Patch "KVM: Add GDS_NO support to KVM" has been added to the 6.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    KVM: Add GDS_NO support to KVM

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kvm-add-gds_no-support-to-kvm.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 1d5122ddea93de52adc82ef3b98759a9eda73da2 Mon Sep 17 00:00:00 2001
From: Daniel Sneddon <daniel.sneddon@xxxxxxxxxxxxxxx>
Date: Tue, 1 Aug 2023 16:07:15 +0200
Subject: KVM: Add GDS_NO support to KVM

From: Daniel Sneddon <daniel.sneddon@xxxxxxxxxxxxxxx>

commit 81ac7e5d741742d650b4ed6186c4826c1a0631a7 upstream

Gather Data Sampling (GDS) is a transient execution attack using
gather instructions from the AVX2 and AVX512 extensions. This attack
allows malicious code to infer data that was previously stored in
vector registers. Systems that are not vulnerable to GDS will set the
GDS_NO bit of the IA32_ARCH_CAPABILITIES MSR. This is useful for VM
guests that may think they are on vulnerable systems that are, in
fact, not affected. Guests that are running on affected hosts where
the mitigation is enabled are protected as if they were running
on an unaffected system.

On all hosts that are not affected or that are mitigated, set the
GDS_NO bit.

Signed-off-by: Daniel Sneddon <daniel.sneddon@xxxxxxxxxxxxxxx>
Signed-off-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
Acked-by: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
Signed-off-by: Daniel Sneddon <daniel.sneddon@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/x86/kernel/cpu/bugs.c |    7 +++++++
 arch/x86/kvm/x86.c         |    7 ++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -674,6 +674,13 @@ static const char * const gds_strings[]
 	[GDS_MITIGATION_HYPERVISOR]	= "Unknown: Dependent on hypervisor status",
 };
 
+bool gds_ucode_mitigated(void)
+{
+	return (gds_mitigation == GDS_MITIGATION_FULL ||
+		gds_mitigation == GDS_MITIGATION_FULL_LOCKED);
+}
+EXPORT_SYMBOL_GPL(gds_ucode_mitigated);
+
 void update_gds_msr(void)
 {
 	u64 mcu_ctrl_after;
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -314,6 +314,8 @@ u64 __read_mostly host_xcr0;
 
 static struct kmem_cache *x86_emulator_cache;
 
+extern bool gds_ucode_mitigated(void);
+
 /*
  * When called, it means the previous get/set msr reached an invalid msr.
  * Return true if we want to ignore/silent this failed msr access.
@@ -1617,7 +1619,7 @@ static bool kvm_is_immutable_feature_msr
 	 ARCH_CAP_SKIP_VMENTRY_L1DFLUSH | ARCH_CAP_SSB_NO | ARCH_CAP_MDS_NO | \
 	 ARCH_CAP_PSCHANGE_MC_NO | ARCH_CAP_TSX_CTRL_MSR | ARCH_CAP_TAA_NO | \
 	 ARCH_CAP_SBDR_SSDP_NO | ARCH_CAP_FBSDP_NO | ARCH_CAP_PSDP_NO | \
-	 ARCH_CAP_FB_CLEAR | ARCH_CAP_RRSBA | ARCH_CAP_PBRSB_NO)
+	 ARCH_CAP_FB_CLEAR | ARCH_CAP_RRSBA | ARCH_CAP_PBRSB_NO | ARCH_CAP_GDS_NO)
 
 static u64 kvm_get_arch_capabilities(void)
 {
@@ -1674,6 +1676,9 @@ static u64 kvm_get_arch_capabilities(voi
 		 */
 	}
 
+	if (!boot_cpu_has_bug(X86_BUG_GDS) || gds_ucode_mitigated())
+		data |= ARCH_CAP_GDS_NO;
+
 	return data;
 }
 


Patches currently in stable-queue which might be from daniel.sneddon@xxxxxxxxxxxxxxx are

queue-6.4/x86-cpu-switch-to-arch_cpu_finalize_init.patch
queue-6.4/arm-cpu-switch-to-arch_cpu_finalize_init.patch
queue-6.4/x86-speculation-add-kconfig-option-for-gds.patch
queue-6.4/um-cpu-switch-to-arch_cpu_finalize_init.patch
queue-6.4/mips-cpu-switch-to-arch_cpu_finalize_init.patch
queue-6.4/init-x86-move-mem_encrypt_init-into-arch_cpu_finalize_init.patch
queue-6.4/sh-cpu-switch-to-arch_cpu_finalize_init.patch
queue-6.4/x86-speculation-add-gather-data-sampling-mitigation.patch
queue-6.4/init-invoke-arch_cpu_finalize_init-earlier.patch
queue-6.4/kvm-add-gds_no-support-to-kvm.patch
queue-6.4/x86-fpu-move-fpu-initialization-into-arch_cpu_finalize_init.patch
queue-6.4/loongarch-cpu-switch-to-arch_cpu_finalize_init.patch
queue-6.4/x86-speculation-add-force-option-to-gds-mitigation.patch
queue-6.4/init-remove-check_bugs-leftovers.patch
queue-6.4/init-provide-arch_cpu_finalize_init.patch
queue-6.4/m68k-cpu-switch-to-arch_cpu_finalize_init.patch
queue-6.4/x86-init-initialize-signal-frame-size-late.patch
queue-6.4/sparc-cpu-switch-to-arch_cpu_finalize_init.patch
queue-6.4/x86-fpu-mark-init-functions-__init.patch
queue-6.4/ia64-cpu-switch-to-arch_cpu_finalize_init.patch
queue-6.4/x86-fpu-remove-cpuinfo-argument-from-init-functions.patch



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux