${val}"
			while :; do
				cur_val="${val_rest%%,*}"
				if [ "$((dev_val & mask))" = "$((cur_val & mask))" ]
				then
					matched="$((matched + 1))"
					break
				fi
				[ "x${val_rest}" != "x${val_rest#*,}" ] || break
				val_rest="${val_rest#*,}"
			done

			case "$mode" in
			success-any) [ "$matched" -eq 0 ] || { echo 0; exit; } ;;
			success-all) [ "$matched" -eq "$checked" ] || { echo 1; exit; } ;;
			fail-any)    [ "$matched" -eq 0 ] || { echo 1; exit; } ;;
			fail-all)    [ "$matched" -eq "$checked" ] || { echo 0; exit; } ;;
			*)           echo 2; exit;;
			esac
		done

		debug "PCI config value check ($opts): checked $checked," \
		      "matched $matched (model check is set to $match_model)"

		case "$mode" in
		success-any) if [ "$matched" -eq 0 ]; then echo 1; else echo 0; fi ;;
		success-all) if [ "$matched" -gt 0 -a "$matched" -eq "$checked" ]; then echo 0; else echo 1; fi ;;
		fail-any)    if [ "$matched" -eq 0 ]; then echo 0; else echo 1; fi  ;;
		fail-all)    if [ "$matched" -gt 0 -a "$matched" -eq "$checked" ]; then echo 1; else echo 0; fi ;;
		*)           echo 2; exit;;
		esac
	)
}

# Provides model in format "VENDOR_ID FAMILY-MODEL-STEPPING"
#
# We check only the first processor as we don't expect non-symmetrical setups
# with CPUs with caveats
get_model_string()
{
	/usr/bin/printf "%s %02x-%02x-%02x" \
		$(/bin/sed -rn '1,/^$/{
			s/^vendor_id[[:space:]]*: (.*)$/\1/p;
			s/^cpu family[[:space:]]*: (.*)$/\1/p;
			s/^model[[:space:]]*: (.*)$/\1/p;
			s/^stepping[[:space:]]*: (.*)$/\1/p;
		}' /proc/cpuinfo)
}

get_model_name()
{
	/bin/sed -rn '1,/^$/s/^model name[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
}

get_vendor_id()
{
	/bin/sed -rn '1,/^$/s/^vendor_id[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
}

get_mc_path()
{
	case "$1" in
	GenuineIntel)
		echo "intel-ucode/$2"
		;;
	AuthenticAMD)
		echo "amd-ucode/$2"
		;;
	esac
}

get_mc_ver()
{
	/bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo
}

fail()
{
	ret=1

	fail_cfgs="$fail_cfgs $cfg"
	fail_paths="$fail_paths $cfg_path"

	[ 0 -eq "$print_disclaimers" ] || [ ! -e "${dir}/disclaimer" ] \
		|| /bin/cat "${dir}/disclaimer"
}

#check_kver "$@"
#get_model_name

match_model=0
configs=
kver=$(/bin/uname -r)
verbose=0
early_check=0
print_disclaimers=0

ret=0

while getopts "dek:c:mv" opt; do
	case "${opt}" in
	d)
		print_disclaimers=1
		early_check=2
		;;
	e)
		early_check=1
		;;
	k)
		kver="$OPTARG"
		;;
	c)
		configs="$configs $OPTARG"
		;;
	m)
		match_model=1
		;;
	v)
		verbose=1
		;;
	*)
		usage
		exit 1;
		;;
	esac
done

: "${configs:=$(find "${MC_CAVEATS_DATA_DIR}" -maxdepth 1 -mindepth 1 -type d -printf "%f\n")}"

cpu_model=$(get_model_string)
cpu_model_name=$(get_model_name)
cpu_vendor=$(get_vendor_id)

ret_paths=""
ok_paths=""
fail_paths=""

ret_cfgs=""
ok_cfgs=""
fail_cfgs=""

skip_cfgs=""

if [ 1 -eq "$early_check" ]; then
	stage="early"
else
	stage="late"
fi


for cfg in $(echo "${configs}"); do
	dir="$MC_CAVEATS_DATA_DIR/$cfg"

	# We add cfg to the skip list first and then, if we do not skip it,
	# we remove the configuration from the list.
	skip_cfgs="$skip_cfgs $cfg"

