Bug ID | 1228079 |
---|---|
Summary | SRSO mitigation in microcode not passed through KVM VMs |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | x86-64 |
URL | https://openqa.opensuse.org/tests/4344305/modules/journal_check/steps/9 |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Kernel |
Assignee | kernel-bugs@opensuse.org |
Reporter | fvogt@suse.com |
QA Contact | qa-bugs@suse.de |
CC | fvogt@suse.com, jeos-internal@suse.de, kernel-bugs@suse.de, mloviska@suse.com, nik.borisov@suse.com, tiwai@suse.com |
Depends on | 1227900 |
Target Milestone | --- |
Found By | openQA |
Blocker | Yes |
This is what bug 1227900 originally observed: Even though the host system loaded microcode with the feature enabled and uses it itself, guest systems think the functionality is not available. This may result in performance degradation.

Some investigation reveals that the X86_FEATURE_IBPB_BRTYPE CPU feature is set in the host kernel, but the guest kernel does not see it in cpuid.

+++ This bug was initially created as a clone of Bug #1227900 +++

## Observation

During the firstboot of the image, a journal log scan on Minimal-VM's cloud image[1] shows the errors/warnings below, which we have never noticed before on other images on which the same test case is executed. I cannot reproduce the issue on my local openQA running on an Intel machine. This snippet comes from an openSUSE worker (openqaworker20) running an AMD EPYC 7543 32-Core Processor.

```
Jul 16 04:26:30.176898 localhost> kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-6.9.9-1-default root=UUID=f6566395-dd79-43c7-9364-e040b2668a54 rw quiet systemd.show_status=1 console=ttyS0,115200 console=tty0 net.ifnames=0
> Jul 16 04:26:30.177796 localhost kernel: Calibrating delay loop (skipped) preset value.. 5602.32 BogoMIPS (lpj=9333326)
> Jul 16 04:26:30.177805 localhost kernel: x86/cpu: User Mode Instruction Prevention (UMIP) activated
> Jul 16 04:26:30.177814 localhost kernel: Last level iTLB entries: 4KB 512, 2MB 255, 4MB 127
> Jul 16 04:26:30.177823 localhost kernel: Last level dTLB entries: 4KB 512, 2MB 255, 4MB 127, 1GB 0
> Jul 16 04:26:30.177834 localhost kernel: Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
> Jul 16 04:26:30.177849 localhost kernel: Spectre V2 : Mitigation: Retpolines
> Jul 16 04:26:30.177859 localhost kernel: Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
> Jul 16 04:26:30.177869 localhost kernel: Spectre V2 : Spectre v2 / SpectreRSB : Filling RSB on VMEXIT
> Jul 16 04:26:30.177879 localhost kernel: Spectre V2 : Enabling Restricted Speculation for firmware calls
> Jul 16 04:26:30.177889 localhost kernel: Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
> Jul 16 04:26:30.177899 localhost kernel: Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl
> Jul 16 04:26:30.177908 localhost kernel: Speculative Return Stack Overflow: IBPB-extending microcode not applied!
> Jul 16 04:26:30.177919 localhost kernel: Speculative Return Stack Overflow: WARNING: See https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html for mitigation options.
> Jul 16 04:26:30.177929 localhost kernel: Speculative Return Stack Overflow: Vulnerable: Safe RET, no microcode
> Jul 16 04:26:30.177939 localhost kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
```

Except for the presence of these messages in the boot log, the test results do not show any other related issues.

## Tested image

[1] openSUSE-Tumbleweed-Minimal-VM.x86_64-1.0.0-Cloud-Snapshot20240714.qcow2

openQA test in scenario opensuse-Tumbleweed-JeOS-for-OpenStack-Cloud-x86_64-jeos-no-cloud@64bit_virtio fails in [journal_check](https://openqa.opensuse.org/tests/4344305/modules/journal_check/steps/9)

## Reproducible

The image was never tested before in openQA
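
The following is an added example, not part of the bug report or of openQA's journal_check: a small parser that extracts the kernel's per-issue mitigation status from journal text and flags issues the host reports as mitigated while the guest reports them as vulnerable, which is the mismatch described above. The guest lines are taken from the log in this report; the host lines are constructed for illustration and assume a host with the microcode applied.

```python
import re

# Guest lines are copied from the report above. The host lines are constructed
# (assumption: a host that has the SRSO microcode applied reports "Safe RET").
GUEST_JOURNAL = """\
Jul 16 04:26:30.177849 localhost kernel: Spectre V2 : Mitigation: Retpolines
Jul 16 04:26:30.177889 localhost kernel: Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
Jul 16 04:26:30.177908 localhost kernel: Speculative Return Stack Overflow: IBPB-extending microcode not applied!
Jul 16 04:26:30.177919 localhost kernel: Speculative Return Stack Overflow: WARNING: See https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html for mitigation options.
Jul 16 04:26:30.177929 localhost kernel: Speculative Return Stack Overflow: Vulnerable: Safe RET, no microcode
"""
HOST_JOURNAL = """\
Jul 16 04:00:00.000000 host kernel: Spectre V2 : Mitigation: Retpolines
Jul 16 04:00:00.000001 host kernel: Speculative Return Stack Overflow: Mitigation: Safe RET
"""

# "... kernel: <issue> : <rest>"; the issue name itself never contains a colon.
LINE_RE = re.compile(r"kernel: (?P<issue>[^:]+?)\s*: (?P<rest>.*)$")
# Only final status lines count; informational lines ("WARNING: ...",
# lower-case "mitigation: Enabling ...") are deliberately not matched.
STATE_RE = re.compile(r"^(?P<state>Mitigation|Vulnerable|Not affected)(?:: (?P<detail>.*))?$")


def parse_mitigations(journal):
    """Return {issue: (state, detail)}; the last status line per issue wins."""
    status = {}
    for line in journal.splitlines():
        m = LINE_RE.search(line)
        s = STATE_RE.match(m.group("rest")) if m else None
        if s:
            status[m.group("issue")] = (s.group("state"), s.group("detail") or "")
    return status


def guest_regressions(host_journal, guest_journal):
    """Issues the host reports as mitigated but the guest reports as vulnerable."""
    host = parse_mitigations(host_journal)
    guest = parse_mitigations(guest_journal)
    return {
        issue: {"host": host[issue], "guest": state}
        for issue, state in guest.items()
        if state[0] == "Vulnerable" and host.get(issue, ("",))[0] == "Mitigation"
    }


if __name__ == "__main__":
    for issue, s in guest_regressions(HOST_JOURNAL, GUEST_JOURNAL).items():
        print(f"{issue}: host={s['host']} guest={s['guest']}")
```
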