From ac342ede5b69e2b780d783fb7b52b43da65528dc Mon Sep 17 00:00:00 2001
From: Riccardo Mancini
Date: Tue, 30 Sep 2025 12:37:33 +0100
Subject: [PATCH] fix(test/vulnerabilities): add exception for TSA before 6.1.153

TSA is marked as vulnerable as 6.1 kernels before 6.1.153 don't correctly pass through the CPUID bit to let the guest know that the microcode is applied (CLEAR_VERW). We noticed only now as we just updated the guest kernels and they now contain the TSA mitigation.

Signed-off-by: Riccardo Mancini
---
 .../security/test_vulnerabilities.py | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/tests/integration_tests/security/test_vulnerabilities.py b/tests/integration_tests/security/test_vulnerabilities.py
index b787196f6f5..61314208950 100644
--- a/tests/integration_tests/security/test_vulnerabilities.py
+++ b/tests/integration_tests/security/test_vulnerabilities.py
@@ -11,11 +11,13 @@
 import pytest
 import requests
+from packaging import version
 
 from framework import utils
 from framework.ab_test import git_clone
 from framework.microvm import MicroVMFactory
 from framework.properties import global_props
+from framework.utils_cpuid import CpuVendor, get_cpu_vendor
 
 CHECKER_URL = "https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh"
 CHECKER_FILENAME = "spectre-meltdown-checker.sh"
 
@@ -132,8 +134,32 @@ def get_vuln_files_exception_dict(template):
     """
     Returns a dictionary of expected values for vulnerability files requiring special treatment.
     """
+    host_kernel_version = version.parse(utils.get_kernel_version())
+    cpu_vendor = get_cpu_vendor()
     exception_dict = {}
 
+    # Exception for tsa
+    # =============================
+    #
+    # AMD guests on 6.1 hosts before 6.1.153
+    # --------------------------------------------
+    # On 6.1 kernels before 6.1.153 [1], KVM doesn't tell the guest that the microcode with the TSA
+    # mitigation has been applied by setting CPUID.(EAX=0x80000021,ECX=0):EAX[5 (CLEAR_VERW)].
+    # The guest applies the mitigation anyways, but flags it as possibly vulnerable as it cannot
+    # verify that the microcode update has been applied correctly.
+    # Note that this doesn't affect the T2A template (deprecated) as the presented CPU is older
+    # and not recognised as being affected by TSA.
+    # [1]: https://github.com/amazonlinux/linux/commit/8d1e0db16431610b5b35737d88595bdd7a08e271
+
+    if (
+        cpu_vendor == CpuVendor.AMD
+        and template == "None"
+        and host_kernel_version.major == 6
+        and host_kernel_version.minor == 1
+        and host_kernel_version.micro < 153
+    ):
+        exception_dict["tsa"] = "Vulnerable: Clear CPU buffers attempted, no microcode"
+
     # Exception for mmio_stale_data
     # =============================
     #
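Review bot: The new tsa branch keys on `template == "None"`, which only matches when callers pass the no-template case as the literal string; if that case is ever supplied as the Python `None`, the exception silently never applies and the test keeps failing on these hosts, so confirm against the parametrization that supplies `template`. The comment block should also say what the exception costs: on matching hosts it accepts the `no microcode` verdict, so a host genuinely missing the TSA microcode update is indistinguishable from the KVM CPUID passthrough gap until the host moves to 6.1.153 or later, e.g. `# NOTE: while this exception is active, a genuinely missing TSA microcode update on such hosts is not detected.` The three-way major/minor/micro comparison can be a single range check that reads like the prose above it, `version.Version("6.1") <= host_kernel_version < version.Version("6.1.153")`. `version.parse` raises `InvalidVersion` on a non-PEP 440 string, so this relies on `utils.get_kernel_version()` returning a bare major.minor.patch rather than a distro-suffixed release; that helper is not visible here. get_vuln_files_exception_dict starts and ends outside the hunk.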