This is a note to let you know that I've just added the patch titled

    KVM: Add GDS_NO support to KVM

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kvm-add-gds_no-support-to-kvm.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From e9a103c76a5ffb605204f25222e6217931ff129b Mon Sep 17 00:00:00 2001
From: Daniel Sneddon <daniel.sneddon@xxxxxxxxxxxxxxx>
Date: Wed, 12 Jul 2023 19:43:14 -0700
Subject: KVM: Add GDS_NO support to KVM

From: Daniel Sneddon <daniel.sneddon@xxxxxxxxxxxxxxx>

commit 81ac7e5d741742d650b4ed6186c4826c1a0631a7 upstream

Gather Data Sampling (GDS) is a transient execution attack using gather
instructions from the AVX2 and AVX512 extensions. This attack allows
malicious code to infer data that was previously stored in vector registers.
Systems that are not vulnerable to GDS will set the GDS_NO bit of the
IA32_ARCH_CAPABILITIES MSR. This is useful for VM guests that may think
they are on vulnerable systems that are, in fact, not affected. Guests that
are running on affected hosts where the mitigation is enabled are protected
as if they were running on an unaffected system.

On all hosts that are not affected or that are mitigated, set the GDS_NO
bit.

Signed-off-by: Daniel Sneddon <daniel.sneddon@xxxxxxxxxxxxxxx>
Signed-off-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
Acked-by: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
Signed-off-by: Daniel Sneddon <daniel.sneddon@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/x86/kernel/cpu/bugs.c | 7 +++++++
 arch/x86/kvm/x86.c         | 5 +++++
 2 files changed, 12 insertions(+)

--- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c
@@ -628,6 +628,13 @@ static const char * const gds_strings[] [GDS_MITIGATION_HYPERVISOR] = "Unknown: Dependent on hypervisor status", }; +bool gds_ucode_mitigated(void) +{ + return (gds_mitigation == GDS_MITIGATION_FULL || + gds_mitigation == GDS_MITIGATION_FULL_LOCKED); +} +EXPORT_SYMBOL_GPL(gds_ucode_mitigated); + void update_gds_msr(void) { u64 mcu_ctrl_after; --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -201,6 +201,8 @@ struct kvm_stats_debugfs_item debugfs_en u64 __read_mostly host_xcr0; +extern bool gds_ucode_mitigated(void); + static int emulator_fix_hypercall(struct x86_emulate_ctxt *ctxt); static inline void kvm_async_pf_hash_reset(struct kvm_vcpu *vcpu) 
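Review bot: the `+extern bool gds_ucode_mitigated(void);` added to arch/x86/kvm/x86.c is a file-local prototype for a function defined and exported in arch/x86/kernel/cpu/bugs.c; with the declaration hidden in x86.c, bugs.c compiles its definition without a visible prototype (a -Wmissing-prototypes warning) and any further caller would have to repeat the extern. Suggest moving the declaration next to `update_gds_msr()` in the x86 header that already carries the GDS mitigation interface and including that header from both files, so the signature is checked against the definition in one place.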
@@ -1131,6 +1133,9 @@ u64 kvm_get_arch_capabilities(void) /* Guests don't need to know "Fill buffer clear control" exists */ data &= ~ARCH_CAP_FB_CLEAR_CTRL; + if (!boot_cpu_has_bug(X86_BUG_GDS) || gds_ucode_mitigated()) + data |= ARCH_CAP_GDS_NO; + return data; }

Patches currently in stable-queue which might be from daniel.sneddon@xxxxxxxxxxxxxxx are

queue-4.14/x86-cpu-switch-to-arch_cpu_finalize_init.patch
queue-4.14/arm-cpu-switch-to-arch_cpu_finalize_init.patch
queue-4.14/x86-speculation-add-kconfig-option-for-gds.patch
queue-4.14/um-cpu-switch-to-arch_cpu_finalize_init.patch
queue-4.14/mips-cpu-switch-to-arch_cpu_finalize_init.patch
queue-4.14/init-x86-move-mem_encrypt_init-into-arch_cpu_finalize_init.patch
queue-4.14/sh-cpu-switch-to-arch_cpu_finalize_init.patch
queue-4.14/x86-speculation-add-gather-data-sampling-mitigation.patch
queue-4.14/init-invoke-arch_cpu_finalize_init-earlier.patch
queue-4.14/kvm-add-gds_no-support-to-kvm.patch
queue-4.14/x86-fpu-move-fpu-initialization-into-arch_cpu_finalize_init.patch
queue-4.14/x86-speculation-add-force-option-to-gds-mitigation.patch
queue-4.14/init-remove-check_bugs-leftovers.patch
queue-4.14/init-provide-arch_cpu_finalize_init.patch
queue-4.14/m68k-cpu-switch-to-arch_cpu_finalize_init.patch
queue-4.14/sparc-cpu-switch-to-arch_cpu_finalize_init.patch
queue-4.14/x86-fpu-mark-init-functions-__init.patch
queue-4.14/ia64-cpu-switch-to-arch_cpu_finalize_init.patch
queue-4.14/x86-fpu-remove-cpuinfo-argument-from-init-functions.patch
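Review bot: the new `+ if (!boot_cpu_has_bug(X86_BUG_GDS) || gds_ucode_mitigated())` / `+ data |= ARCH_CAP_GDS_NO;` in kvm_get_arch_capabilities() needs a comment in the style of the `/* Guests don't need to know "Fill buffer clear control" exists */` line just above it, because the policy is not visible from x86.c alone: GDS_NO is advertised when the host is unaffected or when the host microcode mitigation is active (gds_ucode_mitigated() only returns true for GDS_MITIGATION_FULL and GDS_MITIGATION_FULL_LOCKED), so an affected host with the mitigation off, or a host itself running under a hypervisor in the "Unknown: Dependent on hypervisor status" state, leaves the bit clear and the guest falls back to its own mitigation. Worth stating as well that the bit is captured when the guest's ARCH_CAPABILITIES value is computed and reflects the host's mitigation state at that moment.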