From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: x86/amd: Mitigate AMD-SN-7053 / FP-DSS

This is XSA-488 / CVE-2025-54505

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c
index c448997be551..43cd3ae9ba4d 100644
--- a/xen/arch/x86/cpu/amd.c
+++ b/xen/arch/x86/cpu/amd.c
@@ -1009,6 +1009,42 @@ static void cf_check fam17_disable_c6(void *arg)
 	wrmsrl(MSR_AMD_CSTATE_CFG, val & mask);
 }
 
+static void amd_init_fp_cfg(const struct cpuinfo_x86 *c)
+{
+    uint64_t val, new = 0;
+
+    /* If virtualised, we won't have mutable access even if we can read it. */
+    if ( cpu_has_hypervisor )
+        return;
+
+    /*
+     * On Zen1, mitigate SB-7053 / FP-DSS Floating Point Divider State
+     * Sampling by setting bit 9 as instructed.
+     */
+    if ( c->x86 == 0x17 && is_zen1_uarch() )
+        new |= 1 << 9;
+
+    /*
+     * Avoid reading FP_CFG if we don't intend to change anything.  The
+     * register doesn't exist on all families.
+     */
+    if ( !new )
+        return;
+
+    rdmsrl(MSR_AMD64_FP_CFG, val);
+
+    if ( (val & new) == new )
+        return;
+
+    /*
+     * FP_CFG is a Core-scoped MSR, and this write is racy.  However, both
+     * threads calculate the new value from state which expected to be
+     * consistent across CPUs and unrelated to the old value, so the result
+     * should be consistent.
+     */
+    wrmsrl(MSR_AMD64_FP_CFG, val | new);
+}
+
 static void amd_check_bp_cfg(void)
 {
 	uint64_t val, new = 0;
@@ -1053,6 +1089,8 @@ static void cf_check init_amd(struct cpuinfo_x86 *c)
 
 	unsigned long long value;
 
+	amd_init_fp_cfg(c);
+
 	/* Disable TLB flush filter by setting HWCR.FFDIS on K8
 	 * bit 6 of msr C001_0015
 	 *
diff --git a/xen/arch/x86/include/asm/msr-index.h b/xen/arch/x86/include/asm/msr-index.h
index c9f980cd577f..516ee26d7079 100644
--- a/xen/arch/x86/include/asm/msr-index.h
+++ b/xen/arch/x86/include/asm/msr-index.h
@@ -411,6 +411,7 @@
 #define MSR_AMD64_LS_CFG		0xc0011020
 #define MSR_AMD64_IC_CFG		0xc0011021
 #define MSR_AMD64_DC_CFG		0xc0011022
+#define MSR_AMD64_FP_CFG		0xc0011028
 #define MSR_AMD64_DE_CFG		0xc0011029
 #define AMD64_DE_CFG_LFENCE_SERIALISE	(_AC(1, ULL) << 1)
 #define MSR_AMD64_EX_CFG		0xc001102c