RFC: guest INTEL GDS mitigation status on patched host
From: Jinpu Wang
Subject: RFC: guest INTEL GDS mitigation status on patched host
Date: Fri, 11 Aug 2023 15:12:12 +0200
Hi folks on the list:
I'm testing the latest Downfall CPU vulnerability mitigation. What I
notice is that when both host and guest are using a patched kernel +
microcode, e.g. kernel 5.15.125 + intel-microcode 20230808, on an affected
server, e.g. an Icelake server,
the mitigation status inside the guest is:
Vulnerabilities:
Gather data sampling: Unknown: Dependent on hypervisor status
-----------------------------------> this one.
Itlb multihit: Not affected
L1tf: Not affected
Mds: Not affected
Mmio stale data: Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
Retbleed: Not affected
Spec rstack overflow: Not affected
Spec store bypass: Mitigation; Speculative Store Bypass disabled via prctl and seccomp
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; Enhanced IBRS, IBPB conditional, RSB filling, PBRSB-eIBRS SW sequence
Srbds: Not affected
Tsx async abort: Not affected
According to the kernel commit below:
commit 81ac7e5d741742d650b4ed6186c4826c1a0631a7
Author: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Date: Wed Jul 12 19:43:14 2023 -0700
KVM: Add GDS_NO support to KVM
Gather Data Sampling (GDS) is a transient execution attack using
gather instructions from the AVX2 and AVX512 extensions. This attack
allows malicious code to infer data that was previously stored in
vector registers. Systems that are not vulnerable to GDS will set the
GDS_NO bit of the IA32_ARCH_CAPABILITIES MSR. This is useful for VM
guests that may think they are on vulnerable systems that are, in
fact, not affected. Guests that are running on affected hosts where
the mitigation is enabled are protected as if they were running
on an unaffected system.
On all hosts that are not affected or that are mitigated, set the
GDS_NO bit.
Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
KVM also has support for GDS_NO, but it seems the qemu side doesn't pass
the info to the guest; that's why it is unknown. IMO qemu should pass
GDS_NO if the host is already patched.
Is Intel or anyone already working on the qemu patch? I know it's not
a must, but it would be good to do.
Thx!
Jinpu Wang @ IONOS Cloud
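Added example, not part of this mail or of the QEMU/KVM code: a small guest-side check that reads IA32_ARCH_CAPABILITIES through the msr driver, tests the GDS_NO bit the commit above describes, and compares the result with the gather_data_sampling sysfs line. The bit positions follow the kernel's msr-index.h; the status model in expected_gds_status is a simplified assumption for this example, not the kernel's own logic, and the sysfs path and /dev/cpu access need root plus the msr module.

```python
import os
import struct

# MSR number and bit positions as defined in the Linux kernel's
# arch/x86/include/asm/msr-index.h.
MSR_IA32_ARCH_CAPABILITIES = 0x10A
ARCH_CAP_GDS_CTRL = 1 << 25  # microcode exposes GDS mitigation control
ARCH_CAP_GDS_NO = 1 << 26    # CPU, or the hypervisor on its behalf, is not affected

SYSFS_GDS = "/sys/devices/system/cpu/vulnerabilities/gather_data_sampling"


def read_arch_cap(cpu: int = 0) -> int:
    """Read IA32_ARCH_CAPABILITIES via the msr driver (root, `modprobe msr`)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        raw = os.pread(fd, 8, MSR_IA32_ARCH_CAPABILITIES)
    finally:
        os.close(fd)
    return struct.unpack("<Q", raw)[0]


def expected_gds_status(arch_cap: int, in_guest: bool) -> str:
    """Simplified model (an assumption for this example, not kernel code) of
    the GDS status an affected CPU model reports. A guest cannot verify the
    host's microcode state itself, so without GDS_NO it can only report
    'Unknown'; a host without GDS_CTRL has no mitigating microcode."""
    if arch_cap & ARCH_CAP_GDS_NO:
        return "Not affected"
    if in_guest:
        return "Unknown: Dependent on hypervisor status"
    if arch_cap & ARCH_CAP_GDS_CTRL:
        return "Mitigation: Microcode"
    return "Vulnerable: No microcode"


def check_guest(arch_cap: int, sysfs_line: str) -> dict:
    """Compare the guest's sysfs report with what its ARCH_CAPABILITIES imply.
    gds_no_exposed is False when the hypervisor did not pass GDS_NO through."""
    expected = expected_gds_status(arch_cap, in_guest=True)
    return {
        "gds_no_exposed": bool(arch_cap & ARCH_CAP_GDS_NO),
        "expected": expected,
        "consistent": sysfs_line.strip() == expected,
    }


if __name__ == "__main__":
    with open(SYSFS_GDS) as f:
        print(check_guest(read_arch_cap(), f.read()))
```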