Hi Paolo,

This is a pull request for a commit that adds three new KVM capabilities as part of the mitigation for the recently announced exploits CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754 (also known as meltdown and spectre). These capabilities tell userspace about whether the host machine has the vulnerabilities, and if so, whether it has updated firmware that enables the machine to provide instructions to help work around the vulnerabilities.

Michael Ellerman has put the changes needed for kernels to use the workaround instructions to work around CVE-2017-5754 (meltdown) into his fixes branch and intends to ask Linus to pull them for 4.15. In a guest kernel, the workarounds depend on getting information from the platform from a new H_GET_CPU_CHARACTERISTICS hypercall. These capabilities provide the information that userspace (e.g. QEMU) needs in order to implement that hypercall. In the absence of the hypercall, patched guest kernels will assume the machine is vulnerable and will use a (slow) displacement flush loop to flush the L1 cache each time the kernel exits to userspace.

I leave it to your discretion as to whether to push it to Linus to go in 4.15, or merge it in the 4.16 merge window. If it was up to me, I would go for 4.15. In either case, please merge it to the kvm tree so that the capability numbers get stabilized and the corresponding QEMU patches can get merged.

The pull request includes one commit from Michael Ellerman's tree via his topic/ppc-kvm branch, because that commit adds definitions that are used in implementing the capability tests.

Thanks,
Paul.

The following changes since commit ae64f9bd1d3621b5e60d7363bc20afb46aede215:

  Linux 4.15-rc2 (2017-12-03 11:01:47 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc tags/kvm-ppc-cve-4.15

for you to fetch changes up to f6021f88d8ffefae616c33f70063e435209dad92:

  KVM: PPC: Book3S: Add capabilities for hardware/firmware CVE workarounds (2018-01-11 20:04:57 +1100)

----------------------------------------------------------------
One commit, that adds three new KVM capabilities, which inform
userspace about the machine's vulnerability to recently-announced
vulnerabilities CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754.
This gives userspace information needed to implement the new
H_GET_CPU_CHARACTERISTICS hypercall for pseries VMs.

----------------------------------------------------------------
Michael Neuling (1):
      powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper

Paul Mackerras (1):
      KVM: PPC: Book3S: Add capabilities for hardware/firmware CVE workarounds

 Documentation/virtual/kvm/api.txt         |  36 ++++++
 arch/powerpc/include/asm/hvcall.h         |  17 +++
 arch/powerpc/include/asm/plpar_wrappers.h |  14 +++
 arch/powerpc/kvm/powerpc.c                | 200 ++++++++++++++++++++++++++++++
 include/uapi/linux/kvm.h                  |   3 +
 5 files changed, 270 insertions(+)