Expose bits related to SRSO vulnerability
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
qemu (Ubuntu) | Status tracked in Plucky | | |
Noble | Triaged | Medium | Unassigned |
Oracular | Triaged | Medium | Unassigned |
Plucky | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
According to AMD's Speculative Return Stack Overflow whitepaper the hypervisor should synthesize the value of IBPB_BRTYPE and SBPB CPUID bits to the guest.
Support for this is already present in noble kernel with commit e47d86083c66 ("KVM: x86: Add SBPB support") and commit 6f0f23ef76be ("KVM: x86: Add IBPB_BRTYPE support").
Add support in QEMU to expose the bits to the guest OS.
[Test Plan]
* First of all we will run general regression tests (and have already done so in advance)
* QEMU shall show that it is aware of the new flags
#qemu-
gfni hle ht hypervisor ia64 ibpb ibpb-brtype ibrs ibrs-all ibs intel-pt
sbdr-ssdp-no sbpb sep serialize sgx sgx-aex-notify sgx-debug sgx-edeccssa
* host:
# cat /sys/devices/
Mitigation: Safe RET
* before (guest):
$ cpuid -l 0x80000021 -1 -r
0x80000021 0x00: eax=0x00000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
$ cat /sys/devices/
Vulnerable: Safe RET, no microcode
* after (guest) with CPU flags added:
$ cpuid -l 0x80000021 -1 -r
0x80000021 0x00: eax=0x18000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
$ cat /sys/devices/
Mitigation: Safe RET
[Where problems could occur]
* None to be expected as these flags are not (yet) included in any predefined CPU model
---
Relevant patches needed for qemu 8.2 in noble:
target/i386: Expose IBPB-BRTYPE and SBPB CPUID bits to the guest:
* https:/
target/i386: Fix minor typo in NO_NESTED_DATA_BP feature bit:
* https:/
target/i386: Expose bits related to SRSO vulnerability
* https:/
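The CPUID check from the test plan, as an added example that is not part of the bug report or of the QEMU patches: a small C program that decodes the SRSO-related bits of CPUID leaf 0x80000021 EAX, parses `cpuid -r` output lines like the before/after lines above, and, when built on x86, also reads the leaf on the machine (or guest) it runs on. The bit positions (SBPB = bit 27, IBPB_BRTYPE = bit 28, SRSO_NO = bit 29) follow AMD's definitions as used by the Linux kernel's cpufeatures; the two sample lines are constructed from the values in the test plan, and the function and macro names are this example's own.

```c
/*
 * Added example, not part of the bug report or the QEMU patches.
 * Decodes the SRSO-related bits of CPUID leaf 0x80000021 EAX:
 *   bit 27  SBPB         selective branch predictor barrier supported
 *   bit 28  IBPB_BRTYPE  IBPB also flushes branch type predictions
 *   bit 29  SRSO_NO      hardware not affected by SRSO
 * Sample values 0x00000045 (before) and 0x18000045 (after) are the
 * ones shown in the test plan.
 */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define SRSO_LEAF        0x80000021u
#define SBPB_BIT         (1u << 27)
#define IBPB_BRTYPE_BIT  (1u << 28)
#define SRSO_NO_BIT      (1u << 29)

struct srso_bits {
    int sbpb;
    int ibpb_brtype;
    int srso_no;
};

struct srso_bits decode_srso_eax(uint32_t eax)
{
    struct srso_bits b;
    b.sbpb        = (eax & SBPB_BIT) != 0;
    b.ibpb_brtype = (eax & IBPB_BRTYPE_BIT) != 0;
    b.srso_no     = (eax & SRSO_NO_BIT) != 0;
    return b;
}

/* What the "after" case in the test plan expects a guest to see:
 * both bits the hypervisor is supposed to synthesize are present. */
int guest_sees_srso_mitigation_bits(uint32_t eax)
{
    struct srso_bits b = decode_srso_eax(eax);
    return b.sbpb && b.ibpb_brtype;
}

/* Parse one "cpuid -r" line such as
 *   0x80000021 0x00: eax=0x18000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
 * Returns 1 and stores EAX when the line is for leaf 0x80000021, else 0. */
int parse_srso_cpuid_line(const char *line, uint32_t *eax)
{
    unsigned leaf, subleaf, a;
    if (sscanf(line, "0x%x 0x%x: eax=0x%x", &leaf, &subleaf, &a) != 3)
        return 0;
    if (leaf != SRSO_LEAF)
        return 0;
    *eax = a;
    return 1;
}

/* 1 if the line shows both bits, 0 if not, -1 if it is not a
 * leaf-0x80000021 line (wrong leaf or unparseable). */
int line_shows_srso_mitigation_bits(const char *line)
{
    uint32_t eax;
    if (!parse_srso_cpuid_line(line, &eax))
        return -1;
    return guest_sees_srso_mitigation_bits(eax);
}

/* Read leaf 0x80000021 on this CPU (inside a VM: the virtual CPU).
 * Returns 0 when the leaf is unavailable or the build is not x86. */
int read_live_srso_eax(uint32_t *eax)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (__get_cpuid_max(0x80000000u, NULL) < SRSO_LEAF)
        return 0;
    if (!__get_cpuid_count(SRSO_LEAF, 0, &a, &b, &c, &d))
        return 0;
    *eax = a;
    return 1;
#else
    (void)eax;
    return 0;
#endif
}

static void report(const char *label, uint32_t eax)
{
    struct srso_bits b = decode_srso_eax(eax);
    printf("%s eax=0x%08x sbpb=%d ibpb_brtype=%d srso_no=%d\n",
           label, (unsigned)eax, b.sbpb, b.ibpb_brtype, b.srso_no);
}

int main(void)
{
    /* Constructed from the before/after lines in the test plan. */
    static const char *const samples[] = {
        "0x80000021 0x00: eax=0x00000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000",
        "0x80000021 0x00: eax=0x18000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000",
    };
    uint32_t eax;
    for (int i = 0; i < 2; i++)
        if (parse_srso_cpuid_line(samples[i], &eax))
            report(i == 0 ? "before:" : "after: ", eax);
    if (read_live_srso_eax(&eax))
        report("live:  ", eax);
    else
        puts("live:   CPUID leaf 0x80000021 not available on this CPU");
    return 0;
}
```

Build with `gcc -O2 -o srso_cpuid srso_cpuid.c` and run it inside the guest once with the plain CPU model and once with the `ibpb-brtype` and `sbpb` flags enabled (QEMU's `-cpu <model>,+ibpb-brtype,+sbpb`); the `live:` line should flip from neither bit set to both set, matching the `cpuid -l 0x80000021` output in the test plan. The program reads only the feature bits; whether the guest kernel then reports `Mitigation: Safe RET` is still decided by the guest kernel's own SRSO handling.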
Related branches
- Canonical Server Reporter: Pending requested
- git-ubuntu import: Pending requested
Diff: 225 lines (+191/-0), 5 files modified
  debian/changelog (+8/-0)
  debian/patches/series (+3/-0)
  debian/patches/ubuntu/lp2101944/0047-target-i386-Expose-IBPB-BRTYPE-and-SBPB-CPUID-bits-t.patch (+60/-0)
  debian/patches/ubuntu/lp2101944/0048-target-i386-Fix-minor-typo-in-NO_NESTED_DATA_BP-feat.patch (+47/-0)
  debian/patches/ubuntu/lp2101944/0049-target-i386-Expose-bits-related-to-SRSO-vulnerabilit.patch (+73/-0)
tags: added: server-todo
Hi Markus and thanks for the always great prep when reporting such.
The patches are already in upstream qemu v9.2 which we have in Plucky.
Let us check if they can be backported without breakage to the most recent LTS.
In this particular case it will indeed be more regression tests, as I'd want to make sure this does not break e.g. migration of fixed<->unfixed systems, on a matrix of Intel (unlikely to have any effect) and AMD (potential) hardware.
But totally yes, if we can make this work out it allows the guests to not apply the mitigations if exposed as fixed by HW/FW already.
P.S. I'll be out a few days, so this won't be super quick