On 11/01/2018 10:31, Paul Mackerras wrote:
> Hi Paolo,
>
> This is a pull request for a commit that adds three new KVM
> capabilities as part of the mitigation for the recently announced
> exploits CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754 (also known as
> meltdown and spectre).  These capabilities tell userspace about
> whether the host machine has the vulnerabilities, and if so, whether
> it has updated firmware that enables the machine to provide
> instructions to help work around the vulnerabilities.
>
> Michael Ellerman has put the changes needed for kernels to use the
> workaround instructions to work around CVE-2017-5754 (meltdown) into
> his fixes branch and intends to ask Linus to pull them for 4.15.  In a
> guest kernel, the workarounds depend on getting information from the
> platform from a new H_GET_CPU_CHARACTERISTICS hypercall.  These
> capabilities provide the information that userspace (e.g. QEMU) needs
> in order to implement that hypercall.  In the absence of the
> hypercall, patched guest kernels will assume the machine is vulnerable
> and will use a (slow) displacement flush loop to flush the L1 cache
> each time the kernel exits to userspace.

Why three capabilities?  Could KVM just return
KVM_PPC_GET_HOST_CPU_CHARACTERISTICS (perhaps only the characteristics
word and not the behavior ones)?

I agree this can go in for 4.15 though.

Thanks,

Paolo

>
> I leave it to your discretion as to whether to push it to Linus to go
> in 4.15, or merge it in the 4.16 merge window.  If it was up to me, I
> would go for 4.15.  In either case, please merge it to the kvm tree so
> that the capability numbers get stabilized and the corresponding QEMU
> patches can get merged.
>
> The pull request includes one commit from Michael Ellerman's tree via
> his topic/ppc-kvm branch, because that commit adds definitions that
> are used in implementing the capability tests.
>
> Thanks,
> Paul.
>
> The following changes since commit ae64f9bd1d3621b5e60d7363bc20afb46aede215:
>
>   Linux 4.15-rc2 (2017-12-03 11:01:47 -0500)
>
> are available in the git repository at:
>
>   git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc tags/kvm-ppc-cve-4.15
>
> for you to fetch changes up to f6021f88d8ffefae616c33f70063e435209dad92:
>
>   KVM: PPC: Book3S: Add capabilities for hardware/firmware CVE workarounds (2018-01-11 20:04:57 +1100)
>
> ----------------------------------------------------------------
> One commit, that adds three new KVM capabilities, which inform
> userspace about the machine's vulnerability to recently-announced
> vulnerabilities CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754.
> This gives userspace information needed to implement the new
> H_GET_CPU_CHARACTERISTICS hypercall for pseries VMs.
>
> ----------------------------------------------------------------
> Michael Neuling (1):
>       powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper
>
> Paul Mackerras (1):
>       KVM: PPC: Book3S: Add capabilities for hardware/firmware CVE workarounds
>
>  Documentation/virtual/kvm/api.txt         |  36 ++++++
>  arch/powerpc/include/asm/hvcall.h         |  17 +++
>  arch/powerpc/include/asm/plpar_wrappers.h |  14 +++
>  arch/powerpc/kvm/powerpc.c                | 200 ++++++++++++++++++++++++++++++
>  include/uapi/linux/kvm.h                  |   3 +
>  5 files changed, 270 insertions(+)
>
> -