@@ -581,6 +581,27 @@ static void __init ms_hyperv_init_platform(void)
if (!(ms_hyperv.features & HV_ACCESS_TSC_INVARIANT))
mark_tsc_unstable("running on Hyper-V");
+ /*
+ * Mask CET Shadow Stack on SEV-SNP due to a CPUID emulation bug in
+ * the paravisor on old Azure SEV-SNP hosts, e.g., 10.0.20348.2867-2-0.
+ * Due to the bug, paranoid_xstate_size_valid() in a v6.6 or newer
+ * kernel prints a warning "XSAVE consistency problem: size 848 != kernel_size 832"
+ * and the kernel disables XSAVE completely; the early 'init' program or
+ * any later program may get core-dumped due to "invalid opcode", if
+ * they assume XSAVE is available (e.g., it looks like
+ * libgnutls.so.30.27.0 tries to unconditionally use XSAVE.
+ *
+ * Note: the SNP paravisor bug only affects a v6.6+ Linux kernel
+ * (CET Shadow Stack is firstly enabled in v6.6) when the VM is a "v5"
+ * SNP VM on Azure. A "v6" SNP VM is not affected, and a TDX VM is also
+ * not affectd since the versions of paravisor for them are already
+ * fixed. The fix for the "v5" VMs would roll out around September or
+ * October, 2024.
+ */
+ if (ms_hyperv.paravisor_present &&
+ hv_get_isolation_type() == HV_ISOLATION_TYPE_SNP)
+ setup_clear_cpu_cap(X86_FEATURE_SHSTK);
+
hardlockup_detector_disable();
}
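Review bot: The condition before `setup_clear_cpu_cap(X86_FEATURE_SHSTK)` checks only `paravisor_present` and the SNP isolation type, so as far as this hunk shows it also masks shadow stack on the "v6" SNP VMs that the comment says are not affected, and on "v5" hosts once they are fixed. That silently removes a control-flow hardening feature from those guests. A boot-log line just before the call, for example `pr_info("Hyper-V: masking CET Shadow Stack on SNP paravisor VM\n");`, would let operators see that the mitigation is off. The comment should also say when the workaround can be dropped, since it only gives a rollout date; it has an unclosed parenthesis after "(e.g., it looks like" and the typo "affectd". ms_hyperv_init_platform() begins outside the hunk.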