| Message ID | 20240805202041.5936-1-farosas@suse.de (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | target/i386: Expose IBPB-BRTYPE and SBPB CPUID bits to the guest | expand |
Fabiano Rosas <farosas@suse.de> writes: > According to AMD's Speculative Return Stack Overflow whitepaper (link > below), the hypervisor should synthesize the value of IBPB_BRTYPE and > SBPB CPUID bits to the guest. > > Support for this is already present in the kernel with commit > e47d86083c66 ("KVM: x86: Add SBPB support") and commit 6f0f23ef76be > ("KVM: x86: Add IBPB_BRTYPE support"). > > Add support in QEMU to expose the bits to the guest OS. > > host: > # cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow > Mitigation: Safe RET > > before (guest): > $ cpuid -l 0x80000021 -1 -r > 0x80000021 0x00: eax=0x00000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000 > ^ > $ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow > Vulnerable: Safe RET, no microcode > > after (guest): > $ cpuid -l 0x80000021 -1 -r > 0x80000021 0x00: eax=0x18000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000 > ^ > $ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow > Mitigation: Safe RET > > Reported-by: Fabian Vogt <fvogt@suse.de> > Link: https://www.amd.com/content/dam/amd/en/documents/corporate/cr/speculative-return-stack-overflow-whitepaper.pdf > Signed-off-by: Fabiano Rosas <farosas@suse.de> > --- > More info on this thread: > https://lore.kernel.org/r/68f8b8b1ca1bf58b059f52afbd1c9c51108a074a.camel@suse.com > --- > target/i386/cpu.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/target/i386/cpu.c b/target/i386/cpu.c > index 85ef7452c0..d33401c922 100644 > --- a/target/i386/cpu.c > +++ b/target/i386/cpu.c > @@ -1221,8 +1221,8 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { > NULL, NULL, NULL, NULL, > NULL, NULL, NULL, NULL, > NULL, NULL, NULL, NULL, > - NULL, NULL, NULL, NULL, > - NULL, NULL, NULL, NULL, > + NULL, NULL, NULL, "sbpb", > + "ibpb-brtype", NULL, NULL, NULL, > }, > .cpuid = { .eax = 0x80000021, .reg = R_EAX, }, > .tcg_features = 0, Ping, any thoughts on this one?
Queued, thanks. Paolo
diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 85ef7452c0..d33401c922 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1221,8 +1221,8 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, + NULL, NULL, NULL, "sbpb", + "ibpb-brtype", NULL, NULL, NULL, }, .cpuid = { .eax = 0x80000021, .reg = R_EAX, }, .tcg_features = 0,
According to AMD's Speculative Return Stack Overflow whitepaper (link below), the hypervisor should synthesize the value of IBPB_BRTYPE and SBPB CPUID bits to the guest. Support for this is already present in the kernel with commit e47d86083c66 ("KVM: x86: Add SBPB support") and commit 6f0f23ef76be ("KVM: x86: Add IBPB_BRTYPE support"). Add support in QEMU to expose the bits to the guest OS. host: # cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Mitigation: Safe RET before (guest): $ cpuid -l 0x80000021 -1 -r 0x80000021 0x00: eax=0x00000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000 ^ $ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Vulnerable: Safe RET, no microcode after (guest): $ cpuid -l 0x80000021 -1 -r 0x80000021 0x00: eax=0x18000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000 ^ $ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Mitigation: Safe RET Reported-by: Fabian Vogt <fvogt@suse.de> Link: https://www.amd.com/content/dam/amd/en/documents/corporate/cr/speculative-return-stack-overflow-whitepaper.pdf Signed-off-by: Fabiano Rosas <farosas@suse.de> --- More info on this thread: https://lore.kernel.org/r/68f8b8b1ca1bf58b059f52afbd1c9c51108a074a.camel@suse.com --- target/i386/cpu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)