From 46e826a3d156f13afe8bf24009a993047b0fa755 Mon Sep 17 00:00:00 2001
From: Patrick Roy <roypat@amazon.co.uk>
Date: Wed, 3 Apr 2024 10:04:54 +0100
Subject: [PATCH 1/2] fix: Update x86/6.1 MSR baselines with `RFDS_NO`

Since Amazon Linux commit
amazonlinux/linux/b2e92ab17e440a97c716b701ecd897eebca11ac0,
KVM passes through bit 27 of the `MSR_IA32_ARCH_CAPABILITIES` MSR
(0x10A) to the guest, to let them know whether the processor they're
running on is affected by RFDS. According to Intel, only Atom processors
are affected [[1]], and accordingly, for all instances in our CI this
bit is reported to be 1. Thus, update the baselines.

[1]: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html

Signed-off-by: Patrick Roy <roypat@amazon.co.uk>
---
 .../fingerprint_INTEL_CASCADELAKE_6.1host.json                  | 2 +-
 .../cpu_template_helper/fingerprint_INTEL_ICELAKE_6.1host.json  | 2 +-
 .../cpu_template_helper/fingerprint_INTEL_SKYLAKE_6.1host.json  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/data/cpu_template_helper/fingerprint_INTEL_CASCADELAKE_6.1host.json b/tests/data/cpu_template_helper/fingerprint_INTEL_CASCADELAKE_6.1host.json
index fc517607112..0820515b571 100644
--- a/tests/data/cpu_template_helper/fingerprint_INTEL_CASCADELAKE_6.1host.json
+++ b/tests/data/cpu_template_helper/fingerprint_INTEL_CASCADELAKE_6.1host.json
@@ -1128,7 +1128,7 @@
       },
       {
         "addr": "0x10a",
-        "bitmap": "0b0000000000000000000000000000000000000100000010101010000011101011"
+        "bitmap": "0b0000000000000000000000000000000000001100000010101010000011101011"
       },
       {
         "addr": "0x140",
diff --git a/tests/data/cpu_template_helper/fingerprint_INTEL_ICELAKE_6.1host.json b/tests/data/cpu_template_helper/fingerprint_INTEL_ICELAKE_6.1host.json
index 00115539fc6..2ee9aaa6e1f 100644
--- a/tests/data/cpu_template_helper/fingerprint_INTEL_ICELAKE_6.1host.json
+++ b/tests/data/cpu_template_helper/fingerprint_INTEL_ICELAKE_6.1host.json
@@ -1220,7 +1220,7 @@
       },
       {
         "addr": "0x10a",
-        "bitmap": "0b0000000000000000000000000000000000000100000000101010000011101011"
+        "bitmap": "0b0000000000000000000000000000000000001100000000101010000011101011"
       },
       {
         "addr": "0x140",
diff --git a/tests/data/cpu_template_helper/fingerprint_INTEL_SKYLAKE_6.1host.json b/tests/data/cpu_template_helper/fingerprint_INTEL_SKYLAKE_6.1host.json
index 3bf35bbe145..ecd71b42760 100644
--- a/tests/data/cpu_template_helper/fingerprint_INTEL_SKYLAKE_6.1host.json
+++ b/tests/data/cpu_template_helper/fingerprint_INTEL_SKYLAKE_6.1host.json
@@ -1128,7 +1128,7 @@
       },
       {
         "addr": "0x10a",
-        "bitmap": "0b0000000000000000000000000000000000000100000000000000000001001100"
+        "bitmap": "0b0000000000000000000000000000000000001100000000000000000001001100"
       },
       {
         "addr": "0x140",

From a0211a67166953083df724b092c874a171a6cf15 Mon Sep 17 00:00:00 2001
From: Patrick Roy <roypat@amazon.co.uk>
Date: Wed, 3 Apr 2024 10:17:37 +0100
Subject: [PATCH 2/2] fix: Update static CPU templates with `RFDS_NO` bit

Passthrough in T2CL template, set to 1 in T2S template.

