Merge branch 'main' into pci_cleanup

bchalios · web-flow · commit 7caccb7d84ee · 2025-10-01T12:44:16.000+02:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,6 +7,8 @@ updates:
       day: "monday"
     allow:
       - dependency-type: "all"
+    ignore:
+      - dependency-name: "aws-lc-rs"
     groups:
       rust-vmm:
         patterns:
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/vmm/Cargo.toml b/src/vmm/Cargo.toml
@@ -19,7 +19,7 @@ acpi_tables = { path = "../acpi-tables" }
 aes-gcm = { version = "0.10.1", default-features = false, features = ["aes"] }
 anyhow = "1.0.100"
 arrayvec = { version = "0.7.6", optional = true }
-aws-lc-rs = { version = "1.14.1", features = ["bindgen"] }
+aws-lc-rs = { version = "1.14.0", features = ["bindgen"] }
 base64 = "0.22.1"
 bincode = { version = "2.0.1", features = ["serde"] }
 bitflags = "2.9.4"
diff --git a/tests/integration_tests/security/test_vulnerabilities.py b/tests/integration_tests/security/test_vulnerabilities.py
@@ -11,11 +11,13 @@
 
 import pytest
 import requests
+from packaging import version
 
 from framework import utils
 from framework.ab_test import git_clone
 from framework.microvm import MicroVMFactory
 from framework.properties import global_props
+from framework.utils_cpuid import CpuVendor, get_cpu_vendor
 
 CHECKER_URL = "https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh"
 CHECKER_FILENAME = "spectre-meltdown-checker.sh"
@@ -132,8 +134,32 @@ def get_vuln_files_exception_dict(template):
     """
     Returns a dictionary of expected values for vulnerability files requiring special treatment.
     """
+    host_kernel_version = version.parse(utils.get_kernel_version())
+    cpu_vendor = get_cpu_vendor()
     exception_dict = {}
 
+    # Exception for tsa
+    # =============================
+    #
+    # AMD guests on 6.1 hosts before 6.1.153
+    # --------------------------------------------
+    # On 6.1 kernels before 6.1.153 [1], KVM doesn't tell the guest that the microcode with the TSA
+    # mitigation has been applied by setting CPUID.(EAX=0x80000021,ECX=0):EAX[5 (CLEAR_VERW)].
+    # The guest applies the mitigation anyways, but flags it as possibly vulnerable as it cannot
+    # verify that the microcode update has been applied correctly.
+    # Note that this doesn't affect the T2A template (deprecated) as the presented CPU is older
+    # and not recognised as being affected by TSA.
+    # [1]: https://github.com/amazonlinux/linux/commit/8d1e0db16431610b5b35737d88595bdd7a08e271
+
+    if (
+        cpu_vendor == CpuVendor.AMD
+        and template == "None"
+        and host_kernel_version.major == 6
+        and host_kernel_version.minor == 1
+        and host_kernel_version.micro < 153
+    ):
+        exception_dict["tsa"] = "Vulnerable: Clear CPU buffers attempted, no microcode"
+
     # Exception for mmio_stale_data
     # =============================
     #
