kvm/x86: Export MDS_NO=0 to guests when TSX is enabled
Export the IA32_ARCH_CAPABILITIES MSR bit MDS_NO=0 to guests on TSX Async Abort(TAA) affected hosts that have TSX enabled and updated microcode. This is required so that the guests don't complain, "Vulnerable: Clear CPU buffers attempted, no microcode" when the host has the updated microcode to clear CPU buffers. Microcode update also adds support for MSR_IA32_TSX_CTRL which is enumerated by the ARCH_CAP_TSX_CTRL bit in IA32_ARCH_CAPABILITIES MSR. Guests can't do this check themselves when the ARCH_CAP_TSX_CTRL bit is not exported to the guests. In this case export MDS_NO=0 to the guests. When guests have CPUID.MD_CLEAR=1, they deploy MDS mitigation which also mitigates TAA. Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> Signed-off-by: Borislav Petkov <bp@suse.de> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Tested-by: Neelima Krishnan <neelima.krishnan@intel.com> Reviewed-by: Tony Luck <tony.luck@intel.com> Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
This commit is contained in:
parent
6608b45ac5
commit
e1d38b63ac
|
@ -1298,6 +1298,25 @@ static u64 kvm_get_arch_capabilities(void)
|
||||||
if (!boot_cpu_has_bug(X86_BUG_MDS))
|
if (!boot_cpu_has_bug(X86_BUG_MDS))
|
||||||
data |= ARCH_CAP_MDS_NO;
|
data |= ARCH_CAP_MDS_NO;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* On TAA affected systems, export MDS_NO=0 when:
|
||||||
|
* - TSX is enabled on the host, i.e. X86_FEATURE_RTM=1.
|
||||||
|
* - Updated microcode is present. This is detected by
|
||||||
|
* the presence of ARCH_CAP_TSX_CTRL_MSR and ensures
|
||||||
|
* that VERW clears CPU buffers.
|
||||||
|
*
|
||||||
|
* When MDS_NO=0 is exported, guests deploy clear CPU buffer
|
||||||
|
* mitigation and don't complain:
|
||||||
|
*
|
||||||
|
* "Vulnerable: Clear CPU buffers attempted, no microcode"
|
||||||
|
*
|
||||||
|
* If TSX is disabled on the system, guests are also mitigated against
|
||||||
|
* TAA and clear CPU buffer mitigation is not required for guests.
|
||||||
|
*/
|
||||||
|
if (boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM) &&
|
||||||
|
(data & ARCH_CAP_TSX_CTRL_MSR))
|
||||||
|
data &= ~ARCH_CAP_MDS_NO;
|
||||||
|
|
||||||
return data;
|
return data;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue