Re: Encrypted Message

[Thomas Gleixner <tglx@linutronix.de>]

On Mon, 4 Mar 2019, speck for Jon Masters wrote:

> > That said: Virtual Machines Will Eventually Receive Vaccine
> 
> The effect of this patch, currently, is that a (bare metal) machine
> without updated ucode will print the following:
> 
> [    1.576602] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
> 
> The intention of the patch is to say "hey, you might be on a VM, so
> we'll try anyway in case we didn't get told you had MD_CLEAR". But the
> effect on bare metal might be ambiguous. It's reasonable (for someone
> else) to assume we might be using a software sequence to try flushing.
> 
> Perhaps the wording should convey something like:
> 
> "MDS: Vulnerable: Clear CPU buffers may not work, no microcode"

Yeah, we also could do something like the delta patch below:

Thanks,

	tglx

8<------------------

--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -228,18 +228,28 @@ static const char * const mds_strings[]
 	[MDS_MITIGATION_VMWERV]	= "Vulnerable: Clear CPU buffers attempted, no microcode",
 };
 
-static void mds_select_mitigation(void)
+static void __init mds_check_md_clear(void)
+{
+	if (!boot_cpu_has(X86_FEATURE_MD_CLEAR)) {
+		if (hypervisor_is_type(X86_HYPER_NATIVE)) {
+			mds_mitigation = MDS_MITIGATION_OFF;
+			return;
+		}
+		mds_mitigation = MDS_MITIGATION_VMWERV;
+	}
+	static_branch_enable(&mds_user_clear);
+}
+
+static void __init mds_select_mitigation(void)
 {
 	if (!boot_cpu_has_bug(X86_BUG_MDS)) {
 		mds_mitigation = MDS_MITIGATION_OFF;
 		return;
 	}
 
-	if (mds_mitigation == MDS_MITIGATION_FULL) {
-		if (!boot_cpu_has(X86_FEATURE_MD_CLEAR))
-			mds_mitigation = MDS_MITIGATION_VMWERV;
-		static_branch_enable(&mds_user_clear);
-	}
+	if (mds_mitigation == MDS_MITIGATION_FULL)
+		mds_check_md_clear();
+
 	pr_info("%s\n", mds_strings[mds_mitigation]);
 }