#! /bin/bash -eu # Script for checking various microcode caveats # # # SPDX-License-Identifier: CC0-1.0 export LC_ALL=C : ${MC_CAVEATS_DATA_DIR=/usr/share/microcode_ctl/ucode_with_caveats} : ${FW_DIR=/lib/firmware} : ${CFG_DIR=/etc/microcode_ctl/ucode_with_caveats} MAX_NESTING_LEVEL=8 usage() { echo 'Usage: check_caveats [-d] [-e] [-k TARGET_KVER] [-c CONFIG]' echo ' [-m] [-v]' echo echo ' -d - enables disclaimer printing mode' echo ' -e - check for early microcode load possibility (instead of' echo ' late microcode load)' echo ' -k - target version to check against, $(uname -r) is used' echo ' otherwise' echo ' -c - caveat config(s) to check, all configs are checked' echo ' otherwise' echo ' -m - check that caveats actually apply to the current model' echo ' -v - verbose output' echo echo 'Environment:' echo ' MC_CAVEATS_DATA_DIR - directory that contains caveats' echo ' configuration data' } debug() { [ 0 = "$verbose" ] || echo "$*" >&2; } # A simplified RPM version comparison that takes into account knowledge about # Y- and Z-streams (so it compares versions inside Y-stram or Z-stream if # the version against which comparison is performed has appropriate versioning # scheme). # # $1 - kernel version to check # $* - list of kernel versions to check against check_kver() { local t_major= t_minor= t_patch= t_y= t_z1= t_z2= t_rest= local m_major= m_minor= m_patch= m_y= m_z1= m_z2= m_rest= local cmp_type= # IFS=.- read -r t_major t_minor t_patch t_y t_z1 t_z2 t_rest <<<"$1" # "cannot create temp file for here-document: Read-only file system" # that's why we can't have nice things. t_major=${1%%.*} t_rest=${1#${t_major}} t_rest=${t_rest#.} t_minor=${t_rest%%.*} t_rest=${t_rest#${t_minor}} t_rest=${t_rest#.} t_patch=${t_rest%%-*} t_rest=${t_rest#${t_patch}} t_rest=${t_rest#-} t_y=${t_rest%%.*} t_rest=${t_rest#${t_y}} t_rest=${t_rest#.} t_z1=${t_rest%%.*} t_rest=${t_rest#${t_z1}} t_rest=${t_rest#.} t_z2=${t_rest%%.*} # minor/major/patch/y should be numeric [ -n "${t_major##*[!0-9]*}" ] || return 1 [ -n "${t_minor##*[!0-9]*}" ] || return 1 [ -n "${t_patch##*[!0-9]*}" ] || return 1 [ -n "${t_y##*[!0-9]*}" ] || return 1 # reset z1/z2 to zero if non-numeric [ -n "${t_z1##*[!0-9]*}" ] || t_z1=0 [ -n "${t_z2##*[!0-9]*}" ] || t_z2=0 while [ 1 -lt "$#" ]; do cmp_type=upstream shift m_major=${1%%.*} m_rest=${1#${m_major}} m_rest=${m_rest#.} m_minor=${m_rest%%.*} m_rest=${m_rest#${m_minor}} m_rest=${m_rest#.} m_patch=${m_rest%%-*} m_rest=${m_rest#${m_patch}} m_rest=${m_rest#-} m_y=${m_rest%%.*} m_rest=${m_rest#${m_y}} m_rest=${m_rest#.} m_z1=${m_rest%%.*} m_rest=${m_rest#${m_z1}} m_rest=${m_rest#.} m_z2=${m_rest%%.*} # minor/major/patch should be numeric [ -n "${m_major##*[!0-9]*}" ] || continue [ -n "${m_minor##*[!0-9]*}" ] || continue [ -n "${m_patch##*[!0-9]*}" ] || continue # reset z1/z2 to zero if non-numeric [ -n "${m_y##*[!0-9]*}" ] && cmp_type=y || m_y=0 [ -n "${m_z1##*[!0-9]*}" ] && cmp_type=z || m_z1=0 [ -n "${m_z2##*[!0-9]*}" ] && cmp_type=z || m_z2=0 # Comparing versions case "$cmp_type" in upstream) [ "$t_major" -ge "$m_major" ] || continue [ "$t_minor" -ge "$m_minor" ] || continue [ "$t_patch" -ge "$m_patch" ] || continue return 0 ;; y) [ "$t_major" -eq "$m_major" ] || continue [ "$t_minor" -eq "$m_minor" ] || continue [ "$t_patch" -eq "$m_patch" ] || continue [ "$t_y" -ge "$m_y" ] || continue return 0 ;; z) [ "$t_major" -eq "$m_major" ] || continue [ "$t_minor" -eq "$m_minor" ] || continue [ "$t_patch" -eq "$m_patch" ] || continue [ "$t_y" -eq "$m_y" ] || continue [ "$t_z1" -ge "$m_z1" ] || continue [ "$t_z2" -ge "$m_z2" ] || continue return 0 ;; esac done return 1 } # It is needed for SKX[1] for which different product segments # are differentiated by a value in the CAPID0 field of PCU registers # device[2]. # [1] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/21 # [2] https://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/xeon-scalable-spec-update.pdf#page=13 # # $1 - params in config file, space-separated, in key=value form: # domain=* - PCI domain, '*' or number # bus=* - PCI bus, '*' or number # device=* - PCI device, '*' or number # function=* - PCI function, '*' or number # vid= - PCI vendor ID, empty or number # did= - PCI device ID, empty or number # offset=0 - offset in configuration space # size=4 - field size # mask=0 - mask applied to the data read # val=0 - comma-separated list of possible values # mode=success-any [ success-ail, fail-any, fail-all ] - matching mode: # success-any: Returns 0 if there was at least one match, otherwise 1. # success-all: Returns 0 if there was at least one device checked and all # the checked devices have matches, otherwise 1. # fail-any: Returns 1 if there was at least one match, otherwise 0. # fail-all: Returns 1 if there was at least one device checked and all # the checked devices have matches, otherwise 0. # $2 - whether model filter is engaged (if it is not '1', just return the result # based on "mode" value that assumes that there were 0 checks/0 matches). check_pci_config_val() { local domain='*' bus='*' device='*' func='*' vid= did= local offset=0 size=4 mask=0 val=0 mode=success-any local checked=0 matched=0 path='' local dev_path dev_vid dev_did dev_val local opts="${1:-}" local match_model="${2:-0}" set -- $1 while [ "$#" -gt 0 ]; do [ "x${1#domain=}" = "x${1}" ] || domain="${1#domain=}" [ "x${1#bus=}" = "x${1}" ] || bus="${1#bus=}" [ "x${1#device=}" = "x${1}" ] || device="${1#device=}" [ "x${1#function=}" = "x${1}" ] || func="${1#function=}" [ "x${1#vid=}" = "x${1}" ] || vid="${1#vid=}" [ "x${1#did=}" = "x${1}" ] || did="${1#did=}" [ "x${1#offset=}" = "x${1}" ] || offset="${1#offset=}" [ "x${1#size=}" = "x${1}" ] || size="${1#size=}" [ "x${1#mask=}" = "x${1}" ] || mask="${1#mask=}" [ "x${1#val=}" = "x${1}" ] || val="${1#val=}" [ "x${1#mode=}" = "x${1}" ] || mode="${1#mode=}" shift done path="$domain" if [ "x$bus" = 'x*' ]; then path="$path:$bus"; else path=$(printf '%s:%02x' "$path" "$bus") fi if [ "x$device" = 'x*' ]; then path="$path:$device"; else path=$(printf '%s:%02x' "$path" "$device") fi if [ "x$func" = 'x*' ]; then path="$path.$func"; else path=$(printf '%s.