hv: refine security capability detection function.

 ACRN hypervisor always print CPU microcode update
 warning message on KBL NUC platform, even after
 BIOS was updated to the latest.

 'check_cpu_security_cap()' returns false if
 no ARCH_CAPABILITIES MSR support on current platform,
 but this MSR may not be available on some platforms.
 This patch is to remove this pre-condition.

Tracked-On: #3317
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Jason CJ Chen <jason.cj.chen@intel.com>

Author: yonghuah

hypervisor/arch/x86/security.c

@@ -59,16 +59,16 @@ bool check_cpu_security_cap(void)
 		x86_arch_capabilities = msr_read(MSR_IA32_ARCH_CAPABILITIES);
 		skip_l1dfl_vmentry = ((x86_arch_capabilities
 			& IA32_ARCH_CAP_SKIP_L1DFL_VMENTRY) != 0UL);
+	}
 
-		if ((!pcpu_has_cap(X86_FEATURE_L1D_FLUSH)) && (!skip_l1dfl_vmentry)) {
-			ret = false;
-		} else if ((!pcpu_has_cap(X86_FEATURE_IBRS_IBPB)) &&
-			(!pcpu_has_cap(X86_FEATURE_STIBP))) {
-			ret = false;
-		} else {
-			/* No other state currently, do nothing */
-		}
-	} else {
+	if ((!pcpu_has_cap(X86_FEATURE_L1D_FLUSH)) && (!skip_l1dfl_vmentry)) {
+		/* Processor is affected by L1TF CPU vulnerability,
+		 * but no L1D_FLUSH command support.
+		 */
+		ret = false;
+	}
+
+	if ((!pcpu_has_cap(X86_FEATURE_IBRS_IBPB)) && (!pcpu_has_cap(X86_FEATURE_STIBP))) {
 		ret = false;
 	}
 

hypervisor/include/arch/x86/security.h

@@ -9,7 +9,7 @@
 
 /* type of speculation control
  * 0 - no speculation control support
- * 1 - raw IBRS + IPBP support
+ * 1 - raw IBRS + IBPB support
  * 2 - with STIBP optimization support
  */
 #define IBRS_NONE	0