x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests

commit 6c4dbbd14730c43f4ed808a9c42ca41625925c22 upstream

X86_FEATURE_MD_CLEAR is a new CPUID bit which is set when microcode
provides the mechanism to invoke a flush of various exploitable CPU buffers
by invoking the VERW instruction.

Hand it through to guests so they can adjust their mitigations.

This also requires corresponding qemu changes, which are available
separately.

[ tglx: Massaged changelog ]

Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Reviewed-by: Jon Masters <jcm@redhat.com>
Tested-by: Jon Masters <jcm@redhat.com>
(cherry picked from commit 0908473b20312b30f2600e4b16027d6c7facef4a)

Orabug: 29526900
CVE: CVE-2018-12126
CVE: CVE-2018-12130
CVE: CVE-2018-12127

Signed-off-by: Kanth Ghatraju <kanth.ghatraju@oracle.com>
Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Conflicts:
	arch/x86/kvm/cpuid.c
Different initial content of cpuid bits.

diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 58bfdbd02a61c39998c80cfe29b32a4c0f9eec04..93e6df26dbd91c36b3c0c76d9a1d169f72a3293d 100644 (file)
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -66,6 +66,7 @@ u64 kvm_supported_xcr0(void)
 
 
 /* CPUID[eax=0x80000008].ebx */
+#define KVM_CPUID_BIT_MD_CLEAR         10
 #define KVM_CPUID_BIT_IBPB_SUPPORT     12
 #define KVM_CPUID_BIT_VIRT_SSBD                25
 
@@ -368,7 +369,7 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
                F(XSAVEOPT) | F(XSAVEC) | F(XGETBV1) | f_xsaves;
 
        const u32 kvm_cpuid_7_0_edx_x86_features = KF(IBRS) | KF(STIBP) |
-               KF(IA32_ARCH_CAPS) | KF(SSBD);
+               KF(IA32_ARCH_CAPS) | KF(SSBD) | KF(MD_CLEAR);
 
        /* cpuid 0x80000008.ebx */
        const u32 kvm_cpuid_80000008_ebx_x86_features =
@@ -453,6 +454,8 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
                                entry->edx &= ~(1u << KVM_CPUID_BIT_STIBP);
                        if ( !boot_cpu_has(X86_FEATURE_SSBD) )
                                entry->edx &= ~(1u << KVM_CPUID_BIT_SSBD);
+                       if ( !boot_cpu_has(X86_FEATURE_MD_CLEAR) )
+                                entry->edx &= ~(1u << KVM_CPUID_BIT_MD_CLEAR);
                } else {
                        entry->ebx = 0;
                        entry->edx = 0;