%01x' "$path" "$func") fi # Normalise VID, DID [ -n "$vid" ] || vid="$(printf '0x%04x' "$vid")" [ -n "$did" ] || did="$(printf '0x%04x' "$did")" ( [ 1 != "$match_model" ] \ || /usr/bin/find /sys/bus/pci/devices/ -maxdepth 1 -name "$path" \ || : ) | ( while read -r dev_path; do # Filter VID, DID if [ -n "$vid" ]; then dev_vid=$(/bin/cat "$dev_path/vendor") [ "x$vid" = "x$dev_vid" ] || continue fi if [ -n "$did" ]; then dev_did=$(/bin/cat "$dev_path/device") [ "x$did" = "x$dev_did" ] || continue fi checked="$((checked + 1))" dev_val="$(/usr/bin/od -j "$offset" -N "$size" -A n \ -t "u$size" "$dev_path/config")" val_rest="${val}" while :; do cur_val="${val_rest%%,*}" if [ "$((dev_val & mask))" = "$((cur_val & mask))" ] then matched="$((matched + 1))" break fi [ "x${val_rest}" != "x${val_rest#*,}" ] || break val_rest="${val_rest#*,}" done case "$mode" in success-any) [ "$matched" -eq 0 ] || { echo 0; exit; } ;; success-all) [ "$matched" -eq "$checked" ] || { echo 1; exit; } ;; fail-any) [ "$matched" -eq 0 ] || { echo 1; exit; } ;; fail-all) [ "$matched" -eq "$checked" ] || { echo 0; exit; } ;; *) echo 2; exit;; esac done debug "PCI config value check ($opts): checked $checked," \ "matched $matched (model check is set to $match_model)" case "$mode" in success-any) if [ "$matched" -eq 0 ]; then echo 1; else echo 0; fi ;; success-all) if [ "$matched" -gt 0 -a "$matched" -eq "$checked" ]; then echo 0; else echo 1; fi ;; fail-any) if [ "$matched" -eq 0 ]; then echo 0; else echo 1; fi ;; fail-all) if [ "$matched" -gt 0 -a "$matched" -eq "$checked" ]; then echo 1; else echo 0; fi ;; *) echo 2; exit;; esac ) } # It is needed for filtering by BIOS vendor name that is available in DMI data # # $1 - params in config file, space-separated, in key=value form: # key= - DMI data record to check. Can be one of the following: bios_date, # bios_vendor, bios_version, board_asset_tag, board_name, board_serial, # board_vendor, board_version, chassis_asset_tag, chassis_serial, # chassis_type, chassis_vendor, chassis_version, product_family, # product_name, product_serial, product_uuid, product_version, # sys_vendor. # val= - a string to match DMI data against. Can be enclosed in single # or double quotes. # keyval= - a string of format "KEY(!)?[=:]VAL" (so, one of "KEY=VAL", # "KEY!=VAL", "KEY:VAL", "KEY!:VAL") that allows providing # a key-value pair in a single parameter. It is possible to provide # multiple keyval= parameters. "!" before :/= means negated match. # The action supplied in the mode= parameter is executed upon # successful (non-)matching of all the keyval pairs (as well # as the pair provided in a pair of key= and val= parameters). # mode=success-equal [ success-equal, fail-equal ] - matching mode: # success-equal: Returns 0 if the all values present in the corresponding # files under /sys/devices/virtual/dmi/id/ are equal # (or not equal in case of a keyval= with negated match) # to the respective values supplied as the values # of the keyval= parameters or the pair of key= vand val= # parameters, otherwise 1. # fail-equal: Returns 1 if all the values present in DMI files in sysfs # match (as described above), otherwise 0. # no-model-mode=success [ success, fail ] - return value if model filter # is not enabled: # success: Return 0. # fail: Return 1. # $2 - whether model filter is engaged (if it is not '1', just return the result # based on "no-model-mode" value). check_dmi_val() { local key= val= keyval= keyvals= mode='success-equal' nm_mode='success' local opts="${1:-}" opt= opt_= local match_model="${2:-0}" local valid_keys=" bios_date bios_vendor bios_version board_asset_tag board_name board_serial board_vendor board_version chassis_asset_tag chassis_serial chassis_type chassis_vendor chassis_version product_family product_name product_serial product_uuid product_version sys_vendor " local success=1 while [ -n "$opts" ]; do opt="${opts%%[ ]*}" [ -n "${opt}" ] || { opts="${opts#[ ]}"; continue; } [ "x${opt#key=}" = "x${opt}" ] || key="${opt#key=}" [ "x${opt#mode=}" = "x${opt}" ] || mode="${opt#mode=}" [ "x${opt#no-model-mode=}" = "x${opt}" ] || \ nm_mode="${opt#no-model-mode=}" # Handle possible quoting [ "x${opt#val=}" = "x${opt}" ] || { case "${opt#val=}" in [\']*) opt_="${opts#val=\'}"; val="${opt_%%\'*}"; opt="val='${val}'" ;; [\"]*) opt_="${opts#val=\"}"; val="${opt_%%\"*}"; opt="val=\"${val}\"" ;; *) val="${opt#val=}" ;; esac } [ "x${opt#keyval=}" = "x${opt}" ] || { case "${opt#keyval=}" in [\']*) opt_="${opts#keyval=\'}" keyval="${opt_%%\'*}" opt="keyval='${keyval}'" keyvals="${keyvals} ${keyval}" ;; [\"]*) opt_="${opts#keyval=\"}" keyval="${opt_%%\"*}" opt="keyval=\"${keyval}\"" keyvals="${keyvals} ${keyval}" ;; *) keyvals="${keyvals} ${opt#keyval=}" ;; esac } opts="${opts#"${opt}"}" continue done [ -z "$key" -a -z "$val" ] || keyvals="${key}=${val}${keyvals}" [ -n "x${keyvals}" ] || { debug "Neither key=, val=, nor keyval= parameters were privoded" echo 2 return } [ 1 = "$match_model" ] || { case "$nm_mode" in success) echo 0 ;; fail) echo 1 ;; *) debug "Invalid no-model-mode value: \"${nm_mode}\"" echo 2 ;; esac return } case "$mode" in success-equal|fail-equal) ;; *) debug "Invalid mode value: \"${nm_mode}\""; echo 2; return ;; esac printf "%s\n" "${keyvals}" | ( while read l; do [ -n "$l" ] || continue key="${l%%[=:]*}" val="${l#${key}[=:]}" cmp="=" [ "x${key%!}" = "x${key}" ] || { cmp="!=" key="${key%!}" } # Check key for validity [ "x${valid_keys#* ${key} *}" != "x${valid_keys}" ] || { debug "Invalid \"key\" parameter value: \"${key}\"" echo 2 return } [ -r "/sys/devices/virtual/dmi/id/${key}" ] || { debug "Can't access /sys/devices/virtual/dmi/id/${key}" echo 3 return } file_val="$(/bin/cat "/sys/devices/virtual/dmi/id/${key}")" [ "x${val}" "${cmp}" "x${file_val}" ] || { case "$mode" in success-equal) echo 1 ;; fail-equal) echo 0 ;; esac return } done case "$mode" in success-equal) echo 0 ;; fail-equal) echo 1 ;; esac ) } # check_dependency CURLEVEL DEP_TYPE DEP_NAME OPTS # DEP_TYPE: # required - caveat can be enabled only if dependency is enabled # (is not forcefully disabled and meets caveat conditions) # OPTS: # match-model-mode=same [ on, off, same ] - what mode matching mode is to be used for dependency # skip=skip [ fail, skip, success ] # force-skip=skip [ fail, skip, success ] # nesting-too-deep=fail [ fail, skip, success ] # Return values: # 0 - success # 1 - fail # 2 - skip # 9 - error check_dependency() { local cur_level="$1" local dep_type="$2" local dep_name="$3" local match_model_mode=same old_match_model="${match_model}" local skip=skip local force_skip=skip local nesting_too_deep=fail local check="Dependency check for ${dep_type} ${dep_name}" set -- ${4:-} while [ "$#" -gt 0 ]; do [ "x${1#match-model-mode=}" = "x${1}" ] || match_model_mode="${1#match-model-mode=}" [ "x${1#skip=}" = "x${1}" ] || skip="${1#skip=}" [ "x${1#force-skip=}" = "x${1}" ] || force_skip="${1#force-skip=}" [ "x${1#nesting-too-deep=}" = "x${1}" ] || nesting_too_deep="${1#nesting-too-deep=}" shift done case "${dep_type}" in required) [ "x${dep_name%/*}" = "x${dep_name}" ] || { debug "${check} error: dependency name (${dep_name})" \ "cannot contain slashes" echo 9 return } [ "${MAX_NESTING_LEVEL}" -ge "$cur_level" ] || { local reason="nesting level is too deep (${cur_level}) and nesting-too-deep='${nesting_too_deep}'" case "$nesting_too_deep" in success) debug "${check} succeeded: ${reason}"; echo 0 ;; fail) debug "${check} failed: ${reason}"; echo 1 ;; skip) debug "${check} skipped: ${reason}"; echo 2 ;; *) debug "${check} error: invalid" \ "nesting-too-deep mode" \ "(${nesting_too_deep})"; echo 9 ;; esac return } case "${match_model_mode}" in same) ;; on) match_model=1 ;; off) match_model=0 ;; *) debug "${check} error: invalid match-model-mode" \ "(${match_model_mode})" echo 9 return ;; esac local result=0 debug "${check}: calling check_caveat '${dep_name}'" \ "'$(($cur_level + 1))' match_model=${match_model}" check_caveat "${dep_name}" "$(($cur_level + 1))" > /dev/null || result="$?" match_model="${old_match_model}" case "${result}" in 0) debug "${check} succeeded: result=${result}"; echo "${result}" ;; 1) debug "${check} failed: result=${result}"; echo "${result}" ;; 2) local reason="result=${result} and skip='${skip}'" case "${skip}" in success) debug "${check} succeeded: ${reason}"; echo 0 ;; fail) debug "${check} failed: ${reason}"; echo 1 ;; skip) debug "${check} skipped: ${reason}"; echo 2 ;; *) debug "${check} error: unexpected skip=" \ "setting (${skip})"; echo 9 ;; esac ;; 3) local reason="result=${result} and force_skip='${force_skip}'" case "${force_skip}" in success) debug "${check} succeeded: ${reason}"; echo 0 ;; fail) debug "${check} failed: ${reason}"; echo 1 ;; skip) debug "${check} skipped: ${reason}"; echo 2 ;; *) debug "${check} error: unexpected force-skip=" \ "setting (${skip})"; echo 9 ;; esac ;; *) debug "${check} error: unexpected check_caveat result" \ "(${result})"; echo 9 ;; esac ;; *) debug "${check} error: unknown dependency type '${dep_type}'" echo 9 ;; esac } # Provides model in format "VENDOR_ID FAMILY-MODEL-STEPPING" # # We check only the first processor as we don't expect non-symmetrical setups # with CPUs with caveats get_model_string() { /usr/bin/printf "%s %02x-%02x-%02x" \ $(/bin/sed -rn '1,/^$/{ s/^vendor_id[[:space:]]*: (.*)$/\1/p; s/^cpu family[[:space:]]*: (.*)$/\1/p; s/^model[[:space:]]*: (.*)$/\1/p; s/^stepping[[:space:]]*: (.