test: skip mmio_stale_data vuln

pb8o · zulinx86 · commit 2daedf95c56c · 2023-08-11T10:23:15.000+01:00
This does not mean the guest is vulnerable, just that we don't give enough information to the guest to tell if it is vulnerable ot not. The docs[1] say that 'Vulnerable: Clear CPU buffers attempted, no microcode': The processor is vulnerable, but microcode is not updated. The mitigation is enabled on a best effort basis. We may not want to pass-through the microcode to the guest, as that could be leveraged by an attacker. [1]: https://www.kernel.org/doc/html/next/admin-guide/hw-vuln/processor_mmio_stale_data.html Signed-off-by: Pablo Barbáchano <pablob@amazon.com>
diff --git a/tests/integration_tests/security/test_vulnerabilities.py b/tests/integration_tests/security/test_vulnerabilities.py
@@ -240,7 +240,7 @@ def check_vulnerabilities_files_on_guest(microvm):
     """
     vuln_dir = "/sys/devices/system/cpu/vulnerabilities"
     ecode, stdout, stderr = microvm.ssh.execute_command(
-        f"grep -r Vulnerable {vuln_dir}"
+        f"grep -r Vulnerable {vuln_dir} | grep -v mmio_stale_data:"
     )
     assert ecode == 1, f"stdout:\n{stdout}\nstderr:\n{stderr}\n"
 

Original file line number	Diff line number	Diff line change
`@@ -240,7 +240,7 @@ def check_vulnerabilities_files_on_guest(microvm):`
`240`	`240`	`"""`
`241`	`241`	`vuln_dir = "/sys/devices/system/cpu/vulnerabilities"`
`242`	`242`	`ecode, stdout, stderr = microvm.ssh.execute_command(`
`243`		`- f"grep -r Vulnerable {vuln_dir}"`
	`243`	`+ f"grep -r Vulnerable {vuln_dir} \| grep -v mmio_stale_data:"`
`244`	`244`	`)`
`245`	`245`	`assert ecode == 1, f"stdout:\n{stdout}\nstderr:\n{stderr}\n"`
`246`	`246`