Signed-off-by: Patrick Roy <roypat@amazon.co.uk>
---
 CHANGELOG.md                                               | 5 +++++
 src/vmm/src/cpu_config/x86_64/static_cpu_templates/t2cl.rs | 3 ++-
 src/vmm/src/cpu_config/x86_64/static_cpu_templates/t2s.rs  | 3 ++-
 tests/data/static_cpu_templates/t2cl.json                  | 2 +-
 tests/data/static_cpu_templates/t2s.json                   | 2 +-
 5 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4a1dce4eb73..dbe0493e4d8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,11 @@ and this project adheres to
   `--config` parameter of `cpu-template-helper` optional. Users no longer need
   to prepare kernel, rootfs and Firecracker configuration files to use
   `cpu-template-helper`.
+- [#4537](https://github.com/firecracker-microvm/firecracker/pull/4537) Changed
+  T2CL template to pass through bit 27 of `MSR_IA32_ARCH_CAPABILITIES`
+  (`RFDS_NO`).
+- [#4537](https://github.com/firecracker-microvm/firecracker/pull/4537) Changed
+  T2S template to set bit 27 of `MSR_IA32_ARCH_CAPABILITIES` (`RFDS_NO`) to 1.
 
 ### Deprecated
 
diff --git a/src/vmm/src/cpu_config/x86_64/static_cpu_templates/t2cl.rs b/src/vmm/src/cpu_config/x86_64/static_cpu_templates/t2cl.rs
index 39cc4297a6a..7f36f32a53a 100644
--- a/src/vmm/src/cpu_config/x86_64/static_cpu_templates/t2cl.rs
+++ b/src/vmm/src/cpu_config/x86_64/static_cpu_templates/t2cl.rs
@@ -277,12 +277,13 @@ pub fn t2cl() -> CustomCpuTemplate {
             // - Bit 19: RRSBA
             // - Bit 24: PBRSB_NO
             // - Bit 26: GDS_NO
+            // - Bit 27: RFDS_NO
             //
             // Note that this MSR is specific to Intel processors.
             RegisterModifier {
                 addr: 0x10a,
                 bitmap: RegisterValueFilter {
-                    filter: 0b1111_1111_1111_1111_1111_1111_1111_1111_1111_1010_1111_0101_0001_1110_0000_0000,
+                    filter: 0b1111_1111_1111_1111_1111_1111_1111_1111_1111_0010_1111_0101_0001_1110_0000_0000,
                     value: 0b0000_0000_0000_0000_0000_0000_0000_0000_0000_0000_0000_0000_0000_0000_0000_0000,
                 },
             },
diff --git a/src/vmm/src/cpu_config/x86_64/static_cpu_templates/t2s.rs b/src/vmm/src/cpu_config/x86_64/static_cpu_templates/t2s.rs
index 19eed9cd860..d536d1bce93 100644
--- a/src/vmm/src/cpu_config/x86_64/static_cpu_templates/t2s.rs
+++ b/src/vmm/src/cpu_config/x86_64/static_cpu_templates/t2s.rs
@@ -255,12 +255,13 @@ pub fn t2s() -> CustomCpuTemplate {
             // - Bit 23: OVERCLOCKING_STATUS
             // - Bit 24: PBRSB_NO
             // - Bit 26: GDS_NO
+            // - BIT 27: RFDS_NO
             // - Bits 63-25: Reserved
             RegisterModifier {
             addr: 0x10a,
             bitmap: RegisterValueFilter {
                 filter: 0b1111_1111_1111_1111_1111_1111_1111_1111_1111_1111_1111_1111_1111_1111_1111_1111,
-                value: 0b0000_0000_0000_0000_0000_0000_0000_0000_0000_0100_0000_1000_0000_1100_0100_1100,
+                value: 0b0000_0000_0000_0000_0000_0000_0000_0000_0000_1100_0000_1000_0000_1100_0100_1100,
             },
         }],
         ..Default::default()
diff --git a/tests/data/static_cpu_templates/t2cl.json b/tests/data/static_cpu_templates/t2cl.json
index 8a33f0f0cb4..be258c768a9 100644
--- a/tests/data/static_cpu_templates/t2cl.json
+++ b/tests/data/static_cpu_templates/t2cl.json
@@ -90,7 +90,7 @@
   "msr_modifiers": [
     {
       "addr": "0x10a",
-      "bitmap": "0b0000000000000000000000000000000000000x0x0000x0x0xxx0000xxxxxxxxx"
+      "bitmap": "0b000000000000000000000000000000000000xx0x0000x0x0xxx0000xxxxxxxxx"
     }
   ]
 }
diff --git a/tests/data/static_cpu_templates/t2s.json b/tests/data/static_cpu_templates/t2s.json
index f92553bb8ad..2704ccddd02 100644
--- a/tests/data/static_cpu_templates/t2s.json
+++ b/tests/data/static_cpu_templates/t2s.json
@@ -90,7 +90,7 @@
   "msr_modifiers": [
     {
       "addr": "0x10a",
-      "bitmap": "0b0000000000000000000000000000000000000100000010000000110001001100"
+      "bitmap": "0b0000000000000000000000000000000000001100000010000000110001001100"
     }
   ]
 }