*)$/\1/p; }' /proc/cpuinfo) } get_model_name() { /bin/sed -rn '1,/^$/s/^model name[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo } get_vendor_id() { /bin/sed -rn '1,/^$/s/^vendor_id[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo } get_mc_path() { case "$1" in GenuineIntel) echo "intel-ucode/$2" ;; AuthenticAMD) echo "amd-ucode/$2" ;; *) # We actually only support Intel ucode, but things may break # if nothing is printed (input would be gotten from stdin # otherwise). echo "invalid" ;; esac } get_mc_ver() { /bin/sed -rn '1,/^$/s/^microcode[[:space:]]*: (.*)$/\1/p' /proc/cpuinfo } match_model=0 configs= kver=$(/bin/uname -r) verbose=0 early_check=0 print_disclaimers=0 ret=0 while getopts "dek:c:mv" opt; do case "${opt}" in d) print_disclaimers=1 early_check=2 ;; e) early_check=1 ;; k) kver="$OPTARG" ;; c) configs="$configs $OPTARG" ;; m) match_model=1 ;; v) verbose=1 ;; *) usage exit 1; ;; esac done : "${configs:=$(find "${MC_CAVEATS_DATA_DIR}" -maxdepth 1 -mindepth 1 -type d -printf "%f\n")}" cpu_model=$(get_model_string) cpu_model_name=$(get_model_name) cpu_vendor=$(get_vendor_id) ret_paths="" ok_paths="" fail_paths="" ret_cfgs="" ok_cfgs="" fail_cfgs="" skip_cfgs="" if [ 1 -eq "$early_check" ]; then stage="early" else stage="late" fi # check_caveat CFG [CHECK_LEVEL] # changes ret_paths, ok_paths, fail_paths, ret_cfgs, ok_cfgs, fail_cfgs, # skip_cfgs if CHECK_LEVEL is set to 0 (default). # CHECK_LEVEL is used for recursive configuration dependency checks, # and indicates nesting level. # Return value: # 0 - check is successful # 1 - check has been failed # 2 - configuration has been skipped # 3 - configuration has been skipped due to presence of an override file check_caveat() { local cfg="$1" local check_level="${2:-0}" local dir="$MC_CAVEATS_DATA_DIR/$cfg" [ -r "${dir}/readme" ] || { debug "File 'readme' in ${dir} is not found, skipping" return 2 } [ -r "${dir}/config" ] || { debug "File 'config' in ${dir} is not found, skipping" return 2 } local cfg_model= local cfg_vendor= local cfg_path= local cfg_kvers= local cfg_kvers_early= local cfg_mc_min_ver_late= local cfg_disable= local cfg_pci= local cfg_dmi= local cfg_dependency= local key local value while read -r key value; do case "$key" in model) cfg_model="$value" ;; vendor) cfg_vendor="$value" ;; path) cfg_path="$cfg_path $value" ;; kernel) cfg_kvers="$cfg_kvers $value" ;; kernel_early) cfg_kvers_early="$cfg_kvers_early $value" ;; mc_min_ver_late) cfg_mc_min_ver_late="$value" ;; disable) cfg_disable="$cfg_disable $value " ;; pci_config_val) cfg_pci="$cfg_pci $value" ;; dmi) cfg_dmi="$cfg_dmi $value" ;; dependency) cfg_dependency="$cfg_dependency $value" ;; '#'*|'') continue ;; *) debug "Unknown key '$key' (value '$value') in config" \ "'$cfg'" ;; esac done < "${dir}/config" debug "${cfg}: model '$cfg_model', path '$cfg_path', kvers '$cfg_kvers'" echo "$cfg_path" # Check for override files in the following order: # - disallow early/late specific caveat for specific kernel # - force early/late specific caveat for specific kernel # - disallow specific caveat for specific kernel # - force specific caveat for specific kernel # # - disallow early/late specific caveat for any kernel # - disallow early/late any