On Mon, May 11, 2026 at 10:50 PM Zishun Yi <[email protected]> wrote:
>
> Currently, the Machine Security Configuration Register (mseccfg) was
> missing from the live migration state. This omission causes the register
> to be reset to zero on the destination host after migration.
>
> Fixed by adding vmstate_mseccfg subsection
>
> This vulnerability was discovered and reported by SpecHunter, an
> AI-driven architecture specification analysis tool.
>
> Link:
> https://github.com/yizishun/rv-isa-sec/blob/a22e4459cd026ae970791dfbd9cfe5d110fbd46b/output/riscv-isa-manual/pr-1879/qemu.txt#L121
> Signed-off-by: Zishun Yi <[email protected]>

Reviewed-by: Alistair Francis <[email protected]> Alistair > --- > target/riscv/machine.c | 20 ++++++++++++++++++++ > 1 file changed, 20 insertions(+) > > diff --git a/target/riscv/machine.c b/target/riscv/machine.c > index 09c032a87914..6776e7bf5a11 100644 > --- a/target/riscv/machine.c > +++ b/target/riscv/machine.c > @@ -423,6 +423,25 @@ static const VMStateDescription vmstate_sstc = { > } > }; > > +static bool mseccfg_needed(void *opaque) > +{ > + RISCVCPU *cpu = opaque; > + > + return cpu->cfg.ext_smepmp || cpu->cfg.ext_zkr > + || cpu->cfg.ext_smmpm || cpu->cfg.ext_zicfilp; > +} > + > +static const VMStateDescription vmstate_mseccfg = { > + .name = "cpu/mseccfg", > + .version_id = 1, > + .minimum_version_id = 1, > + .needed = mseccfg_needed, > + .fields = (const VMStateField[]) { > + VMSTATE_UINTTL(env.mseccfg, RISCVCPU), > + VMSTATE_END_OF_LIST() > + } > +}; > + > const VMStateDescription vmstate_riscv_cpu = { > .name = "cpu", > .version_id = 11, > @@ -499,6 +518,7 @@ const VMStateDescription vmstate_riscv_cpu = { > &vmstate_ssp, > &vmstate_ctr, > &vmstate_sstc, > + &vmstate_mseccfg, > NULL > } > }; > -- > 2.51.2 > >
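
Review bot: In mseccfg_needed(), the four cfg flags (ext_smepmp, ext_zkr, ext_smmpm, ext_zicfilp) are listed with no comment saying which mseccfg fields each one gates, so the predicate will silently go stale if another extension later starts using this register, and its state would again be dropped on migration. Please add a short comment above the function naming the fields behind each flag, or consider a value-based test such as `return cpu->env.mseccfg != 0;`, which sends the subsection exactly when the reset-to-zero value on the destination would be wrong and leaves the stream unchanged for guests that never wrote the register.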
