How to patch cpu with xen

How to patch cpu with xen

Christoph Kaminski

Hi

is there any step by step howto for patching cpu with xen/dom0?

microcode service can't do it because there is no
/sys/devices/system/cpu/microcode/reload in dom0

------
Greetz

_______________________________________________
Xen-users mailing list
[hidden email]
https://lists.xenproject.org/mailman/listinfo/xen-users

Re: How to patch cpu with xen

Bugzilla from ajlill@ajlc.waterloo.on.ca
On 05/28/2018 03:18 AM, Christoph wrote:

>
> Hi
>
> is there any step by step howto for patching cpu with xen/dom0?
>
> microcode service can't do it because there is no
> /sys/devices/system/cpu/microcode/reload in dom0
>
> ------
> Greetz
>

It's hard to find the info, but here's what I use. It works for amd, but
my only intel box doesn't have updated firmware, so I can't confirm. I
looked in the xen source, and xen looks for both microcode bundles in
the same directory, so it should work.

The latest amd microcode is now in git with all the other firmware, get
it with

git clone -q git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git

The latest intel microcode can be downloaded from their website; google
"intel microcode download".

Add ucode=scan to the xen command line args in grub.

# Assuming you have the new microcode in /lib/firmware
# Set up for early firmware load for xen
rm -rf /var/tmp/initrd-for-xen-with_append
mkdir -p /var/tmp/initrd-for-xen-with_append/kernel/x86/microcode

# For intel
iucode_tool -tb -w \
  /var/tmp/initrd-for-xen-with_append/kernel/x86/microcode/GenuineIntel.bin \
  /lib/firmware/intel-ucode/*

# For amd
cat /lib/firmware/amd-ucode/*.bin > \
  /var/tmp/initrd-for-xen-with_append/kernel/x86/microcode/AuthenticAMD.bin

cd /var/tmp/initrd-for-xen-with_append
find . | cpio -o -H newc > /boot/ucode.cpio

cd /boot
cat ucode.cpio initrd.img-4.4.73 > initrd.new
mv initrd.new initrd.img-4.4.73
--
Tony Lill, OCT,                       [hidden email]
President, A. J. Lill Consultants                 (519) 650 0660
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------




Re: How to patch cpu with xen

andy smith-10
In reply to this post by Christoph Kaminski
Hello,

On Mon, May 28, 2018 at 09:18:44AM +0200, Christoph wrote:
> is there any step by step howto for patching cpu with xen/dom0?

On Debian I was able to do it by:

- Install intel-microcode or amd-microcode package from non-free
  repository. This rebuilds initramfs to have microcode concatenated
  on the end of it.

- Add "ucode=scan" to the hypervisor command line by editing
  /etc/default/grub to add that to the GRUB_CMDLINE_XEN variable.

- Run update-grub to rebuild /boot/grub/grub.cfg with the new
  command line argument.

- Reboot and if your loglvl is at info ("loglvl=info" in the
  hypervisor command line) you will see it patching the first CPU
  before dom0 loads:

  (XEN) microcode: CPU0 updated from revision 0xb00001d to 0xb00002c, date = 2018-03-21

  and then after that every other CPU:

  (XEN) microcode: CPU2 updated from revision 0xb00001d to 0xb00002c, date = 2018-03-21  
  (XEN) microcode: CPU4 updated from revision 0xb00001d to 0xb00002c, date = 2018-03-21  
  (XEN) microcode: CPU6 updated from revision 0xb00001d to 0xb00002c, date = 2018-03-21  
  (XEN) microcode: CPU8 updated from revision 0xb00001d to 0xb00002c, date = 2018-03-21  
  (XEN) microcode: CPU10 updated from revision 0xb00001d to 0xb00002c, date = 2018-03-21
  (XEN) microcode: CPU12 updated from revision 0xb00001d to 0xb00002c, date = 2018-03-21
  (XEN) microcode: CPU14 updated from revision 0xb00001d to 0xb00002c, date = 2018-03-21
  (XEN) Brought up 16 CPUs

  If your loglvl isn't high enough (and "info" is not recommended
  for production) then you won't see any of that and will have to
  verify later by looking at /proc/cpuinfo.

Cheers,
Andy
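
A check for the "(XEN) microcode: CPUn updated ..." log lines quoted in the message above, added here as an example and not part of the original thread: it counts the updated CPUs and fails if they did not all end on the same revision. The function names and the embedded sample logs are constructed for illustration (the second sample uses a made-up revision to show the failure case); on a real host the input would come from `xl dmesg` in dom0.

```shell
#!/bin/sh
# Added example (not from the thread): summarise Xen microcode update lines.
# Real use, as root in dom0:  xl dmesg | ucode_check

ucode_check() {
    awk '
    /\(XEN\) microcode: CPU[0-9]+ updated from revision/ {
        # Fields: (XEN) microcode: CPUn updated from revision OLD to NEW, date = D
        new = $9
        sub(/,$/, "", new)            # strip the comma after the new revision
        n++
        if (!(new in seen)) { seen[new] = 1; distinct++ }
        last_new = new
    }
    END {
        if (n == 0)       { print "no microcode update lines found"; exit 2 }
        if (distinct > 1) { print "MISMATCH: " n " CPUs ended on " distinct " different revisions"; exit 1 }
        print "ok: " n " CPUs updated to " last_new
    }'
}

# Constructed sample in the format quoted in the thread.
sample_good() {
    cat <<'EOF'
(XEN) microcode: CPU0 updated from revision 0xb00001d to 0xb00002c, date = 2018-03-21
(XEN) microcode: CPU2 updated from revision 0xb00001d to 0xb00002c, date = 2018-03-21
(XEN) microcode: CPU4 updated from revision 0xb00001d to 0xb00002c, date = 2018-03-21
(XEN) Brought up 16 CPUs
EOF
}

# Constructed failure case: CPU2 ends on a different (made-up) revision.
sample_mixed() {
    cat <<'EOF'
(XEN) microcode: CPU0 updated from revision 0xb00001d to 0xb00002c, date = 2018-03-21
(XEN) microcode: CPU2 updated from revision 0xb00001d to 0xb00002a, date = 2018-01-01
(XEN) Brought up 16 CPUs
EOF
}

sample_good  | ucode_check || echo "exit status $?"
sample_mixed | ucode_check || echo "exit status $?"
```

Exit status 2 means no update lines were found in the input, which is also what a hypervisor log level below "info" produces; in that case fall back to /proc/cpuinfo as described above.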