caveat for specific kernel # - force early/late specific caveat for any kernel # - force early/late any caveat for specific kernel # - disallow specific caveat for any kernel # - disallow any caveat for specific kernel # - force specific caveat for any kernel # - force any caveat for specific kernel # # - disallow early/late everything # - force early/late everyhting # - disallow everything # - force everyhting local ignore_cfg=0 local force_cfg=0 local override_file="" local overrides=" 0:$FW_DIR/$kver/disallow-$stage-$cfg 1:$FW_DIR/$kver/force-$stage-$cfg 0:$FW_DIR/$kver/disallow-$cfg 1:$FW_DIR/$kver/force-$cfg 0:$FW_DIR/$kver/disallow-$stage 0:$CFG_DIR/disallow-$stage-$cfg 1:$FW_DIR/$kver/force-$stage 1:$CFG_DIR/force-$stage-$cfg 0:$FW_DIR/$kver/disallow 0:$CFG_DIR/disallow-$cfg 1:$FW_DIR/$kver/force 1:$CFG_DIR/force-$cfg 0:$CFG_DIR/disallow-$stage 1:$CFG_DIR/force-$stage 0:$CFG_DIR/disallow 1:$CFG_DIR/force" local o local o_force local override_file for o in $(echo "$overrides"); do o_force=${o%%:*} override_file=${o#$o_force:} [ -e "$override_file" ] || continue if [ 0 -eq "$o_force" ]; then ignore_cfg=1 else force_cfg=1 fi break done [ 0 -eq "$ignore_cfg" ] || { debug "Configuration \"$cfg\" is ignored due to presence of" \ "\"$override_file\"." return 3 } # Check model if model filter is enabled if [ 1 -eq "$match_model" -a -n "$cfg_model" ]; then [ "x$cpu_model" = "x$cfg_model" ] || { debug "Current CPU model '$cpu_model' doesn't" \ "match configuration CPU model '$cfg_model'," \ "skipping" return 2 } fi # Check paths if model filter is enabled local cpu_mc_path local cfg_mc_present if [ 1 -eq "$match_model" -a -n "$cfg_path" ]; then cpu_mc_path="$MC_CAVEATS_DATA_DIR/$cfg/$(get_mc_path \ "$cpu_vendor" "${cpu_model#* }")" cfg_mc_present=0 for p in $(printf "%s" "$cfg_path"); do /usr/bin/find "$MC_CAVEATS_DATA_DIR/$cfg" \ -path "$MC_CAVEATS_DATA_DIR/$cfg/$p" -print0 \ | /bin/grep -zFxc "$cpu_mc_path" > /dev/null \ || continue cfg_mc_present=1 break done [ 1 = "$cfg_mc_present" ] || { debug "No matching microcode files in '$cfg_path'" \ "for CPU model '$cpu_model', skipping" return 2 } fi # Check vendor if model filter is enabled if [ 1 -eq "$match_model" -a -n "$cfg_vendor" ]; then [ "x$cpu_vendor" = "x$cfg_vendor" ] || { debug "Current CPU vendor '$cpu_vendor' doesn't" \ "match configuration CPU vendor '$cfg_vendor'," \ "skipping" return 2 } fi # Has to be performed before dependency checks [ 0 -eq "$force_cfg" ] || { debug "Checks for configuration \"$cfg\" are ignored due to" \ "presence of \"$override_file\"." return 0 } # Check dependencies # It has to be performed here (before adding configuration # to $ret_cfgs/$ret_paths) since it may be skipped. if [ -n "$cfg_dependency" ]; then dep_line="$(printf "%s\n" "$cfg_dependency" | \ while read -r dep_type dep_name dep_opts do [ -n "$dep_type" ] || continue dep_res=$(check_dependency "$check_level" \ "$dep_type" \ "$dep_name" \ "$dep_opts") [ 0 != "$dep_res" ] || continue echo "$dep_res $dep_type $dep_name $dep_opts" break done echo "0 ")" case "${dep_line%% *}" in 0) ;; 2) debug "Dependency check '${dep_line#* }'" \ "induced