summaryrefslogtreecommitdiffstats
path: root/debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-08 04:20:13 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-08 04:20:28 +0000
commitcce8a6c59ba5062594dc8665c7faa1f04ec96491 (patch)
tree15d4a62065c339e11e09c8c6d278edba454c3eb9 /debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch
parentReleasing progress-linux version 4.19.289-1progress5u1. (diff)
downloadlinux-cce8a6c59ba5062594dc8665c7faa1f04ec96491.tar.xz
linux-cce8a6c59ba5062594dc8665c7faa1f04ec96491.zip
Merging debian version 4.19.289-2.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch')
-rw-r--r--debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch69
1 files changed, 69 insertions, 0 deletions
diff --git a/debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch b/debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch
new file mode 100644
index 000000000..e16870f6e
--- /dev/null
+++ b/debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch
@@ -0,0 +1,69 @@
+From e9a103c76a5ffb605204f25222e6217931ff129b Mon Sep 17 00:00:00 2001
+From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+Date: Wed, 12 Jul 2023 19:43:14 -0700
+Subject: KVM: Add GDS_NO support to KVM
+
+From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+
+commit 81ac7e5d741742d650b4ed6186c4826c1a0631a7 upstream
+
+Gather Data Sampling (GDS) is a transient execution attack using
+gather instructions from the AVX2 and AVX512 extensions. This attack
+allows malicious code to infer data that was previously stored in
+vector registers. Systems that are not vulnerable to GDS will set the
+GDS_NO bit of the IA32_ARCH_CAPABILITIES MSR. This is useful for VM
+guests that may think they are on vulnerable systems that are, in
+fact, not affected. Guests that are running on affected hosts where
+the mitigation is enabled are protected as if they were running
+on an unaffected system.
+
+On all hosts that are not affected or that are mitigated, set the
+GDS_NO bit.
+
+Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 7 +++++++
+ arch/x86/kvm/x86.c | 5 +++++
+ 2 files changed, 12 insertions(+)
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -628,6 +628,13 @@ static const char * const gds_strings[]
+ [GDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
+ };
+
++bool gds_ucode_mitigated(void)
++{
++ return (gds_mitigation == GDS_MITIGATION_FULL ||
++ gds_mitigation == GDS_MITIGATION_FULL_LOCKED);
++}
++EXPORT_SYMBOL_GPL(gds_ucode_mitigated);
++
+ void update_gds_msr(void)
+ {
+ u64 mcu_ctrl_after;
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -217,6 +217,8 @@ struct kvm_stats_debugfs_item debugfs_en
+
+ u64 __read_mostly host_xcr0;
+
++extern bool gds_ucode_mitigated(void);
++
+ static int emulator_fix_hypercall(struct x86_emulate_ctxt *ctxt);
+
+ static inline void kvm_async_pf_hash_reset(struct kvm_vcpu *vcpu)
+@@ -1224,6 +1226,9 @@ u64 kvm_get_arch_capabilities(void)
+ /* Guests don't need to know "Fill buffer clear control" exists */
+ data &= ~ARCH_CAP_FB_CLEAR_CTRL;
+
++ if (!boot_cpu_has_bug(X86_BUG_GDS) || gds_ucode_mitigated())
++ data |= ARCH_CAP_GDS_NO;
++
+ return data;
+ }
+