	[ -r "${dir}/readme" ] || {
		debug "File 'readme' in ${dir} is not found, skipping"
		continue
	}

	[ -r "${dir}/config" ] || {
		debug "File 'config' in ${dir} is not found, skipping"
		continue
	}

	cfg_model=
	cfg_vendor=
	cfg_path=
	cfg_kvers=
	cfg_kvers_early=
	cfg_blacklist=
	cfg_mc_min_ver_late=
	cfg_disable=
	cfg_pci=

	while read -r key value; do
		case "$key" in
		model)
			cfg_model="$value"
			;;
		vendor)
			cfg_vendor="$value"
			;;
		path)
			cfg_path="$cfg_path $value"
			;;
		kernel)
			cfg_kvers="$cfg_kvers $value"
			;;
		kernel_early)
			cfg_kvers_early="$cfg_kvers_early $value"
			;;
		mc_min_ver_late)
			cfg_mc_min_ver_late="$value"
			;;
		disable)
			cfg_disable="$cfg_disable $value "
			;;
		blacklist)
			cfg_blacklist=1
			;;
		pci_config_val)
			cfg_pci="$cfg_pci
				$value"
			;;
		'#'*|'')
			continue
			;;
		*)
			debug "Unknown key '$key' (value '$value') in config" \
			      "'$cfg'"
			;;
		esac
	done < "${dir}/config"

	[ -z "${cfg_blacklist}" ] || \
		cfg_blacklist=$(/bin/sed -n '/^blacklist$/,$p' "${dir}/config" |
					/usr/bin/tail -n +2)

	debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'"
	debug "${cfg}: blacklist '$cfg_blacklist'"

	# Check for override files in the following order:
	#  - disallow early/late specific caveat for specific kernel
	#  - force early/late specific caveat for specific kernel
	#  - disallow specific caveat for specific kernel
	#  - force specific caveat for specific kernel
	#
	#  - disallow early/late specific caveat for any kernel
	#  - disallow early/late any caveat for specific kernel
	#  - force early/late specific caveat for any kernel
	#  - force early/late any caveat for specific kernel
	#  - disallow specific caveat for any kernel
	#  - disallow any caveat for specific kernel
	#  - force specific caveat for any kernel
	#  - force any caveat for specific kernel
	#
	#  - disallow early/late everything
	#  - force early/late everyhting
	#  - disallow everything
	#  - force everyhting
	ignore_cfg=0
	force_cfg=0
	override_file=""
	overrides="
	0:$FW_DIR/$kver/disallow-$stage-$cfg
	1:$FW_DIR/$kver/force-$stage-$cfg
	0:$FW_DIR/$kver/disallow-$cfg
	1:$FW_DIR/$kver/force-$cfg
	0:$FW_DIR/$kver/disallow-$stage
	0:$CFG_DIR/disallow-$stage-$cfg
	1:$FW_DIR/$kver/force-$stage
	1:$CFG_DIR/force-$stage-$cfg
	0:$FW_DIR/$kver/disallow
	0:$CFG_DIR/disallow-$cfg
	1:$FW_DIR/$kver/force
	1:$CFG_DIR/force-$cfg
	0:$CFG_DIR/disallow-$stage
	1:$CFG_DIR/force-$stage
	0:$CFG_DIR/disallow
	1:$CFG_DIR/force"
	for o in $(echo "$overrides"); do
		o_force=${o%%:*}
		override_file=${o#$o_force:}

		[ -e "$override_file" ] || continue

		if [ 0 -eq "$o_force" ]; then
			ignore_cfg=1
		else
			force_cfg=1
		fi

		break
	done

	[ 0 -eq "$ignore_cfg" ] || {
		debug "Configuration \"$cfg\" is ignored due to presence of" \
		      "\"$override_file\"."
		continue
	}

	# Check model if model filter is enabled
	if [ 1 -eq "$match_model" -a  -n "$cfg_model" ]; then
		[ "x$cpu_model" = "x$cfg_model" ] || {
			debug "Current CPU model '$cpu_model' doesn't" \
			      "match configuration CPU model '$cfg_model'," \
			      "skipping"
			continue
		}
	fi

