https://bugzilla.suse.com/show_bug.cgi?id=1228079 Bug ID: 1228079 Summary: SRSO mitigation in microcode not passed through KVM VMs Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 URL: https://openqa.opensuse.org/tests/4344305/modules/jour nal_check/steps/9 OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-bugs@opensuse.org Reporter: fvogt@suse.com QA Contact: qa-bugs@suse.de CC: fvogt@suse.com, jeos-internal@suse.de, kernel-bugs@suse.de, mloviska@suse.com, nik.borisov@suse.com, tiwai@suse.com Depends on: 1227900 Target Milestone: --- Found By: openQA Blocker: Yes This is what bug 1227900 originally observed: Even though the host system loaded microcode with the feature enabled and uses it itself, guest systems think the functionality is not available. This may result in performance degradation. Some investigation reveals that the X86_FEATURE_IBPB_BRTYPE cpu feature is set in the host kernel, but the guest kernel does not see it in cpuid. +++ This bug was initially created as a clone of Bug #1227900 +++ ## Observation During the firstboot of the image, journal log scan on Minimal-VM's cloud image[1] shows below errors/warnings that we have never noticed before on other images that the same test case is being executed. I cannot reproduce the issue on my local openQA running on an intel machine. This snippet comes from opensuse worker (openqaworker20) running AMD EPYC 7543 32-Core Processor. Jul 16 04:26:30.176898 localhost> kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-6.9.9-1-default root=UUID=f6566395-dd79-43c7-9364-e040b2668a54 rw quiet systemd.show_status=1 console=ttyS0,115200 console=tty0 net.ifnames=0

Jul 16 04:26:30.177796 localhost kernel: Calibrating delay loop (skipped) preset value.. 5602.32 BogoMIPS (lpj=9333326) Jul 16 04:26:30.177805 localhost kernel: x86/cpu: User Mode Instruction Prevention (UMIP) activated Jul 16 04:26:30.177814 localhost kernel: Last level iTLB entries: 4KB 512, 2MB 255, 4MB 127 Jul 16 04:26:30.177823 localhost kernel: Last level dTLB entries: 4KB 512, 2MB 255, 4MB 127, 1GB 0 Jul 16 04:26:30.177834 localhost kernel: Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization Jul 16 04:26:30.177849 localhost kernel: Spectre V2 : Mitigation: Retpolines Jul 16 04:26:30.177859 localhost kernel: Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch Jul 16 04:26:30.177869 localhost kernel: Spectre V2 : Spectre v2 / SpectreRSB : Filling RSB on VMEXIT Jul 16 04:26:30.177879 localhost kernel: Spectre V2 : Enabling Restricted Speculation for firmware calls Jul 16 04:26:30.177889 localhost kernel: Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier Jul 16 04:26:30.177899 localhost kernel: Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl Jul 16 04:26:30.177908 localhost kernel: Speculative Return Stack Overflow: IBPB-extending microcode not applied! Jul 16 04:26:30.177919 localhost kernel: Speculative Return Stack Overflow: WARNING: See https://kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html for mitigation options. Jul 16 04:26:30.177929 localhost kernel: Speculative Return Stack Overflow: Vulnerable: Safe RET, no microcode Jul 16 04:26:30.177939 localhost kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'

Except the presence of these messages in the boot log, the test results do not show any other related issues. ## Tested image [1] openSUSE-Tumbleweed-Minimal-VM.x86_64-1.0.0-Cloud-Snapshot20240714.qcow2 openQA test in scenario opensuse-Tumbleweed-JeOS-for-OpenStack-Cloud-x86_64-jeos-no-cloud@64bit_virtio fails in [journal_check](https://openqa.opensuse.org/tests/4344305/modules/journal_check/steps/9) ## Reproducible The image was never tested before in openQA -- You are receiving this mail because: You are the assignee for the bug.