Re: [PATCH 1/2] x86/microcode/AMD: Load late on both threads too

From: Jim Mattson
Date: Wed Aug 16 2023 - 18:38:24 EST


On Wed, Aug 16, 2023 at 2:59 PM Borislav Petkov <bp@xxxxxxxxx> wrote:
>
> On Wed, Aug 16, 2023 at 02:36:57PM -0700, Jim Mattson wrote:
> > Doesn't this render that attestation misleading, since the microcode
> > patch may not have been loaded on all logical processors?
>
> For that it doesn't matter because the microcode engine is shared
> between the two threads. The updated microcode revision is shown on any
> of the two threads so you can load on one only. And we did this for
> years.
>
> Only recently we started loading on both and we will be doing that from
> now on.

SEV-SNP is supposed to protect the guest from a malicious host. A
malicious host may not load the microcode update on both threads. As a
result, it gives me some concern when I see something like this
(https://lore.kernel.org/lkml/20230808190239.131508-1-john.allen@xxxxxxx/):

+NOTE: For Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19 Model=0xa0),
+either AGESA version >= 1.0.0.8 OR a kernel with the following commit is
+required:
+a32b0f0db3f3 ("x86/microcode/AMD: Load late on both threads too")
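Review bot: the NOTE states a requirement (AGESA >= 1.0.0.8, or a kernel carrying a32b0f0db3f3) without saying what fails when neither is met, so a reader cannot tell whether this is a functional requirement for SNP guest launch or one for the microcode revision reported in attestation; add a sentence naming the failure mode and why late loading on both SMT threads matters for SEV-SNP on these two models.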

It seems problematic if the guest can't tell from the attestation
whether or not the identified microcode revision has been correctly
applied.

> What could be problematic is if it simply fails loading on some cores
> - regardless of SMT - but that would be problematic not only to SEV-SNP
> attestation but to the general system health. tglx has some patches
> which verify what has been successfully loaded where so hopefully we'll
> be verifying more in that area.

I had assumed that the SEV-SNP microcode revision attestation was for
all logical processors on the host. Are you saying that it is not?
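The question above is whether every logical processor on the host actually runs the microcode revision the attestation names. The check below is an added example, not code from this thread or from the kernel: it parses text in /proc/cpuinfo format, reports CPUs whose `microcode` field is below an expected revision, and lists cores whose SMT siblings disagree with each other. The sample input is constructed (field values, including the revisions, are made up), and the default "expected" revision is simply the highest one seen; pass the revision you loaded to compare against that instead.

```python
import re
from collections import defaultdict

# Constructed sample in /proc/cpuinfo format: one socket, two cores, two SMT
# threads each. CPU 2 (sibling of CPU 0 on core 0) deliberately reports an
# older revision so the check has something to flag. Not from a real machine.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 17
physical id\t: 0
core id\t\t: 0
microcode\t: 0xa10113e

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 17
physical id\t: 0
core id\t\t: 1
microcode\t: 0xa10113e

processor\t: 2
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 17
physical id\t: 0
core id\t\t: 0
microcode\t: 0xa10113c

processor\t: 3
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 17
physical id\t: 0
core id\t\t: 1
microcode\t: 0xa10113e
"""


def parse_cpuinfo(text):
    """Map logical CPU -> (socket, core, microcode revision) from /proc/cpuinfo text.

    Blocks are separated by blank lines; each "key : value" line is split on
    the first colon. Blocks without a processor or microcode field are skipped.
    """
    cpus = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" not in fields or "microcode" not in fields:
            continue
        cpu = int(fields["processor"])
        socket = int(fields.get("physical id", 0))
        core = int(fields.get("core id", cpu))
        cpus[cpu] = (socket, core, int(fields["microcode"], 16))
    return cpus


def check_microcode(cpus, expected=None):
    """Find CPUs below the expected revision and cores whose SMT threads disagree.

    expected: revision every CPU should report; defaults to the highest one seen.
    Returns {'expected': int, 'stale': [cpu, ...], 'split_cores': [(socket, core), ...]}.
    """
    if not cpus:
        raise ValueError("no CPUs parsed")
    if expected is None:
        expected = max(rev for _, _, rev in cpus.values())
    stale = sorted(cpu for cpu, (_, _, rev) in cpus.items() if rev < expected)
    # Group the revisions seen on each physical core; more than one distinct
    # value means the SMT siblings are not reporting the same microcode.
    by_core = defaultdict(set)
    for socket, core, rev in cpus.values():
        by_core[(socket, core)].add(rev)
    split = sorted(key for key, revs in by_core.items() if len(revs) > 1)
    return {"expected": expected, "stale": stale, "split_cores": split}


def main():
    # On a live host use: text = open("/proc/cpuinfo").read()
    result = check_microcode(parse_cpuinfo(SAMPLE_CPUINFO))
    print(f"expected microcode revision: 0x{result['expected']:x}")
    print(f"CPUs below expected revision: {result['stale']}")
    print(f"cores whose SMT threads disagree: {result['split_cores']}")


if __name__ == "__main__":
    main()
```

On the constructed input this flags CPU 2 as stale and core (0, 0) as split. A non-empty `split_cores` list is the case the thread says should not happen on AMD, where siblings share one microcode engine, so seeing one on a real host points at a parsing or reporting problem rather than at a half-loaded core; a non-empty `stale` list with empty `split_cores` is the whole-core miss Boris mentions as the more likely failure.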