Diffstat (limited to 'debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch')
-rw-r--r-- | debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch | 69 |
1 files changed, 0 insertions, 69 deletions
diff --git a/debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch b/debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch
deleted file mode 100644
index e16870f6e..000000000
--- a/debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From e9a103c76a5ffb605204f25222e6217931ff129b Mon Sep 17 00:00:00 2001
-From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Date: Wed, 12 Jul 2023 19:43:14 -0700
-Subject: KVM: Add GDS_NO support to KVM
-
-From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-
-commit 81ac7e5d741742d650b4ed6186c4826c1a0631a7 upstream
-
-Gather Data Sampling (GDS) is a transient execution attack using
-gather instructions from the AVX2 and AVX512 extensions. This attack
-allows malicious code to infer data that was previously stored in
-vector registers. Systems that are not vulnerable to GDS will set the
-GDS_NO bit of the IA32_ARCH_CAPABILITIES MSR. This is useful for VM
-guests that may think they are on vulnerable systems that are, in
-fact, not affected. Guests that are running on affected hosts where
-the mitigation is enabled are protected as if they were running
-on an unaffected system.
-
-On all hosts that are not affected or that are mitigated, set the
-GDS_NO bit.
-
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
-Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
-Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/bugs.c | 7 +++++++
- arch/x86/kvm/x86.c | 5 +++++
- 2 files changed, 12 insertions(+)
-
---- a/arch/x86/kernel/cpu/bugs.c
-+++ b/arch/x86/kernel/cpu/bugs.c
-@@ -628,6 +628,13 @@ static const char * const gds_strings[]
- [GDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
- };
-
-+bool gds_ucode_mitigated(void)
-+{
-+ return (gds_mitigation == GDS_MITIGATION_FULL ||
-+ gds_mitigation == GDS_MITIGATION_FULL_LOCKED);
-+}
-+EXPORT_SYMBOL_GPL(gds_ucode_mitigated);
-+
- void update_gds_msr(void)
- {
- u64 mcu_ctrl_after;
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -217,6 +217,8 @@ struct kvm_stats_debugfs_item debugfs_en
-
- u64 __read_mostly host_xcr0;
-
-+extern bool gds_ucode_mitigated(void);
-+
- static int emulator_fix_hypercall(struct x86_emulate_ctxt *ctxt);
-
- static inline void kvm_async_pf_hash_reset(struct kvm_vcpu *vcpu)
-@@ -1224,6 +1226,9 @@ u64 kvm_get_arch_capabilities(void)
- /* Guests don't need to know "Fill buffer clear control" exists */
- data &= ~ARCH_CAP_FB_CLEAR_CTRL;
-
-+ if (!boot_cpu_has_bug(X86_BUG_GDS) || gds_ucode_mitigated())
-+ data |= ARCH_CAP_GDS_NO;
-+
- return data;
- }
-
|