* [PATCH] i386: define the 'flush_l1d' CPUID feature bit (CVE-2018-3646)
@ 2019-11-12  3:50 Kyle Copperfield via
  2019-11-12  9:51 ` Daniel P. Berrangé
  2019-11-12 11:48 ` no-reply
From: Kyle Copperfield via @ 2019-11-12  3:50 UTC
  To: qemu-devel; +Cc: Kyle Copperfield

New microcode introduces the "Flush L1D Cache" CPUID feature bit.
This needs to be exposed to guest OS to allow them to protect against
CVE-2018-3646.

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
---
 docs/qemu-cpu-models.texi | 7 +++++++
 target/i386/cpu.c         | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/docs/qemu-cpu-models.texi b/docs/qemu-cpu-models.texi
index f88a1def0d..1b5349d86a 100644
--- a/docs/qemu-cpu-models.texi
+++ b/docs/qemu-cpu-models.texi
@@ -180,6 +180,13 @@ Must be explicitly turned on for all Intel CPU models.
 Requires the host CPU microcode to support this feature before it
 can be used for guest CPUs.
 
+@item @code{flush_l1d}
+
+Required to enable strong Foreshadow-NG (VMM) (CVE-2018-3646) fixes in
+guests.
+
+Requires the host CPU microcode to support this feature before it
+can be used for guest CPUs.
 
 @item @code{ssbd}
 
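Review bot: the justification added under @code{flush_l1d}, that it is "Required to enable strong Foreshadow-NG (VMM) (CVE-2018-3646) fixes in guests", is not established: the replies in this thread say the L1D flush is only needed in the L0 hypervisor and that a guest could not act on the bit until KVM allows guest writes to MSR_IA32_FLUSH_CMD, so the entry should state only what advertising the CPUID bit does, or the patch should name the guest-side mitigation it enables. The name inside @code{} must also match the string registered in target/i386/cpu.c, which this patch spells with an underscore while the neighbouring names there are hyphenated; use the hyphenated form in both places. Since the diffstat shows no CPU model definition is touched, the entry should also carry the "Must be explicitly turned on for all Intel CPU models." sentence that the preceding entry has.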
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index a624163ac2..1fb6d677e2 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1083,7 +1083,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
             NULL, NULL, NULL /* pconfig */, NULL,
             NULL, NULL, NULL, NULL,
             NULL, NULL, "spec-ctrl", "stibp",
-            NULL, "arch-capabilities", "core-capability", "ssbd",
+            "flush_l1d", "arch-capabilities", "core-capability", "ssbd",
         },
         .cpuid = {
             .eax = 7,
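Review bot: "flush_l1d" will trip the assertion in x86_cpu_register_feature_bit_props, which rejects any feature name containing '_' (the Patchew run in this thread aborts at target/i386/cpu.c:5896 on exactly that check, taking the x86_64 qtests and 20 of 108 iotests down with it); the other names in this row, "spec-ctrl", "arch-capabilities" and "core-capability", are hyphenated, so use "flush-l1d". The slot itself is right: this row is CPUID.(EAX=7,ECX=0):EDX bits 28 to 31 and bit 28 is Intel's L1D_FLUSH. Naming the bit only lets QEMU advertise it to the guest; nothing here changes whether KVM lets the guest write MSR_IA32_FLUSH_CMD, which Paolo's reply says is also required, so with this patch alone the feature would be visible without being usable.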
-- 
2.24.0




* Re: [PATCH] i386: define the 'flush_l1d' CPUID feature bit (CVE-2018-3646)
  2019-11-12  3:50 [PATCH] i386: define the 'flush_l1d' CPUID feature bit (CVE-2018-3646) Kyle Copperfield via
@ 2019-11-12  9:51 ` Daniel P. Berrangé
  2019-11-12 10:15   ` Paolo Bonzini
  2019-11-12 11:48 ` no-reply
From: Daniel P. Berrangé @ 2019-11-12  9:51 UTC
  To: Kyle Copperfield, Paolo Bonzini; +Cc: qemu-devel

On Tue, Nov 12, 2019 at 03:50:43AM +0000, Kyle Copperfield via wrote:
> New microcode introduces the "Flush L1D Cache" CPUID feature bit.
> This needs to be exposed to guest OS to allow them to protect against
> CVE-2018-3646.

My understanding was that this is only required in the L0 hypervisor,
not the guests or nested hypervisors, which is why QEMU hadn't already
exposed this feature when L1TF first went public.

Copying Paolo for a definitive answer on that though....

> 
> Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
> ---
>  docs/qemu-cpu-models.texi | 7 +++++++
>  target/i386/cpu.c         | 2 +-
>  2 files changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/docs/qemu-cpu-models.texi b/docs/qemu-cpu-models.texi
> index f88a1def0d..1b5349d86a 100644
> --- a/docs/qemu-cpu-models.texi
> +++ b/docs/qemu-cpu-models.texi
> @@ -180,6 +180,13 @@ Must be explicitly turned on for all Intel CPU models.
>  Requires the host CPU microcode to support this feature before it
>  can be used for guest CPUs.
>  
> +@item @code{flush_l1d}
> +
> +Required to enable strong Foreshadow-NG (VMM) (CVE-2018-3646) fixes in
> +guests.
> +
> +Requires the host CPU microcode to support this feature before it
> +can be used for guest CPUs.
>  
>  @item @code{ssbd}
>  
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index a624163ac2..1fb6d677e2 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -1083,7 +1083,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
>              NULL, NULL, NULL /* pconfig */, NULL,
>              NULL, NULL, NULL, NULL,
>              NULL, NULL, "spec-ctrl", "stibp",
> -            NULL, "arch-capabilities", "core-capability", "ssbd",
> +            "flush_l1d", "arch-capabilities", "core-capability", "ssbd",
>          },
>          .cpuid = {
>              .eax = 7,
> -- 
> 2.24.0
> 
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




* Re: [PATCH] i386: define the 'flush_l1d' CPUID feature bit (CVE-2018-3646)
  2019-11-12  9:51 ` Daniel P. Berrangé
@ 2019-11-12 10:15   ` Paolo Bonzini
From: Paolo Bonzini @ 2019-11-12 10:15 UTC
  To: Daniel P. Berrangé, Kyle Copperfield; +Cc: qemu-devel

On 12/11/19 10:51, Daniel P. Berrangé wrote:
> On Tue, Nov 12, 2019 at 03:50:43AM +0000, Kyle Copperfield via wrote:
>> New microcode introduces the "Flush L1D Cache" CPUID feature bit.
>> This needs to be exposed to guest OS to allow them to protect against
>> CVE-2018-3646.
> 
> My understanding was that this is only required in the L0 hypervisor,
> not the guests or nested hypervisors, which is why QEMU hadn't already
> exposed this feature when L1TF first went public.
> 
> Copying Paolo for a definitive answer on that though....

Correct; in fact in addition to this patch you would have to patch KVM
to allow guest writes to MSR_IA32_FLUSH_CMD.

Paolo

> 
>>
>> Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
>> ---
>>  docs/qemu-cpu-models.texi | 7 +++++++
>>  target/i386/cpu.c         | 2 +-
>>  2 files changed, 8 insertions(+), 1 deletion(-)
>>
>> diff --git a/docs/qemu-cpu-models.texi b/docs/qemu-cpu-models.texi
>> index f88a1def0d..1b5349d86a 100644
>> --- a/docs/qemu-cpu-models.texi
>> +++ b/docs/qemu-cpu-models.texi
>> @@ -180,6 +180,13 @@ Must be explicitly turned on for all Intel CPU models.
>>  Requires the host CPU microcode to support this feature before it
>>  can be used for guest CPUs.
>>  
>> +@item @code{flush_l1d}
>> +
>> +Required to enable strong Foreshadow-NG (VMM) (CVE-2018-3646) fixes in
>> +guests.
>> +
>> +Requires the host CPU microcode to support this feature before it
>> +can be used for guest CPUs.
>>  
>>  @item @code{ssbd}
>>  
>> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
>> index a624163ac2..1fb6d677e2 100644
>> --- a/target/i386/cpu.c
>> +++ b/target/i386/cpu.c
>> @@ -1083,7 +1083,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
>>              NULL, NULL, NULL /* pconfig */, NULL,
>>              NULL, NULL, NULL, NULL,
>>              NULL, NULL, "spec-ctrl", "stibp",
>> -            NULL, "arch-capabilities", "core-capability", "ssbd",
>> +            "flush_l1d", "arch-capabilities", "core-capability", "ssbd",
>>          },
>>          .cpuid = {
>>              .eax = 7,
>> -- 
>> 2.24.0
>>
>>
> 
> Regards,
> Daniel
> 



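As an added example (not code from the patch, from QEMU or from anyone in the thread), the C program below probes CPUID.(EAX=7,ECX=0):EDX, the word the patch's feature_word_info row covers, reports whether L1D_FLUSH (bit 28) is advertised to whatever is running it (bare-metal host or a guest's vCPU), decodes the neighbouring bits under the QEMU names visible in the hunk, and mirrors the no-underscore feature-name check that made the Patchew run abort. The hyphenated spelling "flush-l1d" is an assumption about what a mergeable version of the patch would use, not a name the thread settles on; the MSR_IA32_FLUSH_CMD number (0x10b) and its L1D_FLUSH command bit come from Intel's documentation, and the program only prints them because WRMSR is privileged and, as Paolo's reply notes, a guest's write would also need KVM to permit it.

```c
/* Added example: probe and decode CPUID leaf 7 EDX for the L1D_FLUSH bit
 * and check QEMU feature-name spelling. Not QEMU code. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Bit positions in CPUID.(EAX=7,ECX=0):EDX (Intel SDM vol. 2A, CPUID).
 * The patch's table row names bits 28..31 of this word. */
#define CPUID7_EDX_SPEC_CTRL         (1u << 26)
#define CPUID7_EDX_STIBP             (1u << 27)
#define CPUID7_EDX_L1D_FLUSH         (1u << 28)  /* the bit the patch adds */
#define CPUID7_EDX_ARCH_CAPABILITIES (1u << 29)
#define CPUID7_EDX_CORE_CAPABILITY   (1u << 30)
#define CPUID7_EDX_SSBD              (1u << 31)

/* MSR_IA32_FLUSH_CMD: writing bit 0 flushes the L1 data cache. WRMSR is
 * privileged, so only a kernel or hypervisor can issue it, and a guest's
 * write is only honoured if the hypervisor (KVM) passes it through. */
#define MSR_IA32_FLUSH_CMD 0x10bu
#define L1D_FLUSH_CMD      0x1u

struct feat {
    uint32_t mask;
    const char *name;   /* QEMU "-cpu ...,+name" property name */
};

/* Names as they appear in the hunk; "flush-l1d" is an assumed spelling. */
static const struct feat feats[] = {
    { CPUID7_EDX_SPEC_CTRL,         "spec-ctrl" },
    { CPUID7_EDX_STIBP,             "stibp" },
    { CPUID7_EDX_L1D_FLUSH,         "flush-l1d" },
    { CPUID7_EDX_ARCH_CAPABILITIES, "arch-capabilities" },
    { CPUID7_EDX_CORE_CAPABILITY,   "core-capability" },
    { CPUID7_EDX_SSBD,              "ssbd" },
};

/* Mirror of the check that aborted the Patchew run: QEMU feature property
 * names must not contain '_' (x86_cpu_register_feature_bit_props asserts
 * !strchr(name, '_')). Returns 1 if the name would be accepted. */
int feature_name_ok(const char *name)
{
    return name != NULL && *name != '\0' && strchr(name, '_') == NULL;
}

/* Returns 1 if the L1D_FLUSH bit is set in a leaf-7 EDX word. */
int edx_has_l1d_flush(uint32_t edx)
{
    return (edx & CPUID7_EDX_L1D_FLUSH) != 0;
}

/* Writes a comma-separated list of the set bits' QEMU names into out.
 * Returns how many names were written. */
int decode_leaf7_edx(uint32_t edx, char *out, size_t outlen)
{
    int n = 0;
    size_t used = 0;
    if (outlen == 0)
        return 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof feats / sizeof feats[0]; i++) {
        if (!(edx & feats[i].mask))
            continue;
        int w = snprintf(out + used, outlen - used, "%s%s",
                         n ? "," : "", feats[i].name);
        if (w < 0 || (size_t)w >= outlen - used)
            break;          /* truncated: stop rather than overrun */
        used += (size_t)w;
        n++;
    }
    return n;
}

/* Reads CPUID.(EAX=7,ECX=0):EDX from the CPU (or vCPU) running us.
 * Returns 1 and fills *edx, or 0 on non-x86 builds / leaf 7 absent. */
int read_leaf7_edx(uint32_t *edx)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (__get_cpuid_max(0, NULL) < 7)
        return 0;
    __cpuid_count(7, 0, a, b, c, d);
    *edx = d;
    return 1;
#else
    (void)edx;
    return 0;
#endif
}

int main(void)
{
    uint32_t edx;
    char buf[128];
    if (!read_leaf7_edx(&edx)) {
        puts("CPUID leaf 7 not available on this CPU or build");
        return 1;
    }
    decode_leaf7_edx(edx, buf, sizeof buf);
    printf("CPUID.7.0:EDX = 0x%08x  [%s]\n", edx, buf);
    printf("L1D_FLUSH advertised: %s\n", edx_has_l1d_flush(edx) ? "yes" : "no");
    printf("guest-side flush would be WRMSR 0x%x <- 0x%x (needs KVM pass-through)\n",
           MSR_IA32_FLUSH_CMD, L1D_FLUSH_CMD);
    return 0;
}
```

Run it once on the host and once inside a guest started with the patched QEMU: the host line shows what the microcode exposes, the guest line shows what the CPU model actually passed through, and a "yes" in the guest still says nothing about whether the write to MSR_IA32_FLUSH_CMD is accepted, which is the KVM-side half of the thread's objection.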

* Re: [PATCH] i386: define the 'flush_l1d' CPUID feature bit (CVE-2018-3646)
  2019-11-12  3:50 [PATCH] i386: define the 'flush_l1d' CPUID feature bit (CVE-2018-3646) Kyle Copperfield via
  2019-11-12  9:51 ` Daniel P. Berrangé
@ 2019-11-12 11:48 ` no-reply
From: no-reply @ 2019-11-12 11:48 UTC
  To: qemu-devel; +Cc: kmcopper, qemu-devel

Patchew URL: https://patchew.org/QEMU/20191112035043.54600-1-kmcopper@danwin1210.me/



Hi,

This series failed the docker-quick@centos7 build test. Please find the testing commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

=== TEST SCRIPT BEGIN ===
#!/bin/bash
make docker-image-centos7 V=1 NETWORK=1
time make docker-test-quick@centos7 SHOW_ENV=1 J=14 NETWORK=1
=== TEST SCRIPT END ===

qemu-system-x86_64: /tmp/qemu-test/src/target/i386/cpu.c:5896: x86_cpu_register_feature_bit_props: Assertion `!(__extension__ (__builtin_constant_p ('_') && !__builtin_constant_p (name) && ('_') == '\0' ? (char *) __rawmemchr (name, '_') : __builtin_strchr (name, '_')))' failed.
Broken pipe
/tmp/qemu-test/src/tests/libqtest.c:149: kill_qemu() detected QEMU death from signal 6 (Aborted) (core dumped)
ERROR - too few tests run (expected 3, got 0)
make: *** [check-qtest-x86_64] Error 1
make: *** Waiting for unfinished jobs....
  TEST    check-qtest-aarch64: tests/numa-test
  TEST    check-unit: tests/check-block-qdict
---
 Testing:
 QEMU X.Y.Z monitor - type 'help' for more information
-(qemu) savevm snap0
-Error: No block device can accept snapshots
-(qemu) info snapshots
-No available block device supports snapshots
-(qemu) loadvm snap0
-Error: No block device supports snapshots
-(qemu) quit
+(qemu) QEMU_PROG: TEST_DIR/src/target/i386/cpu.c:5896: x86_cpu_register_feature_bit_props: Assertion `!(__extension__ (__builtin_constant_p ('_') && !__builtin_constant_p (name) && ('_') == '\0' ? (char *) __rawmemchr (name, '_') : __builtin_strchr (name, '_')))' failed.
+./common.rc: line 121:  3783 Aborted                 (core dumped) ( if [ -n "${QEMU_NEED_PID}" ]; then
---
 Testing: -drive driver=file,file=TEST_DIR/t.IMGFMT,if=none
 QEMU X.Y.Z monitor - type 'help' for more information
-(qemu) savevm snap0
-Error: Device 'none0' is writable but does not support snapshots
-(qemu) info snapshots
-No available block device supports snapshots
-(qemu) loadvm snap0
-Error: Device 'none0' is writable but does not support snapshots
-(qemu) quit
+(qemu) QEMU_PROG: TEST_DIR/src/target/i386/cpu.c:5896: x86_cpu_register_feature_bit_props: Assertion `!(__extension__ (__builtin_constant_p ('_') && !__builtin_constant_p (name) && ('_') == '\0' ? (char *) __rawmemchr (name, '_') : __builtin_strchr (name, '_')))' failed.
+./common.rc: line 121:  3813 Aborted                 (core dumped) ( if [ -n "${QEMU_NEED_PID}" ]; then
---
 Testing: -drive driver=file,file=TEST_DIR/t.IMGFMT,if=virtio
 QEMU X.Y.Z monitor - type 'help' for more information
-(qemu) savevm snap0
-Error: Device 'virtio0' is writable but does not support snapshots
-(qemu) info snapshots
-No available block device supports snapshots
-(qemu) loadvm snap0
-Error: Device 'virtio0' is writable but does not support snapshots
-(qemu) quit
+(qemu) QEMU_PROG: TEST_DIR/src/target/i386/cpu.c:5896: x86_cpu_register_feature_bit_props: Assertion `!(__extension__ (__builtin_constant_p ('_') && !__builtin_constant_p (name) && ('_') == '\0' ? (char *) __rawmemchr (name, '_') : __builtin_strchr (name, '_')))' failed.
+./common.rc: line 121:  3905 Aborted                 (core dumped) ( if [ -n "${QEMU_NEED_PID}" ]; then
---
 Testing: -blockdev driver=file,filename=TEST_DIR/t.IMGFMT,node-name=file
 QEMU X.Y.Z monitor - type 'help' for more information
-(qemu) savevm snap0
-Error: Device '' is writable but does not support snapshots
-(qemu) info snapshots
-No available block device supports snapshots
-(qemu) loadvm snap0
-Error: Device '' is writable but does not support snapshots
-(qemu) quit
+(qemu) QEMU_PROG: TEST_DIR/src/target/i386/cpu.c:5896: x86_cpu_register_feature_bit_props: Assertion `!(__extension__ (__builtin_constant_p ('_') && !__builtin_constant_p (name) && ('_') == '\0' ? (char *) __rawmemchr (name, '_') : __builtin_strchr (name, '_')))' failed.
+./common.rc: line 121:  3963 Aborted                 (core dumped) ( if [ -n "${QEMU_NEED_PID}" ]; then
---
  TEST    iotest-qcow2: 268
Failures: 060 071 099 117 120 140 141 143 156 161 172 176 184 186 191 192 195 229 249 267
Failed 20 of 108 iotests
make: *** [check-tests/check-block.sh] Error 1
  TEST    check-qtest-aarch64: tests/test-hmp
  TEST    check-qtest-aarch64: tests/qos-test
Traceback (most recent call last):
---
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['sudo', '-n', 'docker', 'run', '--label', 'com.qemu.instance.uuid=9a7271ca31ae40eba9ab5405c4c0f28e', '-u', '1001', '--security-opt', 'seccomp=unconfined', '--rm', '-e', 'TARGET_LIST=', '-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 'J=14', '-e', 'DEBUG=', '-e', 'SHOW_ENV=1', '-e', 'CCACHE_DIR=/var/tmp/ccache', '-v', '/home/patchew/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', '/var/tmp/patchew-tester-tmp-fgz2lauj/src/docker-src.2019-11-12-06.38.00.21021:/var/tmp/qemu:z,ro', 'qemu:centos7', '/var/tmp/qemu/run', 'test-quick']' returned non-zero exit status 2.
filter=--filter=label=com.qemu.instance.uuid=9a7271ca31ae40eba9ab5405c4c0f28e
make[1]: *** [docker-run] Error 1
make[1]: Leaving directory `/var/tmp/patchew-tester-tmp-fgz2lauj/src'
make: *** [docker-run-test-quick@centos7] Error 2

real    10m24.785s
user    0m8.285s


The full log is available at
http://patchew.org/logs/20191112035043.54600-1-kmcopper@danwin1210.me/testing.docker-quick@centos7/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-devel@redhat.com

