https://bugs.launchpad.net/bugs/2097605 was released, so I'm removing
the block-proposed tag.
** Tags removed: block-proposed-noble block-proposed-oracular
** Description changed:
[Impact]
According to AMD's Speculative Return Stack Overflow whitepaper the
hypervisor should synthesize the value of IBPB_BRTYPE and SBPB CPUID
bits to the guest.
Support for this is already present in noble kernel with commit
e47d86083c66 ("KVM: x86: Add SBPB support") and commit 6f0f23ef76be
("KVM: x86: Add IBPB_BRTYPE support").
Add support in QEMU to expose the bits to the guest OS.
[Test Plan]
* First of all we'll (and have in advance) run general regression tests
* Qemu shall show to be aware of the new flags
- #qemu-system-x86_64 -cpu ? | grep -E 'sbpb|ibpb-brtype'
+ #qemu-system-x86_64 -cpu \? | grep -E 'sbpb|ibpb-brtype'
gfni hle ht hypervisor ia64 ibpb ibpb-brtype ibrs ibrs-all ibs intel-pt
sbdr-ssdp-no sbpb sep serialize sgx sgx-aex-notify sgx-debug sgx-edeccssa
* host:
# cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
Mitigation: Safe RET
* before (guest):
$ cpuid -l 0x80000021 -1 -r
0x80000021 0x00: eax=0x00000045 ebx=0x00000000 ecx=0x00000000
edx=0x00000000
^
$ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
Vulnerable: Safe RET, no microcode
* after (guest) with CPU flags added:
$ cpuid -l 0x80000021 -1 -r
0x80000021 0x00: eax=0x18000045 ebx=0x00000000 ecx=0x00000000
edx=0x00000000
^
$ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
Mitigation: Safe RET
[Where problems could occur]
* None to be expected as these flags are not (yet) included in any
predefined CPU model
- * Synthesizing the value of IBPB_BRTYPE and SBPB CPUID bits to the guest
could have side-effects when migrating guests between fixed<->unfixed systems.
Therefore, we executed the lengthy Server-team regression tests on two
different testflinger machines that have the affected chipset, using a PPA
build:
+ * Synthesizing the value of IBPB_BRTYPE and SBPB CPUID bits to the guest
could have side-effects when migrating guests between fixed<->unfixed systems.
Therefore, we executed the lengthy Server-team regression tests on two
different testflinger machines that have the affected chipset, using a PPA
build:
- AMD ROME, fleep/Noble: https://pastebin.canonical.com/p/VS374ffdN6/
- AMD Milan, ziptoad/Oracular: https://pastebin.canonical.com/p/XhQnyPQxG9/
- => Test results are looking good and only showed failures on
+ => Test results are looking good and only showed failures on
focal->jammy cross-test migrations (which we didn't touch with this SRU)
and some other, unsupported edge cases (e.g. noble->jammy & jammy->focal
downgrade migrations). Therefore, we do not expect any side-effects from
this SRU upload! See details in:
https://code.launchpad.net/~slyon/ubuntu/+source/qemu/+git/qemu/+merge/483036
---
Relevant patches needed for qemu 8.2 in noble:
target/i386: Expose IBPB-BRTYPE and SBPB CPUID bits to the guest:
*
https://gitlab.com/qemu-project/qemu/-/commit/0701abbf9880b5ab1cf44e0caa6ad173aec840e7.patch
target/i386: Fix minor typo in NO_NESTED_DATA_BP feature bit:
*
https://gitlab.com/qemu-project/qemu/-/commit/9c882ad4dc96f658ff9f92b88b3749d0398e6fa2.patch
target/i386: Expose bits related to SRSO vulnerability
*
https://gitlab.com/qemu-project/qemu/-/commit/2ec282b8eaaddf5c136f7566b5f61d80288a2065.patch
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2101944
Title:
Expose bits related to SRSO vulnerability
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/2101944/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
