|
11 | 11 |
|
12 | 12 | import pytest |
13 | 13 | import requests |
| 14 | +from packaging import version |
14 | 15 |
|
15 | 16 | from framework import utils |
16 | 17 | from framework.ab_test import git_clone |
17 | 18 | from framework.microvm import MicroVMFactory |
18 | 19 | from framework.properties import global_props |
| 20 | +from framework.utils_cpuid import CpuVendor, get_cpu_vendor |
19 | 21 |
|
20 | 22 | CHECKER_URL = "https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh" |
21 | 23 | CHECKER_FILENAME = "spectre-meltdown-checker.sh" |
@@ -132,8 +134,32 @@ def get_vuln_files_exception_dict(template): |
132 | 134 | """ |
133 | 135 | Returns a dictionary of expected values for vulnerability files requiring special treatment. |
134 | 136 | """ |
| 137 | + host_kernel_version = version.parse(utils.get_kernel_version()) |
| 138 | + cpu_vendor = get_cpu_vendor() |
135 | 139 | exception_dict = {} |
136 | 140 |
|
| 141 | + # Exception for tsa |
| 142 | + # ============================= |
| 143 | + # |
| 144 | + # AMD guests on 6.1 hosts before 6.1.153 |
| 145 | + # -------------------------------------------- |
| 146 | + # On 6.1 kernels before 6.1.153 [1], KVM doesn't tell the guest that the microcode with the TSA |
| 147 | + # mitigation has been applied by setting CPUID.(EAX=0x80000021,ECX=0):EAX[5 (CLEAR_VERW)]. |
| 148 | + # The guest applies the mitigation anyways, but flags it as possibly vulnerable as it cannot |
| 149 | + # verify that the microcode update has been applied correctly. |
| 150 | + # Note that this doesn't affect the T2A template (deprecated) as the presented CPU is older |
| 151 | + # and not recognised as being affected by TSA. |
| 152 | + # [1]: https://github.com/amazonlinux/linux/commit/8d1e0db16431610b5b35737d88595bdd7a08e271 |
| 153 | + |
| 154 | + if ( |
| 155 | + cpu_vendor == CpuVendor.AMD |
| 156 | + and template == "None" |
| 157 | + and host_kernel_version.major == 6 |
| 158 | + and host_kernel_version.minor == 1 |
| 159 | + and host_kernel_version.micro < 153 |
| 160 | + ): |
| 161 | + exception_dict["tsa"] = "Vulnerable: Clear CPU buffers attempted, no microcode" |
| 162 | + |
137 | 163 | # Exception for mmio_stale_data |
138 | 164 | # ============================= |
139 | 165 | # |
|
0 commit comments