Diffstat (limited to 'debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch')
-rw-r--r-- | debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch b/debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch
new file mode 100644
index 000000000..e16870f6e
--- /dev/null
+++ b/debian/patches/bugfix/x86/gds/kvm-add-gds_no-support-to-kvm.patch
@@ -0,0 +1,69 @@
+From e9a103c76a5ffb605204f25222e6217931ff129b Mon Sep 17 00:00:00 2001
+From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+Date: Wed, 12 Jul 2023 19:43:14 -0700
+Subject: KVM: Add GDS_NO support to KVM
+
+From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+
+commit 81ac7e5d741742d650b4ed6186c4826c1a0631a7 upstream
+
+Gather Data Sampling (GDS) is a transient execution attack using
+gather instructions from the AVX2 and AVX512 extensions. This attack
+allows malicious code to infer data that was previously stored in
+vector registers. Systems that are not vulnerable to GDS will set the
+GDS_NO bit of the IA32_ARCH_CAPABILITIES MSR. This is useful for VM
+guests that may think they are on vulnerable systems that are, in
+fact, not affected. Guests that are running on affected hosts where
+the mitigation is enabled are protected as if they were running
+on an unaffected system.
+
+On all hosts that are not affected or that are mitigated, set the
+GDS_NO bit.
+
+Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 7 +++++++
+ arch/x86/kvm/x86.c | 5 +++++
+ 2 files changed, 12 insertions(+)
+
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -628,6 +628,13 @@ static const char * const gds_strings[]
+ [GDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status",
+ };
+
++bool gds_ucode_mitigated(void)
++{
++ return (gds_mitigation == GDS_MITIGATION_FULL ||
++ gds_mitigation == GDS_MITIGATION_FULL_LOCKED);
++}
++EXPORT_SYMBOL_GPL(gds_ucode_mitigated);
++
+ void update_gds_msr(void)
+ {
+ u64 mcu_ctrl_after;
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -217,6 +217,8 @@ struct kvm_stats_debugfs_item debugfs_en
+
+ u64 __read_mostly host_xcr0;
+
++extern bool gds_ucode_mitigated(void);
++
+ static int emulator_fix_hypercall(struct x86_emulate_ctxt *ctxt);
+
+ static inline void kvm_async_pf_hash_reset(struct kvm_vcpu *vcpu)
+@@ -1224,6 +1226,9 @@ u64 kvm_get_arch_capabilities(void)
+ /* Guests don't need to know "Fill buffer clear control" exists */
+ data &= ~ARCH_CAP_FB_CLEAR_CTRL;
+
++ if (!boot_cpu_has_bug(X86_BUG_GDS) || gds_ucode_mitigated())
++ data |= ARCH_CAP_GDS_NO;
++
+ return data;
+ }
+
|
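Review bot: The embedded patch declares `extern bool gds_ucode_mitigated(void);` directly in arch/x86/kvm/x86.c (second file section, hunk at line 217) instead of in a header shared with arch/x86/kernel/cpu/bugs.c, so the compiler never checks the prototype against the definition and the non-static definition in bugs.c has no visible prototype, which is what -Wmissing-prototypes is meant to catch. Kernel style would be to declare it in the header that already carries the other GDS helpers (the one declaring update_gds_msr(), if I recall the layout correctly) and include that from x86.c; I believe upstream later did exactly that in a follow-up, so a Debian maintainer should prefer backporting that follow-up over editing this vendored patch by hand. Functionally the logic looks right: GDS_NO is advertised to guests only when the host is either not affected (`!boot_cpu_has_bug(X86_BUG_GDS)`) or running with the microcode mitigation in FULL or FULL_LOCKED mode, and the decision is taken at the time kvm_get_arch_capabilities() runs. The enclosing function kvm_get_arch_capabilities() starts outside the embedded hunk.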