author | Pawan Gupta <pawan.kumar.gupta@linux.intel.com> | 2019-10-23 06:23:33 -0400 |
---|---|---|
committer | Thomas Gleixner <tglx@linutronix.de> | 2019-10-28 03:36:59 -0400 |
commit | e1d38b63acd843cfdd4222bf19a26700fd5c699e (patch) | |
tree | 628b58426dbd6b25dc4200409ac19a3e079ba4e8 | |
parent | 6608b45ac5ecb56f9e171252229c39580cc85f0f (diff) |
kvm/x86: Export MDS_NO=0 to guests when TSX is enabled

Export the IA32_ARCH_CAPABILITIES MSR bit MDS_NO=0 to guests on TSX
Async Abort (TAA) affected hosts that have TSX enabled and updated
microcode. This is required so that the guests don't complain,

"Vulnerable: Clear CPU buffers attempted, no microcode"

when the host has the updated microcode to clear CPU buffers.

Microcode update also adds support for MSR_IA32_TSX_CTRL which is
enumerated by the ARCH_CAP_TSX_CTRL bit in IA32_ARCH_CAPABILITIES MSR.
Guests can't do this check themselves when the ARCH_CAP_TSX_CTRL bit is
not exported to the guests.

In this case export MDS_NO=0 to the guests. When guests have
CPUID.MD_CLEAR=1, they deploy MDS mitigation which also mitigates TAA.

Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
-rw-r--r-- | arch/x86/kvm/x86.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index ff395f812719..32d70ca2a7fd 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c | |||
@@ -1298,6 +1298,25 @@ static u64 kvm_get_arch_capabilities(void) | |||
1298 | if (!boot_cpu_has_bug(X86_BUG_MDS)) | 1298 | if (!boot_cpu_has_bug(X86_BUG_MDS)) |
1299 | data |= ARCH_CAP_MDS_NO; | 1299 | data |= ARCH_CAP_MDS_NO; |
1300 | 1300 | ||
1301 | /* | ||
1302 | * On TAA affected systems, export MDS_NO=0 when: | ||
1303 | * - TSX is enabled on the host, i.e. X86_FEATURE_RTM=1. | ||
1304 | * - Updated microcode is present. This is detected by | ||
1305 | * the presence of ARCH_CAP_TSX_CTRL_MSR and ensures | ||
1306 | * that VERW clears CPU buffers. | ||
1307 | * | ||
1308 | * When MDS_NO=0 is exported, guests deploy clear CPU buffer | ||
1309 | * mitigation and don't complain: | ||
1310 | * | ||
1311 | * "Vulnerable: Clear CPU buffers attempted, no microcode" | ||
1312 | * | ||
1313 | * If TSX is disabled on the system, guests are also mitigated against | ||
1314 | * TAA and clear CPU buffer mitigation is not required for guests. | ||
1315 | */ | ||
1316 | if (boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM) && | ||
1317 | (data & ARCH_CAP_TSX_CTRL_MSR)) | ||
1318 | data &= ~ARCH_CAP_MDS_NO; | ||
1319 | |||
1301 | return data; | 1320 | return data; |
1302 | } | 1321 | } |
1303 | 1322 | ||
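Review bot: The microcode test on new line 1317, `(data & ARCH_CAP_TSX_CTRL_MSR)`, reads the guest-facing value being assembled in `data`, while the comment describes the bit as evidence of updated microcode on the host. The start of kvm_get_arch_capabilities() is not visible in this hunk, so please confirm that `data` still carries the host's bit at this point; if any earlier or future masking strips ARCH_CAP_TSX_CTRL_MSR from `data` before this block, the branch silently stops firing and guests on a TAA-affected host with TSX enabled would see MDS_NO=1 and skip the VERW buffer clearing. Testing the host capability directly, or stating in the comment that this block depends on `data` holding the unfiltered host bit, would make that dependency explicit. The block also has to stay after the `!boot_cpu_has_bug(X86_BUG_MDS)` assignment on line 1298, since it clears the bit that assignment sets; a short remark on that ordering in the comment would help anyone who later reorders the function. Minor: the commit message calls the bit ARCH_CAP_TSX_CTRL while the code and comment use ARCH_CAP_TSX_CTRL_MSR; using one name throughout would make the change easier to grep for.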