From cf23dd9b24235f760e5eace729d5729538d61326 Mon Sep 17 00:00:00 2001
From: Takahiro Itazuri
Date: Wed, 3 Apr 2024 16:57:45 +0000
Subject: [PATCH] test: Only expect "Clear CPU buffers"

As mentioned in the comment of the exception dict, FLUSH_L1D is virtualized on kernel 6.4 or later, resulting in "Mitigation: Clear CPU buffers; SMT Host state unknown" rather than "Vulnerable: Clear CPU buffers attempted, no microcode".

To make the test pass both before and after the virtualization support of FLUSH_L1D, only expects "Clear CPU buffers" that is the common part of both.

Signed-off-by: Takahiro Itazuri
---
 .../security/test_vulnerabilities.py | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/tests/integration_tests/security/test_vulnerabilities.py b/tests/integration_tests/security/test_vulnerabilities.py
index 2b7d301d56d3..b22a76a2ab6a 100644
--- a/tests/integration_tests/security/test_vulnerabilities.py
+++ b/tests/integration_tests/security/test_vulnerabilities.py
@@ -387,11 +387,12 @@ def get_vuln_files_exception_dict(template):
     # https://github.com/torvalds/linux/commit/da3db168fb671f15e393b227f5c312c698ecb6ea
     # Thus, since the FLUSH_L1D bit is masked off prior to kernel v6.4, guests with
     # IA32_ARCH_CAPABILITIES.FB_CLEAR (bit 17) = 0 (like guests on Intel Skylake and guests with
-    # T2S template) fall onto the second hand of the condition and fail the test. The expected value
-    # "Vulnerable: Clear CPU buffers attempted, no microcode" means that the kernel is using the
-    # best effort mode which invokes the mitigation instructions (VERW in this case) without a
-    # guarantee that they clear the CPU buffers. If the host has the microcode update applied
-    # correctly, the mitigation works and it is safe to ignore the "Vulnerable" message.
+    # T2S template) fall onto the second hand of the condition and fail the test. The value is
+    # "Vulnerable: Clear CPU buffers attempted, no microcode" on guests on Intel Skylake and guests
+    # with T2S template but "Mitigation: Clear CPU buffers; SMT Host state unknown" on kernel v6.4
+    # or later. In any case, the kernel attempts to clear CPU buffers using VERW instruction and it
+    # is safe to ingore the "Vulnerable" message if the host has the microcode update applied
+    # correctly. Here we expect the common string "Clear CPU buffers" to cover both cases.
     #
     # Guest on Intel Skylake with C3 template
     # ---------------------------------------
@@ -409,9 +410,7 @@ def get_vuln_files_exception_dict(template):
     if global_props.cpu_codename == "INTEL_SKYLAKE" and template == "C3":
         exception_dict["mmio_stale_data"] = "Unknown: No mitigations"
     elif global_props.cpu_codename == "INTEL_SKYLAKE" or template == "T2S":
-        exception_dict[
-            "mmio_stale_data"
-        ] = "Vulnerable: Clear CPU buffers attempted, no microcode"
+        exception_dict["mmio_stale_data"] = "Clear CPU buffers"
     return exception_dict
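Review bot: The added comment line `# is safe to ingore the "Vulnerable" message if the host has the microcode update applied` has a typo; it should read `ignore`. Beyond that, the comment now documents that the expected value is relaxed to the common substring "Clear CPU buffers", which (presumably via a substring match in the consumer of exception_dict, not visible here) makes the test accept both the "Vulnerable:" best-effort prefix and the "Mitigation:" prefix, so the test no longer distinguishes a VERW attempt without microcode support from an actual mitigation, and the "if the host has the microcode update applied correctly" clause is an assumption the test does not check. I would state that limitation explicitly in the comment block, e.g. `# NOTE: matching only "Clear CPU buffers" means this test verifies that VERW is attempted, not that the` / `# host microcode actually makes it effective; host microcode currency must be verified elsewhere.` The enclosing function get_vuln_files_exception_dict starts before this hunk.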