On Mon, May 11, 2026 at 10:50 PM Zishun Yi <[email protected]> wrote:
>
> Currently, the Machine Security Configuration Register (mseccfg) was
> missing from the live migration state. This omission causes the register
> to be reset to zero on the destination host after migration.
>
> Fixed by adding vmstate_mseccfg subsection
>
> This vulnerability was discovered and reported by SpecHunter, an
> AI-driven architecture specification analysis tool.
>
> Link:
> https://github.com/yizishun/rv-isa-sec/blob/a22e4459cd026ae970791dfbd9cfe5d110fbd46b/output/riscv-isa-manual/pr-1879/qemu.txt#L121
> Signed-off-by: Zishun Yi <[email protected]>
Thanks!
Applied to riscv-to-apply.next
Alistair
> ---
> target/riscv/machine.c | 20 ++++++++++++++++++++
> 1 file changed, 20 insertions(+)
>
> diff --git a/target/riscv/machine.c b/target/riscv/machine.c
> index 09c032a87914..6776e7bf5a11 100644
> --- a/target/riscv/machine.c
> +++ b/target/riscv/machine.c
> @@ -423,6 +423,25 @@ static const VMStateDescription vmstate_sstc = {
> }
> };
>
> +static bool mseccfg_needed(void *opaque)
> +{
> + RISCVCPU *cpu = opaque;
> +
> + return cpu->cfg.ext_smepmp || cpu->cfg.ext_zkr
> + || cpu->cfg.ext_smmpm || cpu->cfg.ext_zicfilp;
> +}
> +
> +static const VMStateDescription vmstate_mseccfg = {
> + .name = "cpu/mseccfg",
> + .version_id = 1,
> + .minimum_version_id = 1,
> + .needed = mseccfg_needed,
> + .fields = (const VMStateField[]) {
> + VMSTATE_UINTTL(env.mseccfg, RISCVCPU),
> + VMSTATE_END_OF_LIST()
> + }
> +};
> +
> const VMStateDescription vmstate_riscv_cpu = {
> .name = "cpu",
> .version_id = 11,
> @@ -499,6 +518,7 @@ const VMStateDescription vmstate_riscv_cpu = {
> &vmstate_ssp,
> &vmstate_ctr,
> &vmstate_sstc,
> + &vmstate_mseccfg,
> NULL
> }
> };
> --
> 2.51.2
>
>
