Update expected SPECTRE mitigations after RETbleed

pb8o · JonathanWoollett-Light · commit de9d7d9e0c6e · 2022-09-05T10:18:38.000+01:00
Signed-off-by: Pablo Barbáchano &lt;pablob@amazon.com&gt;
diff --git a/docs/prod-host-setup.md b/docs/prod-host-setup.md
@@ -297,8 +297,8 @@ echo "KSM: ENABLED (Recommendation: DISABLED)"
 
 ###### Intel and AMD
 
-We recommend using a kernel compiled with eIBRS or `RETPOLINE`, together with
-microcode supporting conditional Indirect Branch Prediction Barriers (IBPB).
+We recommend using a kernel compiled with eIBRS or IBRS, together with microcode
+supporting conditional Indirect Branch Prediction Barriers (IBPB).
 
 Verification can be done by running:
 
@@ -308,7 +308,8 @@ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
 
 The output should mention the following mitigations being in use:
 
-- `Enhanced IBRS` or `Retpolines`
+- One of Retpolines (pre-Skylake CPU), IBRS (Skylake), or Enhanced IBRS (Cascade
+  Lake and later)
 - `IBPB` at least `conditional`
 
 ###### ARM64
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -86,7 +86,6 @@ def test_with_any_microvm(test_microvm_any):
 import tempfile
 import uuid
 import json
-import re
 
 import pytest
 
@@ -485,30 +484,9 @@ def test_multiple_microvms(test_fc_session_root_path, context, bin_cloner_path):
 def test_spectre_mitigations():
     """Check the kernel is compiled with SPECTREv2 mitigations."""
 
-    def check_retpoline(body):
-        # We check for full retpoline support by checking if the kernel was:
-        # 1. compiled with CONFIG_RETPOLINE
-        # 2. built with a retpoline-capable compiler
-
-        _, stdout, _ = utils.run_cmd("uname -r")
-        opt_config = "/boot/config-{}".format(stdout.rstrip())
-        assert os.path.exists(opt_config)
-        code, _, _ = utils.run_cmd(
-            "grep -q '^CONFIG_RETPOLINE' {}".format(opt_config), ignore_return_code=True
-        )
-        if code != 0:
-            return False
-
-        # As per the spectre-meltdown-checker, if retpoline or retpolines exist as
-        # whole words and minimial is not found, then it's full retpoline.
-        words = re.split(" |; |, |: |\n", body)
-        if ("retpoline" in words or "retpolines" in words) and "minimal" not in words:
-            return True
-        return False
-
     def x86_64(body):
         return ("IBPB: conditional" in body or "IBPB: always-on" in body) and (
-            "Enhanced IBRS" in body or check_retpoline(body.lower())
+            "Enhanced IBRS" in body or "IBRS" in body
         )
 
     def aarch64(body):
