kernel / kernel-source

Clone
Source Code
GIT

Files

ALP-current ALP-current-GA ALP-current-RT ALP-current-RT-GA SLE12-SP5 SLE12-SP5-AZURE SLE12-SP5-RT SLE15-SP2-EB SLE15-SP3-RT-LTSS SLE15-SP4-RT-LTSS SLE15-SP5 SLE15-SP5-AZURE SLE15-SP5-RT SLE15-SP6 SLE15-SP6-AZURE SLE15-SP6-AZURE-GA SLE15-SP6-GA SLE15-SP6-RT SLE15-SP6-RT-GA linux-next master packaging scripts slowroll stable vanilla
  1.   SLE12-SP5
  2.   patches.suse
  3.   kvm-add-gds_no-support-to-kvm.patch
Blob Blame History Raw 
From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Date: Wed, 12 Jul 2023 19:43:14 -0700
Subject: KVM: Add GDS_NO support to KVM
Git-commit: 81ac7e5d741742d650b4ed6186c4826c1a0631a7
Patch-mainline: v6.6 or v6.5-rc3 (next release)
References: bsc#1206418, CVE-2022-40982

Gather Data Sampling (GDS) is a transient execution attack using
gather instructions from the AVX2 and AVX512 extensions. This attack
allows malicious code to infer data that was previously stored in
vector registers. Systems that are not vulnerable to GDS will set the
GDS_NO bit of the IA32_ARCH_CAPABILITIES MSR. This is useful for VM
guests that may think they are on vulnerable systems that are, in
fact, not affected. Guests that are running on affected hosts where
the mitigation is enabled are protected as if they were running
on an unaffected system.

On all hosts that are not affected or that are mitigated, set the
GDS_NO bit.

Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
Acked-by: Nikolay Borisov <nik.borisov@suse.com>
---
 arch/x86/kernel/cpu/bugs.c |    7 +++++++
 arch/x86/kvm/x86.c         |    5 +++++
 2 files changed, 12 insertions(+)

--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -654,6 +654,13 @@ static const char * const gds_strings[]
 	[GDS_MITIGATION_HYPERVISOR]	= "Unknown: Dependent on hypervisor status",
 };

+bool gds_ucode_mitigated(void)
+{
+	return (gds_mitigation == GDS_MITIGATION_FULL ||
+		gds_mitigation == GDS_MITIGATION_FULL_LOCKED);
+}
+EXPORT_SYMBOL_GPL(gds_ucode_mitigated);
+
 void update_gds_msr(void)
 {
 	u64 mcu_ctrl_after;
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -518,6 +518,8 @@ void kvm_requeue_exception_e(struct kvm_
 }
 EXPORT_SYMBOL_GPL(kvm_requeue_exception_e);

+extern bool gds_ucode_mitigated(void);
+
 /*
  * Checks if cpl <= required_cpl; if true, return true.  Otherwise queue
  * a #GP and return false.
@@ -1131,6 +1133,9 @@ u64 kvm_get_arch_capabilities(void)
 	/* Guests don't need to know "Fill buffer clear control" exists */
 	data &= ~ARCH_CAP_FB_CLEAR_CTRL;

+	if (!boot_cpu_has_bug(X86_BUG_GDS) || gds_ucode_mitigated())
+		data |= ARCH_CAP_GDS_NO;
+
 	return data;
 }
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.