configuration skip" return 2 ;; *) debug "Dependency check '${dep_line#* }'" \ "failed (with return code ${dep_line%% *})" return 1 ;; esac fi # Check configuration files [ "x${cfg_disable%%* $stage *}" = "x$cfg_disable" ] || { debug "${cfg}: caveat is disabled in configuration" return 1 } # Check late load kernel version if [ 1 -ne "$early_check" -a -n "$cfg_kvers" ]; then check_kver "$kver" $cfg_kvers || { debug "${cfg}: late load kernel version check for" \ " '$kver' against '$cfg_kvers' failed" return 1 } fi # Check early load kernel version if [ 0 -ne "$early_check" -a -n "$cfg_kvers_early" ]; then check_kver "$kver" $cfg_kvers_early || { debug "${cfg}: early load kernel version check for" \ "'$kver' against '$cfg_kvers_early' failed" return 1 } fi # Check current microcode version for the late update if [ -n "$cfg_mc_min_ver_late" -a 1 -ne "$early_check" -a \ "x$cpu_model" = "x$cfg_model" ]; then cpu_mc_ver="$(get_mc_ver)" [ 1 -eq $((cpu_mc_ver >= cfg_mc_min_ver_late)) ] || { debug "${cfg}: CPU microcode version $cpu_mc_ver" \ "failed check (should be at least" \ "${cfg_mc_min_ver_late})" return 1 } fi # Check PCI devices if model filter is enabled # Note that the model filter check is done inside check_pci_config_val # based on the 'mode=' parameter. if [ -n "$cfg_pci" ]; then pci_line="$(printf "%s\n" "$cfg_pci" | while read -r pci_line; do [ -n "$pci_line" ] || continue pci_res=$(check_pci_config_val "$pci_line" \ "$match_model") [ 0 != "$pci_res" ] || continue echo "$pci_res $pci_line" break done echo "0 ")" [ -z "${pci_line#* }" ] || { debug "PCI configuration word check '${pci_line#* }'" \ "failed (with return code ${pci_line%% *})" return 1 } fi # Check DMI data if model filter is enabled # Note that the model filter check is done inside check_dmi_val # (which returns the value of 'no-model-mode=' parameter # if it is disenaged). if [ -n "$cfg_dmi" ]; then dmi_line="$(printf "%s\n" "$cfg_dmi" | while read -r dmi_line do [ -n "$dmi_line" ] || continue dmi_res=$(check_dmi_val "$dmi_line" \ "$match_model") [ 0 != "$dmi_res" ] || continue echo "$dmi_res $dmi_line" break done echo "0 ")" [ -z "${dmi_line#* }" ] || { debug "DMI data check '${dmi_line#* }'" \ "failed (with return code ${dmi_line%% *})" return 1 } fi return 0 } for cfg in $(echo "${configs}"); do if cfg_path=$(check_caveat "$cfg"; exit "$?") then ret_cfgs="$ret_cfgs $cfg" ret_paths="$ret_paths $cfg_path" ok_cfgs="$ok_cfgs $cfg" ok_paths="$ok_paths $cfg_path" else case "$?" in 1) ret=1 ret_cfgs="$ret_cfgs $cfg" ret_paths="$ret_paths $cfg_path" fail_cfgs="$fail_cfgs $cfg" fail_paths="$fail_paths $cfg_path" [ 0 -eq "$print_disclaimers" ] \ || [ ! -e "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" ] \ || /bin/cat "${MC_CAVEATS_DATA_DIR}/${cfg}/disclaimer" ;; 2|3) skip_cfgs="$skip_cfgs $cfg"; ;; *) debug "Unexpected check_caveat return code '$?'" \ "for config '$cfg'" ;; esac fi done [ 0 -eq "$print_disclaimers" ] || exit 0 echo "cfgs$ret_cfgs" echo "skip_cfgs$skip_cfgs" echo "paths$ret_paths" echo "ok_cfgs$ok_cfgs" echo "ok_paths$ok_paths" echo "fail_cfgs$fail_cfgs" echo "fail_paths$fail_paths" exit $ret