From 0701abbf9880b5ab1cf44e0caa6ad173aec840e7 Mon Sep 17 00:00:00 2001 From: Fabiano Rosas Date: Mon, 5 Aug 2024 17:20:41 -0300 Subject: [PATCH] target/i386: Expose IBPB-BRTYPE and SBPB CPUID bits to the guest According to AMD's Speculative Return Stack Overflow whitepaper (link below), the hypervisor should synthesize the value of IBPB_BRTYPE and SBPB CPUID bits to the guest. Support for this is already present in the kernel with commit e47d86083c66 ("KVM: x86: Add SBPB support") and commit 6f0f23ef76be ("KVM: x86: Add IBPB_BRTYPE support"). Add support in QEMU to expose the bits to the guest OS. host: # cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Mitigation: Safe RET before (guest): $ cpuid -l 0x80000021 -1 -r 0x80000021 0x00: eax=0x00000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000 ^ $ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Vulnerable: Safe RET, no microcode after (guest): $ cpuid -l 0x80000021 -1 -r 0x80000021 0x00: eax=0x18000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000 ^ $ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow Mitigation: Safe RET Reported-by: Fabian Vogt Link: https://www.amd.com/content/dam/amd/en/documents/corporate/cr/speculative-return-stack-overflow-whitepaper.pdf Signed-off-by: Fabiano Rosas Link: https://lore.kernel.org/r/20240805202041.5936-1-farosas@suse.de Signed-off-by: Paolo Bonzini --- target/i386/cpu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 31f287cae0..ff227a8c5c 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -1221,8 +1221,8 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, + NULL, NULL, NULL, "sbpb", + "ibpb-brtype", NULL, NULL, NULL, }, .cpuid = { .eax = 0x80000021, .reg = R_EAX, }, .tcg_features = 0,