Hi folks on the list: I'm testing the latest Downfall CPU vulnerability mitigation. What I notice is that when both host and guest are using a patched kernel + microcode (e.g. kernel 5.15.125 + intel-microcode 20230808) on an affected server (e.g. an Icelake server), the mitigation status inside the guest is:
Vulnerabilities:
  Gather data sampling:   Unknown: Dependent on hypervisor status   -----------------------------------> this one
  Itlb multihit:          Not affected
  L1tf:                   Not affected
  Mds:                    Not affected
  Meltdown:               Not affected
  Mmio stale data:        Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
  Retbleed:               Not affected
  Spec rstack overflow:   Not affected
  Spec store bypass:      Mitigation; Speculative Store Bypass disabled via prctl and seccomp
  Spectre v1:             Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:             Mitigation; Enhanced IBRS, IBPB conditional, RSB filling, PBRSB-eIBRS SW sequence
  Srbds:                  Not affected
  Tsx async abort:        Not affected

According to the kernel commit below:

commit 81ac7e5d741742d650b4ed6186c4826c1a0631a7
Author: Daniel Sneddon <daniel.sned...@linux.intel.com>
Date:   Wed Jul 12 19:43:14 2023 -0700

    KVM: Add GDS_NO support to KVM

    Gather Data Sampling (GDS) is a transient execution attack using
    gather instructions from the AVX2 and AVX512 extensions. This attack
    allows malicious code to infer data that was previously stored in
    vector registers. Systems that are not vulnerable to GDS will set the
    GDS_NO bit of the IA32_ARCH_CAPABILITIES MSR. This is useful for VM
    guests that may think they are on vulnerable systems that are, in
    fact, not affected. Guests that are running on affected hosts where
    the mitigation is enabled are protected as if they were running on an
    unaffected system.

    On all hosts that are not affected or that are mitigated, set the
    GDS_NO bit.

    Signed-off-by: Daniel Sneddon <daniel.sned...@linux.intel.com>
    Signed-off-by: Dave Hansen <dave.han...@linux.intel.com>
    Acked-by: Josh Poimboeuf <jpoim...@kernel.org>

KVM also has support for GDS_NO, but it seems the qemu side doesn't pass the info to the guest; that's why it is unknown. IMO qemu should pass GDS_NO if the host is already patched. Is Intel or anyone already working on the qemu patch?

I know it's not a must, but it's good to do. Thx!

Jinpu Wang @ IONOS Cloud
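Added example (not from the mail above or from the qemu/KVM projects): a small guest-side checker for the situation described. It reads the gather_data_sampling sysfs entry and, when the kernel reports "Unknown: Dependent on hypervisor status", reads IA32_ARCH_CAPABILITIES (MSR 0x10a) through the msr module to see whether the hypervisor is exposing GDS_NO. The sysfs path, the MSR address and the bit positions (GDS_CTRL bit 25, GDS_NO bit 26, as in Linux's msr-index.h) are assumptions of this example, not values stated in the mail.

```python
import os
import struct

# Bit positions follow the Linux arch/x86 msr-index.h definitions (assumed here).
IA32_ARCH_CAPABILITIES = 0x10A
ARCH_CAP_GDS_CTRL = 1 << 25   # microcode exposes the GDS mitigation control
ARCH_CAP_GDS_NO = 1 << 26     # CPU (or hypervisor on its behalf) says GDS not affected
SYSFS_GDS = "/sys/devices/system/cpu/vulnerabilities/gather_data_sampling"


def classify_gds_status(text: str) -> str:
    """Map the kernel's gather_data_sampling string to a coarse verdict."""
    status = text.strip()
    if status.startswith("Not affected") or status.startswith("Mitigation"):
        return "protected"
    if status.startswith("Unknown"):
        return "unknown"  # the guest cannot tell; the hypervisor must pass GDS_NO
    return "vulnerable"


def decode_arch_capabilities(value: int) -> dict:
    """Extract the GDS-related bits from an IA32_ARCH_CAPABILITIES value."""
    return {"gds_ctrl": bool(value & ARCH_CAP_GDS_CTRL),
            "gds_no": bool(value & ARCH_CAP_GDS_NO)}


def read_msr(addr: int, cpu: int = 0) -> int:
    """Read one 64-bit MSR through the msr module (needs root and `modprobe msr`)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, addr))[0]
    finally:
        os.close(fd)


def main() -> None:
    with open(SYSFS_GDS) as f:
        status = f.read()
    verdict = classify_gds_status(status)
    print(f"gather_data_sampling: {status.strip()} -> {verdict}")
    if verdict == "unknown":
        bits = decode_arch_capabilities(read_msr(IA32_ARCH_CAPABILITIES))
        print("IA32_ARCH_CAPABILITIES GDS_NO:", bits["gds_no"],
              "(False means the hypervisor is not passing GDS_NO to this guest)")


if __name__ == "__main__":
    main()
```

Running it as root inside the guest described above should print the "unknown" verdict followed by GDS_NO False until qemu forwards the bit; on the patched host itself the sysfs entry already reads "Mitigation: Microcode".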