[libvirt] [PATCH] cpu: add 'amd-ssbd' and 'amd-no-ssb' CPU features (CVE-2018-3639)
AMD x86 CPUs have two separate ways to mitigate the Speculative Store Bypass hardware flaw. In current processors only non-architectural MSRs are available, and so hypervisors must expose a virtualized MSR and CPU flag "virt-ssbd" (CPUID Function 8000_0008, EBX[25]=1). In future processors AMD will provide an architectural MSR, indicated by existance of the CPUID Function 8000_0008, EBX[24]=1, to which QEMU has given the name "amd-ssbd". The "amd-ssbd" flag should be used in preference to "virt-ssbd", if it is available, since it provides improved performance. For virtual machine configuration, both should be exposed when available, to allow for maximal guest OS compatibility as not all guests yet support both. If future processes are not vulnerable to the flaw, this will be indicated by the existance of CPUID Function 8000_0008, EBX[26]=1, to which QEMU has given the name "amd-no-ssb". See also 124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf from: https://bugzilla.kernel.org/show_bug.cgi?id=199889 Note that neither amd-ssbd or amd-no-ssb will be reported by the kernel in /proc/cpuinfo. It knows about these CPUID bits and does the right thing, but doesn't report their existance as distinct flags in /proc/cpuinfo. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/cpu/cpu_map.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml index 96daa0f9af..9af190a579 100644 --- a/src/cpu/cpu_map.xml +++ b/src/cpu/cpu_map.xml @@ -433,9 +433,15 @@ <feature name='ibpb'> <cpuid eax_in='0x80000008' ebx='0x00001000'/> </feature> + <feature name='amd-ssbd'> + <cpuid eax_in='0x80000008' ebx='0x01000000'/> + </feature> <feature name='virt-ssbd'> <cpuid eax_in='0x80000008' ebx='0x02000000'/> </feature> + <feature name='amd-no-ssb'> + <cpuid eax_in='0x80000008' ebx='0x04000000'/> + </feature> <!-- models --> <model name='486'> -- 2.17.0
On Thu, Jun 14, 2018 at 11:48:41AM +0100, Daniel P. Berrangé wrote:
AMD x86 CPUs have two separate ways to mitigate the Speculative Store Bypass hardware flaw. In current processors only non-architectural MSRs are available, and so hypervisors must expose a virtualized MSR and CPU flag "virt-ssbd" (CPUID Function 8000_0008, EBX[25]=1).
In future processors AMD will provide an architectural MSR, indicated by existance of the CPUID Function 8000_0008, EBX[24]=1, to which QEMU has given the name "amd-ssbd".
The "amd-ssbd" flag should be used in preference to "virt-ssbd", if it is available, since it provides improved performance. For virtual machine configuration, both should be exposed when available, to allow for maximal guest OS compatibility as not all guests yet support both.
If future processes are not vulnerable to the flaw, this will be indicated by the existance of CPUID Function 8000_0008, EBX[26]=1, to which QEMU has given the name "amd-no-ssb".
See also 124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf from:
https://bugzilla.kernel.org/show_bug.cgi?id=199889
Note that neither amd-ssbd or amd-no-ssb will be reported by the kernel in /proc/cpuinfo. It knows about these CPUID bits and does the right thing, but doesn't report their existance as distinct flags in /proc/cpuinfo.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/cpu/cpu_map.xml | 6 ++++++ 1 file changed, 6 insertions(+)
FWIW: Reviewed-by: Kashyap Chamarthy <kchamart@redhat.com> [...] -- /kashyap
On Thu, Jun 14, 2018 at 11:48:41 +0100, Daniel P. Berrangé wrote:
AMD x86 CPUs have two separate ways to mitigate the Speculative Store Bypass hardware flaw. In current processors only non-architectural MSRs are available, and so hypervisors must expose a virtualized MSR and CPU flag "virt-ssbd" (CPUID Function 8000_0008, EBX[25]=1).
In future processors AMD will provide an architectural MSR, indicated by existance of the CPUID Function 8000_0008, EBX[24]=1, to which QEMU has given the name "amd-ssbd".
The "amd-ssbd" flag should be used in preference to "virt-ssbd", if it is available, since it provides improved performance. For virtual machine configuration, both should be exposed when available, to allow for maximal guest OS compatibility as not all guests yet support both.
If future processes are not vulnerable to the flaw, this will be indicated by the existance of CPUID Function 8000_0008, EBX[26]=1, to which QEMU has given the name "amd-no-ssb".
See also 124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf from:
https://bugzilla.kernel.org/show_bug.cgi?id=199889
Note that neither amd-ssbd or amd-no-ssb will be reported by the kernel in /proc/cpuinfo. It knows about these CPUID bits and does the right thing, but doesn't report their existance as distinct flags in /proc/cpuinfo.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Eduardo pushed the QEMU part into his x86-next queue, but he didn't send a pull request yet. I think it's a good idea to wait until the patch lands in QEMU master before pushing this patch. Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
On Thu, Jun 14, 2018 at 11:48:41AM +0100, Daniel P. Berrangé wrote: [...]
Note that neither amd-ssbd or amd-no-ssb will be reported by the kernel in /proc/cpuinfo. It knows about these CPUID bits and does the right thing, but doesn't report their existance as distinct flags in /proc/cpuinfo.
Since it isn't pushed yet, minor nit-pick: s/existance/existence/ Should the commit message be amended to mention that `/proc/cpuinfo` will, confusingly enough, report 'ssbd' (for 'amd-ssbd')? Because reading this thread on 'qemu-devel': https://lists.nongnu.org/archive/html/qemu-devel/2018-06/msg03660.html [PATCH 1/2] i386: define the AMD 'amd-ssbd' CPUID feature bit Says: [quote] It [kernel] will only report 'ssbd' but not 'amd-ssb-no' nor 'amd-ssbd'. [...] The code that finds the AMD_SSBD and sets the 'ssbd' is: + if (cpu_has(c, X86_FEATURE_AMD_SSBD)) { + set_cpu_cap(c, X86_FEATURE_SSBD); + set_cpu_cap(c, X86_FEATURE_MSR_SPEC_CTRL); + clear_cpu_cap(c, X86_FEATURE_VIRT_SSBD); + } Meaning the 'ssbd' will show up in /proc/cpuinfo [/quote] [...] -- /kashyap
On Thu, Jun 21, 2018 at 12:24:13PM +0200, Kashyap Chamarthy wrote:
On Thu, Jun 14, 2018 at 11:48:41AM +0100, Daniel P. Berrangé wrote:
[...]
Note that neither amd-ssbd or amd-no-ssb will be reported by the kernel in /proc/cpuinfo. It knows about these CPUID bits and does the right thing, but doesn't report their existance as distinct flags in /proc/cpuinfo.
Since it isn't pushed yet, minor nit-pick: s/existance/existence/
Should the commit message be amended to mention that `/proc/cpuinfo` will, confusingly enough, report 'ssbd' (for 'amd-ssbd')?
Maybe it's not so confusing if it will show up as 'ssbd' for all (Intel / AMD) processors. Useful for tooling to look for one flag across all the processors. [...] -- /kashyap
participants (3)
-
Daniel P. Berrangé -
Jiri Denemark -
Kashyap Chamarthy