	# Check paths if model filter is enabled
	if [ 1 -eq "$match_model" -a  -n "$cfg_path" ]; then
		cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \
			"$cpu_vendor" "${cpu_model#* }")"
		cfg_mc_present=0

		for p in $(printf "%s" "$cfg_path"); do
			{ /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \
				-path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0;
			  /bin/true; } \
			    | /bin/grep -zFxq "$cpu_mc_path" \
			    || continue

			cfg_mc_present=1
			break
		done

		[ 1 = "$cfg_mc_present" ] || {
			debug "No matching microcode files in '$cfg_path'" \
			      "for CPU model '$cpu_model', skipping"
			continue
		}
	fi

	# Check vendor if model filter is enabled
	if [ 1 -eq "$match_model" -a  -n "$cfg_vendor" ]; then
		[ "x$cpu_vendor" = "x$cfg_vendor" ] || {
			debug "Current CPU vendor '$cpu_vendor' doesn't" \
			      "match configuration CPU vendor '$cfg_vendor'," \
			      "skipping"
			continue
		}
	fi

	# Check configuration files

	ret_cfgs="$ret_cfgs $cfg"
	ret_paths="$ret_paths $cfg_path"
	skip_cfgs="${skip_cfgs% $cfg}"

	[ 0 -eq "$force_cfg" ] || {
		debug "Checks for configuration \"$cfg\" are ignored due to" \
		      "presence of \"$override_file\"."

		ok_cfgs="$ok_cfgs $cfg"
		ok_paths="$ok_paths $cfg_path"

		continue
	}

	[ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || {
		debug "${cfg}: caveat is disabled in configuration"
		fail
		continue
	}

	# Check late load kernel version
	if [ 1 -ne "$early_check" -a -n "$cfg_kvers" ]; then
		check_kver "$kver" $cfg_kvers || {
			debug "${cfg}: late load kernel version check for" \
			      " '$kver' against '$cfg_kvers' failed"
			fail
			continue
		}
	fi

	# Check early load kernel version
	if [ 0 -ne "$early_check" -a -n "$cfg_kvers_early" ]; then
		check_kver "$kver" $cfg_kvers_early || {
			debug "${cfg}: early load kernel version check for" \
			      "'$kver' against '$cfg_kvers_early' failed"
			fail
			continue
		}
	fi

	# Check model blacklist
	if [ -n "$cfg_blacklist" ]; then
		echo "$cfg_blacklist" | /bin/grep -vqFx "${cpu_model_name}" || {
			debug "${cfg}: model '${cpu_model_name}' is blacklisted"
			fail
			continue
		}
	fi

	# Check current microcode version for the late update
	if [ -n "$cfg_mc_min_ver_late" -a 1 -ne "$early_check" -a \
	   "x$cpu_model" = "x$cfg_model" ]; then
		cpu_mc_ver="$(get_mc_ver)"

		[ 1 -eq $((cpu_mc_ver >= cfg_mc_min_ver_late)) ] || {
			debug "${cfg}: CPU microcode version $cpu_mc_ver" \
			      "failed check (should be at least" \
			      "${cfg_mc_min_ver_late})"
			fail
			continue
		}
	fi

	# Check PCI devices if model filter is enabled
	# Note that the model filter check is done inside check_pci_config_val
	# based on the 'mode=' parameter.
	if [ -n "$cfg_pci" ]; then
		pci_res=0
		pci_line=
		while read -r pci_line; do
			[ -n "$pci_line" ] || continue
			pci_res=$(check_pci_config_val "$pci_line" "$match_model")
			[ "x$pci_res" = x0 ] || break
		done <<- EOF
		$cfg_pci
		EOF

		[ "x$pci_res" = x0 ] || {
			debug "PCI configuration word check '$pci_line' " \
			      "failed (with return code $pci_res)"
			fail
			continue
		}
	fi

	ok_cfgs="$ok_cfgs $cfg"
	ok_paths="$ok_paths $cfg_path"
done

[ 0 -eq "$print_disclaimers" ] || exit 0

echo "cfgs$ret_cfgs"
echo "skip_cfgs$skip_cfgs"
echo "paths$ret_paths"
echo "ok_cfgs$ok_cfgs"
echo "ok_paths$ok_paths"
echo "fail_cfgs$fail_cfgs"
echo "fail_paths$fail_paths"

exit $ret