fix(vmm): Disable perfmon and debug capability

We completely disabled the PMU on CPUID.0AH in 58b71f0 ("cpuid:
disable performance monitor unit") to prevent an attacker from
redirecting control flow to malicious code.

On the other hand, Firecracker left CPUID:01H.ECX[bit 15] as it is,
which indicates the processor supports the performance and debug feature
indication IA32_PERF_CAPABILITIES MSR enumerating the existence of
performance monitoring features.

Thit bit is set to 1 on Intel CPUs + kernel 5.10 by default. And now
the custom CPU template feature allows users to set to 1. To prevent
users and newer kernels from enabling it, this commit disables it in
CPUID normalization process.

Signed-off-by: Takahiro Itazuri <[email protected]>

Author: zulinx86

CHANGELOG.md

@@ -22,6 +22,7 @@
   [#3542](https://github.com/firecracker-microvm/firecracker/issues/3542).
 - A race condition that has been identified between the API thread and the VMM
   thread due to a misconfiguration of the `api_event_fd`.
+- Fixed CPUID leaf 0x1 to disable perfmon and debug feature on x86 host.
 
 ## [1.3.0]
 

docs/cpu_templates/cpuid-normalization.md

@@ -16,6 +16,7 @@ See also: [boot protocol settings](boot-protocol.md)
 | Set CLFLUSH line size                                                                | 0x1  | -       | EBX      | 15:8  |
 | Set maximum number of addressable IDs for logical processors in the physical package | 0x1  | -       | EBX      | 23:16 |
 | Set initial APIC ID                                                                  | 0x1  | -       | EBX      | 31:24 |
+| Disable PDCM (Perfmon and Debug Capability)                                          | 0x1  | -       | ECX      | 15    |
 | Enable TSC_DEADLINE                                                                  | 0x1  | -       | ECX      | 24    |
 | Enable HYPERVISOR                                                                    | 0x1  | -       | ECX      | 31    |
 | Set HTT value if the microVM's CPU count is greater than 1                           | 0x1  | -       | EDX      | 28    |

resources/tests/cpu_template_helper/fingerprint_AMD_MILAN_4.14host.json

@@ -1,6 +1,6 @@
 {
-  "firecracker_version": "1.4.0-dev",
-  "kernel_version": "4.14.311-233.529.amzn2.x86_64",
+  "firecracker_version": "1.5.0-dev",
+  "kernel_version": "4.14.313-235.533.amzn2.x86_64",
   "microcode_version": "0xa001173",
   "bios_version": "1.0",
   "bios_revision": "5.22",

resources/tests/cpu_template_helper/fingerprint_AMD_MILAN_5.10host.json

@@ -1,6 +1,6 @@
 {
-  "firecracker_version": "1.4.0-dev",
-  "kernel_version": "5.10.177-158.645.amzn2.x86_64",
+  "firecracker_version": "1.5.0-dev",
+  "kernel_version": "5.10.178-162.673.amzn2.x86_64",
   "microcode_version": "0xa001173",
   "bios_version": "1.0",
   "bios_revision": "5.22",
@@ -1421,10 +1421,6 @@
         "addr": "0x277",
         "bitmap": "0b0000000000000111000001000000011000000000000001110000010000000110"
       },
-      {
-        "addr": "0x345",
-        "bitmap": "0b0000000000000000000000000000000000000000000000000000000000000000"
-      },
       {
         "addr": "0x6e0",
         "bitmap": "0b0000000000000000000000000000000000000000000000000000000000000000"

resources/tests/cpu_template_helper/fingerprint_ARM_NEOVERSE_N1_4.14host.json

@@ -1,6 +1,6 @@
 {
-  "firecracker_version": "1.4.0-dev",
-  "kernel_version": "4.14.311-233.529.amzn2.aarch64",
+  "firecracker_version": "1.5.0-dev",
+  "kernel_version": "4.14.313-235.533.amzn2.aarch64",
   "microcode_version": "0x00000000000000ff",
   "bios_version": "1.0",
   "bios_revision": "1.0",

resources/tests/cpu_template_helper/fingerprint_ARM_NEOVERSE_N1_5.10host.json

@@ -1,6 +1,6 @@
 {
-  "firecracker_version": "1.4.0-dev",
-  "kernel_version": "5.10.177-158.645.amzn2.aarch64",
+  "firecracker_version": "1.5.0-dev",
+  "kernel_version": "5.10.178-162.673.amzn2.aarch64",
   "microcode_version": "0x00000000000000ff",
   "bios_version": "1.0",
   "bios_revision": "1.0",

resources/tests/cpu_template_helper/fingerprint_ARM_NEOVERSE_V1_4.14host.json

@@ -1,6 +1,6 @@
 {
-  "firecracker_version": "1.4.0-dev",
-  "kernel_version": "4.14.311-233.529.amzn2.aarch64",
+  "firecracker_version": "1.5.0-dev",
+  "kernel_version": "4.14.313-235.533.amzn2.aarch64",
   "microcode_version": "0x0000000000000001",
   "bios_version": "1.0",
   "bios_revision": "1.0",

resources/tests/cpu_template_helper/fingerprint_ARM_NEOVERSE_V1_5.10host.json

@@ -1,6 +1,6 @@
 {
-  "firecracker_version": "1.4.0-dev",
-  "kernel_version": "5.10.177-158.645.amzn2.aarch64",
+  "firecracker_version": "1.5.0-dev",
+  "kernel_version": "5.10.178-162.673.amzn2.aarch64",
   "microcode_version": "0x0000000000000001",
   "bios_version": "1.0",
   "bios_revision": "1.0",

resources/tests/cpu_template_helper/fingerprint_INTEL_CASCADELAKE_4.14host.json

@@ -1,6 +1,6 @@
 {
-  "firecracker_version": "1.4.0-dev",
-  "kernel_version": "4.14.311-233.529.amzn2.x86_64",
+  "firecracker_version": "1.5.0-dev",
+  "kernel_version": "4.14.313-235.533.amzn2.x86_64",
   "microcode_version": "0x5003302",
   "bios_version": "1.0",
   "bios_revision": "3.65",

resources/tests/cpu_template_helper/fingerprint_INTEL_CASCADELAKE_5.10host.json

@@ -1,6 +1,6 @@
 {
-  "firecracker_version": "1.4.0-dev",
-  "kernel_version": "5.10.177-158.645.amzn2.x86_64",
+  "firecracker_version": "1.5.0-dev",
+  "kernel_version": "5.10.178-162.673.amzn2.x86_64",
   "microcode_version": "0x5003302",
   "bios_version": "1.0",
   "bios_revision": "3.65",
@@ -44,7 +44,7 @@
           },
           {
             "register": "ecx",
-            "bitmap": "0b11110111111110101011001000100011"
+            "bitmap": "0b11110111111110100011001000100011"
           },
           {
             "register": "edx",
@@ -1153,10 +1153,6 @@
         "addr": "0x277",
         "bitmap": "0b0000000000000111000001000000011000000000000001110000010000000110"
       },
-      {
-        "addr": "0x345",
-        "bitmap": "0b0000000000000000000000000000000000000000000000000010000000000000"
-      },
       {
         "addr": "0x6e0",
         "bitmap": "0b0000000000000000000000000000000000000000000000000000000000000000"