Skip to content

Commit f101b1a

Browse files
committed
chore: Update fingerprint for VERW_CLEAR bit pass through
The kernel patch [1] passed through CPUID.0x80000021:EAX[5] (VERW_CLEAR) to tell guests that the microcode is applied and the memory form of the VERW instruction can be used to clear the microarchitectural data structures necessary to mitigate TSA-L1 and TSA-SQ. Thanks to it, we can drop the exception for vulnerabilities sysfs check inside guest. In addition to the VERW_CLEAR bit passthrough, the kernel also started always setting CPUID.0x80000021:EAX[9] (NO_SMM_CTL_MSR) since SMM_CTL MSR is not available for KVM guests. [1]: amazonlinux/linux@8d1e0db Signed-off-by: Takahiro Itazuri <[email protected]>
1 parent 99365ff commit f101b1a

File tree

3 files changed

+10
-32
lines changed

3 files changed

+10
-32
lines changed

tests/data/cpu_template_helper/fingerprint_AMD_GENOA_6.1host.json

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,9 @@
11
{
2-
"firecracker_version": "1.13.0-dev",
3-
"kernel_version": "6.1.141-165.249.amzn2023.x86_64",
4-
"microcode_version": "0xa101154",
2+
"firecracker_version": "1.14.0-dev",
3+
"kernel_version": "6.1.153-175.280.amzn2023.x86_64",
4+
"microcode_version": "0xa101156",
55
"bios_version": "1.0",
6-
"bios_revision": "2.21",
6+
"bios_revision": "2.23",
77
"guest_cpu_config": {
88
"kvm_capabilities": [],
99
"cpuid_modifiers": [
@@ -1486,7 +1486,7 @@
14861486
"modifiers": [
14871487
{
14881488
"register": "eax",
1489-
"bitmap": "0b00000000000000000000000001000101"
1489+
"bitmap": "0b00000000000000000000001001100101"
14901490
},
14911491
{
14921492
"register": "ebx",

tests/data/cpu_template_helper/fingerprint_AMD_MILAN_6.1host.json

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,9 @@
11
{
2-
"firecracker_version": "1.13.0-dev",
3-
"kernel_version": "6.1.141-165.249.amzn2023.x86_64",
4-
"microcode_version": "0xa0011db",
2+
"firecracker_version": "1.14.0-dev",
3+
"kernel_version": "6.1.153-175.280.amzn2023.x86_64",
4+
"microcode_version": "0xa0011de",
55
"bios_version": "1.0",
6-
"bios_revision": "0.94",
6+
"bios_revision": "0.98",
77
"guest_cpu_config": {
88
"kvm_capabilities": [],
99
"cpuid_modifiers": [
@@ -1394,7 +1394,7 @@
13941394
"modifiers": [
13951395
{
13961396
"register": "eax",
1397-
"bitmap": "0b00000000000000000000000001000101"
1397+
"bitmap": "0b00000000000000000000001001100101"
13981398
},
13991399
{
14001400
"register": "ebx",

tests/integration_tests/security/test_vulnerabilities.py

Lines changed: 0 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -138,28 +138,6 @@ def get_vuln_files_exception_dict(template):
138138
cpu_vendor = get_cpu_vendor()
139139
exception_dict = {}
140140

141-
# Exception for tsa
142-
# =============================
143-
#
144-
# AMD guests on 6.1 hosts before 6.1.153
145-
# --------------------------------------------
146-
# On 6.1 kernels before 6.1.153 [1], KVM doesn't tell the guest that the microcode with the TSA
147-
# mitigation has been applied by setting CPUID.(EAX=0x80000021,ECX=0):EAX[5 (CLEAR_VERW)].
148-
# The guest applies the mitigation anyways, but flags it as possibly vulnerable as it cannot
149-
# verify that the microcode update has been applied correctly.
150-
# Note that this doesn't affect the T2A template (deprecated) as the presented CPU is older
151-
# and not recognised as being affected by TSA.
152-
# [1]: https://github.com/amazonlinux/linux/commit/8d1e0db16431610b5b35737d88595bdd7a08e271
153-
154-
if (
155-
cpu_vendor == CpuVendor.AMD
156-
and template == "None"
157-
and host_kernel_version.major == 6
158-
and host_kernel_version.minor == 1
159-
and host_kernel_version.micro < 153
160-
):
161-
exception_dict["tsa"] = "Vulnerable: Clear CPU buffers attempted, no microcode"
162-
163141
# Exception for mmio_stale_data
164142
# =============================
165143
#

0 commit comments

Comments
 (0)