From 2731628e2747b89916199720de7ef17fe1d7433f Mon Sep 17 00:00:00 2001
From: Yonghua Huang
Date: Thu, 6 Sep 2018 23:01:17 +0800
Subject: [PATCH] HV: wrap security related CPU capabilities checking

- add a function to detect CPU capabilities for security related features, it will print warning messages if current ucode can't support the latest security features.

Tracked-On: #1672
Signed-off-by: Yonghua Huang
Reviewed-by: Kevin Tian
---
 hypervisor/arch/x86/cpu.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/hypervisor/arch/x86/cpu.c b/hypervisor/arch/x86/cpu.c
index 965d60260..28de12056 100644
--- a/hypervisor/arch/x86/cpu.c
+++ b/hypervisor/arch/x86/cpu.c
@@ -416,6 +416,16 @@ void bsp_boot_init(void)
 SWITCH_TO(rsp, bsp_boot_post);
 }
 
+static bool check_cpu_security_config(void)
+{
+ if (!cpu_has_cap(X86_FEATURE_IBRS_IBPB) &&
+ !cpu_has_cap(X86_FEATURE_STIBP)) {
+ return false;
+ }
+
+ return true;
+}
+
 static void bsp_boot_post(void)
 {
 #ifdef STACK_PROTECTOR
@@ -465,8 +475,7 @@ static void bsp_boot_post(void)
 }
 
 /* Warn for security feature not ready */
- if (!cpu_has_cap(X86_FEATURE_IBRS_IBPB) &&
- !cpu_has_cap(X86_FEATURE_STIBP)) {
+ if (!check_cpu_security_config()) {
 pr_fatal("SECURITY WARNING!!!!!!");
 pr_fatal("Please apply the latest CPU uCode patch!");
 }
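Review bot: `check_cpu_security_config()` returns false only when both `X86_FEATURE_IBRS_IBPB` and `X86_FEATURE_STIBP` are absent, so a CPU that enumerates just one of the two passes the check without any warning. The commit message says the warning is for microcode that cannot support the latest security features, so if both controls are expected the condition probably wants `||`: `if (!cpu_has_cap(X86_FEATURE_IBRS_IBPB) || !cpu_has_cap(X86_FEATURE_STIBP)) {`. If either one being present is deliberately treated as sufficient, record that above the helper, e.g. `/* true if the CPU enumerates IBRS/IBPB or STIBP; either one is treated as sufficient */`, so the policy is not lost when more feature bits are added here.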
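Review bot: At the call site in `bsp_boot_post()` a failed check still only emits two `pr_fatal` lines, and nothing inside the `if` block halts or changes the boot path, so the new helper's result is advisory even though it is logged at fatal level. If that is the intended policy, say so next to the call, e.g. `/* Advisory only: boot continues when IBRS/IBPB and STIBP are both missing */`. The message would also be easier to act on if it named the missing controls rather than only "SECURITY WARNING!!!!!!". `bsp_boot_post()` starts and ends outside this hunk, so anything that happens after the warning is not visible here.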