From: Paolo Bonzini <pbonzini@redhat.com>
To: Babu Moger <babu.moger@amd.com>, zhao1.liu@intel.com, bp@alien8.de
Cc: qemu-devel@nongnu.org, kvm@vger.kernel.org
Subject: Re: [PATCH v2 1/2] target/i386: Add TSA attack variants TSA-SQ and TSA-L1
Date: Thu, 9 Oct 2025 13:30:00 +0200
Message-ID: <86a16e8e-48ab-404f-9530-d21e5d30db4b@redhat.com>
In-Reply-To: <12881b2c03fa351316057ddc5f39c011074b4549.1752176771.git.babu.moger@amd.com>

On 7/10/25 21:46, Babu Moger wrote:
> Transient Scheduler Attacks (TSA) are new speculative side channel attacks
> related to the execution timing of instructions under specific
> microarchitectural conditions. In some cases, an attacker may be able to
> use this timing information to infer data from other contexts, resulting in
> information leakage.
>
> AMD has identified two variants of TSA.
> CPUID Fn8000_0021 ECX[1] (TSA_SQ_NO).
> If this bit is 1, the CPU is not vulnerable to TSA-SQ.
>
> CPUID Fn8000_0021 ECX[2] (TSA_L1_NO).
> If this bit is 1, the CPU is not vulnerable to TSA-L1.
>
> Add the new feature word FEAT_8000_0021_ECX and corresponding bits to
> detect TSA variants.

Applied, thanks.

Paolo

>
> Link: https://www.amd.com/content/dam/amd/en/documents/resources/bulletin/technical-guidance-for-mitigating-transient-scheduler-attacks.pdf
> Co-developed-by: Borislav Petkov (AMD) <bp@alien8.de>
> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
> Signed-off-by: Babu Moger <babu.moger@amd.com>
> ---
> v2: Split the patches into two.
> Not adding the feature bit in CPU model now. Users can add the feature
> bits by using the option "-cpu EPYC-Genoa,+tsa-sq-no,+tsa-l1-no".
>
> v1: https://lore.kernel.org/qemu-devel/20250709104956.GAaG5JVO-74EF96hHO@fat_crate.local/
> ---
> target/i386/cpu.c | 17 +++++++++++++++++
> target/i386/cpu.h | 6 ++++++
> 2 files changed, 23 insertions(+)
>
> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
> index 0d35e95430..2cd07b86b5 100644
> --- a/target/i386/cpu.c
> +++ b/target/i386/cpu.c
> @@ -1292,6 +1292,22 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
> .tcg_features = 0,
> .unmigratable_flags = 0,
> },
> + [FEAT_8000_0021_ECX] = {
> + .type = CPUID_FEATURE_WORD,
> + .feat_names = {
> + NULL, "tsa-sq-no", "tsa-l1-no", NULL,
> + NULL, NULL, NULL, NULL,
> + NULL, NULL, NULL, NULL,
> + NULL, NULL, NULL, NULL,
> + NULL, NULL, NULL, NULL,
> + NULL, NULL, NULL, NULL,
> + NULL, NULL, NULL, NULL,
> + NULL, NULL, NULL, NULL,
> + },
> + .cpuid = { .eax = 0x80000021, .reg = R_ECX, },
> + .tcg_features = 0,
> + .unmigratable_flags = 0,
> + },
> [FEAT_8000_0022_EAX] = {
> .type = CPUID_FEATURE_WORD,
> .feat_names = {
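
Review bot: in the new [FEAT_8000_0021_ECX] entry, ".unmigratable_flags = 0" leaves "tsa-sq-no" and "tsa-l1-no" migratable, yet both bits are "not vulnerable" statements about the underlying CPU, and a guest that skips a mitigation because it saw one of them cannot notice if it later runs on a host where the bit is clear. Since the v2 notes have users opt in with "-cpu EPYC-Genoa,+tsa-sq-no,+tsa-l1-no", please state in the commit message or in a comment on this entry that the flags should only be set when every host the guest may run on reports them. A short comment that ".tcg_features = 0" is deliberate (TCG guests never see either bit) would also help.
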
> @@ -7934,6 +7950,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
> *eax = *ebx = *ecx = *edx = 0;
> *eax = env->features[FEAT_8000_0021_EAX];
> *ebx = env->features[FEAT_8000_0021_EBX];
> + *ecx = env->features[FEAT_8000_0021_ECX];
> break;
> default:
> /* reserved values: zero */
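
Review bot: the added "*ecx = env->features[FEAT_8000_0021_ECX];" only reaches the guest when its maximum extended leaf covers 0x80000021, and nothing in this hunk shows that. Please confirm that adding "+tsa-sq-no" or "+tsa-l1-no" to a model with a lower extended level raises it, or mention the requirement next to the usage example in the v2 notes; otherwise the option is accepted but the guest still reads ECX as zero.
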
> diff --git a/target/i386/cpu.h b/target/i386/cpu.h
> index 51e10139df..6a9eb2dbf7 100644
> --- a/target/i386/cpu.h
> +++ b/target/i386/cpu.h
> @@ -641,6 +641,7 @@ typedef enum FeatureWord {
> FEAT_8000_0008_EBX, /* CPUID[8000_0008].EBX */
> FEAT_8000_0021_EAX, /* CPUID[8000_0021].EAX */
> FEAT_8000_0021_EBX, /* CPUID[8000_0021].EBX */
> + FEAT_8000_0021_ECX, /* CPUID[8000_0021].ECX */
> FEAT_8000_0022_EAX, /* CPUID[8000_0022].EAX */
> FEAT_C000_0001_EDX, /* CPUID[C000_0001].EDX */
> FEAT_KVM, /* CPUID[4000_0001].EAX (KVM_CPUID_FEATURES) */
> @@ -1124,6 +1125,11 @@ uint64_t x86_cpu_get_supported_feature_word(X86CPU *cpu, FeatureWord w);
> */
> #define CPUID_8000_0021_EBX_RAPSIZE (8U << 16)
>
> +/* CPU is not vulnerable TSA SA-SQ attack */
> +#define CPUID_8000_0021_ECX_TSA_SQ_NO (1U << 1)
> +/* CPU is not vulnerable TSA SA-L1 attack */
> +#define CPUID_8000_0021_ECX_TSA_L1_NO (1U << 2)
> +
> /* Performance Monitoring Version 2 */
> #define CPUID_8000_0022_EAX_PERFMON_V2 (1U << 0)
>
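
Review bot: both new comments in cpu.h misname the variant and drop a word: "CPU is not vulnerable TSA SA-SQ attack" should read "CPU is not vulnerable to TSA-SQ attack", and the second likewise with "TSA-L1", so they match the macro names CPUID_8000_0021_ECX_TSA_SQ_NO and CPUID_8000_0021_ECX_TSA_L1_NO and the commit message. Naming the bit positions (ECX[1], ECX[2]) in the comments, as the commit message does, would make the defines easier to check against the AMD bulletin.
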