61 lines
2.2 KiB
Diff
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Wed, 23 Oct 2019 12:23:33 +0200
Subject: kvm/x86: Export MDS_NO=0 to guests when TSX is enabled

commit e1d38b63acd843cfdd4222bf19a26700fd5c699e upstream

Export the IA32_ARCH_CAPABILITIES MSR bit MDS_NO=0 to guests on TSX
Async Abort (TAA) affected hosts that have TSX enabled and updated
microcode. This is required so that the guests don't complain,

  "Vulnerable: Clear CPU buffers attempted, no microcode"

when the host has the updated microcode to clear CPU buffers.

Microcode update also adds support for MSR_IA32_TSX_CTRL which is
enumerated by the ARCH_CAP_TSX_CTRL bit in IA32_ARCH_CAPABILITIES MSR.
Guests can't do this check themselves when the ARCH_CAP_TSX_CTRL bit is
not exported to the guests.

In this case export MDS_NO=0 to the guests. When guests have
CPUID.MD_CLEAR=1, they deploy MDS mitigation which also mitigates TAA.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
---
arch/x86/kvm/x86.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1134,6 +1134,25 @@ u64 kvm_get_arch_capabilities(void)
if (!boot_cpu_has_bug(X86_BUG_MDS))
data |= ARCH_CAP_MDS_NO;

+ /*
+ * On TAA affected systems, export MDS_NO=0 when:
+ * - TSX is enabled on the host, i.e. X86_FEATURE_RTM=1.
+ * - Updated microcode is present. This is detected by
+ * the presence of ARCH_CAP_TSX_CTRL_MSR and ensures
+ * that VERW clears CPU buffers.
+ *
+ * When MDS_NO=0 is exported, guests deploy clear CPU buffer
+ * mitigation and don't complain:
+ *
+ * "Vulnerable: Clear CPU buffers attempted, no microcode"
+ *
+ * If TSX is disabled on the system, guests are also mitigated against
+ * TAA and clear CPU buffer mitigation is not required for guests.
+ */
+ if (boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM) &&
+ (data & ARCH_CAP_TSX_CTRL_MSR))
+ data &= ~ARCH_CAP_MDS_NO;
+
return data;
}
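Review bot: The comment block covers two cases (TSX enabled with updated microcode, TSX disabled) but the condition has a third: X86_BUG_TAA set, X86_FEATURE_RTM set and ARCH_CAP_TSX_CTRL_MSR absent, i.e. a TAA-affected host with TSX on and old microcode. There MDS_NO is left as the host reports it, so a guest on an MDS_NO=1 part still sees MDS_NO=1 with no TSX_CTRL and keeps reporting "Vulnerable: Clear CPU buffers attempted, no microcode", which is the right outcome because VERW does not clear the buffers on such a host; one line in the comment saying that this case is intentionally left alone would stop the next reader from taking it for a missed branch. Separately, the microcode check tests `data & ARCH_CAP_TSX_CTRL_MSR`, the value being assembled for the guest, rather than the host MSR itself; the commit message says this bit is not exported to guests, so if the code that strips it is ever placed before this check the condition silently never fires. Testing a host-side copy of IA32_ARCH_CAPABILITIES, or a comment pinning the ordering, would make it robust.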
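The commit message describes a two-sided mechanism: the host decides which IA32_ARCH_CAPABILITIES bits the guest sees, and the guest picks its TAA mitigation from those bits plus its own CPUID. The following user-space model is an added example, not kernel code from this patch or from KVM. The host side mirrors the check in the hunk; the guest-side rule (MDS_NO=1 with no visible TSX_CTRL means the guest cannot trust VERW and reports "Vulnerable: Clear CPU buffers attempted, no microcode", MDS_NO=0 with MD_CLEAR means VERW) is a reconstruction of the behaviour the message describes, and the hide_tsx_ctrl knob is an assumption standing in for wherever KVM stops exporting ARCH_CAP_TSX_CTRL to the guest. The sample hosts are constructed.

```c
/*
 * Added example (not kernel code): a user-space model of the MDS_NO export
 * decision from this patch, paired with a reconstruction of how a Linux
 * guest picks its TAA mitigation from the exported IA32_ARCH_CAPABILITIES
 * bits. The guest-side rule and the "hide_tsx_ctrl" knob are assumptions
 * made to reproduce the behaviour the commit message describes.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* IA32_ARCH_CAPABILITIES bit positions (Intel SDM; same as msr-index.h). */
#define ARCH_CAP_MDS_NO        (1ULL << 5)
#define ARCH_CAP_TSX_CTRL_MSR  (1ULL << 7)

struct host {
	uint64_t arch_caps;	/* raw IA32_ARCH_CAPABILITIES read on the host */
	bool bug_mds;		/* X86_BUG_MDS set on the host */
	bool bug_taa;		/* X86_BUG_TAA set on the host */
	bool rtm;		/* X86_FEATURE_RTM: TSX enabled on the host */
};

/*
 * Host side: the IA32_ARCH_CAPABILITIES value KVM hands to the guest.
 * "patched" applies the check added by this commit; "hide_tsx_ctrl" models
 * the situation the commit message describes, where ARCH_CAP_TSX_CTRL is
 * not exported to the guest (assumed to happen after the patched check).
 */
uint64_t export_arch_caps(const struct host *h, bool patched, bool hide_tsx_ctrl)
{
	uint64_t data = h->arch_caps;

	if (!h->bug_mds)
		data |= ARCH_CAP_MDS_NO;

	/* TAA-affected, TSX on, microcode enumerates TSX_CTRL: force MDS_NO=0. */
	if (patched && h->bug_taa && h->rtm && (data & ARCH_CAP_TSX_CTRL_MSR))
		data &= ~ARCH_CAP_MDS_NO;

	if (hide_tsx_ctrl)
		data &= ~ARCH_CAP_TSX_CTRL_MSR;

	return data;
}

enum taa_state { TAA_TSX_DISABLED, TAA_VERW, TAA_UCODE_NEEDED };

/*
 * Guest side (reconstructed): decide the TAA mitigation from the exported
 * capabilities plus the guest's own CPUID RTM and MD_CLEAR bits.
 */
enum taa_state guest_taa_mitigation(uint64_t caps, bool guest_rtm, bool guest_md_clear)
{
	if (!guest_rtm)
		return TAA_TSX_DISABLED;

	/*
	 * MDS_NO=1 with no visible TSX_CTRL: the guest cannot tell whether the
	 * host microcode makes VERW clear the buffers, so it reports
	 * "Vulnerable: Clear CPU buffers attempted, no microcode".
	 */
	if ((caps & ARCH_CAP_MDS_NO) && !(caps & ARCH_CAP_TSX_CTRL_MSR))
		return TAA_UCODE_NEEDED;

	/* MDS_NO=0: the MDS path is used, which needs MD_CLEAR for VERW. */
	return guest_md_clear ? TAA_VERW : TAA_UCODE_NEEDED;
}

static const char *taa_str(enum taa_state s)
{
	switch (s) {
	case TAA_TSX_DISABLED: return "Mitigation: TSX disabled";
	case TAA_VERW:         return "Mitigation: Clear CPU buffers";
	default:               return "Vulnerable: Clear CPU buffers attempted, no microcode";
	}
}

/* Constructed sample hosts: an MDS_NO=1 part that is still TAA-affected. */
const struct host host_new_ucode = { ARCH_CAP_TSX_CTRL_MSR, false, true, true };
const struct host host_old_ucode = { 0,                     false, true, true };
const struct host host_tsx_off   = { ARCH_CAP_TSX_CTRL_MSR, false, true, false };

int main(void)
{
	const struct { const char *name; const struct host *h; bool patched; bool guest_rtm; } cases[] = {
		{ "new ucode, unpatched KVM", &host_new_ucode, false, true },
		{ "new ucode, patched KVM",   &host_new_ucode, true,  true },
		{ "old ucode, patched KVM",   &host_old_ucode, true,  true },
		{ "TSX off, patched KVM",     &host_tsx_off,   true,  false },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		uint64_t caps = export_arch_caps(cases[i].h, cases[i].patched, true);
		enum taa_state s = guest_taa_mitigation(caps, cases[i].guest_rtm, true);
		printf("%-26s MDS_NO=%d -> %s\n", cases[i].name,
		       (int)!!(caps & ARCH_CAP_MDS_NO), taa_str(s));
	}
	return 0;
}
```

Running the four cases shows the point of the patch: on the same MDS_NO=1 host with updated microcode, the unpatched export leaves the guest on the "no microcode" complaint, while the patched export drops MDS_NO to 0 and a guest with MD_CLEAR lands on VERW. The old-microcode host keeps MDS_NO=1 and the complaint stands, which is correct because VERW does not clear buffers there; with TSX disabled the host side is untouched and the guest reports TSX disabled.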