diff --git a/tests/data/cpu_template_helper/fingerprint_AMD_GENOA_5.10host.json b/tests/data/cpu_template_helper/fingerprint_AMD_GENOA_5.10host.json index 101a901c4c6..b14fe411f1d 100644 --- a/tests/data/cpu_template_helper/fingerprint_AMD_GENOA_5.10host.json +++ b/tests/data/cpu_template_helper/fingerprint_AMD_GENOA_5.10host.json @@ -1,9 +1,9 @@ { - "firecracker_version": "1.13.0-dev", - "kernel_version": "5.10.238-234.956.amzn2.x86_64", - "microcode_version": "0xa101154", + "firecracker_version": "1.14.0-dev", + "kernel_version": "5.10.244-240.965.amzn2.x86_64", + "microcode_version": "0xa101156", "bios_version": "1.0", - "bios_revision": "2.21", + "bios_revision": "2.23", "guest_cpu_config": { "kvm_capabilities": [], "cpuid_modifiers": [ @@ -1494,7 +1494,7 @@ }, { "register": "ecx", - "bitmap": "0b00000000000000000010000000000000" + "bitmap": "0b00000000000000000110000000000000" }, { "register": "edx", @@ -1502,7 +1502,6 @@ } ] } - ], "msr_modifiers": [ { @@ -1635,4 +1634,4 @@ } ] } -} +} \ No newline at end of file diff --git a/tests/data/cpu_template_helper/fingerprint_AMD_GENOA_6.1host.json b/tests/data/cpu_template_helper/fingerprint_AMD_GENOA_6.1host.json index 4aab22a404d..dc7a9b8ea8e 100644 --- a/tests/data/cpu_template_helper/fingerprint_AMD_GENOA_6.1host.json +++ b/tests/data/cpu_template_helper/fingerprint_AMD_GENOA_6.1host.json @@ -1,9 +1,9 @@ { - "firecracker_version": "1.13.0-dev", - "kernel_version": "6.1.141-165.249.amzn2023.x86_64", - "microcode_version": "0xa101154", + "firecracker_version": "1.14.0-dev", + "kernel_version": "6.1.153-175.280.amzn2023.x86_64", + "microcode_version": "0xa101156", "bios_version": "1.0", - "bios_revision": "2.21", + "bios_revision": "2.23", "guest_cpu_config": { "kvm_capabilities": [], "cpuid_modifiers": [ @@ -1486,7 +1486,7 @@ "modifiers": [ { "register": "eax", - "bitmap": "0b00000000000000000000000001000101" + "bitmap": "0b00000000000000000000001001100101" }, { "register": "ebx", 
diff --git a/tests/data/cpu_template_helper/fingerprint_AMD_MILAN_5.10host.json b/tests/data/cpu_template_helper/fingerprint_AMD_MILAN_5.10host.json index 9281503432c..e61fe44b885 100644 --- a/tests/data/cpu_template_helper/fingerprint_AMD_MILAN_5.10host.json +++ b/tests/data/cpu_template_helper/fingerprint_AMD_MILAN_5.10host.json @@ -1,9 +1,9 @@ { - "firecracker_version": "1.13.0-dev", - "kernel_version": "5.10.238-234.956.amzn2.x86_64", - "microcode_version": "0xa0011db", + "firecracker_version": "1.14.0-dev", + "kernel_version": "5.10.244-240.965.amzn2.x86_64", + "microcode_version": "0xa0011de", "bios_version": "1.0", - "bios_revision": "0.94", + "bios_revision": "0.98", "guest_cpu_config": { "kvm_capabilities": [], "cpuid_modifiers": [ @@ -1402,7 +1402,7 @@ }, { "register": "ecx", - "bitmap": "0b00000000000000000010000000000000" + "bitmap": "0b00000000000000000110000000000000" }, { "register": "edx", @@ -1542,4 +1542,4 @@ } ] } -} +} \ No newline at end of file diff --git a/tests/data/cpu_template_helper/fingerprint_AMD_MILAN_6.1host.json b/tests/data/cpu_template_helper/fingerprint_AMD_MILAN_6.1host.json index 510d2c5d4fe..dc03e308dd6 100644 --- a/tests/data/cpu_template_helper/fingerprint_AMD_MILAN_6.1host.json +++ b/tests/data/cpu_template_helper/fingerprint_AMD_MILAN_6.1host.json @@ -1,9 +1,9 @@ { - "firecracker_version": "1.13.0-dev", - "kernel_version": "6.1.141-165.249.amzn2023.x86_64", - "microcode_version": "0xa0011db", + "firecracker_version": "1.14.0-dev", + "kernel_version": "6.1.153-175.280.amzn2023.x86_64", + "microcode_version": "0xa0011de", "bios_version": "1.0", - "bios_revision": "0.94", + "bios_revision": "0.98", "guest_cpu_config": { "kvm_capabilities": [], "cpuid_modifiers": [ @@ -1394,7 +1394,7 @@ "modifiers": [ { "register": "eax", - "bitmap": "0b00000000000000000000000001000101" + "bitmap": "0b00000000000000000000001001100101" }, { "register": "ebx", 
diff --git a/tests/integration_tests/security/test_vulnerabilities.py b/tests/integration_tests/security/test_vulnerabilities.py
index 61314208950..b787196f6f5 100644
--- a/tests/integration_tests/security/test_vulnerabilities.py
+++ b/tests/integration_tests/security/test_vulnerabilities.py
@@ -11,13 +11,11 @@
 import pytest
 import requests
-from packaging import version
 from framework import utils
 from framework.ab_test import git_clone
 from framework.microvm import MicroVMFactory
 from framework.properties import global_props
-from framework.utils_cpuid import CpuVendor, get_cpu_vendor
 CHECKER_URL = "https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh"
 CHECKER_FILENAME = "spectre-meltdown-checker.sh"
@@ -134,32 +132,8 @@ def get_vuln_files_exception_dict(template): """ Returns a dictionary of expected values for vulnerability files requiring special treatment. """ - host_kernel_version = version.parse(utils.get_kernel_version()) - cpu_vendor = get_cpu_vendor() exception_dict = {} - # Exception for tsa - # ============================= - # - # AMD guests on 6.1 hosts before 6.1.153 - # -------------------------------------------- - # On 6.1 kernels before 6.1.153 [1], KVM doesn't tell the guest that the microcode with the TSA - # mitigation has been applied by setting CPUID.(EAX=0x80000021,ECX=0):EAX[5 (CLEAR_VERW)]. - # The guest applies the mitigation anyways, but flags it as possibly vulnerable as it cannot - # verify that the microcode update has been applied correctly. - # Note that this doesn't affect the T2A template (deprecated) as the presented CPU is older - # and not recognised as being affected by TSA. - # [1]: https://github.com/amazonlinux/linux/commit/8d1e0db16431610b5b35737d88595bdd7a08e271 - - if ( - cpu_vendor == CpuVendor.AMD - and template == "None" - and host_kernel_version.major == 6 - and host_kernel_version.minor == 1 - and host_kernel_version.micro < 153 - ): - exception_dict["tsa"] = "Vulnerable: Clear CPU buffers attempted, no microcode" - # Exception for mmio_stale_data # ============================= #