Skip to content

fix(test/vulnerabilities): add exception for TSA before 6.1.153 #5458

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 1, 2025
Merged

fix(test/vulnerabilities): add exception for TSA before 6.1.153 #5458

merged 2 commits into from
Oct 1, 2025
+26 −0

Conversation

Manciukic
Copy link
Contributor

Changes

Add an exception for TSA for host kernels before 6.1.153

Reason

Vulnerability checks are failing.

TSA is marked as vulnerable as 6.1 kernels before 6.1.153 don't correctly pass through the CPUID bit to let the guest know that the microcode is applied (CLEAR_VERW).
We noticed only now as we just updated the guest kernels and they now contain the TSA mitigation.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • I have read and understand CONTRIBUTING.md.
  • I have run tools/devtool checkbuild --all to verify that the PR passes
    build checks on all supported architectures.
  • I have run tools/devtool checkstyle to verify that the PR passes the
    automated style checks.
  • I have described what is done in these changes, why they are needed, and
    how they are solving the problem in a clear and encompassing way.
  • I have updated any relevant documentation (both in code and in the docs)
    in the PR.
  • I have mentioned all user-facing changes in CHANGELOG.md.
  • If a specific issue led to this PR, this PR closes the issue.
  • When making API changes, I have followed the
    Runbook for Firecracker API changes.
  • I have tested all new and changed functionalities in unit tests and/or
    integration tests.
  • I have linked an issue to every new TODO.
  • This functionality cannot be added in rust-vmm.

@codecov Codecov
Copy link

codecov bot commented Sep 30, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.76%. Comparing base (f481687) to head (2fbb814).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #5458   +/-   ##
=======================================
  Coverage   82.76%   82.76%           
=======================================
  Files         263      263           
  Lines       27300    27300           
=======================================
  Hits        22594    22594           
  Misses       4706     4706
Flag Coverage Δ
5.10-m5n.metal 82.94% <ø> (-0.01%) ⬇️
5.10-m6a.metal 82.19% <ø> (ø)
5.10-m6g.metal 79.53% <ø> (-0.01%) ⬇️
5.10-m6i.metal 82.94% <ø> (ø)
5.10-m7a.metal-48xl 82.18% <ø> (ø)
5.10-m7g.metal 79.53% <ø> (-0.01%) ⬇️
5.10-m7i.metal-24xl 82.90% <ø> (-0.01%) ⬇️
5.10-m7i.metal-48xl 82.91% <ø> (-0.01%) ⬇️
5.10-m8g.metal-24xl 79.53% <ø> (ø)
5.10-m8g.metal-48xl 79.53% <ø> (ø)
6.1-m5n.metal 82.98% <ø> (ø)
6.1-m6a.metal 82.23% <ø> (-0.01%) ⬇️
6.1-m6g.metal 79.53% <ø> (-0.01%) ⬇️
6.1-m6i.metal 82.97% <ø> (ø)
6.1-m7a.metal-48xl 82.22% <ø> (ø)
6.1-m7g.metal 79.53% <ø> (-0.01%) ⬇️
6.1-m7i.metal-24xl 82.98% <ø> (ø)
6.1-m7i.metal-48xl 82.98% <ø> (-0.01%) ⬇️
6.1-m8g.metal-24xl 79.53% <ø> (-0.01%) ⬇️
6.1-m8g.metal-48xl 79.53% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@Manciukic Manciukic force-pushed the fix-tsa-vuln-check branch 4 times, most recently from 0c61122 to 95dd5c9 Compare September 30, 2025 13:08
@Manciukic
fix(test/vulnerabilities): add exception for TSA before 6.1.153
ac342ed 
TSA is marked as vulnerable as 6.1 kernels before 6.1.153 don't
correctly pass through the CPUID bit to let the guest know that the
microcode is applied (CLEAR_VERW).
We noticed only now as we just updated the guest kernels and they now
contain the TSA mitigation.

Signed-off-by: Riccardo Mancini <mancio@amazon.com>
@Manciukic Manciukic marked this pull request as ready for review September 30, 2025 15:12
@Manciukic Manciukic added the Status: Awaiting review Indicates that a pull request is ready to be reviewed label Sep 30, 2025
@roypat
Copy link
Contributor

roypat commented Sep 30, 2025

cant we just update the host kernel?

@Manciukic
Copy link
Contributor Author

cant we just update the host kernel?

The AMI wasn't yet available when I checked. This is to unblock the CI.

@Manciukic Manciukic enabled auto-merge (rebase) October 1, 2025 09:26
@Manciukic Manciukic merged commit feffd18 into firecracker-microvm:main Oct 1, 2025
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JackThomson2 JackThomson2 JackThomson2 approved these changes

@ShadowCurse ShadowCurse ShadowCurse approved these changes

Assignees
No one assigned
Labels
Status: Awaiting review Indicates that a pull request is ready to be reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Manciukic @roypat @JackThomson2 @ShadowCurse