[PATCH v2 00/11] x86/microcode: Refactor NMI-based rendezvous mechanism to stop-machine

[Chang S. Bae]

The last version [0] took off patches for the new NMI stop-machine
facility from the dynamic mitigation series. The review comments prompted me
reconsider it and I ended up reworking on that part for this series.

Here are a few things to call out

 * Introduce a cpumask to ensure NMI delivery to target CPUs, which
   allows removal of the static key and per-CPU flag (Boris)

 * Add a Kconfig to hide the facility to other architectures. There is no
   known use case outside x86, so this is to avoid any misuse (Thomas)

 * Switch to accumulate error code for multi-CPU stop-machine instead of
   returning an arbitrary error (Boris)

 * Ensure the handler write the return value before it is read. In
   practice, it was observed that IPI/NMI was not immediate, but an
   immediate read without any guard isn't reliable.

 * Clarify the behavior when no CPU target is given (@cpus=NULL). Instead
   of executing the stop function on every online CPU, it picks only one
   CPU (CPU0, in fact) to run.

 * Refactor the existing flow to better accommodate the new facility.

Other than that, the rest of x86 side changes are relatively minor (typo,
renaming, rebasing).

---

Below is an updated version of the original cover letter:

David Kaplan previously proposed introducing an NMI-based stop-machine
mechanism as part of his dynamic mitigation series [1]. This "big hammer"
approach was also discussed during the last LPC x86 uconf [2].

This patchset uses the facility for the late-loading of Intel microcode
by refactoring existing NMI control mechanism. There is one bit to call
out for the review here -- offline CPU handling. Before highlighting the
case, let me first walk through the online case:

== Online CPU Handling ==

Currently, the microcode loader uses a NMI-based control flow, similar
to the proposed stop_machine_nmi(). When the NMI option is enabled, the
loader invokes stop-machine, and the callback establishes an IPI back to
the local CPU, which then performs the microcode update from NMI context.

The new facility incorporates this logic:

 * Raise self-NMI, then execute the stop function from the handler

With simplification:

 * Replace the static key and per-CPU flag with a cpumask that ensures
   NMI delivery.

Given this, convert this to use the (new) stop-machine API.

== Offline CPU Handling ==

With NMI-based microcode loading, soft-offlined CPUs are also brought
into the rendezvous to avoid unexpected behavior changes (e.g. related
to MWAIT) introduced by new microcode [3].

Today, the boot CPU explicitly fires IPIs to those offline CPUs, which
establishes yet another NMI control path. However, the new stop-machine
facility does not currently account for this case, as it is primarily
shaped for online CPUs.

This patch set is intended to introduce a new NMI stop-machine along with
an existing use case (Intel ucode late-loading), independent of the
dynamic mitigation series.

The commonality, nonetheless, between them lies on online CPU handling.
So, no new facility is introduced for offline CPUs. Instead, the existing
per-CPU flag in the x86 microcode loader continues to gate the handler
without the (now removed) static key.

== Patch Structure ==

 * PATCH 1–6:  Establish the stop-machine NMI facility
 * PATCH 7–10: Incremental refactoring, with offline handling update.

The patch set is available in this repository:
 git://github.com/intel-staging/microcode.git nmi-stop-machine_v2

Testing was performed using late-loading on Intel CPUs, which default to
the NMI-based update path.

Thanks,
Chang

[0] V1: https://lore.kernel.org/lkml/20260125014224.249901-1-chang.seok.bae@xxxxxxxxx/
[1]: https://lore.kernel.org/lkml/20251013143444.3999-1-david.kaplan@xxxxxxx/
[2]: https://youtu.be/2eEPYt5XrCE?si=NUGF2pkqk8MUh9GR&t=1739
[3]: 8f849ff63bcb ("x86/microcode: Handle "offline" CPUs correctly")

Chang S. Bae (9):
  stop_machine: Clarify @cpus == NULL semantics
  stop_machine: Accumulate error code rather than overwrite
  stop_machine: Refactor multi-CPU stop glue code
  stop_machine: Add NMI-based execution path
  stop_machine: Introduce stop_machine_nmi_cpuslocked()
  x86/microcode: Distinguish NMI control path on stop-machine callback
  x86/microcode: Use stop-machine NMI facility
  x86/nmi: Simplify offline microcode handler invocation
  x86/microcode: Remove microcode_nmi_handler_enable

David Kaplan (2):
  x86/apic: Implement self-NMI support
  x86/nmi: Support NMI stop-machine handler

 arch/Kconfig                         |   3 +
 arch/x86/Kconfig                     |   1 +
 arch/x86/include/asm/microcode.h     |  11 --
 arch/x86/kernel/apic/ipi.c           |  10 ++
 arch/x86/kernel/cpu/microcode/core.c |  35 +----
 arch/x86/kernel/nmi.c                |   7 +-
 include/linux/stop_machine.h         |  58 +++++++--
 kernel/stop_machine.c                | 188 +++++++++++++++++++++++----
 8 files changed, 241 insertions(+), 72 deletions(-)


base-commit: 6e45429392a5cdd8168619d7558f7bd6cf706394
-- 
2.51.0