fix(test/vulnerabilities): add exception for TSA before 6.1.153

Manciukic · Manciukic · commit 95dd5c9fd306 · 2025-09-30T14:08:19.000+01:00
TSA is marked as vulnerable as 6.1 kernels before 6.1.153 don't
correctly pass through the CPUID bit to let the guest know that the
microcode is applied (CLEAR_VERW).
We noticed only now as we just updated the guest kernels and they now
contain the TSA mitigation.

Signed-off-by: Riccardo Mancini &lt;mancio@amazon.com&gt;
diff --git a/tests/integration_tests/security/test_vulnerabilities.py b/tests/integration_tests/security/test_vulnerabilities.py
@@ -11,11 +11,13 @@
 
 import pytest
 import requests
+from packaging import version
 
 from framework import utils
 from framework.ab_test import git_clone
 from framework.microvm import MicroVMFactory
 from framework.properties import global_props
+from framework.utils_cpuid import CpuVendor, get_cpu_vendor
 
 CHECKER_URL = "https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh"
 CHECKER_FILENAME = "spectre-meltdown-checker.sh"
@@ -132,8 +134,29 @@ def get_vuln_files_exception_dict(template):
     """
     Returns a dictionary of expected values for vulnerability files requiring special treatment.
     """
+    host_kernel_version = version.parse(utils.get_kernel_version())
+    cpu_vendor = get_cpu_vendor()
     exception_dict = {}
 
+    # Exception for tsa
+    # =============================
+    #
+    # AMD guests on 6.1 hosts before 6.1.153
+    # --------------------------------------------
+    # On 6.1 kernels before 6.1.153 [1], KVM doesn't tell the guest that the microcode with the TSA
+    # mitigation has been applied by setting CPUID.(EAX=0x80000021,ECX=0):EAX[5 (CLEAR_VERW)].
+    # The guest applies the mitigation anyways, but flags it as possibly vulnerable as it cannot
+    # verify that the microcode update has been applied correctly.
+    # [1]: https://github.com/amazonlinux/linux/commit/8d1e0db16431610b5b35737d88595bdd7a08e271
+
+    if (
+        cpu_vendor == CpuVendor.AMD
+        and host_kernel_version.major == 6
+        and host_kernel_version.minor == 1
+        and host_kernel_version.micro < 153
+    ):
+        exception_dict["tsa"] = "Vulnerable: Clear CPU buffers attempted, no microcode"
+
     # Exception for mmio_stale_data
     # =============================
     #
