chore: Update fingerprint for VERW_CLEAR bit pass through

zulinx86 · Manciukic · commit d749db4bdfff · 2025-10-08T16:10:05.000+01:00
The kernel patch [1] passed through CPUID.0x80000021:EAX[5] (VERW_CLEAR) to tell guests that the microcode is applied and the memory form of the VERW instruction can be used to clear the microarchitectural data structures necessary to mitigate TSA-L1 and TSA-SQ. Thanks to it, we can drop the exception for vulnerabilities sysfs check inside guest. In addition to the VERW_CLEAR bit passthrough, the kernel also started always setting CPUID.0x80000021:EAX[9] (NO_SMM_CTL_MSR) since SMM_CTL MSR is not available for KVM guests. [1]: amazonlinux/linux@8d1e0db Signed-off-by: Takahiro Itazuri <itazur@amazon.com>
diff --git a/tests/data/cpu_template_helper/fingerprint_AMD_GENOA_6.1host.json b/tests/data/cpu_template_helper/fingerprint_AMD_GENOA_6.1host.json
@@ -1,9 +1,9 @@
 {
-  "firecracker_version": "1.13.0-dev",
-  "kernel_version": "6.1.141-165.249.amzn2023.x86_64",
-  "microcode_version": "0xa101154",
+  "firecracker_version": "1.14.0-dev",
+  "kernel_version": "6.1.153-175.280.amzn2023.x86_64",
+  "microcode_version": "0xa101156",
   "bios_version": "1.0",
-  "bios_revision": "2.21",
+  "bios_revision": "2.23",
   "guest_cpu_config": {
     "kvm_capabilities": [],
     "cpuid_modifiers": [
@@ -1486,7 +1486,7 @@
         "modifiers": [
           {
             "register": "eax",
-            "bitmap": "0b00000000000000000000000001000101"
+            "bitmap": "0b00000000000000000000001001100101"
           },
           {
             "register": "ebx",
diff --git a/tests/data/cpu_template_helper/fingerprint_AMD_MILAN_6.1host.json b/tests/data/cpu_template_helper/fingerprint_AMD_MILAN_6.1host.json
@@ -1,9 +1,9 @@
 {
-  "firecracker_version": "1.13.0-dev",
-  "kernel_version": "6.1.141-165.249.amzn2023.x86_64",
-  "microcode_version": "0xa0011db",
+  "firecracker_version": "1.14.0-dev",
+  "kernel_version": "6.1.153-175.280.amzn2023.x86_64",
+  "microcode_version": "0xa0011de",
   "bios_version": "1.0",
-  "bios_revision": "0.94",
+  "bios_revision": "0.98",
   "guest_cpu_config": {
     "kvm_capabilities": [],
     "cpuid_modifiers": [
@@ -1394,7 +1394,7 @@
         "modifiers": [
           {
             "register": "eax",
-            "bitmap": "0b00000000000000000000000001000101"
+            "bitmap": "0b00000000000000000000001001100101"
           },
           {
             "register": "ebx",
diff --git a/tests/integration_tests/security/test_vulnerabilities.py b/tests/integration_tests/security/test_vulnerabilities.py
@@ -11,13 +11,11 @@
 
 import pytest
 import requests
-from packaging import version
 
 from framework import utils
 from framework.ab_test import git_clone
 from framework.microvm import MicroVMFactory
 from framework.properties import global_props
-from framework.utils_cpuid import CpuVendor, get_cpu_vendor
 
 CHECKER_URL = "https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh"
 CHECKER_FILENAME = "spectre-meltdown-checker.sh"
@@ -134,32 +132,8 @@ def get_vuln_files_exception_dict(template):
     """
     Returns a dictionary of expected values for vulnerability files requiring special treatment.
     """
-    host_kernel_version = version.parse(utils.get_kernel_version())
-    cpu_vendor = get_cpu_vendor()
     exception_dict = {}
 
-    # Exception for tsa
-    # =============================
-    #
-    # AMD guests on 6.1 hosts before 6.1.153
-    # --------------------------------------------
-    # On 6.1 kernels before 6.1.153 [1], KVM doesn't tell the guest that the microcode with the TSA
-    # mitigation has been applied by setting CPUID.(EAX=0x80000021,ECX=0):EAX[5 (CLEAR_VERW)].
-    # The guest applies the mitigation anyways, but flags it as possibly vulnerable as it cannot
-    # verify that the microcode update has been applied correctly.
-    # Note that this doesn't affect the T2A template (deprecated) as the presented CPU is older
-    # and not recognised as being affected by TSA.
-    # [1]: https://github.com/amazonlinux/linux/commit/8d1e0db16431610b5b35737d88595bdd7a08e271
-
-    if (
-        cpu_vendor == CpuVendor.AMD
-        and template == "None"
-        and host_kernel_version.major == 6
-        and host_kernel_version.minor == 1
-        and host_kernel_version.micro < 153
-    ):
-        exception_dict["tsa"] = "Vulnerable: Clear CPU buffers attempted, no microcode"
-
     # Exception for mmio_stale_data
     # =============================
     #
