
Commit 47dc36b

authored
Merge branch 'main' into dependabot/cargo/firecracker-af4f04985d
2 parents 31540dd + feffd18 commit 47dc36b


1 file changed

+26
-0
lines changed


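--- a/tests/integration_tests/security/test_vulnerabilities.py
+++ b/tests/integration_tests/security/test_vulnerabilities.py
@@ -11,11 +11,13 @@
 
 import pytest
 import requests
+from packaging import version
 
 from framework import utils
 from framework.ab_test import git_clone
 from framework.microvm import MicroVMFactory
 from framework.properties import global_props
+from framework.utils_cpuid import CpuVendor, get_cpu_vendor
 
 CHECKER_URL = "https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh"
 CHECKER_FILENAME = "spectre-meltdown-checker.sh"
@@ -132,8 +134,32 @@ def get_vuln_files_exception_dict(template):
 """
 Returns a dictionary of expected values for vulnerability files requiring special treatment.
 """
+host_kernel_version = version.parse(utils.get_kernel_version())
+cpu_vendor = get_cpu_vendor()
 exception_dict = {}
 
+# Exception for tsa
+# =============================
+#
+# AMD guests on 6.1 hosts before 6.1.153
+# --------------------------------------------
+# On 6.1 kernels before 6.1.153 [1], KVM doesn't tell the guest that the microcode with the TSA
+# mitigation has been applied by setting CPUID.(EAX=0x80000021,ECX=0):EAX[5 (CLEAR_VERW)].
+# The guest applies the mitigation anyways, but flags it as possibly vulnerable as it cannot
+# verify that the microcode update has been applied correctly.
+# Note that this doesn't affect the T2A template (deprecated) as the presented CPU is older
+# and not recognised as being affected by TSA.
+# [1]: https://github.com/amazonlinux/linux/commit/8d1e0db16431610b5b35737d88595bdd7a08e271
+
+if (
+cpu_vendor == CpuVendor.AMD
+and template == "None"
+and host_kernel_version.major == 6
+and host_kernel_version.minor == 1
+and host_kernel_version.micro < 153
+):
+exception_dict["tsa"] = "Vulnerable: Clear CPU buffers attempted, no microcode"
+
 # Exception for mmio_stale_data
 # =============================
 #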
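Review bot: `version.parse(utils.get_kernel_version())` at the top of `get_vuln_files_exception_dict` raises `packaging.version.InvalidVersion` if the helper returns a full distro release string (a raw `uname -r` with a `-<build>.<flavour>` suffix is not PEP 440), which would make every test using this dict error out rather than skip the exception; I cannot see what `get_kernel_version()` returns, so please confirm it yields a bare `major.minor.micro` or normalise it before parsing. The guard `template == "None"` compares against the string `"None"` rather than `None`, which is correct only if the parametrize ids use that string — otherwise the TSA exception is never applied on AMD hosts. The docstring could also record the new inputs, e.g. `Depends on the host kernel version and CPU vendor as well as on *template*.` The function's body continues past the end of this section.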
